Play interactive tour

Edit tour

Analysis Report NXKfWP9SPF0XHRu.exe

Overview

General Information

Sample Name:	NXKfWP9SPF0XHRu.exe
Analysis ID:	319657
MD5:	444332a61d888ac4f80db03b3c2129e9
SHA1:	5d518f814c09b15b35cd9ba5d20d0892bd8ef90b
SHA256:	611c893208d8bf06031da708a44ec749b89b069ad1e84c14625b02bccb4998a0
Tags:	ESPexegeoNanoCoreRAT
Most interesting Screenshot:

Detection

Nanocore

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected Nanocore Rat

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: NanoCore

Sigma detected: Scheduled temp file as task from temp location

Yara detected AntiVM_3

Yara detected Nanocore RAT

.NET source code contains potential unpacker

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses schtasks.exe or at.exe to add and modify task schedules

Antivirus or Machine Learning detection for unpacked file

Contains capabilities to detect virtual machines

Contains functionality to call native functions

Contains functionality to detect virtual machines (SLDT)

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains long sleeps (>= 3 min)

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Installs a raw input device (often for capturing keystrokes)

May sleep (evasive loops) to hinder dynamic analysis

PE file contains strange resources

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Startup

System is w10x64

NXKfWP9SPF0XHRu.exe (PID: 5952 cmdline: 'C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe' MD5: 444332A61D888AC4F80DB03B3C2129E9)

schtasks.exe (PID: 6052 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\ynSazlVxDpCRe' /XML 'C:\Users\user\AppData\Local\Temp\tmp10AA.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 6092 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

NXKfWP9SPF0XHRu.exe (PID: 768 cmdline: {path} MD5: 444332A61D888AC4F80DB03B3C2129E9)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000003.00000002.512257767.0000000005710000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
00000003.00000002.512257767.0000000005710000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
00000003.00000002.512257767.0000000005710000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.253897211.0000000003B42000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x24f68d:$x1: NanoCore.ClientPluginHost 0x24f6ca:$x2: IClientNetworkHost 0x2531fd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.253897211.0000000003B42000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.253897211.0000000003B42000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x24f3f5:$a: NanoCore 0x24f405:$a: NanoCore 0x24f639:$a: NanoCore 0x24f64d:$a: NanoCore 0x24f68d:$a: NanoCore 0x24f454:$b: ClientPlugin 0x24f656:$b: ClientPlugin 0x24f696:$b: ClientPlugin 0x12b687:$c: ProjectData 0x24f57b:$c: ProjectData 0x12c3af:$d: DESCrypto 0x24ff82:$d: DESCrypto 0x25794e:$e: KeepAlive 0x25593c:$g: LogClientMessage 0x251b37:$i: get_Connected 0x2502b8:$j: #=q 0x2502e8:$j: #=q 0x250304:$j: #=q 0x250334:$j: #=q 0x250350:$j: #=q 0x25036c:$j: #=q
00000000.00000002.253518250.000000000398D000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xfb65d:$x1: NanoCore.ClientPluginHost 0xfb69a:$x2: IClientNetworkHost 0xff1cd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.253518250.000000000398D000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.253518250.000000000398D000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfb3c5:$a: NanoCore 0xfb3d5:$a: NanoCore 0xfb609:$a: NanoCore 0xfb61d:$a: NanoCore 0xfb65d:$a: NanoCore 0xfb424:$b: ClientPlugin 0xfb626:$b: ClientPlugin 0xfb666:$b: ClientPlugin 0xfb54b:$c: ProjectData 0xfbf52:$d: DESCrypto 0x10391e:$e: KeepAlive 0x10190c:$g: LogClientMessage 0xfdb07:$i: get_Connected 0xfc288:$j: #=q 0xfc2b8:$j: #=q 0xfc2d4:$j: #=q 0xfc304:$j: #=q 0xfc320:$j: #=q 0xfc33c:$j: #=q 0xfc36c:$j: #=q 0xfc388:$j: #=q
00000003.00000002.511185145.0000000003EE7000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000003.00000002.511185145.0000000003EE7000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x3395:$a: NanoCore 0x33ee:$a: NanoCore 0x342b:$a: NanoCore 0x34a4:$a: NanoCore 0x16b4f:$a: NanoCore 0x16b64:$a: NanoCore 0x16b99:$a: NanoCore 0x2f5f3:$a: NanoCore 0x2f608:$a: NanoCore 0x2f63d:$a: NanoCore 0x33f7:$b: ClientPlugin 0x3434:$b: ClientPlugin 0x3d32:$b: ClientPlugin 0x3d3f:$b: ClientPlugin 0x1690b:$b: ClientPlugin 0x16926:$b: ClientPlugin 0x16956:$b: ClientPlugin 0x16b6d:$b: ClientPlugin 0x16ba2:$b: ClientPlugin 0x2f3af:$b: ClientPlugin 0x2f3ca:$b: ClientPlugin
00000003.00000002.505689991.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000003.00000002.505689991.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000003.00000002.505689991.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000003.00000002.512006874.0000000005200000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
00000003.00000002.512006874.0000000005200000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
00000000.00000002.251828506.0000000002994000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: NXKfWP9SPF0XHRu.exe PID: 5952	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x9c32a:$x1: NanoCore.ClientPluginHost 0x9c38b:$x2: IClientNetworkHost 0xa1790:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xaf702:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: NXKfWP9SPF0XHRu.exe PID: 5952	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: NXKfWP9SPF0XHRu.exe PID: 5952	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: NXKfWP9SPF0XHRu.exe PID: 5952	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x9be2f:$a: NanoCore 0x9be4b:$a: NanoCore 0x9bfa6:$a: NanoCore 0x9bfb5:$a: NanoCore 0x9c28e:$a: NanoCore 0x9c2ba:$a: NanoCore 0x9c32a:$a: NanoCore 0xabd6c:$a: NanoCore 0xabd7e:$a: NanoCore 0xabdba:$a: NanoCore 0x9bed6:$b: ClientPlugin 0x9bfff:$b: ClientPlugin 0x9c2c3:$b: ClientPlugin 0x9c333:$b: ClientPlugin 0xabd87:$b: ClientPlugin 0xabdc3:$b: ClientPlugin 0x239f0:$c: ProjectData 0x5820f:$c: ProjectData 0x59fbc:$c: ProjectData 0x9c14c:$c: ProjectData 0xabcb9:$c: ProjectData
Process Memory Space: NXKfWP9SPF0XHRu.exe PID: 768	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2cee1:$x1: NanoCore.ClientPluginHost 0xe29eb:$x1: NanoCore.ClientPluginHost 0x1ad68d:$x1: NanoCore.ClientPluginHost 0x1b324c:$x1: NanoCore.ClientPluginHost 0x1c4099:$x1: NanoCore.ClientPluginHost 0x1f10b1:$x1: NanoCore.ClientPluginHost 0x24be9d:$x1: NanoCore.ClientPluginHost 0x2cf07:$x2: IClientNetworkHost 0xe2a30:$x2: IClientNetworkHost 0x1ad6b3:$x2: IClientNetworkHost 0x1b3291:$x2: IClientNetworkHost 0x1c40de:$x2: IClientNetworkHost 0x1f1112:$x2: IClientNetworkHost 0x24bec3:$x2: IClientNetworkHost 0x1f6517:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x204489:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: NXKfWP9SPF0XHRu.exe PID: 768	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: NXKfWP9SPF0XHRu.exe PID: 768	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2cdd3:$a: NanoCore 0x2ce74:$a: NanoCore 0x2cee1:$a: NanoCore 0x2cfa2:$a: NanoCore 0x2de73:$a: NanoCore 0x2dec6:$a: NanoCore 0x2deff:$a: NanoCore 0x2df72:$a: NanoCore 0xe2965:$a: NanoCore 0xe2992:$a: NanoCore 0xe29eb:$a: NanoCore 0xea1fa:$a: NanoCore 0xea20d:$a: NanoCore 0xea23f:$a: NanoCore 0x1ad57f:$a: NanoCore 0x1ad620:$a: NanoCore 0x1ad68d:$a: NanoCore 0x1ad74e:$a: NanoCore 0x1ae61f:$a: NanoCore 0x1ae672:$a: NanoCore 0x1ae6ab:$a: NanoCore
Click to see the 19 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
3.2.NXKfWP9SPF0XHRu.exe.5710000.5.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
3.2.NXKfWP9SPF0XHRu.exe.5710000.5.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
3.2.NXKfWP9SPF0XHRu.exe.5710000.5.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
3.2.NXKfWP9SPF0XHRu.exe.5710000.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
3.2.NXKfWP9SPF0XHRu.exe.5710000.5.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
3.2.NXKfWP9SPF0XHRu.exe.5710000.5.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
3.2.NXKfWP9SPF0XHRu.exe.5200000.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
3.2.NXKfWP9SPF0XHRu.exe.5200000.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
3.2.NXKfWP9SPF0XHRu.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
3.2.NXKfWP9SPF0XHRu.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
3.2.NXKfWP9SPF0XHRu.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
3.2.NXKfWP9SPF0XHRu.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
Click to see the 7 entries

Sigma Overview

System Summary:

Sigma detected: NanoCore

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe, ProcessId: 768, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Sigma detected: Scheduled temp file as task from temp location

Show sources

Source: Process started

Author: Joe Security: Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\ynSazlVxDpCRe' /XML 'C:\Users\user\AppData\Local\Temp\tmp10AA.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\ynSazlVxDpCRe' /XML 'C:\Users\user\AppData\Local\Temp\tmp10AA.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe' , ParentImage: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe, ParentProcessId: 5952, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\ynSazlVxDpCRe' /XML 'C:\Users\user\AppData\Local\Temp\tmp10AA.tmp', ProcessId: 6052

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\ynSazlVxDpCRe.exe	ReversingLabs: Detection: 16%
Source: C:\Users\user\AppData\Roaming\ynSazlVxDpCRe.exe	ReversingLabs: Detection: 16%

Multi AV Scanner detection for submitted file

Show sources

Source: NXKfWP9SPF0XHRu.exe	ReversingLabs: Detection: 16%
Source: NXKfWP9SPF0XHRu.exe	ReversingLabs: Detection: 16%

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000003.00000002.512257767.0000000005710000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.253897211.0000000003B42000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.253518250.000000000398D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.511185145.0000000003EE7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.505689991.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: NXKfWP9SPF0XHRu.exe PID: 5952, type: MEMORY
Source: Yara match	File source: Process Memory Space: NXKfWP9SPF0XHRu.exe PID: 768, type: MEMORY
Source: Yara match	File source: 3.2.NXKfWP9SPF0XHRu.exe.5710000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.NXKfWP9SPF0XHRu.exe.5710000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.NXKfWP9SPF0XHRu.exe.400000.0.unpack, type: UNPACKEDPE

Source: 3.2.NXKfWP9SPF0XHRu.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 3.2.NXKfWP9SPF0XHRu.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7

Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Code function: 4x nop then jmp 05495DF9h		0_2_054950A7
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Code function: 4x nop then jmp 05495DF9h		0_2_054950A7

Source: global traffic	TCP traffic: 192.168.2.7:49707 -> 23.105.131.214:4040
Source: global traffic	TCP traffic: 192.168.2.7:49707 -> 23.105.131.214:4040

Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.214
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.214
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.214
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.214
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.214
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.214
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.214
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.214
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.214
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.214
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.214
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.214
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.214
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.214
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.214
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.214
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.214
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.214
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.214
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.214
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.214
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.214
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.214
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.214
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.214
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.214
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.214
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.214
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.214
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.214
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.214
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.214
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.214
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.214
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.214
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.214
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.214
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.214
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.214
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.214
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.214
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.214
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.214
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.214
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.214
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.214
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.214
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.214
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.214
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.214
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.214
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.214
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.214
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.214
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.214
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.214
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.214
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.214
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.214
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.214
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.214
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.214
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.214
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.214
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.214
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.214
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.214
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.214
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.214
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.214
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.214
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.214
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.214
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.214
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.214
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.214
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.214
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.214
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.214
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.214
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.214
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.214
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.214
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.214
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.214
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.214
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.214
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.214
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.214
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.214
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.214
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.214
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.214
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.214
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.214
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.214
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.214
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.214
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.214
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.214

Source: NXKfWP9SPF0XHRu.exe, 00000000.00000002.255243254.0000000004E72000.00000004.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: NXKfWP9SPF0XHRu.exe, 00000000.00000002.255243254.0000000004E72000.00000004.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: NXKfWP9SPF0XHRu.exe, 00000000.00000003.240900347.0000000004C68000.00000004.00000001.sdmp, NXKfWP9SPF0XHRu.exe, 00000000.00000003.239916983.0000000004C74000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.com
Source: NXKfWP9SPF0XHRu.exe, 00000000.00000003.240900347.0000000004C68000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comadi
Source: NXKfWP9SPF0XHRu.exe, 00000000.00000003.240460926.0000000004C6B000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comefaD
Source: NXKfWP9SPF0XHRu.exe, 00000000.00000002.255243254.0000000004E72000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: NXKfWP9SPF0XHRu.exe, 00000000.00000003.241684541.0000000004C6A000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: NXKfWP9SPF0XHRu.exe, 00000000.00000002.255243254.0000000004E72000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: NXKfWP9SPF0XHRu.exe, 00000000.00000002.255243254.0000000004E72000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: NXKfWP9SPF0XHRu.exe, 00000000.00000002.255243254.0000000004E72000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: NXKfWP9SPF0XHRu.exe, 00000000.00000002.255243254.0000000004E72000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: NXKfWP9SPF0XHRu.exe, 00000000.00000002.255243254.0000000004E72000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: NXKfWP9SPF0XHRu.exe, 00000000.00000002.255243254.0000000004E72000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: NXKfWP9SPF0XHRu.exe, 00000000.00000002.255243254.0000000004E72000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: NXKfWP9SPF0XHRu.exe, 00000000.00000003.241684541.0000000004C6A000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comF
Source: NXKfWP9SPF0XHRu.exe, 00000000.00000003.241684541.0000000004C6A000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comM.TTFh
Source: NXKfWP9SPF0XHRu.exe, 00000000.00000002.255001568.0000000004C60000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.coma
Source: NXKfWP9SPF0XHRu.exe, 00000000.00000003.241684541.0000000004C6A000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comdE
Source: NXKfWP9SPF0XHRu.exe, 00000000.00000003.241684541.0000000004C6A000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comdL
Source: NXKfWP9SPF0XHRu.exe, 00000000.00000003.241684541.0000000004C6A000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comessed)
Source: NXKfWP9SPF0XHRu.exe, 00000000.00000003.241684541.0000000004C6A000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comituF
Source: NXKfWP9SPF0XHRu.exe, 00000000.00000003.241684541.0000000004C6A000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comlicF
Source: NXKfWP9SPF0XHRu.exe, 00000000.00000003.241684541.0000000004C6A000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comoa
Source: NXKfWP9SPF0XHRu.exe, 00000000.00000002.255243254.0000000004E72000.00000004.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: NXKfWP9SPF0XHRu.exe, 00000000.00000002.255243254.0000000004E72000.00000004.00000001.sdmp, NXKfWP9SPF0XHRu.exe, 00000000.00000003.239663209.0000000004C70000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: NXKfWP9SPF0XHRu.exe, 00000000.00000003.239663209.0000000004C70000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/
Source: NXKfWP9SPF0XHRu.exe, 00000000.00000002.255243254.0000000004E72000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: NXKfWP9SPF0XHRu.exe, 00000000.00000002.255243254.0000000004E72000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: NXKfWP9SPF0XHRu.exe, 00000000.00000002.255243254.0000000004E72000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: NXKfWP9SPF0XHRu.exe, 00000000.00000002.255243254.0000000004E72000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: NXKfWP9SPF0XHRu.exe, 00000000.00000002.255243254.0000000004E72000.00000004.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: NXKfWP9SPF0XHRu.exe, 00000000.00000003.240900347.0000000004C68000.00000004.00000001.sdmp, NXKfWP9SPF0XHRu.exe, 00000000.00000003.240252277.0000000004C6B000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: NXKfWP9SPF0XHRu.exe, 00000000.00000003.240762052.0000000004C6A000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/)
Source: NXKfWP9SPF0XHRu.exe, 00000000.00000003.240460926.0000000004C6B000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/7
Source: NXKfWP9SPF0XHRu.exe, 00000000.00000003.240252277.0000000004C6B000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/Bold
Source: NXKfWP9SPF0XHRu.exe, 00000000.00000003.240900347.0000000004C68000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/E
Source: NXKfWP9SPF0XHRu.exe, 00000000.00000003.240900347.0000000004C68000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/a
Source: NXKfWP9SPF0XHRu.exe, 00000000.00000003.240900347.0000000004C68000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/h
Source: NXKfWP9SPF0XHRu.exe, 00000000.00000003.240900347.0000000004C68000.00000004.00000001.sdmp, NXKfWP9SPF0XHRu.exe, 00000000.00000003.240460926.0000000004C6B000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: NXKfWP9SPF0XHRu.exe, 00000000.00000003.240678890.0000000004C69000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/)
Source: NXKfWP9SPF0XHRu.exe, 00000000.00000003.240900347.0000000004C68000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/7
Source: NXKfWP9SPF0XHRu.exe, 00000000.00000003.240460926.0000000004C6B000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/h
Source: NXKfWP9SPF0XHRu.exe, 00000000.00000003.240900347.0000000004C68000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/roso
Source: NXKfWP9SPF0XHRu.exe, 00000000.00000003.240900347.0000000004C68000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/v
Source: NXKfWP9SPF0XHRu.exe, 00000000.00000003.240460926.0000000004C6B000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/vvU
Source: NXKfWP9SPF0XHRu.exe, 00000000.00000002.255243254.0000000004E72000.00000004.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: NXKfWP9SPF0XHRu.exe, 00000000.00000002.255243254.0000000004E72000.00000004.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: NXKfWP9SPF0XHRu.exe, 00000000.00000002.255243254.0000000004E72000.00000004.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: NXKfWP9SPF0XHRu.exe, 00000000.00000002.255243254.0000000004E72000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: NXKfWP9SPF0XHRu.exe, 00000000.00000002.255243254.0000000004E72000.00000004.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: NXKfWP9SPF0XHRu.exe, 00000000.00000002.255243254.0000000004E72000.00000004.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: NXKfWP9SPF0XHRu.exe, 00000000.00000002.255243254.0000000004E72000.00000004.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: NXKfWP9SPF0XHRu.exe, 00000000.00000002.255243254.0000000004E72000.00000004.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: NXKfWP9SPF0XHRu.exe, 00000000.00000002.255243254.0000000004E72000.00000004.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: NXKfWP9SPF0XHRu.exe, 00000000.00000003.240900347.0000000004C68000.00000004.00000001.sdmp, NXKfWP9SPF0XHRu.exe, 00000000.00000003.239916983.0000000004C74000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.com
Source: NXKfWP9SPF0XHRu.exe, 00000000.00000003.240900347.0000000004C68000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comadi
Source: NXKfWP9SPF0XHRu.exe, 00000000.00000003.240460926.0000000004C6B000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comefaD
Source: NXKfWP9SPF0XHRu.exe, 00000000.00000002.255243254.0000000004E72000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: NXKfWP9SPF0XHRu.exe, 00000000.00000003.241684541.0000000004C6A000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: NXKfWP9SPF0XHRu.exe, 00000000.00000002.255243254.0000000004E72000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: NXKfWP9SPF0XHRu.exe, 00000000.00000002.255243254.0000000004E72000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: NXKfWP9SPF0XHRu.exe, 00000000.00000002.255243254.0000000004E72000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: NXKfWP9SPF0XHRu.exe, 00000000.00000002.255243254.0000000004E72000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: NXKfWP9SPF0XHRu.exe, 00000000.00000002.255243254.0000000004E72000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: NXKfWP9SPF0XHRu.exe, 00000000.00000002.255243254.0000000004E72000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: NXKfWP9SPF0XHRu.exe, 00000000.00000002.255243254.0000000004E72000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: NXKfWP9SPF0XHRu.exe, 00000000.00000003.241684541.0000000004C6A000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comF
Source: NXKfWP9SPF0XHRu.exe, 00000000.00000003.241684541.0000000004C6A000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comM.TTFh
Source: NXKfWP9SPF0XHRu.exe, 00000000.00000002.255001568.0000000004C60000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.coma
Source: NXKfWP9SPF0XHRu.exe, 00000000.00000003.241684541.0000000004C6A000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comdE
Source: NXKfWP9SPF0XHRu.exe, 00000000.00000003.241684541.0000000004C6A000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comdL
Source: NXKfWP9SPF0XHRu.exe, 00000000.00000003.241684541.0000000004C6A000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comessed)
Source: NXKfWP9SPF0XHRu.exe, 00000000.00000003.241684541.0000000004C6A000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comituF
Source: NXKfWP9SPF0XHRu.exe, 00000000.00000003.241684541.0000000004C6A000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comlicF
Source: NXKfWP9SPF0XHRu.exe, 00000000.00000003.241684541.0000000004C6A000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comoa
Source: NXKfWP9SPF0XHRu.exe, 00000000.00000002.255243254.0000000004E72000.00000004.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: NXKfWP9SPF0XHRu.exe, 00000000.00000002.255243254.0000000004E72000.00000004.00000001.sdmp, NXKfWP9SPF0XHRu.exe, 00000000.00000003.239663209.0000000004C70000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: NXKfWP9SPF0XHRu.exe, 00000000.00000003.239663209.0000000004C70000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/
Source: NXKfWP9SPF0XHRu.exe, 00000000.00000002.255243254.0000000004E72000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: NXKfWP9SPF0XHRu.exe, 00000000.00000002.255243254.0000000004E72000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: NXKfWP9SPF0XHRu.exe, 00000000.00000002.255243254.0000000004E72000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: NXKfWP9SPF0XHRu.exe, 00000000.00000002.255243254.0000000004E72000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: NXKfWP9SPF0XHRu.exe, 00000000.00000002.255243254.0000000004E72000.00000004.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: NXKfWP9SPF0XHRu.exe, 00000000.00000003.240900347.0000000004C68000.00000004.00000001.sdmp, NXKfWP9SPF0XHRu.exe, 00000000.00000003.240252277.0000000004C6B000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: NXKfWP9SPF0XHRu.exe, 00000000.00000003.240762052.0000000004C6A000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/)
Source: NXKfWP9SPF0XHRu.exe, 00000000.00000003.240460926.0000000004C6B000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/7
Source: NXKfWP9SPF0XHRu.exe, 00000000.00000003.240252277.0000000004C6B000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/Bold
Source: NXKfWP9SPF0XHRu.exe, 00000000.00000003.240900347.0000000004C68000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/E
Source: NXKfWP9SPF0XHRu.exe, 00000000.00000003.240900347.0000000004C68000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/a
Source: NXKfWP9SPF0XHRu.exe, 00000000.00000003.240900347.0000000004C68000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/h
Source: NXKfWP9SPF0XHRu.exe, 00000000.00000003.240900347.0000000004C68000.00000004.00000001.sdmp, NXKfWP9SPF0XHRu.exe, 00000000.00000003.240460926.0000000004C6B000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: NXKfWP9SPF0XHRu.exe, 00000000.00000003.240678890.0000000004C69000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/)
Source: NXKfWP9SPF0XHRu.exe, 00000000.00000003.240900347.0000000004C68000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/7
Source: NXKfWP9SPF0XHRu.exe, 00000000.00000003.240460926.0000000004C6B000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/h
Source: NXKfWP9SPF0XHRu.exe, 00000000.00000003.240900347.0000000004C68000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/roso
Source: NXKfWP9SPF0XHRu.exe, 00000000.00000003.240900347.0000000004C68000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/v
Source: NXKfWP9SPF0XHRu.exe, 00000000.00000003.240460926.0000000004C6B000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/vvU
Source: NXKfWP9SPF0XHRu.exe, 00000000.00000002.255243254.0000000004E72000.00000004.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: NXKfWP9SPF0XHRu.exe, 00000000.00000002.255243254.0000000004E72000.00000004.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: NXKfWP9SPF0XHRu.exe, 00000000.00000002.255243254.0000000004E72000.00000004.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: NXKfWP9SPF0XHRu.exe, 00000000.00000002.255243254.0000000004E72000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: NXKfWP9SPF0XHRu.exe, 00000000.00000002.255243254.0000000004E72000.00000004.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: NXKfWP9SPF0XHRu.exe, 00000000.00000002.255243254.0000000004E72000.00000004.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: NXKfWP9SPF0XHRu.exe, 00000000.00000002.255243254.0000000004E72000.00000004.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn

Source: NXKfWP9SPF0XHRu.exe, 00000000.00000002.250650891.00000000008D8000.00000004.00000020.sdmp	Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: NXKfWP9SPF0XHRu.exe, 00000000.00000002.250650891.00000000008D8000.00000004.00000020.sdmp	Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: NXKfWP9SPF0XHRu.exe, 00000003.00000002.512257767.0000000005710000.00000004.00000001.sdmp	Binary or memory string: RegisterRawInputDevices
Source: NXKfWP9SPF0XHRu.exe, 00000003.00000002.512257767.0000000005710000.00000004.00000001.sdmp	Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000003.00000002.512257767.0000000005710000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.253897211.0000000003B42000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.253518250.000000000398D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.511185145.0000000003EE7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.505689991.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: NXKfWP9SPF0XHRu.exe PID: 5952, type: MEMORY
Source: Yara match	File source: Process Memory Space: NXKfWP9SPF0XHRu.exe PID: 768, type: MEMORY
Source: Yara match	File source: 3.2.NXKfWP9SPF0XHRu.exe.5710000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.NXKfWP9SPF0XHRu.exe.5710000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.NXKfWP9SPF0XHRu.exe.400000.0.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000003.00000002.512257767.0000000005710000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.253897211.0000000003B42000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.253897211.0000000003B42000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.253518250.000000000398D000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.253518250.000000000398D000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000002.511185145.0000000003EE7000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000002.505689991.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000003.00000002.505689991.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000002.512006874.0000000005200000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: NXKfWP9SPF0XHRu.exe PID: 5952, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: NXKfWP9SPF0XHRu.exe PID: 5952, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: NXKfWP9SPF0XHRu.exe PID: 768, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: NXKfWP9SPF0XHRu.exe PID: 768, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.2.NXKfWP9SPF0XHRu.exe.5710000.5.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.NXKfWP9SPF0XHRu.exe.5710000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.NXKfWP9SPF0XHRu.exe.5200000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.NXKfWP9SPF0XHRu.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.NXKfWP9SPF0XHRu.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000002.512257767.0000000005710000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.253897211.0000000003B42000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.253897211.0000000003B42000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.253518250.000000000398D000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.253518250.000000000398D000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000002.511185145.0000000003EE7000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000002.505689991.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000003.00000002.505689991.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000002.512006874.0000000005200000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: NXKfWP9SPF0XHRu.exe PID: 5952, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: NXKfWP9SPF0XHRu.exe PID: 5952, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: NXKfWP9SPF0XHRu.exe PID: 768, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: NXKfWP9SPF0XHRu.exe PID: 768, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.2.NXKfWP9SPF0XHRu.exe.5710000.5.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.NXKfWP9SPF0XHRu.exe.5710000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.NXKfWP9SPF0XHRu.exe.5200000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.NXKfWP9SPF0XHRu.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.NXKfWP9SPF0XHRu.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>

Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Code function: 0_2_05411756 NtQuerySystemInformation,	0_2_05411756
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Code function: 0_2_05411756 NtQuerySystemInformation,	0_2_05411756
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Code function: 3_2_0504116A NtQuerySystemInformation,	3_2_0504116A
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Code function: 3_2_0504112F NtQuerySystemInformation,	3_2_0504112F

Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Code function: 0_2_04A74C88	0_2_04A74C88
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Code function: 0_2_04A7D8C0	0_2_04A7D8C0
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Code function: 0_2_04A7A238	0_2_04A7A238
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Code function: 0_2_04A787A0	0_2_04A787A0
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Code function: 0_2_04A711F8	0_2_04A711F8
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Code function: 0_2_04A71B21	0_2_04A71B21
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Code function: 0_2_04A70B18	0_2_04A70B18
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Code function: 0_2_04A72978	0_2_04A72978
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Code function: 0_2_04A74AA0	0_2_04A74AA0
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Code function: 0_2_04A740B8	0_2_04A740B8
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Code function: 0_2_04A72888	0_2_04A72888
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Code function: 0_2_04A79488	0_2_04A79488
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Code function: 0_2_04A74A90	0_2_04A74A90
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Code function: 0_2_04A70099	0_2_04A70099
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Code function: 0_2_04A746E0	0_2_04A746E0
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Code function: 0_2_04A740C8	0_2_04A740C8
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Code function: 0_2_04A746D0	0_2_04A746D0
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Code function: 0_2_04A71620	0_2_04A71620
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Code function: 0_2_04A73661	0_2_04A73661
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Code function: 0_2_04A74C77	0_2_04A74C77
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Code function: 0_2_04A73670	0_2_04A73670
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Code function: 0_2_04A70A7F	0_2_04A70A7F
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Code function: 0_2_04A74840	0_2_04A74840
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Code function: 0_2_04A74850	0_2_04A74850
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Code function: 0_2_04A78791	0_2_04A78791
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Code function: 0_2_04A78100	0_2_04A78100
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Code function: 0_2_04A78110	0_2_04A78110
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Code function: 0_2_04A78B48	0_2_04A78B48
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Code function: 0_2_04A74358	0_2_04A74358
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Code function: 0_2_05493A5C	0_2_05493A5C
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Code function: 0_2_054950A7	0_2_054950A7
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Code function: 0_2_05493F3C	0_2_05493F3C
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Code function: 0_2_05493ABA	0_2_05493ABA
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Code function: 0_2_04A74C88	0_2_04A74C88
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Code function: 0_2_04A7D8C0	0_2_04A7D8C0
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Code function: 0_2_04A7A238	0_2_04A7A238
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Code function: 0_2_04A787A0	0_2_04A787A0
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Code function: 0_2_04A711F8	0_2_04A711F8
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Code function: 0_2_04A71B21	0_2_04A71B21
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Code function: 0_2_04A70B18	0_2_04A70B18
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Code function: 0_2_04A72978	0_2_04A72978
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Code function: 0_2_04A74AA0	0_2_04A74AA0
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Code function: 0_2_04A740B8	0_2_04A740B8
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Code function: 0_2_04A72888	0_2_04A72888
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Code function: 0_2_04A79488	0_2_04A79488
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Code function: 0_2_04A74A90	0_2_04A74A90
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Code function: 0_2_04A70099	0_2_04A70099
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Code function: 0_2_04A746E0	0_2_04A746E0
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Code function: 0_2_04A740C8	0_2_04A740C8
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Code function: 0_2_04A746D0	0_2_04A746D0
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Code function: 0_2_04A71620	0_2_04A71620
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Code function: 0_2_04A73661	0_2_04A73661
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Code function: 0_2_04A74C77	0_2_04A74C77
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Code function: 0_2_04A73670	0_2_04A73670
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Code function: 0_2_04A70A7F	0_2_04A70A7F
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Code function: 0_2_04A74840	0_2_04A74840
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Code function: 0_2_04A74850	0_2_04A74850
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Code function: 0_2_04A78791	0_2_04A78791
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Code function: 0_2_04A78100	0_2_04A78100
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Code function: 0_2_04A78110	0_2_04A78110
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Code function: 0_2_04A78B48	0_2_04A78B48
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Code function: 0_2_04A74358	0_2_04A74358
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Code function: 0_2_05493A5C	0_2_05493A5C
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Code function: 0_2_054950A7	0_2_054950A7
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Code function: 0_2_05493F3C	0_2_05493F3C
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Code function: 0_2_05493ABA	0_2_05493ABA
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Code function: 3_2_02AF2FA8	3_2_02AF2FA8
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Code function: 3_2_02AF23A0	3_2_02AF23A0
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Code function: 3_2_02AFACC8	3_2_02AFACC8
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Code function: 3_2_02AF9068	3_2_02AF9068
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Code function: 3_2_02AF8468	3_2_02AF8468
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Code function: 3_2_02AF3850	3_2_02AF3850
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Code function: 3_2_02AF306F	3_2_02AF306F
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Code function: 3_2_02AF912F	3_2_02AF912F
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Code function: 3_2_02AF9910	3_2_02AF9910

Source: NXKfWP9SPF0XHRu.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: ynSazlVxDpCRe.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: NXKfWP9SPF0XHRu.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: ynSazlVxDpCRe.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: NXKfWP9SPF0XHRu.exe	Binary or memory string: OriginalFilename vs NXKfWP9SPF0XHRu.exe
Source: NXKfWP9SPF0XHRu.exe, 00000000.00000002.257068238.0000000005B30000.00000002.00000001.sdmp	Binary or memory string: originalfilename vs NXKfWP9SPF0XHRu.exe
Source: NXKfWP9SPF0XHRu.exe, 00000000.00000002.257068238.0000000005B30000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs NXKfWP9SPF0XHRu.exe
Source: NXKfWP9SPF0XHRu.exe, 00000000.00000002.253897211.0000000003B42000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameB2B.exe4 vs NXKfWP9SPF0XHRu.exe
Source: NXKfWP9SPF0XHRu.exe, 00000000.00000002.256985235.0000000005A50000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs NXKfWP9SPF0XHRu.exe
Source: NXKfWP9SPF0XHRu.exe, 00000000.00000002.258006053.00000000070C0000.00000002.00000001.sdmp	Binary or memory string: System.OriginalFileName vs NXKfWP9SPF0XHRu.exe
Source: NXKfWP9SPF0XHRu.exe, 00000000.00000002.257045055.0000000005AC0000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameMARCUS.dll4 vs NXKfWP9SPF0XHRu.exe
Source: NXKfWP9SPF0XHRu.exe, 00000003.00000002.509434462.0000000002EA1000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameClientPlugin.dll4 vs NXKfWP9SPF0XHRu.exe
Source: NXKfWP9SPF0XHRu.exe, 00000003.00000002.512537276.0000000005FC0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs NXKfWP9SPF0XHRu.exe
Source: NXKfWP9SPF0XHRu.exe, 00000003.00000002.512257767.0000000005710000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameLzma#.dll4 vs NXKfWP9SPF0XHRu.exe
Source: NXKfWP9SPF0XHRu.exe, 00000003.00000002.512257767.0000000005710000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs NXKfWP9SPF0XHRu.exe
Source: NXKfWP9SPF0XHRu.exe, 00000003.00000000.248853862.0000000000810000.00000002.00020000.sdmp	Binary or memory string: OriginalFilename vs NXKfWP9SPF0XHRu.exe
Source: NXKfWP9SPF0XHRu.exe, 00000003.00000002.511937278.0000000005190000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs NXKfWP9SPF0XHRu.exe
Source: NXKfWP9SPF0XHRu.exe, 00000003.00000002.507771480.0000000002B40000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameuser32j% vs NXKfWP9SPF0XHRu.exe
Source: NXKfWP9SPF0XHRu.exe	Binary or memory string: OriginalFilename vs NXKfWP9SPF0XHRu.exe
Source: NXKfWP9SPF0XHRu.exe	Binary or memory string: OriginalFilename vs NXKfWP9SPF0XHRu.exe
Source: NXKfWP9SPF0XHRu.exe, 00000000.00000002.257068238.0000000005B30000.00000002.00000001.sdmp	Binary or memory string: originalfilename vs NXKfWP9SPF0XHRu.exe
Source: NXKfWP9SPF0XHRu.exe, 00000000.00000002.257068238.0000000005B30000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs NXKfWP9SPF0XHRu.exe
Source: NXKfWP9SPF0XHRu.exe, 00000000.00000002.253897211.0000000003B42000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameB2B.exe4 vs NXKfWP9SPF0XHRu.exe
Source: NXKfWP9SPF0XHRu.exe, 00000000.00000002.256985235.0000000005A50000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs NXKfWP9SPF0XHRu.exe
Source: NXKfWP9SPF0XHRu.exe, 00000000.00000002.258006053.00000000070C0000.00000002.00000001.sdmp	Binary or memory string: System.OriginalFileName vs NXKfWP9SPF0XHRu.exe
Source: NXKfWP9SPF0XHRu.exe, 00000000.00000002.257045055.0000000005AC0000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameMARCUS.dll4 vs NXKfWP9SPF0XHRu.exe
Source: NXKfWP9SPF0XHRu.exe, 00000003.00000002.509434462.0000000002EA1000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameClientPlugin.dll4 vs NXKfWP9SPF0XHRu.exe
Source: NXKfWP9SPF0XHRu.exe, 00000003.00000002.512537276.0000000005FC0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs NXKfWP9SPF0XHRu.exe
Source: NXKfWP9SPF0XHRu.exe, 00000003.00000002.512257767.0000000005710000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameLzma#.dll4 vs NXKfWP9SPF0XHRu.exe
Source: NXKfWP9SPF0XHRu.exe, 00000003.00000002.512257767.0000000005710000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs NXKfWP9SPF0XHRu.exe
Source: NXKfWP9SPF0XHRu.exe, 00000003.00000000.248853862.0000000000810000.00000002.00020000.sdmp	Binary or memory string: OriginalFilename vs NXKfWP9SPF0XHRu.exe
Source: NXKfWP9SPF0XHRu.exe, 00000003.00000002.511937278.0000000005190000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs NXKfWP9SPF0XHRu.exe
Source: NXKfWP9SPF0XHRu.exe, 00000003.00000002.507771480.0000000002B40000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameuser32j% vs NXKfWP9SPF0XHRu.exe
Source: NXKfWP9SPF0XHRu.exe	Binary or memory string: OriginalFilename vs NXKfWP9SPF0XHRu.exe

Source: 00000003.00000002.512257767.0000000005710000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000003.00000002.512257767.0000000005710000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.253897211.0000000003B42000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.253897211.0000000003B42000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.253518250.000000000398D000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.253518250.000000000398D000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000003.00000002.511185145.0000000003EE7000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000003.00000002.505689991.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000003.00000002.505689991.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000003.00000002.512006874.0000000005200000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000003.00000002.512006874.0000000005200000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: Process Memory Space: NXKfWP9SPF0XHRu.exe PID: 5952, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: NXKfWP9SPF0XHRu.exe PID: 5952, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: NXKfWP9SPF0XHRu.exe PID: 768, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: NXKfWP9SPF0XHRu.exe PID: 768, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 3.2.NXKfWP9SPF0XHRu.exe.5710000.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.2.NXKfWP9SPF0XHRu.exe.5710000.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.NXKfWP9SPF0XHRu.exe.5710000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.2.NXKfWP9SPF0XHRu.exe.5710000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.NXKfWP9SPF0XHRu.exe.5200000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.2.NXKfWP9SPF0XHRu.exe.5200000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.NXKfWP9SPF0XHRu.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.2.NXKfWP9SPF0XHRu.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.NXKfWP9SPF0XHRu.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000003.00000002.512257767.0000000005710000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000003.00000002.512257767.0000000005710000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.253897211.0000000003B42000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.253897211.0000000003B42000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.253518250.000000000398D000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.253518250.000000000398D000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000003.00000002.511185145.0000000003EE7000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000003.00000002.505689991.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000003.00000002.505689991.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000003.00000002.512006874.0000000005200000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000003.00000002.512006874.0000000005200000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: Process Memory Space: NXKfWP9SPF0XHRu.exe PID: 5952, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: NXKfWP9SPF0XHRu.exe PID: 5952, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: NXKfWP9SPF0XHRu.exe PID: 768, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: NXKfWP9SPF0XHRu.exe PID: 768, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 3.2.NXKfWP9SPF0XHRu.exe.5710000.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.2.NXKfWP9SPF0XHRu.exe.5710000.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.NXKfWP9SPF0XHRu.exe.5710000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.2.NXKfWP9SPF0XHRu.exe.5710000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.NXKfWP9SPF0XHRu.exe.5200000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.2.NXKfWP9SPF0XHRu.exe.5200000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.NXKfWP9SPF0XHRu.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.2.NXKfWP9SPF0XHRu.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.NXKfWP9SPF0XHRu.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore

Source: 3.2.NXKfWP9SPF0XHRu.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 3.2.NXKfWP9SPF0XHRu.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 3.2.NXKfWP9SPF0XHRu.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 3.2.NXKfWP9SPF0XHRu.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 3.2.NXKfWP9SPF0XHRu.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 3.2.NXKfWP9SPF0XHRu.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: classification engine

Classification label: mal100.troj.evad.winEXE@6/4@0/1

Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Code function: 0_2_054115DA AdjustTokenPrivileges,	0_2_054115DA
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Code function: 0_2_054115DA AdjustTokenPrivileges,	0_2_054115DA
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Code function: 3_2_05040F2A AdjustTokenPrivileges,	3_2_05040F2A
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Code function: 3_2_05040EF3 AdjustTokenPrivileges,	3_2_05040EF3

Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	File created: C:\Users\user\AppData\Roaming\ynSazlVxDpCRe.exe			Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	File created: C:\Users\user\AppData\Roaming\ynSazlVxDpCRe.exe			Jump to behavior

Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Mutant created: \Sessions\1\BaseNamedObjects\wOaZzcrdioFDiVf
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{9f1637ca-7a2a-4aa5-bf17-8e7b7d705552}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6092:120:WilError_01
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Mutant created: \Sessions\1\BaseNamedObjects\wOaZzcrdioFDiVf
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{9f1637ca-7a2a-4aa5-bf17-8e7b7d705552}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6092:120:WilError_01

Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	File created: C:\Users\user\AppData\Local\Temp\tmp10AA.tmp			Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	File created: C:\Users\user\AppData\Local\Temp\tmp10AA.tmp			Jump to behavior

Source: NXKfWP9SPF0XHRu.exe	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: NXKfWP9SPF0XHRu.exe	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior

Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	File read: C:\Users\user\Desktop\desktop.ini			Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	File read: C:\Users\user\Desktop\desktop.ini			Jump to behavior

Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers			Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers			Jump to behavior

Source: NXKfWP9SPF0XHRu.exe	ReversingLabs: Detection: 16%
Source: NXKfWP9SPF0XHRu.exe	ReversingLabs: Detection: 16%

Source: NXKfWP9SPF0XHRu.exe	String found in binary or memory: icons8-Add-16
Source: NXKfWP9SPF0XHRu.exe	String found in binary or memory: es>false</DisallowStartIfOnBatteries> <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries> <AllowHardTerminate>false</AllowHardTerminate> <StartWhenAvailable>true</StartWhenAvailable> <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvail
Source: NXKfWP9SPF0XHRu.exe	String found in binary or memory: es>false</DisallowStartIfOnBatteries> <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries> <AllowHardTerminate>false</AllowHardTerminate> <StartWhenAvailable>true</StartWhenAvailable> <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvail
Source: NXKfWP9SPF0XHRu.exe	String found in binary or memory: ble> <IdleSettings> <StopOnIdleEnd>true</StopOnIdleEnd> <RestartOnIdle>false</RestartOnIdle> </IdleSettings> <AllowStartOnDemand>true</AllowStartOnDemand> <Enabled>true</Enabled> <Hidden>false</Hidden> <RunOnlyIfIdle
Source: NXKfWP9SPF0XHRu.exe	String found in binary or memory: ble> <IdleSettings> <StopOnIdleEnd>true</StopOnIdleEnd> <RestartOnIdle>false</RestartOnIdle> </IdleSettings> <AllowStartOnDemand>true</AllowStartOnDemand> <Enabled>true</Enabled> <Hidden>false</Hidden> <RunOnlyIfIdle
Source: NXKfWP9SPF0XHRu.exe	String found in binary or memory: icons8-Add-16
Source: NXKfWP9SPF0XHRu.exe	String found in binary or memory: icons8-Add-16
Source: NXKfWP9SPF0XHRu.exe	String found in binary or memory: icons8-Add-16
Source: NXKfWP9SPF0XHRu.exe	String found in binary or memory: es>false</DisallowStartIfOnBatteries> <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries> <AllowHardTerminate>false</AllowHardTerminate> <StartWhenAvailable>true</StartWhenAvailable> <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvail
Source: NXKfWP9SPF0XHRu.exe	String found in binary or memory: es>false</DisallowStartIfOnBatteries> <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries> <AllowHardTerminate>false</AllowHardTerminate> <StartWhenAvailable>true</StartWhenAvailable> <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvail
Source: NXKfWP9SPF0XHRu.exe	String found in binary or memory: ble> <IdleSettings> <StopOnIdleEnd>true</StopOnIdleEnd> <RestartOnIdle>false</RestartOnIdle> </IdleSettings> <AllowStartOnDemand>true</AllowStartOnDemand> <Enabled>true</Enabled> <Hidden>false</Hidden> <RunOnlyIfIdle
Source: NXKfWP9SPF0XHRu.exe	String found in binary or memory: ble> <IdleSettings> <StopOnIdleEnd>true</StopOnIdleEnd> <RestartOnIdle>false</RestartOnIdle> </IdleSettings> <AllowStartOnDemand>true</AllowStartOnDemand> <Enabled>true</Enabled> <Hidden>false</Hidden> <RunOnlyIfIdle
Source: NXKfWP9SPF0XHRu.exe	String found in binary or memory: icons8-Add-16
Source: NXKfWP9SPF0XHRu.exe	String found in binary or memory: icons8-Add-16

Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	File read: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe			Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	File read: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe			Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe 'C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe'
Source: unknown	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\ynSazlVxDpCRe' /XML 'C:\Users\user\AppData\Local\Temp\tmp10AA.tmp'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe {path}
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\ynSazlVxDpCRe' /XML 'C:\Users\user\AppData\Local\Temp\tmp10AA.tmp'	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Process created: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe {path}	Jump to behavior
Source: unknown	Process created: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe 'C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe'
Source: unknown	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\ynSazlVxDpCRe' /XML 'C:\Users\user\AppData\Local\Temp\tmp10AA.tmp'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe {path}
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\ynSazlVxDpCRe' /XML 'C:\Users\user\AppData\Local\Temp\tmp10AA.tmp'	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Process created: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe {path}	Jump to behavior

Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32			Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32			Jump to behavior

Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll			Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll			Jump to behavior

Source: NXKfWP9SPF0XHRu.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: NXKfWP9SPF0XHRu.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: NXKfWP9SPF0XHRu.exe	Static PE information: Virtual size of .text is bigger than: 0x100000
Source: NXKfWP9SPF0XHRu.exe	Static PE information: Virtual size of .text is bigger than: 0x100000

Source: NXKfWP9SPF0XHRu.exe	Static file information: File size 1117184 > 1048576
Source: NXKfWP9SPF0XHRu.exe	Static file information: File size 1117184 > 1048576

Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll			Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll			Jump to behavior

Source: NXKfWP9SPF0XHRu.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x10c600
Source: NXKfWP9SPF0XHRu.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x10c600

Source: NXKfWP9SPF0XHRu.exe	Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: NXKfWP9SPF0XHRu.exe	Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: mscorrc.pdb source: NXKfWP9SPF0XHRu.exe, 00000000.00000002.256985235.0000000005A50000.00000002.00000001.sdmp, NXKfWP9SPF0XHRu.exe, 00000003.00000002.511937278.0000000005190000.00000002.00000001.sdmp
Source:	Binary string: mscorrc.pdb source: NXKfWP9SPF0XHRu.exe, 00000000.00000002.256985235.0000000005A50000.00000002.00000001.sdmp, NXKfWP9SPF0XHRu.exe, 00000003.00000002.511937278.0000000005190000.00000002.00000001.sdmp

Data Obfuscation:

.NET source code contains potential unpacker

Show sources

Source: 3.2.NXKfWP9SPF0XHRu.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 3.2.NXKfWP9SPF0XHRu.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 3.2.NXKfWP9SPF0XHRu.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 3.2.NXKfWP9SPF0XHRu.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Code function: 0_2_001A4825 push ecx; retf	0_2_001A482D
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Code function: 0_2_001A317F pushfd ; ret	0_2_001A3185
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Code function: 0_2_001A2A7C pushfd ; iretd	0_2_001A2A81
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Code function: 0_2_001A23B3 pushad ; iretd	0_2_001A23B6
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Code function: 0_2_001A5EF8 push es; retf	0_2_001A5EFA
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Code function: 0_2_001A2CF6 push ds; ret	0_2_001A2D09
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Code function: 0_2_04A792C8 pushfd ; iretd	0_2_04A792C9
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Code function: 0_2_001A4825 push ecx; retf	0_2_001A482D
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Code function: 0_2_001A317F pushfd ; ret	0_2_001A3185
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Code function: 0_2_001A2A7C pushfd ; iretd	0_2_001A2A81
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Code function: 0_2_001A23B3 pushad ; iretd	0_2_001A23B6
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Code function: 0_2_001A5EF8 push es; retf	0_2_001A5EFA
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Code function: 0_2_001A2CF6 push ds; ret	0_2_001A2D09
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Code function: 0_2_04A792C8 pushfd ; iretd	0_2_04A792C9
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Code function: 3_2_00702A7C pushfd ; iretd	3_2_00702A81
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Code function: 3_2_0070317F pushfd ; ret	3_2_00703185
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Code function: 3_2_00704825 push ecx; retf	3_2_0070482D
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Code function: 3_2_00702CF6 push ds; ret	3_2_00702D09
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Code function: 3_2_00705EF8 push es; retf	3_2_00705EFA
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Code function: 3_2_007023B3 pushad ; iretd	3_2_007023B6
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Code function: 3_2_010F9D30 pushad ; retf	3_2_010F9D31

Source: initial sample	Static PE information: section name: .text entropy: 7.38603476189
Source: initial sample	Static PE information: section name: .text entropy: 7.38603476189
Source: initial sample	Static PE information: section name: .text entropy: 7.38603476189
Source: initial sample	Static PE information: section name: .text entropy: 7.38603476189

Source: 3.2.NXKfWP9SPF0XHRu.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 3.2.NXKfWP9SPF0XHRu.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 3.2.NXKfWP9SPF0XHRu.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 3.2.NXKfWP9SPF0XHRu.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'

Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	File created: C:\Users\user\AppData\Roaming\ynSazlVxDpCRe.exe			Jump to dropped file
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	File created: C:\Users\user\AppData\Roaming\ynSazlVxDpCRe.exe			Jump to dropped file

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules

Show sources

Source: unknown	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\ynSazlVxDpCRe' /XML 'C:\Users\user\AppData\Local\Temp\tmp10AA.tmp'
Source: unknown	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\ynSazlVxDpCRe' /XML 'C:\Users\user\AppData\Local\Temp\tmp10AA.tmp'

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	File opened: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe:Zone.Identifier read attributes \| delete			Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	File opened: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe:Zone.Identifier read attributes \| delete			Jump to behavior

Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM_3

Show sources

Source: Yara match	File source: 00000000.00000002.251828506.0000000002994000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: NXKfWP9SPF0XHRu.exe PID: 5952, type: MEMORY

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: NXKfWP9SPF0XHRu.exe, 00000000.00000002.251736949.0000000002951000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLLX1
Source: NXKfWP9SPF0XHRu.exe, 00000000.00000002.253243662.0000000002CD6000.00000004.00000001.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: NXKfWP9SPF0XHRu.exe, 00000000.00000002.253243662.0000000002CD6000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL
Source: NXKfWP9SPF0XHRu.exe, 00000000.00000002.251736949.0000000002951000.00000004.00000001.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAMEX1
Source: NXKfWP9SPF0XHRu.exe, 00000000.00000002.251736949.0000000002951000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLLX1
Source: NXKfWP9SPF0XHRu.exe, 00000000.00000002.253243662.0000000002CD6000.00000004.00000001.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: NXKfWP9SPF0XHRu.exe, 00000000.00000002.253243662.0000000002CD6000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL
Source: NXKfWP9SPF0XHRu.exe, 00000000.00000002.251736949.0000000002951000.00000004.00000001.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAMEX1

Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}			Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}			Jump to behavior

Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Code function: 0_2_053B09AA sldt word ptr [eax]		0_2_053B09AA
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Code function: 0_2_053B09AA sldt word ptr [eax]		0_2_053B09AA

Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Window / User API: threadDelayed 706	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Window / User API: threadDelayed 630	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Window / User API: foregroundWindowGot 897	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Window / User API: threadDelayed 706	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Window / User API: threadDelayed 630	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Window / User API: foregroundWindowGot 897	Jump to behavior

Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe TID: 4612	Thread sleep time: -41500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe TID: 4600	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe TID: 4464	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe TID: 3388	Thread sleep time: -120000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe TID: 4612	Thread sleep time: -41500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe TID: 4600	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe TID: 4464	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe TID: 3388	Thread sleep time: -120000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Code function: 3_2_05040BB6 GetSystemInfo,		3_2_05040BB6
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Code function: 3_2_05040BB6 GetSystemInfo,		3_2_05040BB6

Source: NXKfWP9SPF0XHRu.exe, 00000000.00000002.253243662.0000000002CD6000.00000004.00000001.sdmp	Binary or memory string: VMware
Source: NXKfWP9SPF0XHRu.exe, 00000000.00000002.251736949.0000000002951000.00000004.00000001.sdmp	Binary or memory string: vmwareX1
Source: NXKfWP9SPF0XHRu.exe, 00000000.00000002.253243662.0000000002CD6000.00000004.00000001.sdmp	Binary or memory string: VMWARE\|9
Source: NXKfWP9SPF0XHRu.exe, 00000000.00000002.251736949.0000000002951000.00000004.00000001.sdmp	Binary or memory string: q#"SOFTWARE\VMware, Inc.\VMware ToolsX1
Source: NXKfWP9SPF0XHRu.exe, 00000003.00000002.512537276.0000000005FC0000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: NXKfWP9SPF0XHRu.exe, 00000000.00000002.251736949.0000000002951000.00000004.00000001.sdmp	Binary or memory string: q&%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\X1
Source: NXKfWP9SPF0XHRu.exe, 00000000.00000002.253243662.0000000002CD6000.00000004.00000001.sdmp	Binary or memory string: VMware\|9
Source: NXKfWP9SPF0XHRu.exe, 00000000.00000002.251736949.0000000002951000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA IIX1
Source: NXKfWP9SPF0XHRu.exe, 00000000.00000002.253243662.0000000002CD6000.00000004.00000001.sdmp	Binary or memory string: VMware \|9
Source: NXKfWP9SPF0XHRu.exe, 00000000.00000002.253243662.0000000002CD6000.00000004.00000001.sdmp	Binary or memory string: VMWARE
Source: NXKfWP9SPF0XHRu.exe, 00000000.00000002.253243662.0000000002CD6000.00000004.00000001.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: NXKfWP9SPF0XHRu.exe, 00000003.00000002.512537276.0000000005FC0000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: NXKfWP9SPF0XHRu.exe, 00000003.00000002.512537276.0000000005FC0000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: NXKfWP9SPF0XHRu.exe, 00000000.00000002.251736949.0000000002951000.00000004.00000001.sdmp	Binary or memory string: VMWAREX1
Source: NXKfWP9SPF0XHRu.exe, 00000000.00000002.253243662.0000000002CD6000.00000004.00000001.sdmp	Binary or memory string: VMware
Source: NXKfWP9SPF0XHRu.exe, 00000000.00000002.253243662.0000000002CD6000.00000004.00000001.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: NXKfWP9SPF0XHRu.exe, 00000000.00000002.253243662.0000000002CD6000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: NXKfWP9SPF0XHRu.exe, 00000000.00000002.251736949.0000000002951000.00000004.00000001.sdmp	Binary or memory string: QEMUX1
Source: NXKfWP9SPF0XHRu.exe, 00000000.00000002.253243662.0000000002CD6000.00000004.00000001.sdmp	Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: NXKfWP9SPF0XHRu.exe, 00000003.00000002.512537276.0000000005FC0000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: NXKfWP9SPF0XHRu.exe, 00000000.00000002.253243662.0000000002CD6000.00000004.00000001.sdmp	Binary or memory string: VMware
Source: NXKfWP9SPF0XHRu.exe, 00000000.00000002.251736949.0000000002951000.00000004.00000001.sdmp	Binary or memory string: vmwareX1
Source: NXKfWP9SPF0XHRu.exe, 00000000.00000002.253243662.0000000002CD6000.00000004.00000001.sdmp	Binary or memory string: VMWARE\|9
Source: NXKfWP9SPF0XHRu.exe, 00000000.00000002.251736949.0000000002951000.00000004.00000001.sdmp	Binary or memory string: q#"SOFTWARE\VMware, Inc.\VMware ToolsX1
Source: NXKfWP9SPF0XHRu.exe, 00000003.00000002.512537276.0000000005FC0000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: NXKfWP9SPF0XHRu.exe, 00000000.00000002.251736949.0000000002951000.00000004.00000001.sdmp	Binary or memory string: q&%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\X1
Source: NXKfWP9SPF0XHRu.exe, 00000000.00000002.253243662.0000000002CD6000.00000004.00000001.sdmp	Binary or memory string: VMware\|9
Source: NXKfWP9SPF0XHRu.exe, 00000000.00000002.251736949.0000000002951000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA IIX1
Source: NXKfWP9SPF0XHRu.exe, 00000000.00000002.253243662.0000000002CD6000.00000004.00000001.sdmp	Binary or memory string: VMware \|9
Source: NXKfWP9SPF0XHRu.exe, 00000000.00000002.253243662.0000000002CD6000.00000004.00000001.sdmp	Binary or memory string: VMWARE
Source: NXKfWP9SPF0XHRu.exe, 00000000.00000002.253243662.0000000002CD6000.00000004.00000001.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: NXKfWP9SPF0XHRu.exe, 00000003.00000002.512537276.0000000005FC0000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: NXKfWP9SPF0XHRu.exe, 00000003.00000002.512537276.0000000005FC0000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: NXKfWP9SPF0XHRu.exe, 00000000.00000002.251736949.0000000002951000.00000004.00000001.sdmp	Binary or memory string: VMWAREX1
Source: NXKfWP9SPF0XHRu.exe, 00000000.00000002.253243662.0000000002CD6000.00000004.00000001.sdmp	Binary or memory string: VMware
Source: NXKfWP9SPF0XHRu.exe, 00000000.00000002.253243662.0000000002CD6000.00000004.00000001.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: NXKfWP9SPF0XHRu.exe, 00000000.00000002.253243662.0000000002CD6000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: NXKfWP9SPF0XHRu.exe, 00000000.00000002.251736949.0000000002951000.00000004.00000001.sdmp	Binary or memory string: QEMUX1
Source: NXKfWP9SPF0XHRu.exe, 00000000.00000002.253243662.0000000002CD6000.00000004.00000001.sdmp	Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: NXKfWP9SPF0XHRu.exe, 00000003.00000002.512537276.0000000005FC0000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Process information queried: ProcessInformation			Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Process information queried: ProcessInformation			Jump to behavior

Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Memory allocated: page read and write \| page guard			Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Memory allocated: page read and write \| page guard			Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Memory written: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Memory written: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe base: 400000 value starts with: 4D5A			Jump to behavior

Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\ynSazlVxDpCRe' /XML 'C:\Users\user\AppData\Local\Temp\tmp10AA.tmp'	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Process created: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe {path}	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\ynSazlVxDpCRe' /XML 'C:\Users\user\AppData\Local\Temp\tmp10AA.tmp'	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Process created: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe {path}	Jump to behavior

Source: NXKfWP9SPF0XHRu.exe, 00000003.00000002.507540733.0000000001560000.00000002.00000001.sdmp	Binary or memory string: uProgram Manager
Source: NXKfWP9SPF0XHRu.exe, 00000003.00000002.510272832.0000000002F30000.00000004.00000001.sdmp	Binary or memory string: Program Manager
Source: NXKfWP9SPF0XHRu.exe, 00000003.00000002.507540733.0000000001560000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: NXKfWP9SPF0XHRu.exe, 00000003.00000002.507540733.0000000001560000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: NXKfWP9SPF0XHRu.exe, 00000003.00000002.510272832.0000000002F30000.00000004.00000001.sdmp	Binary or memory string: Program Managerp
Source: NXKfWP9SPF0XHRu.exe, 00000003.00000002.510928937.00000000030E8000.00000004.00000001.sdmp	Binary or memory string: Program ManagerHs
Source: NXKfWP9SPF0XHRu.exe, 00000003.00000002.507540733.0000000001560000.00000002.00000001.sdmp	Binary or memory string: Progmanlock
Source: NXKfWP9SPF0XHRu.exe, 00000003.00000002.510928937.00000000030E8000.00000004.00000001.sdmp	Binary or memory string: Program Manager
Source: NXKfWP9SPF0XHRu.exe, 00000003.00000002.507540733.0000000001560000.00000002.00000001.sdmp	Binary or memory string: uProgram Manager
Source: NXKfWP9SPF0XHRu.exe, 00000003.00000002.510272832.0000000002F30000.00000004.00000001.sdmp	Binary or memory string: Program Manager
Source: NXKfWP9SPF0XHRu.exe, 00000003.00000002.507540733.0000000001560000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: NXKfWP9SPF0XHRu.exe, 00000003.00000002.507540733.0000000001560000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: NXKfWP9SPF0XHRu.exe, 00000003.00000002.510272832.0000000002F30000.00000004.00000001.sdmp	Binary or memory string: Program Managerp
Source: NXKfWP9SPF0XHRu.exe, 00000003.00000002.510928937.00000000030E8000.00000004.00000001.sdmp	Binary or memory string: Program ManagerHs
Source: NXKfWP9SPF0XHRu.exe, 00000003.00000002.507540733.0000000001560000.00000002.00000001.sdmp	Binary or memory string: Progmanlock
Source: NXKfWP9SPF0XHRu.exe, 00000003.00000002.510928937.00000000030E8000.00000004.00000001.sdmp	Binary or memory string: Program Manager

Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Code function: 3_2_010EAF9A GetUserNameW,		3_2_010EAF9A
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Code function: 3_2_010EAF9A GetUserNameW,		3_2_010EAF9A

Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid			Jump to behavior
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid			Jump to behavior

Stealing of Sensitive Information:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000003.00000002.512257767.0000000005710000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.253897211.0000000003B42000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.253518250.000000000398D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.511185145.0000000003EE7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.505689991.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: NXKfWP9SPF0XHRu.exe PID: 5952, type: MEMORY
Source: Yara match	File source: Process Memory Space: NXKfWP9SPF0XHRu.exe PID: 768, type: MEMORY
Source: Yara match	File source: 3.2.NXKfWP9SPF0XHRu.exe.5710000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.NXKfWP9SPF0XHRu.exe.5710000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.NXKfWP9SPF0XHRu.exe.400000.0.unpack, type: UNPACKEDPE

Remote Access Functionality:

Detected Nanocore Rat

Show sources

Source: NXKfWP9SPF0XHRu.exe, 00000000.00000002.253897211.0000000003B42000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: NXKfWP9SPF0XHRu.exe, 00000003.00000002.509434462.0000000002EA1000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: NXKfWP9SPF0XHRu.exe, 00000003.00000002.509434462.0000000002EA1000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: NXKfWP9SPF0XHRu.exe, 00000000.00000002.253897211.0000000003B42000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: NXKfWP9SPF0XHRu.exe, 00000003.00000002.509434462.0000000002EA1000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: NXKfWP9SPF0XHRu.exe, 00000003.00000002.509434462.0000000002EA1000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000003.00000002.512257767.0000000005710000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.253897211.0000000003B42000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.253518250.000000000398D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.511185145.0000000003EE7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.505689991.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: NXKfWP9SPF0XHRu.exe PID: 5952, type: MEMORY
Source: Yara match	File source: Process Memory Space: NXKfWP9SPF0XHRu.exe PID: 768, type: MEMORY
Source: Yara match	File source: 3.2.NXKfWP9SPF0XHRu.exe.5710000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.NXKfWP9SPF0XHRu.exe.5710000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.NXKfWP9SPF0XHRu.exe.400000.0.unpack, type: UNPACKEDPE

Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Code function: 3_2_05042386 bind,	3_2_05042386
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Code function: 3_2_05042353 bind,	3_2_05042353
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Code function: 3_2_05042386 bind,	3_2_05042386
Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe	Code function: 3_2_05042353 bind,	3_2_05042353

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Command and Scripting Interpreter2	Scheduled Task/Job1	Access Token Manipulation1	Masquerading1	Input Capture21	Security Software Discovery211	Remote Services	Input Capture21	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job1	Boot or Logon Initialization Scripts	Process Injection112	Virtualization/Sandbox Evasion4	LSASS Memory	Virtualization/Sandbox Evasion4	Remote Desktop Protocol	Archive Collected Data11	Exfiltration Over Bluetooth	Non-Standard Port1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Scheduled Task/Job1	Disable or Modify Tools1	Security Account Manager	Process Discovery2	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Remote Access Software1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Access Token Manipulation1	NTDS	Application Window Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Process Injection112	LSA Secrets	Account Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Deobfuscate/Decode Files or Information1	Cached Domain Credentials	System Owner/User Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Hidden Files and Directories1	DCSync	File and Directory Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Obfuscated Files or Information3	Proc Filesystem	System Information Discovery13	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Software Packing12	/etc/passwd and /etc/shadow	System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
NXKfWP9SPF0XHRu.exe	17%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\ynSazlVxDpCRe.exe	17%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
3.2.NXKfWP9SPF0XHRu.exe.400000.0.unpack	100%	Avira	TR/Dropper.MSIL.Gen7		Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://www.fontbureau.comoa	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.carterandcone.com	0%	URL Reputation	safe
http://www.carterandcone.com	0%	URL Reputation	safe
http://www.carterandcone.com	0%	URL Reputation	safe
http://www.carterandcone.com	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/jp/7	0%	Virustotal		Browse
http://www.jiyu-kobo.co.jp/jp/7	0%	Avira URL Cloud	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.carterandcone.comefaD	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/roso	0%	Avira URL Cloud	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/7	0%	Avira URL Cloud	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/jp/h	0%	Avira URL Cloud	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/)	0%	Avira URL Cloud	safe
http://www.carterandcone.comadi	0%	Avira URL Cloud	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.fontbureau.comlicF	0%	Avira URL Cloud	safe
http://www.fontbureau.comessed)	0%	Avira URL Cloud	safe
http://www.fontbureau.comF	0%	URL Reputation	safe
http://www.fontbureau.comF	0%	URL Reputation	safe
http://www.fontbureau.comF	0%	URL Reputation	safe
http://www.fontbureau.comM.TTFh	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/E	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/jp/	0%	URL Reputation	safe
http://www.fontbureau.coma	0%	URL Reputation	safe
http://www.fontbureau.coma	0%	URL Reputation	safe
http://www.fontbureau.coma	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.founder.com.cn/cn/	0%	URL Reputation	safe
http://www.founder.com.cn/cn/	0%	URL Reputation	safe
http://www.founder.com.cn/cn/	0%	URL Reputation	safe
http://www.fontbureau.comituF	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/v	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/jp/)	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/vvU	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.fontbureau.comdE	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/h	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/h	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/h	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/a	0%	Avira URL Cloud	safe
http://www.fontbureau.comdL	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/Bold	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.fontbureau.comoa	NXKfWP9SPF0XHRu.exe, 00000000.00000003.241684541.0000000004C6A000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designersG	NXKfWP9SPF0XHRu.exe, 00000000.00000002.255243254.0000000004E72000.00000004.00000001.sdmp	false		high
http://www.fontbureau.com/designers/?	NXKfWP9SPF0XHRu.exe, 00000000.00000002.255243254.0000000004E72000.00000004.00000001.sdmp	false		high
http://www.founder.com.cn/cn/bThe	NXKfWP9SPF0XHRu.exe, 00000000.00000002.255243254.0000000004E72000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers?	NXKfWP9SPF0XHRu.exe, 00000000.00000002.255243254.0000000004E72000.00000004.00000001.sdmp	false		high
http://www.tiro.com	NXKfWP9SPF0XHRu.exe, 00000000.00000002.255243254.0000000004E72000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers	NXKfWP9SPF0XHRu.exe, 00000000.00000002.255243254.0000000004E72000.00000004.00000001.sdmp	false		high
http://www.goodfont.co.kr	NXKfWP9SPF0XHRu.exe, 00000000.00000002.255243254.0000000004E72000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.carterandcone.com	NXKfWP9SPF0XHRu.exe, 00000000.00000003.240900347.0000000004C68000.00000004.00000001.sdmp, NXKfWP9SPF0XHRu.exe, 00000000.00000003.239916983.0000000004C74000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/jp/7	NXKfWP9SPF0XHRu.exe, 00000000.00000003.240900347.0000000004C68000.00000004.00000001.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.sajatypeworks.com	NXKfWP9SPF0XHRu.exe, 00000000.00000002.255243254.0000000004E72000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.carterandcone.comefaD	NXKfWP9SPF0XHRu.exe, 00000000.00000003.240460926.0000000004C6B000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/roso	NXKfWP9SPF0XHRu.exe, 00000000.00000003.240900347.0000000004C68000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.typography.netD	NXKfWP9SPF0XHRu.exe, 00000000.00000002.255243254.0000000004E72000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cn/cThe	NXKfWP9SPF0XHRu.exe, 00000000.00000002.255243254.0000000004E72000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	NXKfWP9SPF0XHRu.exe, 00000000.00000002.255243254.0000000004E72000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/7	NXKfWP9SPF0XHRu.exe, 00000000.00000003.240460926.0000000004C6B000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://fontfabrik.com	NXKfWP9SPF0XHRu.exe, 00000000.00000002.255243254.0000000004E72000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/jp/h	NXKfWP9SPF0XHRu.exe, 00000000.00000003.240460926.0000000004C6B000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.galapagosdesign.com/DPlease	NXKfWP9SPF0XHRu.exe, 00000000.00000002.255243254.0000000004E72000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/)	NXKfWP9SPF0XHRu.exe, 00000000.00000003.240762052.0000000004C6A000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.comadi	NXKfWP9SPF0XHRu.exe, 00000000.00000003.240900347.0000000004C68000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fonts.com	NXKfWP9SPF0XHRu.exe, 00000000.00000002.255243254.0000000004E72000.00000004.00000001.sdmp	false		high
http://www.sandoll.co.kr	NXKfWP9SPF0XHRu.exe, 00000000.00000002.255243254.0000000004E72000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.urwpp.deDPlease	NXKfWP9SPF0XHRu.exe, 00000000.00000002.255243254.0000000004E72000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	NXKfWP9SPF0XHRu.exe, 00000000.00000002.255243254.0000000004E72000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.sakkal.com	NXKfWP9SPF0XHRu.exe, 00000000.00000002.255243254.0000000004E72000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.comlicF	NXKfWP9SPF0XHRu.exe, 00000000.00000003.241684541.0000000004C6A000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0	NXKfWP9SPF0XHRu.exe, 00000000.00000002.255243254.0000000004E72000.00000004.00000001.sdmp	false		high
http://www.fontbureau.com	NXKfWP9SPF0XHRu.exe, 00000000.00000003.241684541.0000000004C6A000.00000004.00000001.sdmp	false		high
http://www.fontbureau.comessed)	NXKfWP9SPF0XHRu.exe, 00000000.00000003.241684541.0000000004C6A000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://www.fontbureau.comF	NXKfWP9SPF0XHRu.exe, 00000000.00000003.241684541.0000000004C6A000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.comM.TTFh	NXKfWP9SPF0XHRu.exe, 00000000.00000003.241684541.0000000004C6A000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/E	NXKfWP9SPF0XHRu.exe, 00000000.00000003.240900347.0000000004C68000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/jp/	NXKfWP9SPF0XHRu.exe, 00000000.00000003.240900347.0000000004C68000.00000004.00000001.sdmp, NXKfWP9SPF0XHRu.exe, 00000000.00000003.240460926.0000000004C6B000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.coma	NXKfWP9SPF0XHRu.exe, 00000000.00000002.255001568.0000000004C60000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.carterandcone.coml	NXKfWP9SPF0XHRu.exe, 00000000.00000002.255243254.0000000004E72000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cn/	NXKfWP9SPF0XHRu.exe, 00000000.00000003.239663209.0000000004C70000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	NXKfWP9SPF0XHRu.exe, 00000000.00000002.255243254.0000000004E72000.00000004.00000001.sdmp	false		high
http://www.fontbureau.comituF	NXKfWP9SPF0XHRu.exe, 00000000.00000003.241684541.0000000004C6A000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.founder.com.cn/cn	NXKfWP9SPF0XHRu.exe, 00000000.00000002.255243254.0000000004E72000.00000004.00000001.sdmp, NXKfWP9SPF0XHRu.exe, 00000000.00000003.239663209.0000000004C70000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-jones.html	NXKfWP9SPF0XHRu.exe, 00000000.00000002.255243254.0000000004E72000.00000004.00000001.sdmp	false		high
http://www.jiyu-kobo.co.jp/v	NXKfWP9SPF0XHRu.exe, 00000000.00000003.240900347.0000000004C68000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/jp/)	NXKfWP9SPF0XHRu.exe, 00000000.00000003.240678890.0000000004C69000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/vvU	NXKfWP9SPF0XHRu.exe, 00000000.00000003.240460926.0000000004C6B000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/	NXKfWP9SPF0XHRu.exe, 00000000.00000003.240900347.0000000004C68000.00000004.00000001.sdmp, NXKfWP9SPF0XHRu.exe, 00000000.00000003.240252277.0000000004C6B000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.comdE	NXKfWP9SPF0XHRu.exe, 00000000.00000003.241684541.0000000004C6A000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers8	NXKfWP9SPF0XHRu.exe, 00000000.00000002.255243254.0000000004E72000.00000004.00000001.sdmp	false		high
http://www.jiyu-kobo.co.jp/h	NXKfWP9SPF0XHRu.exe, 00000000.00000003.240900347.0000000004C68000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/a	NXKfWP9SPF0XHRu.exe, 00000000.00000003.240900347.0000000004C68000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.comdL	NXKfWP9SPF0XHRu.exe, 00000000.00000003.241684541.0000000004C6A000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/Bold	NXKfWP9SPF0XHRu.exe, 00000000.00000003.240252277.0000000004C6B000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
23.105.131.214	unknown	United States		396362	LEASEWEB-USA-NYC-11US	false

General Information

Joe Sandbox Version:	31.0.0 Red Diamond
Analysis ID:	319657
Start date:	18.11.2020
Start time:	14:24:04
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 33s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	NXKfWP9SPF0XHRu.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	13
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@6/4@0/1
EGA Information:	Failed
HDC Information:	Successful, ratio: 4.3% (good quality ratio 2.5%) Quality average: 36.9% Quality standard deviation: 37.2%
HCA Information:	Successful, ratio: 95% Number of executed functions: 336 Number of non-executed functions: 18
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information. Exclude process from analysis (whitelisted): MpCmdRun.exe, SgrmBroker.exe, conhost.exe, svchost.exe Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
14:25:00	API Interceptor	1032x Sleep call for process: NXKfWP9SPF0XHRu.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
LEASEWEB-USA-NYC-11US	DOC.exe	Get hash	malicious	Browse	23.105.131.162
	Shipping_Details.exe	Get hash	malicious	Browse	23.105.131.165
	2AyWKsCvVF.exe	Get hash	malicious	Browse	192.253.246.143
	tn9jVPvlMSqAUX5.exe	Get hash	malicious	Browse	23.105.131.229
	HLiw2LPA8i.rtf	Get hash	malicious	Browse	192.253.246.143
	TDToxqrclL.exe	Get hash	malicious	Browse	23.105.131.177
	Ziiq5tI3CT.exe	Get hash	malicious	Browse	23.105.131.239
	f3wo2FuLN6.exe	Get hash	malicious	Browse	192.253.246.143
	ORDER INQUIRY.pdf.exe	Get hash	malicious	Browse	23.105.131.177
	Purchase Order 4500033557.pdf.exe	Get hash	malicious	Browse	23.105.131.177
	SecuriteInfo.com.Trojan.DownLoader35.34609.25775.exe	Get hash	malicious	Browse	192.253.246.138
	Proof_of_payment.xlsm	Get hash	malicious	Browse	23.105.131.217
	invoice tax.xlsm	Get hash	malicious	Browse	23.105.131.217
	SHIPPING DOCUMENTS.pdf.exe	Get hash	malicious	Browse	23.105.131.177
	Payment_Order_20201111.xlsx	Get hash	malicious	Browse	192.253.246.138
	TLpMnhJmg7.exe	Get hash	malicious	Browse	192.253.246.143
	HDyADDoI3I.exe	Get hash	malicious	Browse	192.253.246.143
	11.exe	Get hash	malicious	Browse	173.234.155.145
	53C29QAJnd.exe	Get hash	malicious	Browse	173.234.155.145
	OMQZvmAmCj.exe	Get hash	malicious	Browse	173.234.155.145

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\NXKfWP9SPF0XHRu.exe.log Download File
Process:	C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	641
Entropy (8bit):	5.271473536084351
Encrypted:	false
SSDEEP:	12:Q3LaJU20NaL10U29hJ5g1B0U2ukyrFk70U2u7x5I6Hi0Ug+9Yz9tv:MLF20NaL329hJ5g522rW2I3rOz2T
MD5:	C3EC08CD6BEA8576070D5A52B4B6D7D0
SHA1:	40B95253F98B3CC5953100C0E71DAC7915094A5A
SHA-256:	28B314C3E5651414FD36B2A65B644A2A55F007A34A536BE17514E12CEE5A091B
SHA-512:	5B0E6398A092F08240DC6765425E16DB52F32542FF7250E87403C407E54B3660EF93E0EAD17BA2CEF6B666951ACF66FA0EAD61FB52E80867DDD398E8258DED22
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Web\d05d469d89b319a068f2123e7e6f8621\System.Web.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0..

C:\Users\user\AppData\Local\Temp\tmp10AA.tmp Download File
Process:	C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1662
Entropy (8bit):	5.176645564878553
Encrypted:	false
SSDEEP:	24:2dH4+SEqC/dp7hdMlNMFpdU/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKB9tn:cbhH7MlNQ8/rydbz9I3YODOLNdq3F
MD5:	FA36D3CC836AD8E1BADA121233E83614
SHA1:	0DE7C6F513638E8B5E51C10C120D72BE6597FE08
SHA-256:	0B393495206B3678363CAAE0231816475DAB2549E90F3F0F4C604B87BB20CB52
SHA-512:	70DB8009383D2B11EED52570BAD37F5C30265EE8C8327E8582BA5118F14E17812FB61F69BE7C2B8E4114AB6B335CFE746442B30CEA58E95BD1DF22D36CF16306
Malicious:	true
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAv

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat Download File
Process:	C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe
File Type:	data
Category:	dropped
Size (bytes):	8
Entropy (8bit):	3.0
Encrypted:	false
SSDEEP:	3:tLujP:5CP
MD5:	E78B48E8D621A403BFAB625F1C92B04C
SHA1:	E7A09F8F0B049DD57A0540A4AF40AF6A5D523676
SHA-256:	D898054E52D71F403A89EB5D4B16B2E5221320ADE9D664FA3C8D72FC25D3DF8B
SHA-512:	810437550F308D974262BDBE620BFC9DAC23AB85E044B9972ED8BC4CCBA66E617B1AC1389E1A56E0919B10176CC63EC495B4A472DD0CB9A0CC4F70137F819B40
Malicious:	true
Reputation:	low
Preview:	.=.....H

C:\Users\user\AppData\Roaming\ynSazlVxDpCRe.exe Download File
Process:	C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1117184
Entropy (8bit):	7.378881785743249
Encrypted:	false
SSDEEP:	12288:VyrKywLz229e7sGJ3UogQpht8LFOcc6WkFR+wn3+0vCi/2mD0eIjAgC46H3Wsmij:VV29l19pv8bWkbr3nd2+sgT3c05s
MD5:	444332A61D888AC4F80DB03B3C2129E9
SHA1:	5D518F814C09B15B35CD9BA5D20D0892BD8EF90B
SHA-256:	611C893208D8BF06031DA708A44EC749B89B069AD1E84C14625B02BCCB4998A0
SHA-512:	699618863E73B9A748A54002847817C66D4582D70CB740C13AC24AD8C26AC050CA68A2B4BF84AA5594977B30B37EAA4B60D361B3C7C0E4D35A77AB66CF12DA67
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 17%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...q.._..............0......D......~.... ........@.. ....................................@.................................0...K........A...................`....................................................... ............... ..H............text........ ...................... ..`.rsrc....A.......B..................@..@.reloc.......`......................@..B................`.......H.......H,..............................................................5......U.?...%......>M\|.u?Ls..5....\|...C..Z.P.z.......D.uj.b............h...q...N...Tf.J!.L.i...uU. p../rR./oe....;...?0....B..>e.K.A..(.0.........TZ......h;P8.....vc.Q.s<.sp+..K.....~..;...4..bn..`e,<s.E&f...4.=..N.C..P.x.g.G..s?...e.......r.b.P8M.....KbN.......d~.u..5..F.:..y..^g.....X....V.:..@.....4+.Y7.}:_.rC'.......9..A...\........c1..S....b.;...:.......fc+.......":(..V

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.378881785743249
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	NXKfWP9SPF0XHRu.exe
File size:	1117184
MD5:	444332a61d888ac4f80db03b3c2129e9
SHA1:	5d518f814c09b15b35cd9ba5d20d0892bd8ef90b
SHA256:	611c893208d8bf06031da708a44ec749b89b069ad1e84c14625b02bccb4998a0
SHA512:	699618863e73b9a748a54002847817c66d4582d70cb740c13ac24ad8c26ac050ca68a2b4bf84aa5594977b30b37eaa4b60d361b3c7c0e4d35a77ab66cf12da67
SSDEEP:	12288:VyrKywLz229e7sGJ3UogQpht8LFOcc6WkFR+wn3+0vCi/2mD0eIjAgC46H3Wsmij:VV29l19pv8bWkbr3nd2+sgT3c05s
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...q.._..............0......D......~.... ........@.. ....................................@................................

File Icon


Icon Hash:	f8c492aaaa92dcfe

Static PE Info

General
Entrypoint:	0x50e47e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x5FB4A371 [Wed Nov 18 04:30:41 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:	v2.0.50727
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x10e430	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x110000	0x41a8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x116000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x10c484	0x10c600	False	0.694556539648	data	7.38603476189	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0x110000	0x41a8	0x4200	False	0.503551136364	data	5.45014806784	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x116000	0xc	0x200	False	0.044921875	data	0.101910425663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
RT_ICON	0x110190	0x468	GLS_BINARY_LSB_FIRST
RT_ICON	0x1105f8	0x10a8	dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 4275388049, next used block 4258479509
RT_ICON	0x1116a0	0x25a8	dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 3771611807, next used block 3167566498
RT_GROUP_ICON	0x113c48	0x30	data
RT_VERSION	0x113c78	0x344	data
RT_MANIFEST	0x113fbc	0x1ea	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright 2017
Assembly Version	1.0.0.0
InternalName	u.exe
FileVersion	1.0.0.0
CompanyName
LegalTrademarks
Comments
ProductName	Clinic Management System
ProductVersion	1.0.0.0
FileDescription	Clinic Management System
OriginalFilename	u.exe

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 18, 2020 14:25:05.655561924 CET	49707	4040	192.168.2.7	23.105.131.214
Nov 18, 2020 14:25:05.762923956 CET	4040	49707	23.105.131.214	192.168.2.7
Nov 18, 2020 14:25:06.269063950 CET	49707	4040	192.168.2.7	23.105.131.214
Nov 18, 2020 14:25:06.376255989 CET	4040	49707	23.105.131.214	192.168.2.7
Nov 18, 2020 14:25:06.878592014 CET	49707	4040	192.168.2.7	23.105.131.214
Nov 18, 2020 14:25:06.985805988 CET	4040	49707	23.105.131.214	192.168.2.7
Nov 18, 2020 14:25:11.036412954 CET	49711	4040	192.168.2.7	23.105.131.214
Nov 18, 2020 14:25:11.143027067 CET	4040	49711	23.105.131.214	192.168.2.7
Nov 18, 2020 14:25:11.644598007 CET	49711	4040	192.168.2.7	23.105.131.214
Nov 18, 2020 14:25:11.751352072 CET	4040	49711	23.105.131.214	192.168.2.7
Nov 18, 2020 14:25:12.253920078 CET	49711	4040	192.168.2.7	23.105.131.214
Nov 18, 2020 14:25:12.360694885 CET	4040	49711	23.105.131.214	192.168.2.7
Nov 18, 2020 14:25:16.381172895 CET	49712	4040	192.168.2.7	23.105.131.214
Nov 18, 2020 14:25:16.487755060 CET	4040	49712	23.105.131.214	192.168.2.7
Nov 18, 2020 14:25:16.988778114 CET	49712	4040	192.168.2.7	23.105.131.214
Nov 18, 2020 14:25:17.095190048 CET	4040	49712	23.105.131.214	192.168.2.7
Nov 18, 2020 14:25:17.598263979 CET	49712	4040	192.168.2.7	23.105.131.214
Nov 18, 2020 14:25:17.704638004 CET	4040	49712	23.105.131.214	192.168.2.7
Nov 18, 2020 14:25:21.709471941 CET	49713	4040	192.168.2.7	23.105.131.214
Nov 18, 2020 14:25:21.816246033 CET	4040	49713	23.105.131.214	192.168.2.7
Nov 18, 2020 14:25:22.317313910 CET	49713	4040	192.168.2.7	23.105.131.214
Nov 18, 2020 14:25:22.424000978 CET	4040	49713	23.105.131.214	192.168.2.7
Nov 18, 2020 14:25:22.926789999 CET	49713	4040	192.168.2.7	23.105.131.214
Nov 18, 2020 14:25:23.033458948 CET	4040	49713	23.105.131.214	192.168.2.7
Nov 18, 2020 14:25:27.039275885 CET	49714	4040	192.168.2.7	23.105.131.214
Nov 18, 2020 14:25:27.145787954 CET	4040	49714	23.105.131.214	192.168.2.7
Nov 18, 2020 14:25:27.645889997 CET	49714	4040	192.168.2.7	23.105.131.214
Nov 18, 2020 14:25:27.752454042 CET	4040	49714	23.105.131.214	192.168.2.7
Nov 18, 2020 14:25:28.255383968 CET	49714	4040	192.168.2.7	23.105.131.214
Nov 18, 2020 14:25:28.363981962 CET	4040	49714	23.105.131.214	192.168.2.7
Nov 18, 2020 14:25:32.384649992 CET	49715	4040	192.168.2.7	23.105.131.214
Nov 18, 2020 14:25:32.491986036 CET	4040	49715	23.105.131.214	192.168.2.7
Nov 18, 2020 14:25:33.005712032 CET	49715	4040	192.168.2.7	23.105.131.214
Nov 18, 2020 14:25:33.113073111 CET	4040	49715	23.105.131.214	192.168.2.7
Nov 18, 2020 14:25:33.615221977 CET	49715	4040	192.168.2.7	23.105.131.214
Nov 18, 2020 14:25:33.722516060 CET	4040	49715	23.105.131.214	192.168.2.7
Nov 18, 2020 14:25:37.851440907 CET	49716	4040	192.168.2.7	23.105.131.214
Nov 18, 2020 14:25:37.958148003 CET	4040	49716	23.105.131.214	192.168.2.7
Nov 18, 2020 14:25:38.459316969 CET	49716	4040	192.168.2.7	23.105.131.214
Nov 18, 2020 14:25:38.566000938 CET	4040	49716	23.105.131.214	192.168.2.7
Nov 18, 2020 14:25:39.068857908 CET	49716	4040	192.168.2.7	23.105.131.214
Nov 18, 2020 14:25:39.175647020 CET	4040	49716	23.105.131.214	192.168.2.7
Nov 18, 2020 14:25:43.180646896 CET	49718	4040	192.168.2.7	23.105.131.214
Nov 18, 2020 14:25:43.284518003 CET	4040	49718	23.105.131.214	192.168.2.7
Nov 18, 2020 14:25:43.787796021 CET	49718	4040	192.168.2.7	23.105.131.214
Nov 18, 2020 14:25:43.891825914 CET	4040	49718	23.105.131.214	192.168.2.7
Nov 18, 2020 14:25:44.397327900 CET	49718	4040	192.168.2.7	23.105.131.214
Nov 18, 2020 14:25:44.501189947 CET	4040	49718	23.105.131.214	192.168.2.7
Nov 18, 2020 14:25:48.509617090 CET	49719	4040	192.168.2.7	23.105.131.214
Nov 18, 2020 14:25:48.612853050 CET	4040	49719	23.105.131.214	192.168.2.7
Nov 18, 2020 14:25:49.116368055 CET	49719	4040	192.168.2.7	23.105.131.214
Nov 18, 2020 14:25:49.219748020 CET	4040	49719	23.105.131.214	192.168.2.7
Nov 18, 2020 14:25:49.726284981 CET	49719	4040	192.168.2.7	23.105.131.214
Nov 18, 2020 14:25:49.829591990 CET	4040	49719	23.105.131.214	192.168.2.7
Nov 18, 2020 14:25:53.849896908 CET	49720	4040	192.168.2.7	23.105.131.214
Nov 18, 2020 14:25:53.956172943 CET	4040	49720	23.105.131.214	192.168.2.7
Nov 18, 2020 14:25:54.460562944 CET	49720	4040	192.168.2.7	23.105.131.214
Nov 18, 2020 14:25:54.567054987 CET	4040	49720	23.105.131.214	192.168.2.7
Nov 18, 2020 14:25:55.069973946 CET	49720	4040	192.168.2.7	23.105.131.214
Nov 18, 2020 14:25:55.176698923 CET	4040	49720	23.105.131.214	192.168.2.7
Nov 18, 2020 14:25:59.181191921 CET	49721	4040	192.168.2.7	23.105.131.214
Nov 18, 2020 14:25:59.284069061 CET	4040	49721	23.105.131.214	192.168.2.7
Nov 18, 2020 14:25:59.789201975 CET	49721	4040	192.168.2.7	23.105.131.214
Nov 18, 2020 14:25:59.892447948 CET	4040	49721	23.105.131.214	192.168.2.7
Nov 18, 2020 14:26:00.398818970 CET	49721	4040	192.168.2.7	23.105.131.214
Nov 18, 2020 14:26:00.501836061 CET	4040	49721	23.105.131.214	192.168.2.7
Nov 18, 2020 14:26:04.605669975 CET	49722	4040	192.168.2.7	23.105.131.214
Nov 18, 2020 14:26:04.712171078 CET	4040	49722	23.105.131.214	192.168.2.7
Nov 18, 2020 14:26:05.227189064 CET	49722	4040	192.168.2.7	23.105.131.214
Nov 18, 2020 14:26:05.333668947 CET	4040	49722	23.105.131.214	192.168.2.7
Nov 18, 2020 14:26:05.836596012 CET	49722	4040	192.168.2.7	23.105.131.214
Nov 18, 2020 14:26:05.943167925 CET	4040	49722	23.105.131.214	192.168.2.7
Nov 18, 2020 14:26:09.948410034 CET	49723	4040	192.168.2.7	23.105.131.214
Nov 18, 2020 14:26:10.056273937 CET	4040	49723	23.105.131.214	192.168.2.7
Nov 18, 2020 14:26:10.571996927 CET	49723	4040	192.168.2.7	23.105.131.214
Nov 18, 2020 14:26:10.679358959 CET	4040	49723	23.105.131.214	192.168.2.7
Nov 18, 2020 14:26:11.196446896 CET	49723	4040	192.168.2.7	23.105.131.214
Nov 18, 2020 14:26:11.303950071 CET	4040	49723	23.105.131.214	192.168.2.7
Nov 18, 2020 14:26:15.307607889 CET	49724	4040	192.168.2.7	23.105.131.214
Nov 18, 2020 14:26:15.411216021 CET	4040	49724	23.105.131.214	192.168.2.7
Nov 18, 2020 14:26:15.915965080 CET	49724	4040	192.168.2.7	23.105.131.214
Nov 18, 2020 14:26:16.019602060 CET	4040	49724	23.105.131.214	192.168.2.7
Nov 18, 2020 14:26:16.525095940 CET	49724	4040	192.168.2.7	23.105.131.214
Nov 18, 2020 14:26:16.628814936 CET	4040	49724	23.105.131.214	192.168.2.7
Nov 18, 2020 14:26:20.667470932 CET	49725	4040	192.168.2.7	23.105.131.214
Nov 18, 2020 14:26:20.770468950 CET	4040	49725	23.105.131.214	192.168.2.7
Nov 18, 2020 14:26:21.275284052 CET	49725	4040	192.168.2.7	23.105.131.214
Nov 18, 2020 14:26:21.378113985 CET	4040	49725	23.105.131.214	192.168.2.7
Nov 18, 2020 14:26:21.884706020 CET	49725	4040	192.168.2.7	23.105.131.214
Nov 18, 2020 14:26:21.987725973 CET	4040	49725	23.105.131.214	192.168.2.7
Nov 18, 2020 14:26:25.997817993 CET	49726	4040	192.168.2.7	23.105.131.214
Nov 18, 2020 14:26:26.104825020 CET	4040	49726	23.105.131.214	192.168.2.7
Nov 18, 2020 14:26:26.619509935 CET	49726	4040	192.168.2.7	23.105.131.214
Nov 18, 2020 14:26:26.726696014 CET	4040	49726	23.105.131.214	192.168.2.7
Nov 18, 2020 14:26:27.228938103 CET	49726	4040	192.168.2.7	23.105.131.214
Nov 18, 2020 14:26:27.336147070 CET	4040	49726	23.105.131.214	192.168.2.7
Nov 18, 2020 14:26:31.341444969 CET	49727	4040	192.168.2.7	23.105.131.214
Nov 18, 2020 14:26:31.447765112 CET	4040	49727	23.105.131.214	192.168.2.7
Nov 18, 2020 14:26:31.948226929 CET	49727	4040	192.168.2.7	23.105.131.214
Nov 18, 2020 14:26:32.054521084 CET	4040	49727	23.105.131.214	192.168.2.7
Nov 18, 2020 14:26:32.557468891 CET	49727	4040	192.168.2.7	23.105.131.214
Nov 18, 2020 14:26:32.663840055 CET	4040	49727	23.105.131.214	192.168.2.7
Nov 18, 2020 14:26:37.278852940 CET	49728	4040	192.168.2.7	23.105.131.214
Nov 18, 2020 14:26:37.381530046 CET	4040	49728	23.105.131.214	192.168.2.7
Nov 18, 2020 14:26:37.886092901 CET	49728	4040	192.168.2.7	23.105.131.214
Nov 18, 2020 14:26:37.988652945 CET	4040	49728	23.105.131.214	192.168.2.7
Nov 18, 2020 14:26:38.495501041 CET	49728	4040	192.168.2.7	23.105.131.214
Nov 18, 2020 14:26:38.598113060 CET	4040	49728	23.105.131.214	192.168.2.7
Nov 18, 2020 14:26:42.607181072 CET	49729	4040	192.168.2.7	23.105.131.214
Nov 18, 2020 14:26:42.714581966 CET	4040	49729	23.105.131.214	192.168.2.7
Nov 18, 2020 14:26:43.230252981 CET	49729	4040	192.168.2.7	23.105.131.214
Nov 18, 2020 14:26:43.337546110 CET	4040	49729	23.105.131.214	192.168.2.7
Nov 18, 2020 14:26:43.839771032 CET	49729	4040	192.168.2.7	23.105.131.214
Nov 18, 2020 14:26:43.947041035 CET	4040	49729	23.105.131.214	192.168.2.7
Nov 18, 2020 14:26:47.983880997 CET	49730	4040	192.168.2.7	23.105.131.214
Nov 18, 2020 14:26:48.086832047 CET	4040	49730	23.105.131.214	192.168.2.7
Nov 18, 2020 14:26:48.590156078 CET	49730	4040	192.168.2.7	23.105.131.214
Nov 18, 2020 14:26:48.692936897 CET	4040	49730	23.105.131.214	192.168.2.7
Nov 18, 2020 14:26:49.199505091 CET	49730	4040	192.168.2.7	23.105.131.214
Nov 18, 2020 14:26:49.302356958 CET	4040	49730	23.105.131.214	192.168.2.7
Nov 18, 2020 14:26:53.312999010 CET	49731	4040	192.168.2.7	23.105.131.214
Nov 18, 2020 14:26:53.415992022 CET	4040	49731	23.105.131.214	192.168.2.7
Nov 18, 2020 14:26:53.918654919 CET	49731	4040	192.168.2.7	23.105.131.214
Nov 18, 2020 14:26:54.021730900 CET	4040	49731	23.105.131.214	192.168.2.7
Nov 18, 2020 14:26:54.528191090 CET	49731	4040	192.168.2.7	23.105.131.214
Nov 18, 2020 14:26:54.631139994 CET	4040	49731	23.105.131.214	192.168.2.7
Nov 18, 2020 14:26:58.639164925 CET	49732	4040	192.168.2.7	23.105.131.214
Nov 18, 2020 14:26:58.745680094 CET	4040	49732	23.105.131.214	192.168.2.7
Nov 18, 2020 14:26:59.247302055 CET	49732	4040	192.168.2.7	23.105.131.214
Nov 18, 2020 14:26:59.354760885 CET	4040	49732	23.105.131.214	192.168.2.7
Nov 18, 2020 14:26:59.856652975 CET	49732	4040	192.168.2.7	23.105.131.214
Nov 18, 2020 14:26:59.963293076 CET	4040	49732	23.105.131.214	192.168.2.7
Nov 18, 2020 14:27:03.967441082 CET	49733	4040	192.168.2.7	23.105.131.214
Nov 18, 2020 14:27:04.073405981 CET	4040	49733	23.105.131.214	192.168.2.7
Nov 18, 2020 14:27:04.577605009 CET	49733	4040	192.168.2.7	23.105.131.214
Nov 18, 2020 14:27:04.683609009 CET	4040	49733	23.105.131.214	192.168.2.7
Nov 18, 2020 14:27:05.185421944 CET	49733	4040	192.168.2.7	23.105.131.214
Nov 18, 2020 14:27:05.291454077 CET	4040	49733	23.105.131.214	192.168.2.7
Nov 18, 2020 14:27:09.295814991 CET	49734	4040	192.168.2.7	23.105.131.214

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: NXKfWP9SPF0XHRu.exe PID: 5952 Parent PID: 5616

General

Start time:	14:24:57
Start date:	18/11/2020
Path:	C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe'
Imagebase:	0x1a0000
File size:	1117184 bytes
MD5 hash:	444332A61D888AC4F80DB03B3C2129E9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.253897211.0000000003B42000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.253897211.0000000003B42000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000000.00000002.253897211.0000000003B42000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.253518250.000000000398D000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.253518250.000000000398D000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000000.00000002.253518250.000000000398D000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.251828506.0000000002994000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: schtasks.exe PID: 6052 Parent PID: 5952

General

Start time:	14:25:01
Start date:	18/11/2020
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\ynSazlVxDpCRe' /XML 'C:\Users\user\AppData\Local\Temp\tmp10AA.tmp'
Imagebase:	0xe50000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 6092 Parent PID: 6052

General

Start time:	14:25:02
Start date:	18/11/2020
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff774ee0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: NXKfWP9SPF0XHRu.exe PID: 768 Parent PID: 5952

General

Start time:	14:25:02
Start date:	18/11/2020
Path:	C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe
Wow64 process (32bit):	true
Commandline:	{path}
Imagebase:	0x700000
File size:	1117184 bytes
MD5 hash:	444332A61D888AC4F80DB03B3C2129E9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000002.512257767.0000000005710000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000003.00000002.512257767.0000000005710000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000003.00000002.512257767.0000000005710000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000003.00000002.511185145.0000000003EE7000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000003.00000002.511185145.0000000003EE7000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000002.505689991.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000003.00000002.505689991.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000003.00000002.505689991.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000002.512006874.0000000005200000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000003.00000002.512006874.0000000005200000.00000004.00000001.sdmp, Author: Florian Roth
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: NXKfWP9SPF0XHRu.exe PID: 5952 Parent PID: 5616 NXKfWP9SPF0XHRu.exeCOMMON

Executed Functions

Function 054950A7, Relevance: 5.8, Strings: 4, Instructions: 781COMMON

Download Yara Rule

Strings

(, xrefs: 05495A59
i, xrefs: 05495622
s, xrefs: 0549584A
k, xrefs: 054951EA

Memory Dump Source

Source File: 00000000.00000002.256041150.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: false

Similarity

API ID:
String ID: ($i$k$s
API String ID: 0-974595857
Opcode ID: b5a42149461756203d6b46b39d04b6f8b97906472a9549f02f5cf216e3bbb443
Instruction ID: 0ba70453923868fbe8ff4ac86ce5e7d12500ff39447a50fc6ecfdde66ddcf163
Opcode Fuzzy Hash: b5a42149461756203d6b46b39d04b6f8b97906472a9549f02f5cf216e3bbb443
Instruction Fuzzy Hash: EB72DF70D05229CFDF69DF68C895BEDBAB2BF49304F2081EA8009A7291DB745AC5CF45

Uniqueness

Uniqueness Score: -1.00%

Function 05493A5C, Relevance: 2.8, Strings: 2, Instructions: 349COMMON

Download Yara Rule

Strings

h, xrefs: 05493D2E
j, xrefs: 05493B1F

Memory Dump Source

Source File: 00000000.00000002.256041150.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: false

Similarity

API ID:
String ID: h$j
API String ID: 0-3842648682
Opcode ID: 108494a3f5cdda80c5f16e544b3f3b99f17ab64254308c7827fe53d8088899fb
Instruction ID: 120052af0cb716a729eb11ed9e9967e2d78b8861addb0364167920ec0876c771
Opcode Fuzzy Hash: 108494a3f5cdda80c5f16e544b3f3b99f17ab64254308c7827fe53d8088899fb
Instruction Fuzzy Hash: D9D15C74D09218CFEF28CF65D44A7EDBFB2BB46305F1059AAD00AA3295CB744A86CF45

Uniqueness

Uniqueness Score: -1.00%

Function 05493ABA, Relevance: 2.8, Strings: 2, Instructions: 304COMMON

Download Yara Rule

Strings

h, xrefs: 05493D2E
j, xrefs: 05493B1F

Memory Dump Source

Source File: 00000000.00000002.256041150.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: false

Similarity

API ID:
String ID: h$j
API String ID: 0-3842648682
Opcode ID: 247df926561d321e676c8ece31209102ebb3e2d0613e7868d550fac312908afd
Instruction ID: 5f89dca6461548c566a82c2ce2bacb77d0c790d5246c9528bc1f9f7d723c5d24
Opcode Fuzzy Hash: 247df926561d321e676c8ece31209102ebb3e2d0613e7868d550fac312908afd
Instruction Fuzzy Hash: 14C15A74D09218CFEF28CF65D44A7EDBFB2BB4A305F1059AAD009A7295CB344A85CF40

Uniqueness

Uniqueness Score: -1.00%

Function 054115DA, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE ref: 05411623

Memory Dump Source

Source File: 00000000.00000002.255937817.0000000005410000.00000040.00000001.sdmp, Offset: 053B0000, based on PE: true

Associated: 00000000.00000002.255842427.00000000053B0000.00000004.00000001.sdmp Download File

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: 9a4f3b83bdd25754d797183f68173021a4929a67bd106b6db99c3210d5ec47d2
Instruction ID: 063905fb7c54f545d6b6c80d1792373e851c29a5238ec2fe0189bc47b879bbfd
Opcode Fuzzy Hash: 9a4f3b83bdd25754d797183f68173021a4929a67bd106b6db99c3210d5ec47d2
Instruction Fuzzy Hash: 141170755043009FDB20CF55E845BA6FBE4EF04620F08C4AADE4A8B652D376E418CF62

Uniqueness

Uniqueness Score: -1.00%

Function 05411756, Relevance: 1.5, APIs: 1, Instructions: 38nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL ref: 05411791

Memory Dump Source

Source File: 00000000.00000002.255937817.0000000005410000.00000040.00000001.sdmp, Offset: 053B0000, based on PE: true

Associated: 00000000.00000002.255842427.00000000053B0000.00000004.00000001.sdmp Download File

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: c8215bfaed9865ce7479b1740cbd483d8f36a0cfaa78e2c7678feb77495dd955
Instruction ID: 3de654814571b59c7dce4e52ee654d087476116dee5deff2b582414cb24b56f9
Opcode Fuzzy Hash: c8215bfaed9865ce7479b1740cbd483d8f36a0cfaa78e2c7678feb77495dd955
Instruction Fuzzy Hash: 8E018F354002409FDB20CF55E844B66FFA0EF04720F08C49BDE894B312D376A418CB66

Uniqueness

Uniqueness Score: -1.00%

Function 05493F3C, Relevance: 1.5, Strings: 1, Instructions: 250COMMON

Download Yara Rule

Strings

h, xrefs: 05493D2E

Memory Dump Source

Source File: 00000000.00000002.256041150.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: false

Similarity

API ID:
String ID: h
API String ID: 0-2439710439
Opcode ID: 55dfad8f74636b06f86a9142f1f4aa6e55c9480e6d6b2266a3169ef4507c6472
Instruction ID: 9f49fac457a098f822300682f16545111a1cb101d5ec5701702c9f1560e0ad66
Opcode Fuzzy Hash: 55dfad8f74636b06f86a9142f1f4aa6e55c9480e6d6b2266a3169ef4507c6472
Instruction Fuzzy Hash: 7AA15B74D0921CCFEF28DF65D44A7EEBBB2BB4A301F1059AAD009A3295DB344A85CF54

Uniqueness

Uniqueness Score: -1.00%

Function 04A711F8, Relevance: 1.4, Strings: 1, Instructions: 128COMMON

Download Yara Rule

Strings

<7-', xrefs: 04A71264

Memory Dump Source

Source File: 00000000.00000002.254584980.0000000004A70000.00000040.00000001.sdmp, Offset: 04A70000, based on PE: false

Similarity

API ID:
String ID: <7-'
API String ID: 0-1069384852
Opcode ID: b656d172f4130e970757d3a4bde6401f7b742bf962d750099ac9cd3723490061
Instruction ID: 26d3c4441d84d4666bc2ee2335639aabc664fd0e0d0248b9810145a796b194ef
Opcode Fuzzy Hash: b656d172f4130e970757d3a4bde6401f7b742bf962d750099ac9cd3723490061
Instruction Fuzzy Hash: CF513471E04249CFCB18CFAAC8405AEFBF2AF89300F14C06AD455AB355D734AA41CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 04A72888, Relevance: .3, Instructions: 336COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254584980.0000000004A70000.00000040.00000001.sdmp, Offset: 04A70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fbd2796e8c8c6386585a01b5ac062d594b5a1da902dafd8941976e3e36f5279
Instruction ID: 6bbadba4031b688d27d93d7a7a8ebc34fa8ab1e23a38259b55495fb2baaffe78
Opcode Fuzzy Hash: 3fbd2796e8c8c6386585a01b5ac062d594b5a1da902dafd8941976e3e36f5279
Instruction Fuzzy Hash: 52D1C0B6D0520ADFCB14CFA4D9819EEFBB1FF58310B149996C411AB215D330AB82DFA5

Uniqueness

Uniqueness Score: -1.00%

Function 04A7D8C0, Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254584980.0000000004A70000.00000040.00000001.sdmp, Offset: 04A70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be330ddabfd8e699f36f8d21c5555855e53a8eb26d96d0963b736aa39fa46212
Instruction ID: 90c6209ab502680f0b48acada139e4f5b2f1b9dde4e729ea8c5920aabe6e8bed
Opcode Fuzzy Hash: be330ddabfd8e699f36f8d21c5555855e53a8eb26d96d0963b736aa39fa46212
Instruction Fuzzy Hash: 68B1C574E04209CFDB24DF99C980AEDBBF5FF89304F24951AD809BB255E770A946CB90

Uniqueness

Uniqueness Score: -1.00%

Function 04A72978, Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254584980.0000000004A70000.00000040.00000001.sdmp, Offset: 04A70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69a497fbf802a5c913ff66ab42d2e833b4917704df502ce14f7edf5629178798
Instruction ID: 3425222e3b397e2f0df00353ffc4dd33d4bdd706454124403183b160b5535db9
Opcode Fuzzy Hash: 69a497fbf802a5c913ff66ab42d2e833b4917704df502ce14f7edf5629178798
Instruction Fuzzy Hash: 67B14A75D0520ADFCB14CFA4D9809AEFBB1FF48310B24999AC416AB355D330AB81DFA5

Uniqueness

Uniqueness Score: -1.00%

Function 04A74C77, Relevance: .2, Instructions: 225COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254584980.0000000004A70000.00000040.00000001.sdmp, Offset: 04A70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1961d682ae8b1b50bb2f667a92173e9f1e3395744ba86e6aed9e1941c7744719
Instruction ID: d69fe1470894ccbb3b2b0da7049c600c534ae5d1df460f46afc2b39c5051060e
Opcode Fuzzy Hash: 1961d682ae8b1b50bb2f667a92173e9f1e3395744ba86e6aed9e1941c7744719
Instruction Fuzzy Hash: 5B911670D4A20ACFCB14DFA4D9856AEBFB1FF49300F20556AD102BB250EB346A54CF99

Uniqueness

Uniqueness Score: -1.00%

Function 04A74C88, Relevance: .2, Instructions: 224COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254584980.0000000004A70000.00000040.00000001.sdmp, Offset: 04A70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48595a5e2b91c405b714473215012a836a49a3306b3e81d60b4b66559f1a4716
Instruction ID: e2c57e59025e63c7b996295cbb686fe082271a1a20a61a64d72bc7fb2f886741
Opcode Fuzzy Hash: 48595a5e2b91c405b714473215012a836a49a3306b3e81d60b4b66559f1a4716
Instruction Fuzzy Hash: 56910570D4A20ADFCB14DFA4D9855AEBFB1FF49310F20556AD102BB250EB346A50CF99

Uniqueness

Uniqueness Score: -1.00%

Function 04A70A7F, Relevance: .2, Instructions: 215COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254584980.0000000004A70000.00000040.00000001.sdmp, Offset: 04A70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 705ac5f7f85d90283c9d671aa65ebe632c1ef0dcee45f34e32253329e97a49ca
Instruction ID: 18b8a181658c132a4f71fddab054379f6715ac46c889beca04464d8d306538a8
Opcode Fuzzy Hash: 705ac5f7f85d90283c9d671aa65ebe632c1ef0dcee45f34e32253329e97a49ca
Instruction Fuzzy Hash: 4C9134B0E056499FCB04CFA9C881ADEFBB2FF99304F14816AD405AB355E7355A42CF51

Uniqueness

Uniqueness Score: -1.00%

Function 04A7A238, Relevance: .2, Instructions: 177COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254584980.0000000004A70000.00000040.00000001.sdmp, Offset: 04A70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 711429f85ddd068ed0ab8a85e20b8a2033893525d856d511c9d4956c9ed24028
Instruction ID: e56897eb17b901bf650b4e601931b5a80fa02309042455f201ab8757f7a9285b
Opcode Fuzzy Hash: 711429f85ddd068ed0ab8a85e20b8a2033893525d856d511c9d4956c9ed24028
Instruction Fuzzy Hash: 6D71F474E05218DFDB14CFA9C8846EEFBF2BF49304F24856AD419AB255E734A981CF90

Uniqueness

Uniqueness Score: -1.00%

Function 04A70B18, Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254584980.0000000004A70000.00000040.00000001.sdmp, Offset: 04A70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54918d6f75b6d6318cb83490f0ad1793130ebccaf758b417cdc7f85074643b53
Instruction ID: 1894133247e9dac2453e3ab3926eaaa1524993f3fe2a947623659794afb0c73e
Opcode Fuzzy Hash: 54918d6f75b6d6318cb83490f0ad1793130ebccaf758b417cdc7f85074643b53
Instruction Fuzzy Hash: 5D61D074E05209DFCB48CFA9D894AAEBBB2FF89304F20816AD405BB354DB356A45CF51

Uniqueness

Uniqueness Score: -1.00%

Function 04A78791, Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254584980.0000000004A70000.00000040.00000001.sdmp, Offset: 04A70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 748836e997d0ce55f0b4fc13d2526d1dd7c135dac53ff50abf01c4a909106ef3
Instruction ID: 3554600be1a3bf94ba5d622d9237baede39af3aeec9ee9ca625a6c0d00339f46
Opcode Fuzzy Hash: 748836e997d0ce55f0b4fc13d2526d1dd7c135dac53ff50abf01c4a909106ef3
Instruction Fuzzy Hash: A841E074D01209DFCB04DFAAD88859EBBB2FF89340F14856AD805A7364DB38AA41CF54

Uniqueness

Uniqueness Score: -1.00%

Function 04A787A0, Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254584980.0000000004A70000.00000040.00000001.sdmp, Offset: 04A70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f8750d77bd0328704d00a0c11f63cae82ec0647df0674ac9e22768bfbf75436
Instruction ID: 4f0bc6845a35c3b1cdc78ddcac69c42ad4ab50c0f1147a82eafc1cf7dc8c3295
Opcode Fuzzy Hash: 9f8750d77bd0328704d00a0c11f63cae82ec0647df0674ac9e22768bfbf75436
Instruction Fuzzy Hash: 8541A074E01209DFCB14DFAAD9885AEFBB2FF88340F10856AD805A7354DB38AA41CF54

Uniqueness

Uniqueness Score: -1.00%

Function 04A71B21, Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254584980.0000000004A70000.00000040.00000001.sdmp, Offset: 04A70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f594319860e47db784d6b21221067f7ce778534443b48beab60106db33c6b2b8
Instruction ID: dd872b98ef6d495cc80e59f41b22967ca7daa1026e991eabafd99af4c5d723ac
Opcode Fuzzy Hash: f594319860e47db784d6b21221067f7ce778534443b48beab60106db33c6b2b8
Instruction Fuzzy Hash: 9A212AB1E056188BDB18CFABD8542DEFBF3EFC9310F14C0AAD409AA264DB351A55CB50

Uniqueness

Uniqueness Score: -1.00%

Function 05490B92, Relevance: 5.1, Strings: 4, Instructions: 111COMMON

Download Yara Rule

Strings

c, xrefs: 05490BF7
4, xrefs: 05490BA2
4, xrefs: 05490D44
4, xrefs: 05490C52

Memory Dump Source

Source File: 00000000.00000002.256041150.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: false

Similarity

API ID:
String ID: 4$4$4$c
API String ID: 0-549299000
Opcode ID: 68d912dac4e7277490aabdff7b4a0997268ba7f6d45fc71760b436f250b8c20b
Instruction ID: 49143887f19cc5adbabe4c424b098f99e9c8483981a7ad67406fc7280dff1e16
Opcode Fuzzy Hash: 68d912dac4e7277490aabdff7b4a0997268ba7f6d45fc71760b436f250b8c20b
Instruction Fuzzy Hash: 0551B570D012298FDF69DF69C859AADBBB6BF45304F1081D9D40CAB2A4DB305E82CF00

Uniqueness

Uniqueness Score: -1.00%

Function 04A73D40, Relevance: 2.6, Strings: 2, Instructions: 121COMMON

Download Yara Rule

Strings

t(1, xrefs: 04A73E3D
t(1, xrefs: 04A73E54

Memory Dump Source

Source File: 00000000.00000002.254584980.0000000004A70000.00000040.00000001.sdmp, Offset: 04A70000, based on PE: false

Similarity

API ID:
String ID: t(1$t(1
API String ID: 0-1694506003
Opcode ID: 4cc1f0a4f6f83af167510b3e9570cadaa8e4b1e6f2ebedc911982d225ca992c9
Instruction ID: f9dbaaa2963a10cfcfb2171767e3a35e3b792f2b66d9545f46f99002a749b4ab
Opcode Fuzzy Hash: 4cc1f0a4f6f83af167510b3e9570cadaa8e4b1e6f2ebedc911982d225ca992c9
Instruction Fuzzy Hash: 7551E474D05219EFCF14CFA8D9849AEFBB1FF49314F25899AD801A7311E730AA40DBA5

Uniqueness

Uniqueness Score: -1.00%

Function 04A73D50, Relevance: 2.6, Strings: 2, Instructions: 116COMMON

Download Yara Rule

Strings

t(1, xrefs: 04A73E3D
t(1, xrefs: 04A73E54

Memory Dump Source

Source File: 00000000.00000002.254584980.0000000004A70000.00000040.00000001.sdmp, Offset: 04A70000, based on PE: false

Similarity

API ID:
String ID: t(1$t(1
API String ID: 0-1694506003
Opcode ID: 95176321da3004118fc640d6c693e0c4a9926abd99c68f5634838823703ca16f
Instruction ID: eb5190afe899841629e281513996bda8750c7d82b7a3311729ab71ff7ceec9d6
Opcode Fuzzy Hash: 95176321da3004118fc640d6c693e0c4a9926abd99c68f5634838823703ca16f
Instruction Fuzzy Hash: 9351D474D05219EFCF14CFA8D9849AEFBB1FF48314F21895AD806A7315E731AA40DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0089A2AC, Relevance: 1.6, APIs: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?,00000E2C,?,?), ref: 0089A346

Memory Dump Source

Source File: 00000000.00000002.250589772.000000000089A000.00000040.00000001.sdmp, Offset: 0089A000, based on PE: false

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: c12013a97b68927a5024e14610e72ede8e98caa7e049c3952d34026aef4c4cab
Instruction ID: fee1e5e296defb36c4123c7fc16550a20fd94f11d0d39975c29352ab513ac50e
Opcode Fuzzy Hash: c12013a97b68927a5024e14610e72ede8e98caa7e049c3952d34026aef4c4cab
Instruction Fuzzy Hash: 9C41B375509380AFD7128B25DC45B62BFB8EF46624F0981DBEC84CB253D265A909CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0089AC22, Relevance: 1.6, APIs: 1, Instructions: 92registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,00000E2C), ref: 0089ACD1

Memory Dump Source

Source File: 00000000.00000002.250589772.000000000089A000.00000040.00000001.sdmp, Offset: 0089A000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 6a21a758e4b95764c35d9bbecc1ab875e08958b66e3426da494c62d2a5091654
Instruction ID: 1cf361d7667b488b839f05977bfff3ca04cb7d6ee6dae76be3fd7f9c916a416a
Opcode Fuzzy Hash: 6a21a758e4b95764c35d9bbecc1ab875e08958b66e3426da494c62d2a5091654
Instruction Fuzzy Hash: 0831C2725043806FE7228B25DC45FA7BFACEF06710F0884AAED81CB152D225A949CB71

Uniqueness

Uniqueness Score: -1.00%

Function 0089AD19, Relevance: 1.6, APIs: 1, Instructions: 89registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,6DFB25A3,00000000,00000000,00000000,00000000), ref: 0089ADD4

Memory Dump Source

Source File: 00000000.00000002.250589772.000000000089A000.00000040.00000001.sdmp, Offset: 0089A000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 4271c81aa817dd497ea2cb8c4b9cf12be9b9c8ae916a4b5bf1dc22cdddc060d9
Instruction ID: 16ea54db0ac2ba0155c89f9dfb754f07b9b3c449ce4cdf660d650d96510633ba
Opcode Fuzzy Hash: 4271c81aa817dd497ea2cb8c4b9cf12be9b9c8ae916a4b5bf1dc22cdddc060d9
Instruction Fuzzy Hash: 4B31C7715093805FDB22CB25CC84FA2BFF8EF06310F0C849AE945CB153D264E948CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 05410FC6, Relevance: 1.6, APIs: 1, Instructions: 80COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,00000E2C), ref: 05411043

Memory Dump Source

Source File: 00000000.00000002.255937817.0000000005410000.00000040.00000001.sdmp, Offset: 053B0000, based on PE: true

Associated: 00000000.00000002.255842427.00000000053B0000.00000004.00000001.sdmp Download File

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: e0ae5b431a232e3012c428dd784ed59926eb8338b1997377957f73f7dbee17e5
Instruction ID: c6c8fe08b382daba4e0c8c055e1dd94a36a32957cd1f8ae6432df3caa1804da6
Opcode Fuzzy Hash: e0ae5b431a232e3012c428dd784ed59926eb8338b1997377957f73f7dbee17e5
Instruction Fuzzy Hash: 6421B072500204AFEB218F65DC45FABFBACEF08320F04886AEE85DB651D275A508CB71

Uniqueness

Uniqueness Score: -1.00%

Function 0089AC52, Relevance: 1.6, APIs: 1, Instructions: 74registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,00000E2C), ref: 0089ACD1

Memory Dump Source

Source File: 00000000.00000002.250589772.000000000089A000.00000040.00000001.sdmp, Offset: 0089A000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 5cb9f209fe9fa923df672bc530e7da3cfc631cb58422c81a8aac910fe8e685fb
Instruction ID: f8835e16a34c6a6e3ea5e5e7a9caf19c8504db9f0d4a8d489cc6db3fd1596d97
Opcode Fuzzy Hash: 5cb9f209fe9fa923df672bc530e7da3cfc631cb58422c81a8aac910fe8e685fb
Instruction Fuzzy Hash: 0521A172500604AFEB209F69DC85F6BFBECEF08714F18845AED45DB241D275E9488BB2

Uniqueness

Uniqueness Score: -1.00%

Function 05410B2E, Relevance: 1.6, APIs: 1, Instructions: 72COMMON

Download Yara Rule

APIs

LsaOpenPolicy.ADVAPI32(?,00000E2C), ref: 05410B9F

Memory Dump Source

Source File: 00000000.00000002.255937817.0000000005410000.00000040.00000001.sdmp, Offset: 053B0000, based on PE: true

Associated: 00000000.00000002.255842427.00000000053B0000.00000004.00000001.sdmp Download File

Similarity

API ID: OpenPolicy
String ID:
API String ID: 2030686058-0
Opcode ID: ddaa76830cdcb178270926f93787768b5402897b335bb2bfa9ae73e22e4ebe62
Instruction ID: 84294d5c79d3ee90eff4f082ac90f74658df862d23b9f53545dbceb55a778264
Opcode Fuzzy Hash: ddaa76830cdcb178270926f93787768b5402897b335bb2bfa9ae73e22e4ebe62
Instruction Fuzzy Hash: F421F371500204AFEB20DF69DD49FABFBACEF44714F04846BED48CB241D274A4448B75

Uniqueness

Uniqueness Score: -1.00%

Function 05410812, Relevance: 1.6, APIs: 1, Instructions: 69COMMON

Download Yara Rule

APIs

GetTokenInformation.KERNELBASE(?,00000E2C,6DFB25A3,00000000,00000000,00000000,00000000), ref: 0541087C

Memory Dump Source

Source File: 00000000.00000002.255937817.0000000005410000.00000040.00000001.sdmp, Offset: 053B0000, based on PE: true

Associated: 00000000.00000002.255842427.00000000053B0000.00000004.00000001.sdmp Download File

Similarity

API ID: InformationToken
String ID:
API String ID: 4114910276-0
Opcode ID: 041cc81fd6d6ec8085ecc18621226c9bc62dea3bd93b1206d1bc590e3cd39142
Instruction ID: 4c8305a88d0cb2f98d830b983a993603768a5461d2843225cc9e51cf695e8b1a
Opcode Fuzzy Hash: 041cc81fd6d6ec8085ecc18621226c9bc62dea3bd93b1206d1bc590e3cd39142
Instruction Fuzzy Hash: C9119371504204AFEB21CF56DD45FA7FBECEF04320F04846AED49DB241D674A5498BB1

Uniqueness

Uniqueness Score: -1.00%

Function 0089AD5A, Relevance: 1.6, APIs: 1, Instructions: 69registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,6DFB25A3,00000000,00000000,00000000,00000000), ref: 0089ADD4

Memory Dump Source

Source File: 00000000.00000002.250589772.000000000089A000.00000040.00000001.sdmp, Offset: 0089A000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: eebab00b7a6f4147c36d8538a57c3cd5d77a9153b33b4068783ac40c0b01d555
Instruction ID: d1b6449bf3ed7b6917717c819aec4c230b82c03013857fb4f1f288e5b063ed45
Opcode Fuzzy Hash: eebab00b7a6f4147c36d8538a57c3cd5d77a9153b33b4068783ac40c0b01d555
Instruction Fuzzy Hash: E7218E71600604AFEB21DF16DC80FA6FBECEF04711F18846AE945DB651D760E904CAB2

Uniqueness

Uniqueness Score: -1.00%

Function 0089B42D, Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

LoadLibraryShim.MSCOREE(?,?,?,?), ref: 0089B4A9

Memory Dump Source

Source File: 00000000.00000002.250589772.000000000089A000.00000040.00000001.sdmp, Offset: 0089A000, based on PE: false

Similarity

API ID: LibraryLoadShim
String ID:
API String ID: 1475914169-0
Opcode ID: 8bffe10de06b9dca5e53ab01807b5734e25c01a8b5596a0083d46152fbad8a56
Instruction ID: 4af82a208796e4adea39d4fcb89a0ada7e8f506c37802d2c533bcbbe94f3268b
Opcode Fuzzy Hash: 8bffe10de06b9dca5e53ab01807b5734e25c01a8b5596a0083d46152fbad8a56
Instruction Fuzzy Hash: C5218EB15093805FDB228E15EC45B62BFE8EF56714F08809AED84CB293D365A908DB62

Uniqueness

Uniqueness Score: -1.00%

Function 0089A5FB, Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0089A666

Memory Dump Source

Source File: 00000000.00000002.250589772.000000000089A000.00000040.00000001.sdmp, Offset: 0089A000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 108d9ff1c58259bff99f725bbce6a3b272d3797c3c2f5a42b17ad05fe90995e5
Instruction ID: c0cb570eb45b4492c5a3a1e7ad07b4caf9447ee9f9f7b70ffcd447dae81a95a0
Opcode Fuzzy Hash: 108d9ff1c58259bff99f725bbce6a3b272d3797c3c2f5a42b17ad05fe90995e5
Instruction Fuzzy Hash: 85118172409780AFDB238F55DC44A62FFF4EF4A314F0C84DAED858B162D276A518DB62

Uniqueness

Uniqueness Score: -1.00%

Function 0541062A, Relevance: 1.6, APIs: 1, Instructions: 60fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,00000E2C,6DFB25A3,00000000,00000000,00000000,00000000), ref: 05410689

Memory Dump Source

Source File: 00000000.00000002.255937817.0000000005410000.00000040.00000001.sdmp, Offset: 053B0000, based on PE: true

Associated: 00000000.00000002.255842427.00000000053B0000.00000004.00000001.sdmp Download File

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: c3422c4de1e4b0c41af077308c933f488b04edecb029672d3854b12fe89e4aea
Instruction ID: 86ffb0fa062e8cd25fd4f061ba25c4a4d80de64bbb286b3297328844ba06d614
Opcode Fuzzy Hash: c3422c4de1e4b0c41af077308c933f488b04edecb029672d3854b12fe89e4aea
Instruction Fuzzy Hash: BD11C172400300AFEB21DF56ED45FA6FBE8EF48724F0484ABED499B251C275A449CB75

Uniqueness

Uniqueness Score: -1.00%

Function 0541145A, Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32 ref: 054114A2

Memory Dump Source

Source File: 00000000.00000002.255937817.0000000005410000.00000040.00000001.sdmp, Offset: 053B0000, based on PE: true

Associated: 00000000.00000002.255842427.00000000053B0000.00000004.00000001.sdmp Download File

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 0cf42e4ed2e30cc38eecc2b3be3b3bb879d4f07d5d0c1eda07107d7e80184807
Instruction ID: 23e1119b7ca1f5a08b1ede2ada2b1e5cdec4694883280ad4e87a3d386cc3980d
Opcode Fuzzy Hash: 0cf42e4ed2e30cc38eecc2b3be3b3bb879d4f07d5d0c1eda07107d7e80184807
Instruction Fuzzy Hash: 951161756042449FDB20CF6AEC85BA6FBD8EF04A20F0894ABDD49CB742D275E404DA76

Uniqueness

Uniqueness Score: -1.00%

Function 0089AEF0, Relevance: 1.6, APIs: 1, Instructions: 50memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0089AF50

Memory Dump Source

Source File: 00000000.00000002.250589772.000000000089A000.00000040.00000001.sdmp, Offset: 0089A000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 63e569f9803c170ee1fa517c379643f52c5d82834258bb7a503771d47dfe0bf2
Instruction ID: 23c0dbf88344b23b33b009141db8ea770d0544aa4278a8a58df0733dbc1ff4bd
Opcode Fuzzy Hash: 63e569f9803c170ee1fa517c379643f52c5d82834258bb7a503771d47dfe0bf2
Instruction Fuzzy Hash: EA119171405780AFDB218F15DC45A52FFF4EF05320F08849EED854B262C375A518CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0089A42A, Relevance: 1.5, APIs: 1, Instructions: 48threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE(?), ref: 0089A480

Memory Dump Source

Source File: 00000000.00000002.250589772.000000000089A000.00000040.00000001.sdmp, Offset: 0089A000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: ee97f814b5a037b8dfbceea0cb1b619670c41218f37333a22bf5e16b68f3004e
Instruction ID: 4d5ac8c0c61a44a1ccc5f3224d1f2e91ab6d78fc9630f4e52e95aa8a124cecd5
Opcode Fuzzy Hash: ee97f814b5a037b8dfbceea0cb1b619670c41218f37333a22bf5e16b68f3004e
Instruction Fuzzy Hash: 19018475409384AFDB128B15DC44B62FFA8EF46724F08C0DAED858B252D275A908CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 0089AAEC, Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32 ref: 0089AB46

Memory Dump Source

Source File: 00000000.00000002.250589772.000000000089A000.00000040.00000001.sdmp, Offset: 0089A000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 6ca1faa1368882e508b88a7699af41e5e0cedc7d80f0c78f5a2ff3a66f9a5f19
Instruction ID: bf3d3a0f42715500b667dc88c691fb1c90496c47b2b800c4ffd4d63825664384
Opcode Fuzzy Hash: 6ca1faa1368882e508b88a7699af41e5e0cedc7d80f0c78f5a2ff3a66f9a5f19
Instruction Fuzzy Hash: 071182314097849FDB218F15DC85A52FFB4EF06720F08C4DAED858B263C375A918CB62

Uniqueness

Uniqueness Score: -1.00%

Function 054110EE, Relevance: 1.5, APIs: 1, Instructions: 47fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE ref: 05411128

Memory Dump Source

Source File: 00000000.00000002.255937817.0000000005410000.00000040.00000001.sdmp, Offset: 053B0000, based on PE: true

Associated: 00000000.00000002.255842427.00000000053B0000.00000004.00000001.sdmp Download File

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: fce1c87c317c88544415baf3f85dc355fc05dc3dad62d30c6b4d253f96238516
Instruction ID: d37edfb8f9f51189b2f89fe39a0fd6942cd234dc4b100f84c73ebb96bf149961
Opcode Fuzzy Hash: fce1c87c317c88544415baf3f85dc355fc05dc3dad62d30c6b4d253f96238516
Instruction Fuzzy Hash: D8017171A042409FDB60CF2AE8857A6FB98EF44620F18D4ABDD49CB742D275E804CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0541139E, Relevance: 1.5, APIs: 1, Instructions: 47injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE ref: 054113E4

Memory Dump Source

Source File: 00000000.00000002.255937817.0000000005410000.00000040.00000001.sdmp, Offset: 053B0000, based on PE: true

Associated: 00000000.00000002.255842427.00000000053B0000.00000004.00000001.sdmp Download File

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 8dcae582e1875d721e8da678c70cac2b9eff562cdbadbc2b0b778cf3c8f8daf6
Instruction ID: d95f1cd765e8eb842835abf5fbd030cfcd76f3926b5a6ad3105c9c1802e9ca7a
Opcode Fuzzy Hash: 8dcae582e1875d721e8da678c70cac2b9eff562cdbadbc2b0b778cf3c8f8daf6
Instruction Fuzzy Hash: 8C0161755046449FDB20CF15E884BA6FBE4EF04620F0884ABDE458B655D371E458DB72

Uniqueness

Uniqueness Score: -1.00%

Function 0089B45E, Relevance: 1.5, APIs: 1, Instructions: 46libraryCOMMON

Download Yara Rule

APIs

LoadLibraryShim.MSCOREE(?,?,?,?), ref: 0089B4A9

Memory Dump Source

Source File: 00000000.00000002.250589772.000000000089A000.00000040.00000001.sdmp, Offset: 0089A000, based on PE: false

Similarity

API ID: LibraryLoadShim
String ID:
API String ID: 1475914169-0
Opcode ID: 0df85df2fb235dfaa3b35f277ff274c601b0b07c8fe869db6487aa1fcf6e9ca3
Instruction ID: a40271c60a53ed3e3ba64b5f06d6a0b11f10ed28bf565dece791ff9ff87254bf
Opcode Fuzzy Hash: 0df85df2fb235dfaa3b35f277ff274c601b0b07c8fe869db6487aa1fcf6e9ca3
Instruction Fuzzy Hash: 890169715002449FDB20DE1AE985B62FBE8FF14724F0C84AAED49CB642D375E808DA76

Uniqueness

Uniqueness Score: -1.00%

Function 0089A622, Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0089A666

Memory Dump Source

Source File: 00000000.00000002.250589772.000000000089A000.00000040.00000001.sdmp, Offset: 0089A000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 89f7e8b6c7a1188ba0b0d5b4173feb224fe3a4fe3e30546ff760452c24e3b1f6
Instruction ID: 36b8bf9c8bad3ee35660f96d3a3f8634c975b027f36d97df962e14e6acf8f74f
Opcode Fuzzy Hash: 89f7e8b6c7a1188ba0b0d5b4173feb224fe3a4fe3e30546ff760452c24e3b1f6
Instruction Fuzzy Hash: 4D018E314006009FDF228F55E844B56FFA4EF48320F08846ADD458A611D276E414DF62

Uniqueness

Uniqueness Score: -1.00%

Function 0541123E, Relevance: 1.5, APIs: 1, Instructions: 44threadinjectionCOMMON

Download Yara Rule

APIs

SetThreadContext.KERNELBASE ref: 0541127B

Memory Dump Source

Source File: 00000000.00000002.255937817.0000000005410000.00000040.00000001.sdmp, Offset: 053B0000, based on PE: true

Associated: 00000000.00000002.255842427.00000000053B0000.00000004.00000001.sdmp Download File

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: 64789a6c8d69343739c1b56e30096e7fe0bba654a922e91aaf9d5f6d855acf82
Instruction ID: 643053758e64d581b1c632e7fcd98e6dd2421d39b0bc6d2525d1ac35cfe0ba76
Opcode Fuzzy Hash: 64789a6c8d69343739c1b56e30096e7fe0bba654a922e91aaf9d5f6d855acf82
Instruction Fuzzy Hash: A501B135A042409FDB24CF19E884BA6FBD4EF05220F08C0ABDE49CF752D275E404CB66

Uniqueness

Uniqueness Score: -1.00%

Function 054112EA, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE ref: 05411328

Memory Dump Source

Source File: 00000000.00000002.255937817.0000000005410000.00000040.00000001.sdmp, Offset: 053B0000, based on PE: true

Associated: 00000000.00000002.255842427.00000000053B0000.00000004.00000001.sdmp Download File

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: f54b3e9d91d65707bdaf7a6286ca3a4cca256b9a8d14df1ae7bd904dc1da997c
Instruction ID: a267fb66267ad5f2335d99fe40f38df6177c7e2641c58bb897fbdaa5c91439ff
Opcode Fuzzy Hash: f54b3e9d91d65707bdaf7a6286ca3a4cca256b9a8d14df1ae7bd904dc1da997c
Instruction Fuzzy Hash: 4401B531900704DFDB218F15E844BA6FBA4EF04720F08C49EDE464B655D371E419DF62

Uniqueness

Uniqueness Score: -1.00%

Function 0089A2F6, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?,00000E2C,?,?), ref: 0089A346

Memory Dump Source

Source File: 00000000.00000002.250589772.000000000089A000.00000040.00000001.sdmp, Offset: 0089A000, based on PE: false

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: cfb3b54ded02053bdf5800fd5e10e2c28802518ff815a8ebab5f07fb91a347d1
Instruction ID: 68ca6b27b444d11fd6e1d86af92ce9bb36e5d92d52e3861a643c188d2f1b166e
Opcode Fuzzy Hash: cfb3b54ded02053bdf5800fd5e10e2c28802518ff815a8ebab5f07fb91a347d1
Instruction Fuzzy Hash: 7F01AD71500200ABD620DF1ADC82B36FBA8FF88B20F14815AED084B741E231F915CBE6

Uniqueness

Uniqueness Score: -1.00%

Function 05410D96, Relevance: 1.5, APIs: 1, Instructions: 41COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE ref: 05410DCE

Memory Dump Source

Source File: 00000000.00000002.255937817.0000000005410000.00000040.00000001.sdmp, Offset: 053B0000, based on PE: true

Associated: 00000000.00000002.255842427.00000000053B0000.00000004.00000001.sdmp Download File

Similarity

API ID: LongNamePath
String ID:
API String ID: 82841172-0
Opcode ID: 6e12cd7c37b651d208329b571cf540c767bc375e1d138f1f7e638eda95891a84
Instruction ID: 814858cea20403a72dd8ab4a5f8ef5fba7b962d6f62bc41c8bbd2d5bd3367fc0
Opcode Fuzzy Hash: 6e12cd7c37b651d208329b571cf540c767bc375e1d138f1f7e638eda95891a84
Instruction Fuzzy Hash: 960171759043409FDB20CF59E849BA6FBA4EF44320F08C4ABDD498B656D275A444CBB6

Uniqueness

Uniqueness Score: -1.00%

Function 0089AF12, Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0089AF50

Memory Dump Source

Source File: 00000000.00000002.250589772.000000000089A000.00000040.00000001.sdmp, Offset: 0089A000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 38b807aa860791599b0b2e576a37150ad0fbf02b6113d6183b5c02aac156c679
Instruction ID: 1805ff8f649dea3a64bf81536d324e880b0d1316dd7d1340ddde5d06a4165bfc
Opcode Fuzzy Hash: 38b807aa860791599b0b2e576a37150ad0fbf02b6113d6183b5c02aac156c679
Instruction Fuzzy Hash: 3B017C71400744DFDF209F45E885B65FBA0FF08724F08849ADD894A622D776A418DBA2

Uniqueness

Uniqueness Score: -1.00%

Function 054118A2, Relevance: 1.5, APIs: 1, Instructions: 38windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32 ref: 054118DD

Memory Dump Source

Source File: 00000000.00000002.255937817.0000000005410000.00000040.00000001.sdmp, Offset: 053B0000, based on PE: true

Associated: 00000000.00000002.255842427.00000000053B0000.00000004.00000001.sdmp Download File

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 85c47c1241ef3b76483160262e03db703e9e78a0f1ce1f0e55c6c408a8bea6f1
Instruction ID: cb64952c0155bd976d261f5751104548756a1c284a98ae8b8fc956e548e32e26
Opcode Fuzzy Hash: 85c47c1241ef3b76483160262e03db703e9e78a0f1ce1f0e55c6c408a8bea6f1
Instruction Fuzzy Hash: 91018F35900744DFDB20CF46E885B66FBA4EF04320F08C49ADE894B212D376A418CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0089AB0E, Relevance: 1.5, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32 ref: 0089AB46

Memory Dump Source

Source File: 00000000.00000002.250589772.000000000089A000.00000040.00000001.sdmp, Offset: 0089A000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: d8ad75ac95e7a0553683b68fa750ed86c627f93452e1255b6f13c9286f5a422f
Instruction ID: 36ac40853a6dcfc97012d0708c7e53d45b5254462fc14b945ae9ca7e742ad3b3
Opcode Fuzzy Hash: d8ad75ac95e7a0553683b68fa750ed86c627f93452e1255b6f13c9286f5a422f
Instruction Fuzzy Hash: D101AD314046449FDF209F05E885B61FBA0EF04734F08C4AADD868B652C2B6A408DBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0089A44E, Relevance: 1.5, APIs: 1, Instructions: 35threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE(?), ref: 0089A480

Memory Dump Source

Source File: 00000000.00000002.250589772.000000000089A000.00000040.00000001.sdmp, Offset: 0089A000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: de7d961c9d12c3b469bc67bcedefd0ae5b746d95d6235a937b2b82c30f9e33a7
Instruction ID: bf749d5f5bc1f92b6fdf6ee2e2593487cf925961feb251316aaf61b0fe0657d9
Opcode Fuzzy Hash: de7d961c9d12c3b469bc67bcedefd0ae5b746d95d6235a937b2b82c30f9e33a7
Instruction Fuzzy Hash: DDF0A4359042449FDF209F09E889761FB94EF04724F1CC0AADD458B256D2B5A504CEA6

Uniqueness

Uniqueness Score: -1.00%

Function 04A7AC46, Relevance: 1.5, Strings: 1, Instructions: 270COMMON

Download Yara Rule

Strings

h, xrefs: 04A7A7F6

Memory Dump Source

Source File: 00000000.00000002.254584980.0000000004A70000.00000040.00000001.sdmp, Offset: 04A70000, based on PE: false

Similarity

API ID:
String ID: h
API String ID: 0-2439710439
Opcode ID: 4e136c4699f98dc669759e9da04e814860db34f40fd92e67a3118373b53c9e6d
Instruction ID: 0722268472d77400d7006065a7dc41e135cd7125ca86a8187171e03c61987bee
Opcode Fuzzy Hash: 4e136c4699f98dc669759e9da04e814860db34f40fd92e67a3118373b53c9e6d
Instruction Fuzzy Hash: 6EC19E74915248DFEB14DFA8EA44A9DBBF4FB48318F00C069E4099F366EB70AA41DF51

Uniqueness

Uniqueness Score: -1.00%

Function 04A72ED0, Relevance: 1.3, Strings: 1, Instructions: 66COMMON

Download Yara Rule

Strings

/9, xrefs: 04A72F16

Memory Dump Source

Source File: 00000000.00000002.254584980.0000000004A70000.00000040.00000001.sdmp, Offset: 04A70000, based on PE: false

Similarity

API ID:
String ID: /9
API String ID: 0-1186500353
Opcode ID: 765e07bcb957697c4d34ecf95b9f9bb8f75b9a69bed163ec2547d298044f89d0
Instruction ID: 1f71fa3ff38dce9d247a3cd18c9db6ed69d54ab1e3d47688b6397e48b688be50
Opcode Fuzzy Hash: 765e07bcb957697c4d34ecf95b9f9bb8f75b9a69bed163ec2547d298044f89d0
Instruction Fuzzy Hash: DF212571A09209DFCB14CFA9D9806AEFBB1FF89300F1085AAD445AB294E734AA51DF50

Uniqueness

Uniqueness Score: -1.00%

Function 05492CD0, Relevance: 1.3, Strings: 1, Instructions: 58COMMON

Download Yara Rule

Strings

Y, xrefs: 05492D22

Memory Dump Source

Source File: 00000000.00000002.256041150.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: false

Similarity

API ID:
String ID: Y
API String ID: 0-3233089245
Opcode ID: 02eed613b56da358c58fdb1046304f91b0418077c6d47983c6e52f8d9ceef5a7
Instruction ID: 4b81805d57c0a4f01bbb6c727fe7e586a337fd9d72a664a25f15910a183c25c7
Opcode Fuzzy Hash: 02eed613b56da358c58fdb1046304f91b0418077c6d47983c6e52f8d9ceef5a7
Instruction Fuzzy Hash: 77111CB8D0C608EBDF08CFA6D4462EEBFBAAF89300F10E56A9415A6351D77445028B90

Uniqueness

Uniqueness Score: -1.00%

Function 04A78941, Relevance: 1.3, Strings: 1, Instructions: 55COMMON

Download Yara Rule

Strings

p;), xrefs: 04A789A4

Memory Dump Source

Source File: 00000000.00000002.254584980.0000000004A70000.00000040.00000001.sdmp, Offset: 04A70000, based on PE: false

Similarity

API ID:
String ID: p;)
API String ID: 0-28188274
Opcode ID: 25ac78664e85d7886a304918ec08ac5f8b958be3c77e46933e116c79461fecf2
Instruction ID: a28b212503753ded8e5067bd832a0e31cfd081a095aaa2a5a92db00b6e46cea6
Opcode Fuzzy Hash: 25ac78664e85d7886a304918ec08ac5f8b958be3c77e46933e116c79461fecf2
Instruction Fuzzy Hash: 62118B70D08209EFCB15EFA8D9845EEBFB0FF49310F2085AAD845E7251E334AA51CB42

Uniqueness

Uniqueness Score: -1.00%

Function 05492D6A, Relevance: 1.3, Strings: 1, Instructions: 53COMMON

Download Yara Rule

Strings

Y, xrefs: 05492D22

Memory Dump Source

Source File: 00000000.00000002.256041150.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: false

Similarity

API ID:
String ID: Y
API String ID: 0-3233089245
Opcode ID: e37724fe024a3fc4f1709417e67922d660509d3f3567dc83182c14838b345259
Instruction ID: d8dea18f7d3f5539c307e90c52b9c68e09e2e65785a48a0b5848da4596b6a0c5
Opcode Fuzzy Hash: e37724fe024a3fc4f1709417e67922d660509d3f3567dc83182c14838b345259
Instruction Fuzzy Hash: 0111DA78D0D209EBDF08CFA5D4865FDBFBAAB4A210F20A65AD426B7341D77046028F90

Uniqueness

Uniqueness Score: -1.00%

Function 05492CE0, Relevance: 1.3, Strings: 1, Instructions: 52COMMON

Download Yara Rule

Strings

Y, xrefs: 05492D22

Memory Dump Source

Source File: 00000000.00000002.256041150.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: false

Similarity

API ID:
String ID: Y
API String ID: 0-3233089245
Opcode ID: f461746a2bf1d12ffc876e5e4d2cb2411dbaf9378656259f3e6b96c6c7a1bc01
Instruction ID: 9bbb4e6f790d302eeeafc6384fc7aa8ea39c18d4ee3dc52a943bd1b0f3b07c17
Opcode Fuzzy Hash: f461746a2bf1d12ffc876e5e4d2cb2411dbaf9378656259f3e6b96c6c7a1bc01
Instruction Fuzzy Hash: E211BEB8D0D609EBDF08DFA6D4465EEBFB6AF89300F10D16A9415A7351D77045428B90

Uniqueness

Uniqueness Score: -1.00%

Function 04A7A7A2, Relevance: 1.3, Strings: 1, Instructions: 47COMMON

Download Yara Rule

Strings

k, xrefs: 04A7A7FD

Memory Dump Source

Source File: 00000000.00000002.254584980.0000000004A70000.00000040.00000001.sdmp, Offset: 04A70000, based on PE: false

Similarity

API ID:
String ID: k
API String ID: 0-140662621
Opcode ID: 9c9b7aff51e313d70e3f92a5fc61dd2117dd76ec47acc7c50f1d9c7a768b0eb7
Instruction ID: 34d2b2118b2dcc8eb2fab205ca36c8979513e36c2a4944d936e0323d7cbce344
Opcode Fuzzy Hash: 9c9b7aff51e313d70e3f92a5fc61dd2117dd76ec47acc7c50f1d9c7a768b0eb7
Instruction Fuzzy Hash: EC017CB0E49208EBEF14CFAAD8057EEBFB9BB88300F10D565C016A7251E7786606DF41

Uniqueness

Uniqueness Score: -1.00%

Function 04A7A7B0, Relevance: 1.3, Strings: 1, Instructions: 42COMMON

Download Yara Rule

Strings

k, xrefs: 04A7A7FD

Memory Dump Source

Source File: 00000000.00000002.254584980.0000000004A70000.00000040.00000001.sdmp, Offset: 04A70000, based on PE: false

Similarity

API ID:
String ID: k
API String ID: 0-140662621
Opcode ID: 8a8c65d34f45fbfcf0c9384983c98c536eaea584b5bcca784b3aff46c6dfec99
Instruction ID: 772698dae27cbb1d78befedbf4e3c2840800c6e67ac8748d44763ebe1020dd03
Opcode Fuzzy Hash: 8a8c65d34f45fbfcf0c9384983c98c536eaea584b5bcca784b3aff46c6dfec99
Instruction Fuzzy Hash: 57016DB0E19208EBDF24DFAAD8056EEBFB9BF49300F10D469C016A7251E7786606DF41

Uniqueness

Uniqueness Score: -1.00%

Function 04A79D90, Relevance: .2, Instructions: 230COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254584980.0000000004A70000.00000040.00000001.sdmp, Offset: 04A70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43595f11f265ff7b2c825cb2c23c4b37e7f0cb70dc6142e2e7b2950b74569782
Instruction ID: da0db5b763f9fd182fc0a4dd0ed834f5f2d3c1e40638d864da09be8f22392e44
Opcode Fuzzy Hash: 43595f11f265ff7b2c825cb2c23c4b37e7f0cb70dc6142e2e7b2950b74569782
Instruction Fuzzy Hash: 09A15C70E01218CFEB24CFA5C844BEEBBB6BF45304F1484AAD009BB295D7706A86CF51

Uniqueness

Uniqueness Score: -1.00%

Function 04A70D58, Relevance: .2, Instructions: 203COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254584980.0000000004A70000.00000040.00000001.sdmp, Offset: 04A70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4039525e4bf9ab057499ca07dd1fe4ce6b133e26d4c96f89c2eb4310d6cc2301
Instruction ID: ad1ebb2b20663df9d30f11c3f9848d1ceca42cf395ff743231fd92ee58f44225
Opcode Fuzzy Hash: 4039525e4bf9ab057499ca07dd1fe4ce6b133e26d4c96f89c2eb4310d6cc2301
Instruction Fuzzy Hash: 9591C274E00209DFDB14DBA8D8809CDBBF2FF88310F218669E505AB355DA31AE46CF95

Uniqueness

Uniqueness Score: -1.00%

Function 04A7C590, Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254584980.0000000004A70000.00000040.00000001.sdmp, Offset: 04A70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 981b7fdede105a5f2a64a32112e7d039761836cf8b037ed5e348c78470286ef7
Instruction ID: bbfd1e69778016ac481cfecf2d585bebb180c6c5aeebb8bf928ff7735e526e29
Opcode Fuzzy Hash: 981b7fdede105a5f2a64a32112e7d039761836cf8b037ed5e348c78470286ef7
Instruction Fuzzy Hash: 7D516F74E06209DFCB08CF99E98499DBBF2BF88310F259169E815AB315D730EA41CF95

Uniqueness

Uniqueness Score: -1.00%

Function 04A7A5D8, Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254584980.0000000004A70000.00000040.00000001.sdmp, Offset: 04A70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f34126e7c803fe0d9a56a76cee96fb7fb44e8a186d68ac40ce98e6e14a80f4fe
Instruction ID: 8b5b2d522f0e7739083de48e232eefd88483c7583a8e9f27270fdd706364d1f4
Opcode Fuzzy Hash: f34126e7c803fe0d9a56a76cee96fb7fb44e8a186d68ac40ce98e6e14a80f4fe
Instruction Fuzzy Hash: 0641DA74E01208DBDB28DFA5D895BEEBBB2BF89300F24842AD405BB254DB706946CF45

Uniqueness

Uniqueness Score: -1.00%

Function 04A79A38, Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254584980.0000000004A70000.00000040.00000001.sdmp, Offset: 04A70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90e713ab9e8b8153dc85d29f47436f008ed1d903869c4579a78b860d12993b64
Instruction ID: 81274598f0985f098620075b8a487a8615ddec518c967656b17d3703d470b71a
Opcode Fuzzy Hash: 90e713ab9e8b8153dc85d29f47436f008ed1d903869c4579a78b860d12993b64
Instruction Fuzzy Hash: 5841B2B4E11208DFEB14DFA9D895AAEBBF5FF48300F10906AE415A7350EB356942CF54

Uniqueness

Uniqueness Score: -1.00%

Function 04A79A28, Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254584980.0000000004A70000.00000040.00000001.sdmp, Offset: 04A70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd2ececcd37e19c42875b3bdbcf1836cef3803ecbf01f2518d7664eae28f2aad
Instruction ID: 5657cee07c5fa89ddd10fd6ece6f38c44d662560a620ec3b5d8fec27b1737521
Opcode Fuzzy Hash: bd2ececcd37e19c42875b3bdbcf1836cef3803ecbf01f2518d7664eae28f2aad
Instruction Fuzzy Hash: 6A41E2B4E15208DFDB14DFA9D8956EEBBF1FF89300F20806AE405A7251EB316942CF50

Uniqueness

Uniqueness Score: -1.00%

Function 04A7A4D8, Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254584980.0000000004A70000.00000040.00000001.sdmp, Offset: 04A70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b57d1cd62450a2fee648a56475111d50bf938ee101043a959361dd650e324fb
Instruction ID: 48e35e6812b8eaad598e94cd59088593c569bf57ae150b71c05dbfeac34b61e2
Opcode Fuzzy Hash: 1b57d1cd62450a2fee648a56475111d50bf938ee101043a959361dd650e324fb
Instruction Fuzzy Hash: 38314830B05295ABDB15DB7DCC0166EBBB6FF89700B24445AD009DB282EE30AD06C796

Uniqueness

Uniqueness Score: -1.00%

Function 04A78A11, Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254584980.0000000004A70000.00000040.00000001.sdmp, Offset: 04A70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa91085fb563db7460a98376042f7aa1db81b2832566802be9f67698cad3acd5
Instruction ID: aa017fc77501ea30c63e72b541f8465c3a34e742331f95c13e3633e37c04b9bf
Opcode Fuzzy Hash: fa91085fb563db7460a98376042f7aa1db81b2832566802be9f67698cad3acd5
Instruction Fuzzy Hash: 63313670E0520ADFCB04DFA9D9886EEBBF1FF89301F1085AAD505A7254D7345A41CF51

Uniqueness

Uniqueness Score: -1.00%

Function 04A7E058, Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254584980.0000000004A70000.00000040.00000001.sdmp, Offset: 04A70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa15cd2e207bdebc074ad0cc174e6199176990c5fb677a7e8fe074d37d4915d6
Instruction ID: ec26d8e9b3a46ddb1dbf6c6fdad6fe154ff33651f255e35efef59b5d12e74c37
Opcode Fuzzy Hash: fa15cd2e207bdebc074ad0cc174e6199176990c5fb677a7e8fe074d37d4915d6
Instruction Fuzzy Hash: B8213C74E89209CFEB20CF99D8446FFBBB4BB49300F1094EAD40563651E374A982DB55

Uniqueness

Uniqueness Score: -1.00%

Function 04A7AD6C, Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254584980.0000000004A70000.00000040.00000001.sdmp, Offset: 04A70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0006d167ebc59a698d24289556165e8c70df2024cb65c5cd1b0fe0c8e577cab6
Instruction ID: 1091aa04c30c1dd33989ab98f4a24857804c71d1cd20dab5b9d08f8a8ee26308
Opcode Fuzzy Hash: 0006d167ebc59a698d24289556165e8c70df2024cb65c5cd1b0fe0c8e577cab6
Instruction Fuzzy Hash: 51215CB4D10209AFEF04DFA4D995AEDBBB1FF88304F108569D805A7356EB346A03DB91

Uniqueness

Uniqueness Score: -1.00%

Function 04A714C1, Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254584980.0000000004A70000.00000040.00000001.sdmp, Offset: 04A70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c198961362608a01154046b2732137211560b5f1d48ae1c1d37eddc6a4572fd
Instruction ID: e5137b127c044bf164947f993752fbcc79cf7e5bc834e8bdaeaeeb278e9be9a9
Opcode Fuzzy Hash: 3c198961362608a01154046b2732137211560b5f1d48ae1c1d37eddc6a4572fd
Instruction Fuzzy Hash: 47312970E08209EFCB18CFA9C98099EBBF1FF89300F14859AD415AB315E735EA018F51

Uniqueness

Uniqueness Score: -1.00%

Function 04A76CDF, Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254584980.0000000004A70000.00000040.00000001.sdmp, Offset: 04A70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c9be1576751529a51120619196a55f9d9625f47c932bf024f910ed1cf8fc338
Instruction ID: 32e62fc9272db6aa1bb43427787460b0e405fb7ebf52691d00c7b8310fc1670a
Opcode Fuzzy Hash: 6c9be1576751529a51120619196a55f9d9625f47c932bf024f910ed1cf8fc338
Instruction Fuzzy Hash: 6A415F78E01229DFCB65AF64C888A9DBBB9FF4A310F1041DA9849A7720DF745E80CF15

Uniqueness

Uniqueness Score: -1.00%

Function 04A78A20, Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254584980.0000000004A70000.00000040.00000001.sdmp, Offset: 04A70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef753339465a9f06330e25d2773c2ef0294a6752eb2470bbfd82b5358016269b
Instruction ID: 1e07dacd48064dd24d8ddc6e50c433a4e9ebcbb8ed0d5922260a717a3acf5a11
Opcode Fuzzy Hash: ef753339465a9f06330e25d2773c2ef0294a6752eb2470bbfd82b5358016269b
Instruction Fuzzy Hash: 3D312670E0520ADFCB14DFA9D9486EEBBF2FB88301F10856AD905A7354E738AA41CF51

Uniqueness

Uniqueness Score: -1.00%

Function 04A713C0, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254584980.0000000004A70000.00000040.00000001.sdmp, Offset: 04A70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3aa12804b4add65589d492f4a2c90723ed549ee47df57a28ea5008c2eaca9103
Instruction ID: f830d944f39ca7417b327819fe913792bd84cdd236540045e7361e45a8bc09cc
Opcode Fuzzy Hash: 3aa12804b4add65589d492f4a2c90723ed549ee47df57a28ea5008c2eaca9103
Instruction Fuzzy Hash: F931D2B4E05209DFCB54CFAAD8819AEBBF1FF89300F10859AD815A7350D334AA42CF61

Uniqueness

Uniqueness Score: -1.00%

Function 04A731F9, Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254584980.0000000004A70000.00000040.00000001.sdmp, Offset: 04A70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6341d64548d6ac29c47eea4d86b9cc2d4a2f31865e32128d280adb24c75c7ed
Instruction ID: 3d8571110e1394e424d062f712d33b35f07bf672af847374935bcc6669da6d86
Opcode Fuzzy Hash: b6341d64548d6ac29c47eea4d86b9cc2d4a2f31865e32128d280adb24c75c7ed
Instruction Fuzzy Hash: 69215C70E04249DFCF14CF9AD8805AEFFB1FF95300F1585AACA05AB215D730AA81DB95

Uniqueness

Uniqueness Score: -1.00%

Function 04A7937A, Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254584980.0000000004A70000.00000040.00000001.sdmp, Offset: 04A70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44ce034cc20d35b7db1d74a8d1a29b70e1e1df00b870af893eb8f96818de09f7
Instruction ID: 77087249df11cd8db7c92c47478fc316dddca4a5119894805c17d766d9bad4fc
Opcode Fuzzy Hash: 44ce034cc20d35b7db1d74a8d1a29b70e1e1df00b870af893eb8f96818de09f7
Instruction Fuzzy Hash: 55212AB4D042099FDF14DFA9D8819EEBFB1FF89300F10846AD815A7355D6389A51CB51

Uniqueness

Uniqueness Score: -1.00%

Function 04A713D0, Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254584980.0000000004A70000.00000040.00000001.sdmp, Offset: 04A70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58420f4b827f8aade8c2f30db750045176e6a8af82184fbdf279d4db25aa826e
Instruction ID: a8a6ce899c618b1d7bc54a6d52a951ec27ab83f230b482a64a70bcb543a6b8c6
Opcode Fuzzy Hash: 58420f4b827f8aade8c2f30db750045176e6a8af82184fbdf279d4db25aa826e
Instruction Fuzzy Hash: 5521E4B4E04209DFCB54CF9AC980AAEFBF1FB88301F1094AAD815A7310D374AA41CF61

Uniqueness

Uniqueness Score: -1.00%

Function 04A79388, Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254584980.0000000004A70000.00000040.00000001.sdmp, Offset: 04A70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cabd7382bca1f79d1f31931065fd93c3212d024e5fb4a37daa236131957f89ff
Instruction ID: e8a2d55a758e2847791255d12bc57ea507f73a0488c84b11d183859eee9dd9a7
Opcode Fuzzy Hash: cabd7382bca1f79d1f31931065fd93c3212d024e5fb4a37daa236131957f89ff
Instruction Fuzzy Hash: ED2139B4D04209DFDF14DFA6D880AAEBBB6FF88300F10806AD815A7354D7389A51CF95

Uniqueness

Uniqueness Score: -1.00%

Function 00C80724, Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.250943504.0000000000C80000.00000040.00000040.sdmp, Offset: 00C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 261a8a8d11f80cba39255b269fa100f41186432387f9656f623a04c9348e8fae
Instruction ID: e24e70f4e5c79bc8f1627d9865d23e81c46cf6495595a57d1eb5e7223121fb04
Opcode Fuzzy Hash: 261a8a8d11f80cba39255b269fa100f41186432387f9656f623a04c9348e8fae
Instruction Fuzzy Hash: 7E216F355097C09FD3078B20C850B51BFB1AF47708F2985DAD8844B6A3C3369D06CB51

Uniqueness

Uniqueness Score: -1.00%

Function 04A71019, Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254584980.0000000004A70000.00000040.00000001.sdmp, Offset: 04A70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 789a4323320ec93ae0378b937e1f4420e72ffd3565a9359f217896d5233a821d
Instruction ID: 4522e4b76c32e8a3769724ee1338532f6b05ded6321aa705c25e73607cd7fbcc
Opcode Fuzzy Hash: 789a4323320ec93ae0378b937e1f4420e72ffd3565a9359f217896d5233a821d
Instruction Fuzzy Hash: F2214774D0020A9FCF40DFA8C941AEEBBB1FF89300F21456AD504F7250D7306A56CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00C8075C, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.250943504.0000000000C80000.00000040.00000040.sdmp, Offset: 00C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8d82aed00295e30b873ab4cd7a3c7849f8ea7d954ca15365d4e2e7e1171e949
Instruction ID: 961970948b5b68e507b9520abf4c1b6c1d260016f650d08502a9a8c83af29028
Opcode Fuzzy Hash: c8d82aed00295e30b873ab4cd7a3c7849f8ea7d954ca15365d4e2e7e1171e949
Instruction Fuzzy Hash: B711D234204244DFD755DB14D980B26BB95EB88B0CF38C5ADE8490B682C77BE807CF55

Uniqueness

Uniqueness Score: -1.00%

Function 04A79C47, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254584980.0000000004A70000.00000040.00000001.sdmp, Offset: 04A70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a346c47429866e608b85cedff9035774b03a87dc8fd05a5aea95f4645c99ace6
Instruction ID: 11dd57ed32106a498d287833e1ade31186a37610caf3afe5b23debf06928d862
Opcode Fuzzy Hash: a346c47429866e608b85cedff9035774b03a87dc8fd05a5aea95f4645c99ace6
Instruction Fuzzy Hash: A02135B4E08259CFDF14DFA8D8945EEBBB5BF48300F10815AD842A7261DB342A42DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 04A72FC9, Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254584980.0000000004A70000.00000040.00000001.sdmp, Offset: 04A70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15dd311f711c86e89645a111e26f33e36d3edc5103d434f36ebc847445cac40e
Instruction ID: 37232e200ab22e00a1921ab1b58547935ea3ed16d29904f5f6fb91806bffa07c
Opcode Fuzzy Hash: 15dd311f711c86e89645a111e26f33e36d3edc5103d434f36ebc847445cac40e
Instruction Fuzzy Hash: 83112638E05108AFDB04DFA9C984A9DBBF2FF89300F55C49AD905AB365D630AE11DB40

Uniqueness

Uniqueness Score: -1.00%

Function 04A71028, Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254584980.0000000004A70000.00000040.00000001.sdmp, Offset: 04A70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7602699b176959df9f2d3683828b4bfc7ee4292bc8a2bd933f0792ad9df88b00
Instruction ID: af956a42d55ee9f5fd8f5ac2e1a56212519018084d22a617d3c7fcd82902f1e3
Opcode Fuzzy Hash: 7602699b176959df9f2d3683828b4bfc7ee4292bc8a2bd933f0792ad9df88b00
Instruction Fuzzy Hash: 79111674D0020A9FCF40EFA8D941AEEBBB1FF89310F214529D504B7354D7346A46CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 04A7ADA0, Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254584980.0000000004A70000.00000040.00000001.sdmp, Offset: 04A70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bebf44c00ff262be129acd387e42367b5445847e20f5ee88307f5ad22fc3265
Instruction ID: 88d5d6cdf5f0ed1c07bd1a17c996db9464a6bd3423594f3f117d185ad8c02c0f
Opcode Fuzzy Hash: 9bebf44c00ff262be129acd387e42367b5445847e20f5ee88307f5ad22fc3265
Instruction Fuzzy Hash: B021E774E00209DFDF44EFA8D8959AEBBB1FF88304F10856AE415A7355DB346E02CB91

Uniqueness

Uniqueness Score: -1.00%

Function 04A799B5, Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254584980.0000000004A70000.00000040.00000001.sdmp, Offset: 04A70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1322ef12e0b37af7c74497d7b7c9bb2e5ba750a0064215b6dc4ec982b4cb8d76
Instruction ID: b55e9d9afcb56321820215faaa9b179c4f4925190b7f1ce2d18f3d972bb8acac
Opcode Fuzzy Hash: 1322ef12e0b37af7c74497d7b7c9bb2e5ba750a0064215b6dc4ec982b4cb8d76
Instruction Fuzzy Hash: 2D017C7494BA1D9FC702EB78D9822DE7FB0FB45200F0480FAC854D7A92D3359597CAA0

Uniqueness

Uniqueness Score: -1.00%

Function 04A750B0, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254584980.0000000004A70000.00000040.00000001.sdmp, Offset: 04A70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 064b2571ac739b92dae7a2878d1b9cb24f599ef8405e963b8fdac6119366dc2e
Instruction ID: 3f1be2b3f2411f5a0284d07ebe069265a33847027d6b0c2b76e3441735accb12
Opcode Fuzzy Hash: 064b2571ac739b92dae7a2878d1b9cb24f599ef8405e963b8fdac6119366dc2e
Instruction Fuzzy Hash: DB118C70D0A648EFEB14DFA9D98099EFBB1EF86300F24D0EAD405A7650E734AB00DB55

Uniqueness

Uniqueness Score: -1.00%

Function 04A750C0, Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254584980.0000000004A70000.00000040.00000001.sdmp, Offset: 04A70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0029c9ef9893a118fca41ee2c674105fcb0e8d87e67a08f439929771c99372f6
Instruction ID: 3e440936f00d2f29503a4a8883ca7bfe43ce0b81ddd4bc808775f5b1d8da20a8
Opcode Fuzzy Hash: 0029c9ef9893a118fca41ee2c674105fcb0e8d87e67a08f439929771c99372f6
Instruction Fuzzy Hash: 7B113C70E06208FFDB14DFA9D9805AEFBF5EF85201F2494AA8415A7650E634AB009F55

Uniqueness

Uniqueness Score: -1.00%

Function 04A72FD8, Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254584980.0000000004A70000.00000040.00000001.sdmp, Offset: 04A70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ae9d5a4ffd46fd8c04f740d39279c0ffdd85944b7b02d72a638b82c61a788e3
Instruction ID: 6792a21d51f042e15f16b880442ada4ce1633593839204e0e17a7a4ee6acbca6
Opcode Fuzzy Hash: 9ae9d5a4ffd46fd8c04f740d39279c0ffdd85944b7b02d72a638b82c61a788e3
Instruction Fuzzy Hash: A011F578E01108EFDB04DFA9C944A9EFBF6FB88300F55C599D919AB365DA30AE11DB40

Uniqueness

Uniqueness Score: -1.00%

Function 04A70007, Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254584980.0000000004A70000.00000040.00000001.sdmp, Offset: 04A70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bfe118514654cf964377d28db8c3d64c3284925dddcf4c5bfcb10ddf119eabd5
Instruction ID: b3f68a26daa7eee5f01b3be0229fc929f7fff04c1b02d430764018267d7761d0
Opcode Fuzzy Hash: bfe118514654cf964377d28db8c3d64c3284925dddcf4c5bfcb10ddf119eabd5
Instruction Fuzzy Hash: 10014BA184E7C15FC3079BB45C29285BF74AF07209F1A41DBC4C5CB2A3E22C0A6AC763

Uniqueness

Uniqueness Score: -1.00%

Function 00C805D0, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.250943504.0000000000C80000.00000040.00000040.sdmp, Offset: 00C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80dd0da72501f168949f75f111ea31a7af68a63eee84bc2a7791718c1956dac9
Instruction ID: 6d78e36e82e54d3d2f50265ef35aec3926c4a5dea08df2a507e04f53ae723706
Opcode Fuzzy Hash: 80dd0da72501f168949f75f111ea31a7af68a63eee84bc2a7791718c1956dac9
Instruction Fuzzy Hash: B701D6B65093806FC7118F1AEC40897BFE8EF4723071980ABEC498B212D135A909CB71

Uniqueness

Uniqueness Score: -1.00%

Function 04A7867F, Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254584980.0000000004A70000.00000040.00000001.sdmp, Offset: 04A70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0c1c1deb013db872e1a54d8a9e68eb71c9489457f67bbc0282543ea54be0c10
Instruction ID: 5a9712ea795c53203ff7dfed8dab632113bc9cd6622b302cce23cb9ee0b474eb
Opcode Fuzzy Hash: b0c1c1deb013db872e1a54d8a9e68eb71c9489457f67bbc0282543ea54be0c10
Instruction Fuzzy Hash: 6E019AB191A345AFC7429FA8D4D26DAFFB0EF52304F0180DAE89486256E3340A26CF56

Uniqueness

Uniqueness Score: -1.00%

Function 04A76121, Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254584980.0000000004A70000.00000040.00000001.sdmp, Offset: 04A70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14cce781a30b9d54e5b7bd0a8196cbc815ebd5610aed0d8ddf3488ab0d0270ca
Instruction ID: 6ec523893e36b1dac8e4e7f523cfe4417ab0ffd49c8dfd15cf883f95934e9f89
Opcode Fuzzy Hash: 14cce781a30b9d54e5b7bd0a8196cbc815ebd5610aed0d8ddf3488ab0d0270ca
Instruction Fuzzy Hash: 53110334A012189FCB61DBA4CC48AADBBB6BB4D300F4045A5E509A7260DB305E84CF00

Uniqueness

Uniqueness Score: -1.00%

Function 04A7D5C0, Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254584980.0000000004A70000.00000040.00000001.sdmp, Offset: 04A70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81aee39cedd5e65331acbcbfa6e359a109950370c36c3b5fa47b9fcb54d5159c
Instruction ID: 0caa883eafebc195ac2cd82a63bf1e7a46d3fd0e6b1057f5db9ca528fce23563
Opcode Fuzzy Hash: 81aee39cedd5e65331acbcbfa6e359a109950370c36c3b5fa47b9fcb54d5159c
Instruction Fuzzy Hash: 9801EC74D00209DBDF04EF98D54599DFBB1FF44300F20869AE815A7356DB709A01CBD5

Uniqueness

Uniqueness Score: -1.00%

Function 00C80818, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.250943504.0000000000C80000.00000040.00000040.sdmp, Offset: 00C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3f6f7c96804cda76668e35a3bbcf86681c06fe62140db942cdcb6afdd34f29c
Instruction ID: 504d062f3c00bae7417c78dfd0f87fbeabc2a3b810b54bfdf819528bf6524d45
Opcode Fuzzy Hash: c3f6f7c96804cda76668e35a3bbcf86681c06fe62140db942cdcb6afdd34f29c
Instruction Fuzzy Hash: 6CF0FB35204644DFC206DF40D940B15FBA6EB89718F24C6A9E9591B652C337A913DF85

Uniqueness

Uniqueness Score: -1.00%

Function 05494A00, Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.256041150.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53d77514d71ffda22ff0bd0522d3547edb080e9e989b5a096c4a12670e124aaa
Instruction ID: d185939b7c3a15ef1bf2e267a73287bfabd2b00013a13a5947ccbade5ad5da85
Opcode Fuzzy Hash: 53d77514d71ffda22ff0bd0522d3547edb080e9e989b5a096c4a12670e124aaa
Instruction Fuzzy Hash: A2E06D349942089BEF04EF60E80A7EEBF78F741301F205696D80523792DB745A439699

Uniqueness

Uniqueness Score: -1.00%

Function 00C805F6, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.250943504.0000000000C80000.00000040.00000040.sdmp, Offset: 00C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3601242bb13f2b340091ffaa3da27a57cc2c164f43445782fc7e2cfc80ad43f0
Instruction ID: 100a806bc1d25a92157427a2a0d851cb77409dd3199d1bc14329fe5a0d9ef006
Opcode Fuzzy Hash: 3601242bb13f2b340091ffaa3da27a57cc2c164f43445782fc7e2cfc80ad43f0
Instruction Fuzzy Hash: 69E06D766006005B9750CF0AEC41466F798EB84630718C07FDC0D8B701D136B5048EA6

Uniqueness

Uniqueness Score: -1.00%

Function 04A71D95, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254584980.0000000004A70000.00000040.00000001.sdmp, Offset: 04A70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aadb805c4f1130650e8e8ba58b7f4065275bdf5d447d9b529d62f9e8718fe7db
Instruction ID: d2f57125b0aa11ffeb9ab728f67955e67f822c587dda96d77e19c55f35207845
Opcode Fuzzy Hash: aadb805c4f1130650e8e8ba58b7f4065275bdf5d447d9b529d62f9e8718fe7db
Instruction Fuzzy Hash: 38F097B8901358CFCBA0CF55D844A9CBBB0FB59311F2062D5D469A7351D630AA828F40

Uniqueness

Uniqueness Score: -1.00%

Function 04A7BF30, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254584980.0000000004A70000.00000040.00000001.sdmp, Offset: 04A70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6eb7366b14c50072dc14bc3acd8cfee953957e23900b7cac75cebff5b1f30ba1
Instruction ID: 205e33e8fbc2921bcbae75e1e9a87b56fe0ded93beda37ba6739b66577184aa7
Opcode Fuzzy Hash: 6eb7366b14c50072dc14bc3acd8cfee953957e23900b7cac75cebff5b1f30ba1
Instruction Fuzzy Hash: 2DF0B278E0120DEBCB04EFA8D5419AEFBB1FF48304F20869A9804A7355DB30AA41CB85

Uniqueness

Uniqueness Score: -1.00%

Function 04A7923F, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254584980.0000000004A70000.00000040.00000001.sdmp, Offset: 04A70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d0482fe3e913db30d72b94f81a20a5f7c9491a61c482e959ec84997dca04612
Instruction ID: f251699ba1eaddba9f748e95105cc58fa953769bc6cd32283fb6ee92e74620e7
Opcode Fuzzy Hash: 7d0482fe3e913db30d72b94f81a20a5f7c9491a61c482e959ec84997dca04612
Instruction Fuzzy Hash: 21F0F2B4D042489FDB84EFA8D8446A9BBF4FB49300F1041EAD818D7351D3706A51CB95

Uniqueness

Uniqueness Score: -1.00%

Function 04A791B0, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254584980.0000000004A70000.00000040.00000001.sdmp, Offset: 04A70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 270754d740201c94c3cbbf8ca78bbe4e460bb1c156e699d7d86f85f6857b93e4
Instruction ID: 82206aa04b5f4dcc60f24115d3b0afd488f4cba58f30f1266c266269c36ba1fa
Opcode Fuzzy Hash: 270754d740201c94c3cbbf8ca78bbe4e460bb1c156e699d7d86f85f6857b93e4
Instruction Fuzzy Hash: 2BF08C70D042089FCB44DFA8D84469DBBB0FF18300F1080AAEC14E7351D230AA50CB55

Uniqueness

Uniqueness Score: -1.00%

Function 04A79287, Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254584980.0000000004A70000.00000040.00000001.sdmp, Offset: 04A70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 708d3fe8911b8fbf801973f5402d4028f9bcb15b5064fdb4a149fadf81670474
Instruction ID: 0b84220473b705fb51a0e5b1638dc4a9dc86319b9cc42765f3f1b4eeef36625f
Opcode Fuzzy Hash: 708d3fe8911b8fbf801973f5402d4028f9bcb15b5064fdb4a149fadf81670474
Instruction Fuzzy Hash: 4AE03274D052089FC740EFB8D488689BBF0EF0A310F0501EADC849B361E630AA45CB81

Uniqueness

Uniqueness Score: -1.00%

Function 05494A10, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.256041150.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f655b6553df8115481fb95d26ae53b46bb4b93f39b8c64a0d415a0f179a8add
Instruction ID: 59cf8058303ce5290ab4f5afeeb293bf17091fdc82005b6a78fb1152f975ce27
Opcode Fuzzy Hash: 0f655b6553df8115481fb95d26ae53b46bb4b93f39b8c64a0d415a0f179a8add
Instruction Fuzzy Hash: 6CE04F34965208DBDF04EFA0E50A6ADBF78FB05702F101696D80523391DF701946DB9A

Uniqueness

Uniqueness Score: -1.00%

Function 04A75072, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254584980.0000000004A70000.00000040.00000001.sdmp, Offset: 04A70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d256e0b1e2285f7961ed6073415a0e4393310fce70f1a68853a250190a0c6811
Instruction ID: 5c30a7f791d6101b81a941acfdd5acc893b5acd4e4a24e3a783b437901b534b7
Opcode Fuzzy Hash: d256e0b1e2285f7961ed6073415a0e4393310fce70f1a68853a250190a0c6811
Instruction Fuzzy Hash: FFE0867080A2D49FC741EBBC58752DEBFF0AF07205F1401EAD88487292E2306A61CBD6

Uniqueness

Uniqueness Score: -1.00%

Function 04A78750, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254584980.0000000004A70000.00000040.00000001.sdmp, Offset: 04A70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28f7f24d1cb0b4ee6ad6fb9d91281a10c4741d5f4506c5385cf273a6bd601b7f
Instruction ID: e6f240055724076abd2212f59ad549fc700ebb1bb40b953fe0050a904809a90d
Opcode Fuzzy Hash: 28f7f24d1cb0b4ee6ad6fb9d91281a10c4741d5f4506c5385cf273a6bd601b7f
Instruction Fuzzy Hash: 6AE04F70D4528C9FCB54EFBAA8497DE7BB0AB45301F1041AD980893252D6B55614CB99

Uniqueness

Uniqueness Score: -1.00%

Function 04A786C8, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254584980.0000000004A70000.00000040.00000001.sdmp, Offset: 04A70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bcc655a464592a8ed8ad4ed6717221eb8dbd7e48262f95029b22f6edffd36f98
Instruction ID: e391087207d06404eaf0800cc7923a720a0e7bd289d3ee1724809d14d3f4fb99
Opcode Fuzzy Hash: bcc655a464592a8ed8ad4ed6717221eb8dbd7e48262f95029b22f6edffd36f98
Instruction Fuzzy Hash: F7E09A74E0120CAFCB54EFA9E84569DBBB5AB44300F2081AE9844A7390EA745A51CB95

Uniqueness

Uniqueness Score: -1.00%

Function 04A791C0, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254584980.0000000004A70000.00000040.00000001.sdmp, Offset: 04A70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2519e32ca3d2273a00187691bcbdfa65fd5f001d31ea269425aca2de02c86df0
Instruction ID: f04bb614f04afc1fe1eba5ab6e882182db2be1999476e6cad98ae2e501944706
Opcode Fuzzy Hash: 2519e32ca3d2273a00187691bcbdfa65fd5f001d31ea269425aca2de02c86df0
Instruction Fuzzy Hash: 5EE01274D00208DFCB44EFA8D84559EBBF4FB08300F1081AADC14A3350D7705A50CF95

Uniqueness

Uniqueness Score: -1.00%

Function 04A79202, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254584980.0000000004A70000.00000040.00000001.sdmp, Offset: 04A70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0df71c09ffc7d83241f4fdae5b0488b5f3b4faa9e439d06bc4c0a1772471d27
Instruction ID: 77588067ced8d0797435c6e5ae76377c8bf6d1d52974a8c6422bb50f9916a959
Opcode Fuzzy Hash: b0df71c09ffc7d83241f4fdae5b0488b5f3b4faa9e439d06bc4c0a1772471d27
Instruction Fuzzy Hash: 3DE04F70D092849FCB45EBBC985469EBFB0EF1A204F1581EFC8489B262D6701914CB51

Uniqueness

Uniqueness Score: -1.00%

Function 04A71D26, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254584980.0000000004A70000.00000040.00000001.sdmp, Offset: 04A70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95a907543e75e38916816ccb16a32a5e8afab9c0acc285af9225145f144544d1
Instruction ID: 640255c22c1eb06e015847e177fc8e524d329481920761e059255b05f448334f
Opcode Fuzzy Hash: 95a907543e75e38916816ccb16a32a5e8afab9c0acc285af9225145f144544d1
Instruction Fuzzy Hash: F4F02278E01758CFCBA0CF55D884AD9BBB1FB49311F1150E9E849A7311D630AE81CF40

Uniqueness

Uniqueness Score: -1.00%

Function 04A78760, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254584980.0000000004A70000.00000040.00000001.sdmp, Offset: 04A70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c985d41aef08bbef0aff443930669aa2ef46cadf2aeba5fee14fa49839104065
Instruction ID: d30b3543ba953900ef57aac8193362d2e711b31076bac79b987e196d9e27c6ff
Opcode Fuzzy Hash: c985d41aef08bbef0aff443930669aa2ef46cadf2aeba5fee14fa49839104065
Instruction Fuzzy Hash: B0D05E70D4120C9BC754FFBDA9056AEBBF4AB41300F1081B98408A3341D6746A10CBAE

Uniqueness

Uniqueness Score: -1.00%

Function 04A75038, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254584980.0000000004A70000.00000040.00000001.sdmp, Offset: 04A70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5d5ab0a227cfd32b3d6c978d4680decdfe9a27160ca50bd68f5492cdd6a5548
Instruction ID: 993ae8118d1d5d36615c4f94f7d94ba585124ff57326ee1ca86e0e8915506769
Opcode Fuzzy Hash: e5d5ab0a227cfd32b3d6c978d4680decdfe9a27160ca50bd68f5492cdd6a5548
Instruction Fuzzy Hash: E4D02B700093889FC751DFB85C196153F744B07200F0004E6D804C31A3C1755511C7BA

Uniqueness

Uniqueness Score: -1.00%

Function 008923F4, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.250582184.0000000000892000.00000040.00000001.sdmp, Offset: 00892000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 002b67f8b2fc539ca6ace82ab9349465bdf0b50b13ccc0e131c98554d96ee3c3
Instruction ID: 5a7e7ef63aa0c6f0ef54d24df9712ac2d56edcaf89465ad226792471b711e992
Opcode Fuzzy Hash: 002b67f8b2fc539ca6ace82ab9349465bdf0b50b13ccc0e131c98554d96ee3c3
Instruction Fuzzy Hash: A6D05E79305A815FD726DA1CD1A8B953B94FB61B04F4A44FDE800CB663C368D981D600

Uniqueness

Uniqueness Score: -1.00%

Function 05494E80, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.256041150.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 186524f080870c2c7961b389dc95748b868b624aa4703ede304be73d68e60a10
Instruction ID: 850599abdde5ad89b1fe343d2ca72d2cfa343e807f04aa50ba964a013a767d80
Opcode Fuzzy Hash: 186524f080870c2c7961b389dc95748b868b624aa4703ede304be73d68e60a10
Instruction Fuzzy Hash: F0E012B880A6C84EDF418FA8E8945EDBFF86F0A310F14409AD590AB257D37542459F50

Uniqueness

Uniqueness Score: -1.00%

Function 04A7239D, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254584980.0000000004A70000.00000040.00000001.sdmp, Offset: 04A70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93a3912185076e75779d915aa0db32f6c33a5610a03079ddec6f544aac2fae14
Instruction ID: 2bbab9926bf8a7f8b1aaab8fa6bfebc087ddf8ed0ed5006f71e0b826afa4fe22
Opcode Fuzzy Hash: 93a3912185076e75779d915aa0db32f6c33a5610a03079ddec6f544aac2fae14
Instruction Fuzzy Hash: 0AE09279602314CFC764CF24C9948987BB2FF4A312F5011D8E4066B360CB31EA81CF00

Uniqueness

Uniqueness Score: -1.00%

Function 008923BC, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.250582184.0000000000892000.00000040.00000001.sdmp, Offset: 00892000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90af7832fd8db9dff60069b0ca451f94d7d5c269656d8a3b2962e43992e5a7a6
Instruction ID: 1a67f733bc03c26fda6c508519b861dae4293232d66fabfb070927890878d2aa
Opcode Fuzzy Hash: 90af7832fd8db9dff60069b0ca451f94d7d5c269656d8a3b2962e43992e5a7a6
Instruction Fuzzy Hash: 87D017342002814BCB25EA0CC194F5937D4BB81B00F0A44E9AC008B762C7A8D881D600

Uniqueness

Uniqueness Score: -1.00%

Function 054943D8, Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.256041150.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03f7fdb7f3fedcab2b94c31c10a92b2f9dd4b614467e40a8127d32d0d3549f3b
Instruction ID: e977144eaa0e64ef28669070305e187e8862d758617f8adf9e24908921723616
Opcode Fuzzy Hash: 03f7fdb7f3fedcab2b94c31c10a92b2f9dd4b614467e40a8127d32d0d3549f3b
Instruction Fuzzy Hash: 53D06CB4D00218CFCB58CFA8C5446DCBBF9BB09301B20816AD409AB351DB31590ADF00

Uniqueness

Uniqueness Score: -1.00%

Function 04A7709F, Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254584980.0000000004A70000.00000040.00000001.sdmp, Offset: 04A70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 669d24001589d6c95dc896ed9afa582f1a05bea9b86a47e1f5f5fc994ea3e76b
Instruction ID: f4494bfa0f2deef37ddd7c65cabe8813b13aad53feb36d39c8d46a90761efd53
Opcode Fuzzy Hash: 669d24001589d6c95dc896ed9afa582f1a05bea9b86a47e1f5f5fc994ea3e76b
Instruction Fuzzy Hash: 59E0EC34D9135ADFCB20DF60C84899DBBB5FB44340F4046DA8815A2310DB745E81CF08

Uniqueness

Uniqueness Score: -1.00%

Function 04A70070, Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254584980.0000000004A70000.00000040.00000001.sdmp, Offset: 04A70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30851cacfefaa46ca4d66eaa3b4a621633db76499b69326c93f2e32984ec4bb5
Instruction ID: 567339b7c06875988daebb96e4d4a33ed09158e57568a067a7b541f592f0bb34
Opcode Fuzzy Hash: 30851cacfefaa46ca4d66eaa3b4a621633db76499b69326c93f2e32984ec4bb5
Instruction Fuzzy Hash: 1BC08070505208DBC310EFF9AC0D717779CF706316F104165D40CC3251E6719550C6F6

Uniqueness

Uniqueness Score: -1.00%

Function 05494301, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.256041150.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b569190e0c5859bd32ca1ab50d587580b15cbdaba53621f3b8513511001c0522
Instruction ID: ad94501e20782b20978a4e4b944112b69ad11341f96319e50818a4b0c6ae92cd
Opcode Fuzzy Hash: b569190e0c5859bd32ca1ab50d587580b15cbdaba53621f3b8513511001c0522
Instruction Fuzzy Hash: FBD09E3444E6408FDB099F28E94D5787FB0BF06246F1104F299199B5A2C6651E04AE91

Uniqueness

Uniqueness Score: -1.00%

Function 04A70785, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254584980.0000000004A70000.00000040.00000001.sdmp, Offset: 04A70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1af0a7cc54c01188862a415e1726bc2a70add8829717014dab18c320a952f5ba
Instruction ID: 26e0bfd63c7fa35e04443ad0503e8186c1429b3cbbbbce94ab51bfc3dc05166e
Opcode Fuzzy Hash: 1af0a7cc54c01188862a415e1726bc2a70add8829717014dab18c320a952f5ba
Instruction Fuzzy Hash: 0FD05E30D1A319EFCF10CF54E880B8CBBB9FB00200F0089A99405E6214D7305A88CF11

Uniqueness

Uniqueness Score: -1.00%

Function 05494334, Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.256041150.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 544ad14a5f62206c783087469bb320403495734181c998b4c7e28c2680c778ee
Instruction ID: 69e12cf6c077454cc23864b75166bf643d0078b48fbb187d159308c01d7687bc
Opcode Fuzzy Hash: 544ad14a5f62206c783087469bb320403495734181c998b4c7e28c2680c778ee
Instruction Fuzzy Hash: 1AC04C70C06258CECFE4CF64D5403DCBAF4BB09344F50C495844CE3300DA701A8A9F00

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 04A71620, Relevance: 1.4, Strings: 1, Instructions: 151COMMON

Download Yara Rule

Strings

Q9, xrefs: 04A71725

Memory Dump Source

Source File: 00000000.00000002.254584980.0000000004A70000.00000040.00000001.sdmp, Offset: 04A70000, based on PE: false

Similarity

API ID:
String ID: Q9
API String ID: 0-3179083490
Opcode ID: 69a35b109aae3976e457a3cb37d31f237c0cce468d9cfeb5dc9db17883f130f0
Instruction ID: 20c2df9c2faacd798fae0f13cabd7891c417b50a11944cffc4e3e406ec4a12dd
Opcode Fuzzy Hash: 69a35b109aae3976e457a3cb37d31f237c0cce468d9cfeb5dc9db17883f130f0
Instruction Fuzzy Hash: E9610274E0520ADFCB14CFA5C9809AEBBF1FB49300F28965AD415BB315E334AA41DFA5

Uniqueness

Uniqueness Score: -1.00%

Function 04A79488, Relevance: .2, Instructions: 195COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254584980.0000000004A70000.00000040.00000001.sdmp, Offset: 04A70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b44aefaa555fc224bb627037a80de1c51aa7787ed91fa52975fb76fba5904ad
Instruction ID: 9d443bcc906a71e3ccf20f5bd5c2616b65c793f1a265fa38ecaddbbdf56bb71c
Opcode Fuzzy Hash: 5b44aefaa555fc224bb627037a80de1c51aa7787ed91fa52975fb76fba5904ad
Instruction Fuzzy Hash: 05910874D04258DFDB14DFA9C58059DFBB6BF89304F24C6AAC414AB35AD730AA42CF50

Uniqueness

Uniqueness Score: -1.00%

Function 04A78B48, Relevance: .2, Instructions: 182COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254584980.0000000004A70000.00000040.00000001.sdmp, Offset: 04A70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2bc6394e29f98d190dd77d045d8e16eaf2e2f8b59b2672a1c8443ec2da81675
Instruction ID: 5aa0ee8823d22e8967faef38d334f926f6b44934410ed310b1e8438bd768e651
Opcode Fuzzy Hash: f2bc6394e29f98d190dd77d045d8e16eaf2e2f8b59b2672a1c8443ec2da81675
Instruction Fuzzy Hash: 22812A74D04258DFDB14DFA9C58459DFBB2BF89304F24C6AAC814AB359D734AA42CF90

Uniqueness

Uniqueness Score: -1.00%

Function 04A73661, Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254584980.0000000004A70000.00000040.00000001.sdmp, Offset: 04A70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 953d5046baa975925cd1e47f269f0fee9f4c756e27440121162a47d95d911881
Instruction ID: 38e5d0688c283d6cf1643cb965466b27dfe3469a211694c47df7bbb0ba2dbc41
Opcode Fuzzy Hash: 953d5046baa975925cd1e47f269f0fee9f4c756e27440121162a47d95d911881
Instruction Fuzzy Hash: 2A71DD74E25219EFCB54CFA9D88499EBBF1FF89300F15859AE815AB321D334AA40DF11

Uniqueness

Uniqueness Score: -1.00%

Function 04A73670, Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254584980.0000000004A70000.00000040.00000001.sdmp, Offset: 04A70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65e70c40065486e480006728d74c5cc0bbfc5ff52545764ab5c52adf790e2d84
Instruction ID: c469edf08932b0e3fc91299fd77fbe6af151fc5ce1c8cfa988ff14c0035fb154
Opcode Fuzzy Hash: 65e70c40065486e480006728d74c5cc0bbfc5ff52545764ab5c52adf790e2d84
Instruction Fuzzy Hash: 0671BC74E25219EFCB54CFA9D88499EBBF1FF89300F15859AE815AB310D334AA40EF51

Uniqueness

Uniqueness Score: -1.00%

Function 04A74840, Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254584980.0000000004A70000.00000040.00000001.sdmp, Offset: 04A70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06719aeacb3dc6e6f14e69347217b818a5abacd7b73ee3c22fda551017b822d7
Instruction ID: c6c09390873bb7f48a026c37b72b35a6f35a90c75e14d5f621a61acf99ebc45c
Opcode Fuzzy Hash: 06719aeacb3dc6e6f14e69347217b818a5abacd7b73ee3c22fda551017b822d7
Instruction Fuzzy Hash: 3D61E2B4E1565A9FCF04CFA9C9805EEFBF2FB89200F14956AD415B7214E338AA41CF54

Uniqueness

Uniqueness Score: -1.00%

Function 04A74850, Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254584980.0000000004A70000.00000040.00000001.sdmp, Offset: 04A70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 757fbf5eb5e3dca7b33a188502b9d7f608a1337f96f399c0d3ff593f18156cb6
Instruction ID: 892c30fa00da572c2640048ac313508ca963a57f2bcee8979d0f4ed362a607e5
Opcode Fuzzy Hash: 757fbf5eb5e3dca7b33a188502b9d7f608a1337f96f399c0d3ff593f18156cb6
Instruction Fuzzy Hash: C561C2B4E1561ADFCF04CFAAC9809AEFBF1FB89201F10956AD415B7214E338AA41CF54

Uniqueness

Uniqueness Score: -1.00%

Function 04A740B8, Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254584980.0000000004A70000.00000040.00000001.sdmp, Offset: 04A70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48adfeab1d1e7466cd294f2b50e1662487a16912a4f7d40bfcb2bb3619016971
Instruction ID: 15b523200d79b3b7d68b06110e76a0a0729656ad6cdaaebafcaa7755d0811da8
Opcode Fuzzy Hash: 48adfeab1d1e7466cd294f2b50e1662487a16912a4f7d40bfcb2bb3619016971
Instruction Fuzzy Hash: 7F511474E16219DFCB14CFA9D9809AEFBF1FF49340F15859AE805AB211D330AA40CF95

Uniqueness

Uniqueness Score: -1.00%

Function 04A740C8, Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254584980.0000000004A70000.00000040.00000001.sdmp, Offset: 04A70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9dc1119810aa2821822079a1bc9301e0fab53320d4ebb667b307e08a16a9cf1
Instruction ID: 879e1bd663c65bd898b887210b18694363ee94c3814efd51058bce6f81d48dc3
Opcode Fuzzy Hash: c9dc1119810aa2821822079a1bc9301e0fab53320d4ebb667b307e08a16a9cf1
Instruction Fuzzy Hash: 7E51E274E1621ADFCB14DFA9D9809AEFBB1FF48350F11855AE805BB210D730AA40CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 04A74358, Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254584980.0000000004A70000.00000040.00000001.sdmp, Offset: 04A70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f30b2641d7fa0092e965a725ac35efd56a18f79023697adc9247d709fab61d0
Instruction ID: a9afe173a659ab86cfe59bbf907bb9097e36c10694312b175c46345691508e42
Opcode Fuzzy Hash: 0f30b2641d7fa0092e965a725ac35efd56a18f79023697adc9247d709fab61d0
Instruction Fuzzy Hash: A55126B0E45249DFDF14CFA8CA805EEBBB1BF59300F14955AD405BB250D334AA41EF65

Uniqueness

Uniqueness Score: -1.00%

Function 04A74A90, Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254584980.0000000004A70000.00000040.00000001.sdmp, Offset: 04A70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fddd6ba2462716ad14e2da26d527621e11473dae4f92b8efc31f5780909f174
Instruction ID: 0922684b454b17d799efb2a298c3d03a2c2fac175672d2086e8ae8a51d121bde
Opcode Fuzzy Hash: 5fddd6ba2462716ad14e2da26d527621e11473dae4f92b8efc31f5780909f174
Instruction Fuzzy Hash: BA411575D0521ADFCB14CFA9C9815EEFBB1FF89300F6085AAC411AB214E734AA41DB99

Uniqueness

Uniqueness Score: -1.00%

Function 04A746D0, Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254584980.0000000004A70000.00000040.00000001.sdmp, Offset: 04A70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6227d77cd9251c0aacd030f35cb3d1ec9fca1d01ede21cb15b905dcbd27c1eaa
Instruction ID: 5d45270458e2f7f32a825c95609e37f59b3c39bedf6351d1eddaa9d1df0e9e3c
Opcode Fuzzy Hash: 6227d77cd9251c0aacd030f35cb3d1ec9fca1d01ede21cb15b905dcbd27c1eaa
Instruction Fuzzy Hash: 954125B4E0520A9FCB14CFAAC8814EEFBF1FF89300F10946AC415AB254E734AA41DF95

Uniqueness

Uniqueness Score: -1.00%

Function 04A74AA0, Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254584980.0000000004A70000.00000040.00000001.sdmp, Offset: 04A70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d86ed937eaecb72ab4b571a3883badb11b51091807e36a9781ef4596ffd0e602
Instruction ID: 242e2476f859673105d382e3fcb583755da539100eb2903c83d9bc1cf7157047
Opcode Fuzzy Hash: d86ed937eaecb72ab4b571a3883badb11b51091807e36a9781ef4596ffd0e602
Instruction Fuzzy Hash: 1F413971D0521ADFCB04CF96C9815AEFBB1FF88300F6095AAC425BB214E734AA41DF99

Uniqueness

Uniqueness Score: -1.00%

Function 04A746E0, Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254584980.0000000004A70000.00000040.00000001.sdmp, Offset: 04A70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7574f06dc2b84a3ac97276d2ac0f52b9061b3fb1cd9fdd123d29cbdc5d8b46a
Instruction ID: 5012c7012420d071f77ea38b5b6e7502fc97b570260d034e9f9fbc01d7e605c5
Opcode Fuzzy Hash: d7574f06dc2b84a3ac97276d2ac0f52b9061b3fb1cd9fdd123d29cbdc5d8b46a
Instruction Fuzzy Hash: 8541F2B4E0520ADBCB14CFAAC9815AEFBF1FF89300F10D46AC415AB254E734AA419F94

Uniqueness

Uniqueness Score: -1.00%

Function 04A70099, Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254584980.0000000004A70000.00000040.00000001.sdmp, Offset: 04A70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42611f4de3571822e0126b6eaba5028153ea46671b3320bc4b0ad8fa543b29a4
Instruction ID: c43a64292cdd1ba5f320936ae772aa7445abf3e87ecc519548fe904123b2e711
Opcode Fuzzy Hash: 42611f4de3571822e0126b6eaba5028153ea46671b3320bc4b0ad8fa543b29a4
Instruction Fuzzy Hash: 2321C771E056188FEB18CF6BD84469EBBF3AFC9310F15C0BAD848AA265E77059428F51

Uniqueness

Uniqueness Score: -1.00%

Function 04A78100, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254584980.0000000004A70000.00000040.00000001.sdmp, Offset: 04A70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c7a2fa0cc530d9830d44208d380a5807950840a2e22d1c444ff228ce6ea2765
Instruction ID: 051bad5f4a7f3f3d68c4e7359e1027aa4d0ad346715d473a97e0468e2603149f
Opcode Fuzzy Hash: 9c7a2fa0cc530d9830d44208d380a5807950840a2e22d1c444ff228ce6ea2765
Instruction Fuzzy Hash: 832135B1E066099FCB18DFAAC8450DEFBB2BF89200F14C96EC054AB211EB3856028F54

Uniqueness

Uniqueness Score: -1.00%

Function 04A78110, Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254584980.0000000004A70000.00000040.00000001.sdmp, Offset: 04A70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38487c78bc0c3d99d02583f20e4dc80d0f55c58ecda62b49891365438168a8f2
Instruction ID: a2c547aa3c2caf3187e12f89ba1a755b75be50703da60d56b7f42199552149bf
Opcode Fuzzy Hash: 38487c78bc0c3d99d02583f20e4dc80d0f55c58ecda62b49891365438168a8f2
Instruction Fuzzy Hash: 44211A71E06619DFDB28DFAAC84549EFBF2BB89340F14C52EC415BB211EB3856029F54

Uniqueness

Uniqueness Score: -1.00%

Function 053B09AA, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.255842427.00000000053B0000.00000004.00000001.sdmp, Offset: 053B0000, based on PE: true

Associated: 00000000.00000002.255937817.0000000005410000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42ef1cfaf66b12e0eadb91f9ae565d9143f2db6134aacd6965c99cfb34d8d3af
Instruction ID: f318df4b92a86501e058ba3af051fba8cf24d3bda98a82ca8f08611194faa05a
Opcode Fuzzy Hash: 42ef1cfaf66b12e0eadb91f9ae565d9143f2db6134aacd6965c99cfb34d8d3af
Instruction Fuzzy Hash: 4401283600E3C19FD7139FB8DDA66C17FB1EE9721030A42C6D081CE0A7D668A559DB22

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: NXKfWP9SPF0XHRu.exe PID: 768 Parent PID: 5952 NXKfWP9SPF0XHRu.exeCOMMON

Executed Functions

Function 05042353, Relevance: 1.6, APIs: 1, Instructions: 81networkCOMMON

Download Yara Rule

APIs

bind.WS2_32(?,00000E2C,47F0AD4C,00000000,00000000,00000000,00000000), ref: 050423E7

Memory Dump Source

Source File: 00000003.00000002.511687982.0000000005040000.00000040.00000001.sdmp, Offset: 05040000, based on PE: false

Similarity

API ID: bind
String ID:
API String ID: 1187836755-0
Opcode ID: 13cf2b9fdbe252cf5576aec51e48d5391ff7608b3e01997d67f17afe32e1e532
Instruction ID: 0d5586d626185ab69637af0cc50449185fe6ddc7ec2b7aba4da00d5924056ad8
Opcode Fuzzy Hash: 13cf2b9fdbe252cf5576aec51e48d5391ff7608b3e01997d67f17afe32e1e532
Instruction Fuzzy Hash: 1B2171B55093806FE7228B65DC44FA6BFF8EF46310F0884EBE944DF192D264A549CB71

Uniqueness

Uniqueness Score: -1.00%

Function 05040EF3, Relevance: 1.6, APIs: 1, Instructions: 75COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 05040F73

Memory Dump Source

Source File: 00000003.00000002.511687982.0000000005040000.00000040.00000001.sdmp, Offset: 05040000, based on PE: false

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: a95608612a581d8150fd962b2b2ee5a2765098d0f2584478ced08e979973700a
Instruction ID: 631c068ac3a6a933435b8c8210cbf9b49fbe1d6e8259908c125c8ef22dd274f9
Opcode Fuzzy Hash: a95608612a581d8150fd962b2b2ee5a2765098d0f2584478ced08e979973700a
Instruction Fuzzy Hash: EF21BF76509380AFDB228F25DC45B52BFF4AF06210F0884EAE9858F563D275A908CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0504112F, Relevance: 1.6, APIs: 1, Instructions: 64nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL ref: 050411A5

Memory Dump Source

Source File: 00000003.00000002.511687982.0000000005040000.00000040.00000001.sdmp, Offset: 05040000, based on PE: false

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: 14451d3b4060bc78d5d7533590d3c5e4566ae7b639755e633adf8648944c9204
Instruction ID: 46735958a912c153da7e386665fcc96337df3cd9d004cf21cf17ea2af8ba2d06
Opcode Fuzzy Hash: 14451d3b4060bc78d5d7533590d3c5e4566ae7b639755e633adf8648944c9204
Instruction Fuzzy Hash: 0921AEB14097C09FDB238B21EC41A62FFB4EF16314F0D84DBE9848B1A3D365A549DB62

Uniqueness

Uniqueness Score: -1.00%

Function 05042386, Relevance: 1.6, APIs: 1, Instructions: 62networkCOMMON

Download Yara Rule

APIs

bind.WS2_32(?,00000E2C,47F0AD4C,00000000,00000000,00000000,00000000), ref: 050423E7

Memory Dump Source

Source File: 00000003.00000002.511687982.0000000005040000.00000040.00000001.sdmp, Offset: 05040000, based on PE: false

Similarity

API ID: bind
String ID:
API String ID: 1187836755-0
Opcode ID: 12ca5b80b4b866a5ded707b867d755c53d556097a62e01bb57c25068d87800e0
Instruction ID: 5f998736035382805f23cd656e28257f14ac7d41fabb67ef77af983836b8ed5b
Opcode Fuzzy Hash: 12ca5b80b4b866a5ded707b867d755c53d556097a62e01bb57c25068d87800e0
Instruction Fuzzy Hash: F311B2B5604300AFEB21CF16EC84FAAFBE8EF44721F0484AAED49DB241D274A544CA71

Uniqueness

Uniqueness Score: -1.00%

Function 05040F2A, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 05040F73

Memory Dump Source

Source File: 00000003.00000002.511687982.0000000005040000.00000040.00000001.sdmp, Offset: 05040000, based on PE: false

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: 6f57fc4a0d7b5ce57f714b34956596a914d08408eb4135b54b15d038d38a1cca
Instruction ID: 289feacbfdd6ba582a67d3ba980c118b0ec3f38cf669ee3edec4a2e18760e1cc
Opcode Fuzzy Hash: 6f57fc4a0d7b5ce57f714b34956596a914d08408eb4135b54b15d038d38a1cca
Instruction Fuzzy Hash: 4A119E719003009FDB20CF55E849B6AFBE4EF04220F0884BAEE4A8F652D375E508CF61

Uniqueness

Uniqueness Score: -1.00%

Function 010EAF9A, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,00000E2C,?,?), ref: 010EAFEA

Memory Dump Source

Source File: 00000003.00000002.507246289.00000000010EA000.00000040.00000001.sdmp, Offset: 010EA000, based on PE: false

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 03e306de8fad66870cc3e0d957bf123fd760e74a577140e850f4de0cf61f452d
Instruction ID: 15a899d48194b2bad292d0fb317fa8bf35ac61627ebac572b837ab7ba6ee5e0d
Opcode Fuzzy Hash: 03e306de8fad66870cc3e0d957bf123fd760e74a577140e850f4de0cf61f452d
Instruction Fuzzy Hash: 6501AD75501200ABD220DF1ADC82B26FBE8FBC8B20F18815AED084B741E231F915CBE6

Uniqueness

Uniqueness Score: -1.00%

Function 05040BB6, Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNELBASE(?), ref: 05040BE8

Memory Dump Source

Source File: 00000003.00000002.511687982.0000000005040000.00000040.00000001.sdmp, Offset: 05040000, based on PE: false

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: abc22d7c8008b77a67b7907dd8873f5adae86ecafcf617753f255210a9efd0e3
Instruction ID: fcc5669abbe443073e437b01344d287345f63dfc5994a006194d2030fa39cce5
Opcode Fuzzy Hash: abc22d7c8008b77a67b7907dd8873f5adae86ecafcf617753f255210a9efd0e3
Instruction Fuzzy Hash: 7B01A270804244CFDB20CF15E88876AFBE4EF44320F08C4AADE489F202D275A448CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0504116A, Relevance: 1.5, APIs: 1, Instructions: 38nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL ref: 050411A5

Memory Dump Source

Source File: 00000003.00000002.511687982.0000000005040000.00000040.00000001.sdmp, Offset: 05040000, based on PE: false

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: 8af1ec599114ce038bf6844b17b05a663d61ce8742b4e5fc6eaa229787d963bb
Instruction ID: b89066934d811a6bd02c5b611b8f2bb23f27d8310a1c8bab9d1d696435910d66
Opcode Fuzzy Hash: 8af1ec599114ce038bf6844b17b05a663d61ce8742b4e5fc6eaa229787d963bb
Instruction Fuzzy Hash: DD018B755042409FDB20CF45E884B6AFFE1EF08720F0CC4AADE894B622D375A498CF62

Uniqueness

Uniqueness Score: -1.00%

Function 02AFACC8, Relevance: .9, Instructions: 939COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.507710398.0000000002AF0000.00000040.00000001.sdmp, Offset: 02AF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: baf50764ece06b5b87537e5a96c3a24453189639399858bc1341f52b8d2f618e
Instruction ID: de07411ee16bb7e0ad35b295f5a414256f7dd2f3dffbb860ef5cfc852e2935c5
Opcode Fuzzy Hash: baf50764ece06b5b87537e5a96c3a24453189639399858bc1341f52b8d2f618e
Instruction Fuzzy Hash: 85925C71A00605CFCB54CFA9C484AADFBF2FF88314F158969E51AAB651DB38E941CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02AF3850, Relevance: .8, Instructions: 758COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.507710398.0000000002AF0000.00000040.00000001.sdmp, Offset: 02AF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df8b099fa0c416ab4750a5c7e1adfd1ca89f52c46fe99646152109110cb7d8c4
Instruction ID: 84bcf500d382d8f403998f2083f04a6a700601c6a9d2f6995c19a53540b98726
Opcode Fuzzy Hash: df8b099fa0c416ab4750a5c7e1adfd1ca89f52c46fe99646152109110cb7d8c4
Instruction Fuzzy Hash: EF52F571A00285CFCF55CFA9C4809A9BBB2FF85304B1985EAEA059F216CB35EC45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 02AF23A0, Relevance: .5, Instructions: 505COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.507710398.0000000002AF0000.00000040.00000001.sdmp, Offset: 02AF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b7bdddcce41f5d1c7bab973461d53a0b928baf3afaf24422e0e3aa08d1cdeb5
Instruction ID: d1d710a5814fbf026474845d3f01f1eedc02461fafe11b5a745c7a9b3e219ddd
Opcode Fuzzy Hash: 2b7bdddcce41f5d1c7bab973461d53a0b928baf3afaf24422e0e3aa08d1cdeb5
Instruction Fuzzy Hash: F112CB34A00625CFDBA4DFBAC4807ADBBF2BF84315F14812DE946EB259DB799845CB40

Uniqueness

Uniqueness Score: -1.00%

Function 02AF8468, Relevance: .5, Instructions: 505COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.507710398.0000000002AF0000.00000040.00000001.sdmp, Offset: 02AF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f07e6a74e2ba45add763160fe43ac6453409c2f66b096528dd57bbe1a44592f1
Instruction ID: 5ee9a5719103f7910a9cdbe8116094cc88025865c4fc3a378c21c6fac1514012
Opcode Fuzzy Hash: f07e6a74e2ba45add763160fe43ac6453409c2f66b096528dd57bbe1a44592f1
Instruction Fuzzy Hash: 5D12CE70A10215CFDB64CFA5C4847ADBBF2BF89304F598569E216AB284DF7C9842CF40

Uniqueness

Uniqueness Score: -1.00%

Function 02AF2FA8, Relevance: .2, Instructions: 239COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.507710398.0000000002AF0000.00000040.00000001.sdmp, Offset: 02AF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c8a9a076ba4f67e57cc753d945083bd64654913833c85237c7a41d84a5cf894
Instruction ID: d1f061c2627266f384c364a6076c958648eeab9f716b5bcca264a61dbb5cee7d
Opcode Fuzzy Hash: 9c8a9a076ba4f67e57cc753d945083bd64654913833c85237c7a41d84a5cf894
Instruction Fuzzy Hash: 2981AE31F011569BDB54DBA9D984A6EB7F3AFC4310F2A80B5E406EB369DE35DC018B90

Uniqueness

Uniqueness Score: -1.00%

Function 02AF9068, Relevance: .2, Instructions: 239COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.507710398.0000000002AF0000.00000040.00000001.sdmp, Offset: 02AF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2de4d1ecd08553c95370c8d135605bfb41499a6558d46d1d47fc5f0cb4c8bd01
Instruction ID: 36dfb9af64a8982eddc0110b14d52eae289e8486bd415abbafdedbf14c56107a
Opcode Fuzzy Hash: 2de4d1ecd08553c95370c8d135605bfb41499a6558d46d1d47fc5f0cb4c8bd01
Instruction Fuzzy Hash: 28817C31F011169BDB54DBA9D884AAEB7F3AFC4210F2A8165E505EB369DF35AC018B90

Uniqueness

Uniqueness Score: -1.00%

Function 010EAF50, Relevance: 1.6, APIs: 1, Instructions: 110COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,00000E2C,?,?), ref: 010EAFEA

Memory Dump Source

Source File: 00000003.00000002.507246289.00000000010EA000.00000040.00000001.sdmp, Offset: 010EA000, based on PE: false

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: a0dabe15d6de30524c119b97d329d584680c7eadc619fa28438529765c429eca
Instruction ID: 27190ee3c4d4eefc9d913582aadb3540be9d2e171dfe8a61d2aa2ba5f7578b49
Opcode Fuzzy Hash: a0dabe15d6de30524c119b97d329d584680c7eadc619fa28438529765c429eca
Instruction Fuzzy Hash: 8141A8755093805FD7128F25DC55B62BFB4EF86620F0980DBEC84CF653D225A919CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 050412B0, Relevance: 1.6, APIs: 1, Instructions: 99registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,?,?), ref: 0504136E

Memory Dump Source

Source File: 00000003.00000002.511687982.0000000005040000.00000040.00000001.sdmp, Offset: 05040000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: d5d04faa177621c949c79a0c89dc781c77dd0759cdc4424840732a9066576287
Instruction ID: 2dd22272c21696eea7ec33c288f0519b23a5789c094d90c14b32fa1068771c0b
Opcode Fuzzy Hash: d5d04faa177621c949c79a0c89dc781c77dd0759cdc4424840732a9066576287
Instruction Fuzzy Hash: 1D315E7510E3C06FD3138B259C51A61BFB4EF47610B0E81DBD884DB5A3D1156919D7B2

Uniqueness

Uniqueness Score: -1.00%

Function 05040390, Relevance: 1.6, APIs: 1, Instructions: 93registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.KERNELBASE(?,00000E2C), ref: 0504045E

Memory Dump Source

Source File: 00000003.00000002.511687982.0000000005040000.00000040.00000001.sdmp, Offset: 05040000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 836e1bae14d1a3ae1832fc949afe96df4c7862bb695a656edf84993faf7188a1
Instruction ID: 6873bb793a5734a4f43430fac07cb18dca0d46b6504c6b806299c382f7363900
Opcode Fuzzy Hash: 836e1bae14d1a3ae1832fc949afe96df4c7862bb695a656edf84993faf7188a1
Instruction Fuzzy Hash: 9431C4B20043846FE7228F21DC41FA6FFB8EF05710F08859EE9859B192D3A5A949CB61

Uniqueness

Uniqueness Score: -1.00%

Function 010EAA02, Relevance: 1.6, APIs: 1, Instructions: 92registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,00000E2C), ref: 010EAAB1

Memory Dump Source

Source File: 00000003.00000002.507246289.00000000010EA000.00000040.00000001.sdmp, Offset: 010EA000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 9897e7fa5103a7afec803968ede10d84efcb067379f2f44fc37b5eb94d9d085e
Instruction ID: 2172bdcae6124b55d551f8a5609a4fb9cfcd5fb92bc16281cfa9f4c5a1de83d8
Opcode Fuzzy Hash: 9897e7fa5103a7afec803968ede10d84efcb067379f2f44fc37b5eb94d9d085e
Instruction Fuzzy Hash: 8031C472504384AFE7228B25CC45F67BFECEF49710F08849AED808B152D264A949C771

Uniqueness

Uniqueness Score: -1.00%

Function 050407F4, Relevance: 1.6, APIs: 1, Instructions: 92fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 05040899

Memory Dump Source

Source File: 00000003.00000002.511687982.0000000005040000.00000040.00000001.sdmp, Offset: 05040000, based on PE: false

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: f90aff1d2f7fdb3ffa82496983560eeb4b59e1c19f6e804bafd7d2a81e90da67
Instruction ID: 58782a69046b8baa944bc266413c3beb347d9c5994d9b4d1b3f6f932d7b298a0
Opcode Fuzzy Hash: f90aff1d2f7fdb3ffa82496983560eeb4b59e1c19f6e804bafd7d2a81e90da67
Instruction Fuzzy Hash: C8318BB1505380AFE722CF25DD44F66BFE8EF45210F0884AEE9859B252D375E808CB71

Uniqueness

Uniqueness Score: -1.00%

Function 050401F4, Relevance: 1.6, APIs: 1, Instructions: 91COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 05040264

Memory Dump Source

Source File: 00000003.00000002.511687982.0000000005040000.00000040.00000001.sdmp, Offset: 05040000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 354cc646466700d262367117abe0eda28a8b1b6b240a501b5849eb57cd8a02d2
Instruction ID: c07953caf2fd0c4967023c4b56629d6c9a4f8ffb45afcaa048ab7d528d6c6460
Opcode Fuzzy Hash: 354cc646466700d262367117abe0eda28a8b1b6b240a501b5849eb57cd8a02d2
Instruction Fuzzy Hash: 8931D3B19097849FD711CF15ED89BA5BFA4EF46320F0880ABDD449F292D335A908CB61

Uniqueness

Uniqueness Score: -1.00%

Function 05042178, Relevance: 1.6, APIs: 1, Instructions: 90timeCOMMON

Download Yara Rule

APIs

GetProcessTimes.KERNELBASE(?,00000E2C,47F0AD4C,00000000,00000000,00000000,00000000), ref: 05042215

Memory Dump Source

Source File: 00000003.00000002.511687982.0000000005040000.00000040.00000001.sdmp, Offset: 05040000, based on PE: false

Similarity

API ID: ProcessTimes
String ID:
API String ID: 1995159646-0
Opcode ID: 935882a51ef72d11d3a5725d8ec8a25bda2c4ba5d4c9cb6100c7a01839b84052
Instruction ID: b2da0e05baee65b84348e1c67ed4c1992474e0edda290c2fce146b6b448b4b11
Opcode Fuzzy Hash: 935882a51ef72d11d3a5725d8ec8a25bda2c4ba5d4c9cb6100c7a01839b84052
Instruction Fuzzy Hash: 9931F7725093806FD7128F25DC45FA6BFB8EF46310F0884EAE984DF153D224A549CB71

Uniqueness

Uniqueness Score: -1.00%

Function 050426A7, Relevance: 1.6, APIs: 1, Instructions: 90windowCOMMON

Download Yara Rule

APIs

FormatMessageW.KERNELBASE(?,00000E2C,?,?), ref: 05042762

Memory Dump Source

Source File: 00000003.00000002.511687982.0000000005040000.00000040.00000001.sdmp, Offset: 05040000, based on PE: false

Similarity

API ID: FormatMessage
String ID:
API String ID: 1306739567-0
Opcode ID: fe4bb1e1a69567ae8f18cce1714da055afa3e22cd48ae08b870e0f6a13a49e96
Instruction ID: bee837aa764199b52cfebc19b2dad9e05a76b29f88a1b7b1d0c5f35101ed46d8
Opcode Fuzzy Hash: fe4bb1e1a69567ae8f18cce1714da055afa3e22cd48ae08b870e0f6a13a49e96
Instruction Fuzzy Hash: DD316F7550E3C45FD7139B358C65A56BFB4EF87610F1A80CBD8848F2A3E6246909C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 010EAAF9, Relevance: 1.6, APIs: 1, Instructions: 89registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,47F0AD4C,00000000,00000000,00000000,00000000), ref: 010EABB4

Memory Dump Source

Source File: 00000003.00000002.507246289.00000000010EA000.00000040.00000001.sdmp, Offset: 010EA000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 71d0bcfe6f8da92ba6238d9a42a6cd7dff30ac0df81976dbac0a4a63fddb3f78
Instruction ID: 3a78a62883b1276cf383ab9846eea43521d3f2f8e5ffbe72d94376c87b89d2f7
Opcode Fuzzy Hash: 71d0bcfe6f8da92ba6238d9a42a6cd7dff30ac0df81976dbac0a4a63fddb3f78
Instruction Fuzzy Hash: 7B3195715093849FEB22CB26CC44F92BFE8EF4A710F0884DAE985CB153D264E548CB61

Uniqueness

Uniqueness Score: -1.00%

Function 050400F6, Relevance: 1.6, APIs: 1, Instructions: 89synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNELBASE(?,?), ref: 0504019D

Memory Dump Source

Source File: 00000003.00000002.511687982.0000000005040000.00000040.00000001.sdmp, Offset: 05040000, based on PE: false

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: dad0638f62914d5675490a469f8e25423e1a776c296c6c0769fb72abf3be89db
Instruction ID: 1b99f8607d3de84c01aab246e0c192ccee08488a70568eabfa681eabc1b03258
Opcode Fuzzy Hash: dad0638f62914d5675490a469f8e25423e1a776c296c6c0769fb72abf3be89db
Instruction Fuzzy Hash: 793195B15097806FE712CB25DC55F56FFF8EF06210F1884AAE984DF292D375A908CB61

Uniqueness

Uniqueness Score: -1.00%

Function 05041D0C, Relevance: 1.6, APIs: 1, Instructions: 87fileCOMMON

Download Yara Rule

APIs

MapViewOfFile.KERNELBASE ref: 05041DBE

Memory Dump Source

Source File: 00000003.00000002.511687982.0000000005040000.00000040.00000001.sdmp, Offset: 05040000, based on PE: false

Similarity

API ID: FileView
String ID:
API String ID: 3314676101-0
Opcode ID: 0430d7258ad3fad45aa7296d5943dc501c2dfe25807a172d79a8733daeca1ab0
Instruction ID: 47797c9c79eff2352507826e17936858a7528e488f1b164af72cc0bcf8394fb6
Opcode Fuzzy Hash: 0430d7258ad3fad45aa7296d5943dc501c2dfe25807a172d79a8733daeca1ab0
Instruction Fuzzy Hash: F131B3B2405784AFE722CF15DC45F56FFF8EF06320F08859EE9848B252D365A949CB61

Uniqueness

Uniqueness Score: -1.00%

Function 050404AB, Relevance: 1.6, APIs: 1, Instructions: 86registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,47F0AD4C,00000000,00000000,00000000,00000000), ref: 0504055C

Memory Dump Source

Source File: 00000003.00000002.511687982.0000000005040000.00000040.00000001.sdmp, Offset: 05040000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: e218add33b1c3cd8f5b7b06faee0e29b5922701cccd0dad4f7aaa87bc49c4389
Instruction ID: 8e6704287c5a659db0bdd7f3f558e33814c70e3fb01a2aab35d44e2bb2d2b67e
Opcode Fuzzy Hash: e218add33b1c3cd8f5b7b06faee0e29b5922701cccd0dad4f7aaa87bc49c4389
Instruction Fuzzy Hash: 703182715097C0AFD722CB25DC54F97BFF8EF06610F0885DAE9859B1A2D264A808CB71

Uniqueness

Uniqueness Score: -1.00%

Function 010EA120, Relevance: 1.6, APIs: 1, Instructions: 81networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(?,00000E2C,?,?), ref: 010EA1C2

Memory Dump Source

Source File: 00000003.00000002.507246289.00000000010EA000.00000040.00000001.sdmp, Offset: 010EA000, based on PE: false

Similarity

API ID: Startup
String ID:
API String ID: 724789610-0
Opcode ID: 76ec4459ac1b212b54917f2b820b5637320e8f2ecc4aff9488c3b2d2778b9282
Instruction ID: 33a438862962b7da66b6f58ada17eb82c26157e3c8e8f9718b6e9dea3f099756
Opcode Fuzzy Hash: 76ec4459ac1b212b54917f2b820b5637320e8f2ecc4aff9488c3b2d2778b9282
Instruction Fuzzy Hash: 7521917140D3C06FD7128B35CC55B66BFB4EF87610F1985DBD8848F293D229A919CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 050402AB, Relevance: 1.6, APIs: 1, Instructions: 79registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNELBASE(?,00000E2C), ref: 05040353

Memory Dump Source

Source File: 00000003.00000002.511687982.0000000005040000.00000040.00000001.sdmp, Offset: 05040000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 9ee30ed44ccb0ffba4113014f22aa5ad568bd9c6f6ca5cd6a197cfae08a30e30
Instruction ID: 835ca419972450a413c978f11a5e90d783a8fb5d8e93469a43a8d2184e79c69f
Opcode Fuzzy Hash: 9ee30ed44ccb0ffba4113014f22aa5ad568bd9c6f6ca5cd6a197cfae08a30e30
Instruction Fuzzy Hash: 3821A3760097806FE7228B21DC45FA6FFF8EF06310F0884DAE9849F192D265A949CB71

Uniqueness

Uniqueness Score: -1.00%

Function 05041C2A, Relevance: 1.6, APIs: 1, Instructions: 78COMMON

Download Yara Rule

APIs

OpenFileMappingW.KERNELBASE(?,?), ref: 05041CB5

Memory Dump Source

Source File: 00000003.00000002.511687982.0000000005040000.00000040.00000001.sdmp, Offset: 05040000, based on PE: false

Similarity

API ID: FileMappingOpen
String ID:
API String ID: 1680863896-0
Opcode ID: dcab05ad8b5c50f71a92a9392d06e5644a97bcf4bcfa2b7dbc301397df88fe53
Instruction ID: 330eb2f084d197510327bf6ad16b1bd9803779a5021d51649113ea8f4bce67a2
Opcode Fuzzy Hash: dcab05ad8b5c50f71a92a9392d06e5644a97bcf4bcfa2b7dbc301397df88fe53
Instruction Fuzzy Hash: 362191B1509380AFE721CF25DC45F66FFE8EF45210F1884AEED858B252D375A948CB61

Uniqueness

Uniqueness Score: -1.00%

Function 05040A9B, Relevance: 1.6, APIs: 1, Instructions: 78fileCOMMON

Download Yara Rule

APIs

DeleteFileA.KERNELBASE(?,00000E2C), ref: 05040B3F

Memory Dump Source

Source File: 00000003.00000002.511687982.0000000005040000.00000040.00000001.sdmp, Offset: 05040000, based on PE: false

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 650ec9b89e889d42fb80a3ee496681f6a143ecb418493caaa6e526c4a2e9b23a
Instruction ID: 4405aa9e8eaba9b188a7c8c6f675c0159b6add909b5fc8f8f1cc6dc139f737d1
Opcode Fuzzy Hash: 650ec9b89e889d42fb80a3ee496681f6a143ecb418493caaa6e526c4a2e9b23a
Instruction Fuzzy Hash: AC2108715093806FE722CB25DC55FA6BFA8EF46314F1880DEE9849F193D364A948CB61

Uniqueness

Uniqueness Score: -1.00%

Function 050408F0, Relevance: 1.6, APIs: 1, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E2C,47F0AD4C,00000000,00000000,00000000,00000000), ref: 05040985

Memory Dump Source

Source File: 00000003.00000002.511687982.0000000005040000.00000040.00000001.sdmp, Offset: 05040000, based on PE: false

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 58e2055d940db07979197fb46e28a0cc150242af1c5fda36e280a8fd71bb4d0a
Instruction ID: 1c7b14fe49a93e728c4b70523acc4d0d87df2ccf97ed049c55ce9a9fb5b020cf
Opcode Fuzzy Hash: 58e2055d940db07979197fb46e28a0cc150242af1c5fda36e280a8fd71bb4d0a
Instruction Fuzzy Hash: C421F8B64097806FE7128B25DC54FA7BFB8EF46720F0880DAE9849F153D224A909C771

Uniqueness

Uniqueness Score: -1.00%

Function 0504139A, Relevance: 1.6, APIs: 1, Instructions: 77networkCOMMON

Download Yara Rule

APIs

WSASocketW.WS2_32(?,?,?,?,?), ref: 05041426

Memory Dump Source

Source File: 00000003.00000002.511687982.0000000005040000.00000040.00000001.sdmp, Offset: 05040000, based on PE: false

Similarity

API ID: Socket
String ID:
API String ID: 38366605-0
Opcode ID: a15564429b1f3856e2be6da0d0c38d452974d29feb6266df84ed3d2cb0e84b09
Instruction ID: a96d4659bd9c306b62105da5e6d1dd3a34313e5f0c6821c7c639bb6018c26fba
Opcode Fuzzy Hash: a15564429b1f3856e2be6da0d0c38d452974d29feb6266df84ed3d2cb0e84b09
Instruction Fuzzy Hash: CE218D71509780AFE722CF65DC45FA6FFF8EF45210F0884AEE9858B292D375A448CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0504081A, Relevance: 1.6, APIs: 1, Instructions: 76fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 05040899

Memory Dump Source

Source File: 00000003.00000002.511687982.0000000005040000.00000040.00000001.sdmp, Offset: 05040000, based on PE: false

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 0554ed70848f694eea67c36a3a245a7e9c8702de0388665175397c58e06fe005
Instruction ID: 0a44002aadc991e60f85a8940388b61ec2b32e3378c87380fc878c05e10b8a89
Opcode Fuzzy Hash: 0554ed70848f694eea67c36a3a245a7e9c8702de0388665175397c58e06fe005
Instruction Fuzzy Hash: 85219CB1500244AFEB21DF65ED48B6AFBE8FF08310F18846EEA859B251D371E404CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 050409C0, Relevance: 1.6, APIs: 1, Instructions: 75COMMON

Download Yara Rule

APIs

setsockopt.WS2_32(?,00000E2C,47F0AD4C,00000000,00000000,00000000,00000000), ref: 05040A51

Memory Dump Source

Source File: 00000003.00000002.511687982.0000000005040000.00000040.00000001.sdmp, Offset: 05040000, based on PE: false

Similarity

API ID: setsockopt
String ID:
API String ID: 3981526788-0
Opcode ID: 4e3e96dc37e41671faf6bd9c21b0d1bde726fb1ccb3c1bfd624afaa23bb4d047
Instruction ID: c97a56e62a63ca5cc3030c7b4c7d13d4ca35aed2f62e0151a1c5e6909d399529
Opcode Fuzzy Hash: 4e3e96dc37e41671faf6bd9c21b0d1bde726fb1ccb3c1bfd624afaa23bb4d047
Instruction Fuzzy Hash: 3A216072509380AFD7228F65DC44F66BFB8EF46714F0884AFE9849F153C265A449CB72

Uniqueness

Uniqueness Score: -1.00%

Function 050403CA, Relevance: 1.6, APIs: 1, Instructions: 75registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.KERNELBASE(?,00000E2C), ref: 0504045E

Memory Dump Source

Source File: 00000003.00000002.511687982.0000000005040000.00000040.00000001.sdmp, Offset: 05040000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: cad84f9637a9ee9e8bfcc66464ee6ad17970053da0cfa6994bd59a448fcefdcb
Instruction ID: 96f5a68f468481b6a5412215dfa096d866f2adab5f5f87dd5c0a3111cc233d5f
Opcode Fuzzy Hash: cad84f9637a9ee9e8bfcc66464ee6ad17970053da0cfa6994bd59a448fcefdcb
Instruction Fuzzy Hash: FB21B3B1100204AFEB31DF15DC45FBAFBACEF44710F04896AEE459A181D6B5A549CFB1

Uniqueness

Uniqueness Score: -1.00%

Function 010EAA32, Relevance: 1.6, APIs: 1, Instructions: 74registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,00000E2C), ref: 010EAAB1

Memory Dump Source

Source File: 00000003.00000002.507246289.00000000010EA000.00000040.00000001.sdmp, Offset: 010EA000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 8117c5be587782fda81056bdfb146761af1e657eafd10638b1bcefbae3cfe955
Instruction ID: 28279525acc61f8d2d45e17b4cfccb955c69bea46401c78313859bf083af667a
Opcode Fuzzy Hash: 8117c5be587782fda81056bdfb146761af1e657eafd10638b1bcefbae3cfe955
Instruction Fuzzy Hash: 05219272600704AFE7219F1ADD44F6BFBECEF48710F08845AE9859B241D774E5488B71

Uniqueness

Uniqueness Score: -1.00%

Function 0504012A, Relevance: 1.6, APIs: 1, Instructions: 72synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNELBASE(?,?), ref: 0504019D

Memory Dump Source

Source File: 00000003.00000002.511687982.0000000005040000.00000040.00000001.sdmp, Offset: 05040000, based on PE: false

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 7207cfcebb6f3a731ce87f0935ab34e06f3471f2adb3c0d9e4859f92f478ad69
Instruction ID: 58ec65a54e189aee6c3180d76e46937f53f7b4799791ca5229d5ba0d0bcd8c2c
Opcode Fuzzy Hash: 7207cfcebb6f3a731ce87f0935ab34e06f3471f2adb3c0d9e4859f92f478ad69
Instruction Fuzzy Hash: D9219FB1604244AFE720DF65ED89F6AFBE8EF04310F18846AEE459F251D375E504CA71

Uniqueness

Uniqueness Score: -1.00%

Function 05040723, Relevance: 1.6, APIs: 1, Instructions: 71COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,?), ref: 0504079F

Memory Dump Source

Source File: 00000003.00000002.511687982.0000000005040000.00000040.00000001.sdmp, Offset: 05040000, based on PE: false

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: 20e79c8531a559418939da91ba36b65e6a9c7268575000b54c06fc086b7d4f71
Instruction ID: 14de00f8cf30bfa5364751ab701606bbf891c357ba78ab89d0d054fa8aa4a1d4
Opcode Fuzzy Hash: 20e79c8531a559418939da91ba36b65e6a9c7268575000b54c06fc086b7d4f71
Instruction Fuzzy Hash: 1A21B3B29093809FD751CB25DC58B56BFE8EF06210F0984EAE945DF152D234D908CB61

Uniqueness

Uniqueness Score: -1.00%

Function 010EAB3A, Relevance: 1.6, APIs: 1, Instructions: 69registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,47F0AD4C,00000000,00000000,00000000,00000000), ref: 010EABB4

Memory Dump Source

Source File: 00000003.00000002.507246289.00000000010EA000.00000040.00000001.sdmp, Offset: 010EA000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 2463504918b2ae74d61abf164c3cb6a746073c2ad82e67e479dead17d27d012d
Instruction ID: b8a282417947a53c9d595a6451f5c7a37896e61933e073bf5ca8f7e4328679c6
Opcode Fuzzy Hash: 2463504918b2ae74d61abf164c3cb6a746073c2ad82e67e479dead17d27d012d
Instruction Fuzzy Hash: F4218171600204AFEB21CF1ADC44FA7FBECEF08711F0488AAE985CB252D360E444CA71

Uniqueness

Uniqueness Score: -1.00%

Function 05041C4A, Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

OpenFileMappingW.KERNELBASE(?,?), ref: 05041CB5

Memory Dump Source

Source File: 00000003.00000002.511687982.0000000005040000.00000040.00000001.sdmp, Offset: 05040000, based on PE: false

Similarity

API ID: FileMappingOpen
String ID:
API String ID: 1680863896-0
Opcode ID: a2d7c6107de34c050b5e961246efa09ea4744b0d0122c03ab18d2144f7d9c017
Instruction ID: 206e5fcea513146cd5b527ee2910594e89cf5d199e364cee8f9e925bef859518
Opcode Fuzzy Hash: a2d7c6107de34c050b5e961246efa09ea4744b0d0122c03ab18d2144f7d9c017
Instruction Fuzzy Hash: E821A2B1604644AFE721DF29EC45B6AFBE8EF44320F18846EED858B241D375E444CB75

Uniqueness

Uniqueness Score: -1.00%

Function 05040FC0, Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 0504102C

Memory Dump Source

Source File: 00000003.00000002.511687982.0000000005040000.00000040.00000001.sdmp, Offset: 05040000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 5e220f33b58335fdc92773787492e999e447689fe0f3b4b08739bd5158e4521d
Instruction ID: 02da6ebcc5a7ac9b778b3edbe469a6f66640a1e3ed096ebec98fe59218fae14e
Opcode Fuzzy Hash: 5e220f33b58335fdc92773787492e999e447689fe0f3b4b08739bd5158e4521d
Instruction Fuzzy Hash: 9221D1725093C05FDB028B25DC54A92BFB4AF03624F0D80EAEC848F263D2759908CB62

Uniqueness

Uniqueness Score: -1.00%

Function 05041D4A, Relevance: 1.6, APIs: 1, Instructions: 67fileCOMMON

Download Yara Rule

APIs

MapViewOfFile.KERNELBASE ref: 05041DBE

Memory Dump Source

Source File: 00000003.00000002.511687982.0000000005040000.00000040.00000001.sdmp, Offset: 05040000, based on PE: false

Similarity

API ID: FileView
String ID:
API String ID: 3314676101-0
Opcode ID: e0126c86fb2599e67d4bf4f5f50291892ed4619754383f172aea2cf85e7c1552
Instruction ID: 0b6f7255f28448561394ee1b08594736538cf82359bf6c95b773c6a3e6aec2d5
Opcode Fuzzy Hash: e0126c86fb2599e67d4bf4f5f50291892ed4619754383f172aea2cf85e7c1552
Instruction Fuzzy Hash: EC21D5B1500644AFE731CF1AED44FAAFBE8EF08320F14846EE9858B251D371A549CB71

Uniqueness

Uniqueness Score: -1.00%

Function 05041075, Relevance: 1.6, APIs: 1, Instructions: 67COMMON

Download Yara Rule

APIs

K32EnumProcesses.KERNEL32(?,?,?,47F0AD4C,00000000,?,?,?,?,?,?,?,?,723F3C38), ref: 050410E6

Memory Dump Source

Source File: 00000003.00000002.511687982.0000000005040000.00000040.00000001.sdmp, Offset: 05040000, based on PE: false

Similarity

API ID: EnumProcesses
String ID:
API String ID: 84517404-0
Opcode ID: 1caf4c1748c37309736a429cd3a92e268c5bf6da351eaf6ea7a29bb39f3bc72a
Instruction ID: fabd9ac91f7f9a341821b90264bbb5461422868f36ebd7bba2e828179867da61
Opcode Fuzzy Hash: 1caf4c1748c37309736a429cd3a92e268c5bf6da351eaf6ea7a29bb39f3bc72a
Instruction Fuzzy Hash: 452180715093805FD712CF65DC84A96BFF4AF06210F0984EAE985CF163D374A848CB62

Uniqueness

Uniqueness Score: -1.00%

Function 050413BA, Relevance: 1.6, APIs: 1, Instructions: 67networkCOMMON

Download Yara Rule

APIs

WSASocketW.WS2_32(?,?,?,?,?), ref: 05041426

Memory Dump Source

Source File: 00000003.00000002.511687982.0000000005040000.00000040.00000001.sdmp, Offset: 05040000, based on PE: false

Similarity

API ID: Socket
String ID:
API String ID: 38366605-0
Opcode ID: d2f115692e1696e2ec8d324be48c47b061c687d640b5ae368257cf8b1b56ef2b
Instruction ID: 307457d25e9d700ae5fd63d0ad968cff5424e79b953d0e1e511cfb68caeb8381
Opcode Fuzzy Hash: d2f115692e1696e2ec8d324be48c47b061c687d640b5ae368257cf8b1b56ef2b
Instruction Fuzzy Hash: 04219D71500240AFEB21DF65ED45B6AFBE9EF48320F18846EED858B251D375A448CF72

Uniqueness

Uniqueness Score: -1.00%

Function 050404EA, Relevance: 1.6, APIs: 1, Instructions: 65registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,47F0AD4C,00000000,00000000,00000000,00000000), ref: 0504055C

Memory Dump Source

Source File: 00000003.00000002.511687982.0000000005040000.00000040.00000001.sdmp, Offset: 05040000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 5e81c5ced115c5ea63afedc14f0a886053c0de0676a0b3d23bb37f6d3ebb01a2
Instruction ID: a1bca0c5dd51dcdca929e8add9bf817bb4e39a5104199e521ed2b8048b9a2d8c
Opcode Fuzzy Hash: 5e81c5ced115c5ea63afedc14f0a886053c0de0676a0b3d23bb37f6d3ebb01a2
Instruction Fuzzy Hash: 311172B2500640AFEB20CF15EC44F6BFBE8EF08710F04846AEE469B251D270E444CA71

Uniqueness

Uniqueness Score: -1.00%

Function 050421B6, Relevance: 1.6, APIs: 1, Instructions: 64timeCOMMON

Download Yara Rule

APIs

GetProcessTimes.KERNELBASE(?,00000E2C,47F0AD4C,00000000,00000000,00000000,00000000), ref: 05042215

Memory Dump Source

Source File: 00000003.00000002.511687982.0000000005040000.00000040.00000001.sdmp, Offset: 05040000, based on PE: false

Similarity

API ID: ProcessTimes
String ID:
API String ID: 1995159646-0
Opcode ID: 5c5bd626da82e9f3a37291aa529bcb363750300105d7264218c9bc79c41e20bc
Instruction ID: f7c775de933e659c671e87f582d256a26956bf7f6681d13afb7cabc2b585ae3c
Opcode Fuzzy Hash: 5c5bd626da82e9f3a37291aa529bcb363750300105d7264218c9bc79c41e20bc
Instruction Fuzzy Hash: CC11B272600200AFEB21CF65ED45FAAFBE8EF48721F04846AED49DB251D674A445CF71

Uniqueness

Uniqueness Score: -1.00%

Function 05040CEC, Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 05040D56

Memory Dump Source

Source File: 00000003.00000002.511687982.0000000005040000.00000040.00000001.sdmp, Offset: 05040000, based on PE: false

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 064256e367dcdffd3902282c0ba7dae78ba9da360323c5166ece07e88ffbbfa9
Instruction ID: 9671828dd5aa4bdfa94433127e4b5472d6e0d3e84f16d47b163bcec38154c7e4
Opcode Fuzzy Hash: 064256e367dcdffd3902282c0ba7dae78ba9da360323c5166ece07e88ffbbfa9
Instruction Fuzzy Hash: 3811AFB55093809FD761CF25DC89B67BFE8EF45210F0884AAED45DF252D234E808CB61

Uniqueness

Uniqueness Score: -1.00%

Function 010EA51F, Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 010EA58A

Memory Dump Source

Source File: 00000003.00000002.507246289.00000000010EA000.00000040.00000001.sdmp, Offset: 010EA000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 4d4334409fd041f3178fcbacc78b917dd62f0957e67e61bf3313432d2875fa3f
Instruction ID: dafb2876805efb2cd64c7b20ef7a60c54c77fbc689850ba9b80886b13e315800
Opcode Fuzzy Hash: 4d4334409fd041f3178fcbacc78b917dd62f0957e67e61bf3313432d2875fa3f
Instruction Fuzzy Hash: B2117F72409380AFDB228F55DC44A62FFF4EF4A220F0884DAED858B263C375A418DB61

Uniqueness

Uniqueness Score: -1.00%

Function 010EB7CA, Relevance: 1.6, APIs: 1, Instructions: 61windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000000,00000000,00000000), ref: 010EB841

Memory Dump Source

Source File: 00000003.00000002.507246289.00000000010EA000.00000040.00000001.sdmp, Offset: 010EA000, based on PE: false

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: d29e52ceb9ac679eeb21178a21086b36dfa544c99d95f0bff6fbb06d8ccd86a8
Instruction ID: ad738baae538df834ccd920ccadbb478bf262acbfb61151f102dad17a0f447c8
Opcode Fuzzy Hash: d29e52ceb9ac679eeb21178a21086b36dfa544c99d95f0bff6fbb06d8ccd86a8
Instruction Fuzzy Hash: 0E216D714097C09FDB128B26DC54AA2BFB0AF06210F0D84DAE9C44F263D265A958DB62

Uniqueness

Uniqueness Score: -1.00%

Function 05040AD6, Relevance: 1.6, APIs: 1, Instructions: 60fileCOMMON

Download Yara Rule

APIs

DeleteFileA.KERNELBASE(?,00000E2C), ref: 05040B3F

Memory Dump Source

Source File: 00000003.00000002.511687982.0000000005040000.00000040.00000001.sdmp, Offset: 05040000, based on PE: false

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: cda8130f2035485be8c457a3a6533e3b8c951a34af68e2dac0be2c60d4a2d583
Instruction ID: 4e47d96c541897095256f116fcabf105e09df9f923230afcccdd1b66a64ee12a
Opcode Fuzzy Hash: cda8130f2035485be8c457a3a6533e3b8c951a34af68e2dac0be2c60d4a2d583
Instruction Fuzzy Hash: 1011C671600300AFE720DB19EC85BBAFB98DF44720F18846EEE459F281D6B4A544CEB5

Uniqueness

Uniqueness Score: -1.00%

Function 050402DE, Relevance: 1.6, APIs: 1, Instructions: 60registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNELBASE(?,00000E2C), ref: 05040353

Memory Dump Source

Source File: 00000003.00000002.511687982.0000000005040000.00000040.00000001.sdmp, Offset: 05040000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 6c85115700e7b32af59c2ce62652964580891e68694de840e65f3ba692b9e616
Instruction ID: 98a9e6e267d3ac262502a1b4d28cb4575a83232ee369dc7dbc394e30b7450462
Opcode Fuzzy Hash: 6c85115700e7b32af59c2ce62652964580891e68694de840e65f3ba692b9e616
Instruction Fuzzy Hash: EC119071500600AFEB31DF15EC45F6AFFA8EF04711F14846AEE455A291C275A5488AB1

Uniqueness

Uniqueness Score: -1.00%

Function 050409F2, Relevance: 1.6, APIs: 1, Instructions: 60COMMON

Download Yara Rule

APIs

setsockopt.WS2_32(?,00000E2C,47F0AD4C,00000000,00000000,00000000,00000000), ref: 05040A51

Memory Dump Source

Source File: 00000003.00000002.511687982.0000000005040000.00000040.00000001.sdmp, Offset: 05040000, based on PE: false

Similarity

API ID: setsockopt
String ID:
API String ID: 3981526788-0
Opcode ID: 33b4409494c64b409bc27a87f9e982a7861c3ae358db1a50b4d35706475770ac
Instruction ID: 74bfea9448b297031f5a2a4e7b36e893b525825e5bc22888adc43d4bde187009
Opcode Fuzzy Hash: 33b4409494c64b409bc27a87f9e982a7861c3ae358db1a50b4d35706475770ac
Instruction Fuzzy Hash: 6D11B272501200AFEB21CF55EC45F6AFBE8EF44720F04846AEE499F241C275A4188BB1

Uniqueness

Uniqueness Score: -1.00%

Function 010EBB4F, Relevance: 1.6, APIs: 1, Instructions: 59windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 010EBBB9

Memory Dump Source

Source File: 00000003.00000002.507246289.00000000010EA000.00000040.00000001.sdmp, Offset: 010EA000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: f0af179928119c2ff3954eebb39aaac5bf94b7ab98aff32f873138f288770c03
Instruction ID: 5bae665cc5c50eabf0a05bbc4d04ad20f05e9434bab8d58c3b8b1c64644418be
Opcode Fuzzy Hash: f0af179928119c2ff3954eebb39aaac5bf94b7ab98aff32f873138f288770c03
Instruction Fuzzy Hash: 9C11D3355093C09FDB228F25DC45B52FFB4EF06220F0C84EEED858B563D265A458DB62

Uniqueness

Uniqueness Score: -1.00%

Function 010EBE05, Relevance: 1.6, APIs: 1, Instructions: 58windowCOMMON

Download Yara Rule

APIs

DispatchMessageW.USER32(?), ref: 010EBE70

Memory Dump Source

Source File: 00000003.00000002.507246289.00000000010EA000.00000040.00000001.sdmp, Offset: 010EA000, based on PE: false

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: be9b35977e0572cd4a859ea43a4c1025e03c009f233eb7ec353acf0c3899c6d2
Instruction ID: 6141ce7ec82111d631d8d1f84d453f263fe43757b3d14eb77cbc1ae19ea1d6ce
Opcode Fuzzy Hash: be9b35977e0572cd4a859ea43a4c1025e03c009f233eb7ec353acf0c3899c6d2
Instruction Fuzzy Hash: 17114C754093C0AFD7138B259C44B62BFB4DF47624F0984DAED858F263D2696848CB62

Uniqueness

Uniqueness Score: -1.00%

Function 010EB71E, Relevance: 1.6, APIs: 1, Instructions: 57windowCOMMON

Download Yara Rule

APIs

CreateIconFromResourceEx.USER32 ref: 010EB78A

Memory Dump Source

Source File: 00000003.00000002.507246289.00000000010EA000.00000040.00000001.sdmp, Offset: 010EA000, based on PE: false

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: 9383c277e8aef42e517a4f5d645eddbc1ec41320064a8f5abfd4823491f33954
Instruction ID: 2527aa73c05cdf3257aae23dbfd2571bf9ba60d7002ee7b4890238076c08e304
Opcode Fuzzy Hash: 9383c277e8aef42e517a4f5d645eddbc1ec41320064a8f5abfd4823491f33954
Instruction Fuzzy Hash: 52116D32409380AFDB228F55DC84A52FFF4EF49220F0985AEED858B562C375A458DB61

Uniqueness

Uniqueness Score: -1.00%

Function 05040B83, Relevance: 1.6, APIs: 1, Instructions: 56COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNELBASE(?), ref: 05040BE8

Memory Dump Source

Source File: 00000003.00000002.511687982.0000000005040000.00000040.00000001.sdmp, Offset: 05040000, based on PE: false

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: 6d4544f4a2b9e8df19248f516782736732c07dad01db335951b273ed0858fbda
Instruction ID: 4e60a8ee6783bf3b4cc5ef5de52ee474fb7aa23256f20c88c07ced7ed2070c1e
Opcode Fuzzy Hash: 6d4544f4a2b9e8df19248f516782736732c07dad01db335951b273ed0858fbda
Instruction Fuzzy Hash: 7B1190714093C09FD7128B25DC44B56BFF4EF42224F0984EBED848F153C279A449CB62

Uniqueness

Uniqueness Score: -1.00%

Function 05040D0E, Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 05040D56

Memory Dump Source

Source File: 00000003.00000002.511687982.0000000005040000.00000040.00000001.sdmp, Offset: 05040000, based on PE: false

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: f87cd952191b4b8edeb6f97ba0ab5dad7574d71d46469163623869ced1f94ea7
Instruction ID: 48074a0b0aa443a080d7a0b9bed26c04e1b4d3dbedb91fb859b2d821fc5f091f
Opcode Fuzzy Hash: f87cd952191b4b8edeb6f97ba0ab5dad7574d71d46469163623869ced1f94ea7
Instruction Fuzzy Hash: 8D1161B56046409FDB60DF29EC89B6AFBE8EF44620F08847ADD49DF246D274E408CE71

Uniqueness

Uniqueness Score: -1.00%

Function 010EA75B, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

closesocket.WS2_32(?), ref: 010EA7BC

Memory Dump Source

Source File: 00000003.00000002.507246289.00000000010EA000.00000040.00000001.sdmp, Offset: 010EA000, based on PE: false

Similarity

API ID: closesocket
String ID:
API String ID: 2781271927-0
Opcode ID: b4089f7f7b9459a8f96e150bb9980bda90e7a4dbcc3c33b52ceb280d13ebfdc8
Instruction ID: c7b859d6a3a80ba77f980e42821855dea5a1bd16be52c4001320326caf830dda
Opcode Fuzzy Hash: b4089f7f7b9459a8f96e150bb9980bda90e7a4dbcc3c33b52ceb280d13ebfdc8
Instruction Fuzzy Hash: 1B11E0715493809FD712CF15DC88B52BFB4EF46220F0884EAED858F243C379A448CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 05040932, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E2C,47F0AD4C,00000000,00000000,00000000,00000000), ref: 05040985

Memory Dump Source

Source File: 00000003.00000002.511687982.0000000005040000.00000040.00000001.sdmp, Offset: 05040000, based on PE: false

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: ddcb99ec157e71f395bfa9a604aa07588bad2c6d0846caf510da3f0e000d48c0
Instruction ID: 0844a5f892c77c32455dbb38a275725fe4e5834bd06685ed977d8f0b6531a08a
Opcode Fuzzy Hash: ddcb99ec157e71f395bfa9a604aa07588bad2c6d0846caf510da3f0e000d48c0
Instruction Fuzzy Hash: C701D671500340AFE720CB1AEC45F7EFBE8EF44721F14806AEE44AF241C274A844CAB1

Uniqueness

Uniqueness Score: -1.00%

Function 0504075A, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,?), ref: 0504079F

Memory Dump Source

Source File: 00000003.00000002.511687982.0000000005040000.00000040.00000001.sdmp, Offset: 05040000, based on PE: false

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: ba5f9d4d70699db4ab74f248247a54a322075661a91c2ac8640c75f574695f11
Instruction ID: 8b582b12e9d1046a4b08a793e32eda3cf209340b3150ea956610d01759651d08
Opcode Fuzzy Hash: ba5f9d4d70699db4ab74f248247a54a322075661a91c2ac8640c75f574695f11
Instruction Fuzzy Hash: B31130B5A052408FDB60CF19E989B6ABBD8EF04620F08C4BADD45DF641D274E4448F62

Uniqueness

Uniqueness Score: -1.00%

Function 050410A6, Relevance: 1.5, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

K32EnumProcesses.KERNEL32(?,?,?,47F0AD4C,00000000,?,?,?,?,?,?,?,?,723F3C38), ref: 050410E6

Memory Dump Source

Source File: 00000003.00000002.511687982.0000000005040000.00000040.00000001.sdmp, Offset: 05040000, based on PE: false

Similarity

API ID: EnumProcesses
String ID:
API String ID: 84517404-0
Opcode ID: 93f08d34e6895105c757627dd2c8eee42870fd560b88fcdcd4b345e89d662e12
Instruction ID: da9a189c7888e252514013fb2ac4392511576dec4d87b504b5378e9ae9ff6391
Opcode Fuzzy Hash: 93f08d34e6895105c757627dd2c8eee42870fd560b88fcdcd4b345e89d662e12
Instruction Fuzzy Hash: C1115E716042448FDB60CF66E885B6AFBE4EF04220F0884BADD498B655D375E444CF61

Uniqueness

Uniqueness Score: -1.00%

Function 010EA8CC, Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 010EA926

Memory Dump Source

Source File: 00000003.00000002.507246289.00000000010EA000.00000040.00000001.sdmp, Offset: 010EA000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 8368ac3d665e54d90fd8624b99eb48840883dca07620941d187b9ddeb68bc77d
Instruction ID: 5eb7b0ae875db68208b6f448140dcadafb122ba646691f1ecfd5b9805fc09fa3
Opcode Fuzzy Hash: 8368ac3d665e54d90fd8624b99eb48840883dca07620941d187b9ddeb68bc77d
Instruction Fuzzy Hash: 5311C2354097849FC7228F15DC85A52FFF4EF06220F09C4DAED854B263C375A408CB62

Uniqueness

Uniqueness Score: -1.00%

Function 010EA172, Relevance: 1.5, APIs: 1, Instructions: 47networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(?,00000E2C,?,?), ref: 010EA1C2

Memory Dump Source

Source File: 00000003.00000002.507246289.00000000010EA000.00000040.00000001.sdmp, Offset: 010EA000, based on PE: false

Similarity

API ID: Startup
String ID:
API String ID: 724789610-0
Opcode ID: 04ebfaa469cd9128425d2edbb97872e981c64d7be1ec78a3e38e5da086b64a9b
Instruction ID: b8c2f28fb299385967525bd5e4b49de4c1a8532af55e4650fd45699eb9e1217a
Opcode Fuzzy Hash: 04ebfaa469cd9128425d2edbb97872e981c64d7be1ec78a3e38e5da086b64a9b
Instruction Fuzzy Hash: 26017175501200ABD710DF26DC86B26FBA8EB88A20F14816AED089B741D235F515CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 05042712, Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

FormatMessageW.KERNELBASE(?,00000E2C,?,?), ref: 05042762

Memory Dump Source

Source File: 00000003.00000002.511687982.0000000005040000.00000040.00000001.sdmp, Offset: 05040000, based on PE: false

Similarity

API ID: FormatMessage
String ID:
API String ID: 1306739567-0
Opcode ID: c0157051e31892123214359d452112272ed339453a71dc0758d74d3f1257d07f
Instruction ID: 1d1f5a0b205db9181853633a390f83fe7893244078f8fd656fb464a6b27b549f
Opcode Fuzzy Hash: c0157051e31892123214359d452112272ed339453a71dc0758d74d3f1257d07f
Instruction Fuzzy Hash: B3017175501200ABD710DF26DC86B26FBA8EB88B20F14816AED089B741D235F515CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 010EA546, Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 010EA58A

Memory Dump Source

Source File: 00000003.00000002.507246289.00000000010EA000.00000040.00000001.sdmp, Offset: 010EA000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 32740396219f2bcb350d5603e1e97c69f169777a1f1b3367987de5c576e82979
Instruction ID: 3508a9a262e4f584209b70e23459843f0b99f3dffc8f23a7a4aef32788a7fc0e
Opcode Fuzzy Hash: 32740396219f2bcb350d5603e1e97c69f169777a1f1b3367987de5c576e82979
Instruction Fuzzy Hash: FE016D32500740DFDB218F56E848B66FFE0EF48720F08C5AADD898B612C375A018DF61

Uniqueness

Uniqueness Score: -1.00%

Function 010EB746, Relevance: 1.5, APIs: 1, Instructions: 45windowCOMMON

Download Yara Rule

APIs

CreateIconFromResourceEx.USER32 ref: 010EB78A

Memory Dump Source

Source File: 00000003.00000002.507246289.00000000010EA000.00000040.00000001.sdmp, Offset: 010EA000, based on PE: false

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: a87e2128cd19c0bd6a77c47775c5f80b71fa193018104fb87287dacd6e41840a
Instruction ID: aaaa891c36e4f3678c8900ac77f190994b46187bdddc4794561ee068901f5071
Opcode Fuzzy Hash: a87e2128cd19c0bd6a77c47775c5f80b71fa193018104fb87287dacd6e41840a
Instruction Fuzzy Hash: 770121314046409FDB218F55D948B56FFE4FF48720F0885AEDD854A612D375A458DF61

Uniqueness

Uniqueness Score: -1.00%

Function 0504131E, Relevance: 1.5, APIs: 1, Instructions: 43registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,?,?), ref: 0504136E

Memory Dump Source

Source File: 00000003.00000002.511687982.0000000005040000.00000040.00000001.sdmp, Offset: 05040000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 85c3bffb4276eeb0937d6659e82a43a46f6af30269826c17c4f942fcba58919b
Instruction ID: 6d2bf2a8b14b5f54e3099f88836572794f9dd3d9dce435024c4e4533ae4fd9eb
Opcode Fuzzy Hash: 85c3bffb4276eeb0937d6659e82a43a46f6af30269826c17c4f942fcba58919b
Instruction Fuzzy Hash: BE016D75501604ABD220DF1ADC86B26FBE8FBC8B20F18815AED085B741E371F955CBE6

Uniqueness

Uniqueness Score: -1.00%

Function 05040232, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 05040264

Memory Dump Source

Source File: 00000003.00000002.511687982.0000000005040000.00000040.00000001.sdmp, Offset: 05040000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 291165bcc16144b700dd2a401ea34baa7abbad1cb5a0552e82901b37fd0c1c3c
Instruction ID: 98c5e23733618da5f81263582696db6107fb056080dcc01e9393d9ebd76789c4
Opcode Fuzzy Hash: 291165bcc16144b700dd2a401ea34baa7abbad1cb5a0552e82901b37fd0c1c3c
Instruction Fuzzy Hash: 010184759042409FDB50CF15E98976AFBD4EF44220F08C4BADD459F642D275A444CE61

Uniqueness

Uniqueness Score: -1.00%

Function 05040FFA, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 0504102C

Memory Dump Source

Source File: 00000003.00000002.511687982.0000000005040000.00000040.00000001.sdmp, Offset: 05040000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 33337ed3fc2eb72c4ce5bd0258d91ffe7d0b25326692a715217fc3861be0dfda
Instruction ID: b70b423cf48a46155d13db9432beff31f6e36038393b072c459e56ac298e09c5
Opcode Fuzzy Hash: 33337ed3fc2eb72c4ce5bd0258d91ffe7d0b25326692a715217fc3861be0dfda
Instruction Fuzzy Hash: 460184715043808FDB60CF59E88576AFBE4EF44620F08C4BADD498F642D2B5A458CF72

Uniqueness

Uniqueness Score: -1.00%

Function 010EBB7E, Relevance: 1.5, APIs: 1, Instructions: 42windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 010EBBB9

Memory Dump Source

Source File: 00000003.00000002.507246289.00000000010EA000.00000040.00000001.sdmp, Offset: 010EA000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: a2c9193469ec2ea00c9b80e479b813e8055ba4582ca1f03bb57a9ad6f5afa63f
Instruction ID: 11692039cf34567dddf710e4f9a7ba7e646038b2e606d4aa101095c3aa78db16
Opcode Fuzzy Hash: a2c9193469ec2ea00c9b80e479b813e8055ba4582ca1f03bb57a9ad6f5afa63f
Instruction Fuzzy Hash: 70019E355042408FDB218F1AE884B66FBE0EF04220F0880AADD858A666C2B1E458CB61

Uniqueness

Uniqueness Score: -1.00%

Function 010EA78A, Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

closesocket.WS2_32(?), ref: 010EA7BC

Memory Dump Source

Source File: 00000003.00000002.507246289.00000000010EA000.00000040.00000001.sdmp, Offset: 010EA000, based on PE: false

Similarity

API ID: closesocket
String ID:
API String ID: 2781271927-0
Opcode ID: d5785dad87f1324d4940a52c885188e323e8f62af1b1538e4feebf631037029d
Instruction ID: 196217021fcb6ec0d983d09dcde8b57a1d16d55b9b2e1fe423cf3c2940cf3842
Opcode Fuzzy Hash: d5785dad87f1324d4940a52c885188e323e8f62af1b1538e4feebf631037029d
Instruction Fuzzy Hash: 4D01A274904240CFDB20CF1AEC88765FFE4EF44220F08C4EADD898F202D275A444CA71

Uniqueness

Uniqueness Score: -1.00%

Function 010EB806, Relevance: 1.5, APIs: 1, Instructions: 38windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000000,00000000,00000000), ref: 010EB841

Memory Dump Source

Source File: 00000003.00000002.507246289.00000000010EA000.00000040.00000001.sdmp, Offset: 010EA000, based on PE: false

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 7e509cf8eb40d61ff03d985b3aa5cf86a1c3ec52df0ad9ca4f5a98c02114d4c6
Instruction ID: 714e49b0254dfab7cec7c275b710a07422ea0679116bfe4896957b191b60018d
Opcode Fuzzy Hash: 7e509cf8eb40d61ff03d985b3aa5cf86a1c3ec52df0ad9ca4f5a98c02114d4c6
Instruction Fuzzy Hash: 6D018F31800340DFDB218F56D988B65FFE0EF04720F08C49ADD854B326D375A458CB62

Uniqueness

Uniqueness Score: -1.00%

Function 010EA8EE, Relevance: 1.5, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 010EA926

Memory Dump Source

Source File: 00000003.00000002.507246289.00000000010EA000.00000040.00000001.sdmp, Offset: 010EA000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 83f0f1af0a774bce3398f1a9aa8489fdf3b983395bce6f27ac3d1ae42566486c
Instruction ID: 153d159a47b7e446bc7f925ac6821ba9bf19018efaea038dec426f08805e325c
Opcode Fuzzy Hash: 83f0f1af0a774bce3398f1a9aa8489fdf3b983395bce6f27ac3d1ae42566486c
Instruction Fuzzy Hash: B301AD35900640DFDB218F0AE889766FFE0EF08720F08C4AADD864B252C375A409CB72

Uniqueness

Uniqueness Score: -1.00%

Function 010EBE3E, Relevance: 1.5, APIs: 1, Instructions: 35windowCOMMON

Download Yara Rule

APIs

DispatchMessageW.USER32(?), ref: 010EBE70

Memory Dump Source

Source File: 00000003.00000002.507246289.00000000010EA000.00000040.00000001.sdmp, Offset: 010EA000, based on PE: false

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: e25c0a3183671e67509d4f21dea7a586b48dcea149c6f1be7a6429f800b0d1fe
Instruction ID: c29e4141ae8911ef1b093a6c8174607d287e5f1d89c100820df6a97179f39714
Opcode Fuzzy Hash: e25c0a3183671e67509d4f21dea7a586b48dcea149c6f1be7a6429f800b0d1fe
Instruction Fuzzy Hash: C6F0A435904240CFDB208F0AE888765FFE0DF44720F08C4EADE854B356D375A448CAA2

Uniqueness

Uniqueness Score: -1.00%

Function 010EA372, Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 010EA3A4

Memory Dump Source

Source File: 00000003.00000002.507246289.00000000010EA000.00000040.00000001.sdmp, Offset: 010EA000, based on PE: false

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: e25c0a3183671e67509d4f21dea7a586b48dcea149c6f1be7a6429f800b0d1fe
Instruction ID: da11b7693544e988a6adf6cc15602fe1d3521f5ac1a69956c29eda00168a4fe5
Opcode Fuzzy Hash: e25c0a3183671e67509d4f21dea7a586b48dcea149c6f1be7a6429f800b0d1fe
Instruction Fuzzy Hash: 8AF0A434604340DFDB208F1AE888765FFE0DF48720F18C09AED854B756D2B5A444CA72

Uniqueness

Uniqueness Score: -1.00%

Function 02AF20D0, Relevance: 1.4, Strings: 1, Instructions: 199COMMON

Download Yara Rule

Strings

r*+, xrefs: 02AF230F

Memory Dump Source

Source File: 00000003.00000002.507710398.0000000002AF0000.00000040.00000001.sdmp, Offset: 02AF0000, based on PE: false

Similarity

API ID:
String ID: r*+
API String ID: 0-3221063712
Opcode ID: 157211e85628f7e8a57fd16af83ea78413348444a00c515bae39fdfe353bee23
Instruction ID: e7b4a215af414959945ca6700e4b99016dc29ceee0fd57117c1f00f715d6ad8c
Opcode Fuzzy Hash: 157211e85628f7e8a57fd16af83ea78413348444a00c515bae39fdfe353bee23
Instruction Fuzzy Hash: AA716D34A0820ACFDB94DFA9C5817BEBBB1FF85300F10816AEA06DB254DB399D45CB55

Uniqueness

Uniqueness Score: -1.00%

Function 02AF8E18, Relevance: 1.4, Strings: 1, Instructions: 134COMMON

Download Yara Rule

Strings

, xrefs: 02AF8F36

Memory Dump Source

Source File: 00000003.00000002.507710398.0000000002AF0000.00000040.00000001.sdmp, Offset: 02AF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: dda722a75d4ad24131131e69335d676899d6593b39ddf4e66fc7aa1c63698d45
Instruction ID: ca49c0d8e9b9ca2be643100fc066d9cab4314b8c283d427d6b43250472689802
Opcode Fuzzy Hash: dda722a75d4ad24131131e69335d676899d6593b39ddf4e66fc7aa1c63698d45
Instruction Fuzzy Hash: E6419371E041058FDB90CFA5C8805AEB7B2EF85314B25C96BE615DB604EB3DD842CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02AF2D58, Relevance: 1.4, Strings: 1, Instructions: 132COMMON

Download Yara Rule

Strings

, xrefs: 02AF2E76

Memory Dump Source

Source File: 00000003.00000002.507710398.0000000002AF0000.00000040.00000001.sdmp, Offset: 02AF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: fa0afdf5bccabd54f759e48203a7d44406dd3ec4abdacfb41d0735019f102df9
Instruction ID: d2ff8dc49fd620886824671388f4daa4472eb733e615d190da0a199d8b496248
Opcode Fuzzy Hash: fa0afdf5bccabd54f759e48203a7d44406dd3ec4abdacfb41d0735019f102df9
Instruction Fuzzy Hash: E0419371E042458BCB90CFE5C8807AE7F72ABC5214B34847AEA55DB605EB39D852CF92

Uniqueness

Uniqueness Score: -1.00%

Function 02AF0698, Relevance: 1.4, Strings: 1, Instructions: 120COMMON

Download Yara Rule

Strings

Z/q^, xrefs: 02AF06A1, 02AF06A6

Memory Dump Source

Source File: 00000003.00000002.507710398.0000000002AF0000.00000040.00000001.sdmp, Offset: 02AF0000, based on PE: false

Similarity

API ID:
String ID: Z/q^
API String ID: 0-2591934888
Opcode ID: 7617bd26b80f344ce55493af492c013c8955fb36d94b486d9a11a9faf10f94a1
Instruction ID: 1ff35ae088ce7993a19beffc7a9c160c420ddd5e813d209eceb8c6a6b115ea11
Opcode Fuzzy Hash: 7617bd26b80f344ce55493af492c013c8955fb36d94b486d9a11a9faf10f94a1
Instruction Fuzzy Hash: 0241AB34600211CFD7A4BB75E80E66C3BA6FF80701B05856DF582CB6ADDF3A4C458B92

Uniqueness

Uniqueness Score: -1.00%

Function 02AF82C0, Relevance: 1.3, Strings: 1, Instructions: 98COMMON

Download Yara Rule

Strings

r*+, xrefs: 02AF83D7

Memory Dump Source

Source File: 00000003.00000002.507710398.0000000002AF0000.00000040.00000001.sdmp, Offset: 02AF0000, based on PE: false

Similarity

API ID:
String ID: r*+
API String ID: 0-3221063712
Opcode ID: 48ab6e30b3567fc07f31c1ce307e3e7782ec8fe8b3df11f1503ca74a51a38c07
Instruction ID: dc3fdf88f256d19c29d25fd15c3d3252a6f0cf7f3e302fe26d8009f385216e8e
Opcode Fuzzy Hash: 48ab6e30b3567fc07f31c1ce307e3e7782ec8fe8b3df11f1503ca74a51a38c07
Instruction Fuzzy Hash: 0D411C70E04209DFDB98DBE5D4956AEBBF1FF45304F1082AAE502A7260DB3D9A41CF52

Uniqueness

Uniqueness Score: -1.00%

Function 02AF8108, Relevance: 1.3, Strings: 1, Instructions: 85COMMON

Download Yara Rule

Strings

]D/q^, xrefs: 02AF8136, 02AF813B

Memory Dump Source

Source File: 00000003.00000002.507710398.0000000002AF0000.00000040.00000001.sdmp, Offset: 02AF0000, based on PE: false

Similarity

API ID:
String ID: ]D/q^
API String ID: 0-313009871
Opcode ID: 946841a67f83242781be5af8096acc2a82866bdb5ce6ba7d33399ed64eb82f48
Instruction ID: bc743eb7b44d7896852fd0de25c703fe9f5e52d24a095682cf64464fc0411f71
Opcode Fuzzy Hash: 946841a67f83242781be5af8096acc2a82866bdb5ce6ba7d33399ed64eb82f48
Instruction Fuzzy Hash: 2531D730A14711CFDB48ABB9E4584AD7BB3EF852113158569F116CB3AADF389D06CB41

Uniqueness

Uniqueness Score: -1.00%

Function 02AF8118, Relevance: 1.3, Strings: 1, Instructions: 81COMMON

Download Yara Rule

Strings

]D/q^, xrefs: 02AF8136, 02AF813B

Memory Dump Source

Source File: 00000003.00000002.507710398.0000000002AF0000.00000040.00000001.sdmp, Offset: 02AF0000, based on PE: false

Similarity

API ID:
String ID: ]D/q^
API String ID: 0-313009871
Opcode ID: 8299d69425a6489447534309a025f41a040e12468e468dd1d081206bbb6a1f8d
Instruction ID: b6c8d4579d8e444f2d85f9d66fc137e0c426a8f72065db457040ac6d464752db
Opcode Fuzzy Hash: 8299d69425a6489447534309a025f41a040e12468e468dd1d081206bbb6a1f8d
Instruction Fuzzy Hash: 6621D330B10611CFDB88ABB9E4984AD3BF3EB853103148668F112CB3A9DF389D02CB41

Uniqueness

Uniqueness Score: -1.00%

Function 02AFD5D9, Relevance: 1.3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

Strings

M>/q^, xrefs: 02AFD69F, 02AFD6A4

Memory Dump Source

Source File: 00000003.00000002.507710398.0000000002AF0000.00000040.00000001.sdmp, Offset: 02AF0000, based on PE: false

Similarity

API ID:
String ID: M>/q^
API String ID: 0-1993011637
Opcode ID: 7d87d438ba5006cfe99dbebffe5d72b300d59bf0b18a0ffbca7fea9f3a005037
Instruction ID: 602c10aeb23ab2f2893c399d30f37e687b0e9dd746d38017666391203e7e01f6
Opcode Fuzzy Hash: 7d87d438ba5006cfe99dbebffe5d72b300d59bf0b18a0ffbca7fea9f3a005037
Instruction Fuzzy Hash: A221F171624A18CBCB968BE5D4407EEBBF6AF88210F14417AF60ADB340DF399C46C791

Uniqueness

Uniqueness Score: -1.00%

Function 02AF05B9, Relevance: 1.3, Strings: 1, Instructions: 51COMMON

Download Yara Rule

Strings

8p, xrefs: 02AF05D6

Memory Dump Source

Source File: 00000003.00000002.507710398.0000000002AF0000.00000040.00000001.sdmp, Offset: 02AF0000, based on PE: false

Similarity

API ID:
String ID: 8p
API String ID: 0-2220451280
Opcode ID: 9c7949c3803a992feb9692be085c3008f740fedf5fc121639325e5e229b9a216
Instruction ID: 219f6aec20c51034d58db240e2d90b69028a70ddaef015546078fbfa17b5919c
Opcode Fuzzy Hash: 9c7949c3803a992feb9692be085c3008f740fedf5fc121639325e5e229b9a216
Instruction Fuzzy Hash: E301F2303042640FC7C6767DA4225BFAB9BAFC6940718009EF186CB3C6DD696C4243EA

Uniqueness

Uniqueness Score: -1.00%

Function 02AF05C8, Relevance: 1.3, Strings: 1, Instructions: 45COMMON

Download Yara Rule

Strings

8p, xrefs: 02AF05D6

Memory Dump Source

Source File: 00000003.00000002.507710398.0000000002AF0000.00000040.00000001.sdmp, Offset: 02AF0000, based on PE: false

Similarity

API ID:
String ID: 8p
API String ID: 0-2220451280
Opcode ID: a5fe1dccd48d8347fa839681f60f81ca2479a61c1bf78227ee312bafb1a48ca3
Instruction ID: 93c07935aca432922edc0af03af0ed4e9dbb5dd12d8228c0c91868235db5ed03
Opcode Fuzzy Hash: a5fe1dccd48d8347fa839681f60f81ca2479a61c1bf78227ee312bafb1a48ca3
Instruction Fuzzy Hash: B1F090313101244FDAC9767EA4226BF629F6BC5940754402EB206D73C9DDB5AD4343EA

Uniqueness

Uniqueness Score: -1.00%

Function 02AF5AA1, Relevance: 1.3, Strings: 1, Instructions: 26COMMON

Download Yara Rule

Strings

-S/q^, xrefs: 02AF5ACA, 02AF5ACF

Memory Dump Source

Source File: 00000003.00000002.507710398.0000000002AF0000.00000040.00000001.sdmp, Offset: 02AF0000, based on PE: false

Similarity

API ID:
String ID: -S/q^
API String ID: 0-649373990
Opcode ID: a33a67d8cb4bfccf9fa6ccd66df1c8c6fbd586201c8e13992f57cd0324678aa1
Instruction ID: fb1d66f3ee2d5b135daa89ca17dbada4c716609f84e73f48a8952c0e07e567de
Opcode Fuzzy Hash: a33a67d8cb4bfccf9fa6ccd66df1c8c6fbd586201c8e13992f57cd0324678aa1
Instruction Fuzzy Hash: 64E026347083541FDB222F76A8615BD3B79AFC261430948CAE483DF25BDE158C0AC3D5

Uniqueness

Uniqueness Score: -1.00%

Function 02AF5B40, Relevance: 1.3, Strings: 1, Instructions: 25COMMON

Download Yara Rule

Strings

=R/q^, xrefs: 02AF5B60, 02AF5B65

Memory Dump Source

Source File: 00000003.00000002.507710398.0000000002AF0000.00000040.00000001.sdmp, Offset: 02AF0000, based on PE: false

Similarity

API ID:
String ID: =R/q^
API String ID: 0-4276640193
Opcode ID: 1348ce0276bbca727b78f75b08fc72e87e5cd14e1de34ebdbbeb5b2f74e4da69
Instruction ID: a6b342c84032c638df52b63c4d4da01a109ae9796d633f3673d80ae6f8530a98
Opcode Fuzzy Hash: 1348ce0276bbca727b78f75b08fc72e87e5cd14e1de34ebdbbeb5b2f74e4da69
Instruction Fuzzy Hash: C2E092317443149FE744DFA888118BA77B9AFD2220705849FE986DB256DA258C02C7E1

Uniqueness

Uniqueness Score: -1.00%

Function 02AF5AB0, Relevance: 1.3, Strings: 1, Instructions: 20COMMON

Download Yara Rule

Strings

-S/q^, xrefs: 02AF5ACA, 02AF5ACF

Memory Dump Source

Source File: 00000003.00000002.507710398.0000000002AF0000.00000040.00000001.sdmp, Offset: 02AF0000, based on PE: false

Similarity

API ID:
String ID: -S/q^
API String ID: 0-649373990
Opcode ID: 4fc75914e5c81137474c993c1fef1d2c5c12f8fbd990b32380220d3d180a8273
Instruction ID: 52729002675adda1b19d64c02036e7365ecf7e6911e7ca47bc6e966106dc3fe1
Opcode Fuzzy Hash: 4fc75914e5c81137474c993c1fef1d2c5c12f8fbd990b32380220d3d180a8273
Instruction Fuzzy Hash: 6CD097207002281726107677680167F338E6BC0851300445CF502EB344EE089C0683E4

Uniqueness

Uniqueness Score: -1.00%

Function 02AF5B50, Relevance: 1.3, Strings: 1, Instructions: 19COMMON

Download Yara Rule

Strings

=R/q^, xrefs: 02AF5B60, 02AF5B65

Memory Dump Source

Source File: 00000003.00000002.507710398.0000000002AF0000.00000040.00000001.sdmp, Offset: 02AF0000, based on PE: false

Similarity

API ID:
String ID: =R/q^
API String ID: 0-4276640193
Opcode ID: 0d4c4c08a5888b74b619731206d677457aa881871564c4151dd4b60328775cbe
Instruction ID: 6d03eb42422b29c234f00aec03bc38fe832ef19d102a8c9b5ed040b99c8eb193
Opcode Fuzzy Hash: 0d4c4c08a5888b74b619731206d677457aa881871564c4151dd4b60328775cbe
Instruction Fuzzy Hash: 37D0A72134012C1BB504E5ADDC12D79739FDBC5514704845EFA4ADB741CD739C0283D1

Uniqueness

Uniqueness Score: -1.00%

Function 02AF12A0, Relevance: .5, Instructions: 460COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.507710398.0000000002AF0000.00000040.00000001.sdmp, Offset: 02AF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d1056b8bfa5fe885f2dd1fa16747cb3cd87a67b271908366f131933dba8c180
Instruction ID: 3722b6930f91b4ca9465fb739cd4e599d345ff0e0096315c35bb9261a3fcb4b6
Opcode Fuzzy Hash: 1d1056b8bfa5fe885f2dd1fa16747cb3cd87a67b271908366f131933dba8c180
Instruction Fuzzy Hash: 09220538A00A55CFCB64DF65D480A6AB7F2FF88300F148699E85AAB759DB34BD45CF40

Uniqueness

Uniqueness Score: -1.00%

Function 02B5025D, Relevance: .5, Instructions: 454COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.507783196.0000000002B50000.00000040.00000040.sdmp, Offset: 02B50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8bffdc55e2adb80ebb7d1263517e33985ebe9df53ccda8a6f3d7c961ed74101
Instruction ID: bcb5030160fcb2ed504227a9613c865379940cd60683fc2eb6cf173d2bb60d2a
Opcode Fuzzy Hash: f8bffdc55e2adb80ebb7d1263517e33985ebe9df53ccda8a6f3d7c961ed74101
Instruction Fuzzy Hash: 3141D06254E3D15FD7138B749C615A1BFB4AE43221B0E80EBD4C4CF1A3E26D598ACB72

Uniqueness

Uniqueness Score: -1.00%

Function 02AFA7A0, Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.507710398.0000000002AF0000.00000040.00000001.sdmp, Offset: 02AF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cf74bee6ee5ffef0a278417463011aa3b530616eb972f706d0beebdc7663502
Instruction ID: 05a6449f4a7e7f8e9561d07d28d0a0833091193d00be48c3055de1bfe2d92ce6
Opcode Fuzzy Hash: 0cf74bee6ee5ffef0a278417463011aa3b530616eb972f706d0beebdc7663502
Instruction Fuzzy Hash: 2591DE307006168FD708EB69D894AAE7BB7FFC4300F6185ACD2098B695DF71AD4687D2

Uniqueness

Uniqueness Score: -1.00%

Function 02AF5BC0, Relevance: .2, Instructions: 241COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.507710398.0000000002AF0000.00000040.00000001.sdmp, Offset: 02AF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e977c23c6730c850c4d25844a4e6352fe26857585fa3e74bf2fda3247676983
Instruction ID: dfd0db1379c017661d3630bfdfdfa877f2834ab24c51c7bce69cc9bb1fc20166
Opcode Fuzzy Hash: 1e977c23c6730c850c4d25844a4e6352fe26857585fa3e74bf2fda3247676983
Instruction Fuzzy Hash: DD818D31A00619CFCF55CF54C880ADAF7B2AF85304F4585D5EA0AAF215DB75AE8ACF90

Uniqueness

Uniqueness Score: -1.00%

Function 02AFDBA9, Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.507710398.0000000002AF0000.00000040.00000001.sdmp, Offset: 02AF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c393bf209ddd4fcdee1d26efd8607aa88f668efc75c48298d4eeefdabc659590
Instruction ID: e8dec640fff10dbaccc59288c292b2cabf3cec74414175966455a3648001a566
Opcode Fuzzy Hash: c393bf209ddd4fcdee1d26efd8607aa88f668efc75c48298d4eeefdabc659590
Instruction Fuzzy Hash: C3715F35A00A04DFDB56CFA4C494BADBBF1BB89314F148459E652A7351DF78E882CF50

Uniqueness

Uniqueness Score: -1.00%

Function 02AF7368, Relevance: .2, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.507710398.0000000002AF0000.00000040.00000001.sdmp, Offset: 02AF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81a6ed2d96be8c63db8a6facc8482957336523765617317f24ef10b58a00ef08
Instruction ID: d1fb21c68d4f06eb9d6b90c663378046815f5338334a5f39a61ec8641e9eb8fb
Opcode Fuzzy Hash: 81a6ed2d96be8c63db8a6facc8482957336523765617317f24ef10b58a00ef08
Instruction Fuzzy Hash: 1A51A331A04214CFCB55CFA8D880A9EFBF2FF85304F1585A5D949AF216CB74AD06CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02AF02E8, Relevance: .2, Instructions: 175COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.507710398.0000000002AF0000.00000040.00000001.sdmp, Offset: 02AF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34e899d6c531a521b74f7624c6be91ebef9dcdd33b5c893307365e56fca3db4b
Instruction ID: 5164da99065a1d9b3c78ecce6a745a7264ab0639c39c20acaf8020afcbe40b79
Opcode Fuzzy Hash: 34e899d6c531a521b74f7624c6be91ebef9dcdd33b5c893307365e56fca3db4b
Instruction Fuzzy Hash: F1518134A052058FCB48DF69C4947AD7BF2EF89310F1481ADE6069B366DF35AC42CB51

Uniqueness

Uniqueness Score: -1.00%

Function 02AF09A5, Relevance: .2, Instructions: 175COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.507710398.0000000002AF0000.00000040.00000001.sdmp, Offset: 02AF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f536139c40fda2c3c73019d62521b4ab11f3c07b93914c84fe8183328acf141
Instruction ID: b969a17a2b386d1de3180c137d05618ffbb584841291e247bf922c0e9161a878
Opcode Fuzzy Hash: 1f536139c40fda2c3c73019d62521b4ab11f3c07b93914c84fe8183328acf141
Instruction Fuzzy Hash: 1451D535B00215DFCB549FA5D854AAEB7F2FF84304F208569E646DB259EF38AD02CB80

Uniqueness

Uniqueness Score: -1.00%

Function 02AF71C0, Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.507710398.0000000002AF0000.00000040.00000001.sdmp, Offset: 02AF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e0b8cd51d6e73a3ddb8c600d31374d7c36c478e5a61c35e04b4629b4b9f8241
Instruction ID: 60d13611e6a9fb29a938cc95cb35ed07495253ddbe5b5f94e94d52ae31ad05fd
Opcode Fuzzy Hash: 3e0b8cd51d6e73a3ddb8c600d31374d7c36c478e5a61c35e04b4629b4b9f8241
Instruction Fuzzy Hash: 3231393190061ACFDF51CF54CC54ADAFBB2AF85304F518594EA09BB205DBB46B8ACF81

Uniqueness

Uniqueness Score: -1.00%

Function 02AF6CD0, Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.507710398.0000000002AF0000.00000040.00000001.sdmp, Offset: 02AF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98fc62f1c5d56b14596ff7773ac4d139826deb5d8d5d00043e53b53ce0574770
Instruction ID: 33078274cacf2b422a334e82af33a189300a571b5cefdb0ba305c6e55eaa34c1
Opcode Fuzzy Hash: 98fc62f1c5d56b14596ff7773ac4d139826deb5d8d5d00043e53b53ce0574770
Instruction Fuzzy Hash: FC51B035B002198FCB48EBBAC5505AEF7F7AFC4710B148569D91AAB358DE34EC42CB90

Uniqueness

Uniqueness Score: -1.00%

Function 02AF76A8, Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.507710398.0000000002AF0000.00000040.00000001.sdmp, Offset: 02AF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df0e2494c104f70e5b5f5647a6b4971f2e89d71d090e206ae6d58f83ff28158d
Instruction ID: 8ab5dfb081ca0c5cf0c9ee92b4d89f7b9168e32cb79e656d21273df7d16f53e9
Opcode Fuzzy Hash: df0e2494c104f70e5b5f5647a6b4971f2e89d71d090e206ae6d58f83ff28158d
Instruction Fuzzy Hash: 97511374D00618CFCB55DFA9C98499CFBF1FF48310F20866AE55AA7258EB356945CF80

Uniqueness

Uniqueness Score: -1.00%

Function 02AF7979, Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.507710398.0000000002AF0000.00000040.00000001.sdmp, Offset: 02AF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d67c040eca71148e6376f085fa0c3dcb279c527f60d224fef97e28ddb644dad
Instruction ID: a4d2ef9df14c2799b0535689e609756d07a4911d5b6a98754de7830ff4192e6b
Opcode Fuzzy Hash: 3d67c040eca71148e6376f085fa0c3dcb279c527f60d224fef97e28ddb644dad
Instruction Fuzzy Hash: A6515D34A00215CFDB54DBB5D994BADBBF2BF84300F2142A9E54A9B295DF349C41CF61

Uniqueness

Uniqueness Score: -1.00%

Function 02AF0BC0, Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.507710398.0000000002AF0000.00000040.00000001.sdmp, Offset: 02AF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52468e207210af84162a6df14cc8d4b54c4c641cd6ee39c833587989c58712f7
Instruction ID: 6b2fc47c30f03fbb7898083ba6eec9737e2cbcf6fa2129b795924663d1581f2c
Opcode Fuzzy Hash: 52468e207210af84162a6df14cc8d4b54c4c641cd6ee39c833587989c58712f7
Instruction Fuzzy Hash: 8841E931B041088FC7558B68C4146AE77F7AF85310F15806AF906EF3A9CE759D0AC791

Uniqueness

Uniqueness Score: -1.00%

Function 02AF1458, Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.507710398.0000000002AF0000.00000040.00000001.sdmp, Offset: 02AF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e75b17b1db2e72ef336bfa9bc3aae89a86c2ddf9a1469ff0abe38555676df39
Instruction ID: cd76dd0736676bfc1c37db686f22c31d5c44a3be16577e27b72d59cfeac10566
Opcode Fuzzy Hash: 6e75b17b1db2e72ef336bfa9bc3aae89a86c2ddf9a1469ff0abe38555676df39
Instruction Fuzzy Hash: E6510538A00259CFDB54DFA5C894B9CBBB2BF48304F1441E9E50AAB369DB34AD85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 02AF6850, Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.507710398.0000000002AF0000.00000040.00000001.sdmp, Offset: 02AF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bcba08fac8a8d9745fc93820470d966b4e7a30f668d535f3e026c3d4f041a3b
Instruction ID: 4c25b2481693cd28e286de343cdfa6a21f8a2e168aba184acf8379f87df4832b
Opcode Fuzzy Hash: 9bcba08fac8a8d9745fc93820470d966b4e7a30f668d535f3e026c3d4f041a3b
Instruction Fuzzy Hash: 5F41E138A01660CFC755AB7691642AD7BF2BF8D71171402ACF906AB786DF3AAC01CF51

Uniqueness

Uniqueness Score: -1.00%

Function 02AF8CB8, Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.507710398.0000000002AF0000.00000040.00000001.sdmp, Offset: 02AF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbb346aa44d7d1cbc6ba8c92aba542f9dc867a5d57c8ccac60c9bd69014f2c20
Instruction ID: f80c2a9554014be3148ab8a251d51c2213b2f6b0e63b5330e44ca2219cb79e02
Opcode Fuzzy Hash: dbb346aa44d7d1cbc6ba8c92aba542f9dc867a5d57c8ccac60c9bd69014f2c20
Instruction Fuzzy Hash: 2441D23120E391CFC7958BB8D494964BFB5AF0321471949D7F296CF6A2CB2D9C05C751

Uniqueness

Uniqueness Score: -1.00%

Function 02AFAB20, Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.507710398.0000000002AF0000.00000040.00000001.sdmp, Offset: 02AF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 455f043a864b8df2664aaa18c2305023e00328ec9a6055bfa1622d32523df1f3
Instruction ID: 2a04b80b6fc804e6d5e18a557ee331fec512ad6bf3d48362989012754246bf7c
Opcode Fuzzy Hash: 455f043a864b8df2664aaa18c2305023e00328ec9a6055bfa1622d32523df1f3
Instruction Fuzzy Hash: 4741D071A006688FCB549BE9C8902EDBBF2FB88314B144429E54AD7741DB39ED42CB95

Uniqueness

Uniqueness Score: -1.00%

Function 02AF6860, Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.507710398.0000000002AF0000.00000040.00000001.sdmp, Offset: 02AF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a3c9d20ae8e7a103552fbb07f51d37a430175082abd1bd64c683f1858e5e137
Instruction ID: 44cece87069ef731cdd2813eecc8f6c774ce855c28a9afb78b81bfcc07033f12
Opcode Fuzzy Hash: 4a3c9d20ae8e7a103552fbb07f51d37a430175082abd1bd64c683f1858e5e137
Instruction Fuzzy Hash: 38410438B01160CF8744AB76916425D7BE3BF8C7117140268F906A7786DF39AC01CF51

Uniqueness

Uniqueness Score: -1.00%

Function 02AF02DA, Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.507710398.0000000002AF0000.00000040.00000001.sdmp, Offset: 02AF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a72780d3185313fe29aa463ba8de86c853d9660b6b05ca411de3ff79b2e78ba
Instruction ID: 2a2006a9bfb287a5c9fd33592db025796fb5739a8ada8d98380f371d0978627a
Opcode Fuzzy Hash: 0a72780d3185313fe29aa463ba8de86c853d9660b6b05ca411de3ff79b2e78ba
Instruction Fuzzy Hash: 69418F30A052058FDB58CFA9C0947BD7BB2EF89310F2444ADE642AB3A6CF75AC41CB51

Uniqueness

Uniqueness Score: -1.00%

Function 02AF7FA0, Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.507710398.0000000002AF0000.00000040.00000001.sdmp, Offset: 02AF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac22d5ea5ec34a78d521d3d55d3fdbf61925410f2a8f4fc9a918fbaa09b08669
Instruction ID: 7b24fb7a687d1cc1cc67790429bda0a508feacaf9690ebe8a3788bb580e23fc9
Opcode Fuzzy Hash: ac22d5ea5ec34a78d521d3d55d3fdbf61925410f2a8f4fc9a918fbaa09b08669
Instruction Fuzzy Hash: 3441B335A00106CFC740CFA8C98496EF7B1FB44325F258276E616DB651CB39E956CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02AF0170, Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.507710398.0000000002AF0000.00000040.00000001.sdmp, Offset: 02AF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f77e7dcbb287c9cd2b87e32fb85a0f7f5881cd1782c3d166c7e1f4f46c9d1d10
Instruction ID: 0f3666d47418643d8903caca51e986b378aa92c4543fe1daf4ee0dd4aa9b11a4
Opcode Fuzzy Hash: f77e7dcbb287c9cd2b87e32fb85a0f7f5881cd1782c3d166c7e1f4f46c9d1d10
Instruction Fuzzy Hash: 1731B2707053449FDB108B79D890B367BB9EF8A744F1404ADF6469F386DA36AC01CB64

Uniqueness

Uniqueness Score: -1.00%

Function 02AF1290, Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.507710398.0000000002AF0000.00000040.00000001.sdmp, Offset: 02AF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2132c71176969c096da6dda379d23b396ab30627af9971fef96fc63f91ff9145
Instruction ID: 79b09f1b2483fcc2cc17d1e047ed16c66f52e6c338ccfe82afb83595ced61fb2
Opcode Fuzzy Hash: 2132c71176969c096da6dda379d23b396ab30627af9971fef96fc63f91ff9145
Instruction Fuzzy Hash: 4541E274A04269CFCBA4DFA5D884BA9BBB2BF49340F0041E9E50EAB355DB349D84CF51

Uniqueness

Uniqueness Score: -1.00%

Function 02AFDE98, Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.507710398.0000000002AF0000.00000040.00000001.sdmp, Offset: 02AF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d21094d5828fe2773e24c26080055036d86fa3d20210a65efb409c2956c207f0
Instruction ID: 91b12c8b729c25a5de842bee39918a27db7c047f0cbbb4aa84bfdb47bb5d00a9
Opcode Fuzzy Hash: d21094d5828fe2773e24c26080055036d86fa3d20210a65efb409c2956c207f0
Instruction Fuzzy Hash: FD412931904F51CBD3BADB6AC540766B7F2BF84309F15886EE29786AA0DB79A441CF00

Uniqueness

Uniqueness Score: -1.00%

Function 02AF43C0, Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.507710398.0000000002AF0000.00000040.00000001.sdmp, Offset: 02AF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99faa44ae87e8d0c29dabe8ec97e7aba0f2cb3bfaffb53dc22895349acaaadff
Instruction ID: 40474fb42f3c5fed2c042ffe07bd240c322d2add7cd45a583cb4f657808d29b7
Opcode Fuzzy Hash: 99faa44ae87e8d0c29dabe8ec97e7aba0f2cb3bfaffb53dc22895349acaaadff
Instruction Fuzzy Hash: 16314739500651DFCB51EF74E8058AE7FB2FF4931471581A9E142AB27ACB36A816CF41

Uniqueness

Uniqueness Score: -1.00%

Function 02AFA78F, Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.507710398.0000000002AF0000.00000040.00000001.sdmp, Offset: 02AF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56693a0e7877fef75cbd6632c752bab0672b2a14d270b678e83804e3b1372dc2
Instruction ID: a033bb8696e870a7af4c81e7267757c7057440d29a6952a58e6f59260dc3fadc
Opcode Fuzzy Hash: 56693a0e7877fef75cbd6632c752bab0672b2a14d270b678e83804e3b1372dc2
Instruction Fuzzy Hash: F6312F31B101158FDB089BB9C899BBEBBF6BF89305F15407DE10ADB2A1DE754C068B91

Uniqueness

Uniqueness Score: -1.00%

Function 02AF45C8, Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.507710398.0000000002AF0000.00000040.00000001.sdmp, Offset: 02AF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bfc82e036f388eef9b8a648c0f09e020c31af4a5c5f2dce73cae65da4a0e67b4
Instruction ID: 42dec608d7b7ab57b8655763a7005c095afb84c9e17b4cbd8ce073d62ea148e0
Opcode Fuzzy Hash: bfc82e036f388eef9b8a648c0f09e020c31af4a5c5f2dce73cae65da4a0e67b4
Instruction Fuzzy Hash: 00217131B0011A9BDB94DAE9D981AFFB7B9EB88244F10412AE719D3244EF746A14C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 02AF8290, Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.507710398.0000000002AF0000.00000040.00000001.sdmp, Offset: 02AF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eea72fe45ea32ce2874c30309ed262061a7fa2fd4b4a4caad8caf7656defacbd
Instruction ID: 1dbc5d2d5b4102d38cb11df8d40445201e8a9863e236b1b6fa64b3e313083ce4
Opcode Fuzzy Hash: eea72fe45ea32ce2874c30309ed262061a7fa2fd4b4a4caad8caf7656defacbd
Instruction Fuzzy Hash: 74317A30A08285DFDB85CBB4C0956EDBFB1EF06304F2446EAE542DB261DB3D9906CB52

Uniqueness

Uniqueness Score: -1.00%

Function 02AF50E0, Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.507710398.0000000002AF0000.00000040.00000001.sdmp, Offset: 02AF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1dcacb7d266026ac354419e6d1396fce393a13d1a56b9984bea4fa5e1c8ee76b
Instruction ID: 29563849a1221be6a32cc6f5e7d11bfcaef932b8764d57bbeb47f3ff1a34d4e7
Opcode Fuzzy Hash: 1dcacb7d266026ac354419e6d1396fce393a13d1a56b9984bea4fa5e1c8ee76b
Instruction Fuzzy Hash: BE217C74E003099FDB44EFE9C4146AEFBF6AF88300F504529D60AAB354DF74A94ACB81

Uniqueness

Uniqueness Score: -1.00%

Function 02AF6CC2, Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.507710398.0000000002AF0000.00000040.00000001.sdmp, Offset: 02AF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 250d6a6faf4788770cf74369ee35e400e3f087b48c14df07e292bb88e788a88d
Instruction ID: a2e87f52b748277699ef64ce7425160073da4747cf2d39f4ebc16b7d6964bb52
Opcode Fuzzy Hash: 250d6a6faf4788770cf74369ee35e400e3f087b48c14df07e292bb88e788a88d
Instruction Fuzzy Hash: 9A31AD31E002198FCB48DBBAC5509AEF7F7AF88310F108569D916AB359DF35AC06CB80

Uniqueness

Uniqueness Score: -1.00%

Function 02AF43D0, Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.507710398.0000000002AF0000.00000040.00000001.sdmp, Offset: 02AF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d12fbd609f1ca380ec2632febd5d8946ff000f21d737cbdf28fd2a716faccfc
Instruction ID: 5ab7ca1e2dc7d635048f6b3da4b91fcd6e2e44fae0ce40a1b975cc98914fd57e
Opcode Fuzzy Hash: 9d12fbd609f1ca380ec2632febd5d8946ff000f21d737cbdf28fd2a716faccfc
Instruction Fuzzy Hash: 27312739500615DFCB50EF64E845C9E7FB2FF48314B0481A8E6066B26DCB36B816CF41

Uniqueness

Uniqueness Score: -1.00%

Function 02AFD741, Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.507710398.0000000002AF0000.00000040.00000001.sdmp, Offset: 02AF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3c3adea87d42a06675acfa9615b05bcfcbdb209a8fa228d0cf8d8da8e1364bb
Instruction ID: 91b6c8084deca714b2edc74b6abaa928ce028e3ef427dee9e1eacd0b807e9bbc
Opcode Fuzzy Hash: e3c3adea87d42a06675acfa9615b05bcfcbdb209a8fa228d0cf8d8da8e1364bb
Instruction Fuzzy Hash: 8B314A302007068FC764AB79D4605AE7BE3BFC5205764896CD08A8FBD4DE76EC078B85

Uniqueness

Uniqueness Score: -1.00%

Function 02AFD8A8, Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.507710398.0000000002AF0000.00000040.00000001.sdmp, Offset: 02AF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cce5596f5e16ca515eb09ce4b2fc17b2de36c79fe9c6008d827f0f597e781d8c
Instruction ID: c0133d815b0aa8032333067494dabea939e13111d750b22fd1e471f925f0af6b
Opcode Fuzzy Hash: cce5596f5e16ca515eb09ce4b2fc17b2de36c79fe9c6008d827f0f597e781d8c
Instruction Fuzzy Hash: 08312B70B00705CFCB55DFA9C484AAEBBF6BF88304B504429E9569B794DB35EC42CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02AF0006, Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.507710398.0000000002AF0000.00000040.00000001.sdmp, Offset: 02AF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 120ff9bb97a0833835d0914926a872b6e66d1129dd509930a0df055415279f57
Instruction ID: 806a5246ecbdefa67166d7024a43b6457d64ca466a0905c52d639db37df38b13
Opcode Fuzzy Hash: 120ff9bb97a0833835d0914926a872b6e66d1129dd509930a0df055415279f57
Instruction Fuzzy Hash: 45318F3050D3C2CFC746ABB4D8694997FB1BF42304B09899EE1C2CB59BDB39580ACB52

Uniqueness

Uniqueness Score: -1.00%

Function 02AFD897, Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.507710398.0000000002AF0000.00000040.00000001.sdmp, Offset: 02AF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b25846b08728fa2e292475d43e9c8b5413a194bca5c72facc641f81bc4b45d3
Instruction ID: 16f4e6e9acdb30dea63e218e9a30b6f46ae4fe9221e9dcb3a1f04f2987e03496
Opcode Fuzzy Hash: 5b25846b08728fa2e292475d43e9c8b5413a194bca5c72facc641f81bc4b45d3
Instruction Fuzzy Hash: 07318D70B006058FCB55DFA9C580AAEBBF2BF88300B504829E946EB794DB35DC42CB50

Uniqueness

Uniqueness Score: -1.00%

Function 02AFCC00, Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.507710398.0000000002AF0000.00000040.00000001.sdmp, Offset: 02AF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d926b729f228dce82b900c272aab59923a1ccaa198775d3885b8ccdea6100f2
Instruction ID: 6dffedb3e739f80172a6e68de6a0478e9e0ad23091256b58c69c67c1b526fadd
Opcode Fuzzy Hash: 2d926b729f228dce82b900c272aab59923a1ccaa198775d3885b8ccdea6100f2
Instruction Fuzzy Hash: 8421AE31B00609CFC790EBB6E45D1AE7BA6EB80611700C12AE557C6668DF399902CB45

Uniqueness

Uniqueness Score: -1.00%

Function 02AF9F28, Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.507710398.0000000002AF0000.00000040.00000001.sdmp, Offset: 02AF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bd44fa9ef94ec2d8ace22821c4219a9e1901a1e57ef766d4736a264bc832ee9
Instruction ID: d208869f1c217ac0f63f9f4451311068b2e42b3dc685ff474256ba47ebc8e146
Opcode Fuzzy Hash: 6bd44fa9ef94ec2d8ace22821c4219a9e1901a1e57ef766d4736a264bc832ee9
Instruction Fuzzy Hash: 21218030B0420ACBCB54DBF4D841AAFB7B6BB88640F11492EE246AB644DF35A801C791

Uniqueness

Uniqueness Score: -1.00%

Function 02AF668A, Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.507710398.0000000002AF0000.00000040.00000001.sdmp, Offset: 02AF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc587c84bcd98708ddaf36126afa5bd2f686e8b701a02e28b1dc2468d23d136d
Instruction ID: d3a4a330eb45d626481180b260cc3fa27c8e68237869ead882a55415bc9583eb
Opcode Fuzzy Hash: dc587c84bcd98708ddaf36126afa5bd2f686e8b701a02e28b1dc2468d23d136d
Instruction Fuzzy Hash: 6031AD34210752CFC714BB35E0A959D3BB2EFC53047548A6DE1469B389DF7A9807CB82

Uniqueness

Uniqueness Score: -1.00%

Function 02AF6F10, Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.507710398.0000000002AF0000.00000040.00000001.sdmp, Offset: 02AF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9102ea888791e1ad2eaba65210352cb2537da3e1fad97cce61a4510ecc9e22f5
Instruction ID: 29e1653d44fdc97a8c5eaf968336e3d9503eda2bf91a62ef1d9f9170f068bdb1
Opcode Fuzzy Hash: 9102ea888791e1ad2eaba65210352cb2537da3e1fad97cce61a4510ecc9e22f5
Instruction Fuzzy Hash: 73210130B001019FC758A7FA985097EBBFBAFC9300B52467EE613DB251DD798D018BA1

Uniqueness

Uniqueness Score: -1.00%

Function 02AF4F10, Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.507710398.0000000002AF0000.00000040.00000001.sdmp, Offset: 02AF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6af26ba01c985556e323ad95a889b448497fc89168434dfbd2135e3bd7c85dee
Instruction ID: e97f23fc0a2b7a7de08845073d17223f6284beac86a0fa87a6dc1040f50555b9
Opcode Fuzzy Hash: 6af26ba01c985556e323ad95a889b448497fc89168434dfbd2135e3bd7c85dee
Instruction Fuzzy Hash: 7F21D7352186518BC384E7B5E55087A3772EFC9B507128627E34B8B15EDF386C02C752

Uniqueness

Uniqueness Score: -1.00%

Function 02AF48B9, Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.507710398.0000000002AF0000.00000040.00000001.sdmp, Offset: 02AF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dcc0a08e4fed386edf97d7c640265a23667bacecaeb7aa825146d4fc84ab662f
Instruction ID: de105b23e785a47d6828b086dc4f54d24b0362d2fd5a234fd2a6847ae12fc41e
Opcode Fuzzy Hash: dcc0a08e4fed386edf97d7c640265a23667bacecaeb7aa825146d4fc84ab662f
Instruction Fuzzy Hash: CB11B132B040569ACF85DAF4D8904FF7B76AFCA710B144429EB06BB244DE292A06C790

Uniqueness

Uniqueness Score: -1.00%

Function 02AF86A6, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.507710398.0000000002AF0000.00000040.00000001.sdmp, Offset: 02AF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 870b2c751a16db37d1d2e4af4fbf8261e23ce26aa9b81ac58262321a9f7b3edc
Instruction ID: aa27829b175249e9b4a7f9e0f191b48520540c8fab4e3634c2c9eb55222228e8
Opcode Fuzzy Hash: 870b2c751a16db37d1d2e4af4fbf8261e23ce26aa9b81ac58262321a9f7b3edc
Instruction Fuzzy Hash: 63317CB4A1020ACFEB60DFA5D48479EBBF2BF45304F158269E105AB254DF7C9486CF81

Uniqueness

Uniqueness Score: -1.00%

Function 02AF21E9, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.507710398.0000000002AF0000.00000040.00000001.sdmp, Offset: 02AF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2826e19f874f903db5f269bf82c2087fc011c15480133f26678b106a908d3d88
Instruction ID: b808e26644658fe46914768373cb46690aae010feffa3b50947a3bf46e49afa0
Opcode Fuzzy Hash: 2826e19f874f903db5f269bf82c2087fc011c15480133f26678b106a908d3d88
Instruction Fuzzy Hash: BB312870D08209DFCB94DFE8C1857ADBBB1FF44304F1041AAEA42A72A5DB399E45CB52

Uniqueness

Uniqueness Score: -1.00%

Function 02AF25DE, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.507710398.0000000002AF0000.00000040.00000001.sdmp, Offset: 02AF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d86d90d1de299de2003a84c00625284f9be0de9245931b538a97b9af2a800dc
Instruction ID: 8f2af4bb02e0c2382b0ccdec50e6013ef1b5cd9519ed8ff66c4bb8cd7609a797
Opcode Fuzzy Hash: 7d86d90d1de299de2003a84c00625284f9be0de9245931b538a97b9af2a800dc
Instruction Fuzzy Hash: 28314774A00249CBEBA0DFA6D48475AFBB2BF84314F14C22DD545AB259DBB89889CF41

Uniqueness

Uniqueness Score: -1.00%

Function 02AF9F18, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.507710398.0000000002AF0000.00000040.00000001.sdmp, Offset: 02AF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c306d1fc97dd7873fce3226bf17e9a3482a8f43dca76091af03b272485f72384
Instruction ID: 6d6a931bcd70aeda0bc2621dd3c10da19d0b2ccbbcc627aedc0047a7fd36ca46
Opcode Fuzzy Hash: c306d1fc97dd7873fce3226bf17e9a3482a8f43dca76091af03b272485f72384
Instruction Fuzzy Hash: F6210230B042069BCB90DBF5D840BAFB7F2AB88740F11446EF246DB244DF79A900C390

Uniqueness

Uniqueness Score: -1.00%

Function 02AF4511, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.507710398.0000000002AF0000.00000040.00000001.sdmp, Offset: 02AF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 417f8abf5688abcb8f8e6b6b4a286b39e81e47f7e24b21ab9eb40c262bdf13b4
Instruction ID: 46fea0016c489060c7298a16123a1767afe5dbdcaed96380b8e008d0ceb7e34a
Opcode Fuzzy Hash: 417f8abf5688abcb8f8e6b6b4a286b39e81e47f7e24b21ab9eb40c262bdf13b4
Instruction Fuzzy Hash: A511E672E041548BCF45AAA894102FF77B29FCA220F0441BEBF469B291DE6A9D05CB90

Uniqueness

Uniqueness Score: -1.00%

Function 02AF6F20, Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.507710398.0000000002AF0000.00000040.00000001.sdmp, Offset: 02AF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97fc5a72472a88899310eb294503437710172247960c480d38cef2a894ff5fdc
Instruction ID: 06022fe69fdcfb89c8ccbc9a45512e173c023e5c22dd5f406fe4538a7ee393fd
Opcode Fuzzy Hash: 97fc5a72472a88899310eb294503437710172247960c480d38cef2a894ff5fdc
Instruction Fuzzy Hash: 1E11D030B000119BCB48B7FAD85497FB7FBAFC8700B92463AA6139B354DD789D008BA1

Uniqueness

Uniqueness Score: -1.00%

Function 02AF50D0, Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.507710398.0000000002AF0000.00000040.00000001.sdmp, Offset: 02AF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4420402ec3a06fbf287baadb74c8a2a088a57f2b2a3f8330c64a14528dd71fc8
Instruction ID: ff81bd9d72bad7f220c58877ebe61335549a7f2627a9716eb4c89eeddd3125c8
Opcode Fuzzy Hash: 4420402ec3a06fbf287baadb74c8a2a088a57f2b2a3f8330c64a14528dd71fc8
Instruction Fuzzy Hash: 4921DF31D043499FDF41DFE4C8046DEBFB2AF89310F504569D506AB255DB74664ACB81

Uniqueness

Uniqueness Score: -1.00%

Function 02AF21F8, Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.507710398.0000000002AF0000.00000040.00000001.sdmp, Offset: 02AF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e886a0402c7003f008edd01bca02a26070a32aad8c7c322dff24f03b7773755
Instruction ID: 01f20b9684d58f9bed2627b726a7d2a85b29edcee5e55df722d3ee62f23f464f
Opcode Fuzzy Hash: 4e886a0402c7003f008edd01bca02a26070a32aad8c7c322dff24f03b7773755
Instruction Fuzzy Hash: 3C210A74D08209DFCB94DFE5C1457BDFBB1FB44304F10416AEA02A7694DB399A44CB52

Uniqueness

Uniqueness Score: -1.00%

Function 02AF5000, Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.507710398.0000000002AF0000.00000040.00000001.sdmp, Offset: 02AF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fceb9b44c00d49a6f503ee17a9beae6147ee8c2183bc270f6f4fc9c583216f2
Instruction ID: 083595d6cb625999f7ce3d38cf986954fcd92d3102d3254bfe551a6093d71633
Opcode Fuzzy Hash: 8fceb9b44c00d49a6f503ee17a9beae6147ee8c2183bc270f6f4fc9c583216f2
Instruction Fuzzy Hash: E411B131E041668FCB84EBF994507AE7BE1EF84244B854179DA06E7789EF349C02CBD6

Uniqueness

Uniqueness Score: -1.00%

Function 02B50844, Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.507783196.0000000002B50000.00000040.00000040.sdmp, Offset: 02B50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9826b6d38ba0e72d30e412e539ff87bcd61251cbf9faee3e4f03a0fe1aba9e4
Instruction ID: e9e9758b8185842af72bedc7610ddfbfac64e59256aea0f5673fca6d6a12cbfa
Opcode Fuzzy Hash: c9826b6d38ba0e72d30e412e539ff87bcd61251cbf9faee3e4f03a0fe1aba9e4
Instruction Fuzzy Hash: 44215E3514D7C58FC703CB24D860B55BF71AF46614F1986DAD8848F6A3C33A9806CB51

Uniqueness

Uniqueness Score: -1.00%

Function 02AF46A9, Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.507710398.0000000002AF0000.00000040.00000001.sdmp, Offset: 02AF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1cfbad9c4498762a7a7580ba4653526526dcf416710f9270ec0350c9eed474cc
Instruction ID: b51c03e8f3187060b25a1d586a47ae69504df7b3097b70ea9c6b617a5f746225
Opcode Fuzzy Hash: 1cfbad9c4498762a7a7580ba4653526526dcf416710f9270ec0350c9eed474cc
Instruction Fuzzy Hash: 7101D632605251DFC7E117F864103FF3BB59F8B614B1804BBF386CB2A1DD2A98028741

Uniqueness

Uniqueness Score: -1.00%

Function 02B5087C, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.507783196.0000000002B50000.00000040.00000040.sdmp, Offset: 02B50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d0d35890e6cb3f6d8a39ddfffc2f38561a30a981362abab58cf2fda0673dd22
Instruction ID: e8db3479d7ee1cce33c85c12d8c2922ebb450a2cad5e8af7cee51685510c2b50
Opcode Fuzzy Hash: 5d0d35890e6cb3f6d8a39ddfffc2f38561a30a981362abab58cf2fda0673dd22
Instruction Fuzzy Hash: AA11DF34208684DFE715DB18D940F26BB95EB9C718F28CDEDED494B682C37B9803CA91

Uniqueness

Uniqueness Score: -1.00%

Function 02AF11DF, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.507710398.0000000002AF0000.00000040.00000001.sdmp, Offset: 02AF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18b9b41593376bfeef06df8f6028d01a6fa824a6b59e888bb2781ffec5ed9745
Instruction ID: 5d3c0a3f9e94b60a27e463211f9b7ffc4abceac16127d7d758c81c6628629cb2
Opcode Fuzzy Hash: 18b9b41593376bfeef06df8f6028d01a6fa824a6b59e888bb2781ffec5ed9745
Instruction Fuzzy Hash: EA1182303092D0CFC74697B8D024869BFF6AF9660071901FAE146CB676CE6A5C09CB51

Uniqueness

Uniqueness Score: -1.00%

Function 02AF238F, Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.507710398.0000000002AF0000.00000040.00000001.sdmp, Offset: 02AF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 388f3affe1380047bbe9ec91ad8b9e1048a0b08c76098da6975607b72e914e74
Instruction ID: 4f8d01d51dc402f8fc815325146a4d6df419458967fabe6bfe9cf5a227ee80d9
Opcode Fuzzy Hash: 388f3affe1380047bbe9ec91ad8b9e1048a0b08c76098da6975607b72e914e74
Instruction Fuzzy Hash: 641188B0808289CECBA48FB484517EEBFB1EB45304F1045AEEA42AB340DF790842CF50

Uniqueness

Uniqueness Score: -1.00%

Function 02AF7699, Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.507710398.0000000002AF0000.00000040.00000001.sdmp, Offset: 02AF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 355f16e066029c74f3725649b4ac924219248dfece7918c67aac0dc25b7527e2
Instruction ID: a1bff1a4187b1b8795ccae17899a55d613569cdb332d27c38abdef97525e7882
Opcode Fuzzy Hash: 355f16e066029c74f3725649b4ac924219248dfece7918c67aac0dc25b7527e2
Instruction Fuzzy Hash: B511C135904144DFCB51CFA8D844AE9FBF1EF49340F1040A9E601A7264DB392D48CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02AF4FF0, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.507710398.0000000002AF0000.00000040.00000001.sdmp, Offset: 02AF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 298e465a8bc07619bd46cf2deaa1aab962fd1e091d28835b2431fe921cd8d328
Instruction ID: f7b3e805b435391e4f10c5e9a0b71aadaa2a502c061bf167172136eab2ed7757
Opcode Fuzzy Hash: 298e465a8bc07619bd46cf2deaa1aab962fd1e091d28835b2431fe921cd8d328
Instruction Fuzzy Hash: 8101C031E14255CECBC0EBF598407AE7FF1AF85200B94417AE645E7645EF344901CBD6

Uniqueness

Uniqueness Score: -1.00%

Function 02AFD449, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.507710398.0000000002AF0000.00000040.00000001.sdmp, Offset: 02AF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3f72ff2cac1cd390268b7ae026767515247882f817b37d3a8bb0614b3622a33
Instruction ID: 0e51fa9bed0cb688efe42110dcafc246d5ba5672fb2ae790fb0e714eabd2927a
Opcode Fuzzy Hash: f3f72ff2cac1cd390268b7ae026767515247882f817b37d3a8bb0614b3622a33
Instruction Fuzzy Hash: 2201B5717002259FCB146BBAA4196AF7AEEFF88355B10453EE906D3745DE3A8C0187A1

Uniqueness

Uniqueness Score: -1.00%

Function 02AF4789, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.507710398.0000000002AF0000.00000040.00000001.sdmp, Offset: 02AF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f64f738e57ca8496c755dcd536e7d527ad3dcb40a55f741e90467f60ff404eed
Instruction ID: 2d9ebbbb499a57e57dcacea0e8226e272c591b585eea7eef2096d5a0f55bdfb3
Opcode Fuzzy Hash: f64f738e57ca8496c755dcd536e7d527ad3dcb40a55f741e90467f60ff404eed
Instruction Fuzzy Hash: C7018031F002598FCB95DFB885106EE7BF2EF89210F20847EC549E7254EA354A06DB91

Uniqueness

Uniqueness Score: -1.00%

Function 010FAB94, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.507269674.00000000010F2000.00000040.00000001.sdmp, Offset: 010F2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 261f409ef1c28fe44d2d4228226c6ec2964962747bcf619109d07b6696eb2d48
Instruction ID: e26310bd1defc2a93ec90900d6e58a6c7095793b4b258abd457eb3a4bcb330ff
Opcode Fuzzy Hash: 261f409ef1c28fe44d2d4228226c6ec2964962747bcf619109d07b6696eb2d48
Instruction Fuzzy Hash: 9811ECB5508301AFD350CF09D840A57FBE8EB88660F04892EFD9897311D231E9088FA2

Uniqueness

Uniqueness Score: -1.00%

Function 02AF9E90, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.507710398.0000000002AF0000.00000040.00000001.sdmp, Offset: 02AF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71e033f2ba0ca832d4ab5b89b03c50dbdfe5d51cc41e7d3c72ed60e5687c0972
Instruction ID: a52779851990a2e5c8e9deee974f71a477171da37af8f8b7f8ae9915db35cd95
Opcode Fuzzy Hash: 71e033f2ba0ca832d4ab5b89b03c50dbdfe5d51cc41e7d3c72ed60e5687c0972
Instruction Fuzzy Hash: EA01D231A042068BCB64CA94C640BBFBBB19B84714F14046BE60AA7640EF396D01CFD1

Uniqueness

Uniqueness Score: -1.00%

Function 02AF74D0, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.507710398.0000000002AF0000.00000040.00000001.sdmp, Offset: 02AF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eae240b8b033212f82d8fc529f4048fb5104cce11f47e1255caccac234fa503a
Instruction ID: 0559619fcec42e8e54e2f1bb210753ccf5bcef32564617169f6aaf35597756a9
Opcode Fuzzy Hash: eae240b8b033212f82d8fc529f4048fb5104cce11f47e1255caccac234fa503a
Instruction Fuzzy Hash: C101B531A04104DBDB64CB98DC50ABFFBB19B84315F14486EE607A7640DF79AD06CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 02AFD458, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.507710398.0000000002AF0000.00000040.00000001.sdmp, Offset: 02AF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a1dc9e7773a2a05d7f146b87c50376858cb343553c26d7a97d27f43e91ebd46
Instruction ID: c2835481fca22894a73680fb4f6c57eaf58ffdb64676614c0179ba0258791423
Opcode Fuzzy Hash: 0a1dc9e7773a2a05d7f146b87c50376858cb343553c26d7a97d27f43e91ebd46
Instruction Fuzzy Hash: F801A2717002259FCB282BBAA81856FBAEFFFC8365710453EE506D3745DE7A9C0187A1

Uniqueness

Uniqueness Score: -1.00%

Function 02AF9E80, Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.507710398.0000000002AF0000.00000040.00000001.sdmp, Offset: 02AF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a16d3a3438c0648d5f91f2599ba8d74353affa4a6e8d0b9ee40849df616d7dcb
Instruction ID: ca2337d2f4c74e380b3cb361104ed8a6b0c93d76923ec837eb0f650282f3c741
Opcode Fuzzy Hash: a16d3a3438c0648d5f91f2599ba8d74353affa4a6e8d0b9ee40849df616d7dcb
Instruction Fuzzy Hash: B80196316042068FC7A5CBA4C651BBFBBB19B44704F14485EE1469B650EF795D06CF91

Uniqueness

Uniqueness Score: -1.00%

Function 02B505CF, Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.507783196.0000000002B50000.00000040.00000040.sdmp, Offset: 02B50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3588ea165023e60ce97e22259a3b9da46eba33edd78fbfd32c7b2ce5459d3154
Instruction ID: b1daeec00577c866ebb963bf7c9340f421f10e51aba32cbcba9887630deeb27f
Opcode Fuzzy Hash: 3588ea165023e60ce97e22259a3b9da46eba33edd78fbfd32c7b2ce5459d3154
Instruction Fuzzy Hash: 1F01A77650D7815FD7128B16AC50862FFB8DE86630719C0DFEC498B652C229A849CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 02AFA540, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.507710398.0000000002AF0000.00000040.00000001.sdmp, Offset: 02AF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ecf38490d325864c30e52190bda1d24cb7278430ffadbb5a8b8cf90a8bdd1a92
Instruction ID: 3930758ecbab8f658131b1814905a39da97181d694c6727fca384d8507866d32
Opcode Fuzzy Hash: ecf38490d325864c30e52190bda1d24cb7278430ffadbb5a8b8cf90a8bdd1a92
Instruction Fuzzy Hash: 59014F75A002198FDFA0EFB9A8457EEBBF4EB48211F10427AE618E3241EF3559448BD1

Uniqueness

Uniqueness Score: -1.00%

Function 02AF9CEF, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.507710398.0000000002AF0000.00000040.00000001.sdmp, Offset: 02AF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9de6e11cc569be6df47c2808e72918e4fc861b43f624cf383b0f131b931979dd
Instruction ID: 1280be1bab92ff2164cbf6959db44ba6c8b91b3acf17d947e24eb80de98a6b06
Opcode Fuzzy Hash: 9de6e11cc569be6df47c2808e72918e4fc861b43f624cf383b0f131b931979dd
Instruction Fuzzy Hash: 0BF0F9327093518BC7845AFDA8906AA7B977BC1220371426EE219CF2D5DD185C018361

Uniqueness

Uniqueness Score: -1.00%

Function 02AF6588, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.507710398.0000000002AF0000.00000040.00000001.sdmp, Offset: 02AF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b8be2f5fbe8ac2e5ddf67a2d7a5a4fc4c7abbb6d565a461ff06100a486db2a2
Instruction ID: 59bf6cf3159dc50e535ea0cb78dc4d79388cc88b8c86b957f0e5fff3996ff40f
Opcode Fuzzy Hash: 3b8be2f5fbe8ac2e5ddf67a2d7a5a4fc4c7abbb6d565a461ff06100a486db2a2
Instruction Fuzzy Hash: 51016275E002199FDF90EBB9E8407AEFBF4EB44610F10027AD618E3285EB31A945CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 02AFA6B0, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.507710398.0000000002AF0000.00000040.00000001.sdmp, Offset: 02AF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9afa61351669e6da9e6311489034692ec6604c25c3df6ad61b4c45212d8ccfa9
Instruction ID: ab1df7ea91f60e105b16d32858c77ef9a494aca56b79e1d1dc2899e047bd6a21
Opcode Fuzzy Hash: 9afa61351669e6da9e6311489034692ec6604c25c3df6ad61b4c45212d8ccfa9
Instruction Fuzzy Hash: 76012F34300310CFCB90AB75E46989D3FF6AB8520030940B8E20BCB396DF759D028752

Uniqueness

Uniqueness Score: -1.00%

Function 02AFA530, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.507710398.0000000002AF0000.00000040.00000001.sdmp, Offset: 02AF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fed910bc2ceeb599f8dc2254996e9732e897792693071675653c8fcdd3c14df
Instruction ID: 6af5fe2deb0663a8f1ac6ccebf34b5a4995da65e31f18cd7659361cf23c8c5dd
Opcode Fuzzy Hash: 4fed910bc2ceeb599f8dc2254996e9732e897792693071675653c8fcdd3c14df
Instruction Fuzzy Hash: 9D01F274A1020A8FCB90FFB9D9447EEBBF0EB09210F1046A9E618D3281EF355944CF91

Uniqueness

Uniqueness Score: -1.00%

Function 02AF6578, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.507710398.0000000002AF0000.00000040.00000001.sdmp, Offset: 02AF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fa6ab2a6a0cd10057392e6f950a0d3f44a117051a56afd45e55de52aa574455
Instruction ID: db5cf10b0391662aeb559c121e7317d6e32585ce15298ca876149d44c69f6576
Opcode Fuzzy Hash: 8fa6ab2a6a0cd10057392e6f950a0d3f44a117051a56afd45e55de52aa574455
Instruction Fuzzy Hash: CF015E71E003158FDB94DFB598407AABBB4EF44714F200169D614E7286EB359942CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02AF4710, Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.507710398.0000000002AF0000.00000040.00000001.sdmp, Offset: 02AF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db84e590e5b9968e82f5748167b20ab4938e893e5e9ceaf3b26d81f2ce0d2172
Instruction ID: 782f316af77e9439a5a240d884e0e32b562d51bdfd4a742175fc7d28117e0378
Opcode Fuzzy Hash: db84e590e5b9968e82f5748167b20ab4938e893e5e9ceaf3b26d81f2ce0d2172
Instruction Fuzzy Hash: 49F02436301260CBCAA422FA55003BF32EA8BCA664F44007EF70AD7B80DD3A98428791

Uniqueness

Uniqueness Score: -1.00%

Function 02AF7048, Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.507710398.0000000002AF0000.00000040.00000001.sdmp, Offset: 02AF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f477b415d80a19b3953e857f7c8752ed98fb8ae3c521cd58aa13a49ffbb1c77
Instruction ID: e616830747f3351a84fc0e18dfc146fcd71b72d338c3376d02c9aa44d7b35041
Opcode Fuzzy Hash: 9f477b415d80a19b3953e857f7c8752ed98fb8ae3c521cd58aa13a49ffbb1c77
Instruction Fuzzy Hash: 03F04C3130C2558BC745ABBCAC50A7E6F677FC5230B24066EE25ACB3DACD254C068362

Uniqueness

Uniqueness Score: -1.00%

Function 02AF1218, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.507710398.0000000002AF0000.00000040.00000001.sdmp, Offset: 02AF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 349037d04af0dd5dc25833b1d691906372036354a9a6a6d0538b6de28f96d921
Instruction ID: 082cd6f3e6f950ec4cf908648d79d6fbb273bdd676395b60e9c7a5cd3d9d2439
Opcode Fuzzy Hash: 349037d04af0dd5dc25833b1d691906372036354a9a6a6d0538b6de28f96d921
Instruction Fuzzy Hash: A6016D30314110CFC648ABA9D058969BBFABFD5700B2141BAF10ACB265CF769C098B81

Uniqueness

Uniqueness Score: -1.00%

Function 02AF7F90, Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.507710398.0000000002AF0000.00000040.00000001.sdmp, Offset: 02AF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86817d7a09ab34ba4f94133f7d00ededf680278aca29c473e062073b38cc773a
Instruction ID: 38b1a79ea3ff172112d4ae4b8e167728aedf7eae56b6a8251eecf374618452e9
Opcode Fuzzy Hash: 86817d7a09ab34ba4f94133f7d00ededf680278aca29c473e062073b38cc773a
Instruction Fuzzy Hash: A9F09C30A08245DFC78297B48D458BEFFB0EF45210F2545A7F391D7292D7354915C791

Uniqueness

Uniqueness Score: -1.00%

Function 02AF7058, Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.507710398.0000000002AF0000.00000040.00000001.sdmp, Offset: 02AF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a47e5f671b0607a170e3e18839caaef0f23ee6edbdf0451709a944e2576c4306
Instruction ID: f156aa58500310935a1631865ca1cbd933fc2be0312b380a795ee7a9824f54c3
Opcode Fuzzy Hash: a47e5f671b0607a170e3e18839caaef0f23ee6edbdf0451709a944e2576c4306
Instruction Fuzzy Hash: 4EF0E93130811557C55465AEAC40A6FAA9B7FC0230B64422DB21ACB7DDDD154C0643A6

Uniqueness

Uniqueness Score: -1.00%

Function 02AF9D00, Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.507710398.0000000002AF0000.00000040.00000001.sdmp, Offset: 02AF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d6002d6450afbdc787c266b7cc5d0d3e572350633bfdf151ec7da2eb8fd9248
Instruction ID: 4aae959ea8c118555b8aa9e303062a60ab6b15ef81371cbb0432f61af6b3a1e2
Opcode Fuzzy Hash: 3d6002d6450afbdc787c266b7cc5d0d3e572350633bfdf151ec7da2eb8fd9248
Instruction Fuzzy Hash: 68F0E93230821657C65466EEA840BAF6A9B7BC5630770422DB61ADF3D9DD155C0183A2

Uniqueness

Uniqueness Score: -1.00%

Function 02AF6632, Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.507710398.0000000002AF0000.00000040.00000001.sdmp, Offset: 02AF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0f46d4bfe989d95c1ae8b4becb423dc9020bba3ad4173d797dc70313a5892c2
Instruction ID: 20380f2c341e1aff2dca5e79a43c954da22bb968b10c4ee609b8ce06faf94299
Opcode Fuzzy Hash: f0f46d4bfe989d95c1ae8b4becb423dc9020bba3ad4173d797dc70313a5892c2
Instruction Fuzzy Hash: 26F0C2356083D8CED7E597B5A4407A47F38EB42A28F0002ABE36096496CB2A5889C750

Uniqueness

Uniqueness Score: -1.00%

Function 02AF5BB0, Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.507710398.0000000002AF0000.00000040.00000001.sdmp, Offset: 02AF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0374e4c13ea177b6ebc02eaa55a047c3e44b4f5da436c953e4fe278c8612d1d5
Instruction ID: 40840812ebcf2d32e56b1edb43b50111b9df446b26ba85e81eb513c9dd3645ba
Opcode Fuzzy Hash: 0374e4c13ea177b6ebc02eaa55a047c3e44b4f5da436c953e4fe278c8612d1d5
Instruction Fuzzy Hash: 99F0F631E041158FCBA056B854506FEB7B1DB84750F4000AADE07DB245EE380902C7D2

Uniqueness

Uniqueness Score: -1.00%

Function 02AF2F99, Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.507710398.0000000002AF0000.00000040.00000001.sdmp, Offset: 02AF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 796dfd42824b0e23ca7d7ed3615c360e61d15390202f8a266107468798e58569
Instruction ID: 63759f318251bbfa173b960eed86c1c9010a9e56443a206d5d54a287252c81a5
Opcode Fuzzy Hash: 796dfd42824b0e23ca7d7ed3615c360e61d15390202f8a266107468798e58569
Instruction Fuzzy Hash: 55F0C230F00145ABDB5487F4D4546EEBBB5DB85204B1048B9EA45DB210EF3588068B80

Uniqueness

Uniqueness Score: -1.00%

Function 02AF9C81, Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.507710398.0000000002AF0000.00000040.00000001.sdmp, Offset: 02AF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b62114ceb7657ab68fa7e90a7f7a57926cd50e14afc7338a02a4ae210e76dcda
Instruction ID: 5576beea92c802bc89bf619a1b57e1593800b380575e4ca7e1a07d7c2d3c523e
Opcode Fuzzy Hash: b62114ceb7657ab68fa7e90a7f7a57926cd50e14afc7338a02a4ae210e76dcda
Instruction Fuzzy Hash: E1F0AF31214242CFC7846BA8B4545ED3BB3EBC222035945AEF14ACB392DE7AAC07C751

Uniqueness

Uniqueness Score: -1.00%

Function 02AF5FC8, Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.507710398.0000000002AF0000.00000040.00000001.sdmp, Offset: 02AF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9318533860ef83f873007429229e6e181a7aa60e8c691124900834c284fcfd3
Instruction ID: 7876b51b48de529b1a6c1bd4ac6126f1e577faa2222c478582b5c81b6314b580
Opcode Fuzzy Hash: c9318533860ef83f873007429229e6e181a7aa60e8c691124900834c284fcfd3
Instruction Fuzzy Hash: 03F0E230B041169BCBA092B599006BF77FD8BC5A94F10802AEB17D3645EE2D5A05D6E2

Uniqueness

Uniqueness Score: -1.00%

Function 02AF9057, Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.507710398.0000000002AF0000.00000040.00000001.sdmp, Offset: 02AF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4adfdbb1f5031f86331893805d450cd02193f2460ffbddb303eac2766300de8c
Instruction ID: 211cd75819d4826c0b6b7d2e28aa63937217a98614669860959c87e1279aeb97
Opcode Fuzzy Hash: 4adfdbb1f5031f86331893805d450cd02193f2460ffbddb303eac2766300de8c
Instruction Fuzzy Hash: DCF0C238E00205EFDB449BB4E4946AEB7B5EF85344B508C65E601DB254EB35A816CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02AFDB49, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.507710398.0000000002AF0000.00000040.00000001.sdmp, Offset: 02AF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f296ef834c5802b9110ac5c0b96eb1b59289d44ce44b46feb9752b32e5aa19a
Instruction ID: 739737969c1362509a05601e4b838a7c9000524747b8a53ef1271f3e876ff76e
Opcode Fuzzy Hash: 8f296ef834c5802b9110ac5c0b96eb1b59289d44ce44b46feb9752b32e5aa19a
Instruction Fuzzy Hash: F6F05C76608B5417EB631ED9A8CC3EA7EA88784361F0441B6FF0AD7182DF4C5C00C256

Uniqueness

Uniqueness Score: -1.00%

Function 02AF5FC1, Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.507710398.0000000002AF0000.00000040.00000001.sdmp, Offset: 02AF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32833bb40b2a0380e284e910f4234a5cf036b6e8adca69af5dae2f48d037bae1
Instruction ID: 421ee58600b9499e1e6a1286aeda789d87367b3a840d6e0cc57f2981db3231bb
Opcode Fuzzy Hash: 32833bb40b2a0380e284e910f4234a5cf036b6e8adca69af5dae2f48d037bae1
Instruction Fuzzy Hash: CFF09730B040169ACBA043B899006FF77B9CBC0B50F104176EB07E3245EE380905D7E2

Uniqueness

Uniqueness Score: -1.00%

Function 02AF45B9, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.507710398.0000000002AF0000.00000040.00000001.sdmp, Offset: 02AF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6c6a8196fbe679b841165f6bc968023886bf7eaf2fb8f44337625f9d1320525
Instruction ID: 82790ec4d969c54a9179189394097a107a7bd0270cb29f797327aca7e7f0c470
Opcode Fuzzy Hash: a6c6a8196fbe679b841165f6bc968023886bf7eaf2fb8f44337625f9d1320525
Instruction Fuzzy Hash: 85F0BE31E043599FCB90CBB89C42AABBFF8AF8A210F1541AED648D7152E22459188761

Uniqueness

Uniqueness Score: -1.00%

Function 02AF0908, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.507710398.0000000002AF0000.00000040.00000001.sdmp, Offset: 02AF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed2b0f96158828c6c2d8adf4b479e7e823624ecdcd2d55ac53531cce6fcad344
Instruction ID: 35d11fa66e7021abcf0ee8306a8ddc0c470042565ce2ba25e7aba27c6b1bc1e6
Opcode Fuzzy Hash: ed2b0f96158828c6c2d8adf4b479e7e823624ecdcd2d55ac53531cce6fcad344
Instruction Fuzzy Hash: C9F0E2309053048FD7A09FF488945AB7BB9AF56300B0144AAAE039720AEEBC1C02C792

Uniqueness

Uniqueness Score: -1.00%

Function 02AF0918, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.507710398.0000000002AF0000.00000040.00000001.sdmp, Offset: 02AF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3dba2331e528c90348f8e24b5959782946ca9fefa40ebf8d27ea71afd2d4aea5
Instruction ID: b4059701a657c8f91d0a322ca814b3ba5bb6640594292f917aeb414de8ff9386
Opcode Fuzzy Hash: 3dba2331e528c90348f8e24b5959782946ca9fefa40ebf8d27ea71afd2d4aea5
Instruction Fuzzy Hash: 82E0E536B152189A9BA056F598841AFB7BD9795250F00847BAF0BE320AEE78480182D2

Uniqueness

Uniqueness Score: -1.00%

Function 02AFDAC8, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.507710398.0000000002AF0000.00000040.00000001.sdmp, Offset: 02AF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fff9affd33c5b0a9f6894434a40ddd2cd167acbb5c41fabae291430c69a10303
Instruction ID: 405a6c34c9004e3676bfefcfc5838847c31a0a25d41483035ceee66785470c5f
Opcode Fuzzy Hash: fff9affd33c5b0a9f6894434a40ddd2cd167acbb5c41fabae291430c69a10303
Instruction Fuzzy Hash: 51F02B3221464147C612E7B9D451A5E7BEDCFC1251744C46EE68AC7741DE65DC06C780

Uniqueness

Uniqueness Score: -1.00%

Function 02AF4700, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.507710398.0000000002AF0000.00000040.00000001.sdmp, Offset: 02AF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bddf4e26aa55e9aae0a4b4f7c3c9eb8142cd6ef95079d869df551dbc0bf7c1b2
Instruction ID: d6c175b0d9bf62b046defa238c032515b063ed137d084c2714192926379a2b95
Opcode Fuzzy Hash: bddf4e26aa55e9aae0a4b4f7c3c9eb8142cd6ef95079d869df551dbc0bf7c1b2
Instruction Fuzzy Hash: 59F0ED32209290CFCBA212B524103BB3B758BCB654F1804ABF782EB292DD2A58038310

Uniqueness

Uniqueness Score: -1.00%

Function 02B50938, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.507783196.0000000002B50000.00000040.00000040.sdmp, Offset: 02B50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3f6f7c96804cda76668e35a3bbcf86681c06fe62140db942cdcb6afdd34f29c
Instruction ID: 2a3981fb7a8b04b259f100b57eea00a62eb3fa4e7c269970e39a0bb974fa1871
Opcode Fuzzy Hash: c3f6f7c96804cda76668e35a3bbcf86681c06fe62140db942cdcb6afdd34f29c
Instruction Fuzzy Hash: 85F01D35104645DFC306DF04D940B15FBA2EB89718F24CAADED491B752C337E813DA81

Uniqueness

Uniqueness Score: -1.00%

Function 02AF8232, Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.507710398.0000000002AF0000.00000040.00000001.sdmp, Offset: 02AF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21f8b3448ab5dfeb173e435970e422e53da9108d39cefefed3d316ada1e07dc4
Instruction ID: 0a20bd78f5e8a6e976d49444a634d5cba07df94d2e195e7ce9e3e04aae6f51bb
Opcode Fuzzy Hash: 21f8b3448ab5dfeb173e435970e422e53da9108d39cefefed3d316ada1e07dc4
Instruction Fuzzy Hash: 4FF0273AE045A14FC7A24BF4A064268BFB1EB4E59031846ABE996D7319CE388C41CBC1

Uniqueness

Uniqueness Score: -1.00%

Function 02AF6EA7, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.507710398.0000000002AF0000.00000040.00000001.sdmp, Offset: 02AF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b506bd7b7a840d0414116a9d5b6108421f1f15686fb4b96955a881e08a505c0d
Instruction ID: 7ac22486c1d5395c08aa1c60fcfe58c4c47b3ac5bf3cb9718e3f4f43b313e788
Opcode Fuzzy Hash: b506bd7b7a840d0414116a9d5b6108421f1f15686fb4b96955a881e08a505c0d
Instruction Fuzzy Hash: 22F0ED387000414BCA94B3FCE4253AD76839FC4A14F8001B8DA56CBB84EF394C068F82

Uniqueness

Uniqueness Score: -1.00%

Function 02AFA5F0, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.507710398.0000000002AF0000.00000040.00000001.sdmp, Offset: 02AF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 866225242a19f8aa9b02b798b4cbae5bd264595a68232294c720cb84173a189e
Instruction ID: 28f88a1f2e5d755ff94dea0347392c53be98f8fc2d41a67793d5767977a96b55
Opcode Fuzzy Hash: 866225242a19f8aa9b02b798b4cbae5bd264595a68232294c720cb84173a189e
Instruction Fuzzy Hash: 8EF0E5383083908FC7C663F944181987FE6DF4B71171900DEE54ACB393ED265C068711

Uniqueness

Uniqueness Score: -1.00%

Function 02B505F6, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.507783196.0000000002B50000.00000040.00000040.sdmp, Offset: 02B50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8223163266122c0bf74214f98e45f150d96f3d7e4db87c290157e19cbef22959
Instruction ID: 7b0a1e168b1a0814414ec726c1ba4ac4ac1e1e99c2ea7e69fd64c7c033137477
Opcode Fuzzy Hash: 8223163266122c0bf74214f98e45f150d96f3d7e4db87c290157e19cbef22959
Instruction Fuzzy Hash: A1E092766016004BD750DF0AEC41456FBE8EB84630718C07FDC0D8B701D235B544CEA5

Uniqueness

Uniqueness Score: -1.00%

Function 02AFAC70, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.507710398.0000000002AF0000.00000040.00000001.sdmp, Offset: 02AF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d421f50f0c0b4cb0304e62b91d2bb5a6b166bc5bfe60ccb453ca93a2762f632f
Instruction ID: a94af009da201d61bacf707b1597438d5f1e32d7901f3aa083b3fcab3bcf7595
Opcode Fuzzy Hash: d421f50f0c0b4cb0304e62b91d2bb5a6b166bc5bfe60ccb453ca93a2762f632f
Instruction Fuzzy Hash: BAE09235500B144BC3248E6BE802A52FBFAFBC0715B18CA2E915983601DBB0A90A4690

Uniqueness

Uniqueness Score: -1.00%

Function 02AFDAD8, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.507710398.0000000002AF0000.00000040.00000001.sdmp, Offset: 02AF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1afb88f93be3e1f57473df8a8aeb73e31c10d7674b38c269bdbd0c35bd185d4f
Instruction ID: 98a42b67dfe270ae193fe3fef3984c524c96325f8917cc2677c1c95b5903e53b
Opcode Fuzzy Hash: 1afb88f93be3e1f57473df8a8aeb73e31c10d7674b38c269bdbd0c35bd185d4f
Instruction Fuzzy Hash: F9E02631304A114BC612EBEDC41086EB7AADBC1660340846EF65BCB740EF66DC06C790

Uniqueness

Uniqueness Score: -1.00%

Function 02AF5F68, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.507710398.0000000002AF0000.00000040.00000001.sdmp, Offset: 02AF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 396f0ab91bc526aa576326add8e333ef99ab9e7130fb00d53ddb16917ca4791d
Instruction ID: d656a922131cf3226c065fad9fd904b8ff2f95f801b94d4457f93f11606e8410
Opcode Fuzzy Hash: 396f0ab91bc526aa576326add8e333ef99ab9e7130fb00d53ddb16917ca4791d
Instruction Fuzzy Hash: F5E0DF32A0C6858FD3921BB868145F83FB4DF9620574A00DBE286CA292CA6B4801C323

Uniqueness

Uniqueness Score: -1.00%

Function 02AFB8D8, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.507710398.0000000002AF0000.00000040.00000001.sdmp, Offset: 02AF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80a03b41bd297a13732de4ee85c3db7d84f3a52535ebf1b3cd9145495db6636b
Instruction ID: d702aafe12b835632f7b36d4390b7ed85cf69a811b1bc37b9781fc84793e085f
Opcode Fuzzy Hash: 80a03b41bd297a13732de4ee85c3db7d84f3a52535ebf1b3cd9145495db6636b
Instruction Fuzzy Hash: 3AF0AC36604B049F8370DF9AD584C13F7F5EFC9624311896EE59A83A14C770F8048BA5

Uniqueness

Uniqueness Score: -1.00%

Function 010FABE3, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.507269674.00000000010F2000.00000040.00000001.sdmp, Offset: 010F2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd500d0730622f326ec4edd05723098cf10637b23133ea5ae4a2d7a0c42eb4b6
Instruction ID: 2230695df50ca6364b9e628a3df7c94aa772656d0c6428c69b3585f9ffe5409e
Opcode Fuzzy Hash: cd500d0730622f326ec4edd05723098cf10637b23133ea5ae4a2d7a0c42eb4b6
Instruction Fuzzy Hash: 9EE0D8725012046BD2209E07AC45B13FB98EB44A30F08C567ED081F302D175B5048AF5

Uniqueness

Uniqueness Score: -1.00%

Function 02AFAC28, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.507710398.0000000002AF0000.00000040.00000001.sdmp, Offset: 02AF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71e15acecf7e8a1341ecaea06eaf7e8429bfc5259159036062a03aa05a2a0d15
Instruction ID: 6f7fc9c23c684a13d74991fb523af733631e83d90537e8f7c032d3ce248bde1b
Opcode Fuzzy Hash: 71e15acecf7e8a1341ecaea06eaf7e8429bfc5259159036062a03aa05a2a0d15
Instruction Fuzzy Hash: 17E0C030500A44CFC3A48A9AD18069277E5FB44351B50582AF14FC7A11DB79F8C28B44

Uniqueness

Uniqueness Score: -1.00%

Function 02AFE3C7, Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.507710398.0000000002AF0000.00000040.00000001.sdmp, Offset: 02AF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a138960ae171db5030d14fe25c7d31aff4ce277a5d5eab49d64f71517e680faa
Instruction ID: c837c0ce1450073d2b0158349d44e30b457d8894b531a47dda327f0284a51ae8
Opcode Fuzzy Hash: a138960ae171db5030d14fe25c7d31aff4ce277a5d5eab49d64f71517e680faa
Instruction Fuzzy Hash: ABE07D213042141FE704E5BCDC126663FAEDBC6200704849FFE86DB392C8229C0187D7

Uniqueness

Uniqueness Score: -1.00%

Function 02AFACB9, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.507710398.0000000002AF0000.00000040.00000001.sdmp, Offset: 02AF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74898307345a72fa49f80dc4f5614d4038b005426ee1ccb0241b153155b42262
Instruction ID: cea94aaec8e1205f12d14716c4f43932459af8a03dc1795fa4cbeac2303c58a1
Opcode Fuzzy Hash: 74898307345a72fa49f80dc4f5614d4038b005426ee1ccb0241b153155b42262
Instruction Fuzzy Hash: 17E08C37601204A7C2215A98F981ACE7B69FBC6762B54853AFA0883502CB76B4028BA0

Uniqueness

Uniqueness Score: -1.00%

Function 02AFDB18, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.507710398.0000000002AF0000.00000040.00000001.sdmp, Offset: 02AF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95f17e1102a05c898a1e320be72870b77a836ba3cc17f8c09d723334e8754bb9
Instruction ID: b6841ca2830e1d693ca67f904c44548e74f96943ee5e12bba8dd90502a7aae18
Opcode Fuzzy Hash: 95f17e1102a05c898a1e320be72870b77a836ba3cc17f8c09d723334e8754bb9
Instruction Fuzzy Hash: 1DD02B31009904C7C762DEA0E4513D27BFCDB45222B008519F70782300CF69BC02D3C0

Uniqueness

Uniqueness Score: -1.00%

Function 02AF02A0, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.507710398.0000000002AF0000.00000040.00000001.sdmp, Offset: 02AF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d42b3745d4f3f6a68f166982bb8b2187eef27470921d6f81de20f64c02436d0
Instruction ID: b5becedbf52ed089ab74f864abfeab6999dbb99ef112686753ed784ff12dfa38
Opcode Fuzzy Hash: 8d42b3745d4f3f6a68f166982bb8b2187eef27470921d6f81de20f64c02436d0
Instruction Fuzzy Hash: FFE0123041D780CFC3A29774E5A68A5BFB1FF4AB003158C8EE5D28B99ACA266C49C711

Uniqueness

Uniqueness Score: -1.00%

Function 02AFE3D8, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.507710398.0000000002AF0000.00000040.00000001.sdmp, Offset: 02AF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 304c438b27a3c5cfe12b0ef927c904cc2e5b16bfc6bee5bc2179b099bd968028
Instruction ID: dcbc8af947812e209660820ff1858ab647c6e1e5eb0f849814628ab6eb9ddf26
Opcode Fuzzy Hash: 304c438b27a3c5cfe12b0ef927c904cc2e5b16bfc6bee5bc2179b099bd968028
Instruction Fuzzy Hash: 65D0A7313401281B7504F5ADDC11A79739FEBC5614305885EFE4ADB391CD629C0283D1

Uniqueness

Uniqueness Score: -1.00%

Function 02AF7180, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.507710398.0000000002AF0000.00000040.00000001.sdmp, Offset: 02AF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5eb3c5c13e09002847240330fd4435c679b20f564b9901194e71d520e079c55c
Instruction ID: be662ba07df5d36a722b7f694c40a7cbe4a9573bb5a8c513d2d9078e3a58721b
Opcode Fuzzy Hash: 5eb3c5c13e09002847240330fd4435c679b20f564b9901194e71d520e079c55c
Instruction Fuzzy Hash: E9D0C2300083509BF3754AA4AC006A2F7B95F45208F04045EE286069248E79E18CC39B

Uniqueness

Uniqueness Score: -1.00%

Function 02AF064F, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.507710398.0000000002AF0000.00000040.00000001.sdmp, Offset: 02AF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4372d992bcd44d0fa7fdc382515931b446760624c43aa51e9331a8b7d74197df
Instruction ID: 89cc5f8f8b0bbcb7820d81e1ad19a3ddd88e6cd0c86b5a12f6ba447e73d8e2b3
Opcode Fuzzy Hash: 4372d992bcd44d0fa7fdc382515931b446760624c43aa51e9331a8b7d74197df
Instruction Fuzzy Hash: 6BD02B71449110CFC3D40EB054160D47B32DB51210B004965F40141402C9BE2A03C742

Uniqueness

Uniqueness Score: -1.00%

Function 02AF5F78, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.507710398.0000000002AF0000.00000040.00000001.sdmp, Offset: 02AF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e9d56b2fa6adc94d242f51ec8ca54247524a9a0f1f10b5bfdf9eb6893b18176
Instruction ID: 4dd5a20f3c4548e02e8537d6cd95043135660a389f89383c0cc9a8d807e747e6
Opcode Fuzzy Hash: 0e9d56b2fa6adc94d242f51ec8ca54247524a9a0f1f10b5bfdf9eb6893b18176
Instruction Fuzzy Hash: AED0A73170881D8BE7503AEDA8099A937DCDB84251B85006BF70BC6681DEAEA80083A7

Uniqueness

Uniqueness Score: -1.00%

Function 02AF8DE0, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.507710398.0000000002AF0000.00000040.00000001.sdmp, Offset: 02AF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17f4afd7de6377f213dcd2c28d86cefa7bac658271ebe6a4c905779e937cd2a4
Instruction ID: dc96b319e74302664ebe51cd0b06d36acb5e4f006673b4e92d02947b028ffa99
Opcode Fuzzy Hash: 17f4afd7de6377f213dcd2c28d86cefa7bac658271ebe6a4c905779e937cd2a4
Instruction Fuzzy Hash: 6BD05E3418C300CFD3C10FC098857A4B730EF16314F110CA3B3095E0E1AA7E1961DA55

Uniqueness

Uniqueness Score: -1.00%

Function 02AF5797, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.507710398.0000000002AF0000.00000040.00000001.sdmp, Offset: 02AF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be9535da4aa9981f705c8368fdb013fdaebfb029475bb5f7c85f36fe5e06d27f
Instruction ID: b13d9b432ae2edf4f1fc0373af5f27f6a67c6e7484a2165e876eec81fded2079
Opcode Fuzzy Hash: be9535da4aa9981f705c8368fdb013fdaebfb029475bb5f7c85f36fe5e06d27f
Instruction Fuzzy Hash: F2D01231F55116DB8FA861F421115BE139A0BD45253800E7FE60B97754ED694C014BC0

Uniqueness

Uniqueness Score: -1.00%

Function 02AF80BF, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.507710398.0000000002AF0000.00000040.00000001.sdmp, Offset: 02AF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fdd563e86540d0500f373f1df36cee1f247dbbf2c2a6b3ba72ea4621e6bbb709
Instruction ID: d0d8586d1ce211484ddcbfbfeda773cc7cbe22d754e253f83cbf35cafc1b1f0d
Opcode Fuzzy Hash: fdd563e86540d0500f373f1df36cee1f247dbbf2c2a6b3ba72ea4621e6bbb709
Instruction Fuzzy Hash: 1BE0BD3112430ACBCB40EFA8E480C9C3F71FB423047518706B5219B519DB39AA4ACB41

Uniqueness

Uniqueness Score: -1.00%

Function 02AF80E7, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.507710398.0000000002AF0000.00000040.00000001.sdmp, Offset: 02AF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65df6db8aa30f2e4257eb267d4a8687e946ebac10fbb5ea3283a3e3ff2d2a9d0
Instruction ID: 1f7c95844236c04df4af18bd7bc831bbfd48648bbf9f1ae1602c73f850fe371b
Opcode Fuzzy Hash: 65df6db8aa30f2e4257eb267d4a8687e946ebac10fbb5ea3283a3e3ff2d2a9d0
Instruction Fuzzy Hash: 29E0E23512030ACBCB40EFA8F480C9C3F71FB42348351C606F4219B51DDB39AA0ACB40

Uniqueness

Uniqueness Score: -1.00%

Function 02AFDEA8, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.507710398.0000000002AF0000.00000040.00000001.sdmp, Offset: 02AF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e7f8cdc54eac6eceac7fa3e0c29ad67a8d5d95c9b3f2469b5e874a7bb4d2893
Instruction ID: f4b646c1691fff8f9b891e64024b30f2db8fe78f377071eaa3f35f78f634c3e2
Opcode Fuzzy Hash: 5e7f8cdc54eac6eceac7fa3e0c29ad67a8d5d95c9b3f2469b5e874a7bb4d2893
Instruction Fuzzy Hash: A7C02230500318938A2172E56900898F2688841121F0000BBEB0842180EE29881487C1

Uniqueness

Uniqueness Score: -1.00%

Function 02AF6AF0, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.507710398.0000000002AF0000.00000040.00000001.sdmp, Offset: 02AF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a0939ec5680cffb9ecca245d0aafbbebb033a67d769e75d7ec85179cdc98f5e
Instruction ID: 2d49c07b478873825ca1583d8756124ffb5b328bf9e65c3181d50457c941a96c
Opcode Fuzzy Hash: 9a0939ec5680cffb9ecca245d0aafbbebb033a67d769e75d7ec85179cdc98f5e
Instruction Fuzzy Hash: F4D0673AA00004DFC704CB88D5949DDF7F1EB88329F28C1A6DA15A7252C732ED56CF50

Uniqueness

Uniqueness Score: -1.00%

Function 02AFDB28, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.507710398.0000000002AF0000.00000040.00000001.sdmp, Offset: 02AF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 817c6d5d3133eeea07979722ccbd0dcb48929a0da192dddc280fd00f31d22173
Instruction ID: eaa275b911a2ce01ddbab1a5e9b46d05b44330ae3f6f99b1c1f7496ba4f8faa8
Opcode Fuzzy Hash: 817c6d5d3133eeea07979722ccbd0dcb48929a0da192dddc280fd00f31d22173
Instruction Fuzzy Hash: 00D0C93111DA14DBC2A69E95D4544A2BBB9EA86622300456AF70B476009F6AAC41D791

Uniqueness

Uniqueness Score: -1.00%

Function 02AF5700, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.507710398.0000000002AF0000.00000040.00000001.sdmp, Offset: 02AF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b12e83260e0ea8381d5887e641f8d5adf5175f921549b7c903274a4db2b914a
Instruction ID: 196ab90aa140f1ce6fc873930843e7cf4538e9e33a45998f52d6bb1f79592915
Opcode Fuzzy Hash: 7b12e83260e0ea8381d5887e641f8d5adf5175f921549b7c903274a4db2b914a
Instruction Fuzzy Hash: 34D0C92550D2C08EC6A227B028612A53F355D0385834958D7D1C58D463E90A490993A2

Uniqueness

Uniqueness Score: -1.00%

Function 010E23F4, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.507233315.00000000010E2000.00000040.00000001.sdmp, Offset: 010E2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0a081164414b6ea8c68a0bd3ee43f2eba66c9dbf8b4532468f2ed3cac0034e5
Instruction ID: 8ad698da2eab6efea12a0053a1adbaa393cdc2415c8b041fb8de6e8f21b20904
Opcode Fuzzy Hash: d0a081164414b6ea8c68a0bd3ee43f2eba66c9dbf8b4532468f2ed3cac0034e5
Instruction Fuzzy Hash: 34D05EB9206A814FE3268B1CD1ACB953FE8AB51B04F4644FDE8408B663C768D5D1D600

Uniqueness

Uniqueness Score: -1.00%

Function 02AFE410, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.507710398.0000000002AF0000.00000040.00000001.sdmp, Offset: 02AF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96a03fd3274218923de894c7d79e8e17c2e87fe25cc259c96ad6b98540fdbb0b
Instruction ID: cc3e252f438679bd142a1f00349d72da46af18a31e3e759110130a156a035419
Opcode Fuzzy Hash: 96a03fd3274218923de894c7d79e8e17c2e87fe25cc259c96ad6b98540fdbb0b
Instruction Fuzzy Hash: 06C0802554464C4FCB8537F4E41B2087B9D594130134445476989C7543FD1D74154555

Uniqueness

Uniqueness Score: -1.00%

Function 010E23BC, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.507233315.00000000010E2000.00000040.00000001.sdmp, Offset: 010E2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b65e408c970388355b60b9bd26f50e1d71a622426f9e6d9a1277f59bb6739541
Instruction ID: 53f9a093652fa831cf773a3655c3dd80b2d487b2b8807ceaf21d816759845a50
Opcode Fuzzy Hash: b65e408c970388355b60b9bd26f50e1d71a622426f9e6d9a1277f59bb6739541
Instruction Fuzzy Hash: AAD05E342002814FD725DB1DC1D8F593BD8AB81B00F1684FDAC408B262C7A4D8C1CA00

Uniqueness

Uniqueness Score: -1.00%

Function 02AF78F6, Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.507710398.0000000002AF0000.00000040.00000001.sdmp, Offset: 02AF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00f35fd15036ef8b50afea4f4b1553899fb14a88a4f272fccecb4cf164051681
Instruction ID: 0d95eeb7f8dc3ba38d11349ef7eeb72a67732cc8c9c69679148fa54262dfcfa8
Opcode Fuzzy Hash: 00f35fd15036ef8b50afea4f4b1553899fb14a88a4f272fccecb4cf164051681
Instruction Fuzzy Hash: B5D05E34910619CF8791DFB5DD5009D77F0AB08220B11072AE902AB785F7381D00CB00

Uniqueness

Uniqueness Score: -1.00%

Function 02AFCAC1, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.507710398.0000000002AF0000.00000040.00000001.sdmp, Offset: 02AF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1abfd9ccd90c3a6410265d24d7926183588307627baa030057b6dec6b640dc99
Instruction ID: fa03208223f6ba0f07d7a7505786ed2687e6d78280036f7b032b115f37c6c28a
Opcode Fuzzy Hash: 1abfd9ccd90c3a6410265d24d7926183588307627baa030057b6dec6b640dc99
Instruction Fuzzy Hash: D0D0123400839897C241E66AE847B993F7AFB41150F548569FA418104BDB187906C696

Uniqueness

Uniqueness Score: -1.00%

Function 02AF0180, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.507710398.0000000002AF0000.00000040.00000001.sdmp, Offset: 02AF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0f5c3aa90c13b124903a3555a2f2aa0d424623c229e707f5ea254304b2dd0cf
Instruction ID: 45f72d9d9283dfb429a742ef1225ec11422b30aac971f3e58398fc67bf7e54cb
Opcode Fuzzy Hash: e0f5c3aa90c13b124903a3555a2f2aa0d424623c229e707f5ea254304b2dd0cf
Instruction Fuzzy Hash: 6ED01230200314CFCB182B70E01E41C33A5AB48605700087CE80687B88DF3BE840CB04

Uniqueness

Uniqueness Score: -1.00%

Function 02AF2EC0, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.507710398.0000000002AF0000.00000040.00000001.sdmp, Offset: 02AF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16c1b9416a386932381477bb03ce6bcec882715b96402bec651a231afec3a947
Instruction ID: cfa4e313b48f8669b19361b725dc95b649360f85afe2c2de2f95d48266f298fb
Opcode Fuzzy Hash: 16c1b9416a386932381477bb03ce6bcec882715b96402bec651a231afec3a947
Instruction Fuzzy Hash: E9B092312542090BEBA097F5B889B66378C9780A19F9400B9B90CC5900FA4AE4E02640

Uniqueness

Uniqueness Score: -1.00%

Function 02AF5710, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.507710398.0000000002AF0000.00000040.00000001.sdmp, Offset: 02AF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6826d5e959daeeeeb99543a5eb677c0e6aa5e27ea992d998d4101a978d79537
Instruction ID: 1f93bdb6770007003181070dae31e827a99aa64f0abba67e17c89bf7f55a6c49
Opcode Fuzzy Hash: b6826d5e959daeeeeb99543a5eb677c0e6aa5e27ea992d998d4101a978d79537
Instruction Fuzzy Hash: B5C08C30E00604DF8EB027F0201B22E375C9A001803800819F64A85900FF2EA0008AA2

Uniqueness

Uniqueness Score: -1.00%

Function 02AF0660, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.507710398.0000000002AF0000.00000040.00000001.sdmp, Offset: 02AF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 966113fc54ebf74dda6c6d922a56aa31c54fcc92a17d3451dac4a27e5216219e
Instruction ID: d4a786a2b51a0e351686f215fb6eb2bed44827433043b41ee97ed645911e5515
Opcode Fuzzy Hash: 966113fc54ebf74dda6c6d922a56aa31c54fcc92a17d3451dac4a27e5216219e
Instruction Fuzzy Hash: 4EC09B71045264CEC2E456F55806439B66A66D1315750C435F6010451A8EBB7462DA56

Uniqueness

Uniqueness Score: -1.00%

Function 02AFCAD0, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.507710398.0000000002AF0000.00000040.00000001.sdmp, Offset: 02AF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 396f1b9e084b21db818aed40f7f2e0f0600f9725f3595d22ba4e99655ad866b6
Instruction ID: 91c60518dd3dab522bd0e9dbe276db58a408937d89e2fa6d21381fe2adb2ef2b
Opcode Fuzzy Hash: 396f1b9e084b21db818aed40f7f2e0f0600f9725f3595d22ba4e99655ad866b6
Instruction Fuzzy Hash: DBB09B3400875CD7C151F657D8468557B3AF9416507404155F6014104D5F697D01C796

Uniqueness

Uniqueness Score: -1.00%

Function 02AF8F80, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.507710398.0000000002AF0000.00000040.00000001.sdmp, Offset: 02AF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfca0f8b575b0c257d5fbfa5b44054dc24dbe4b615714c903698646a3d9e9b50
Instruction ID: 99ff74ae87381f4c5a48ef6ba5afbc6a4c4ea8f22a958495e0dc922000cf84e3
Opcode Fuzzy Hash: cfca0f8b575b0c257d5fbfa5b44054dc24dbe4b615714c903698646a3d9e9b50
Instruction Fuzzy Hash: 1DB012302242080E278057F22C85F56379C46004043400431B70DC0000FE0CE0401245

Uniqueness

Uniqueness Score: -1.00%

Function 02AF5B92, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.507710398.0000000002AF0000.00000040.00000001.sdmp, Offset: 02AF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 445036361ca2ae9c681e62192054e7f9f0d64cd83fafb2c8c20829b5b2421ad3
Instruction ID: 63f55b7b993f539310f9245f0070d409eab5423ec310351402d001e0017cb60d
Opcode Fuzzy Hash: 445036361ca2ae9c681e62192054e7f9f0d64cd83fafb2c8c20829b5b2421ad3
Instruction Fuzzy Hash: A3C0482410A3C44FE3434B288C254607F30BE0B3217E904EBC5808E663D1191809EB26

Uniqueness

Uniqueness Score: -1.00%

Function 02AF6B14, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.507710398.0000000002AF0000.00000040.00000001.sdmp, Offset: 02AF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9331830965d72d12fcbefa973c87c0cf332396a92bd300e1243d284f656f33ac
Instruction ID: 5f5e1b31a89a460af0b4f06813b84178d77f96eab9b7b98ce678a0600f0803f1
Opcode Fuzzy Hash: 9331830965d72d12fcbefa973c87c0cf332396a92bd300e1243d284f656f33ac
Instruction Fuzzy Hash: 63B092B7A44008D9DB008AC4B4413EDFB34E790329F108023D32052001C2360164C691

Uniqueness

Uniqueness Score: -1.00%

Function 02AFE420, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.507710398.0000000002AF0000.00000040.00000001.sdmp, Offset: 02AF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4df9d7e7f85c207a31ec124dc53c4457c3923781d8cb8e649f1583163c188a0
Instruction ID: 1e7e1e08d110433e988db9b41831e4a09e2713efa05f188eac4592ddb8ff8df8
Opcode Fuzzy Hash: d4df9d7e7f85c207a31ec124dc53c4457c3923781d8cb8e649f1583163c188a0
Instruction Fuzzy Hash: 2AB01234580A4C47CEC437F8B00D11C778D09802027808417690D43681FE6E74004961

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report NXKfWP9SPF0XHRu.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Network Port Distribution

TCP Packets

Code Manipulations

Statistics

CPU Usage

Memory Usage

Description:	An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries.
Tactics:	Command and Control
Data Sources:	Network intrusion detection system, Network protocol analysis, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre