Play interactive tour

Edit tour

Analysis Report invoice & packing.pdf.exe

Overview

General Information

Sample Name:	invoice & packing.pdf.exe
Analysis ID:	320240
MD5:	ac3668260346d59f25905579aa8eaf94
SHA1:	479c7e0b3696f174e13d59ae04353205b9a3203d
SHA256:	3f746fa6f84b842f03679244794c7f16f4497fb2fb8eb770539a7bbd3110e9e9
Tags:	exeNanoCoreRAT
Most interesting Screenshot:

Detection

Nanocore

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected Nanocore Rat

Malicious sample detected (through community Yara rule)

Sigma detected: NanoCore

Sigma detected: Scheduled temp file as task from temp location

Sigma detected: Suspicious Double Extension

Yara detected AntiVM_3

Yara detected Nanocore RAT

Hides that the sample has been downloaded from the Internet (zone.identifier)

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses an obfuscated file name to hide its real file extension (double extension)

Uses schtasks.exe or at.exe to add and modify task schedules

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains capabilities to detect virtual machines

Contains functionality to call native functions

Contains long sleeps (>= 3 min)

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains strange resources

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Startup

System is w10x64

invoice & packing.pdf.exe (PID: 7160 cmdline: 'C:\Users\user\Desktop\invoice & packing.pdf.exe' MD5: AC3668260346D59F25905579AA8EAF94)

schtasks.exe (PID: 1560 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\NKzWuwUvFAvUo' /XML 'C:\Users\user\AppData\Local\Temp\tmpEBB4.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 1420 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

invoice & packing.pdf.exe (PID: 4624 cmdline: C:\Users\user\Desktop\invoice & packing.pdf.exe MD5: AC3668260346D59F25905579AA8EAF94)

invoice & packing.pdf.exe (PID: 4668 cmdline: C:\Users\user\Desktop\invoice & packing.pdf.exe MD5: AC3668260346D59F25905579AA8EAF94)

invoice & packing.pdf.exe (PID: 4696 cmdline: C:\Users\user\Desktop\invoice & packing.pdf.exe MD5: AC3668260346D59F25905579AA8EAF94)

invoice & packing.pdf.exe (PID: 6040 cmdline: C:\Users\user\Desktop\invoice & packing.pdf.exe MD5: AC3668260346D59F25905579AA8EAF94)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.348394866.0000000003E84000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x10d64d:$x1: NanoCore.ClientPluginHost 0x13fe6d:$x1: NanoCore.ClientPluginHost 0x10d68a:$x2: IClientNetworkHost 0x13feaa:$x2: IClientNetworkHost 0x1111bd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x1439dd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.348394866.0000000003E84000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.348394866.0000000003E84000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x10d3b5:$a: NanoCore 0x10d3c5:$a: NanoCore 0x10d5f9:$a: NanoCore 0x10d60d:$a: NanoCore 0x10d64d:$a: NanoCore 0x13fbd5:$a: NanoCore 0x13fbe5:$a: NanoCore 0x13fe19:$a: NanoCore 0x13fe2d:$a: NanoCore 0x13fe6d:$a: NanoCore 0x10d414:$b: ClientPlugin 0x10d616:$b: ClientPlugin 0x10d656:$b: ClientPlugin 0x13fc34:$b: ClientPlugin 0x13fe36:$b: ClientPlugin 0x13fe76:$b: ClientPlugin 0x10d53b:$c: ProjectData 0x13fd5b:$c: ProjectData 0x10df42:$d: DESCrypto 0x140762:$d: DESCrypto 0x11590e:$e: KeepAlive
00000000.00000002.348069175.0000000002E81000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000006.00000003.361188308.00000000045C4000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x13c2:$a: NanoCore 0x13e7:$a: NanoCore 0x1440:$a: NanoCore 0x115dd:$a: NanoCore 0x11603:$a: NanoCore 0x1165f:$a: NanoCore 0x1e4b4:$a: NanoCore 0x1e50d:$a: NanoCore 0x1e540:$a: NanoCore 0x1e76c:$a: NanoCore 0x1e7e8:$a: NanoCore 0x1ee01:$a: NanoCore 0x1ef4a:$a: NanoCore 0x1f41e:$a: NanoCore 0x1f705:$a: NanoCore 0x1f71c:$a: NanoCore 0x24cba:$a: NanoCore 0x24d34:$a: NanoCore 0x298d1:$a: NanoCore 0x2ac8b:$a: NanoCore 0x2acd5:$a: NanoCore
00000000.00000002.348133021.0000000002ED7000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: invoice & packing.pdf.exe PID: 6040	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1f7fb5:$a: NanoCore 0x1f7ff2:$a: NanoCore 0x1f807b:$a: NanoCore 0x1fd413:$a: NanoCore 0x1fd436:$a: NanoCore 0x1fd48b:$a: NanoCore 0x2028ce:$a: NanoCore 0x20290c:$a: NanoCore 0x202998:$a: NanoCore 0x20d335:$a: NanoCore 0x20d359:$a: NanoCore 0x20d3b1:$a: NanoCore 0x214fcd:$a: NanoCore 0x21506e:$a: NanoCore 0x2150d1:$a: NanoCore 0x215487:$a: NanoCore 0x215563:$a: NanoCore 0x215fd0:$a: NanoCore 0x2161b5:$a: NanoCore 0x216204:$a: NanoCore 0x216257:$a: NanoCore
Process Memory Space: invoice & packing.pdf.exe PID: 7160	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 3 entries

Sigma Overview

System Summary:

Sigma detected: NanoCore

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\invoice & packing.pdf.exe, ProcessId: 6040, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Sigma detected: Scheduled temp file as task from temp location

Show sources

Source: Process started

Author: Joe Security: Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\NKzWuwUvFAvUo' /XML 'C:\Users\user\AppData\Local\Temp\tmpEBB4.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\NKzWuwUvFAvUo' /XML 'C:\Users\user\AppData\Local\Temp\tmpEBB4.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\invoice & packing.pdf.exe' , ParentImage: C:\Users\user\Desktop\invoice & packing.pdf.exe, ParentProcessId: 7160, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\NKzWuwUvFAvUo' /XML 'C:\Users\user\AppData\Local\Temp\tmpEBB4.tmp', ProcessId: 1560

Sigma detected: Suspicious Double Extension

Show sources

Source: Process started

Author: Florian Roth (rule), @blu3_team (idea): Data: Command: C:\Users\user\Desktop\invoice & packing.pdf.exe, CommandLine: C:\Users\user\Desktop\invoice & packing.pdf.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\Desktop\invoice & packing.pdf.exe, NewProcessName: C:\Users\user\Desktop\invoice & packing.pdf.exe, OriginalFileName: C:\Users\user\Desktop\invoice & packing.pdf.exe, ParentCommandLine: 'C:\Users\user\Desktop\invoice & packing.pdf.exe' , ParentImage: C:\Users\user\Desktop\invoice & packing.pdf.exe, ParentProcessId: 7160, ProcessCommandLine: C:\Users\user\Desktop\invoice & packing.pdf.exe, ProcessId: 4624

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Yara detected Nanocore RAT

Show sources

Source: Yara match

File source: 00000000.00000002.348394866.0000000003E84000.00000004.00000001.sdmp, type: MEMORY

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\NKzWuwUvFAvUo.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\NKzWuwUvFAvUo.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Show sources

Source: invoice & packing.pdf.exe	Joe Sandbox ML: detected
Source: invoice & packing.pdf.exe	Joe Sandbox ML: detected

Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h	0_2_0562997F
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h	0_2_05629990
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h	0_2_0562997F
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h	0_2_05629990

Source: global traffic	TCP traffic: 192.168.2.6:49727 -> 23.105.131.164:5050
Source: global traffic	TCP traffic: 192.168.2.6:49727 -> 23.105.131.164:5050

Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.164
Source: unknown	TCP traffic detected without corresponding DNS query: 23.105.131.164

Source: invoice & packing.pdf.exe, 00000006.00000003.361188308.00000000045C4000.00000004.00000001.sdmp	String found in binary or memory: http://google.com
Source: invoice & packing.pdf.exe, 00000006.00000003.361188308.00000000045C4000.00000004.00000001.sdmp	String found in binary or memory: http://google.com

Source: invoice & packing.pdf.exe, 00000000.00000002.346838980.0000000000E08000.00000004.00000020.sdmp	Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: invoice & packing.pdf.exe, 00000000.00000002.346838980.0000000000E08000.00000004.00000020.sdmp	Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected Nanocore RAT

Show sources

Source: Yara match

File source: 00000000.00000002.348394866.0000000003E84000.00000004.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000000.00000002.348394866.0000000003E84000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.348394866.0000000003E84000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000006.00000003.361188308.00000000045C4000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: invoice & packing.pdf.exe PID: 6040, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.348394866.0000000003E84000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.348394866.0000000003E84000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000006.00000003.361188308.00000000045C4000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: invoice & packing.pdf.exe PID: 6040, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>

Initial sample is a PE file and has a suspicious name

Show sources

Source: initial sample	Static PE information: Filename: invoice & packing.pdf.exe
Source: initial sample	Static PE information: Filename: invoice & packing.pdf.exe
Source: initial sample	Static PE information: Filename: invoice & packing.pdf.exe
Source: initial sample	Static PE information: Filename: invoice & packing.pdf.exe

Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Code function: 0_2_055A13B6 NtQuerySystemInformation,	0_2_055A13B6
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Code function: 0_2_055A1389 NtQuerySystemInformation,	0_2_055A1389
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Code function: 0_2_055A13B6 NtQuerySystemInformation,	0_2_055A13B6
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Code function: 0_2_055A1389 NtQuerySystemInformation,	0_2_055A1389

Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Code function: 0_2_04FC1DC8	0_2_04FC1DC8
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Code function: 0_2_04FC27BC	0_2_04FC27BC
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Code function: 0_2_04FC2270	0_2_04FC2270
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Code function: 0_2_04FC0BA0	0_2_04FC0BA0
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Code function: 0_2_04FC1DB7	0_2_04FC1DB7
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Code function: 0_2_04FC36AC	0_2_04FC36AC
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Code function: 0_2_04FC98D8	0_2_04FC98D8
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Code function: 0_2_04FC77F1	0_2_04FC77F1
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Code function: 0_2_04FC98D8	0_2_04FC98D8
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Code function: 0_2_04FC3958	0_2_04FC3958
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Code function: 0_2_04FC3945	0_2_04FC3945
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Code function: 0_2_04FC2261	0_2_04FC2261
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Code function: 0_2_04FCABFE	0_2_04FCABFE
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Code function: 0_2_04FC0B90	0_2_04FC0B90
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Code function: 0_2_04FCEB30	0_2_04FCEB30
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Code function: 0_2_05625D97	0_2_05625D97
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Code function: 0_2_0562006B	0_2_0562006B
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Code function: 0_2_05620070	0_2_05620070
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Code function: 0_2_0562535B	0_2_0562535B
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Code function: 0_2_04FC1DC8	0_2_04FC1DC8
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Code function: 0_2_04FC27BC	0_2_04FC27BC
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Code function: 0_2_04FC2270	0_2_04FC2270
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Code function: 0_2_04FC0BA0	0_2_04FC0BA0
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Code function: 0_2_04FC1DB7	0_2_04FC1DB7
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Code function: 0_2_04FC36AC	0_2_04FC36AC
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Code function: 0_2_04FC98D8	0_2_04FC98D8
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Code function: 0_2_04FC77F1	0_2_04FC77F1
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Code function: 0_2_04FC98D8	0_2_04FC98D8
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Code function: 0_2_04FC3958	0_2_04FC3958
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Code function: 0_2_04FC3945	0_2_04FC3945
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Code function: 0_2_04FC2261	0_2_04FC2261
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Code function: 0_2_04FCABFE	0_2_04FCABFE
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Code function: 0_2_04FC0B90	0_2_04FC0B90
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Code function: 0_2_04FCEB30	0_2_04FCEB30
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Code function: 0_2_05625D97	0_2_05625D97
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Code function: 0_2_0562006B	0_2_0562006B
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Code function: 0_2_05620070	0_2_05620070
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Code function: 0_2_0562535B	0_2_0562535B

Source: invoice & packing.pdf.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: NKzWuwUvFAvUo.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: invoice & packing.pdf.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: NKzWuwUvFAvUo.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: invoice & packing.pdf.exe	Binary or memory string: OriginalFilename vs invoice & packing.pdf.exe
Source: invoice & packing.pdf.exe, 00000000.00000002.349440830.0000000005040000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs invoice & packing.pdf.exe
Source: invoice & packing.pdf.exe, 00000000.00000000.335994926.0000000000792000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamegSqi.exe4 vs invoice & packing.pdf.exe
Source: invoice & packing.pdf.exe, 00000000.00000002.348759292.0000000004038000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameKedermister.dllT vs invoice & packing.pdf.exe
Source: invoice & packing.pdf.exe, 00000000.00000002.351801682.0000000005D40000.00000002.00000001.sdmp	Binary or memory string: originalfilename vs invoice & packing.pdf.exe
Source: invoice & packing.pdf.exe, 00000000.00000002.351801682.0000000005D40000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs invoice & packing.pdf.exe
Source: invoice & packing.pdf.exe, 00000000.00000002.351576272.0000000005C40000.00000002.00000001.sdmp	Binary or memory string: System.OriginalFileName vs invoice & packing.pdf.exe
Source: invoice & packing.pdf.exe	Binary or memory string: OriginalFilename vs invoice & packing.pdf.exe
Source: invoice & packing.pdf.exe, 00000003.00000000.342276749.0000000000372000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamegSqi.exe4 vs invoice & packing.pdf.exe
Source: invoice & packing.pdf.exe	Binary or memory string: OriginalFilename vs invoice & packing.pdf.exe
Source: invoice & packing.pdf.exe, 00000004.00000002.343495493.00000000003D2000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamegSqi.exe4 vs invoice & packing.pdf.exe
Source: invoice & packing.pdf.exe	Binary or memory string: OriginalFilename vs invoice & packing.pdf.exe
Source: invoice & packing.pdf.exe, 00000005.00000002.344572269.0000000000022000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamegSqi.exe4 vs invoice & packing.pdf.exe
Source: invoice & packing.pdf.exe, 00000006.00000000.345263115.0000000000A32000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamegSqi.exe4 vs invoice & packing.pdf.exe
Source: invoice & packing.pdf.exe, 00000006.00000003.361188308.00000000045C4000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameCoreClientPlugin.dll8 vs invoice & packing.pdf.exe
Source: invoice & packing.pdf.exe, 00000006.00000003.361188308.00000000045C4000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameManagementClientPlugin.dll4 vs invoice & packing.pdf.exe
Source: invoice & packing.pdf.exe, 00000006.00000003.361188308.00000000045C4000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameNanoCoreBase.dll< vs invoice & packing.pdf.exe
Source: invoice & packing.pdf.exe, 00000006.00000003.361188308.00000000045C4000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameFileBrowserClient.dllT vs invoice & packing.pdf.exe
Source: invoice & packing.pdf.exe, 00000006.00000003.361188308.00000000045C4000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameMyClientPlugin.dll4 vs invoice & packing.pdf.exe
Source: invoice & packing.pdf.exe, 00000006.00000003.361188308.00000000045C4000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameMyClientPlugin.dll@ vs invoice & packing.pdf.exe
Source: invoice & packing.pdf.exe, 00000006.00000003.361188308.00000000045C4000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameNanoCoreStressTester.dll< vs invoice & packing.pdf.exe
Source: invoice & packing.pdf.exe, 00000006.00000003.361188308.00000000045C4000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameNetworkClientPlugin.dll4 vs invoice & packing.pdf.exe
Source: invoice & packing.pdf.exe, 00000006.00000003.361188308.00000000045C4000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSecurityClientPlugin.dll4 vs invoice & packing.pdf.exe
Source: invoice & packing.pdf.exe, 00000006.00000003.361188308.00000000045C4000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameAForge.Video.DirectShow.dll4 vs invoice & packing.pdf.exe
Source: invoice & packing.pdf.exe, 00000006.00000003.361188308.00000000045C4000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameNAudio.dll4 vs invoice & packing.pdf.exe
Source: invoice & packing.pdf.exe, 00000006.00000003.361188308.00000000045C4000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSurveillanceClientPlugin.dll4 vs invoice & packing.pdf.exe
Source: invoice & packing.pdf.exe, 00000006.00000003.361188308.00000000045C4000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs invoice & packing.pdf.exe
Source: invoice & packing.pdf.exe	Binary or memory string: OriginalFilenamegSqi.exe4 vs invoice & packing.pdf.exe
Source: invoice & packing.pdf.exe	Binary or memory string: OriginalFilename vs invoice & packing.pdf.exe
Source: invoice & packing.pdf.exe, 00000000.00000002.349440830.0000000005040000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs invoice & packing.pdf.exe
Source: invoice & packing.pdf.exe, 00000000.00000000.335994926.0000000000792000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamegSqi.exe4 vs invoice & packing.pdf.exe
Source: invoice & packing.pdf.exe, 00000000.00000002.348759292.0000000004038000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameKedermister.dllT vs invoice & packing.pdf.exe
Source: invoice & packing.pdf.exe, 00000000.00000002.351801682.0000000005D40000.00000002.00000001.sdmp	Binary or memory string: originalfilename vs invoice & packing.pdf.exe
Source: invoice & packing.pdf.exe, 00000000.00000002.351801682.0000000005D40000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs invoice & packing.pdf.exe
Source: invoice & packing.pdf.exe, 00000000.00000002.351576272.0000000005C40000.00000002.00000001.sdmp	Binary or memory string: System.OriginalFileName vs invoice & packing.pdf.exe
Source: invoice & packing.pdf.exe	Binary or memory string: OriginalFilename vs invoice & packing.pdf.exe
Source: invoice & packing.pdf.exe, 00000003.00000000.342276749.0000000000372000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamegSqi.exe4 vs invoice & packing.pdf.exe
Source: invoice & packing.pdf.exe	Binary or memory string: OriginalFilename vs invoice & packing.pdf.exe
Source: invoice & packing.pdf.exe, 00000004.00000002.343495493.00000000003D2000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamegSqi.exe4 vs invoice & packing.pdf.exe
Source: invoice & packing.pdf.exe	Binary or memory string: OriginalFilename vs invoice & packing.pdf.exe
Source: invoice & packing.pdf.exe, 00000005.00000002.344572269.0000000000022000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamegSqi.exe4 vs invoice & packing.pdf.exe
Source: invoice & packing.pdf.exe, 00000006.00000000.345263115.0000000000A32000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamegSqi.exe4 vs invoice & packing.pdf.exe
Source: invoice & packing.pdf.exe, 00000006.00000003.361188308.00000000045C4000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameCoreClientPlugin.dll8 vs invoice & packing.pdf.exe
Source: invoice & packing.pdf.exe, 00000006.00000003.361188308.00000000045C4000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameManagementClientPlugin.dll4 vs invoice & packing.pdf.exe
Source: invoice & packing.pdf.exe, 00000006.00000003.361188308.00000000045C4000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameNanoCoreBase.dll< vs invoice & packing.pdf.exe
Source: invoice & packing.pdf.exe, 00000006.00000003.361188308.00000000045C4000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameFileBrowserClient.dllT vs invoice & packing.pdf.exe
Source: invoice & packing.pdf.exe, 00000006.00000003.361188308.00000000045C4000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameMyClientPlugin.dll4 vs invoice & packing.pdf.exe
Source: invoice & packing.pdf.exe, 00000006.00000003.361188308.00000000045C4000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameMyClientPlugin.dll@ vs invoice & packing.pdf.exe
Source: invoice & packing.pdf.exe, 00000006.00000003.361188308.00000000045C4000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameNanoCoreStressTester.dll< vs invoice & packing.pdf.exe
Source: invoice & packing.pdf.exe, 00000006.00000003.361188308.00000000045C4000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameNetworkClientPlugin.dll4 vs invoice & packing.pdf.exe
Source: invoice & packing.pdf.exe, 00000006.00000003.361188308.00000000045C4000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSecurityClientPlugin.dll4 vs invoice & packing.pdf.exe
Source: invoice & packing.pdf.exe, 00000006.00000003.361188308.00000000045C4000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameAForge.Video.DirectShow.dll4 vs invoice & packing.pdf.exe
Source: invoice & packing.pdf.exe, 00000006.00000003.361188308.00000000045C4000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameNAudio.dll4 vs invoice & packing.pdf.exe
Source: invoice & packing.pdf.exe, 00000006.00000003.361188308.00000000045C4000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSurveillanceClientPlugin.dll4 vs invoice & packing.pdf.exe
Source: invoice & packing.pdf.exe, 00000006.00000003.361188308.00000000045C4000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs invoice & packing.pdf.exe
Source: invoice & packing.pdf.exe	Binary or memory string: OriginalFilenamegSqi.exe4 vs invoice & packing.pdf.exe

Source: 00000000.00000002.348394866.0000000003E84000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.348394866.0000000003E84000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000006.00000003.361188308.00000000045C4000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: invoice & packing.pdf.exe PID: 6040, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.348394866.0000000003E84000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.348394866.0000000003E84000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000006.00000003.361188308.00000000045C4000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: invoice & packing.pdf.exe PID: 6040, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore

Source: invoice & packing.pdf.exe	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: NKzWuwUvFAvUo.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: invoice & packing.pdf.exe	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: NKzWuwUvFAvUo.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.evad.winEXE@12/8@0/1

Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Code function: 0_2_055A0FA2 AdjustTokenPrivileges,	0_2_055A0FA2
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Code function: 0_2_055A0F6B AdjustTokenPrivileges,	0_2_055A0F6B
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Code function: 0_2_055A0FA2 AdjustTokenPrivileges,	0_2_055A0FA2
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Code function: 0_2_055A0F6B AdjustTokenPrivileges,	0_2_055A0F6B

Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	File created: C:\Users\user\AppData\Roaming\NKzWuwUvFAvUo.exe			Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	File created: C:\Users\user\AppData\Roaming\NKzWuwUvFAvUo.exe			Jump to behavior

Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{29d2abae-978d-4a2e-8d75-4eb1cf1bd386}
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Mutant created: \Sessions\1\BaseNamedObjects\iJAEmKSWJugTtVGt
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1420:120:WilError_01
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{29d2abae-978d-4a2e-8d75-4eb1cf1bd386}
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Mutant created: \Sessions\1\BaseNamedObjects\iJAEmKSWJugTtVGt
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1420:120:WilError_01

Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	File created: C:\Users\user\AppData\Local\Temp\tmpEBB4.tmp			Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	File created: C:\Users\user\AppData\Local\Temp\tmpEBB4.tmp			Jump to behavior

Source: invoice & packing.pdf.exe	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: invoice & packing.pdf.exe	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior

Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	File read: C:\Users\user\Desktop\desktop.ini			Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	File read: C:\Users\user\Desktop\desktop.ini			Jump to behavior

Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers			Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers			Jump to behavior

Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	File read: C:\Users\user\Desktop\invoice & packing.pdf.exe			Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	File read: C:\Users\user\Desktop\invoice & packing.pdf.exe			Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\invoice & packing.pdf.exe 'C:\Users\user\Desktop\invoice & packing.pdf.exe'
Source: unknown	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\NKzWuwUvFAvUo' /XML 'C:\Users\user\AppData\Local\Temp\tmpEBB4.tmp'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\Desktop\invoice & packing.pdf.exe C:\Users\user\Desktop\invoice & packing.pdf.exe
Source: unknown	Process created: C:\Users\user\Desktop\invoice & packing.pdf.exe C:\Users\user\Desktop\invoice & packing.pdf.exe
Source: unknown	Process created: C:\Users\user\Desktop\invoice & packing.pdf.exe C:\Users\user\Desktop\invoice & packing.pdf.exe
Source: unknown	Process created: C:\Users\user\Desktop\invoice & packing.pdf.exe C:\Users\user\Desktop\invoice & packing.pdf.exe
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\NKzWuwUvFAvUo' /XML 'C:\Users\user\AppData\Local\Temp\tmpEBB4.tmp'	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Process created: C:\Users\user\Desktop\invoice & packing.pdf.exe C:\Users\user\Desktop\invoice & packing.pdf.exe	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Process created: C:\Users\user\Desktop\invoice & packing.pdf.exe C:\Users\user\Desktop\invoice & packing.pdf.exe	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Process created: C:\Users\user\Desktop\invoice & packing.pdf.exe C:\Users\user\Desktop\invoice & packing.pdf.exe	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Process created: C:\Users\user\Desktop\invoice & packing.pdf.exe C:\Users\user\Desktop\invoice & packing.pdf.exe	Jump to behavior
Source: unknown	Process created: C:\Users\user\Desktop\invoice & packing.pdf.exe 'C:\Users\user\Desktop\invoice & packing.pdf.exe'
Source: unknown	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\NKzWuwUvFAvUo' /XML 'C:\Users\user\AppData\Local\Temp\tmpEBB4.tmp'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\Desktop\invoice & packing.pdf.exe C:\Users\user\Desktop\invoice & packing.pdf.exe
Source: unknown	Process created: C:\Users\user\Desktop\invoice & packing.pdf.exe C:\Users\user\Desktop\invoice & packing.pdf.exe
Source: unknown	Process created: C:\Users\user\Desktop\invoice & packing.pdf.exe C:\Users\user\Desktop\invoice & packing.pdf.exe
Source: unknown	Process created: C:\Users\user\Desktop\invoice & packing.pdf.exe C:\Users\user\Desktop\invoice & packing.pdf.exe
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\NKzWuwUvFAvUo' /XML 'C:\Users\user\AppData\Local\Temp\tmpEBB4.tmp'	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Process created: C:\Users\user\Desktop\invoice & packing.pdf.exe C:\Users\user\Desktop\invoice & packing.pdf.exe	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Process created: C:\Users\user\Desktop\invoice & packing.pdf.exe C:\Users\user\Desktop\invoice & packing.pdf.exe	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Process created: C:\Users\user\Desktop\invoice & packing.pdf.exe C:\Users\user\Desktop\invoice & packing.pdf.exe	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Process created: C:\Users\user\Desktop\invoice & packing.pdf.exe C:\Users\user\Desktop\invoice & packing.pdf.exe	Jump to behavior

Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32			Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32			Jump to behavior

Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll			Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll			Jump to behavior

Source: invoice & packing.pdf.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: invoice & packing.pdf.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll			Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll			Jump to behavior

Source: invoice & packing.pdf.exe	Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: invoice & packing.pdf.exe	Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: invoice & packing.pdf.exe, 00000006.00000003.361188308.00000000045C4000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: invoice & packing.pdf.exe, 00000006.00000003.361188308.00000000045C4000.00000004.00000001.sdmp
Source:	Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: invoice & packing.pdf.exe, 00000006.00000003.361188308.00000000045C4000.00000004.00000001.sdmp
Source:	Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: invoice & packing.pdf.exe, 00000006.00000003.361188308.00000000045C4000.00000004.00000001.sdmp
Source:	Binary string: mscorrc.pdb source: invoice & packing.pdf.exe, 00000000.00000002.349440830.0000000005040000.00000002.00000001.sdmp
Source:	Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: invoice & packing.pdf.exe, 00000006.00000003.361188308.00000000045C4000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: invoice & packing.pdf.exe, 00000006.00000003.361188308.00000000045C4000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: invoice & packing.pdf.exe, 00000006.00000003.361188308.00000000045C4000.00000004.00000001.sdmp
Source:	Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: invoice & packing.pdf.exe, 00000006.00000003.361188308.00000000045C4000.00000004.00000001.sdmp
Source:	Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: invoice & packing.pdf.exe, 00000006.00000003.361188308.00000000045C4000.00000004.00000001.sdmp
Source:	Binary string: mscorrc.pdb source: invoice & packing.pdf.exe, 00000000.00000002.349440830.0000000005040000.00000002.00000001.sdmp
Source:	Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: invoice & packing.pdf.exe, 00000006.00000003.361188308.00000000045C4000.00000004.00000001.sdmp

Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Code function: 0_2_01007751 push eax; ret	0_2_010077A1
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Code function: 0_2_010077A5 push eax; ret	0_2_010077BD
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Code function: 0_2_010077BF pushad ; ret	0_2_010077D1
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Code function: 0_2_056295A8 pushfd ; ret	0_2_056295A9
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Code function: 0_2_01007751 push eax; ret	0_2_010077A1
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Code function: 0_2_010077A5 push eax; ret	0_2_010077BD
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Code function: 0_2_010077BF pushad ; ret	0_2_010077D1
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Code function: 0_2_056295A8 pushfd ; ret	0_2_056295A9

Source: initial sample	Static PE information: section name: .text entropy: 7.83069798608
Source: initial sample	Static PE information: section name: .text entropy: 7.83069798608
Source: initial sample	Static PE information: section name: .text entropy: 7.83069798608
Source: initial sample	Static PE information: section name: .text entropy: 7.83069798608

Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	File created: C:\Users\user\AppData\Roaming\NKzWuwUvFAvUo.exe			Jump to dropped file
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	File created: C:\Users\user\AppData\Roaming\NKzWuwUvFAvUo.exe			Jump to dropped file

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules

Show sources

Source: unknown	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\NKzWuwUvFAvUo' /XML 'C:\Users\user\AppData\Local\Temp\tmpEBB4.tmp'
Source: unknown	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\NKzWuwUvFAvUo' /XML 'C:\Users\user\AppData\Local\Temp\tmpEBB4.tmp'

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	File opened: C:\Users\user\Desktop\invoice & packing.pdf.exe:Zone.Identifier read attributes \| delete			Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	File opened: C:\Users\user\Desktop\invoice & packing.pdf.exe:Zone.Identifier read attributes \| delete			Jump to behavior

Uses an obfuscated file name to hide its real file extension (double extension)

Show sources

Source: Possible double extension: pdf.exe	Static PE information: invoice & packing.pdf.exe
Source: Possible double extension: pdf.exe	Static PE information: invoice & packing.pdf.exe

Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Registry key monitored for changes: HKEY_CURRENT_USER_Classes			Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Registry key monitored for changes: HKEY_CURRENT_USER_Classes			Jump to behavior

Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM_3

Show sources

Source: Yara match	File source: 00000000.00000002.348069175.0000000002E81000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.348133021.0000000002ED7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: invoice & packing.pdf.exe PID: 7160, type: MEMORY

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: invoice & packing.pdf.exe, 00000000.00000002.348069175.0000000002E81000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL
Source: invoice & packing.pdf.exe, 00000000.00000002.348069175.0000000002E81000.00000004.00000001.sdmp	Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Source: invoice & packing.pdf.exe, 00000000.00000002.348069175.0000000002E81000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL
Source: invoice & packing.pdf.exe, 00000000.00000002.348069175.0000000002E81000.00000004.00000001.sdmp	Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME

Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}			Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}			Jump to behavior

Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Window / User API: threadDelayed 1093	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Window / User API: foregroundWindowGot 674	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Window / User API: foregroundWindowGot 704	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Window / User API: threadDelayed 1093	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Window / User API: foregroundWindowGot 674	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Window / User API: foregroundWindowGot 704	Jump to behavior

Source: C:\Users\user\Desktop\invoice & packing.pdf.exe TID: 7164	Thread sleep time: -53140s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe TID: 724	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe TID: 4540	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe TID: 4584	Thread sleep time: -340000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe TID: 7164	Thread sleep time: -53140s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe TID: 724	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe TID: 4540	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe TID: 4584	Thread sleep time: -340000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: invoice & packing.pdf.exe, 00000000.00000002.348069175.0000000002E81000.00000004.00000001.sdmp	Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: invoice & packing.pdf.exe, 00000000.00000002.348069175.0000000002E81000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: invoice & packing.pdf.exe, 00000000.00000002.348069175.0000000002E81000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II\|update users set password = @password where user_id = @user_id
Source: invoice & packing.pdf.exe, 00000000.00000002.346900929.0000000000E68000.00000004.00000020.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: invoice & packing.pdf.exe, 00000000.00000002.348069175.0000000002E81000.00000004.00000001.sdmp	Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
Source: invoice & packing.pdf.exe, 00000000.00000002.348069175.0000000002E81000.00000004.00000001.sdmp	Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: invoice & packing.pdf.exe, 00000000.00000002.348069175.0000000002E81000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: invoice & packing.pdf.exe, 00000000.00000002.348069175.0000000002E81000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II\|update users set password = @password where user_id = @user_id
Source: invoice & packing.pdf.exe, 00000000.00000002.346900929.0000000000E68000.00000004.00000020.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: invoice & packing.pdf.exe, 00000000.00000002.348069175.0000000002E81000.00000004.00000001.sdmp	Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Process information queried: ProcessInformation			Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Process information queried: ProcessInformation			Jump to behavior

Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Memory allocated: page read and write \| page guard			Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Memory allocated: page read and write \| page guard			Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Memory written: C:\Users\user\Desktop\invoice & packing.pdf.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Memory written: C:\Users\user\Desktop\invoice & packing.pdf.exe base: 400000 value starts with: 4D5A			Jump to behavior

Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\NKzWuwUvFAvUo' /XML 'C:\Users\user\AppData\Local\Temp\tmpEBB4.tmp'	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Process created: C:\Users\user\Desktop\invoice & packing.pdf.exe C:\Users\user\Desktop\invoice & packing.pdf.exe	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Process created: C:\Users\user\Desktop\invoice & packing.pdf.exe C:\Users\user\Desktop\invoice & packing.pdf.exe	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Process created: C:\Users\user\Desktop\invoice & packing.pdf.exe C:\Users\user\Desktop\invoice & packing.pdf.exe	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Process created: C:\Users\user\Desktop\invoice & packing.pdf.exe C:\Users\user\Desktop\invoice & packing.pdf.exe	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\NKzWuwUvFAvUo' /XML 'C:\Users\user\AppData\Local\Temp\tmpEBB4.tmp'	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Process created: C:\Users\user\Desktop\invoice & packing.pdf.exe C:\Users\user\Desktop\invoice & packing.pdf.exe	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Process created: C:\Users\user\Desktop\invoice & packing.pdf.exe C:\Users\user\Desktop\invoice & packing.pdf.exe	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Process created: C:\Users\user\Desktop\invoice & packing.pdf.exe C:\Users\user\Desktop\invoice & packing.pdf.exe	Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Process created: C:\Users\user\Desktop\invoice & packing.pdf.exe C:\Users\user\Desktop\invoice & packing.pdf.exe	Jump to behavior

Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Code function: 0_2_00DFB0BE GetUserNameW,		0_2_00DFB0BE
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Code function: 0_2_00DFB0BE GetUserNameW,		0_2_00DFB0BE

Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid			Jump to behavior
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid			Jump to behavior

Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\invoice & packing.pdf.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct

Stealing of Sensitive Information:

Yara detected Nanocore RAT

Show sources

Source: Yara match

File source: 00000000.00000002.348394866.0000000003E84000.00000004.00000001.sdmp, type: MEMORY

Remote Access Functionality:

Detected Nanocore Rat

Show sources

Source: invoice & packing.pdf.exe, 00000006.00000003.361188308.00000000045C4000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: invoice & packing.pdf.exe, 00000006.00000003.361188308.00000000045C4000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreBase.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreBaseClientPluginCommandHandlerResourcesNanoCoreBase.My.ResourcesMySettingsMySettingsPropertyCommandsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketHandleCommandHandleCommandOpenWebsiteHandleCommandMessageBoxSwapMouseButtonfSwapuser32.dllHandleCommandMouseSwapHandleCommandMouseUnswapmciSendStringlpszCommandlpszReturnStringcchReturnLengthhwndCallbackwinmm.dllmciSendStringAHandleCommandCDTrayHandleCommandCDTrayCloseSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__OpenWebsiteMessageBoxCDTrayCDTrayCloseMouseSwapMouseUnswapSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeSendToServerParamArrayAttributeStringProcessStartSystem.Windows.FormsDialogResultShowConversionsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedNanoCoreBase.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoCoreBase.dll+set CDAudio door open/set CDAudio door closed-NanoCoreBase.Resources3
Source: invoice & packing.pdf.exe, 00000006.00000003.361188308.00000000045C4000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationFileBrowserClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainFileBrowserClientClientPluginCommandHandlersResourcesFileBrowserClient.My.ResourcesMySettingsMySettingsPropertyFunctionsCommandTypesMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostCurrentDirectoryInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHost_networkHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleCreateDirectoryremoteDirHandleDeleteFileremoteFileisDirectoryHandleOpenFileHandleReceiveFilelocalFileHandleRenameFilenewFileNameHandleSetCurrentDirectorypathHandleDeleteHandleDownloadHandleDrivesHandleFilesHandleGetCurrentDirectoryHandleMachineNameHandleOpenHandleSetCurrentDirectoryPacketHandleUploadHandleRenameHandleCreateSendCurrentDirectorySendDrivesSendFileSendFilesSendMachineNameSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsSystem.Collections.GenericList`1RemoteFilesRemoteFoldersRemoteDrivesEnumerateRemoteFilesEnumerateRemoteDrivesLogMessagemessageEnumvalue__MachineNameDrivesFilesGetCurrentDirectorySetCurrentDirectoryDownloadUploadOpenDeleteCreateDirectoryRenameSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeEnvironmentSpecialFolderGetFolderPathStringFormatSystem.IODirectoryDirectoryInfoProjectDataExceptionSetProjectErrorClearProjectErrorFileLogClientExceptionProcessStartConvertFromBase64StringWriteAllBytesMoveSendToServerConversionsToBooleanInt32NewLateBindingLateIndexGetEnumeratorEmptyGetEnumeratorget_CurrentTrimConcatMoveNextIDisposableDisposeReadAllBytesToBase64StringIsNullOrEmptyget_MachineNameToUpperget_UserNameReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedFileInfoFileSystemInfoget_FullNameContainsGetDirectoriesget_NameAddGetF
Source: invoice & packing.pdf.exe, 00000006.00000003.361188308.00000000045C4000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationMyClientPlugin.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainMyClientPluginClientPluginMiscCommandHandlerCommandTypeMiscCommandMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleMiscCommandHandleMiscCommandMessageInterpretRecievedcommandtodoloopkeysEnumvalue__MessageStringExceptionMicrosoft.VisualBasic.CompilerServicesOperatorsCompareStringServerComputerMicrosoft.VisualBasic.MyServicesRegistryProxyget_RegistryMicrosoft.Win32RegistryKeyget_LocalMachineConcatInt32SetValueProjectDataSetProjectErrorClearProjectErrorget_LengthStandardModuleAttributeSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeMyClientPlugin.dll'DisableWebcamLights
Source: invoice & packing.pdf.exe, 00000006.00000003.361188308.00000000045C4000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandleTCPCommandHandleUDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce
Source: invoice & packing.pdf.exe, 00000006.00000003.361188308.00000000045C4000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: invoice & packing.pdf.exe, 00000006.00000003.361188308.00000000045C4000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreBase.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreBaseClientPluginCommandHandlerResourcesNanoCoreBase.My.ResourcesMySettingsMySettingsPropertyCommandsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketHandleCommandHandleCommandOpenWebsiteHandleCommandMessageBoxSwapMouseButtonfSwapuser32.dllHandleCommandMouseSwapHandleCommandMouseUnswapmciSendStringlpszCommandlpszReturnStringcchReturnLengthhwndCallbackwinmm.dllmciSendStringAHandleCommandCDTrayHandleCommandCDTrayCloseSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__OpenWebsiteMessageBoxCDTrayCDTrayCloseMouseSwapMouseUnswapSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeSendToServerParamArrayAttributeStringProcessStartSystem.Windows.FormsDialogResultShowConversionsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedNanoCoreBase.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoCoreBase.dll+set CDAudio door open/set CDAudio door closed-NanoCoreBase.Resources3
Source: invoice & packing.pdf.exe, 00000006.00000003.361188308.00000000045C4000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationFileBrowserClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainFileBrowserClientClientPluginCommandHandlersResourcesFileBrowserClient.My.ResourcesMySettingsMySettingsPropertyFunctionsCommandTypesMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostCurrentDirectoryInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHost_networkHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleCreateDirectoryremoteDirHandleDeleteFileremoteFileisDirectoryHandleOpenFileHandleReceiveFilelocalFileHandleRenameFilenewFileNameHandleSetCurrentDirectorypathHandleDeleteHandleDownloadHandleDrivesHandleFilesHandleGetCurrentDirectoryHandleMachineNameHandleOpenHandleSetCurrentDirectoryPacketHandleUploadHandleRenameHandleCreateSendCurrentDirectorySendDrivesSendFileSendFilesSendMachineNameSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsSystem.Collections.GenericList`1RemoteFilesRemoteFoldersRemoteDrivesEnumerateRemoteFilesEnumerateRemoteDrivesLogMessagemessageEnumvalue__MachineNameDrivesFilesGetCurrentDirectorySetCurrentDirectoryDownloadUploadOpenDeleteCreateDirectoryRenameSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeEnvironmentSpecialFolderGetFolderPathStringFormatSystem.IODirectoryDirectoryInfoProjectDataExceptionSetProjectErrorClearProjectErrorFileLogClientExceptionProcessStartConvertFromBase64StringWriteAllBytesMoveSendToServerConversionsToBooleanInt32NewLateBindingLateIndexGetEnumeratorEmptyGetEnumeratorget_CurrentTrimConcatMoveNextIDisposableDisposeReadAllBytesToBase64StringIsNullOrEmptyget_MachineNameToUpperget_UserNameReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedFileInfoFileSystemInfoget_FullNameContainsGetDirectoriesget_NameAddGetF
Source: invoice & packing.pdf.exe, 00000006.00000003.361188308.00000000045C4000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationMyClientPlugin.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainMyClientPluginClientPluginMiscCommandHandlerCommandTypeMiscCommandMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleMiscCommandHandleMiscCommandMessageInterpretRecievedcommandtodoloopkeysEnumvalue__MessageStringExceptionMicrosoft.VisualBasic.CompilerServicesOperatorsCompareStringServerComputerMicrosoft.VisualBasic.MyServicesRegistryProxyget_RegistryMicrosoft.Win32RegistryKeyget_LocalMachineConcatInt32SetValueProjectDataSetProjectErrorClearProjectErrorget_LengthStandardModuleAttributeSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeMyClientPlugin.dll'DisableWebcamLights
Source: invoice & packing.pdf.exe, 00000006.00000003.361188308.00000000045C4000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandleTCPCommandHandleUDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce

Yara detected Nanocore RAT

Show sources

Source: Yara match

File source: 00000000.00000002.348394866.0000000003E84000.00000004.00000001.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation1	Scheduled Task/Job1	Access Token Manipulation1	Masquerading11	Input Capture1	Query Registry1	Remote Services	Input Capture1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job1	Boot or Logon Initialization Scripts	Process Injection111	Virtualization/Sandbox Evasion3	LSASS Memory	Security Software Discovery121	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Non-Standard Port1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Scheduled Task/Job1	Disable or Modify Tools1	Security Account Manager	Virtualization/Sandbox Evasion3	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Remote Access Software1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Access Token Manipulation1	NTDS	Process Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Process Injection111	LSA Secrets	Application Window Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Hidden Files and Directories1	Cached Domain Credentials	Account Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Obfuscated Files or Information13	DCSync	System Owner/User Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Software Packing2	Proc Filesystem	File and Directory Discovery1	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Masquerading	/etc/passwd and /etc/shadow	System Information Discovery2	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
invoice & packing.pdf.exe	8%	ReversingLabs
invoice & packing.pdf.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\NKzWuwUvFAvUo.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\NKzWuwUvFAvUo.exe	8%	ReversingLabs

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
23.105.131.164	unknown	United States		396362	LEASEWEB-USA-NYC-11US	false

General Information

Joe Sandbox Version:	31.0.0 Red Diamond
Analysis ID:	320240
Start date:	19.11.2020
Start time:	07:46:27
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 10m 12s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	invoice & packing.pdf.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	23
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@12/8@0/1
EGA Information:	Failed
HDC Information:	Successful, ratio: 1.2% (good quality ratio 0.8%) Quality average: 44.3% Quality standard deviation: 33.7%
HCA Information:	Successful, ratio: 98% Number of executed functions: 255 Number of non-executed functions: 12
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information. Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
07:47:23	API Interceptor	966x Sleep call for process: invoice & packing.pdf.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
LEASEWEB-USA-NYC-11US	NXKfWP9SPF0XHRu.exe	Get hash	malicious	Browse	23.105.131.214
	DOC.exe	Get hash	malicious	Browse	23.105.131.162
	Shipping_Details.exe	Get hash	malicious	Browse	23.105.131.165
	2AyWKsCvVF.exe	Get hash	malicious	Browse	192.253.246.143
	tn9jVPvlMSqAUX5.exe	Get hash	malicious	Browse	23.105.131.229
	HLiw2LPA8i.rtf	Get hash	malicious	Browse	192.253.246.143
	TDToxqrclL.exe	Get hash	malicious	Browse	23.105.131.177
	Ziiq5tI3CT.exe	Get hash	malicious	Browse	23.105.131.239
	f3wo2FuLN6.exe	Get hash	malicious	Browse	192.253.246.143
	ORDER INQUIRY.pdf.exe	Get hash	malicious	Browse	23.105.131.177
	Purchase Order 4500033557.pdf.exe	Get hash	malicious	Browse	23.105.131.177
	SecuriteInfo.com.Trojan.DownLoader35.34609.25775.exe	Get hash	malicious	Browse	192.253.246.138
	Proof_of_payment.xlsm	Get hash	malicious	Browse	23.105.131.217
	invoice tax.xlsm	Get hash	malicious	Browse	23.105.131.217
	SHIPPING DOCUMENTS.pdf.exe	Get hash	malicious	Browse	23.105.131.177
	Payment_Order_20201111.xlsx	Get hash	malicious	Browse	192.253.246.138
	TLpMnhJmg7.exe	Get hash	malicious	Browse	192.253.246.143
	HDyADDoI3I.exe	Get hash	malicious	Browse	192.253.246.143
	11.exe	Get hash	malicious	Browse	173.234.155.145
	53C29QAJnd.exe	Get hash	malicious	Browse	173.234.155.145

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\invoice & packing.pdf.exe.log Download File
Process:	C:\Users\user\Desktop\invoice & packing.pdf.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	664
Entropy (8bit):	5.288448637977022
Encrypted:	false
SSDEEP:	12:Q3LaJU20NaL10Ug+9Yz9t0U29hJ5g1B0U2ukyrFk70U2xANlW3ANv:MLF20NaL3z2p29hJ5g522rW2xAi3A9
MD5:	B1DB55991C3DA14E35249AEA1BC357CA
SHA1:	0DD2D91198FDEF296441B12F1A906669B279700C
SHA-256:	34D3E48321D5010AD2BD1F3F0B728077E4F5A7F70D66FA36B57E5209580B6BDC
SHA-512:	BE38A31888C9C2F8047FA9C99672CB985179D325107514B7500DDA9523AE3E1D20B45EACC4E6C8A5D096360D0FBB98A120E63F38FFE324DF8A0559F6890CC801
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Remo#\35774dc3cd31b4550ab06c3354cf4ba5\System.Runtime.Remoting.ni.dll",0..

C:\Users\user\AppData\Local\Temp\tmpEBB4.tmp Download File
Process:	C:\Users\user\Desktop\invoice & packing.pdf.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1658
Entropy (8bit):	5.169644445225677
Encrypted:	false
SSDEEP:	24:2dH4+SEqC/S7h2ulNMFp2O/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKB3aItn:cbha7JlNQV/rydbz9I3YODOLNdq39
MD5:	8C54517939B406C8DAE32AD5439E85E4
SHA1:	F9C0D812F35D6498238989DFD5BF7469059632F8
SHA-256:	3B9BA204CF8DC26B7BE6F46EEDCDCA0D9DF4E156B4A57DB3647D998528CB871E
SHA-512:	795C7DE27586546AF789B9FFD53F891E70586DE2A5DCAE66328A8A6185739F69CC2C5B9BAC7AA0D8823160BCF2572ADC9AA548E7D9415A44EE33BF3C91EBE995
Malicious:	true
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvail

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat Download File
Process:	C:\Users\user\Desktop\invoice & packing.pdf.exe
File Type:	data
Category:	dropped
Size (bytes):	232
Entropy (8bit):	7.024371743172393
Encrypted:	false
SSDEEP:	6:X4LDAnybgCFcpJSQwP4d7ZrqJgTFwoaw+9XU4:X4LEnybgCFCtvd7ZrCgpwoaw+Z9
MD5:	32D0AAE13696FF7F8AF33B2D22451028
SHA1:	EF80C4E0DB2AE8EF288027C9D3518E6950B583A4
SHA-256:	5347661365E7AD2C1ACC27AB0D150FFA097D9246BB3626FCA06989E976E8DD29
SHA-512:	1D77FC13512C0DBC4EFD7A66ACB502481E4EFA0FB73D0C7D0942448A72B9B05BA1EA78DDF0BE966363C2E3122E0B631DB7630D044D08C1E1D32B9FB025C356A5
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat Download File
Process:	C:\Users\user\Desktop\invoice & packing.pdf.exe
File Type:	data
Category:	dropped
Size (bytes):	8
Entropy (8bit):	3.0
Encrypted:	false
SSDEEP:	3:UHh:m
MD5:	8F8822F0459769C3D4C8BBD6B94685D1
SHA1:	4403B5ABEB290502AA1CD8A297D7A22AEEFC618C
SHA-256:	9380CC30AE6D7AE544EEFBDD8929DD26AF5BB425CAA97E7688C313F069098687
SHA-512:	5305B6872A18CF0EC3350E702D14AF9C9D908CBCD57F9274AD0D08A5514AE08DE21DCFD61EEF854AEB494E579B40D4892EB09B2DDF3500196DA8284DD983DA69
Malicious:	true
Reputation:	low
Preview:	..*k...H

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bin Download File
Process:	C:\Users\user\Desktop\invoice & packing.pdf.exe
File Type:	data
Category:	dropped
Size (bytes):	40
Entropy (8bit):	5.221928094887364
Encrypted:	false
SSDEEP:	3:9bzY6oRDMjmPl:RzWDMCd
MD5:	AE0F5E6CE7122AF264EC533C6B15A27B
SHA1:	1265A495C42EED76CC043D50C60C23297E76CCE1
SHA-256:	73B0B92179C61C26589B47E9732CE418B07EDEE3860EE5A2A5FB06F3B8AA9B26
SHA-512:	DD44C2D24D4E3A0F0B988AD3D04683B5CB128298043134649BBE33B2512CE0C9B1A8E7D893B9F66FBBCDD901E2B0646C4533FB6C0C8C4AFCB95A0EFB95D446F8
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	9iH...}Z.4..f..... 8.j....\|.&X..e.F.*.

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\storage.dat Download File
Process:	C:\Users\user\Desktop\invoice & packing.pdf.exe
File Type:	data
Category:	dropped
Size (bytes):	426840
Entropy (8bit):	7.999608491116724
Encrypted:	true
SSDEEP:	12288:zKf137EiDsTjevgA4p0V7njXuWSvdVU7V4OC0Rr:+134i2lp67i5d8+OCg
MD5:	963D5E2C9C0008DFF05518B47C367A7F
SHA1:	C183D601FABBC9AC8FBFA0A0937DECC677535E74
SHA-256:	5EACF2974C9BB2C2E24CDC651C4840DD6F4B76A98F0E85E90279F1DBB2E6F3C0
SHA-512:	0C04E1C1A13070D48728D9F7F300D9B26DEC6EC8875D8D3017EAD52B9EE5BDF9B651A7F0FCC537761212831107646ED72B8ED017E7477E600BC0137EF857AE2C
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	..g&jo...IPg...GM....R>i...o...I.>.&.r{....8...}...E....v.!7.u3e.. .....db...}.......".t(.xC9.cp.B....7...'.......%......w.^.._.......B.W%.<..i.0.{9.xS...5...)..w..$..C..?`F..u.5.T.X.w'Si..z.n{...Y!m...RA...xg....[7...z..9@.K.-...T..+.ACe....R....enO.....AoNMT.\^....}H&..4I...B.:..@..J...v..rI5..kP......2j....B..B.~.T..>.c..emW;Rn<9..[.r.o....R[....@=...:...L.g<.....I..%4[.G^.~.l'......v.p&.........+..S...9d/.{..H.`@.1..........f.\s...X.a.].<.h...J4...k.x....%3.......3.c..?%....>.!.}..)(.{...H...3..`'].Q.[sN..JX(.%pH....+......(...v.....H...3..8.a_..J..?4...y.N(..D.h..g.jD..I...44Q?..N......oX.A......l...n?./..........$.!..;.^9"H...........OkF....v.m_.e.v..f...."..bq{.....O.-....%R+...-..P.i..t5....2Z# ...#...,L..{..j..heT -=Z.P;...g.m)<owJ].J..../.p..8.u8.&..#.m9...j%..g&....g.x.I,....u.[....>./W...........X...bZ...ex.0..x.}.....Tb...[..H_M._.^N.d&...g._."@4N.pDs].GbT.......&p........Nw...%$=.....{..J.1....2....<E{..<!G..

C:\Users\user\AppData\Roaming\NKzWuwUvFAvUo.exe Download File
Process:	C:\Users\user\Desktop\invoice & packing.pdf.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	590336
Entropy (8bit):	7.810863680136923
Encrypted:	false
SSDEEP:	12288:h5k/J+UIdk23WCfofAeGD2TmPsaMj7Yx960yBHXoauQ2YwhOTHo:hfUIdkSWCQfAebiPZY7Ye9ZXzKD8
MD5:	AC3668260346D59F25905579AA8EAF94
SHA1:	479C7E0B3696F174E13D59AE04353205B9A3203D
SHA-256:	3F746FA6F84B842F03679244794C7F16F4497FB2FB8EB770539A7BBD3110E9E9
SHA-512:	1F7B0571BDD36F119EE7CC7A2D578C337E6BB9D092EA29E15C4C10A49BB6A0C95BEDBACF4F460815307585ECA9D02F249D9738B645F5BA8CBC4A9F502C7A8B55
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 8%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....._..............P......D......".... ........@.. .......................`............@.....................................O.......pA...................@....................................................... ............... ..H............text...(.... ...................... ..`.rsrc...pA.......B..................@..@.reloc.......@......................@..B........................H......................x{..X_...........................................0............(....(..........(.....o..........................(.......( ......(!......("......(#....N..(....oD...($....&..(%.....s&........s'........s(........s)........s............0...........~....o+....+...0...........~....o,....+...0...........~....o-....+...0...........~....o.....+...0...........~....o/....+...0..<........~.....(0.....,!r...p.....(1...o2...s3............~.....+...0......

C:\Users\user\AppData\Roaming\NKzWuwUvFAvUo.exe:Zone.Identifier Download File
Process:	C:\Users\user\Desktop\invoice & packing.pdf.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.810863680136923
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	invoice & packing.pdf.exe
File size:	590336
MD5:	ac3668260346d59f25905579aa8eaf94
SHA1:	479c7e0b3696f174e13d59ae04353205b9a3203d
SHA256:	3f746fa6f84b842f03679244794c7f16f4497fb2fb8eb770539a7bbd3110e9e9
SHA512:	1f7b0571bdd36f119ee7cc7a2d578c337e6bb9d092ea29e15c4c10a49bb6a0c95bedbacf4f460815307585eca9d02f249d9738b645f5ba8cbc4a9f502c7a8b55
SSDEEP:	12288:h5k/J+UIdk23WCfofAeGD2TmPsaMj7Yx960yBHXoauQ2YwhOTHo:hfUIdkSWCQfAebiPZY7Ye9ZXzKD8
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......_..............P......D......".... ........@.. .......................`............@................................

File Icon


Icon Hash:	f8c492aaaa92dcfe

Static PE Info

General
Entrypoint:	0x48db22
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x5FB5CEE5 [Thu Nov 19 01:48:21 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:	v2.0.50727
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8dad0	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x8e000	0x4170	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x94000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x8bb28	0x8bc00	False	0.877744507491	data	7.83069798608	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0x8e000	0x4170	0x4200	False	0.503255208333	data	5.47730162147	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x94000	0xc	0x200	False	0.044921875	data	0.101910425663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
RT_ICON	0x8e190	0x468	GLS_BINARY_LSB_FIRST
RT_ICON	0x8e5f8	0x10a8	dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 4275388049, next used block 4258479509
RT_ICON	0x8f6a0	0x25a8	dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 3771611807, next used block 3167566498
RT_GROUP_ICON	0x91c48	0x30	data
RT_VERSION	0x91c78	0x30c	data
RT_MANIFEST	0x91f84	0x1ea	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright 2014
Assembly Version	1.0.0.0
InternalName	gSqi.exe
FileVersion	1.0.0.0
CompanyName
LegalTrademarks
Comments
ProductName	Blackjack
ProductVersion	1.0.0.0
FileDescription	Blackjack
OriginalFilename	gSqi.exe

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 19, 2020 07:47:30.474591970 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:47:30.792576075 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:30.792745113 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:47:30.823401928 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:47:31.155839920 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:31.167666912 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:47:31.486973047 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:31.489686012 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:47:31.849564075 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:31.849776030 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:47:32.215687990 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:32.234042883 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:32.240955114 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:32.241173983 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:47:32.246521950 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:32.252232075 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:32.252499104 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:47:32.260375977 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:32.265594006 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:32.265743971 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:47:32.270591974 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:32.274962902 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:32.275067091 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:47:32.283077002 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:32.289684057 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:32.289827108 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:47:32.577071905 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:32.581955910 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:32.582199097 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:47:32.586194992 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:32.591187954 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:32.591351032 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:47:32.598623991 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:32.602005005 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:32.602191925 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:47:32.605751038 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:32.612010956 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:32.612185955 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:47:32.618050098 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:32.623076916 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:32.623183966 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:47:32.627986908 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:32.633099079 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:32.633234024 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:47:32.637991905 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:32.642129898 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:32.642303944 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:47:32.646337032 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:32.658047915 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:32.658168077 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:47:32.658176899 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:32.660998106 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:32.661154032 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:47:32.664242983 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:32.670133114 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:32.670347929 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:47:32.903955936 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:32.908914089 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:32.909184933 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:47:32.915057898 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:32.918975115 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:32.919220924 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:47:32.925088882 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:32.930382013 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:32.930627108 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:47:32.936024904 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:32.941917896 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:32.942300081 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:47:32.947257042 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:32.952514887 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:32.952651978 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:47:32.956017971 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:32.960462093 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:32.960736036 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:47:32.964013100 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:32.970436096 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:32.970541000 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:47:32.974679947 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:32.977952957 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:32.978094101 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:47:32.981884003 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:32.985008955 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:32.985115051 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:47:32.987893105 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:32.990993977 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:32.991130114 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:47:32.992677927 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:32.996151924 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:32.996345997 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:47:32.999043941 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:33.002943993 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:33.003117085 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:47:33.005810976 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:33.009715080 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:33.009891033 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:47:33.013971090 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:33.017862082 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:33.018131971 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:47:33.021931887 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:33.025867939 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:33.026076078 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:47:33.029792070 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:33.032890081 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:33.036854982 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:33.040079117 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:33.042859077 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:33.043930054 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:47:33.044075012 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:47:33.045725107 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:33.046396017 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:47:33.049149990 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:33.052216053 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:33.052474976 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:47:33.055042982 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:33.058418036 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:33.058598042 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:47:33.060928106 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:33.117253065 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:47:33.238305092 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:33.239873886 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:33.239984035 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:47:33.241883993 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:33.246997118 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:33.247098923 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:47:33.257246017 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:33.257280111 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:33.257446051 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:47:33.266299963 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:33.271908998 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:33.271996975 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:47:33.280898094 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:33.287240982 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:33.287380934 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:47:33.291390896 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:33.295114040 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:33.295218945 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:47:33.298022032 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:33.302053928 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:33.302138090 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:47:33.309271097 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:33.310527086 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:33.310616016 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:47:33.312784910 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:33.322698116 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:33.322841883 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:47:33.326060057 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:33.329817057 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:33.329950094 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:47:33.332847118 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:33.336837053 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:33.336950064 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:47:33.339987040 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:33.343869925 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:33.344075918 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:47:33.346872091 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:33.349657059 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:33.349780083 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:47:33.353041887 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:33.355804920 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:33.355901957 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:47:33.358958960 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:33.361037970 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:33.361196995 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:47:33.362668991 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:33.364872932 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:33.364949942 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:47:33.368087053 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:33.370106936 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:33.370196104 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:47:33.374034882 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:33.376951933 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:33.377100945 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:47:33.380316019 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:33.384556055 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:33.384673119 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:47:33.385304928 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:33.387111902 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:33.387167931 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:47:33.389048100 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:33.392139912 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:33.392235041 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:47:33.402111053 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:33.402136087 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:33.402252913 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:47:33.402441025 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:33.402563095 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:33.402616978 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:47:33.406877995 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:33.408838034 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:33.408916950 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:47:33.411797047 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:33.414072037 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:33.414146900 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:47:33.482022047 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:33.523250103 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:47:33.574114084 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:33.575912952 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:33.576034069 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:47:33.580862999 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:33.589409113 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:33.589518070 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:47:33.592077017 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:33.593894005 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:33.593980074 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:47:33.599138975 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:33.602981091 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:33.603117943 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:47:33.607666016 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:33.610022068 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:33.610129118 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:47:33.615545034 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:33.619282007 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:33.619380951 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:47:33.621728897 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:33.624933958 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:33.625003099 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:47:33.627911091 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:33.629745960 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:33.630789042 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:47:33.633074045 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:33.635938883 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:33.636070013 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:47:33.652084112 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:33.663899899 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:33.664048910 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:47:33.664098024 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:33.668900967 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:33.669037104 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:47:33.671325922 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:33.676032066 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:33.676140070 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:47:33.685815096 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:33.689997911 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:33.690073967 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:33.690120935 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:47:33.692747116 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:33.692841053 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:47:33.695858002 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:33.699189901 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:33.699341059 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:47:33.700551033 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:33.705094099 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:33.705184937 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:47:33.708065987 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:33.712022066 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:33.712272882 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:47:33.716258049 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:33.721779108 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:33.721896887 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:47:33.730930090 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:33.730957031 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:33.731065035 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:47:33.741009951 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:33.741039038 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:33.741136074 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:47:33.741945028 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:33.743864059 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:33.744028091 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:47:33.747112989 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:33.751204967 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:33.751321077 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:47:33.754914999 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:33.758208990 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:33.758388996 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:47:33.769974947 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:33.776305914 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:33.776410103 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:33.776489973 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:47:33.779006958 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:33.779129982 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:47:33.839068890 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:33.882827997 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:47:33.890830040 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:33.893629074 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:33.893701077 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:47:33.917355061 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:33.917385101 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:33.917500973 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:47:33.925793886 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:33.928845882 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:33.928992033 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:33.929009914 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:33.929033041 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:47:33.929083109 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:47:33.930890083 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:33.933947086 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:33.934092999 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:47:33.935908079 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:33.946166039 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:33.946336985 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:47:33.947375059 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:33.947647095 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:33.947736979 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:47:33.951935053 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:33.952142954 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:33.952240944 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:47:33.954091072 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:33.958065987 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:33.958730936 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:47:33.981000900 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:33.983874083 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:33.983997107 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:47:33.986787081 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:33.991815090 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:33.991935015 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:47:33.995558023 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:33.997483969 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:33.997603893 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:47:34.000463963 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:34.003149986 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:34.003216982 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:47:34.004869938 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:34.008088112 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:34.008275986 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:47:34.009988070 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:34.011934996 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:34.012032032 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:47:34.014889956 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:34.017024040 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:34.017141104 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:47:34.018898964 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:34.022052050 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:34.022155046 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:47:34.023843050 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:34.026442051 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:34.026561975 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:47:34.028758049 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:34.031030893 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:34.032881021 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:34.036019087 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:34.040879965 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:34.041001081 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:47:34.041147947 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:47:34.069508076 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:34.069688082 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:47:34.079114914 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:34.082999945 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:34.083134890 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:47:34.083312035 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:34.083448887 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:34.083504915 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:47:34.083832979 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:34.085813999 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:34.085917950 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:47:34.088009119 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:34.090740919 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:34.090854883 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:47:34.093946934 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:34.096832037 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:34.096921921 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:47:34.107223988 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:34.107711077 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:34.107836008 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:47:34.107850075 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:34.108052015 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:34.108104944 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:47:34.118993998 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:34.119025946 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:34.119049072 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:34.119072914 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:34.119148970 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:47:34.119204044 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:47:34.132648945 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:34.132682085 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:34.132705927 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:34.132726908 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:34.132792950 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:47:34.132832050 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:47:34.134278059 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:34.137033939 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:34.137135029 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:47:34.140129089 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:34.149303913 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:34.149327993 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:34.149347067 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:34.149493933 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:47:34.149761915 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:34.155052900 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:34.155138969 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:47:34.158390999 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:34.160437107 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:34.160516024 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:47:34.161714077 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:34.166182041 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:34.166270971 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:47:34.168997049 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:34.205317974 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:34.205380917 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:47:34.215307951 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:34.227442026 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:34.227478981 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:34.227706909 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:47:34.258100033 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:34.261475086 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:34.261550903 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:47:34.262933969 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:34.266035080 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:34.266166925 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:47:34.267862082 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:34.270761967 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:34.270883083 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:47:34.272860050 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:34.276995897 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:34.277113914 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:47:34.279673100 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:34.282912970 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:34.283065081 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:47:34.285763025 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:34.288049936 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:34.288144112 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:47:34.289928913 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:34.291872025 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:34.291964054 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:47:34.295106888 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:34.297648907 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:34.297840118 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:47:34.325071096 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:34.328299999 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:34.328461885 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:47:34.330838919 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:34.334736109 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:34.334892035 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:47:34.337982893 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:34.339719057 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:34.339926958 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:47:34.341748953 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:34.382786989 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:47:34.822532892 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:47:35.173460960 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:35.338215113 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:35.382828951 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:47:35.505636930 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:47:35.683836937 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:35.684148073 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:47:35.705514908 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:35.705712080 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:47:35.895529032 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:35.895678997 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:47:36.111485004 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:36.164149046 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:47:36.248929024 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:36.481659889 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:36.481801987 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:47:36.487430096 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:36.487541914 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:47:36.492708921 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:47:36.851689100 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:36.851958036 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:47:37.204586029 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:37.567451000 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:47:37.922472000 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:38.070847034 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:38.117455006 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:47:39.376895905 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:47:39.733326912 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:41.117816925 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:41.164534092 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:47:43.227916002 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:47:43.580044031 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:46.124427080 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:46.164940119 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:47:46.499491930 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:46.499520063 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:46.499598026 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:47:46.499948978 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:47:49.228002071 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:47:49.576069117 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:51.110513926 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:51.165388107 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:47:54.089277983 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:54.134529114 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:47:54.213546038 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:47:54.584995985 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:56.119386911 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:47:56.161668062 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:47:59.634414911 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:47:59.996531010 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:48:01.115570068 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:48:01.166258097 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:48:02.075684071 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:48:02.119472027 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:48:04.651329994 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:48:05.006562948 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:48:06.114814043 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:48:06.166668892 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:48:09.715878963 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:48:10.070455074 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:48:10.090493917 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:48:10.198251963 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:48:10.491452932 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:48:10.491539955 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:48:11.115291119 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:48:11.198326111 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:48:11.508735895 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:48:11.508944988 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:48:15.714914083 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:48:16.075459003 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:48:16.115503073 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:48:16.198761940 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:48:16.508625031 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:48:16.509232044 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:48:18.114487886 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:48:18.198910952 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:48:18.469465971 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:48:18.469618082 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:48:21.115230083 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:48:21.201282978 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:48:21.449595928 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:48:21.509987116 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:48:21.510407925 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:48:21.807842016 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:48:26.106065035 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:48:26.152677059 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:48:26.465002060 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:48:26.509922981 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:48:27.407046080 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:48:27.761698008 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:48:31.116660118 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:48:31.168829918 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:48:32.404073000 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:48:32.775379896 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:48:34.106786966 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:48:34.153363943 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:48:36.119344950 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:48:36.169131041 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:48:38.154865980 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:48:38.504417896 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:48:41.124798059 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:48:41.169543982 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:48:42.103327036 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:48:42.154066086 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:48:43.156187057 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:48:43.526665926 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:48:46.119525909 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:48:46.169996023 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:48:49.155038118 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:48:49.516686916 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:48:50.112087965 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:48:50.154723883 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:48:50.469181061 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:48:50.469274044 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:48:51.135755062 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:48:51.186043978 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:48:51.496646881 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:48:51.498195887 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:48:55.156204939 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:48:55.509310007 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:48:56.143491030 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:48:56.186599016 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:48:56.495687008 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:48:56.495883942 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:48:58.121857882 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:48:58.171108007 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:48:58.479067087 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:48:58.479381084 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:49:01.156001091 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:49:01.203567028 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:49:01.249397993 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:49:01.534868956 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:49:01.836858034 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:49:01.836999893 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:49:01.848417997 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:49:06.115660906 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:49:06.161755085 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:49:06.259723902 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:49:06.482587099 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:49:06.537794113 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:49:06.615132093 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:49:11.128078938 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:49:11.182039976 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:49:11.823540926 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:49:12.197757006 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:49:12.202325106 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:49:12.513901949 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:49:14.126650095 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:49:14.166608095 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:49:16.144046068 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:49:16.198260069 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:49:16.502558947 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:49:16.502837896 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:49:16.824606895 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:49:17.177620888 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:49:21.135694027 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:49:21.182887077 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:49:21.500888109 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:49:21.501127005 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:49:21.824157000 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:49:22.126611948 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:49:22.167367935 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:49:22.178631067 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:49:26.126462936 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:49:26.167619944 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:49:26.898552895 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:49:27.255127907 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:49:30.128540039 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:49:30.183628082 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:49:31.129568100 CET	5050	49727	23.105.131.164	192.168.2.6
Nov 19, 2020 07:49:31.178742886 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:49:32.247490883 CET	49727	5050	192.168.2.6	23.105.131.164
Nov 19, 2020 07:49:32.600199938 CET	5050	49727	23.105.131.164	192.168.2.6

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: invoice & packing.pdf.exe PID: 7160 Parent PID: 5952

General

Start time:	07:47:22
Start date:	19/11/2020
Path:	C:\Users\user\Desktop\invoice & packing.pdf.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\invoice & packing.pdf.exe'
Imagebase:	0x790000
File size:	590336 bytes
MD5 hash:	AC3668260346D59F25905579AA8EAF94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.348394866.0000000003E84000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.348394866.0000000003E84000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000000.00000002.348394866.0000000003E84000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.348069175.0000000002E81000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.348133021.0000000002ED7000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: schtasks.exe PID: 1560 Parent PID: 7160

General

Start time:	07:47:24
Start date:	19/11/2020
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\NKzWuwUvFAvUo' /XML 'C:\Users\user\AppData\Local\Temp\tmpEBB4.tmp'
Imagebase:	0xa70000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 1420 Parent PID: 1560

General

Start time:	07:47:25
Start date:	19/11/2020
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff61de10000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: invoice & packing.pdf.exe PID: 4624 Parent PID: 7160

General

Start time:	07:47:25
Start date:	19/11/2020
Path:	C:\Users\user\Desktop\invoice & packing.pdf.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\invoice & packing.pdf.exe
Imagebase:	0x370000
File size:	590336 bytes
MD5 hash:	AC3668260346D59F25905579AA8EAF94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: invoice & packing.pdf.exe PID: 4668 Parent PID: 7160

General

Start time:	07:47:25
Start date:	19/11/2020
Path:	C:\Users\user\Desktop\invoice & packing.pdf.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\invoice & packing.pdf.exe
Imagebase:	0x3d0000
File size:	590336 bytes
MD5 hash:	AC3668260346D59F25905579AA8EAF94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: invoice & packing.pdf.exe PID: 4696 Parent PID: 7160

General

Start time:	07:47:26
Start date:	19/11/2020
Path:	C:\Users\user\Desktop\invoice & packing.pdf.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\invoice & packing.pdf.exe
Imagebase:	0x20000
File size:	590336 bytes
MD5 hash:	AC3668260346D59F25905579AA8EAF94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: invoice & packing.pdf.exe PID: 6040 Parent PID: 7160

General

Start time:	07:47:26
Start date:	19/11/2020
Path:	C:\Users\user\Desktop\invoice & packing.pdf.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\invoice & packing.pdf.exe
Imagebase:	0xa30000
File size:	590336 bytes
MD5 hash:	AC3668260346D59F25905579AA8EAF94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: NanoCore, Description: unknown, Source: 00000006.00000003.361188308.00000000045C4000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: invoice & packing.pdf.exe PID: 7160 Parent PID: 5952 invoice & packing.pdf.exeCOMMON

Executed Functions

Function 04FC1DC8, Relevance: 3.9, Strings: 3, Instructions: 190COMMON

Download Yara Rule

Strings

X$kr, xrefs: 04FC1EE1
X1kr, xrefs: 04FC1FA6
X$kr, xrefs: 04FC1EF1

Memory Dump Source

Source File: 00000000.00000002.349183972.0000000004FC0000.00000040.00000001.sdmp, Offset: 04FC0000, based on PE: false

Similarity

API ID:
String ID: X$kr$X$kr$X1kr
API String ID: 0-1403565524
Opcode ID: 34cba6246f49019c3734db5a282d7a10c2bb1ca6756f1dfd31f014b1f875b5f4
Instruction ID: de3df9ca22d68a3a7f9360ea745913eaf9f40cf2149bfdb7fd6f377f72193a62
Opcode Fuzzy Hash: 34cba6246f49019c3734db5a282d7a10c2bb1ca6756f1dfd31f014b1f875b5f4
Instruction Fuzzy Hash: B181C774E01209DFDB14DFA9D684AADBBF2FF88300F20906AD505AB255EB35A942CF14

Uniqueness

Uniqueness Score: -1.00%

Function 04FC1DB7, Relevance: 2.7, Strings: 2, Instructions: 181COMMON

Download Yara Rule

Strings

X$kr, xrefs: 04FC1EE1
X1kr, xrefs: 04FC1FA6

Memory Dump Source

Source File: 00000000.00000002.349183972.0000000004FC0000.00000040.00000001.sdmp, Offset: 04FC0000, based on PE: false

Similarity

API ID:
String ID: X$kr$X1kr
API String ID: 0-3132599531
Opcode ID: c213eede849ac79b45a086ed4216d9aff7e5e467082401e7b6f1bf5639c88068
Instruction ID: 8edd6df4a46bef1ff1053f2b92d53abea082381eb90d02ab276f6da5d442f668
Opcode Fuzzy Hash: c213eede849ac79b45a086ed4216d9aff7e5e467082401e7b6f1bf5639c88068
Instruction Fuzzy Hash: 6D71E874E01209DFDB14DFA9D684AADBBF2FF89300F20806AD405AB365EB356942CF14

Uniqueness

Uniqueness Score: -1.00%

Function 04FC0B90, Relevance: 1.6, Strings: 1, Instructions: 376COMMON

Download Yara Rule

Strings

X1kr, xrefs: 04FC11D7

Memory Dump Source

Source File: 00000000.00000002.349183972.0000000004FC0000.00000040.00000001.sdmp, Offset: 04FC0000, based on PE: false

Similarity

API ID:
String ID: X1kr
API String ID: 0-844551562
Opcode ID: b39ad70f691fa896e1ef29eeee8a2cd33f34e54d9f6c76562cfbb36a53e5765f
Instruction ID: 9ccdb0ae4c96e82f70fe385d2a06c4dfef379e6cb7e8d9f3d7fd00046c6e6fbc
Opcode Fuzzy Hash: b39ad70f691fa896e1ef29eeee8a2cd33f34e54d9f6c76562cfbb36a53e5765f
Instruction Fuzzy Hash: BE028474E002289FDB64DFA9CC51BDDBBB2BF89300F1081A99509AB365EB355E91CF50

Uniqueness

Uniqueness Score: -1.00%

Function 04FC0BA0, Relevance: 1.6, Strings: 1, Instructions: 368COMMON

Download Yara Rule

Strings

X1kr, xrefs: 04FC11D7

Memory Dump Source

Source File: 00000000.00000002.349183972.0000000004FC0000.00000040.00000001.sdmp, Offset: 04FC0000, based on PE: false

Similarity

API ID:
String ID: X1kr
API String ID: 0-844551562
Opcode ID: 0791f9fe9bc8a9ba583a2ead7b8b82af6eb1025d78bdc46092d2afa687547d00
Instruction ID: e6f0148a9c0452373c1ff0529dd8f18dafd3b3bc7c033191420759dbe1eba229
Opcode Fuzzy Hash: 0791f9fe9bc8a9ba583a2ead7b8b82af6eb1025d78bdc46092d2afa687547d00
Instruction Fuzzy Hash: B8028374E002289FDB64DFA9CD50BDDBBB2BF88300F1081A99609A7365EB755E91CF50

Uniqueness

Uniqueness Score: -1.00%

Function 055A0F6B, Relevance: 1.6, APIs: 1, Instructions: 75COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 055A0FEB

Memory Dump Source

Source File: 00000000.00000002.351363579.00000000055A0000.00000040.00000001.sdmp, Offset: 055A0000, based on PE: false

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: 9e0098757831b7a4f8fa4068778cd19c389e7577220884dc6328ce95a96e8ab9
Instruction ID: 7a16507d2c92f3342adbdae95be7dadf0ead7fb931ae5ae9fc232a37e41b0106
Opcode Fuzzy Hash: 9e0098757831b7a4f8fa4068778cd19c389e7577220884dc6328ce95a96e8ab9
Instruction Fuzzy Hash: 6D219F76509784AFDB128F25DC44B66BFB4BF06210F0885DAEA858F163D275A908CB62

Uniqueness

Uniqueness Score: -1.00%

Function 055A1389, Relevance: 1.6, APIs: 1, Instructions: 56nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL ref: 055A13F1

Memory Dump Source

Source File: 00000000.00000002.351363579.00000000055A0000.00000040.00000001.sdmp, Offset: 055A0000, based on PE: false

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: d357b33e7b4d5e1bfe2412aab9ced4129c60a2ada941d0072414bda485e2fd5d
Instruction ID: 2e3e07f617af6fa725631756690ed9baf3ba5923c7040aa0af52f7ff4e6226e7
Opcode Fuzzy Hash: d357b33e7b4d5e1bfe2412aab9ced4129c60a2ada941d0072414bda485e2fd5d
Instruction Fuzzy Hash: C111BF72409780AFDB228F25DC44A62FFB4FF06310F0884DAEE844B663D375A519DB62

Uniqueness

Uniqueness Score: -1.00%

Function 055A0FA2, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 055A0FEB

Memory Dump Source

Source File: 00000000.00000002.351363579.00000000055A0000.00000040.00000001.sdmp, Offset: 055A0000, based on PE: false

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: 09870fbbe8edbfd7fff7529ed4cc5fb5c248e2f0e00542f41550e0e2fb594a5d
Instruction ID: 7a6c6b095686a0aa0ab0cbdd5d9327a7a5ac99633a70ef645bfba20b739d9dae
Opcode Fuzzy Hash: 09870fbbe8edbfd7fff7529ed4cc5fb5c248e2f0e00542f41550e0e2fb594a5d
Instruction Fuzzy Hash: E9115E725006449FDB20CF65D884B6AFBE4FF04220F0884AADE858B651D775E518CB71

Uniqueness

Uniqueness Score: -1.00%

Function 00DFB0BE, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,00000E2C,?,?), ref: 00DFB10E

Memory Dump Source

Source File: 00000000.00000002.346824127.0000000000DFA000.00000040.00000001.sdmp, Offset: 00DFA000, based on PE: false

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: e501706fab4e7de498ebbafa3f89891b2c3b558ef7e768e876e452511eb093a0
Instruction ID: 6034e1267dbb2e35e1174a2a1e66353a59586ad65716549348981ca3693bb74c
Opcode Fuzzy Hash: e501706fab4e7de498ebbafa3f89891b2c3b558ef7e768e876e452511eb093a0
Instruction Fuzzy Hash: FC01A271500600ABD210DF16DC82F26FBA8FBC8B20F14815AED084B741E331F516CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 055A13B6, Relevance: 1.5, APIs: 1, Instructions: 38nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL ref: 055A13F1

Memory Dump Source

Source File: 00000000.00000002.351363579.00000000055A0000.00000040.00000001.sdmp, Offset: 055A0000, based on PE: false

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: 693d53f71bfb252cafd8cfe8a00d1b9597b52a83a0ae9c2306ce9b4b4e52090d
Instruction ID: ba5f215727c7c12fc217216db5a88d8127f406101b2f19e6174f84317c59a2ec
Opcode Fuzzy Hash: 693d53f71bfb252cafd8cfe8a00d1b9597b52a83a0ae9c2306ce9b4b4e52090d
Instruction Fuzzy Hash: F1017C36400A40DFDB20CF69D884B2AFFE0FF04320F08849ADE490B611D3B5A418CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 05625D97, Relevance: .2, Instructions: 235COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.351442044.0000000005620000.00000040.00000001.sdmp, Offset: 05620000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c9f7f0aedec2ee84dc07c5fcbe1032ec8b9590f74228b7378479086ca8f4377
Instruction ID: 52ba4313df4a5d03adc8df971e025ff10d07e1c1a4165131cc04c87016efde49
Opcode Fuzzy Hash: 0c9f7f0aedec2ee84dc07c5fcbe1032ec8b9590f74228b7378479086ca8f4377
Instruction Fuzzy Hash: 63A134B0D04668CFDB14DFAAC444AADBBF2FF68314F20825AD816AB355D7309942CF65

Uniqueness

Uniqueness Score: -1.00%

Function 04FC27BC, Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.349183972.0000000004FC0000.00000040.00000001.sdmp, Offset: 04FC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3b39c9e3614c08cfed3015caad2da309b5e7a12a728735061334da4a2aad963
Instruction ID: a916004a9549cf846c461f3d93c65cad77ad712cc4955573e4d1b52ff564ff5a
Opcode Fuzzy Hash: a3b39c9e3614c08cfed3015caad2da309b5e7a12a728735061334da4a2aad963
Instruction Fuzzy Hash: 609168B0E0425ACFDB00CFAAC6846ADFBF1FF49314F65829AD014AB295D730A942DB51

Uniqueness

Uniqueness Score: -1.00%

Function 04FC2270, Relevance: .2, Instructions: 215COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.349183972.0000000004FC0000.00000040.00000001.sdmp, Offset: 04FC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d418769e85a698d3aecb93c4134276b100350eb888a33b53be66fe0896df37a
Instruction ID: 402f89b07e8e377ff54547697dc65e11e6e68012c34223091449b1880eed1004
Opcode Fuzzy Hash: 2d418769e85a698d3aecb93c4134276b100350eb888a33b53be66fe0896df37a
Instruction Fuzzy Hash: A191C371D00619CFEB24CFA6C944BEEBBB2FF89300F0194A9D419A7255EB746986CF11

Uniqueness

Uniqueness Score: -1.00%

Function 04FC2261, Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.349183972.0000000004FC0000.00000040.00000001.sdmp, Offset: 04FC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef6dbd2a548339aa2579a665cb59d88ef15f669e0737f2fe7a7e45d3ab81d234
Instruction ID: 8c13b68bfeebc2d367ac9393a26feda9e45afddc0ecff9c20b4cd7a6ac68dcd9
Opcode Fuzzy Hash: ef6dbd2a548339aa2579a665cb59d88ef15f669e0737f2fe7a7e45d3ab81d234
Instruction Fuzzy Hash: 9361E571D14229CFDB24CFAAC9447EEBBB1FF89300F0194AAD418A7251EB745986CF51

Uniqueness

Uniqueness Score: -1.00%

Function 05628783, Relevance: 5.1, Strings: 4, Instructions: 95COMMON

Download Yara Rule

Strings

&, xrefs: 05628991
', xrefs: 05628ED7
, xrefs: 056287B5
-, xrefs: 05628774

Memory Dump Source

Source File: 00000000.00000002.351442044.0000000005620000.00000040.00000001.sdmp, Offset: 05620000, based on PE: false

Similarity

API ID:
String ID: $&$'$-
API String ID: 0-638103225
Opcode ID: aecd60cd6aa0cf9d8f87d6642c2bc201aaa4239332eda57c7c8bbf6a800bd4d3
Instruction ID: 3948432ce50f6988fda71911e31ed4f3cecf68b6c35d535434e0fc7f0980d7d9
Opcode Fuzzy Hash: aecd60cd6aa0cf9d8f87d6642c2bc201aaa4239332eda57c7c8bbf6a800bd4d3
Instruction Fuzzy Hash: 9D41B0B4905228CFDB64DF25C998BECBBB2BB89305F1081DAD109AB295CB345EC5CF51

Uniqueness

Uniqueness Score: -1.00%

Function 056286C4, Relevance: 3.8, Strings: 3, Instructions: 62COMMON

Download Yara Rule

Strings

', xrefs: 05628ED7
), xrefs: 05628708
(, xrefs: 05628F40

Memory Dump Source

Source File: 00000000.00000002.351442044.0000000005620000.00000040.00000001.sdmp, Offset: 05620000, based on PE: false

Similarity

API ID:
String ID: '$($)
API String ID: 0-530010866
Opcode ID: 449d97511322bb4c973aafeef01ea3f39cf17ca496614fe033721c0a951036cf
Instruction ID: d632c28e99764946eb5ed028b85dd20db584113320159e946b1b6367079b1661
Opcode Fuzzy Hash: 449d97511322bb4c973aafeef01ea3f39cf17ca496614fe033721c0a951036cf
Instruction Fuzzy Hash: 4131A0B4905228CBDB64DF64C998BDCBBB2BB95305F1081DAD509AB380CB745EC5CF10

Uniqueness

Uniqueness Score: -1.00%

Function 04FC05A8, Relevance: 2.7, Strings: 2, Instructions: 201COMMON

Download Yara Rule

Strings

`5kr, xrefs: 04FC072D
:@Dr, xrefs: 04FC06D4

Memory Dump Source

Source File: 00000000.00000002.349183972.0000000004FC0000.00000040.00000001.sdmp, Offset: 04FC0000, based on PE: false

Similarity

API ID:
String ID: :@Dr$`5kr
API String ID: 0-2548079215
Opcode ID: 2e6856d953895f23dbdab1a36ed087ef145769e6a1e6d1046a4acd5ef54493c0
Instruction ID: 09a7d6bf822752ff4876256997ed6b041b00a60c5b77fbbef6f5f34ab65c73a0
Opcode Fuzzy Hash: 2e6856d953895f23dbdab1a36ed087ef145769e6a1e6d1046a4acd5ef54493c0
Instruction Fuzzy Hash: 5F91E374E01219CFEB54CFA8C994BADBBF2BF89310F109069D509AB390DB71A946DF50

Uniqueness

Uniqueness Score: -1.00%

Function 05628517, Relevance: 2.6, Strings: 2, Instructions: 97COMMON

Download Yara Rule

Strings

', xrefs: 05628ED7
", xrefs: 0562884B

Memory Dump Source

Source File: 00000000.00000002.351442044.0000000005620000.00000040.00000001.sdmp, Offset: 05620000, based on PE: false

Similarity

API ID:
String ID: "$'
API String ID: 0-2422873937
Opcode ID: 76a06467bd9f506a8f616789b81150dc63393536195b0d76fc43795a31a719c4
Instruction ID: 065cafff9d21ed1d17a2e9ab08a631290ed73de8355f8d1dcfd211ac75780e09
Opcode Fuzzy Hash: 76a06467bd9f506a8f616789b81150dc63393536195b0d76fc43795a31a719c4
Instruction Fuzzy Hash: B241D478905228CFDB64DF65C988BECBBB2BB45315F1081DAD40AA7391CB745ACACF40

Uniqueness

Uniqueness Score: -1.00%

Function 05628B5C, Relevance: 2.6, Strings: 2, Instructions: 86COMMON

Download Yara Rule

Strings

+, xrefs: 05628E60
', xrefs: 05628ED7

Memory Dump Source

Source File: 00000000.00000002.351442044.0000000005620000.00000040.00000001.sdmp, Offset: 05620000, based on PE: false

Similarity

API ID:
String ID: '$+
API String ID: 0-2669121937
Opcode ID: f402bf24335147fa38c6779e9aee79c37dd75d5105d60d6308825191efa5319f
Instruction ID: 24cef8a41f0b2d7dedd98b311ee3498ea7f530be6800a902f695f87b1a9ad82a
Opcode Fuzzy Hash: f402bf24335147fa38c6779e9aee79c37dd75d5105d60d6308825191efa5319f
Instruction Fuzzy Hash: 1941B2B4905228CFDB64DF64C958BECBBB2BB89305F1081DAD409AB355CB359E86CF00

Uniqueness

Uniqueness Score: -1.00%

Function 04FC97F8, Relevance: 2.6, Strings: 2, Instructions: 73COMMON

Download Yara Rule

Strings

X$kr, xrefs: 04FC989C
X$kr, xrefs: 04FC98AC

Memory Dump Source

Source File: 00000000.00000002.349183972.0000000004FC0000.00000040.00000001.sdmp, Offset: 04FC0000, based on PE: false

Similarity

API ID:
String ID: X$kr$X$kr
API String ID: 0-2690305392
Opcode ID: 488f2440df2ad96589a2b2f1b506f7ce98375a7b008cb64fd913379b28acb25f
Instruction ID: 8618fbbda33213ddd3a7379a45fb35901f20898a2851e035522d4edf159650f4
Opcode Fuzzy Hash: 488f2440df2ad96589a2b2f1b506f7ce98375a7b008cb64fd913379b28acb25f
Instruction Fuzzy Hash: C93130B0E04249CFDB14DFA9C984AADBBB6FF88300F54C569D445A7384DB74A982CF90

Uniqueness

Uniqueness Score: -1.00%

Function 05628660, Relevance: 2.6, Strings: 2, Instructions: 70COMMON

Download Yara Rule

Strings

', xrefs: 05628ED7
(, xrefs: 05628F40

Memory Dump Source

Source File: 00000000.00000002.351442044.0000000005620000.00000040.00000001.sdmp, Offset: 05620000, based on PE: false

Similarity

API ID:
String ID: '$(
API String ID: 0-102678571
Opcode ID: 44944520049c835884c168b13a238c784c50e2deb17b26d049f7dcba663d0947
Instruction ID: b996d1a781d7a3199bdfe73b8004b32927436224704eee59dc8a1ad9a225a31c
Opcode Fuzzy Hash: 44944520049c835884c168b13a238c784c50e2deb17b26d049f7dcba663d0947
Instruction Fuzzy Hash: 013170B4905228CFDB64DF64C998BDCBBB2BB49305F1081D9D409AB355CB759E86CF40

Uniqueness

Uniqueness Score: -1.00%

Function 05628A47, Relevance: 2.6, Strings: 2, Instructions: 69COMMON

Download Yara Rule

Strings

', xrefs: 05628ED7
,, xrefs: 05628CF7

Memory Dump Source

Source File: 00000000.00000002.351442044.0000000005620000.00000040.00000001.sdmp, Offset: 05620000, based on PE: false

Similarity

API ID:
String ID: '$,
API String ID: 0-24314930
Opcode ID: 9dd87f13399599fda359af87ca8b6ac17467610c5008247b90e52a6dc5ceec23
Instruction ID: d718c86f91d021b46cc43356ffb1f58710dea3ac86be2db36591f5719430f62a
Opcode Fuzzy Hash: 9dd87f13399599fda359af87ca8b6ac17467610c5008247b90e52a6dc5ceec23
Instruction Fuzzy Hash: CB318FB4A05228CFDB60CF64C998BDCBBB2BB4A305F1081DAD449AB341DB759E85CF11

Uniqueness

Uniqueness Score: -1.00%

Function 05628B76, Relevance: 2.6, Strings: 2, Instructions: 65COMMON

Download Yara Rule

Strings

>_Ir, xrefs: 05628B7B
', xrefs: 05628ED7

Memory Dump Source

Source File: 00000000.00000002.351442044.0000000005620000.00000040.00000001.sdmp, Offset: 05620000, based on PE: false

Similarity

API ID:
String ID: '$>_Ir
API String ID: 0-2005802922
Opcode ID: 642db5b7eb58c11cdbcdf1df42e30983a2cd5ae372d3f3825c7afa948cac09e9
Instruction ID: e6f63f0014e251415e21486e9b00062b54c8239463870864fa2f58b225c72644
Opcode Fuzzy Hash: 642db5b7eb58c11cdbcdf1df42e30983a2cd5ae372d3f3825c7afa948cac09e9
Instruction Fuzzy Hash: 5331C274901228CBDB60DF24C898BECBBB2BB89305F1081D9D509AB344CB749EC5CF11

Uniqueness

Uniqueness Score: -1.00%

Function 04FCF6A0, Relevance: 2.6, Strings: 2, Instructions: 64COMMON

Download Yara Rule

Strings

X$kr, xrefs: 04FCF72A
X$kr, xrefs: 04FCF73A

Memory Dump Source

Source File: 00000000.00000002.349183972.0000000004FC0000.00000040.00000001.sdmp, Offset: 04FC0000, based on PE: false

Similarity

API ID:
String ID: X$kr$X$kr
API String ID: 0-2690305392
Opcode ID: 0e59aac90943e1fd8583b91eddf4e6d77c35915112620461cab1361348771744
Instruction ID: aef821b8ca1cee44cb960c23cebe75252f832a9abfaef29376e8a40012125f77
Opcode Fuzzy Hash: 0e59aac90943e1fd8583b91eddf4e6d77c35915112620461cab1361348771744
Instruction Fuzzy Hash: 91214F74E0424ADFCB14DFA9C6406AEFBB2BF44300F10C1AAD815A7284D734A982DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 05628717, Relevance: 2.6, Strings: 2, Instructions: 63COMMON

Download Yara Rule

Strings

', xrefs: 05628ED7
-, xrefs: 05628774

Memory Dump Source

Source File: 00000000.00000002.351442044.0000000005620000.00000040.00000001.sdmp, Offset: 05620000, based on PE: false

Similarity

API ID:
String ID: '$-
API String ID: 0-1987327140
Opcode ID: 347a99e71a10380486a796551dc935cb569b7aa1ef6aa4020b1bd88590f845a6
Instruction ID: 4f87d1758aedb79607a3c9f5ab6ef16fb5ef1ff76818329186823efff4115210
Opcode Fuzzy Hash: 347a99e71a10380486a796551dc935cb569b7aa1ef6aa4020b1bd88590f845a6
Instruction Fuzzy Hash: 9031A274901268CFDB64DF64C999BECBBB2AB85305F1081DAD50AAB394CB345EC6CF40

Uniqueness

Uniqueness Score: -1.00%

Function 05628614, Relevance: 2.6, Strings: 2, Instructions: 63COMMON

Download Yara Rule

Strings

#, xrefs: 05628650
', xrefs: 05628ED7

Memory Dump Source

Source File: 00000000.00000002.351442044.0000000005620000.00000040.00000001.sdmp, Offset: 05620000, based on PE: false

Similarity

API ID:
String ID: #$'
API String ID: 0-2443736422
Opcode ID: 3dc74708ede5d07eab7fa09f2a96979b5884ffe7111dcc3a8349632538cb09d0
Instruction ID: 172804816eb8bbcbc602016032d5730f5713479552c6c9c1bd6a1e2d7a88e93a
Opcode Fuzzy Hash: 3dc74708ede5d07eab7fa09f2a96979b5884ffe7111dcc3a8349632538cb09d0
Instruction Fuzzy Hash: C331B3B4904228CFDB50DF64C998BDDBBB2BB89305F1081DAD509AB384DB359E86CF00

Uniqueness

Uniqueness Score: -1.00%

Function 05628CA3, Relevance: 2.6, Strings: 2, Instructions: 61COMMON

Download Yara Rule

Strings

', xrefs: 05628ED7
,, xrefs: 05628CF7

Memory Dump Source

Source File: 00000000.00000002.351442044.0000000005620000.00000040.00000001.sdmp, Offset: 05620000, based on PE: false

Similarity

API ID:
String ID: '$,
API String ID: 0-24314930
Opcode ID: 797823c77293b00f0ae4e99854d80cd96be88d240b0c5abe9a6859d1dbfa9f9e
Instruction ID: 4aebea00a780b8ea729902c7f194c9c1f2f8980f765537fc5c74726d5eeefacd
Opcode Fuzzy Hash: 797823c77293b00f0ae4e99854d80cd96be88d240b0c5abe9a6859d1dbfa9f9e
Instruction Fuzzy Hash: 5331A0B4905268CBDB64DF64CD99BECBBB2BB89305F1081DAD509AB344CB359E85CF10

Uniqueness

Uniqueness Score: -1.00%

Function 05628904, Relevance: 2.5, Strings: 2, Instructions: 46COMMON

Download Yara Rule

Strings

', xrefs: 05628ED7
(, xrefs: 0562890B

Memory Dump Source

Source File: 00000000.00000002.351442044.0000000005620000.00000040.00000001.sdmp, Offset: 05620000, based on PE: false

Similarity

API ID:
String ID: '$(
API String ID: 0-102678571
Opcode ID: ce2a83a1cb00fbc62bfd36ad7b7e05e338fe3adb4b68f33a3ac82d33d699d3c7
Instruction ID: 63355ae5db21c8988bd986b70893b37431d224218fdce781a2a40c40ce8756c5
Opcode Fuzzy Hash: ce2a83a1cb00fbc62bfd36ad7b7e05e338fe3adb4b68f33a3ac82d33d699d3c7
Instruction Fuzzy Hash: 0811B0B4905228CBDB60DF64C998BDCBBB2BB89305F1081DAD409AB345CB759EC5CF00

Uniqueness

Uniqueness Score: -1.00%

Function 055A06F6, Relevance: 1.6, APIs: 1, Instructions: 114COMMON

Download Yara Rule

APIs

GetTempFileNameW.KERNELBASE(?,00000E2C,?,?), ref: 055A07D6

Memory Dump Source

Source File: 00000000.00000002.351363579.00000000055A0000.00000040.00000001.sdmp, Offset: 055A0000, based on PE: false

Similarity

API ID: FileNameTemp
String ID:
API String ID: 745986568-0
Opcode ID: 5d35960c528d5c21639669961afacd1abe61cc18d366ccb1bd1834cbc258484f
Instruction ID: 7d9d8518b003bb12acf9e4a7d4edcc831f85736b7709c468e56b0dfd6e2f4099
Opcode Fuzzy Hash: 5d35960c528d5c21639669961afacd1abe61cc18d366ccb1bd1834cbc258484f
Instruction Fuzzy Hash: 1E416C6240E3C05FD7038B758C65A62BFB4AF47620F0A85DBD8C4DF5A3D264691AC7B2

Uniqueness

Uniqueness Score: -1.00%

Function 055A0C13, Relevance: 1.6, APIs: 1, Instructions: 102COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,00000E2C), ref: 055A0CC3

Memory Dump Source

Source File: 00000000.00000002.351363579.00000000055A0000.00000040.00000001.sdmp, Offset: 055A0000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 6ae89218c964a30e5264705f257570f7364798c09fdf1bdcfb1221af5b736086
Instruction ID: 5b6df112fdd6684e86c2b9b340fd20bd8e799445d7f875bc4ac89ef4df021fa2
Opcode Fuzzy Hash: 6ae89218c964a30e5264705f257570f7364798c09fdf1bdcfb1221af5b736086
Instruction Fuzzy Hash: A131B472404384AFE7228B65DC45F6BBFACEF46310F04849BE985DB152D364A909CB71

Uniqueness

Uniqueness Score: -1.00%

Function 00DFAB26, Relevance: 1.6, APIs: 1, Instructions: 92registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,00000E2C), ref: 00DFABD5

Memory Dump Source

Source File: 00000000.00000002.346824127.0000000000DFA000.00000040.00000001.sdmp, Offset: 00DFA000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: dc16e5525c32d4c95bd41df83e3cbfb0505325dbb19b7a7b425ab2dbdca7cb9a
Instruction ID: 0da1fb3712ff2469b3ef6e23be5ad45a6281033c7c2db940cf99065d003985c0
Opcode Fuzzy Hash: dc16e5525c32d4c95bd41df83e3cbfb0505325dbb19b7a7b425ab2dbdca7cb9a
Instruction Fuzzy Hash: 8631C5B2544384AFE7228B25CC45F67BFBCEF06710F08859BEE849B152D264A949CB71

Uniqueness

Uniqueness Score: -1.00%

Function 055A080C, Relevance: 1.6, APIs: 1, Instructions: 90fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 055A08AD

Memory Dump Source

Source File: 00000000.00000002.351363579.00000000055A0000.00000040.00000001.sdmp, Offset: 055A0000, based on PE: false

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 3ca7ff78ae84319204c0dd94f893adec0487d17ba76577d6f938c8b31dd37106
Instruction ID: abd61e697b1e7d76458855510af73c86b55be4aa41dfdbcc6b33e61fdcfd544e
Opcode Fuzzy Hash: 3ca7ff78ae84319204c0dd94f893adec0487d17ba76577d6f938c8b31dd37106
Instruction Fuzzy Hash: F7317C72504380AFE722CF65CC44F66BFE8EF45610F0884AEE9858B292D375E809CB75

Uniqueness

Uniqueness Score: -1.00%

Function 00DFBE5A, Relevance: 1.6, APIs: 1, Instructions: 89fileCOMMON

Download Yara Rule

APIs

CopyFileW.KERNELBASE(?,?,?), ref: 00DFBEE6

Memory Dump Source

Source File: 00000000.00000002.346824127.0000000000DFA000.00000040.00000001.sdmp, Offset: 00DFA000, based on PE: false

Similarity

API ID: CopyFile
String ID:
API String ID: 1304948518-0
Opcode ID: 756b832561bed735c829d96c3c2be2964c2565c557b2557c85fa414a203972f4
Instruction ID: 07db76920eec66635d16124088a6c27ee595ab85ffadaf20b2229c25498917af
Opcode Fuzzy Hash: 756b832561bed735c829d96c3c2be2964c2565c557b2557c85fa414a203972f4
Instruction Fuzzy Hash: A6316F7150D3C49FD7138B24DC556A2BFB89F17220F1D84DBE984CF1A3E2659849C762

Uniqueness

Uniqueness Score: -1.00%

Function 00DFAC1D, Relevance: 1.6, APIs: 1, Instructions: 89registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,389545C7,00000000,00000000,00000000,00000000), ref: 00DFACD8

Memory Dump Source

Source File: 00000000.00000002.346824127.0000000000DFA000.00000040.00000001.sdmp, Offset: 00DFA000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: bd99a38c81bf5ced8d4fa2622de06ab0684104b50fdb27acc3cf038c7fcb6e81
Instruction ID: 0209e8a6976730e18226d8b4a4e1c4775523522240a09231076378e337f0d8b8
Opcode Fuzzy Hash: bd99a38c81bf5ced8d4fa2622de06ab0684104b50fdb27acc3cf038c7fcb6e81
Instruction Fuzzy Hash: 33319375105384AFE722CB25CC44F66BFB8EF06310F19849AE9898B152D264E949CB71

Uniqueness

Uniqueness Score: -1.00%

Function 00DFBABE, Relevance: 1.6, APIs: 1, Instructions: 89synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNELBASE(?,?), ref: 00DFBB65

Memory Dump Source

Source File: 00000000.00000002.346824127.0000000000DFA000.00000040.00000001.sdmp, Offset: 00DFA000, based on PE: false

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 1f228cff76e61c5f03624802ba2a8de9d884b3a02867dca86e682792d0bbd0d0
Instruction ID: 01b1014a59eca3f186fcafff9d345663585939c216aa8c479b0055be6359e138
Opcode Fuzzy Hash: 1f228cff76e61c5f03624802ba2a8de9d884b3a02867dca86e682792d0bbd0d0
Instruction Fuzzy Hash: 17319371509784AFE712CB25CC85F56FFE8EF06310F19849BE984CB292D365A909CB71

Uniqueness

Uniqueness Score: -1.00%

Function 055A129C, Relevance: 1.6, APIs: 1, Instructions: 87COMMON

Download Yara Rule

APIs

TerminateProcess.KERNELBASE(?,00000E2C,389545C7,00000000,00000000,00000000,00000000), ref: 055A1330

Memory Dump Source

Source File: 00000000.00000002.351363579.00000000055A0000.00000040.00000001.sdmp, Offset: 055A0000, based on PE: false

Similarity

API ID: ProcessTerminate
String ID:
API String ID: 560597551-0
Opcode ID: 38096e5498ebcc606d9336c6fc66dd9417282c63b2ce53f5c718204b022914ba
Instruction ID: 73a6487477402828a90576cc9a9256f54cfe25f51e0b0f2cf1889eb24fa4389c
Opcode Fuzzy Hash: 38096e5498ebcc606d9336c6fc66dd9417282c63b2ce53f5c718204b022914ba
Instruction Fuzzy Hash: 1C21D672509780AFE7128F25DC45F96BFA8EF47320F0884DBE984DF193D264A509C761

Uniqueness

Uniqueness Score: -1.00%

Function 055A00BE, Relevance: 1.6, APIs: 1, Instructions: 86COMMON

Download Yara Rule

APIs

LsaOpenPolicy.ADVAPI32(?,00000E2C), ref: 055A015B

Memory Dump Source

Source File: 00000000.00000002.351363579.00000000055A0000.00000040.00000001.sdmp, Offset: 055A0000, based on PE: false

Similarity

API ID: OpenPolicy
String ID:
API String ID: 2030686058-0
Opcode ID: 8e8015e875556de4e49a5548a8e49764ea0f90a57637f10964ca4bc01d98d073
Instruction ID: 84874b8d4e52faebf2526d4d4fed85eb710db7182ff666aa932af698ea42f7f5
Opcode Fuzzy Hash: 8e8015e875556de4e49a5548a8e49764ea0f90a57637f10964ca4bc01d98d073
Instruction Fuzzy Hash: 1A219172504344AFE721CB25DC45FAAFFA8EF45310F04849BED84DB192D264A548CB65

Uniqueness

Uniqueness Score: -1.00%

Function 055A0357, Relevance: 1.6, APIs: 1, Instructions: 84COMMON

Download Yara Rule

APIs

GetTokenInformation.KERNELBASE(?,00000E2C,389545C7,00000000,00000000,00000000,00000000), ref: 055A03EC

Memory Dump Source

Source File: 00000000.00000002.351363579.00000000055A0000.00000040.00000001.sdmp, Offset: 055A0000, based on PE: false

Similarity

API ID: InformationToken
String ID:
API String ID: 4114910276-0
Opcode ID: dbab0fdb00c342e598f66d42b5bf5fe4b9ee109b504e4372c5aa90ba93364b4c
Instruction ID: 4aac141faffc271989a7173ba87e9cf2fe2ec9bd966893c8be388542c485f3d5
Opcode Fuzzy Hash: dbab0fdb00c342e598f66d42b5bf5fe4b9ee109b504e4372c5aa90ba93364b4c
Instruction Fuzzy Hash: 0521A272004380AFE722CF65DC45FABFFBCEF06310F08849BEA859B152D264A544CB61

Uniqueness

Uniqueness Score: -1.00%

Function 055A0C46, Relevance: 1.6, APIs: 1, Instructions: 80COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,00000E2C), ref: 055A0CC3

Memory Dump Source

Source File: 00000000.00000002.351363579.00000000055A0000.00000040.00000001.sdmp, Offset: 055A0000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: d6371e36889ab6a2ef502a75431c5984d6927d17b57204ed1fa81bb8126a91c9
Instruction ID: 7cea0b1c934de2b0163497af3c3c1301001081a2bd019a75a532a97ec31a2939
Opcode Fuzzy Hash: d6371e36889ab6a2ef502a75431c5984d6927d17b57204ed1fa81bb8126a91c9
Instruction Fuzzy Hash: F621BD72500204AFEB21DF65DC49F6BFBECFF04320F14886AEA859B251D670A4098BB1

Uniqueness

Uniqueness Score: -1.00%

Function 055A0904, Relevance: 1.6, APIs: 1, Instructions: 80COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E2C,389545C7,00000000,00000000,00000000,00000000), ref: 055A0999

Memory Dump Source

Source File: 00000000.00000002.351363579.00000000055A0000.00000040.00000001.sdmp, Offset: 055A0000, based on PE: false

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 8b8fdb4f7c456313d32733a7c9f09edb47ddcc3bea01dac84be76dd149f31fbc
Instruction ID: 20f1620dcd97e85b28d4d71902d33a68a6d4a3134cafbe45a70dbab303a625cf
Opcode Fuzzy Hash: 8b8fdb4f7c456313d32733a7c9f09edb47ddcc3bea01dac84be76dd149f31fbc
Instruction Fuzzy Hash: A221FBB64493806FE7128B25DC41F66BFA8EF47720F1885D7ED848B193D2646909C771

Uniqueness

Uniqueness Score: -1.00%

Function 00DFB074, Relevance: 1.6, APIs: 1, Instructions: 77COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,00000E2C,?,?), ref: 00DFB10E

Memory Dump Source

Source File: 00000000.00000002.346824127.0000000000DFA000.00000040.00000001.sdmp, Offset: 00DFA000, based on PE: false

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 3d3305a5582095a163e505b94aa4f5cc8db1542213973fbe70cd08e08e5ea5fd
Instruction ID: 7c9c0d30d2edbc8cfbffa1b63cf5f4c467617163f9946929a4f31c4ef57b8e97
Opcode Fuzzy Hash: 3d3305a5582095a163e505b94aa4f5cc8db1542213973fbe70cd08e08e5ea5fd
Instruction Fuzzy Hash: 3221B67144D3C06FD3138B259C51B22BFB4EF87610F0A81DBE984CB653D225A91AC7B2

Uniqueness

Uniqueness Score: -1.00%

Function 055A082E, Relevance: 1.6, APIs: 1, Instructions: 76fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 055A08AD

Memory Dump Source

Source File: 00000000.00000002.351363579.00000000055A0000.00000040.00000001.sdmp, Offset: 055A0000, based on PE: false

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 7731d2bfc50ce2c135f07143b7f5c6f0a2a0309e4866f0fb3fcfc516033d0956
Instruction ID: a4b8d4f6ef11460d1e719f2048441369e3fb5e53bb76564d281d0d2857d7da3c
Opcode Fuzzy Hash: 7731d2bfc50ce2c135f07143b7f5c6f0a2a0309e4866f0fb3fcfc516033d0956
Instruction Fuzzy Hash: 26218D72500340AFE721DF25C844F6AFBE8FF04310F14846AEA858B292D371E404CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 055A09D4, Relevance: 1.6, APIs: 1, Instructions: 75fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,00000E2C,389545C7,00000000,00000000,00000000,00000000), ref: 055A0A65

Memory Dump Source

Source File: 00000000.00000002.351363579.00000000055A0000.00000040.00000001.sdmp, Offset: 055A0000, based on PE: false

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: c23210eb24bbc32bb88f037e4ec448916cbfb268f45fe6505b3a450fd44c2c6b
Instruction ID: f025f9772b763f8b3d55febd67a02bcc9fbffd19f50db919729248210bf5fb79
Opcode Fuzzy Hash: c23210eb24bbc32bb88f037e4ec448916cbfb268f45fe6505b3a450fd44c2c6b
Instruction Fuzzy Hash: D6217472409380AFD722CF65DC45F56BFB8EF46314F0884DBEA849B193D265A509CB71

Uniqueness

Uniqueness Score: -1.00%

Function 055A0D21, Relevance: 1.6, APIs: 1, Instructions: 75fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(?), ref: 055A0DA8

Memory Dump Source

Source File: 00000000.00000002.351363579.00000000055A0000.00000040.00000001.sdmp, Offset: 055A0000, based on PE: false

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: f50ac6455859424273e8239485f3924a47678ad7226ceb342b0ee528425a8494
Instruction ID: 1005343a68ad759da887d59bbffc5f105a296eb48cef70c8fca4cfff2b5df64c
Opcode Fuzzy Hash: f50ac6455859424273e8239485f3924a47678ad7226ceb342b0ee528425a8494
Instruction Fuzzy Hash: D421B0765093C09FDB12CB25DC95A96BFB8EF06210F0984DADC858F2A3D275A908CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00DFAB56, Relevance: 1.6, APIs: 1, Instructions: 74registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,00000E2C), ref: 00DFABD5

Memory Dump Source

Source File: 00000000.00000002.346824127.0000000000DFA000.00000040.00000001.sdmp, Offset: 00DFA000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: c9d086abe0665597abb7af0c5763f400b5ea9a4f450c0ec3103823e99a930aae
Instruction ID: 29a694b7af2e02c70ff4e85b8cf4defb2219a60136cdfb13d2b81650ffe2a4f3
Opcode Fuzzy Hash: c9d086abe0665597abb7af0c5763f400b5ea9a4f450c0ec3103823e99a930aae
Instruction Fuzzy Hash: 7D21A1B2500704AFE721DB29CC84F6BFBECEF04710F14855BEE459B241D664E9088B72

Uniqueness

Uniqueness Score: -1.00%

Function 055A00EA, Relevance: 1.6, APIs: 1, Instructions: 72COMMON

Download Yara Rule

APIs

LsaOpenPolicy.ADVAPI32(?,00000E2C), ref: 055A015B

Memory Dump Source

Source File: 00000000.00000002.351363579.00000000055A0000.00000040.00000001.sdmp, Offset: 055A0000, based on PE: false

Similarity

API ID: OpenPolicy
String ID:
API String ID: 2030686058-0
Opcode ID: 4301124fe2ab9b4c0c64e98ebafd3cbfd675163e3866a7c509361504de56d04e
Instruction ID: 316a1c34ebba5767a6a36698312d90bdb208513a9e7925af663731c2b6df57e2
Opcode Fuzzy Hash: 4301124fe2ab9b4c0c64e98ebafd3cbfd675163e3866a7c509361504de56d04e
Instruction Fuzzy Hash: 7321A172500304AFF720DB29DC45FAAFBACFF44710F14885AEE449B251D664A4058B75

Uniqueness

Uniqueness Score: -1.00%

Function 00DFBAF2, Relevance: 1.6, APIs: 1, Instructions: 72synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNELBASE(?,?), ref: 00DFBB65

Memory Dump Source

Source File: 00000000.00000002.346824127.0000000000DFA000.00000040.00000001.sdmp, Offset: 00DFA000, based on PE: false

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 0af8fb9efa4bccff058d78ab35fe5c3553de1dfa531dc3460fbfd2c60fc4c1bc
Instruction ID: 5c1a22519a777743c08d1123107e7e30faf416abe02525b163e5ef24ddd65bdb
Opcode Fuzzy Hash: 0af8fb9efa4bccff058d78ab35fe5c3553de1dfa531dc3460fbfd2c60fc4c1bc
Instruction Fuzzy Hash: B6218E71504244AFE721DF25CC85B66FBE8EF04720F18C4AAEE898B246D771E905CB76

Uniqueness

Uniqueness Score: -1.00%

Function 055A0382, Relevance: 1.6, APIs: 1, Instructions: 69COMMON

Download Yara Rule

APIs

GetTokenInformation.KERNELBASE(?,00000E2C,389545C7,00000000,00000000,00000000,00000000), ref: 055A03EC

Memory Dump Source

Source File: 00000000.00000002.351363579.00000000055A0000.00000040.00000001.sdmp, Offset: 055A0000, based on PE: false

Similarity

API ID: InformationToken
String ID:
API String ID: 4114910276-0
Opcode ID: afcec21a6e25538dc4577cd7759602fa01cf5b07918961f40f854d9c2a6b4192
Instruction ID: 6214fcdb1cdbf73e7eb948b3491df7fbc061bd00e3f917b2a1b3a8e27b39e29f
Opcode Fuzzy Hash: afcec21a6e25538dc4577cd7759602fa01cf5b07918961f40f854d9c2a6b4192
Instruction Fuzzy Hash: CA118972500204AEEB21CF65DC85FABBBACEF05320F14886BEE459B251D674A509CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 00DFAC5E, Relevance: 1.6, APIs: 1, Instructions: 69registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,389545C7,00000000,00000000,00000000,00000000), ref: 00DFACD8

Memory Dump Source

Source File: 00000000.00000002.346824127.0000000000DFA000.00000040.00000001.sdmp, Offset: 00DFA000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 020a3294a3926a324529da1531b4cd33bfbfcdcac8ac9691b62935ef734d1ba3
Instruction ID: cef61f0d432b76ea08c7a99250a11a830d82fc4e8ddaa68703e1ba595642e7a9
Opcode Fuzzy Hash: 020a3294a3926a324529da1531b4cd33bfbfcdcac8ac9691b62935ef734d1ba3
Instruction Fuzzy Hash: 33215EB5500608AFE720CF19DC84F67BBECEF04710F18C56AEA499B651D660E949CA72

Uniqueness

Uniqueness Score: -1.00%

Function 055A1038, Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 055A10A4

Memory Dump Source

Source File: 00000000.00000002.351363579.00000000055A0000.00000040.00000001.sdmp, Offset: 055A0000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 90baa8d06a0c81baf040ad137bfa4422dd1e77eb2e46f76257de5661e406db02
Instruction ID: 953ce60d6c0e0c2ef3053373ceca79448d608568563f85eb1d49bbeaa624f618
Opcode Fuzzy Hash: 90baa8d06a0c81baf040ad137bfa4422dd1e77eb2e46f76257de5661e406db02
Instruction Fuzzy Hash: 5C21C3725093C09FDB128B25DC54B96BFB4AF47224F0980DAED858F663D275A908CB72

Uniqueness

Uniqueness Score: -1.00%

Function 055A10ED, Relevance: 1.6, APIs: 1, Instructions: 67COMMON

Download Yara Rule

APIs

K32EnumProcesses.KERNEL32(?,?,?,389545C7,00000000,?,?,?,?,?,?,?,?,72F43C38), ref: 055A115E

Memory Dump Source

Source File: 00000000.00000002.351363579.00000000055A0000.00000040.00000001.sdmp, Offset: 055A0000, based on PE: false

Similarity

API ID: EnumProcesses
String ID:
API String ID: 84517404-0
Opcode ID: a7a6d5fa6b9170e000a26ea8de5bacc814c62a844a8eeea75006ab6d2966d518
Instruction ID: 99dd7e155f8e73d16a6396efc0f83c11501ce75f916b1d2dadf9912e01a25f19
Opcode Fuzzy Hash: a7a6d5fa6b9170e000a26ea8de5bacc814c62a844a8eeea75006ab6d2966d518
Instruction Fuzzy Hash: 422162725093849FD712CF65DC45B96BFE8EF46210F0984EBE985CF163D274A908CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00DFB3B9, Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

LoadLibraryShim.MSCOREE(?,?,?,?), ref: 00DFB435

Memory Dump Source

Source File: 00000000.00000002.346824127.0000000000DFA000.00000040.00000001.sdmp, Offset: 00DFA000, based on PE: false

Similarity

API ID: LibraryLoadShim
String ID:
API String ID: 1475914169-0
Opcode ID: 8def1d4360cca588ab7e9f2ec93177f8745c1ad190f96e5019dc3093d3c6702c
Instruction ID: 0c9bceb82ca14bda777e301d47fa65107e3619cd89c967c92d9f51467a53d293
Opcode Fuzzy Hash: 8def1d4360cca588ab7e9f2ec93177f8745c1ad190f96e5019dc3093d3c6702c
Instruction Fuzzy Hash: 36219371509384AFD7228B25DC45B62FFE8EF56314F0D809AEE84CB253D365A909CB71

Uniqueness

Uniqueness Score: -1.00%

Function 055A0006, Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(?,?), ref: 055A006F

Memory Dump Source

Source File: 00000000.00000002.351363579.00000000055A0000.00000040.00000001.sdmp, Offset: 055A0000, based on PE: false

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 428462d2498c4671aa29c83585fc5825876d3d57161bb2ac85a83a54718dd436
Instruction ID: 90faa0b9e59e8cdf5c8cc522409be3c8ed32711eccc9214cc4bdd1d55302490b
Opcode Fuzzy Hash: 428462d2498c4671aa29c83585fc5825876d3d57161bb2ac85a83a54718dd436
Instruction Fuzzy Hash: E411B4725093809FD712CF25DC45B56BFE8EF46220F0980EAED85CB262E278A944CB61

Uniqueness

Uniqueness Score: -1.00%

Function 055A14C9, Relevance: 1.6, APIs: 1, Instructions: 62windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 055A153D

Memory Dump Source

Source File: 00000000.00000002.351363579.00000000055A0000.00000040.00000001.sdmp, Offset: 055A0000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: a925b7c35eab916d2301eba1055ac20f47f202f155351db35cd93611dcd54808
Instruction ID: 661d7a92ab9bd6de8fafea52c56dbf02e9c97d5a1024b18ae6903dcba835b6e5
Opcode Fuzzy Hash: a925b7c35eab916d2301eba1055ac20f47f202f155351db35cd93611dcd54808
Instruction Fuzzy Hash: 98218C724097C0AFDB138B25CC44A62FFB4EF17210F0985DAE9858F163D265A918DB62

Uniqueness

Uniqueness Score: -1.00%

Function 055A12DA, Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

TerminateProcess.KERNELBASE(?,00000E2C,389545C7,00000000,00000000,00000000,00000000), ref: 055A1330

Memory Dump Source

Source File: 00000000.00000002.351363579.00000000055A0000.00000040.00000001.sdmp, Offset: 055A0000, based on PE: false

Similarity

API ID: ProcessTerminate
String ID:
API String ID: 560597551-0
Opcode ID: ef9d89d2cdf18ca41ac25048dc173577d0bf0c7e2b859f08748b5d7bc8089f84
Instruction ID: 9bfbf1706a1a8eae02976b0f8efd381df0ebb0467012cf91b624a190d97e4dcd
Opcode Fuzzy Hash: ef9d89d2cdf18ca41ac25048dc173577d0bf0c7e2b859f08748b5d7bc8089f84
Instruction Fuzzy Hash: EF11A372900604EFEB10DF29DC85F6ABB98EF45320F1884ABEE45DB641D6B4A505CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 00DFA5AF, Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00DFA61A

Memory Dump Source

Source File: 00000000.00000002.346824127.0000000000DFA000.00000040.00000001.sdmp, Offset: 00DFA000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 176bac5bb6746b90e47e8c107f44264eb1894424012be5ce2cd36208384de638
Instruction ID: c0cc988d83bbc0a7cf2d7e1eae9c1a4115db1cb5c946b7e9844be1d8a87538b9
Opcode Fuzzy Hash: 176bac5bb6746b90e47e8c107f44264eb1894424012be5ce2cd36208384de638
Instruction Fuzzy Hash: 0111A271409780AFDB228F55DC44A62FFF4EF4A310F0884DAEE898B152D275A518DB71

Uniqueness

Uniqueness Score: -1.00%

Function 055A0A06, Relevance: 1.6, APIs: 1, Instructions: 60fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,00000E2C,389545C7,00000000,00000000,00000000,00000000), ref: 055A0A65

Memory Dump Source

Source File: 00000000.00000002.351363579.00000000055A0000.00000040.00000001.sdmp, Offset: 055A0000, based on PE: false

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: df87f77fb14bdaf09f24ba09a433f527437d0fd661c32e3187aac0041e629d88
Instruction ID: d68d2095f4ebd511ef0f841556fe101b1734fe2bd2038ae1dfcc9315a5590ad2
Opcode Fuzzy Hash: df87f77fb14bdaf09f24ba09a433f527437d0fd661c32e3187aac0041e629d88
Instruction Fuzzy Hash: FE11BF72400200EEEB21CF55DC44F6AFBA8EF44320F1488ABEE459B691D2B4A509CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 00DFA65A, Relevance: 1.6, APIs: 1, Instructions: 59COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 00DFA6CC

Memory Dump Source

Source File: 00000000.00000002.346824127.0000000000DFA000.00000040.00000001.sdmp, Offset: 00DFA000, based on PE: false

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 2398809020d1ab3afbc162c4ccbb579cb89e907e3ea028f4fe9761878911633d
Instruction ID: 70bdfd2166148360d4d53ac0211c8d69da875236a52bab3d0f762ef1fba3cc23
Opcode Fuzzy Hash: 2398809020d1ab3afbc162c4ccbb579cb89e907e3ea028f4fe9761878911633d
Instruction Fuzzy Hash: FC1159754093C49FD7128B25CC94A52BFB4DF07220F0E80DBD9858F1A3D2696948CB72

Uniqueness

Uniqueness Score: -1.00%

Function 00DFA2D6, Relevance: 1.6, APIs: 1, Instructions: 57COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 00DFA32C

Memory Dump Source

Source File: 00000000.00000002.346824127.0000000000DFA000.00000040.00000001.sdmp, Offset: 00DFA000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: b723907f27c00e20944096bfcce8b8a07c1873829ead1bab7054db56d9948cf8
Instruction ID: e9bcb90c60681f12cd2e7fb1921e6ea3ff9503fe8e14f8205b6946eede1decc7
Opcode Fuzzy Hash: b723907f27c00e20944096bfcce8b8a07c1873829ead1bab7054db56d9948cf8
Instruction Fuzzy Hash: A01194715093C4AFDB128F25DC94B56BFA8DF46220F0880EBED858F652D275A908CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00DFBE9E, Relevance: 1.6, APIs: 1, Instructions: 53fileCOMMON

Download Yara Rule

APIs

CopyFileW.KERNELBASE(?,?,?), ref: 00DFBEE6

Memory Dump Source

Source File: 00000000.00000002.346824127.0000000000DFA000.00000040.00000001.sdmp, Offset: 00DFA000, based on PE: false

Similarity

API ID: CopyFile
String ID:
API String ID: 1304948518-0
Opcode ID: 1089870acc5714636e486455d03f7b45ff739c8c49877b7c40a5cb68da81e82d
Instruction ID: 74c7b80f028c1a8c653dc17115ed2e5af46ea69766537384e60ec1b943db9392
Opcode Fuzzy Hash: 1089870acc5714636e486455d03f7b45ff739c8c49877b7c40a5cb68da81e82d
Instruction Fuzzy Hash: 9D112A716002449FEB10DF69D885766BBD8EF04320F18C4AAEE49CB642D775E904CA71

Uniqueness

Uniqueness Score: -1.00%

Function 055A0946, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E2C,389545C7,00000000,00000000,00000000,00000000), ref: 055A0999

Memory Dump Source

Source File: 00000000.00000002.351363579.00000000055A0000.00000040.00000001.sdmp, Offset: 055A0000, based on PE: false

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: b0e3dbc9d15a71fe420f48da83037f3920a4d14f2a86b2894afab5d61482f729
Instruction ID: 1e575c7e9ade590c8e85791a18852e7eaf87323a70298887c2f76007ef2d00b8
Opcode Fuzzy Hash: b0e3dbc9d15a71fe420f48da83037f3920a4d14f2a86b2894afab5d61482f729
Instruction Fuzzy Hash: 0101D272500604EEF720CB15DC85F6BFB98EF45720F14C4A7EE489B391D6B4A509CAB2

Uniqueness

Uniqueness Score: -1.00%

Function 055A111E, Relevance: 1.5, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

K32EnumProcesses.KERNEL32(?,?,?,389545C7,00000000,?,?,?,?,?,?,?,?,72F43C38), ref: 055A115E

Memory Dump Source

Source File: 00000000.00000002.351363579.00000000055A0000.00000040.00000001.sdmp, Offset: 055A0000, based on PE: false

Similarity

API ID: EnumProcesses
String ID:
API String ID: 84517404-0
Opcode ID: d0aed33a9b19f828532d07b648cd26dfb974bbcc3e2d9fb371a16782e6badd3e
Instruction ID: c4a8c63eff70ca52bbd9d65a788a46562a8c14a09a50ad570a39bd60da69dc04
Opcode Fuzzy Hash: d0aed33a9b19f828532d07b648cd26dfb974bbcc3e2d9fb371a16782e6badd3e
Instruction Fuzzy Hash: 13116D76500644DFDB10CF6AD885B6AFBE8FF44220F0884ABDE498B651D775E508CF61

Uniqueness

Uniqueness Score: -1.00%

Function 055A0032, Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(?,?), ref: 055A006F

Memory Dump Source

Source File: 00000000.00000002.351363579.00000000055A0000.00000040.00000001.sdmp, Offset: 055A0000, based on PE: false

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 50cf1fdb6a6fab0345cf80347f6b8f09e2ea2756902a0d8d2c82be8ff110e529
Instruction ID: fc4e47a4402a4702b59ef7abd0c9d73db017ceda32faf821edfe22d1514cbb3d
Opcode Fuzzy Hash: 50cf1fdb6a6fab0345cf80347f6b8f09e2ea2756902a0d8d2c82be8ff110e529
Instruction Fuzzy Hash: 6F019272501240DFDB10CF29D88976AFFD8FF44220F48C4AADD49DB652E6B5E508CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00DFA9F0, Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32 ref: 00DFAA4A

Memory Dump Source

Source File: 00000000.00000002.346824127.0000000000DFA000.00000040.00000001.sdmp, Offset: 00DFA000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 9b37345e8fbfb861d596e0f83fc9f5460abc26f151b54ec92ccfa7a914444ee9
Instruction ID: d81e1b62a4c9a7baa1ec58d909479b72f0c47c1a442112eef944281dc29f1641
Opcode Fuzzy Hash: 9b37345e8fbfb861d596e0f83fc9f5460abc26f151b54ec92ccfa7a914444ee9
Instruction Fuzzy Hash: 5611C271408384AFC7218F15DC44B52FFF4EF06320F09C4DAEE894B262C275A908CB62

Uniqueness

Uniqueness Score: -1.00%

Function 055A0D6E, Relevance: 1.5, APIs: 1, Instructions: 47fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(?), ref: 055A0DA8

Memory Dump Source

Source File: 00000000.00000002.351363579.00000000055A0000.00000040.00000001.sdmp, Offset: 055A0000, based on PE: false

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 93e9e6fd763fb0cdabb148648a17f1219e7ac784852c9f27a6800e067da2bf09
Instruction ID: 923e2bde8e76a07c000792751769fbaa7f17229ead77a0af222cebd224b7e0d6
Opcode Fuzzy Hash: 93e9e6fd763fb0cdabb148648a17f1219e7ac784852c9f27a6800e067da2bf09
Instruction Fuzzy Hash: 6E017576504280DFDB50CF2AD88976AFFD8EF44220F18C4AADD49CF692D675E504CB61

Uniqueness

Uniqueness Score: -1.00%

Function 055A0786, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetTempFileNameW.KERNELBASE(?,00000E2C,?,?), ref: 055A07D6

Memory Dump Source

Source File: 00000000.00000002.351363579.00000000055A0000.00000040.00000001.sdmp, Offset: 055A0000, based on PE: false

Similarity

API ID: FileNameTemp
String ID:
API String ID: 745986568-0
Opcode ID: 84cab481a49959fa8453e25bd1e9e43ff63347c776665a15de49194b002ad5aa
Instruction ID: 61f27d40e4485ff68075865a3e5a8cd31a7512016b76c205e3cedb75e467e2d9
Opcode Fuzzy Hash: 84cab481a49959fa8453e25bd1e9e43ff63347c776665a15de49194b002ad5aa
Instruction Fuzzy Hash: 00017172540600AFD750DF16DC86F26FBA8FB88B20F14856AED089B741E371B515CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00DFB3EA, Relevance: 1.5, APIs: 1, Instructions: 46libraryCOMMON

Download Yara Rule

APIs

LoadLibraryShim.MSCOREE(?,?,?,?), ref: 00DFB435

Memory Dump Source

Source File: 00000000.00000002.346824127.0000000000DFA000.00000040.00000001.sdmp, Offset: 00DFA000, based on PE: false

Similarity

API ID: LibraryLoadShim
String ID:
API String ID: 1475914169-0
Opcode ID: 1cd00fa1d52571088e89ee3150e16879ebeb838a6e2af035ad19ae25b83b7c94
Instruction ID: 4a83162da6ea95144383cf8c2e7ce80c96fe9052473ba24b059b49bb0af13d93
Opcode Fuzzy Hash: 1cd00fa1d52571088e89ee3150e16879ebeb838a6e2af035ad19ae25b83b7c94
Instruction Fuzzy Hash: 770169719006489FDB60CE19D985B36FBE8EF04724F18C09ADE898B252D365E808DA72

Uniqueness

Uniqueness Score: -1.00%

Function 00DFA5D6, Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00DFA61A

Memory Dump Source

Source File: 00000000.00000002.346824127.0000000000DFA000.00000040.00000001.sdmp, Offset: 00DFA000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: bb4bdad6c66409cade5b73cddaaf250fffac74eac0652fe745cdd8b16ea05bce
Instruction ID: 06049eb5b6059c26069aa8ecd532d306b1a051225addba0eefb055baedb475a0
Opcode Fuzzy Hash: bb4bdad6c66409cade5b73cddaaf250fffac74eac0652fe745cdd8b16ea05bce
Instruction Fuzzy Hash: 9A01AD71400A04EFDB218F59D844B26FFE0EF08720F18C5AADE898B611D275E418DF72

Uniqueness

Uniqueness Score: -1.00%

Function 055A1072, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 055A10A4

Memory Dump Source

Source File: 00000000.00000002.351363579.00000000055A0000.00000040.00000001.sdmp, Offset: 055A0000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: df8475a8ffba045fe972d43484c26a84bdcd303cc40f59229f68c6353b04b221
Instruction ID: d412f244fc1ff89c8049ddbf4a4feae41b8a96e1c07ca3f002ba910b70d9defd
Opcode Fuzzy Hash: df8475a8ffba045fe972d43484c26a84bdcd303cc40f59229f68c6353b04b221
Instruction Fuzzy Hash: C801B1765046409FD710CF29E88476AFBD4FF40220F08C4AADD498B642D6B5A408CB72

Uniqueness

Uniqueness Score: -1.00%

Function 00DFA2FA, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 00DFA32C

Memory Dump Source

Source File: 00000000.00000002.346824127.0000000000DFA000.00000040.00000001.sdmp, Offset: 00DFA000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 9861606c3ebccd3f0fa33eb67a0fed59ddb9be87d206fe966609e695395c69c9
Instruction ID: 576ff65c748125ce31082f0f437441525e28ca03c2b29f6e86ee829eddfdf041
Opcode Fuzzy Hash: 9861606c3ebccd3f0fa33eb67a0fed59ddb9be87d206fe966609e695395c69c9
Instruction Fuzzy Hash: 3D017CB1904244DFDB108F69D88576AFBD4EF44720F18C4AADE498B642D6B5A508CA72

Uniqueness

Uniqueness Score: -1.00%

Function 055A1502, Relevance: 1.5, APIs: 1, Instructions: 38windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 055A153D

Memory Dump Source

Source File: 00000000.00000002.351363579.00000000055A0000.00000040.00000001.sdmp, Offset: 055A0000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: de8292d816fa59b2b95d8d578e29380f512bef681f4ebeae84cc586c4ee496ff
Instruction ID: 0d1ccae2ee7be72b196a58bdcaf4c7dc91d66ee0b4a20b470fd598c4d9345f90
Opcode Fuzzy Hash: de8292d816fa59b2b95d8d578e29380f512bef681f4ebeae84cc586c4ee496ff
Instruction Fuzzy Hash: 0101A236400A40DFDB20CF15D844B2AFFA5FF08320F08C49ADE8A0B612C375A418CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 00DFAA12, Relevance: 1.5, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32 ref: 00DFAA4A

Memory Dump Source

Source File: 00000000.00000002.346824127.0000000000DFA000.00000040.00000001.sdmp, Offset: 00DFA000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 73033223f08fd71c5a066fccdcc3ebb104e231d99fdcdba53cafe533996dff2f
Instruction ID: 023920af6d7ae022533a5d7446b76f28ca986bc153f3ac2724f6ed8459b9fae3
Opcode Fuzzy Hash: 73033223f08fd71c5a066fccdcc3ebb104e231d99fdcdba53cafe533996dff2f
Instruction Fuzzy Hash: BE01A975400648DFDB208F19D984B26FFA0EF04720F18C1AADE890B616C2B5A908DFB2

Uniqueness

Uniqueness Score: -1.00%

Function 00DFA69A, Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 00DFA6CC

Memory Dump Source

Source File: 00000000.00000002.346824127.0000000000DFA000.00000040.00000001.sdmp, Offset: 00DFA000, based on PE: false

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 8151b8314d09ac101462ca01f783ae14b08cc4b68308e0fa79106bb0c03d0c29
Instruction ID: 287b04d23d28867966d6752dfeb11a03efb202d3882d2800dda7b2eaf69d7078
Opcode Fuzzy Hash: 8151b8314d09ac101462ca01f783ae14b08cc4b68308e0fa79106bb0c03d0c29
Instruction Fuzzy Hash: 19F0AF74400A48DFDB10DF19D884766FFA4EF04320F1CC09ADE498B216D2B5A948DE72

Uniqueness

Uniqueness Score: -1.00%

Function 05627230, Relevance: 1.5, Strings: 1, Instructions: 265COMMON

Download Yara Rule

Strings

|mhr, xrefs: 05627288

Memory Dump Source

Source File: 00000000.00000002.351442044.0000000005620000.00000040.00000001.sdmp, Offset: 05620000, based on PE: false

Similarity

API ID:
String ID: |mhr
API String ID: 0-1401776628
Opcode ID: dfeafae2968c1006ce168a6e0b60296edc185a4df7975a427d79be8e8f96107e
Instruction ID: d75711299fd1dec0e158370a42d1877b4adbb7a2d16882e2e3176ffbb2f4e875
Opcode Fuzzy Hash: dfeafae2968c1006ce168a6e0b60296edc185a4df7975a427d79be8e8f96107e
Instruction Fuzzy Hash: 50A11570E41748DBEB14DFA4D881FADBBB2EF89710F249029E5067B394CA716882CF55

Uniqueness

Uniqueness Score: -1.00%

Function 04FC0599, Relevance: 1.4, Strings: 1, Instructions: 181COMMON

Download Yara Rule

Strings

:@Dr, xrefs: 04FC06D4

Memory Dump Source

Source File: 00000000.00000002.349183972.0000000004FC0000.00000040.00000001.sdmp, Offset: 04FC0000, based on PE: false

Similarity

API ID:
String ID: :@Dr
API String ID: 0-3830894600
Opcode ID: adc2b85c723ce1d96049f92877bd58c7936844a332e6a45c15d0da52b0af3a86
Instruction ID: 1289a12c50400054d2f3c0b424ab0c1cc6480c19e6bde26e951b83d96e416d67
Opcode Fuzzy Hash: adc2b85c723ce1d96049f92877bd58c7936844a332e6a45c15d0da52b0af3a86
Instruction Fuzzy Hash: 94811774E01219CFEB54CFA8C594BADBBF1BF49310F1080A9D505AB3A0DB71A986DF50

Uniqueness

Uniqueness Score: -1.00%

Function 05627708, Relevance: 1.4, Strings: 1, Instructions: 173COMMON

Download Yara Rule

Strings

:@Dr, xrefs: 0562784C

Memory Dump Source

Source File: 00000000.00000002.351442044.0000000005620000.00000040.00000001.sdmp, Offset: 05620000, based on PE: false

Similarity

API ID:
String ID: :@Dr
API String ID: 0-3830894600
Opcode ID: a2ad63837a85d398953778c89a8c6a54b3ff8bbd869e7be26cb9e5410b22b8c3
Instruction ID: 06da6d615f81df1a94e50f5a9d77e2a902676ae4ac1ca06bc285c44f7f027423
Opcode Fuzzy Hash: a2ad63837a85d398953778c89a8c6a54b3ff8bbd869e7be26cb9e5410b22b8c3
Instruction Fuzzy Hash: F371E1B4D01619CFDB04DFA5D854AAEBFB2FF89304F20912AE805A7344DB742946CF50

Uniqueness

Uniqueness Score: -1.00%

Function 05628379, Relevance: 1.4, Strings: 1, Instructions: 161COMMON

Download Yara Rule

Strings

', xrefs: 05628ED7

Memory Dump Source

Source File: 00000000.00000002.351442044.0000000005620000.00000040.00000001.sdmp, Offset: 05620000, based on PE: false

Similarity

API ID:
String ID: '
API String ID: 0-1997036262
Opcode ID: 4aba7db96603b85174f5d309a1088e421584747f457e457c088c322e71820171
Instruction ID: e39ade29642bc21010260f81759a006cfcf332abe72bcdbe54db0e9841985c9b
Opcode Fuzzy Hash: 4aba7db96603b85174f5d309a1088e421584747f457e457c088c322e71820171
Instruction Fuzzy Hash: 1271BFB4A00228CFDB64DF65CD88BECBBB1BB59305F1085EAD409A7281DB759AC5CF40

Uniqueness

Uniqueness Score: -1.00%

Function 056282D8, Relevance: 1.4, Strings: 1, Instructions: 136COMMON

Download Yara Rule

Strings

', xrefs: 05628ED7

Memory Dump Source

Source File: 00000000.00000002.351442044.0000000005620000.00000040.00000001.sdmp, Offset: 05620000, based on PE: false

Similarity

API ID:
String ID: '
API String ID: 0-1997036262
Opcode ID: 30991a57e7fce87ddedf8aa4549948d7ccedfd77f4787e665920e54acde0a747
Instruction ID: e98ff20b2a13c8fbbbfb1fa793fff3268dbd05eae65e2ff561db9657576b27d8
Opcode Fuzzy Hash: 30991a57e7fce87ddedf8aa4549948d7ccedfd77f4787e665920e54acde0a747
Instruction Fuzzy Hash: 8651E3B4E00228CFDB64CF65CC48BD9BBB2BB89305F1081E9D449AB281DB745AC5CF40

Uniqueness

Uniqueness Score: -1.00%

Function 05626F90, Relevance: 1.4, Strings: 1, Instructions: 105COMMON

Download Yara Rule

Strings

|mhr, xrefs: 05626FD3

Memory Dump Source

Source File: 00000000.00000002.351442044.0000000005620000.00000040.00000001.sdmp, Offset: 05620000, based on PE: false

Similarity

API ID:
String ID: |mhr
API String ID: 0-1401776628
Opcode ID: 253b53177237f1c137e9a0edac11394ff54c19714b2ce5a1cc09dd21dba236f5
Instruction ID: 1584352ed4d71738d490e89321d91a9e016da450df1749b1cdd93ba71bc7d932
Opcode Fuzzy Hash: 253b53177237f1c137e9a0edac11394ff54c19714b2ce5a1cc09dd21dba236f5
Instruction Fuzzy Hash: 4E4105B4D14618DFDB04DFA9D494AEEBBB2FB89310F14A02AE406A7344DB34588ACF15

Uniqueness

Uniqueness Score: -1.00%

Function 05626F80, Relevance: 1.4, Strings: 1, Instructions: 100COMMON

Download Yara Rule

Strings

|mhr, xrefs: 05626FD3

Memory Dump Source

Source File: 00000000.00000002.351442044.0000000005620000.00000040.00000001.sdmp, Offset: 05620000, based on PE: false

Similarity

API ID:
String ID: |mhr
API String ID: 0-1401776628
Opcode ID: 0006d3b500be4b5aa2007f9d6a47df8bf2fdd90b3d37189930f3a9e677389c7f
Instruction ID: e6dd8ad30a6a7aa719fd67a05ef63ab4c73dfd46722e02bbdb0bba0de0f2a229
Opcode Fuzzy Hash: 0006d3b500be4b5aa2007f9d6a47df8bf2fdd90b3d37189930f3a9e677389c7f
Instruction Fuzzy Hash: E73127B4D14618DBDB04DFE9D495AEDBBB2FB89300F14A02AD406B7244DB35588ACF15

Uniqueness

Uniqueness Score: -1.00%

Function 05625BA0, Relevance: 1.3, Strings: 1, Instructions: 79COMMON

Download Yara Rule

Strings

X$kr, xrefs: 05625C14

Memory Dump Source

Source File: 00000000.00000002.351442044.0000000005620000.00000040.00000001.sdmp, Offset: 05620000, based on PE: false

Similarity

API ID:
String ID: X$kr
API String ID: 0-683389969
Opcode ID: aa5abbeb659531e9f4452e554336d7b4c6ed1aa3fbf61c811ddcfe9fc359b0ed
Instruction ID: fc19f0643ac6cbd9f3fea9d763a6a5aab6dedc78ded4a93e10c64702eb003c90
Opcode Fuzzy Hash: aa5abbeb659531e9f4452e554336d7b4c6ed1aa3fbf61c811ddcfe9fc359b0ed
Instruction Fuzzy Hash: 96312774E056189FCB04DFA9D8519ADBFB2FF89304F2090AAE809A7351EB311A01DF64

Uniqueness

Uniqueness Score: -1.00%

Function 05628A2A, Relevance: 1.3, Strings: 1, Instructions: 76COMMON

Download Yara Rule

Strings

', xrefs: 05628ED7

Memory Dump Source

Source File: 00000000.00000002.351442044.0000000005620000.00000040.00000001.sdmp, Offset: 05620000, based on PE: false

Similarity

API ID:
String ID: '
API String ID: 0-1997036262
Opcode ID: 60118704e1edb401000b03e5344920e121e006e650d4fc7cad4116ae3e821029
Instruction ID: d5484978b7c76ed47d001514081ab7336974b1cfc4ca36d8c3bef0d9d4968e12
Opcode Fuzzy Hash: 60118704e1edb401000b03e5344920e121e006e650d4fc7cad4116ae3e821029
Instruction Fuzzy Hash: 0E319EB8905228CFDB60DF64C988BDDBBB2BB49305F1081DAD449AB351CB749A85CF01

Uniqueness

Uniqueness Score: -1.00%

Function 05628D06, Relevance: 1.3, Strings: 1, Instructions: 74COMMON

Download Yara Rule

Strings

', xrefs: 05628ED7

Memory Dump Source

Source File: 00000000.00000002.351442044.0000000005620000.00000040.00000001.sdmp, Offset: 05620000, based on PE: false

Similarity

API ID:
String ID: '
API String ID: 0-1997036262
Opcode ID: 714b4043d7502379d482bcb3c282c7e9f51851111c77a25019b7d73303f2a555
Instruction ID: 2aa26cda2764f8be08c00136a10482523f5dbae891927442fae274e63f3ec2f4
Opcode Fuzzy Hash: 714b4043d7502379d482bcb3c282c7e9f51851111c77a25019b7d73303f2a555
Instruction Fuzzy Hash: 54319CB8904228CFDB60DF65C899BD8BBB2BB49315F1081DAD409AB350CB745AC9CF00

Uniqueness

Uniqueness Score: -1.00%

Function 05628D80, Relevance: 1.3, Strings: 1, Instructions: 68COMMON

Download Yara Rule

Strings

', xrefs: 05628ED7

Memory Dump Source

Source File: 00000000.00000002.351442044.0000000005620000.00000040.00000001.sdmp, Offset: 05620000, based on PE: false

Similarity

API ID:
String ID: '
API String ID: 0-1997036262
Opcode ID: b0b1824b76c5fcffb3b3ecab5be875f0670f58fd19e934f5d32946a5a75525cc
Instruction ID: 69db98b59a71e87854342d84c50a703811e65b7eb2b87004f93e38180d7d2512
Opcode Fuzzy Hash: b0b1824b76c5fcffb3b3ecab5be875f0670f58fd19e934f5d32946a5a75525cc
Instruction Fuzzy Hash: D831B274A05228CFDB64DF64C998BECBBB2BB89305F1081DAD449AB354CB749E85CF01

Uniqueness

Uniqueness Score: -1.00%

Function 05628877, Relevance: 1.3, Strings: 1, Instructions: 68COMMON

Download Yara Rule

Strings

', xrefs: 05628ED7

Memory Dump Source

Source File: 00000000.00000002.351442044.0000000005620000.00000040.00000001.sdmp, Offset: 05620000, based on PE: false

Similarity

API ID:
String ID: '
API String ID: 0-1997036262
Opcode ID: 541beea12f224dbb538b3145ff95492534ddef98a6cffb576e1647277ef1fed5
Instruction ID: 75f886f1f5137e1547671e46e76386aead6ac9cec5c262c1e114166e4bb79237
Opcode Fuzzy Hash: 541beea12f224dbb538b3145ff95492534ddef98a6cffb576e1647277ef1fed5
Instruction Fuzzy Hash: F5317AB4905628CFDB60DF64C998BD8BBB2AB49305F1081EAD409AB340DB749AC9CF50

Uniqueness

Uniqueness Score: -1.00%

Function 05625BE0, Relevance: 1.3, Strings: 1, Instructions: 67COMMON

Download Yara Rule

Strings

X$kr, xrefs: 05625C14

Memory Dump Source

Source File: 00000000.00000002.351442044.0000000005620000.00000040.00000001.sdmp, Offset: 05620000, based on PE: false

Similarity

API ID:
String ID: X$kr
API String ID: 0-683389969
Opcode ID: 4babc5ef635c9a332d31507a835e2e1f176299004f7cedfb03abf5fd25330a02
Instruction ID: 83c98efda824e39676a2f11af323a108151f8ff87050c4c210c4cedde95cb42e
Opcode Fuzzy Hash: 4babc5ef635c9a332d31507a835e2e1f176299004f7cedfb03abf5fd25330a02
Instruction Fuzzy Hash: 4121F374E012189FDB08DFA9D8449EEBFB2FF88304F20916AD815A7350EB355A41DF60

Uniqueness

Uniqueness Score: -1.00%

Function 0562857E, Relevance: 1.3, Strings: 1, Instructions: 59COMMON

Download Yara Rule

Strings

', xrefs: 05628ED7

Memory Dump Source

Source File: 00000000.00000002.351442044.0000000005620000.00000040.00000001.sdmp, Offset: 05620000, based on PE: false

Similarity

API ID:
String ID: '
API String ID: 0-1997036262
Opcode ID: b6c8ee3db934c91264b0a82d3505eb47b064a2dfadc6a184afc4e1302d457f58
Instruction ID: e4a1800e5854821a82b72edb5e08dd5b599d2881e6f6adc60dbcb244749b7ae7
Opcode Fuzzy Hash: b6c8ee3db934c91264b0a82d3505eb47b064a2dfadc6a184afc4e1302d457f58
Instruction Fuzzy Hash: D421B0B4901268CBDB64DF64CD99BECBBB2BB89305F1081D9D509AB355CB359E85CF00

Uniqueness

Uniqueness Score: -1.00%

Function 0562891A, Relevance: 1.3, Strings: 1, Instructions: 59COMMON

Download Yara Rule

Strings

', xrefs: 05628ED7

Memory Dump Source

Source File: 00000000.00000002.351442044.0000000005620000.00000040.00000001.sdmp, Offset: 05620000, based on PE: false

Similarity

API ID:
String ID: '
API String ID: 0-1997036262
Opcode ID: ab1a87cdf10f71e5a78ef5b7f50522d0e6dd72949bb0ca7ba2e7a965062914aa
Instruction ID: 064a7e0e123e5698219ee1ad29809e4483b242171d3ff49e58c81dceec6a3fa9
Opcode Fuzzy Hash: ab1a87cdf10f71e5a78ef5b7f50522d0e6dd72949bb0ca7ba2e7a965062914aa
Instruction Fuzzy Hash: 0721B074A01268CFDB64DF64C999BECBBB2BB85305F1081D9D409AB354CB749E85CF11

Uniqueness

Uniqueness Score: -1.00%

Function 056289A0, Relevance: 1.3, Strings: 1, Instructions: 59COMMON

Download Yara Rule

Strings

', xrefs: 05628ED7

Memory Dump Source

Source File: 00000000.00000002.351442044.0000000005620000.00000040.00000001.sdmp, Offset: 05620000, based on PE: false

Similarity

API ID:
String ID: '
API String ID: 0-1997036262
Opcode ID: a5daeb06157fb9bc7061864ff72d0941ec0405c5c0bf8a85589797abd61c5c57
Instruction ID: 9e3c77045c27f788d44d85c5cff8362d1682f8d2850888cf3543d6cddfd68130
Opcode Fuzzy Hash: a5daeb06157fb9bc7061864ff72d0941ec0405c5c0bf8a85589797abd61c5c57
Instruction Fuzzy Hash: 9D21D374945228CBDB60CF54D898BECB7B2BB89305F1081DAD40AAB340CB759EC6CF00

Uniqueness

Uniqueness Score: -1.00%

Function 05628A95, Relevance: 1.3, Strings: 1, Instructions: 57COMMON

Download Yara Rule

Strings

', xrefs: 05628ED7

Memory Dump Source

Source File: 00000000.00000002.351442044.0000000005620000.00000040.00000001.sdmp, Offset: 05620000, based on PE: false

Similarity

API ID:
String ID: '
API String ID: 0-1997036262
Opcode ID: 836b7bfb516f090ab28db41f37d1fcdef52f8bb45d55770e9bdbb5bd12a5bc45
Instruction ID: 1868ca4c691d20095ff9fdd53cbcf4fdfec13904318ae99c82a83dc87917878c
Opcode Fuzzy Hash: 836b7bfb516f090ab28db41f37d1fcdef52f8bb45d55770e9bdbb5bd12a5bc45
Instruction Fuzzy Hash: 4421AFB4A05668CBDB64CF64C998B98BBB2BB85305F1081DAD409AB351CB749AC5CF11

Uniqueness

Uniqueness Score: -1.00%

Function 056285D5, Relevance: 1.3, Strings: 1, Instructions: 56COMMON

Download Yara Rule

Strings

', xrefs: 05628ED7

Memory Dump Source

Source File: 00000000.00000002.351442044.0000000005620000.00000040.00000001.sdmp, Offset: 05620000, based on PE: false

Similarity

API ID:
String ID: '
API String ID: 0-1997036262
Opcode ID: 4bd0bdd74723f85bb14ed6741c72e137eb44cb9b5b336578245a0a2d5dd294ad
Instruction ID: f195357801edea31a682aae921707109ca0b49b475060cf75a8998c3d72b73df
Opcode Fuzzy Hash: 4bd0bdd74723f85bb14ed6741c72e137eb44cb9b5b336578245a0a2d5dd294ad
Instruction Fuzzy Hash: 0021ADB4905268CBDB64CF64C998BDCBBB2BB89305F1081DAD409AB351CB759EC5CF00

Uniqueness

Uniqueness Score: -1.00%

Function 056289BD, Relevance: 1.3, Strings: 1, Instructions: 55COMMON

Download Yara Rule

Strings

', xrefs: 05628ED7

Memory Dump Source

Source File: 00000000.00000002.351442044.0000000005620000.00000040.00000001.sdmp, Offset: 05620000, based on PE: false

Similarity

API ID:
String ID: '
API String ID: 0-1997036262
Opcode ID: 8a4f57c320cda01ac753b9bfd3d830025391f79155dcbab8e4fc8bdb929e3320
Instruction ID: b5071f61e2bbdc6a9b6d178d7a11a19dbce33890a9be0890424b462755a5ce02
Opcode Fuzzy Hash: 8a4f57c320cda01ac753b9bfd3d830025391f79155dcbab8e4fc8bdb929e3320
Instruction Fuzzy Hash: C721A374905228CBDB60DF64CD99BDCBBB2BB49305F1081D9D509AB344CB755E85CF00

Uniqueness

Uniqueness Score: -1.00%

Function 0562852A, Relevance: 1.3, Strings: 1, Instructions: 52COMMON

Download Yara Rule

Strings

', xrefs: 05628ED7

Memory Dump Source

Source File: 00000000.00000002.351442044.0000000005620000.00000040.00000001.sdmp, Offset: 05620000, based on PE: false

Similarity

API ID:
String ID: '
API String ID: 0-1997036262
Opcode ID: fba006edfe071e79e0acb04a834243f08db1458059b47c3f6dd4c7f3e6152a8e
Instruction ID: b149d8dd82630569e7228dc7f7d4f6fe0dc696ca3f161679d6a36015ece1df39
Opcode Fuzzy Hash: fba006edfe071e79e0acb04a834243f08db1458059b47c3f6dd4c7f3e6152a8e
Instruction Fuzzy Hash: A0218CB4905228CFDB60DF64C999BD8BBB2BB89305F1081DAD409AB340DB759EC6CF40

Uniqueness

Uniqueness Score: -1.00%

Function 056289F8, Relevance: 1.3, Strings: 1, Instructions: 52COMMON

Download Yara Rule

Strings

', xrefs: 05628ED7

Memory Dump Source

Source File: 00000000.00000002.351442044.0000000005620000.00000040.00000001.sdmp, Offset: 05620000, based on PE: false

Similarity

API ID:
String ID: '
API String ID: 0-1997036262
Opcode ID: c5e2d2a4356ecf6acef40e550db15ebd70f7f16e647e84ec8f48a3909993d41d
Instruction ID: 33bbcee4c8630083bce6b668f2744afe9ffa89ad71707a1ae664cefef91bc8fb
Opcode Fuzzy Hash: c5e2d2a4356ecf6acef40e550db15ebd70f7f16e647e84ec8f48a3909993d41d
Instruction Fuzzy Hash: 3721A2B8905228CBDB60DF54CD99B9CBBB2BB89305F1081D9D509AB395CB759E85CF00

Uniqueness

Uniqueness Score: -1.00%

Function 05626984, Relevance: 1.3, Strings: 1, Instructions: 51COMMON

Download Yara Rule

Strings

, xrefs: 056269DD

Memory Dump Source

Source File: 00000000.00000002.351442044.0000000005620000.00000040.00000001.sdmp, Offset: 05620000, based on PE: false

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 13716782b67c287b202c648bc33a1aa88f659cd37363e248a04826ab13b31d69
Instruction ID: 0a37b01850f1918ea05fb3ee4ecbb803bcc5f3db94c7702e2d2a4bb7ca9449cc
Opcode Fuzzy Hash: 13716782b67c287b202c648bc33a1aa88f659cd37363e248a04826ab13b31d69
Instruction Fuzzy Hash: 1A2126B4C1572ACFCB24DF64E5987ADBFB1BB09309F10819AE45AA3260CF744A84DF41

Uniqueness

Uniqueness Score: -1.00%

Function 05628B35, Relevance: 1.3, Strings: 1, Instructions: 50COMMON

Download Yara Rule

Strings

', xrefs: 05628ED7

Memory Dump Source

Source File: 00000000.00000002.351442044.0000000005620000.00000040.00000001.sdmp, Offset: 05620000, based on PE: false

Similarity

API ID:
String ID: '
API String ID: 0-1997036262
Opcode ID: a4ff9b7a2a77017da7b9124b0232f2bc6add52cd3bcfc2bc539cd22a678eb479
Instruction ID: ed667e7759fb39e00fef4757f247e90b31ff5d1d214b8a737f1b24afe6d45602
Opcode Fuzzy Hash: a4ff9b7a2a77017da7b9124b0232f2bc6add52cd3bcfc2bc539cd22a678eb479
Instruction Fuzzy Hash: 7B21A378905268CFDB60DF64C999BDCBBB2BB89305F1081DAD40AAB344CB759E85CF00

Uniqueness

Uniqueness Score: -1.00%

Function 056288E8, Relevance: 1.3, Strings: 1, Instructions: 48COMMON

Download Yara Rule

Strings

', xrefs: 05628ED7

Memory Dump Source

Source File: 00000000.00000002.351442044.0000000005620000.00000040.00000001.sdmp, Offset: 05620000, based on PE: false

Similarity

API ID:
String ID: '
API String ID: 0-1997036262
Opcode ID: 6427e0bae41666843fa5a3e25bf0fe9240d4ca09b3b603362d730bac76dcc3e8
Instruction ID: e00134be1e817c382da46863ace10994076d8448dce7d82a8384e8ea0fb11a07
Opcode Fuzzy Hash: 6427e0bae41666843fa5a3e25bf0fe9240d4ca09b3b603362d730bac76dcc3e8
Instruction Fuzzy Hash: 4521CFB4905228CFDB64DF24C998BDCBBB2BB89305F1081D9D409AB384CB759E86CF00

Uniqueness

Uniqueness Score: -1.00%

Function 05628569, Relevance: 1.3, Strings: 1, Instructions: 47COMMON

Download Yara Rule

Strings

', xrefs: 05628ED7

Memory Dump Source

Source File: 00000000.00000002.351442044.0000000005620000.00000040.00000001.sdmp, Offset: 05620000, based on PE: false

Similarity

API ID:
String ID: '
API String ID: 0-1997036262
Opcode ID: 51d6c4fd8d926a6437d4b7a3bcc8f2e6fb7ae588cab72e3877048c5e5492508f
Instruction ID: 2869362c65e4ea53c5af111494b5eedea65126f700c95178f783cbb7034353ba
Opcode Fuzzy Hash: 51d6c4fd8d926a6437d4b7a3bcc8f2e6fb7ae588cab72e3877048c5e5492508f
Instruction Fuzzy Hash: DB21B0B4905628CBDB64DF65CD98BDCBBB2BB89305F1081DAD409AB344CB759E86CF00

Uniqueness

Uniqueness Score: -1.00%

Function 056288D3, Relevance: 1.3, Strings: 1, Instructions: 47COMMON

Download Yara Rule

Strings

', xrefs: 05628ED7

Memory Dump Source

Source File: 00000000.00000002.351442044.0000000005620000.00000040.00000001.sdmp, Offset: 05620000, based on PE: false

Similarity

API ID:
String ID: '
API String ID: 0-1997036262
Opcode ID: 61db9a0bf0febaec6a46b2afb8f685abd091c6cbcca25b20bc116d645d7761fc
Instruction ID: 619f3d40736646c1ced1e88127b2a5f61dbaf9dac97c8f9b78ff982b7658b070
Opcode Fuzzy Hash: 61db9a0bf0febaec6a46b2afb8f685abd091c6cbcca25b20bc116d645d7761fc
Instruction Fuzzy Hash: 8421B0B4905228CBDB64DF64C998BDCBBB2BB89305F1081DAD409AB344CB759E86CF00

Uniqueness

Uniqueness Score: -1.00%

Function 05628AAF, Relevance: 1.3, Strings: 1, Instructions: 46COMMON

Download Yara Rule

Strings

+, xrefs: 05628E60

Memory Dump Source

Source File: 00000000.00000002.351442044.0000000005620000.00000040.00000001.sdmp, Offset: 05620000, based on PE: false

Similarity

API ID:
String ID: +
API String ID: 0-2126386893
Opcode ID: c7ff5095c26d4bd8ae9a77c10e1f664b52b7c3880fbd172ead35b548cf022885
Instruction ID: d031cc64c650259f6f3879b56cead665a48c1f70359b19d19d22e6d5cbb0ce5f
Opcode Fuzzy Hash: c7ff5095c26d4bd8ae9a77c10e1f664b52b7c3880fbd172ead35b548cf022885
Instruction Fuzzy Hash: D011C374D08268DBCBA5DF64C944BECBBB2BF88304F5081EAD109AB255DB355E86DF01

Uniqueness

Uniqueness Score: -1.00%

Function 05628868, Relevance: 1.3, Strings: 1, Instructions: 44COMMON

Download Yara Rule

Strings

', xrefs: 05628ED7

Memory Dump Source

Source File: 00000000.00000002.351442044.0000000005620000.00000040.00000001.sdmp, Offset: 05620000, based on PE: false

Similarity

API ID:
String ID: '
API String ID: 0-1997036262
Opcode ID: 00a04914bd84b53ef9ec40eef1a9fea8bdf484fcf0fbcaeca479806a48b4a88e
Instruction ID: 84bb07f2b36e2005e5c359385e1d701f9911ef3308bbd49b65ce4ca3a3e7f95a
Opcode Fuzzy Hash: 00a04914bd84b53ef9ec40eef1a9fea8bdf484fcf0fbcaeca479806a48b4a88e
Instruction Fuzzy Hash: 3E1192B4905268CBDB64DF64C999BDCBBB2BB89305F1081D9D409AB344CB759EC5CF00

Uniqueness

Uniqueness Score: -1.00%

Function 0562937B, Relevance: 1.3, Strings: 1, Instructions: 29COMMON

Download Yara Rule

Strings

x, xrefs: 05629381

Memory Dump Source

Source File: 00000000.00000002.351442044.0000000005620000.00000040.00000001.sdmp, Offset: 05620000, based on PE: false

Similarity

API ID:
String ID: x
API String ID: 0-2363233923
Opcode ID: 61f86cb812046981f511583b642349e9b90967e88a78e0ca01dcc40a8cf4ab21
Instruction ID: bc8916aea4814fdf2e83d77be8435fd2c4a791601687ac20b5172c7352e16569
Opcode Fuzzy Hash: 61f86cb812046981f511583b642349e9b90967e88a78e0ca01dcc40a8cf4ab21
Instruction Fuzzy Hash: 0EF05836904208EFDF01CF90C941BADBBB2FB49300F24C599A85852391C6369A62EF42

Uniqueness

Uniqueness Score: -1.00%

Function 05621F6D, Relevance: 1.3, Strings: 1, Instructions: 16COMMON

Download Yara Rule

Strings

0, xrefs: 05621F92

Memory Dump Source

Source File: 00000000.00000002.351442044.0000000005620000.00000040.00000001.sdmp, Offset: 05620000, based on PE: false

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 3dd0406ca0a3555e1951296099bff69567777878875590a3f0798996bed67e0d
Instruction ID: 8147178e48a288d78d14d9da56624926e2577dd791571fb7f1a413064aae8716
Opcode Fuzzy Hash: 3dd0406ca0a3555e1951296099bff69567777878875590a3f0798996bed67e0d
Instruction Fuzzy Hash: 1AE075B4A26228CFDB61DF25C945B99BBF9BF49304F1192DA980DA7301DB705E81CF11

Uniqueness

Uniqueness Score: -1.00%

Function 05628EE6, Relevance: 1.3, Strings: 1, Instructions: 4COMMON

Download Yara Rule

Strings

., xrefs: 05628EED

Memory Dump Source

Source File: 00000000.00000002.351442044.0000000005620000.00000040.00000001.sdmp, Offset: 05620000, based on PE: false

Similarity

API ID:
String ID: .
API String ID: 0-248832578
Opcode ID: 8d705a94caaef7b7eaa790080a8d4ee9447dbdcae11eed19cc18a884dac8c817
Instruction ID: ffd0960c7d93092db31a6bcc55940a6c309cb3d99343003b792a4afc43cafb1e
Opcode Fuzzy Hash: 8d705a94caaef7b7eaa790080a8d4ee9447dbdcae11eed19cc18a884dac8c817
Instruction Fuzzy Hash: 92A011B80003A28BCB088B20C80C3883AA0A30330AF00A08AA00AA2002CBB8008A8E80

Uniqueness

Uniqueness Score: -1.00%

Function 0100AA37, Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.346986212.0000000001002000.00000040.00000001.sdmp, Offset: 01002000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 204bdb20f3ea45ccbc74fb03093881ecdfe517bbf76eee360de618d5c7bff671
Instruction ID: 2e7cdeb3064e29f01858ff2293ecc9a9b61f68a6895f41e70e0ac63d647d9823
Opcode Fuzzy Hash: 204bdb20f3ea45ccbc74fb03093881ecdfe517bbf76eee360de618d5c7bff671
Instruction Fuzzy Hash: C65184B6509380AFD312CF259C41957FFF4EF86620F0889DFF9889B252D275A905CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0100A5AC, Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.346986212.0000000001002000.00000040.00000001.sdmp, Offset: 01002000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 659a6b9c2962a985608cf90cf5dbae10757b5eff6e037473b3ab009d7763ce3a
Instruction ID: 12174539f8998f98ced9652b3e0c341456a77a9bdc1e65e611af5f26a0e0c863
Opcode Fuzzy Hash: 659a6b9c2962a985608cf90cf5dbae10757b5eff6e037473b3ab009d7763ce3a
Instruction Fuzzy Hash: B251B2B254D380AFD302CF159C51957FFF4EF86620F09899BF9889B252D275A908CB72

Uniqueness

Uniqueness Score: -1.00%

Function 04FC0221, Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.349183972.0000000004FC0000.00000040.00000001.sdmp, Offset: 04FC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd9c0ed6635a0d123a7dc73595cf5d3a492467fbfe9f8c44b173e3a811e78ef2
Instruction ID: 11b9397bced8d673633a36541f471142056d13772ceb7c79db84b840efed189e
Opcode Fuzzy Hash: bd9c0ed6635a0d123a7dc73595cf5d3a492467fbfe9f8c44b173e3a811e78ef2
Instruction Fuzzy Hash: A651A078E05219DFDB01CFA8C980A9DBBF1FB4D310F1454A9E542AB3A0DB35A952DF60

Uniqueness

Uniqueness Score: -1.00%

Function 04FC2DFA, Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.349183972.0000000004FC0000.00000040.00000001.sdmp, Offset: 04FC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5af2dc0af8f9e3a91c47439111207176bc8b25490bcf8c6853aa068da23b20e
Instruction ID: 5dcc4a44b09d8e4c959091c8309ea89a46e1e69292753196f6b6700db1d3b244
Opcode Fuzzy Hash: a5af2dc0af8f9e3a91c47439111207176bc8b25490bcf8c6853aa068da23b20e
Instruction Fuzzy Hash: F1613A74E10259CFDB24DFA5D984B9CBBF1FB08304F1085AAE809AB394DB719985DF40

Uniqueness

Uniqueness Score: -1.00%

Function 0562987E, Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.351442044.0000000005620000.00000040.00000001.sdmp, Offset: 05620000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1cbc3198ccaa554cd55bd3441e8a29f27a53cc4b34f41884c44d2afa27a20a0
Instruction ID: 127b6995d07c863a1ce5e0f2d6907a49fc02caf99a84cc100139ec9204e5da1a
Opcode Fuzzy Hash: d1cbc3198ccaa554cd55bd3441e8a29f27a53cc4b34f41884c44d2afa27a20a0
Instruction Fuzzy Hash: B351CCB4D05629CFEB20DFA5C588BEDBBF2FB49304F10946AD41AAB245D7349886CF14

Uniqueness

Uniqueness Score: -1.00%

Function 04FC328C, Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.349183972.0000000004FC0000.00000040.00000001.sdmp, Offset: 04FC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f370e9a93e93540094e1a086d2c9c1abe6be729dd7373a87b09ac088a11ef251
Instruction ID: ce300413a95bddf3dcf23446dff97778259728be5aae29cde97f7bfbf36e16d2
Opcode Fuzzy Hash: f370e9a93e93540094e1a086d2c9c1abe6be729dd7373a87b09ac088a11ef251
Instruction Fuzzy Hash: BA514874E10259CFDB20DFA4D998B9CBBB1FB49308F1081AAE809A7354DB709989DF41

Uniqueness

Uniqueness Score: -1.00%

Function 05626A3F, Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.351442044.0000000005620000.00000040.00000001.sdmp, Offset: 05620000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e04eb23629aaf36bc743dbb1e4aa0e37bf8deabab93fc7c05917c222e972e8c2
Instruction ID: 4921231aa7eb6f89aef2558bd0d16d4270b277b237c8c404984549cab37747a9
Opcode Fuzzy Hash: e04eb23629aaf36bc743dbb1e4aa0e37bf8deabab93fc7c05917c222e972e8c2
Instruction Fuzzy Hash: F94104B4C1576ACFDB28CFA5D0487EDBBB1BB05309F00846AD016B76A0CB784689CF54

Uniqueness

Uniqueness Score: -1.00%

Function 04FC33F7, Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.349183972.0000000004FC0000.00000040.00000001.sdmp, Offset: 04FC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 666e5264070a5269489b15920159ff3f73df7ac886eb2730fefdaa3d65f8ab31
Instruction ID: fef52d7b02bcd9bd87c880244a25ccf29e172f38647843f23f2d46e8f0cc97bf
Opcode Fuzzy Hash: 666e5264070a5269489b15920159ff3f73df7ac886eb2730fefdaa3d65f8ab31
Instruction Fuzzy Hash: 95516C74E11259CFDB64DFA4D998B9CBFB1FB08304F1082AAE809A7354DB709989DF50

Uniqueness

Uniqueness Score: -1.00%

Function 04FC30B6, Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.349183972.0000000004FC0000.00000040.00000001.sdmp, Offset: 04FC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9a8cccf48df3f0c0faf358ffa5fa00193551de104d94ec7b854fd83a98d6415
Instruction ID: d8b2439907294f82219c10494abf386643a2c920ae935ee9c983598dd33b3ecb
Opcode Fuzzy Hash: f9a8cccf48df3f0c0faf358ffa5fa00193551de104d94ec7b854fd83a98d6415
Instruction Fuzzy Hash: 4B513BB4E10259CFDB14DFA9E584B9CBBF0FB08354F10816AE8099B355DB709885DF40

Uniqueness

Uniqueness Score: -1.00%

Function 04FC303E, Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.349183972.0000000004FC0000.00000040.00000001.sdmp, Offset: 04FC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f5263576710e749d0322390c5de9448759097bfaf1fdac5b6e406e20d37b732
Instruction ID: 8dde4c6d111de1395d89b212f5bf052f0be7a15c3a6ab87b67d11b4d698aa5b0
Opcode Fuzzy Hash: 3f5263576710e749d0322390c5de9448759097bfaf1fdac5b6e406e20d37b732
Instruction Fuzzy Hash: 07513AB4D1025ACFDB24DFA9E588B9CBBB1FB08354F10C16AE809AB354DB709985DF40

Uniqueness

Uniqueness Score: -1.00%

Function 04FC35E5, Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.349183972.0000000004FC0000.00000040.00000001.sdmp, Offset: 04FC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92ddfc3ad0ac94ce55790b78bf8dd7f70c351ed27701fc113232bc0ba4d16734
Instruction ID: a21a68e2d5d3c629f8c72a6ed9a42e937247f99f10105b40bfc08f63f902cab6
Opcode Fuzzy Hash: 92ddfc3ad0ac94ce55790b78bf8dd7f70c351ed27701fc113232bc0ba4d16734
Instruction Fuzzy Hash: 425129B4E1025ACFDB14DFA5D588B9CBFB0FB08354F1081AAE809A7354DB74A985DF50

Uniqueness

Uniqueness Score: -1.00%

Function 04FC2DB9, Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.349183972.0000000004FC0000.00000040.00000001.sdmp, Offset: 04FC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 952519d0497f3d6fee0921edaaac8eba86b6c2eb3ad49343a04bba4ac5b5e570
Instruction ID: 62dde35458396b73a44a9dd840b003fdf0451fcaa536a8ac6fbd70e60292265f
Opcode Fuzzy Hash: 952519d0497f3d6fee0921edaaac8eba86b6c2eb3ad49343a04bba4ac5b5e570
Instruction Fuzzy Hash: 60417970E1124ACFDB24DFA9E588B9CBBB1FB09304F1081AAE809D7355DBB09985DF41

Uniqueness

Uniqueness Score: -1.00%

Function 04FC2DC8, Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.349183972.0000000004FC0000.00000040.00000001.sdmp, Offset: 04FC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3e78aa74207c6e3c2c8754d9e8295732e543884b207962ca08d9fbe339a678b
Instruction ID: 3978455709af613e319777bae0001f6bc1b7ce6d28261c6f65e7057c01ce41f3
Opcode Fuzzy Hash: f3e78aa74207c6e3c2c8754d9e8295732e543884b207962ca08d9fbe339a678b
Instruction Fuzzy Hash: 13414D70E1125ACFDB24DFA5D588B9CBBB1FB08344F10C1AAE809A7255DBB09985DF41

Uniqueness

Uniqueness Score: -1.00%

Function 04FC3386, Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.349183972.0000000004FC0000.00000040.00000001.sdmp, Offset: 04FC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b23898bf35897cd2a2112f70f94c452374f0b33830ed9f5c300d8749d014bdc1
Instruction ID: d72b3e5f6ba27de22ea80c8a5b7a01458a730fe2936b002b701a524762627848
Opcode Fuzzy Hash: b23898bf35897cd2a2112f70f94c452374f0b33830ed9f5c300d8749d014bdc1
Instruction Fuzzy Hash: 66412B74E1125ACFDB14DFA9E584B9CBBB1FB08354F20C1AAE8099B354DB709985DF40

Uniqueness

Uniqueness Score: -1.00%

Function 04FC2F15, Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.349183972.0000000004FC0000.00000040.00000001.sdmp, Offset: 04FC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c028b4627447f29dbe758c4179cf7cc2ce5691f4c762b578190c3e8337ddadfe
Instruction ID: 9c24042383050cddb3d3aa0973ea69ec195324eec9286094a91a98d0e3ee85cb
Opcode Fuzzy Hash: c028b4627447f29dbe758c4179cf7cc2ce5691f4c762b578190c3e8337ddadfe
Instruction Fuzzy Hash: D5512A74E11259CFDB64DFA9E988B9CBBB1FB08304F1081AAE809A7354DB709985DF41

Uniqueness

Uniqueness Score: -1.00%

Function 04FC319F, Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.349183972.0000000004FC0000.00000040.00000001.sdmp, Offset: 04FC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d1cc4230f477219d2765f0a341d24cbf0eefdb9a0ab2501e5be3079ae337810
Instruction ID: 32b4460317f83858421439b5f97774f759bc33e796ee6a365a48a840ef30aef7
Opcode Fuzzy Hash: 1d1cc4230f477219d2765f0a341d24cbf0eefdb9a0ab2501e5be3079ae337810
Instruction Fuzzy Hash: 41412B74E10259CFDB24DFA9D588B9CBFB1FB08358F20816AE809A7355DB709985DF40

Uniqueness

Uniqueness Score: -1.00%

Function 04FC2F80, Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.349183972.0000000004FC0000.00000040.00000001.sdmp, Offset: 04FC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4601952eb9052ab40cde6f9f3cd1556c2c179680d48c80a0e00b210dc588c581
Instruction ID: 0bee4161809e68cfd5fe33d85229686841671644903827da13cff66bb77fe6dc
Opcode Fuzzy Hash: 4601952eb9052ab40cde6f9f3cd1556c2c179680d48c80a0e00b210dc588c581
Instruction Fuzzy Hash: 36414BB4E11259CFDB64DFA5E588B9CBBB1FB08304F1081AAE809A7354DBB09985DF40

Uniqueness

Uniqueness Score: -1.00%

Function 04FC34A4, Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.349183972.0000000004FC0000.00000040.00000001.sdmp, Offset: 04FC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6acf8d477a9bdf6da454d695048d54b76475ed65802674fec1a221a743a3859
Instruction ID: 6e9df7cadda212db73c10598d10fe4960f9a25ba25caccdb95853b590007d99c
Opcode Fuzzy Hash: f6acf8d477a9bdf6da454d695048d54b76475ed65802674fec1a221a743a3859
Instruction Fuzzy Hash: 76413A74E1025ACFDB20DFA9E584B9CBBB1FB08354F1081AAE809EB354DB709985DF50

Uniqueness

Uniqueness Score: -1.00%

Function 04FC300D, Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.349183972.0000000004FC0000.00000040.00000001.sdmp, Offset: 04FC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f379bbe3690cc3a85739f1cdf39598ea0c7f800c29c39a64606d960017c4d52
Instruction ID: c04482bfd0367f5de66c7823f80cb3975156971eabd71158d56a6ddcfd7f34bc
Opcode Fuzzy Hash: 5f379bbe3690cc3a85739f1cdf39598ea0c7f800c29c39a64606d960017c4d52
Instruction Fuzzy Hash: 42414BB4E10259CFDB20DFA9E588B9CBBB1FB08354F10C1AAE8099B354DB709885DF40

Uniqueness

Uniqueness Score: -1.00%

Function 04FC2FDD, Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.349183972.0000000004FC0000.00000040.00000001.sdmp, Offset: 04FC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63769f8116c9635f9f95a6baf349cc04f14761d0fa4c04162618a729c21959c2
Instruction ID: d7d4b31973ab32b831ed0e1b241421ec2427342178ff8ddf7931793d362b122d
Opcode Fuzzy Hash: 63769f8116c9635f9f95a6baf349cc04f14761d0fa4c04162618a729c21959c2
Instruction Fuzzy Hash: 83414BB4E1025ACFDB20DFA9E584B9CBBF1FB08354F1081AAE8099B355DB709985DF40

Uniqueness

Uniqueness Score: -1.00%

Function 04FC09D9, Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.349183972.0000000004FC0000.00000040.00000001.sdmp, Offset: 04FC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c14c6c4ea1701414c1a65e699143b6ecf75febbe83b4c6802fd2ded979d5e31a
Instruction ID: f704e4c3806a3cb240f0fa3bd97b4d4ea48c594f38a493090753747e35767554
Opcode Fuzzy Hash: c14c6c4ea1701414c1a65e699143b6ecf75febbe83b4c6802fd2ded979d5e31a
Instruction Fuzzy Hash: 5C313970E00209EFDB05DFA4C691AEEBBB2FF89300F2081A9D941A7390CB355E01DB61

Uniqueness

Uniqueness Score: -1.00%

Function 056268AA, Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.351442044.0000000005620000.00000040.00000001.sdmp, Offset: 05620000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa773a10732e1120ef2a5d9d86e69628e18b3c80825e73b25825a31f58a272cf
Instruction ID: 4e15fd2ca24ee65deeed104b1148f4d9254f07234af14a459ff95985b892610e
Opcode Fuzzy Hash: fa773a10732e1120ef2a5d9d86e69628e18b3c80825e73b25825a31f58a272cf
Instruction Fuzzy Hash: 5B317974C1976ACFCB15CF64E1487ECBFB0BB06305F10819AE059A72A1CB78598ACF41

Uniqueness

Uniqueness Score: -1.00%

Function 0100A944, Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.346986212.0000000001002000.00000040.00000001.sdmp, Offset: 01002000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0472c71df0cf4d7a8b3f122f02962b2555580febf1a955c87f856056b853546
Instruction ID: 01a70c41a6640ce03e831e694beae620fdd7f34e305a35f3c7396cf3b4bd1923
Opcode Fuzzy Hash: e0472c71df0cf4d7a8b3f122f02962b2555580febf1a955c87f856056b853546
Instruction Fuzzy Hash: 862141B6544304BFD350CF4AEC41E5BFBE8EB88660F14C91EFD4997201D271A9148BA2

Uniqueness

Uniqueness Score: -1.00%

Function 0100A810, Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.346986212.0000000001002000.00000040.00000001.sdmp, Offset: 01002000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ecc47b06f09b68b06bfab089ddeb02eab1c55b07a3a88da774247aed2a76a85b
Instruction ID: a6cd59887c3b4bbcd56d43204ec54e85d26eaa696727c6fdb4e9b8920849e2d6
Opcode Fuzzy Hash: ecc47b06f09b68b06bfab089ddeb02eab1c55b07a3a88da774247aed2a76a85b
Instruction Fuzzy Hash: 4C217EB6508340AFD710CF1AEC41E5BFFE8EB88620F04C96EFD4997211D271A5048BA2

Uniqueness

Uniqueness Score: -1.00%

Function 0100A6EC, Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.346986212.0000000001002000.00000040.00000001.sdmp, Offset: 01002000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d89a0062a320e7a5674d24abf1535e8a4934781ab7d4256b22fc88e4921a7f64
Instruction ID: ae7a0d91bad5f789b5185595e953d972bdfa62fd156c712724a90483b6893103
Opcode Fuzzy Hash: d89a0062a320e7a5674d24abf1535e8a4934781ab7d4256b22fc88e4921a7f64
Instruction Fuzzy Hash: 3C2141B6544305BFD350CF4AEC41E5BFBE8EB88660F14C91EFD4997201D271A9148BA2

Uniqueness

Uniqueness Score: -1.00%

Function 0100A394, Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.346986212.0000000001002000.00000040.00000001.sdmp, Offset: 01002000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08772d196d61bd92602fc30e610dfd400aacb6667a0ddd24259911fc7e6234e2
Instruction ID: d8b30cc017b7f2f611dff49156a3d82ecac124976a329be561a105e4abbc48bd
Opcode Fuzzy Hash: 08772d196d61bd92602fc30e610dfd400aacb6667a0ddd24259911fc7e6234e2
Instruction Fuzzy Hash: 9D21D6B6549340AFD3118F56EC41E57FFA8EB85630F08C9AFFD489B212D271A504CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 04FC0006, Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.349183972.0000000004FC0000.00000040.00000001.sdmp, Offset: 04FC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 342e62fed781e4d03fc608fdfbf86d34caf5acac288aab31cae0a585c1b89103
Instruction ID: e2232bde4b8ff825426fc8c1dc180a9a5e1d8ddab411f7d8edbac1e3c953a786
Opcode Fuzzy Hash: 342e62fed781e4d03fc608fdfbf86d34caf5acac288aab31cae0a585c1b89103
Instruction Fuzzy Hash: 232172B294E3C58FD7074B708C6529A7FB09F17214F1A04DBC481DB2A3E66D590BC762

Uniqueness

Uniqueness Score: -1.00%

Function 04FC09E8, Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.349183972.0000000004FC0000.00000040.00000001.sdmp, Offset: 04FC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a172a43d14c3fe822259864ca5067615f17ab5118fcbf32c2971cf7f3685fb1
Instruction ID: 9b23db1113770f3f7326ff53689a07e8192e415a8912f78af66036de18147b6a
Opcode Fuzzy Hash: 6a172a43d14c3fe822259864ca5067615f17ab5118fcbf32c2971cf7f3685fb1
Instruction Fuzzy Hash: 01310874E00209EBDB05EFA4C691AEEB7B2FF89300F2081A9D945B7394DB315E01DB65

Uniqueness

Uniqueness Score: -1.00%

Function 0100A95A, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.346986212.0000000001002000.00000040.00000001.sdmp, Offset: 01002000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0e71f4788860286eff546026052992b29a151a05922c0c94266d2849677fd71
Instruction ID: 1de5899cecc2f2a3b03433ff0b0d419519deac47279ecf5f26f9b080090998cb
Opcode Fuzzy Hash: f0e71f4788860286eff546026052992b29a151a05922c0c94266d2849677fd71
Instruction Fuzzy Hash: F0212CB6644304AFD350CF4AEC41E5BFBE8EB88630F14C96EFD4997311D275A9148BA2

Uniqueness

Uniqueness Score: -1.00%

Function 0100A82E, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.346986212.0000000001002000.00000040.00000001.sdmp, Offset: 01002000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63b513bd3b69274735f8abab5e5fac6fe0e41d3e786123d3772fc9dc0114dcd4
Instruction ID: fa36c94db511f553c66714360b32a2f3ebd6bd1f783a2c187936b75910f83e3c
Opcode Fuzzy Hash: 63b513bd3b69274735f8abab5e5fac6fe0e41d3e786123d3772fc9dc0114dcd4
Instruction Fuzzy Hash: 6B212CB6644304AFD350CF4AEC41E5BFBE8EB88630F14C96EFD4997311D275A9148BA2

Uniqueness

Uniqueness Score: -1.00%

Function 0100A702, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.346986212.0000000001002000.00000040.00000001.sdmp, Offset: 01002000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39541843fd3284024f3ba8bd907cd78cd2ffb0d334a41a361405c000b82e243d
Instruction ID: b0346a83b8d6485ba1a3a66386fa20e4c4ffbc13b0f5b50227018b4067471c98
Opcode Fuzzy Hash: 39541843fd3284024f3ba8bd907cd78cd2ffb0d334a41a361405c000b82e243d
Instruction Fuzzy Hash: E5212CB6644304AFD350CF4AEC41E5BFBE8EB88670F14C96EFD4897311D275A9148BA2

Uniqueness

Uniqueness Score: -1.00%

Function 0100A190, Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.346986212.0000000001002000.00000040.00000001.sdmp, Offset: 01002000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23a6d4c4ef40187ea3f7cd196623c64d3af744a6d11a10f42d32f792c515cd34
Instruction ID: 95aa1ae642c3219db113eaaa4ffd4cafcfdca73d36dec15e59de9aef038dc9fa
Opcode Fuzzy Hash: 23a6d4c4ef40187ea3f7cd196623c64d3af744a6d11a10f42d32f792c515cd34
Instruction Fuzzy Hash: 9111D6B2640304BFD6108E0AAC41E67FFACEB84A70F14C55EFE095B201D272B9148BB1

Uniqueness

Uniqueness Score: -1.00%

Function 0100A5D6, Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.346986212.0000000001002000.00000040.00000001.sdmp, Offset: 01002000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bab804d3e8646cc48792064f53ab2dc5a9d18d7bac39d74f0ebca364bc738c3e
Instruction ID: ee45505e320d7ab880d04a4355694bbc9e1843692261bbc2bc701515e85476c3
Opcode Fuzzy Hash: bab804d3e8646cc48792064f53ab2dc5a9d18d7bac39d74f0ebca364bc738c3e
Instruction Fuzzy Hash: BB1193B6644304BFD6108F4AEC41E67FBE8EB84630F14C96AFE485B211D276B5148BA2

Uniqueness

Uniqueness Score: -1.00%

Function 0100A3BE, Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.346986212.0000000001002000.00000040.00000001.sdmp, Offset: 01002000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff37340675dd43f56f7057145a4194a59f75907b1b58ab4e4efe936d1c7a9bca
Instruction ID: 113d720a401cef4eb9ba7023147cb5621c827e1f388c64b78423ebc25e6c32c6
Opcode Fuzzy Hash: ff37340675dd43f56f7057145a4194a59f75907b1b58ab4e4efe936d1c7a9bca
Instruction Fuzzy Hash: D51193B6644304BFD6108F4AEC41E67FBE8EB84630F14C96AFD485B211D276B5148BA2

Uniqueness

Uniqueness Score: -1.00%

Function 0100A1A6, Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.346986212.0000000001002000.00000040.00000001.sdmp, Offset: 01002000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebbb91ee1e6c40333d019209029804333e1062bd82c8d7cb338f1ca069b58478
Instruction ID: a859c66351a7f4821cb39f885e4af93ace856d11c02e4bc122a6294015e02613
Opcode Fuzzy Hash: ebbb91ee1e6c40333d019209029804333e1062bd82c8d7cb338f1ca069b58478
Instruction Fuzzy Hash: 6111C6B2644304BFD6508E0AEC41E67FBA8EB84A30F18C56AFE085B601D276B5148BB1

Uniqueness

Uniqueness Score: -1.00%

Function 05626B9D, Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.351442044.0000000005620000.00000040.00000001.sdmp, Offset: 05620000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2bd3d9b19e85f7d9dd4d4300bb8e277be1a01c88a2ef863cc7e120709feab665
Instruction ID: f1d94b476929468cb82bdc4c34fdcfeb889a7cc7d7ce68953c8179f8c6014d0e
Opcode Fuzzy Hash: 2bd3d9b19e85f7d9dd4d4300bb8e277be1a01c88a2ef863cc7e120709feab665
Instruction Fuzzy Hash: 7121F574C1562ACFCB24CFA5D1587EDBBB1BB05309F10846AE056B26A0CF784685CF55

Uniqueness

Uniqueness Score: -1.00%

Function 04FC00F8, Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.349183972.0000000004FC0000.00000040.00000001.sdmp, Offset: 04FC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18cd34c0481f6d4f3c29fa4560228691e968d97b674e5a807b54c26e068d41dc
Instruction ID: 6a10b69daba3e60a0d1d1b8986c5673c7ed01cf742d8e9452f50eca590b3a3cc
Opcode Fuzzy Hash: 18cd34c0481f6d4f3c29fa4560228691e968d97b674e5a807b54c26e068d41dc
Instruction Fuzzy Hash: B8216230A01249EFCB05EFA8D8454ADBB72FF81304F2441A9D94697359DF731E15CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 04FC1A78, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.349183972.0000000004FC0000.00000040.00000001.sdmp, Offset: 04FC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e405c4c179acee5548df2039e93d8eb339f135b626e1cd9bee7de73778cda816
Instruction ID: ddd3a8c31ec85c1bcac5468bd06f7550bfa06050aa9ac8979327f03b37b7d86c
Opcode Fuzzy Hash: e405c4c179acee5548df2039e93d8eb339f135b626e1cd9bee7de73778cda816
Instruction Fuzzy Hash: C4212E74E0420ACFDB10EFA4D7083AEBBB4FB09306F14856AD415A3246F77A6596CF52

Uniqueness

Uniqueness Score: -1.00%

Function 010B075C, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.347107833.00000000010B0000.00000040.00000040.sdmp, Offset: 010B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6ba4a5abe7bb31034bbcf6e832cafd3ef451edc97a7db0d43a9d9e9a93cad55
Instruction ID: c10b1d1cc0287491c295adb1d778bea1bcde9836cd00ab16a1f5bab560f2aa42
Opcode Fuzzy Hash: f6ba4a5abe7bb31034bbcf6e832cafd3ef451edc97a7db0d43a9d9e9a93cad55
Instruction Fuzzy Hash: 2611C034644244EFD315CB24C984B66FBE5AB88708F24C5ECE9891B657C777D803CA51

Uniqueness

Uniqueness Score: -1.00%

Function 04FC2208, Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.349183972.0000000004FC0000.00000040.00000001.sdmp, Offset: 04FC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 765ce8584db5b76b6a1f23b81f3570e34d65c36ebc2b6f63351053e3b32e7c47
Instruction ID: a191388f5c6661fc7021077330bd8ccffd8eede6d60a2d7d41ce11a6a09b1852
Opcode Fuzzy Hash: 765ce8584db5b76b6a1f23b81f3570e34d65c36ebc2b6f63351053e3b32e7c47
Instruction Fuzzy Hash: D701D2B0D09289DFEB02CFB0D5003A9BFB4EB56314F0649EED84497262E7766942CB51

Uniqueness

Uniqueness Score: -1.00%

Function 05625CC8, Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.351442044.0000000005620000.00000040.00000001.sdmp, Offset: 05620000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7649ff14e7fa755642c3425099bd849c8305e9386be21f8b95aa4d12cd0babc6
Instruction ID: 37425c6a8db7c9bc86542396e1c934f9cba332ad6289d5a923c4662ace9b9a01
Opcode Fuzzy Hash: 7649ff14e7fa755642c3425099bd849c8305e9386be21f8b95aa4d12cd0babc6
Instruction Fuzzy Hash: 00210634E05218AFCB01CFA8C9418ADBFB2EF49204F1491AADC05A7351EA315E11CF61

Uniqueness

Uniqueness Score: -1.00%

Function 04FC1A67, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.349183972.0000000004FC0000.00000040.00000001.sdmp, Offset: 04FC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9df3da749aada1ded8bece20f6b67aa7782b5ba209991ead29de8d6e85cd219
Instruction ID: 39c31468939f0ded96d392b5900ae9f5ba5d1918d2fae3521b2ebe3898a0f841
Opcode Fuzzy Hash: d9df3da749aada1ded8bece20f6b67aa7782b5ba209991ead29de8d6e85cd219
Instruction Fuzzy Hash: 2D116A30D0530ACFCB11AFB4D2083AD7BB4FB0A316F24856AD406E2156F77A1996CF11

Uniqueness

Uniqueness Score: -1.00%

Function 0100AAF5, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.346986212.0000000001002000.00000040.00000001.sdmp, Offset: 01002000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58fe77ee1a055a0f7ffdaaa2d591f6f46521783d79d13bd1728bc0de2a2a5774
Instruction ID: 85c3359dfc2ef5c4173cc02b80e45fc2b30441b9ebd75b59f7e27a1d70fa0425
Opcode Fuzzy Hash: 58fe77ee1a055a0f7ffdaaa2d591f6f46521783d79d13bd1728bc0de2a2a5774
Instruction Fuzzy Hash: 0D11D7B5908301AFD340CF19D881A5BFBE4FB88660F048D6EF99897311D371EA048FA2

Uniqueness

Uniqueness Score: -1.00%

Function 05626489, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.351442044.0000000005620000.00000040.00000001.sdmp, Offset: 05620000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ed564d1b29bc301889b5bc6e42f2446ab54d32ced3a1f1f1a7cff110bc3ec88
Instruction ID: 48a4d2f0e29d97255424798b4d033e7a716b13b73d0c5e678dcd331cc0c09c4a
Opcode Fuzzy Hash: 3ed564d1b29bc301889b5bc6e42f2446ab54d32ced3a1f1f1a7cff110bc3ec88
Instruction Fuzzy Hash: 3021F674D0461ACFDB04CF94D581AEEBBB5FF58310F10816AD846A7350DB349A45DF91

Uniqueness

Uniqueness Score: -1.00%

Function 010B072C, Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.347107833.00000000010B0000.00000040.00000040.sdmp, Offset: 010B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da1d91836b0896e422799ac298516dd406d2028feb089e565871394a6fb5caaf
Instruction ID: 8558197e818cf62350fad5f2e070a9ba04fb468f25da1ad77fea4c27e30e2ede
Opcode Fuzzy Hash: da1d91836b0896e422799ac298516dd406d2028feb089e565871394a6fb5caaf
Instruction Fuzzy Hash: 23215B355493809FD703CB24C890B55BFB1BF46308F1985EED8885B6A3C37A9846CB52

Uniqueness

Uniqueness Score: -1.00%

Function 05626498, Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.351442044.0000000005620000.00000040.00000001.sdmp, Offset: 05620000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0fd1eb576cbc18e4b4bba1e488edb85b0abee96879aa4ce9a8d06c410b33256d
Instruction ID: d5b742d9c8fa41993a311e2f9de42e91d24af1e707049c2f82838b77975049da
Opcode Fuzzy Hash: 0fd1eb576cbc18e4b4bba1e488edb85b0abee96879aa4ce9a8d06c410b33256d
Instruction Fuzzy Hash: 1B21CE74E0461ACFCB04DF98D585AEEBBB6BF48310F10816AD846AB350DB34AA41DF90

Uniqueness

Uniqueness Score: -1.00%

Function 05626AC1, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.351442044.0000000005620000.00000040.00000001.sdmp, Offset: 05620000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a97552d2bf66341de1877144c216a81aee55bb7eb8f2565f8a0b28fad3f038e8
Instruction ID: ad21ce39159a12cd745428da90033540351d4d58f35d1fb8466f02dfd5438460
Opcode Fuzzy Hash: a97552d2bf66341de1877144c216a81aee55bb7eb8f2565f8a0b28fad3f038e8
Instruction Fuzzy Hash: 05111274C1562ACFDB24CFA1E1987EDBBB0BB05309F10916AE006A36A0CF784689CF51

Uniqueness

Uniqueness Score: -1.00%

Function 04FC0108, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.349183972.0000000004FC0000.00000040.00000001.sdmp, Offset: 04FC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd00430a656542cade59701c0777b940803f8a157dfba4afede975b307c889f7
Instruction ID: 3819545be88515ddc702082e0981012600fad8b7ffd59edf31e414a8db897d0f
Opcode Fuzzy Hash: dd00430a656542cade59701c0777b940803f8a157dfba4afede975b307c889f7
Instruction Fuzzy Hash: 52112130A0114EDFCB05EFA8D8455ADBB72FF80304F248269D94557359DF725E15CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 04FC96DB, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.349183972.0000000004FC0000.00000040.00000001.sdmp, Offset: 04FC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0b795a5bd84e7c188ed6b4332e1e6d5da1fa4f73079c3a859390e29d9ab58b9
Instruction ID: ceb6643f291ce1ad25ac3efb700d83ea26f9f9037adee10feb36f2cc07a4c4cf
Opcode Fuzzy Hash: e0b795a5bd84e7c188ed6b4332e1e6d5da1fa4f73079c3a859390e29d9ab58b9
Instruction Fuzzy Hash: 5D011BB9D00109DBCB44DFE5C5416BEBBB6FB88300F20915AD819A3350DA345A42DF91

Uniqueness

Uniqueness Score: -1.00%

Function 05627A10, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.351442044.0000000005620000.00000040.00000001.sdmp, Offset: 05620000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c962b8332cc6c1380d22b1285fd3df155586fadcded4da91fcd0f1e263f51ea
Instruction ID: bd08b17b3ca816db9bda30840edcde26016d148f2a73e7c9f82b1ed09e6caf73
Opcode Fuzzy Hash: 6c962b8332cc6c1380d22b1285fd3df155586fadcded4da91fcd0f1e263f51ea
Instruction Fuzzy Hash: AD11D279C19248DFDB00DFA4D9896ADBFB5FB09305F2490AAD81193342EB345705DF92

Uniqueness

Uniqueness Score: -1.00%

Function 04FC97E8, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.349183972.0000000004FC0000.00000040.00000001.sdmp, Offset: 04FC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80df29630acca15597502fd214c3c8643550fe5e4e7b21de41c4f2dbc0aadfc8
Instruction ID: d29390697624f5c228dcf9e927450a38d689716190903374f58e863e5239f47d
Opcode Fuzzy Hash: 80df29630acca15597502fd214c3c8643550fe5e4e7b21de41c4f2dbc0aadfc8
Instruction Fuzzy Hash: 6D01B1B0D083498FCB19CFB5C9406AEBFB5BF85300F54C5AAC44897285D775A942CF90

Uniqueness

Uniqueness Score: -1.00%

Function 010B05D0, Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.347107833.00000000010B0000.00000040.00000040.sdmp, Offset: 010B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c65760ced63a4bc6c91248a54383524f84287df8fb64251c09d41b04d080c6c9
Instruction ID: ce39296ca00d650f31b7776d8e26d965ad609cf60f17670315eb425c9af5432c
Opcode Fuzzy Hash: c65760ced63a4bc6c91248a54383524f84287df8fb64251c09d41b04d080c6c9
Instruction Fuzzy Hash: 7801DB71509780AFD712CF16DC40862FFB8DF86620709C49FED898B612D2257905CB71

Uniqueness

Uniqueness Score: -1.00%

Function 04FC1C89, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.349183972.0000000004FC0000.00000040.00000001.sdmp, Offset: 04FC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ca0447a1d6de9e0973b729c3c841137bb393aa09477ae2e0cfdc6f8343d8d5c
Instruction ID: a4cc4fd8beb605bccb5f355f76526ca9d5fd63e4a4873144992ca0d0dd3c238f
Opcode Fuzzy Hash: 8ca0447a1d6de9e0973b729c3c841137bb393aa09477ae2e0cfdc6f8343d8d5c
Instruction Fuzzy Hash: ABF0F630D4634A8FD712DB709B543AD7FF4EF06305F1049EAD844C6152E675A962CF51

Uniqueness

Uniqueness Score: -1.00%

Function 05624F18, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.351442044.0000000005620000.00000040.00000001.sdmp, Offset: 05620000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45dca0025a5c64506f96c40d64ef5eaadcc2771ddd5cb598d2e20e4740e6c13a
Instruction ID: bca93e3ac8de9a9da7241dc1f855314c7a8c31bc036fd98529aadda02f9b3bed
Opcode Fuzzy Hash: 45dca0025a5c64506f96c40d64ef5eaadcc2771ddd5cb598d2e20e4740e6c13a
Instruction Fuzzy Hash: F2111374E0421ADFDB04CFA5C9456AEFBB2FB89301F20C0AA9909A7344DB301A85DF61

Uniqueness

Uniqueness Score: -1.00%

Function 056267D1, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.351442044.0000000005620000.00000040.00000001.sdmp, Offset: 05620000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7a889e7227a00a44ea022178f17ba754b6f0e0adf0504f5cc28bb8f5bffc207
Instruction ID: 596412b7af4e83d465b49cfd367b5cc1d88db7351f2fbb2388960093ef1e4152
Opcode Fuzzy Hash: c7a889e7227a00a44ea022178f17ba754b6f0e0adf0504f5cc28bb8f5bffc207
Instruction Fuzzy Hash: 02016974C1572ACFCB14CF61E1987ADBBB1BB05309F109196E445A32A4CF784AC4CF50

Uniqueness

Uniqueness Score: -1.00%

Function 04FC451B, Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.349183972.0000000004FC0000.00000040.00000001.sdmp, Offset: 04FC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: afbf915e303e3101e965dfbc9b16f14af61cb441ede29d2ba0a282f2993508ca
Instruction ID: bf4719e480ecdad0dddad218da85b87a9806c6278f89f0854fd7a643d9535d86
Opcode Fuzzy Hash: afbf915e303e3101e965dfbc9b16f14af61cb441ede29d2ba0a282f2993508ca
Instruction Fuzzy Hash: AB11DFB494526ADFDB20CF25C988B99BBB0FB04304F0495DAD00EA7200E330AEC5DF14

Uniqueness

Uniqueness Score: -1.00%

Function 04FC03E8, Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.349183972.0000000004FC0000.00000040.00000001.sdmp, Offset: 04FC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 829734ca86dc36dfd56f03b5c27ecc38690458154ad0231c1d2b227fde12cd18
Instruction ID: 83de5fa88daa0e314513641230a49146bd16e92d6f64e257424b1db01f61515d
Opcode Fuzzy Hash: 829734ca86dc36dfd56f03b5c27ecc38690458154ad0231c1d2b227fde12cd18
Instruction Fuzzy Hash: 60F06230A463489FD709DBF0C551AEB7BB6DFC6304F2458998001A7295CA795E02EA95

Uniqueness

Uniqueness Score: -1.00%

Function 04FC0B18, Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.349183972.0000000004FC0000.00000040.00000001.sdmp, Offset: 04FC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4bd935f3d7113dd5b37102171284663051b8c44fa47ac8fb60e946c9dbddc05
Instruction ID: 14acbf785d50e9d463749ae3cc7d5883679bfc50280a75d20e9e130a17ea5fd0
Opcode Fuzzy Hash: c4bd935f3d7113dd5b37102171284663051b8c44fa47ac8fb60e946c9dbddc05
Instruction Fuzzy Hash: 2F01AD30A02249DFC705DFA4D9819ADBB71FF82318F2086ACD4099B265CB766E03DB40

Uniqueness

Uniqueness Score: -1.00%

Function 04FC2D50, Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.349183972.0000000004FC0000.00000040.00000001.sdmp, Offset: 04FC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00294a5bed8cc06c0249db19c091e21cf41cc0d46db91b5867e2b6ead75ce633
Instruction ID: ca22527d546130f54c8e141c2a5be02f403b2fd8a5c4bad5279c576353087d16
Opcode Fuzzy Hash: 00294a5bed8cc06c0249db19c091e21cf41cc0d46db91b5867e2b6ead75ce633
Instruction Fuzzy Hash: DA016970D053499FDB16DFB5C90079DBBB2EF15300F1185EAD4409B2A1D77A9982CB91

Uniqueness

Uniqueness Score: -1.00%

Function 05629533, Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.351442044.0000000005620000.00000040.00000001.sdmp, Offset: 05620000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7dd0f26272302e2c82e72c4c2692318b94487854090c942bf3f6b4f9af6d78d3
Instruction ID: bfb493ab5071e4dff39d6afafc608ce5d5b4c5f6ae3ba7acb6f9b8ba150ebc69
Opcode Fuzzy Hash: 7dd0f26272302e2c82e72c4c2692318b94487854090c942bf3f6b4f9af6d78d3
Instruction Fuzzy Hash: 4FF06270E05208EBCB44DFB9C481AADBBB6EF85300F10909E940967380CE359E40CF95

Uniqueness

Uniqueness Score: -1.00%

Function 04FC1D59, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.349183972.0000000004FC0000.00000040.00000001.sdmp, Offset: 04FC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d341bbd6d87623f1653fd01698baa034f7a5dc5366960579229620ac10dff860
Instruction ID: 8b16c0c34c5c11ecbd2700a8af8815b7e706ec27bbc351b82d7c806e55c44ab0
Opcode Fuzzy Hash: d341bbd6d87623f1653fd01698baa034f7a5dc5366960579229620ac10dff860
Instruction Fuzzy Hash: F4F0AF30805388AFD71A9BB0CA00399BFF6AF46310F1080AAD44086252D77959A2CE50

Uniqueness

Uniqueness Score: -1.00%

Function 05629538, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.351442044.0000000005620000.00000040.00000001.sdmp, Offset: 05620000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 634b568d3f089e51064a908a15237872ea07bbfb7e2791090ff53d077d064339
Instruction ID: 09ef607dcacbbb5177d63047b5e11bdae0972369a3f58e4bbdde23d963256b7e
Opcode Fuzzy Hash: 634b568d3f089e51064a908a15237872ea07bbfb7e2791090ff53d077d064339
Instruction Fuzzy Hash: EAF03070E05608EBDB54DFBAC4819ADBBB6EFC5300F1090AE940967384DE355E45CF95

Uniqueness

Uniqueness Score: -1.00%

Function 04FC2081, Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.349183972.0000000004FC0000.00000040.00000001.sdmp, Offset: 04FC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff1644fba6eb0007b2e1a736ea72791b81532b72159fa2097866f9428e02cc01
Instruction ID: 527abad1d1c32696c93b71c32e6f7c5609884f232f3f49306596a2fdb338c56c
Opcode Fuzzy Hash: ff1644fba6eb0007b2e1a736ea72791b81532b72159fa2097866f9428e02cc01
Instruction Fuzzy Hash: 66F08770D4A388DFD705EBB8C5043AEBBB1EF49300F1085EBC44497262DB79AA42CB51

Uniqueness

Uniqueness Score: -1.00%

Function 05629062, Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.351442044.0000000005620000.00000040.00000001.sdmp, Offset: 05620000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ba7577325b458bf065ab3a32ef713a0902fae55a9e99e5349e0028c481fb86d
Instruction ID: ce8687e4839d25d0b4738e88d573bc9dc4f233b0f61158404204a0bfddf11691
Opcode Fuzzy Hash: 5ba7577325b458bf065ab3a32ef713a0902fae55a9e99e5349e0028c481fb86d
Instruction Fuzzy Hash: B101C074D01629DFEB60DF64D888BDCBBB1BB69304F1094EAD50AB6250DB310E86CF41

Uniqueness

Uniqueness Score: -1.00%

Function 04FC1CE1, Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.349183972.0000000004FC0000.00000040.00000001.sdmp, Offset: 04FC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4cb5875e82846d1784fff05bf0d9c3714c932b9e51d7b324543fb4e666efe93
Instruction ID: f01f2f5a14d3b8379f8982fc5f998b93170bc08cbd2caab2f8160e4c0d4f4de3
Opcode Fuzzy Hash: c4cb5875e82846d1784fff05bf0d9c3714c932b9e51d7b324543fb4e666efe93
Instruction Fuzzy Hash: C3F0B434D0A201DFD71ADF70E645654BBF2EB4B301F2081AAC845C7215D3361916DF01

Uniqueness

Uniqueness Score: -1.00%

Function 04FC273F, Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.349183972.0000000004FC0000.00000040.00000001.sdmp, Offset: 04FC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e18fa6c5612231ff65aab1c842006f47d7d43472782dc7dea28517c93495743
Instruction ID: 6a1d16a18fbe0efeffc1f167f16ef5bf5642e363160f1250f7e1f4f0a6e48814
Opcode Fuzzy Hash: 6e18fa6c5612231ff65aab1c842006f47d7d43472782dc7dea28517c93495743
Instruction Fuzzy Hash: 90F01470D86245CFDB06DFB8C6496ADBFB0FF0A310F1185EAC40597261E7395946CB50

Uniqueness

Uniqueness Score: -1.00%

Function 04FC1CF0, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.349183972.0000000004FC0000.00000040.00000001.sdmp, Offset: 04FC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9b84e081184caaa5d37fd6d9e40d2721657d4fa8822ba7e9f2d1a03254a28c4
Instruction ID: 7228efb7505d671cf9b86108cc890d53c9539c2be839dde5aa14b59b34fe3b48
Opcode Fuzzy Hash: e9b84e081184caaa5d37fd6d9e40d2721657d4fa8822ba7e9f2d1a03254a28c4
Instruction Fuzzy Hash: 42F0BE34E05205DFEB14EF66E644B58F7F7EB88301F20D1A9C84883215E730A966DF01

Uniqueness

Uniqueness Score: -1.00%

Function 04FC0070, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.349183972.0000000004FC0000.00000040.00000001.sdmp, Offset: 04FC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9cfe5b24cd7c7d0ce3cfa03356cec7ba170be254d917523ae32e17190c1eb45e
Instruction ID: 40497f96dfe59d3fa74a34fcc8cda7aba5537a917ee40e7920cf02bef4cb254c
Opcode Fuzzy Hash: 9cfe5b24cd7c7d0ce3cfa03356cec7ba170be254d917523ae32e17190c1eb45e
Instruction Fuzzy Hash: B1F05870D8120ADBDB649BA4C9597AFBAF4AB49704F10182AC110B3280DA7569058BE5

Uniqueness

Uniqueness Score: -1.00%

Function 04FC0531, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.349183972.0000000004FC0000.00000040.00000001.sdmp, Offset: 04FC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7f743e7a0703bbc6b54d54d5a55a666b9fe7b3e8896eab205006ac942c5faad
Instruction ID: 68d8928fc82b13442bbb1451ed393d957ea5e27f7e6c1f11416cf283479de6c4
Opcode Fuzzy Hash: a7f743e7a0703bbc6b54d54d5a55a666b9fe7b3e8896eab205006ac942c5faad
Instruction Fuzzy Hash: 9E01D274904249DFCB02CBA8C14499DBFF0FF4A214F208699D84497311D775AE02DB51

Uniqueness

Uniqueness Score: -1.00%

Function 05627FA8, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.351442044.0000000005620000.00000040.00000001.sdmp, Offset: 05620000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf4a4db42929c1079f102f24779abbb9c6077c19c213c16a1e956ea154bd2311
Instruction ID: a4c334b932235e4fd19135819bce44fc944682f4bdaba92dbb9b65e612a47e71
Opcode Fuzzy Hash: bf4a4db42929c1079f102f24779abbb9c6077c19c213c16a1e956ea154bd2311
Instruction Fuzzy Hash: EAF08C74D0D618EBC710DFA4F446BADBBB5FB4A301F1082AAE80823344DB315A11DF89

Uniqueness

Uniqueness Score: -1.00%

Function 04FC0450, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.349183972.0000000004FC0000.00000040.00000001.sdmp, Offset: 04FC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e91d150029fd527be8a9d4a50796a9018854f2a70e73ef4a8848d3de0211a6e
Instruction ID: 8d2ad914f0c0f83ae8d71872a2b9139fbfc112773dff831c31e1d83decd8304b
Opcode Fuzzy Hash: 2e91d150029fd527be8a9d4a50796a9018854f2a70e73ef4a8848d3de0211a6e
Instruction Fuzzy Hash: 79F06D34C46348DFCB06DFF4C4045ADBFB0AB06304F1005EAC840A7251DB7A5A52CF95

Uniqueness

Uniqueness Score: -1.00%

Function 04FC261F, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.349183972.0000000004FC0000.00000040.00000001.sdmp, Offset: 04FC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fd29d2b338e42a2f0ea0437acc29d4dc0ed7bd38f94cd1e2807f981bafa2555
Instruction ID: 26a1421ad5d0080f92bfc9b891f78dd2acbb5124c6d7417b6e588a5df9deafd7
Opcode Fuzzy Hash: 8fd29d2b338e42a2f0ea0437acc29d4dc0ed7bd38f94cd1e2807f981bafa2555
Instruction Fuzzy Hash: 88F0F430D052459FDB05DF68D1847A9BBB0EF4A310F1584FEC404972A1E77A6952EE21

Uniqueness

Uniqueness Score: -1.00%

Function 04FC03F8, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.349183972.0000000004FC0000.00000040.00000001.sdmp, Offset: 04FC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb806b981351d6e2f0f585c176d8b31ce5c6aa7f83642cf3bd3872d8084c8ac7
Instruction ID: 5b550837a6bf2d4d9d94d40d3c03afbfcc9fabdfb26c132a2f982ca56a145c74
Opcode Fuzzy Hash: cb806b981351d6e2f0f585c176d8b31ce5c6aa7f83642cf3bd3872d8084c8ac7
Instruction Fuzzy Hash: C1F0C034A42208DBD708DBF1D590FAF73BBDFC5304F6058999405732898E756F01EA95

Uniqueness

Uniqueness Score: -1.00%

Function 05624DF7, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.351442044.0000000005620000.00000040.00000001.sdmp, Offset: 05620000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96805c897b1bcce08560e01e51d20326a9277c026bf0f81096d9753cd3b4a585
Instruction ID: 3656c224d01429819843a7d17ce6671f2f3b5d7799641718b956ff399b2f4900
Opcode Fuzzy Hash: 96805c897b1bcce08560e01e51d20326a9277c026bf0f81096d9753cd3b4a585
Instruction Fuzzy Hash: 7DF0597291C2488BDB118BB4E88A7A87FB4E701201F0481E6C8888B3C2DA309945CF62

Uniqueness

Uniqueness Score: -1.00%

Function 010B0818, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.347107833.00000000010B0000.00000040.00000040.sdmp, Offset: 010B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 525cef522958239b2deb72ab7ac90410e2832b06fb356f1b7ca8807ee3c9392c
Instruction ID: 6112411a10c4d80d5ef63311fea4483610d122c798fc8c0279b0ed78fc94ab69
Opcode Fuzzy Hash: 525cef522958239b2deb72ab7ac90410e2832b06fb356f1b7ca8807ee3c9392c
Instruction Fuzzy Hash: 96F04B35144640DFC202CB00C980B26FBA2FB89718F24C6A9E9880B652C3379813DE81

Uniqueness

Uniqueness Score: -1.00%

Function 05624DB3, Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.351442044.0000000005620000.00000040.00000001.sdmp, Offset: 05620000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88d7836a3b574f826475f5e8f546145200558e283d4285431f867f7e49b8c74a
Instruction ID: 7121cf34c08fb7fa700c7f516d38e98106c00d7b1d6d3bf717fceb8ccf6e1dc1
Opcode Fuzzy Hash: 88d7836a3b574f826475f5e8f546145200558e283d4285431f867f7e49b8c74a
Instruction Fuzzy Hash: 14F0A932944108DBEF20CB98D2017A8B3A5EB09306F0081A1E81DD7311CA368E12DF80

Uniqueness

Uniqueness Score: -1.00%

Function 04FCF5D8, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.349183972.0000000004FC0000.00000040.00000001.sdmp, Offset: 04FC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd320af6ada549a54994c2b7029e5842de0d0137908f327651d1919f347ef94d
Instruction ID: 5439ddbde039f489b5527e48b15c44a444778b5dcc413c79bd627fc7038e8709
Opcode Fuzzy Hash: fd320af6ada549a54994c2b7029e5842de0d0137908f327651d1919f347ef94d
Instruction Fuzzy Hash: 4EF03AB0D01209DFDB04DFA8C5047AEFBB6AB48310F2089A9C80497250DB75AA81DA94

Uniqueness

Uniqueness Score: -1.00%

Function 056271F7, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.351442044.0000000005620000.00000040.00000001.sdmp, Offset: 05620000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21cd6105866bdbc8652180b87bc998fefadc43c1cdd965033e66d2864bafb80d
Instruction ID: 63c4f4248b44bf6645d097e65a3612b49c6a5711d50d88a762e54e8de5307d25
Opcode Fuzzy Hash: 21cd6105866bdbc8652180b87bc998fefadc43c1cdd965033e66d2864bafb80d
Instruction Fuzzy Hash: B8E09238546708EBEB34DFA1E401FA9777AFB46315F2052EAE80913210EB369E41DF85

Uniqueness

Uniqueness Score: -1.00%

Function 04FCE718, Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.349183972.0000000004FC0000.00000040.00000001.sdmp, Offset: 04FC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7d441e9abd43e50a2ae65add641a06911e10ae4de5a37e162361259eabd31a6
Instruction ID: bf31add1870ec57dc0f9169a051e16b7876cca6e22afb4dc47e9f8e03cb82195
Opcode Fuzzy Hash: a7d441e9abd43e50a2ae65add641a06911e10ae4de5a37e162361259eabd31a6
Instruction Fuzzy Hash: BAF01C70D45249DFEB04DFA9C5447AEBBF5FF98300F1485A9D81493240DB74AA46DE40

Uniqueness

Uniqueness Score: -1.00%

Function 04FC96A8, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.349183972.0000000004FC0000.00000040.00000001.sdmp, Offset: 04FC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 540d6dcbbef1efd82be95a23d2729e47941ea7855a6ed2b45a57dd8d4b27556c
Instruction ID: 8cca48ec6e26ebee53cce71d97725dafd2692734d13a052d870be2dc7635078c
Opcode Fuzzy Hash: 540d6dcbbef1efd82be95a23d2729e47941ea7855a6ed2b45a57dd8d4b27556c
Instruction Fuzzy Hash: 7FE020B246A2854FCF118E406EC55F9BF74EA02315B1494CBD84CDE552D13195415797

Uniqueness

Uniqueness Score: -1.00%

Function 010B05F6, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.347107833.00000000010B0000.00000040.00000040.sdmp, Offset: 010B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41cc6b7ee1dc95960825e7ad778f07953328654dae11938b71a5a188f3290b8c
Instruction ID: f29efb55080516109dfee17ef930ec6f7a8e0989416b8b9fb15e4f7758cb3db1
Opcode Fuzzy Hash: 41cc6b7ee1dc95960825e7ad778f07953328654dae11938b71a5a188f3290b8c
Instruction Fuzzy Hash: F6E092B66406008BD650CF0BEC41466F7D8EB88630B18C47FDD0D8B700E135B505CEA5

Uniqueness

Uniqueness Score: -1.00%

Function 04FCE660, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.349183972.0000000004FC0000.00000040.00000001.sdmp, Offset: 04FC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8861d46c6c58cc654233cdff198fa8e7359c81060bea3392be3148b3fcee09f6
Instruction ID: 31ab5dfb310adb1e396f71d41d2d4e819f5ea41d31545e09ed98765ea7e656f8
Opcode Fuzzy Hash: 8861d46c6c58cc654233cdff198fa8e7359c81060bea3392be3148b3fcee09f6
Instruction Fuzzy Hash: 23F06D30D26208DFD714DFA9D54475DFBB5EB44301F0084A9C80493250EB75A995EF50

Uniqueness

Uniqueness Score: -1.00%

Function 04FCF3C8, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.349183972.0000000004FC0000.00000040.00000001.sdmp, Offset: 04FC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 506cb00efb1ecc108f338a9675865d529d9f3573c9a932dd4eccd089f2443c4e
Instruction ID: 27d48bd5ad6559eee91c26c5820bb0c36191a8ed52eef4dce3fb337edc0432df
Opcode Fuzzy Hash: 506cb00efb1ecc108f338a9675865d529d9f3573c9a932dd4eccd089f2443c4e
Instruction Fuzzy Hash: 21F06D30D05249EFD744DFB9D64475DFBB6EF44304F1084A9C80893280EB74A985CEA0

Uniqueness

Uniqueness Score: -1.00%

Function 0100A138, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.346986212.0000000001002000.00000040.00000001.sdmp, Offset: 01002000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 063170c459570c1811f260fee7d16488a103aa3225f193034d755e79d809a46e
Instruction ID: 96b9180f4ccf98ec1b08cf76a52e1606c926ff3e39eb021a1428f2a570962105
Opcode Fuzzy Hash: 063170c459570c1811f260fee7d16488a103aa3225f193034d755e79d809a46e
Instruction Fuzzy Hash: 85E0D8B1540300ABD2508E079C42B63FB98DB44A30F14C55BEE081B701D1B5B6048AE1

Uniqueness

Uniqueness Score: -1.00%

Function 0100A567, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.346986212.0000000001002000.00000040.00000001.sdmp, Offset: 01002000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1460ac4ed83b91993dd061097ff9336a41ebc48d5a27b258a2be010532c696a
Instruction ID: 7f6a9a496cdb552c18424048d8c6b3d77c425518428f7d17d58bbf383eeb3618
Opcode Fuzzy Hash: d1460ac4ed83b91993dd061097ff9336a41ebc48d5a27b258a2be010532c696a
Instruction Fuzzy Hash: EDE0D8B1544344ABD2508E07AC42B63FB58DB40930F14C55BEE081B701D1B5B6048AE1

Uniqueness

Uniqueness Score: -1.00%

Function 0100A8E7, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.346986212.0000000001002000.00000040.00000001.sdmp, Offset: 01002000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 051b2291dca0c347b4201a5871353773f555c5cef26aba5fddc7f10fb759090a
Instruction ID: da61212d7c3fb1f7f2f366dd8c36a6f8918d243e4a4785b40d1b8ddf20b9139c
Opcode Fuzzy Hash: 051b2291dca0c347b4201a5871353773f555c5cef26aba5fddc7f10fb759090a
Instruction Fuzzy Hash: 6DE0D8B2581300ABD2509F0B9C42F67FB58DB50A30F14C55BEE081B701D1B1B6048AE1

Uniqueness

Uniqueness Score: -1.00%

Function 0100A34F, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.346986212.0000000001002000.00000040.00000001.sdmp, Offset: 01002000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2bbb9029f5bf3b141c77a15b1fa71386497a85d57ee422bde31c02bc517f89b3
Instruction ID: 39c4bf63581c85daffd095f734c3a15c4af8f93d3f63c3ab8b73c36bae5efa14
Opcode Fuzzy Hash: 2bbb9029f5bf3b141c77a15b1fa71386497a85d57ee422bde31c02bc517f89b3
Instruction Fuzzy Hash: 23E0D8B1541300ABD2509E07DC42B63FB58DB40930F14C55BEE081B702D1B5B6048AE1

Uniqueness

Uniqueness Score: -1.00%

Function 0100AB57, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.346986212.0000000001002000.00000040.00000001.sdmp, Offset: 01002000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a6409632f6e75889917a3f53ab1ec8611cf24cbc990618bb92b6a753df02ecc
Instruction ID: 96e69e36b1af3ea1a8debe3ed34f7682732ab129c0ff6c4092c20eba278af43c
Opcode Fuzzy Hash: 8a6409632f6e75889917a3f53ab1ec8611cf24cbc990618bb92b6a753df02ecc
Instruction Fuzzy Hash: 14E0D8B2544300ABD2508E079C42B63FB58DB80A30F14C55BEE081B702D1B2B6148AE5

Uniqueness

Uniqueness Score: -1.00%

Function 0100A7BB, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.346986212.0000000001002000.00000040.00000001.sdmp, Offset: 01002000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 334e517330600ce85e04c442815568b1a350bbbeb7928aac9c081a5cae6f5f42
Instruction ID: 6ad087dbcf09463c3b5265fb0baa7690f2d3b754128af39b45f5675ed0b76f07
Opcode Fuzzy Hash: 334e517330600ce85e04c442815568b1a350bbbeb7928aac9c081a5cae6f5f42
Instruction Fuzzy Hash: 1AE0D8B2541300ABD2509F0B9C42F67FF58DB40A30F14C55BEE081B701D1B2B6048AE1

Uniqueness

Uniqueness Score: -1.00%

Function 0100A68F, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.346986212.0000000001002000.00000040.00000001.sdmp, Offset: 01002000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1782b515fdd28751b398036fdf647a425f546f9d7b1cfdce3e5f5cdfcaa54e6
Instruction ID: bf5f5dd810b2067f917e9488fba332f32ba2bff2d14540d5c36665d7b1a48bba
Opcode Fuzzy Hash: a1782b515fdd28751b398036fdf647a425f546f9d7b1cfdce3e5f5cdfcaa54e6
Instruction Fuzzy Hash: F0E0D8B2540304ABD2508F079C42F67FB58EB40A30F14C55BEE081B701D1B1B6048AF5

Uniqueness

Uniqueness Score: -1.00%

Function 056294E0, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.351442044.0000000005620000.00000040.00000001.sdmp, Offset: 05620000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12012252934532d63a9ac3ae196576b340461140605fd8b5ea926a45bfa77cf6
Instruction ID: 300ef16a2ce2d8a26087bc37b63f91ca789e16aee5bb1d8b5993f4e5ebfce0da
Opcode Fuzzy Hash: 12012252934532d63a9ac3ae196576b340461140605fd8b5ea926a45bfa77cf6
Instruction Fuzzy Hash: 7DE06D34A05208ABDB10CBA4D9417A9B7B5FB89304F20819AD81863300C7329E42DF41

Uniqueness

Uniqueness Score: -1.00%

Function 05627D30, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.351442044.0000000005620000.00000040.00000001.sdmp, Offset: 05620000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 224970a241582704f61b8c45da40d7ef5db9f65a9d95db5359af7de16eb2d9e5
Instruction ID: f11ccf44ad6e47fc92530eeb0ff7a4f48659a9422fc4847eb2a897985ed39c98
Opcode Fuzzy Hash: 224970a241582704f61b8c45da40d7ef5db9f65a9d95db5359af7de16eb2d9e5
Instruction Fuzzy Hash: 53F03275D04208EBCB00EFA8E481AACBBB4FB59300F10C1AAEC0163320E735AA45DF95

Uniqueness

Uniqueness Score: -1.00%

Function 05625D09, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.351442044.0000000005620000.00000040.00000001.sdmp, Offset: 05620000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f86eb3343f95a7715dca1ff4ecdd2e3b074fab1a0600dd0ba2823a29f336256f
Instruction ID: 696da007d5622e8ce662f73a8e46f1b7a90e4bce65bd338cf49106d98e180130
Opcode Fuzzy Hash: f86eb3343f95a7715dca1ff4ecdd2e3b074fab1a0600dd0ba2823a29f336256f
Instruction Fuzzy Hash: 7BF01574C09348EFCB11DFA4D4056A8BF75AB6A300F1084AAD8445B242D7359A54EF95

Uniqueness

Uniqueness Score: -1.00%

Function 04FC0460, Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.349183972.0000000004FC0000.00000040.00000001.sdmp, Offset: 04FC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8293a93e31d87c13c4341752fe21ce604895bd0fda2e27cdaa54b86d2940781
Instruction ID: bb54515822f7528882b8f4aa5f4f050856c47e988dceeecd9de6424a1033e88b
Opcode Fuzzy Hash: e8293a93e31d87c13c4341752fe21ce604895bd0fda2e27cdaa54b86d2940781
Instruction Fuzzy Hash: 95F03974C01208DFCB14EFF8C5486AEBBB1FB04300F1049AAC84463340DB36AA11CF81

Uniqueness

Uniqueness Score: -1.00%

Function 05629493, Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.351442044.0000000005620000.00000040.00000001.sdmp, Offset: 05620000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46f0f0adc28a9c5cc26b1793c3237195a5a483433edbb4cc9d8b9f3bf2cf6851
Instruction ID: fc62a4c882cc66e08f68771129245c451e1cc666d3ccd094f39c41092e3a2dfb
Opcode Fuzzy Hash: 46f0f0adc28a9c5cc26b1793c3237195a5a483433edbb4cc9d8b9f3bf2cf6851
Instruction Fuzzy Hash: DBF03978D04208ABCB04DFA4E4417ACBBB5FB89300F10C1AADC4553341D73A9A45EF80

Uniqueness

Uniqueness Score: -1.00%

Function 05625307, Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.351442044.0000000005620000.00000040.00000001.sdmp, Offset: 05620000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50a492fe38c74dbd78bd698fedaf91db866f37b1faef9b73881ba9a52c57c5bf
Instruction ID: 2dbf944df5716f97a5a8b1638f4535709941d49ac3d9254d96bc251160f27868
Opcode Fuzzy Hash: 50a492fe38c74dbd78bd698fedaf91db866f37b1faef9b73881ba9a52c57c5bf
Instruction Fuzzy Hash: CEF0A934C08308EFCB10DF94E4057ADBFB0BB58300F2091AAEC8546300E3358A14EF81

Uniqueness

Uniqueness Score: -1.00%

Function 05629388, Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.351442044.0000000005620000.00000040.00000001.sdmp, Offset: 05620000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1b9f72155e9bdaa393f9b98f5538c09b431e6326a69acaa47f0e063c8284aa4
Instruction ID: 90694f9377f6fe7fb5626d9593400d5575f756573f0a9bc22d84dea12a03b2b7
Opcode Fuzzy Hash: b1b9f72155e9bdaa393f9b98f5538c09b431e6326a69acaa47f0e063c8284aa4
Instruction Fuzzy Hash: 37F0A535904208EFCF05DF94D940AADBBB6FB88310F20C599EC5957351D7329A61EF91

Uniqueness

Uniqueness Score: -1.00%

Function 05624E90, Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.351442044.0000000005620000.00000040.00000001.sdmp, Offset: 05620000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1b31549c2048de72911fe703b2e8179cbe41b85d0c43156c5a2f5fd56a04ffe
Instruction ID: 6f3e518e3b6a1ccccb2094ddd65a2765d71a33b72ff8bbc6804ce41526e7371d
Opcode Fuzzy Hash: e1b31549c2048de72911fe703b2e8179cbe41b85d0c43156c5a2f5fd56a04ffe
Instruction Fuzzy Hash: 71E09234819318DFDB10DFA4E4097B8BBB5FB45306F0480ABD88C56641DA315584EF52

Uniqueness

Uniqueness Score: -1.00%

Function 04FC9637, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.349183972.0000000004FC0000.00000040.00000001.sdmp, Offset: 04FC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2038e9c474d22cd5a5f9fce363c98e0f891dee902652f1a90c0ccd333254d432
Instruction ID: 74533ff5d040d7b9c178c6f7754d9e08790b8c3f1c1b55b55434d5d7c417b9fb
Opcode Fuzzy Hash: 2038e9c474d22cd5a5f9fce363c98e0f891dee902652f1a90c0ccd333254d432
Instruction Fuzzy Hash: CEE09274D5A3C8DFC702DBB0A4596A87F74EB03704F1440DFD84597282E6711905EF52

Uniqueness

Uniqueness Score: -1.00%

Function 05627FB8, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.351442044.0000000005620000.00000040.00000001.sdmp, Offset: 05620000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ff4557bf393b8eaed5606ee76d7e08a9cc0b14404bfa39ce1d64ce97de78e3a
Instruction ID: cded735333852fbb3e98838fd34b0d34115467f27a225195c35db0792666bd5f
Opcode Fuzzy Hash: 2ff4557bf393b8eaed5606ee76d7e08a9cc0b14404bfa39ce1d64ce97de78e3a
Instruction Fuzzy Hash: 48E0DF74C08208DFC700EFA0F045AADBBB9FB4A301F2082AAD80923304CB305A01DF89

Uniqueness

Uniqueness Score: -1.00%

Function 056276C7, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.351442044.0000000005620000.00000040.00000001.sdmp, Offset: 05620000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c1e92fadac436250a3840de9c37af59ef94f7d0cf261b7fe2c53d6e66339e2c
Instruction ID: a9c38bdeab48a97c869fb9cedcda5a81de6605e65f5704a399621d2677838995
Opcode Fuzzy Hash: 8c1e92fadac436250a3840de9c37af59ef94f7d0cf261b7fe2c53d6e66339e2c
Instruction Fuzzy Hash: 27E02634844308EBE304EFB8F4427AD7F78F706300F6081AAD80523200DB340A46EF96

Uniqueness

Uniqueness Score: -1.00%

Function 05628288, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.351442044.0000000005620000.00000040.00000001.sdmp, Offset: 05620000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4358159a412686b6844406e25c3e37ffb48d50eab4bb8352b7810af40b80f3e2
Instruction ID: a5e8545e2f1a0bb27d2ad06dcbe5829a30a03180ac7dbdc016faef8ca7455314
Opcode Fuzzy Hash: 4358159a412686b6844406e25c3e37ffb48d50eab4bb8352b7810af40b80f3e2
Instruction Fuzzy Hash: 4BE07230A0B340DBC721C7A4D9053AA3B79E703302F80469A940C93392C63A0E06CF81

Uniqueness

Uniqueness Score: -1.00%

Function 05624FA3, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.351442044.0000000005620000.00000040.00000001.sdmp, Offset: 05620000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed2e6837c2cfcd41c332397a0342865ef651fb057c40455afc97a89088e46076
Instruction ID: bdbaf93c579ef9a55276c509896f235ace4d6bb3a8153dc65f7ced1b9e335d61
Opcode Fuzzy Hash: ed2e6837c2cfcd41c332397a0342865ef651fb057c40455afc97a89088e46076
Instruction Fuzzy Hash: D3E0DF36C49608CBCB20CFE4E8407AC7BB0FB86324F20A3E9C81952381CA345A41DF41

Uniqueness

Uniqueness Score: -1.00%

Function 05628FBA, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.351442044.0000000005620000.00000040.00000001.sdmp, Offset: 05620000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47212174d5b0f2837350c45eeb04393357a54809abd322605af2f63884d2990b
Instruction ID: 7f8d646cbce02fa4aa7624f8d4fc36039125a940acdd141854a000f4bd96cfb6
Opcode Fuzzy Hash: 47212174d5b0f2837350c45eeb04393357a54809abd322605af2f63884d2990b
Instruction Fuzzy Hash: B4F092B59042289FCB50DF94CD80BD9BBB5AB58305F1490DAA54CE7240C735AA86CF20

Uniqueness

Uniqueness Score: -1.00%

Function 05627EF7, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.351442044.0000000005620000.00000040.00000001.sdmp, Offset: 05620000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7d26e9e1021f9dd4a51b934b666668ef54eb91c92414fbf80218f5274ba631b
Instruction ID: 0910e58d375bb0fa77be0c226a769ff3b12ef6bfc12ac7938220676cf1fa74b2
Opcode Fuzzy Hash: b7d26e9e1021f9dd4a51b934b666668ef54eb91c92414fbf80218f5274ba631b
Instruction Fuzzy Hash: 59E0C275C19348EBCB10EFA4E9467ECBBB8FB52700F2051AAC80423340E7349A46DF61

Uniqueness

Uniqueness Score: -1.00%

Function 05626EF9, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.351442044.0000000005620000.00000040.00000001.sdmp, Offset: 05620000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e7b43e384993174f3a3e6a1585b2d4b823c19c7d6a0617e9fd4e3a900d995ae
Instruction ID: cef953dc09787c17794371d50759e3e3aaf8aaaa26badf345749f43f00deed3d
Opcode Fuzzy Hash: 4e7b43e384993174f3a3e6a1585b2d4b823c19c7d6a0617e9fd4e3a900d995ae
Instruction Fuzzy Hash: 4CE0CDB1C05208D7CF10DB64D48179DBBB5A701744F1041A5D88473341DB355740CF41

Uniqueness

Uniqueness Score: -1.00%

Function 05624ED0, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.351442044.0000000005620000.00000040.00000001.sdmp, Offset: 05620000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f3966684bcc37cec91e80eac5fe86cd8553a9aea2872965b678bcc0a1daa285
Instruction ID: 3fa29de8daf97a524cad0fc268e871977c70b3661a877e6a3e71848b0893e92a
Opcode Fuzzy Hash: 6f3966684bcc37cec91e80eac5fe86cd8553a9aea2872965b678bcc0a1daa285
Instruction Fuzzy Hash: D9E09A34C51288CFCB11CFC4E144BACBBB1FB04306F01A5AACC5A12751CB384A01DF42

Uniqueness

Uniqueness Score: -1.00%

Function 04FC0230, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.349183972.0000000004FC0000.00000040.00000001.sdmp, Offset: 04FC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 757f2e66478d53ed5abaa8ace4ccc14a7639911e55cff2499fb79379acd7d5f5
Instruction ID: fc2afbfb1a5a61afa92d0add1e4d06b2bb3e455151d6eec9bb9716ae45c20bb0
Opcode Fuzzy Hash: 757f2e66478d53ed5abaa8ace4ccc14a7639911e55cff2499fb79379acd7d5f5
Instruction Fuzzy Hash: 39E08C34D09349DFCB14EFE9E20969CBBB6EB45301F1081A9D84993344EB366E56DF81

Uniqueness

Uniqueness Score: -1.00%

Function 05626179, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.351442044.0000000005620000.00000040.00000001.sdmp, Offset: 05620000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20614ac5731462a0e5ebe57566811f05633d46ae3a1d0399b31f48fc5ead1522
Instruction ID: dc5374fac2a9e544d901d40d25318e2f3cacfe23f213ab2a921d91a0f68c12ec
Opcode Fuzzy Hash: 20614ac5731462a0e5ebe57566811f05633d46ae3a1d0399b31f48fc5ead1522
Instruction Fuzzy Hash: B7E08638856348EFDB14EFA9E4453AC7B78F745304F60416BD80457301EB302A54EF51

Uniqueness

Uniqueness Score: -1.00%

Function 05627DB0, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.351442044.0000000005620000.00000040.00000001.sdmp, Offset: 05620000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abf0e25dda9c8b60ea988cf04e8e424c74cde6344f977980b8c70e74845b563c
Instruction ID: 19facb52ac5facae89ac3be1142bf9cda5bbcd61c3a519012098ff5ec4b96b54
Opcode Fuzzy Hash: abf0e25dda9c8b60ea988cf04e8e424c74cde6344f977980b8c70e74845b563c
Instruction Fuzzy Hash: 3AE04671905618EBD705EFA4D186BACBBB4EB15300F2084AACC0497351E679AA98CF82

Uniqueness

Uniqueness Score: -1.00%

Function 05629410, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.351442044.0000000005620000.00000040.00000001.sdmp, Offset: 05620000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e367e2784a7bd18d6f068754a7787d20e6c51975cd9048e9c495f8307187458
Instruction ID: 5927ff602c78cde5dfb4f25247b1e04f071eeae15a88491fd1b25b37d1e5fbdc
Opcode Fuzzy Hash: 9e367e2784a7bd18d6f068754a7787d20e6c51975cd9048e9c495f8307187458
Instruction Fuzzy Hash: 29E02CB080A3448FC322CB30C8087A977BDAB82308FA040DD84095A283C63B8841CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 056294A0, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.351442044.0000000005620000.00000040.00000001.sdmp, Offset: 05620000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b7d122facc77beb07e898a2108b6a91195645473912fcf9edaddbd6d92364e8
Instruction ID: d080f33d38bc4592a3ff687956c690cee239a7437b08dfabc8f77dff524eea35
Opcode Fuzzy Hash: 5b7d122facc77beb07e898a2108b6a91195645473912fcf9edaddbd6d92364e8
Instruction Fuzzy Hash: 6DE01A74D04218EFCB14DF94D450AACFBB5EB89300F10C1AADC4453341C63A9A52DF91

Uniqueness

Uniqueness Score: -1.00%

Function 05624E50, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.351442044.0000000005620000.00000040.00000001.sdmp, Offset: 05620000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5798efd2ce66e1b038d35f391707828da254e5cda7bcad78131b64580322925
Instruction ID: c49e04fa421d8727c12339dcacd79540cda860a2c250df6594ea454070921fb8
Opcode Fuzzy Hash: f5798efd2ce66e1b038d35f391707828da254e5cda7bcad78131b64580322925
Instruction Fuzzy Hash: C8E08634C59208EBD740EFF4E4067AC7B75F705301F5045ABD84953201EB311A55DF55

Uniqueness

Uniqueness Score: -1.00%

Function 05627D40, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.351442044.0000000005620000.00000040.00000001.sdmp, Offset: 05620000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0e5f5f452fc2e862d7dc1740e862d7f9c518d8dd2e562f5e06a73ee1fda0bc0
Instruction ID: f4a8d29f2df026874c658b4459d6eb262a14e12df0359a91a635800f7c188dd0
Opcode Fuzzy Hash: d0e5f5f452fc2e862d7dc1740e862d7f9c518d8dd2e562f5e06a73ee1fda0bc0
Instruction Fuzzy Hash: 93E04674D04208EFCB04DFA8E044AACBBB9FB48300F10C1AAEC0463320D635AA54EF95

Uniqueness

Uniqueness Score: -1.00%

Function 05625D18, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.351442044.0000000005620000.00000040.00000001.sdmp, Offset: 05620000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a7d8866ec390b473fe624f67a81524201b1feb4b494ba4760afd4e013a9a6f2
Instruction ID: 5429b9191f7b8266c14d1cc2bacf275ada434daa5e1dc975168aeac9a76b2740
Opcode Fuzzy Hash: 8a7d8866ec390b473fe624f67a81524201b1feb4b494ba4760afd4e013a9a6f2
Instruction Fuzzy Hash: FDE046B0C0530CEBCB24DFA8D0046ADBBBAFB68300F2089AAD84527300D7369A50DF85

Uniqueness

Uniqueness Score: -1.00%

Function 05627DF1, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.351442044.0000000005620000.00000040.00000001.sdmp, Offset: 05620000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd1f41fed240fac86796b23c7998069a7e8562536cf4c0a186310aacd06f92e3
Instruction ID: ba97f4a24a39efb82124a48b6275dc0f36f07f06c73861c4da9a026360067408
Opcode Fuzzy Hash: cd1f41fed240fac86796b23c7998069a7e8562536cf4c0a186310aacd06f92e3
Instruction Fuzzy Hash: A0D05B71946114DFC714DBA4D44579AB7ACD726604F1459559404D3301E7365E10DF51

Uniqueness

Uniqueness Score: -1.00%

Function 056294F0, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.351442044.0000000005620000.00000040.00000001.sdmp, Offset: 05620000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f63fd7d1a673b8ae1a0172907fc2f1a6e7979aadde22b6ff5e9b036c1599016a
Instruction ID: 5340a66e0656473507d215ee7e88d3f22ae9f599ab79901b929b21067e54c371
Opcode Fuzzy Hash: f63fd7d1a673b8ae1a0172907fc2f1a6e7979aadde22b6ff5e9b036c1599016a
Instruction Fuzzy Hash: 0EE09A74E05208EBCB14DF98D5456ACB7B5EB89304F10C5A9D81967341D636AA42DF81

Uniqueness

Uniqueness Score: -1.00%

Function 05625318, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.351442044.0000000005620000.00000040.00000001.sdmp, Offset: 05620000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f73beff7b9f3f51172830dc88c8078d3265af58de4347545c010b41ff48be590
Instruction ID: 913270152478f9a7ff32ddce55ee21bf4d7c0dc5d6954ba45e5f185daa6f06fc
Opcode Fuzzy Hash: f73beff7b9f3f51172830dc88c8078d3265af58de4347545c010b41ff48be590
Instruction Fuzzy Hash: 1AE04674C05308EFCB24EF94E404AECBBB9BB58300F2091AAE84553300D7716A54EF91

Uniqueness

Uniqueness Score: -1.00%

Function 05627651, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.351442044.0000000005620000.00000040.00000001.sdmp, Offset: 05620000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39cd07bf1badf04650ace1768f0bde1988099b63ffd4fb5caef90378688cde15
Instruction ID: af6d4aaff9bf2783c2f31ac373148e7d47aeec131959d0046f5c8cf0618b3ffd
Opcode Fuzzy Hash: 39cd07bf1badf04650ace1768f0bde1988099b63ffd4fb5caef90378688cde15
Instruction Fuzzy Hash: 95E0C230849308EBC714EFB8E000A6DBBB9FB41304F2082AEC80417340DB369A80EF81

Uniqueness

Uniqueness Score: -1.00%

Function 05624DC0, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.351442044.0000000005620000.00000040.00000001.sdmp, Offset: 05620000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1155a03480e1cd0806b60080f03afd881cfc4ab58f50ef7db9d8f9886e6bd603
Instruction ID: 9b35fee0f88ccd22b1a427e43a1be059b1c35b97781f6e0c3a994cf2469dec68
Opcode Fuzzy Hash: 1155a03480e1cd0806b60080f03afd881cfc4ab58f50ef7db9d8f9886e6bd603
Instruction Fuzzy Hash: ABE04634D04208EFCB00DFA8D044AACBBF8FB48305F1081E9D80863301CA316A10CF81

Uniqueness

Uniqueness Score: -1.00%

Function 05624FB0, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.351442044.0000000005620000.00000040.00000001.sdmp, Offset: 05620000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9aa74369a268d1e2586309888df0b0db8b70bdaf0aaa210442d40abb7bd15d28
Instruction ID: 9b9959c48bb0d1385dbbc52f40a1896f0284e7ad6ac1dd43f82432ea5f264e86
Opcode Fuzzy Hash: 9aa74369a268d1e2586309888df0b0db8b70bdaf0aaa210442d40abb7bd15d28
Instruction Fuzzy Hash: 43E0EC74D09308EBCB14EFA4E4456ADBBB9BB84305F1082A9D80963340DA356A44DF85

Uniqueness

Uniqueness Score: -1.00%

Function 05624EE0, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.351442044.0000000005620000.00000040.00000001.sdmp, Offset: 05620000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 921e319ab46991024d97463472d9edbca31a33fe49c41d53dbaa66682503600d
Instruction ID: ac037841f94dd81932d334e9f96f4ca2064a1e265a673e58f9752b35b51f6bf7
Opcode Fuzzy Hash: 921e319ab46991024d97463472d9edbca31a33fe49c41d53dbaa66682503600d
Instruction Fuzzy Hash: 87E08C34C06208EFCB04EFA8E044AACBBB9FB44301F1081AADC0963340CB302A40DF81

Uniqueness

Uniqueness Score: -1.00%

Function 056279A8, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.351442044.0000000005620000.00000040.00000001.sdmp, Offset: 05620000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7988138bf6e6dd8d8a583d96110b55fb390577ed79ffa94a53a63054da20e6fa
Instruction ID: 77fc3cc39dfb6a987bad815165e641fc726bbc49fcfd66b1b2e2fa9210fc409b
Opcode Fuzzy Hash: 7988138bf6e6dd8d8a583d96110b55fb390577ed79ffa94a53a63054da20e6fa
Instruction Fuzzy Hash: DCE0C230845704DBDB11EFA4E00679833A8F71C305F20086AD819C3251E3354900CF50

Uniqueness

Uniqueness Score: -1.00%

Function 05627F70, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.351442044.0000000005620000.00000040.00000001.sdmp, Offset: 05620000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 562826bf4e34eb68122e56ef4ec57ad2c3381280f7e8941c015f8e62a2978038
Instruction ID: 4d9060eccdcb1c63d36eed7c1ae91b9185ee30481540eaefb7182bbaa5aba51c
Opcode Fuzzy Hash: 562826bf4e34eb68122e56ef4ec57ad2c3381280f7e8941c015f8e62a2978038
Instruction Fuzzy Hash: B3D05E3084E258DBDB26EFB0A646BAA7728FB53701F60999EC44523381D6764A02EF45

Uniqueness

Uniqueness Score: -1.00%

Function 056276D8, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.351442044.0000000005620000.00000040.00000001.sdmp, Offset: 05620000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 119a44b5c9df7b07c526df320410ecdf2a65ad6c50d228c7d85acea662511139
Instruction ID: e29a152130fec023a08c0f7eb98e6635c461870d7bae4f4d4c8c6ac043dec9a8
Opcode Fuzzy Hash: 119a44b5c9df7b07c526df320410ecdf2a65ad6c50d228c7d85acea662511139
Instruction Fuzzy Hash: ADD05B30C09318DBC714DFA8E545A6D7F79F746305F109199D80623341C7351A85DF96

Uniqueness

Uniqueness Score: -1.00%

Function 04FC00ED, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.349183972.0000000004FC0000.00000040.00000001.sdmp, Offset: 04FC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a053d119e8b04fd84b6fc2eeed77141441b8faaeb491135e186c114de1e48b8
Instruction ID: 5f4795cd004c246449d711e3378b66dc5ecc4bc3e3a97ce44ccfedcf9cf2276e
Opcode Fuzzy Hash: 5a053d119e8b04fd84b6fc2eeed77141441b8faaeb491135e186c114de1e48b8
Instruction Fuzzy Hash: 51D0E236E01109CFCB109BA8E0446ECBB70EB89229F10842BC514A2210D73554468F90

Uniqueness

Uniqueness Score: -1.00%

Function 04FC9648, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.349183972.0000000004FC0000.00000040.00000001.sdmp, Offset: 04FC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe62bece097bfad3eea2dbf34638ca0513806994f62a856a0fa87a775e7d4389
Instruction ID: cbeb05868221230a25b50c30ed845cb9d5934a7260f13c5a39abd8166450499a
Opcode Fuzzy Hash: fe62bece097bfad3eea2dbf34638ca0513806994f62a856a0fa87a775e7d4389
Instruction Fuzzy Hash: 23D01774D56208DBCB10EFA4E505BACBBB8AB05701F1041A9D80863281EA716A54EF91

Uniqueness

Uniqueness Score: -1.00%

Function 05627DC0, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.351442044.0000000005620000.00000040.00000001.sdmp, Offset: 05620000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: feeb9452042af78eda00de95176942af94d794cdda35e4e56fc5d7abc327f8b5
Instruction ID: 6a71fc41f1041a1a15f63681ec7969fbe049925cc65e6f47f053e6da0b83ab6d
Opcode Fuzzy Hash: feeb9452042af78eda00de95176942af94d794cdda35e4e56fc5d7abc327f8b5
Instruction Fuzzy Hash: 47E01735905208EFC714EFA8D144AACBBF8EB05301F1085E9D80567351E635AE48DF96

Uniqueness

Uniqueness Score: -1.00%

Function 05626188, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.351442044.0000000005620000.00000040.00000001.sdmp, Offset: 05620000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25832b45643a32bea518d3b97db545be5a65733c12e8734226c682b19bc4c1cb
Instruction ID: 409e37d7965c85f047c69be663669340a6e6394d190952df3a2acc0cac7cdb15
Opcode Fuzzy Hash: 25832b45643a32bea518d3b97db545be5a65733c12e8734226c682b19bc4c1cb
Instruction Fuzzy Hash: DAD05B34C56208DFCF14DFA9D44966CBB79AB45205F104195D80563341DB317A54DF51

Uniqueness

Uniqueness Score: -1.00%

Function 05627F08, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.351442044.0000000005620000.00000040.00000001.sdmp, Offset: 05620000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bbe1c0b0113883134c4e36d13ebb0adf9916c334e3d1e7857bda7c3fd84f687
Instruction ID: 8f56a14e3fb58ca73670864decbc104502fb791543496cb7716d0fe789080793
Opcode Fuzzy Hash: 0bbe1c0b0113883134c4e36d13ebb0adf9916c334e3d1e7857bda7c3fd84f687
Instruction Fuzzy Hash: CBD05E70C5E248DBCB10EFA8D501AADBBB8EB41301F1051A9884523340D6315A45CF92

Uniqueness

Uniqueness Score: -1.00%

Function 05626F08, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.351442044.0000000005620000.00000040.00000001.sdmp, Offset: 05620000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b50181dc0d6f77d38d47e7a2986f1ba6def587e899b4f4bb20991ca7c89c137
Instruction ID: 49dda2a3251839958ceb01ed987200fec2b7b93c5d0198c465983e34edbd8b64
Opcode Fuzzy Hash: 3b50181dc0d6f77d38d47e7a2986f1ba6def587e899b4f4bb20991ca7c89c137
Instruction Fuzzy Hash: A2D0A770C0A30CDBCF10EFA8D5416ADBFF9AB01700F1051E9C84423380DA355A40CF91

Uniqueness

Uniqueness Score: -1.00%

Function 05625BB0, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.351442044.0000000005620000.00000040.00000001.sdmp, Offset: 05620000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0c83da7c183f947cb8e7112f9a82979a7c1ea87724c88b3a7ad58c966e58e79
Instruction ID: 4a1906cf6f0a39dcab1edc27aac6289ecb3d7c2259d048f85ea2479b5d25914e
Opcode Fuzzy Hash: a0c83da7c183f947cb8e7112f9a82979a7c1ea87724c88b3a7ad58c966e58e79
Instruction Fuzzy Hash: 44D05E34C15308DFC720EFB4E4056ACBBB8AB06206F1041AAD80AA3380DB316A44DF95

Uniqueness

Uniqueness Score: -1.00%

Function 05624E60, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.351442044.0000000005620000.00000040.00000001.sdmp, Offset: 05620000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c45226cf3dc50e9a9d5a123f0663f3d58f314260fb90eda046daea332b921e1c
Instruction ID: 3942bf04ffa2c6b017bfabb11b73d4b36ffa49167ce3e8e4fad5fa9ddb1e1b14
Opcode Fuzzy Hash: c45226cf3dc50e9a9d5a123f0663f3d58f314260fb90eda046daea332b921e1c
Instruction Fuzzy Hash: E4D05B34C59208DBDB10DFA4E40566CBFB8A705211F104195D84553341DB316A44DF51

Uniqueness

Uniqueness Score: -1.00%

Function 05627611, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.351442044.0000000005620000.00000040.00000001.sdmp, Offset: 05620000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 543baa83f1de58e1949edabc6400cc0f6af04fb0ff694b336edad0246d7bda4b
Instruction ID: 2f3e21837a9747cb1930f50569dd4b1817d0e275e1b85569e8da833105df297a
Opcode Fuzzy Hash: 543baa83f1de58e1949edabc6400cc0f6af04fb0ff694b336edad0246d7bda4b
Instruction Fuzzy Hash: 44D05E6485625587DB20DBB8A749BEE7BB8FB45704F209E8BC48863202E6358981DF81

Uniqueness

Uniqueness Score: -1.00%

Function 04FC602F, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.349183972.0000000004FC0000.00000040.00000001.sdmp, Offset: 04FC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1c113b54e224c86e84b5f225957b69d82139ae9c6fc6ed866dcabb3a1dd44b2
Instruction ID: c61655d8d557578d6bccd2cd0a67188782e567241e5075c1b7242b9069fc00ed
Opcode Fuzzy Hash: a1c113b54e224c86e84b5f225957b69d82139ae9c6fc6ed866dcabb3a1dd44b2
Instruction Fuzzy Hash: 71E0E5B4A042288FDBA0CF28C84969ABBB0EF0A304F1080DD960DA3300DB305EC08F24

Uniqueness

Uniqueness Score: -1.00%

Function 05629420, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.351442044.0000000005620000.00000040.00000001.sdmp, Offset: 05620000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70909235eec5bd073ed5ca23d671ad0d33fc2798f6f26dd9bf755ae72e17ce9b
Instruction ID: 4bb0e5b2ee04b8e1fa8dc4266256f7af7f2bbfd1566b58aa8ee770b45ee72e66
Opcode Fuzzy Hash: 70909235eec5bd073ed5ca23d671ad0d33fc2798f6f26dd9bf755ae72e17ce9b
Instruction Fuzzy Hash: CAD0A730406318DBC324DB7090007A9736EAB82300FA0059C840812300C7375941CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 05627F80, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.351442044.0000000005620000.00000040.00000001.sdmp, Offset: 05620000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9132a6f217e4956031ffa62a66c2ffbcf43c776aed8e84b91f4e268453e8620
Instruction ID: 2be01f1a962f1a7aaa4395be1e1c2843d6668bb7754949bf7ab2522322311b43
Opcode Fuzzy Hash: e9132a6f217e4956031ffa62a66c2ffbcf43c776aed8e84b91f4e268453e8620
Instruction Fuzzy Hash: ADD0127084E21CDFC725EFA5E401FBE776DE712600F6099998809133C1DA765A01DF96

Uniqueness

Uniqueness Score: -1.00%

Function 05627208, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.351442044.0000000005620000.00000040.00000001.sdmp, Offset: 05620000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f4d34fb1e79e47e6a915291a7320f5c2d35bba49b5849a8af80021a9d7cb7e4
Instruction ID: 90a1aa62f47b4a24ca8a65411546961d562905f684ba7c3b12ab88e73ca66560
Opcode Fuzzy Hash: 2f4d34fb1e79e47e6a915291a7320f5c2d35bba49b5849a8af80021a9d7cb7e4
Instruction Fuzzy Hash: D6D0A93088A208EBCB20DBA1E405BAA776CE703201F0026A9E40913201CA365A00DF91

Uniqueness

Uniqueness Score: -1.00%

Function 00DF23F4, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.346819069.0000000000DF2000.00000040.00000001.sdmp, Offset: 00DF2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9ce216d95634129d6130e9f298ec934d1f04609e0409b2c7c425657ef0a6c32
Instruction ID: 00345925d2c906148d9ef5031d965b1470c31838fceb29227eb8470ba1f27eb9
Opcode Fuzzy Hash: f9ce216d95634129d6130e9f298ec934d1f04609e0409b2c7c425657ef0a6c32
Instruction Fuzzy Hash: 2ED05B752156815FD3178A1CC165B753B94AB51B04F4B84FDE8008B663C354D981D110

Uniqueness

Uniqueness Score: -1.00%

Function 056279B8, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.351442044.0000000005620000.00000040.00000001.sdmp, Offset: 05620000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21ae33ec86880d268884eccc0a54b87e5b472d33971c76d7182e3262662c1dd8
Instruction ID: 2d34e16c32699236e22b2efa9de914f5eb6f2e3adaa2c2274dd701f7c2314666
Opcode Fuzzy Hash: 21ae33ec86880d268884eccc0a54b87e5b472d33971c76d7182e3262662c1dd8
Instruction Fuzzy Hash: 77D01274C5A718DBCB11EB99E409BA977ECF70D306F105D99E80A83341DB765A00DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 05626BB5, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.351442044.0000000005620000.00000040.00000001.sdmp, Offset: 05620000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8304dcc062a9a4a13cbfbd01c10a623554004c29ec4beb798091fc0e972f23e
Instruction ID: e84c8c437de6ff96dff471d1a9720c7b6bb3ede71fabef9da58575e0be0515ca
Opcode Fuzzy Hash: e8304dcc062a9a4a13cbfbd01c10a623554004c29ec4beb798091fc0e972f23e
Instruction Fuzzy Hash: CEE07574E00768DFDB64DF24C84079ABAB1AF86304F0080EA9589A7240DF301A859F22

Uniqueness

Uniqueness Score: -1.00%

Function 05627620, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.351442044.0000000005620000.00000040.00000001.sdmp, Offset: 05620000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6f0e375649ddcf87ecb7e9855cc74e17c30833f0f0466d063894ea992c630ba
Instruction ID: e3d6af84391ec0ffd9a55993256771210c57b6f01aa4669d597af5128e7b8708
Opcode Fuzzy Hash: b6f0e375649ddcf87ecb7e9855cc74e17c30833f0f0466d063894ea992c630ba
Instruction Fuzzy Hash: 63D0127084A319DBC710EBADD404FBE77FCE706704F109995984953601D9769E80DFD1

Uniqueness

Uniqueness Score: -1.00%

Function 05627E00, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.351442044.0000000005620000.00000040.00000001.sdmp, Offset: 05620000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6b69a5a676b4626f463278ca4c24f423fd7f23260ebdde9ab9160e33df5ba25
Instruction ID: 1140fdddf461c20fa8ec81d8db8479e24d4d9eb150a5198e2694f6d82cee4cf0
Opcode Fuzzy Hash: e6b69a5a676b4626f463278ca4c24f423fd7f23260ebdde9ab9160e33df5ba25
Instruction Fuzzy Hash: 91D0223084A218DBC714EBA8E405B6EB3ECE706300F000C95880843300D6326E10DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 04FC00CD, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.349183972.0000000004FC0000.00000040.00000001.sdmp, Offset: 04FC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f2aea50a0fe951a5a8ccebc3e9486f24f8a029d9e951afc8a3ec8420d8e66a3
Instruction ID: 3bc5b20a08f76895b706e590899d35b4f47c32c74eb5c4dd8c2c1fd75326f2ad
Opcode Fuzzy Hash: 6f2aea50a0fe951a5a8ccebc3e9486f24f8a029d9e951afc8a3ec8420d8e66a3
Instruction Fuzzy Hash: 59D09236E01108CF8B109BB9E4444DCF775EB8D225B10956BC524B2214D73698158F50

Uniqueness

Uniqueness Score: -1.00%

Function 00DF23BC, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.346819069.0000000000DF2000.00000040.00000001.sdmp, Offset: 00DF2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 840eb05e7984f09085387cf4fc53d20453bc5a185d251ab4513264066d841a41
Instruction ID: fecf4fc49c7a54ceab6ff645804e9e68e3b638d08c6a8bad8cd30a03019a6b5e
Opcode Fuzzy Hash: 840eb05e7984f09085387cf4fc53d20453bc5a185d251ab4513264066d841a41
Instruction Fuzzy Hash: 22D05E742006858BC715DB0CC594F6937D4AB41B00F0A84ECAD008B662C3A9DC81C610

Uniqueness

Uniqueness Score: -1.00%

Function 04FCB587, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.349183972.0000000004FC0000.00000040.00000001.sdmp, Offset: 04FC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af06fd575cd2ca627d4b5f21854a4b8172c380e4ff75a066bd81221de3aa21cd
Instruction ID: f87d1a0eea508d0a87ebe6fa06b28986ab827cc232ac3507b1eefe084a6f3ecf
Opcode Fuzzy Hash: af06fd575cd2ca627d4b5f21854a4b8172c380e4ff75a066bd81221de3aa21cd
Instruction Fuzzy Hash: 52D06774E151298FDB21CF20D9546DDB7B4BB0D341F4094EAD44AA2204E7302E81CF15

Uniqueness

Uniqueness Score: -1.00%

Function 04FCB576, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.349183972.0000000004FC0000.00000040.00000001.sdmp, Offset: 04FC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a3f4248b1c87c7f7688b4a0efef50cb25d8ad7bedaa40d4f73cfd085555a05f
Instruction ID: aeea1e8f22c3c2906d5d0511c9afb7fe54c247182776ea0bb0f757ea867e0b14
Opcode Fuzzy Hash: 8a3f4248b1c87c7f7688b4a0efef50cb25d8ad7bedaa40d4f73cfd085555a05f
Instruction Fuzzy Hash: 12D09278E04229CFCBA1CF24D9916DCB7B0AB0A320F4044E9954EA3304EA312EC2CF10

Uniqueness

Uniqueness Score: -1.00%

Function 0562383C, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.351442044.0000000005620000.00000040.00000001.sdmp, Offset: 05620000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 792c341325d6161bab02ab68fc372153f62692d5005759dab5421746bacebfe8
Instruction ID: 3248ffa9a0bfe001b6142199485874309a8f8678be58496dd51d36181581b6c5
Opcode Fuzzy Hash: 792c341325d6161bab02ab68fc372153f62692d5005759dab5421746bacebfe8
Instruction Fuzzy Hash: 41D09278D29329CFCF26CF20C994698BBB9BB08604F0015DAA50AA3305DB305F81CE04

Uniqueness

Uniqueness Score: -1.00%

Function 05624049, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.351442044.0000000005620000.00000040.00000001.sdmp, Offset: 05620000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7dd22cf7cb6b98f9c47fc5eb7d83456901fd85f871d033512015358bbeb57551
Instruction ID: f13b293c9bf0945c709389bfd97c4c1ac4450953578d01484fd7369854ba9a77
Opcode Fuzzy Hash: 7dd22cf7cb6b98f9c47fc5eb7d83456901fd85f871d033512015358bbeb57551
Instruction Fuzzy Hash: ABD0CA38914128ABCB21CF20C980AC8BBB2AB09300F0082DA980EA3300DE702F86CF00

Uniqueness

Uniqueness Score: -1.00%

Function 056245CA, Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.351442044.0000000005620000.00000040.00000001.sdmp, Offset: 05620000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 930490d26ec02689430ec575574543e0f26799bb9ecd812d1b7b5166a53ed5b5
Instruction ID: 9845128c85ccd3ea7812f841c1fcfdae92535f7b0cc39af8cb8f7c1433418c34
Opcode Fuzzy Hash: 930490d26ec02689430ec575574543e0f26799bb9ecd812d1b7b5166a53ed5b5
Instruction Fuzzy Hash: 67C00278E15128CFCB25CF20D944A99BBB5FF4B300F0055DA948AA7200E7705E81CE41

Uniqueness

Uniqueness Score: -1.00%

Function 056245A6, Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.351442044.0000000005620000.00000040.00000001.sdmp, Offset: 05620000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1c632d22dccb95204486d2572aa4515d88572542c2ab34f5e87daf7dd55cc27
Instruction ID: 8b50e162471a3544297ccaffe87d9e8ff3061151cb96b12eacfc5d82a0e04293
Opcode Fuzzy Hash: b1c632d22dccb95204486d2572aa4515d88572542c2ab34f5e87daf7dd55cc27
Instruction Fuzzy Hash: ADC00278E14228CFCB69CF20D8456D9BB75BB1A340F4055D5A48AA2200DB301E81CE01

Uniqueness

Uniqueness Score: -1.00%

Function 05626C07, Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.351442044.0000000005620000.00000040.00000001.sdmp, Offset: 05620000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e813f302e0fdc952b2c35ed90267e1fa3579d24a93bf0d2d8f57027c7e3e099d
Instruction ID: 87795616cd6ef0bc3f54d858a9d60f8421494e6e7a335038ba7a14caabe42df3
Opcode Fuzzy Hash: e813f302e0fdc952b2c35ed90267e1fa3579d24a93bf0d2d8f57027c7e3e099d
Instruction Fuzzy Hash: 37B01270C20315CBC754DF51E0487583B32FB02319F005105B01A22070CF308988DF90

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 04FC3945, Relevance: 5.1, Strings: 4, Instructions: 142COMMON

Download Yara Rule

Strings

f]Ir, xrefs: 04FC39AD
:@Dr, xrefs: 04FC3A79
`5kr, xrefs: 04FC3B52
>_Ir, xrefs: 04FC3A96

Memory Dump Source

Source File: 00000000.00000002.349183972.0000000004FC0000.00000040.00000001.sdmp, Offset: 04FC0000, based on PE: false

Similarity

API ID:
String ID: :@Dr$>_Ir$`5kr$f]Ir
API String ID: 0-3492759196
Opcode ID: 6bcfa3f92e805043c2ac9e4c836dabdb53ae945e2cba62587ba2af68be7c6e15
Instruction ID: 34b8f1fefc68b4e961a58f67258da31b4772ad28a9046057c3b194e48f187e1d
Opcode Fuzzy Hash: 6bcfa3f92e805043c2ac9e4c836dabdb53ae945e2cba62587ba2af68be7c6e15
Instruction Fuzzy Hash: AA516B70E012098FD755EFAAD945B9DBBF2FF84304F24C12AE148A7268DF7518468B61

Uniqueness

Uniqueness Score: -1.00%

Function 04FC3958, Relevance: 5.1, Strings: 4, Instructions: 137COMMON

Download Yara Rule

Strings

f]Ir, xrefs: 04FC39AD
:@Dr, xrefs: 04FC3A79
`5kr, xrefs: 04FC3B52
>_Ir, xrefs: 04FC3A96

Memory Dump Source

Source File: 00000000.00000002.349183972.0000000004FC0000.00000040.00000001.sdmp, Offset: 04FC0000, based on PE: false

Similarity

API ID:
String ID: :@Dr$>_Ir$`5kr$f]Ir
API String ID: 0-3492759196
Opcode ID: 931757db68cd78349ab537b334957e466a36fd235de2838f64a491ccf0e07d6e
Instruction ID: fc80cf9e5d1ce33ea1ececc3866d0e459c77c68516e76fdef9df765891ba3d52
Opcode Fuzzy Hash: 931757db68cd78349ab537b334957e466a36fd235de2838f64a491ccf0e07d6e
Instruction Fuzzy Hash: CA518B70E01209CFD755EFAED944B9DBBF6FB84304F24C12AE148A7258DF7528468B61

Uniqueness

Uniqueness Score: -1.00%

Function 0562535B, Relevance: 2.9, Strings: 2, Instructions: 416COMMON

Download Yara Rule

Strings

, xrefs: 05625480
f]Ir, xrefs: 056254E3

Memory Dump Source

Source File: 00000000.00000002.351442044.0000000005620000.00000040.00000001.sdmp, Offset: 05620000, based on PE: false

Similarity

API ID:
String ID: $f]Ir
API String ID: 0-1740037169
Opcode ID: bea7f5638157578a4e59dcdda2b514424a7b0c72cdc246e8841ee30a08fc18dd
Instruction ID: 591ae4f6c59852c12f294d2051274520de11fadd5bc5cf60500fb4be8ade53a3
Opcode Fuzzy Hash: bea7f5638157578a4e59dcdda2b514424a7b0c72cdc246e8841ee30a08fc18dd
Instruction Fuzzy Hash: 91120574D10629DFDB14CFA9C885BADBBB2FF48314F148169E819AB345D7349986CF10

Uniqueness

Uniqueness Score: -1.00%

Function 04FCEB30, Relevance: 2.9, Strings: 2, Instructions: 412COMMON

Download Yara Rule

Strings

f]Ir, xrefs: 04FCECBF
, xrefs: 04FCEC62

Memory Dump Source

Source File: 00000000.00000002.349183972.0000000004FC0000.00000040.00000001.sdmp, Offset: 04FC0000, based on PE: false

Similarity

API ID:
String ID: $f]Ir
API String ID: 0-1740037169
Opcode ID: eef724b7f90d4e961e3a4ab70c66f5ab7bcaf162f00378255bcaf059a09ec651
Instruction ID: b3e7900466ad1bc4422ec364f2a382b971fe0b690014bf79757d78c9aae635e5
Opcode Fuzzy Hash: eef724b7f90d4e961e3a4ab70c66f5ab7bcaf162f00378255bcaf059a09ec651
Instruction Fuzzy Hash: CF12F3B5E0021ACFDB14CFA9C985AEDFBB2FF48304F148169E419A7245D734A986CF50

Uniqueness

Uniqueness Score: -1.00%

Function 05620070, Relevance: 1.3, Strings: 1, Instructions: 97COMMON

Download Yara Rule

Strings

;, xrefs: 05620164

Memory Dump Source

Source File: 00000000.00000002.351442044.0000000005620000.00000040.00000001.sdmp, Offset: 05620000, based on PE: false

Similarity

API ID:
String ID: ;
API String ID: 0-1661535913
Opcode ID: 23b6844e0bfcb470a66358f9ec971fa44b662974aac79d8e8197e836e48861a4
Instruction ID: d635ef0d80592193a9555946139b59f4fd8f5eac36b3fefd621d5134ffc24236
Opcode Fuzzy Hash: 23b6844e0bfcb470a66358f9ec971fa44b662974aac79d8e8197e836e48861a4
Instruction Fuzzy Hash: 2A4141B1D05A589BEB2DCF6B8D4479AFAF7BFC9200F14C1B9940CAA254DB344686CF11

Uniqueness

Uniqueness Score: -1.00%

Function 0562006B, Relevance: 1.3, Strings: 1, Instructions: 84COMMON

Download Yara Rule

Strings

;, xrefs: 05620164

Memory Dump Source

Source File: 00000000.00000002.351442044.0000000005620000.00000040.00000001.sdmp, Offset: 05620000, based on PE: false

Similarity

API ID:
String ID: ;
API String ID: 0-1661535913
Opcode ID: 414ce0ffdbb9edfea4625202f99a00b12c4f942a6a1b3da20ba93481fa2287d7
Instruction ID: 1858cfd8a13bf36cc399c205be33da16cf7909699b4f48ba4f8dda7d9cf8ef0c
Opcode Fuzzy Hash: 414ce0ffdbb9edfea4625202f99a00b12c4f942a6a1b3da20ba93481fa2287d7
Instruction Fuzzy Hash: F83136B1D05A189BEB1DCF6B8D4069EFAF7BFC8200F14C1B9981CAA218DB300642CF11

Uniqueness

Uniqueness Score: -1.00%

Function 04FC77F1, Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.349183972.0000000004FC0000.00000040.00000001.sdmp, Offset: 04FC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f2560fb0ab558c387f227f405e15c224ba81ac2b5dc846128019239f84a387b
Instruction ID: e92f12e27b664b412e9447e3717d2a68af3d4a8e8dee869b146eb2643d44a7ad
Opcode Fuzzy Hash: 9f2560fb0ab558c387f227f405e15c224ba81ac2b5dc846128019239f84a387b
Instruction Fuzzy Hash: 7AB18EB0D16628CBEBA4DF69C884B8CBBF1FF48314F5081D9D14CA7205EB309A959F58

Uniqueness

Uniqueness Score: -1.00%

Function 04FCABFE, Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.349183972.0000000004FC0000.00000040.00000001.sdmp, Offset: 04FC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 702f4373adc4fbfece955c6915037b789c48139892f4b8a5d600b77fd4da973c
Instruction ID: c1745b5e1b62af76e5cdce716b6cfced74570e0368851829c582686b41e8d6a0
Opcode Fuzzy Hash: 702f4373adc4fbfece955c6915037b789c48139892f4b8a5d600b77fd4da973c
Instruction Fuzzy Hash: DC91B1B0E04A2D8BCB69DF68DD847ADBBF5FF48345F1441E9D048E6214DB349A998F01

Uniqueness

Uniqueness Score: -1.00%

Function 04FC98D8, Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.349183972.0000000004FC0000.00000040.00000001.sdmp, Offset: 04FC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 218d8a842d8d2363eb05746ac32099636e4b3acdb3fc1d27f6b2984c1cdd32b9
Instruction ID: 4a4f393ecc81efe29462e5b08ac323e8325575f943010ce80d37fab204fd58b9
Opcode Fuzzy Hash: 218d8a842d8d2363eb05746ac32099636e4b3acdb3fc1d27f6b2984c1cdd32b9
Instruction Fuzzy Hash: C64170B1E056588BEB1DCF6B8D4079AFAF7AFC8300F14C1B9840CAA255EB345A428F11

Uniqueness

Uniqueness Score: -1.00%

Function 04FC36AC, Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.349183972.0000000004FC0000.00000040.00000001.sdmp, Offset: 04FC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de4a6a0ce3c2aa0e11b2201f8a6ba8d787dcd1d7ef766e355925dd3007a340d1
Instruction ID: dce3c7a71cb7b1d324c26e97c7592f05e18d403352bb465f062466aec010c02e
Opcode Fuzzy Hash: de4a6a0ce3c2aa0e11b2201f8a6ba8d787dcd1d7ef766e355925dd3007a340d1
Instruction Fuzzy Hash: 5401A9E24FB3424FE3A66170D6EB1C77BA1DA1B105717D846F4C68F852E179450B9221

Uniqueness

Uniqueness Score: -1.00%

Function 0562997F, Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.351442044.0000000005620000.00000040.00000001.sdmp, Offset: 05620000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97d27313c4f6ec9d06553d8f45d7784c7d6e11bff6d8ce862ae1e557148dc41d
Instruction ID: 74326a6e839304e141dc7b61ff4c9b7a5c54f5e88582c3de5f6f5bffa1899745
Opcode Fuzzy Hash: 97d27313c4f6ec9d06553d8f45d7784c7d6e11bff6d8ce862ae1e557148dc41d
Instruction Fuzzy Hash: 88113470C042698FCB10CFA5C849BFEBBF4BB4A311F14546AE445B3280D7388A80DF68

Uniqueness

Uniqueness Score: -1.00%

Function 05629990, Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.351442044.0000000005620000.00000040.00000001.sdmp, Offset: 05620000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c9cc06cdbc2b05a1099856a3056ad9a100827aab057f4af345fb62d7343d755
Instruction ID: f1e1a205f5fac4bd27bf723a5ad8d0bb4b364251a54cb3fa11577dc91dbd5d50
Opcode Fuzzy Hash: 3c9cc06cdbc2b05a1099856a3056ad9a100827aab057f4af345fb62d7343d755
Instruction Fuzzy Hash: 4C11F870D046699FCB54DFA9C848BEEBBF4BB4A311F14946AE445B3280D7788680CF68

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report invoice & packing.pdf.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Memory Dumps

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Network Port Distribution

TCP Packets

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

Description:	An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries.
Tactics:	Command and Control
Data Sources:	Network intrusion detection system, Network protocol analysis, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre