Play interactive tour

Edit tour

Analysis Report Receipt.exe

Overview

General Information

Sample Name:	Receipt.exe
Analysis ID:	320376
MD5:	bb6f9ffd7714ccbadf5d6d37efc73c1a
SHA1:	167f22c4e387dd05b4dd0bd3e172f4f805572b07
SHA256:	bd8cfbef2d3351bf256ed71484202f8351fe4705d32a23f8afa0b7e86b5aa250
Tags:	exeNanoCoreRAT
Most interesting Screenshot:

Detection

Nanocore

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected Nanocore Rat

Malicious sample detected (through community Yara rule)

Sigma detected: NanoCore

Sigma detected: Scheduled temp file as task from temp location

Yara detected AntiVM_3

Yara detected Nanocore RAT

.NET source code contains potential unpacker

Allocates memory in foreign processes

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses schtasks.exe or at.exe to add and modify task schedules

Writes to foreign memory regions

Antivirus or Machine Learning detection for unpacked file

Contains capabilities to detect virtual machines

Contains functionality to call native functions

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains long sleeps (>= 3 min)

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Installs a raw input device (often for capturing keystrokes)

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Startup

System is w10x64

Receipt.exe (PID: 6444 cmdline: 'C:\Users\user\Desktop\Receipt.exe' MD5: BB6F9FFD7714CCBADF5D6D37EFC73C1A)

schtasks.exe (PID: 6580 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\FJyjsoEc' /XML 'C:\Users\user\AppData\Local\Temp\tmp90A5.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 6588 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

RegSvcs.exe (PID: 6628 cmdline: {path} MD5: 71369277D09DA0830C8C59F9E22BB23A)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000004.00000002.503407116.0000000004587000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000004.00000002.503407116.0000000004587000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x33e5:$a: NanoCore 0x343e:$a: NanoCore 0x347b:$a: NanoCore 0x34f4:$a: NanoCore 0x16b9f:$a: NanoCore 0x16bb4:$a: NanoCore 0x16be9:$a: NanoCore 0x2f663:$a: NanoCore 0x2f678:$a: NanoCore 0x2f6ad:$a: NanoCore 0x3447:$b: ClientPlugin 0x3484:$b: ClientPlugin 0x3d82:$b: ClientPlugin 0x3d8f:$b: ClientPlugin 0x1695b:$b: ClientPlugin 0x16976:$b: ClientPlugin 0x169a6:$b: ClientPlugin 0x16bbd:$b: ClientPlugin 0x16bf2:$b: ClientPlugin 0x2f41f:$b: ClientPlugin 0x2f43a:$b: ClientPlugin
00000004.00000002.504460720.00000000057D0000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
00000004.00000002.504460720.00000000057D0000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
00000004.00000002.497486301.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000004.00000002.497486301.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000004.00000002.497486301.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000000.00000002.256996521.00000000032AA000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000000.00000002.258930784.0000000004238000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1313cd:$x1: NanoCore.ClientPluginHost 0x1d7c0d:$x1: NanoCore.ClientPluginHost 0x13140a:$x2: IClientNetworkHost 0x1d7c4a:$x2: IClientNetworkHost 0x134f3d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x1db77d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.258930784.0000000004238000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.258930784.0000000004238000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x131135:$a: NanoCore 0x131145:$a: NanoCore 0x131379:$a: NanoCore 0x13138d:$a: NanoCore 0x1313cd:$a: NanoCore 0x1d7975:$a: NanoCore 0x1d7985:$a: NanoCore 0x1d7bb9:$a: NanoCore 0x1d7bcd:$a: NanoCore 0x1d7c0d:$a: NanoCore 0x131194:$b: ClientPlugin 0x131396:$b: ClientPlugin 0x1313d6:$b: ClientPlugin 0x1d79d4:$b: ClientPlugin 0x1d7bd6:$b: ClientPlugin 0x1d7c16:$b: ClientPlugin 0x1312bb:$c: ProjectData 0x1d7afb:$c: ProjectData 0x131cc2:$d: DESCrypto 0x1d8502:$d: DESCrypto 0x13968e:$e: KeepAlive
00000004.00000002.504863829.0000000005D00000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
00000004.00000002.504863829.0000000005D00000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
00000004.00000002.504863829.0000000005D00000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: Receipt.exe PID: 6444	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x212ede:$x1: NanoCore.ClientPluginHost 0x25a456:$x1: NanoCore.ClientPluginHost 0x212f3f:$x2: IClientNetworkHost 0x25a4b7:$x2: IClientNetworkHost 0x218344:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x2262b6:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x25f8bc:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x26d82e:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: Receipt.exe PID: 6444	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: Receipt.exe PID: 6444	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: Receipt.exe PID: 6444	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2129e3:$a: NanoCore 0x2129ff:$a: NanoCore 0x212b5a:$a: NanoCore 0x212b69:$a: NanoCore 0x212e42:$a: NanoCore 0x212e6e:$a: NanoCore 0x212ede:$a: NanoCore 0x222920:$a: NanoCore 0x222932:$a: NanoCore 0x22296e:$a: NanoCore 0x259f5b:$a: NanoCore 0x259f77:$a: NanoCore 0x25a0d2:$a: NanoCore 0x25a0e1:$a: NanoCore 0x25a3ba:$a: NanoCore 0x25a3e6:$a: NanoCore 0x25a456:$a: NanoCore 0x269e98:$a: NanoCore 0x269eaa:$a: NanoCore 0x269ee6:$a: NanoCore 0x212a8a:$b: ClientPlugin
Process Memory Space: RegSvcs.exe PID: 6628	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x19a23:$x1: NanoCore.ClientPluginHost 0x1f5e2:$x1: NanoCore.ClientPluginHost 0x30440:$x1: NanoCore.ClientPluginHost 0xb1716:$x1: NanoCore.ClientPluginHost 0x1964b3:$x1: NanoCore.ClientPluginHost 0x23cb69:$x1: NanoCore.ClientPluginHost 0x2b2f93:$x1: NanoCore.ClientPluginHost 0x19a49:$x2: IClientNetworkHost 0x1f627:$x2: IClientNetworkHost 0x30485:$x2: IClientNetworkHost 0xb173c:$x2: IClientNetworkHost 0x196514:$x2: IClientNetworkHost 0x23cbae:$x2: IClientNetworkHost 0x2b2fb9:$x2: IClientNetworkHost 0x19b919:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x1a988b:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: RegSvcs.exe PID: 6628	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: RegSvcs.exe PID: 6628	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x19915:$a: NanoCore 0x199b6:$a: NanoCore 0x19a23:$a: NanoCore 0x19ae4:$a: NanoCore 0x1a9b5:$a: NanoCore 0x1aa08:$a: NanoCore 0x1aa41:$a: NanoCore 0x1aab4:$a: NanoCore 0x1f55c:$a: NanoCore 0x1f589:$a: NanoCore 0x1f5e2:$a: NanoCore 0x26df1:$a: NanoCore 0x26e04:$a: NanoCore 0x26e36:$a: NanoCore 0x303ba:$a: NanoCore 0x303e7:$a: NanoCore 0x30440:$a: NanoCore 0x37c4f:$a: NanoCore 0x37c62:$a: NanoCore 0x37c94:$a: NanoCore 0xb1608:$a: NanoCore
Click to see the 16 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
4.2.RegSvcs.exe.57d0000.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
4.2.RegSvcs.exe.57d0000.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
4.2.RegSvcs.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
4.2.RegSvcs.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
4.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
4.2.RegSvcs.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
4.2.RegSvcs.exe.5d00000.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
4.2.RegSvcs.exe.5d00000.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
4.2.RegSvcs.exe.5d00000.4.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
4.2.RegSvcs.exe.5d00000.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
4.2.RegSvcs.exe.5d00000.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
4.2.RegSvcs.exe.5d00000.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Click to see the 7 entries

Sigma Overview

System Summary:

Sigma detected: NanoCore

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, ProcessId: 6628, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Sigma detected: Scheduled temp file as task from temp location

Show sources

Source: Process started

Author: Joe Security: Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\FJyjsoEc' /XML 'C:\Users\user\AppData\Local\Temp\tmp90A5.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\FJyjsoEc' /XML 'C:\Users\user\AppData\Local\Temp\tmp90A5.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\Receipt.exe' , ParentImage: C:\Users\user\Desktop\Receipt.exe, ParentProcessId: 6444, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\FJyjsoEc' /XML 'C:\Users\user\AppData\Local\Temp\tmp90A5.tmp', ProcessId: 6580

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000004.00000002.503407116.0000000004587000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.497486301.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.258930784.0000000004238000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.504863829.0000000005D00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Receipt.exe PID: 6444, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 6628, type: MEMORY
Source: Yara match	File source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.5d00000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.5d00000.4.raw.unpack, type: UNPACKEDPE

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\FJyjsoEc.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Show sources

Source: Receipt.exe

Joe Sandbox ML: detected

Source: 4.2.RegSvcs.exe.400000.0.unpack

Avira: Label: TR/Dropper.MSIL.Gen7

Source: C:\Users\user\Desktop\Receipt.exe

Code function: 4x nop then jmp 02EDCCD0h

0_2_02EDBF77

Source: Receipt.exe, 00000000.00000002.261487262.0000000006832000.00000004.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: Receipt.exe, 00000000.00000003.236159958.000000000552E000.00000004.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Receipt.exe, 00000000.00000002.261487262.0000000006832000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: Receipt.exe, 00000000.00000003.241744334.00000000054FE000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: Receipt.exe, 00000000.00000002.261487262.0000000006832000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: Receipt.exe, 00000000.00000003.240253238.0000000005529000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers-
Source: Receipt.exe, 00000000.00000002.261487262.0000000006832000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Receipt.exe, 00000000.00000003.241301369.00000000054FC000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.html
Source: Receipt.exe, 00000000.00000002.261487262.0000000006832000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Receipt.exe, 00000000.00000003.241301369.00000000054FC000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlo
Source: Receipt.exe, 00000000.00000002.261487262.0000000006832000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: Receipt.exe, 00000000.00000003.240676562.0000000005529000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.htmlw
Source: Receipt.exe, 00000000.00000003.239390099.0000000005529000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/q
Source: Receipt.exe, 00000000.00000003.239390099.0000000005529000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/w
Source: Receipt.exe, 00000000.00000003.240184375.0000000005529000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers2
Source: Receipt.exe, 00000000.00000002.261487262.0000000006832000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: Receipt.exe, 00000000.00000002.261487262.0000000006832000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: Receipt.exe, 00000000.00000003.241402308.0000000005529000.00000004.00000001.sdmp, Receipt.exe, 00000000.00000002.261487262.0000000006832000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: Receipt.exe, 00000000.00000003.240719140.0000000005529000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersQ
Source: Receipt.exe, 00000000.00000003.241420432.0000000005529000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersX
Source: Receipt.exe, 00000000.00000003.240782075.00000000054FF000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comF
Source: Receipt.exe, 00000000.00000003.240782075.00000000054FF000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comFM
Source: Receipt.exe, 00000000.00000003.240782075.00000000054FF000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comai
Source: Receipt.exe, 00000000.00000003.241744334.00000000054FE000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comalic
Source: Receipt.exe, 00000000.00000003.241744334.00000000054FE000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comalsd
Source: Receipt.exe, 00000000.00000003.240782075.00000000054FF000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comcomd
Source: Receipt.exe, 00000000.00000003.240782075.00000000054FF000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comd
Source: Receipt.exe, 00000000.00000003.241301369.00000000054FC000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comessedT
Source: Receipt.exe, 00000000.00000003.241558097.00000000054FF000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comessedp
Source: Receipt.exe, 00000000.00000003.240782075.00000000054FF000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comgrita
Source: Receipt.exe, 00000000.00000003.255007346.00000000054FA000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comionM
Source: Receipt.exe, 00000000.00000003.241744334.00000000054FE000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comituF
Source: Receipt.exe, 00000000.00000003.240782075.00000000054FF000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.commmt
Source: Receipt.exe, 00000000.00000003.255007346.00000000054FA000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.como
Source: Receipt.exe, 00000000.00000002.261487262.0000000006832000.00000004.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: Receipt.exe, 00000000.00000002.261487262.0000000006832000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: Receipt.exe, 00000000.00000003.235863625.0000000005529000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/Ex
Source: Receipt.exe, 00000000.00000002.261487262.0000000006832000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Receipt.exe, 00000000.00000002.261487262.0000000006832000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Receipt.exe, 00000000.00000003.235663476.0000000005529000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn:
Source: Receipt.exe, 00000000.00000003.244241263.0000000005529000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/
Source: Receipt.exe, 00000000.00000002.261487262.0000000006832000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Receipt.exe, 00000000.00000003.244662704.0000000005529000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/s
Source: Receipt.exe, 00000000.00000003.244592597.0000000005529000.00000004.00000001.sdmp, Receipt.exe, 00000000.00000002.261487262.0000000006832000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Receipt.exe, 00000000.00000003.244468863.0000000005507000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm&
Source: Receipt.exe, 00000000.00000002.261487262.0000000006832000.00000004.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: Receipt.exe, 00000000.00000003.237318949.00000000054FC000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Receipt.exe, 00000000.00000003.237048281.00000000054FD000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/?
Source: Receipt.exe, 00000000.00000003.237048281.00000000054FD000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/F
Source: Receipt.exe, 00000000.00000003.237213962.00000000054F3000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/T
Source: Receipt.exe, 00000000.00000003.237048281.00000000054FD000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0
Source: Receipt.exe, 00000000.00000003.237318949.00000000054FC000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0/
Source: Receipt.exe, 00000000.00000003.237048281.00000000054FD000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/a
Source: Receipt.exe, 00000000.00000003.237318949.00000000054FC000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/b
Source: Receipt.exe, 00000000.00000003.237213962.00000000054F3000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/i
Source: Receipt.exe, 00000000.00000003.237213962.00000000054F3000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: Receipt.exe, 00000000.00000003.237213962.00000000054F3000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/F
Source: Receipt.exe, 00000000.00000003.237318949.00000000054FC000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/i
Source: Receipt.exe, 00000000.00000003.237318949.00000000054FC000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/p
Source: Receipt.exe, 00000000.00000003.237048281.00000000054FD000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/l-g
Source: Receipt.exe, 00000000.00000003.237048281.00000000054FD000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/ms
Source: Receipt.exe, 00000000.00000003.237213962.00000000054F3000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/p
Source: Receipt.exe, 00000000.00000003.237048281.00000000054FD000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/tion
Source: Receipt.exe, 00000000.00000002.261487262.0000000006832000.00000004.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: Receipt.exe, 00000000.00000002.261487262.0000000006832000.00000004.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: Receipt.exe, 00000000.00000002.261487262.0000000006832000.00000004.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: Receipt.exe, 00000000.00000002.261487262.0000000006832000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: Receipt.exe, 00000000.00000003.235912791.0000000005529000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiro.comatio
Source: Receipt.exe, 00000000.00000002.261487262.0000000006832000.00000004.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: Receipt.exe, 00000000.00000003.241744334.00000000054FE000.00000004.00000001.sdmp	String found in binary or memory: http://www.urwpp.de
Source: Receipt.exe, 00000000.00000002.261487262.0000000006832000.00000004.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: Receipt.exe, 00000000.00000003.241744334.00000000054FE000.00000004.00000001.sdmp	String found in binary or memory: http://www.urwpp.deFT
Source: Receipt.exe, 00000000.00000003.241744334.00000000054FE000.00000004.00000001.sdmp	String found in binary or memory: http://www.urwpp.dev
Source: Receipt.exe, 00000000.00000002.261487262.0000000006832000.00000004.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn

Source: Receipt.exe, 00000000.00000002.255762822.0000000001340000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: RegSvcs.exe, 00000004.00000002.503407116.0000000004587000.00000004.00000001.sdmp

Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000004.00000002.503407116.0000000004587000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.497486301.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.258930784.0000000004238000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.504863829.0000000005D00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Receipt.exe PID: 6444, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 6628, type: MEMORY
Source: Yara match	File source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.5d00000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.5d00000.4.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000004.00000002.503407116.0000000004587000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000002.504460720.00000000057D0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000004.00000002.497486301.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000004.00000002.497486301.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.258930784.0000000004238000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.258930784.0000000004238000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000002.504863829.0000000005D00000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: Receipt.exe PID: 6444, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: Receipt.exe PID: 6444, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: RegSvcs.exe PID: 6628, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: RegSvcs.exe PID: 6628, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.RegSvcs.exe.57d0000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.RegSvcs.exe.5d00000.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.RegSvcs.exe.5d00000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth

Source: C:\Users\user\Desktop\Receipt.exe	Code function: 0_2_057D1A7A NtQuerySystemInformation,	0_2_057D1A7A
Source: C:\Users\user\Desktop\Receipt.exe	Code function: 0_2_057D1A49 NtQuerySystemInformation,	0_2_057D1A49
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 4_2_031E116A NtQuerySystemInformation,	4_2_031E116A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 4_2_031E112F NtQuerySystemInformation,	4_2_031E112F

Source: C:\Users\user\Desktop\Receipt.exe	Code function: 0_2_02ED2037	0_2_02ED2037
Source: C:\Users\user\Desktop\Receipt.exe	Code function: 0_2_02ED33CC	0_2_02ED33CC
Source: C:\Users\user\Desktop\Receipt.exe	Code function: 0_2_02EDBF77	0_2_02EDBF77
Source: C:\Users\user\Desktop\Receipt.exe	Code function: 0_2_02EDA959	0_2_02EDA959
Source: C:\Users\user\Desktop\Receipt.exe	Code function: 0_2_02EDADC0	0_2_02EDADC0
Source: C:\Users\user\Desktop\Receipt.exe	Code function: 0_2_02EDA96D	0_2_02EDA96D
Source: C:\Users\user\Desktop\Receipt.exe	Code function: 0_2_02ED010D	0_2_02ED010D
Source: C:\Users\user\Desktop\Receipt.exe	Code function: 0_2_02ED0110	0_2_02ED0110
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 4_2_031723A0	4_2_031723A0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 4_2_03172FA8	4_2_03172FA8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 4_2_0317AD38	4_2_0317AD38
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 4_2_03178468	4_2_03178468
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 4_2_03179068	4_2_03179068
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 4_2_03179910	4_2_03179910
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 4_2_0317912F	4_2_0317912F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 4_2_0317306F	4_2_0317306F

Source: Receipt.exe	Binary or memory string: OriginalFilename vs Receipt.exe
Source: Receipt.exe, 00000000.00000002.262760402.0000000006DE0000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameB2B.exe4 vs Receipt.exe
Source: Receipt.exe, 00000000.00000002.258930784.0000000004238000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameI5.exeF vs Receipt.exe
Source: Receipt.exe, 00000000.00000002.255762822.0000000001340000.00000004.00000020.sdmp	Binary or memory string: OriginalFilenamemscorwks.dllT vs Receipt.exe
Source: Receipt.exe, 00000000.00000002.261817510.0000000006C10000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs Receipt.exe
Source: Receipt.exe, 00000000.00000002.263979443.00000000087F0000.00000002.00000001.sdmp	Binary or memory string: System.OriginalFileName vs Receipt.exe
Source: Receipt.exe, 00000000.00000002.264217230.00000000088F0000.00000002.00000001.sdmp	Binary or memory string: originalfilename vs Receipt.exe
Source: Receipt.exe, 00000000.00000002.264217230.00000000088F0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs Receipt.exe
Source: Receipt.exe, 00000000.00000002.260595337.00000000057E0000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameMARCUS.dll4 vs Receipt.exe
Source: Receipt.exe	Binary or memory string: OriginalFilenameI5.exeF vs Receipt.exe

Source: 00000004.00000002.503407116.0000000004587000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000004.00000002.504460720.00000000057D0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000004.00000002.504460720.00000000057D0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000004.00000002.497486301.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000004.00000002.497486301.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.258930784.0000000004238000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.258930784.0000000004238000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000004.00000002.504863829.0000000005D00000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000004.00000002.504863829.0000000005D00000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: Process Memory Space: Receipt.exe PID: 6444, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: Receipt.exe PID: 6444, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: RegSvcs.exe PID: 6628, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: RegSvcs.exe PID: 6628, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.2.RegSvcs.exe.57d0000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.RegSvcs.exe.57d0000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.2.RegSvcs.exe.5d00000.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.RegSvcs.exe.5d00000.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.RegSvcs.exe.5d00000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.RegSvcs.exe.5d00000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/

Source: Receipt.exe	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: FJyjsoEc.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: 4.2.RegSvcs.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 4.2.RegSvcs.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 4.2.RegSvcs.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: classification engine

Classification label: mal100.troj.evad.winEXE@6/4@0/1

Source: C:\Users\user\Desktop\Receipt.exe	Code function: 0_2_057D18FE AdjustTokenPrivileges,	0_2_057D18FE
Source: C:\Users\user\Desktop\Receipt.exe	Code function: 0_2_057D18C7 AdjustTokenPrivileges,	0_2_057D18C7
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 4_2_031E0F2A AdjustTokenPrivileges,	4_2_031E0F2A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 4_2_031E0EF3 AdjustTokenPrivileges,	4_2_031E0EF3

Source: C:\Users\user\Desktop\Receipt.exe

File created: C:\Users\user\AppData\Roaming\FJyjsoEc.exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6588:120:WilError_01
Source: C:\Users\user\Desktop\Receipt.exe	Mutant created: \Sessions\1\BaseNamedObjects\eoKRhcehSnEh
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{4da8ce56-eacf-4373-8fb7-f39e5894de0d}
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking

Source: C:\Users\user\Desktop\Receipt.exe

File created: C:\Users\user\AppData\Local\Temp\tmp90A5.tmp

Jump to behavior

Source: Receipt.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Receipt.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior

Source: C:\Users\user\Desktop\Receipt.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Receipt.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\Receipt.exe

File read: C:\Users\user\Desktop\Receipt.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Receipt.exe 'C:\Users\user\Desktop\Receipt.exe'
Source: unknown	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\FJyjsoEc' /XML 'C:\Users\user\AppData\Local\Temp\tmp90A5.tmp'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe {path}
Source: C:\Users\user\Desktop\Receipt.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\FJyjsoEc' /XML 'C:\Users\user\AppData\Local\Temp\tmp90A5.tmp'	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe {path}	Jump to behavior

Source: C:\Users\user\Desktop\Receipt.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\Receipt.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Jump to behavior

Source: Receipt.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: C:\Users\user\Desktop\Receipt.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Jump to behavior

Source: Receipt.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: C:\Windows\dll\System.pdbER source: RegSvcs.exe, 00000004.00000002.499749870.00000000031F5000.00000004.00000040.sdmp
Source:	Binary string: indows\System.pdbpdbtem.pdbca source: RegSvcs.exe, 00000004.00000002.499749870.00000000031F5000.00000004.00000040.sdmp
Source:	Binary string: .pdby source: RegSvcs.exe, 00000004.00000002.505087785.00000000061DC000.00000004.00000001.sdmp
Source:	Binary string: C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdb\al source: RegSvcs.exe, 00000004.00000002.499749870.00000000031F5000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\System.pdb\U source: RegSvcs.exe, 00000004.00000002.499749870.00000000031F5000.00000004.00000040.sdmp
Source:	Binary string: oC:\Windows\System.pdb source: RegSvcs.exe, 00000004.00000002.505087785.00000000061DC000.00000004.00000001.sdmp
Source:	Binary string: System.pdb\ source: RegSvcs.exe, 00000004.00000002.499749870.00000000031F5000.00000004.00000040.sdmp
Source:	Binary string: mscorrc.pdb source: Receipt.exe, 00000000.00000002.261817510.0000000006C10000.00000002.00000001.sdmp, RegSvcs.exe, 00000004.00000002.504349348.0000000005760000.00000002.00000001.sdmp
Source:	Binary string: C:\Windows\symbols\dll\System.pdbOA source: RegSvcs.exe, 00000004.00000002.499749870.00000000031F5000.00000004.00000040.sdmp

Data Obfuscation:

.NET source code contains potential unpacker

Show sources

Source: 4.2.RegSvcs.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.2.RegSvcs.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: C:\Users\user\Desktop\Receipt.exe	Code function: 0_2_01122894 push cs; ret	0_2_011229AA
Source: C:\Users\user\Desktop\Receipt.exe	Code function: 0_2_01122D65 push es; ret	0_2_01122D66
Source: C:\Users\user\Desktop\Receipt.exe	Code function: 0_2_02EDCE31 pushad ; iretd	0_2_02EDCE34

Source: initial sample	Static PE information: section name: .text entropy: 7.75501817542
Source: initial sample	Static PE information: section name: .text entropy: 7.75501817542

Source: 4.2.RegSvcs.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 4.2.RegSvcs.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'

Source: C:\Users\user\Desktop\Receipt.exe

File created: C:\Users\user\AppData\Roaming\FJyjsoEc.exe

Jump to dropped file

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules

Show sources

Source: unknown

Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\FJyjsoEc' /XML 'C:\Users\user\AppData\Local\Temp\tmp90A5.tmp'

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Users\user\Desktop\Receipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM_3

Show sources

Source: Yara match	File source: 00000000.00000002.256996521.00000000032AA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Receipt.exe PID: 6444, type: MEMORY

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: Receipt.exe, 00000000.00000002.258628985.00000000035B4000.00000004.00000001.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: Receipt.exe, 00000000.00000002.258628985.00000000035B4000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL
Source: Receipt.exe, 00000000.00000002.258628985.00000000035B4000.00000004.00000001.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAMEX1(R)O
Source: Receipt.exe, 00000000.00000002.258628985.00000000035B4000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLLX1(RTH

Source: C:\Users\user\Desktop\Receipt.exe

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Jump to behavior

Source: C:\Users\user\Desktop\Receipt.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Window / User API: threadDelayed 710	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Window / User API: threadDelayed 565	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Window / User API: foregroundWindowGot 824	Jump to behavior

Source: C:\Users\user\Desktop\Receipt.exe TID: 6448	Thread sleep time: -41500s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe TID: 6464	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

Code function: 4_2_031E0BB6 GetSystemInfo,

4_2_031E0BB6

Source: Receipt.exe, 00000000.00000002.258628985.00000000035B4000.00000004.00000001.sdmp	Binary or memory string: vmwareX1(rEn
Source: Receipt.exe, 00000000.00000002.258628985.00000000035B4000.00000004.00000001.sdmp	Binary or memory string: VMware
Source: Receipt.exe, 00000000.00000002.258628985.00000000035B4000.00000004.00000001.sdmp	Binary or memory string: VMware\|9(r
Source: Receipt.exe, 00000000.00000002.258628985.00000000035B4000.00000004.00000001.sdmp	Binary or memory string: QEMUX1(r$o
Source: Receipt.exe, 00000000.00000002.258628985.00000000035B4000.00000004.00000001.sdmp	Binary or memory string: (r#"SOFTWARE\VMware, Inc.\VMware ToolsX1(r
Source: Receipt.exe, 00000000.00000002.258628985.00000000035B4000.00000004.00000001.sdmp	Binary or memory string: VMWAREX1(r7i
Source: RegSvcs.exe, 00000004.00000002.505280845.0000000006330000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: Receipt.exe, 00000000.00000002.258628985.00000000035B4000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA IIX1(r
Source: Receipt.exe, 00000000.00000002.258628985.00000000035B4000.00000004.00000001.sdmp	Binary or memory string: VMWARE
Source: Receipt.exe, 00000000.00000002.258628985.00000000035B4000.00000004.00000001.sdmp	Binary or memory string: VMWARE\|9(r
Source: Receipt.exe, 00000000.00000002.258628985.00000000035B4000.00000004.00000001.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: RegSvcs.exe, 00000004.00000002.505280845.0000000006330000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: RegSvcs.exe, 00000004.00000002.505280845.0000000006330000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: Receipt.exe, 00000000.00000002.258628985.00000000035B4000.00000004.00000001.sdmp	Binary or memory string: VMware
Source: Receipt.exe, 00000000.00000002.258628985.00000000035B4000.00000004.00000001.sdmp	Binary or memory string: VMware \|9(r
Source: Receipt.exe, 00000000.00000002.258628985.00000000035B4000.00000004.00000001.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: Receipt.exe, 00000000.00000002.258628985.00000000035B4000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: Receipt.exe, 00000000.00000002.258628985.00000000035B4000.00000004.00000001.sdmp	Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: Receipt.exe, 00000000.00000002.258628985.00000000035B4000.00000004.00000001.sdmp	Binary or memory string: (r&%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\X1(rRo
Source: RegSvcs.exe, 00000004.00000002.505280845.0000000006330000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Users\user\Desktop\Receipt.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Receipt.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\Receipt.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Allocates memory in foreign processes

Show sources

Source: C:\Users\user\Desktop\Receipt.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 400000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\Desktop\Receipt.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 400000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Show sources

Source: C:\Users\user\Desktop\Receipt.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 402000	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 420000	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 422000	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: F38008	Jump to behavior

Source: C:\Users\user\Desktop\Receipt.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\FJyjsoEc' /XML 'C:\Users\user\AppData\Local\Temp\tmp90A5.tmp'			Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe {path}			Jump to behavior

Source: RegSvcs.exe, 00000004.00000002.503267436.00000000037CE000.00000004.00000001.sdmp	Binary or memory string: Program Manager
Source: RegSvcs.exe, 00000004.00000002.499346397.0000000001AF0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: RegSvcs.exe, 00000004.00000002.499346397.0000000001AF0000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: RegSvcs.exe, 00000004.00000002.499346397.0000000001AF0000.00000002.00000001.sdmp	Binary or memory string: SProgram Managerl
Source: RegSvcs.exe, 00000004.00000002.501317775.00000000035CF000.00000004.00000001.sdmp	Binary or memory string: Program Managerp
Source: RegSvcs.exe, 00000004.00000002.498952299.0000000001493000.00000004.00000020.sdmp	Binary or memory string: Program Managerknown.
Source: RegSvcs.exe, 00000004.00000002.499346397.0000000001AF0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd,
Source: RegSvcs.exe, 00000004.00000002.499346397.0000000001AF0000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Receipt.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000004.00000002.503407116.0000000004587000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.497486301.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.258930784.0000000004238000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.504863829.0000000005D00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Receipt.exe PID: 6444, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 6628, type: MEMORY
Source: Yara match	File source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.5d00000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.5d00000.4.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Detected Nanocore Rat

Show sources

Source: Receipt.exe, 00000000.00000002.258930784.0000000004238000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: RegSvcs.exe, 00000004.00000002.503407116.0000000004587000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: RegSvcs.exe, 00000004.00000002.503407116.0000000004587000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000004.00000002.503407116.0000000004587000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.497486301.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.258930784.0000000004238000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.504863829.0000000005D00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Receipt.exe PID: 6444, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 6628, type: MEMORY
Source: Yara match	File source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.5d00000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.5d00000.4.raw.unpack, type: UNPACKEDPE

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 4_2_031E2732 bind,		4_2_031E2732
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 4_2_031E270F bind,		4_2_031E270F

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Scheduled Task/Job1	Scheduled Task/Job1	Access Token Manipulation1	Masquerading1	Input Capture21	Security Software Discovery111	Remote Services	Input Capture21	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Process Injection312	Virtualization/Sandbox Evasion3	LSASS Memory	Virtualization/Sandbox Evasion3	Remote Desktop Protocol	Archive Collected Data11	Exfiltration Over Bluetooth	Remote Access Software1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Scheduled Task/Job1	Disable or Modify Tools1	Security Account Manager	Process Discovery2	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Access Token Manipulation1	NTDS	Application Window Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Process Injection312	LSA Secrets	File and Directory Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Deobfuscate/Decode Files or Information1	Cached Domain Credentials	System Information Discovery13	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Hidden Files and Directories1	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Obfuscated Files or Information3	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Software Packing13	/etc/passwd and /etc/shadow	System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Receipt.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\FJyjsoEc.exe	100%	Joe Sandbox ML

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
4.2.RegSvcs.exe.400000.0.unpack	100%	Avira	TR/Dropper.MSIL.Gen7		Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://www.tiro.comatio	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/jp/F	0%	Avira URL Cloud	safe
http://www.fontbureau.comionM	0%	Avira URL Cloud	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.founder.com.cn/cn:	0%	Avira URL Cloud	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.fontbureau.comessedp	0%	Avira URL Cloud	safe
http://www.fontbureau.commmt	0%	Avira URL Cloud	safe
http://www.fontbureau.comFM	0%	Avira URL Cloud	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.fontbureau.comgrita	0%	URL Reputation	safe
http://www.fontbureau.comgrita	0%	URL Reputation	safe
http://www.fontbureau.comgrita	0%	URL Reputation	safe
http://www.founder.com.cn/cn/Ex	0%	Avira URL Cloud	safe
http://www.galapagosdesign.com/s	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/jp/i	0%	Avira URL Cloud	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/Y0	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/Y0	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/Y0	0%	URL Reputation	safe
http://www.urwpp.deFT	0%	Avira URL Cloud	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.de	0%	URL Reputation	safe
http://www.urwpp.de	0%	URL Reputation	safe
http://www.urwpp.de	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.fontbureau.comai	0%	Avira URL Cloud	safe
http://www.fontbureau.comessedT	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/l-g	0%	Avira URL Cloud	safe
http://www.fontbureau.comalsd	0%	Avira URL Cloud	safe
http://www.galapagosdesign.com/	0%	URL Reputation	safe
http://www.galapagosdesign.com/	0%	URL Reputation	safe
http://www.galapagosdesign.com/	0%	URL Reputation	safe
http://www.fontbureau.comF	0%	URL Reputation	safe
http://www.fontbureau.comF	0%	URL Reputation	safe
http://www.fontbureau.comF	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/T	0%	Avira URL Cloud	safe
http://www.fontbureau.comcomd	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/jp/p	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/F	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/F	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/F	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/jp/	0%	URL Reputation	safe
http://www.fontbureau.comd	0%	URL Reputation	safe
http://www.fontbureau.comd	0%	URL Reputation	safe
http://www.fontbureau.comd	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/?	0%	Avira URL Cloud	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.fontbureau.comituF	0%	Avira URL Cloud	safe
http://www.urwpp.dev	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/ms	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/Y0/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/Y0/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/Y0/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/p	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/p	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/p	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm&	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.fontbureau.com/designersG	Receipt.exe, 00000000.00000003.241402308.0000000005529000.00000004.00000001.sdmp, Receipt.exe, 00000000.00000002.261487262.0000000006832000.00000004.00000001.sdmp	false		high
http://www.fontbureau.com/designers/?	Receipt.exe, 00000000.00000002.261487262.0000000006832000.00000004.00000001.sdmp	false		high
http://www.tiro.comatio	Receipt.exe, 00000000.00000003.235912791.0000000005529000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.founder.com.cn/cn/bThe	Receipt.exe, 00000000.00000002.261487262.0000000006832000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/jp/F	Receipt.exe, 00000000.00000003.237213962.00000000054F3000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.comionM	Receipt.exe, 00000000.00000003.255007346.00000000054FA000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers?	Receipt.exe, 00000000.00000002.261487262.0000000006832000.00000004.00000001.sdmp	false		high
http://www.fontbureau.com/designersX	Receipt.exe, 00000000.00000003.241420432.0000000005529000.00000004.00000001.sdmp	false		high
http://www.tiro.com	Receipt.exe, 00000000.00000002.261487262.0000000006832000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers	Receipt.exe, 00000000.00000002.261487262.0000000006832000.00000004.00000001.sdmp	false		high
http://www.founder.com.cn/cn:	Receipt.exe, 00000000.00000003.235663476.0000000005529000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.goodfont.co.kr	Receipt.exe, 00000000.00000002.261487262.0000000006832000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designersQ	Receipt.exe, 00000000.00000003.240719140.0000000005529000.00000004.00000001.sdmp	false		high
http://www.fontbureau.comessedp	Receipt.exe, 00000000.00000003.241558097.00000000054FF000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.commmt	Receipt.exe, 00000000.00000003.240782075.00000000054FF000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.comFM	Receipt.exe, 00000000.00000003.240782075.00000000054FF000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.sajatypeworks.com	Receipt.exe, 00000000.00000002.261487262.0000000006832000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.typography.netD	Receipt.exe, 00000000.00000002.261487262.0000000006832000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cn/cThe	Receipt.exe, 00000000.00000002.261487262.0000000006832000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	Receipt.exe, 00000000.00000003.244592597.0000000005529000.00000004.00000001.sdmp, Receipt.exe, 00000000.00000002.261487262.0000000006832000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://fontfabrik.com	Receipt.exe, 00000000.00000002.261487262.0000000006832000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.comgrita	Receipt.exe, 00000000.00000003.240782075.00000000054FF000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cn/Ex	Receipt.exe, 00000000.00000003.235863625.0000000005529000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.galapagosdesign.com/s	Receipt.exe, 00000000.00000003.244662704.0000000005529000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/jp/i	Receipt.exe, 00000000.00000003.237318949.00000000054FC000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.galapagosdesign.com/DPlease	Receipt.exe, 00000000.00000002.261487262.0000000006832000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/Y0	Receipt.exe, 00000000.00000003.237048281.00000000054FD000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.urwpp.deFT	Receipt.exe, 00000000.00000003.241744334.00000000054FE000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fonts.com	Receipt.exe, 00000000.00000002.261487262.0000000006832000.00000004.00000001.sdmp	false		high
http://www.sandoll.co.kr	Receipt.exe, 00000000.00000002.261487262.0000000006832000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.urwpp.deDPlease	Receipt.exe, 00000000.00000002.261487262.0000000006832000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.urwpp.de	Receipt.exe, 00000000.00000003.241744334.00000000054FE000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	Receipt.exe, 00000000.00000002.261487262.0000000006832000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.sakkal.com	Receipt.exe, 00000000.00000002.261487262.0000000006832000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.comai	Receipt.exe, 00000000.00000003.240782075.00000000054FF000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.comessedT	Receipt.exe, 00000000.00000003.241301369.00000000054FC000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/l-g	Receipt.exe, 00000000.00000003.237048281.00000000054FD000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.comalsd	Receipt.exe, 00000000.00000003.241744334.00000000054FE000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0	Receipt.exe, 00000000.00000003.236159958.000000000552E000.00000004.00000001.sdmp	false		high
http://www.fontbureau.com	Receipt.exe, 00000000.00000003.241744334.00000000054FE000.00000004.00000001.sdmp	false		high
http://www.galapagosdesign.com/	Receipt.exe, 00000000.00000003.244241263.0000000005529000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.comF	Receipt.exe, 00000000.00000003.240782075.00000000054FF000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlo	Receipt.exe, 00000000.00000003.241301369.00000000054FC000.00000004.00000001.sdmp	false		high
http://www.jiyu-kobo.co.jp/T	Receipt.exe, 00000000.00000003.237213962.00000000054F3000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.comcomd	Receipt.exe, 00000000.00000003.240782075.00000000054FF000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers/q	Receipt.exe, 00000000.00000003.239390099.0000000005529000.00000004.00000001.sdmp	false		high
http://www.fontbureau.com/designers/w	Receipt.exe, 00000000.00000003.239390099.0000000005529000.00000004.00000001.sdmp	false		high
http://www.jiyu-kobo.co.jp/jp/p	Receipt.exe, 00000000.00000003.237318949.00000000054FC000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/F	Receipt.exe, 00000000.00000003.237048281.00000000054FD000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/jp/	Receipt.exe, 00000000.00000003.237213962.00000000054F3000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.comd	Receipt.exe, 00000000.00000003.240782075.00000000054FF000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/?	Receipt.exe, 00000000.00000003.237048281.00000000054FD000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.coml	Receipt.exe, 00000000.00000002.261487262.0000000006832000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	Receipt.exe, 00000000.00000002.261487262.0000000006832000.00000004.00000001.sdmp	false		high
http://www.fontbureau.comituF	Receipt.exe, 00000000.00000003.241744334.00000000054FE000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.urwpp.dev	Receipt.exe, 00000000.00000003.241744334.00000000054FE000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.founder.com.cn/cn	Receipt.exe, 00000000.00000002.261487262.0000000006832000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/ms	Receipt.exe, 00000000.00000003.237048281.00000000054FD000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers-	Receipt.exe, 00000000.00000003.240253238.0000000005529000.00000004.00000001.sdmp	false		high
http://www.fontbureau.com/designers/frere-jones.html	Receipt.exe, 00000000.00000002.261487262.0000000006832000.00000004.00000001.sdmp	false		high
http://www.fontbureau.com/designers/cabarga.html	Receipt.exe, 00000000.00000003.241301369.00000000054FC000.00000004.00000001.sdmp	false		high
http://www.jiyu-kobo.co.jp/Y0/	Receipt.exe, 00000000.00000003.237318949.00000000054FC000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/p	Receipt.exe, 00000000.00000003.237213962.00000000054F3000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm&	Receipt.exe, 00000000.00000003.244468863.0000000005507000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/	Receipt.exe, 00000000.00000003.237318949.00000000054FC000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.como	Receipt.exe, 00000000.00000003.255007346.00000000054FA000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/i	Receipt.exe, 00000000.00000003.237213962.00000000054F3000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers8	Receipt.exe, 00000000.00000002.261487262.0000000006832000.00000004.00000001.sdmp	false		high
http://www.fontbureau.com/designers/frere-jones.htmlw	Receipt.exe, 00000000.00000003.240676562.0000000005529000.00000004.00000001.sdmp	false		high
http://www.fontbureau.comalic	Receipt.exe, 00000000.00000003.241744334.00000000054FE000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/a	Receipt.exe, 00000000.00000003.237048281.00000000054FD000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/b	Receipt.exe, 00000000.00000003.237318949.00000000054FC000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/tion	Receipt.exe, 00000000.00000003.237048281.00000000054FD000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers2	Receipt.exe, 00000000.00000003.240184375.0000000005529000.00000004.00000001.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious

Private

IP
127.0.0.1

General Information

Joe Sandbox Version:	31.0.0 Red Diamond
Analysis ID:	320376
Start date:	19.11.2020
Start time:	09:57:12
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 0s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	Receipt.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	23
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@6/4@0/1
EGA Information:	Failed
HDC Information:	Successful, ratio: 3.3% (good quality ratio 2.8%) Quality average: 71.9% Quality standard deviation: 32.6%
HCA Information:	Successful, ratio: 98% Number of executed functions: 331 Number of non-executed functions: 2
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information. Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
09:58:13	API Interceptor	2x Sleep call for process: Receipt.exe modified
09:58:16	API Interceptor	966x Sleep call for process: RegSvcs.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\Receipt.exe.log Download File
Process:	C:\Users\user\Desktop\Receipt.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	641
Entropy (8bit):	5.271473536084351
Encrypted:	false
SSDEEP:	12:Q3LaJU20NaL10U29hJ5g1B0U2ukyrFk70U2u7x5I6Hi0Ug+9Yz9tv:MLF20NaL329hJ5g522rW2I3rOz2T
MD5:	C3EC08CD6BEA8576070D5A52B4B6D7D0
SHA1:	40B95253F98B3CC5953100C0E71DAC7915094A5A
SHA-256:	28B314C3E5651414FD36B2A65B644A2A55F007A34A536BE17514E12CEE5A091B
SHA-512:	5B0E6398A092F08240DC6765425E16DB52F32542FF7250E87403C407E54B3660EF93E0EAD17BA2CEF6B666951ACF66FA0EAD61FB52E80867DDD398E8258DED22
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Web\d05d469d89b319a068f2123e7e6f8621\System.Web.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0..

C:\Users\user\AppData\Local\Temp\tmp90A5.tmp Download File
Process:	C:\Users\user\Desktop\Receipt.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1645
Entropy (8bit):	5.17308342231138
Encrypted:	false
SSDEEP:	24:2dH4+SEqC/a7hTlNMFpH/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBXitn:cbhC7ZlNQF/rydbz9I3YODOLNdq3hE
MD5:	2C024392C6A14572C1EC4ABB2BD1D328
SHA1:	FF54EB8AE973485D78A0B0A02748AC6EE628640F
SHA-256:	73701C60D1A452D6602F6C7140F61AE3CE50BB6B0E902BF00EB5AEED2F4E888C
SHA-512:	059AEA7926F7871E0DE34A2D5EC5EE1F2EB0B94241578393B706CCD276D6BF0E246B2094044E8827AD10D7D9F2D047055FA5559BF596B809A3D141FA93BC4371
Malicious:	true
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>t

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
File Type:	data
Category:	dropped
Size (bytes):	8
Entropy (8bit):	3.0
Encrypted:	false
SSDEEP:	3:fth:7
MD5:	E863A149CC5D367806B364589CDA010C
SHA1:	E86FB80C32B4CD566E67D417BBE339D8A7A7DCD1
SHA-256:	D7044E422D9E9B0385F94405665796713AB7A5F9F12A6047343668BA3D9CE10F
SHA-512:	A751133FD52FAC4DCA4C2C5FC59D107A071D77869C23EDD5B4F8CAF2112514371A64E1D809764C7C752230A7500D204E680B837FA4BBAEA1890C7B21987FECAA
Malicious:	true
Reputation:	low
Preview:	.3C....H

C:\Users\user\AppData\Roaming\FJyjsoEc.exe Download File
Process:	C:\Users\user\Desktop\Receipt.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	475136
Entropy (8bit):	7.7475263494256925
Encrypted:	false
SSDEEP:	12288:IKIMhB743rIsoik5RvU0GMuNMydyOWYt8LF:IKviKy0GMuNMy/Wc8
MD5:	BB6F9FFD7714CCBADF5D6D37EFC73C1A
SHA1:	167F22C4E387DD05B4DD0BD3E172F4F805572B07
SHA-256:	BD8CFBEF2D3351BF256ED71484202F8351FE4705D32A23F8AFA0B7E86B5AA250
SHA-512:	8CE60CBF073C6FD9B9671D147E1AA85B7427A251DB95EFFA0712E5C50B97E8DB4DF5FE0BFC5F00C7291546032FB0CB170B76E79C7B9EC0D3440D720378134A10
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....F._..............0..6.........."T... ...`....@.. ....................................@..................................S..O....`............................................................................... ............... ..H............text...(4... ...6.................. ..`.rsrc........`.......8..............@..@.reloc...............>..............@..B.................T......H........Y..hC......o...................................................B.(........}........0..!.........{....r...p.\|....(....(.....+......0..<.............5...%...o.......o.......+.......o........X.........-....o...........,..r...p(....&...8..........(....}.......&.r?..p(....&.............(....}.......&.ro..p(....&...........}.....{....r...p(........,..r...p(....&...+X....}.....{....r...p(........,..r...p(....&...+(......(....}.......&.r...p(....&......+....(....b..t..

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.7475263494256925
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	Receipt.exe
File size:	475136
MD5:	bb6f9ffd7714ccbadf5d6d37efc73c1a
SHA1:	167f22c4e387dd05b4dd0bd3e172f4f805572b07
SHA256:	bd8cfbef2d3351bf256ed71484202f8351fe4705d32a23f8afa0b7e86b5aa250
SHA512:	8ce60cbf073c6fd9b9671d147e1aa85b7427a251db95effa0712e5c50b97e8db4df5fe0bfc5f00c7291546032fb0cb170b76e79c7b9ec0d3440d720378134a10
SSDEEP:	12288:IKIMhB743rIsoik5RvU0GMuNMydyOWYt8LF:IKviKy0GMuNMy/Wc8
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....F._..............0..6.........."T... ...`....@.. ....................................@................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General
Entrypoint:	0x475422
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x5FB546A1 [Wed Nov 18 16:06:57 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:	v2.0.50727
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x753d0	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x76000	0x5ec	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x78000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x73428	0x73600	False	0.860306067172	data	7.75501817542	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0x76000	0x5ec	0x600	False	0.434244791667	data	4.17989088822	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x78000	0xc	0x200	False	0.044921875	data	0.101910425663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0x76090	0x35c	data
RT_MANIFEST	0x763fc	0x1ea	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright Microsoft 2017 - 2020
Assembly Version	1.0.0.0
InternalName	I5.exe
FileVersion	1.0.0.0
CompanyName	Microsoft
LegalTrademarks
Comments
ProductName	Monopoly Simulator
ProductVersion	1.0.0.0
FileDescription	Monopoly Simulator
OriginalFilename	I5.exe

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: Receipt.exe PID: 6444 Parent PID: 5636

General

Start time:	09:58:05
Start date:	19/11/2020
Path:	C:\Users\user\Desktop\Receipt.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\Receipt.exe'
Imagebase:	0xb00000
File size:	475136 bytes
MD5 hash:	BB6F9FFD7714CCBADF5D6D37EFC73C1A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.256996521.00000000032AA000.00000004.00000001.sdmp, Author: Joe Security Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.258930784.0000000004238000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.258930784.0000000004238000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000000.00000002.258930784.0000000004238000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Chronological Activities

Analysis Process: schtasks.exe PID: 6580 Parent PID: 6444

General

Start time:	09:58:14
Start date:	19/11/2020
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\FJyjsoEc' /XML 'C:\Users\user\AppData\Local\Temp\tmp90A5.tmp'
Imagebase:	0x30000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 6588 Parent PID: 6580

General

Start time:	09:58:15
Start date:	19/11/2020
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7ecfc0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: RegSvcs.exe PID: 6628 Parent PID: 6444

General

Start time:	09:58:15
Start date:	19/11/2020
Path:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	{path}
Imagebase:	0xdf0000
File size:	32768 bytes
MD5 hash:	71369277D09DA0830C8C59F9E22BB23A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000002.503407116.0000000004587000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000004.00000002.503407116.0000000004587000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000002.504460720.00000000057D0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000004.00000002.504460720.00000000057D0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000002.497486301.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000002.497486301.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000004.00000002.497486301.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000002.504863829.0000000005D00000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000004.00000002.504863829.0000000005D00000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000002.504863829.0000000005D00000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: Receipt.exe PID: 6444 Parent PID: 5636 Receipt.exeCOMMON

Executed Functions

Function 02EDBF77, Relevance: 7.0, Strings: 5, Instructions: 781COMMON

Download Yara Rule

Strings

(, xrefs: 02EDC930
l, xrefs: 02EDC0BA
p, xrefs: 02EDC71D
X1(r, xrefs: 02EDC17A
m, xrefs: 02EDC4F5

Memory Dump Source

Source File: 00000000.00000002.256275734.0000000002ED0000.00000040.00000001.sdmp, Offset: 02ED0000, based on PE: false

Similarity

API ID:
String ID: ($X1(r$l$m$p
API String ID: 0-2668433436
Opcode ID: 9c140b43c4af74a5f726d4e3138205b72bfdab7b0a6c0c02988010bbed0ada34
Instruction ID: d94b4a9d4535eb3729ea3fec47e65aad5ab2bde088ea2ae4feba53f9d028e01e
Opcode Fuzzy Hash: 9c140b43c4af74a5f726d4e3138205b72bfdab7b0a6c0c02988010bbed0ada34
Instruction Fuzzy Hash: A472EE70D85229CFDB64DF28C854BEDBBB1AB49344F20A0EAC11DA7290DB745AC6CF45

Uniqueness

Uniqueness Score: -1.00%

Function 02EDA959, Relevance: 2.8, Strings: 2, Instructions: 339COMMON

Download Yara Rule

Strings

r, xrefs: 02EDABC5
s, xrefs: 02EDA9C5

Memory Dump Source

Source File: 00000000.00000002.256275734.0000000002ED0000.00000040.00000001.sdmp, Offset: 02ED0000, based on PE: false

Similarity

API ID:
String ID: r$s
API String ID: 0-2429592588
Opcode ID: 4941e1cffdcd9c958ef31ff4cab231719eb7f14e6d98aa0de81351185d9ca509
Instruction ID: 0e951e67bff99e02f32c9f31e7428c4596594451387c2c91544ddd61dfe65e74
Opcode Fuzzy Hash: 4941e1cffdcd9c958ef31ff4cab231719eb7f14e6d98aa0de81351185d9ca509
Instruction Fuzzy Hash: BBD10770D86218CFDF24CF65D5487EDBAB1BB4A309F10A569C01AA3395DBB84A86CF05

Uniqueness

Uniqueness Score: -1.00%

Function 02EDA96D, Relevance: 2.8, Strings: 2, Instructions: 292COMMON

Download Yara Rule

Strings

r, xrefs: 02EDABC5
s, xrefs: 02EDA9C5

Memory Dump Source

Source File: 00000000.00000002.256275734.0000000002ED0000.00000040.00000001.sdmp, Offset: 02ED0000, based on PE: false

Similarity

API ID:
String ID: r$s
API String ID: 0-2429592588
Opcode ID: 4c575c70abfe2eeff25cb50e67e2eefe45245b4fe0f6975b67f62491c5b39636
Instruction ID: 06bce73eb344b0223bdb37111d4442f0c260d8370551b1e3b2080e85af8f3842
Opcode Fuzzy Hash: 4c575c70abfe2eeff25cb50e67e2eefe45245b4fe0f6975b67f62491c5b39636
Instruction Fuzzy Hash: A3B11870D85218CFDF28CF65D5487EDBBB6BB4A309F10A5B9D009A3295DB784A86CF04

Uniqueness

Uniqueness Score: -1.00%

Function 02EDADC0, Relevance: 2.8, Strings: 2, Instructions: 268COMMON

Download Yara Rule

Strings

r, xrefs: 02EDABC5
s, xrefs: 02EDA9C5

Memory Dump Source

Source File: 00000000.00000002.256275734.0000000002ED0000.00000040.00000001.sdmp, Offset: 02ED0000, based on PE: false

Similarity

API ID:
String ID: r$s
API String ID: 0-2429592588
Opcode ID: 806b7d6120d40f069ab75506574b3c9c066d2a77aac6c2c7b19612f0faba31ab
Instruction ID: 0298740b4db93bfe9795e52eabc9e232c118f61ef03c5b94e8c27ee4f9174b54
Opcode Fuzzy Hash: 806b7d6120d40f069ab75506574b3c9c066d2a77aac6c2c7b19612f0faba31ab
Instruction Fuzzy Hash: ABA11770D86218CFDF28CF65D5447EDBBB2BB4A309F10A5B9D009A3295DB784A86CF44

Uniqueness

Uniqueness Score: -1.00%

Function 02ED33CC, Relevance: 1.7, Strings: 1, Instructions: 445COMMON

Download Yara Rule

Strings

$g%r, xrefs: 02ED33EF

Memory Dump Source

Source File: 00000000.00000002.256275734.0000000002ED0000.00000040.00000001.sdmp, Offset: 02ED0000, based on PE: false

Similarity

API ID:
String ID: $g%r
API String ID: 0-359987751
Opcode ID: 7a8fce20c110f8b4b109e9fae8465fd95c2b1d7760f55df680b9557dc62b2b4d
Instruction ID: ff12f4540d4b19d19e9f0b961019914001cfa62c2dfe66f9f49afc33c1605843
Opcode Fuzzy Hash: 7a8fce20c110f8b4b109e9fae8465fd95c2b1d7760f55df680b9557dc62b2b4d
Instruction Fuzzy Hash: 8D22E174A45228CFDB24DF64C844BEDBBB1BF49304F10A1E9D50AA7291CB755E86CF42

Uniqueness

Uniqueness Score: -1.00%

Function 057D18C7, Relevance: 1.6, APIs: 1, Instructions: 75COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 057D1947

Memory Dump Source

Source File: 00000000.00000002.260579426.00000000057D0000.00000040.00000001.sdmp, Offset: 057D0000, based on PE: false

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: d6643575e9962cd74cfb3b18d259b3cb257555f38cdd7a6e3f8fa93185101997
Instruction ID: e77c71674638ed6a902468c0e66437960dacf13db0d4c4aed70148c29c25353b
Opcode Fuzzy Hash: d6643575e9962cd74cfb3b18d259b3cb257555f38cdd7a6e3f8fa93185101997
Instruction Fuzzy Hash: CD219F765097C49FEB138F25DC44B52FFB8EF06210F08849AE9858B563D2719918DB61

Uniqueness

Uniqueness Score: -1.00%

Function 057D1A49, Relevance: 1.6, APIs: 1, Instructions: 57nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL(?,?,?,?), ref: 057D1AB5

Memory Dump Source

Source File: 00000000.00000002.260579426.00000000057D0000.00000040.00000001.sdmp, Offset: 057D0000, based on PE: false

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: 355a5e28d1a257ab63fc8b109b36e92cbdaf8dc166d2b8e2518439cbaf1eec3b
Instruction ID: ad41f6a316f0686b671367bc39b83c1c4d08d6b8ae956dd190a65ee8182bed26
Opcode Fuzzy Hash: 355a5e28d1a257ab63fc8b109b36e92cbdaf8dc166d2b8e2518439cbaf1eec3b
Instruction Fuzzy Hash: 24118E724097849FDB228F25DC45A52FFB4EF46314F09C0DAE9844B163D265A918DB62

Uniqueness

Uniqueness Score: -1.00%

Function 057D18FE, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 057D1947

Memory Dump Source

Source File: 00000000.00000002.260579426.00000000057D0000.00000040.00000001.sdmp, Offset: 057D0000, based on PE: false

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: ae91ffcc02e9f0d0cd81ddda51603409d849ef00b2fa5efbe4609581dcf11863
Instruction ID: fcd6347e62c99379c9d02fe35baecabe6d6d70290f5bda3ef560cfe12396629f
Opcode Fuzzy Hash: ae91ffcc02e9f0d0cd81ddda51603409d849ef00b2fa5efbe4609581dcf11863
Instruction Fuzzy Hash: CF115A755002449FDB21CF65D889B66FBE8EF04320F08C4AAED8A8B652D271E418DBB1

Uniqueness

Uniqueness Score: -1.00%

Function 057D1A7A, Relevance: 1.5, APIs: 1, Instructions: 38nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL(?,?,?,?), ref: 057D1AB5

Memory Dump Source

Source File: 00000000.00000002.260579426.00000000057D0000.00000040.00000001.sdmp, Offset: 057D0000, based on PE: false

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: 96f150aee95b41f4bca0b9fae9e860825594e363941ccf4477b4439d14ceea4c
Instruction ID: 76c44c3e59fb62dcebe53d8fd4f5bc60212c86e280875e1338c6cbf3f96d6a49
Opcode Fuzzy Hash: 96f150aee95b41f4bca0b9fae9e860825594e363941ccf4477b4439d14ceea4c
Instruction Fuzzy Hash: 2201DB314003008FDB20CF05D884B26FFB1EF88320F08C09ADD890B252C279A418DBB2

Uniqueness

Uniqueness Score: -1.00%

Function 02ED010D, Relevance: 1.2, Instructions: 1204COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.256275734.0000000002ED0000.00000040.00000001.sdmp, Offset: 02ED0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af8c5064fda7cefa1408bea00468fc4f5f206eae5ffcf0f2e1b8a63f76c3dd21
Instruction ID: 570af1a02d126702d92f3eab60e5dfe911ca288dd048abdb2f3fb151bdbe1347
Opcode Fuzzy Hash: af8c5064fda7cefa1408bea00468fc4f5f206eae5ffcf0f2e1b8a63f76c3dd21
Instruction Fuzzy Hash: A6C2D734A01218DFDB15DB24C984BD9B7B2FF8A301F5584E9E509AB360DB35AE89CF50

Uniqueness

Uniqueness Score: -1.00%

Function 02ED0110, Relevance: 1.2, Instructions: 1202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.256275734.0000000002ED0000.00000040.00000001.sdmp, Offset: 02ED0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c08ab94a0fb586498039b6fc52eb6bfea15d9f5e5c17ba2578fb125d7e427f84
Instruction ID: 2913592a0e91cb91a9499bab6e155e38cd3e01e905fff32b882c3240ca496a28
Opcode Fuzzy Hash: c08ab94a0fb586498039b6fc52eb6bfea15d9f5e5c17ba2578fb125d7e427f84
Instruction Fuzzy Hash: 09C2D734A01218DFDB15DB24C984BD9B7B2FF8A301F5584E9E509AB360DB35AE89CF50

Uniqueness

Uniqueness Score: -1.00%

Function 02ED2037, Relevance: .2, Instructions: 181COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.256275734.0000000002ED0000.00000040.00000001.sdmp, Offset: 02ED0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25f3e4990b3ffcc133dacae14cba4fc06133a0f258945157574902ef1d9fc9cf
Instruction ID: d1f2316cec3000661b9e2623a6c7bae1f885d1c4574567c330c158d85832e771
Opcode Fuzzy Hash: 25f3e4990b3ffcc133dacae14cba4fc06133a0f258945157574902ef1d9fc9cf
Instruction Fuzzy Hash: 1171E270E44218CFCB04DFA9C8846ADBBF2BF49304F14E5AAD958A7256D7349982CF61

Uniqueness

Uniqueness Score: -1.00%

Function 02ED8537, Relevance: 7.7, Strings: 5, Instructions: 1416COMMON

Download Yara Rule

Strings

`5(r, xrefs: 02ED85D1
X1(r, xrefs: 02ED945D
X1(r, xrefs: 02ED854A
$g%r, xrefs: 02ED85A6
X1(r, xrefs: 02ED9164

Memory Dump Source

Source File: 00000000.00000002.256275734.0000000002ED0000.00000040.00000001.sdmp, Offset: 02ED0000, based on PE: false

Similarity

API ID:
String ID: $g%r$X1(r$X1(r$X1(r$`5(r
API String ID: 0-2208637506
Opcode ID: 3c49e951b1dcefbff7d3d594263daad5f6a1a5e527e6c919ef505ead33983060
Instruction ID: e5360e610b812ba3c03dbb42418e0b4c79da16479f058c2011bb52b3397c7225
Opcode Fuzzy Hash: 3c49e951b1dcefbff7d3d594263daad5f6a1a5e527e6c919ef505ead33983060
Instruction Fuzzy Hash: 80E24F3A500115EFCB5A8F98D948E64BFB2FF4D315B1A81D4E60A5B232C732E961EF41

Uniqueness

Uniqueness Score: -1.00%

Function 02ED2D98, Relevance: 2.6, Strings: 2, Instructions: 147COMMON

Download Yara Rule

Strings

1, xrefs: 02ED2E17
2, xrefs: 02ED2E4A

Memory Dump Source

Source File: 00000000.00000002.256275734.0000000002ED0000.00000040.00000001.sdmp, Offset: 02ED0000, based on PE: false

Similarity

API ID:
String ID: 1$2
API String ID: 0-3822577299
Opcode ID: cb6da22183c1791a3ad232fd624e7bc0d86590fdf0c3db14504883fd891a4c1f
Instruction ID: c0401cb44a530b1a864bc59015dfdf2de60449f28b5d1a3d0f30235168341b20
Opcode Fuzzy Hash: cb6da22183c1791a3ad232fd624e7bc0d86590fdf0c3db14504883fd891a4c1f
Instruction Fuzzy Hash: C6517BB4A49248DFDB04CFA8D584ADDFBF5FB0A308F14E099DA446B342C3B49946CB65

Uniqueness

Uniqueness Score: -1.00%

Function 02ED2DA0, Relevance: 2.6, Strings: 2, Instructions: 144COMMON

Download Yara Rule

Strings

1, xrefs: 02ED2E17
2, xrefs: 02ED2E4A

Memory Dump Source

Source File: 00000000.00000002.256275734.0000000002ED0000.00000040.00000001.sdmp, Offset: 02ED0000, based on PE: false

Similarity

API ID:
String ID: 1$2
API String ID: 0-3822577299
Opcode ID: 462430195dcd34e92f0035f9bd1ff002641d9c3d0f5e95abc993603d9deccf9f
Instruction ID: 33935e81745d10daf372428e0904ad10df7616c370c053ad41131f8a9710d69e
Opcode Fuzzy Hash: 462430195dcd34e92f0035f9bd1ff002641d9c3d0f5e95abc993603d9deccf9f
Instruction Fuzzy Hash: 43515AB4A49248DFDB04CFA8D584ADDFBF5FB0A308F14E099DA446B342C3B49946CB65

Uniqueness

Uniqueness Score: -1.00%

Function 057D12B7, Relevance: 1.6, APIs: 1, Instructions: 102COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,00000E2C), ref: 057D1367

Memory Dump Source

Source File: 00000000.00000002.260579426.00000000057D0000.00000040.00000001.sdmp, Offset: 057D0000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 124579999f80267cb46dee4dc54d13da785c3779508d2ac65716c44b2f1549fa
Instruction ID: c045a77e79ac7735ec3771d8ecc9cfe7c174de19077eccf623db7330b91c7b89
Opcode Fuzzy Hash: 124579999f80267cb46dee4dc54d13da785c3779508d2ac65716c44b2f1549fa
Instruction Fuzzy Hash: 1231B4715043846FEB128B65DC45FA7BFBCEF06310F0485AAF985CB152D724A909DB71

Uniqueness

Uniqueness Score: -1.00%

Function 057D0BA6, Relevance: 1.6, APIs: 1, Instructions: 94COMMON

Download Yara Rule

APIs

GetTokenInformation.KERNELBASE(?,00000E2C,2C167302,00000000,00000000,00000000,00000000), ref: 057D0C50

Memory Dump Source

Source File: 00000000.00000002.260579426.00000000057D0000.00000040.00000001.sdmp, Offset: 057D0000, based on PE: false

Similarity

API ID: InformationToken
String ID:
API String ID: 4114910276-0
Opcode ID: 2d015a66136d71fb157d08ff05fc874a65db16b609815da82f4e24f5fcfa6cc7
Instruction ID: 6b71538a22d6bcdc50617c15e07e76708b030617475c936936dcc4246c90dc19
Opcode Fuzzy Hash: 2d015a66136d71fb157d08ff05fc874a65db16b609815da82f4e24f5fcfa6cc7
Instruction Fuzzy Hash: 4531C7725093846FEB228F64DC85F96BFB8EF06310F08849AE9849B153D724A508D7B1

Uniqueness

Uniqueness Score: -1.00%

Function 0112AC22, Relevance: 1.6, APIs: 1, Instructions: 92registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,00000E2C), ref: 0112ACD1

Memory Dump Source

Source File: 00000000.00000002.255504091.000000000112A000.00000040.00000001.sdmp, Offset: 0112A000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: b538d369465dbff83d1068c8ec4b2a7306fedf403c2a813f797ab80776ccb652
Instruction ID: 19f155faa25fd51b24ff1e6d4774a5bd70d80324f7f332473ced4c39a500c6b2
Opcode Fuzzy Hash: b538d369465dbff83d1068c8ec4b2a7306fedf403c2a813f797ab80776ccb652
Instruction Fuzzy Hash: 5331B4B25043846FE7228B65DC85FA7BFFCEF05310F0884AAED819B152D264A959CB71

Uniqueness

Uniqueness Score: -1.00%

Function 057D0734, Relevance: 1.6, APIs: 1, Instructions: 90fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 057D07D5

Memory Dump Source

Source File: 00000000.00000002.260579426.00000000057D0000.00000040.00000001.sdmp, Offset: 057D0000, based on PE: false

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 7d3fcdd985784323dc77a1e5f156f912e01887892ad0ee6850f63b702c5a5f7e
Instruction ID: edf6bdae84360b02a37eea80abd257c6462da5d4d14090c5f2fe5aafe27a3210
Opcode Fuzzy Hash: 7d3fcdd985784323dc77a1e5f156f912e01887892ad0ee6850f63b702c5a5f7e
Instruction Fuzzy Hash: 7F314B71505380AFE722CF65DC44F66FFE8EF05620F0884AAE9859B252D375E409DB71

Uniqueness

Uniqueness Score: -1.00%

Function 0112AD19, Relevance: 1.6, APIs: 1, Instructions: 89registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,2C167302,00000000,00000000,00000000,00000000), ref: 0112ADD4

Memory Dump Source

Source File: 00000000.00000002.255504091.000000000112A000.00000040.00000001.sdmp, Offset: 0112A000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 510c92c5961ffe3dceada9023ba8190e25e2530aaba218a45c0156054c375e56
Instruction ID: b27e127ec960b50f143b998880b9eeb2e45e17ed2466d616e5c3a58b77799ab7
Opcode Fuzzy Hash: 510c92c5961ffe3dceada9023ba8190e25e2530aaba218a45c0156054c375e56
Instruction Fuzzy Hash: 0431B1725083846FE722CB65DC85FA6BFB8EF06310F08849AE985CB153D364E549CB61

Uniqueness

Uniqueness Score: -1.00%

Function 057D0556, Relevance: 1.6, APIs: 1, Instructions: 89synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNELBASE(?,?), ref: 057D05FD

Memory Dump Source

Source File: 00000000.00000002.260579426.00000000057D0000.00000040.00000001.sdmp, Offset: 057D0000, based on PE: false

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 5a847821c868b2b2c0ba9608f6ba0746a72c790f638a9da01b52b7bf37fe980a
Instruction ID: 0e8169ff22d33c64768d220e5e3c676a4ca84592f2ce6ffdfeb1c76765952020
Opcode Fuzzy Hash: 5a847821c868b2b2c0ba9608f6ba0746a72c790f638a9da01b52b7bf37fe980a
Instruction Fuzzy Hash: A3318171509780AFE712CB25DC85F56FFF8EF06210F08849AE9858B292D365E909C771

Uniqueness

Uniqueness Score: -1.00%

Function 0112A2AC, Relevance: 1.6, APIs: 1, Instructions: 87COMMON

Download Yara Rule

APIs

SetConsoleCtrlHandler.KERNELBASE(?,00000E2C,?,?), ref: 0112A346

Memory Dump Source

Source File: 00000000.00000002.255504091.000000000112A000.00000040.00000001.sdmp, Offset: 0112A000, based on PE: false

Similarity

API ID: ConsoleCtrlHandler
String ID:
API String ID: 1513847179-0
Opcode ID: 9e384925f2a4b05851a0d2f6f76c7fbca64463986b163e4f7899146429638d6c
Instruction ID: 08c12bfecfdc88f805fac609507b24e288f7235d2587849465459c3fd495b482
Opcode Fuzzy Hash: 9e384925f2a4b05851a0d2f6f76c7fbca64463986b163e4f7899146429638d6c
Instruction Fuzzy Hash: 4631827140E3C06FD3138B359C55A22BFB4EF47610F0A40DBE884CB5A3D229A919C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 057D0ED7, Relevance: 1.6, APIs: 1, Instructions: 85COMMON

Download Yara Rule

APIs

LsaOpenPolicy.ADVAPI32(?,00000E2C), ref: 057D0F73

Memory Dump Source

Source File: 00000000.00000002.260579426.00000000057D0000.00000040.00000001.sdmp, Offset: 057D0000, based on PE: false

Similarity

API ID: OpenPolicy
String ID:
API String ID: 2030686058-0
Opcode ID: d1f799a1ff28d5a73e855be496b05f746994c6a23552ff561b893057a82f939a
Instruction ID: 1a8a401264dbc0b122c65b23a71a60003ddc861e2a2a8e325470201cf4a05780
Opcode Fuzzy Hash: d1f799a1ff28d5a73e855be496b05f746994c6a23552ff561b893057a82f939a
Instruction Fuzzy Hash: E821A272504344AFEB21CF65DC85FAAFFF8EF05310F18889AED849B152D264A908CB71

Uniqueness

Uniqueness Score: -1.00%

Function 057D12EA, Relevance: 1.6, APIs: 1, Instructions: 80COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,00000E2C), ref: 057D1367

Memory Dump Source

Source File: 00000000.00000002.260579426.00000000057D0000.00000040.00000001.sdmp, Offset: 057D0000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 185b939d7e6271ba5dc06224d19843aa44621961463cbcef5f9dc875bd279601
Instruction ID: 18cb6a5e6674c3be2f529ad4ab2b56da2b7d7591038e177976ca1e5461aef5ca
Opcode Fuzzy Hash: 185b939d7e6271ba5dc06224d19843aa44621961463cbcef5f9dc875bd279601
Instruction Fuzzy Hash: 9421C1B2900204AFEB21DF69DC85F6AFBECEF04310F14886AED458B651D670E504DBB1

Uniqueness

Uniqueness Score: -1.00%

Function 057D082C, Relevance: 1.6, APIs: 1, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E2C,2C167302,00000000,00000000,00000000,00000000), ref: 057D08C1

Memory Dump Source

Source File: 00000000.00000002.260579426.00000000057D0000.00000040.00000001.sdmp, Offset: 057D0000, based on PE: false

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: b301d6bcb14ad2ba1afad50e552a142c9e705f6736fbb2e129a04ce0cfbcda6d
Instruction ID: eddf1facd8fff923bbe8677daceed2bf16c3c22b29c8ac726454c76cce7b85a6
Opcode Fuzzy Hash: b301d6bcb14ad2ba1afad50e552a142c9e705f6736fbb2e129a04ce0cfbcda6d
Instruction Fuzzy Hash: 5421F8B58087806FE712CB259C45FA6FFB8EF46720F1880DAED848B153D224A909D7B1

Uniqueness

Uniqueness Score: -1.00%

Function 057D13C5, Relevance: 1.6, APIs: 1, Instructions: 77fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(?), ref: 057D144C

Memory Dump Source

Source File: 00000000.00000002.260579426.00000000057D0000.00000040.00000001.sdmp, Offset: 057D0000, based on PE: false

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 16a380e594860fe0182ed33fa68a6eb277dc304d24912aa30f90bc2ea6af9397
Instruction ID: b40c01bab509dadb3007a76fe8afd37a9be883bb81ef3b662fe537c3db41eb8f
Opcode Fuzzy Hash: 16a380e594860fe0182ed33fa68a6eb277dc304d24912aa30f90bc2ea6af9397
Instruction Fuzzy Hash: D5216D765093C05FDB12CB25D855AA2BFB4AF07610F0984DADC858F263D225A908DB61

Uniqueness

Uniqueness Score: -1.00%

Function 057D0756, Relevance: 1.6, APIs: 1, Instructions: 76fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 057D07D5

Memory Dump Source

Source File: 00000000.00000002.260579426.00000000057D0000.00000040.00000001.sdmp, Offset: 057D0000, based on PE: false

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 77de9e1e9068365c8b660b89ac4de6987155b85c4fac51f6e44965664a8d2129
Instruction ID: 67a9c2238099f137ec5cc3963885ab088b66ac338a0a64554839f935ed858ade
Opcode Fuzzy Hash: 77de9e1e9068365c8b660b89ac4de6987155b85c4fac51f6e44965664a8d2129
Instruction Fuzzy Hash: 2921B071504640AFEB21DF65DC89F66FBE8EF08320F048469E9458B241E371E404CB71

Uniqueness

Uniqueness Score: -1.00%

Function 0112AC52, Relevance: 1.6, APIs: 1, Instructions: 74registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,00000E2C), ref: 0112ACD1

Memory Dump Source

Source File: 00000000.00000002.255504091.000000000112A000.00000040.00000001.sdmp, Offset: 0112A000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: cf87e10388537fb25a1c71e568014e2d6916b195e04aec10c875654a0d0c3837
Instruction ID: c2a208116f90e2f72964ceb0b6cf224f19ab0c1259fee248bc4d593fc46735e2
Opcode Fuzzy Hash: cf87e10388537fb25a1c71e568014e2d6916b195e04aec10c875654a0d0c3837
Instruction Fuzzy Hash: 1721A1B2500204AFE7219F69DC85FABFBECEF04310F14845AEE459B641D774E5188BB1

Uniqueness

Uniqueness Score: -1.00%

Function 057D1744, Relevance: 1.6, APIs: 1, Instructions: 74COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 057D17C6

Memory Dump Source

Source File: 00000000.00000002.260579426.00000000057D0000.00000040.00000001.sdmp, Offset: 057D0000, based on PE: false

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 99c25154692937035a6c6f57f5cfdf6d36a27696aa73ab7d5ec1e4b643a5cad4
Instruction ID: 65c4276a32a9453d43474560b54ae46caf03e6eb3792a5b9404da11136526bca
Opcode Fuzzy Hash: 99c25154692937035a6c6f57f5cfdf6d36a27696aa73ab7d5ec1e4b643a5cad4
Instruction Fuzzy Hash: 4C2160765093805FD712CB25DC85B92FFB8EF16220F0984EAEC89CB153D224E948DB61

Uniqueness

Uniqueness Score: -1.00%

Function 0112BF11, Relevance: 1.6, APIs: 1, Instructions: 73COMMON

Download Yara Rule

APIs

DrawTextExW.USER32(?,?,?,?,?), ref: 0112BF93

Memory Dump Source

Source File: 00000000.00000002.255504091.000000000112A000.00000040.00000001.sdmp, Offset: 0112A000, based on PE: false

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: 8c893acf93f1a56ce0454e2b1184b7b221a6f6113642cb58c7342c26bafd06fc
Instruction ID: 558690a63caa3e8338352a001b070ba51b924bf16efcdebd4839e4337bf2178f
Opcode Fuzzy Hash: 8c893acf93f1a56ce0454e2b1184b7b221a6f6113642cb58c7342c26bafd06fc
Instruction Fuzzy Hash: 2421AE715083849FDB22CF25D881B52BFF8EF06210F09849AED848B163D375E518CB61

Uniqueness

Uniqueness Score: -1.00%

Function 057D058A, Relevance: 1.6, APIs: 1, Instructions: 72synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNELBASE(?,?), ref: 057D05FD

Memory Dump Source

Source File: 00000000.00000002.260579426.00000000057D0000.00000040.00000001.sdmp, Offset: 057D0000, based on PE: false

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: f138a22cddc430223d464f1948d037b65bcdf58e173e8153e1b7f6d04d2f3739
Instruction ID: c1297d28167fc3ed2a5eb356a552f09d645095cdb51b765a91d866f223d782f7
Opcode Fuzzy Hash: f138a22cddc430223d464f1948d037b65bcdf58e173e8153e1b7f6d04d2f3739
Instruction Fuzzy Hash: A521A1B1904244AFE721DF6ADC89F6AFBE8EF04310F14846AED499B242E775E404CB75

Uniqueness

Uniqueness Score: -1.00%

Function 057D0F02, Relevance: 1.6, APIs: 1, Instructions: 72COMMON

Download Yara Rule

APIs

LsaOpenPolicy.ADVAPI32(?,00000E2C), ref: 057D0F73

Memory Dump Source

Source File: 00000000.00000002.260579426.00000000057D0000.00000040.00000001.sdmp, Offset: 057D0000, based on PE: false

Similarity

API ID: OpenPolicy
String ID:
API String ID: 2030686058-0
Opcode ID: 8a9d7264ae013a65fccd1707d99b8f0a671700e65941b1ac2a14f292b0b0eaa0
Instruction ID: 0228e6030207f5fbd93e0ecabbc6ba9fbfc6fd64eff4d33930b6a3bffa643fa8
Opcode Fuzzy Hash: 8a9d7264ae013a65fccd1707d99b8f0a671700e65941b1ac2a14f292b0b0eaa0
Instruction Fuzzy Hash: F621A5B2900204AFEB21DF69DC85F6AFBECEF44710F24846AED45DB241D674E5088B75

Uniqueness

Uniqueness Score: -1.00%

Function 057D09DE, Relevance: 1.6, APIs: 1, Instructions: 70fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,00000E2C,2C167302,00000000,00000000,00000000,00000000), ref: 057D0A5D

Memory Dump Source

Source File: 00000000.00000002.260579426.00000000057D0000.00000040.00000001.sdmp, Offset: 057D0000, based on PE: false

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 687d43b4560a5f3004fa9caa0cbc5d77162f992d9d38eef84550580030186a76
Instruction ID: e9406df167ef7d103fa4235d7b39d6385ec235f7d392ebc2d3a4569ddacd2eda
Opcode Fuzzy Hash: 687d43b4560a5f3004fa9caa0cbc5d77162f992d9d38eef84550580030186a76
Instruction Fuzzy Hash: 25219271505340AFDB22CF55DC85F56FFB8EF45310F0884AAEA859B152D264A408CB71

Uniqueness

Uniqueness Score: -1.00%

Function 0112AD5A, Relevance: 1.6, APIs: 1, Instructions: 69registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,2C167302,00000000,00000000,00000000,00000000), ref: 0112ADD4

Memory Dump Source

Source File: 00000000.00000002.255504091.000000000112A000.00000040.00000001.sdmp, Offset: 0112A000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 71e55d07187757876e88c7bb0f0b06e992f8fbe052f07e3509390c9da4e83665
Instruction ID: 255625368fffbc1898d29d72028b7449abde889208d28ace61701696f981336a
Opcode Fuzzy Hash: 71e55d07187757876e88c7bb0f0b06e992f8fbe052f07e3509390c9da4e83665
Instruction Fuzzy Hash: F42190B1500604AFE721CF69DC81FA6FBECEF04711F08846AEE459B651D760E514CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 057D0BE6, Relevance: 1.6, APIs: 1, Instructions: 69COMMON

Download Yara Rule

APIs

GetTokenInformation.KERNELBASE(?,00000E2C,2C167302,00000000,00000000,00000000,00000000), ref: 057D0C50

Memory Dump Source

Source File: 00000000.00000002.260579426.00000000057D0000.00000040.00000001.sdmp, Offset: 057D0000, based on PE: false

Similarity

API ID: InformationToken
String ID:
API String ID: 4114910276-0
Opcode ID: 8206db6c2c8d2918f03be4fc24f2bcb154d0701614cf9cbd8337aca06495aa9f
Instruction ID: f5364c03d4200df114888bb4a97b168aafc348d16b2fd61436b1963bc88a21cb
Opcode Fuzzy Hash: 8206db6c2c8d2918f03be4fc24f2bcb154d0701614cf9cbd8337aca06495aa9f
Instruction Fuzzy Hash: BA11A2B1500204AFEB21CF65DC85FAAFBECEF04320F14846AEA49DB151E774A404DB71

Uniqueness

Uniqueness Score: -1.00%

Function 057D1688, Relevance: 1.6, APIs: 1, Instructions: 68injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 057D1708

Memory Dump Source

Source File: 00000000.00000002.260579426.00000000057D0000.00000040.00000001.sdmp, Offset: 057D0000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: b765fc18ebea146b0a0c75cf1d1ef039db90dcddfc3c05c0ef616c630a40d809
Instruction ID: 09ddcdeed6a4ce1fe0e1cfdf141ed688e4fb9b83e771367ff5e634ae81432410
Opcode Fuzzy Hash: b765fc18ebea146b0a0c75cf1d1ef039db90dcddfc3c05c0ef616c630a40d809
Instruction Fuzzy Hash: 7921B0761097C09FDB128F25DC85A96FFB4EF06220F0980DEE8858B163D225A959DB71

Uniqueness

Uniqueness Score: -1.00%

Function 0112B42D, Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

LoadLibraryShim.MSCOREE(?,?,?,?), ref: 0112B4A9

Memory Dump Source

Source File: 00000000.00000002.255504091.000000000112A000.00000040.00000001.sdmp, Offset: 0112A000, based on PE: false

Similarity

API ID: LibraryLoadShim
String ID:
API String ID: 1475914169-0
Opcode ID: b4ef167371bcfd9d1c061aa5853dce9375866ddb6c08f3ec7a2b83a571e58941
Instruction ID: 88d787ded4ae63512fb56bda28134f5924bf4193c399eceac58a50e6cca724d0
Opcode Fuzzy Hash: b4ef167371bcfd9d1c061aa5853dce9375866ddb6c08f3ec7a2b83a571e58941
Instruction Fuzzy Hash: 5F2193715093845FD7228E15DC85B62BFF8EF06614F08808AED858B253D365A918C771

Uniqueness

Uniqueness Score: -1.00%

Function 057D1B8D, Relevance: 1.6, APIs: 1, Instructions: 62windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 057D1C01

Memory Dump Source

Source File: 00000000.00000002.260579426.00000000057D0000.00000040.00000001.sdmp, Offset: 057D0000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 6d1f5ca38fad888acbfc69492fa79be44ef0d1e6472ccc283cb165da54fe6836
Instruction ID: 087ba3bb14f7dee9e496621410a2aa2cb9862f62e7d648fc9eacd85443cdcf59
Opcode Fuzzy Hash: 6d1f5ca38fad888acbfc69492fa79be44ef0d1e6472ccc283cb165da54fe6836
Instruction Fuzzy Hash: AB216A714093C49FDB138B25DC44A62FFB4EF17210F0984DAE9848B163D225A958DB62

Uniqueness

Uniqueness Score: -1.00%

Function 0112A5FB, Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0112A666

Memory Dump Source

Source File: 00000000.00000002.255504091.000000000112A000.00000040.00000001.sdmp, Offset: 0112A000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: a567af8b2dd27cde4f95b4723cc5f52f37adc978970941c5358a810293b45d8a
Instruction ID: 96565a1e9375846fec918697fcfa15c1fd035f1692aa3c3dcc88ad9f37581153
Opcode Fuzzy Hash: a567af8b2dd27cde4f95b4723cc5f52f37adc978970941c5358a810293b45d8a
Instruction Fuzzy Hash: B4117F72409780AFDB238F55DC44A62FFB8EF4A210F08849AED858B563D375A528DB61

Uniqueness

Uniqueness Score: -1.00%

Function 057D09FE, Relevance: 1.6, APIs: 1, Instructions: 60fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,00000E2C,2C167302,00000000,00000000,00000000,00000000), ref: 057D0A5D

Memory Dump Source

Source File: 00000000.00000002.260579426.00000000057D0000.00000040.00000001.sdmp, Offset: 057D0000, based on PE: false

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 0a1e594e9e754e8685ad1dc684753132415e2c52170d52ccde59ee8d83d14ce8
Instruction ID: 14bc1e6dac39123a27f77146d20dece7c8683f41f6ac1248439d1fd982e8c061
Opcode Fuzzy Hash: 0a1e594e9e754e8685ad1dc684753132415e2c52170d52ccde59ee8d83d14ce8
Instruction Fuzzy Hash: 3A11E3B1500200AFEB21CF95DD85FAAFBB8EF44320F14D46AEE459B241D774A408DBB1

Uniqueness

Uniqueness Score: -1.00%

Function 057D15E7, Relevance: 1.6, APIs: 1, Instructions: 58COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 057D164C

Memory Dump Source

Source File: 00000000.00000002.260579426.00000000057D0000.00000040.00000001.sdmp, Offset: 057D0000, based on PE: false

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 5f60d66d0814c9c5e9748ef70db3c8937ed34da10a49a33799c0dd4afe458a64
Instruction ID: 0ba93e2634a625f397fcbce9a137f06d6b056575c8e9805d6032344407648d7b
Opcode Fuzzy Hash: 5f60d66d0814c9c5e9748ef70db3c8937ed34da10a49a33799c0dd4afe458a64
Instruction Fuzzy Hash: 731190764097809FDB228F25DC41A52FFB4EF06220F08C09EED858B562D265A559DB61

Uniqueness

Uniqueness Score: -1.00%

Function 057D1F1F, Relevance: 1.6, APIs: 1, Instructions: 56windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 057D1F89

Memory Dump Source

Source File: 00000000.00000002.260579426.00000000057D0000.00000040.00000001.sdmp, Offset: 057D0000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 2f0d3d26ec1011ee6131e49bfb35ee06d1db7060889d583dbf764d469f20513b
Instruction ID: 7870d8a297127076470f856f80aef695bdf6308e9d7841d14a640ed5b222a8df
Opcode Fuzzy Hash: 2f0d3d26ec1011ee6131e49bfb35ee06d1db7060889d583dbf764d469f20513b
Instruction Fuzzy Hash: 7811BE714093809FDB228F15DC45B52FFB4EF06224F08C09EED858B663C265A518DB61

Uniqueness

Uniqueness Score: -1.00%

Function 057D1540, Relevance: 1.6, APIs: 1, Instructions: 55threadinjectionCOMMON

Download Yara Rule

APIs

SetThreadContext.KERNELBASE(?,?), ref: 057D159F

Memory Dump Source

Source File: 00000000.00000002.260579426.00000000057D0000.00000040.00000001.sdmp, Offset: 057D0000, based on PE: false

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: 028fbb2f3eef3ec2ee3eb76352ba21bc4e8493e09213fedc6a99a20e5479f658
Instruction ID: efe552df3dbccc9f39986c3e0b47ac7cb7a31d221fc9cc1ab1d2fd2307191acf
Opcode Fuzzy Hash: 028fbb2f3eef3ec2ee3eb76352ba21bc4e8493e09213fedc6a99a20e5479f658
Instruction Fuzzy Hash: D5118F755093849FDB11CF15DC85A66FFF8EF06220F0980AAED468B262D278E958CB71

Uniqueness

Uniqueness Score: -1.00%

Function 057D177E, Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 057D17C6

Memory Dump Source

Source File: 00000000.00000002.260579426.00000000057D0000.00000040.00000001.sdmp, Offset: 057D0000, based on PE: false

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 0a5b0c59fb34a3a34a816d82a03fdc360fa1f3eb03d9c9b0c24beb56db9853b5
Instruction ID: 57cf182bd99fbe893dcac72215716c5c2322ebbb43169d5b8af4e8604f8a4720
Opcode Fuzzy Hash: 0a5b0c59fb34a3a34a816d82a03fdc360fa1f3eb03d9c9b0c24beb56db9853b5
Instruction Fuzzy Hash: 2F11ADB1A002008FEB60CF69D885B66FBE8EF04331F18C4AAEC49CB256D270E404DB71

Uniqueness

Uniqueness Score: -1.00%

Function 0112BF42, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

DrawTextExW.USER32(?,?,?,?,?), ref: 0112BF93

Memory Dump Source

Source File: 00000000.00000002.255504091.000000000112A000.00000040.00000001.sdmp, Offset: 0112A000, based on PE: false

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: 1b8416b5e1ce398050872fe2186f018804edb5397a3887c0674a1c82f2017174
Instruction ID: 21ff6dc12d1213a288d12de4f0baee2ceb70ef7f9ffc6c6f9540718088d4130d
Opcode Fuzzy Hash: 1b8416b5e1ce398050872fe2186f018804edb5397a3887c0674a1c82f2017174
Instruction Fuzzy Hash: 1A117C755042049FEB25CF69D885B66FFE8EF04210F08C4AAED498B652D372E464CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 057D086E, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E2C,2C167302,00000000,00000000,00000000,00000000), ref: 057D08C1

Memory Dump Source

Source File: 00000000.00000002.260579426.00000000057D0000.00000040.00000001.sdmp, Offset: 057D0000, based on PE: false

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 3953b1a7600f97695785a6b3f056b3eeac232747fcd269a4366092469c2c68a0
Instruction ID: 916b4168e39cf43b71341cd03c28b410bf01b27d9d8b09736deac8bbfe368cc4
Opcode Fuzzy Hash: 3953b1a7600f97695785a6b3f056b3eeac232747fcd269a4366092469c2c68a0
Instruction Fuzzy Hash: ED01D2B1904304AEE720DB19DC89F6AFFA8EF44720F18C0AAEE449B241D674A544DBB1

Uniqueness

Uniqueness Score: -1.00%

Function 0112AEF0, Relevance: 1.6, APIs: 1, Instructions: 50memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0112AF50

Memory Dump Source

Source File: 00000000.00000002.255504091.000000000112A000.00000040.00000001.sdmp, Offset: 0112A000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: de848d97748190e17e1c175b09881e628e42bcc86a59bde3b91b7d8de392024a
Instruction ID: fdb843a6f584a45f3643715aab8233b78b9c734bc686e73d9445b6caf3eb5942
Opcode Fuzzy Hash: de848d97748190e17e1c175b09881e628e42bcc86a59bde3b91b7d8de392024a
Instruction Fuzzy Hash: EA11BC72008380AFDB228F15DC45E56FFB4EF09220F08849AED854B662C379A418CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0112A42A, Relevance: 1.5, APIs: 1, Instructions: 48threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE(?), ref: 0112A480

Memory Dump Source

Source File: 00000000.00000002.255504091.000000000112A000.00000040.00000001.sdmp, Offset: 0112A000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 8c3a32e8b8a88b448e5d5a093bfba0fc8406e99cb751816b5a43c32e83a8aa72
Instruction ID: 4ecfbdb7d8a80e1dedb254b0d1b58da5a43695ec182a8e6446c89d6a2dc6ad89
Opcode Fuzzy Hash: 8c3a32e8b8a88b448e5d5a093bfba0fc8406e99cb751816b5a43c32e83a8aa72
Instruction Fuzzy Hash: F301AD71408384AFDB128B15DC84B62FFA8EF46224F08C0DAED844B253D275A918CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0112AAEC, Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32 ref: 0112AB46

Memory Dump Source

Source File: 00000000.00000002.255504091.000000000112A000.00000040.00000001.sdmp, Offset: 0112A000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: f772f78022af8a57bad1a17ec05e75bcef09c7be5b8adce20d9cd10941ec4c15
Instruction ID: 1457cd67b12ea1e6f26e142f1c3f16a1da711ae74e13a346c0b57e954baede57
Opcode Fuzzy Hash: f772f78022af8a57bad1a17ec05e75bcef09c7be5b8adce20d9cd10941ec4c15
Instruction Fuzzy Hash: E011AC324097849FD722CF15DC85A52FFB4EF06220F08C49AED854B262C375A818CB62

Uniqueness

Uniqueness Score: -1.00%

Function 057D16C2, Relevance: 1.5, APIs: 1, Instructions: 47injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 057D1708

Memory Dump Source

Source File: 00000000.00000002.260579426.00000000057D0000.00000040.00000001.sdmp, Offset: 057D0000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 5ea9c395e39788882eefb6af9db3d43e7a7169f9c181eceeac0e7138f1a5c31c
Instruction ID: 1f807e359415e55cb4244324b3654c1e9ecbdd45f1e068fda423d02305478465
Opcode Fuzzy Hash: 5ea9c395e39788882eefb6af9db3d43e7a7169f9c181eceeac0e7138f1a5c31c
Instruction Fuzzy Hash: 97016D755006009FDB21CF15D885B66FBF4EF04320F48C0AAED558B661D271E858DB71

Uniqueness

Uniqueness Score: -1.00%

Function 057D1412, Relevance: 1.5, APIs: 1, Instructions: 47fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(?), ref: 057D144C

Memory Dump Source

Source File: 00000000.00000002.260579426.00000000057D0000.00000040.00000001.sdmp, Offset: 057D0000, based on PE: false

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: bade5e2aaa4dd6044fcb0b2b027a22a94f5d8d58f755ca921f6622711c8595ab
Instruction ID: a38feb6686c6452ea61987728f1e9482c2b521cad35fc294ea84880b06dd5a97
Opcode Fuzzy Hash: bade5e2aaa4dd6044fcb0b2b027a22a94f5d8d58f755ca921f6622711c8595ab
Instruction Fuzzy Hash: EC017CB5A042458FDB10CF29E8857B6FBA8EF44220F58C0AADD49CF646D674E444CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 0112B45E, Relevance: 1.5, APIs: 1, Instructions: 46libraryCOMMON

Download Yara Rule

APIs

LoadLibraryShim.MSCOREE(?,?,?,?), ref: 0112B4A9

Memory Dump Source

Source File: 00000000.00000002.255504091.000000000112A000.00000040.00000001.sdmp, Offset: 0112A000, based on PE: false

Similarity

API ID: LibraryLoadShim
String ID:
API String ID: 1475914169-0
Opcode ID: fbe881c992da556aa1eb2460eff357527db1f7ca9136e166cf64bb426aea9ca2
Instruction ID: b5025f647854302124e1e041abc9036968b7d4b4f2012e303fcd31767f84ed5f
Opcode Fuzzy Hash: fbe881c992da556aa1eb2460eff357527db1f7ca9136e166cf64bb426aea9ca2
Instruction Fuzzy Hash: F6019E715042408FEB24CF19D885B22FFE8EF04720F08C09AED4A8B646E374E418CB76

Uniqueness

Uniqueness Score: -1.00%

Function 0112A622, Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0112A666

Memory Dump Source

Source File: 00000000.00000002.255504091.000000000112A000.00000040.00000001.sdmp, Offset: 0112A000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 36a5cfc3085531082fcd50b77589333b0711e494595031d1d61e8a56a2b075ac
Instruction ID: 9290ec94c73fc3d8164b44d15fa38b2d0a0b369cf8bcd4b9c071fc9839315820
Opcode Fuzzy Hash: 36a5cfc3085531082fcd50b77589333b0711e494595031d1d61e8a56a2b075ac
Instruction Fuzzy Hash: 020180718006009FDB22CF55E944B56FFE4EF48720F08C4AAED494BA52D375A428CF62

Uniqueness

Uniqueness Score: -1.00%

Function 057D1562, Relevance: 1.5, APIs: 1, Instructions: 44threadinjectionCOMMON

Download Yara Rule

APIs

SetThreadContext.KERNELBASE(?,?), ref: 057D159F

Memory Dump Source

Source File: 00000000.00000002.260579426.00000000057D0000.00000040.00000001.sdmp, Offset: 057D0000, based on PE: false

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: faddef382f606417e6fbb666aee44fcc567b8888fd0df49f83128f1434d8d9b1
Instruction ID: 1ce85f259ea16b1c46e4f4ab40b3e9595e33aceaa619085c41e3a16c1935c3d6
Opcode Fuzzy Hash: faddef382f606417e6fbb666aee44fcc567b8888fd0df49f83128f1434d8d9b1
Instruction Fuzzy Hash: EC0171756042448FDB10CF1AD885B65FBE8EF04360F48C0AADD478B652D278E454DB72

Uniqueness

Uniqueness Score: -1.00%

Function 0112A2F6, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

SetConsoleCtrlHandler.KERNELBASE(?,00000E2C,?,?), ref: 0112A346

Memory Dump Source

Source File: 00000000.00000002.255504091.000000000112A000.00000040.00000001.sdmp, Offset: 0112A000, based on PE: false

Similarity

API ID: ConsoleCtrlHandler
String ID:
API String ID: 1513847179-0
Opcode ID: 8004ca32e58f4090f5d53267711e9165906ef5db341593d7ecc7b3499b165c4c
Instruction ID: 728a7214a397e8258a7998707956949f70d6c44d87e79cc9a500912bfec58caf
Opcode Fuzzy Hash: 8004ca32e58f4090f5d53267711e9165906ef5db341593d7ecc7b3499b165c4c
Instruction Fuzzy Hash: C901A271500200ABD310DF1ADC86B26FBE8FF88B20F14815AED084B745E675F515CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 057D160E, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 057D164C

Memory Dump Source

Source File: 00000000.00000002.260579426.00000000057D0000.00000040.00000001.sdmp, Offset: 057D0000, based on PE: false

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 8ee707d3f88c2dfd50cf3bd94e44425757c47559b2c44cb7e33bfcf3b0ed16f6
Instruction ID: b8cffaaf416e66f454de9269b7924644aea6b9f822bb30ad343a84c7376bc006
Opcode Fuzzy Hash: 8ee707d3f88c2dfd50cf3bd94e44425757c47559b2c44cb7e33bfcf3b0ed16f6
Instruction Fuzzy Hash: 14019E715006009FDB218F15D885B66FFB5EF04320F08C0AAED454B661C672A458EF72

Uniqueness

Uniqueness Score: -1.00%

Function 057D1F4E, Relevance: 1.5, APIs: 1, Instructions: 42windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 057D1F89

Memory Dump Source

Source File: 00000000.00000002.260579426.00000000057D0000.00000040.00000001.sdmp, Offset: 057D0000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: ff20b0a4ddf2b505057fb5f3052406fbb1048de5364b08061ab39539275f6cf8
Instruction ID: 956ddb37cb66f5a43b0ac0980d7007e1c49a7c63769196597bd047ddfcba9168
Opcode Fuzzy Hash: ff20b0a4ddf2b505057fb5f3052406fbb1048de5364b08061ab39539275f6cf8
Instruction Fuzzy Hash: 5101BCB15012008FDB21CF15D885B6AFFA4EF04320F08C0AAED498B662C371E458DBB2

Uniqueness

Uniqueness Score: -1.00%

Function 0112AF12, Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0112AF50

Memory Dump Source

Source File: 00000000.00000002.255504091.000000000112A000.00000040.00000001.sdmp, Offset: 0112A000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 54825941bf78901fee657e5c9a40ea70b37bee43b3fcd0685d11aef935f12cd1
Instruction ID: 39ff99388c1d3ecd7384a5f76834f2ab0c581755e71cdf35b3b7e2929ae1e835
Opcode Fuzzy Hash: 54825941bf78901fee657e5c9a40ea70b37bee43b3fcd0685d11aef935f12cd1
Instruction Fuzzy Hash: AB018471400600DFDB258F55E845B55FFA0EF08320F08C49ADD494B652D375A468DFA2

Uniqueness

Uniqueness Score: -1.00%

Function 057D1BC6, Relevance: 1.5, APIs: 1, Instructions: 38windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 057D1C01

Memory Dump Source

Source File: 00000000.00000002.260579426.00000000057D0000.00000040.00000001.sdmp, Offset: 057D0000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: bff52990a2b7051c8cc38361cc22a8fc522ebd8a2ca7fa3ab5c8a01b65f09f1f
Instruction ID: 16cdda143f630c4098e8bcf7c41ebad44728c9ca64ada456da34e8afcc044797
Opcode Fuzzy Hash: bff52990a2b7051c8cc38361cc22a8fc522ebd8a2ca7fa3ab5c8a01b65f09f1f
Instruction Fuzzy Hash: 6101AD71400204DFDB21CF55D985B25FFB0EF48320F08C49AEE890B652D275A458DFB2

Uniqueness

Uniqueness Score: -1.00%

Function 0112AB0E, Relevance: 1.5, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32 ref: 0112AB46

Memory Dump Source

Source File: 00000000.00000002.255504091.000000000112A000.00000040.00000001.sdmp, Offset: 0112A000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: f6a7c94d1dedee52bcac16d6e27380c3883a85edb268fdef502574716589d5f4
Instruction ID: 5b600c1914cb5f748b9591441bd4c9f7902b6f88610a02d4934fe978a8a440d8
Opcode Fuzzy Hash: f6a7c94d1dedee52bcac16d6e27380c3883a85edb268fdef502574716589d5f4
Instruction Fuzzy Hash: DC01F431400604CFDB25CF09E885B11FFA0EF04720F08C49ADD8A0BA52C375A428CFB2

Uniqueness

Uniqueness Score: -1.00%

Function 0112A44E, Relevance: 1.5, APIs: 1, Instructions: 35threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE(?), ref: 0112A480

Memory Dump Source

Source File: 00000000.00000002.255504091.000000000112A000.00000040.00000001.sdmp, Offset: 0112A000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 04e958bf7a3fe2d6096227d7e78f50eecf8a06c5b5555b1e0566efec0d465b3d
Instruction ID: 10c8cf0d6d915bd0643d145aff7033619da423c2fc37dd249e86384cba580fbe
Opcode Fuzzy Hash: 04e958bf7a3fe2d6096227d7e78f50eecf8a06c5b5555b1e0566efec0d465b3d
Instruction Fuzzy Hash: 04F0FF748002808FDB14CF09EC89721FFA4EF44320F08C0AADD480B646D378E418CEA2

Uniqueness

Uniqueness Score: -1.00%

Function 02ED1829, Relevance: 1.4, Strings: 1, Instructions: 114COMMON

Download Yara Rule

Strings

X1(r, xrefs: 02ED193B

Memory Dump Source

Source File: 00000000.00000002.256275734.0000000002ED0000.00000040.00000001.sdmp, Offset: 02ED0000, based on PE: false

Similarity

API ID:
String ID: X1(r
API String ID: 0-3909273932
Opcode ID: f36fbe102f3c848d289c6e878b892304e425f39bc9ebe3c4b3d7a33616cc1e5f
Instruction ID: 1f6c4222f981cc34cab2a08ba8ee1e87d9ffac1e06dfa1e27fa4c53fa244014a
Opcode Fuzzy Hash: f36fbe102f3c848d289c6e878b892304e425f39bc9ebe3c4b3d7a33616cc1e5f
Instruction Fuzzy Hash: C24111B8E85208CFCB08DFA9D5446ADBBF2BF49300F14916AE819EB394D7345982CF54

Uniqueness

Uniqueness Score: -1.00%

Function 02ED1838, Relevance: 1.4, Strings: 1, Instructions: 110COMMON

Download Yara Rule

Strings

X1(r, xrefs: 02ED193B

Memory Dump Source

Source File: 00000000.00000002.256275734.0000000002ED0000.00000040.00000001.sdmp, Offset: 02ED0000, based on PE: false

Similarity

API ID:
String ID: X1(r
API String ID: 0-3909273932
Opcode ID: 27cda1c41d5f61fc0518dbe0b82a59b4c4f9041afd74865adee07e4d85d8b893
Instruction ID: e37f96212ea750d38a116fe229120b43b8e25e95d3eb25ae42e7a870103ab9b5
Opcode Fuzzy Hash: 27cda1c41d5f61fc0518dbe0b82a59b4c4f9041afd74865adee07e4d85d8b893
Instruction Fuzzy Hash: BE41AFB8E85208DFCB18DFA9D544AADBBB2BB48300F10912AE419A7394DB355982CF54

Uniqueness

Uniqueness Score: -1.00%

Function 02ED25A8, Relevance: 1.3, Strings: 1, Instructions: 55COMMON

Download Yara Rule

Strings

q, xrefs: 02ED2603

Memory Dump Source

Source File: 00000000.00000002.256275734.0000000002ED0000.00000040.00000001.sdmp, Offset: 02ED0000, based on PE: false

Similarity

API ID:
String ID: q
API String ID: 0-4110462503
Opcode ID: 3393a1b575364cbad34a17bd2b639c7ac28f84072f363b4b7b036b21d4f90265
Instruction ID: f749f0ab9dd5ce5a57e829b65896fbf8282d29305315dd86cca2ca1581569db5
Opcode Fuzzy Hash: 3393a1b575364cbad34a17bd2b639c7ac28f84072f363b4b7b036b21d4f90265
Instruction Fuzzy Hash: 8F116674D4930DCBCB08CFA9C4146EDBBB9EF88304F10E069DA26A7249D7740A42CF51

Uniqueness

Uniqueness Score: -1.00%

Function 02ED25B0, Relevance: 1.3, Strings: 1, Instructions: 50COMMON

Download Yara Rule

Strings

q, xrefs: 02ED2603

Memory Dump Source

Source File: 00000000.00000002.256275734.0000000002ED0000.00000040.00000001.sdmp, Offset: 02ED0000, based on PE: false

Similarity

API ID:
String ID: q
API String ID: 0-4110462503
Opcode ID: 041c59cbb6da359e695f1b7e05fe9849fd7b009c0d2e01ca062f0f6725bfbade
Instruction ID: c69c60dc4c6c892f297ba92a1ba7efdd6c1e97b4d8d92a92b81493044424c308
Opcode Fuzzy Hash: 041c59cbb6da359e695f1b7e05fe9849fd7b009c0d2e01ca062f0f6725bfbade
Instruction Fuzzy Hash: 0C1157B4D4930DCBCB04CFA9C5146EEBBB9EF48304F10E069DA25A7249D7740A42CF11

Uniqueness

Uniqueness Score: -1.00%

Function 02EDBD1A, Relevance: 1.3, Strings: 1, Instructions: 38COMMON

Download Yara Rule

Strings

w, xrefs: 02EDBC5A

Memory Dump Source

Source File: 00000000.00000002.256275734.0000000002ED0000.00000040.00000001.sdmp, Offset: 02ED0000, based on PE: false

Similarity

API ID:
String ID: w
API String ID: 0-476252946
Opcode ID: efd37a08c2be6069d13027bb1fe0f5fac8ba76597f4451a78019a07d668385f2
Instruction ID: 13179ffdf7d477e493a578f28b7c1e77fa3781b84fe01ae72437f91604c9fbd5
Opcode Fuzzy Hash: efd37a08c2be6069d13027bb1fe0f5fac8ba76597f4451a78019a07d668385f2
Instruction Fuzzy Hash: ED01EC74C89248CFCB14DFA9D4585EDBFF4BF49304F11646AE41AAB261DB741906CF11

Uniqueness

Uniqueness Score: -1.00%

Function 02EDB1A6, Relevance: 1.3, Strings: 1, Instructions: 13COMMON

Download Yara Rule

Strings

l, xrefs: 02EDB0BB

Memory Dump Source

Source File: 00000000.00000002.256275734.0000000002ED0000.00000040.00000001.sdmp, Offset: 02ED0000, based on PE: false

Similarity

API ID:
String ID: l
API String ID: 0-2517025534
Opcode ID: 69dd00552ceaae5fda247de908102672881e5179e8b28fb522d0102520972234
Instruction ID: 124b74e2129bc5aac2f1ae6d791168ebd6dda4a51f57627c0f131745f99417c2
Opcode Fuzzy Hash: 69dd00552ceaae5fda247de908102672881e5179e8b28fb522d0102520972234
Instruction Fuzzy Hash: 47D0C97098E208DBCB00CF94C1822FEBA78FB09308F91B04C811667241E2B44682EB84

Uniqueness

Uniqueness Score: -1.00%

Function 02ED465D, Relevance: .3, Instructions: 290COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.256275734.0000000002ED0000.00000040.00000001.sdmp, Offset: 02ED0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56365fb2c4b7a3bc20a56ff3b26cce6d6165589cc19ea97a7b0d08eb47e74a02
Instruction ID: c776aaafc8b63e17c194b34cd7b520da5a3bdfaf4324911b3c93433ab264b4f1
Opcode Fuzzy Hash: 56365fb2c4b7a3bc20a56ff3b26cce6d6165589cc19ea97a7b0d08eb47e74a02
Instruction Fuzzy Hash: 29D14770941205CFDB04CF98D188A9DFBB1FF06318F95E194D954AB352C3B8998ACFA5

Uniqueness

Uniqueness Score: -1.00%

Function 02ED460B, Relevance: .3, Instructions: 278COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.256275734.0000000002ED0000.00000040.00000001.sdmp, Offset: 02ED0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97136f6768266a620ff62a0ead4806ae7cbb352a08a11eb84d33992ef37d4fa2
Instruction ID: cf8c797af4187b60ee9dd2bd50953a90204e33f2e8a3020fa0720a5cad7e4da2
Opcode Fuzzy Hash: 97136f6768266a620ff62a0ead4806ae7cbb352a08a11eb84d33992ef37d4fa2
Instruction Fuzzy Hash: A1C13670941205CFDB04CF98D188A9DFBB2FB05319F95E194D944AB392C3B8D98ACFA5

Uniqueness

Uniqueness Score: -1.00%

Function 02ED1B90, Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.256275734.0000000002ED0000.00000040.00000001.sdmp, Offset: 02ED0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7dd959dd499113e99974cad8905ad52712f5dabb5c5ea9e32570812000f8ab5
Instruction ID: e946d4193d8eb8ac99b861ca5bbb80c27e7336d7bb3bf4955a17abc8c0da97ee
Opcode Fuzzy Hash: a7dd959dd499113e99974cad8905ad52712f5dabb5c5ea9e32570812000f8ab5
Instruction Fuzzy Hash: 7DA14570D45228CFDB24CFA9C884BEDBBB2BF4A304F1491A9D409BB251C7705A86CF51

Uniqueness

Uniqueness Score: -1.00%

Function 02ED57DE, Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.256275734.0000000002ED0000.00000040.00000001.sdmp, Offset: 02ED0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b77f4c8493b2d54848bf147c3c98d3cb9a9141bacd1214514d83d4ca7e1bcc77
Instruction ID: 0fc594d49cfc1a8d368a838b9e5ac721b50dfbec53684913a4ae0af435bb7ce2
Opcode Fuzzy Hash: b77f4c8493b2d54848bf147c3c98d3cb9a9141bacd1214514d83d4ca7e1bcc77
Instruction Fuzzy Hash: 4791D174D85209CFCB10CF98C580AEDBBF6FB49314FA4A015E819BB245D770A98ACF50

Uniqueness

Uniqueness Score: -1.00%

Function 02ED5B1C, Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.256275734.0000000002ED0000.00000040.00000001.sdmp, Offset: 02ED0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0cdb1a26dbb82d3a92116343a0a63d7658a2205b60976bd7ad0db12a1fd0b27
Instruction ID: 0ea8bdb76a0645ce6830d651bebd0973dbdb3bf49de56c84bf77380c4cb6d798
Opcode Fuzzy Hash: d0cdb1a26dbb82d3a92116343a0a63d7658a2205b60976bd7ad0db12a1fd0b27
Instruction Fuzzy Hash: BB810278D45208DFCB04DFA8D084AEDBBB5FB0A314F90E556E819AB351C334A986CF50

Uniqueness

Uniqueness Score: -1.00%

Function 02ED5AF0, Relevance: .2, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.256275734.0000000002ED0000.00000040.00000001.sdmp, Offset: 02ED0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13cd3ba6dafd4702784847153f2f4da4f6fb4652db38e030496a0a8db5212039
Instruction ID: 2326ad4906cdc4fd7ff01f08f295078ed5fae065d3426e025d35326e6e35a120
Opcode Fuzzy Hash: 13cd3ba6dafd4702784847153f2f4da4f6fb4652db38e030496a0a8db5212039
Instruction Fuzzy Hash: E561B378949308CFCF04DFA9D4949EDBBB5FB4A310F90A56AE919AB351C7309982CF50

Uniqueness

Uniqueness Score: -1.00%

Function 02ED3E27, Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.256275734.0000000002ED0000.00000040.00000001.sdmp, Offset: 02ED0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dca73ecd07aaee0667ab7bf6f5a07d5f9df855bc501038c8699ab239e1b81130
Instruction ID: 336a7e1757b2c271b9582c8801a357160e99e02aaf8c8b17f50a54c7bade3550
Opcode Fuzzy Hash: dca73ecd07aaee0667ab7bf6f5a07d5f9df855bc501038c8699ab239e1b81130
Instruction Fuzzy Hash: 81512874D8920CDFCB14CFAAD4447EDBBF6AB49304F10E1A6E815A3291D7744A86CF52

Uniqueness

Uniqueness Score: -1.00%

Function 02ED5B49, Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.256275734.0000000002ED0000.00000040.00000001.sdmp, Offset: 02ED0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84cb2b3b1fc0ea3d80f7b87384aa9ec0086d0d5eb2ef4ce6a7aa1488e40b29af
Instruction ID: 30366890f7d2189b0d58dc25ec5b0a4208634268c7043a5d619256d6cbb30697
Opcode Fuzzy Hash: 84cb2b3b1fc0ea3d80f7b87384aa9ec0086d0d5eb2ef4ce6a7aa1488e40b29af
Instruction Fuzzy Hash: B351B1B8949308CFCF04DFA9D4949EDBBB6FB4A310F50A55AE919AB351C7309982CF50

Uniqueness

Uniqueness Score: -1.00%

Function 02ED43E8, Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.256275734.0000000002ED0000.00000040.00000001.sdmp, Offset: 02ED0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcc3f71c7454291254ee908ef7fb287606c3837f98db5f58cb6a1dac92361b61
Instruction ID: f22e0eca417cf2218f537eb0932b9fde13c8922d9103ef8ba91be8e565e02fe5
Opcode Fuzzy Hash: fcc3f71c7454291254ee908ef7fb287606c3837f98db5f58cb6a1dac92361b61
Instruction Fuzzy Hash: FA518F74E46209DFCB08CF99E58499DBBF2BF98314B2591A9E814AB355D330EE41CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02ED5511, Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.256275734.0000000002ED0000.00000040.00000001.sdmp, Offset: 02ED0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 117c6d0259a71eff9ba88abd07b4f3ea93f1210b16e01e7c2f672bd22287a7a7
Instruction ID: 91eb121cb9eae43937917ae0f793101527b02f306a23852218c73a87d8156ee3
Opcode Fuzzy Hash: 117c6d0259a71eff9ba88abd07b4f3ea93f1210b16e01e7c2f672bd22287a7a7
Instruction Fuzzy Hash: 76410278D86209DFCB00CF98D580AEDFBBAFB49304F91E551E826AB211D730A946CB50

Uniqueness

Uniqueness Score: -1.00%

Function 02ED23D8, Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.256275734.0000000002ED0000.00000040.00000001.sdmp, Offset: 02ED0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2bccaeed00841fd6312a6cae9b084ab79c3f6ed6ede2473d2c1a782d72048b5
Instruction ID: 56a866bd5e5d695479fccdf9a51a5e7c809f34408d7c5e5866dd845788abea88
Opcode Fuzzy Hash: b2bccaeed00841fd6312a6cae9b084ab79c3f6ed6ede2473d2c1a782d72048b5
Instruction Fuzzy Hash: AD412474E40208CFDB18CFA9D894AEEBBF2BF89304F209029E905BB355DB305946CB41

Uniqueness

Uniqueness Score: -1.00%

Function 02ED6CF8, Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.256275734.0000000002ED0000.00000040.00000001.sdmp, Offset: 02ED0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 930f6c2760ffd8cca7ebca4d110124104172fdf4a00ea6c2ced24a3ab7df476e
Instruction ID: ebc1f612602b728f4096860f820faa0f49bf0c7b31297fc4ee1ef8216456ff92
Opcode Fuzzy Hash: 930f6c2760ffd8cca7ebca4d110124104172fdf4a00ea6c2ced24a3ab7df476e
Instruction Fuzzy Hash: 2B41E874D04208DFCB15DFB9E580AEDBBB2FF89304F208069D815A7365DB359942CB54

Uniqueness

Uniqueness Score: -1.00%

Function 02ED3E74, Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.256275734.0000000002ED0000.00000040.00000001.sdmp, Offset: 02ED0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13961e144e86c6b861b064acbd04be5d6a1cf63b3ed6fa4b3acc0149824ff0a8
Instruction ID: 078ae09daf2ab6ba895ac0b3c430af2379cd68597286f00bd298ab0dd62487ef
Opcode Fuzzy Hash: 13961e144e86c6b861b064acbd04be5d6a1cf63b3ed6fa4b3acc0149824ff0a8
Instruction Fuzzy Hash: E0410674D8924CDFCB11CFAAD584BDCBBB6AF09304F18A0DAE405A7292D7745986CF12

Uniqueness

Uniqueness Score: -1.00%

Function 02ED22D8, Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.256275734.0000000002ED0000.00000040.00000001.sdmp, Offset: 02ED0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c06b218ea3e185cfb94a5ed52923380eab2101201fa038340d7e17af867703f
Instruction ID: d0a8b3653bf7d17184afc370458a5346110e7412eb1ec0cd297c0265d004fca7
Opcode Fuzzy Hash: 6c06b218ea3e185cfb94a5ed52923380eab2101201fa038340d7e17af867703f
Instruction Fuzzy Hash: 6A314930F043A68FCB19DBBD881065DBFB5AF86604F2491AAE541EB296DF704D06C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 02ED53A0, Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.256275734.0000000002ED0000.00000040.00000001.sdmp, Offset: 02ED0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1186187b97a16a1b76e6c3933616b8faaae8924c4a1bb467dea3a9442cc672d1
Instruction ID: 2c1ef4a2e819f86f607b4895109ebad90e682ab78782c1e4f719b815dcc60b3b
Opcode Fuzzy Hash: 1186187b97a16a1b76e6c3933616b8faaae8924c4a1bb467dea3a9442cc672d1
Instruction Fuzzy Hash: AB3182305882A6DBCF45DB7884E51E9BFF1EF62220B9842A9C9D197D12CB3D9943C741

Uniqueness

Uniqueness Score: -1.00%

Function 02ED2BC5, Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.256275734.0000000002ED0000.00000040.00000001.sdmp, Offset: 02ED0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b82d8b8bb55bacefde9ec0e0c6ac9949ced4991d2b63727b2398a78f86d88850
Instruction ID: b93a1c2582a40f49b2f82089a16050211c708c405c266500c49c49fe716adc52
Opcode Fuzzy Hash: b82d8b8bb55bacefde9ec0e0c6ac9949ced4991d2b63727b2398a78f86d88850
Instruction Fuzzy Hash: DF31D270E44299DFCB09DFB8C8945ADBFF2EF8A304B1485AAD490D7356CB395802CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02ED0006, Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.256275734.0000000002ED0000.00000040.00000001.sdmp, Offset: 02ED0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce3f033c715c651512f9acb634e80efd0147ebe1f45ecbb7b835b7d993873e74
Instruction ID: 8b9ba1bbb7c8e9880b969b11f9ec91121e2f8b1cab2993b52e4ea5ddcad382ba
Opcode Fuzzy Hash: ce3f033c715c651512f9acb634e80efd0147ebe1f45ecbb7b835b7d993873e74
Instruction Fuzzy Hash: 7021466044F3C06FC70793B448761A97FB49E4722470E49DBD4C0CF5A3CA1D581AD722

Uniqueness

Uniqueness Score: -1.00%

Function 02ED5EB0, Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.256275734.0000000002ED0000.00000040.00000001.sdmp, Offset: 02ED0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68afe17c80f675caf85393e282ad2128b2b8619fa17935c4fdaaa300f58c706a
Instruction ID: c3062989bacfb35e3afab48bd8ad9d0fa6da43b44abca2ee13a66fd9eb4685fa
Opcode Fuzzy Hash: 68afe17c80f675caf85393e282ad2128b2b8619fa17935c4fdaaa300f58c706a
Instruction Fuzzy Hash: 89211970D89209CFDB14CFAAC084AFEB7B5FB09304F94F459D815AB240D3749982CB50

Uniqueness

Uniqueness Score: -1.00%

Function 02ED1548, Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.256275734.0000000002ED0000.00000040.00000001.sdmp, Offset: 02ED0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96e349ba58e05b9e3a4dfbef54bb5ff4e2fcb859d8b66be7bc5d3e2b7123084e
Instruction ID: adf8743eab8394cb7e49e109a65bf4498bbe6e6952363ccaf655490630b5c30c
Opcode Fuzzy Hash: 96e349ba58e05b9e3a4dfbef54bb5ff4e2fcb859d8b66be7bc5d3e2b7123084e
Instruction Fuzzy Hash: 9231B0B4D01209DFCB04DFA9C5849ADBBF2FF89304F2481AAD804AB355D7359A41CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02ED1558, Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.256275734.0000000002ED0000.00000040.00000001.sdmp, Offset: 02ED0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8a57bf502627e4756fdba37d3be99077efcf6f4e6a69bf4c7cb2cfd9949ddb6
Instruction ID: c4c286503e92e93470f93e36744b14d0fcbccad906d7dd1514ded9a42d3b69a1
Opcode Fuzzy Hash: d8a57bf502627e4756fdba37d3be99077efcf6f4e6a69bf4c7cb2cfd9949ddb6
Instruction Fuzzy Hash: C1317FB4E01209DFCB08DFA9C5849ADBBF2FF89304F2481AAD815A7354D735AA41CF94

Uniqueness

Uniqueness Score: -1.00%

Function 02EDBA7D, Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.256275734.0000000002ED0000.00000040.00000001.sdmp, Offset: 02ED0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61adffb57fd0e1b8f4b58143349c535d0566c1385de422f4a3cd7b9794298227
Instruction ID: afe62e44c53c19df93caf91aed9ab6544a46938a2b05e180a79d6c36e5efa15b
Opcode Fuzzy Hash: 61adffb57fd0e1b8f4b58143349c535d0566c1385de422f4a3cd7b9794298227
Instruction Fuzzy Hash: BB219F74D45258CFCB40DFA8E4945EDBBB5FF5A300F20A46A980ABB359EA315846CF80

Uniqueness

Uniqueness Score: -1.00%

Function 012D075C, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.255721247.00000000012D0000.00000040.00000040.sdmp, Offset: 012D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 349aa368f0e118ebd6d127610196aedd13fdcd37d275f3cf36d60adcc2f4cab2
Instruction ID: 6fa5ab2460bde32ea8923ea4da9a8671fd2a04363b3d3b4b7de88f0c594f05ca
Opcode Fuzzy Hash: 349aa368f0e118ebd6d127610196aedd13fdcd37d275f3cf36d60adcc2f4cab2
Instruction Fuzzy Hash: 7D11E434214245DFE709CB28C980B26BB95EB88708F24C59CFA495F663C77BD803CE55

Uniqueness

Uniqueness Score: -1.00%

Function 02ED1A48, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.256275734.0000000002ED0000.00000040.00000001.sdmp, Offset: 02ED0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96956d14c2e9b0e7ab7b84de0ccfe29d618c31718026af351c8ed33039a2a116
Instruction ID: 23e6f9d69be532b776e1953b97ab1af46eaf15a85e46c167e7452f51088e67a5
Opcode Fuzzy Hash: 96956d14c2e9b0e7ab7b84de0ccfe29d618c31718026af351c8ed33039a2a116
Instruction Fuzzy Hash: C8214D74E48259CFCF05DFA5D8445EEBBB1BB49300F1091AAD419AB355D7344942CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 012D0724, Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.255721247.00000000012D0000.00000040.00000040.sdmp, Offset: 012D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36e26a67073c6ae399d9ab744c37e9b05ecf6e675c1a7902e24394bb277f053d
Instruction ID: e066e6cdf5cae9d4e04cd77688b55445f43feff33ea47080f30e292c8b48f800
Opcode Fuzzy Hash: 36e26a67073c6ae399d9ab744c37e9b05ecf6e675c1a7902e24394bb277f053d
Instruction Fuzzy Hash: 3B216F355093C58FD707CB20C954B55BFB1AB46304F2986EEE5858F663D23A8807CB51

Uniqueness

Uniqueness Score: -1.00%

Function 02ED1A32, Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.256275734.0000000002ED0000.00000040.00000001.sdmp, Offset: 02ED0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dececf9a8f35912b8b5609d397cade769d9bee042824f3205a757d7a696b2d95
Instruction ID: 676a3207d0d4ae782a92c2cce245fe5ecd515673e3632612a7e01368eb6fcbce
Opcode Fuzzy Hash: dececf9a8f35912b8b5609d397cade769d9bee042824f3205a757d7a696b2d95
Instruction Fuzzy Hash: B8111974E48259CFCF04CFA9D8509EEBBB2BB89300B109265D81977354DB345A02CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 02ED3CC8, Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.256275734.0000000002ED0000.00000040.00000001.sdmp, Offset: 02ED0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71cd9e6889c3898273a20ae3979d1a2fe2583c80b48a54a96c36269c6757a7e8
Instruction ID: c6bcdcbab84f6f7720af04fc895c3e2088fbdc89ad740a6bbd01a82fbb1d096c
Opcode Fuzzy Hash: 71cd9e6889c3898273a20ae3979d1a2fe2583c80b48a54a96c36269c6757a7e8
Instruction Fuzzy Hash: F1118E74905209DFCB04DFA8D445AAEBFB1FF45314F108299D9546B396CB309A82CF96

Uniqueness

Uniqueness Score: -1.00%

Function 02ED2BF8, Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.256275734.0000000002ED0000.00000040.00000001.sdmp, Offset: 02ED0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 083eb2be0df0b70d6c5db1bb1e62ae1f8e7194760322e6c0521b6a87a2f50d59
Instruction ID: 0ba3be55fb99ec0459b1529caf96a95a397ebe586e93892515664e0bc7cade3d
Opcode Fuzzy Hash: 083eb2be0df0b70d6c5db1bb1e62ae1f8e7194760322e6c0521b6a87a2f50d59
Instruction Fuzzy Hash: 34212974E00219DFCB48DFA8D5849AEBBB6FF89304F208469D815A7358DB746E41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 012D05D0, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.255721247.00000000012D0000.00000040.00000040.sdmp, Offset: 012D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df00ef22ebf7523e94616dc50433788aed4b2f7c16fe29e72a77fa348922cf54
Instruction ID: 3ac30e0ec509ba42bd3ea732d552ac68ff18d21ac69ed5a7b6a790aaf9e6c6d7
Opcode Fuzzy Hash: df00ef22ebf7523e94616dc50433788aed4b2f7c16fe29e72a77fa348922cf54
Instruction Fuzzy Hash: 5601D6755487805FC312CF16EC41893FFE8EF86230709C4AFEC498B612D229B919CB61

Uniqueness

Uniqueness Score: -1.00%

Function 02ED3D78, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.256275734.0000000002ED0000.00000040.00000001.sdmp, Offset: 02ED0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fedd37d5621bb8cf9b001754321e975be0d109c11b4b0ffa1c89ccec468fff9c
Instruction ID: 9008e9a09ca1c9640a43d00a57e800531abbaba86d6a286d2f5ac4a8e30b62c7
Opcode Fuzzy Hash: fedd37d5621bb8cf9b001754321e975be0d109c11b4b0ffa1c89ccec468fff9c
Instruction Fuzzy Hash: 91018B749093499FCB45DFA8C84059DBFB1FF46304F2482DAD804AB366D7309E45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02ED5418, Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.256275734.0000000002ED0000.00000040.00000001.sdmp, Offset: 02ED0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4099629c53ca05d49e3f0d5028455c0c6acd848623fc11860e4cbf4c444a4cc1
Instruction ID: 980372039f17892dfa83abb13414a8f2f7afeb375386254eb3bc2f440075b7ce
Opcode Fuzzy Hash: 4099629c53ca05d49e3f0d5028455c0c6acd848623fc11860e4cbf4c444a4cc1
Instruction Fuzzy Hash: BF01E874D0020EDFCB44EFA8D544A9DFBB2FF84304F2086A9EA15A7354DB706A42DB91

Uniqueness

Uniqueness Score: -1.00%

Function 012D0818, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.255721247.00000000012D0000.00000040.00000040.sdmp, Offset: 012D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 693b7c54016a59cdbfed5bf97d611671327a7796b2b33607a59a4987e9e37b45
Instruction ID: add3df9f80f1d7d9317ee3856fe1ad7346327e82fd9142d22a62bd607db58634
Opcode Fuzzy Hash: 693b7c54016a59cdbfed5bf97d611671327a7796b2b33607a59a4987e9e37b45
Instruction Fuzzy Hash: BFF01935208645DFC706CF44D980B26FBA6EB89718F24C6ADE9490B762C337E813DE85

Uniqueness

Uniqueness Score: -1.00%

Function 012D05F6, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.255721247.00000000012D0000.00000040.00000040.sdmp, Offset: 012D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c632f688cd6f28a01c4cb23364e4162d14a103ed71f33b97a7b5a852a790fee
Instruction ID: e45b70886f5ca35b2196358814d49cc49c2473f6e54822a5b071e0a12d599a7b
Opcode Fuzzy Hash: 0c632f688cd6f28a01c4cb23364e4162d14a103ed71f33b97a7b5a852a790fee
Instruction Fuzzy Hash: 33E092B66006004BD650CF0AEC82452F7D8EB84730718C47FDC0D8B701D135B505CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 02ED3D88, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.256275734.0000000002ED0000.00000040.00000001.sdmp, Offset: 02ED0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64ff14ef09c739998c5657cf3b45a23ba1df29c73806f566364800d1b07e1de4
Instruction ID: 17f82f2e72c95bbe49e4470de177f723bca5d0da02fbfd49f3b1d52931ab2144
Opcode Fuzzy Hash: 64ff14ef09c739998c5657cf3b45a23ba1df29c73806f566364800d1b07e1de4
Instruction Fuzzy Hash: 24F0B774D0421DDBCB44DF99D54099DFBB5FB84304F208699981467315D770AA819B91

Uniqueness

Uniqueness Score: -1.00%

Function 02ED1645, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.256275734.0000000002ED0000.00000040.00000001.sdmp, Offset: 02ED0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 432faf57aade57bd7807d7547fa6c1b2532094ee1c4309c82dbc4d4fe92cba4b
Instruction ID: 8810ba61a236a40115948c529b2da69901698fedc331497df9e4ffda688afe2f
Opcode Fuzzy Hash: 432faf57aade57bd7807d7547fa6c1b2532094ee1c4309c82dbc4d4fe92cba4b
Instruction Fuzzy Hash: 35F01C78D04208EFCB04DFA8E1499ACBBB5EB48305F2091A5EC1597314D7355E55DF51

Uniqueness

Uniqueness Score: -1.00%

Function 02ED00B8, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.256275734.0000000002ED0000.00000040.00000001.sdmp, Offset: 02ED0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08bd32e0e321283df7015201598b9f5650250aaa644079f3be1f9a4e412f8f0b
Instruction ID: 44d2962676fb024a0d496a09a6cf2f92bea68d502dbeea690fa1432b7e4856ff
Opcode Fuzzy Hash: 08bd32e0e321283df7015201598b9f5650250aaa644079f3be1f9a4e412f8f0b
Instruction Fuzzy Hash: 3BE06D70909308DFC709DFA9C941A99BBB5DF46304F5450EAD404B7255DB706A00CB65

Uniqueness

Uniqueness Score: -1.00%

Function 02ED1509, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.256275734.0000000002ED0000.00000040.00000001.sdmp, Offset: 02ED0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c525ea2d14a0ad150576422621359430d396efd783c788f2de807f217e29ff69
Instruction ID: b88f577d2dd7a0107203301e03e1c7a0ed424efb51a021abf3085aa12a744053
Opcode Fuzzy Hash: c525ea2d14a0ad150576422621359430d396efd783c788f2de807f217e29ff69
Instruction Fuzzy Hash: BBE0D87084E348CFC31ADBB49C555A97F705B03304F5440EFD845AB256D6746884C7A7

Uniqueness

Uniqueness Score: -1.00%

Function 02EDB8A5, Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.256275734.0000000002ED0000.00000040.00000001.sdmp, Offset: 02ED0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e51b736556641c75c5ee99d77d0b1b12913d6a1b90b5f7ee1f87c1f96c3ca5b
Instruction ID: 63a9088685b114d704fec54feba871312a190314c6cb58b3a742f44c6de7a746
Opcode Fuzzy Hash: 4e51b736556641c75c5ee99d77d0b1b12913d6a1b90b5f7ee1f87c1f96c3ca5b
Instruction Fuzzy Hash: 56E0DF3098420CDBC704EFB0E449AACBB74EB4630DF1051A8D81123398EBB269C1CB54

Uniqueness

Uniqueness Score: -1.00%

Function 02ED0070, Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.256275734.0000000002ED0000.00000040.00000001.sdmp, Offset: 02ED0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 017bfec33d6431e0546c86b2b871be80f1a9dc5ea305463d3031039d5982e45a
Instruction ID: e58f25a0cbdf62b7a1bbde69ef62d95d9e944fd62b13c477c8fc33f090929b6b
Opcode Fuzzy Hash: 017bfec33d6431e0546c86b2b871be80f1a9dc5ea305463d3031039d5982e45a
Instruction Fuzzy Hash: 2DE08C70983108AEC70CFBB4E61666EB7B9DB82218F10686CB00173240CE716E1086A6

Uniqueness

Uniqueness Score: -1.00%

Function 02ED2398, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.256275734.0000000002ED0000.00000040.00000001.sdmp, Offset: 02ED0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f8464e7d3b7a3b1ae9fee0e43d4bcc92e1ebe01a2071e8eb75193ced88f6b97
Instruction ID: c072f5d6cfa16e7799cc49e54bdce42b58ea0b456d7b04d98ed52792f4e9774a
Opcode Fuzzy Hash: 2f8464e7d3b7a3b1ae9fee0e43d4bcc92e1ebe01a2071e8eb75193ced88f6b97
Instruction Fuzzy Hash: 8BE09230C492889FC715DB74D40655C7F70EB06204F0051EAD84493297E3310945C751

Uniqueness

Uniqueness Score: -1.00%

Function 02EDB946, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.256275734.0000000002ED0000.00000040.00000001.sdmp, Offset: 02ED0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd883e97103ce6a7d6b914324e020062fedb6d5105fc1c1ca286aa4d5970db0e
Instruction ID: f5b7acf4303440ca598ccb944c7e8a912018d3434d996c9c38b7a6090c197f70
Opcode Fuzzy Hash: bd883e97103ce6a7d6b914324e020062fedb6d5105fc1c1ca286aa4d5970db0e
Instruction Fuzzy Hash: 87E0EC74D9824ECB8F10CFA594414FFBBF4AB5E318B01B669D41AB7200E73040428B85

Uniqueness

Uniqueness Score: -1.00%

Function 02EDB8A8, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.256275734.0000000002ED0000.00000040.00000001.sdmp, Offset: 02ED0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7717c649fe5db0d73ef2b67212c0ab24a42675e95fb942c4e21605b1f04b7a22
Instruction ID: c8dfb1579e964f258301f8945c454968f6fc6bf0772b18799c6c3430f979d793
Opcode Fuzzy Hash: 7717c649fe5db0d73ef2b67212c0ab24a42675e95fb942c4e21605b1f04b7a22
Instruction Fuzzy Hash: 35E0D630A8420CDBC708EFA0E408AACBB34EB86309F1051A8D81123388EBB129C1CB58

Uniqueness

Uniqueness Score: -1.00%

Function 02ED00C8, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.256275734.0000000002ED0000.00000040.00000001.sdmp, Offset: 02ED0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6654fed79efd5045311a35a4668d198697bd53ecccb633be73f3f1c7492e89d5
Instruction ID: b545fcc8b009c6c4ba6387f086e485339d3c9aff159933fcbdb1c3811d3d5db5
Opcode Fuzzy Hash: 6654fed79efd5045311a35a4668d198697bd53ecccb633be73f3f1c7492e89d5
Instruction Fuzzy Hash: DAE0EC70D41208EBC708EFA9DA45BAEF7B5DF86304F54A0B9D40873254DB716E10DBA5

Uniqueness

Uniqueness Score: -1.00%

Function 02ED1518, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.256275734.0000000002ED0000.00000040.00000001.sdmp, Offset: 02ED0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c6b5d06594d9bab32d4ee314c6ce8be089468c1b8545d8d42557a8034568592
Instruction ID: e80c049b64b293f0fd29324887302604e4b3b41e83c830f597a864ef1cbefbac
Opcode Fuzzy Hash: 9c6b5d06594d9bab32d4ee314c6ce8be089468c1b8545d8d42557a8034568592
Instruction Fuzzy Hash: E8D0A770C4510897C708FFA4E40566DBB749741304F1050B9C40433344C7701954C6A9

Uniqueness

Uniqueness Score: -1.00%

Function 011223F4, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.255492237.0000000001122000.00000040.00000001.sdmp, Offset: 01122000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a553c294a1b700f25e5f405ec3be3fe390edbaee9943556e65f6264a8781e5b
Instruction ID: 12bd115bbeaabe76a79849ec123c489e80da69173d975892ad7d9b0a5d9b3c54
Opcode Fuzzy Hash: 6a553c294a1b700f25e5f405ec3be3fe390edbaee9943556e65f6264a8781e5b
Instruction Fuzzy Hash: 80D05E79305AD14FE32A8A1CC1A8B993FA4EF51B04F5644FAE8008B663C378D591D610

Uniqueness

Uniqueness Score: -1.00%

Function 02EDADA9, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.256275734.0000000002ED0000.00000040.00000001.sdmp, Offset: 02ED0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cd0aa35833ca45f4855a6d2c717ec5964786048ee0ec124e8f19f13e2a313b9
Instruction ID: 6fbe33ef26f3c01e835271efa843f24a2881a30b85dfdd05fe6da97357fff6d5
Opcode Fuzzy Hash: 5cd0aa35833ca45f4855a6d2c717ec5964786048ee0ec124e8f19f13e2a313b9
Instruction Fuzzy Hash: 33C04CB25CF40887CA141D15D4080F9B278EBC731EB15B1D2984D77607DA578621DB89

Uniqueness

Uniqueness Score: -1.00%

Function 011223BC, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.255492237.0000000001122000.00000040.00000001.sdmp, Offset: 01122000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb794b4a67b10cddce08115e46a218400c146e575828f93833fba8f40cbd4506
Instruction ID: ca81a6178a89af85fbdf64bc8f3a45c195a9db41f48568e9a301f6e52f0c6f24
Opcode Fuzzy Hash: cb794b4a67b10cddce08115e46a218400c146e575828f93833fba8f40cbd4506
Instruction Fuzzy Hash: 50D05E342052814BD719DB1CC194F5D3BD4AF45B00F0644E8EC008B262C3B4E891C600

Uniqueness

Uniqueness Score: -1.00%

Function 02EDB38E, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.256275734.0000000002ED0000.00000040.00000001.sdmp, Offset: 02ED0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32d55d20bac96d470eac27c39c0340420da86756fd2fe49c8b5fad05d4e006ac
Instruction ID: 34101b055c320762bd5a75b33e301dcd86923ece541c43ce610afa5a68130450
Opcode Fuzzy Hash: 32d55d20bac96d470eac27c39c0340420da86756fd2fe49c8b5fad05d4e006ac
Instruction Fuzzy Hash: 37D0C97494D258CBDB05CFA4D5946EDBBB8FF09304B61A058D44AA7242EB744E0AEB00

Uniqueness

Uniqueness Score: -1.00%

Function 02EDB240, Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.256275734.0000000002ED0000.00000040.00000001.sdmp, Offset: 02ED0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 527af1c373fc3d2e2cf991d3a704ee0fb7f62d6f4d6c7dba1b17ffebe24db2be
Instruction ID: ec3a5b7dba488e2d5629aa7393bd7db2be2347e3552a5be430830dfdc4e6da5f
Opcode Fuzzy Hash: 527af1c373fc3d2e2cf991d3a704ee0fb7f62d6f4d6c7dba1b17ffebe24db2be
Instruction Fuzzy Hash: 19C001B1C86388DFCB80CFA8D28029EBAF4AB0A304F6098599008BB200E2705A48CB04

Uniqueness

Uniqueness Score: -1.00%

Function 02EDB1B3, Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.256275734.0000000002ED0000.00000040.00000001.sdmp, Offset: 02ED0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41eba41953df20ff2629f4d30fc5a18e44ae519f81a5ab368c95f5eaddb202c4
Instruction ID: 833be1fbd6745c85971cea96c476502920f564dbcb813b7609fc1fa699df219e
Opcode Fuzzy Hash: 41eba41953df20ff2629f4d30fc5a18e44ae519f81a5ab368c95f5eaddb202c4
Instruction Fuzzy Hash: 54C001B5C45208DFCB60CFA8D0886DEBAF4BB0D308F21912AA83AA320AE77045458F00

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 02ED97E8, Relevance: 6.5, Strings: 5, Instructions: 206COMMON

Download Yara Rule

Strings

`5(r, xrefs: 02ED9935
X1(r, xrefs: 02ED995D
$g%r, xrefs: 02ED9905
X1(r, xrefs: 02ED9996
}j, xrefs: 02ED9873

Memory Dump Source

Source File: 00000000.00000002.256275734.0000000002ED0000.00000040.00000001.sdmp, Offset: 02ED0000, based on PE: false

Similarity

API ID:
String ID: $g%r$X1(r$X1(r$`5(r$}j
API String ID: 0-444735069
Opcode ID: 609991f78da288576bb56f48a3f671334c9bd6a3cb9ce2609f769e26d96c2fc2
Instruction ID: 845be99e192c8531a2181d1d0cd13bd8d185a718fc863253f14db2bc8ae4f1e8
Opcode Fuzzy Hash: 609991f78da288576bb56f48a3f671334c9bd6a3cb9ce2609f769e26d96c2fc2
Instruction Fuzzy Hash: 29711330A806819FCB15DB3CC894BAEBFF2AF85724F1481D9D5819B6A6CB35D807CB40

Uniqueness

Uniqueness Score: -1.00%

Function 02ED9868, Relevance: 6.4, Strings: 5, Instructions: 135COMMON

Download Yara Rule

Strings

`5(r, xrefs: 02ED9935
X1(r, xrefs: 02ED995D
$g%r, xrefs: 02ED9905
X1(r, xrefs: 02ED9996
}j, xrefs: 02ED9873

Memory Dump Source

Source File: 00000000.00000002.256275734.0000000002ED0000.00000040.00000001.sdmp, Offset: 02ED0000, based on PE: false

Similarity

API ID:
String ID: $g%r$X1(r$X1(r$`5(r$}j
API String ID: 0-444735069
Opcode ID: eef0dbe82cdffa7c0a2d47bfdca67b7ceece9e5e12b958ae641b710596668904
Instruction ID: be12dd6be7c0b6023db8f089d6d2fc83769d1eefa118680edabe60bc91283ab7
Opcode Fuzzy Hash: eef0dbe82cdffa7c0a2d47bfdca67b7ceece9e5e12b958ae641b710596668904
Instruction Fuzzy Hash: B0518B34B006059FCB14DF68C894BAEBBF2BF88714F2091A9E515AB3A5DB359C41CB51

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: RegSvcs.exe PID: 6628 Parent PID: 6444 RegSvcs.exeCOMMON

Executed Functions

Function 0317AD38, Relevance: 2.2, Strings: 1, Instructions: 915COMMON

Download Yara Rule

Strings

r, xrefs: 0317B7EC

Memory Dump Source

Source File: 00000004.00000002.499656485.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID:
String ID: r
API String ID: 0-1812594589
Opcode ID: 3aa35935bc98aecc53866d34a0b3a9b1417125c0b578ac25e2da6cd1a12b6434
Instruction ID: 3ccc6e1c3ad2d09e627ef00b84f53f1ab29dc1948e5889f0163dc30d9233c7db
Opcode Fuzzy Hash: 3aa35935bc98aecc53866d34a0b3a9b1417125c0b578ac25e2da6cd1a12b6434
Instruction Fuzzy Hash: 96822670A04605CFCB14CF68C594AAEFBB2FF88310F29C569D55AAB651D730E981CF90

Uniqueness

Uniqueness Score: -1.00%

Function 031E0EF3, Relevance: 1.6, APIs: 1, Instructions: 75COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 031E0F73

Memory Dump Source

Source File: 00000004.00000002.499726769.00000000031E0000.00000040.00000001.sdmp, Offset: 031E0000, based on PE: false

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: 39b11be849c400a540f85e27d273fd86b4f1704bc2b154ad50efcae0fdc43ff6
Instruction ID: fd8dd04387e1c644e8ffef3672d8c21b93365a33d8629aa9a8b407c067e88895
Opcode Fuzzy Hash: 39b11be849c400a540f85e27d273fd86b4f1704bc2b154ad50efcae0fdc43ff6
Instruction Fuzzy Hash: 992191765097849FDB12CF25DC40B52BFB8EF0A210F0884EAE9858B563D375A918CB61

Uniqueness

Uniqueness Score: -1.00%

Function 031E270F, Relevance: 1.6, APIs: 1, Instructions: 73networkCOMMON

Download Yara Rule

APIs

bind.WS2_32(?,00000E2C,13325108,00000000,00000000,00000000,00000000), ref: 031E2793

Memory Dump Source

Source File: 00000004.00000002.499726769.00000000031E0000.00000040.00000001.sdmp, Offset: 031E0000, based on PE: false

Similarity

API ID: bind
String ID:
API String ID: 1187836755-0
Opcode ID: 649efcade57f4b76df58e4f41b3927a8b447ec46f7e7a70b7529a095aea2b708
Instruction ID: 138b366569e00302028f911d832b3e1a4d2cabb946958e7bf61573cb2ff91838
Opcode Fuzzy Hash: 649efcade57f4b76df58e4f41b3927a8b447ec46f7e7a70b7529a095aea2b708
Instruction Fuzzy Hash: 68217FB29083846FE721CB65DC84F96BFBCEF45620F0884AAEA449B152D374A548CB71

Uniqueness

Uniqueness Score: -1.00%

Function 031E112F, Relevance: 1.6, APIs: 1, Instructions: 64nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL(?,?,?,?), ref: 031E11A5

Memory Dump Source

Source File: 00000004.00000002.499726769.00000000031E0000.00000040.00000001.sdmp, Offset: 031E0000, based on PE: false

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: cda5bb01e6d3137e07abeeae0ebbba030ec5b67eef90cc2747dde349733d0802
Instruction ID: 88b65090a9a62f4f452e5b403a278e0200d4ac9900df51c2a6c6a412f04a23c5
Opcode Fuzzy Hash: cda5bb01e6d3137e07abeeae0ebbba030ec5b67eef90cc2747dde349733d0802
Instruction Fuzzy Hash: 7821AE764097C0AFDB238B21DC41A52FFB4EF16214F0980DBED844B1A3D265A509DB62

Uniqueness

Uniqueness Score: -1.00%

Function 031E2732, Relevance: 1.6, APIs: 1, Instructions: 62networkCOMMON

Download Yara Rule

APIs

bind.WS2_32(?,00000E2C,13325108,00000000,00000000,00000000,00000000), ref: 031E2793

Memory Dump Source

Source File: 00000004.00000002.499726769.00000000031E0000.00000040.00000001.sdmp, Offset: 031E0000, based on PE: false

Similarity

API ID: bind
String ID:
API String ID: 1187836755-0
Opcode ID: 822d976817c0ce7220a795b8dec31bb47bb0b37143f7b7cc293f6a8d321b3f7b
Instruction ID: b2af2be4767c0008b2abc0f01a0d1c490abae3c6e68e9d4da38e4965559be925
Opcode Fuzzy Hash: 822d976817c0ce7220a795b8dec31bb47bb0b37143f7b7cc293f6a8d321b3f7b
Instruction Fuzzy Hash: 9711C4B1904600AFEB20DF65DC84F96FBECEF48720F1888AAEE459B241D775A444DB71

Uniqueness

Uniqueness Score: -1.00%

Function 031E0F2A, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 031E0F73

Memory Dump Source

Source File: 00000004.00000002.499726769.00000000031E0000.00000040.00000001.sdmp, Offset: 031E0000, based on PE: false

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: 4a443f007c14e514deef38daf5fe300af542c552d96c04718233c1acbf578b75
Instruction ID: a2d15f3b84dd1b799278641a1e84000567cad27fe4611618a1e9a63a2d9b93df
Opcode Fuzzy Hash: 4a443f007c14e514deef38daf5fe300af542c552d96c04718233c1acbf578b75
Instruction Fuzzy Hash: 191170759006049FDB21CF66D844B66FBE8EF08321F08C4AAED4A8B652D376E458CF61

Uniqueness

Uniqueness Score: -1.00%

Function 031E0BB6, Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNELBASE(?), ref: 031E0BE8

Memory Dump Source

Source File: 00000004.00000002.499726769.00000000031E0000.00000040.00000001.sdmp, Offset: 031E0000, based on PE: false

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: 0116fcd717dddf0e17fde4262d7ab3891b96d76cce2dd82820af7af39bbc43ba
Instruction ID: 5656b26a768740a7afde009d8351628826b1e3c4e3f99e721cf413882c74a661
Opcode Fuzzy Hash: 0116fcd717dddf0e17fde4262d7ab3891b96d76cce2dd82820af7af39bbc43ba
Instruction Fuzzy Hash: D30181759046449FEB10CF16D884766FFE8EF48321F18C4EADD499F246D3B5A448CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 031E116A, Relevance: 1.5, APIs: 1, Instructions: 38nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL(?,?,?,?), ref: 031E11A5

Memory Dump Source

Source File: 00000004.00000002.499726769.00000000031E0000.00000040.00000001.sdmp, Offset: 031E0000, based on PE: false

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: d2de6762d88afaadcf088539d4a5e6bb191dcd6bafdb1aaee77c783269a5d851
Instruction ID: 02a2b5f44bd503cd5c603b14d758a142d3dc39eb67fe04d75b863abe82f6d3d6
Opcode Fuzzy Hash: d2de6762d88afaadcf088539d4a5e6bb191dcd6bafdb1aaee77c783269a5d851
Instruction Fuzzy Hash: A201AD39500640EFDB20CF65D884B65FFA4EF48321F08C4AADD9A0B652D376A458CF72

Uniqueness

Uniqueness Score: -1.00%

Function 031723A0, Relevance: .5, Instructions: 505COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.499656485.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e1fd5197189c53b5a3ae1b7d21eb9bb7e94035a18cb888aa086567c5fa5d130
Instruction ID: d561d6e2ccb80fea7474c11fbf52ade30d3afe29c094ef879ea3b229c9dc2462
Opcode Fuzzy Hash: 6e1fd5197189c53b5a3ae1b7d21eb9bb7e94035a18cb888aa086567c5fa5d130
Instruction Fuzzy Hash: 9412AB70E00215CFCB28CF69D5846ADBBF6FB88305F298969D4169B258DB749C87CB60

Uniqueness

Uniqueness Score: -1.00%

Function 03178468, Relevance: .5, Instructions: 505COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.499656485.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 285aebf24323a6f7530a7c53492ffc3fc3ab58e9904ddb02f2c316df6f5bae49
Instruction ID: e93fce93fe24d8d43f0275cf8119f7dea8ac80a28c9b108eb1de9277957bd26c
Opcode Fuzzy Hash: 285aebf24323a6f7530a7c53492ffc3fc3ab58e9904ddb02f2c316df6f5bae49
Instruction Fuzzy Hash: 6E12DE70A10215DFCB28CF29C48A36DFBF2FF89304F598569E4169B251DBB89885DF90

Uniqueness

Uniqueness Score: -1.00%

Function 03172FA8, Relevance: .2, Instructions: 239COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.499656485.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae67a3364bd96896cdc8f435301e61b0ec58bbbee0320b1388d80d44c9070b97
Instruction ID: 6e49649781bc7256b7f7197fd49dd6439a166231d24bfcb01e052e497d063cda
Opcode Fuzzy Hash: ae67a3364bd96896cdc8f435301e61b0ec58bbbee0320b1388d80d44c9070b97
Instruction Fuzzy Hash: 40818C76F00115AFCB18DB69D884A6EBBF3AFC8310F2A8468E415EB355DF319C418B90

Uniqueness

Uniqueness Score: -1.00%

Function 03179068, Relevance: .2, Instructions: 239COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.499656485.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43ac962d59ea806ffe54da18ae2ee8e1f0b8a662228707813650bd15d62881af
Instruction ID: 8d97675491e3aa38ab7cc19a6d1f2ef928de94b71e636ca8e3bb673db5a5c008
Opcode Fuzzy Hash: 43ac962d59ea806ffe54da18ae2ee8e1f0b8a662228707813650bd15d62881af
Instruction Fuzzy Hash: BD815972F01115ABDB14DB69D894AAEBBF3AFC8310B2E8065E405EB355DF319C058B90

Uniqueness

Uniqueness Score: -1.00%

Function 031709A5, Relevance: 5.1, Strings: 4, Instructions: 135COMMON

Download Yara Rule

Strings

X1(r, xrefs: 03170AA2
X1(r, xrefs: 03170A5A
X1(r, xrefs: 03170A50
X1(r, xrefs: 03170A98

Memory Dump Source

Source File: 00000004.00000002.499656485.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID:
String ID: X1(r$X1(r$X1(r$X1(r
API String ID: 0-1974604117
Opcode ID: 7beb6fb5e08a44ee9956eb68b3cddcec9e6977f87c777c05d64f25262d097f13
Instruction ID: 556e6e2c4e4e3e44785e782a7f22d3800531157d7a80d68c82a8028b23734c2d
Opcode Fuzzy Hash: 7beb6fb5e08a44ee9956eb68b3cddcec9e6977f87c777c05d64f25262d097f13
Instruction Fuzzy Hash: E941B735B00211DFCB14DBA8D898AAEB7F6FF88704F258195E5059F364CB31AD06CB90

Uniqueness

Uniqueness Score: -1.00%

Function 031702E8, Relevance: 2.7, Strings: 2, Instructions: 227COMMON

Download Yara Rule

Strings

8bq, xrefs: 031705D6
`5(r, xrefs: 031703A5

Memory Dump Source

Source File: 00000004.00000002.499656485.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID:
String ID: 8bq$`5(r
API String ID: 0-4147111389
Opcode ID: 23ba7e5232779b2920c858bc74b0ff1d11231d96597871a61268c731210513b2
Instruction ID: 53571c4eebf614e2f29c4e47b89416afbde1bc1c5da187582b1f5be49d60ac67
Opcode Fuzzy Hash: 23ba7e5232779b2920c858bc74b0ff1d11231d96597871a61268c731210513b2
Instruction Fuzzy Hash: 1E81AB70B042018FCB09DB68D4506AE7BF2AFCD300F2980AAD506EB395DB35AC45CB92

Uniqueness

Uniqueness Score: -1.00%

Function 031712A0, Relevance: 1.7, Strings: 1, Instructions: 460COMMON

Download Yara Rule

Strings

$g%r, xrefs: 03171349

Memory Dump Source

Source File: 00000004.00000002.499656485.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID:
String ID: $g%r
API String ID: 0-359987751
Opcode ID: 0b513267440af9ba8d089bd26f9a034c90677b1d38d2af1c819f0babda8f297d
Instruction ID: 1931340b156361f553fc514eb475279e3f69d33b4cc1bc3ca16883407e5578c5
Opcode Fuzzy Hash: 0b513267440af9ba8d089bd26f9a034c90677b1d38d2af1c819f0babda8f297d
Instruction Fuzzy Hash: 6F221838A00A05DFC724DF28C484A6ABBF2FF88344F1585A9D85A9B755DB34ED86CF50

Uniqueness

Uniqueness Score: -1.00%

Function 031E13E0, Relevance: 1.6, APIs: 1, Instructions: 126networkCOMMON

Download Yara Rule

APIs

DnsQuery_A.DNSAPI(?,00000E2C,?,?), ref: 031E14D6

Memory Dump Source

Source File: 00000004.00000002.499726769.00000000031E0000.00000040.00000001.sdmp, Offset: 031E0000, based on PE: false

Similarity

API ID: Query_
String ID:
API String ID: 428220571-0
Opcode ID: 6a50c76d5b76855be5afe09c895e48196e964e4ea8c12ea8830375863b4b1729
Instruction ID: edec9c29b2fecf6692b082b42b9c6f6410f494274597e471481ea8355321aee3
Opcode Fuzzy Hash: 6a50c76d5b76855be5afe09c895e48196e964e4ea8c12ea8830375863b4b1729
Instruction Fuzzy Hash: 8E41126640E3C06FD3138B358C61A61BFB4EF47614B0E85CBE8C4CB5A3D519690AD772

Uniqueness

Uniqueness Score: -1.00%

Function 031E2428, Relevance: 1.6, APIs: 1, Instructions: 114COMMON

Download Yara Rule

APIs

getaddrinfo.WS2_32(?,00000E2C), ref: 031E251F

Memory Dump Source

Source File: 00000004.00000002.499726769.00000000031E0000.00000040.00000001.sdmp, Offset: 031E0000, based on PE: false

Similarity

API ID: getaddrinfo
String ID:
API String ID: 300660673-0
Opcode ID: fb42a595af9b6cf2772e3edb042790dc0bb44c4559bffb65c979069713b4fec7
Instruction ID: 8761d57617f31490d173a95d9dde14f45d0250b2ae6a05039ab7a3ed91061811
Opcode Fuzzy Hash: fb42a595af9b6cf2772e3edb042790dc0bb44c4559bffb65c979069713b4fec7
Instruction Fuzzy Hash: 4841B1B15093806FE7228B649C54FA6BFB8EF06310F1848DBE9849F193D275A949CB71

Uniqueness

Uniqueness Score: -1.00%

Function 031E0390, Relevance: 1.6, APIs: 1, Instructions: 93registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.KERNELBASE(?,00000E2C), ref: 031E045E

Memory Dump Source

Source File: 00000004.00000002.499726769.00000000031E0000.00000040.00000001.sdmp, Offset: 031E0000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: ac54947d9bd78c5d3a3946e1324c14a402e7ced6276a636769893ba932036b80
Instruction ID: c0eef28c9de20a74ee3da7abd6cd8028bfc062fcc37bb8adbb0d86918c7e68ef
Opcode Fuzzy Hash: ac54947d9bd78c5d3a3946e1324c14a402e7ced6276a636769893ba932036b80
Instruction Fuzzy Hash: 8C31D7B20047446FE7228F15CC41FA6FFB8EF05314F04859EF9859B192D3A5A949CB71

Uniqueness

Uniqueness Score: -1.00%

Function 031E07F4, Relevance: 1.6, APIs: 1, Instructions: 92fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 031E0899

Memory Dump Source

Source File: 00000004.00000002.499726769.00000000031E0000.00000040.00000001.sdmp, Offset: 031E0000, based on PE: false

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 3825554ebb5c18f777c67287a51c9ec7dc3d8dcdd0608760a29bc0b05581a584
Instruction ID: a2ef0dbc3714ef4e62c877bf243f82f2a5bed50ce45b9052d2c96d16829f5778
Opcode Fuzzy Hash: 3825554ebb5c18f777c67287a51c9ec7dc3d8dcdd0608760a29bc0b05581a584
Instruction Fuzzy Hash: 96316F71504780AFE722CB66DC44F66FFE8EF09210F0884AAE9858B252D375E909DB71

Uniqueness

Uniqueness Score: -1.00%

Function 031E21B0, Relevance: 1.6, APIs: 1, Instructions: 89timeCOMMON

Download Yara Rule

APIs

GetProcessTimes.KERNELBASE(?,00000E2C,13325108,00000000,00000000,00000000,00000000), ref: 031E224D

Memory Dump Source

Source File: 00000004.00000002.499726769.00000000031E0000.00000040.00000001.sdmp, Offset: 031E0000, based on PE: false

Similarity

API ID: ProcessTimes
String ID:
API String ID: 1995159646-0
Opcode ID: 89054c598185633ccaed858ec5b788ae64eaa7f1c0f2b9acffd2610a8ff643cf
Instruction ID: 4f3c5585f5d12a3407b2db9bff97b7ba99861817eb7d5f7f2da2f106b2c0f7a0
Opcode Fuzzy Hash: 89054c598185633ccaed858ec5b788ae64eaa7f1c0f2b9acffd2610a8ff643cf
Instruction Fuzzy Hash: EC31F5B25097806FEB128F64DC45B96BFBCEF06320F0884EAE9858B153D325A505CB71

Uniqueness

Uniqueness Score: -1.00%

Function 031E00F6, Relevance: 1.6, APIs: 1, Instructions: 89synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNELBASE(?,?), ref: 031E019D

Memory Dump Source

Source File: 00000004.00000002.499726769.00000000031E0000.00000040.00000001.sdmp, Offset: 031E0000, based on PE: false

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 1565c773b01b686137bbf17cf1c11e959d054a5121a16d29afd6564d6fa62084
Instruction ID: 4858257d99b90a1c1cdbcd70d4ce58e18b731678c324f334031f0f607de669aa
Opcode Fuzzy Hash: 1565c773b01b686137bbf17cf1c11e959d054a5121a16d29afd6564d6fa62084
Instruction Fuzzy Hash: 30316F755097806FE712CB65DC85B56FFF8EF0A210F0884AAE9848F293D365E909C761

Uniqueness

Uniqueness Score: -1.00%

Function 031E1D44, Relevance: 1.6, APIs: 1, Instructions: 87fileCOMMON

Download Yara Rule

APIs

MapViewOfFile.KERNELBASE ref: 031E1DF6

Memory Dump Source

Source File: 00000004.00000002.499726769.00000000031E0000.00000040.00000001.sdmp, Offset: 031E0000, based on PE: false

Similarity

API ID: FileView
String ID:
API String ID: 3314676101-0
Opcode ID: 8c1b63cd51f8945de3db2da9701c473dcf5d02eeeaa7079cd946df91e34bc2dd
Instruction ID: 77069c0f1ae45d50c53817e4e625a2ad01a21d6e00c30f39da4c3f91f83c8610
Opcode Fuzzy Hash: 8c1b63cd51f8945de3db2da9701c473dcf5d02eeeaa7079cd946df91e34bc2dd
Instruction Fuzzy Hash: CE31D6B2404780AFE722CF55DC45F56FFF8EF05320F08859AE9849B152D375A909CB61

Uniqueness

Uniqueness Score: -1.00%

Function 031E262A, Relevance: 1.6, APIs: 1, Instructions: 86windowCOMMON

Download Yara Rule

APIs

FormatMessageW.KERNELBASE(?,00000E2C,?,?), ref: 031E26DA

Memory Dump Source

Source File: 00000004.00000002.499726769.00000000031E0000.00000040.00000001.sdmp, Offset: 031E0000, based on PE: false

Similarity

API ID: FormatMessage
String ID:
API String ID: 1306739567-0
Opcode ID: f7714495e2c960e31c77323bfa212118e5e7d89ec10cfffde728c67b1df3ff90
Instruction ID: 7f871e404681665354cdd6d8176dcee144b78e2be76db77c7e47e9281d834216
Opcode Fuzzy Hash: f7714495e2c960e31c77323bfa212118e5e7d89ec10cfffde728c67b1df3ff90
Instruction Fuzzy Hash: FD318F7250D3C06FD7038B758C51A66BFB4EF47610F0980DBD885CF2A3E624A919C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 031E04AB, Relevance: 1.6, APIs: 1, Instructions: 86registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,13325108,00000000,00000000,00000000,00000000), ref: 031E055C

Memory Dump Source

Source File: 00000004.00000002.499726769.00000000031E0000.00000040.00000001.sdmp, Offset: 031E0000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: a397bb5f3683b32eefd536d0e5fc9df69ac3514c7f4f8a763f4e933543b88c46
Instruction ID: f29ec477c28f2f136ca0a0b5d9032900d02c006064b59712a534774d974f8b73
Opcode Fuzzy Hash: a397bb5f3683b32eefd536d0e5fc9df69ac3514c7f4f8a763f4e933543b88c46
Instruction Fuzzy Hash: EB31A2715097806FD722CB65DC84B92FFB8EF0A210F0C84DAE9858B1A2D365A908DB71

Uniqueness

Uniqueness Score: -1.00%

Function 031E247A, Relevance: 1.6, APIs: 1, Instructions: 84COMMON

Download Yara Rule

APIs

getaddrinfo.WS2_32(?,00000E2C), ref: 031E251F

Memory Dump Source

Source File: 00000004.00000002.499726769.00000000031E0000.00000040.00000001.sdmp, Offset: 031E0000, based on PE: false

Similarity

API ID: getaddrinfo
String ID:
API String ID: 300660673-0
Opcode ID: e105d3b2f60ee9a5797ee6dd834cf2cebfe4fd2e00069085838ac994f1152673
Instruction ID: e4eed2711e5d34a81945416e49c5ce3b74d39be77713488411e2d3c6f34daf6e
Opcode Fuzzy Hash: e105d3b2f60ee9a5797ee6dd834cf2cebfe4fd2e00069085838ac994f1152673
Instruction Fuzzy Hash: 732102B1500200AFFB20DB64DC85FAAFBACEF04310F14886AFA559A181D7B1A5458BB1

Uniqueness

Uniqueness Score: -1.00%

Function 031E02AB, Relevance: 1.6, APIs: 1, Instructions: 79registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNELBASE(?,00000E2C), ref: 031E0353

Memory Dump Source

Source File: 00000004.00000002.499726769.00000000031E0000.00000040.00000001.sdmp, Offset: 031E0000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: ebd83e0759dfb9494f543a9a204c1c17c224b5a6cc2743838d70b8cc1337ec05
Instruction ID: 011b89d12b70843047b667183b8bd48ed6807b26e6862ab3f1986cca3b978e47
Opcode Fuzzy Hash: ebd83e0759dfb9494f543a9a204c1c17c224b5a6cc2743838d70b8cc1337ec05
Instruction Fuzzy Hash: 4521A6754097806FE7228B21DC41FA6FFB8EF06310F0884DAE9848B192D265A909D771

Uniqueness

Uniqueness Score: -1.00%

Function 031E1C62, Relevance: 1.6, APIs: 1, Instructions: 78COMMON

Download Yara Rule

APIs

OpenFileMappingW.KERNELBASE(?,?), ref: 031E1CED

Memory Dump Source

Source File: 00000004.00000002.499726769.00000000031E0000.00000040.00000001.sdmp, Offset: 031E0000, based on PE: false

Similarity

API ID: FileMappingOpen
String ID:
API String ID: 1680863896-0
Opcode ID: 5adb555b977151b1b8cbfb75e3eab1fc50156339f30ec55a8adb754777d212a9
Instruction ID: b6001f34ea91c2f9410880fb9bb52d9125c1b553bea31674992532b958fcb23a
Opcode Fuzzy Hash: 5adb555b977151b1b8cbfb75e3eab1fc50156339f30ec55a8adb754777d212a9
Instruction Fuzzy Hash: 5521A1B1509780AFE722CB65DC45F66FFE8EF05220F0884AAE9849B252D375A508CB65

Uniqueness

Uniqueness Score: -1.00%

Function 031E0A9B, Relevance: 1.6, APIs: 1, Instructions: 78fileCOMMON

Download Yara Rule

APIs

DeleteFileA.KERNELBASE(?,00000E2C), ref: 031E0B3F

Memory Dump Source

Source File: 00000004.00000002.499726769.00000000031E0000.00000040.00000001.sdmp, Offset: 031E0000, based on PE: false

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 992f49cffc047de50dd8e3de870e6c8265dbced3c5ed6243e66b69fe3951396f
Instruction ID: 8ea3fdb20b50b3bb414fa16f4b98826936acc6f7628186785b12c4f23d17e72f
Opcode Fuzzy Hash: 992f49cffc047de50dd8e3de870e6c8265dbced3c5ed6243e66b69fe3951396f
Instruction Fuzzy Hash: E921F8715087806FE722CB25DC95BA6BFA8EF06324F1C81DAFD849F193D364A948C761

Uniqueness

Uniqueness Score: -1.00%

Function 031E08F0, Relevance: 1.6, APIs: 1, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E2C,13325108,00000000,00000000,00000000,00000000), ref: 031E0985

Memory Dump Source

Source File: 00000004.00000002.499726769.00000000031E0000.00000040.00000001.sdmp, Offset: 031E0000, based on PE: false

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: d52b5d8ea7fcb75f609241e7c607fc5b47e77ccc676ce692a2430090858b8940
Instruction ID: b3574f3aef197997213334980f353eca39496c8fc520c06e5c8989ac21e15a81
Opcode Fuzzy Hash: d52b5d8ea7fcb75f609241e7c607fc5b47e77ccc676ce692a2430090858b8940
Instruction Fuzzy Hash: EB21F5B68087846FE712CB25DC40BA2BFBCEF46720F0880DAED858B153D364A909C775

Uniqueness

Uniqueness Score: -1.00%

Function 031E1502, Relevance: 1.6, APIs: 1, Instructions: 77networkCOMMON

Download Yara Rule

APIs

WSASocketW.WS2_32(?,?,?,?,?), ref: 031E158E

Memory Dump Source

Source File: 00000004.00000002.499726769.00000000031E0000.00000040.00000001.sdmp, Offset: 031E0000, based on PE: false

Similarity

API ID: Socket
String ID:
API String ID: 38366605-0
Opcode ID: d15ad9234d30476d2739f8418ce93a3628cb27c0bf016010ecca9698a6241ecd
Instruction ID: dabff723f4a57efd1bc1a50c7ef62e4b3b020d70312f78b4122c043de4a211ae
Opcode Fuzzy Hash: d15ad9234d30476d2739f8418ce93a3628cb27c0bf016010ecca9698a6241ecd
Instruction Fuzzy Hash: 83218D71509780AFEB22CF65DC44F96FFF8EF09210F0884AEE9859B652D375A508CB61

Uniqueness

Uniqueness Score: -1.00%

Function 031E081A, Relevance: 1.6, APIs: 1, Instructions: 76fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 031E0899

Memory Dump Source

Source File: 00000004.00000002.499726769.00000000031E0000.00000040.00000001.sdmp, Offset: 031E0000, based on PE: false

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: e5dce89ecea3a75ce6d4baf44e30b4d0438ee62b2b58c3f16a4d489a6446c9b2
Instruction ID: 7f22ae56b5ce27751c898d05edf46105fa7163d0d846462d32a292e9fa84522a
Opcode Fuzzy Hash: e5dce89ecea3a75ce6d4baf44e30b4d0438ee62b2b58c3f16a4d489a6446c9b2
Instruction Fuzzy Hash: 4A219275900640AFEB21DF66DC44F66FBE8EF08310F188469E9858B252D771E404CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 031E03CA, Relevance: 1.6, APIs: 1, Instructions: 75registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.KERNELBASE(?,00000E2C), ref: 031E045E

Memory Dump Source

Source File: 00000004.00000002.499726769.00000000031E0000.00000040.00000001.sdmp, Offset: 031E0000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 43b287f0b8864d7aa035fe468a9abdedbcbc9fd92caadab4a107bc6b25ac4d02
Instruction ID: 25b0f1b2886b096eaa6cdc3d5c8c52e08a6e9b860068667dcdd4ec3fb9ec5060
Opcode Fuzzy Hash: 43b287f0b8864d7aa035fe468a9abdedbcbc9fd92caadab4a107bc6b25ac4d02
Instruction Fuzzy Hash: CA21F572500604AFEB21DF15DD81FA6FBACEF08310F04855AFE459A181D7B5A548CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 031E09C0, Relevance: 1.6, APIs: 1, Instructions: 75COMMON

Download Yara Rule

APIs

setsockopt.WS2_32(?,00000E2C,13325108,00000000,00000000,00000000,00000000), ref: 031E0A51

Memory Dump Source

Source File: 00000004.00000002.499726769.00000000031E0000.00000040.00000001.sdmp, Offset: 031E0000, based on PE: false

Similarity

API ID: setsockopt
String ID:
API String ID: 3981526788-0
Opcode ID: 72debc70ac48f922d762da0edc6c9b728acfc64e94aa17d8c04b4737068dddc0
Instruction ID: 156a174e98b89c25956908773b52070fd0fbc8ed889feb54e482c99dd6dec7f5
Opcode Fuzzy Hash: 72debc70ac48f922d762da0edc6c9b728acfc64e94aa17d8c04b4737068dddc0
Instruction Fuzzy Hash: 39218171409384AFEB22CB65DC44F56BFB8EF46314F08849AE9849B153C265A509CB61

Uniqueness

Uniqueness Score: -1.00%

Function 031E012A, Relevance: 1.6, APIs: 1, Instructions: 72synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNELBASE(?,?), ref: 031E019D

Memory Dump Source

Source File: 00000004.00000002.499726769.00000000031E0000.00000040.00000001.sdmp, Offset: 031E0000, based on PE: false

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 275bcf84ae9b007f220e074d53d7147b9316c992d6958cc6f5ef79e881f76df4
Instruction ID: 090292cd7d40d9b02d82cab7ce7dda9ebec9c468719870334b66a33a66b8e417
Opcode Fuzzy Hash: 275bcf84ae9b007f220e074d53d7147b9316c992d6958cc6f5ef79e881f76df4
Instruction Fuzzy Hash: 74219F75504640AFE720DF6ADC85B6AFBE8EF08310F1884AAED458F282D7B1E504CB75

Uniqueness

Uniqueness Score: -1.00%

Function 031E0723, Relevance: 1.6, APIs: 1, Instructions: 71COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,?), ref: 031E079F

Memory Dump Source

Source File: 00000004.00000002.499726769.00000000031E0000.00000040.00000001.sdmp, Offset: 031E0000, based on PE: false

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: ea20c9efcc55755b946358ae5d14089b0afe7bb99e5536d0a466d0eb992f60eb
Instruction ID: ffabec0d6689d46b5e58cdef3d38005b1877d7526da8671d6a8f6fb31345d0e7
Opcode Fuzzy Hash: ea20c9efcc55755b946358ae5d14089b0afe7bb99e5536d0a466d0eb992f60eb
Instruction Fuzzy Hash: B72171769093809FD711CB25DC44B56FFE8EF06214F0984EAE885DF153D365A908CB61

Uniqueness

Uniqueness Score: -1.00%

Function 031E1C82, Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

OpenFileMappingW.KERNELBASE(?,?), ref: 031E1CED

Memory Dump Source

Source File: 00000004.00000002.499726769.00000000031E0000.00000040.00000001.sdmp, Offset: 031E0000, based on PE: false

Similarity

API ID: FileMappingOpen
String ID:
API String ID: 1680863896-0
Opcode ID: 302ccfae1f8c75a4f5887fd7637ae3dd057f78d58eace80c1b7bc6c5723a3487
Instruction ID: 1dc4d8335bc29d10178fe97fde36555fddb24e0b669ac2ffd00a2430d23bdcdb
Opcode Fuzzy Hash: 302ccfae1f8c75a4f5887fd7637ae3dd057f78d58eace80c1b7bc6c5723a3487
Instruction Fuzzy Hash: 3321C0B1500640AFEB21DF69DC85B66FBE8EF08320F1884AAED458B242D771A504CA75

Uniqueness

Uniqueness Score: -1.00%

Function 031E0FC0, Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 031E102C

Memory Dump Source

Source File: 00000004.00000002.499726769.00000000031E0000.00000040.00000001.sdmp, Offset: 031E0000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 831b11647129df778d24be42438dceb1c44690d14a7e73036cd0191af35a478b
Instruction ID: 63b092906356a8f4138e1f152410b9940ea59ec4021c99f32de68bc1d5286cdd
Opcode Fuzzy Hash: 831b11647129df778d24be42438dceb1c44690d14a7e73036cd0191af35a478b
Instruction Fuzzy Hash: D721A1725093C05FDB02CB25DC54692BFB4AF07624F0D84EAEC858F663D275A908CB61

Uniqueness

Uniqueness Score: -1.00%

Function 031E1522, Relevance: 1.6, APIs: 1, Instructions: 67networkCOMMON

Download Yara Rule

APIs

WSASocketW.WS2_32(?,?,?,?,?), ref: 031E158E

Memory Dump Source

Source File: 00000004.00000002.499726769.00000000031E0000.00000040.00000001.sdmp, Offset: 031E0000, based on PE: false

Similarity

API ID: Socket
String ID:
API String ID: 38366605-0
Opcode ID: 1cb6939c1e4e3d7e60a8d899d3982cb339ddc51af54d61f0d5490eb638aa8dc7
Instruction ID: 36d1af45ebefc7481cce9e24ecf45aeb9d7db6ef23c0a9f7bf4610a5d75b7849
Opcode Fuzzy Hash: 1cb6939c1e4e3d7e60a8d899d3982cb339ddc51af54d61f0d5490eb638aa8dc7
Instruction Fuzzy Hash: CA21DE71500640AFEB21CF65DC44B6AFFE8EF08320F14846EEE858B642D772A404CB61

Uniqueness

Uniqueness Score: -1.00%

Function 031E1075, Relevance: 1.6, APIs: 1, Instructions: 67COMMON

Download Yara Rule

APIs

K32EnumProcesses.KERNEL32(?,?,?,13325108,00000000,?,?,?,?,?,?,?,?,72B13C38), ref: 031E10E6

Memory Dump Source

Source File: 00000004.00000002.499726769.00000000031E0000.00000040.00000001.sdmp, Offset: 031E0000, based on PE: false

Similarity

API ID: EnumProcesses
String ID:
API String ID: 84517404-0
Opcode ID: aef60915aa8e193837d3ef71c780c3011f0cb630446aa8e41fdb4b80c0f98cc8
Instruction ID: 7e17dddeb9b050c3531932f0e682435af19474395a00cf0030dbbdfd15a802d1
Opcode Fuzzy Hash: aef60915aa8e193837d3ef71c780c3011f0cb630446aa8e41fdb4b80c0f98cc8
Instruction Fuzzy Hash: B02150755093849FDB12CF65DC44A96BFF8EF06220F0984EAE985CB163D275A908CB61

Uniqueness

Uniqueness Score: -1.00%

Function 031E1D82, Relevance: 1.6, APIs: 1, Instructions: 67fileCOMMON

Download Yara Rule

APIs

MapViewOfFile.KERNELBASE ref: 031E1DF6

Memory Dump Source

Source File: 00000004.00000002.499726769.00000000031E0000.00000040.00000001.sdmp, Offset: 031E0000, based on PE: false

Similarity

API ID: FileView
String ID:
API String ID: 3314676101-0
Opcode ID: 5c652f9ee6c3dce706bb3b265f8c87b6191b0c794f99f4d23836e746d366e7a0
Instruction ID: fd1d141bfdbe9db7864dde207f01021d5934a03496487c11671eee40c16ca264
Opcode Fuzzy Hash: 5c652f9ee6c3dce706bb3b265f8c87b6191b0c794f99f4d23836e746d366e7a0
Instruction Fuzzy Hash: A321A171500604AFE721CF59DC84F5AFBECEF08320F04846AE9859B241D771B558CB65

Uniqueness

Uniqueness Score: -1.00%

Function 031E01F4, Relevance: 1.6, APIs: 1, Instructions: 67COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 031E0264

Memory Dump Source

Source File: 00000004.00000002.499726769.00000000031E0000.00000040.00000001.sdmp, Offset: 031E0000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: d8c53de21d137344eeae1a2794e31fa1b17529d9d0d77a8dcd2dcd233c5f775a
Instruction ID: 55f13e41abbd55f9a649bd8707b772062978a637295c242d76bd3aaa33aedaa1
Opcode Fuzzy Hash: d8c53de21d137344eeae1a2794e31fa1b17529d9d0d77a8dcd2dcd233c5f775a
Instruction Fuzzy Hash: CD21D4B68097859FD702CB65DC85792BFA8EF0A220F0980EAEC848B153D3759804CB61

Uniqueness

Uniqueness Score: -1.00%

Function 031E04EA, Relevance: 1.6, APIs: 1, Instructions: 65registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,13325108,00000000,00000000,00000000,00000000), ref: 031E055C

Memory Dump Source

Source File: 00000004.00000002.499726769.00000000031E0000.00000040.00000001.sdmp, Offset: 031E0000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 7ef07a0f302e684a28ebefc481c07a82920596b9197d1e6f471bbe46f3e1aaee
Instruction ID: 8c84af709d8d6a2f90c6370b409cac18566f41ef393557b48f635741f3d35391
Opcode Fuzzy Hash: 7ef07a0f302e684a28ebefc481c07a82920596b9197d1e6f471bbe46f3e1aaee
Instruction Fuzzy Hash: 761181B2500A04AFEB20CF56DC80F66FBECEF08720F08846AEE569B251D765E544DB71

Uniqueness

Uniqueness Score: -1.00%

Function 031E21EE, Relevance: 1.6, APIs: 1, Instructions: 64timeCOMMON

Download Yara Rule

APIs

GetProcessTimes.KERNELBASE(?,00000E2C,13325108,00000000,00000000,00000000,00000000), ref: 031E224D

Memory Dump Source

Source File: 00000004.00000002.499726769.00000000031E0000.00000040.00000001.sdmp, Offset: 031E0000, based on PE: false

Similarity

API ID: ProcessTimes
String ID:
API String ID: 1995159646-0
Opcode ID: 1a425b5af0f901cc5bab1bf492e8da9a079d69e734ecd157fc7a71651657728a
Instruction ID: 446a6d99620a5da5717ece2fea2b50e24f81fe9c01d64a73464f9f18ed5ca5fa
Opcode Fuzzy Hash: 1a425b5af0f901cc5bab1bf492e8da9a079d69e734ecd157fc7a71651657728a
Instruction Fuzzy Hash: 4E110872500604AFEB21DF55DC81FAAFBACEF08320F08C86AEE458B151D771A404CB71

Uniqueness

Uniqueness Score: -1.00%

Function 031E0CEC, Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 031E0D56

Memory Dump Source

Source File: 00000004.00000002.499726769.00000000031E0000.00000040.00000001.sdmp, Offset: 031E0000, based on PE: false

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 6630826b385f89b8a2b6d660a3a892c1a7bcae1f386436ab4013de800bded39e
Instruction ID: d8c4b3bdc16d4a63a8b347d729f95611ead7c8abeb12dde0f517f61454fa2546
Opcode Fuzzy Hash: 6630826b385f89b8a2b6d660a3a892c1a7bcae1f386436ab4013de800bded39e
Instruction Fuzzy Hash: C3115E715057809FD711CB66DC85B96FFA8EF09210F0C84AAED45CB252D265E808CB61

Uniqueness

Uniqueness Score: -1.00%

Function 031E02DE, Relevance: 1.6, APIs: 1, Instructions: 60registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNELBASE(?,00000E2C), ref: 031E0353

Memory Dump Source

Source File: 00000004.00000002.499726769.00000000031E0000.00000040.00000001.sdmp, Offset: 031E0000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 5e7beed867b5aa921bdc3bfabe654f766015c7f90cf7f487040a3523d0da8582
Instruction ID: ee6e602a38a8e7d3dc30c26e153fea467cec63b8db2e1fc3c990c4c45f27a79c
Opcode Fuzzy Hash: 5e7beed867b5aa921bdc3bfabe654f766015c7f90cf7f487040a3523d0da8582
Instruction Fuzzy Hash: 7F11C171500600AFEB31DF15DC81F6AFFA8EF08720F14849AFE855A291C3B5A548CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 031E0AD6, Relevance: 1.6, APIs: 1, Instructions: 60fileCOMMON

Download Yara Rule

APIs

DeleteFileA.KERNELBASE(?,00000E2C), ref: 031E0B3F

Memory Dump Source

Source File: 00000004.00000002.499726769.00000000031E0000.00000040.00000001.sdmp, Offset: 031E0000, based on PE: false

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 01371e809c9fe57a1b3b065e684795a95c8eb7411d9f99db55c1ee7c78422395
Instruction ID: 3f993b19b3d56fe52389e87afc2f38edecf191baa249d7891eeaa737358dbf22
Opcode Fuzzy Hash: 01371e809c9fe57a1b3b065e684795a95c8eb7411d9f99db55c1ee7c78422395
Instruction Fuzzy Hash: 4D110675600600AFF720DB19DC81BA6FB98EF08724F18809AFE458A281D7A5A544CB71

Uniqueness

Uniqueness Score: -1.00%

Function 031E09F2, Relevance: 1.6, APIs: 1, Instructions: 60COMMON

Download Yara Rule

APIs

setsockopt.WS2_32(?,00000E2C,13325108,00000000,00000000,00000000,00000000), ref: 031E0A51

Memory Dump Source

Source File: 00000004.00000002.499726769.00000000031E0000.00000040.00000001.sdmp, Offset: 031E0000, based on PE: false

Similarity

API ID: setsockopt
String ID:
API String ID: 3981526788-0
Opcode ID: 1b5b0e7cab49d6e37343a0c455d052cbf1d992615c614ac119ccf665c7110fad
Instruction ID: 50bbad04d775e629c755606d22ff8ee23adb9b973d2cc40ccc56a9902ce8a15c
Opcode Fuzzy Hash: 1b5b0e7cab49d6e37343a0c455d052cbf1d992615c614ac119ccf665c7110fad
Instruction Fuzzy Hash: 1511E771500704AFEB21CF55DC84F96FFA8EF48320F18846AEE499B141C775A508CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 031E0B83, Relevance: 1.6, APIs: 1, Instructions: 56COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNELBASE(?), ref: 031E0BE8

Memory Dump Source

Source File: 00000004.00000002.499726769.00000000031E0000.00000040.00000001.sdmp, Offset: 031E0000, based on PE: false

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: e06601cf17ac94d33a9dc085a0e658d334f1b0056be39bcce40e9a7a50308aae
Instruction ID: 178c19de6d7b65982fcb07e75c080f2cea5a3359fe27ee00b49dac013dd902be
Opcode Fuzzy Hash: e06601cf17ac94d33a9dc085a0e658d334f1b0056be39bcce40e9a7a50308aae
Instruction Fuzzy Hash: 1A115E714093C49FD712CB25DC44792BFB4EF06224F0984EBED858F153D275A549CB61

Uniqueness

Uniqueness Score: -1.00%

Function 031E0D0E, Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 031E0D56

Memory Dump Source

Source File: 00000004.00000002.499726769.00000000031E0000.00000040.00000001.sdmp, Offset: 031E0000, based on PE: false

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 39dd5de99af8faaa2f8d2bc7ab7ddf4c39782dc61536177db72b60db2046ad27
Instruction ID: e11268c8aad19c77fd454cf1fe0b3a10b96be43df96e3655e31388b11040aa5d
Opcode Fuzzy Hash: 39dd5de99af8faaa2f8d2bc7ab7ddf4c39782dc61536177db72b60db2046ad27
Instruction Fuzzy Hash: A5115E756006409FDB50CF6ADC85756FBE8EF18620F0C84AAED49CB246D3B5E444CB61

Uniqueness

Uniqueness Score: -1.00%

Function 031E0932, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E2C,13325108,00000000,00000000,00000000,00000000), ref: 031E0985

Memory Dump Source

Source File: 00000004.00000002.499726769.00000000031E0000.00000040.00000001.sdmp, Offset: 031E0000, based on PE: false

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 9ba335739e50626a5b3d983afb4e48bc4dcaa35f4787f7d6808d123232b77c43
Instruction ID: 4aca9e0b2c5b9649f162541497469996e04cea0b54e71a4795f0d3391b3a8bb9
Opcode Fuzzy Hash: 9ba335739e50626a5b3d983afb4e48bc4dcaa35f4787f7d6808d123232b77c43
Instruction Fuzzy Hash: 3C01D2B1504604AFF710CF1ADC85BA6FBACDF48720F18C09AEE499B281C7B5A5448AB5

Uniqueness

Uniqueness Score: -1.00%

Function 031E075A, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,?), ref: 031E079F

Memory Dump Source

Source File: 00000004.00000002.499726769.00000000031E0000.00000040.00000001.sdmp, Offset: 031E0000, based on PE: false

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: 527d7f3cac4bddffbef10ed8671ec98b575d40e9572ff3c1366944e6d7f4719a
Instruction ID: 3142edeac5d657e0f9a9989b73543805b8edb872d5e075f6a05380a1a8058eec
Opcode Fuzzy Hash: 527d7f3cac4bddffbef10ed8671ec98b575d40e9572ff3c1366944e6d7f4719a
Instruction Fuzzy Hash: A911A175A006008FEB10CF2AD884B6AFBD8EF08220F0CC0AADD49DB642D3B5E544CF61

Uniqueness

Uniqueness Score: -1.00%

Function 031E10A6, Relevance: 1.5, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

K32EnumProcesses.KERNEL32(?,?,?,13325108,00000000,?,?,?,?,?,?,?,?,72B13C38), ref: 031E10E6

Memory Dump Source

Source File: 00000004.00000002.499726769.00000000031E0000.00000040.00000001.sdmp, Offset: 031E0000, based on PE: false

Similarity

API ID: EnumProcesses
String ID:
API String ID: 84517404-0
Opcode ID: 0c21b45de61c1957e4419be990754de849c60c389cc0f9e8db517e52fe2e9b46
Instruction ID: 15447e9566ec10bb617dc5a668c99e85ee51343e064233817508b89e80e468e4
Opcode Fuzzy Hash: 0c21b45de61c1957e4419be990754de849c60c389cc0f9e8db517e52fe2e9b46
Instruction Fuzzy Hash: 3D1180756006449FDB10CF6AD884BA6FBE8EF08721F08C4BAED49CB256D375E544CB62

Uniqueness

Uniqueness Score: -1.00%

Function 031E268A, Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

FormatMessageW.KERNELBASE(?,00000E2C,?,?), ref: 031E26DA

Memory Dump Source

Source File: 00000004.00000002.499726769.00000000031E0000.00000040.00000001.sdmp, Offset: 031E0000, based on PE: false

Similarity

API ID: FormatMessage
String ID:
API String ID: 1306739567-0
Opcode ID: 9adac353615cf0ef4b0a16e143b90f1c545a5114467e64e104eb44658dbdbb9b
Instruction ID: e66acdeafcb5a6afdf6b4ace10437867ae09dd2fb784732844fc177b5712b500
Opcode Fuzzy Hash: 9adac353615cf0ef4b0a16e143b90f1c545a5114467e64e104eb44658dbdbb9b
Instruction Fuzzy Hash: 6401B172900200ABD710DF1ADC85B66FBE8EB88B20F14812AED098B645E631F515CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 031E0232, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 031E0264

Memory Dump Source

Source File: 00000004.00000002.499726769.00000000031E0000.00000040.00000001.sdmp, Offset: 031E0000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 69cf7be6deb4a024943497b0241f7e142f33837cbeddf561b062dd88cb73e02c
Instruction ID: 5cf7d3db596a8643988fde3524bb386b0ca7d4a2bc444ff2848d3ed49572f30e
Opcode Fuzzy Hash: 69cf7be6deb4a024943497b0241f7e142f33837cbeddf561b062dd88cb73e02c
Instruction Fuzzy Hash: A301D4759006019FDB10CF26D884755FFE4DF48220F08C0AADC498F242D3B5A444CA61

Uniqueness

Uniqueness Score: -1.00%

Function 031E1486, Relevance: 1.5, APIs: 1, Instructions: 43networkCOMMON

Download Yara Rule

APIs

DnsQuery_A.DNSAPI(?,00000E2C,?,?), ref: 031E14D6

Memory Dump Source

Source File: 00000004.00000002.499726769.00000000031E0000.00000040.00000001.sdmp, Offset: 031E0000, based on PE: false

Similarity

API ID: Query_
String ID:
API String ID: 428220571-0
Opcode ID: c2c32b5f45c164182643ea4af102ea2088e270685848e4899dbe945d41b59880
Instruction ID: e11b36da9585b2d02b2e98edb8c7b243913da54d70ff2ccd8bacfd7f9fb40ff1
Opcode Fuzzy Hash: c2c32b5f45c164182643ea4af102ea2088e270685848e4899dbe945d41b59880
Instruction Fuzzy Hash: 1601AD72500200ABD210DF1ADC86B26FBE8FB88B20F14811AED094B785E671F915CBE6

Uniqueness

Uniqueness Score: -1.00%

Function 031E0FFA, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 031E102C

Memory Dump Source

Source File: 00000004.00000002.499726769.00000000031E0000.00000040.00000001.sdmp, Offset: 031E0000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 69a16dec3940cdbe6ea02b1a5ac8ec869211ce1322dc0299b3ab115371b321ae
Instruction ID: b4d5b980d48ae1a52e25c9b535b82ee22a04c90a517bbcf99b074a01c9b0afe6
Opcode Fuzzy Hash: 69a16dec3940cdbe6ea02b1a5ac8ec869211ce1322dc0299b3ab115371b321ae
Instruction Fuzzy Hash: CE01DF719006809FDB10CF2AE884796FFA8EF44621F18C4BADC4A8B642C375A448CB72

Uniqueness

Uniqueness Score: -1.00%

Function 03172D58, Relevance: 1.4, Strings: 1, Instructions: 134COMMON

Download Yara Rule

Strings

, xrefs: 03172E76

Memory Dump Source

Source File: 00000004.00000002.499656485.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: e5e41741befa59a4e389edcdbc20bb9bc1669d6ffbdb2dae8186d056e2ca7d7c
Instruction ID: f2f02f8d14bdd09f6bd110b605cf7520866d42bffa43158a18eff15d20ad2ac6
Opcode Fuzzy Hash: e5e41741befa59a4e389edcdbc20bb9bc1669d6ffbdb2dae8186d056e2ca7d7c
Instruction Fuzzy Hash: 5C41B071E241458FCB24CB69C8805BEB7B2EBCD214B2D8C76C415DB605CB35E9A38792

Uniqueness

Uniqueness Score: -1.00%

Function 03178E18, Relevance: 1.4, Strings: 1, Instructions: 130COMMON

Download Yara Rule

Strings

, xrefs: 03178F36

Memory Dump Source

Source File: 00000004.00000002.499656485.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 522f8ded3ae842ca81c2426e2f059b8de8022debaa0bac9dd7e2dfee308c1374
Instruction ID: 6b7937f704dc6b30abef62e94a69113b08d9caa510e7f1a3036c0ae32610950f
Opcode Fuzzy Hash: 522f8ded3ae842ca81c2426e2f059b8de8022debaa0bac9dd7e2dfee308c1374
Instruction Fuzzy Hash: 4541E230F142158FCB14CF68C8895AEBBB2EB89314B2DC9A6D415DB744CB31D853CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 03171458, Relevance: 1.4, Strings: 1, Instructions: 128COMMON

Download Yara Rule

Strings

$g%r, xrefs: 031714C7

Memory Dump Source

Source File: 00000004.00000002.499656485.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID:
String ID: $g%r
API String ID: 0-359987751
Opcode ID: 38c44bb64d415c15221cfe5959a33f49395461a97aa7024fcaaf121226d8f5dd
Instruction ID: 0dd80bf695d46f36973c4f80e384f3934acb6b7a498339497c09d80f1d2d0488
Opcode Fuzzy Hash: 38c44bb64d415c15221cfe5959a33f49395461a97aa7024fcaaf121226d8f5dd
Instruction Fuzzy Hash: B251E534A00214DFDB54DF68C898B9DBBB2BF89344F1540E9D40AAB365CB359D89CF61

Uniqueness

Uniqueness Score: -1.00%

Function 03171290, Relevance: 1.3, Strings: 1, Instructions: 99COMMON

Download Yara Rule

Strings

$g%r, xrefs: 03171349

Memory Dump Source

Source File: 00000004.00000002.499656485.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID:
String ID: $g%r
API String ID: 0-359987751
Opcode ID: 8be4413f456921666429c24561b683da4f12e4abfb2abf2d0d89b680520cec8f
Instruction ID: 19a286a5ddbb211d47bf220508733300c8f9952fb0c2720e949097ec53197c7f
Opcode Fuzzy Hash: 8be4413f456921666429c24561b683da4f12e4abfb2abf2d0d89b680520cec8f
Instruction Fuzzy Hash: A7410474A04219EFCB64DF68C884B9DBBB2BF49344F1540AAD40AAB354DB349DC4CF61

Uniqueness

Uniqueness Score: -1.00%

Function 031782C0, Relevance: 1.3, Strings: 1, Instructions: 98COMMON

Download Yara Rule

Strings

r*+, xrefs: 031783D7

Memory Dump Source

Source File: 00000004.00000002.499656485.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID:
String ID: r*+
API String ID: 0-3221063712
Opcode ID: 6a74090bbd79764df5363e82783b34f5d1cba8c85e55f07fe4bdd49ea3d8c451
Instruction ID: e1dded58fc3df68207c9ff334dd8f8778686debd39189b5d8718f0bf7ecd0b83
Opcode Fuzzy Hash: 6a74090bbd79764df5363e82783b34f5d1cba8c85e55f07fe4bdd49ea3d8c451
Instruction Fuzzy Hash: 0A413B70E04209DFDB58DFA9C54A6AEBBF1FF48304F19806AD40AA7260DB759A41CF52

Uniqueness

Uniqueness Score: -1.00%

Function 031721F8, Relevance: 1.3, Strings: 1, Instructions: 98COMMON

Download Yara Rule

Strings

r*+, xrefs: 0317230F

Memory Dump Source

Source File: 00000004.00000002.499656485.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID:
String ID: r*+
API String ID: 0-3221063712
Opcode ID: 72131749603ebe67c021a914ff3ecd899aa212893c5079d5e533faa858ad5e9c
Instruction ID: 03708d2e5377d7b826a7dca61d9cbd035ee29b6d56f2e571b6c2d58a62e532a7
Opcode Fuzzy Hash: 72131749603ebe67c021a914ff3ecd899aa212893c5079d5e533faa858ad5e9c
Instruction Fuzzy Hash: 18412970E09209DFCB58DFA4C5456AEBBB1FF4C304F1984AAD402A72A4D7359A87CF52

Uniqueness

Uniqueness Score: -1.00%

Function 0317D947, Relevance: 1.3, Strings: 1, Instructions: 85COMMON

Download Yara Rule

Strings

l&r, xrefs: 0317DA03

Memory Dump Source

Source File: 00000004.00000002.499656485.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID:
String ID: l&r
API String ID: 0-2436013623
Opcode ID: 3a7ce938d82ec34afde5c06b0c8e7969208b855d635326e687f4d82a1a47dbf7
Instruction ID: 472341d008dbaf2f14ed3647dd26ea356f9b03b66c2dab21d326708bcd4d9be2
Opcode Fuzzy Hash: 3a7ce938d82ec34afde5c06b0c8e7969208b855d635326e687f4d82a1a47dbf7
Instruction Fuzzy Hash: B521C735704218DBCB19DA68A4047BEB7F5BF8C310F59407AE446AB340DB319DC6C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 03179CEF, Relevance: 1.3, Strings: 1, Instructions: 48COMMON

Download Yara Rule

Strings

Hu&r, xrefs: 03179D23

Memory Dump Source

Source File: 00000004.00000002.499656485.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID:
String ID: Hu&r
API String ID: 0-1342936641
Opcode ID: 30145da42a7dae5f057ee35814017db8376df1cdaf7314d1151b3555190b2f30
Instruction ID: 05d5876ba9e754ec54638f8f188e34df76004a78eee588f585926e8af6470c45
Opcode Fuzzy Hash: 30145da42a7dae5f057ee35814017db8376df1cdaf7314d1151b3555190b2f30
Instruction Fuzzy Hash: 3EF02D717081505BC715E66DDC90A797BA6FFCA22076A426AD409DF3D4DF118C498362

Uniqueness

Uniqueness Score: -1.00%

Function 03177048, Relevance: 1.3, Strings: 1, Instructions: 46COMMON

Download Yara Rule

Strings

Hu&r, xrefs: 0317707B

Memory Dump Source

Source File: 00000004.00000002.499656485.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID:
String ID: Hu&r
API String ID: 0-1342936641
Opcode ID: 3d3359fe7586a38a9e47626f56ee9d242ec7683ef0595369b6df0ec0de846e64
Instruction ID: 373064def1d36e579958f5800fd7d5be7b5b2015178b8cae6537e5b2d5348f44
Opcode Fuzzy Hash: 3d3359fe7586a38a9e47626f56ee9d242ec7683ef0595369b6df0ec0de846e64
Instruction Fuzzy Hash: 78F0287170825047CA15BA3DAC90A7A3F6ABBCB260F69066AD019DF3D9DE11CD4543A3

Uniqueness

Uniqueness Score: -1.00%

Function 03174710, Relevance: 1.3, Strings: 1, Instructions: 43COMMON

Download Yara Rule

Strings

X1(r, xrefs: 03174747

Memory Dump Source

Source File: 00000004.00000002.499656485.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID:
String ID: X1(r
API String ID: 0-3909273932
Opcode ID: c4e29af8bf9c84eba30979592a82c3723db9e9c55ac56b296aa48e941d5231ce
Instruction ID: 3a6ea862d983d477b7a9939d7201cf739c6333edc33967157a9a0c10575fa956
Opcode Fuzzy Hash: c4e29af8bf9c84eba30979592a82c3723db9e9c55ac56b296aa48e941d5231ce
Instruction Fuzzy Hash: 6DF0BB367013A04BC62996BE94103BE32EAD7CD655F5D047EE105DB780DE76CC825391

Uniqueness

Uniqueness Score: -1.00%

Function 03177058, Relevance: 1.3, Strings: 1, Instructions: 40COMMON

Download Yara Rule

Strings

Hu&r, xrefs: 0317707B

Memory Dump Source

Source File: 00000004.00000002.499656485.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID:
String ID: Hu&r
API String ID: 0-1342936641
Opcode ID: a090647d08f6ed56188b9cf4cdaa48c40aff2a69a0c12e7c15f3cf713300aa7d
Instruction ID: b5fdce985c6dcbfe2a08815ef4280f785142aa62527485cc826776728da02ef8
Opcode Fuzzy Hash: a090647d08f6ed56188b9cf4cdaa48c40aff2a69a0c12e7c15f3cf713300aa7d
Instruction Fuzzy Hash: EFF0597130811043C518B93D6C40A3F2A9BFBCA230B64033DA00A8B3C8DE11CC4543A2

Uniqueness

Uniqueness Score: -1.00%

Function 03175AA1, Relevance: 1.3, Strings: 1, Instructions: 25COMMON

Download Yara Rule

Strings

l&r, xrefs: 03175ABE

Memory Dump Source

Source File: 00000004.00000002.499656485.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID:
String ID: l&r
API String ID: 0-2436013623
Opcode ID: bce47443999b435893af60d8f15f14cb51d3ea6e1faf352ce646ac26f78663c7
Instruction ID: c141306215c4afbf995605e5ffb33abdded0b94923cf0753618f7494b35d1fd0
Opcode Fuzzy Hash: bce47443999b435893af60d8f15f14cb51d3ea6e1faf352ce646ac26f78663c7
Instruction Fuzzy Hash: AEE026253462600FCF12AB789C8062E3B2BBE8271530D44CAD005DF347CE20DC05C3D2

Uniqueness

Uniqueness Score: -1.00%

Function 03175AB0, Relevance: 1.3, Strings: 1, Instructions: 20COMMON

Download Yara Rule

Strings

l&r, xrefs: 03175ABE

Memory Dump Source

Source File: 00000004.00000002.499656485.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID:
String ID: l&r
API String ID: 0-2436013623
Opcode ID: 994769a52f0066f1623a23a6f1980c92d193f076ce400c48bfe5d69ab9ffee49
Instruction ID: 67bb05ff6f89797db9396e4c1ac29e0bf4821ddc4ddf3529cb1dbb1c3fb78cb1
Opcode Fuzzy Hash: 994769a52f0066f1623a23a6f1980c92d193f076ce400c48bfe5d69ab9ffee49
Instruction Fuzzy Hash: 59D0A7557822242BD915B97E680067F374E7AC5A55344446CE405CE345DE11DC0183D5

Uniqueness

Uniqueness Score: -1.00%

Function 03173B6B, Relevance: .4, Instructions: 390COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.499656485.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efe765c3a642994003198c462dc51ad3675d341021c130bbfe7e9bb4f0861986
Instruction ID: 5342d32a03f91201267779ac0df2c7b4a55c71416b88f756eea42c8bfe70e639
Opcode Fuzzy Hash: efe765c3a642994003198c462dc51ad3675d341021c130bbfe7e9bb4f0861986
Instruction Fuzzy Hash: FDE18075A00115CFCB15CF58C9849A9FBB6FF8831071AC996E9199F226C730EC92DBD1

Uniqueness

Uniqueness Score: -1.00%

Function 03175BC0, Relevance: .2, Instructions: 241COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.499656485.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5815944e40e600f5ad96020bca7cca1483ce61c2b559c99f970f14806ceec6ac
Instruction ID: bd89da793776f79e316ae14fcf7e1d30447738f9b1db731cb2260140998ea0c6
Opcode Fuzzy Hash: 5815944e40e600f5ad96020bca7cca1483ce61c2b559c99f970f14806ceec6ac
Instruction Fuzzy Hash: FA813C31A00519CFDF15CF24C89069AF7B7BF8A304F1985D5D90AAF215DB71AA8ACF90

Uniqueness

Uniqueness Score: -1.00%

Function 0317A78F, Relevance: .2, Instructions: 235COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.499656485.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f59f9c7f78c8e03d85bd72092648c4332fac326efd7b876b87fd227e413f72bb
Instruction ID: c7cd5d77da0b049af7dec86a6c3f9648cfc10465fac10e3dbf7508c327df03f1
Opcode Fuzzy Hash: f59f9c7f78c8e03d85bd72092648c4332fac326efd7b876b87fd227e413f72bb
Instruction Fuzzy Hash: 6581D1707006269BC704EB68C854A6EBBB7FFC4704F64852DE206AB794DF71AD0687D2

Uniqueness

Uniqueness Score: -1.00%

Function 0317E970, Relevance: .2, Instructions: 192COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.499656485.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b37ef3f83b07966eaa76acd4f7c19ac6c4727b1bb22902c773c1d8d76314ece5
Instruction ID: 514f0889171a69d4fc8a7ff5080bbaa6304f44d94378adbe0e017dbbf81512b6
Opcode Fuzzy Hash: b37ef3f83b07966eaa76acd4f7c19ac6c4727b1bb22902c773c1d8d76314ece5
Instruction Fuzzy Hash: BF712B34A04605DFDB19CB68C488BAAFBF2BF4C314F1D9599D416A7661CB71E881CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 03174DB8, Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.499656485.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc681e0a3a2e69ad31a4525187417e2db64d4a625e31b868cd8eb2c50bfca149
Instruction ID: 59f2b0e288d5abaae08bda46af1e66fb598c31cb5a0477d2e171fb957a7554dd
Opcode Fuzzy Hash: dc681e0a3a2e69ad31a4525187417e2db64d4a625e31b868cd8eb2c50bfca149
Instruction Fuzzy Hash: 1461CD35604205CFCB09DB6DD59497E7BB2FFC9310B1A84A6D4068F259DF34AC86CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0317DDC0, Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.499656485.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1dcc88669c2896ca5ebf2b036be2a19f7495a74878bd3b6a78aa749cee28e012
Instruction ID: ae73cfb0774af5dd4c24317674616477c48e0af01822c535854fd94748d9d1e6
Opcode Fuzzy Hash: 1dcc88669c2896ca5ebf2b036be2a19f7495a74878bd3b6a78aa749cee28e012
Instruction Fuzzy Hash: 8D51A331A10119DFCF09DFA4D4508AEB7B7FF98310B198465E906AF254DB30ED46DB91

Uniqueness

Uniqueness Score: -1.00%

Function 031771C0, Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.499656485.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4e53fcc40ceecc481f3fbb996d59552fc7635bc7da56056711bfd76f0093379
Instruction ID: ed7d7636ca846817766efb0549cf8b8294a3f675fe80766404b645d57f2ca468
Opcode Fuzzy Hash: a4e53fcc40ceecc481f3fbb996d59552fc7635bc7da56056711bfd76f0093379
Instruction Fuzzy Hash: 3B312A3190061ACFDF15CF24C854AEAB7B2EF89304F558494D909BF245DBB06B8ACF90

Uniqueness

Uniqueness Score: -1.00%

Function 03176D28, Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.499656485.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38a8f178519e562cbd319a476ebabe2a4067f6fb4936fc44bdff35fa8cb3e0a4
Instruction ID: 16ef07cc2e1261b85929d53efe6b8eec5974cd638604594190c903671bbf955d
Opcode Fuzzy Hash: 38a8f178519e562cbd319a476ebabe2a4067f6fb4936fc44bdff35fa8cb3e0a4
Instruction Fuzzy Hash: 9A514C75F106158BCB18DBB9C4506AEB7F3AFC8300B298569C40AAF345DF35AD42CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 031776A8, Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.499656485.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41029927c5ab62e067ec529d48008c9d48eb69b69fe26e5dd8f6202973b6d537
Instruction ID: c3f510d85ac224dd25653095a9ff48aca4a326835511fbffcb7737f89a68a371
Opcode Fuzzy Hash: 41029927c5ab62e067ec529d48008c9d48eb69b69fe26e5dd8f6202973b6d537
Instruction Fuzzy Hash: F0510374D00618DFCB19CFA9C9846ACBBF1FF48310F29856AD45AA7294E7316D86CF50

Uniqueness

Uniqueness Score: -1.00%

Function 03177979, Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.499656485.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8d4722e357ade50e933f8b1fac4c22e490d0d8a8ba7b9cee08650d7b8b21976
Instruction ID: ff12457da5a48804f51d515800223d662d1328d836fd59674d85cea49134b2ac
Opcode Fuzzy Hash: c8d4722e357ade50e933f8b1fac4c22e490d0d8a8ba7b9cee08650d7b8b21976
Instruction Fuzzy Hash: E9515B34A00215CFCB14DB78C584BADBBF2FF89311F6981B9D84A9B295DB319C81CB61

Uniqueness

Uniqueness Score: -1.00%

Function 03170BC0, Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.499656485.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d15019e50ca26d2cb6146a3684229b1a8bb92c2d86a24281556cea319ac73d8b
Instruction ID: 395dfdc14305127c9e02bc9769dc742af8101b55dd736903eb5e3dbbf6defdda
Opcode Fuzzy Hash: d15019e50ca26d2cb6146a3684229b1a8bb92c2d86a24281556cea319ac73d8b
Instruction Fuzzy Hash: 3341A931B042148FC719DB68C41466E77F6AFCD310F1A80AAE906EF355CFB69D458791

Uniqueness

Uniqueness Score: -1.00%

Function 03170682, Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.499656485.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93db3e3486f531c1de135b44f947e2b33f7e46388a319be498219136653585e6
Instruction ID: e55947fdb6adf3f8da7b56433624baa72af37d4ca85ec6bf2fb4f305d4c9f071
Opcode Fuzzy Hash: 93db3e3486f531c1de135b44f947e2b33f7e46388a319be498219136653585e6
Instruction Fuzzy Hash: 8B4162356022518FC728BB38F85C66D3B6ABFD870DF19456AF402CB268DF718C458BA1

Uniqueness

Uniqueness Score: -1.00%

Function 03172BF8, Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.499656485.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4830be4be0f095c109dfdb26dd27e4b66a354bcdbc1dfcd1f757ad1a6aa73cad
Instruction ID: 8b1450b5c857c06e6e2ae0299600ed6f76d27441bc27fd221e1d003711e807e9
Opcode Fuzzy Hash: 4830be4be0f095c109dfdb26dd27e4b66a354bcdbc1dfcd1f757ad1a6aa73cad
Instruction Fuzzy Hash: AC41E43050D291DFC729C724D8945787BB5EF5A300B0E89A7D496CF652C3329C87C762

Uniqueness

Uniqueness Score: -1.00%

Function 03177FA0, Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.499656485.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba9d6024bd20d7d17f54317cd85699f68e93f19daa667e113605240c5d8d6de3
Instruction ID: a1df36adcf35102ca4e495bbef416c595eb73802482b656f739dd2676a4da928
Opcode Fuzzy Hash: ba9d6024bd20d7d17f54317cd85699f68e93f19daa667e113605240c5d8d6de3
Instruction Fuzzy Hash: 6641D33560420ACFCB04DF68C5899ADFBB1FB88314F29C176E4258B255D731EC96CB91

Uniqueness

Uniqueness Score: -1.00%

Function 03170690, Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.499656485.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbeb12b5a8c5f9f520366f2c03d82c5feafcb164b721224da8546a5c7cdfa4f1
Instruction ID: 2dd24fa7da05c7f680e542e8fd32b6f911adbe9aed6b5a36f6cb5b36e5f2018b
Opcode Fuzzy Hash: dbeb12b5a8c5f9f520366f2c03d82c5feafcb164b721224da8546a5c7cdfa4f1
Instruction Fuzzy Hash: 024161356022518BC728BB78F81C66E3B6ABF8470DF194569F502CB268DF718C858B91

Uniqueness

Uniqueness Score: -1.00%

Function 031768AA, Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.499656485.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebb46d22a8510f5f3f6d7d4f72fef7aaf550737ee089555e4761dbc9daa754f6
Instruction ID: 63e6bcadb6f0976cb4c8e8b9ecd10133898a210771c850b35918ec904762df05
Opcode Fuzzy Hash: ebb46d22a8510f5f3f6d7d4f72fef7aaf550737ee089555e4761dbc9daa754f6
Instruction Fuzzy Hash: B641B038A01310DFC715DB78D09416E7BF2FBCD20635840A9E906AF786DB369C46DB62

Uniqueness

Uniqueness Score: -1.00%

Function 031768B8, Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.499656485.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 888193f37d835e504fcb0ad66f694060200b5c26ce77cb5c1fad6160699e7f56
Instruction ID: 2737dbb0c8f346d550946403ab594a9e25e6ad902842aedeffdb98c7ada22f97
Opcode Fuzzy Hash: 888193f37d835e504fcb0ad66f694060200b5c26ce77cb5c1fad6160699e7f56
Instruction Fuzzy Hash: 0F419038A01610DFC715DB78D09415EBBF2FBCC64635840A8E906AF786DF36AC46DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0317AB30, Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.499656485.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4057fa241aec9ab70644c2308a7e1c6a8571c070065089edd3dc4ff2649ba2b8
Instruction ID: 6f7221821bc011859ecd05d4ae4e2f8be76e91f055bc20b521e4d3e6d8a0ac65
Opcode Fuzzy Hash: 4057fa241aec9ab70644c2308a7e1c6a8571c070065089edd3dc4ff2649ba2b8
Instruction Fuzzy Hash: EC31C0B1A006658FC718DBACC8901AEBBF2FF88310B28446EE446E7740DB35ED41CB95

Uniqueness

Uniqueness Score: -1.00%

Function 031702DA, Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.499656485.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2db52596b9456d19462c0ae8b82d96eb9027144c5d7f15541ec7b1ffd29c225
Instruction ID: b94e1ffba4feb5d2bf5535b7cd1cc2130e10add2973f199c6c06c4c01f4e43a8
Opcode Fuzzy Hash: f2db52596b9456d19462c0ae8b82d96eb9027144c5d7f15541ec7b1ffd29c225
Instruction Fuzzy Hash: 33416971B00205CFDB18CB68C594BAEBBB2FF8D710F2944A9D512AB3A1CB31AC40CB51

Uniqueness

Uniqueness Score: -1.00%

Function 0317DDB1, Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.499656485.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4656f6232998745a9f08b4213bd89bbe928cb34128e004fc0650135a22096a66
Instruction ID: e2298f637510e635420b7b73a4ad43d08cd0f6cd7445006fc862fe1ea2836b24
Opcode Fuzzy Hash: 4656f6232998745a9f08b4213bd89bbe928cb34128e004fc0650135a22096a66
Instruction Fuzzy Hash: F831D532A1020CDFCF0ADFA4D8448EEBBB7BF58300B194469E906AB251DB309D55D751

Uniqueness

Uniqueness Score: -1.00%

Function 0317DC99, Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.499656485.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2e72ecb5b446a7ebfd3eb93548cd1055af1e5f88631dff9847a912c315ba3fc
Instruction ID: 6a3948e71488ec777cc8e19e367b9dcc88b9ae35a3f1f4d0290646c7d5378c04
Opcode Fuzzy Hash: b2e72ecb5b446a7ebfd3eb93548cd1055af1e5f88631dff9847a912c315ba3fc
Instruction Fuzzy Hash: 34313E75A01208DFCB58DF68D944AAEFBF5BF8C310F198169D40AA7281DB71DD81CB90

Uniqueness

Uniqueness Score: -1.00%

Function 031743C0, Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.499656485.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd1a56b8a2fbb15a2a91f86592847c17b51ec5cf887124abe2256f453e81e742
Instruction ID: a643556c379e76fd6715b5063377378ce6a6a91fb134c3a5a51fa994762dbcb8
Opcode Fuzzy Hash: fd1a56b8a2fbb15a2a91f86592847c17b51ec5cf887124abe2256f453e81e742
Instruction Fuzzy Hash: 6B314C36500111DFCB15DF68E84889D7BF2FF89308B1980A5E4069F229DB31AD5AEF71

Uniqueness

Uniqueness Score: -1.00%

Function 031720D0, Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.499656485.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2bb79e197397f775d3a7886ba02c08334c4f0bffa99f8c470d6a602c17b36822
Instruction ID: eb6f7a79904e5d299bd5a4a26d4db7063528ed047398f20860a9fc65cc83d100
Opcode Fuzzy Hash: 2bb79e197397f775d3a7886ba02c08334c4f0bffa99f8c470d6a602c17b36822
Instruction Fuzzy Hash: D0318234A04245DFCB09DB68C891A7E7BB5FF89300F198866D546DB244DB30ED83CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 03170006, Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.499656485.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00c62530a60e0308aca6aa2e191b96013aee4d2cff3e2ed0e0ea99a6e76bd732
Instruction ID: 01e91370bb4d8fefdffc7a2ff3c73c1c5993adb879daeb551849d510b63a26a3
Opcode Fuzzy Hash: 00c62530a60e0308aca6aa2e191b96013aee4d2cff3e2ed0e0ea99a6e76bd732
Instruction Fuzzy Hash: B9317CB410E382DFC706DB74D8A55587FF1BF86318B09489AD081CB296DB799D48CB13

Uniqueness

Uniqueness Score: -1.00%

Function 031745C8, Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.499656485.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb19c75ffc19302b2744ba34b7784528fe35a3bf8e7237abffdb72ad6a7b918e
Instruction ID: 9a37a1886fbe1aa64edeab9bb411f2f425a28dd5cce63d45f7d5985870db9e8f
Opcode Fuzzy Hash: cb19c75ffc19302b2744ba34b7784528fe35a3bf8e7237abffdb72ad6a7b918e
Instruction Fuzzy Hash: 54218275B0011A9BDB28DAAAD841AFFB3BDFBCC304F18412AE619D7140EF70994487A1

Uniqueness

Uniqueness Score: -1.00%

Function 0317E078, Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.499656485.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10138984b705d38499ce54b0a57dbda4fd348b306cd0199127738f0b6828f5fc
Instruction ID: e2e10a1884230d9df595d366d62d9b00d435ec435c9824d738112928d197725c
Opcode Fuzzy Hash: 10138984b705d38499ce54b0a57dbda4fd348b306cd0199127738f0b6828f5fc
Instruction Fuzzy Hash: B841F930A04B51CBD339CF2AC945766FBF2BF89305F5C88ADC19646AA0DB76A485CF10

Uniqueness

Uniqueness Score: -1.00%

Function 03176D18, Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.499656485.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 484bb89b094bc47e2aa372d0c86b75b37f42e25f2a8de676c6fb2ea947c28c44
Instruction ID: ddaaa7c3868e64f09cf513aee14f7b4791c62a21f1c7e7d1038fe96638be0c77
Opcode Fuzzy Hash: 484bb89b094bc47e2aa372d0c86b75b37f42e25f2a8de676c6fb2ea947c28c44
Instruction Fuzzy Hash: 20315E75E106098FCF08DBB9C95469EBBF3BF88300B184569C809EB355DB31AD46CB90

Uniqueness

Uniqueness Score: -1.00%

Function 031750E0, Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.499656485.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47c24615ca1b304011c9893f2edab51ff2241a6f84faa816ad8fc7caaac677dd
Instruction ID: 641eaf678b6c6b59b6bd9b277d2c9a0440f2ba4ff27b9341c9727bc85762755d
Opcode Fuzzy Hash: 47c24615ca1b304011c9893f2edab51ff2241a6f84faa816ad8fc7caaac677dd
Instruction Fuzzy Hash: E1216B70E003099FDB04DFB9C4146AEFBF7AF89301F194429D40AAF255EB70A986CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0317DAA8, Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.499656485.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 462259b9396514f1fea4aecde92ffdd5e420a8d6016467d1814e7125856e56d3
Instruction ID: b959de51dd6561fa9992e6a51bbf88b3e743730bfdb95121131eac9229fab0cc
Opcode Fuzzy Hash: 462259b9396514f1fea4aecde92ffdd5e420a8d6016467d1814e7125856e56d3
Instruction Fuzzy Hash: C7314B317007068BC755A779C46026E7BE3BFC5218B68896CD0869F794DE7AAC0BCB91

Uniqueness

Uniqueness Score: -1.00%

Function 0317DF88, Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.499656485.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 506521fdf67f679b4d93e94c1ec4773e17670b020b0ee8f1e2fed9050dec70e2
Instruction ID: 93237a71dffea6bd49b768b375cf5bc06a6cc1939caffc428408b1e9c16a0b26
Opcode Fuzzy Hash: 506521fdf67f679b4d93e94c1ec4773e17670b020b0ee8f1e2fed9050dec70e2
Instruction Fuzzy Hash: 3821B0BAE05219DFDB04DBB4D8105EFBBF5EF89300F0984A6D115EB150D330AA86C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 031743D0, Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.499656485.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bff3e2255c0beeca10b7c6e833d913d67eb33082de681b97960e18d8f3d7cb1a
Instruction ID: fa78e312a9ca43817a9f4904a434a3a9bc7e2fb71e34829876845b0193cd2c7b
Opcode Fuzzy Hash: bff3e2255c0beeca10b7c6e833d913d67eb33082de681b97960e18d8f3d7cb1a
Instruction Fuzzy Hash: 1B31D739500115DFCB05DF68E84889D7BF2FF88308B5980A4E4075F269DB35AD9AEFA1

Uniqueness

Uniqueness Score: -1.00%

Function 03178108, Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.499656485.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f20181131be45b842e3aeb97b63ea682b576804a535919e425fd68482eed19b5
Instruction ID: 3625397e2d03a85796be6a63a9f80714975348a1a97177aed0918775d4c02d4f
Opcode Fuzzy Hash: f20181131be45b842e3aeb97b63ea682b576804a535919e425fd68482eed19b5
Instruction Fuzzy Hash: 4B31BB75A10310DFCB08EB78E45962D7BB3FB8931571A886AE002CB399DF798C85DB51

Uniqueness

Uniqueness Score: -1.00%

Function 031701A8, Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.499656485.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bae3eb84277c80055fda72b88b2a9fdd8ff9492971bb9d306db63256470b80ea
Instruction ID: 89530628996573a3e0e7afc9371240638af2a9e7f32d120ff1c261e0a7cf26cf
Opcode Fuzzy Hash: bae3eb84277c80055fda72b88b2a9fdd8ff9492971bb9d306db63256470b80ea
Instruction Fuzzy Hash: 1D2159B1B012159FEB10CB68DC80F2A3BF9FF8E754F180099E505DB381EA61EC058BA5

Uniqueness

Uniqueness Score: -1.00%

Function 03178D18, Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.499656485.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd06b0ddc79330fc82aed46cd542841857a23ad777f074b78293387629201c09
Instruction ID: b723e6000e6395e5e6f23325b043184f7a7140c4af8ad47b0662cae83d016772
Opcode Fuzzy Hash: cd06b0ddc79330fc82aed46cd542841857a23ad777f074b78293387629201c09
Instruction Fuzzy Hash: 92212532208255DFC708CB28CC8D969BBF6FF6E350B0E45A6E44ACB651CB719C40C792

Uniqueness

Uniqueness Score: -1.00%

Function 0317A418, Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.499656485.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be4f8032b95c50694fa29e57afd066e119c69b99d3735072305e6598c4128bdf
Instruction ID: dd372a176e96dca6976a15a0cfb250d12943f3f31c7d3a8de5fdfb21e445e30e
Opcode Fuzzy Hash: be4f8032b95c50694fa29e57afd066e119c69b99d3735072305e6598c4128bdf
Instruction Fuzzy Hash: 9F219F31B00255DBCB18DFB8D8449AEB7B5BF88704F188969D107AB384DB71AC85CB91

Uniqueness

Uniqueness Score: -1.00%

Function 031766E2, Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.499656485.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4577f4301cdd902d54ce2d608904a5ffc37bc127a2ef9f07fbc07818fb46097f
Instruction ID: daed12a7d302410b779ad8030d693992eead401ef1fabdb09fecee5835d4fd6a
Opcode Fuzzy Hash: 4577f4301cdd902d54ce2d608904a5ffc37bc127a2ef9f07fbc07818fb46097f
Instruction Fuzzy Hash: 11314B346107168BC704AB38D09865E7BA2FB8521D394892DE44A8F384DFB69C4BDBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0317CE30, Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.499656485.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 676e983837f3526e693425f00fe5922f6278524eccd03aa6ba8d0a3b8ba1ea83
Instruction ID: bd3f9d86f6000ec6cbd897e93ffb511c1bae641819a0e5445191ca24402b90c2
Opcode Fuzzy Hash: 676e983837f3526e693425f00fe5922f6278524eccd03aa6ba8d0a3b8ba1ea83
Instruction Fuzzy Hash: 5131FB74601211CFCB499B38E05845ABBB2FB8931D36488ADE40A9F395DF769D4BCBD0

Uniqueness

Uniqueness Score: -1.00%

Function 031782B0, Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.499656485.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9a7f9a67fb41ead9b8c70edc77b2d04f5c300455fab74539e77cf64a56a7ee8
Instruction ID: 56ceb42348ce88af2dc1561a2150a936de5f797019a2a832587ceb5e3c5fbab7
Opcode Fuzzy Hash: e9a7f9a67fb41ead9b8c70edc77b2d04f5c300455fab74539e77cf64a56a7ee8
Instruction Fuzzy Hash: BB317F30D08205DFCB18DFB8C09A6BEBBB1AF49304F1944AAC40AEB351D771DA81CB52

Uniqueness

Uniqueness Score: -1.00%

Function 03174511, Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.499656485.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c8c5d9e73d10beb145195143866d3bc5f590b9f5b3e6018d404f45b8a907628
Instruction ID: 0014f06b60d36d50e3098b6950c3cf9880bec576722295556147f3b5ac01df96
Opcode Fuzzy Hash: 6c8c5d9e73d10beb145195143866d3bc5f590b9f5b3e6018d404f45b8a907628
Instruction Fuzzy Hash: BA212572E082828BCB07C629D8216AEBBB59F8B310B4D05FBD446DB382DF258845C752

Uniqueness

Uniqueness Score: -1.00%

Function 031701B8, Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.499656485.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f86bea6063a5cc181b8a9a7a6fc4e58ba48d726ff3541353005a80849e4b149
Instruction ID: 64b9a3eab7f40b3b48b014e8c3859010c5095ef686474a58601a60fdeb630d9d
Opcode Fuzzy Hash: 1f86bea6063a5cc181b8a9a7a6fc4e58ba48d726ff3541353005a80849e4b149
Instruction Fuzzy Hash: 25214DB5B012159FEA10CA6CDC80F2A77E9FFCD754F140499E5069B340DA71FC058BA4

Uniqueness

Uniqueness Score: -1.00%

Function 03176F68, Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.499656485.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3467896918723ab4cf0469e6a54fdc57484ad511b9ff586e65fbdf3cab1d9ad9
Instruction ID: ddb4a65868c7e8861f03f08eb46193df4b031db7e0ac465726e3bff4d244834a
Opcode Fuzzy Hash: 3467896918723ab4cf0469e6a54fdc57484ad511b9ff586e65fbdf3cab1d9ad9
Instruction Fuzzy Hash: 3821D174B002118BCB08EBB9886067FBAF7EFCE600B59443E9406DF391DE359C0183A1

Uniqueness

Uniqueness Score: -1.00%

Function 031786A6, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.499656485.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78e66c6977c93ea931963f01ac9739252c6741a1a800207137285a70ea7968c0
Instruction ID: bb8c5b2136c7b6e689efc2af4e7544988a67d6774c2640d5aa0090c6770e59d2
Opcode Fuzzy Hash: 78e66c6977c93ea931963f01ac9739252c6741a1a800207137285a70ea7968c0
Instruction Fuzzy Hash: B1315674A1030ACFDB60DF69C04A75AFBF2BF89308F18C169D4169B255CBB49889DF81

Uniqueness

Uniqueness Score: -1.00%

Function 031725DE, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.499656485.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ddddc2c8cfcd7abfadaa3ad3d920e68d974cffdc829d8c279526f34c5f0d027
Instruction ID: cddcf3aabb5ba6bf8ce8b631084e27b8050018d511cc46b6b5193534f390b206
Opcode Fuzzy Hash: 4ddddc2c8cfcd7abfadaa3ad3d920e68d974cffdc829d8c279526f34c5f0d027
Instruction Fuzzy Hash: 05319CB0E00246CFDB60DF69D44465AFBF6FF88314F28C569C0059B258DB74988ACF52

Uniqueness

Uniqueness Score: -1.00%

Function 031721E9, Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.499656485.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24f53215aa2f799a7ccd5e6e4f4a22d5e524df397cffe5406f465b0913e69f68
Instruction ID: 572a7e328bc5c032f986807dbf6e52ffd2623e05d4a9fa6a8989ba823a580035
Opcode Fuzzy Hash: 24f53215aa2f799a7ccd5e6e4f4a22d5e524df397cffe5406f465b0913e69f68
Instruction Fuzzy Hash: 3A31F970E08209DFCB58DBA8C5446BEBBB1FB4D304F19489AD502A7264D735DA87CB52

Uniqueness

Uniqueness Score: -1.00%

Function 0317A409, Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.499656485.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7eb428275ced5c32152ddae208fdb070e317035a098e94ae690919c29effd14
Instruction ID: ba9cb97fdacafb92cf006a826acc74f05f12a94fc699a422b72bfbc6e6a331f2
Opcode Fuzzy Hash: f7eb428275ced5c32152ddae208fdb070e317035a098e94ae690919c29effd14
Instruction Fuzzy Hash: 9121D271B00215DBCF18CE68D849AAE77B5BF88704F1C4569E503AB784DB72AC848B91

Uniqueness

Uniqueness Score: -1.00%

Function 0317AB20, Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.499656485.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59446cc8054e8c913de181f0141371c857ebc878781591d009327516bdc271b9
Instruction ID: 3d79045406ce2f10db68063b717d7e67dfa7563978fb13d8b521e083bc3a7133
Opcode Fuzzy Hash: 59446cc8054e8c913de181f0141371c857ebc878781591d009327516bdc271b9
Instruction Fuzzy Hash: 0A21AEB6E102299FCB04DB98D8944AEFBF2FF8C210B18856AE456E3310D335AD41CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 03176F78, Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.499656485.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: edf2c467628f724fde438828de39fbd818704a93f08967e0d3669d012d1d8af0
Instruction ID: 90dc21a4c1f0cac464c4b4a8f39b1495b242a7b2309d68a4468f5457efec1e07
Opcode Fuzzy Hash: edf2c467628f724fde438828de39fbd818704a93f08967e0d3669d012d1d8af0
Instruction Fuzzy Hash: C7119078B002159BDB0CE7BA885067FB6FBEFCE604B59453D900A9F391DE759C0143A1

Uniqueness

Uniqueness Score: -1.00%

Function 0317E660, Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.499656485.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fa49309901ff770eacfcbf1f2172e79ca4a570d0b87d13a39640a404a2eed03
Instruction ID: c318f24e1aed8160bc4a4439a12654b610e578350be6d27020f20007bc585f38
Opcode Fuzzy Hash: 3fa49309901ff770eacfcbf1f2172e79ca4a570d0b87d13a39640a404a2eed03
Instruction Fuzzy Hash: 9611C179A00704CFCB18DBB59545AEABBF6EF8C310F204479E546E7740D731DA828BA0

Uniqueness

Uniqueness Score: -1.00%

Function 031746A9, Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.499656485.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c0c9961d4765ab7b5922603b5b347c720fff1b7c3e72378b783849a459fd4cf
Instruction ID: fc2f2f92fd80f4f59e108071765083fc270a46993c1872d232efd516d7e3ce7e
Opcode Fuzzy Hash: 6c0c9961d4765ab7b5922603b5b347c720fff1b7c3e72378b783849a459fd4cf
Instruction Fuzzy Hash: 0B11E136A412A08FCB2596BAE8117FA33B9DBCA365F0D04BBE105CB240DB2688428751

Uniqueness

Uniqueness Score: -1.00%

Function 03175F68, Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.499656485.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85ff3f0577ca1d2b03f1e64c5d69947b47ad4e2e7b5e71b2597ba18ded01b8ed
Instruction ID: 31780ba10e0cb0cce38ee6f3421712e79125f7ccb4e670b84fa4c14e042aaa3e
Opcode Fuzzy Hash: 85ff3f0577ca1d2b03f1e64c5d69947b47ad4e2e7b5e71b2597ba18ded01b8ed
Instruction Fuzzy Hash: A1113832A08650CFC724D778D8007AE3BB59B8B340B0D009BC506C7241E7345D4687A2

Uniqueness

Uniqueness Score: -1.00%

Function 03175000, Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.499656485.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04be999628eb7ed8eef0278494849a11f7b6083b428b9005c7276a631efaab7f
Instruction ID: 8ea70507e05c96792450344225ec69a7e47dd6a521fbc547a92a8f53fe1d6715
Opcode Fuzzy Hash: 04be999628eb7ed8eef0278494849a11f7b6083b428b9005c7276a631efaab7f
Instruction Fuzzy Hash: 97117235B042159FCB48EBB8945026E77F2EB89604B594479C50ADF244EF319D4287E6

Uniqueness

Uniqueness Score: -1.00%

Function 031750D0, Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.499656485.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cd5142dfb7c874ff85a500fc4525352b78d34cd3b0f264ac2d56561fff57b58
Instruction ID: 23f329afd81bee9e541251a0d7f78632fbea1e2545ec45f89ed1fad65cc1b848
Opcode Fuzzy Hash: 4cd5142dfb7c874ff85a500fc4525352b78d34cd3b0f264ac2d56561fff57b58
Instruction Fuzzy Hash: 0F116D71D003099FDF00CFA4C4596DEBBF2AF89305F154425C409AF215EB706A8ACB80

Uniqueness

Uniqueness Score: -1.00%

Function 031748C8, Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.499656485.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a04dc78d05034663f1b583e00de5704161efb2e00248ffd250eb023becaddb3
Instruction ID: 4039513f5cc6b1cfecbb22852b986ae5afdb975c4595921802a5417ab75ee4cd
Opcode Fuzzy Hash: 0a04dc78d05034663f1b583e00de5704161efb2e00248ffd250eb023becaddb3
Instruction Fuzzy Hash: CE117332F08119DBCF09DAA9D8505EEBBBAAFCD710F19442AD506B7281DF305E4687A1

Uniqueness

Uniqueness Score: -1.00%

Function 03170B18, Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.499656485.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d227be26b3e75ab6924aca2ca2b115705380db096fbc1fcfbf948be4faf6717
Instruction ID: 9b18d0aba2bae16515a790e800bf8620efe59c9de355d36ce91cf88b0d026224
Opcode Fuzzy Hash: 4d227be26b3e75ab6924aca2ca2b115705380db096fbc1fcfbf948be4faf6717
Instruction Fuzzy Hash: 7111C829B98316EBCB28D5789C1876E62B9574C64DF2E496A9803EB140DB31CB80C391

Uniqueness

Uniqueness Score: -1.00%

Function 0317C368, Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.499656485.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e5b6107579e980015d6819b92a3b59a6ebdd98ff176f7b0bba28f9926fca937
Instruction ID: 4acb825f5165b6b8cf6dcd7909e774d5b1e0e42f851297f7196c63d59218ecaf
Opcode Fuzzy Hash: 5e5b6107579e980015d6819b92a3b59a6ebdd98ff176f7b0bba28f9926fca937
Instruction Fuzzy Hash: 83113D74B00111ABC748EB6DC454A6EB7F7EBCC7547198069E80A9B350CF32EC4287A5

Uniqueness

Uniqueness Score: -1.00%

Function 03174520, Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.499656485.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74c08c6455fff919ba5061c34b7de89dcc5af8a2e7328a19f67c0195810c1dec
Instruction ID: cbd5f9a4da14fb7fc95901d22ebf09ab4f2e7c83c6814eb994aafb4bb69758a1
Opcode Fuzzy Hash: 74c08c6455fff919ba5061c34b7de89dcc5af8a2e7328a19f67c0195810c1dec
Instruction Fuzzy Hash: 0001C436E0451487CF08DA6AE4002EFB7B69FC9761F09403AAD069B344DF719D4587D1

Uniqueness

Uniqueness Score: -1.00%

Function 0317C488, Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.499656485.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e253b5dde50919488a3ce78b5e90b63b9740ff768bd7f1d4a2251cd17951967
Instruction ID: 5a82f0353821643ef1efcafc8bcfc9c670af9cfacefc442fb0092e78068f2af0
Opcode Fuzzy Hash: 4e253b5dde50919488a3ce78b5e90b63b9740ff768bd7f1d4a2251cd17951967
Instruction Fuzzy Hash: 5C1101713042418BC618EB3CE05003EBBB79FDA358359886E904B8B291DB72DC868BD1

Uniqueness

Uniqueness Score: -1.00%

Function 0317E890, Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.499656485.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c12528d8a3792da30ac1e50c885b02ed0edf78634aad9aaafeb765086eebd18c
Instruction ID: ee08d9c794bb8aecd7e914a37413cb3ecf8a6da886f8bc9fdb2e049a149e5c06
Opcode Fuzzy Hash: c12528d8a3792da30ac1e50c885b02ed0edf78634aad9aaafeb765086eebd18c
Instruction Fuzzy Hash: BD012D321093609FC719D668A8104F77FF5DA8A32030944EFE45ACF641DB229D85C7F0

Uniqueness

Uniqueness Score: -1.00%

Function 0317C498, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.499656485.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30b4fb1115e14b7d7361e0dc897ce074af82ac81924a870d14a89ccdc8ce7e57
Instruction ID: a68cb43b9c090149c9de32dd6355a2ac94def2d5e4373456c1cb5c57bbaa6516
Opcode Fuzzy Hash: 30b4fb1115e14b7d7361e0dc897ce074af82ac81924a870d14a89ccdc8ce7e57
Instruction Fuzzy Hash: 061194713082418BC61CEB6CD05013EBBB79BE9358759892E944F8B391DF72DC878B91

Uniqueness

Uniqueness Score: -1.00%

Function 0305087C, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.499559270.0000000003050000.00000040.00000040.sdmp, Offset: 03050000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4b53b3ce05e67e81a5bad6bfa10327453f20743dd1140ad6394a5a7a5d69563
Instruction ID: 5d594dd4abee4a4f093a3caf9205b9fb55d0722ec2dd85dba832b82a12ec7643
Opcode Fuzzy Hash: d4b53b3ce05e67e81a5bad6bfa10327453f20743dd1140ad6394a5a7a5d69563
Instruction Fuzzy Hash: A111C035205645DFD705CB14C944F2ABBD5AB88708F28C99CF9891B642C37B9803CA91

Uniqueness

Uniqueness Score: -1.00%

Function 03174FF0, Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.499656485.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1527b3473b45b7bb3b5acf5eb74b584f4e45158d178ecd672e2128a245857739
Instruction ID: fc32a706a63c3ce87a1aafe3f89a81b5638a4e7a63298d8b30106fcee17717be
Opcode Fuzzy Hash: 1527b3473b45b7bb3b5acf5eb74b584f4e45158d178ecd672e2128a245857739
Instruction Fuzzy Hash: ED11C436E10215DFCB44DBB898807EEB7F6FF8D210B59442AC509EB240EB304946CBE6

Uniqueness

Uniqueness Score: -1.00%

Function 031711DF, Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.499656485.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 362ba95c02dd1fa3ebdce4c14158f477fb194097061e7a87e32c28b4a491666a
Instruction ID: 804d346b7c2ae77e07f89e09c441e4f58f9309d4d692eca0c4355f76bcc7353a
Opcode Fuzzy Hash: 362ba95c02dd1fa3ebdce4c14158f477fb194097061e7a87e32c28b4a491666a
Instruction Fuzzy Hash: CE118F30308290DFC709DB28D5589697BB2BFCA70472940EBD042CF665CB759C498762

Uniqueness

Uniqueness Score: -1.00%

Function 0317D7B9, Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.499656485.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2f09555c42b3817942b539c46ddb57271098205735c78b76f1372ae8a9245c2
Instruction ID: d8fbab5c60977db9543c98ed0079341db5453ec2bd7792d801f2e519b665d2e7
Opcode Fuzzy Hash: f2f09555c42b3817942b539c46ddb57271098205735c78b76f1372ae8a9245c2
Instruction Fuzzy Hash: A901D275B01261AFCB1427B8A81816F7BBBEFCE614719446EE40ADB345DE358C4283A0

Uniqueness

Uniqueness Score: -1.00%

Function 031748B9, Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.499656485.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0817fbe29a646d336b2d6e8bb0bf3d62fcd4339845f85189f27f5705d875ce87
Instruction ID: f43099eb7cfc2795f69c999c69b323f452f443729516d256473471fd60003a96
Opcode Fuzzy Hash: 0817fbe29a646d336b2d6e8bb0bf3d62fcd4339845f85189f27f5705d875ce87
Instruction Fuzzy Hash: E601D232B08114DBCF09DE69C9A0AEE7BB6AF8D300B0A4929D402AB344DF246E468751

Uniqueness

Uniqueness Score: -1.00%

Function 03177698, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.499656485.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a6c60f18e0783e5403db23506a09c9cd8220a5db200ddd5e0b0c7b74e4769f4
Instruction ID: 9c43f387d2f5a3ff637126c270949a20fe58e68b48a65da958301554907831c2
Opcode Fuzzy Hash: 2a6c60f18e0783e5403db23506a09c9cd8220a5db200ddd5e0b0c7b74e4769f4
Instruction Fuzzy Hash: D2119E35D04204DFDB25CBA8D848AE9BBF1FF8D300F1984AAE501AB2A1D7716D49CF61

Uniqueness

Uniqueness Score: -1.00%

Function 0317C080, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.499656485.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9210064ecf5c0cafa1bbaa396509e45c2228c14346a3423577a05e2afab5a6d9
Instruction ID: 08b1b52734585d6abb093590a07748081512b1f273241548deab5a5c309deba7
Opcode Fuzzy Hash: 9210064ecf5c0cafa1bbaa396509e45c2228c14346a3423577a05e2afab5a6d9
Instruction Fuzzy Hash: 6411E339300220AFD3459B38944472E3BABF7D9309F4504A8E846CF389CF788C85E794

Uniqueness

Uniqueness Score: -1.00%

Function 03050845, Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.499559270.0000000003050000.00000040.00000040.sdmp, Offset: 03050000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63e25fcccf4da0b1edc09d6a580f3a23e3c76b8155230334c9e65fbf14a53e60
Instruction ID: 2fe2415ad71492e2ce6119fbc04b615099a63994a62ab439c1c8c9bcccbc1f71
Opcode Fuzzy Hash: 63e25fcccf4da0b1edc09d6a580f3a23e3c76b8155230334c9e65fbf14a53e60
Instruction Fuzzy Hash: 8D214A7560A7C58FD703CB20C860B15BFB1AB47304F1986EED9898B6A3C33A9806CB51

Uniqueness

Uniqueness Score: -1.00%

Function 03174789, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.499656485.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65e16af46d7fad09378b3de3aa1a8864ee71589b3648ea2bcc4e22f21e532845
Instruction ID: 87312c793991faf9d08c63edb9ed76b86571004dc660cb6353c38dafbf6bdc9b
Opcode Fuzzy Hash: 65e16af46d7fad09378b3de3aa1a8864ee71589b3648ea2bcc4e22f21e532845
Instruction Fuzzy Hash: 15015B31A002088FCB54EFBCC8503AE7BF2EB89310F24447AC449E7245EA358A46CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0317E670, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.499656485.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe4929379efd6d3a178c0757baf4ca7a99c9ed9afa315e73f0f751f1fc775aaf
Instruction ID: f6bba3641e91d240922fc481b70097f2e3eeca28c3b23e68ae0586278d2e9ce3
Opcode Fuzzy Hash: fe4929379efd6d3a178c0757baf4ca7a99c9ed9afa315e73f0f751f1fc775aaf
Instruction Fuzzy Hash: E1117C70A00704CFCB58DB6585459AAFBF6AF8C300F604479D506A7740E732E941CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0317D7C8, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.499656485.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 350d70838d31c736efb6660df0b7ae4fc8b0cdd7ecb72a792278fe2048abfbb5
Instruction ID: ce85d69883e68edb722453870dd3174f730e722737a208c89ba6c08551ced430
Opcode Fuzzy Hash: 350d70838d31c736efb6660df0b7ae4fc8b0cdd7ecb72a792278fe2048abfbb5
Instruction Fuzzy Hash: F201A775B01325AFCB1467B9A40852F7AAFEFCD764754443DE40AD7345DE359C0183A0

Uniqueness

Uniqueness Score: -1.00%

Function 03177610, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.499656485.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d7b3c430b544ac55517076437cfe4f823ee5a8ca1191980e92def8f35625b75
Instruction ID: fdb55ea506f5faac84a23634541a4ed6cdf7904e87970172540b5b354efd840d
Opcode Fuzzy Hash: 1d7b3c430b544ac55517076437cfe4f823ee5a8ca1191980e92def8f35625b75
Instruction Fuzzy Hash: 1401B571A041048BEB28DB5CC550ABFBBB19B8D314F29406EE51AA72C8CB716D4187D1

Uniqueness

Uniqueness Score: -1.00%

Function 0317C071, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.499656485.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 685fbfc37e1912ccc63258888d04c27c2d15eb9b9cf3b3e98db1f348f821b079
Instruction ID: ec524211ffb047b77bb108b8f7e73a93edeabede2cb300fe1947708b072e1fde
Opcode Fuzzy Hash: 685fbfc37e1912ccc63258888d04c27c2d15eb9b9cf3b3e98db1f348f821b079
Instruction Fuzzy Hash: E801D639304350AFC7069B38A45472E7BAAFB8A315F0945E5E845CF296CB788C85D7A0

Uniqueness

Uniqueness Score: -1.00%

Function 0317A068, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.499656485.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3685f5770bf063876d48a26be0701a349947301649b2744f74bc2137811e470c
Instruction ID: 68f616f2d16b9ba39f29dff9468c7c05834199af4b3eb18b4cf100f05af8e551
Opcode Fuzzy Hash: 3685f5770bf063876d48a26be0701a349947301649b2744f74bc2137811e470c
Instruction Fuzzy Hash: 99017132A08108DFDB1CDE54C950ABFBBB19F8C314F19486EC516A7741DB72AE458BD2

Uniqueness

Uniqueness Score: -1.00%

Function 03177602, Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.499656485.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d8bd1c7d3797be1e40cff38cd3d8b711d6f0aad8c1a1ec38bdc6a310c804850
Instruction ID: 83613de348f7f75e08c2e402fa21c3299a0e6b9bfb8b9a64d33ccaa41f0a6353
Opcode Fuzzy Hash: 0d8bd1c7d3797be1e40cff38cd3d8b711d6f0aad8c1a1ec38bdc6a310c804850
Instruction Fuzzy Hash: 2A0180706041148BEB28DB6CC594A7FBBB59B8D304F2E8459E016AB3C9DB71AD418BD1

Uniqueness

Uniqueness Score: -1.00%

Function 0317A530, Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.499656485.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eecc25c3833279e6e865b8db89aae1dbf2a63b588f51d0378031b967b9f898f9
Instruction ID: d8edbd54e821f7c4f72b7b1708ec26304d915e077b6dfb9e4ab62e82f1d6e17b
Opcode Fuzzy Hash: eecc25c3833279e6e865b8db89aae1dbf2a63b588f51d0378031b967b9f898f9
Instruction Fuzzy Hash: 09019EB5A00219DFCF50DB69D8497AEBBF4EB49340F144166D505DB244FB34A944CBE2

Uniqueness

Uniqueness Score: -1.00%

Function 0317A05E, Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.499656485.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e85de93b3a1e2c8a124708963f24ee001c2df02d4ed70f02c7c392f46e55ac00
Instruction ID: 81f383dbb42d7f427c709aa289d062bdbbf05ec9475cf9ec7225e1b8b3c0e925
Opcode Fuzzy Hash: e85de93b3a1e2c8a124708963f24ee001c2df02d4ed70f02c7c392f46e55ac00
Instruction Fuzzy Hash: 86015E31A08504DFCB18DE14CA64B7EBBB59F8C300F1D485DC506A7341DB72AE458BD2

Uniqueness

Uniqueness Score: -1.00%

Function 03172393, Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.499656485.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ea762d3d7a79e1d28d2a327ea645255229b73f06230c7969d537744dd8fa8f1
Instruction ID: 25956b906984b106655614b1192fe723a10034a2e7af3c2beb8ecea145f80c45
Opcode Fuzzy Hash: 8ea762d3d7a79e1d28d2a327ea645255229b73f06230c7969d537744dd8fa8f1
Instruction Fuzzy Hash: 7C111570D0821ADBCB28CF54D944AAEBBB1BB4C304F19486AC506AB340DB3559C7CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 03175788, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.499656485.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd4ba94b09e779183a575958ec3fd380dafdc44938fcca9bd60059d63276a683
Instruction ID: 0ed32b8b90d290e2e290230cc991e8c167c930da115ef504910e4b33ee16c5e9
Opcode Fuzzy Hash: cd4ba94b09e779183a575958ec3fd380dafdc44938fcca9bd60059d63276a683
Instruction Fuzzy Hash: 9BF0AF72F152148FCF54DBBCE8512EE7BFAEF8A220B5904BBD009DB201E73085418B91

Uniqueness

Uniqueness Score: -1.00%

Function 0317A540, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.499656485.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0535118d5e6d961753d485cb9d192d1250fc49cba8bdff8686312ed4854f9ae3
Instruction ID: b8ab1a882d6669dc114d9d7720a1c30f9ad011de42bbad953a82f7eb10ae7927
Opcode Fuzzy Hash: 0535118d5e6d961753d485cb9d192d1250fc49cba8bdff8686312ed4854f9ae3
Instruction Fuzzy Hash: 50018FB5A002099FCF50EBB8A80579EBBF4EB88354F14417AD608D7240FB3499448BE1

Uniqueness

Uniqueness Score: -1.00%

Function 03174798, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.499656485.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b62171651aab87b71325655400e8c4eb798211d820fb08aabb4ee09dfa3137bf
Instruction ID: 70d8b29c0847723a169098a4baf3c475b38c8d731989358c6627afe9ccad562d
Opcode Fuzzy Hash: b62171651aab87b71325655400e8c4eb798211d820fb08aabb4ee09dfa3137bf
Instruction Fuzzy Hash: 14012871F002088FCB54EBBC88002AFBAE6EB89340F61447AC549E7244EA358E4287E1

Uniqueness

Uniqueness Score: -1.00%

Function 03176588, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.499656485.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54a49f0af4f1415016a13d0c09a25c9e3222baa0cee2367c334c44c000def43f
Instruction ID: 0084f10264586a09e943331163f3735cab44ac0e33cf6c4de3b077b49ea59580
Opcode Fuzzy Hash: 54a49f0af4f1415016a13d0c09a25c9e3222baa0cee2367c334c44c000def43f
Instruction Fuzzy Hash: 77018F75E002089FDB50DBB8D8407AEBBF4FB88214F54003AD508DB280EB309985CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 0317A6B0, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.499656485.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5f502e29610f45a04fbf5660573ffd3545a5a3dbf540759434de9b9d314b2c7
Instruction ID: 6f37443abc02249fe8b3af4c75645e31b88a457a1bfd973338f648f54334b083
Opcode Fuzzy Hash: d5f502e29610f45a04fbf5660573ffd3545a5a3dbf540759434de9b9d314b2c7
Instruction Fuzzy Hash: 6F01F239204310DFC748EB78E41559D7BB2EFDA22471980B9E10ACB351EF728C85A796

Uniqueness

Uniqueness Score: -1.00%

Function 03176578, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.499656485.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e7da2f5320d2b2a7bf88a665332838aafa0978cb0f97ed9c6da187e4170a880
Instruction ID: af80b8fb5d95310e573a3a450aa44a4ac9d028819afbe2241c7894bc7b075e5d
Opcode Fuzzy Hash: 3e7da2f5320d2b2a7bf88a665332838aafa0978cb0f97ed9c6da187e4170a880
Instruction Fuzzy Hash: 4B017CB1E00609DFCB50DB78D844BAABBF4FB98354F58416AD104DB285E7349D86CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 030505CF, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.499559270.0000000003050000.00000040.00000040.sdmp, Offset: 03050000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: addc66c30d28990d0788f757c34078bd46b82af09854040b6170c9294f4b32b8
Instruction ID: 4b8c60659d14395274dc053527cdf8e06b7fbc406ca8679e6da32481bc6f893f
Opcode Fuzzy Hash: addc66c30d28990d0788f757c34078bd46b82af09854040b6170c9294f4b32b8
Instruction Fuzzy Hash: 5001A2B65093806FD7128F06EC40862FFB8EB86220709849FEC498B612D225B908CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0317E597, Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.499656485.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ca34f818b336ef697e2f8c5833fc6bebe09a0a7afaaa071e3ec1100cb3ad102
Instruction ID: 7448ee33b434f52fd978adff1586b55ba9a8b5991be86e787513d3afdbbb9aa2
Opcode Fuzzy Hash: 3ca34f818b336ef697e2f8c5833fc6bebe09a0a7afaaa071e3ec1100cb3ad102
Instruction Fuzzy Hash: 6FF0F03A74A3981FDB01A2747C114FE3F699A8626430881DBE489CF342C9114C0683A2

Uniqueness

Uniqueness Score: -1.00%

Function 03171218, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.499656485.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94c466f5c80709d27ff6b60b55c5462c76ab9159d44da915d334aba1bfc82df6
Instruction ID: a2e7c329741c51036932f2d41af87df1a21b11c5f2a748f4d21cc24796882efc
Opcode Fuzzy Hash: 94c466f5c80709d27ff6b60b55c5462c76ab9159d44da915d334aba1bfc82df6
Instruction Fuzzy Hash: A2011D34304110EBC648D72CD15896A77FABFCD704B2940BAE506CB664CF769C898792

Uniqueness

Uniqueness Score: -1.00%

Function 0317E90F, Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.499656485.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8655af863251067882ce8e66b7af4640e6a3c00ecdec4584ee1cfe9d743d1dcd
Instruction ID: 0c83a14bec369fc343921b3cb786abefd293b8004c4cef579c4791c075db54ed
Opcode Fuzzy Hash: 8655af863251067882ce8e66b7af4640e6a3c00ecdec4584ee1cfe9d743d1dcd
Instruction Fuzzy Hash: AEF0E96760D2905BEFAAD0B818447F21AE8974D320F0E14F3D4C9DB142D64008848372

Uniqueness

Uniqueness Score: -1.00%

Function 03177F90, Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.499656485.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81b23d8e69ffae0dc53aae749210ceb0cd2e9c94a12925668937fa2e3f2a90f7
Instruction ID: 28b79d5be3ed689d65053bede6c9e648b0da11f4a6c124a6e2e879af136f3343
Opcode Fuzzy Hash: 81b23d8e69ffae0dc53aae749210ceb0cd2e9c94a12925668937fa2e3f2a90f7
Instruction Fuzzy Hash: BDF0F631A18210DFC705DB64CE858BBBFB1EF4D300B1944A3D131CB2D1E330988287A6

Uniqueness

Uniqueness Score: -1.00%

Function 0317A6C0, Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.499656485.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec7428c1742c6a81d99ee4ecd337685029fef52835c61cde5ec48eedc2426069
Instruction ID: 96f1755144304784365a6e60122cbe117739df9818d0775ee7339396ac8b193f
Opcode Fuzzy Hash: ec7428c1742c6a81d99ee4ecd337685029fef52835c61cde5ec48eedc2426069
Instruction Fuzzy Hash: F9F0AF39300315DBCB48EB38E01455D7BB7EFC9228B198079E50ACB354DF729C85A796

Uniqueness

Uniqueness Score: -1.00%

Function 03179057, Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.499656485.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9614cffaa3f56828ce5c4a15d02c6e6edc1d187dc4280db5a48a56235c5abd0d
Instruction ID: 388b33f59c4ab086aab19fe8e260cc521909fd2126f739584942a9adb954a8c5
Opcode Fuzzy Hash: 9614cffaa3f56828ce5c4a15d02c6e6edc1d187dc4280db5a48a56235c5abd0d
Instruction Fuzzy Hash: 1BF0A431F10105ABDF00DBB8D88459EB7B9EF89340F558870ED00DB214EB30A805C791

Uniqueness

Uniqueness Score: -1.00%

Function 03179C81, Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.499656485.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47093c42d84fe706e5e6a9dc6ba940a2f26da11071965c73b13c2d247042b36f
Instruction ID: ef1b6597ef67bb81ca7761237fa3740b7081a35350e078aa82c4e8a2f0992523
Opcode Fuzzy Hash: 47093c42d84fe706e5e6a9dc6ba940a2f26da11071965c73b13c2d247042b36f
Instruction Fuzzy Hash: E0F0C2726042808FCB45DB68A4045A97BB3FBCA22431D85AFE00ECB390DF729C4B9751

Uniqueness

Uniqueness Score: -1.00%

Function 0317C35A, Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.499656485.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03a9f8a8843fd4ec54ee1b5f5425b28bc28f839be16b578b3ec40ae5ad9ba39f
Instruction ID: 72980fad116dbbac793d22bd99fde35f61c21338386700372e340ff8c2bf622b
Opcode Fuzzy Hash: 03a9f8a8843fd4ec54ee1b5f5425b28bc28f839be16b578b3ec40ae5ad9ba39f
Instruction Fuzzy Hash: BFF0E9317052A01BC35AA23D581066F3AAE8BCE72035D01AAF445EB382CE119C1283E5

Uniqueness

Uniqueness Score: -1.00%

Function 03175BB0, Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.499656485.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ea0cd5dc79189d5d618c62989a08f513def3c2387275b8df41b0c3fe8afb3a4
Instruction ID: 0cecafe59d8b26d89d894de4c4d10800c7b3a5165343995c7a71ae13d324de03
Opcode Fuzzy Hash: 9ea0cd5dc79189d5d618c62989a08f513def3c2387275b8df41b0c3fe8afb3a4
Instruction Fuzzy Hash: D3F02B35A10110CBCF10D62888543AEB7F6EB8E310F1C046AC90AEB344E7345A4B83E2

Uniqueness

Uniqueness Score: -1.00%

Function 03175FC8, Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.499656485.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 639b215d5fa246d87331cb5523f217858f0ae15aa0e68aabfd1b07db4b6c2a2c
Instruction ID: ae83eb6159bdb9cf684583c87d5027448b6983864c7cda6053f1e67f76245da9
Opcode Fuzzy Hash: 639b215d5fa246d87331cb5523f217858f0ae15aa0e68aabfd1b07db4b6c2a2c
Instruction Fuzzy Hash: 9CF0E231B04A14DBCB18D23899042BF7BF597CD694F490476C90797341EB245E8692E2

Uniqueness

Uniqueness Score: -1.00%

Function 03170918, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.499656485.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af5bd5e46509e153e84790563ac08af869e0782dcf5aa460038f0fb756e46a95
Instruction ID: ff7f779d9efd0b6381f5d4aebfcd9e3c3195e43c0d893168797cd7fa8f1b5d40
Opcode Fuzzy Hash: af5bd5e46509e153e84790563ac08af869e0782dcf5aa460038f0fb756e46a95
Instruction Fuzzy Hash: FCE0E532A153189BDB5495F89C001AFBBB9D78D350F0A44379D0BA3204DB7098454291

Uniqueness

Uniqueness Score: -1.00%

Function 031745B9, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.499656485.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d662e39cb1dc37d188ee4ebc001fea77476a039952259714ebe04510f3407c61
Instruction ID: 6a8a9e9e138b5a614d100479d56b253578f1231cf7ad84ea91dbe696f2a39380
Opcode Fuzzy Hash: d662e39cb1dc37d188ee4ebc001fea77476a039952259714ebe04510f3407c61
Instruction Fuzzy Hash: 95F0BE31E403599FCB50CB68DC45BAABBF8EF89304F0841AAD508DB252E2306918C761

Uniqueness

Uniqueness Score: -1.00%

Function 03174700, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.499656485.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61eacfb27f1b74e4d66e186d2e5e3f9e46dc879448cf9cf68d7e58f22d76f421
Instruction ID: 673a8d1e092f61f10bcf38d9233bbf8f84e1e95f60e0cc439fee54811754ac84
Opcode Fuzzy Hash: 61eacfb27f1b74e4d66e186d2e5e3f9e46dc879448cf9cf68d7e58f22d76f421
Instruction Fuzzy Hash: 17F0ED326053908FCB16C26AE8117F937B8DBCF660F0E00ABD401DF241DB2598868351

Uniqueness

Uniqueness Score: -1.00%

Function 03173BC4, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.499656485.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e580b42e580ab9a9b3dad74305ff21826f50bdd54b3c31fe070ad068f4cae3f8
Instruction ID: 214a81880661f9586ee324fca06e710b54904fd66ee496b4b40b1d716a3ad202
Opcode Fuzzy Hash: e580b42e580ab9a9b3dad74305ff21826f50bdd54b3c31fe070ad068f4cae3f8
Instruction Fuzzy Hash: A4F08279B04518CFCB04DF98D4881ACBB72FBD8314B6A0596D025DB244DF349DC6A7E2

Uniqueness

Uniqueness Score: -1.00%

Function 0317C68E, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.499656485.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 077597ea798c0203a7d616cbbe746ca5e63a73e949129df0aeffb0c76a0f9c23
Instruction ID: 9fdd357677f39ab5f1b44ccc0c362734088c3d0a1d0b144e6823ce0bfadcd900
Opcode Fuzzy Hash: 077597ea798c0203a7d616cbbe746ca5e63a73e949129df0aeffb0c76a0f9c23
Instruction Fuzzy Hash: A9E09B2130D2945FCA25927D847047D37AA9FDE56132E10EBF507CB351DE114CD283E2

Uniqueness

Uniqueness Score: -1.00%

Function 03170908, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.499656485.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86866d341030f86baf6488b7f496281112b17fb18dd7f24529efb4d69ff85073
Instruction ID: fd593507cf27e9b8803a3b6a3c84850efb2b2992390e3f2dc7f8c6325faf0f6d
Opcode Fuzzy Hash: 86866d341030f86baf6488b7f496281112b17fb18dd7f24529efb4d69ff85073
Instruction Fuzzy Hash: C4F082309153508FDB54CBB88D9461B7BB5AF4E340B0B58A7980AE7344C774A8558652

Uniqueness

Uniqueness Score: -1.00%

Function 0317DC08, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.499656485.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13f39a55a84a209352034fbeef405a04e56b88abf1c21695aa3b621f78809b44
Instruction ID: 09566cc31b3eeb555a76b295a21155d6d73bc8ccfdfb6b37adf45f9cf7c46377
Opcode Fuzzy Hash: 13f39a55a84a209352034fbeef405a04e56b88abf1c21695aa3b621f78809b44
Instruction Fuzzy Hash: 57F02B322046580BC214E669F53096E7BBADFC962435C886FC14ECB740EF63DC058791

Uniqueness

Uniqueness Score: -1.00%

Function 0317A5F0, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.499656485.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 536e1480555e6b1dcdca3ccef12c5a4d53f912049b088da602acc8c143824764
Instruction ID: 9c8565bb6cdfb0f59f538c75f86aa4edc882ff385e97b17f969b9db6fe8e8aae
Opcode Fuzzy Hash: 536e1480555e6b1dcdca3ccef12c5a4d53f912049b088da602acc8c143824764
Instruction Fuzzy Hash: 44F0A03A7083508FCB18A7BCE45421C7FF29F9E25631D00A7E10ACF396DE2298019762

Uniqueness

Uniqueness Score: -1.00%

Function 03050938, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.499559270.0000000003050000.00000040.00000040.sdmp, Offset: 03050000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 693b7c54016a59cdbfed5bf97d611671327a7796b2b33607a59a4987e9e37b45
Instruction ID: 2aff1896e99089e4b3de480eec144d9f43c5ba8e7137b9479d879d46042cdc6e
Opcode Fuzzy Hash: 693b7c54016a59cdbfed5bf97d611671327a7796b2b33607a59a4987e9e37b45
Instruction Fuzzy Hash: 71F0FB35104645DFC606CB00D940B2AFBE6EB89718F24CAA9E9890B652C3379813DA81

Uniqueness

Uniqueness Score: -1.00%

Function 0317AC70, Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.499656485.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d43c8bba0834ba314d1fd5ab0a4bf776c12e034097d2c9fd67f0e4ffaca6e8e
Instruction ID: 92757bbfa7455072af6a7ed5283c18ffd0abb174e2b9f871c215c1a335f46bdd
Opcode Fuzzy Hash: 6d43c8bba0834ba314d1fd5ab0a4bf776c12e034097d2c9fd67f0e4ffaca6e8e
Instruction Fuzzy Hash: CEE06535505B505FC3259F2FA810493FBF9AFC1724709866FE09587516D770994587A0

Uniqueness

Uniqueness Score: -1.00%

Function 0317E068, Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.499656485.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70b3b8510fd058da690678c5fdd7637c5a41281db9638c2a39bfcde9da0f1f0e
Instruction ID: daa274de865108df852f15d9424317c7b108b1344aa71d078ea7218da5356bbe
Opcode Fuzzy Hash: 70b3b8510fd058da690678c5fdd7637c5a41281db9638c2a39bfcde9da0f1f0e
Instruction Fuzzy Hash: 5AE02639A0E3846BCF22E538BC025F27BBC4D0B260B0C00F6E844CF102D314495B8AF2

Uniqueness

Uniqueness Score: -1.00%

Function 03179C98, Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.499656485.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 197ff1eada44ab8a8ec5641eee162aa788be04cc17ff1590707b0a4215fbfdac
Instruction ID: 8626f6d65533c3018c2b6f9d570916303f5f11d0308781fa0d7c6fe8367ec61e
Opcode Fuzzy Hash: 197ff1eada44ab8a8ec5641eee162aa788be04cc17ff1590707b0a4215fbfdac
Instruction Fuzzy Hash: 3CF0A0313002048BCB48AB6CB00456E7BF7FBCA264358887EE10ECB380DF729C469741

Uniqueness

Uniqueness Score: -1.00%

Function 0317B8C8, Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.499656485.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2f142d5afb2bf4979a0c54a3fefb1e7505f28763c638a91f338628a56ab8520
Instruction ID: 5974c98fd99daf1a47bda1a928280a1ad692eabecc61691bd119a07016887079
Opcode Fuzzy Hash: a2f142d5afb2bf4979a0c54a3fefb1e7505f28763c638a91f338628a56ab8520
Instruction Fuzzy Hash: 0DF01D32608B449FC735CF69D544806FBF5EF89620306CAAAD4AA87A61C770F8048B61

Uniqueness

Uniqueness Score: -1.00%

Function 03176EFF, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.499656485.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03a79ddc47f69988e42ba48ef1de5e8b053b879b6c7f4ddcd875335cc7bd6d2e
Instruction ID: 806799f09ec722de66071cf17e9c9c8f323fd6c6358c3594e6cdc4ea3e4c05b3
Opcode Fuzzy Hash: 03a79ddc47f69988e42ba48ef1de5e8b053b879b6c7f4ddcd875335cc7bd6d2e
Instruction Fuzzy Hash: 68F06D38F061114BDA24F3B9A4283ADB6A69FC8A18F880478D616DF7C4EF304D038796

Uniqueness

Uniqueness Score: -1.00%

Function 030505F6, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.499559270.0000000003050000.00000040.00000040.sdmp, Offset: 03050000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39f840a941486b37964a5823a39e0c416cacfefd44d10e09f9e942fc776a8bfb
Instruction ID: 87884c1775c06589cb0a8bf66345d7749b18bab4198cc050edc7cd9138671a1e
Opcode Fuzzy Hash: 39f840a941486b37964a5823a39e0c416cacfefd44d10e09f9e942fc776a8bfb
Instruction Fuzzy Hash: A1E092B66446009BD650CF0BEC81452FBD8EB84631718C47FDC0D8B701D135B504CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 03178232, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.499656485.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0fca378ff6824eb64a865dec99fafa3b07ebe5f6e341fecf13e7f526354a635d
Instruction ID: 8777f259800a75fe0f7adfe318ebe6116e978fdb6bcf157497944d13e30c34d7
Opcode Fuzzy Hash: 0fca378ff6824eb64a865dec99fafa3b07ebe5f6e341fecf13e7f526354a635d
Instruction Fuzzy Hash: 74F0A73AE015608BCB5587A4E4492147FF0EB4D22130D009AE445CF345CF349C44DB91

Uniqueness

Uniqueness Score: -1.00%

Function 03178240, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.499656485.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 639ad1f283114f5a16d608471d137c35dff0c57b5b620735b8a918fbb93f7d24
Instruction ID: e9f6b4e2de8d121ad44935d267a0059144ee044d2767b1d158882e06a98466d7
Opcode Fuzzy Hash: 639ad1f283114f5a16d608471d137c35dff0c57b5b620735b8a918fbb93f7d24
Instruction Fuzzy Hash: 9EE02239F1052087CAA896A8E4081147BE9E78C2A2319412AF906CB388CF70CC00CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 031746B8, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.499656485.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 234326aa4f791a2acf98221a2493b9f7f9a79bf1f42648b1ab2f3a8d6bfbf3b9
Instruction ID: cb5100cc1ee61fa98806f454f843c5007bd5bf3e2905e92fa34f78633b523de7
Opcode Fuzzy Hash: 234326aa4f791a2acf98221a2493b9f7f9a79bf1f42648b1ab2f3a8d6bfbf3b9
Instruction Fuzzy Hash: DDE0863170012087C73466BEB0242AE36A9AF89754B1900A6F10ACB654DE56DC0143C6

Uniqueness

Uniqueness Score: -1.00%

Function 0317DC18, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.499656485.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8894c220ffb034ab6c2a5bcd7592315ab2a2ce55dfa6e77d1f959de572e37fd
Instruction ID: e7cf8a07c6a378a2d9092afb43b41e8dd6e6bccb8ea9f47996d2f4baa4a9dfec
Opcode Fuzzy Hash: f8894c220ffb034ab6c2a5bcd7592315ab2a2ce55dfa6e77d1f959de572e37fd
Instruction Fuzzy Hash: 9CE026323002144BC214E66DE82092A7BEADFC9624358882FC40F8B300EFA3EC0687D1

Uniqueness

Uniqueness Score: -1.00%

Function 0317E8A0, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.499656485.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9216a336008e0e1538e9769c79238ecb384e8358a0a5bcf2f23dc143ee7800b4
Instruction ID: 9787a85ea8e6b5b0fa15282fcd3c6c932683a833342c6ca104727a5af60f5a40
Opcode Fuzzy Hash: 9216a336008e0e1538e9769c79238ecb384e8358a0a5bcf2f23dc143ee7800b4
Instruction Fuzzy Hash: AFE026327041105BC328E65DD82082A7BEADBC966830888BFC41ECB300EF23DC0A87E0

Uniqueness

Uniqueness Score: -1.00%

Function 0317E8E1, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.499656485.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32c78614b82d299ae299226ccc1f177e3e49ad13e5d2de23aabcd1aa3b5c1379
Instruction ID: d77c55728d28f00ee62dc91238e5e7a1998a244183c54b98ef2fdaa7a144d3bf
Opcode Fuzzy Hash: 32c78614b82d299ae299226ccc1f177e3e49ad13e5d2de23aabcd1aa3b5c1379
Instruction Fuzzy Hash: 88E0863200D769DFC71AC661A4054E37FB9D90B21174A45DAE5968B541C7619980C7F1

Uniqueness

Uniqueness Score: -1.00%

Function 03175B40, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.499656485.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 182863e86d91f1ebaa65453a1b109158a6f1e5315131e7585722a7db904c86a1
Instruction ID: 292b6c632c2a9735a30c5678ba77914d95b13296544a84b8abb5212a71a85fbb
Opcode Fuzzy Hash: 182863e86d91f1ebaa65453a1b109158a6f1e5315131e7585722a7db904c86a1
Instruction Fuzzy Hash: CEE092362452505FD704DB68985187A77EAAF92214318849FD44ADF342CA21DC02C7D1

Uniqueness

Uniqueness Score: -1.00%

Function 0317C6A0, Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.499656485.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b2a74340ca7f3bfbc89da77fdba742c915d6dac05e71b224d0e1224691277b5
Instruction ID: fa54f5e5f407eb422332e8d3dd83204e6cb64262f13557d416e121baaad88507
Opcode Fuzzy Hash: 4b2a74340ca7f3bfbc89da77fdba742c915d6dac05e71b224d0e1224691277b5
Instruction Fuzzy Hash: F5E01231308158A74928A65E946187E72AB9BDDA6232E606FB507CB350DE529CD183E2

Uniqueness

Uniqueness Score: -1.00%

Function 0317DC59, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.499656485.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3536620484a7df5c67a1cced8a2b04f212c41b3d7ab276cb55f8ec2a37063ee7
Instruction ID: 09f9b0d29d8f6cc270e4b05b2e2a05b331439ef2de5623096069bc0a3c8c9b8f
Opcode Fuzzy Hash: 3536620484a7df5c67a1cced8a2b04f212c41b3d7ab276cb55f8ec2a37063ee7
Instruction Fuzzy Hash: EEE0867101839CDBC729C711B0159B2B7BCEF4D221B0E586EE18BDB540DBA69881C795

Uniqueness

Uniqueness Score: -1.00%

Function 03175F78, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.499656485.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1107e7a8e7ec15b2bb9354b424dc79d2dfa8f13f25d33583f7b1d1de092377de
Instruction ID: 3f6840372127a4c88766cf42f0feae72ff9745abe8b4fa9ff7eae26d858b1ec0
Opcode Fuzzy Hash: 1107e7a8e7ec15b2bb9354b424dc79d2dfa8f13f25d33583f7b1d1de092377de
Instruction Fuzzy Hash: 64D05B3164C8158BD31475AD74046AD36AE9B4B355F4D0066F906D6240DFB59C824397

Uniqueness

Uniqueness Score: -1.00%

Function 03170170, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.499656485.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a2de3c0f66093008b820b8d459656a7c1fd2c23288c90199adeef67b10e9895
Instruction ID: 37548a45c693723a0f7e60dfbca88bf53c0b27488b5393be6464402cde734b4d
Opcode Fuzzy Hash: 2a2de3c0f66093008b820b8d459656a7c1fd2c23288c90199adeef67b10e9895
Instruction Fuzzy Hash: 22E08675206345CFCB165F70E4594087BB6BF4A30471544A5D412CB645DB36E851CB01

Uniqueness

Uniqueness Score: -1.00%

Function 03175B50, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.499656485.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fff4bcdebb50f416e29da0e449683baeb643ac5009213dcb1ae33c16acbc3e9f
Instruction ID: e690876e4d5552901a7fc6ae213ef6bde7f33c3d4e9bce75e4ff65ec96ca96d0
Opcode Fuzzy Hash: fff4bcdebb50f416e29da0e449683baeb643ac5009213dcb1ae33c16acbc3e9f
Instruction Fuzzy Hash: 73D0A7663801241BE504F5AD9C1083EB38FEBC5518304845EE80EDB341CD63DC0283D0

Uniqueness

Uniqueness Score: -1.00%

Function 031702A0, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.499656485.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7426fa78d1139d559d2eaa5413712fb3c5f8140083d5fd09dd0e0ad2830829e
Instruction ID: 3e8be4e50fb44fba7570f392a380ee021c1301d77446cda0bb79950d392da39d
Opcode Fuzzy Hash: a7426fa78d1139d559d2eaa5413712fb3c5f8140083d5fd09dd0e0ad2830829e
Instruction Fuzzy Hash: 82E0E27200A761CBC755DB64F9969867BB0BF4E700309888AD066CAA59C720BC858B22

Uniqueness

Uniqueness Score: -1.00%

Function 03177180, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.499656485.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 556a7dc947b0f782ef28bb166e2001f6809a73046df95352ff75445b22369194
Instruction ID: c41a517fe9af16548841af2f6445ee9cfdfd7b73c08ccc36b20e00ef59fc0053
Opcode Fuzzy Hash: 556a7dc947b0f782ef28bb166e2001f6809a73046df95352ff75445b22369194
Instruction Fuzzy Hash: 59D0C2300083909BE339E624A8006B2BBF96B49318F0F086ED08205980C761A2C4C392

Uniqueness

Uniqueness Score: -1.00%

Function 0317E5A8, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.499656485.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 569d8bdfb05bece1481eb22582f1798030f4039cc0affbdfe7c063dedee4d877
Instruction ID: 72bc7ee7d6db5c6e2c32840f029f608d06ca8f7fa785e013b457cafa01b54595
Opcode Fuzzy Hash: 569d8bdfb05bece1481eb22582f1798030f4039cc0affbdfe7c063dedee4d877
Instruction Fuzzy Hash: 1BD0A7263801281FE504F5ADDC1083E778FFBC5519304846EE80ADF341CD62DC0683D0

Uniqueness

Uniqueness Score: -1.00%

Function 0317DC68, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.499656485.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b180d10ed59996c74a654f8e3e86e7e7c66f083bd7235e2d13956a176f6f784d
Instruction ID: a4d32d7cefceb4db33f323effb0b652859c23d0695cddd2dd5e0861c0d6c06cd
Opcode Fuzzy Hash: b180d10ed59996c74a654f8e3e86e7e7c66f083bd7235e2d13956a176f6f784d
Instruction Fuzzy Hash: 17D05E7110836CDBC62C9654B0019B2B3BCEF0D63270B492EE48B86200CBE298C183D0

Uniqueness

Uniqueness Score: -1.00%

Function 0317064F, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.499656485.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c498ca10312f9de2b5af9e75f18683e152adec67ad3b609d9a841d6a776493f7
Instruction ID: 2e08e703c4cc8ab2e51f9c63d83b4327b258d138f8695ebdb85d9388ffbd356e
Opcode Fuzzy Hash: c498ca10312f9de2b5af9e75f18683e152adec67ad3b609d9a841d6a776493f7
Instruction Fuzzy Hash: 54D0A7B3446240CFC324CB706E160A47761EE9B20571ACC97D40496D20C232B5A39612

Uniqueness

Uniqueness Score: -1.00%

Function 03172D20, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.499656485.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6d515aeef0091dc7b52a55882d67ad3898d1674b5fbeaf4772cd0c539063cad
Instruction ID: 9f29ea482435c72f4a88f9dcbdf1ca4c516a6f7df2ae7794f63538a908cd4b6b
Opcode Fuzzy Hash: f6d515aeef0091dc7b52a55882d67ad3898d1674b5fbeaf4772cd0c539063cad
Instruction Fuzzy Hash: 4ED0173004D284CBC35AC798DD56BA03B31AB0E301F0E0C83D44ACD096C221A59B8712

Uniqueness

Uniqueness Score: -1.00%

Function 03178DE0, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.499656485.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04934043f4f7854d804de20a4b6fb38867bbc4b63bde779039bc236b1dafc8e2
Instruction ID: 3f1a979cb635d40bd4dc9c91853490f66ffed3988cef66b8ce8553db8869dea1
Opcode Fuzzy Hash: 04934043f4f7854d804de20a4b6fb38867bbc4b63bde779039bc236b1dafc8e2
Instruction Fuzzy Hash: EFD05E3105C200CFC7088B40ECAFB203B70AF1E340F1B0C92A5098A1A5D7A02571AB93

Uniqueness

Uniqueness Score: -1.00%

Function 03175798, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.499656485.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f0a7f0c72fcf0851297d6571d54dfc4f8144e540083d2169000e69d1519b174
Instruction ID: eee478535fdf47c962e64df3168ed0324c624fb004cbbe1b5cfc6bf2a44ed553
Opcode Fuzzy Hash: 9f0a7f0c72fcf0851297d6571d54dfc4f8144e540083d2169000e69d1519b174
Instruction Fuzzy Hash: 0AC01215715114978E18B1BD54101AE219E4B9D8253C9092A910A8B340EE618D4102D5

Uniqueness

Uniqueness Score: -1.00%

Function 0317E5E0, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.499656485.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb9d64daf818519768dab12c7a8f0268d13046cb7a8abcb8ca45f88d7eb8a6d2
Instruction ID: facddfda1452200c2e6b6731caa2eb87c8331196d2f96ed022ad015558eb9810
Opcode Fuzzy Hash: cb9d64daf818519768dab12c7a8f0268d13046cb7a8abcb8ca45f88d7eb8a6d2
Instruction Fuzzy Hash: 0ED0122D50F7C95FCB56337038950E53F3C0A0A2B870950C3E4888F743AD1804864762

Uniqueness

Uniqueness Score: -1.00%

Function 03175700, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.499656485.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 637f327b139a7d466f12602cd21d2d2af87d8b5863e42bc1e19ffb0ac1820e99
Instruction ID: 73cf83feb9a1454c739218e7d291288d52a9d55a55de62c4c57bfacee5414531
Opcode Fuzzy Hash: 637f327b139a7d466f12602cd21d2d2af87d8b5863e42bc1e19ffb0ac1820e99
Instruction Fuzzy Hash: 9ED0123240E7548FCB12E7A4F8E17953B7E6D5725434E10D3C145CE126E764A944DBB3

Uniqueness

Uniqueness Score: -1.00%

Function 03176B48, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.499656485.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a0939ec5680cffb9ecca245d0aafbbebb033a67d769e75d7ec85179cdc98f5e
Instruction ID: 68a2e88b48ee3b25b2ca30b96585a8aa66dc6594a028bbd35c7e4f7889d618dc
Opcode Fuzzy Hash: 9a0939ec5680cffb9ecca245d0aafbbebb033a67d769e75d7ec85179cdc98f5e
Instruction Fuzzy Hash: BCD0423AA00004CFD704CB88D5849D9F7F1EB88325F28C1A6D915A7251C732ED56CA50

Uniqueness

Uniqueness Score: -1.00%

Function 0317E8F0, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.499656485.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d46eca5e349b3a0d374526d7625ec3214a4ebf98c3a71c9d2ca2fb17270c55af
Instruction ID: 7a8a296f4f50fabb83123b025ec0bf46fa428d6c4e5b2e047be7dd77fb17ffb8
Opcode Fuzzy Hash: d46eca5e349b3a0d374526d7625ec3214a4ebf98c3a71c9d2ca2fb17270c55af
Instruction Fuzzy Hash: 89D0A731004315C7831CC601D0044A177F9D6092113464599D1AB07500D761A8C1CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 0317C469, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.499656485.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d634e8c9d6d9e3aa5234f98a95d77259724e646cd039b3d03ca26ae4e5a7dc85
Instruction ID: 8dae4156617031170e17b44148f89bcc0a352fe57dc79a8d439ead27e638e6ea
Opcode Fuzzy Hash: d634e8c9d6d9e3aa5234f98a95d77259724e646cd039b3d03ca26ae4e5a7dc85
Instruction Fuzzy Hash: 48D0120500F3D02BC30706310CA69E33F648C8312438E25EBA4D08E4A3E0698296C3B6

Uniqueness

Uniqueness Score: -1.00%

Function 031778F6, Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.499656485.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65bd5766be557d70efff5c836a5bbb831e49c25096fbadc63fa2adab5710c0f1
Instruction ID: 177ee61163f68d2cc66036216ec8d56465ae9d337afa69b2cd6d5f76950588a3
Opcode Fuzzy Hash: 65bd5766be557d70efff5c836a5bbb831e49c25096fbadc63fa2adab5710c0f1
Instruction Fuzzy Hash: 9CD05E34911609DFDB11CF71E9144AD7BF0FB48228B150729D4029B3C0E3345E818B20

Uniqueness

Uniqueness Score: -1.00%

Function 03170180, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.499656485.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa40f7897d321d7846f8c5fd75685f01826b9777c1cc4b1330182e7b6177df81
Instruction ID: 61d9f7878c6cc9577d48f922f114524159a3465cd3298a2e4b659fd91db629e6
Opcode Fuzzy Hash: fa40f7897d321d7846f8c5fd75685f01826b9777c1cc4b1330182e7b6177df81
Instruction Fuzzy Hash: 78D01274302304CFCB182B70F01E41C77AABB88305740087CE81687744DF36E891CB00

Uniqueness

Uniqueness Score: -1.00%

Function 03175710, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.499656485.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40c67315b6cd0133aea134a08effa9571b15853a1b5b9a7dee9d4ad5b01a53fa
Instruction ID: f6d95b4811c70ec1b55e5b55d9c15d2acc65fef206b6d38022fd497028d54959
Opcode Fuzzy Hash: 40c67315b6cd0133aea134a08effa9571b15853a1b5b9a7dee9d4ad5b01a53fa
Instruction Fuzzy Hash: ECC08C20A04208CFCF2027F1300A16D376E6B442847880098E50A85100EF38A00046A1

Uniqueness

Uniqueness Score: -1.00%

Function 03178F80, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.499656485.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30945484a41b1abd12fd85105420edd0b8298d40877fde2be0eb75da6f8fd4f5
Instruction ID: f7abfa69651edf34afed3812d251a2cf62561dbd96116cc3b68012a332b57296
Opcode Fuzzy Hash: 30945484a41b1abd12fd85105420edd0b8298d40877fde2be0eb75da6f8fd4f5
Instruction Fuzzy Hash: 10B0923126460C0FEA509AB6784AB26779C8740658F4804B1B50CC1900EA8AE4912141

Uniqueness

Uniqueness Score: -1.00%

Function 03172D30, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.499656485.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd2c6b3f8774385d7e8d91bdd24dca695a3a30647d74f411768b043bfc4357db
Instruction ID: dd288868655572a0d44f621e6dee40ead8e2c9ceda1c59ba5bce88d00763533c
Opcode Fuzzy Hash: fd2c6b3f8774385d7e8d91bdd24dca695a3a30647d74f411768b043bfc4357db
Instruction Fuzzy Hash: 1DC0923418D60CE7E5AC9184FC1AFB4363C970CB06F1E0C02AA0F1C0AA17B1A2934356

Uniqueness

Uniqueness Score: -1.00%

Function 03170660, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.499656485.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36af4225e23d5b5521041bf60f6323bfd0ba3bc7e93431f1b5f39f9fa90d22ca
Instruction ID: 4a304d26171f198dd32028178c3dc1ace8cdfa0ecda7d5973a616f6e8e59f218
Opcode Fuzzy Hash: 36af4225e23d5b5521041bf60f6323bfd0ba3bc7e93431f1b5f39f9fa90d22ca
Instruction Fuzzy Hash: C3C02B70046348CFC23C96703C05439722D56CC304705C832F401001148B3274E1C921

Uniqueness

Uniqueness Score: -1.00%

Function 03176B6C, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.499656485.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9331830965d72d12fcbefa973c87c0cf332396a92bd300e1243d284f656f33ac
Instruction ID: 2d957fac1984e690a14d9b408455f8336af7dc500fca4f9cf7c9ab7d83591c24
Opcode Fuzzy Hash: 9331830965d72d12fcbefa973c87c0cf332396a92bd300e1243d284f656f33ac
Instruction Fuzzy Hash: 19B092B7A04008CAEB00CA84B4453EDF730E794325F104023C31052000C33201A48696

Uniqueness

Uniqueness Score: -1.00%

Function 03175B92, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.499656485.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d827123c52778112986815c6c3ee684b5d4aae6333237f3010aebe94252b280
Instruction ID: be62d02336351b5e82357b3f476b5f48cb2d68b87936efd50af449e85f75d20d
Opcode Fuzzy Hash: 7d827123c52778112986815c6c3ee684b5d4aae6333237f3010aebe94252b280
Instruction Fuzzy Hash: 72C0923A00A3D48FDB13CB2CDCA5A243BB0BE073187DD11D3C041CF266E6286819EB26

Uniqueness

Uniqueness Score: -1.00%

Function 0317CE40, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.499656485.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 869d7fc549afbed8b29244c79100742a01c49e0bdf8828593d60a149d26a1b5d
Instruction ID: cf1a88d28dbd61daab8ed99ac14b8901834237d655a00e7403e96c594a6c5cec
Opcode Fuzzy Hash: 869d7fc549afbed8b29244c79100742a01c49e0bdf8828593d60a149d26a1b5d
Instruction Fuzzy Hash: 81B09270009718E7C309E619E84A869BB3CFB49705BD50024F9064608C9F646E8787F6

Uniqueness

Uniqueness Score: -1.00%

Function 03172EC0, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.499656485.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4b57eb1fe6051d0848bae606fb75ca9974960f3d126e9c3de1b5b4734188c79
Instruction ID: f92be3dc16fe24449b607b0607e14eb84d1ae864c156c46e6e8ab616e8468ed8
Opcode Fuzzy Hash: c4b57eb1fe6051d0848bae606fb75ca9974960f3d126e9c3de1b5b4734188c79
Instruction Fuzzy Hash: 20B012302142081B975096B53808B16339C454450974814E4D80CC0000FA24D0E12340

Uniqueness

Uniqueness Score: -1.00%

Function 0317E5F0, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.499656485.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 819a476db1237f2c8ff63aee14542fe1262d2507a59a46373e18e3ee42f94fdb
Instruction ID: fd793cb320aa36679b04000e11c29129c0dc864d051c5a8875bb28cfc3707d07
Opcode Fuzzy Hash: 819a476db1237f2c8ff63aee14542fe1262d2507a59a46373e18e3ee42f94fdb
Instruction Fuzzy Hash: 9CB0122454170C4BCD8033F4700809D7FAC0D44604F840452D80D47202BE6474000551

Uniqueness

Uniqueness Score: -1.00%

Function 0317E060, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.499656485.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95db95d4f91ea3bdb4f1519029bb49e5f4036550ca8533dccfe587046c5ae7de
Instruction ID: 95b77c7241fa65c515c6d0ff797e6e76d29c851a6ed9123f7d4223df7f7b62de
Opcode Fuzzy Hash: 95db95d4f91ea3bdb4f1519029bb49e5f4036550ca8533dccfe587046c5ae7de
Instruction Fuzzy Hash: 9AA0022DA04950D78A18F620E5648552271B7CC2043F985A0811A4E054C72D6C8E55A1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries.
Tactics:	Command and Control
Data Sources:	Network intrusion detection system, Network protocol analysis, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report Receipt.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution