
Analysis Report z2d6Yt5v.exe

Overview

General Information

Sample Name: z2d6Yt5v.exe
Analysis ID: 321423
MD5: 9bb6d4f72a348ad47cc97185604f4dd9
SHA1: 7384957e8a29f517654fcbd905861574e772d3ed
SHA256: 0a170ca414d288bc25ebb5ce92ccd51ff0f62b1479d669172194bf0067601df1
Tags: exe, njRat


Detection

njRat
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected njRat
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Njrat
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Contains functionality to log keystrokes (.Net Source)
Creates autostart registry keys with suspicious names
Drops PE files to the startup folder
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the windows firewall
Uses netsh to modify the Windows network and firewall settings
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Netsh Port or Application Allowed
Stores files to the Windows start menu directory
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • z2d6Yt5v.exe (PID: 6072 cmdline: 'C:\Users\user\Desktop\z2d6Yt5v.exe' MD5: 9BB6D4F72A348AD47CC97185604F4DD9)
    • Core Service.exe (PID: 4464 cmdline: 'C:\Users\user\AppData\Local\Temp\Core Service.exe' MD5: 9BB6D4F72A348AD47CC97185604F4DD9)
      • netsh.exe (PID: 5416 cmdline: netsh firewall add allowedprogram 'C:\Users\user\AppData\Local\Temp\Core Service.exe' 'Core Service.exe' ENABLE MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)
        • conhost.exe (PID: 1124 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • Core Service.exe (PID: 4276 cmdline: 'C:\Users\user\AppData\Local\Temp\Core Service.exe' .. MD5: 9BB6D4F72A348AD47CC97185604F4DD9)
  • Core Service.exe (PID: 4760 cmdline: 'C:\Users\user\AppData\Local\Temp\Core Service.exe' .. MD5: 9BB6D4F72A348AD47CC97185604F4DD9)
  • Core Service.exe (PID: 6100 cmdline: 'C:\Users\user\AppData\Local\Temp\Core Service.exe' .. MD5: 9BB6D4F72A348AD47CC97185604F4DD9)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source | Rule | Description | Author (matched strings listed below each row)
z2d6Yt5v.exe | CN_disclosed_20180208_c | Detects malware from disclosed CN malware set | Florian Roth
  • 0x4d4a:$x1: cmd.exe /c ping 0 -n 2 & del "
  • 0x4ea2:$s3: Executed As
  • 0x4e84:$s6: Download ERROR
z2d6Yt5v.exe | JoeSecurity_Njrat | Yara detected Njrat | Joe Security
z2d6Yt5v.exe | njrat1 | Identify njRat | Brian Wallace @botnet_hunter
  • 0x4db8:$a1: netsh firewall add allowedprogram
  • 0x4d88:$a2: SEE_MASK_NOZONECHECKS
  • 0x5032:$b1: [TAP]
  • 0x4d4a:$c3: cmd.exe /c ping
z2d6Yt5v.exe | Njrat | detect njRAT in memory | JPCERT/CC Incident Response Group
  • 0x4d88:$reg: SEE_MASK_NOZONECHECKS
  • 0x4e60:$msg: Execute ERROR
  • 0x4ebc:$msg: Execute ERROR
  • 0x4d4a:$ping: cmd.exe /c ping 0 -n 2 & del

Dropped Files

Source | Rule | Description | Author (matched strings listed below each row)
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\af48625ee196d906557ab2d838a9cc2f.exe | CN_disclosed_20180208_c | Detects malware from disclosed CN malware set | Florian Roth
  • 0x4d4a:$x1: cmd.exe /c ping 0 -n 2 & del "
  • 0x4ea2:$s3: Executed As
  • 0x4e84:$s6: Download ERROR
C:\Users\user\AppData\Local\Temp\Core Service.exe | CN_disclosed_20180208_c | Detects malware from disclosed CN malware set | Florian Roth
  • 0x4d4a:$x1: cmd.exe /c ping 0 -n 2 & del "
  • 0x4ea2:$s3: Executed As
  • 0x4e84:$s6: Download ERROR
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\af48625ee196d906557ab2d838a9cc2f.exe | JoeSecurity_Njrat | Yara detected Njrat | Joe Security
C:\Users\user\AppData\Local\Temp\Core Service.exe | JoeSecurity_Njrat | Yara detected Njrat | Joe Security
C:\Users\user\AppData\Local\Temp\Core Service.exe | njrat1 | Identify njRat | Brian Wallace @botnet_hunter
  • 0x4db8:$a1: netsh firewall add allowedprogram
  • 0x4d88:$a2: SEE_MASK_NOZONECHECKS
  • 0x5032:$b1: [TAP]
  • 0x4d4a:$c3: cmd.exe /c ping
3 further entries not shown.

Memory Dumps

Source | Rule | Description | Author (matched strings listed below each row)
00000002.00000002.459233753.00000000008B2000.00000002.00020000.sdmp | JoeSecurity_Njrat | Yara detected Njrat | Joe Security
00000002.00000002.459233753.00000000008B2000.00000002.00020000.sdmp | njrat1 | Identify njRat | Brian Wallace @botnet_hunter
  • 0x4bb8:$a1: netsh firewall add allowedprogram
  • 0x4b88:$a2: SEE_MASK_NOZONECHECKS
  • 0x4e32:$b1: [TAP]
  • 0x4b4a:$c3: cmd.exe /c ping
00000002.00000002.459233753.00000000008B2000.00000002.00020000.sdmp | Njrat | detect njRAT in memory | JPCERT/CC Incident Response Group
  • 0x4b88:$reg: SEE_MASK_NOZONECHECKS
  • 0x4c60:$msg: Execute ERROR
  • 0x4cbc:$msg: Execute ERROR
  • 0x4b4a:$ping: cmd.exe /c ping 0 -n 2 & del
0000000F.00000002.296934602.0000000000922000.00000002.00020000.sdmp | JoeSecurity_Njrat | Yara detected Njrat | Joe Security
0000000F.00000002.296934602.0000000000922000.00000002.00020000.sdmp | njrat1 | Identify njRat | Brian Wallace @botnet_hunter
  • 0x4bb8:$a1: netsh firewall add allowedprogram
  • 0x4b88:$a2: SEE_MASK_NOZONECHECKS
  • 0x4e32:$b1: [TAP]
  • 0x4b4a:$c3: cmd.exe /c ping
34 further entries not shown.

Unpacked PEs

Source | Rule | Description | Author (matched strings listed below each row)
2.0.Core Service.exe.8b0000.0.unpack | CN_disclosed_20180208_c | Detects malware from disclosed CN malware set | Florian Roth
  • 0x4d4a:$x1: cmd.exe /c ping 0 -n 2 & del "
  • 0x4ea2:$s3: Executed As
  • 0x4e84:$s6: Download ERROR
2.0.Core Service.exe.8b0000.0.unpack | JoeSecurity_Njrat | Yara detected Njrat | Joe Security
2.0.Core Service.exe.8b0000.0.unpack | njrat1 | Identify njRat | Brian Wallace @botnet_hunter
  • 0x4db8:$a1: netsh firewall add allowedprogram
  • 0x4d88:$a2: SEE_MASK_NOZONECHECKS
  • 0x5032:$b1: [TAP]
  • 0x4d4a:$c3: cmd.exe /c ping
2.0.Core Service.exe.8b0000.0.unpack | Njrat | detect njRAT in memory | JPCERT/CC Incident Response Group
  • 0x4d88:$reg: SEE_MASK_NOZONECHECKS
  • 0x4e60:$msg: Execute ERROR
  • 0x4ebc:$msg: Execute ERROR
  • 0x4d4a:$ping: cmd.exe /c ping 0 -n 2 & del
15.0.Core Service.exe.920000.0.unpack | CN_disclosed_20180208_c | Detects malware from disclosed CN malware set | Florian Roth
  • 0x4d4a:$x1: cmd.exe /c ping 0 -n 2 & del "
  • 0x4ea2:$s3: Executed As
  • 0x4e84:$s6: Download ERROR
35 further entries not shown.

Sigma Overview

System Summary:

Sigma detected: Netsh Port or Application Allowed
Source: Process started; Author: Markus Neis, Sander Wiebing
Data:
  Command: netsh firewall add allowedprogram 'C:\Users\user\AppData\Local\Temp\Core Service.exe' 'Core Service.exe' ENABLE
  CommandLine: netsh firewall add allowedprogram 'C:\Users\user\AppData\Local\Temp\Core Service.exe' 'Core Service.exe' ENABLE
  CommandLine|base64offset|contains: l
  Image: C:\Windows\SysWOW64\netsh.exe
  NewProcessName: C:\Windows\SysWOW64\netsh.exe
  OriginalFileName: C:\Windows\SysWOW64\netsh.exe
  ParentCommandLine: 'C:\Users\user\AppData\Local\Temp\Core Service.exe'
  ParentImage: C:\Users\user\AppData\Local\Temp\Core Service.exe
  ParentProcessId: 4464
  ProcessCommandLine: netsh firewall add allowedprogram 'C:\Users\user\AppData\Local\Temp\Core Service.exe' 'Core Service.exe' ENABLE
  ProcessId: 5416

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: z2d6Yt5v.exe, Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\af48625ee196d906557ab2d838a9cc2f.exe, Avira: detection malicious, Label: TR/Dropper.Gen7
Source: C:\Users\user\AppData\Local\Temp\Core Service.exe, Avira: detection malicious, Label: TR/Dropper.Gen7
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\Core Service.exe, Virustotal: Detection: 84%
Source: C:\Users\user\AppData\Local\Temp\Core Service.exe, Metadefender: Detection: 89%
Source: C:\Users\user\AppData\Local\Temp\Core Service.exe, ReversingLabs: Detection: 89%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\af48625ee196d906557ab2d838a9cc2f.exe, Virustotal: Detection: 84%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\af48625ee196d906557ab2d838a9cc2f.exe, Metadefender: Detection: 89%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\af48625ee196d906557ab2d838a9cc2f.exe, ReversingLabs: Detection: 89%
Multi AV Scanner detection for submitted file
Source: z2d6Yt5v.exe, Virustotal: Detection: 84%
Source: z2d6Yt5v.exe, Metadefender: Detection: 89%
Yara detected Njrat
Source: Yara match, File source: z2d6Yt5v.exe, type: SAMPLE
Source: Yara match, File source: 00000002.00000002.459233753.00000000008B2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000F.00000002.296934602.0000000000922000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000002.260704512.0000000000EC2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.210341722.00000000005E2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000F.00000000.285488818.0000000000922000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000A.00000000.267967586.0000000000812000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000A.00000002.279339449.0000000000812000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.211371973.0000000002C85000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000000.210200221.00000000008B2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000000.194561361.00000000005E2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000000.249387017.0000000000EC2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000002.461812462.0000000002FB5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: Core Service.exe PID: 6100, type: MEMORY
Source: Yara match, File source: Process Memory Space: z2d6Yt5v.exe PID: 6072, type: MEMORY
Source: Yara match, File source: Process Memory Space: Core Service.exe PID: 4760, type: MEMORY
Source: Yara match, File source: Process Memory Space: Core Service.exe PID: 4276, type: MEMORY
Source: Yara match, File source: Process Memory Space: Core Service.exe PID: 4464, type: MEMORY
Source: Yara match, File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\af48625ee196d906557ab2d838a9cc2f.exe, type: DROPPED
Source: Yara match, File source: C:\Users\user\AppData\Local\Temp\Core Service.exe, type: DROPPED
Source: Yara match, File source: 2.0.Core Service.exe.8b0000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 15.0.Core Service.exe.920000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.z2d6Yt5v.exe.5e0000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.2.Core Service.exe.8b0000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 7.0.Core Service.exe.ec0000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 15.2.Core Service.exe.920000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 7.2.Core Service.exe.ec0000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.0.z2d6Yt5v.exe.5e0000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 10.0.Core Service.exe.810000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 10.2.Core Service.exe.810000.0.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\af48625ee196d906557ab2d838a9cc2f.exe, Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\Core Service.exe, Joe Sandbox ML: detected
Machine Learning detection for sample
Source: z2d6Yt5v.exe, Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 15.2.Core Service.exe.920000.0.unpack, Avira: Label: TR/Dropper.Gen7
Source: 15.0.Core Service.exe.920000.0.unpack, Avira: Label: TR/Dropper.Gen7
Source: 7.2.Core Service.exe.ec0000.0.unpack, Avira: Label: TR/Dropper.Gen7
Source: 0.0.z2d6Yt5v.exe.5e0000.0.unpack, Avira: Label: TR/Dropper.Gen7
Source: 2.2.Core Service.exe.8b0000.0.unpack, Avira: Label: TR/Dropper.Gen7
Source: 2.0.Core Service.exe.8b0000.0.unpack, Avira: Label: TR/Dropper.Gen7
Source: 10.0.Core Service.exe.810000.0.unpack, Avira: Label: TR/Dropper.Gen7
Source: 7.0.Core Service.exe.ec0000.0.unpack, Avira: Label: TR/Dropper.Gen7
Source: 0.2.z2d6Yt5v.exe.5e0000.0.unpack, Avira: Label: TR/Dropper.Gen7
Source: 10.2.Core Service.exe.810000.0.unpack, Avira: Label: TR/Dropper.Gen7

Networking:

Source: global traffic, TCP traffic: 192.168.2.3:49722 -> 81.249.236.18:5553
Source: unknown, DNS traffic detected: queries for: noiphack93.hopto.org

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to log keystrokes (.Net Source)
Source: z2d6Yt5v.exe, kl.cs, .Net Code: VKCodeToUnicode
Source: Core Service.exe.0.dr, kl.cs, .Net Code: VKCodeToUnicode
Source: 0.0.z2d6Yt5v.exe.5e0000.0.unpack, kl.cs, .Net Code: VKCodeToUnicode
Source: 0.2.z2d6Yt5v.exe.5e0000.0.unpack, kl.cs, .Net Code: VKCodeToUnicode
Source: af48625ee196d906557ab2d838a9cc2f.exe.2.dr, kl.cs, .Net Code: VKCodeToUnicode
Source: 2.2.Core Service.exe.8b0000.0.unpack, kl.cs, .Net Code: VKCodeToUnicode
Source: 2.0.Core Service.exe.8b0000.0.unpack, kl.cs, .Net Code: VKCodeToUnicode
Source: 7.2.Core Service.exe.ec0000.0.unpack, kl.cs, .Net Code: VKCodeToUnicode
Source: 7.0.Core Service.exe.ec0000.0.unpack, kl.cs, .Net Code: VKCodeToUnicode
Source: 10.0.Core Service.exe.810000.0.unpack, kl.cs, .Net Code: VKCodeToUnicode
Source: 10.2.Core Service.exe.810000.0.unpack, kl.cs, .Net Code: VKCodeToUnicode
Source: 15.2.Core Service.exe.920000.0.unpack, kl.cs, .Net Code: VKCodeToUnicode
Source: 15.0.Core Service.exe.920000.0.unpack, kl.cs, .Net Code: VKCodeToUnicode

E-Banking Fraud:

Yara detected Njrat (same match sources as listed under AV Detection)

System Summary:

Malicious sample detected (through community Yara rule)
Source: z2d6Yt5v.exe, type: SAMPLE, Matched rule: Detects malware from disclosed CN malware set, Author: Florian Roth
Source: z2d6Yt5v.exe, type: SAMPLE, Matched rule: Identify njRat, Author: Brian Wallace @botnet_hunter
Source: z2d6Yt5v.exe, type: SAMPLE, Matched rule: detect njRAT in memory, Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.459233753.00000000008B2000.00000002.00020000.sdmp, type: MEMORY, Matched rule: Identify njRat, Author: Brian Wallace @botnet_hunter
Source: 00000002.00000002.459233753.00000000008B2000.00000002.00020000.sdmp, type: MEMORY, Matched rule: detect njRAT in memory, Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000002.296934602.0000000000922000.00000002.00020000.sdmp, type: MEMORY, Matched rule: Identify njRat, Author: Brian Wallace @botnet_hunter
Source: 0000000F.00000002.296934602.0000000000922000.00000002.00020000.sdmp, type: MEMORY, Matched rule: detect njRAT in memory, Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.260704512.0000000000EC2000.00000002.00020000.sdmp, type: MEMORY, Matched rule: Identify njRat, Author: Brian Wallace @botnet_hunter
Source: 00000007.00000002.260704512.0000000000EC2000.00000002.00020000.sdmp, type: MEMORY, Matched rule: detect njRAT in memory, Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.210341722.00000000005E2000.00000002.00020000.sdmp, type: MEMORY, Matched rule: Identify njRat, Author: Brian Wallace @botnet_hunter
Source: 00000000.00000002.210341722.00000000005E2000.00000002.00020000.sdmp, type: MEMORY, Matched rule: detect njRAT in memory, Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000000.285488818.0000000000922000.00000002.00020000.sdmp, type: MEMORY, Matched rule: Identify njRat, Author: Brian Wallace @botnet_hunter
Source: 0000000F.00000000.285488818.0000000000922000.00000002.00020000.sdmp, type: MEMORY, Matched rule: detect njRAT in memory, Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000000.267967586.0000000000812000.00000002.00020000.sdmp, type: MEMORY, Matched rule: Identify njRat, Author: Brian Wallace @botnet_hunter
Source: 0000000A.00000000.267967586.0000000000812000.00000002.00020000.sdmp, type: MEMORY, Matched rule: detect njRAT in memory, Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.279339449.0000000000812000.00000002.00020000.sdmp, type: MEMORY, Matched rule: Identify njRat, Author: Brian Wallace @botnet_hunter
Source: 0000000A.00000002.279339449.0000000000812000.00000002.00020000.sdmp, type: MEMORY, Matched rule: detect njRAT in memory, Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.211371973.0000000002C85000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Identify njRat, Author: Brian Wallace @botnet_hunter
Source: 00000000.00000002.211371973.0000000002C85000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect njRAT in memory, Author: JPCERT/CC Incident Response Group
Source: 00000002.00000000.210200221.00000000008B2000.00000002.00020000.sdmp, type: MEMORY, Matched rule: Identify njRat, Author: Brian Wallace @botnet_hunter
Source: 00000002.00000000.210200221.00000000008B2000.00000002.00020000.sdmp, type: MEMORY, Matched rule: detect njRAT in memory, Author: JPCERT/CC Incident Response Group
Source: 00000000.00000000.194561361.00000000005E2000.00000002.00020000.sdmp, type: MEMORY, Matched rule: Identify njRat, Author: Brian Wallace @botnet_hunter
Source: 00000000.00000000.194561361.00000000005E2000.00000002.00020000.sdmp, type: MEMORY, Matched rule: detect njRAT in memory, Author: JPCERT/CC Incident Response Group
Source: 00000007.00000000.249387017.0000000000EC2000.00000002.00020000.sdmp, type: MEMORY, Matched rule: Identify njRat, Author: Brian Wallace @botnet_hunter
Source: 00000007.00000000.249387017.0000000000EC2000.00000002.00020000.sdmp, type: MEMORY, Matched rule: detect njRAT in memory, Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\af48625ee196d906557ab2d838a9cc2f.exe, type: DROPPED, Matched rule: Detects malware from disclosed CN malware set, Author: Florian Roth
Source: C:\Users\user\AppData\Local\Temp\Core Service.exe, type: DROPPED, Matched rule: Detects malware from disclosed CN malware set, Author: Florian Roth
Source: C:\Users\user\AppData\Local\Temp\Core Service.exe, type: DROPPED, Matched rule: Identify njRat, Author: Brian Wallace @botnet_hunter
Source: C:\Users\user\AppData\Local\Temp\Core Service.exe, type: DROPPED, Matched rule: detect njRAT in memory, Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\af48625ee196d906557ab2d838a9cc2f.exe, type: DROPPED, Matched rule: Identify njRat, Author: Brian Wallace @botnet_hunter
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\af48625ee196d906557ab2d838a9cc2f.exe, type: DROPPED, Matched rule: detect njRAT in memory, Author: JPCERT/CC Incident Response Group
Source: 2.0.Core Service.exe.8b0000.0.unpack, type: UNPACKEDPE, Matched rule: Detects malware from disclosed CN malware set, Author: Florian Roth
Source: 2.0.Core Service.exe.8b0000.0.unpack, type: UNPACKEDPE, Matched rule: Identify njRat, Author: Brian Wallace @botnet_hunter
Source: 2.0.Core Service.exe.8b0000.0.unpack, type: UNPACKEDPE, Matched rule: detect njRAT in memory, Author: JPCERT/CC Incident Response Group
Source: 15.0.Core Service.exe.920000.0.unpack, type: UNPACKEDPE, Matched rule: Detects malware from disclosed CN malware set, Author: Florian Roth
Source: 15.0.Core Service.exe.920000.0.unpack, type: UNPACKEDPE, Matched rule: Identify njRat, Author: Brian Wallace @botnet_hunter
Source: 15.0.Core Service.exe.920000.0.unpack, type: UNPACKEDPE, Matched rule: detect njRAT in memory, Author: JPCERT/CC Incident Response Group
Source: 0.2.z2d6Yt5v.exe.5e0000.0.unpack, type: UNPACKEDPE, Matched rule: Detects malware from disclosed CN malware set, Author: Florian Roth
Source: 0.2.z2d6Yt5v.exe.5e0000.0.unpack, type: UNPACKEDPE, Matched rule: Identify njRat, Author: Brian Wallace @botnet_hunter
Source: 0.2.z2d6Yt5v.exe.5e0000.0.unpack, type: UNPACKEDPE, Matched rule: detect njRAT in memory, Author: JPCERT/CC Incident Response Group
Source: 2.2.Core Service.exe.8b0000.0.unpack, type: UNPACKEDPE, Matched rule: Detects malware from disclosed CN malware set, Author: Florian Roth
Source: 2.2.Core Service.exe.8b0000.0.unpack, type: UNPACKEDPE, Matched rule: Identify njRat, Author: Brian Wallace @botnet_hunter
Source: 2.2.Core Service.exe.8b0000.0.unpack, type: UNPACKEDPE, Matched rule: detect njRAT in memory, Author: JPCERT/CC Incident Response Group
Source: 7.0.Core Service.exe.ec0000.0.unpack, type: UNPACKEDPE, Matched rule: Detects malware from disclosed CN malware set, Author: Florian Roth
Source: 7.0.Core Service.exe.ec0000.0.unpack, type: UNPACKEDPE, Matched rule: Identify njRat, Author: Brian Wallace @botnet_hunter
Source: 7.0.Core Service.exe.ec0000.0.unpack, type: UNPACKEDPE, Matched rule: detect njRAT in memory, Author: JPCERT/CC Incident Response Group
Source: 15.2.Core Service.exe.920000.0.unpack, type: UNPACKEDPE, Matched rule: Detects malware from disclosed CN malware set, Author: Florian Roth
Source: 15.2.Core Service.exe.920000.0.unpack, type: UNPACKEDPE, Matched rule: Identify njRat, Author: Brian Wallace @botnet_hunter
Source: 15.2.Core Service.exe.920000.0.unpack, type: UNPACKEDPE, Matched rule: detect njRAT in memory, Author: JPCERT/CC Incident Response Group
Source: 7.2.Core Service.exe.ec0000.0.unpack, type: UNPACKEDPE, Matched rule: Detects malware from disclosed CN malware set, Author: Florian Roth
Source: 7.2.Core Service.exe.ec0000.0.unpack, type: UNPACKEDPE, Matched rule: Identify njRat, Author: Brian Wallace @botnet_hunter
Source: 7.2.Core Service.exe.ec0000.0.unpack, type: UNPACKEDPE, Matched rule: detect njRAT in memory, Author: JPCERT/CC Incident Response Group
Source: 0.0.z2d6Yt5v.exe.5e0000.0.unpack, type: UNPACKEDPE, Matched rule: Detects malware from disclosed CN malware set, Author: Florian Roth
Source: 0.0.z2d6Yt5v.exe.5e0000.0.unpack, type: UNPACKEDPE, Matched rule: Identify njRat, Author: Brian Wallace @botnet_hunter
Source: 0.0.z2d6Yt5v.exe.5e0000.0.unpack, type: UNPACKEDPE, Matched rule: detect njRAT in memory, Author: JPCERT/CC Incident Response Group
Source: 10.0.Core Service.exe.810000.0.unpack, type: UNPACKEDPE, Matched rule: Detects malware from disclosed CN malware set, Author: Florian Roth
Source: 10.0.Core Service.exe.810000.0.unpack, type: UNPACKEDPE, Matched rule: Identify njRat, Author: Brian Wallace @botnet_hunter
Source: 10.0.Core Service.exe.810000.0.unpack, type: UNPACKEDPE, Matched rule: detect njRAT in memory, Author: JPCERT/CC Incident Response Group
Source: 10.2.Core Service.exe.810000.0.unpack, type: UNPACKEDPE, Matched rule: Detects malware from disclosed CN malware set, Author: Florian Roth
Source: 10.2.Core Service.exe.810000.0.unpack, type: UNPACKEDPE, Matched rule: Identify njRat, Author: Brian Wallace @botnet_hunter
Source: 10.2.Core Service.exe.810000.0.unpack, type: UNPACKEDPE, Matched rule: detect njRAT in memory, Author: JPCERT/CC Incident Response Group
              Source: C:\Users\user\AppData\Local\Temp\Core Service.exeCode function: 2_2_02B31BBA NtQuerySystemInformation,2_2_02B31BBA
              Source: C:\Users\user\AppData\Local\Temp\Core Service.exeCode function: 2_2_02B31B7F NtQuerySystemInformation,2_2_02B31B7F
              Source: z2d6Yt5v.exe, 00000000.00000002.211502125.0000000004E50000.00000002.00000001.sdmpBinary or memory string: originalfilename vs z2d6Yt5v.exe
              Source: z2d6Yt5v.exe, 00000000.00000002.211502125.0000000004E50000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamepropsys.dll.mui@ vs z2d6Yt5v.exe
              Source: z2d6Yt5v.exe, 00000000.00000002.211523908.0000000004E80000.00000002.00000001.sdmpBinary or memory string: System.OriginalFileName vs z2d6Yt5v.exe
              Source: z2d6Yt5v.exe, type: SAMPLE | Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: z2d6Yt5v.exe, type: SAMPLE | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
              Source: z2d6Yt5v.exe, type: SAMPLE | Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
              Source: 00000002.00000002.459233753.00000000008B2000.00000002.00020000.sdmp, type: MEMORY | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
              Source: 00000002.00000002.459233753.00000000008B2000.00000002.00020000.sdmp, type: MEMORY | Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
              Source: 0000000F.00000002.296934602.0000000000922000.00000002.00020000.sdmp, type: MEMORY | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
              Source: 0000000F.00000002.296934602.0000000000922000.00000002.00020000.sdmp, type: MEMORY | Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
              Source: 00000007.00000002.260704512.0000000000EC2000.00000002.00020000.sdmp, type: MEMORY | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
              Source: 00000007.00000002.260704512.0000000000EC2000.00000002.00020000.sdmp, type: MEMORY | Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
              Source: 00000000.00000002.210341722.00000000005E2000.00000002.00020000.sdmp, type: MEMORY | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
              Source: 00000000.00000002.210341722.00000000005E2000.00000002.00020000.sdmp, type: MEMORY | Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
              Source: 0000000F.00000000.285488818.0000000000922000.00000002.00020000.sdmp, type: MEMORY | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
              Source: 0000000F.00000000.285488818.0000000000922000.00000002.00020000.sdmp, type: MEMORY | Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
              Source: 0000000A.00000000.267967586.0000000000812000.00000002.00020000.sdmp, type: MEMORY | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
              Source: 0000000A.00000000.267967586.0000000000812000.00000002.00020000.sdmp, type: MEMORY | Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
              Source: 0000000A.00000002.279339449.0000000000812000.00000002.00020000.sdmp, type: MEMORY | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
              Source: 0000000A.00000002.279339449.0000000000812000.00000002.00020000.sdmp, type: MEMORY | Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
              Source: 00000000.00000002.211371973.0000000002C85000.00000004.00000001.sdmp, type: MEMORY | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
              Source: 00000000.00000002.211371973.0000000002C85000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
              Source: 00000002.00000000.210200221.00000000008B2000.00000002.00020000.sdmp, type: MEMORY | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
              Source: 00000002.00000000.210200221.00000000008B2000.00000002.00020000.sdmp, type: MEMORY | Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
              Source: 00000000.00000000.194561361.00000000005E2000.00000002.00020000.sdmp, type: MEMORY | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
              Source: 00000000.00000000.194561361.00000000005E2000.00000002.00020000.sdmp, type: MEMORY | Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
              Source: 00000007.00000000.249387017.0000000000EC2000.00000002.00020000.sdmp, type: MEMORY | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
              Source: 00000007.00000000.249387017.0000000000EC2000.00000002.00020000.sdmp, type: MEMORY | Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\af48625ee196d906557ab2d838a9cc2f.exe, type: DROPPED | Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: C:\Users\user\AppData\Local\Temp\Core Service.exe, type: DROPPED | Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: C:\Users\user\AppData\Local\Temp\Core Service.exe, type: DROPPED | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
              Source: C:\Users\user\AppData\Local\Temp\Core Service.exe, type: DROPPED | Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\af48625ee196d906557ab2d838a9cc2f.exe, type: DROPPED | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\af48625ee196d906557ab2d838a9cc2f.exe, type: DROPPED | Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
              Source: 2.0.Core Service.exe.8b0000.0.unpack, type: UNPACKEDPE | Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 2.0.Core Service.exe.8b0000.0.unpack, type: UNPACKEDPE | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
              Source: 2.0.Core Service.exe.8b0000.0.unpack, type: UNPACKEDPE | Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
              Source: 15.0.Core Service.exe.920000.0.unpack, type: UNPACKEDPE | Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 15.0.Core Service.exe.920000.0.unpack, type: UNPACKEDPE | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
              Source: 15.0.Core Service.exe.920000.0.unpack, type: UNPACKEDPE | Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
              Source: 0.2.z2d6Yt5v.exe.5e0000.0.unpack, type: UNPACKEDPE | Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 0.2.z2d6Yt5v.exe.5e0000.0.unpack, type: UNPACKEDPE | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
              Source: 0.2.z2d6Yt5v.exe.5e0000.0.unpack, type: UNPACKEDPE | Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
              Source: 2.2.Core Service.exe.8b0000.0.unpack, type: UNPACKEDPE | Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 2.2.Core Service.exe.8b0000.0.unpack, type: UNPACKEDPE | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
              Source: 2.2.Core Service.exe.8b0000.0.unpack, type: UNPACKEDPE | Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
              Source: 7.0.Core Service.exe.ec0000.0.unpack, type: UNPACKEDPE | Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 7.0.Core Service.exe.ec0000.0.unpack, type: UNPACKEDPE | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
              Source: 7.0.Core Service.exe.ec0000.0.unpack, type: UNPACKEDPE | Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
              Source: 15.2.Core Service.exe.920000.0.unpack, type: UNPACKEDPE | Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 15.2.Core Service.exe.920000.0.unpack, type: UNPACKEDPE | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
              Source: 15.2.Core Service.exe.920000.0.unpack, type: UNPACKEDPE | Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
              Source: 7.2.Core Service.exe.ec0000.0.unpack, type: UNPACKEDPE | Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 7.2.Core Service.exe.ec0000.0.unpack, type: UNPACKEDPE | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
              Source: 7.2.Core Service.exe.ec0000.0.unpack, type: UNPACKEDPE | Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
              Source: 0.0.z2d6Yt5v.exe.5e0000.0.unpack, type: UNPACKEDPE | Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 0.0.z2d6Yt5v.exe.5e0000.0.unpack, type: UNPACKEDPE | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
              Source: 0.0.z2d6Yt5v.exe.5e0000.0.unpack, type: UNPACKEDPE | Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
              Source: 10.0.Core Service.exe.810000.0.unpack, type: UNPACKEDPE | Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 10.0.Core Service.exe.810000.0.unpack, type: UNPACKEDPE | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
              Source: 10.0.Core Service.exe.810000.0.unpack, type: UNPACKEDPE | Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
              Source: 10.2.Core Service.exe.810000.0.unpack, type: UNPACKEDPE | Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 10.2.Core Service.exe.810000.0.unpack, type: UNPACKEDPE | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
              Source: 10.2.Core Service.exe.810000.0.unpack, type: UNPACKEDPE | Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
              Source: classification engine | Classification label: mal100.troj.adwa.spyw.evad.winEXE@9/5@5/1
              Source: C:\Users\user\AppData\Local\Temp\Core Service.exe | Code function: 2_2_02B31606 AdjustTokenPrivileges
              Source: C:\Users\user\AppData\Local\Temp\Core Service.exe | Code function: 2_2_02B315CF AdjustTokenPrivileges
              Source: C:\Users\user\Desktop\z2d6Yt5v.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\z2d6Yt5v.exe.log
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1124:120:WilError_01
              Source: C:\Users\user\AppData\Local\Temp\Core Service.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
              Source: C:\Users\user\AppData\Local\Temp\Core Service.exe | Mutant created: \Sessions\1\BaseNamedObjects\af48625ee196d906557ab2d838a9cc2f
              Source: C:\Users\user\Desktop\z2d6Yt5v.exe | File created: C:\Users\user\AppData\Local\Temp\Core Service.exe
              Source: z2d6Yt5v.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
              Source: C:\Users\user\Desktop\z2d6Yt5v.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
              Source: C:\Users\user\Desktop\z2d6Yt5v.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
              Source: C:\Users\user\Desktop\z2d6Yt5v.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
              Source: C:\Users\user\AppData\Local\Temp\Core Service.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
              Source: C:\Users\user\AppData\Local\Temp\Core Service.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
              Source: C:\Users\user\AppData\Local\Temp\Core Service.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
              Source: C:\Users\user\Desktop\z2d6Yt5v.exe | File read: C:\Users\user\Desktop\desktop.ini
              Source: C:\Users\user\Desktop\z2d6Yt5v.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: C:\Users\user\AppData\Local\Temp\Core Service.exe | File read: C:\Windows\System32\drivers\etc\hosts
              Source: z2d6Yt5v.exe | Virustotal: Detection: 84%
              Source: z2d6Yt5v.exe | Metadefender: Detection: 89%
              Source: C:\Users\user\Desktop\z2d6Yt5v.exe | File read: C:\Users\user\Desktop\z2d6Yt5v.exe
              Source: unknown | Process created: C:\Users\user\Desktop\z2d6Yt5v.exe 'C:\Users\user\Desktop\z2d6Yt5v.exe'
              Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\Core Service.exe 'C:\Users\user\AppData\Local\Temp\Core Service.exe'
              Source: unknown | Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram 'C:\Users\user\AppData\Local\Temp\Core Service.exe' 'Core Service.exe' ENABLE
              Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\Core Service.exe 'C:\Users\user\AppData\Local\Temp\Core Service.exe' ..
              Source: C:\Users\user\Desktop\z2d6Yt5v.exe | Process created: C:\Users\user\AppData\Local\Temp\Core Service.exe 'C:\Users\user\AppData\Local\Temp\Core Service.exe'
              Source: C:\Users\user\AppData\Local\Temp\Core Service.exe | Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram 'C:\Users\user\AppData\Local\Temp\Core Service.exe' 'Core Service.exe' ENABLE
              Source: C:\Users\user\Desktop\z2d6Yt5v.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
              Source: z2d6Yt5v.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
              Source: C:\Users\user\Desktop\z2d6Yt5v.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
              Source: z2d6Yt5v.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

              Data Obfuscation:

              .NET source code contains potential unpacker
              Source: z2d6Yt5v.exe, OK.cs | .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: Core Service.exe.0.dr, OK.cs | .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: 0.0.z2d6Yt5v.exe.5e0000.0.unpack, OK.cs | .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: 0.2.z2d6Yt5v.exe.5e0000.0.unpack, OK.cs | .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: af48625ee196d906557ab2d838a9cc2f.exe.2.dr, OK.cs | .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: 2.2.Core Service.exe.8b0000.0.unpack, OK.cs | .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: 2.0.Core Service.exe.8b0000.0.unpack, OK.cs | .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: 7.2.Core Service.exe.ec0000.0.unpack, OK.cs | .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: 7.0.Core Service.exe.ec0000.0.unpack, OK.cs | .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: 10.0.Core Service.exe.810000.0.unpack, OK.cs | .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: 10.2.Core Service.exe.810000.0.unpack, OK.cs | .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: 15.2.Core Service.exe.920000.0.unpack, OK.cs | .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: 15.0.Core Service.exe.920000.0.unpack, OK.cs | .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: C:\Users\user\Desktop\z2d6Yt5v.exe | Code function: 0_2_005E5021 push cs; ret 0_2_005E5022
              Source: C:\Users\user\AppData\Local\Temp\Core Service.exe | Code function: 2_2_008B5021 push cs; ret 2_2_008B5022
              Source: C:\Users\user\AppData\Local\Temp\Core Service.exe | Code function: 7_2_00EC5021 push cs; ret 7_2_00EC5022
              Source: C:\Users\user\AppData\Local\Temp\Core Service.exe | Code function: 10_2_00815021 push cs; ret 10_2_00815022
              Source: C:\Users\user\AppData\Local\Temp\Core Service.exe | Code function: 15_2_00925021 push cs; ret 15_2_00925022
              Source: C:\Users\user\AppData\Local\Temp\Core Service.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\af48625ee196d906557ab2d838a9cc2f.exe
              Source: C:\Users\user\Desktop\z2d6Yt5v.exe | File created: C:\Users\user\AppData\Local\Temp\Core Service.exe

              Boot Survival:

              Creates autostart registry keys with suspicious names
              Source: C:\Users\user\AppData\Local\Temp\Core Service.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run af48625ee196d906557ab2d838a9cc2f
              Drops PE files to the startup folder
              Source: C:\Users\user\AppData\Local\Temp\Core Service.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\af48625ee196d906557ab2d838a9cc2f.exe
              Source: C:\Users\user\Desktop\z2d6Yt5v.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\Core Service.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\netsh.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\z2d6Yt5v.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
              Source: C:\Users\user\Desktop\z2d6Yt5v.exe | Thread delayed: delay time: 922337203685477
              Source: C:\Users\user\AppData\Local\Temp\Core Service.exe | Thread delayed: delay time: 922337203685477
              Source: C:\Users\user\AppData\Local\Temp\Core Service.exe | Window / User API: threadDelayed 6312
              Source: C:\Users\user\Desktop\z2d6Yt5v.exe TID: 3984 | Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Users\user\AppData\Local\Temp\Core Service.exe TID: 5036 | Thread sleep count: 6312 > 30
              Source: C:\Users\user\AppData\Local\Temp\Core Service.exe TID: 2308 | Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Users\user\AppData\Local\Temp\Core Service.exe TID: 2044 | Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Users\user\AppData\Local\Temp\Core Service.exe TID: 5372 | Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Users\user\AppData\Local\Temp\Core Service.exe | Last function: Thread delayed
              Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
              Source: Core Service.exe, 00000002.00000002.460157889.000000000103C000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAWdingCollectionE)
              Source: Core Service.exe, 00000002.00000002.460157889.000000000103C000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlliceFiltersSection, System.Web.Mobile, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"/>
              Source: Core Service.exe, 00000002.00000002.463422241.00000000056E0000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
              Source: Core Service.exe, 00000002.00000002.463422241.00000000056E0000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
              Source: Core Service.exe, 00000002.00000002.463422241.00000000056E0000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
              Source: Core Service.exe, 00000002.00000002.463422241.00000000056E0000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
              Source: C:\Users\user\AppData\Local\Temp\Core Service.exe | Process information queried: ProcessInformation
              Source: C:\Users\user\AppData\Local\Temp\Core Service.exe | Process token adjusted: Debug
              Source: C:\Users\user\Desktop\z2d6Yt5v.exe | Memory allocated: page read and write | page guard

              HIPS / PFW / Operating System Protection Evasion:

              .NET source code references suspicious native API functions
              Source: z2d6Yt5v.exe, OK.cs | Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
              Source: z2d6Yt5v.exe, kl.cs | Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll'), ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
              Source: Core Service.exe.0.dr, OK.cs | Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
              Source: Core Service.exe.0.dr, kl.cs | Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll'), ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
              Source: 0.0.z2d6Yt5v.exe.5e0000.0.unpack, OK.cs | Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
              Source: 0.0.z2d6Yt5v.exe.5e0000.0.unpack, kl.cs | Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll'), ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
              Source: 0.2.z2d6Yt5v.exe.5e0000.0.unpack, OK.cs | Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
              Source: 0.2.z2d6Yt5v.exe.5e0000.0.unpack, kl.cs | Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll'), ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
              Source: af48625ee196d906557ab2d838a9cc2f.exe.2.dr, OK.cs | Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
              Source: af48625ee196d906557ab2d838a9cc2f.exe.2.dr, kl.cs | Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll'), ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
              Source: 2.2.Core Service.exe.8b0000.0.unpack, OK.cs | Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
              Source: 2.2.Core Service.exe.8b0000.0.unpack, kl.cs | Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll'), ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
              Source: 2.0.Core Service.exe.8b0000.0.unpack, OK.cs | Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
              Source: 2.0.Core Service.exe.8b0000.0.unpack, kl.cs | Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll'), ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
              Source: 7.2.Core Service.exe.ec0000.0.unpack, OK.cs | Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
              Source: 7.2.Core Service.exe.ec0000.0.unpack, kl.cs | Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll'), ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
              Source: 7.0.Core Service.exe.ec0000.0.unpack, OK.cs | Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
              Source: 7.0.Core Service.exe.ec0000.0.unpack, kl.cs | Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll'), ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
              Source: 10.0.Core Service.exe.810000.0.unpack, OK.cs | Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
              Source: 10.0.Core Service.exe.810000.0.unpack, kl.cs | Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll'), ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
              Source: 10.2.Core Service.exe.810000.0.unpack, OK.cs | Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
              Source: 10.2.Core Service.exe.810000.0.unpack, kl.cs | Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll'), ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
              Source: 15.2.Core Service.exe.920000.0.unpack, OK.cs | Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
              Source: 15.2.Core Service.exe.920000.0.unpack, kl.cs | Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll'), ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
              Source: 15.0.Core Service.exe.920000.0.unpack, OK.cs | Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
              Source: 15.0.Core Service.exe.920000.0.unpack, kl.cs | Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll'), ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
              Source: C:\Users\user\Desktop\z2d6Yt5v.exe | Process created: C:\Users\user\AppData\Local\Temp\Core Service.exe 'C:\Users\user\AppData\Local\Temp\Core Service.exe'
              Source: Core Service.exe, 00000002.00000002.461812462.0000000002FB5000.00000004.00000001.sdmp | Binary or memory string: Program Manager
              Source: Core Service.exe, 00000002.00000002.460556158.00000000015F0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
              Source: Core Service.exe, 00000002.00000002.460556158.00000000015F0000.00000002.00000001.sdmp | Binary or memory string: Progman
              Source: Core Service.exe, 00000002.00000002.461812462.0000000002FB5000.00000004.00000001.sdmp | Binary or memory string: Program Manager|9kr
              Source: Core Service.exe, 00000002.00000002.460556158.00000000015F0000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
              Source: Core Service.exe, 00000002.00000002.461812462.0000000002FB5000.00000004.00000001.sdmp | Binary or memory string: Program Manager<
              Source: C:\Windows\SysWOW64\netsh.exe | Queries volume information: C:\ VolumeInformation
              Source: C:\Users\user\AppData\Local\Temp\Core Service.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

              Lowering of HIPS / PFW / Operating System Security Settings:

              Modifies the windows firewall
              Source: unknown | Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram 'C:\Users\user\AppData\Local\Temp\Core Service.exe' 'Core Service.exe' ENABLE
              Uses netsh to modify the Windows network and firewall settings
              Source: unknown | Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram 'C:\Users\user\AppData\Local\Temp\Core Service.exe' 'Core Service.exe' ENABLE

              Stealing of Sensitive Information:

              Yara detected Njrat
              Source: Yara match | File source: z2d6Yt5v.exe, type: SAMPLE
              Source: Yara match | File source: 00000002.00000002.459233753.00000000008B2000.00000002.00020000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000F.00000002.296934602.0000000000922000.00000002.00020000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000007.00000002.260704512.0000000000EC2000.00000002.00020000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000002.210341722.00000000005E2000.00000002.00020000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000F.00000000.285488818.0000000000922000.00000002.00020000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000A.00000000.267967586.0000000000812000.00000002.00020000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000A.00000002.279339449.0000000000812000.00000002.00020000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000002.211371973.0000000002C85000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000002.00000000.210200221.00000000008B2000.00000002.00020000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000000.194561361.00000000005E2000.00000002.00020000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000007.00000000.249387017.0000000000EC2000.00000002.00020000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000002.00000002.461812462.0000000002FB5000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: Core Service.exe PID: 6100, type: MEMORY
              Source: Yara match | File source: Process Memory Space: z2d6Yt5v.exe PID: 6072, type: MEMORY
              Source: Yara match | File source: Process Memory Space: Core Service.exe PID: 4760, type: MEMORY
              Source: Yara match | File source: Process Memory Space: Core Service.exe PID: 4276, type: MEMORY
              Source: Yara match | File source: Process Memory Space: Core Service.exe PID: 4464, type: MEMORY
              Source: Yara match | File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\af48625ee196d906557ab2d838a9cc2f.exe, type: DROPPED
              Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\Core Service.exe, type: DROPPED
              Source: Yara match | File source: 2.0.Core Service.exe.8b0000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 15.0.Core Service.exe.920000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.z2d6Yt5v.exe.5e0000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 2.2.Core Service.exe.8b0000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 7.0.Core Service.exe.ec0000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 15.2.Core Service.exe.920000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 7.2.Core Service.exe.ec0000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.0.z2d6Yt5v.exe.5e0000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 10.0.Core Service.exe.810000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 10.2.Core Service.exe.810000.0.unpack, type: UNPACKEDPE

              Remote Access Functionality:

              Detected njRat
              Source: z2d6Yt5v.exe, OK.cs | .Net Code: njRat config detected
              Source: Core Service.exe.0.dr, OK.cs | .Net Code: njRat config detected
              Source: 0.0.z2d6Yt5v.exe.5e0000.0.unpack, OK.cs | .Net Code: njRat config detected
              Source: 0.2.z2d6Yt5v.exe.5e0000.0.unpack, OK.cs | .Net Code: njRat config detected
              Source: af48625ee196d906557ab2d838a9cc2f.exe.2.dr, OK.cs | .Net Code: njRat config detected
              Source: 2.2.Core Service.exe.8b0000.0.unpack, OK.cs | .Net Code: njRat config detected
              Source: 2.0.Core Service.exe.8b0000.0.unpack, OK.cs | .Net Code: njRat config detected
              Source: 7.2.Core Service.exe.ec0000.0.unpack, OK.cs | .Net Code: njRat config detected
              Source: 7.0.Core Service.exe.ec0000.0.unpack, OK.cs | .Net Code: njRat config detected
              Source: 10.0.Core Service.exe.810000.0.unpack, OK.cs | .Net Code: njRat config detected
              Source: 10.2.Core Service.exe.810000.0.unpack, OK.cs | .Net Code: njRat config detected
              Source: 15.2.Core Service.exe.920000.0.unpack, OK.cs | .Net Code: njRat config detected
              Source: 15.0.Core Service.exe.920000.0.unpack, OK.cs | .Net Code: njRat config detected
              Yara detected Njrat (the same Yara matches as listed under Stealing of Sensitive Information above)

              Mitre Att&ck Matrix

              Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
              Valid Accounts | Native API 1 | Startup Items 1 | Startup Items 1 | Masquerading 1 | Input Capture 1 | Security Software Discovery 111 | Remote Services | Input Capture 1 | Exfiltration Over Other Network Medium | Non-Standard Port 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
              Default Accounts | Scheduled Task/Job | Registry Run Keys / Startup Folder 221 | Access Token Manipulation 1 | Virtualization/Sandbox Evasion 3 | LSASS Memory | Virtualization/Sandbox Evasion 3 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Remote Access Software 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
              Domain Accounts | At (Linux) | Logon Script (Windows) | Process Injection 12 | Disable or Modify Tools 21 | Security Account Manager | Process Discovery 2 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
              Local Accounts | At (Windows) | Logon Script (Mac) | Registry Run Keys / Startup Folder 221 | Access Token Manipulation 1 | NTDS | Application Window Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 1 | SIM Card Swap | | Carrier Billing Fraud
              Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Process Injection 12 | LSA Secrets | Remote System Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
              Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information 1 | Cached Domain Credentials | File and Directory Discovery 1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
              External Remote Services | Scheduled Task | Startup Items | Startup Items | Software Packing 11 | DCSync | System Information Discovery 12 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact

              Behavior Graph

              Behavior Graph ID: 321423 | Sample: z2d6Yt5v.exe | Start date: 22/11/2020 | Architecture: WINDOWS | Score: 100

              Top-level signatures: Malicious sample detected (through community Yara rule); Antivirus detection for dropped file; Antivirus / Scanner detection for submitted sample; 12 other signatures

              Process tree recovered from the graph:

              • z2d6Yt5v.exe (started)
                • dropped C:\Users\user\AppData\...\Core Service.exe (PE32)
                • dropped C:\Users\user\AppData\...\z2d6Yt5v.exe.log (ASCII)
                • started Core Service.exe
                  • contacted noiphack93.hopto.org (81.249.236.18, port 5553, FranceTelecom-OrangeFR, France)
                  • dropped C:\...\af48625ee196d906557ab2d838a9cc2f.exe (PE32)
                  • signature: Creates autostart registry keys with suspicious names
                  • started netsh.exe
                    • started conhost.exe
              • Core Service.exe (three further instances started directly from the start node)

              Screenshots


              Antivirus, Machine Learning and Genetic Malware Detection

              Initial Sample

              Source | Detection | Scanner | Label
              z2d6Yt5v.exe | 84% | Virustotal |
              z2d6Yt5v.exe | 89% | Metadefender |
              z2d6Yt5v.exe | 100% | Avira | TR/Dropper.Gen7
              z2d6Yt5v.exe | 100% | Joe Sandbox ML |

              Dropped Files

              Source | Detection | Scanner | Label
              C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\af48625ee196d906557ab2d838a9cc2f.exe | 100% | Avira | TR/Dropper.Gen7
              C:\Users\user\AppData\Local\Temp\Core Service.exe | 100% | Avira | TR/Dropper.Gen7
              C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\af48625ee196d906557ab2d838a9cc2f.exe | 100% | Joe Sandbox ML |
              C:\Users\user\AppData\Local\Temp\Core Service.exe | 100% | Joe Sandbox ML |
              C:\Users\user\AppData\Local\Temp\Core Service.exe | 84% | Virustotal |
              C:\Users\user\AppData\Local\Temp\Core Service.exe | 89% | Metadefender |
              C:\Users\user\AppData\Local\Temp\Core Service.exe | 90% | ReversingLabs | ByteCode-MSIL.Backdoor.Bladabhindi
              C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\af48625ee196d906557ab2d838a9cc2f.exe | 84% | Virustotal |
              C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\af48625ee196d906557ab2d838a9cc2f.exe | 89% | Metadefender |
              C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\af48625ee196d906557ab2d838a9cc2f.exe | 90% | ReversingLabs | ByteCode-MSIL.Backdoor.Bladabhindi

              Unpacked PE Files

              Source | Detection | Scanner | Label
              15.2.Core Service.exe.920000.0.unpack | 100% | Avira | TR/Dropper.Gen7
              15.0.Core Service.exe.920000.0.unpack | 100% | Avira | TR/Dropper.Gen7
              7.2.Core Service.exe.ec0000.0.unpack | 100% | Avira | TR/Dropper.Gen7
              0.0.z2d6Yt5v.exe.5e0000.0.unpack | 100% | Avira | TR/Dropper.Gen7
              2.2.Core Service.exe.8b0000.0.unpack | 100% | Avira | TR/Dropper.Gen7
              2.0.Core Service.exe.8b0000.0.unpack | 100% | Avira | TR/Dropper.Gen7
              10.0.Core Service.exe.810000.0.unpack | 100% | Avira | TR/Dropper.Gen7
              7.0.Core Service.exe.ec0000.0.unpack | 100% | Avira | TR/Dropper.Gen7
              0.2.z2d6Yt5v.exe.5e0000.0.unpack | 100% | Avira | TR/Dropper.Gen7
              10.2.Core Service.exe.810000.0.unpack | 100% | Avira | TR/Dropper.Gen7

              Domains

              Source | Detection | Scanner | Label
              noiphack93.hopto.org | 1% | Virustotal |

              URLs

              No Antivirus matches

              Domains and IPs

              Contacted Domains

              Name | IP | Active | Malicious | Antivirus Detection | Reputation
              noiphack93.hopto.org | 81.249.236.18 | true | false | | unknown

              Contacted IPs


              Public

              IP | Domain | Country | ASN | ASN Name | Malicious
              81.249.236.18 | unknown | France | 3215 | FranceTelecom-OrangeFR | false

              General Information

              Joe Sandbox Version:31.0.0 Red Diamond
              Analysis ID:321423
              Start date:22.11.2020
              Start time:00:39:15
              Joe Sandbox Product:CloudBasic
              Overall analysis duration:0h 8m 7s
              Hypervisor based Inspection enabled:false
              Report type:full
              Sample file name:z2d6Yt5v.exe
              Cookbook file name:default.jbs
              Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
              Number of new started processes analysed:30
              Number of new started drivers analysed:0
              Number of existing processes analysed:0
              Number of existing drivers analysed:0
              Number of injected processes analysed:0
              Technologies:
              • HCA enabled
              • EGA enabled
              • HDC enabled
              • AMSI enabled
              Analysis Mode:default
              Analysis stop reason:Timeout
              Detection:MAL
              Classification:mal100.troj.adwa.spyw.evad.winEXE@9/5@5/1
              EGA Information:Failed
              HDC Information:
              • Successful, ratio: 2.1% (good quality ratio 1.9%)
              • Quality average: 71%
              • Quality standard deviation: 21.5%
              HCA Information:
              • Successful, ratio: 98%
              • Number of executed functions: 148
              • Number of non-executed functions: 0
              Cookbook Comments:
              • Adjust boot time
              • Enable AMSI
              • Found application associated with file extension: .exe
              Warnings:
              • Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, UsoClient.exe
              • Excluded IPs from analysis (whitelisted)
              • Excluded domains from analysis (whitelisted)
              • Report size getting too big, too many NtOpenKeyEx calls found.
              • Report size getting too big, too many NtQueryValueKey calls found.

              Simulations

              Behavior and APIs

              Time | Type | Description
              00:40:17 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run af48625ee196d906557ab2d838a9cc2f "C:\Users\user\AppData\Local\Temp\Core Service.exe" ..
              00:40:25 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run af48625ee196d906557ab2d838a9cc2f "C:\Users\user\AppData\Local\Temp\Core Service.exe" ..
              00:40:33 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run af48625ee196d906557ab2d838a9cc2f "C:\Users\user\AppData\Local\Temp\Core Service.exe" ..
              00:40:41 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\af48625ee196d906557ab2d838a9cc2f.exe

              Joe Sandbox View / Context

              IPs

              Match | Associated Sample Name / URL | Detection
              81.249.236.18 | ErdS9XEU.exe | malicious
              81.249.236.18 | rTay7rkg.exe | malicious

                  Domains

                  No context

                  ASN

                  Match | Associated Sample Name / URL | Detection | Context
                  FranceTelecom-OrangeFR | ErdS9XEU.exe | malicious | 81.249.236.18
                  FranceTelecom-OrangeFR | rTay7rkg.exe | malicious | 81.249.236.18
                  FranceTelecom-OrangeFR | http://cdn.webbrowserbase.com/Bins/ASPGenericWebNavigatorInstaller_2.3.0.14_x64.exe | malicious | 2.3.0.14
                  FranceTelecom-OrangeFR | qwhWqUYlnN.exe | malicious | 80.11.163.139
                  FranceTelecom-OrangeFR | https://boolatona.live/5214774454/ | malicious | 80.12.40.169
                  FranceTelecom-OrangeFR | http://update2.control4.com/release/2.10.2.549842-res/glassedge-ota_2.10.2.549842-res.zip | malicious | 2.10.2.54
                  FranceTelecom-OrangeFR | http://download.imgburn.com/SetupImgBurn_2.5.8.0.exe | malicious | 2.5.8.0
                  FranceTelecom-OrangeFR | http://download.winzip.com/tools/winzip/releases/7fddd149-5a63-4dab-8e3f-ed9eae46d289_2.11.3.8/or/0/smartalertssetup.exe | malicious | 2.11.3.8
                  FranceTelecom-OrangeFR | newdat.ps1 | malicious | 90.121.249.114
                  FranceTelecom-OrangeFR | FederalAgency.x86 | malicious | 145.242.17.155
                  FranceTelecom-OrangeFR | https://download.wbxhub.com:443/cgi/adk/chrdl.cgi?wb_id=35781x-0F&iid=Webexplorer | malicious | 2.1.0.5

                  JA3 Fingerprints

                  No context

                  Dropped Files

                  No context

                  Created / dropped Files

                  C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\Core Service.exe.log
                  Process:C:\Users\user\AppData\Local\Temp\Core Service.exe
                  File Type:ASCII text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):525
                  Entropy (8bit):5.2874233355119316
                  Encrypted:false
                  SSDEEP:12:Q3LaJU20NaL10Ug+9Yz9t0U29hJ5g1B0U2ukyrFk7v:MLF20NaL3z2p29hJ5g522r0
                  MD5:80EFBEC081D7836D240503C4C9465FEC
                  SHA1:6AF398E08A359457083727BAF296445030A55AC3
                  SHA-256:C73F730EB5E05D15FAD6BE10AB51FE4D8A80B5E88B89D8BC80CC1DF09ACE1523
                  SHA-512:DEC3B1D9403894418AFD4433629CA6476C7BD359963328D17B93283B52EEC18B3725D2F02F0E9A142E705398DDDCE244D53829570E9DE1A87060A7DABFDCE5B3
                  Malicious:false
                  Reputation:moderate, very likely benign file
                  Preview: 1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..
                  C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\z2d6Yt5v.exe.log
                  Process:C:\Users\user\Desktop\z2d6Yt5v.exe
                  File Type:ASCII text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):525
                  Entropy (8bit):5.2874233355119316
                  Encrypted:false
                  SSDEEP:12:Q3LaJU20NaL10Ug+9Yz9t0U29hJ5g1B0U2ukyrFk7v:MLF20NaL3z2p29hJ5g522r0
                  MD5:80EFBEC081D7836D240503C4C9465FEC
                  SHA1:6AF398E08A359457083727BAF296445030A55AC3
                  SHA-256:C73F730EB5E05D15FAD6BE10AB51FE4D8A80B5E88B89D8BC80CC1DF09ACE1523
                  SHA-512:DEC3B1D9403894418AFD4433629CA6476C7BD359963328D17B93283B52EEC18B3725D2F02F0E9A142E705398DDDCE244D53829570E9DE1A87060A7DABFDCE5B3
                  Malicious:true
                  Reputation:moderate, very likely benign file
                  Preview: 1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..
                  C:\Users\user\AppData\Local\Temp\Core Service.exe
                  Process:C:\Users\user\Desktop\z2d6Yt5v.exe
                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                  Category:dropped
                  Size (bytes):24064
                  Entropy (8bit):5.529551954242191
                  Encrypted:false
                  SSDEEP:384:FYmdk8XvCJrQLdRGSiEYF7Y65gPyx6BDXNRmRvR6JZlbw8hqIusZzZ/7oF2:6wWkti/aeRpcnu2N
                  MD5:9BB6D4F72A348AD47CC97185604F4DD9
                  SHA1:7384957E8A29F517654FCBD905861574E772D3ED
                  SHA-256:0A170CA414D288BC25EBB5CE92CCD51FF0F62B1479D669172194BF0067601DF1
                  SHA-512:3A1E4C94AFD24C89A256DECA640467C833547FE431C2041F3AFC6FAFDD3551F7D4F14EDFA5BE6099901D4BB38526FDFE197702DD334C74D98951887187CF2C48
                  Malicious:true
                  Yara Hits:
                  • Rule: CN_disclosed_20180208_c, Description: Detects malware from disclosed CN malware set, Source: C:\Users\user\AppData\Local\Temp\Core Service.exe, Author: Florian Roth
                  • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Users\user\AppData\Local\Temp\Core Service.exe, Author: Joe Security
                  • Rule: njrat1, Description: Identify njRat, Source: C:\Users\user\AppData\Local\Temp\Core Service.exe, Author: Brian Wallace @botnet_hunter
                  • Rule: Njrat, Description: detect njRAT in memory, Source: C:\Users\user\AppData\Local\Temp\Core Service.exe, Author: JPCERT/CC Incident Response Group
                  Antivirus:
                  • Antivirus: Avira, Detection: 100%
                  • Antivirus: Joe Sandbox ML, Detection: 100%
                  • Antivirus: Virustotal, Detection: 84%, Browse
                  • Antivirus: Metadefender, Detection: 89%, Browse
                  • Antivirus: ReversingLabs, Detection: 90%
                  Reputation:low
                  C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\af48625ee196d906557ab2d838a9cc2f.exe
                  Process:C:\Users\user\AppData\Local\Temp\Core Service.exe
                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                  Category:dropped
                  Size (bytes):24064
                  Entropy (8bit):5.529551954242191
                  Encrypted:false
                  SSDEEP:384:FYmdk8XvCJrQLdRGSiEYF7Y65gPyx6BDXNRmRvR6JZlbw8hqIusZzZ/7oF2:6wWkti/aeRpcnu2N
                  MD5:9BB6D4F72A348AD47CC97185604F4DD9
                  SHA1:7384957E8A29F517654FCBD905861574E772D3ED
                  SHA-256:0A170CA414D288BC25EBB5CE92CCD51FF0F62B1479D669172194BF0067601DF1
                  SHA-512:3A1E4C94AFD24C89A256DECA640467C833547FE431C2041F3AFC6FAFDD3551F7D4F14EDFA5BE6099901D4BB38526FDFE197702DD334C74D98951887187CF2C48
                  Malicious:true
                  Yara Hits:
                  • Rule: CN_disclosed_20180208_c, Description: Detects malware from disclosed CN malware set, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\af48625ee196d906557ab2d838a9cc2f.exe, Author: Florian Roth
                  • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\af48625ee196d906557ab2d838a9cc2f.exe, Author: Joe Security
                  • Rule: njrat1, Description: Identify njRat, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\af48625ee196d906557ab2d838a9cc2f.exe, Author: Brian Wallace @botnet_hunter
                  • Rule: Njrat, Description: detect njRAT in memory, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\af48625ee196d906557ab2d838a9cc2f.exe, Author: JPCERT/CC Incident Response Group
                  Antivirus:
                  • Antivirus: Avira, Detection: 100%
                  • Antivirus: Joe Sandbox ML, Detection: 100%
                  • Antivirus: Virustotal, Detection: 84%, Browse
                  • Antivirus: Metadefender, Detection: 89%, Browse
                  • Antivirus: ReversingLabs, Detection: 90%
                  Reputation:low
                  \Device\ConDrv
                  Process:C:\Windows\SysWOW64\netsh.exe
                  File Type:ASCII text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):313
                  Entropy (8bit):4.971939296804078
                  Encrypted:false
                  SSDEEP:6:/ojfKsUTGN8Ypox42k9L+DbGMKeQE+vigqAZs2E+AYeDPO+Yswyha:wjPIGNrkHk9iaeIM6ADDPOHyha
                  MD5:689E2126A85BF55121488295EE068FA1
                  SHA1:09BAAA253A49D80C18326DFBCA106551EBF22DD6
                  SHA-256:D968A966EF474068E41256321F77807A042F1965744633D37A203A705662EC25
                  SHA-512:C3736A8FC7E6573FA1B26FE6A901C05EE85C55A4A276F8F569D9EADC9A58BEC507D1BB90DBF9EA62AE79A6783178C69304187D6B90441D82E46F5F56172B5C5C
                  Malicious:false
                  Reputation:moderate, very likely benign file
                  Preview: ..IMPORTANT: Command executed successfully...However, "netsh firewall" is deprecated;..use "netsh advfirewall firewall" instead...For more information on using "netsh advfirewall firewall" commands..instead of "netsh firewall", see KB article 947709..at https://go.microsoft.com/fwlink/?linkid=121488 .....Ok.....

                  Static File Info

                  General

                  File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                  Entropy (8bit):5.529551954242191
                  TrID:
                  • Win32 Executable (generic) Net Framework (10011505/4) 49.79%
                  • Win32 Executable (generic) a (10002005/4) 49.75%
                  • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                  • Windows Screen Saver (13104/52) 0.07%
                  • Win16/32 Executable Delphi generic (2074/23) 0.01%
                  File name:z2d6Yt5v.exe
                  File size:24064
                  MD5:9bb6d4f72a348ad47cc97185604f4dd9
                  SHA1:7384957e8a29f517654fcbd905861574e772d3ed
                  SHA256:0a170ca414d288bc25ebb5ce92ccd51ff0f62b1479d669172194bf0067601df1
                  SHA512:3a1e4c94afd24c89a256deca640467c833547fe431c2041f3afc6fafdd3551f7d4f14edfa5be6099901d4bb38526fdfe197702dd334c74d98951887187cf2c48
                  SSDEEP:384:FYmdk8XvCJrQLdRGSiEYF7Y65gPyx6BDXNRmRvR6JZlbw8hqIusZzZ/7oF2:6wWkti/aeRpcnu2N

                  File Icon

                  Icon Hash:00828e8e8686b000

                  Static PE Info

                  General

                  Entrypoint:0x40749e
                  Entrypoint Section:.text
                  Digitally signed:false
                  Imagebase:0x400000
                  Subsystem:windows gui
                  Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                  DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                  Time Stamp:0x5FB99AA1 [Sat Nov 21 22:54:25 2020 UTC]
                  TLS Callbacks:
                  CLR (.Net) Version:v2.0.50727
                  OS Version Major:4
                  OS Version Minor:0
                  File Version Major:4
                  File Version Minor:0
                  Subsystem Version Major:4
                  Subsystem Version Minor:0
                  Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                  Entrypoint Preview

                  Instruction
                  jmp dword ptr [00402000h]

                  Data Directories

                  Name | Virtual Address | Virtual Size | Is in Section
                  IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_IMPORT | 0x744c | 0x4f | .text
                  IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x8000 | 0x240 | .rsrc
                  IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xa000 | 0xc | .reloc
                  IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                  IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                  IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                  Sections

                  Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                  .text | 0x2000 | 0x54a4 | 0x5600 | False | 0.490098110465 | data | 5.57654676439 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                  .rsrc | 0x8000 | 0x240 | 0x400 | False | 0.310546875 | data | 4.9660813397 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                  .reloc | 0xa000 | 0xc | 0x200 | False | 0.044921875 | data | 0.0815394123432 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                  Resources

                  Name | RVA | Size | Type | Language | Country
                  RT_MANIFEST | 0x8058 | 0x1e7 | XML 1.0 document, ASCII text, with CRLF line terminators | |

                  Imports

                  DLL | Import
                  mscoree.dll | _CorExeMain

                  Network Behavior

                  Network Port Distribution

                  TCP Packets

                  Timestamp | Source Port | Dest Port | Source IP | Dest IP
                  Nov 22, 2020 00:40:17.890508890 CET | 49722 | 5553 | 192.168.2.3 | 81.249.236.18
                  Nov 22, 2020 00:40:20.973413944 CET | 49722 | 5553 | 192.168.2.3 | 81.249.236.18
                  Nov 22, 2020 00:40:26.973902941 CET | 49722 | 5553 | 192.168.2.3 | 81.249.236.18
                  Nov 22, 2020 00:40:41.291666985 CET | 49730 | 5553 | 192.168.2.3 | 81.249.236.18
                  Nov 22, 2020 00:40:44.303378105 CET | 49730 | 5553 | 192.168.2.3 | 81.249.236.18
                  Nov 22, 2020 00:40:50.319463968 CET | 49730 | 5553 | 192.168.2.3 | 81.249.236.18
                  Nov 22, 2020 00:41:04.526819944 CET | 49740 | 5553 | 192.168.2.3 | 81.249.236.18
                  Nov 22, 2020 00:41:07.541851044 CET | 49740 | 5553 | 192.168.2.3 | 81.249.236.18
                  Nov 22, 2020 00:41:13.558038950 CET | 49740 | 5553 | 192.168.2.3 | 81.249.236.18
                  Nov 22, 2020 00:41:27.847527981 CET | 49741 | 5553 | 192.168.2.3 | 81.249.236.18
                  Nov 22, 2020 00:41:30.856450081 CET | 49741 | 5553 | 192.168.2.3 | 81.249.236.18
                  Nov 22, 2020 00:41:36.856708050 CET | 49741 | 5553 | 192.168.2.3 | 81.249.236.18
                  Nov 22, 2020 00:41:51.167507887 CET | 49744 | 5553 | 192.168.2.3 | 81.249.236.18
                  Nov 22, 2020 00:41:54.170566082 CET | 49744 | 5553 | 192.168.2.3 | 81.249.236.18
                  Nov 22, 2020 00:42:00.186686039 CET | 49744 | 5553 | 192.168.2.3 | 81.249.236.18

                  UDP Packets

                  Timestamp                            Source Port  Dest Port  Source IP    Dest IP
                  Nov 22, 2020 00:39:54.824812889 CET  60100        53         192.168.2.3  8.8.8.8
                  Nov 22, 2020 00:39:54.852051020 CET  53           60100      8.8.8.8      192.168.2.3
                  Nov 22, 2020 00:39:55.577775955 CET  53195        53         192.168.2.3  8.8.8.8
                  Nov 22, 2020 00:39:55.605178118 CET  53           53195      8.8.8.8      192.168.2.3
                  Nov 22, 2020 00:39:56.278990984 CET  50141        53         192.168.2.3  8.8.8.8
                  Nov 22, 2020 00:39:56.306338072 CET  53           50141      8.8.8.8      192.168.2.3
                  Nov 22, 2020 00:39:57.062254906 CET  53023        53         192.168.2.3  8.8.8.8
                  Nov 22, 2020 00:39:57.098078966 CET  53           53023      8.8.8.8      192.168.2.3
                  Nov 22, 2020 00:39:58.065080881 CET  49563        53         192.168.2.3  8.8.8.8
                  Nov 22, 2020 00:39:58.100954056 CET  53           49563      8.8.8.8      192.168.2.3
                  Nov 22, 2020 00:39:58.990433931 CET  51352        53         192.168.2.3  8.8.8.8
                  Nov 22, 2020 00:39:59.017735958 CET  53           51352      8.8.8.8      192.168.2.3
                  Nov 22, 2020 00:39:59.719111919 CET  59349        53         192.168.2.3  8.8.8.8
                  Nov 22, 2020 00:39:59.755022049 CET  53           59349      8.8.8.8      192.168.2.3
                  Nov 22, 2020 00:40:01.396975040 CET  57084        53         192.168.2.3  8.8.8.8
                  Nov 22, 2020 00:40:01.432693958 CET  53           57084      8.8.8.8      192.168.2.3
                  Nov 22, 2020 00:40:02.044631958 CET  58823        53         192.168.2.3  8.8.8.8
                  Nov 22, 2020 00:40:02.071861982 CET  53           58823      8.8.8.8      192.168.2.3
                  Nov 22, 2020 00:40:17.847650051 CET  57568        53         192.168.2.3  8.8.8.8
                  Nov 22, 2020 00:40:17.885140896 CET  53           57568      8.8.8.8      192.168.2.3
                  Nov 22, 2020 00:40:20.254879951 CET  50540        53         192.168.2.3  8.8.8.8
                  Nov 22, 2020 00:40:20.282639980 CET  53           50540      8.8.8.8      192.168.2.3
                  Nov 22, 2020 00:40:32.367813110 CET  54366        53         192.168.2.3  8.8.8.8
                  Nov 22, 2020 00:40:32.424653053 CET  53           54366      8.8.8.8      192.168.2.3
                  Nov 22, 2020 00:40:35.789303064 CET  53034        53         192.168.2.3  8.8.8.8
                  Nov 22, 2020 00:40:35.842669964 CET  53           53034      8.8.8.8      192.168.2.3
                  Nov 22, 2020 00:40:41.250149965 CET  57762        53         192.168.2.3  8.8.8.8
                  Nov 22, 2020 00:40:41.287931919 CET  53           57762      8.8.8.8      192.168.2.3
                  Nov 22, 2020 00:40:43.834106922 CET  55435        53         192.168.2.3  8.8.8.8
                  Nov 22, 2020 00:40:43.861291885 CET  53           55435      8.8.8.8      192.168.2.3
                  Nov 22, 2020 00:40:54.670659065 CET  50713        53         192.168.2.3  8.8.8.8
                  Nov 22, 2020 00:40:54.697799921 CET  53           50713      8.8.8.8      192.168.2.3
                  Nov 22, 2020 00:40:58.006330013 CET  56132        53         192.168.2.3  8.8.8.8
                  Nov 22, 2020 00:40:58.043577909 CET  53           56132      8.8.8.8      192.168.2.3
                  Nov 22, 2020 00:41:04.489526987 CET  58987        53         192.168.2.3  8.8.8.8
                  Nov 22, 2020 00:41:04.525306940 CET  53           58987      8.8.8.8      192.168.2.3
                  Nov 22, 2020 00:41:27.808214903 CET  56579        53         192.168.2.3  8.8.8.8
                  Nov 22, 2020 00:41:27.845371962 CET  53           56579      8.8.8.8      192.168.2.3
                  Nov 22, 2020 00:41:28.968875885 CET  60633        53         192.168.2.3  8.8.8.8
                  Nov 22, 2020 00:41:28.996134043 CET  53           60633      8.8.8.8      192.168.2.3
                  Nov 22, 2020 00:41:30.149065971 CET  61292        53         192.168.2.3  8.8.8.8
                  Nov 22, 2020 00:41:30.199475050 CET  53           61292      8.8.8.8      192.168.2.3
                  Nov 22, 2020 00:41:51.128329992 CET  63619        53         192.168.2.3  8.8.8.8
                  Nov 22, 2020 00:41:51.164169073 CET  53           63619      8.8.8.8      192.168.2.3

                  DNS Queries

                  Timestamp                            Source IP    Dest IP  Trans ID  OP Code             Name                  Type            Class
                  Nov 22, 2020 00:40:17.847650051 CET  192.168.2.3  8.8.8.8  0x9347    Standard query (0)  noiphack93.hopto.org  A (IP address)  IN (0x0001)
                  Nov 22, 2020 00:40:41.250149965 CET  192.168.2.3  8.8.8.8  0xc086    Standard query (0)  noiphack93.hopto.org  A (IP address)  IN (0x0001)
                  Nov 22, 2020 00:41:04.489526987 CET  192.168.2.3  8.8.8.8  0x2762    Standard query (0)  noiphack93.hopto.org  A (IP address)  IN (0x0001)
                  Nov 22, 2020 00:41:27.808214903 CET  192.168.2.3  8.8.8.8  0x10f1    Standard query (0)  noiphack93.hopto.org  A (IP address)  IN (0x0001)
                  Nov 22, 2020 00:41:51.128329992 CET  192.168.2.3  8.8.8.8  0x23dd    Standard query (0)  noiphack93.hopto.org  A (IP address)  IN (0x0001)

                  DNS Answers

                  Timestamp                            Source IP  Dest IP      Trans ID  Reply Code    Name                  CName  Address        Type            Class
                  Nov 22, 2020 00:40:17.885140896 CET  8.8.8.8    192.168.2.3  0x9347    No error (0)  noiphack93.hopto.org  -      81.249.236.18  A (IP address)  IN (0x0001)
                  Nov 22, 2020 00:40:41.287931919 CET  8.8.8.8    192.168.2.3  0xc086    No error (0)  noiphack93.hopto.org  -      81.249.236.18  A (IP address)  IN (0x0001)
                  Nov 22, 2020 00:41:04.525306940 CET  8.8.8.8    192.168.2.3  0x2762    No error (0)  noiphack93.hopto.org  -      81.249.236.18  A (IP address)  IN (0x0001)
                  Nov 22, 2020 00:41:27.845371962 CET  8.8.8.8    192.168.2.3  0x10f1    No error (0)  noiphack93.hopto.org  -      81.249.236.18  A (IP address)  IN (0x0001)
                  Nov 22, 2020 00:41:51.164169073 CET  8.8.8.8    192.168.2.3  0x23dd    No error (0)  noiphack93.hopto.org  -      81.249.236.18  A (IP address)  IN (0x0001)
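The TCP, DNS Queries and DNS Answers tables above are what a triage analyst turns into indicators: the C2 endpoint, the domain it was resolved from, how often the implant reconnects, and whether the server ever answered. The script below is an added example, not part of the Joe Sandbox report; its input records are transcribed from the tables above (fractional seconds truncated to six digits). Two things in it are interpretation rather than report fact: reading three outbound packets from one source port at 0 s, +3 s and +9 s with nothing in between as an unanswered SYN plus the Windows TCP stack's two default retransmissions, and the short list of dynamic-DNS suffixes, which is an illustrative assumption.

```python
"""C2 triage over the TCP and DNS records transcribed from the report above.
Added example, not part of the Joe Sandbox report. The 0/+3/+9 s SYN-retry
reading and the dynamic-DNS suffix list are assumptions, not report facts."""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Transcribed from "TCP Packets": (timestamp, src_port, dst_port, src_ip, dst_ip)
TCP_PACKETS = [
    ("2020-11-22 00:40:17.890508", 49722, 5553, "192.168.2.3", "81.249.236.18"),
    ("2020-11-22 00:40:20.973413", 49722, 5553, "192.168.2.3", "81.249.236.18"),
    ("2020-11-22 00:40:26.973902", 49722, 5553, "192.168.2.3", "81.249.236.18"),
    ("2020-11-22 00:40:41.291666", 49730, 5553, "192.168.2.3", "81.249.236.18"),
    ("2020-11-22 00:40:44.303378", 49730, 5553, "192.168.2.3", "81.249.236.18"),
    ("2020-11-22 00:40:50.319463", 49730, 5553, "192.168.2.3", "81.249.236.18"),
    ("2020-11-22 00:41:04.526819", 49740, 5553, "192.168.2.3", "81.249.236.18"),
    ("2020-11-22 00:41:07.541851", 49740, 5553, "192.168.2.3", "81.249.236.18"),
    ("2020-11-22 00:41:13.558038", 49740, 5553, "192.168.2.3", "81.249.236.18"),
    ("2020-11-22 00:41:27.847527", 49741, 5553, "192.168.2.3", "81.249.236.18"),
    ("2020-11-22 00:41:30.856450", 49741, 5553, "192.168.2.3", "81.249.236.18"),
    ("2020-11-22 00:41:36.856708", 49741, 5553, "192.168.2.3", "81.249.236.18"),
    ("2020-11-22 00:41:51.167507", 49744, 5553, "192.168.2.3", "81.249.236.18"),
    ("2020-11-22 00:41:54.170566", 49744, 5553, "192.168.2.3", "81.249.236.18"),
    ("2020-11-22 00:42:00.186686", 49744, 5553, "192.168.2.3", "81.249.236.18"),
]

# Transcribed from "DNS Answers": (timestamp, name, address)
DNS_ANSWERS = [
    ("2020-11-22 00:40:17.885140", "noiphack93.hopto.org", "81.249.236.18"),
    ("2020-11-22 00:40:41.287931", "noiphack93.hopto.org", "81.249.236.18"),
    ("2020-11-22 00:41:04.525306", "noiphack93.hopto.org", "81.249.236.18"),
    ("2020-11-22 00:41:27.845371", "noiphack93.hopto.org", "81.249.236.18"),
    ("2020-11-22 00:41:51.164169", "noiphack93.hopto.org", "81.249.236.18"),
]

# Assumed, illustrative list of No-IP dynamic-DNS suffixes; extend from your own intel.
DYNAMIC_DNS_SUFFIXES = ("hopto.org", "no-ip.org", "no-ip.biz", "ddns.net", "zapto.org")

# Windows default SYN schedule: initial packet, retry after 3 s, retry after a further 6 s.
WINDOWS_SYN_OFFSETS = [0, 3, 9]


def _ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S.%f")


def is_dynamic_dns(name):
    return name.lower().endswith(tuple("." + s for s in DYNAMIC_DNS_SUFFIXES))


def group_attempts(packets):
    """One connection attempt per (src, sport, dst, dport); offsets are seconds from its first packet."""
    by_flow = defaultdict(list)
    for ts, sport, dport, sip, dip in packets:
        by_flow[(sip, sport, dip, dport)].append(_ts(ts))
    attempts = []
    for (sip, sport, dip, dport), times in by_flow.items():
        times.sort()
        offsets = [round((t - times[0]).total_seconds()) for t in times]
        attempts.append({
            "src_port": sport, "dst": (dip, dport), "first": times[0],
            "packets": len(times), "offsets": offsets,
            # Only the Windows retry triple and nothing after it: the peer never completed the handshake.
            "unanswered_syn_pattern": offsets == WINDOWS_SYN_OFFSETS,
        })
    return sorted(attempts, key=lambda a: a["first"])


def correlate_dns(attempts, answers):
    """Attach the latest DNS answer (at or before the first packet) that resolved to the destination IP."""
    parsed = sorted((_ts(ts), name, addr) for ts, name, addr in answers)
    for a in attempts:
        prior = [(t, name) for t, name, addr in parsed if addr == a["dst"][0] and t <= a["first"]]
        a["resolved_from"] = prior[-1][1] if prior else None
        a["lookup_age_s"] = (a["first"] - prior[-1][0]).total_seconds() if prior else None
    return attempts


def beacon_interval(attempts):
    """Median seconds between the first packets of successive attempts."""
    firsts = [a["first"] for a in attempts]
    gaps = [(b - a).total_seconds() for a, b in zip(firsts, firsts[1:])]
    return median(gaps) if gaps else None


def summarize(packets=TCP_PACKETS, answers=DNS_ANSWERS):
    attempts = correlate_dns(group_attempts(packets), answers)
    domains = sorted({a["resolved_from"] for a in attempts if a["resolved_from"]})
    return {
        "attempts": attempts,
        "c2": sorted({a["dst"] for a in attempts}),
        "domains": domains,
        "dynamic_dns": [d for d in domains if is_dynamic_dns(d)],
        "all_unanswered": all(a["unanswered_syn_pattern"] for a in attempts),
        "beacon_interval_s": beacon_interval(attempts),
    }


if __name__ == "__main__":
    s = summarize()
    for a in s["attempts"]:
        age = "no prior lookup" if a["lookup_age_s"] is None else f'{a["lookup_age_s"]:.3f}s after lookup'
        print(f'{a["first"].time()} sport={a["src_port"]} -> {a["dst"]} offsets={a["offsets"]} via {a["resolved_from"]} ({age})')
    print("C2:", s["c2"], "dynamic DNS:", s["dynamic_dns"])
    print("unanswered SYN pattern on every attempt:", s["all_unanswered"])
    print(f'median beacon interval: {s["beacon_interval_s"]:.1f}s')
```

Run against the transcribed data it reports one C2 endpoint (81.249.236.18:5553), a fresh A lookup of noiphack93.hopto.org a few milliseconds before every connection attempt (the implant re-resolves the dynamic-DNS name each time rather than caching the address), the retry triple on all five attempts, and a reconnect interval of roughly 23 s. The practical caveat: if the retry reading is right, the C2 never answered during this run, so the report's later process activity reflects the implant's local behaviour only, not operator-issued commands.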

                  Code Manipulations


                  System Behavior

                  General

                  Start time:00:39:59
                  Start date:22/11/2020
                  Path:C:\Users\user\Desktop\z2d6Yt5v.exe
                  Wow64 process (32bit):true
                  Commandline:'C:\Users\user\Desktop\z2d6Yt5v.exe'
                  Imagebase:0x5e0000
                  File size:24064 bytes
                  MD5 hash:9BB6D4F72A348AD47CC97185604F4DD9
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:.Net C# or VB.NET
                  Yara matches:
                  • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000000.00000002.210341722.00000000005E2000.00000002.00020000.sdmp, Author: Joe Security
                  • Rule: njrat1, Description: Identify njRat, Source: 00000000.00000002.210341722.00000000005E2000.00000002.00020000.sdmp, Author: Brian Wallace @botnet_hunter
                  • Rule: Njrat, Description: detect njRAT in memory, Source: 00000000.00000002.210341722.00000000005E2000.00000002.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                  • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000000.00000002.211371973.0000000002C85000.00000004.00000001.sdmp, Author: Joe Security
                  • Rule: njrat1, Description: Identify njRat, Source: 00000000.00000002.211371973.0000000002C85000.00000004.00000001.sdmp, Author: Brian Wallace @botnet_hunter
                  • Rule: Njrat, Description: detect njRAT in memory, Source: 00000000.00000002.211371973.0000000002C85000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                  • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000000.00000000.194561361.00000000005E2000.00000002.00020000.sdmp, Author: Joe Security
                  • Rule: njrat1, Description: Identify njRat, Source: 00000000.00000000.194561361.00000000005E2000.00000002.00020000.sdmp, Author: Brian Wallace @botnet_hunter
                  • Rule: Njrat, Description: detect njRAT in memory, Source: 00000000.00000000.194561361.00000000005E2000.00000002.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                  Reputation:low

                  General

                  Start time:00:40:06
                  Start date:22/11/2020
                  Path:C:\Users\user\AppData\Local\Temp\Core Service.exe
                  Wow64 process (32bit):true
                  Commandline:'C:\Users\user\AppData\Local\Temp\Core Service.exe'
                  Imagebase:0x8b0000
                  File size:24064 bytes
                  MD5 hash:9BB6D4F72A348AD47CC97185604F4DD9
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:.Net C# or VB.NET
                  Yara matches:
                  • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000002.00000002.459233753.00000000008B2000.00000002.00020000.sdmp, Author: Joe Security
                  • Rule: njrat1, Description: Identify njRat, Source: 00000002.00000002.459233753.00000000008B2000.00000002.00020000.sdmp, Author: Brian Wallace @botnet_hunter
                  • Rule: Njrat, Description: detect njRAT in memory, Source: 00000002.00000002.459233753.00000000008B2000.00000002.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                  • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000002.00000000.210200221.00000000008B2000.00000002.00020000.sdmp, Author: Joe Security
                  • Rule: njrat1, Description: Identify njRat, Source: 00000002.00000000.210200221.00000000008B2000.00000002.00020000.sdmp, Author: Brian Wallace @botnet_hunter
                  • Rule: Njrat, Description: detect njRAT in memory, Source: 00000002.00000000.210200221.00000000008B2000.00000002.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                  • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000002.00000002.461812462.0000000002FB5000.00000004.00000001.sdmp, Author: Joe Security
                  • Rule: CN_disclosed_20180208_c, Description: Detects malware from disclosed CN malware set, Source: C:\Users\user\AppData\Local\Temp\Core Service.exe, Author: Florian Roth
                  • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Users\user\AppData\Local\Temp\Core Service.exe, Author: Joe Security
                  • Rule: njrat1, Description: Identify njRat, Source: C:\Users\user\AppData\Local\Temp\Core Service.exe, Author: Brian Wallace @botnet_hunter
                  • Rule: Njrat, Description: detect njRAT in memory, Source: C:\Users\user\AppData\Local\Temp\Core Service.exe, Author: JPCERT/CC Incident Response Group
                  Antivirus matches:
                  • Detection: 100%, Avira
                  • Detection: 100%, Joe Sandbox ML
                  • Detection: 84%, Virustotal, Browse
                  • Detection: 89%, Metadefender, Browse
                  • Detection: 90%, ReversingLabs
                  Reputation:low

                  General

                  Start time:00:40:14
                  Start date:22/11/2020
                  Path:C:\Windows\SysWOW64\netsh.exe
                  Wow64 process (32bit):true
                  Commandline:netsh firewall add allowedprogram 'C:\Users\user\AppData\Local\Temp\Core Service.exe' 'Core Service.exe' ENABLE
                  Imagebase:0xd90000
                  File size:82944 bytes
                  MD5 hash:A0AA3322BB46BBFC36AB9DC1DBBBB807
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high

                  General

                  Start time:00:40:14
                  Start date:22/11/2020
                  Path:C:\Windows\System32\conhost.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Imagebase:0x7ff6b2800000
                  File size:625664 bytes
                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high

                  General

                  Start time:00:40:25
                  Start date:22/11/2020
                  Path:C:\Users\user\AppData\Local\Temp\Core Service.exe
                  Wow64 process (32bit):true
                  Commandline:'C:\Users\user\AppData\Local\Temp\Core Service.exe' ..
                  Imagebase:0xec0000
                  File size:24064 bytes
                  MD5 hash:9BB6D4F72A348AD47CC97185604F4DD9
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:.Net C# or VB.NET
                  Yara matches:
                  • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000007.00000002.260704512.0000000000EC2000.00000002.00020000.sdmp, Author: Joe Security
                  • Rule: njrat1, Description: Identify njRat, Source: 00000007.00000002.260704512.0000000000EC2000.00000002.00020000.sdmp, Author: Brian Wallace @botnet_hunter
                  • Rule: Njrat, Description: detect njRAT in memory, Source: 00000007.00000002.260704512.0000000000EC2000.00000002.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                  • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000007.00000000.249387017.0000000000EC2000.00000002.00020000.sdmp, Author: Joe Security
                  • Rule: njrat1, Description: Identify njRat, Source: 00000007.00000000.249387017.0000000000EC2000.00000002.00020000.sdmp, Author: Brian Wallace @botnet_hunter
                  • Rule: Njrat, Description: detect njRAT in memory, Source: 00000007.00000000.249387017.0000000000EC2000.00000002.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                  Reputation:low

                  General

                  Start time:00:40:33
                  Start date:22/11/2020
                  Path:C:\Users\user\AppData\Local\Temp\Core Service.exe
                  Wow64 process (32bit):true
                  Commandline:'C:\Users\user\AppData\Local\Temp\Core Service.exe' ..
                  Imagebase:0x810000
                  File size:24064 bytes
                  MD5 hash:9BB6D4F72A348AD47CC97185604F4DD9
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:.Net C# or VB.NET
                  Yara matches:
                  • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 0000000A.00000000.267967586.0000000000812000.00000002.00020000.sdmp, Author: Joe Security
                  • Rule: njrat1, Description: Identify njRat, Source: 0000000A.00000000.267967586.0000000000812000.00000002.00020000.sdmp, Author: Brian Wallace @botnet_hunter
                  • Rule: Njrat, Description: detect njRAT in memory, Source: 0000000A.00000000.267967586.0000000000812000.00000002.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                  • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 0000000A.00000002.279339449.0000000000812000.00000002.00020000.sdmp, Author: Joe Security
                  • Rule: njrat1, Description: Identify njRat, Source: 0000000A.00000002.279339449.0000000000812000.00000002.00020000.sdmp, Author: Brian Wallace @botnet_hunter
                  • Rule: Njrat, Description: detect njRAT in memory, Source: 0000000A.00000002.279339449.0000000000812000.00000002.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                  Reputation:low

                  General

                  Start time:00:40:41
                  Start date:22/11/2020
                  Path:C:\Users\user\AppData\Local\Temp\Core Service.exe
                  Wow64 process (32bit):true
                  Commandline:'C:\Users\user\AppData\Local\Temp\Core Service.exe' ..
                  Imagebase:0x920000
                  File size:24064 bytes
                  MD5 hash:9BB6D4F72A348AD47CC97185604F4DD9
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:.Net C# or VB.NET
                  Yara matches:
                  • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 0000000F.00000002.296934602.0000000000922000.00000002.00020000.sdmp, Author: Joe Security
                  • Rule: njrat1, Description: Identify njRat, Source: 0000000F.00000002.296934602.0000000000922000.00000002.00020000.sdmp, Author: Brian Wallace @botnet_hunter
                  • Rule: Njrat, Description: detect njRAT in memory, Source: 0000000F.00000002.296934602.0000000000922000.00000002.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                  • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 0000000F.00000000.285488818.0000000000922000.00000002.00020000.sdmp, Author: Joe Security
                  • Rule: njrat1, Description: Identify njRat, Source: 0000000F.00000000.285488818.0000000000922000.00000002.00020000.sdmp, Author: Brian Wallace @botnet_hunter
                  • Rule: Njrat, Description: detect njRAT in memory, Source: 0000000F.00000000.285488818.0000000000922000.00000002.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                  Reputation:low
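The process list above shows the persistence and firewall steps in order: the dropped copy in %TEMP% starts, spawns netsh.exe with `netsh firewall add allowedprogram` for its own path, then re-launches itself repeatedly with the `..` argument. The legacy `netsh firewall` context is deprecated on current Windows but still executes (it prints a deprecation notice and creates the rule), so a detection has to cover both it and the `netsh advfirewall firewall add rule ... program=` form. The script below is an added example, not part of the Joe Sandbox report and not a Joe Sandbox or Sigma rule; its process-creation events are constructed to mirror the tree above (PIDs are invented, and a Chrome allow-rule and a second user-path rule are added for contrast). It flags any netsh invocation that allows a program living in a user-writable directory and marks the case where the parent process is the very program being allowed.

```python
"""Detection for the netsh firewall exception seen in the process tree above.
Added example, not part of the Joe Sandbox report. EVENTS is constructed:
PIDs are invented; command lines mirror the report (which renders quotes as
single quotes; both quote styles are tokenized). USER_WRITABLE is a coarse,
assumed list of user-writable path fragments."""
import re
from pathlib import PureWindowsPath

EVENTS = [  # constructed process-creation events
    {"pid": 100, "ppid": 10, "image": r"C:\Users\user\Desktop\z2d6Yt5v.exe",
     "cmd": r'"C:\Users\user\Desktop\z2d6Yt5v.exe"'},
    {"pid": 200, "ppid": 100, "image": r"C:\Users\user\AppData\Local\Temp\Core Service.exe",
     "cmd": r'"C:\Users\user\AppData\Local\Temp\Core Service.exe"'},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\SysWOW64\netsh.exe",
     "cmd": r'netsh firewall add allowedprogram "C:\Users\user\AppData\Local\Temp\Core Service.exe" "Core Service.exe" ENABLE'},
    {"pid": 400, "ppid": 1, "image": r"C:\Windows\System32\netsh.exe",   # benign contrast case
     "cmd": r'netsh advfirewall firewall add rule name="Chrome" dir=in action=allow program="C:\Program Files\Google\Chrome\Application\chrome.exe" enable=yes'},
    {"pid": 500, "ppid": 200, "image": r"C:\Windows\System32\netsh.exe",  # modern syntax, user path
     "cmd": r'netsh advfirewall firewall add rule name="svc" dir=in action=allow program="C:\Users\user\AppData\Roaming\svc.exe" enable=yes'},
]

USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\windows\\temp\\")  # assumed, coarse

# key=value with optional quoting, or a bare/quoted positional token
_TOKEN = re.compile(r"""(?:([A-Za-z]+)=)?(?:"([^"]*)"|'([^']*)'|([^\s"']+))""")


def tokenize(cmd):
    """Split a command line into (key, value) pairs; key is None for positional arguments."""
    return [(k.lower() if k else None, q1 or q2 or bare) for k, q1, q2, bare in _TOKEN.findall(cmd)]


def firewall_program(cmd):
    """Program path that a netsh command allows through the firewall, else None.
    Covers 'netsh firewall add allowedprogram <path|program=path>' and
    'netsh advfirewall firewall add rule ... action=allow program=<path>'."""
    toks = tokenize(cmd)
    positional = [v for k, v in toks if k is None]
    words = [v.lower() for v in positional]
    kv = {k: v for k, v in toks if k is not None}
    if not words or PureWindowsPath(words[0]).name not in ("netsh", "netsh.exe"):
        return None
    if "add" in words and "allowedprogram" in words:
        if "program" in kv:
            return kv["program"]
        i = words.index("allowedprogram")
        return positional[i + 1] if i + 1 < len(positional) else None
    if "advfirewall" in words and "add" in words and "rule" in words and kv.get("action", "").lower() == "allow":
        return kv.get("program")
    return None


def in_user_writable_dir(path):
    p = path.lower().replace("/", "\\")
    return any(marker in p for marker in USER_WRITABLE)


def detect(events):
    """Findings for netsh allow-rules whose program sits in a user-writable directory."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        prog = firewall_program(e["cmd"])
        if prog is None or not in_user_writable_dir(prog):
            continue
        parent = by_pid.get(e["ppid"])
        findings.append({
            "pid": e["pid"], "program": prog,
            "parent_image": parent["image"] if parent else None,
            # The process asking for the hole is the program being allowed: self-allowlisting.
            "self_allowlisting": bool(parent) and parent["image"].lower() == prog.lower(),
        })
    return findings


if __name__ == "__main__":
    for f in detect(EVENTS):
        tag = "SELF-ALLOWLIST" if f["self_allowlisting"] else "user-path allow rule"
        print(f'pid {f["pid"]}: {tag}: {f["program"]} (parent: {f["parent_image"]})')
```

On the constructed events this flags pid 300 as self-allowlisting (the parent, Core Service.exe in %TEMP%, is the program the rule allows) and pid 500 as a user-path allow rule, and ignores the Chrome rule under Program Files. Two design choices worth keeping in a production rule: match on the parsed `program` value rather than on substrings of the whole command line, so quoting and argument order do not matter, and treat the parent/program identity as a separate, higher-severity signal, since a legitimate installer rarely allowlists its own running binary from a temp directory.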

                  Disassembly

                  Code Analysis


                    Executed Functions

                    APIs
                    • CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 00DAAA05
                    Memory Dump Source
                    • Source File: 00000000.00000002.210797646.0000000000DAA000.00000040.00000001.sdmp, Offset: 00DAA000, based on PE: false
                    Similarity
                    • API ID: CreateFile
                    • String ID:
                    • API String ID: 823142352-0
                    • Opcode ID: 1ee87ac673339b2af08079367740c27712c2e7b30317d35263121f9892d272e4
                    • Instruction ID: 60fc12cc3c5f6d81d2388852d5c6ccd0b6adea7861393c14a5c36ae1edf1e182
                    • Opcode Fuzzy Hash: 1ee87ac673339b2af08079367740c27712c2e7b30317d35263121f9892d272e4
                    • Instruction Fuzzy Hash: 3E319EB2505380AFE722CF25CC44F66BFE8EF46314F08859AE9848B252D375E909CB71
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • CreateMutexW.KERNELBASE(?,?), ref: 00DAA6B9
                    Memory Dump Source
                    • Source File: 00000000.00000002.210797646.0000000000DAA000.00000040.00000001.sdmp, Offset: 00DAA000, based on PE: false
                    Similarity
                    • API ID: CreateMutex
                    • String ID:
                    • API String ID: 1964310414-0
                    • Opcode ID: f506c05fb8332708df4f8f79de31949650dba18476e7142c15c8392e2aecd749
                    • Instruction ID: f692bd6f6fbbc167c1a7d9d5453c2820a9d790e564a1d0d660412bbceb2b8b47
                    • Opcode Fuzzy Hash: f506c05fb8332708df4f8f79de31949650dba18476e7142c15c8392e2aecd749
                    • Instruction Fuzzy Hash: 913181B15097806FE712CB25CC85F56FFF8EF06310F08859AE9848B292D375A909CB72
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • RegQueryValueExW.KERNELBASE(?,00000E2C,EBF28CE8,00000000,00000000,00000000,00000000), ref: 00DAA40C
                    Memory Dump Source
                    • Source File: 00000000.00000002.210797646.0000000000DAA000.00000040.00000001.sdmp, Offset: 00DAA000, based on PE: false
                    Similarity
                    • API ID: QueryValue
                    • String ID:
                    • API String ID: 3660427363-0
                    • Opcode ID: 895349a603fee020664e78b1f4df9df82de4160ee8cc4cfbbd83b924cb8830dd
                    • Instruction ID: dd2551cfbb8b4368d205f012e1cf0edc2837c8398b3721bd0b7141db7e6182fc
                    • Opcode Fuzzy Hash: 895349a603fee020664e78b1f4df9df82de4160ee8cc4cfbbd83b924cb8830dd
                    • Instruction Fuzzy Hash: 4D317F71109744AFE722CF25CC84F52BFF8EF06710F08859AE9859B292D364E809CB72
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • GetFileType.KERNELBASE(?,00000E2C,EBF28CE8,00000000,00000000,00000000,00000000), ref: 00DAAAF1
                    Memory Dump Source
                    • Source File: 00000000.00000002.210797646.0000000000DAA000.00000040.00000001.sdmp, Offset: 00DAA000, based on PE: false
                    Similarity
                    • API ID: FileType
                    • String ID:
                    • API String ID: 3081899298-0
                    • Opcode ID: 00b13f0692072603da4ff8d82fcadc85c5704be120cb4bb1322a11e03835b872
                    • Instruction ID: d5a346b23fe8c7561d9890935a0628ab5fd5496f97fd778e110f69ee5000f2ef
                    • Opcode Fuzzy Hash: 00b13f0692072603da4ff8d82fcadc85c5704be120cb4bb1322a11e03835b872
                    • Instruction Fuzzy Hash: E921F8B64493806FE7138B25DC41FA2BFA8EF47720F1881DBED849B293D2646909C771
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • RegSetValueExW.KERNELBASE(?,00000E2C,EBF28CE8,00000000,00000000,00000000,00000000), ref: 00DAA4F8
                    Memory Dump Source
                    • Source File: 00000000.00000002.210797646.0000000000DAA000.00000040.00000001.sdmp, Offset: 00DAA000, based on PE: false
                    Similarity
                    • API ID: Value
                    • String ID:
                    • API String ID: 3702945584-0
                    • Opcode ID: 4e1d288cad8c70e76943079d2c3835f21e265d0139328d17fc12f31d770698a2
                    • Instruction ID: ea31e30f2eb5c4af7e02ce1ec7738fb90d25f7d72518513f7beb8e7855dbb9de
                    • Opcode Fuzzy Hash: 4e1d288cad8c70e76943079d2c3835f21e265d0139328d17fc12f31d770698a2
                    • Instruction Fuzzy Hash: D0218E72508380AFE7228F25DC44F67BFB8EF46310F08859AE9859B252D364E848C772
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 00DAAA05
                    Memory Dump Source
                    • Source File: 00000000.00000002.210797646.0000000000DAA000.00000040.00000001.sdmp, Offset: 00DAA000, based on PE: false
                    Similarity
                    • API ID: CreateFile
                    • String ID:
                    • API String ID: 823142352-0
                    • Opcode ID: 37e5fc69ab47d40b6a61392b6935191576a25becc3082c60463fda24e709d9b1
                    • Instruction ID: dab5e01338b3b72d218c0d72734c28c9dfe5d9aacc0cb163b155138aff913716
                    • Opcode Fuzzy Hash: 37e5fc69ab47d40b6a61392b6935191576a25becc3082c60463fda24e709d9b1
                    • Instruction Fuzzy Hash: B0217C71500640AFE721DF69CD45F66FBE8EF09710F18856AEA858B252D375E804CB72
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • CreateMutexW.KERNELBASE(?,?), ref: 00DAA6B9
                    Memory Dump Source
                    • Source File: 00000000.00000002.210797646.0000000000DAA000.00000040.00000001.sdmp, Offset: 00DAA000, based on PE: false
                    Similarity
                    • API ID: CreateMutex
                    • String ID:
                    • API String ID: 1964310414-0
                    • Opcode ID: 00c00a7c58e50a08bc2aea1f2a2c2fc9c8736bdc7fd91d398daf5b33349ec04a
                    • Instruction ID: b1737f82c19508269d69afe10490956af82cf428dfb22b58082825a9fb47c4fb
                    • Opcode Fuzzy Hash: 00c00a7c58e50a08bc2aea1f2a2c2fc9c8736bdc7fd91d398daf5b33349ec04a
                    • Instruction Fuzzy Hash: 50219F71500600AFE721DF29CC85F66FBE8EF05710F18856AED859B241E771E805CB76
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • WriteFile.KERNELBASE(?,00000E2C,EBF28CE8,00000000,00000000,00000000,00000000), ref: 00DAAC8D
                    Memory Dump Source
                    • Source File: 00000000.00000002.210797646.0000000000DAA000.00000040.00000001.sdmp, Offset: 00DAA000, based on PE: false
                    Similarity
                    • API ID: FileWrite
                    • String ID:
                    • API String ID: 3934441357-0
                    • Opcode ID: ec30459d7cb7cdcff90280c5857637c0c4445caf1b83593ccddf0c6b4d19d79c
                    • Instruction ID: 422a54c485103fe2e6f8d8a4ac2d9b68c5c6599f099266c660be450ea184b731
                    • Opcode Fuzzy Hash: ec30459d7cb7cdcff90280c5857637c0c4445caf1b83593ccddf0c6b4d19d79c
                    • Instruction Fuzzy Hash: 81216272405344AFEB228F55DC44F57FFB8EF46320F08859BEA459B252D275A508CB72
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • RegQueryValueExW.KERNELBASE(?,00000E2C,EBF28CE8,00000000,00000000,00000000,00000000), ref: 00DAA40C
                    Memory Dump Source
                    • Source File: 00000000.00000002.210797646.0000000000DAA000.00000040.00000001.sdmp, Offset: 00DAA000, based on PE: false
                    Similarity
                    • API ID: QueryValue
                    • String ID:
                    • API String ID: 3660427363-0
                    • Opcode ID: 918538a8a769f8b52483e304979098b50698d25429e76a14d145d732b8378081
                    • Instruction ID: 08b6cee80e13e4ac46c6787646e40722c1cb11ae5c0041366ea75724a34f1ad1
                    • Opcode Fuzzy Hash: 918538a8a769f8b52483e304979098b50698d25429e76a14d145d732b8378081
                    • Instruction Fuzzy Hash: 7F215E75500604AFEB20CF59CC84F67FBECEF09710F18856AE9499B251D7A4E809CA72
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • FindCloseChangeNotification.KERNELBASE(?), ref: 00DAA780
                    Memory Dump Source
                    • Source File: 00000000.00000002.210797646.0000000000DAA000.00000040.00000001.sdmp, Offset: 00DAA000, based on PE: false
                    Similarity
                    • API ID: ChangeCloseFindNotification
                    • String ID:
                    • API String ID: 2591292051-0
                    • Opcode ID: 56a5612c1c669554be6a1c2ab313ca45d0ded82fd93f1e14b383c3d447f93ee4
                    • Instruction ID: 85317fdb6b9e6e26f56e8c8fd24cb8ad0af58e766a312a0b7ace1e5c6d3b43ae
                    • Opcode Fuzzy Hash: 56a5612c1c669554be6a1c2ab313ca45d0ded82fd93f1e14b383c3d447f93ee4
                    • Instruction Fuzzy Hash: EF2192B14097849FD7128B28DC85B52BFB8EF47220F0981DBDD458F663D2745905CB62
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • RegSetValueExW.KERNELBASE(?,00000E2C,EBF28CE8,00000000,00000000,00000000,00000000), ref: 00DAA4F8
                    Memory Dump Source
                    • Source File: 00000000.00000002.210797646.0000000000DAA000.00000040.00000001.sdmp, Offset: 00DAA000, based on PE: false
                    Similarity
                    • API ID: Value
                    • String ID:
                    • API String ID: 3702945584-0
                    • Opcode ID: dcd36491f9add2f35834755d2f07aeb9bc7d8e938ee34ed09005884911461907
                    • Instruction ID: 5f0d5081a1f9e8aa8cfeba18aeb5d58e79989e730dcc053bc91e8bbf8073f098
                    • Opcode Fuzzy Hash: dcd36491f9add2f35834755d2f07aeb9bc7d8e938ee34ed09005884911461907
                    • Instruction Fuzzy Hash: 17119072500604AFEB218F19DC45F6BFBECEF19710F18855AEE499B241D7B0E808CA72
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • SetErrorMode.KERNELBASE(?), ref: 00DAA330
                    Memory Dump Source
                    • Source File: 00000000.00000002.210797646.0000000000DAA000.00000040.00000001.sdmp, Offset: 00DAA000, based on PE: false
                    Similarity
                    • API ID: ErrorMode
                    • String ID:
                    • API String ID: 2340568224-0
                    • Opcode ID: 6603b2f4c0e0248177b73a5d8315e163c18be3b7a0d3be3372b3ffd5a5c530a0
                    • Instruction ID: 89fabbda4b455d4a793f4267f94e30d31daacb82962f62958caa86694ded1ba9
                    • Opcode Fuzzy Hash: 6603b2f4c0e0248177b73a5d8315e163c18be3b7a0d3be3372b3ffd5a5c530a0
                    • Instruction Fuzzy Hash: 8E212C7140E3C4AFD7138B699C54A52BFB49F07220F0D80DBDD848F2A3D2696808DB72
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • WriteFile.KERNELBASE(?,00000E2C,EBF28CE8,00000000,00000000,00000000,00000000), ref: 00DAAC8D
                    Memory Dump Source
                    • Source File: 00000000.00000002.210797646.0000000000DAA000.00000040.00000001.sdmp, Offset: 00DAA000, based on PE: false
                    Similarity
                    • API ID: FileWrite
                    • String ID:
                    • API String ID: 3934441357-0
                    • Opcode ID: e92dba4e43a3b71de00230ef4919fe178dac8e610a85a0ecb3a1672fea359c85
                    • Instruction ID: 5cda01d2c7ddf9a3c1f0aeb7565c58d6207d963138575bfadd32f8b79b6af474
                    • Opcode Fuzzy Hash: e92dba4e43a3b71de00230ef4919fe178dac8e610a85a0ecb3a1672fea359c85
                    • Instruction Fuzzy Hash: 9511BF72400200EFEB218F59DC40F66FBA8EF45320F18896BEE459B251D375A408CB72
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • GetFileType.KERNELBASE(?,00000E2C,EBF28CE8,00000000,00000000,00000000,00000000), ref: 00DAAAF1
                    Memory Dump Source
                    • Source File: 00000000.00000002.210797646.0000000000DAA000.00000040.00000001.sdmp, Offset: 00DAA000, based on PE: false
                    Similarity
                    • API ID: FileType
                    • String ID:
                    • API String ID: 3081899298-0
                    • Opcode ID: 9d165f2a13870abb197b7f1221fee6b00e5b97dd351d8a290f7f0a369d1ce088
                    • Instruction ID: 98b1f2a63368ef61828d8592d8282b513e51897f96908b4da355f3375826afb5
                    • Opcode Fuzzy Hash: 9d165f2a13870abb197b7f1221fee6b00e5b97dd351d8a290f7f0a369d1ce088
                    Similarity
                    • API ID: CreateFile
                    • String ID:
                    • API String ID: 823142352-0
                    • Opcode ID: 6e28d0a04556a5bb87a600f358a8ab394f3157a9fb04ebb79e61aa53e3138cbd
                    • Instruction ID: 20f08f97b0139f84e4518693e340919f7559a451920272c6c05c9f2bdc68951a
                    • Opcode Fuzzy Hash: 6e28d0a04556a5bb87a600f358a8ab394f3157a9fb04ebb79e61aa53e3138cbd
                    • Instruction Fuzzy Hash: A2217FB1A00640AFE721DF65D884B66FBE8EF04710F18856EED85AB251D771E804CB72
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(?,00000E2C), ref: 02B30A47
                    Memory Dump Source
                    • Source File: 00000002.00000002.460760461.0000000002B30000.00000040.00000001.sdmp, Offset: 02B30000, based on PE: false
                    Similarity
                    • API ID: DescriptorSecurity$ConvertString
                    • String ID:
                    • API String ID: 3907675253-0
                    • Opcode ID: 7f4ba2a769b662492388ce467499037b247eefd5031e85d8e01646ed275689e7
                    • Instruction ID: 48b99de1d2a3a9d21861c24663ee02e61a38f76e34ab5fbb58046bef643084d5
                    • Opcode Fuzzy Hash: 7f4ba2a769b662492388ce467499037b247eefd5031e85d8e01646ed275689e7
                    • Instruction Fuzzy Hash: 89219272500204AFEB21DF29DC45F6BFBACEF44710F14886AED45DB241D674A505CB71
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • RegQueryValueExW.KERNELBASE(?,00000E2C,D24E1938,00000000,00000000,00000000,00000000), ref: 02B3095C
                    Memory Dump Source
                    • Source File: 00000002.00000002.460760461.0000000002B30000.00000040.00000001.sdmp, Offset: 02B30000, based on PE: false
                    Similarity
                    • API ID: QueryValue
                    • String ID:
                    • API String ID: 3660427363-0
                    • Opcode ID: 4b34751791568f0c6d6ad33ea89772fdd1ec793683b0042e344e9ab9ca760587
                    • Instruction ID: fffcfb61430bf4a82aae681c952d57d7a78872e05be761ecc826946cb9af827d
                    • Opcode Fuzzy Hash: 4b34751791568f0c6d6ad33ea89772fdd1ec793683b0042e344e9ab9ca760587
                    • Instruction Fuzzy Hash: F4218C72105340AFE722CF15DC44F56FFE8EF56310F08899AEA859B252C364E848CB61
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 02B314CE
                    Memory Dump Source
                    • Source File: 00000002.00000002.460760461.0000000002B30000.00000040.00000001.sdmp, Offset: 02B30000, based on PE: false
                    Similarity
                    • API ID: LookupPrivilegeValue
                    • String ID:
                    • API String ID: 3899507212-0
                    • Opcode ID: b60e5ad7af010bf75a7071e1fc2963a55cacf13a8ff1ab809e8d4d49831fdd8b
                    • Instruction ID: 084e45e845a455e91d22e12fca7caed69fd99c04ea832083714ce44d19d0c6d6
                    • Opcode Fuzzy Hash: b60e5ad7af010bf75a7071e1fc2963a55cacf13a8ff1ab809e8d4d49831fdd8b
                    • Instruction Fuzzy Hash: BA214F725093805FDB128B25DC55BA2BFE8EF56210F0D84EAD989CB263D2649944CB61
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • RegOpenKeyExW.KERNELBASE(?,00000E2C), ref: 00E6A945
                    Memory Dump Source
                    • Source File: 00000002.00000002.459772741.0000000000E6A000.00000040.00000001.sdmp, Offset: 00E6A000, based on PE: false
                    Similarity
                    • API ID: Open
                    • String ID:
                    • API String ID: 71445658-0
                    • Opcode ID: dfbd7136d3bb10b90c3e495d653d80be4faf2e410da597ed889484dd8ba8e8e3
                    • Instruction ID: e071da94081a4147e895717867c547d30b13c72404fb00fd8b1617a785168f88
                    • Opcode Fuzzy Hash: dfbd7136d3bb10b90c3e495d653d80be4faf2e410da597ed889484dd8ba8e8e3
                    • Instruction Fuzzy Hash: C921A472900204AFE7219F15EC45F6BFBECEF54710F18856BEE45AB251D664E408CB72
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • GetProcessWorkingSetSize.KERNEL32(?,00000E2C,D24E1938,00000000,00000000,00000000,00000000), ref: 02B318B7
                    Memory Dump Source
                    • Source File: 00000002.00000002.460760461.0000000002B30000.00000040.00000001.sdmp, Offset: 02B30000, based on PE: false
                    Similarity
                    • API ID: ProcessSizeWorking
                    • String ID:
                    • API String ID: 3584180929-0
                    • Opcode ID: 8ace1d0ecd1161eaa6ca6cf981a43f35632239ba6112c0e6fad83756439a7708
                    • Instruction ID: ab2a8ac93c0fecd2c21c1e121a82b85b454abc7ec1488db835ff0aed55501515
                    • Opcode Fuzzy Hash: 8ace1d0ecd1161eaa6ca6cf981a43f35632239ba6112c0e6fad83756439a7708
                    • Instruction Fuzzy Hash: 56219272509384AFE712CF25DC45F5ABFA8EF46310F0884ABEA49DB152D374A904CB61
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • SetProcessWorkingSetSize.KERNEL32(?,00000E2C,D24E1938,00000000,00000000,00000000,00000000), ref: 02B3199B
                    Memory Dump Source
                    • Source File: 00000002.00000002.460760461.0000000002B30000.00000040.00000001.sdmp, Offset: 02B30000, based on PE: false
                    Similarity
                    • API ID: ProcessSizeWorking
                    • String ID:
                    • API String ID: 3584180929-0
                    • Opcode ID: 8ace1d0ecd1161eaa6ca6cf981a43f35632239ba6112c0e6fad83756439a7708
                    • Instruction ID: 142477bb88f8b2a7521141d45b13418fd780ad0f5ba896a3b9bba7a968321023
                    • Opcode Fuzzy Hash: 8ace1d0ecd1161eaa6ca6cf981a43f35632239ba6112c0e6fad83756439a7708
                    • Instruction Fuzzy Hash: 5B21C272509384AFEB12CF65DC45F57BFA8EF46310F0884ABEA49DB152C274A804CB71
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • CreateMutexW.KERNELBASE(?,?), ref: 00E6A6B9
                    Memory Dump Source
                    • Source File: 00000002.00000002.459772741.0000000000E6A000.00000040.00000001.sdmp, Offset: 00E6A000, based on PE: false
                    Similarity
                    • API ID: CreateMutex
                    • String ID:
                    • API String ID: 1964310414-0
                    • Opcode ID: 94a5dc33559a3f554be661871da8f08e5b8f9e41cedfffe8f82d714aaa0630ca
                    • Instruction ID: 0c3ad54662b2989d407793bbeb0942fea56034b7c137532d07a9594e9a41c0df
                    • Opcode Fuzzy Hash: 94a5dc33559a3f554be661871da8f08e5b8f9e41cedfffe8f82d714aaa0630ca
                    • Instruction Fuzzy Hash: 5821B0B1900200AFF720DF25DC85B6AFBE8EF04314F18846AED45AB241D771E805CB72
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • FindCloseChangeNotification.KERNELBASE(?), ref: 00E6A780
                    Memory Dump Source
                    • Source File: 00000002.00000002.459772741.0000000000E6A000.00000040.00000001.sdmp, Offset: 00E6A000, based on PE: false
                    Similarity
                    • API ID: ChangeCloseFindNotification
                    • String ID:
                    • API String ID: 2591292051-0
                    • Opcode ID: bd7a0e9193c4dcb0f1eded0dbde25110b0a9e5a3e2e5e8b1f9ef7a1db8290558
                    • Instruction ID: c0ee2423090a411b3ca8b73a738d8982c4d200a0dc26329379815ce34f5aa1aa
                    • Opcode Fuzzy Hash: bd7a0e9193c4dcb0f1eded0dbde25110b0a9e5a3e2e5e8b1f9ef7a1db8290558
                    • Instruction Fuzzy Hash: 9E21C2B68457809FD7128B14EC45752BFB8EB52324F0D80EBDD45AB163D234A908CB62
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • setsockopt.WS2_32(?,00000E2C,D24E1938,00000000,00000000,00000000,00000000), ref: 02B30291
                    Memory Dump Source
                    • Source File: 00000002.00000002.460760461.0000000002B30000.00000040.00000001.sdmp, Offset: 02B30000, based on PE: false
                    Similarity
                    • API ID: setsockopt
                    • String ID:
                    • API String ID: 3981526788-0
                    • Opcode ID: cb3f154a8420e6019590cbf87033cbee71289e199ffb91105bb4d8485a7ed061
                    • Instruction ID: c6ca599906e8d74789952f7022d2defe7276687655081fb3bd459d79301ed6f5
                    • Opcode Fuzzy Hash: cb3f154a8420e6019590cbf87033cbee71289e199ffb91105bb4d8485a7ed061
                    • Instruction Fuzzy Hash: EE215072405344AFEB228F55DC44F56FFB8EF46310F08859BEA859B152C275A508CB61
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • RegQueryValueExW.KERNELBASE(?,00000E2C,D24E1938,00000000,00000000,00000000,00000000), ref: 00E6A40C
                    Memory Dump Source
                    • Source File: 00000002.00000002.459772741.0000000000E6A000.00000040.00000001.sdmp, Offset: 00E6A000, based on PE: false
                    Similarity
                    • API ID: QueryValue
                    • String ID:
                    • API String ID: 3660427363-0
                    • Opcode ID: 322f1dcfb9d5be82ada8966f6ff1280fd9d8f4bc05e319dfec1d358f763f5c90
                    • Instruction ID: 6104cd6d6dfe5a9708c1e882c3b580c40f05f6fd25d5e65cbdb5221f214b00e3
                    • Opcode Fuzzy Hash: 322f1dcfb9d5be82ada8966f6ff1280fd9d8f4bc05e319dfec1d358f763f5c90
                    • Instruction Fuzzy Hash: 64218E71540604AEE720CF15DC84FA7FBECEF14750F18846AED45EB251D6A4E849CA72
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • FindCloseChangeNotification.KERNELBASE(?), ref: 02B31708
                    Memory Dump Source
                    • Source File: 00000002.00000002.460760461.0000000002B30000.00000040.00000001.sdmp, Offset: 02B30000, based on PE: false
                    Similarity
                    • API ID: ChangeCloseFindNotification
                    • String ID:
                    • API String ID: 2591292051-0
                    • Opcode ID: b4166c90bca150a0bbdb95cc0210d7efd86fd9769e4421dcdfb6ea7411f449f1
                    • Instruction ID: 64d60ab0ab5688757b6fdd1e9ff4d100443c1d349198cf5e825846ea1895ff18
                    • Opcode Fuzzy Hash: b4166c90bca150a0bbdb95cc0210d7efd86fd9769e4421dcdfb6ea7411f449f1
                    • Instruction Fuzzy Hash: 0721A1B25093C09FEB038F25DC54792BFA4AF57224F0D80DAED858F263D2749908CB61
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • OpenFileMappingW.KERNELBASE(?,?), ref: 02B30BF1
                    Memory Dump Source
                    • Source File: 00000002.00000002.460760461.0000000002B30000.00000040.00000001.sdmp, Offset: 02B30000, based on PE: false
                    Similarity
                    • API ID: FileMappingOpen
                    • String ID:
                    • API String ID: 1680863896-0
                    • Opcode ID: fbd5bdd77922c76702568019da83a4e9d5090372dd6dcf70fc03b6ebe4614704
                    • Instruction ID: c24929722ab6278430f19523107edd77ce809bfc0c064ac16a668fe88ad1ab58
                    • Opcode Fuzzy Hash: fbd5bdd77922c76702568019da83a4e9d5090372dd6dcf70fc03b6ebe4614704
                    • Instruction Fuzzy Hash: D121A171504200AFF721DF29DC85B66FBD8EF44324F1484AAED458B241D375E809CA71
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • WSASocketW.WS2_32(?,?,?,?,?), ref: 02B30506
                    Memory Dump Source
                    • Source File: 00000002.00000002.460760461.0000000002B30000.00000040.00000001.sdmp, Offset: 02B30000, based on PE: false
                    Similarity
                    • API ID: Socket
                    • String ID:
                    • API String ID: 38366605-0
                    • Opcode ID: ac1b38df5669f7a5c134f553cc1bdf89fa7797a434dddf6203ffe7712a004dfa
                    • Instruction ID: 7afa9adf32a3e77f799f100389521a103c6597fe39add7bf45aafcc249ea989f
                    • Opcode Fuzzy Hash: ac1b38df5669f7a5c134f553cc1bdf89fa7797a434dddf6203ffe7712a004dfa
                    • Instruction Fuzzy Hash: 27219F72504640AFE721DF65DC85B66FFE8EF44310F14899EEE858B252D375A404CB61
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000002.00000002.460760461.0000000002B30000.00000040.00000001.sdmp, Offset: 02B30000, based on PE: false
                    Similarity
                    • API ID: FileView
                    • String ID:
                    • API String ID: 3314676101-0
                    • Opcode ID: af4ac1b22e2bdaa2c3d4aa9cf89507a18d2d53b2388fc59d2e56be0f173ddc5b
                    • Instruction ID: 77b17183f05e5ffe5fcfceef9377b44b52b2dc997de0a20a2c7adc9022f4a1e2
                    • Opcode Fuzzy Hash: af4ac1b22e2bdaa2c3d4aa9cf89507a18d2d53b2388fc59d2e56be0f173ddc5b
                    • Instruction Fuzzy Hash: 53219D71500204AFE721DF15DC44FA6FBE8EF08320F14899AEE899B251D376A549CB62
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • WSAConnect.WS2_32(?,?,?,?,?,?,?), ref: 02B3140A
                    Memory Dump Source
                    • Source File: 00000002.00000002.460760461.0000000002B30000.00000040.00000001.sdmp, Offset: 02B30000, based on PE: false
                    Similarity
                    • API ID: Connect
                    • String ID:
                    • API String ID: 3144859779-0
                    • Opcode ID: d5265c71c165a353cdbbaa07eb6c5b419e882ee502d6d18af745fd551d224121
                    • Instruction ID: e18d63e8889cdb6c987a8473cdb17f41212f0dd1f0e7790d28c09ed4fa668ea8
                    • Opcode Fuzzy Hash: d5265c71c165a353cdbbaa07eb6c5b419e882ee502d6d18af745fd551d224121
                    • Instruction Fuzzy Hash: B821A471408384AFDB228F55DC44B52FFF8EF46210F0885DAED898B163D375A819DB61
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • SendMessageTimeoutA.USER32(?,00000E2C), ref: 00E6AA49
                    Memory Dump Source
                    • Source File: 00000002.00000002.459772741.0000000000E6A000.00000040.00000001.sdmp, Offset: 00E6A000, based on PE: false
                    Similarity
                    • API ID: MessageSendTimeout
                    • String ID:
                    • API String ID: 1599653421-0
                    • Opcode ID: 19e8ec704b2391cc0b4254df5f2b3cf7bc404c486494da4ec673c5bd0b8bf875
                    • Instruction ID: fc1eabd02c4b42ef0c48e81995d45c90055497a83de709603c562b9040e3e40e
                    • Opcode Fuzzy Hash: 19e8ec704b2391cc0b4254df5f2b3cf7bc404c486494da4ec673c5bd0b8bf875
                    • Instruction Fuzzy Hash: FF21E171400200AFEB219F54DD41F66FFA8EF44720F18896BEE456A251D275A909CF72
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • K32EnumProcesses.KERNEL32(?,?,?,D24E1938,00000000,?,?,?,?,?,?,?,?,72F43C38), ref: 02B31B36
                    Memory Dump Source
                    • Source File: 00000002.00000002.460760461.0000000002B30000.00000040.00000001.sdmp, Offset: 02B30000, based on PE: false
                    Similarity
                    • API ID: EnumProcesses
                    • String ID:
                    • API String ID: 84517404-0
                    • Opcode ID: 94e41c09568adf3c9b64f85ed543b731104270145fccfba216f37a0ed8deb926
                    • Instruction ID: b52b11e816399bae9bf5a024876506cfc7952391c06ac03f52c59e4c73fd5c60
                    • Opcode Fuzzy Hash: 94e41c09568adf3c9b64f85ed543b731104270145fccfba216f37a0ed8deb926
                    • Instruction Fuzzy Hash: 092184755093846FD712CF25DC44BA2BFE8EF46210F0884DAED85CF162D2759908CB71
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • RegSetValueExW.KERNELBASE(?,00000E2C,D24E1938,00000000,00000000,00000000,00000000), ref: 00E6A4F8
                    Memory Dump Source
                    • Source File: 00000002.00000002.459772741.0000000000E6A000.00000040.00000001.sdmp, Offset: 00E6A000, based on PE: false
                    Similarity
                    • API ID: Value
                    • String ID:
                    • API String ID: 3702945584-0
                    • Opcode ID: e0b1e0103c9ad8663da67d77f3a449960a9f9278a30d7065aff2af896c889d44
                    • Instruction ID: 9bb14fb9cfc3a59b7915a7b17f281a090b30d1ec846319f24e248bce490dbde7
                    • Opcode Fuzzy Hash: e0b1e0103c9ad8663da67d77f3a449960a9f9278a30d7065aff2af896c889d44
                    • Instruction Fuzzy Hash: E711D371540600AFEB20CF15DC45F67FBECEF14710F18946AED46AB241D6B0E804CA72
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • RegQueryValueExW.KERNELBASE(?,00000E2C,D24E1938,00000000,00000000,00000000,00000000), ref: 02B3095C
                    Memory Dump Source
                    • Source File: 00000002.00000002.460760461.0000000002B30000.00000040.00000001.sdmp, Offset: 02B30000, based on PE: false
                    Similarity
                    • API ID: QueryValue
                    • String ID:
                    • API String ID: 3660427363-0
                    • Opcode ID: 9e2469a086f70596a21e81d1c71b1cc1d26a8fea31a3a985cfb5b366fae4a1d1
                    • Instruction ID: aecf05ea59072f56963dff32e45922bbc4aef4530f912a171e0c283aeb954896
                    • Opcode Fuzzy Hash: 9e2469a086f70596a21e81d1c71b1cc1d26a8fea31a3a985cfb5b366fae4a1d1
                    • Instruction Fuzzy Hash: 2811BE72500604AFEB21DF19DC80F67FBE8EF14720F0889AAEE459B252D760E408CB71
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • CopyFileW.KERNELBASE(?,?,?), ref: 00E6AE6A
                    Memory Dump Source
                    • Source File: 00000002.00000002.459772741.0000000000E6A000.00000040.00000001.sdmp, Offset: 00E6A000, based on PE: false
                    Similarity
                    • API ID: CopyFile
                    • String ID:
                    • API String ID: 1304948518-0
                    • Opcode ID: a791c5e821fbe9ffa72c60edaedb7d34eb65edfe31408dd4d7653b55dd5f3f78
                    • Instruction ID: fbc4010fdcd002ce3d65906f1233e027fa9e851955ac2f243f1f4167cf60a137
                    • Opcode Fuzzy Hash: a791c5e821fbe9ffa72c60edaedb7d34eb65edfe31408dd4d7653b55dd5f3f78
                    • Instruction Fuzzy Hash: 7011A2B19453809FD721CF25DC84B56BFE8EF55210F0C84AAED45DB252D275E844CB61
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • GetProcessTimes.KERNELBASE(?,00000E2C,D24E1938,00000000,00000000,00000000,00000000), ref: 02B31151
                    Memory Dump Source
                    • Source File: 00000002.00000002.460760461.0000000002B30000.00000040.00000001.sdmp, Offset: 02B30000, based on PE: false
                    Similarity
                    • API ID: ProcessTimes
                    • String ID:
                    • API String ID: 1995159646-0
                    • Opcode ID: 37a65eaee4e5d50c4c65d8ae99fd692422fbb1fa7980f873fd332089795c4253
                    • Instruction ID: d373bfe4ff4b5617a4933f2cda613d4fdbb4e38d6814a2e4d8efa6736bd2ae51
                    • Opcode Fuzzy Hash: 37a65eaee4e5d50c4c65d8ae99fd692422fbb1fa7980f873fd332089795c4253
                    • Instruction Fuzzy Hash: 4F11E271500600AFEB218F69DC85FABFBACEF44320F1484ABEE499B251D674A444CBB1
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • GetProcessWorkingSetSize.KERNEL32(?,00000E2C,D24E1938,00000000,00000000,00000000,00000000), ref: 02B318B7
                    Memory Dump Source
                    • Source File: 00000002.00000002.460760461.0000000002B30000.00000040.00000001.sdmp, Offset: 02B30000, based on PE: false
                    Similarity
                    • API ID: ProcessSizeWorking
                    • String ID:
                    • API String ID: 3584180929-0
                    • Opcode ID: 12a4ba115df0ace33f065c1f49e9bc1397563577f8c72e04c90b0270b2e8b8fa
                    • Instruction ID: 282d5b1c36491a3a4323900b2630af9f272dd3a04300a7256ec1694995055e75
                    • Opcode Fuzzy Hash: 12a4ba115df0ace33f065c1f49e9bc1397563577f8c72e04c90b0270b2e8b8fa
                    • Instruction Fuzzy Hash: 0511BF71500204AFEB118F69DC85B6ABBACEF45321F1484ABEE099B251D674A904CBB5
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • SetProcessWorkingSetSize.KERNEL32(?,00000E2C,D24E1938,00000000,00000000,00000000,00000000), ref: 02B3199B
                    Memory Dump Source
                    • Source File: 00000002.00000002.460760461.0000000002B30000.00000040.00000001.sdmp, Offset: 02B30000, based on PE: false
                    Similarity
                    • API ID: ProcessSizeWorking
                    • String ID:
                    • API String ID: 3584180929-0
                    • Opcode ID: 12a4ba115df0ace33f065c1f49e9bc1397563577f8c72e04c90b0270b2e8b8fa
                    • Instruction ID: 9640bf4e1f8dd5dba78d14f696ee99e62507814dbe5c36a4f711ca2aa5ac7895
                    • Opcode Fuzzy Hash: 12a4ba115df0ace33f065c1f49e9bc1397563577f8c72e04c90b0270b2e8b8fa
                    • Instruction Fuzzy Hash: DA11B271500204AFEB11CF69DC45B6BBB9CEF45320F1485ABEE499B241D674A405CB71
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00E6B36E
                    Memory Dump Source
                    • Source File: 00000002.00000002.459772741.0000000000E6A000.00000040.00000001.sdmp, Offset: 00E6A000, based on PE: false
                    Similarity
                    • API ID: DuplicateHandle
                    • String ID:
                    • API String ID: 3793708945-0
                    • Opcode ID: aaa74b4e40194e48d618fe59d16cc03b689b1a6f36d6a6848536de2d40ab8302
                    • Instruction ID: 296c2ea9a1f450f00f567c922e73b26bcf09381ab88463c06d6addde01ed16b5
                    • Opcode Fuzzy Hash: aaa74b4e40194e48d618fe59d16cc03b689b1a6f36d6a6848536de2d40ab8302
                    • Instruction Fuzzy Hash: 2811B471449380AFDB228F50DC44A62FFF4EF4A310F0885DEEE858B162C375A818DB61
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • GetExitCodeProcess.KERNELBASE(?,00000E2C,D24E1938,00000000,00000000,00000000,00000000), ref: 02B317D8
                    Memory Dump Source
                    • Source File: 00000002.00000002.460760461.0000000002B30000.00000040.00000001.sdmp, Offset: 02B30000, based on PE: false
                    Similarity
                    • API ID: CodeExitProcess
                    • String ID:
                    • API String ID: 3861947596-0
                    • Opcode ID: ae39997799487cd7012f9628f7fdbf7e622ef7c41a15d1fef0e663bca0c4363b
                    • Instruction ID: 35ace28d4215d5a3f26d0313399eca502812d75d4b89ca81fa86a0dfced1ca11
                    • Opcode Fuzzy Hash: ae39997799487cd7012f9628f7fdbf7e622ef7c41a15d1fef0e663bca0c4363b
                    • Instruction Fuzzy Hash: 5411A371500204EFEB11CF29DC85BABBBACDF45321F1884ABEE09DB241D674A805CB71
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • setsockopt.WS2_32(?,00000E2C,D24E1938,00000000,00000000,00000000,00000000), ref: 02B30291
                    Memory Dump Source
                    • Source File: 00000002.00000002.460760461.0000000002B30000.00000040.00000001.sdmp, Offset: 02B30000, based on PE: false
                    Similarity
                    • API ID: setsockopt
                    • String ID:
                    • API String ID: 3981526788-0
                    • Opcode ID: b6f72649c82ea8d9bc31c85f687aab1ae45d3c87dda33b7386887d6dda99da52
                    • Instruction ID: 5586ae087fe459b4b7136c3f4fec21d1dc1cd9b5f2b459f69a282a67382a11e6
                    • Opcode Fuzzy Hash: b6f72649c82ea8d9bc31c85f687aab1ae45d3c87dda33b7386887d6dda99da52
                    • Instruction Fuzzy Hash: 8D11C171400200EFEB22DF55DC40F6AFFA8EF45320F1488ABEE899B251C674A408CBB1
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • GetComputerNameW.KERNEL32(?,00000E2C,?,?), ref: 02B308A2
                    Memory Dump Source
                    • Source File: 00000002.00000002.460760461.0000000002B30000.00000040.00000001.sdmp, Offset: 02B30000, based on PE: false
                    Similarity
                    • API ID: ComputerName
                    • String ID:
                    • API String ID: 3545744682-0
                    • Opcode ID: 86b547dd7d3f9058f51b1a82a9dafe0eb0312bf9630f0084b89807978134b050
                    • Instruction ID: f0ff25ea2d4071eea4868d84456f7b286cb88db03c53d01133e1cbf2b631f05d
                    • Opcode Fuzzy Hash: 86b547dd7d3f9058f51b1a82a9dafe0eb0312bf9630f0084b89807978134b050
                    • Instruction Fuzzy Hash: 0611B6715093806FD3118B15CC45F26FFB4EF86720F19819FED488B692D225B915CBA2
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000002.00000002.459772741.0000000000E6A000.00000040.00000001.sdmp, Offset: 00E6A000, based on PE: false
                    Similarity
                    • API ID: closesocket
                    • String ID:
                    • API String ID: 2781271927-0
                    • Opcode ID: 62c1541d1b0b87463e2e1815ef30600d3a9ef1daab32f98e5fcf5be83d0f89a8
                    • Instruction ID: 7f3cc24900c56709eebd69bb1ae58ed16b7ec924797475143e87910118037833
                    • Opcode Fuzzy Hash: 62c1541d1b0b87463e2e1815ef30600d3a9ef1daab32f98e5fcf5be83d0f89a8
                    • Instruction Fuzzy Hash: E71160714493C4AFDB128F25DC44A92BFB4DF46215F0884DAED849F153C275A948DB62
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • SetErrorMode.KERNELBASE(?), ref: 00E6A330
                    Memory Dump Source
                    • Source File: 00000002.00000002.459772741.0000000000E6A000.00000040.00000001.sdmp, Offset: 00E6A000, based on PE: false
                    Similarity
                    • API ID: ErrorMode
                    • String ID:
                    • API String ID: 2340568224-0
                    • Opcode ID: 606bd0506a2202179c45a99fc03c66693659f7eed7c0ac3fe97bd16224d13211
                    • Instruction ID: 56425d4c321b95b7f8483693693946cac884e8cbc502e8a378527ff2148d058c
                    • Opcode Fuzzy Hash: 606bd0506a2202179c45a99fc03c66693659f7eed7c0ac3fe97bd16224d13211
                    • Instruction Fuzzy Hash: 5C119E71849384AFE7128B15DC44B62BFA4EF57264F0C80DAED849B263C265A808DB72
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • CopyFileW.KERNELBASE(?,?,?), ref: 00E6AE6A
                    Memory Dump Source
                    • Source File: 00000002.00000002.459772741.0000000000E6A000.00000040.00000001.sdmp, Offset: 00E6A000, based on PE: false
                    Similarity
                    • API ID: CopyFile
                    • String ID:
                    • API String ID: 1304948518-0
                    • Opcode ID: 9ba187137a0edcc092df2db0f46fc847485bc03ba2d9c35b6ecbc5e0936caff4
                    • Instruction ID: 5542c462f7006295dc857e70eba1cc1ac1625bd9c97d60116e7367115910c81e
                    • Opcode Fuzzy Hash: 9ba187137a0edcc092df2db0f46fc847485bc03ba2d9c35b6ecbc5e0936caff4
                    • Instruction Fuzzy Hash: 1F117CB1A402009FEB20DF29E884756FBD8EB54360F18946ADD09EB242D675E844CE62
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 02B314CE
                    Memory Dump Source
                    • Source File: 00000002.00000002.460760461.0000000002B30000.00000040.00000001.sdmp, Offset: 02B30000, based on PE: false
                    Similarity
                    • API ID: LookupPrivilegeValue
                    • String ID:
                    • API String ID: 3899507212-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • GetFileType.KERNELBASE(?,00000E2C,D24E1938,00000000,00000000,00000000,00000000), ref: 00E6B055
                    Memory Dump Source
                    • Source File: 00000002.00000002.459772741.0000000000E6A000.00000040.00000001.sdmp, Offset: 00E6A000, based on PE: false
                    Similarity
                    • API ID: FileType
                    • String ID:
                    • API String ID: 3081899298-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • WSAConnect.WS2_32(?,?,?,?,?,?,?), ref: 02B3140A
                    Memory Dump Source
                    • Source File: 00000002.00000002.460760461.0000000002B30000.00000040.00000001.sdmp, Offset: 02B30000, based on PE: false
                    Similarity
                    • API ID: Connect
                    • String ID:
                    • API String ID: 3144859779-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • K32EnumProcesses.KERNEL32(?,?,?,D24E1938,00000000,?,?,?,?,?,?,?,?,72F43C38), ref: 02B31B36
                    Memory Dump Source
                    • Source File: 00000002.00000002.460760461.0000000002B30000.00000040.00000001.sdmp, Offset: 02B30000, based on PE: false
                    Similarity
                    • API ID: EnumProcesses
                    • String ID:
                    • API String ID: 84517404-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • EnumWindows.USER32(?,00000E2C,?,?), ref: 00E6A1C2
                    Memory Dump Source
                    • Source File: 00000002.00000002.459772741.0000000000E6A000.00000040.00000001.sdmp, Offset: 00E6A000, based on PE: false
                    Similarity
                    • API ID: EnumWindows
                    • String ID:
                    • API String ID: 1129996299-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • FormatMessageW.KERNELBASE(?,00000E2C,?,?), ref: 02B31F9E
                    Memory Dump Source
                    • Source File: 00000002.00000002.460760461.0000000002B30000.00000040.00000001.sdmp, Offset: 02B30000, based on PE: false
                    Similarity
                    • API ID: FormatMessage
                    • String ID:
                    • API String ID: 1306739567-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00E6B36E
                    Memory Dump Source
                    • Source File: 00000002.00000002.459772741.0000000000E6A000.00000040.00000001.sdmp, Offset: 00E6A000, based on PE: false
                    Similarity
                    • API ID: DuplicateHandle
                    • String ID:
                    • API String ID: 3793708945-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • FindCloseChangeNotification.KERNELBASE(?), ref: 00E6A780
                    Memory Dump Source
                    • Source File: 00000002.00000002.459772741.0000000000E6A000.00000040.00000001.sdmp, Offset: 00E6A000, based on PE: false
                    Similarity
                    • API ID: ChangeCloseFindNotification
                    • String ID:
                    • API String ID: 2591292051-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • RegQueryValueExW.KERNELBASE(?,00000E2C,?,?), ref: 02B3044E
                    Memory Dump Source
                    • Source File: 00000002.00000002.460760461.0000000002B30000.00000040.00000001.sdmp, Offset: 02B30000, based on PE: false
                    Similarity
                    • API ID: QueryValue
                    • String ID:
                    • API String ID: 3660427363-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • GetComputerNameW.KERNEL32(?,00000E2C,?,?), ref: 02B308A2
                    Memory Dump Source
                    • Source File: 00000002.00000002.460760461.0000000002B30000.00000040.00000001.sdmp, Offset: 02B30000, based on PE: false
                    Similarity
                    • API ID: ComputerName
                    • String ID:
                    • API String ID: 3545744682-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • FindCloseChangeNotification.KERNELBASE(?), ref: 02B31708
                    Memory Dump Source
                    • Source File: 00000002.00000002.460760461.0000000002B30000.00000040.00000001.sdmp, Offset: 02B30000, based on PE: false
                    Similarity
                    • API ID: ChangeCloseFindNotification
                    • String ID:
                    • API String ID: 2591292051-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000002.00000002.459772741.0000000000E6A000.00000040.00000001.sdmp, Offset: 00E6A000, based on PE: false
                    Similarity
                    • API ID: closesocket
                    • String ID:
                    • API String ID: 2781271927-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • SetErrorMode.KERNELBASE(?), ref: 00E6A330
                    Memory Dump Source
                    • Source File: 00000002.00000002.459772741.0000000000E6A000.00000040.00000001.sdmp, Offset: 00E6A000, based on PE: false
                    Similarity
                    • API ID: ErrorMode
                    • String ID:
                    • API String ID: 2340568224-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000002.00000002.460791108.0000000002B60000.00000040.00000040.sdmp, Offset: 02B60000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000002.00000002.460791108.0000000002B60000.00000040.00000040.sdmp, Offset: 02B60000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000002.00000002.460791108.0000000002B60000.00000040.00000040.sdmp, Offset: 02B60000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000002.00000002.460791108.0000000002B60000.00000040.00000040.sdmp, Offset: 02B60000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000002.00000002.460791108.0000000002B60000.00000040.00000040.sdmp, Offset: 02B60000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000002.00000002.459747196.0000000000E62000.00000040.00000001.sdmp, Offset: 00E62000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000002.00000002.459747196.0000000000E62000.00000040.00000001.sdmp, Offset: 00E62000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Non-executed Functions

                    Executed Functions

                    APIs
                    • CreateMutexW.KERNELBASE(?,?), ref: 0158A6B9
                    Memory Dump Source
                    • Source File: 00000007.00000002.260986140.000000000158A000.00000040.00000001.sdmp, Offset: 0158A000, based on PE: false
                    Similarity
                    • API ID: CreateMutex
                    • String ID:
                    • API String ID: 1964310414-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • RegQueryValueExW.KERNELBASE(?,00000E2C,A7579540,00000000,00000000,00000000,00000000), ref: 0158A40C
                    Memory Dump Source
                    • Source File: 00000007.00000002.260986140.000000000158A000.00000040.00000001.sdmp, Offset: 0158A000, based on PE: false
                    Similarity
                    • API ID: QueryValue
                    • String ID:
                    • API String ID: 3660427363-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • RegSetValueExW.KERNELBASE(?,00000E2C,A7579540,00000000,00000000,00000000,00000000), ref: 0158A4F8
                    Memory Dump Source
                    • Source File: 00000007.00000002.260986140.000000000158A000.00000040.00000001.sdmp, Offset: 0158A000, based on PE: false
                    Similarity
                    • API ID: Value
                    • String ID:
                    • API String ID: 3702945584-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • CreateMutexW.KERNELBASE(?,?), ref: 0158A6B9
                    Memory Dump Source
                    • Source File: 00000007.00000002.260986140.000000000158A000.00000040.00000001.sdmp, Offset: 0158A000, based on PE: false
                    Similarity
                    • API ID: CreateMutex
                    • String ID:
                    • API String ID: 1964310414-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • RegQueryValueExW.KERNELBASE(?,00000E2C,A7579540,00000000,00000000,00000000,00000000), ref: 0158A40C
                    Memory Dump Source
                    • Source File: 00000007.00000002.260986140.000000000158A000.00000040.00000001.sdmp, Offset: 0158A000, based on PE: false
                    Similarity
                    • API ID: QueryValue
                    • String ID:
                    • API String ID: 3660427363-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • RegSetValueExW.KERNELBASE(?,00000E2C,A7579540,00000000,00000000,00000000,00000000), ref: 0158A4F8
                    Memory Dump Source
                    • Source File: 00000007.00000002.260986140.000000000158A000.00000040.00000001.sdmp, Offset: 0158A000, based on PE: false
                    Similarity
                    • API ID: Value
                    • String ID:
                    • API String ID: 3702945584-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000007.00000002.261052552.0000000001880000.00000040.00000001.sdmp, Offset: 01880000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000007.00000002.261052552.0000000001880000.00000040.00000001.sdmp, Offset: 01880000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000007.00000002.261052552.0000000001880000.00000040.00000001.sdmp, Offset: 01880000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000007.00000002.261052552.0000000001880000.00000040.00000001.sdmp, Offset: 01880000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000007.00000002.261097774.0000000003170000.00000040.00000040.sdmp, Offset: 03170000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000007.00000002.261052552.0000000001880000.00000040.00000001.sdmp, Offset: 01880000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000007.00000002.261097774.0000000003170000.00000040.00000040.sdmp, Offset: 03170000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000007.00000002.260983015.0000000001582000.00000040.00000001.sdmp, Offset: 01582000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000007.00000002.260983015.0000000001582000.00000040.00000001.sdmp, Offset: 01582000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Non-executed Functions

                    Executed Functions

                    Strings
                    Memory Dump Source
                    • Source File: 0000000A.00000002.279819459.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID: \ip^$-\ip^
                    • API String ID: 0-4195322624
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Strings
                    Memory Dump Source
                    • Source File: 0000000A.00000002.279819459.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID: \ip^$-\ip^
                    • API String ID: 0-4195322624
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Strings
                    Memory Dump Source
                    • Source File: 0000000A.00000002.279819459.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID: \ip^$-\ip^
                    • API String ID: 0-4195322624
                    • Opcode ID: ef210f23aa934564507ba9da351a0575dc3d3a3f28520edfce6a39fd447e4f76
                    • Instruction ID: 82acaa7321565fa1198f1de7f28795b729794d8acf89fb0bc63929f4eb6dff1c
                    • Opcode Fuzzy Hash: ef210f23aa934564507ba9da351a0575dc3d3a3f28520edfce6a39fd447e4f76
                    • Instruction Fuzzy Hash: 72A1AD34B00204CFDB69EB78D460A6D3BA3FBD8344B14486AD8129B3A9DF319C42CB95
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • CreateMutexW.KERNELBASE(?,?), ref: 0289A6B9
                    Memory Dump Source
                    • Source File: 0000000A.00000002.279726489.000000000289A000.00000040.00000001.sdmp, Offset: 0289A000, based on PE: false
                    Similarity
                    • API ID: CreateMutex
                    • String ID:
                    • API String ID: 1964310414-0
                    • Opcode ID: 371acd34c9dfdaa987725014af9534072f43a0525159998d1e3448a46c5f4806
                    • Instruction ID: b9e18c49a8a1e973b15521f609fbb6cabaa7905f43f5dc1892a8c985e2158ed4
                    • Opcode Fuzzy Hash: 371acd34c9dfdaa987725014af9534072f43a0525159998d1e3448a46c5f4806
                    • Instruction Fuzzy Hash: 11318FB5509784AFE712CB25CC85F56FFF8EF46210F08849AE984CB293D365E909CB61
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • RegQueryValueExW.KERNELBASE(?,00000E2C,AAB3091F,00000000,00000000,00000000,00000000), ref: 0289A40C
                    Memory Dump Source
                    • Source File: 0000000A.00000002.279726489.000000000289A000.00000040.00000001.sdmp, Offset: 0289A000, based on PE: false
                    Similarity
                    • API ID: QueryValue
                    • String ID:
                    • API String ID: 3660427363-0
                    • Opcode ID: 8429d2003c66179cd135b5ab0a1c637a73be5b173fb55bf2f39c31fb88be5a22
                    • Instruction ID: 6d0ba6a86f1e6e67542ebb7744dea55d6b0aa3106be56e5cfadfef2deba7c947
                    • Opcode Fuzzy Hash: 8429d2003c66179cd135b5ab0a1c637a73be5b173fb55bf2f39c31fb88be5a22
                    • Instruction Fuzzy Hash: B4318075104744AFE721CF25CC84F52BFF8EF06710F08859AE985DB252D324E909CB61
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • RegSetValueExW.KERNELBASE(?,00000E2C,AAB3091F,00000000,00000000,00000000,00000000), ref: 0289A4F8
                    Memory Dump Source
                    • Source File: 0000000A.00000002.279726489.000000000289A000.00000040.00000001.sdmp, Offset: 0289A000, based on PE: false
                    Similarity
                    • API ID: Value
                    • String ID:
                    • API String ID: 3702945584-0
                    • Opcode ID: 6ef539bfd69114b8cb8c9e8b5152469ef4c7ddceb4dfd7514036fab4e910289e
                    • Instruction ID: eda3524783e00b37afa25321b0a1463e18da247f5be99016648778d93806551d
                    • Opcode Fuzzy Hash: 6ef539bfd69114b8cb8c9e8b5152469ef4c7ddceb4dfd7514036fab4e910289e
                    • Instruction Fuzzy Hash: BD218E76104384AFEB228B65DC44F67BFB8EF46310F08859AED89DB252C364E848C771
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • CreateMutexW.KERNELBASE(?,?), ref: 0289A6B9
                    Memory Dump Source
                    • Source File: 0000000A.00000002.279726489.000000000289A000.00000040.00000001.sdmp, Offset: 0289A000, based on PE: false
                    Similarity
                    • API ID: CreateMutex
                    • String ID:
                    • API String ID: 1964310414-0
                    • Opcode ID: 77c860d1d1e2ea4ea6a64ecd7556064aea9d38fd57428cf8b7e615561198f0a3
                    • Instruction ID: 6643280c68b5fb93527f384334919af1cd39fc3dfc8fe2d69e912ccff2f81970
                    • Opcode Fuzzy Hash: 77c860d1d1e2ea4ea6a64ecd7556064aea9d38fd57428cf8b7e615561198f0a3
                    • Instruction Fuzzy Hash: A421BE79600204AFEB25DF25CC85B66FBE8EF44210F18846AEE89CB242D771E805CA71
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • RegQueryValueExW.KERNELBASE(?,00000E2C,AAB3091F,00000000,00000000,00000000,00000000), ref: 0289A40C
                    Memory Dump Source
                    • Source File: 0000000A.00000002.279726489.000000000289A000.00000040.00000001.sdmp, Offset: 0289A000, based on PE: false
                    Similarity
                    • API ID: QueryValue
                    • String ID:
                    • API String ID: 3660427363-0
                    • Opcode ID: 85f2a7d53b6a06e0adfe0299645743f115dcb1bca760a018b1acaa0d0c8d4a86
                    • Instruction ID: 329e9d09b829f1ae8f9261b4b942f482668b0d98ddce52bbee1bf04d48f12478
                    • Opcode Fuzzy Hash: 85f2a7d53b6a06e0adfe0299645743f115dcb1bca760a018b1acaa0d0c8d4a86
                    • Instruction Fuzzy Hash: 68214A79600604AFEB20CF15CC84F66BBE8EF05710F18856AEE4ADB251D764E909DA71
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • RegSetValueExW.KERNELBASE(?,00000E2C,AAB3091F,00000000,00000000,00000000,00000000), ref: 0289A4F8
                    Memory Dump Source
                    • Source File: 0000000A.00000002.279726489.000000000289A000.00000040.00000001.sdmp, Offset: 0289A000, based on PE: false
                    Similarity
                    • API ID: Value
                    • String ID:
                    • API String ID: 3702945584-0
                    • Opcode ID: dca20cc01aa3fc2234003bdcd970f6bebd5a143f34e16a2c1c91fe9254fdf253
                    • Instruction ID: 81bd7b945914710027848f69be671d210b8917b38e6febcf52dccb9bb5885a70
                    • Opcode Fuzzy Hash: dca20cc01aa3fc2234003bdcd970f6bebd5a143f34e16a2c1c91fe9254fdf253
                    • Instruction Fuzzy Hash: 1E11D07A600604AFEB208F15CC85F67FBECEF05710F08855AEE49DB652D760E408CA72
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 0000000A.00000002.279819459.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 11ac76aa24edd986ab560454d97cc3af75004f61ea490850536002ec33403d28
                    • Instruction ID: d241d89e515ff9d3e91ee8f2bc9f838c6f19fa830693778c44293b2860e55fa1
                    • Opcode Fuzzy Hash: 11ac76aa24edd986ab560454d97cc3af75004f61ea490850536002ec33403d28
                    • Instruction Fuzzy Hash: 785182306093C9CFC756EB38D8708857FB1FFA220470589AAC0948B27FDB78594ACB55
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 0000000A.00000002.279769854.00000000029F0000.00000040.00000040.sdmp, Offset: 029F0000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: e4840fd6409b8e038ee7cb16a5f574d886cf3d77502209a9647809efa3e32f79
                    • Instruction ID: ec044381a5eef0a782c993c18eda31e2f10787dd54727d18f82c7e62599fc41c
                    • Opcode Fuzzy Hash: e4840fd6409b8e038ee7cb16a5f574d886cf3d77502209a9647809efa3e32f79
                    • Instruction Fuzzy Hash: 5401A2B25097846FD7128B16AC50862FFBCDE86220708809FED498B612D169A908CB72
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 0000000A.00000002.279769854.00000000029F0000.00000040.00000040.sdmp, Offset: 029F0000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: cda0f734b981eb6efa124c1ecbeffe89cc1491569bf023ad90e8e244d5c3238b
                    • Instruction ID: 01b5d646fe375c0e6aea4f9e0899b3b7e4111754d902c5661e60d3c8589d77ac
                    • Opcode Fuzzy Hash: cda0f734b981eb6efa124c1ecbeffe89cc1491569bf023ad90e8e244d5c3238b
                    • Instruction Fuzzy Hash: 12E092766006048BD650CF0BEC41452F7D8EB88630B18C17FDD0D8B711E135B504CEA5
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Non-executed Functions

                    Executed Functions

                    APIs
                    • CreateMutexW.KERNELBASE(?,?), ref: 00EEA6B9
                    Memory Dump Source
                    • Source File: 0000000F.00000002.297178293.0000000000EEA000.00000040.00000001.sdmp, Offset: 00EEA000, based on PE: false
                    Similarity
                    • API ID: CreateMutex
                    • String ID:
                    • API String ID: 1964310414-0
                    • Opcode ID: d057dcfd85c6037e4454cd1c15ce3d0a93d614a9624f66122faba327233a9b56
                    • Instruction ID: f46c21d2ff135a01b1d64c73b5d79750b2ddabb84a187ee013a0c8cf3f762004
                    • Opcode Fuzzy Hash: d057dcfd85c6037e4454cd1c15ce3d0a93d614a9624f66122faba327233a9b56
                    • Instruction Fuzzy Hash: C731A1B15097846FE712CB25CC84F56FFF8EF06310F0884AEE984DB292D364A909C762
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • RegQueryValueExW.KERNELBASE(?,00000E2C,C2143C60,00000000,00000000,00000000,00000000), ref: 00EEA40C
                    Memory Dump Source
                    • Source File: 0000000F.00000002.297178293.0000000000EEA000.00000040.00000001.sdmp, Offset: 00EEA000, based on PE: false
                    Similarity
                    • API ID: QueryValue
                    • String ID:
                    • API String ID: 3660427363-0
                    • Opcode ID: b1e2c8e08c6081e0cbd831a50042d0a8175233b33f62976a45e3e7f99447efed
                    • Instruction ID: d84eaa2b941f50ce7005b4a7e279323f63cf59eff68a233d8554ff974e14288d
                    • Opcode Fuzzy Hash: b1e2c8e08c6081e0cbd831a50042d0a8175233b33f62976a45e3e7f99447efed
                    • Instruction Fuzzy Hash: A5318271104784AFE721CF15CC84F56BFB8EF06310F08849AE9859B292D364E949CB62
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • RegSetValueExW.KERNELBASE(?,00000E2C,C2143C60,00000000,00000000,00000000,00000000), ref: 00EEA4F8
                    Memory Dump Source
                    • Source File: 0000000F.00000002.297178293.0000000000EEA000.00000040.00000001.sdmp, Offset: 00EEA000, based on PE: false
                    Similarity
                    • API ID: Value
                    • String ID:
                    • API String ID: 3702945584-0
                    • Opcode ID: 7661b4fe8d0c2ba446dd9f90c15290cb5f793ac34b385409abc49d7caf46ea02
                    • Instruction ID: 5925a86999ea8fff7393ac9c8154cdacc754e0943f11714672ac258138d2d3c3
                    • Opcode Fuzzy Hash: 7661b4fe8d0c2ba446dd9f90c15290cb5f793ac34b385409abc49d7caf46ea02
                    • Instruction Fuzzy Hash: DE219272104384AFE7228F55DC44F67BFB8EF46310F18849BE985DB252C264E848C771
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • CreateMutexW.KERNELBASE(?,?), ref: 00EEA6B9
                    Memory Dump Source
                    • Source File: 0000000F.00000002.297178293.0000000000EEA000.00000040.00000001.sdmp, Offset: 00EEA000, based on PE: false
                    Similarity
                    • API ID: CreateMutex
                    • String ID:
                    • API String ID: 1964310414-0
                    • Opcode ID: 540f3c2af288cf6a4220fba6d3c19180a79ad483cc779835399b7d377e7aaefc
                    • Instruction ID: 9a3063bd46321887ed0f972659adbf837a12438af3dbd205da2818137f742c25
                    • Opcode Fuzzy Hash: 540f3c2af288cf6a4220fba6d3c19180a79ad483cc779835399b7d377e7aaefc
                    • Instruction Fuzzy Hash: C221ACB1500244AFE720DF26C985BA6FBE8EF05310F18846EED489B241D770E805CB62
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • FindCloseChangeNotification.KERNELBASE(?), ref: 00EEA780
                    Memory Dump Source
                    • Source File: 0000000F.00000002.297178293.0000000000EEA000.00000040.00000001.sdmp, Offset: 00EEA000, based on PE: false
                    Similarity
                    • API ID: ChangeCloseFindNotification
                    • String ID:
                    • API String ID: 2591292051-0
                    • Opcode ID: e85098a5a145c2ce58ab760865359d297721edcd84164c41b0967a7d098b8237
                    • Instruction ID: 066184b0ee0b2f4f2f59914297d9dc2e59fec690e1a7564a5b1d1a5450c71198
                    • Opcode Fuzzy Hash: e85098a5a145c2ce58ab760865359d297721edcd84164c41b0967a7d098b8237
                    • Instruction Fuzzy Hash: 3021B3B54097C49FD7128B25DC85751BFB8EF02324F0981EBD9849F1A3D2746909CB62
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • RegQueryValueExW.KERNELBASE(?,00000E2C,C2143C60,00000000,00000000,00000000,00000000), ref: 00EEA40C
                    Memory Dump Source
                    • Source File: 0000000F.00000002.297178293.0000000000EEA000.00000040.00000001.sdmp, Offset: 00EEA000, based on PE: false
                    Similarity
                    • API ID: QueryValue
                    • String ID:
                    • API String ID: 3660427363-0
                    • Opcode ID: a65a27173817198c697586b0ea1b8d49cbb71a47d011834bedb5f587caa3cf54
                    • Instruction ID: efb31a3b57e1731381a990058daf9dd7c15965da2d8d8611c209b96d8408dbe8
                    • Opcode Fuzzy Hash: a65a27173817198c697586b0ea1b8d49cbb71a47d011834bedb5f587caa3cf54
                    • Instruction Fuzzy Hash: B7218171500648AEE720CF16CC84F67FBECEF14710F18946AE9459B251D6A0F809CB72
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • RegSetValueExW.KERNELBASE(?,00000E2C,C2143C60,00000000,00000000,00000000,00000000), ref: 00EEA4F8
                    Memory Dump Source
                    • Source File: 0000000F.00000002.297178293.0000000000EEA000.00000040.00000001.sdmp, Offset: 00EEA000, based on PE: false
                    Similarity
                    • API ID: Value
                    • String ID:
                    • API String ID: 3702945584-0
                    • Opcode ID: 7f9c367713adb9fe46a1202702deac3400596eff7f6213aac83070dd7139859c
                    • Instruction ID: 2f9e73af572df3db5e1bb60d7a57392aae6416183a073b72932157d001194a5c
                    • Opcode Fuzzy Hash: 7f9c367713adb9fe46a1202702deac3400596eff7f6213aac83070dd7139859c
                    • Instruction Fuzzy Hash: 40119375500648AFEB208F16DC85F67FBECEF04710F18946EED49AB241D6A0F848CA72
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • FindCloseChangeNotification.KERNELBASE(?), ref: 00EEA780
                    Memory Dump Source
                    • Source File: 0000000F.00000002.297178293.0000000000EEA000.00000040.00000001.sdmp, Offset: 00EEA000, based on PE: false
                    Similarity
                    • API ID: ChangeCloseFindNotification
                    • String ID:
                    • API String ID: 2591292051-0
                    • Opcode ID: 4b197a5a62a7dd9478dc8bf683e3830ac40861f1b74beabe477540d51f36bf34
                    • Instruction ID: 717037e29258753518886e73196c5e4591e3c47289685d048c22c9c142f58871
                    • Opcode Fuzzy Hash: 4b197a5a62a7dd9478dc8bf683e3830ac40861f1b74beabe477540d51f36bf34
                    • Instruction Fuzzy Hash: 3A01DF755002889FEB10CF2AD9847A6FFA4DF04320F18C4BBDD499B202D674A808CBA2
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Strings
                    Memory Dump Source
                    • Source File: 0000000F.00000002.297302716.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID: 8a
                    • API String ID: 0-2698673895
                    • Opcode ID: a319a26b2a8168dfdae4d86e6280c80190659e78d61b46bd0ba3287d7c24cdb5
                    • Instruction ID: 4447e6b0af63a67b70c22e4d19f43120eaae5ca8adee37c23bc38d4bfa7bf22b
                    • Opcode Fuzzy Hash: a319a26b2a8168dfdae4d86e6280c80190659e78d61b46bd0ba3287d7c24cdb5
                    • Instruction Fuzzy Hash: 0FB19C31700205DFDB099F7EE498ABE3BA7EBC8344B154469D5029B3A4DF799C42CB91
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Strings
                    Memory Dump Source
                    • Source File: 0000000F.00000002.297302716.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID: 8a
                    • API String ID: 0-2698673895
                    • Opcode ID: f096703e21a0de638be9cb668b880770d17f35bd01d586594073a73339b63645
                    • Instruction ID: 30c31899c93612609ffc310b1c993984960474144250ada7b35e89307de85ad4
                    • Opcode Fuzzy Hash: f096703e21a0de638be9cb668b880770d17f35bd01d586594073a73339b63645
                    • Instruction Fuzzy Hash: 63B18B31700205DFDB19DF7EE498ABE3BA6EBC8340B154469D502AB3A4DF799C42CB91
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Strings
                    Memory Dump Source
                    • Source File: 0000000F.00000002.297302716.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID: 8a
                    • API String ID: 0-2698673895
                    • Opcode ID: dad750856213f58ffe420cb7083965f4b6efb43965367b9ac1c3b249bc105a4b
                    • Instruction ID: eb72b05830fdf910424d1df748dcf9f628c9bdf9782c0d3dcf04dd11e442d687
                    • Opcode Fuzzy Hash: dad750856213f58ffe420cb7083965f4b6efb43965367b9ac1c3b249bc105a4b
                    • Instruction Fuzzy Hash: DDA16A31700205DFDB09DF7EE498ABD3BA6EBC8344B154469E502AB3A4DF799C42CB91
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 0000000F.00000002.297302716.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: b89ebfeb1ca6386733cf6537954c4d8a639abf9af8febedd60a5fe23f5299919
                    • Instruction ID: a8dd853f3f3633d3aae44521a6843330ff69a82af98e56936d02cff9a4b311ac
                    • Opcode Fuzzy Hash: b89ebfeb1ca6386733cf6537954c4d8a639abf9af8febedd60a5fe23f5299919
                    • Instruction Fuzzy Hash: 2041713030424ADFD704DF7EF8588693FA6FB90304B508969D5448B369EFB85D4ACB91
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 0000000F.00000002.297302716.00000000011B0000.00000040.00000001.sdmp, Offset: 011B0000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 4ca0e00ac3f001e4d63194bb860d16633f6804112085fe1bf9f5dbd3732dd246
                    • Instruction ID: f52e5a385bd5da8b26ec8858438271b675562e1c28de835c23d52b94c5ffa591
                    • Opcode Fuzzy Hash: 4ca0e00ac3f001e4d63194bb860d16633f6804112085fe1bf9f5dbd3732dd246
                    • Instruction Fuzzy Hash: 3A01286645E3C19FC3038BB88C659903FB4AE2362431E09DBC480CF1A3D66E6919DB32
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 0000000F.00000002.297400970.0000000002D80000.00000040.00000040.sdmp, Offset: 02D80000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 13ea49653fe4ae01dfc6678a9406d7e4c804dd03924b857f77516fde9ffe4142
                    • Instruction ID: 3c828ff6c773e4724ccb42d7b02f5b465dbc7242858ccf6769419b0d0166fcb5
                    • Opcode Fuzzy Hash: 13ea49653fe4ae01dfc6678a9406d7e4c804dd03924b857f77516fde9ffe4142
                    • Instruction Fuzzy Hash: 5001DB7550D7945FD7128B16AC40862FFA8DB86630708C4AFED498B612D125B949CB72
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 0000000F.00000002.297400970.0000000002D80000.00000040.00000040.sdmp, Offset: 02D80000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 8b51ba9f88fe4f849a35b686eff439ecde6a2bd67f3718c958e64048b60cadda
                    • Instruction ID: 6e5248e4da7a8a2646e848ee97d9bcadeaa5daeb1722246d53c0ab5fbfa69306
                    • Opcode Fuzzy Hash: 8b51ba9f88fe4f849a35b686eff439ecde6a2bd67f3718c958e64048b60cadda
                    • Instruction Fuzzy Hash: 0AE09276644A048BD650CF0BEC81452F7D8EB88630B18C47FDC0D8B700E535B504CFA5
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 0000000F.00000002.297172500.0000000000EE2000.00000040.00000001.sdmp, Offset: 00EE2000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 72289ea5c47ef69ecf1664e86b8495dfd9e441c093e4afcf6ca18a125d7de1f0
                    • Instruction ID: 2f7a9c06a0320623c7168a7c5c1ab61782315e3a8bd6c3c66af5249a6a9018ba
                    • Opcode Fuzzy Hash: 72289ea5c47ef69ecf1664e86b8495dfd9e441c093e4afcf6ca18a125d7de1f0
                    • Instruction Fuzzy Hash: 04D05E79215AC18FD3268F1CC1A8B953BD8AB51B08F4644FDE8008B6A3C368D981E200
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 0000000F.00000002.297172500.0000000000EE2000.00000040.00000001.sdmp, Offset: 00EE2000, based on PE: false
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: c0a91e25de159a1e0332e9c8e28f1ed44deb9960f6cec5010ea72a0032038782
                    • Instruction ID: 07e2388c9cd7854b2e4a32552c3e9f0cb5b3a2c5ae155ed03e3dc296b4ff1757
                    • Opcode Fuzzy Hash: c0a91e25de159a1e0332e9c8e28f1ed44deb9960f6cec5010ea72a0032038782
                    • Instruction Fuzzy Hash: 50D05E342002868BC715DF0DC594F5937D8AB41B04F1654ECAD008B662C3A8DC81CA00
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Non-executed Functions