Play interactive tour

Edit tour

Analysis Report OFFER.exe

Overview

General Information

Sample Name:	OFFER.exe
Analysis ID:	322137
MD5:	f0a3b70a92ece3204289b3e1e25c9942
SHA1:	5af0534294c9f5fd1ada722919ec8583f88f2ac9
SHA256:	0a09ec08c850081ffb281f5716859d62093a5f772266503cb67d5e49a4ecd4f4
Tags:	NanoCore
Most interesting Screenshot:

Detection

NanoCore

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: NanoCore

Sigma detected: Scheduled temp file as task from temp location

Yara detected AntiVM_3

Yara detected Nanocore RAT

.NET source code contains potential unpacker

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses dynamic DNS services

Uses schtasks.exe or at.exe to add and modify task schedules

Contains capabilities to detect virtual machines

Contains functionality to call native functions

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

May sleep (evasive loops) to hinder dynamic analysis

PE file contains strange resources

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Startup

System is w10x64

OFFER.exe (PID: 6088 cmdline: 'C:\Users\user\Desktop\OFFER.exe' MD5: F0A3B70A92ECE3204289B3E1E25C9942)

schtasks.exe (PID: 5436 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\RplepwTnfZYE' /XML 'C:\Users\user\AppData\Local\Temp\tmpB5D6.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 4084 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

OFFER.exe (PID: 5056 cmdline: C:\Users\user\Desktop\OFFER.exe MD5: F0A3B70A92ECE3204289B3E1E25C9942)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.210666466.0000000002EA1000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000000.00000002.211065928.0000000003EA1000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1116cd:$x1: NanoCore.ClientPluginHost 0x143eed:$x1: NanoCore.ClientPluginHost 0x11170a:$x2: IClientNetworkHost 0x143f2a:$x2: IClientNetworkHost 0x11523d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x147a5d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.211065928.0000000003EA1000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.211065928.0000000003EA1000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x111435:$a: NanoCore 0x111445:$a: NanoCore 0x111679:$a: NanoCore 0x11168d:$a: NanoCore 0x1116cd:$a: NanoCore 0x143c55:$a: NanoCore 0x143c65:$a: NanoCore 0x143e99:$a: NanoCore 0x143ead:$a: NanoCore 0x143eed:$a: NanoCore 0x111494:$b: ClientPlugin 0x111696:$b: ClientPlugin 0x1116d6:$b: ClientPlugin 0x143cb4:$b: ClientPlugin 0x143eb6:$b: ClientPlugin 0x143ef6:$b: ClientPlugin 0x1115bb:$c: ProjectData 0x143ddb:$c: ProjectData 0x111fc2:$d: DESCrypto 0x1447e2:$d: DESCrypto 0x11998e:$e: KeepAlive
00000000.00000002.210800137.0000000002F20000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: OFFER.exe PID: 6088	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 1 entries

Sigma Overview

System Summary:

Sigma detected: NanoCore

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\OFFER.exe, ProcessId: 5056, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Sigma detected: Scheduled temp file as task from temp location

Show sources

Source: Process started

Author: Joe Security: Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\RplepwTnfZYE' /XML 'C:\Users\user\AppData\Local\Temp\tmpB5D6.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\RplepwTnfZYE' /XML 'C:\Users\user\AppData\Local\Temp\tmpB5D6.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\OFFER.exe' , ParentImage: C:\Users\user\Desktop\OFFER.exe, ParentProcessId: 6088, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\RplepwTnfZYE' /XML 'C:\Users\user\AppData\Local\Temp\tmpB5D6.tmp', ProcessId: 5436

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus / Scanner detection for submitted sample

Show sources

Source: OFFER.exe

Avira: detected

Antivirus detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\RplepwTnfZYE.exe

Avira: detection malicious, Label: TR/AD.Nanocore.gzsda

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\RplepwTnfZYE.exe	Virustotal: Detection: 57%	Perma Link
Source: C:\Users\user\AppData\Roaming\RplepwTnfZYE.exe	Metadefender: Detection: 37%	Perma Link
Source: C:\Users\user\AppData\Roaming\RplepwTnfZYE.exe	ReversingLabs: Detection: 68%

Multi AV Scanner detection for submitted file

Show sources

Source: OFFER.exe	Virustotal: Detection: 57%	Perma Link
Source: OFFER.exe	Metadefender: Detection: 37%	Perma Link
Source: OFFER.exe	ReversingLabs: Detection: 68%

Yara detected Nanocore RAT

Show sources

Source: Yara match

File source: 00000000.00000002.211065928.0000000003EA1000.00000004.00000001.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\OFFER.exe

Code function: 4x nop then jmp 055428F7h

0_2_055427EA

Networking:

Uses dynamic DNS services

Show sources

Source: unknown

DNS query: name: udochukwu.ddns.net

Source: global traffic

TCP traffic: 192.168.2.3:49711 -> 37.18.96.19:2323

Source: unknown

DNS traffic detected: queries for: udochukwu.ddns.net

E-Banking Fraud:

Yara detected Nanocore RAT

Show sources

Source: Yara match

File source: 00000000.00000002.211065928.0000000003EA1000.00000004.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000000.00000002.211065928.0000000003EA1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.211065928.0000000003EA1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>

Source: C:\Users\user\Desktop\OFFER.exe	Code function: 0_2_05531016 NtQuerySystemInformation,		0_2_05531016
Source: C:\Users\user\Desktop\OFFER.exe	Code function: 0_2_05530FE5 NtQuerySystemInformation,		0_2_05530FE5

Source: C:\Users\user\Desktop\OFFER.exe	Code function: 0_2_00723AED	0_2_00723AED
Source: C:\Users\user\Desktop\OFFER.exe	Code function: 0_2_02A209C8	0_2_02A209C8
Source: C:\Users\user\Desktop\OFFER.exe	Code function: 0_2_02A21D2E	0_2_02A21D2E
Source: C:\Users\user\Desktop\OFFER.exe	Code function: 0_2_02A209CD	0_2_02A209CD
Source: C:\Users\user\Desktop\OFFER.exe	Code function: 0_2_02A231D8	0_2_02A231D8
Source: C:\Users\user\Desktop\OFFER.exe	Code function: 0_2_02A28EA8	0_2_02A28EA8
Source: C:\Users\user\Desktop\OFFER.exe	Code function: 0_2_02A28FB2	0_2_02A28FB2
Source: C:\Users\user\Desktop\OFFER.exe	Code function: 0_2_02A22F88	0_2_02A22F88
Source: C:\Users\user\Desktop\OFFER.exe	Code function: 0_2_02A22F77	0_2_02A22F77
Source: C:\Users\user\Desktop\OFFER.exe	Code function: 0_2_02A23C32	0_2_02A23C32
Source: C:\Users\user\Desktop\OFFER.exe	Code function: 0_2_02A2E598	0_2_02A2E598
Source: C:\Users\user\Desktop\OFFER.exe	Code function: 0_2_00722050	0_2_00722050

Source: OFFER.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: RplepwTnfZYE.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: OFFER.exe, 00000000.00000000.202703558.00000000007B4000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamemQWh.exe8 vs OFFER.exe
Source: OFFER.exe, 00000000.00000002.212114802.0000000004FF0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs OFFER.exe
Source: OFFER.exe, 00000000.00000002.213553763.0000000005BC0000.00000002.00000001.sdmp	Binary or memory string: System.OriginalFileName vs OFFER.exe
Source: OFFER.exe, 00000000.00000002.212759761.0000000005460000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameKedermister.dllT vs OFFER.exe
Source: OFFER.exe, 00000000.00000002.214012672.0000000005CC0000.00000002.00000001.sdmp	Binary or memory string: originalfilename vs OFFER.exe
Source: OFFER.exe, 00000000.00000002.214012672.0000000005CC0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs OFFER.exe
Source: OFFER.exe, 00000000.00000002.212203919.0000000005050000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameexag vs OFFER.exe
Source: OFFER.exe, 00000003.00000000.208615410.0000000001024000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamemQWh.exe8 vs OFFER.exe
Source: OFFER.exe	Binary or memory string: OriginalFilenamemQWh.exe8 vs OFFER.exe

Source: 00000000.00000002.211065928.0000000003EA1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.211065928.0000000003EA1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore

Source: OFFER.exe	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: RplepwTnfZYE.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: OFFER.exe, IdManager.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: RplepwTnfZYE.exe.0.dr, IdManager.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.OFFER.exe.720000.0.unpack, IdManager.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.0.OFFER.exe.720000.0.unpack, IdManager.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 3.0.OFFER.exe.f90000.0.unpack, IdManager.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: classification engine

Classification label: mal100.troj.evad.winEXE@6/5@9/2

Source: C:\Users\user\Desktop\OFFER.exe	Code function: 0_2_05530E9A AdjustTokenPrivileges,		0_2_05530E9A
Source: C:\Users\user\Desktop\OFFER.exe	Code function: 0_2_05530E63 AdjustTokenPrivileges,		0_2_05530E63

Source: C:\Users\user\Desktop\OFFER.exe

File created: C:\Users\user\AppData\Roaming\RplepwTnfZYE.exe

Jump to behavior

Source: C:\Users\user\Desktop\OFFER.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4084:120:WilError_01
Source: C:\Users\user\Desktop\OFFER.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{e9662336-59a2-4ebb-989e-7c602bdb23a8}
Source: C:\Users\user\Desktop\OFFER.exe	Mutant created: \Sessions\1\BaseNamedObjects\qkUPEOxutgScEw

Source: C:\Users\user\Desktop\OFFER.exe

File created: C:\Users\user\AppData\Local\Temp\tmpB5D6.tmp

Jump to behavior

Source: OFFER.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\OFFER.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior

Source: C:\Users\user\Desktop\OFFER.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\OFFER.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: OFFER.exe	Virustotal: Detection: 57%
Source: OFFER.exe	Metadefender: Detection: 37%
Source: OFFER.exe	ReversingLabs: Detection: 68%

Source: C:\Users\user\Desktop\OFFER.exe

File read: C:\Users\user\Desktop\OFFER.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\OFFER.exe 'C:\Users\user\Desktop\OFFER.exe'
Source: unknown	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\RplepwTnfZYE' /XML 'C:\Users\user\AppData\Local\Temp\tmpB5D6.tmp'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\Desktop\OFFER.exe C:\Users\user\Desktop\OFFER.exe
Source: C:\Users\user\Desktop\OFFER.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\RplepwTnfZYE' /XML 'C:\Users\user\AppData\Local\Temp\tmpB5D6.tmp'	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process created: C:\Users\user\Desktop\OFFER.exe C:\Users\user\Desktop\OFFER.exe	Jump to behavior

Source: C:\Users\user\Desktop\OFFER.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\OFFER.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Jump to behavior

Source: OFFER.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: C:\Users\user\Desktop\OFFER.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Jump to behavior

Source: OFFER.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:

Binary string: mscorrc.pdb source: OFFER.exe, 00000000.00000002.212114802.0000000004FF0000.00000002.00000001.sdmp

Data Obfuscation:

.NET source code contains potential unpacker

Show sources

Source: OFFER.exe, IdManager.cs	.Net Code: Remoting_Identity_IDGuid System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: RplepwTnfZYE.exe.0.dr, IdManager.cs	.Net Code: Remoting_Identity_IDGuid System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.OFFER.exe.720000.0.unpack, IdManager.cs	.Net Code: Remoting_Identity_IDGuid System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.OFFER.exe.720000.0.unpack, IdManager.cs	.Net Code: Remoting_Identity_IDGuid System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 3.0.OFFER.exe.f90000.0.unpack, IdManager.cs	.Net Code: Remoting_Identity_IDGuid System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: C:\Users\user\Desktop\OFFER.exe

Code function: 0_2_00EA2010 push eax; retf

0_2_00EA2011

Source: initial sample	Static PE information: section name: .text entropy: 7.70065403732
Source: initial sample	Static PE information: section name: .text entropy: 7.70065403732

Source: C:\Users\user\Desktop\OFFER.exe

File created: C:\Users\user\AppData\Roaming\RplepwTnfZYE.exe

Jump to dropped file

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules

Show sources

Source: unknown

Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\RplepwTnfZYE' /XML 'C:\Users\user\AppData\Local\Temp\tmpB5D6.tmp'

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Users\user\Desktop\OFFER.exe

File opened: C:\Users\user\Desktop\OFFER.exe:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM_3

Show sources

Source: Yara match	File source: 00000000.00000002.210666466.0000000002EA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.210800137.0000000002F20000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: OFFER.exe PID: 6088, type: MEMORY

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: OFFER.exe, 00000000.00000002.210666466.0000000002EA1000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL
Source: OFFER.exe, 00000000.00000002.210666466.0000000002EA1000.00000004.00000001.sdmp	Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME

Source: C:\Users\user\Desktop\OFFER.exe

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Jump to behavior

Source: C:\Users\user\Desktop\OFFER.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Users\user\Desktop\OFFER.exe	Window / User API: threadDelayed 647	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Window / User API: threadDelayed 852	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Window / User API: foregroundWindowGot 988	Jump to behavior

Source: C:\Users\user\Desktop\OFFER.exe TID: 6064	Thread sleep time: -49583s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe TID: 2796	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe TID: 5076	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe TID: 5072	Thread sleep time: -40000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: OFFER.exe, 00000000.00000002.210666466.0000000002EA1000.00000004.00000001.sdmp	Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: OFFER.exe, 00000000.00000002.210666466.0000000002EA1000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: OFFER.exe, 00000000.00000002.210666466.0000000002EA1000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II\|update users set password = @password where user_id = @user_id
Source: OFFER.exe, 00000000.00000002.210666466.0000000002EA1000.00000004.00000001.sdmp	Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

Source: C:\Users\user\Desktop\OFFER.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\OFFER.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\OFFER.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\Desktop\OFFER.exe

Memory written: C:\Users\user\Desktop\OFFER.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\OFFER.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\RplepwTnfZYE' /XML 'C:\Users\user\AppData\Local\Temp\tmpB5D6.tmp'			Jump to behavior
Source: C:\Users\user\Desktop\OFFER.exe	Process created: C:\Users\user\Desktop\OFFER.exe C:\Users\user\Desktop\OFFER.exe			Jump to behavior

Source: C:\Users\user\Desktop\OFFER.exe

Code function: 0_2_00E9AEFE GetUserNameW,

0_2_00E9AEFE

Source: C:\Users\user\Desktop\OFFER.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected Nanocore RAT

Show sources

Source: Yara match

File source: 00000000.00000002.211065928.0000000003EA1000.00000004.00000001.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected Nanocore RAT

Show sources

Source: Yara match

File source: 00000000.00000002.211065928.0000000003EA1000.00000004.00000001.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Scheduled Task/Job1	Scheduled Task/Job1	Access Token Manipulation1	Masquerading1	OS Credential Dumping	Security Software Discovery211	Remote Services	Archive Collected Data11	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Process Injection111	Virtualization/Sandbox Evasion3	LSASS Memory	Virtualization/Sandbox Evasion3	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Non-Standard Port1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Scheduled Task/Job1	Disable or Modify Tools1	Security Account Manager	Process Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Access Token Manipulation1	NTDS	Application Window Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol11	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Process Injection111	LSA Secrets	Account Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Deobfuscate/Decode Files or Information1	Cached Domain Credentials	System Owner/User Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Hidden Files and Directories1	DCSync	File and Directory Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Obfuscated Files or Information3	Proc Filesystem	System Information Discovery2	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Software Packing12	/etc/passwd and /etc/shadow	System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
OFFER.exe	57%	Virustotal		Browse
OFFER.exe	41%	Metadefender		Browse
OFFER.exe	69%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla
OFFER.exe	100%	Avira	TR/AD.Nanocore.gzsda

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\RplepwTnfZYE.exe	100%	Avira	TR/AD.Nanocore.gzsda
C:\Users\user\AppData\Roaming\RplepwTnfZYE.exe	57%	Virustotal		Browse
C:\Users\user\AppData\Roaming\RplepwTnfZYE.exe	41%	Metadefender		Browse
C:\Users\user\AppData\Roaming\RplepwTnfZYE.exe	69%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla

Unpacked PE Files

No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
udochukwu.ddns.net	1%	Virustotal		Browse

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
udochukwu.ddns.net	37.18.96.19	true	true	1%, Virustotal, Browse	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
37.18.96.19	unknown	Netherlands		201411	GOKNETTR	true

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	31.0.0 Red Diamond
Analysis ID:	322137
Start date:	24.11.2020
Start time:	15:27:11
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 24s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	OFFER.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	26
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@6/5@9/2
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 91% Number of executed functions: 210 Number of non-executed functions: 9
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information. Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, UsoClient.exe Excluded IPs from analysis (whitelisted): 168.61.161.212, 104.42.151.234, 13.88.21.125, 51.104.139.180, 92.122.144.200, 20.54.26.129, 8.241.122.126, 8.241.9.254, 67.26.139.254, 8.241.11.254, 8.253.204.121, 92.122.213.247, 92.122.213.194, 51.11.168.160 Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, fs.microsoft.com, ris-prod.trafficmanager.net, skypedataprdcolcus17.cloudapp.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, ris.api.iris.microsoft.com, blobcollector.events.data.trafficmanager.net, audownload.windowsupdate.nsatc.net, watson.telemetry.microsoft.com, auto.au.download.windowsupdate.com.c.footprint.net, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, skypedataprdcolwus16.cloudapp.net, skypedataprdcolwus15.cloudapp.net, au-bg-shim.trafficmanager.net Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
15:27:58	API Interceptor	1064x Sleep call for process: OFFER.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
udochukwu.ddns.net	xh1V3riWZ5.exe	Get hash	malicious	Browse	216.38.8.174
	A2UVQZMMkB.exe	Get hash	malicious	Browse	216.38.8.174
	PURCHASE09812.exe	Get hash	malicious	Browse	185.140.53.132

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\OFFER.exe.log Download File
Process:	C:\Users\user\Desktop\OFFER.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	525
Entropy (8bit):	5.2874233355119316
Encrypted:	false
SSDEEP:	12:Q3LaJU20NaL10U29hJ5g1B0U2ukyrFk70Ug+9Yz9tv:MLF20NaL329hJ5g522rWz2T
MD5:	61CCF53571C9ABA6511D696CB0D32E45
SHA1:	A13A42A20EC14942F52DB20FB16A0A520F8183CE
SHA-256:	3459BDF6C0B7F9D43649ADAAF19BA8D5D133BCBE5EF80CF4B7000DC91E10903B
SHA-512:	90E180D9A681F82C010C326456AC88EBB89256CC769E900BFB4B2DF92E69CA69726863B45DFE4627FC1EE8C281F2AF86A6A1E2EF1710094CCD3F4E092872F06F
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0..

C:\Users\user\AppData\Local\Temp\tmpB5D6.tmp Download File
Process:	C:\Users\user\Desktop\OFFER.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1645
Entropy (8bit):	5.191084760568334
Encrypted:	false
SSDEEP:	24:2dH4+SEqC/Q7hxlNMFp1/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBPtn:cbh47TlNQ//rydbz9I3YODOLNdq3T
MD5:	AB592D06D98D97E7246ACDE4BC6F877E
SHA1:	6F407D15DCD33272C9F36A3B60CE18EA287D943D
SHA-256:	5F401C9D62E49D3C79957EE747E11E54B09AE2577B37BF3FD8E0F59779E17764
SHA-512:	323FEB7A1596BC5CCC43507EC2D975930D4A35E9D726592570FD27CA47874336CB1743BC9F2E4E0BF4A32FA9605280B27281E373F176AE3762E1F33B50EE5BCD
Malicious:	true
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat Download File
Process:	C:\Users\user\Desktop\OFFER.exe
File Type:	Non-ISO extended-ASCII text, with no line terminators
Category:	dropped
Size (bytes):	8
Entropy (8bit):	3.0
Encrypted:	false
SSDEEP:	3:fPn:fP
MD5:	94BA71EFD891C3DCB84D299A3569E0DA
SHA1:	D1377C913F96023629C1A07DB3BF23E0BB5F9005
SHA-256:	30F19B17612845ECB696342C4C9306B80FFCEC7BDC5ABA5DC83A9DA346270990
SHA-512:	E82A98D4BB3D4218A77A020B3DF08B6EBD14411C8345EDB9D152B31D3A85098764928DBFE1CA3831A8581FE1F32F15DB0341AD132CCB0AF58B3EDB234A7A5944
Malicious:	true
Reputation:	low
Preview:	i.L...H

C:\Users\user\AppData\Roaming\RplepwTnfZYE.exe Download File
Process:	C:\Users\user\Desktop\OFFER.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	610816
Entropy (8bit):	7.683539798870558
Encrypted:	false
SSDEEP:	12288:5pV+lmcosZeY2eCbJtTx31jbzNDWMEDBOzuZ2znyo3almjbbLSz9CUo:9cGVF9d1DNDWMYAzuIbyoqlMbPSzbo
MD5:	F0A3B70A92ECE3204289B3E1E25C9942
SHA1:	5AF0534294C9F5FD1ADA722919EC8583F88F2AC9
SHA-256:	0A09EC08C850081FFB281F5716859D62093A5F772266503CB67D5E49A4ECD4F4
SHA-512:	35E3E2924E5B0CA26CD8D25DD0AF84ED89196EF6B4C7202BA2E18EC1741C030CC7D53C86EF0FCC9A876DC151A38A5AB3979D9B948ADB8C2E1560D3FDD35011E0
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Virustotal, Detection: 57%, Browse Antivirus: Metadefender, Detection: 41%, Browse Antivirus: ReversingLabs, Detection: 69%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......_..............P......D......>+... ...@....@.. ....................................@....................................O....@..xA........................................................................... ............... ..H............text...D.... ...................... ..`.rsrc...xA...@...B..................@..@.reloc...............P..............@..B................ +......H............e...........Y................................................(....&..(......s.........s.........s ........s!........s"...........0...........~....o#....+...0...........~....o$....+...0...........~....o%....+...0...........~....o&....+...0...........~....o'....+...0..<........~.....((.....,!r...p.....()...o...s+............~.....+...0...........~.....+.."........0..&........(....r-..p~....o,...(-.....t.....+.....0..&........(....r9..p~....o,...(-.....

C:\Users\user\AppData\Roaming\RplepwTnfZYE.exe:Zone.Identifier Download File
Process:	C:\Users\user\Desktop\OFFER.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.683539798870558
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	OFFER.exe
File size:	610816
MD5:	f0a3b70a92ece3204289b3e1e25c9942
SHA1:	5af0534294c9f5fd1ada722919ec8583f88f2ac9
SHA256:	0a09ec08c850081ffb281f5716859d62093a5f772266503cb67d5e49a4ecd4f4
SHA512:	35e3e2924e5b0ca26cd8d25dd0af84ed89196ef6b4c7202ba2e18ec1741c030cc7d53c86ef0fcc9a876dc151a38a5ab3979d9b948adb8c2e1560d3fdd35011e0
SSDEEP:	12288:5pV+lmcosZeY2eCbJtTx31jbzNDWMEDBOzuZ2znyo3almjbbLSz9CUo:9cGVF9d1DNDWMYAzuIbyoqlMbPSzbo
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......_..............P......D......>+... ...@....@.. ....................................@................................

File Icon


Icon Hash:	480f0f49194d4520

Static PE Info

General
Entrypoint:	0x492b3e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x5F990EE4 [Wed Oct 28 06:25:40 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:	v2.0.50727
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x92aec	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x94000	0x4178	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x9a000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x90b44	0x90c00	False	0.811946783247	data	7.70065403732	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0x94000	0x4178	0x4200	False	0.340968276515	data	4.65497389104	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x9a000	0xc	0x200	False	0.044921875	data	0.101910425663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
RT_ICON	0x94190	0x468	GLS_BINARY_LSB_FIRST
RT_ICON	0x945f8	0x10a8	dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 4294967295, next used block 4294967295
RT_ICON	0x956a0	0x25a8	dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 4294967295, next used block 4294967295
RT_GROUP_ICON	0x97c48	0x30	data
RT_VERSION	0x97c78	0x314	data
RT_MANIFEST	0x97f8c	0x1ea	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright 2016
Assembly Version	1.0.0.0
InternalName	mQWh.exe
FileVersion	1.0.0.0
CompanyName
LegalTrademarks
Comments
ProductName	Controlador
ProductVersion	1.0.0.0
FileDescription	Controlador
OriginalFilename	mQWh.exe

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 24, 2020 15:28:03.778383017 CET	49711	2323	192.168.2.3	37.18.96.19
Nov 24, 2020 15:28:06.779992104 CET	49711	2323	192.168.2.3	37.18.96.19
Nov 24, 2020 15:28:12.780513048 CET	49711	2323	192.168.2.3	37.18.96.19
Nov 24, 2020 15:28:22.446753979 CET	49717	2323	192.168.2.3	37.18.96.19
Nov 24, 2020 15:28:25.453433037 CET	49717	2323	192.168.2.3	37.18.96.19
Nov 24, 2020 15:28:31.469504118 CET	49717	2323	192.168.2.3	37.18.96.19
Nov 24, 2020 15:28:41.136913061 CET	49729	2323	192.168.2.3	37.18.96.19
Nov 24, 2020 15:28:44.142489910 CET	49729	2323	192.168.2.3	37.18.96.19
Nov 24, 2020 15:28:50.158615112 CET	49729	2323	192.168.2.3	37.18.96.19
Nov 24, 2020 15:28:57.892918110 CET	49734	2323	192.168.2.3	37.18.96.19
Nov 24, 2020 15:29:00.893838882 CET	49734	2323	192.168.2.3	37.18.96.19
Nov 24, 2020 15:29:06.910063028 CET	49734	2323	192.168.2.3	37.18.96.19
Nov 24, 2020 15:29:15.128210068 CET	49739	2323	192.168.2.3	37.18.96.19
Nov 24, 2020 15:29:18.129841089 CET	49739	2323	192.168.2.3	37.18.96.19
Nov 24, 2020 15:29:24.146588087 CET	49739	2323	192.168.2.3	37.18.96.19
Nov 24, 2020 15:29:31.857831001 CET	49742	2323	192.168.2.3	37.18.96.19
Nov 24, 2020 15:29:34.865459919 CET	49742	2323	192.168.2.3	37.18.96.19
Nov 24, 2020 15:29:40.881633997 CET	49742	2323	192.168.2.3	37.18.96.19
Nov 24, 2020 15:29:49.063406944 CET	49743	2323	192.168.2.3	37.18.96.19
Nov 24, 2020 15:29:52.069961071 CET	49743	2323	192.168.2.3	37.18.96.19
Nov 24, 2020 15:29:58.086153984 CET	49743	2323	192.168.2.3	37.18.96.19
Nov 24, 2020 15:30:08.977169037 CET	49744	2323	192.168.2.3	37.18.96.19
Nov 24, 2020 15:30:12.102895021 CET	49744	2323	192.168.2.3	37.18.96.19
Nov 24, 2020 15:30:18.103403091 CET	49744	2323	192.168.2.3	37.18.96.19
Nov 24, 2020 15:30:25.596973896 CET	49745	2323	192.168.2.3	37.18.96.19
Nov 24, 2020 15:30:28.604291916 CET	49745	2323	192.168.2.3	37.18.96.19
Nov 24, 2020 15:30:34.620423079 CET	49745	2323	192.168.2.3	37.18.96.19

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 24, 2020 15:27:53.506155968 CET	55984	53	192.168.2.3	8.8.8.8
Nov 24, 2020 15:27:53.533616066 CET	53	55984	8.8.8.8	192.168.2.3
Nov 24, 2020 15:27:54.659101963 CET	64185	53	192.168.2.3	8.8.8.8
Nov 24, 2020 15:27:54.686460018 CET	53	64185	8.8.8.8	192.168.2.3
Nov 24, 2020 15:27:56.442240953 CET	65110	53	192.168.2.3	8.8.8.8
Nov 24, 2020 15:27:56.478300095 CET	53	65110	8.8.8.8	192.168.2.3
Nov 24, 2020 15:27:57.345671892 CET	58361	53	192.168.2.3	8.8.8.8
Nov 24, 2020 15:27:57.372770071 CET	53	58361	8.8.8.8	192.168.2.3
Nov 24, 2020 15:27:58.937705994 CET	63492	53	192.168.2.3	8.8.8.8
Nov 24, 2020 15:27:58.964807034 CET	53	63492	8.8.8.8	192.168.2.3
Nov 24, 2020 15:27:59.964009047 CET	60831	53	192.168.2.3	8.8.8.8
Nov 24, 2020 15:27:59.991353035 CET	53	60831	8.8.8.8	192.168.2.3
Nov 24, 2020 15:28:03.718260050 CET	60100	53	192.168.2.3	8.8.8.8
Nov 24, 2020 15:28:03.764199018 CET	53	60100	8.8.8.8	192.168.2.3
Nov 24, 2020 15:28:15.093889952 CET	53195	53	192.168.2.3	8.8.8.8
Nov 24, 2020 15:28:15.129780054 CET	53	53195	8.8.8.8	192.168.2.3
Nov 24, 2020 15:28:16.826072931 CET	50141	53	192.168.2.3	8.8.8.8
Nov 24, 2020 15:28:16.853127956 CET	53	50141	8.8.8.8	192.168.2.3
Nov 24, 2020 15:28:21.401735067 CET	53023	53	192.168.2.3	8.8.8.8
Nov 24, 2020 15:28:21.429003000 CET	53	53023	8.8.8.8	192.168.2.3
Nov 24, 2020 15:28:22.360163927 CET	49563	53	192.168.2.3	8.8.8.8
Nov 24, 2020 15:28:22.387494087 CET	53	49563	8.8.8.8	192.168.2.3
Nov 24, 2020 15:28:22.404793978 CET	51352	53	192.168.2.3	8.8.8.8
Nov 24, 2020 15:28:22.445501089 CET	53	51352	8.8.8.8	192.168.2.3
Nov 24, 2020 15:28:23.165205956 CET	59349	53	192.168.2.3	8.8.8.8
Nov 24, 2020 15:28:23.200990915 CET	53	59349	8.8.8.8	192.168.2.3
Nov 24, 2020 15:28:24.037941933 CET	57084	53	192.168.2.3	8.8.8.8
Nov 24, 2020 15:28:24.073755980 CET	53	57084	8.8.8.8	192.168.2.3
Nov 24, 2020 15:28:25.199189901 CET	58823	53	192.168.2.3	8.8.8.8
Nov 24, 2020 15:28:25.226290941 CET	53	58823	8.8.8.8	192.168.2.3
Nov 24, 2020 15:28:27.783973932 CET	57568	53	192.168.2.3	8.8.8.8
Nov 24, 2020 15:28:27.821347952 CET	53	57568	8.8.8.8	192.168.2.3
Nov 24, 2020 15:28:34.769733906 CET	50540	53	192.168.2.3	8.8.8.8
Nov 24, 2020 15:28:34.796920061 CET	53	50540	8.8.8.8	192.168.2.3
Nov 24, 2020 15:28:35.618417978 CET	54366	53	192.168.2.3	8.8.8.8
Nov 24, 2020 15:28:35.645675898 CET	53	54366	8.8.8.8	192.168.2.3
Nov 24, 2020 15:28:38.654897928 CET	53034	53	192.168.2.3	8.8.8.8
Nov 24, 2020 15:28:38.681972980 CET	53	53034	8.8.8.8	192.168.2.3
Nov 24, 2020 15:28:39.306180000 CET	57762	53	192.168.2.3	8.8.8.8
Nov 24, 2020 15:28:39.356237888 CET	53	57762	8.8.8.8	192.168.2.3
Nov 24, 2020 15:28:39.559573889 CET	55435	53	192.168.2.3	8.8.8.8
Nov 24, 2020 15:28:39.586956024 CET	53	55435	8.8.8.8	192.168.2.3
Nov 24, 2020 15:28:41.097023964 CET	50713	53	192.168.2.3	8.8.8.8
Nov 24, 2020 15:28:41.134298086 CET	53	50713	8.8.8.8	192.168.2.3
Nov 24, 2020 15:28:44.236629963 CET	56132	53	192.168.2.3	8.8.8.8
Nov 24, 2020 15:28:44.263674021 CET	53	56132	8.8.8.8	192.168.2.3
Nov 24, 2020 15:28:55.406728029 CET	58987	53	192.168.2.3	8.8.8.8
Nov 24, 2020 15:28:55.434057951 CET	53	58987	8.8.8.8	192.168.2.3
Nov 24, 2020 15:28:57.856010914 CET	56579	53	192.168.2.3	8.8.8.8
Nov 24, 2020 15:28:57.891792059 CET	53	56579	8.8.8.8	192.168.2.3
Nov 24, 2020 15:28:57.897439957 CET	60633	53	192.168.2.3	8.8.8.8
Nov 24, 2020 15:28:57.934497118 CET	53	60633	8.8.8.8	192.168.2.3
Nov 24, 2020 15:29:15.099493980 CET	61292	53	192.168.2.3	8.8.8.8
Nov 24, 2020 15:29:15.126679897 CET	53	61292	8.8.8.8	192.168.2.3
Nov 24, 2020 15:29:30.311285019 CET	63619	53	192.168.2.3	8.8.8.8
Nov 24, 2020 15:29:30.338418961 CET	53	63619	8.8.8.8	192.168.2.3
Nov 24, 2020 15:29:31.783803940 CET	64938	53	192.168.2.3	8.8.8.8
Nov 24, 2020 15:29:31.815838099 CET	61946	53	192.168.2.3	8.8.8.8
Nov 24, 2020 15:29:31.819479942 CET	53	64938	8.8.8.8	192.168.2.3
Nov 24, 2020 15:29:31.851372004 CET	53	61946	8.8.8.8	192.168.2.3
Nov 24, 2020 15:29:49.024101973 CET	64910	53	192.168.2.3	8.8.8.8
Nov 24, 2020 15:29:49.059978962 CET	53	64910	8.8.8.8	192.168.2.3
Nov 24, 2020 15:30:07.586671114 CET	52123	53	192.168.2.3	8.8.8.8
Nov 24, 2020 15:30:07.624885082 CET	53	52123	8.8.8.8	192.168.2.3
Nov 24, 2020 15:30:25.558933020 CET	56130	53	192.168.2.3	8.8.8.8
Nov 24, 2020 15:30:25.596074104 CET	53	56130	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Nov 24, 2020 15:28:03.718260050 CET	192.168.2.3	8.8.8.8	0x330b	Standard query (0)	udochukwu.ddns.net	A (IP address)	IN (0x0001)
Nov 24, 2020 15:28:22.404793978 CET	192.168.2.3	8.8.8.8	0x731b	Standard query (0)	udochukwu.ddns.net	A (IP address)	IN (0x0001)
Nov 24, 2020 15:28:41.097023964 CET	192.168.2.3	8.8.8.8	0xdf3e	Standard query (0)	udochukwu.ddns.net	A (IP address)	IN (0x0001)
Nov 24, 2020 15:28:57.856010914 CET	192.168.2.3	8.8.8.8	0x7759	Standard query (0)	udochukwu.ddns.net	A (IP address)	IN (0x0001)
Nov 24, 2020 15:29:15.099493980 CET	192.168.2.3	8.8.8.8	0xdf0b	Standard query (0)	udochukwu.ddns.net	A (IP address)	IN (0x0001)
Nov 24, 2020 15:29:31.815838099 CET	192.168.2.3	8.8.8.8	0xe3da	Standard query (0)	udochukwu.ddns.net	A (IP address)	IN (0x0001)
Nov 24, 2020 15:29:49.024101973 CET	192.168.2.3	8.8.8.8	0x8150	Standard query (0)	udochukwu.ddns.net	A (IP address)	IN (0x0001)
Nov 24, 2020 15:30:07.586671114 CET	192.168.2.3	8.8.8.8	0x371e	Standard query (0)	udochukwu.ddns.net	A (IP address)	IN (0x0001)
Nov 24, 2020 15:30:25.558933020 CET	192.168.2.3	8.8.8.8	0x748e	Standard query (0)	udochukwu.ddns.net	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
Nov 24, 2020 15:28:03.764199018 CET	8.8.8.8	192.168.2.3	0x330b	No error (0)	udochukwu.ddns.net	37.18.96.19	A (IP address)	IN (0x0001)
Nov 24, 2020 15:28:22.445501089 CET	8.8.8.8	192.168.2.3	0x731b	No error (0)	udochukwu.ddns.net	37.18.96.19	A (IP address)	IN (0x0001)
Nov 24, 2020 15:28:41.134298086 CET	8.8.8.8	192.168.2.3	0xdf3e	No error (0)	udochukwu.ddns.net	37.18.96.19	A (IP address)	IN (0x0001)
Nov 24, 2020 15:28:57.891792059 CET	8.8.8.8	192.168.2.3	0x7759	No error (0)	udochukwu.ddns.net	37.18.96.19	A (IP address)	IN (0x0001)
Nov 24, 2020 15:29:15.126679897 CET	8.8.8.8	192.168.2.3	0xdf0b	No error (0)	udochukwu.ddns.net	37.18.96.19	A (IP address)	IN (0x0001)
Nov 24, 2020 15:29:31.851372004 CET	8.8.8.8	192.168.2.3	0xe3da	No error (0)	udochukwu.ddns.net	37.18.96.19	A (IP address)	IN (0x0001)
Nov 24, 2020 15:29:49.059978962 CET	8.8.8.8	192.168.2.3	0x8150	No error (0)	udochukwu.ddns.net	37.18.96.19	A (IP address)	IN (0x0001)
Nov 24, 2020 15:30:07.624885082 CET	8.8.8.8	192.168.2.3	0x371e	No error (0)	udochukwu.ddns.net	37.18.96.19	A (IP address)	IN (0x0001)
Nov 24, 2020 15:30:25.596074104 CET	8.8.8.8	192.168.2.3	0x748e	No error (0)	udochukwu.ddns.net	37.18.96.19	A (IP address)	IN (0x0001)

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: OFFER.exe PID: 6088 Parent PID: 5720

General

Start time:	15:27:58
Start date:	24/11/2020
Path:	C:\Users\user\Desktop\OFFER.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\OFFER.exe'
Imagebase:	0x720000
File size:	610816 bytes
MD5 hash:	F0A3B70A92ECE3204289B3E1E25C9942
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.210666466.0000000002EA1000.00000004.00000001.sdmp, Author: Joe Security Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.211065928.0000000003EA1000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.211065928.0000000003EA1000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000000.00000002.211065928.0000000003EA1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.210800137.0000000002F20000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: schtasks.exe PID: 5436 Parent PID: 6088

General

Start time:	15:28:00
Start date:	24/11/2020
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\RplepwTnfZYE' /XML 'C:\Users\user\AppData\Local\Temp\tmpB5D6.tmp'
Imagebase:	0x1390000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 4084 Parent PID: 5436

General

Start time:	15:28:00
Start date:	24/11/2020
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: OFFER.exe PID: 5056 Parent PID: 6088

General

Start time:	15:28:01
Start date:	24/11/2020
Path:	C:\Users\user\Desktop\OFFER.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\OFFER.exe
Imagebase:	0xf90000
File size:	610816 bytes
MD5 hash:	F0A3B70A92ECE3204289B3E1E25C9942
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: OFFER.exe PID: 6088 Parent PID: 5720 OFFER.exeCOMMON

Executed Functions

Function 02A21D2E, Relevance: 2.8, Strings: 2, Instructions: 256COMMON

Download Yara Rule

Strings

?, xrefs: 02A21E93
;, xrefs: 02A21D30

Memory Dump Source

Source File: 00000000.00000002.210075788.0000000002A20000.00000040.00000001.sdmp, Offset: 02A20000, based on PE: false

Similarity

API ID:
String ID: ;$?
API String ID: 0-2431721464
Opcode ID: 95c0fd233c35dba184505821f0c41b5b413a0dcaf37839f9a4e20051158d2baa
Instruction ID: 5f5c4c6552a246bdc2c9ef4f73d12fb176e6f3c234bb7329f711245706636194
Opcode Fuzzy Hash: 95c0fd233c35dba184505821f0c41b5b413a0dcaf37839f9a4e20051158d2baa
Instruction Fuzzy Hash: EAA1E274D09228CFDB20CFA9C880BEDBBB9AF4A310F545559D51DBB282DB74598ACF00

Uniqueness

Uniqueness Score: -1.00%

Function 055427EA, Relevance: 2.6, Strings: 2, Instructions: 84COMMON

Download Yara Rule

Strings

, xrefs: 05542135
>_Ir, xrefs: 055427F5

Memory Dump Source

Source File: 00000000.00000002.213268927.0000000005540000.00000040.00000001.sdmp, Offset: 05540000, based on PE: false

Similarity

API ID:
String ID: $>_Ir
API String ID: 0-1787506450
Opcode ID: ac88dde7a4284bfb8b560a61cc3f518a2747704f066447af0ff227706337fefc
Instruction ID: c4c13a8a7a01254bc353daa886fd94191414d6f8d4dcff4f8fa7690170c54e9d
Opcode Fuzzy Hash: ac88dde7a4284bfb8b560a61cc3f518a2747704f066447af0ff227706337fefc
Instruction Fuzzy Hash: 4E3112B8D05228CFDB24CF68D8997ECBBB1BB49318F1084EAE50DA7241DB345A85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 05530E63, Relevance: 1.6, APIs: 1, Instructions: 75COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 05530EE3

Memory Dump Source

Source File: 00000000.00000002.213253422.0000000005530000.00000040.00000001.sdmp, Offset: 05530000, based on PE: false

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: a2c27d9b4d155412a60a4653e7f2b545a28b22dc99571b93a057e14414055811
Instruction ID: 979ba7c663778696a116ab461506d04354fec22e58fdc0025dc1a9f2dcf73d1e
Opcode Fuzzy Hash: a2c27d9b4d155412a60a4653e7f2b545a28b22dc99571b93a057e14414055811
Instruction Fuzzy Hash: 9B21A176509784AFDB228F25DC45B62BFF4FF06310F0885DAE9898F1A3D2719908DB61

Uniqueness

Uniqueness Score: -1.00%

Function 05530FE5, Relevance: 1.6, APIs: 1, Instructions: 57nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL(?,?,?,?), ref: 05531051

Memory Dump Source

Source File: 00000000.00000002.213253422.0000000005530000.00000040.00000001.sdmp, Offset: 05530000, based on PE: false

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: 57ea07ad48c539c64ff84e8ee11c84cd84ab3a73d3f334f58fd8286bbe9e9c0f
Instruction ID: 0ced03cb0e743afb5cee2e9e410dbc4ca9a06318d04f75868f2f58c0ff6dd14a
Opcode Fuzzy Hash: 57ea07ad48c539c64ff84e8ee11c84cd84ab3a73d3f334f58fd8286bbe9e9c0f
Instruction Fuzzy Hash: BD118E724097C0AFDB228F24DC45A52FFB4EF06314F0980DAE9858B163D275A908DB62

Uniqueness

Uniqueness Score: -1.00%

Function 05530E9A, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 05530EE3

Memory Dump Source

Source File: 00000000.00000002.213253422.0000000005530000.00000040.00000001.sdmp, Offset: 05530000, based on PE: false

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: a0fa9acbf4d798d3913d2f3a9bb680e91139b7720926e15e049c6092e6f6448e
Instruction ID: 50298270694f1a0c82e86d4d8a623a96c1f6ca1f9c7a23913f31df56618b4e37
Opcode Fuzzy Hash: a0fa9acbf4d798d3913d2f3a9bb680e91139b7720926e15e049c6092e6f6448e
Instruction Fuzzy Hash: 72115E765047049FDB20CF55D885B66FBE4FF04720F08846AEE4A8B661D271E418DB61

Uniqueness

Uniqueness Score: -1.00%

Function 00E9AEFE, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,00000E2C,?,?), ref: 00E9AF4E

Memory Dump Source

Source File: 00000000.00000002.209866942.0000000000E9A000.00000040.00000001.sdmp, Offset: 00E9A000, based on PE: false

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 13b6cf18cd0e44417f1387a30de02e2c1f069753ff15ef568b0b4cd638851ae3
Instruction ID: c01379d999ca09cd78c1faaa2f324675e3c52b9b98a63c19129f28deab134564
Opcode Fuzzy Hash: 13b6cf18cd0e44417f1387a30de02e2c1f069753ff15ef568b0b4cd638851ae3
Instruction Fuzzy Hash: F1016D76500600ABD610DF16DC86F26FBA8FB88B20F14815AED085B741E375F916CBE6

Uniqueness

Uniqueness Score: -1.00%

Function 05531016, Relevance: 1.5, APIs: 1, Instructions: 38nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL(?,?,?,?), ref: 05531051

Memory Dump Source

Source File: 00000000.00000002.213253422.0000000005530000.00000040.00000001.sdmp, Offset: 05530000, based on PE: false

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: 6c04678ec2c553ffe118361301c07a38dfcdb3d84047fa8d60c52eb8679b79ee
Instruction ID: 71ff5b3c2f117d2a1baf82fc80332fb9124424f59be30c6b6228b820a8419691
Opcode Fuzzy Hash: 6c04678ec2c553ffe118361301c07a38dfcdb3d84047fa8d60c52eb8679b79ee
Instruction Fuzzy Hash: C6018B31400A44DFDB20CF25D985B26FFA0FF08320F18C49ADE494B256D2B6A418CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 02A209C8, Relevance: 1.4, Strings: 1, Instructions: 142COMMON

Download Yara Rule

Strings

X1kr, xrefs: 02A20B56

Memory Dump Source

Source File: 00000000.00000002.210075788.0000000002A20000.00000040.00000001.sdmp, Offset: 02A20000, based on PE: false

Similarity

API ID:
String ID: X1kr
API String ID: 0-844551562
Opcode ID: 6504bfa458db22b83fbde15d085f967863046502218f434b90bb1eb8508f372a
Instruction ID: f049650d594bf1c34b377b221b2746113407c4917cb40a919a69dcc86711753c
Opcode Fuzzy Hash: 6504bfa458db22b83fbde15d085f967863046502218f434b90bb1eb8508f372a
Instruction Fuzzy Hash: 46518DB4E01258DFDB58DFAAD584A9DBBF2BF88305F14C06AD808AB324DB319945CF50

Uniqueness

Uniqueness Score: -1.00%

Function 02A209CD, Relevance: 1.4, Strings: 1, Instructions: 140COMMON

Download Yara Rule

Strings

X1kr, xrefs: 02A20B56

Memory Dump Source

Source File: 00000000.00000002.210075788.0000000002A20000.00000040.00000001.sdmp, Offset: 02A20000, based on PE: false

Similarity

API ID:
String ID: X1kr
API String ID: 0-844551562
Opcode ID: 98761322c74f58a0d36c9950a1737f3481a4cdc3281259311b7f610406bdac59
Instruction ID: 991f2c70f32a6b0427313b063de15b0b3e02333f16a5fab27cf67654a05114b1
Opcode Fuzzy Hash: 98761322c74f58a0d36c9950a1737f3481a4cdc3281259311b7f610406bdac59
Instruction Fuzzy Hash: 50517CB4E01258DFDB58DFAAD584A9DBBF2BF88305F14C46AD808AB324DB319945CF50

Uniqueness

Uniqueness Score: -1.00%

Function 02A20448, Relevance: 10.2, Strings: 8, Instructions: 201COMMON

Download Yara Rule

Strings

`5kr, xrefs: 02A205CD
e, xrefs: 02A205E2
:@Dr, xrefs: 02A20574
e, xrefs: 02A2050B
e, xrefs: 02A20602
\,, xrefs: 02A2055D
e, xrefs: 02A2080B
e, xrefs: 02A204E0

Memory Dump Source

Source File: 00000000.00000002.210075788.0000000002A20000.00000040.00000001.sdmp, Offset: 02A20000, based on PE: false

Similarity

API ID:
String ID: :@Dr$\,$`5kr$e$e$e$e$e
API String ID: 0-2885563795
Opcode ID: b6676d0be838f91d65815dcddb1f17e5e8eebcbd579b58e99198db1488bc242c
Instruction ID: d6e9403f61b3ed536fb95c81ee209b44ab1cd9147d87061eafbbc3e1c892b498
Opcode Fuzzy Hash: b6676d0be838f91d65815dcddb1f17e5e8eebcbd579b58e99198db1488bc242c
Instruction Fuzzy Hash: D191C374E01228CFDB54DFA9C894BADBBF1BF89310F109069D509AB3A0DB71A945CF50

Uniqueness

Uniqueness Score: -1.00%

Function 055422C0, Relevance: 3.8, Strings: 3, Instructions: 77COMMON

Download Yara Rule

Strings

+, xrefs: 05542304
(, xrefs: 05541EEF
, xrefs: 05542135

Memory Dump Source

Source File: 00000000.00000002.213268927.0000000005540000.00000040.00000001.sdmp, Offset: 05540000, based on PE: false

Similarity

API ID:
String ID: $($+
API String ID: 0-1136259022
Opcode ID: 9287c698fc7c98a91479fff40c7bfc8e58c81e7e2860aee1b6811cab6f892244
Instruction ID: 76215eeef9309ce405fa50a8b64b84396575d618811dc8cfd117abb84c8140fb
Opcode Fuzzy Hash: 9287c698fc7c98a91479fff40c7bfc8e58c81e7e2860aee1b6811cab6f892244
Instruction Fuzzy Hash: 8641ACB4D06228CFDB24CF68C988BDDBBB2BB48305F1081EAD509A7285DB345E85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 055426A0, Relevance: 3.8, Strings: 3, Instructions: 76COMMON

Download Yara Rule

Strings

*, xrefs: 05542775
-, xrefs: 055426E7
, xrefs: 05542135

Memory Dump Source

Source File: 00000000.00000002.213268927.0000000005540000.00000040.00000001.sdmp, Offset: 05540000, based on PE: false

Similarity

API ID:
String ID: $*$-
API String ID: 0-2841550485
Opcode ID: 4346d261c6c4aec1524ab66b7d219753c3814c3de682ea174acab39888f67bf5
Instruction ID: 35aca049a721716b6aea23be334b8be1e385cb6da57708ef6dbb7315f476cde1
Opcode Fuzzy Hash: 4346d261c6c4aec1524ab66b7d219753c3814c3de682ea174acab39888f67bf5
Instruction Fuzzy Hash: F641BEB4D01228CFDB64CF68C988BECBBB2BB48304F1080DAE509A7255DB345E85DF11

Uniqueness

Uniqueness Score: -1.00%

Function 02A200BD, Relevance: 3.8, Strings: 3, Instructions: 54COMMON

Download Yara Rule

Strings

Pm, xrefs: 02A2015C
@l, xrefs: 02A20138
k, xrefs: 02A20114

Memory Dump Source

Source File: 00000000.00000002.210075788.0000000002A20000.00000040.00000001.sdmp, Offset: 02A20000, based on PE: false

Similarity

API ID:
String ID: @l$Pm$k
API String ID: 0-878155680
Opcode ID: e0c18f7d5bbae6d21b70421a097bd48fc8c721a813abd9d49af2c3fb132684bb
Instruction ID: c30e1ebcabfbc1791e540766b65d0ae3a0d07da57a5cfbd1a3b85f19b798e62e
Opcode Fuzzy Hash: e0c18f7d5bbae6d21b70421a097bd48fc8c721a813abd9d49af2c3fb132684bb
Instruction Fuzzy Hash: 9D215C30A0005ADFCB04EBA4D9954AD7BB1FFCA304B1452A8EA11B72A5DF706E0ADB41

Uniqueness

Uniqueness Score: -1.00%

Function 055424BD, Relevance: 3.8, Strings: 3, Instructions: 52COMMON

Download Yara Rule

Strings

(, xrefs: 055424CB
), xrefs: 0554206A
, xrefs: 05542135

Memory Dump Source

Source File: 00000000.00000002.213268927.0000000005540000.00000040.00000001.sdmp, Offset: 05540000, based on PE: false

Similarity

API ID:
String ID: $($)
API String ID: 0-2914488034
Opcode ID: f3302f7613659157db7b5d871416a06d27a5ccdbbc0ec928bba44eb831d1502c
Instruction ID: 14e37b72542e7730d5a3b4d0d3052e776ecadfa2bde02c66c2abdeb629223fed
Opcode Fuzzy Hash: f3302f7613659157db7b5d871416a06d27a5ccdbbc0ec928bba44eb831d1502c
Instruction Fuzzy Hash: 33213678D05228DFDF24CFA4C848BDDBBB2BB48308F2081DAE509A3255C7355A86CF51

Uniqueness

Uniqueness Score: -1.00%

Function 02A200B8, Relevance: 3.8, Strings: 3, Instructions: 50COMMON

Download Yara Rule

Strings

Pm, xrefs: 02A2015C
@l, xrefs: 02A20138
k, xrefs: 02A20114

Memory Dump Source

Source File: 00000000.00000002.210075788.0000000002A20000.00000040.00000001.sdmp, Offset: 02A20000, based on PE: false

Similarity

API ID:
String ID: @l$Pm$k
API String ID: 0-878155680
Opcode ID: ddb7503b247edc6d6ff980e94887c679d873826cf2dba0f5b5515e7d4c3b199e
Instruction ID: 4818bd23d4475af32e87651805647b2346b227c014287d0494c91063d56173bb
Opcode Fuzzy Hash: ddb7503b247edc6d6ff980e94887c679d873826cf2dba0f5b5515e7d4c3b199e
Instruction Fuzzy Hash: 90114C30A0014ADFCB04EBA9D9959AD7BF1FB8A304F145268DA01B7394DF707E09DB51

Uniqueness

Uniqueness Score: -1.00%

Function 05541FC9, Relevance: 3.8, Strings: 3, Instructions: 43COMMON

Download Yara Rule

Strings

., xrefs: 05541FCF
#, xrefs: 05541FFD
, xrefs: 05542135

Memory Dump Source

Source File: 00000000.00000002.213268927.0000000005540000.00000040.00000001.sdmp, Offset: 05540000, based on PE: false

Similarity

API ID:
String ID: $#$.
API String ID: 0-1065809056
Opcode ID: d87b9aed7c71ba3dbb9c32bb22964255c94e14a5aad7ddf6191be758edc2707e
Instruction ID: 95d1d59257096b4ea68b78fd0c2c778c6f71afde41ab28e1c51f3ea3089de7f2
Opcode Fuzzy Hash: d87b9aed7c71ba3dbb9c32bb22964255c94e14a5aad7ddf6191be758edc2707e
Instruction Fuzzy Hash: A8110378D05228CFDB64CF64D989BEDBBB2BB48304F20809AE509A7244CB755AC5CF61

Uniqueness

Uniqueness Score: -1.00%

Function 02A222F3, Relevance: 2.7, Strings: 2, Instructions: 236COMMON

Download Yara Rule

Strings

P, xrefs: 02A2207B
G, xrefs: 02A22345

Memory Dump Source

Source File: 00000000.00000002.210075788.0000000002A20000.00000040.00000001.sdmp, Offset: 02A20000, based on PE: false

Similarity

API ID:
String ID: G$P
API String ID: 0-270004741
Opcode ID: 7d4f9d896d6ddeeb27faf88b5d6e92cb337c222fa4eceb8c097b0dada59fb9db
Instruction ID: 37bcf55906989d5aa8db7c681e0d59b6f24e19edc046d2c1ab4c968377abfd03
Opcode Fuzzy Hash: 7d4f9d896d6ddeeb27faf88b5d6e92cb337c222fa4eceb8c097b0dada59fb9db
Instruction Fuzzy Hash: 65912870D09229CFCB00CFADC580BFDBBB5BF4A324F549255D919AB295DB30994ACB90

Uniqueness

Uniqueness Score: -1.00%

Function 02A20EC6, Relevance: 2.6, Strings: 2, Instructions: 98COMMON

Download Yara Rule

Strings

], xrefs: 02A20E4E
T, xrefs: 02A20E55

Memory Dump Source

Source File: 00000000.00000002.210075788.0000000002A20000.00000040.00000001.sdmp, Offset: 02A20000, based on PE: false

Similarity

API ID:
String ID: T$]
API String ID: 0-1892062097
Opcode ID: 190343271f629fa1126e9949773e3fdf5918203f7bc230d48c27fb2bdd3e55ce
Instruction ID: 3693e6696b3fe5702a3fc76bf64d0a0205ab5540487fa01f025640719973f6e1
Opcode Fuzzy Hash: 190343271f629fa1126e9949773e3fdf5918203f7bc230d48c27fb2bdd3e55ce
Instruction Fuzzy Hash: D7311A70D9E229DFCB00CFACD8406FDBBB9FB1A710F10A655D52AA6291CB705689CF10

Uniqueness

Uniqueness Score: -1.00%

Function 05542257, Relevance: 2.6, Strings: 2, Instructions: 78COMMON

Download Yara Rule

Strings

, xrefs: 05542135
$, xrefs: 0554259A

Memory Dump Source

Source File: 00000000.00000002.213268927.0000000005540000.00000040.00000001.sdmp, Offset: 05540000, based on PE: false

Similarity

API ID:
String ID: $$
API String ID: 0-182950533
Opcode ID: 1052ec18f96454afd48eab3eee090e78278334dfeddca014d55d7167b43fb6af
Instruction ID: 42ef75b6cfa52203fcd3be99dd8842d04ba4dc0610396e3450c21e3d932d72d6
Opcode Fuzzy Hash: 1052ec18f96454afd48eab3eee090e78278334dfeddca014d55d7167b43fb6af
Instruction Fuzzy Hash: 2741D174D05628CFDB24CF64C989BEDBBB2BB09309F1084EAE509A7280CB755AC5CF55

Uniqueness

Uniqueness Score: -1.00%

Function 02A28DE0, Relevance: 2.6, Strings: 2, Instructions: 64COMMON

Download Yara Rule

Strings

X$kr, xrefs: 02A28E7A
X$kr, xrefs: 02A28E6A

Memory Dump Source

Source File: 00000000.00000002.210075788.0000000002A20000.00000040.00000001.sdmp, Offset: 02A20000, based on PE: false

Similarity

API ID:
String ID: X$kr$X$kr
API String ID: 0-2690305392
Opcode ID: 16939999b742e996d22431888d5e568abceee8a352aefae797dd41b8fd259bcd
Instruction ID: 02b7570237954cc35ca2f86a11ba6a19e704f49e60ee7ba24aaf28cfaa3280a3
Opcode Fuzzy Hash: 16939999b742e996d22431888d5e568abceee8a352aefae797dd41b8fd259bcd
Instruction Fuzzy Hash: 59213D74D00219CFCB04DF9AC5846BEBBB2FF44304F14C5A5E80567250CB38A985CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 05542145, Relevance: 2.6, Strings: 2, Instructions: 60COMMON

Download Yara Rule

Strings

,, xrefs: 05542167
, xrefs: 05542135

Memory Dump Source

Source File: 00000000.00000002.213268927.0000000005540000.00000040.00000001.sdmp, Offset: 05540000, based on PE: false

Similarity

API ID:
String ID: $,
API String ID: 0-71045815
Opcode ID: 20d96bfced4f8309ae62d5d6a0f9fd2f1a6517a2a1fc299f417317f198157e6a
Instruction ID: 238d152fa3e4e9e6f34f56b9474cd14b3bc21fac7bcc899639ee1c8d1ee35fcf
Opcode Fuzzy Hash: 20d96bfced4f8309ae62d5d6a0f9fd2f1a6517a2a1fc299f417317f198157e6a
Instruction Fuzzy Hash: 7631E278D05228CFDB68CF24D889BDCBBB2BB49305F1081D9E509A7255DB341AC5CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 05542520, Relevance: 2.6, Strings: 2, Instructions: 58COMMON

Download Yara Rule

Strings

, xrefs: 05542135
$, xrefs: 0554259A

Memory Dump Source

Source File: 00000000.00000002.213268927.0000000005540000.00000040.00000001.sdmp, Offset: 05540000, based on PE: false

Similarity

API ID:
String ID: $$
API String ID: 0-182950533
Opcode ID: 2ed575c674687dc185e41824cc2bd02a6aa9a70d5618f07ed56209ea6103d30c
Instruction ID: 47d8d8dbd5058d3fdb8ce4be4bf3ab45f5448b4e5122de0b6445afafe42b9702
Opcode Fuzzy Hash: 2ed575c674687dc185e41824cc2bd02a6aa9a70d5618f07ed56209ea6103d30c
Instruction Fuzzy Hash: 66210EB4D05668CFDB24CF64C988BEDBBB2BB49305F1080EAE509AB251CB305A85CF55

Uniqueness

Uniqueness Score: -1.00%

Function 05542009, Relevance: 2.6, Strings: 2, Instructions: 54COMMON

Download Yara Rule

Strings

), xrefs: 0554206A
, xrefs: 05542135

Memory Dump Source

Source File: 00000000.00000002.213268927.0000000005540000.00000040.00000001.sdmp, Offset: 05540000, based on PE: false

Similarity

API ID:
String ID: $)
API String ID: 0-1951852088
Opcode ID: c265c4e78f26debb398bd3a2631c1af13d998387a71b62b14a6b76a8f52d00ef
Instruction ID: 6e192099b27ae64892a76b2a39a5c1e277db2d0f5429b61a64377c7e2b9b7a65
Opcode Fuzzy Hash: c265c4e78f26debb398bd3a2631c1af13d998387a71b62b14a6b76a8f52d00ef
Instruction Fuzzy Hash: A621F074D00228DFDB64CFA4C884BECBBB2BB89304F20809AE509B7255CB315A85DF51

Uniqueness

Uniqueness Score: -1.00%

Function 05541EC8, Relevance: 2.5, Strings: 2, Instructions: 48COMMON

Download Yara Rule

Strings

(, xrefs: 05541EEF
, xrefs: 05542135

Memory Dump Source

Source File: 00000000.00000002.213268927.0000000005540000.00000040.00000001.sdmp, Offset: 05540000, based on PE: false

Similarity

API ID:
String ID: $(
API String ID: 0-55695022
Opcode ID: 2c6f679db67ea034d59f866a940bdcbc878b587ccf9a963f184341b714797aad
Instruction ID: 959f60c8370530c747fc362d0302140e92fb049c846b1196bd04f1b9d92c4e12
Opcode Fuzzy Hash: 2c6f679db67ea034d59f866a940bdcbc878b587ccf9a963f184341b714797aad
Instruction Fuzzy Hash: F111D074D02228CFDB24CF64C985BECBBB2BB89304F208099E509AB245CB345E81DF52

Uniqueness

Uniqueness Score: -1.00%

Function 05541D0A, Relevance: 2.5, Strings: 2, Instructions: 46COMMON

Download Yara Rule

Strings

', xrefs: 05541D55
, xrefs: 05542135

Memory Dump Source

Source File: 00000000.00000002.213268927.0000000005540000.00000040.00000001.sdmp, Offset: 05540000, based on PE: false

Similarity

API ID:
String ID: $'
API String ID: 0-2481900351
Opcode ID: 6f236d6e5b42c7010650d8728a13bb4ea3ce14fd53b71f0592428f838c24c616
Instruction ID: fd16d856cfa8bb2f2029b0787e0b8a4e22fdb2c4e0469060bd392c6c70e43ca6
Opcode Fuzzy Hash: 6f236d6e5b42c7010650d8728a13bb4ea3ce14fd53b71f0592428f838c24c616
Instruction Fuzzy Hash: 4321E4B4D05228CBDB24CF64DD95BDCBBB2BB88304F2081D9E509A7245CB355E81DF55

Uniqueness

Uniqueness Score: -1.00%

Function 05541CD0, Relevance: 2.5, Strings: 2, Instructions: 46COMMON

Download Yara Rule

Strings

(, xrefs: 05541EEF
, xrefs: 05542135

Memory Dump Source

Source File: 00000000.00000002.213268927.0000000005540000.00000040.00000001.sdmp, Offset: 05540000, based on PE: false

Similarity

API ID:
String ID: $(
API String ID: 0-55695022
Opcode ID: d77b7508bf0cd626d9fea800d58bd8d8c882a6db9464bfdda1bd0a277ae8be4d
Instruction ID: 501fc5924ff5706274d3adc91c2bb0038a88745c3e817b078505f5b155e962d6
Opcode Fuzzy Hash: d77b7508bf0cd626d9fea800d58bd8d8c882a6db9464bfdda1bd0a277ae8be4d
Instruction Fuzzy Hash: 33110274D06228CBDB24CF64CD89BECBBB2FB48305F108099E509A3241CB341AC5DF65

Uniqueness

Uniqueness Score: -1.00%

Function 055425D4, Relevance: 2.5, Strings: 2, Instructions: 44COMMON

Download Yara Rule

Strings

', xrefs: 05541D55
, xrefs: 05542135

Memory Dump Source

Source File: 00000000.00000002.213268927.0000000005540000.00000040.00000001.sdmp, Offset: 05540000, based on PE: false

Similarity

API ID:
String ID: $'
API String ID: 0-2481900351
Opcode ID: 880645cc2ccd8b67bc26aa1bdf9f05d34d7cfba619f5a6045a634aed073b7f0f
Instruction ID: 81c4bb26b025a2212a373787d99c67d8de0c7b9e9d68d116a6a97317b00e8e11
Opcode Fuzzy Hash: 880645cc2ccd8b67bc26aa1bdf9f05d34d7cfba619f5a6045a634aed073b7f0f
Instruction Fuzzy Hash: 201102B4D05628CBDB24CF64DC49BDDBBB2BB48308F10859AE509A7244CB341AC5CF65

Uniqueness

Uniqueness Score: -1.00%

Function 055424DA, Relevance: 2.5, Strings: 2, Instructions: 44COMMON

Download Yara Rule

Strings

, xrefs: 05542135
%, xrefs: 055424E8

Memory Dump Source

Source File: 00000000.00000002.213268927.0000000005540000.00000040.00000001.sdmp, Offset: 05540000, based on PE: false

Similarity

API ID:
String ID: $%
API String ID: 0-2111875603
Opcode ID: 1ab1c29a666ca58026c20e86cd9bfaa92fe9f9d020210b6e1e6d118ffb64df10
Instruction ID: 94551bc794b71fa8e5a43e080e71c8663723a536f0de21d98ed0635ab1e9fb49
Opcode Fuzzy Hash: 1ab1c29a666ca58026c20e86cd9bfaa92fe9f9d020210b6e1e6d118ffb64df10
Instruction Fuzzy Hash: 16110374D0562CCFDB24CF64C949BEDBBB2BB49309F14849AE509A7280C7741AC5CF66

Uniqueness

Uniqueness Score: -1.00%

Function 02A2144E, Relevance: 2.5, Strings: 2, Instructions: 29COMMON

Download Yara Rule

Strings

{, xrefs: 02A21500
p, xrefs: 02A2146E

Memory Dump Source

Source File: 00000000.00000002.210075788.0000000002A20000.00000040.00000001.sdmp, Offset: 02A20000, based on PE: false

Similarity

API ID:
String ID: p${
API String ID: 0-2643458128
Opcode ID: 1ccba0aaf9fceb17cebed56844ef5bfb82b66baa074010f664d9b9183156f202
Instruction ID: 0573fa76b853f2a34fb09afc1445fa4c608334bef058e1db5988a687733ab76b
Opcode Fuzzy Hash: 1ccba0aaf9fceb17cebed56844ef5bfb82b66baa074010f664d9b9183156f202
Instruction Fuzzy Hash: 20F0E2B4D0A298CFC711CF69C54869CBBF0AB05615F1442EAD5589B262D7749908CF91

Uniqueness

Uniqueness Score: -1.00%

Function 05540006, Relevance: 1.7, Strings: 1, Instructions: 402COMMON

Download Yara Rule

Strings

, xrefs: 05540477

Memory Dump Source

Source File: 00000000.00000002.213268927.0000000005540000.00000040.00000001.sdmp, Offset: 05540000, based on PE: false

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: cb16b04ba103cc59d4b3b9f3e00f7f5d1bbcd84996d37301f8869357618b7c90
Instruction ID: 3dd87ad59348051a743665b07138137aeb8ece54287153ef0c72374357a66fc8
Opcode Fuzzy Hash: cb16b04ba103cc59d4b3b9f3e00f7f5d1bbcd84996d37301f8869357618b7c90
Instruction Fuzzy Hash: E3F16970D09318CFDB18DFA1D84C7EDBBB1BB4A309F65945AD005A72A1DBB84988CF11

Uniqueness

Uniqueness Score: -1.00%

Function 055305EE, Relevance: 1.6, APIs: 1, Instructions: 114COMMON

Download Yara Rule

APIs

GetTempFileNameW.KERNELBASE(?,00000E2C,?,?), ref: 055306CE

Memory Dump Source

Source File: 00000000.00000002.213253422.0000000005530000.00000040.00000001.sdmp, Offset: 05530000, based on PE: false

Similarity

API ID: FileNameTemp
String ID:
API String ID: 745986568-0
Opcode ID: e61db818055d98d61faaed85373da47c15d369462370c0bf5212ed37b2904e14
Instruction ID: 4ca1cc337c57093930874ecfb97a64aaaf5c1a78c2a51babd90dbdce4f13eac9
Opcode Fuzzy Hash: e61db818055d98d61faaed85373da47c15d369462370c0bf5212ed37b2904e14
Instruction Fuzzy Hash: D6416E6240E3C05FD7038B758C65A62BFB4AF47610F0E85DBD8C49F5A3D2246919C7B2

Uniqueness

Uniqueness Score: -1.00%

Function 05530B0B, Relevance: 1.6, APIs: 1, Instructions: 102COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,00000E2C), ref: 05530BBB

Memory Dump Source

Source File: 00000000.00000002.213253422.0000000005530000.00000040.00000001.sdmp, Offset: 05530000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 7aa4ce2b4d49d4e1dc32c66eaaa0564d798ca7ba80701017b246d8637b144d38
Instruction ID: a4c1df73b5312d4a8a1a783ef1ad517e07f3e445dbdd075ea902967ff76516dc
Opcode Fuzzy Hash: 7aa4ce2b4d49d4e1dc32c66eaaa0564d798ca7ba80701017b246d8637b144d38
Instruction Fuzzy Hash: 1C31B471004384AFEB228B65DC45F67BFACEF46310F04849BE985DB1A2D224A909DB71

Uniqueness

Uniqueness Score: -1.00%

Function 05540070, Relevance: 1.6, Strings: 1, Instructions: 348COMMON

Download Yara Rule

Strings

, xrefs: 05540477

Memory Dump Source

Source File: 00000000.00000002.213268927.0000000005540000.00000040.00000001.sdmp, Offset: 05540000, based on PE: false

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 3446fafd9e9728b34592c683f72faa0564a7a549b16e4e2c3b41f47e99ee6a41
Instruction ID: 5ecfecdacf88d82999a1b68b6908ca4f41ac8c077aabdd487e3b1eb807d515ff
Opcode Fuzzy Hash: 3446fafd9e9728b34592c683f72faa0564a7a549b16e4e2c3b41f47e99ee6a41
Instruction Fuzzy Hash: 14E11474D05218CFDB18DFA5D98C7EDBBB1BB4A309F60A419D106B72A0CBB84588CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0553023A, Relevance: 1.6, APIs: 1, Instructions: 94COMMON

Download Yara Rule

APIs

GetTokenInformation.KERNELBASE(?,00000E2C,E93E605A,00000000,00000000,00000000,00000000), ref: 055302E4

Memory Dump Source

Source File: 00000000.00000002.213253422.0000000005530000.00000040.00000001.sdmp, Offset: 05530000, based on PE: false

Similarity

API ID: InformationToken
String ID:
API String ID: 4114910276-0
Opcode ID: fc000233b13a5aa220d84e3458a19fa2979843503d430a0227a607e3b4d098fc
Instruction ID: 45bad2dcab3db06208df0372b60dd7055dc17bc3dfd3891af5fd1d483685cc39
Opcode Fuzzy Hash: fc000233b13a5aa220d84e3458a19fa2979843503d430a0227a607e3b4d098fc
Instruction Fuzzy Hash: 8D31B571409384AFEB228F65DC55F97BFB8EF06310F08849BE9859B162D224A909C761

Uniqueness

Uniqueness Score: -1.00%

Function 00E9AA02, Relevance: 1.6, APIs: 1, Instructions: 92registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,00000E2C), ref: 00E9AAB1

Memory Dump Source

Source File: 00000000.00000002.209866942.0000000000E9A000.00000040.00000001.sdmp, Offset: 00E9A000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: c8e95285ada23e3518a6e007afe9e669f4be314a5fba0d851f8b63339bca9cdd
Instruction ID: 3b39a766a41a25e239c510c23c033317760e93bd0d1515bb5aef1f04b183c347
Opcode Fuzzy Hash: c8e95285ada23e3518a6e007afe9e669f4be314a5fba0d851f8b63339bca9cdd
Instruction Fuzzy Hash: 1A31B472544384AFE7228B25CC45F67BFACEF06710F0885ABED819B152D264A849CB71

Uniqueness

Uniqueness Score: -1.00%

Function 05530704, Relevance: 1.6, APIs: 1, Instructions: 90fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 055307A5

Memory Dump Source

Source File: 00000000.00000002.213253422.0000000005530000.00000040.00000001.sdmp, Offset: 05530000, based on PE: false

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 2024462daa144c214390f992b2d41adbb668ec1ca353d4aebcc4930b6afe64d5
Instruction ID: 82b8c1911ff55ca611754cbdfce9507c67bfba0f71b05ffeccb3b6cd6cf660f2
Opcode Fuzzy Hash: 2024462daa144c214390f992b2d41adbb668ec1ca353d4aebcc4930b6afe64d5
Instruction Fuzzy Hash: 33315E71505340AFE722CF65DC49F66BFE8EF45610F0884AEE9898B292D375E805CB71

Uniqueness

Uniqueness Score: -1.00%

Function 00E9AAF9, Relevance: 1.6, APIs: 1, Instructions: 89registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,E93E605A,00000000,00000000,00000000,00000000), ref: 00E9ABB4

Memory Dump Source

Source File: 00000000.00000002.209866942.0000000000E9A000.00000040.00000001.sdmp, Offset: 00E9A000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 480574ea07e1e90453ea7a2f37db7befcaac4e9f5ef0d7b308180792db7f10c8
Instruction ID: 307c28acad8abac5d82993187a9a8f75281447e34972fdae49a7d669215c3a78
Opcode Fuzzy Hash: 480574ea07e1e90453ea7a2f37db7befcaac4e9f5ef0d7b308180792db7f10c8
Instruction Fuzzy Hash: 9531A471109384AFDB22CF25CC44F52BFF8EF06314F18849AE985DB152D264E949CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00E9BCBA, Relevance: 1.6, APIs: 1, Instructions: 89fileCOMMON

Download Yara Rule

APIs

CopyFileW.KERNELBASE(?,?,?), ref: 00E9BD46

Memory Dump Source

Source File: 00000000.00000002.209866942.0000000000E9A000.00000040.00000001.sdmp, Offset: 00E9A000, based on PE: false

Similarity

API ID: CopyFile
String ID:
API String ID: 1304948518-0
Opcode ID: 4a41c387f43f4add7a4980b73d663fb8697cca9d44a70e37f6ebf0b1cec812c4
Instruction ID: 014f8c69ec4bfc559eace185f20550a1954bc613a82d0139dd271c81af806111
Opcode Fuzzy Hash: 4a41c387f43f4add7a4980b73d663fb8697cca9d44a70e37f6ebf0b1cec812c4
Instruction Fuzzy Hash: 343190B150D3C45FD7138B24DC64652BFB89F17214F1D84DBD984CF1A3E2259808C762

Uniqueness

Uniqueness Score: -1.00%

Function 00E9B91E, Relevance: 1.6, APIs: 1, Instructions: 89synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNELBASE(?,?), ref: 00E9B9C5

Memory Dump Source

Source File: 00000000.00000002.209866942.0000000000E9A000.00000040.00000001.sdmp, Offset: 00E9A000, based on PE: false

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 9e824a6097bb7ad8e6d8e4178273f91cd81ac31b206237f9e4d53cc16cf3e83e
Instruction ID: 59fcc35c143d48e50ff64bf7f93628b5f695317e255b669d37b45a57135138ae
Opcode Fuzzy Hash: 9e824a6097bb7ad8e6d8e4178273f91cd81ac31b206237f9e4d53cc16cf3e83e
Instruction Fuzzy Hash: 7131B3B15093806FE712CB25DC84F56FFE8EF46314F08849AE984DB293D364E908C761

Uniqueness

Uniqueness Score: -1.00%

Function 00E9BE72, Relevance: 1.6, APIs: 1, Instructions: 86COMMON

Download Yara Rule

APIs

LsaOpenPolicy.ADVAPI32(?,00000E2C), ref: 00E9BF0F

Memory Dump Source

Source File: 00000000.00000002.209866942.0000000000E9A000.00000040.00000001.sdmp, Offset: 00E9A000, based on PE: false

Similarity

API ID: OpenPolicy
String ID:
API String ID: 2030686058-0
Opcode ID: 3bfed479c636c306dd1db3a64f322ee317fbc8872d4647fc154f9bc083700dcf
Instruction ID: 2ceaf5023bf9cbdadc08f54efef548449d8e87f6e3eb76a01a5f2914a5aaf944
Opcode Fuzzy Hash: 3bfed479c636c306dd1db3a64f322ee317fbc8872d4647fc154f9bc083700dcf
Instruction Fuzzy Hash: 9B219172504344AFEB21CF25DC45F67FFA8EF45310F14849BEE449B152D364A808CB65

Uniqueness

Uniqueness Score: -1.00%

Function 055307FC, Relevance: 1.6, APIs: 1, Instructions: 80COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E2C,E93E605A,00000000,00000000,00000000,00000000), ref: 05530891

Memory Dump Source

Source File: 00000000.00000002.213253422.0000000005530000.00000040.00000001.sdmp, Offset: 05530000, based on PE: false

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: e4bb86f78e02ac5e95d5a893d3c27448a3fcf6dfe35a82ecd4616aa9672f0cb8
Instruction ID: 4f0347cefe7a706621f1a0eac0de2a45401263b059b29975e91dedb9b11eb4cd
Opcode Fuzzy Hash: e4bb86f78e02ac5e95d5a893d3c27448a3fcf6dfe35a82ecd4616aa9672f0cb8
Instruction Fuzzy Hash: 0F21F8B54093806FE7128B25DC41FA2BFA8EF47720F1880D7EE848B293D2646909C771

Uniqueness

Uniqueness Score: -1.00%

Function 05530B3E, Relevance: 1.6, APIs: 1, Instructions: 80COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,00000E2C), ref: 05530BBB

Memory Dump Source

Source File: 00000000.00000002.213253422.0000000005530000.00000040.00000001.sdmp, Offset: 05530000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 89677433e723f0ff2320c0eef33e76832ef4af2228d29aee660419f663a29f07
Instruction ID: c3911bfd2f45b27647af47fe36290f5da56472177e9f65ca738c30cfd8234bb4
Opcode Fuzzy Hash: 89677433e723f0ff2320c0eef33e76832ef4af2228d29aee660419f663a29f07
Instruction Fuzzy Hash: 5021C172500304AFEB21DF65DC85F6BFBECEF04310F14886AEE459B251D670A8098B71

Uniqueness

Uniqueness Score: -1.00%

Function 05530726, Relevance: 1.6, APIs: 1, Instructions: 76fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 055307A5

Memory Dump Source

Source File: 00000000.00000002.213253422.0000000005530000.00000040.00000001.sdmp, Offset: 05530000, based on PE: false

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: ef36ddd0f7515d3f8bc806620eea72a89e821dcea747a8003304109173c5d1c7
Instruction ID: f5242f77755d29188b10b52083b5d5af535bcbe155cb4631b41a2a5297964319
Opcode Fuzzy Hash: ef36ddd0f7515d3f8bc806620eea72a89e821dcea747a8003304109173c5d1c7
Instruction Fuzzy Hash: C3216D75504740AFEB21DF65C889F66FFE8FF04610F14846AEA498B691D771E404CB61

Uniqueness

Uniqueness Score: -1.00%

Function 055308CC, Relevance: 1.6, APIs: 1, Instructions: 75fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,00000E2C,E93E605A,00000000,00000000,00000000,00000000), ref: 0553095D

Memory Dump Source

Source File: 00000000.00000002.213253422.0000000005530000.00000040.00000001.sdmp, Offset: 05530000, based on PE: false

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 1909db0e78949d7362bc58f8de4c15c304db079b38909f5b9e1f5c76fb5a1230
Instruction ID: f6c9692780dea16d666ffe25e97a5685fbe6462917283e26d89fa0a7508a4b43
Opcode Fuzzy Hash: 1909db0e78949d7362bc58f8de4c15c304db079b38909f5b9e1f5c76fb5a1230
Instruction Fuzzy Hash: A821A772409380AFE7228F65DC45F56BFB8EF46314F08849BEA849B153D265A909CB71

Uniqueness

Uniqueness Score: -1.00%

Function 05530C19, Relevance: 1.6, APIs: 1, Instructions: 75fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(?), ref: 05530CA0

Memory Dump Source

Source File: 00000000.00000002.213253422.0000000005530000.00000040.00000001.sdmp, Offset: 05530000, based on PE: false

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 9cc486455df3aec375d066258cd6549e4422bad423e9a82ee18e50d44d15096b
Instruction ID: f4e3556e06f1ba4740c789a017a5966bc16ac9572af76ffb10f4c38a6651c6cb
Opcode Fuzzy Hash: 9cc486455df3aec375d066258cd6549e4422bad423e9a82ee18e50d44d15096b
Instruction Fuzzy Hash: 6B21B0725093849FDB128B25DC95A92BFB4EF06214F0984DBDC898F2A3D235A909CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00E9AA32, Relevance: 1.6, APIs: 1, Instructions: 74registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,00000E2C), ref: 00E9AAB1

Memory Dump Source

Source File: 00000000.00000002.209866942.0000000000E9A000.00000040.00000001.sdmp, Offset: 00E9A000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: fde7b56fc7a733f88e6c531d0c7c2edc1246eba356c8eaa146bd59894164bf11
Instruction ID: cc4a8324ee35d7d2ee9d08592bcc22114fe133076f059e14dfe86928bee969a0
Opcode Fuzzy Hash: fde7b56fc7a733f88e6c531d0c7c2edc1246eba356c8eaa146bd59894164bf11
Instruction Fuzzy Hash: 66219272500604AFEB219F15CD84F6BFBECEF14710F18856AEE459A241D6A4E808CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 00E9B952, Relevance: 1.6, APIs: 1, Instructions: 72synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNELBASE(?,?), ref: 00E9B9C5

Memory Dump Source

Source File: 00000000.00000002.209866942.0000000000E9A000.00000040.00000001.sdmp, Offset: 00E9A000, based on PE: false

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: b2bb7baf941abdce8dbf1d120c0e4e7898485614d6cd1fa867ab7da3b432904e
Instruction ID: af3fb3eaa70e59fdd6760f72fd297dd193c9e7a6e6ff573b59654be3c8c8a20f
Opcode Fuzzy Hash: b2bb7baf941abdce8dbf1d120c0e4e7898485614d6cd1fa867ab7da3b432904e
Instruction Fuzzy Hash: 0C219FB1500240AFEB20DF25DD85FA6FBE8EF45714F14846AEE449B242D771E804CB75

Uniqueness

Uniqueness Score: -1.00%

Function 00E9BE9E, Relevance: 1.6, APIs: 1, Instructions: 72COMMON

Download Yara Rule

APIs

LsaOpenPolicy.ADVAPI32(?,00000E2C), ref: 00E9BF0F

Memory Dump Source

Source File: 00000000.00000002.209866942.0000000000E9A000.00000040.00000001.sdmp, Offset: 00E9A000, based on PE: false

Similarity

API ID: OpenPolicy
String ID:
API String ID: 2030686058-0
Opcode ID: 969a5fd06867a30ff7d0594b6c3c89ae1b3b9caf5eebac3131ff54202cb32b52
Instruction ID: 19c1f4a3360a0c28dc0d1532f4c6d13f0f737520351a8294a5deeacc3f58d5d2
Opcode Fuzzy Hash: 969a5fd06867a30ff7d0594b6c3c89ae1b3b9caf5eebac3131ff54202cb32b52
Instruction Fuzzy Hash: FF219071500304AFEB20DF69DD85FABFBACEF44710F14886AEE459B241D774A8098B75

Uniqueness

Uniqueness Score: -1.00%

Function 05530CE7, Relevance: 1.6, APIs: 1, Instructions: 70COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 05530D62

Memory Dump Source

Source File: 00000000.00000002.213253422.0000000005530000.00000040.00000001.sdmp, Offset: 05530000, based on PE: false

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 1444935f543f60f00310ba476733fdd7059368c120de02b0a6f48d010fbdf12c
Instruction ID: 9e2fa4b02f204916d7d34b7b5c593b80abda9e08ae0ae2cd52c89dc36b63a02f
Opcode Fuzzy Hash: 1444935f543f60f00310ba476733fdd7059368c120de02b0a6f48d010fbdf12c
Instruction Fuzzy Hash: 442162755093809FD722CF25DC85B56BFE8FF46210F0984AAD989CF2A2D274E908CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0553027A, Relevance: 1.6, APIs: 1, Instructions: 69COMMON

Download Yara Rule

APIs

GetTokenInformation.KERNELBASE(?,00000E2C,E93E605A,00000000,00000000,00000000,00000000), ref: 055302E4

Memory Dump Source

Source File: 00000000.00000002.213253422.0000000005530000.00000040.00000001.sdmp, Offset: 05530000, based on PE: false

Similarity

API ID: InformationToken
String ID:
API String ID: 4114910276-0
Opcode ID: a734d8f51205e9f06496427e34b981288a9f2979564a839934510ad5c3ccd527
Instruction ID: 342237130c9a26ce9200792b702d71f81dcb740675cf2db7fb366d75f6fcd4bf
Opcode Fuzzy Hash: a734d8f51205e9f06496427e34b981288a9f2979564a839934510ad5c3ccd527
Instruction Fuzzy Hash: D9119071500204AFEB21CF65DC85FABBBACEF05310F14846BEE49DB251D674A805CB71

Uniqueness

Uniqueness Score: -1.00%

Function 00E9AB3A, Relevance: 1.6, APIs: 1, Instructions: 69registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,E93E605A,00000000,00000000,00000000,00000000), ref: 00E9ABB4

Memory Dump Source

Source File: 00000000.00000002.209866942.0000000000E9A000.00000040.00000001.sdmp, Offset: 00E9A000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: fda8b23ab318af8986012bad9155f4909592d731cabfce05040e4656f08441f0
Instruction ID: e9ee6098e3658cd15ab69f600655fe8579a776003b3ce55fee87cb99860a4e8a
Opcode Fuzzy Hash: fda8b23ab318af8986012bad9155f4909592d731cabfce05040e4656f08441f0
Instruction Fuzzy Hash: D7219371500604AFEB20CF15CC84FA7FBECEF04714F18846AED459B251E660E808CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 05530F30, Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 05530F9C

Memory Dump Source

Source File: 00000000.00000002.213253422.0000000005530000.00000040.00000001.sdmp, Offset: 05530000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 7e7d2e13a506274ed4a2d99179b238ccbcf2773a9dcc36b7bd0841a12caebaf7
Instruction ID: 7cd915918de0d0b683dbb2a1134c1df6aa1d9fbfb63d167d5d6eea075d6b9ed9
Opcode Fuzzy Hash: 7e7d2e13a506274ed4a2d99179b238ccbcf2773a9dcc36b7bd0841a12caebaf7
Instruction Fuzzy Hash: 8421C3725093C45FDB128B25DC95B92BFB4AF47324F0980DAED858F6A3D2749908CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00E9B16D, Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

LoadLibraryShim.MSCOREE(?,?,?,?), ref: 00E9B1E9

Memory Dump Source

Source File: 00000000.00000002.209866942.0000000000E9A000.00000040.00000001.sdmp, Offset: 00E9A000, based on PE: false

Similarity

API ID: LibraryLoadShim
String ID:
API String ID: 1475914169-0
Opcode ID: a814f97099e6bec4ccffa07e3ddd9004ebe4f641e52ddad1e28ba78dd8af79a0
Instruction ID: 350a0db7b9c5fe794ba7f4d712a7183a43910b8a404feed7e378e701a23b6ac2
Opcode Fuzzy Hash: a814f97099e6bec4ccffa07e3ddd9004ebe4f641e52ddad1e28ba78dd8af79a0
Instruction Fuzzy Hash: A32193B15093845FDB228F15DC45B52BFE8EF56314F08808AED849B253D365E908C761

Uniqueness

Uniqueness Score: -1.00%

Function 00E9AED6, Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,00000E2C,?,?), ref: 00E9AF4E

Memory Dump Source

Source File: 00000000.00000002.209866942.0000000000E9A000.00000040.00000001.sdmp, Offset: 00E9A000, based on PE: false

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 4bb8544ceec205bb0aa8dedb9054360264132b28275884fd51454562542f6732
Instruction ID: 3d9dce42ec2ef940b5dcb1b54e86064af7d50ccce5251a7527abb957d3d9dc24
Opcode Fuzzy Hash: 4bb8544ceec205bb0aa8dedb9054360264132b28275884fd51454562542f6732
Instruction Fuzzy Hash: 9A11A7715093807FD7128B16DC41F72FFB8EF86A20F19819BED448B652D225B915CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 00E9B79B, Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 00E9B800

Memory Dump Source

Source File: 00000000.00000002.209866942.0000000000E9A000.00000040.00000001.sdmp, Offset: 00E9A000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 3aef23364fca04a6a24df754bb8df75dd25cf6bce4a725a9a929da59208c2f44
Instruction ID: 6df38e1b5545275586edfc532c4408a249e4a0a224a55cbfd5d716ac8e0d4105
Opcode Fuzzy Hash: 3aef23364fca04a6a24df754bb8df75dd25cf6bce4a725a9a929da59208c2f44
Instruction Fuzzy Hash: A111AF714093849FDB128F25DC94752BFB8EF06224F1884EBED859F693D275A848CB62

Uniqueness

Uniqueness Score: -1.00%

Function 05531129, Relevance: 1.6, APIs: 1, Instructions: 62windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 0553119D

Memory Dump Source

Source File: 00000000.00000002.213253422.0000000005530000.00000040.00000001.sdmp, Offset: 05530000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 43685cfd887107616c6c03a468eea417f59e43203d14bd992834d7c6f23b75ed
Instruction ID: 39df052e1f61896ec53ee7923892e1814cecd95ece79cbbb1964db0cc58ca4fb
Opcode Fuzzy Hash: 43685cfd887107616c6c03a468eea417f59e43203d14bd992834d7c6f23b75ed
Instruction Fuzzy Hash: 2C218C714097C0AFDB238F25CC44A92FFB4EF17310F0984DAE9848F163D265A818DB62

Uniqueness

Uniqueness Score: -1.00%

Function 00E9A51F, Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00E9A58A

Memory Dump Source

Source File: 00000000.00000002.209866942.0000000000E9A000.00000040.00000001.sdmp, Offset: 00E9A000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 3eed1590d95bb3f5b7dcb050ed665269198c2146e29684f1cbb2097002f55547
Instruction ID: 06ebc5a2498bacef41f57285c1d5f8958b8ecee0923b30fe40f15059088f5070
Opcode Fuzzy Hash: 3eed1590d95bb3f5b7dcb050ed665269198c2146e29684f1cbb2097002f55547
Instruction Fuzzy Hash: C4118471409380AFDB228F55DC44A62FFF4EF4A314F0885DAEE858B162D275A918DB61

Uniqueness

Uniqueness Score: -1.00%

Function 055308FE, Relevance: 1.6, APIs: 1, Instructions: 60fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,00000E2C,E93E605A,00000000,00000000,00000000,00000000), ref: 0553095D

Memory Dump Source

Source File: 00000000.00000002.213253422.0000000005530000.00000040.00000001.sdmp, Offset: 05530000, based on PE: false

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: d4bee29a82397b514056eef22f5c744283baf947981d60899b6a6eb6829b353e
Instruction ID: e3396950e4058d4f19501bd564837c115548ff91ca61fa26709aef2a01cfb1ea
Opcode Fuzzy Hash: d4bee29a82397b514056eef22f5c744283baf947981d60899b6a6eb6829b353e
Instruction Fuzzy Hash: C211BF72400304EFEB21CF55DC85F66FBA8EF44720F14886BEE499B291D274A4088BB1

Uniqueness

Uniqueness Score: -1.00%

Function 00E9BDC1, Relevance: 1.6, APIs: 1, Instructions: 60COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(?,?), ref: 00E9BE23

Memory Dump Source

Source File: 00000000.00000002.209866942.0000000000E9A000.00000040.00000001.sdmp, Offset: 00E9A000, based on PE: false

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 2857746782184344013b6a4bba83fda422d38669bf55ee7698546e6814fca35a
Instruction ID: 6874fdfb66548320c8b54d34cb51036b0a04fdbeb1d0690bdad94dcfc53a1645
Opcode Fuzzy Hash: 2857746782184344013b6a4bba83fda422d38669bf55ee7698546e6814fca35a
Instruction Fuzzy Hash: 0E11D3715083849FDB11CF25DC85B96BFE8EF06314F0880AAED45DB252D274D844CB61

Uniqueness

Uniqueness Score: -1.00%

Function 05530D1A, Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 05530D62

Memory Dump Source

Source File: 00000000.00000002.213253422.0000000005530000.00000040.00000001.sdmp, Offset: 05530000, based on PE: false

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 058a478be58e3e47dfd2acf86b5083b80621ed161d5336402a03dad3757db2ee
Instruction ID: 33732dd6bb840b36488fc97037da4ffbc7c2f15067971cd28498d87ba4aaca7b
Opcode Fuzzy Hash: 058a478be58e3e47dfd2acf86b5083b80621ed161d5336402a03dad3757db2ee
Instruction Fuzzy Hash: F91161756047009FDB60CF29D889B66FBE8FF44620F18C86ADD4ACB6A5D674E804CB71

Uniqueness

Uniqueness Score: -1.00%

Function 00E9BCFE, Relevance: 1.6, APIs: 1, Instructions: 53fileCOMMON

Download Yara Rule

APIs

CopyFileW.KERNELBASE(?,?,?), ref: 00E9BD46

Memory Dump Source

Source File: 00000000.00000002.209866942.0000000000E9A000.00000040.00000001.sdmp, Offset: 00E9A000, based on PE: false

Similarity

API ID: CopyFile
String ID:
API String ID: 1304948518-0
Opcode ID: 893f73795d3c1ce98c02f69583c8c6f85c063af6fc9eccf61eab429d590b9bb6
Instruction ID: 3ab9ae4c05953fbb59e82604d7b98ad934f0114ac0f8d0b9b6ed363d07a51c13
Opcode Fuzzy Hash: 893f73795d3c1ce98c02f69583c8c6f85c063af6fc9eccf61eab429d590b9bb6
Instruction Fuzzy Hash: 8411A1B16002449FDB20CF29E985B66FBD8EF54324F18D46ADD09DB242D770E804CB71

Uniqueness

Uniqueness Score: -1.00%

Function 0553083E, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E2C,E93E605A,00000000,00000000,00000000,00000000), ref: 05530891

Memory Dump Source

Source File: 00000000.00000002.213253422.0000000005530000.00000040.00000001.sdmp, Offset: 05530000, based on PE: false

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 1182068e90adacd8557932b5d0fcdde0f55f393208dd81057e419eba52035c23
Instruction ID: 48cc3236a3d8467aabe4a89bd7064683ce615ca3b668165d2a09f1d83c4086cf
Opcode Fuzzy Hash: 1182068e90adacd8557932b5d0fcdde0f55f393208dd81057e419eba52035c23
Instruction Fuzzy Hash: DB01D271500704EEE720DB19DC89F66FFA8EF45720F1484A7EE499B291D6B4A4488AB1

Uniqueness

Uniqueness Score: -1.00%

Function 00E9BDE6, Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(?,?), ref: 00E9BE23

Memory Dump Source

Source File: 00000000.00000002.209866942.0000000000E9A000.00000040.00000001.sdmp, Offset: 00E9A000, based on PE: false

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 529f9660c1b659751966a0acf9c0d6f862e66b80ae2d70ddd7e8a84a65089a31
Instruction ID: 13753c1f85176e0bc91998035aee66f0649001f8f7b045a27ec710ba06e6a75b
Opcode Fuzzy Hash: 529f9660c1b659751966a0acf9c0d6f862e66b80ae2d70ddd7e8a84a65089a31
Instruction Fuzzy Hash: EE0180715002049FDF10CF29E9847A6FBD8EF04724F18D4AADE09DB251D774D804CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00E9A8CC, Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32 ref: 00E9A926

Memory Dump Source

Source File: 00000000.00000002.209866942.0000000000E9A000.00000040.00000001.sdmp, Offset: 00E9A000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 6783c7d350e1d4aa5b5e85fa6db4b1eb629944f70737f227c9bee3840f9c34e1
Instruction ID: 2ede890b84a41626813694bd4be6aa2d079fdb4d8d7553aeb9586f3bb185f739
Opcode Fuzzy Hash: 6783c7d350e1d4aa5b5e85fa6db4b1eb629944f70737f227c9bee3840f9c34e1
Instruction Fuzzy Hash: AB11C231409784AFCB218F15DC85A52FFF4EF46320F09C4DAEE854B262C275A808CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0553067E, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetTempFileNameW.KERNELBASE(?,00000E2C,?,?), ref: 055306CE

Memory Dump Source

Source File: 00000000.00000002.213253422.0000000005530000.00000040.00000001.sdmp, Offset: 05530000, based on PE: false

Similarity

API ID: FileNameTemp
String ID:
API String ID: 745986568-0
Opcode ID: d2fa45dc83ef03a474995f1a9309450f47685bd3e0c0096d55827003b3f4279e
Instruction ID: fa94b7e32190386a0604dd5b7b07968d6345b1fffde09f7d1c9998928ba5fb49
Opcode Fuzzy Hash: d2fa45dc83ef03a474995f1a9309450f47685bd3e0c0096d55827003b3f4279e
Instruction Fuzzy Hash: F9017172500600ABD710DF16DC85F26FBA8FB88B20F14856AED089B741E331B915CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 05530C66, Relevance: 1.5, APIs: 1, Instructions: 47fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(?), ref: 05530CA0

Memory Dump Source

Source File: 00000000.00000002.213253422.0000000005530000.00000040.00000001.sdmp, Offset: 05530000, based on PE: false

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: f0e370b0fd65c2746f5ff8ff07e2bf0994371ddb015f4f825fd5ed90d64fa3cd
Instruction ID: 1de106a19c9e8e111c4c27c2b28994de58c5dc86da6a1a691e4f29eee14faa10
Opcode Fuzzy Hash: f0e370b0fd65c2746f5ff8ff07e2bf0994371ddb015f4f825fd5ed90d64fa3cd
Instruction Fuzzy Hash: 93019E715043089FDB10CF2AD88A766FBD8EF44220F18C4AADD09CB2A2D675E804CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00E9A350, Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 00E9A3A4

Memory Dump Source

Source File: 00000000.00000002.209866942.0000000000E9A000.00000040.00000001.sdmp, Offset: 00E9A000, based on PE: false

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 27bba646eedecc0b94a1c3842cc47b5362d854da6c4f4a437aa1ac71244c8b4a
Instruction ID: eafd0c9b758513c11c146728051a3c1a94f8e78cf27dfd85b6545c66c3b16d4b
Opcode Fuzzy Hash: 27bba646eedecc0b94a1c3842cc47b5362d854da6c4f4a437aa1ac71244c8b4a
Instruction Fuzzy Hash: E701C4714093849FDB22CF15DC84B56FFB4EF06324F0980EAED855F262D279A808CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00E9B19E, Relevance: 1.5, APIs: 1, Instructions: 46libraryCOMMON

Download Yara Rule

APIs

LoadLibraryShim.MSCOREE(?,?,?,?), ref: 00E9B1E9

Memory Dump Source

Source File: 00000000.00000002.209866942.0000000000E9A000.00000040.00000001.sdmp, Offset: 00E9A000, based on PE: false

Similarity

API ID: LibraryLoadShim
String ID:
API String ID: 1475914169-0
Opcode ID: 866606bc403bec757cb5f9cf5d27072a5f5920f0835d72e0bbfb2b3b5da726d4
Instruction ID: b6e054b295a00de95302d5d0126bd1a6c6f6d959c732a8670d969c47531a2a5c
Opcode Fuzzy Hash: 866606bc403bec757cb5f9cf5d27072a5f5920f0835d72e0bbfb2b3b5da726d4
Instruction Fuzzy Hash: DD019E719006049FDB20DF1AE985B66FFE8EF14724F18909ADD499B256D371E808CB72

Uniqueness

Uniqueness Score: -1.00%

Function 00E9A546, Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00E9A58A

Memory Dump Source

Source File: 00000000.00000002.209866942.0000000000E9A000.00000040.00000001.sdmp, Offset: 00E9A000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 521eaa14772b624a258f15193ef8e3aec53a8cff8e4d7129aeb0a7e3488ea93a
Instruction ID: 1be58ad8bee04f76371045dd9982256afa9a8cf21546d170a8da845d5645735b
Opcode Fuzzy Hash: 521eaa14772b624a258f15193ef8e3aec53a8cff8e4d7129aeb0a7e3488ea93a
Instruction Fuzzy Hash: 34016D71500600EFDF218F55D844B56FFE0EF48320F18C5AADE495A655D275A818DFA2

Uniqueness

Uniqueness Score: -1.00%

Function 05530F6A, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 05530F9C

Memory Dump Source

Source File: 00000000.00000002.213253422.0000000005530000.00000040.00000001.sdmp, Offset: 05530000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: e1d37b57638bc49689b42bc1b06589c4b2c33f2445b179896c8d40e24deddf0c
Instruction ID: d89a55258c0d44ddec299890940a2f3a60439e259c5e034de85253f7d54d6bbf
Opcode Fuzzy Hash: e1d37b57638bc49689b42bc1b06589c4b2c33f2445b179896c8d40e24deddf0c
Instruction Fuzzy Hash: F101D4715003449FDB10DF19D889756FF94EF44220F18C4ABDD098F695D274A908CB72

Uniqueness

Uniqueness Score: -1.00%

Function 00E9B7CE, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 00E9B800

Memory Dump Source

Source File: 00000000.00000002.209866942.0000000000E9A000.00000040.00000001.sdmp, Offset: 00E9A000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 4391fd4a8e40c07b5f51c65668d7785228e0b3ef87bf1d62f12b914e04137457
Instruction ID: 13bdd68729bdee27c60b3cc816f8906a089267d6c5343227fef94613951c8fbd
Opcode Fuzzy Hash: 4391fd4a8e40c07b5f51c65668d7785228e0b3ef87bf1d62f12b914e04137457
Instruction Fuzzy Hash: 2901DF719002449FDB208F29E9847A6FFA8EF44320F18C4ABDD0A9F242D274A848CB61

Uniqueness

Uniqueness Score: -1.00%

Function 05531162, Relevance: 1.5, APIs: 1, Instructions: 38windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 0553119D

Memory Dump Source

Source File: 00000000.00000002.213253422.0000000005530000.00000040.00000001.sdmp, Offset: 05530000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: e954265c4d7a6a611f0557df2be83d1c69045416ef3d2063e1ba00e47eff801e
Instruction ID: 669c87e0504dd894f19886298d6d53c86318d9a4f6a9b191d29ce2cf3741a446
Opcode Fuzzy Hash: e954265c4d7a6a611f0557df2be83d1c69045416ef3d2063e1ba00e47eff801e
Instruction Fuzzy Hash: DE017835800A04DFDB20CF25D885B66FFA1FF08320F18849ADE490A266D2B5A418CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00E9A8EE, Relevance: 1.5, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32 ref: 00E9A926

Memory Dump Source

Source File: 00000000.00000002.209866942.0000000000E9A000.00000040.00000001.sdmp, Offset: 00E9A000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 7567d2b29982910d17a8281219feba89b417e4a4ec5f1bdae26da240848e1f5f
Instruction ID: db891f556094ced11b9826b21621920178768ed8ccf8995d6e4da241930ca299
Opcode Fuzzy Hash: 7567d2b29982910d17a8281219feba89b417e4a4ec5f1bdae26da240848e1f5f
Instruction Fuzzy Hash: 8001D131400644DFDB208F05E885752FFE0FF49324F18D0AADE4A1B252C2B5A808DFB2

Uniqueness

Uniqueness Score: -1.00%

Function 00E9A372, Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 00E9A3A4

Memory Dump Source

Source File: 00000000.00000002.209866942.0000000000E9A000.00000040.00000001.sdmp, Offset: 00E9A000, based on PE: false

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 4af3c74e0d9089353be0ef1f2b1abdc3dbf4d46a4519b7fb8f330a8c7f379428
Instruction ID: 05b0174c947d52e1a19c91593ba9584fb514df7326b9b48298fc20d0fa12f94c
Opcode Fuzzy Hash: 4af3c74e0d9089353be0ef1f2b1abdc3dbf4d46a4519b7fb8f330a8c7f379428
Instruction Fuzzy Hash: 9CF0AF34404744DFDB20CF15D88476AFFA0EF04328F28D0AADE495B656D6B9A808CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 05540C18, Relevance: 1.5, Strings: 1, Instructions: 265COMMON

Download Yara Rule

Strings

|mhr, xrefs: 05540C70

Memory Dump Source

Source File: 00000000.00000002.213268927.0000000005540000.00000040.00000001.sdmp, Offset: 05540000, based on PE: false

Similarity

API ID:
String ID: |mhr
API String ID: 0-1401776628
Opcode ID: 3cf25ca8d39c82b0f2120a646c0723f79f20a2ec146017dce4ff25a3b1d1edaa
Instruction ID: b799f533caafc77b6f5e13d9ff6200d66954ef04917c6cc7bdab24faa7d90879
Opcode Fuzzy Hash: 3cf25ca8d39c82b0f2120a646c0723f79f20a2ec146017dce4ff25a3b1d1edaa
Instruction Fuzzy Hash: ACA12730E45208DBEB14DFA4C895BADBBB2BF89714F245029E6067B3D1CB716882CF55

Uniqueness

Uniqueness Score: -1.00%

Function 0554105F, Relevance: 1.4, Strings: 1, Instructions: 191COMMON

Download Yara Rule

Strings

:@Dr, xrefs: 055411E4

Memory Dump Source

Source File: 00000000.00000002.213268927.0000000005540000.00000040.00000001.sdmp, Offset: 05540000, based on PE: false

Similarity

API ID:
String ID: :@Dr
API String ID: 0-3830894600
Opcode ID: 4b4837166df007d6e32e8de1d676b713b22951a58fb444e7fc18566e4c0525f4
Instruction ID: d93b53f79e83eaf9e5a33504146e939ebfc9e2bdd6d8e9268c1477817645fae4
Opcode Fuzzy Hash: 4b4837166df007d6e32e8de1d676b713b22951a58fb444e7fc18566e4c0525f4
Instruction Fuzzy Hash: 1D81D074E05658DFDB08DFA9D984AADBFB2FF89304F20902AE809A7350DB345985CF51

Uniqueness

Uniqueness Score: -1.00%

Function 055410A0, Relevance: 1.4, Strings: 1, Instructions: 173COMMON

Download Yara Rule

Strings

:@Dr, xrefs: 055411E4

Memory Dump Source

Source File: 00000000.00000002.213268927.0000000005540000.00000040.00000001.sdmp, Offset: 05540000, based on PE: false

Similarity

API ID:
String ID: :@Dr
API String ID: 0-3830894600
Opcode ID: afdb392357f7b739aa733bb1136f77c196820f8f1f026f165aec4aa542f69335
Instruction ID: 331fbdab83712d5c49f3854e1f41d80d7207089ca3357b54ab8c4c1ea4360e6b
Opcode Fuzzy Hash: afdb392357f7b739aa733bb1136f77c196820f8f1f026f165aec4aa542f69335
Instruction Fuzzy Hash: 0771C074E01658DFDB08DFA9D984AADBBB2FF89304F20902AE815A7391DB345985CF10

Uniqueness

Uniqueness Score: -1.00%

Function 055410B0, Relevance: 1.4, Strings: 1, Instructions: 172COMMON

Download Yara Rule

Strings

:@Dr, xrefs: 055411E4

Memory Dump Source

Source File: 00000000.00000002.213268927.0000000005540000.00000040.00000001.sdmp, Offset: 05540000, based on PE: false

Similarity

API ID:
String ID: :@Dr
API String ID: 0-3830894600
Opcode ID: 1e312bbc5acdbde99b91adfcb35923a84d144e97c596edd40327c42199785d5a
Instruction ID: 2a3f6b3fef5f338ccf561c6bfe559b5e4e3a6ec34eec625efdfe3606621e8430
Opcode Fuzzy Hash: 1e312bbc5acdbde99b91adfcb35923a84d144e97c596edd40327c42199785d5a
Instruction Fuzzy Hash: 3071BF74E01658DFDF08DFA9D884AADBFB2BF89304F20942AE809A7350DB745985CF51

Uniqueness

Uniqueness Score: -1.00%

Function 0554098F, Relevance: 1.4, Strings: 1, Instructions: 103COMMON

Download Yara Rule

Strings

|mhr, xrefs: 05540A1B

Memory Dump Source

Source File: 00000000.00000002.213268927.0000000005540000.00000040.00000001.sdmp, Offset: 05540000, based on PE: false

Similarity

API ID:
String ID: |mhr
API String ID: 0-1401776628
Opcode ID: 892260a78c9cf3c25e9402b5460c468cc48b4cf81cd400d6f3f31e7fb587441b
Instruction ID: 477681876048028dc1ab786d7e1877e416c2e87908105f7f44d89c84739685ae
Opcode Fuzzy Hash: 892260a78c9cf3c25e9402b5460c468cc48b4cf81cd400d6f3f31e7fb587441b
Instruction Fuzzy Hash: 8B316F70D06208DBDB04DFA5D4487AEBBB2FF8A314F245429E505B72A0DB715845CF55

Uniqueness

Uniqueness Score: -1.00%

Function 055409D8, Relevance: 1.3, Strings: 1, Instructions: 97COMMON

Download Yara Rule

Strings

|mhr, xrefs: 05540A1B

Memory Dump Source

Source File: 00000000.00000002.213268927.0000000005540000.00000040.00000001.sdmp, Offset: 05540000, based on PE: false

Similarity

API ID:
String ID: |mhr
API String ID: 0-1401776628
Opcode ID: d50b8be8176c819e78214e6555f575f6f8e3a268c4a6525762f2da39033989cc
Instruction ID: 7c2e4cafe46bfb5970a46d5d5bd9a269538eb470b033daf2c60273ff3619c606
Opcode Fuzzy Hash: d50b8be8176c819e78214e6555f575f6f8e3a268c4a6525762f2da39033989cc
Instruction Fuzzy Hash: 0231A170D06208DFCB04DFA6D488AEEBBB2FF89314F249429E505BB290CB315845CF44

Uniqueness

Uniqueness Score: -1.00%

Function 05542916, Relevance: 1.3, Strings: 1, Instructions: 94COMMON

Download Yara Rule

Strings

, xrefs: 05542135

Memory Dump Source

Source File: 00000000.00000002.213268927.0000000005540000.00000040.00000001.sdmp, Offset: 05540000, based on PE: false

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 810cd890799b477cfaaecc1faf9c8123266e701f10654f499ac9ad993f2a8f2b
Instruction ID: 0b6d3badec093a78bc3f46b0eb3216075d54ab6686207ebf90299c5427464c04
Opcode Fuzzy Hash: 810cd890799b477cfaaecc1faf9c8123266e701f10654f499ac9ad993f2a8f2b
Instruction Fuzzy Hash: 8841D2B4D00228DFDB24CF64C985BEDBBB2BB48308F1084EAE559A7280D7B55AC5CF55

Uniqueness

Uniqueness Score: -1.00%

Function 055409CA, Relevance: 1.3, Strings: 1, Instructions: 93COMMON

Download Yara Rule

Strings

|mhr, xrefs: 05540A1B

Memory Dump Source

Source File: 00000000.00000002.213268927.0000000005540000.00000040.00000001.sdmp, Offset: 05540000, based on PE: false

Similarity

API ID:
String ID: |mhr
API String ID: 0-1401776628
Opcode ID: 9b683a1d2a2fc2d0076da7d36012acce80f0339a61ae6d95610a67ceef45855a
Instruction ID: b40d0831a9e3f036c4fbbf3f1003ca1c71d8093f00fb731175cffc9e123b9d15
Opcode Fuzzy Hash: 9b683a1d2a2fc2d0076da7d36012acce80f0339a61ae6d95610a67ceef45855a
Instruction Fuzzy Hash: CC319370D06218EFCB04DFAAD4886EEBBB2FF89314F249429E505B7690DB315845CF55

Uniqueness

Uniqueness Score: -1.00%

Function 055421FE, Relevance: 1.3, Strings: 1, Instructions: 92COMMON

Download Yara Rule

Strings

, xrefs: 05542135

Memory Dump Source

Source File: 00000000.00000002.213268927.0000000005540000.00000040.00000001.sdmp, Offset: 05540000, based on PE: false

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 542667ef38c610cba529c173097f3712455493bfcdc43b292fde6ff21ee90ea6
Instruction ID: 3acfde8fcc335c5d2de651bc6559a8d18e81688648ed77cc1acf6d053bc6f9ae
Opcode Fuzzy Hash: 542667ef38c610cba529c173097f3712455493bfcdc43b292fde6ff21ee90ea6
Instruction Fuzzy Hash: 33411F78D05628DFCB24CF60C948BECBBB2BB49304F1084DAD41AA3284CB745AC6DF60

Uniqueness

Uniqueness Score: -1.00%

Function 05541C04, Relevance: 1.3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

Strings

, xrefs: 05542135

Memory Dump Source

Source File: 00000000.00000002.213268927.0000000005540000.00000040.00000001.sdmp, Offset: 05540000, based on PE: false

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 16aeed1fd6a2445968f984e6ed5206cd7e01338e3ba3da3d9e926e5fa0303c4c
Instruction ID: 486aad44d830d94ae642c0ca3b0dcad331b4c8e7c99584a764a8f92a4de1a0cd
Opcode Fuzzy Hash: 16aeed1fd6a2445968f984e6ed5206cd7e01338e3ba3da3d9e926e5fa0303c4c
Instruction Fuzzy Hash: 8E31D278D00228DFDB24CF65C985BDDBBB2BB48308F1080EAE519A7280DBB55AC5CF55

Uniqueness

Uniqueness Score: -1.00%

Function 05542079, Relevance: 1.3, Strings: 1, Instructions: 75COMMON

Download Yara Rule

Strings

, xrefs: 05542135

Memory Dump Source

Source File: 00000000.00000002.213268927.0000000005540000.00000040.00000001.sdmp, Offset: 05540000, based on PE: false

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 2afdf320dca92ba370077684524b403ea08dff13d23385ce4df55e4751e31ee5
Instruction ID: 9ae07f98f6db0fe3d25f63dc23e7f0f94fa7f154688bba8c7c65918a0186443e
Opcode Fuzzy Hash: 2afdf320dca92ba370077684524b403ea08dff13d23385ce4df55e4751e31ee5
Instruction Fuzzy Hash: F331E078D00228DFDB64CF64C989BDDBBB1BB88304F1481AAD919A7294DB345AC6CF51

Uniqueness

Uniqueness Score: -1.00%

Function 05541C01, Relevance: 1.3, Strings: 1, Instructions: 73COMMON

Download Yara Rule

Strings

, xrefs: 05542135

Memory Dump Source

Source File: 00000000.00000002.213268927.0000000005540000.00000040.00000001.sdmp, Offset: 05540000, based on PE: false

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 1afafafce7e1e33ba0b79cc422c8fc2766ad11f4df6f7f3a8d4644ef7fc949db
Instruction ID: 3097d093b062131f9c241445f85e977cf00bce37447c397ef5d18bb15a0a9523
Opcode Fuzzy Hash: 1afafafce7e1e33ba0b79cc422c8fc2766ad11f4df6f7f3a8d4644ef7fc949db
Instruction Fuzzy Hash: BB310178D04228DFDB24CF64C849BDCBBB2BB49304F10809AE609A7280CBB55AC5CF55

Uniqueness

Uniqueness Score: -1.00%

Function 05541D92, Relevance: 1.3, Strings: 1, Instructions: 58COMMON

Download Yara Rule

Strings

, xrefs: 05542135

Memory Dump Source

Source File: 00000000.00000002.213268927.0000000005540000.00000040.00000001.sdmp, Offset: 05540000, based on PE: false

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 63d08745c36631098689b6936dd373511a19ccfa88c54638768d36464c8d4a30
Instruction ID: 2b82e14707e4c72c18455a71bbed651d1f17296691d9d7f1f007cf8c6bff7d6d
Opcode Fuzzy Hash: 63d08745c36631098689b6936dd373511a19ccfa88c54638768d36464c8d4a30
Instruction Fuzzy Hash: 83211FB8D05628CFDB24CF25C888BECBBB2BB48305F1084DAE509A7244CB345AC5DF60

Uniqueness

Uniqueness Score: -1.00%

Function 055423DA, Relevance: 1.3, Strings: 1, Instructions: 56COMMON

Download Yara Rule

Strings

, xrefs: 05542135

Memory Dump Source

Source File: 00000000.00000002.213268927.0000000005540000.00000040.00000001.sdmp, Offset: 05540000, based on PE: false

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: f9e2a881ef73102d400baa76f20f429e4497ea238e5c9c87aeedf4b150bd9136
Instruction ID: 92bedac782374f0492cdc207b567fba212fcfb838719a670a74806c004de0e00
Opcode Fuzzy Hash: f9e2a881ef73102d400baa76f20f429e4497ea238e5c9c87aeedf4b150bd9136
Instruction Fuzzy Hash: DD21E274D05228CFDB24CF64C989BEDBBB2BB88305F20809AE50DAB255CB345E85CF55

Uniqueness

Uniqueness Score: -1.00%

Function 05541E61, Relevance: 1.3, Strings: 1, Instructions: 54COMMON

Download Yara Rule

Strings

, xrefs: 05542135

Memory Dump Source

Source File: 00000000.00000002.213268927.0000000005540000.00000040.00000001.sdmp, Offset: 05540000, based on PE: false

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 25e50fbd1b16fa658d842b06ef1c3a54377353ed2aa65d13d8929adec727f3b2
Instruction ID: 58a3ca02009be7cdd7933b0be436d4f91313a7ca3cc7b6cae1cf1a4e3c59eec1
Opcode Fuzzy Hash: 25e50fbd1b16fa658d842b06ef1c3a54377353ed2aa65d13d8929adec727f3b2
Instruction Fuzzy Hash: 1C21D374D04228DFDB64CF64C885BDDBBB1BB48304F20809AE919A7245CB355A85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 05541DEF, Relevance: 1.3, Strings: 1, Instructions: 52COMMON

Download Yara Rule

Strings

, xrefs: 05542135

Memory Dump Source

Source File: 00000000.00000002.213268927.0000000005540000.00000040.00000001.sdmp, Offset: 05540000, based on PE: false

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 68fb317d58d3b10763be526e686fc1eae950322a8e198e686bbdc856fa5d5d23
Instruction ID: a8b38dc01f10c917d824fc5ac4325eb63f186ae37b5df1f410ccd7a56f7e8a83
Opcode Fuzzy Hash: 68fb317d58d3b10763be526e686fc1eae950322a8e198e686bbdc856fa5d5d23
Instruction Fuzzy Hash: 57111674D05228DBDB24CF54D8897ECBBB2FB48308F10849AE50DA7241C7315AC5CF51

Uniqueness

Uniqueness Score: -1.00%

Function 02A20E10, Relevance: 1.3, Strings: 1, Instructions: 47COMMON

Download Yara Rule

Strings

T, xrefs: 02A20E55

Memory Dump Source

Source File: 00000000.00000002.210075788.0000000002A20000.00000040.00000001.sdmp, Offset: 02A20000, based on PE: false

Similarity

API ID:
String ID: T
API String ID: 0-3187964512
Opcode ID: d7396b72cd3c0abe81b62efe8c4d9db9cb42f4ace82ab9eb761e137818a46dc9
Instruction ID: 9eca193639ac96b23d49e7c1048e4c4071f61c161ee99d53179e01cbd530c0c7
Opcode Fuzzy Hash: d7396b72cd3c0abe81b62efe8c4d9db9cb42f4ace82ab9eb761e137818a46dc9
Instruction Fuzzy Hash: 260125B4D08619DFCB04DFAAD8406AEBFFABB59300F10D469C51AA3350DB306A88CF51

Uniqueness

Uniqueness Score: -1.00%

Function 05541F4B, Relevance: 1.3, Strings: 1, Instructions: 39COMMON

Download Yara Rule

Strings

, xrefs: 05542135

Memory Dump Source

Source File: 00000000.00000002.213268927.0000000005540000.00000040.00000001.sdmp, Offset: 05540000, based on PE: false

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: be92a6b1d04357eec0fc1093e0131085b16f7a177739773df780087f714b48c7
Instruction ID: d106a5f407550ed0e04417ecbcc6a7040e035131b67516fe84248abb24ad6e06
Opcode Fuzzy Hash: be92a6b1d04357eec0fc1093e0131085b16f7a177739773df780087f714b48c7
Instruction Fuzzy Hash: 6911E5B4D05228CBDB24CF64DC49BDDBBB2FB48304F208199E509A7245CB315E85DF55

Uniqueness

Uniqueness Score: -1.00%

Function 05541F2C, Relevance: 1.3, Strings: 1, Instructions: 39COMMON

Download Yara Rule

Strings

, xrefs: 05542135

Memory Dump Source

Source File: 00000000.00000002.213268927.0000000005540000.00000040.00000001.sdmp, Offset: 05540000, based on PE: false

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 5b0ef0ee0215096379dfdca7e3a46660f8d788c7d59e63cc5729a7ac449c189f
Instruction ID: 05fb88311819c974a917ea81eede1e327af5555af1762d6342075105c6a980b8
Opcode Fuzzy Hash: 5b0ef0ee0215096379dfdca7e3a46660f8d788c7d59e63cc5729a7ac449c189f
Instruction Fuzzy Hash: 52111774D09668DFDB24CF64DC45BDDBBB2BB49304F20819AE519A7281CB311E85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 02A20888, Relevance: 1.3, Strings: 1, Instructions: 38COMMON

Download Yara Rule

Strings

o, xrefs: 02A208D2

Memory Dump Source

Source File: 00000000.00000002.210075788.0000000002A20000.00000040.00000001.sdmp, Offset: 02A20000, based on PE: false

Similarity

API ID:
String ID: o
API String ID: 0-2084137227
Opcode ID: 211e2ea297ba7807b1f3e15239114d0929b3367d5ebbdd73767ea922a5bc3cfd
Instruction ID: d998b3bc2ae74e588d82c9c57adbdc720b8ec0539be8d7982f4da89c84109866
Opcode Fuzzy Hash: 211e2ea297ba7807b1f3e15239114d0929b3367d5ebbdd73767ea922a5bc3cfd
Instruction Fuzzy Hash: 5C01F634E01108EBCB04EFA8D992AAEBBB5EB85300F2066A8950577391DF306E45DB95

Uniqueness

Uniqueness Score: -1.00%

Function 02A2088D, Relevance: 1.3, Strings: 1, Instructions: 37COMMON

Download Yara Rule

Strings

o, xrefs: 02A208D2

Memory Dump Source

Source File: 00000000.00000002.210075788.0000000002A20000.00000040.00000001.sdmp, Offset: 02A20000, based on PE: false

Similarity

API ID:
String ID: o
API String ID: 0-2084137227
Opcode ID: cb151cfc926f29f08c82f9aa9f01d5f4c4be1676cea3611103f2dcd4f22f8884
Instruction ID: f8340283ba05df1e72f4a8efd5f8070ac4612b9689159c0faea457015abb5455
Opcode Fuzzy Hash: cb151cfc926f29f08c82f9aa9f01d5f4c4be1676cea3611103f2dcd4f22f8884
Instruction Fuzzy Hash: F8F0C934A41108EBCB04EFA4D991AADB7B1EB8A340F6066A8951577351CF306F45DB91

Uniqueness

Uniqueness Score: -1.00%

Function 05541CEE, Relevance: 1.3, Strings: 1, Instructions: 36COMMON

Download Yara Rule

Strings

, xrefs: 05542135

Memory Dump Source

Source File: 00000000.00000002.213268927.0000000005540000.00000040.00000001.sdmp, Offset: 05540000, based on PE: false

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 4e3176128193e9f8855ec266ca5ee43c72663194a269c483b2c291f918692bb9
Instruction ID: 849e1d30a10a918c91c691a27fc0073a3bb83bca930ab91a4d4a35420329bc91
Opcode Fuzzy Hash: 4e3176128193e9f8855ec266ca5ee43c72663194a269c483b2c291f918692bb9
Instruction Fuzzy Hash: 23018C74C09658CFDB24CF64DC45BDDBBB1BB49304F10809AE509A7281CB301A85CF21

Uniqueness

Uniqueness Score: -1.00%

Function 02A203D1, Relevance: 1.3, Strings: 1, Instructions: 34COMMON

Download Yara Rule

Strings

xn, xrefs: 02A20403

Memory Dump Source

Source File: 00000000.00000002.210075788.0000000002A20000.00000040.00000001.sdmp, Offset: 02A20000, based on PE: false

Similarity

API ID:
String ID: xn
API String ID: 0-2689218296
Opcode ID: 887f5bc538f1d861fa6783c8d001451c66f170a745cf90d3684c5aef388a7b70
Instruction ID: e587f11e8dd24ef7e870a2b88fbcf1df5eca32c0fa6d45e80c485d69032fedba
Opcode Fuzzy Hash: 887f5bc538f1d861fa6783c8d001451c66f170a745cf90d3684c5aef388a7b70
Instruction Fuzzy Hash: 9801C938905248EFCB01DFA8C98499DBFF0FF4A200B148AE9D845A7352D771AE4ADB51

Uniqueness

Uniqueness Score: -1.00%

Function 05541FA3, Relevance: 1.3, Strings: 1, Instructions: 32COMMON

Download Yara Rule

Strings

, xrefs: 05542135

Memory Dump Source

Source File: 00000000.00000002.213268927.0000000005540000.00000040.00000001.sdmp, Offset: 05540000, based on PE: false

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: acd0b18cc2538b0355991f674c87a7c8b907238ce18d37c47b3c87db7d8c2bd1
Instruction ID: dc26bf68364ebf5fa1cbdf0bc7dabe85dbc29714f69eb31f41fd5a4135500c77
Opcode Fuzzy Hash: acd0b18cc2538b0355991f674c87a7c8b907238ce18d37c47b3c87db7d8c2bd1
Instruction Fuzzy Hash: 61010474D05628DFDB28CF64D889BECBBB1FB48304F2080AAE919A7245CB311A81DF51

Uniqueness

Uniqueness Score: -1.00%

Function 02A214CA, Relevance: 1.3, Strings: 1, Instructions: 17COMMON

Download Yara Rule

Strings

{, xrefs: 02A21500

Memory Dump Source

Source File: 00000000.00000002.210075788.0000000002A20000.00000040.00000001.sdmp, Offset: 02A20000, based on PE: false

Similarity

API ID:
String ID: {
API String ID: 0-366298937
Opcode ID: 62ca7af59d677f6c9881eb3569ba37cb934f18f5a8d3fe8636214aa0ebb2521a
Instruction ID: b5119d0663660aefb238b001638269a71327b5c52d89753d04e5a2c2e4dca724
Opcode Fuzzy Hash: 62ca7af59d677f6c9881eb3569ba37cb934f18f5a8d3fe8636214aa0ebb2521a
Instruction Fuzzy Hash: 6EE0C2B480D2889FDB11CB69C198698BFF0BB06214B1941EAD45C9B663D7359A49CF41

Uniqueness

Uniqueness Score: -1.00%

Function 02A2142A, Relevance: 1.3, Strings: 1, Instructions: 9COMMON

Download Yara Rule

Strings

u, xrefs: 02A21440

Memory Dump Source

Source File: 00000000.00000002.210075788.0000000002A20000.00000040.00000001.sdmp, Offset: 02A20000, based on PE: false

Similarity

API ID:
String ID: u
API String ID: 0-4067256894
Opcode ID: 5dbb1c53f0188b456e1092b8107cee797db130b8c33be620a0ba994a1c0cc856
Instruction ID: e68901e7f5a823da76a6518533c17096e17526646fa4c95371fdc9913535644f
Opcode Fuzzy Hash: 5dbb1c53f0188b456e1092b8107cee797db130b8c33be620a0ba994a1c0cc856
Instruction Fuzzy Hash: 62C0807044E1599FC701D71494585D97F71AF43304F0500D59045CB077C7744618CF45

Uniqueness

Uniqueness Score: -1.00%

Function 00EA99E3, Relevance: .8, Instructions: 826COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.209871923.0000000000EA2000.00000040.00000001.sdmp, Offset: 00EA2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77e145a66bf8c7e3f7a42d2f3408922f40e852c2286220dbe36c02e222049680
Instruction ID: c5b48492c005107b6e6bea6ec6cb05e4ca54c3c88ccdfb66708f76c70d6c4899
Opcode Fuzzy Hash: 77e145a66bf8c7e3f7a42d2f3408922f40e852c2286220dbe36c02e222049680
Instruction Fuzzy Hash: A31102B250D394AFE3128B149C559A2BF78EB57610F1884DAED86AF193D2517808C772

Uniqueness

Uniqueness Score: -1.00%

Function 00E92477, Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.209862381.0000000000E92000.00000040.00000001.sdmp, Offset: 00E92000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02c1d18393892ab49688db2d6d0d01586b121bcf5180e4692b7c0c6a55e5d984
Instruction ID: 2442e27bcabbbf565dee42d88917712cd43efc2707e02adf170561ab7c24a293
Opcode Fuzzy Hash: 02c1d18393892ab49688db2d6d0d01586b121bcf5180e4692b7c0c6a55e5d984
Instruction Fuzzy Hash: E5618E6290E3C5AFCF079B346839595BF76DA1332070A62DFC6A0EB0E3D5184949C72B

Uniqueness

Uniqueness Score: -1.00%

Function 05542E58, Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.213268927.0000000005540000.00000040.00000001.sdmp, Offset: 05540000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa5d0eb5c74d5c198acd2e896558878282a930631febe35f1d6542077e4d0e64
Instruction ID: 0f215d5c4103643f36a6aa8060d15aef40143dc0574913e5470464a17f121f81
Opcode Fuzzy Hash: aa5d0eb5c74d5c198acd2e896558878282a930631febe35f1d6542077e4d0e64
Instruction Fuzzy Hash: 73612578C19218DBDB04CFA5D488BFEBBB6BF4A308F14A81AE40AB7254D7745489CF54

Uniqueness

Uniqueness Score: -1.00%

Function 00EAAA48, Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.209871923.0000000000EA2000.00000040.00000001.sdmp, Offset: 00EA2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eed9b4ba3fa9bebabe9ec3132cd3742a95f7c529c5621bf95dd07750b129f5fc
Instruction ID: ab72958be6659ca455045f5581c38e24a5470e34075befe32adda72bb1114729
Opcode Fuzzy Hash: eed9b4ba3fa9bebabe9ec3132cd3742a95f7c529c5621bf95dd07750b129f5fc
Instruction Fuzzy Hash: C45195725093806FD712CF25DC41956FFF4EF8A620F08899FF9899B252D275A904CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 05542E48, Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.213268927.0000000005540000.00000040.00000001.sdmp, Offset: 05540000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c481a27c8b5af79daa9a75a2021d59dacb805cff44a8a6d833f6a547428f87e
Instruction ID: f2542512aa8ee0d69c18f756b5cab0239744b4c2723a6c8613d8ba5977fba1df
Opcode Fuzzy Hash: 0c481a27c8b5af79daa9a75a2021d59dacb805cff44a8a6d833f6a547428f87e
Instruction Fuzzy Hash: 3C513774C19218DBDB04CFA5D489BFEBBB2BF4A308F14A81AE40AB7254DB745489CF54

Uniqueness

Uniqueness Score: -1.00%

Function 00EAA5B8, Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.209871923.0000000000EA2000.00000040.00000001.sdmp, Offset: 00EA2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea9b103fe17d1ea5450a9dc2bd2d05d5ae5d82eb2faed6815263dcac6ef997e6
Instruction ID: c196e02d649c35893f4272040485c4a2f6f95245197a56e95e3e2b44a8ea7872
Opcode Fuzzy Hash: ea9b103fe17d1ea5450a9dc2bd2d05d5ae5d82eb2faed6815263dcac6ef997e6
Instruction Fuzzy Hash: D651B1765093806FD712CF15DC50957FFE8EF8A620F08C89BF9889B252D235A904CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 05541420, Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.213268927.0000000005540000.00000040.00000001.sdmp, Offset: 05540000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ed1a49be66cef3a7c0a0f7311defd2b24de4ed0fdb083e2b7c932379a5eb5ce
Instruction ID: 6b9c6995f9ae10394199a1bae2d116c53c9dc7815dd49c25bcf39914e651a45d
Opcode Fuzzy Hash: 2ed1a49be66cef3a7c0a0f7311defd2b24de4ed0fdb083e2b7c932379a5eb5ce
Instruction Fuzzy Hash: 35510EB4D05618DFCB04DFA9D489BEDBBF5FB09308F1085AAE806A3240DB345A84CF61

Uniqueness

Uniqueness Score: -1.00%

Function 05542FF9, Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.213268927.0000000005540000.00000040.00000001.sdmp, Offset: 05540000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb5f568619e572dce3f6839c4fabe5df20d4db45a913c5dbe231999e5aa8b844
Instruction ID: 351353818eebbe80d8d9198bb72f628adc44d597ab2fa6e369bc11e728f8f877
Opcode Fuzzy Hash: bb5f568619e572dce3f6839c4fabe5df20d4db45a913c5dbe231999e5aa8b844
Instruction Fuzzy Hash: B141F578C19228DBDF04CFA4D088AFDBBB2BF0A309F54A81AE40AB7650D7345589CF54

Uniqueness

Uniqueness Score: -1.00%

Function 02A2268A, Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.210075788.0000000002A20000.00000040.00000001.sdmp, Offset: 02A20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4123e07a1f75088846d77f6e774a13fb53c3025bbc51172829a8ecdf7d72ba42
Instruction ID: 096946188e8e218c218cb28d49003d85c8aaab74170239d1ca8ec4d044db7e57
Opcode Fuzzy Hash: 4123e07a1f75088846d77f6e774a13fb53c3025bbc51172829a8ecdf7d72ba42
Instruction Fuzzy Hash: F7514974901228CFDB18DF68D998BEDBBF1FB48315F1195A9E809A7340DB709988CF50

Uniqueness

Uniqueness Score: -1.00%

Function 02A2259F, Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.210075788.0000000002A20000.00000040.00000001.sdmp, Offset: 02A20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bfef444665a5af94d51006bec972cef31927a9649e7b3a87a62e3965fd7ebc40
Instruction ID: 2eadaf0dc5ada3d9318ecb874d63cd39a20de4aa6a536675db8c95da3bee324b
Opcode Fuzzy Hash: bfef444665a5af94d51006bec972cef31927a9649e7b3a87a62e3965fd7ebc40
Instruction Fuzzy Hash: 2D51C274A11228CFDB58DF64D859BEDBBB2FB48315F1045A9E909A3344EF705A84CF60

Uniqueness

Uniqueness Score: -1.00%

Function 02A22BB2, Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.210075788.0000000002A20000.00000040.00000001.sdmp, Offset: 02A20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aed28034dc74c7df6aa0ee819aed52fff340dcb77f5e4f402315910a26a08463
Instruction ID: 9d1d75b16ed10306295b115440451f372713a20497ff5efb3ac82d4470a3b175
Opcode Fuzzy Hash: aed28034dc74c7df6aa0ee819aed52fff340dcb77f5e4f402315910a26a08463
Instruction Fuzzy Hash: 2F416974901268CFDB18DF68D998BECBFF1FB09315F1155A9E809A7280DB709988CF20

Uniqueness

Uniqueness Score: -1.00%

Function 02A228F6, Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.210075788.0000000002A20000.00000040.00000001.sdmp, Offset: 02A20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6158a5b3b20b207525d61acf0a886bf9467da2b340016206084f95ec829c303
Instruction ID: ff964b6d6b292d7c2319391a23e2e0a0ddce961cc71fe56b31473770af46767c
Opcode Fuzzy Hash: b6158a5b3b20b207525d61acf0a886bf9467da2b340016206084f95ec829c303
Instruction Fuzzy Hash: B2413774901268CFDB48DFA8D898BDCBBB1FB48315F1191A9E809A7344DF705988CF11

Uniqueness

Uniqueness Score: -1.00%

Function 00EAA810, Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.209871923.0000000000EA2000.00000040.00000001.sdmp, Offset: 00EA2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 183417400b32fa621884c1c762183172008d29ff72ed6f9277d2bfb495c75326
Instruction ID: 4dcc7b10261b7144474b6d135128d9dd7dda9313e005e4b82086712450bb688d
Opcode Fuzzy Hash: 183417400b32fa621884c1c762183172008d29ff72ed6f9277d2bfb495c75326
Instruction Fuzzy Hash: 8F216DB6508304AFD710CF0AEC41E57FFE8EB88760F14C96EFD499B211D271A9048BA2

Uniqueness

Uniqueness Score: -1.00%

Function 02A22C87, Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.210075788.0000000002A20000.00000040.00000001.sdmp, Offset: 02A20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2904ece8d61fe9e455cf7eb5a3b6b340b24f831edfac396f01385cd01dd329db
Instruction ID: a782e664caf1bc6a5b1a2d7c0a79957f549b7548b872b5829336e559ffdbcb2f
Opcode Fuzzy Hash: 2904ece8d61fe9e455cf7eb5a3b6b340b24f831edfac396f01385cd01dd329db
Instruction Fuzzy Hash: C1411674911228CFDB18DF68D899BEDBFB1FB48314F1055A9E809A7340EBB05988CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00EAA6EC, Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.209871923.0000000000EA2000.00000040.00000001.sdmp, Offset: 00EA2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fd30626906f1d0a65e236203cd71046d9cc073b20bc62d4c865ff6bf447748e
Instruction ID: 880d76dfd9d24370431a5de24e83b64baf3a39c1c949b24053db770c5eb8b356
Opcode Fuzzy Hash: 3fd30626906f1d0a65e236203cd71046d9cc073b20bc62d4c865ff6bf447748e
Instruction Fuzzy Hash: A3214FB6504304BFD610CF09EC41E57FBE8EB88B60F14C92EFD4997200D271A9148BA2

Uniqueness

Uniqueness Score: -1.00%

Function 00EAA944, Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.209871923.0000000000EA2000.00000040.00000001.sdmp, Offset: 00EA2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98e5364e8901498c679202b603bfebd0e994d3f57a5eb0f31f60513128939866
Instruction ID: e51d5fef6cf15dbd68778c517b2422947faf384cbcf4969522493a4d0838e8a2
Opcode Fuzzy Hash: 98e5364e8901498c679202b603bfebd0e994d3f57a5eb0f31f60513128939866
Instruction Fuzzy Hash: 1B212FB6544304BFD610CF49EC41E67FBE8EB88B60F14C92EFD4997211D275A9148BA2

Uniqueness

Uniqueness Score: -1.00%

Function 02A2281E, Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.210075788.0000000002A20000.00000040.00000001.sdmp, Offset: 02A20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e3f20cbf2d0785236a3709dd36e992d5ceed73e2fe8c66f55dd79be0f6b2b91
Instruction ID: 0cdc051b11cbfcebd7237b1a49c82199be52bd97eaa692bb0a3c4d89263c533a
Opcode Fuzzy Hash: 9e3f20cbf2d0785236a3709dd36e992d5ceed73e2fe8c66f55dd79be0f6b2b91
Instruction Fuzzy Hash: 8A41F674911228CFDB18DF64D859BECBFB1FB48311F1055A9E80AA7344DBB01A84CF60

Uniqueness

Uniqueness Score: -1.00%

Function 02A22452, Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.210075788.0000000002A20000.00000040.00000001.sdmp, Offset: 02A20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a20957f8c60106d0a720e9dd7e047a496bed2628677ba3990756b0398484a7a6
Instruction ID: b252df07f78d40d5a0187c6e4edebb76ce7fdbe595102e45e509f801b7339a63
Opcode Fuzzy Hash: a20957f8c60106d0a720e9dd7e047a496bed2628677ba3990756b0398484a7a6
Instruction Fuzzy Hash: D041F774901229CFDB18DF64D859BEDBFB1FB48315F1151A9E809A7280DF705984CF61

Uniqueness

Uniqueness Score: -1.00%

Function 02A22411, Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.210075788.0000000002A20000.00000040.00000001.sdmp, Offset: 02A20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34011b8a7466956ebe824382556d4bebfa0c7ecb01cc06b22a90012085402743
Instruction ID: 5ac49089f0745e95fffa7c145d48b6ee2ee92641c956326a847819b8d94112c3
Opcode Fuzzy Hash: 34011b8a7466956ebe824382556d4bebfa0c7ecb01cc06b22a90012085402743
Instruction Fuzzy Hash: 51313A70911228CFDB58DF68D8597EDBFB1FB08315F1055A9E909A3280DFB05A88CF61

Uniqueness

Uniqueness Score: -1.00%

Function 02A227B5, Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.210075788.0000000002A20000.00000040.00000001.sdmp, Offset: 02A20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c91019a12f7844a7d971b073135927e3647af9fa8ebc92cf67c2a7ecb6b5af7
Instruction ID: c9764078c40f22d63d0793f28b441390f119e3e5d4a49df3744c6cc16d1c9b76
Opcode Fuzzy Hash: 4c91019a12f7844a7d971b073135927e3647af9fa8ebc92cf67c2a7ecb6b5af7
Instruction Fuzzy Hash: 2B411574A11228CFDB58DF64D8597DDBFB1FB49311F1085A9E809A3244DFB01A84CF21

Uniqueness

Uniqueness Score: -1.00%

Function 02A22766, Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.210075788.0000000002A20000.00000040.00000001.sdmp, Offset: 02A20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a822856d2e54c3cffa81850821cbdfec56847a26830a7b5516a97d9d4c333f9a
Instruction ID: efa192ceb4bd7e5050ff58dd5198efa1ed147a86fa7e82f68664ff1e6b9e0f98
Opcode Fuzzy Hash: a822856d2e54c3cffa81850821cbdfec56847a26830a7b5516a97d9d4c333f9a
Instruction Fuzzy Hash: 0E41E774911228CFDB58DF68D8997DCBFB1FB48315F1055A9E809A7380DBB05A88CF61

Uniqueness

Uniqueness Score: -1.00%

Function 02A22420, Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.210075788.0000000002A20000.00000040.00000001.sdmp, Offset: 02A20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fc12665a3eff4d1bb629a831f7132e9eb7cbcd37511fc32065674fc52c6bfdc
Instruction ID: 823fada23cd5d444e9e9b102a79b850a909699f0c1e077c245cca3739ceba055
Opcode Fuzzy Hash: 8fc12665a3eff4d1bb629a831f7132e9eb7cbcd37511fc32065674fc52c6bfdc
Instruction Fuzzy Hash: 05311670911228CFDB58DF68D8597EDBFB1FB48315F1055A9E90AA3280DFB05A88CF61

Uniqueness

Uniqueness Score: -1.00%

Function 00EAA3A0, Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.209871923.0000000000EA2000.00000040.00000001.sdmp, Offset: 00EA2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 313bd2d449d20048132e3fdc3d8360a8b005a04d9b6177305795790a4f0355d6
Instruction ID: 97ccf11d59d8558dde8c3c871c89d38c8cd10f9367195aed89eab2383ae2302b
Opcode Fuzzy Hash: 313bd2d449d20048132e3fdc3d8360a8b005a04d9b6177305795790a4f0355d6
Instruction Fuzzy Hash: 6D2192B6548300AFD7108F05EC45E57FFA8EB89630F18C86EFD4D9B251D275A9048BA2

Uniqueness

Uniqueness Score: -1.00%

Function 02A226D8, Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.210075788.0000000002A20000.00000040.00000001.sdmp, Offset: 02A20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e482f96fc56e7acc4633a1e896efca70ef536d1fdefeea716ac61c5f98d7375
Instruction ID: ad8da4b90829b7c2acd1e6f1a2ea5edab71a9496d8468f66a6973ec28357448c
Opcode Fuzzy Hash: 8e482f96fc56e7acc4633a1e896efca70ef536d1fdefeea716ac61c5f98d7375
Instruction Fuzzy Hash: DA41E774911228CFDB58DF64D859BEDBFB2FB48311F1055A9E909A3240DFB05A84CF61

Uniqueness

Uniqueness Score: -1.00%

Function 02A22899, Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.210075788.0000000002A20000.00000040.00000001.sdmp, Offset: 02A20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b373d1c015c84363279d719e8b81a75265e8abebd455eb7ba0cfc58df76ad92
Instruction ID: 6d207918d79256879447c0fe6c5c011fa4e8b4f67f80a954ad170377b55b8c23
Opcode Fuzzy Hash: 4b373d1c015c84363279d719e8b81a75265e8abebd455eb7ba0cfc58df76ad92
Instruction Fuzzy Hash: EF41E274A11228CFDB18DF64D859BEDBFB2FB48311F1055A9E909A3284DFB05A84CF61

Uniqueness

Uniqueness Score: -1.00%

Function 02A224C7, Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.210075788.0000000002A20000.00000040.00000001.sdmp, Offset: 02A20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe60ecbd64178cdbfb5ac9153068297898f6ccc1119ebbdc089fb8291ec54789
Instruction ID: ed8d053696f433c477df2efa06a3f35bfcf83a22d9bb406a5779f55f8269b75b
Opcode Fuzzy Hash: fe60ecbd64178cdbfb5ac9153068297898f6ccc1119ebbdc089fb8291ec54789
Instruction Fuzzy Hash: A0311E74901228CFDB14DF68D898BDCBFB1FB49315F1095A9E909A7244DFB05984CF51

Uniqueness

Uniqueness Score: -1.00%

Function 02A22516, Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.210075788.0000000002A20000.00000040.00000001.sdmp, Offset: 02A20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 111af861a423b728d89741a976e7dad1e80b4ea6fede7794a15eec6d4d6ec055
Instruction ID: 9eea8bf5a2e67bd6f47fd9b609a2476e2c665854290f52e840132700bd0252af
Opcode Fuzzy Hash: 111af861a423b728d89741a976e7dad1e80b4ea6fede7794a15eec6d4d6ec055
Instruction Fuzzy Hash: 38411674A11228CFDB18DF64D858BECBBB1FB48310F1046A9E809A3384DBB05A84CF60

Uniqueness

Uniqueness Score: -1.00%

Function 00EAA82E, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.209871923.0000000000EA2000.00000040.00000001.sdmp, Offset: 00EA2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea08aea629020083621f6d7dc557ef59696b114bb6999a3fc648c3c845c9aa42
Instruction ID: d1c173d3bba4872d59ddb460d84b3c7fde93a738d8685d3ce04f826f5478326c
Opcode Fuzzy Hash: ea08aea629020083621f6d7dc557ef59696b114bb6999a3fc648c3c845c9aa42
Instruction Fuzzy Hash: D8212FB6544304AFD610CF09EC41E57FBE8EB88630F14C96EFD4997311D275A9148BA2

Uniqueness

Uniqueness Score: -1.00%

Function 00EAA95A, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.209871923.0000000000EA2000.00000040.00000001.sdmp, Offset: 00EA2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52b942322d347fb1d64c3ffc7b2f2d7b9fda6b81af34aff2abe5a4d5840e6891
Instruction ID: 64e1a08b30bf12c556ff28d71a4e569870a88e2346ae482cf2e71196d4ae0a2c
Opcode Fuzzy Hash: 52b942322d347fb1d64c3ffc7b2f2d7b9fda6b81af34aff2abe5a4d5840e6891
Instruction Fuzzy Hash: 7F212FB6544304AFD610CF09EC41E57FBE8EB88630F14C92EFD4997311D275A9148BA2

Uniqueness

Uniqueness Score: -1.00%

Function 00EAA702, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.209871923.0000000000EA2000.00000040.00000001.sdmp, Offset: 00EA2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ad58943a038debcf8de6c03e1f653402183e8ac5d6dcbc3f61cdd74aee72e28
Instruction ID: 2147d2d86271a3eabcf21635ca6a06b363ea7f505adf6aa1d4e38a4933ef44ad
Opcode Fuzzy Hash: 1ad58943a038debcf8de6c03e1f653402183e8ac5d6dcbc3f61cdd74aee72e28
Instruction Fuzzy Hash: A2212FB6544304AFD650CF09EC41E57FBE8EB88630F14C92EFD4997311D275A9148BA2

Uniqueness

Uniqueness Score: -1.00%

Function 00EAA190, Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.209871923.0000000000EA2000.00000040.00000001.sdmp, Offset: 00EA2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d459e4260db6e50eb33f59ae9324a84d50ee43e5da48689a8fdfbe013fcb7ac
Instruction ID: b819be4af09234416f5de8ce8e87dddec5276ceadfbd1a2f9169a553dfa8155f
Opcode Fuzzy Hash: 0d459e4260db6e50eb33f59ae9324a84d50ee43e5da48689a8fdfbe013fcb7ac
Instruction Fuzzy Hash: 12119AB6544304BFD6108E06EC41D67FFACEB89B74F14C55AFE095B201D272B9149BB1

Uniqueness

Uniqueness Score: -1.00%

Function 02A22735, Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.210075788.0000000002A20000.00000040.00000001.sdmp, Offset: 02A20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22be7006816f7e48b4d6c50e99581b20663f17f8cc3b7e75a89db23747a74ffc
Instruction ID: 4de0fb3287ccec469bcfc95dff3c80ee44e325d57762afcb0246bb89c0091a20
Opcode Fuzzy Hash: 22be7006816f7e48b4d6c50e99581b20663f17f8cc3b7e75a89db23747a74ffc
Instruction Fuzzy Hash: 9031E674911228CFDB58DF64D859BECBFB1FB48315F1055A9E809A7280DFB05A88CF61

Uniqueness

Uniqueness Score: -1.00%

Function 02A229CC, Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.210075788.0000000002A20000.00000040.00000001.sdmp, Offset: 02A20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67da94a99c1b7279a3bda7d498074912235a71c5b27c073bca8c0e4459bc2035
Instruction ID: 749097378267f550cf8e6a6d40f6dfba4709bf6ca531c5071212562263e46c2b
Opcode Fuzzy Hash: 67da94a99c1b7279a3bda7d498074912235a71c5b27c073bca8c0e4459bc2035
Instruction Fuzzy Hash: A3310574911228CFDB18DF64D898BECBFB1FB48315F1055A9E809A7280DBB05984CF21

Uniqueness

Uniqueness Score: -1.00%

Function 02A2256B, Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.210075788.0000000002A20000.00000040.00000001.sdmp, Offset: 02A20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 898628ca09f171287438e0b429b2884a75fa2f97e0451e164f956a4b3161d882
Instruction ID: ef25d0dacc1681bff47a97058317a2f2ec82c31f995ec4d183f9f3c11d198feb
Opcode Fuzzy Hash: 898628ca09f171287438e0b429b2884a75fa2f97e0451e164f956a4b3161d882
Instruction Fuzzy Hash: 8531E674911228CFDB18DF68D899BECBFB1FB48315F1195A9E809A7280DBB05984CF61

Uniqueness

Uniqueness Score: -1.00%

Function 02A22C55, Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.210075788.0000000002A20000.00000040.00000001.sdmp, Offset: 02A20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1877a5b6f54449dc6fbfeb777f37c439682f5325289eb8ea07998e27cbc63a7
Instruction ID: cabf4d91adb264492b44f9f51082ac6716a9a04436bd495c187b942406165bca
Opcode Fuzzy Hash: d1877a5b6f54449dc6fbfeb777f37c439682f5325289eb8ea07998e27cbc63a7
Instruction Fuzzy Hash: E2311A74911228CFDB18DF64D898BECBFB1FB48315F1055A9E909A7244DFB05A84CF51

Uniqueness

Uniqueness Score: -1.00%

Function 02A50844, Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.210127043.0000000002A50000.00000040.00000040.sdmp, Offset: 02A50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e48e30a2f15d13ef477f2de44dd714603226d8cb73a53cd0015cd8fce748bb3
Instruction ID: 760692f2419d01b1b35667b59a1bc248e18f07a97fe4a3effcbf99976fc4d472
Opcode Fuzzy Hash: 9e48e30a2f15d13ef477f2de44dd714603226d8cb73a53cd0015cd8fce748bb3
Instruction Fuzzy Hash: DD313E7550E7C49FC7038B208864B557F71AB5B214F1986DFD8858B6A3D63A880ACB52

Uniqueness

Uniqueness Score: -1.00%

Function 00EAA5D6, Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.209871923.0000000000EA2000.00000040.00000001.sdmp, Offset: 00EA2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34c9492def9f81617e17a03b35a211c7a87557a7e48c41590419296e7e57714d
Instruction ID: 5cd69314ed3e21ea9c9f7066dfcdda19df82dd47d53fd39d4e60c7406f0f8f44
Opcode Fuzzy Hash: 34c9492def9f81617e17a03b35a211c7a87557a7e48c41590419296e7e57714d
Instruction Fuzzy Hash: 681193B6544304BFD6108F0AEC41E67FBE8EB88670F18C56AFD095B211D276B9148AA2

Uniqueness

Uniqueness Score: -1.00%

Function 00EAA3BE, Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.209871923.0000000000EA2000.00000040.00000001.sdmp, Offset: 00EA2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f20ab746bf37c6c5755ae4c32b3b5510c78d61ecac95a66144993c4c828583ad
Instruction ID: 8234198b4750f0d6ea8f48c1fef332d2c98af89c74a77fe71591bf4a7ec2bcb3
Opcode Fuzzy Hash: f20ab746bf37c6c5755ae4c32b3b5510c78d61ecac95a66144993c4c828583ad
Instruction Fuzzy Hash: 6E1193B6544304BFD6108F0AEC41E67FBA8EB88630F18C56AFD095B311D276B9148AA2

Uniqueness

Uniqueness Score: -1.00%

Function 02A229A3, Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.210075788.0000000002A20000.00000040.00000001.sdmp, Offset: 02A20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: edf88c845d16a6a37bbe7dce98a51a3de3c798e22c214d47ded3331dddcb9433
Instruction ID: 708c639019346a61cac7edc6526172556841786dbe1b608e834fa2690d20a17f
Opcode Fuzzy Hash: edf88c845d16a6a37bbe7dce98a51a3de3c798e22c214d47ded3331dddcb9433
Instruction Fuzzy Hash: A5310474A11228CFDB18DF68D859BEDBFB1FB48315F1055A9E909A3280DFB05A84CF61

Uniqueness

Uniqueness Score: -1.00%

Function 02A20CC0, Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.210075788.0000000002A20000.00000040.00000001.sdmp, Offset: 02A20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5856b06ca207e26697bc2e584598c5d6b2f833a28b1bcb9f3f003f95d99775f
Instruction ID: b082ef5e3bdf607f400fe40d6c5afb276755fc88a0ea691b070fa0a6b30dce1a
Opcode Fuzzy Hash: b5856b06ca207e26697bc2e584598c5d6b2f833a28b1bcb9f3f003f95d99775f
Instruction Fuzzy Hash: CE21B3B4E042098FCB04DFA9C895AAEBBF1FF89300F1481AAD814B7361DB355945CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00EAA1A6, Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.209871923.0000000000EA2000.00000040.00000001.sdmp, Offset: 00EA2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12e80b9b59c51427cddbb41d779fe1c595aa52c1e08005e78cedb9f5e893c74f
Instruction ID: 873fc58ac806207fe45ddeaa75c92ea8d56d9a31f210f1a92d1996282d15d03e
Opcode Fuzzy Hash: 12e80b9b59c51427cddbb41d779fe1c595aa52c1e08005e78cedb9f5e893c74f
Instruction Fuzzy Hash: 4C118AB6644304BFD6108E0AEC41E67FB98EB88730F18C56BFD095B641D276B9149BB1

Uniqueness

Uniqueness Score: -1.00%

Function 02A2E448, Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.210075788.0000000002A20000.00000040.00000001.sdmp, Offset: 02A20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a35248e99ac0c4057bf6632c142077022d274adaa55a95ced2aec5953f0c63cd
Instruction ID: fecb0b9a00f4ae50113495fef7cf5c9961fcf487e8519dec5d6ec86b2a75e711
Opcode Fuzzy Hash: a35248e99ac0c4057bf6632c142077022d274adaa55a95ced2aec5953f0c63cd
Instruction Fuzzy Hash: DF218AB4D00218DFDB44DFA9C684AEDBBF5BB4C310F1490AAD818A3350DB35AA84CF64

Uniqueness

Uniqueness Score: -1.00%

Function 05542DC7, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.213268927.0000000005540000.00000040.00000001.sdmp, Offset: 05540000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97d07e0eb43a0e0976fef7be86e4f6506c9e77efd240f714447f0294b450c2de
Instruction ID: aeafc0528a9d13d2fd8b74dd6b9b5b5638aeada4576de7539d5edee2c9192648
Opcode Fuzzy Hash: 97d07e0eb43a0e0976fef7be86e4f6506c9e77efd240f714447f0294b450c2de
Instruction Fuzzy Hash: 8211A074D04208EBCB14EFB9C9817AEBBBAEF86304F1090AA980563380DA715E05CFC5

Uniqueness

Uniqueness Score: -1.00%

Function 02A5087C, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.210127043.0000000002A50000.00000040.00000040.sdmp, Offset: 02A50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a55dff4d389f1f104f9f80aeba9c044df649e281604cca7c70dbb0c6ac38c22
Instruction ID: 8d86c8b65779aa3ea4bfa7bf223672e28bea0a2a190c2099ec7f816cc3763027
Opcode Fuzzy Hash: 3a55dff4d389f1f104f9f80aeba9c044df649e281604cca7c70dbb0c6ac38c22
Instruction Fuzzy Hash: 7811D234204684EFE305CB24C580F27BBA1AB8C708F24C99CED490B642CB7BD803CA91

Uniqueness

Uniqueness Score: -1.00%

Function 0554074A, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.213268927.0000000005540000.00000040.00000001.sdmp, Offset: 05540000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72070994bb0c8a341239986c9b479b174b4b60c8abe11157b41ae9476d8cfe0c
Instruction ID: 5c4dba83e7cd9a1ac3322962de284e109c062d472518d5b81c4c077a93806528
Opcode Fuzzy Hash: 72070994bb0c8a341239986c9b479b174b4b60c8abe11157b41ae9476d8cfe0c
Instruction Fuzzy Hash: 51117C31815118DBDB04DBA5E84D6EFBBB6FF4A319F206425D605B7190DB30A4088FE6

Uniqueness

Uniqueness Score: -1.00%

Function 05540758, Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.213268927.0000000005540000.00000040.00000001.sdmp, Offset: 05540000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: baeccc88814788b2182a055e6ea584124ba59cb37a2c2cdbd32420599e26e4ba
Instruction ID: 70bc9cd72be276721d13f91b5447b16a10ea03ff9277abe1ad4302f3637912de
Opcode Fuzzy Hash: baeccc88814788b2182a055e6ea584124ba59cb37a2c2cdbd32420599e26e4ba
Instruction Fuzzy Hash: 98015E31D19118DBDB04DBA5E44CAEFBBBAFB4A315F206425D606B7190DB7054048FE6

Uniqueness

Uniqueness Score: -1.00%

Function 05540908, Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.213268927.0000000005540000.00000040.00000001.sdmp, Offset: 05540000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 039d8009084fca7155744d47591da51f481b25e2369ae28f2ccd0cd5f4c4f943
Instruction ID: b08c3a72fb49f4744bf54b1ef08774ff7ce98c736c59f10115450986d8226441
Opcode Fuzzy Hash: 039d8009084fca7155744d47591da51f481b25e2369ae28f2ccd0cd5f4c4f943
Instruction Fuzzy Hash: 5911C271C49308DBDB10EBA0D9097BDBBB9BB46204F2050AACD0567392DA316A00DE91

Uniqueness

Uniqueness Score: -1.00%

Function 00EAAAF5, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.209871923.0000000000EA2000.00000040.00000001.sdmp, Offset: 00EA2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7a390c1187eba3bb8d5bc903a5fab4dd4799797ba7161f390d3f4995023c41c
Instruction ID: 4d4c47dfbf32995e2e812638c997498d7197a3f15eddc7781371279993e3c5d6
Opcode Fuzzy Hash: d7a390c1187eba3bb8d5bc903a5fab4dd4799797ba7161f390d3f4995023c41c
Instruction Fuzzy Hash: 1711D7B5908301AFD350CF19D881A5BFBE4FB88664F14892EF998D7311D371E9048FA2

Uniqueness

Uniqueness Score: -1.00%

Function 00EAA104, Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.209871923.0000000000EA2000.00000040.00000001.sdmp, Offset: 00EA2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3f88dbe5181c82e97a4b7c1d3b588ed8aea3ee5feac9a829478a5151e703d9b
Instruction ID: 93afe57b3065c6e84cb85131624285e33da5d4835310a7d683be5f25c2af9257
Opcode Fuzzy Hash: b3f88dbe5181c82e97a4b7c1d3b588ed8aea3ee5feac9a829478a5151e703d9b
Instruction Fuzzy Hash: 1201B1B640D3C46FD7124B259C51AA2BF78DF43624F1884CBE9849F193D2566909C7B2

Uniqueness

Uniqueness Score: -1.00%

Function 02A28CBF, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.210075788.0000000002A20000.00000040.00000001.sdmp, Offset: 02A20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d250ea35881b5a3aa80350a0b108bb223dc4534371d2f87345e3974bc38c2db7
Instruction ID: 34f99a423c344f9d72d61463539fcd5dc5f181047f249bfc1667f86d7f915734
Opcode Fuzzy Hash: d250ea35881b5a3aa80350a0b108bb223dc4534371d2f87345e3974bc38c2db7
Instruction Fuzzy Hash: 3C111BB4D05209DFCB44CFA9C9456EEBBB2FF89300F10916AE915A3350DB385A05DF91

Uniqueness

Uniqueness Score: -1.00%

Function 02A505CF, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.210127043.0000000002A50000.00000040.00000040.sdmp, Offset: 02A50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea1c1b8f1ef3516696868ddc5505f828b820a6aeab7fe28f586270c3419c013a
Instruction ID: 6d67f415de92db486a8d6dd7920f317081f1fff21947f00bc3b8676b4ddb4596
Opcode Fuzzy Hash: ea1c1b8f1ef3516696868ddc5505f828b820a6aeab7fe28f586270c3419c013a
Instruction Fuzzy Hash: AD01D6B650D7806FD7128B16EC50862FFB8DE86220708C0DFED898B652D125A909CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 02A50870, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.210127043.0000000002A50000.00000040.00000040.sdmp, Offset: 02A50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c22cd07c301a022948fdcf57f9381c8d79f8386cce36683716c6e225c1bf7e3d
Instruction ID: eaab9a399bf76ef2fdf8f6a5f61c7c268add565f30cc2398f066864f8b552f44
Opcode Fuzzy Hash: c22cd07c301a022948fdcf57f9381c8d79f8386cce36683716c6e225c1bf7e3d
Instruction Fuzzy Hash: 5A113C35108684DFC716CB10C590B16BFA1EB8A718F28C6EEE9894B652C73B9812DB81

Uniqueness

Uniqueness Score: -1.00%

Function 055406CF, Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.213268927.0000000005540000.00000040.00000001.sdmp, Offset: 05540000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 345e1cce7c72e79be5fe9e64bf43bf9fec6852e8260f19462ae6a9f929be9f57
Instruction ID: ab4e84899da5cb163f4dfed7686a9189da75b8073e317bcb00f61feafd85f143
Opcode Fuzzy Hash: 345e1cce7c72e79be5fe9e64bf43bf9fec6852e8260f19462ae6a9f929be9f57
Instruction Fuzzy Hash: D9F0C270D09308EFC710EFA5D80D7AD7BB9FB46209F2440A9DD0A673A1EA719904DF92

Uniqueness

Uniqueness Score: -1.00%

Function 02A28DD0, Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.210075788.0000000002A20000.00000040.00000001.sdmp, Offset: 02A20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5e706db28ee758aa04c61fb101e56c8fefefc38132da222655c4bc6829faa5e
Instruction ID: 5a2549679a506d77e34062c84c4cc94b726ec4db1a7d018519f99db20edb7f4a
Opcode Fuzzy Hash: d5e706db28ee758aa04c61fb101e56c8fefefc38132da222655c4bc6829faa5e
Instruction Fuzzy Hash: D7011D70D04219DFDB14DFAAC9817AEBFB6EF89304F18C569E405A3250DB359988CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 05540FE0, Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.213268927.0000000005540000.00000040.00000001.sdmp, Offset: 05540000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddd709bf6b588b2eaae44aa6240130063ee29314d1bc460513b79a036df580ca
Instruction ID: 2264c9a94beee1967c8e264a8843f0ad69620204c1b74c0b9ce6a864d04a9b10
Opcode Fuzzy Hash: ddd709bf6b588b2eaae44aa6240130063ee29314d1bc460513b79a036df580ca
Instruction Fuzzy Hash: 7BF03C70809208EBC714DBA4D9456BDBB76FB46305F5045A9C80923350E736AA85DF91

Uniqueness

Uniqueness Score: -1.00%

Function 05540840, Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.213268927.0000000005540000.00000040.00000001.sdmp, Offset: 05540000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b17a1fa6cd77495078ea604239092c3159a6aa9d1b077bd1d83b61f2f4911543
Instruction ID: 8797b4d07e8d047599761dcc0d791c0f94bb7779a0bf5410bcc1d8837bd4c7e9
Opcode Fuzzy Hash: b17a1fa6cd77495078ea604239092c3159a6aa9d1b077bd1d83b61f2f4911543
Instruction Fuzzy Hash: 8AF02B30C05208DFCB04EBA5DA057ADBB74FB06704F6004A4C844273D0E7305A44CFC1

Uniqueness

Uniqueness Score: -1.00%

Function 05540880, Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.213268927.0000000005540000.00000040.00000001.sdmp, Offset: 05540000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6f68c024f65b6ddddf4a4b9d8de63b92d342960eb3098b1c50dead7315e74da
Instruction ID: da4ad035d2247566286a2d3ac6e19602855d9dd5420b07fc6af20537d38b5d8e
Opcode Fuzzy Hash: f6f68c024f65b6ddddf4a4b9d8de63b92d342960eb3098b1c50dead7315e74da
Instruction Fuzzy Hash: B3F06D71C05208EBC710DBA9D9457ADBBB5FB45304F208495884967790D7346A40DFD5

Uniqueness

Uniqueness Score: -1.00%

Function 0554137F, Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.213268927.0000000005540000.00000040.00000001.sdmp, Offset: 05540000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2eacd1ee4bcc727f3b32f7713d95a68272728803afe09c7936443cde3f351a7
Instruction ID: d6c5d18db70737dd5c117c16214512d5836ba98d3fbf92260772d392fe8d3027
Opcode Fuzzy Hash: c2eacd1ee4bcc727f3b32f7713d95a68272728803afe09c7936443cde3f351a7
Instruction Fuzzy Hash: 51012478C096089FCB05DFA5C4486ADBBF1FF4A304F10849AD80693351D6306A44DF52

Uniqueness

Uniqueness Score: -1.00%

Function 02A20908, Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.210075788.0000000002A20000.00000040.00000001.sdmp, Offset: 02A20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2815330da9bbfad5d64d7dc34359bc5a69bf6940d98f05a2f57ac9da52be3c9
Instruction ID: 6cb32df5c9a8f611fd9f87ee255e6cc439e738b954efa8303046470ebcc11239
Opcode Fuzzy Hash: e2815330da9bbfad5d64d7dc34359bc5a69bf6940d98f05a2f57ac9da52be3c9
Instruction Fuzzy Hash: 68F04930904288DFCB44DBB8C9A19ADBF71EF43604F1482A9D400772A1CB306E45DB55

Uniqueness

Uniqueness Score: -1.00%

Function 02A50938, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.210127043.0000000002A50000.00000040.00000040.sdmp, Offset: 02A50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 525cef522958239b2deb72ab7ac90410e2832b06fb356f1b7ca8807ee3c9392c
Instruction ID: aaa135968c5ed0a551ed1fbc90bcd20ccdc6ca654aa740a4432e1d1189cbd3e3
Opcode Fuzzy Hash: 525cef522958239b2deb72ab7ac90410e2832b06fb356f1b7ca8807ee3c9392c
Instruction Fuzzy Hash: 18F01D35104644DFC305DF40D580B16FBA2EB89718F24CAADED490B752C737D813DA81

Uniqueness

Uniqueness Score: -1.00%

Function 05541848, Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.213268927.0000000005540000.00000040.00000001.sdmp, Offset: 05540000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7204961c3e95f83246bd968fe6b54891dc3acb0e8d43808a2f4a79dd3145ceed
Instruction ID: d78af6d8ed4a96c31798ded08c162401a8fbdbcd5cbd7f3b793d1826f9120a5a
Opcode Fuzzy Hash: 7204961c3e95f83246bd968fe6b54891dc3acb0e8d43808a2f4a79dd3145ceed
Instruction Fuzzy Hash: EDF0ED3084930C9FCB08DFA0EE056EE7B71FB47341F2092A5C819A3251CB345A81CF51

Uniqueness

Uniqueness Score: -1.00%

Function 02A201D0, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.210075788.0000000002A20000.00000040.00000001.sdmp, Offset: 02A20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f35ece7f21c4a7a79f8c0578b1fe654a846c7456ba4715db26cd33c19ef9a57c
Instruction ID: d13b0a835b3ef4af2f031142d4983b2d654256ace97cb457d927e2d5f3f65619
Opcode Fuzzy Hash: f35ece7f21c4a7a79f8c0578b1fe654a846c7456ba4715db26cd33c19ef9a57c
Instruction Fuzzy Hash: AFF0A034D09388CFCF05CFB9D44069CBFB0EF66300F1481A9C804A3251C6751A48CB11

Uniqueness

Uniqueness Score: -1.00%

Function 02A505F6, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.210127043.0000000002A50000.00000040.00000040.sdmp, Offset: 02A50000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97ac7904344f46cb8e9dbeabfb0e9efe8868affa6fb500b796fc8daa54a83793
Instruction ID: dd5924bbaa6a17d70baed7a6fc8dec64e32a2af54f4ed8862546297b5e76d1ae
Opcode Fuzzy Hash: 97ac7904344f46cb8e9dbeabfb0e9efe8868affa6fb500b796fc8daa54a83793
Instruction Fuzzy Hash: 6BE092B66046008BD650CF0BEC81452F7D8EB88630B18C07FDD0D8B700E135B904CEA5

Uniqueness

Uniqueness Score: -1.00%

Function 05542C18, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.213268927.0000000005540000.00000040.00000001.sdmp, Offset: 05540000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 900e3c86c689b9892d79ad5ea607c850bba03943e8dcf7d440b5dc5c55099153
Instruction ID: 36bc692c58cd7ca5e5b4ffbe2e5dea35daf5f191ff63bc7c8224e2bdcd20951b
Opcode Fuzzy Hash: 900e3c86c689b9892d79ad5ea607c850bba03943e8dcf7d440b5dc5c55099153
Instruction Fuzzy Hash: AFF03034804218AFC704DB94C9517ADBBB5FB4D304F14C0AAD84557351EA359A42EF95

Uniqueness

Uniqueness Score: -1.00%

Function 05542D08, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.213268927.0000000005540000.00000040.00000001.sdmp, Offset: 05540000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7704b274aa5638a7e60f8294b0416ae6c7acd577fde1ccdccabbe9d3dea7d68
Instruction ID: dfff2d7b0c64515140f811bd1af71a34a829b25fe1f2d8aff2844a71d60a84b9
Opcode Fuzzy Hash: d7704b274aa5638a7e60f8294b0416ae6c7acd577fde1ccdccabbe9d3dea7d68
Instruction Fuzzy Hash: B4F0A934C04208AFCB00DF98C8517ADFBB5FB48304F10C0AAE89462342D6329A02EF80

Uniqueness

Uniqueness Score: -1.00%

Function 02A289F0, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.210075788.0000000002A20000.00000040.00000001.sdmp, Offset: 02A20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3626fe5e9966129a6c6d80caf6baec274b850b1048d36db280f748ce875c27a
Instruction ID: 48534ee7b53a228e28ec595e6d2ab8164f2acc63d0d8673d94233a404983c11f
Opcode Fuzzy Hash: f3626fe5e9966129a6c6d80caf6baec274b850b1048d36db280f748ce875c27a
Instruction Fuzzy Hash: E1F03030C08348DFC701DF68C55479DBFB4EF46204F1680E6D848A7352DA35A918DF95

Uniqueness

Uniqueness Score: -1.00%

Function 00EAA8E7, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.209871923.0000000000EA2000.00000040.00000001.sdmp, Offset: 00EA2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 875d3c6c81a26cbe8e0ed974d0f4574c1eb28eb3e448fbee050f8690317d8a45
Instruction ID: 69ea3bb4fb1737502aca1b36ab3c9846b006551a22a44caf41f58623f4846b75
Opcode Fuzzy Hash: 875d3c6c81a26cbe8e0ed974d0f4574c1eb28eb3e448fbee050f8690317d8a45
Instruction Fuzzy Hash: 37E0D8B254030067D2208F069C82F63FB58EB64A31F14C56BEE091B741E1B1B6048AE1

Uniqueness

Uniqueness Score: -1.00%

Function 00EAA68F, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.209871923.0000000000EA2000.00000040.00000001.sdmp, Offset: 00EA2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a11d43e1baff907adc37afec9b0c2a0889497ff3352e1db1077d68e49d148be
Instruction ID: 035a05eeee50b21edfb6595d4c1d42a146fec04a40ad5b9fa0532b2403339dbb
Opcode Fuzzy Hash: 8a11d43e1baff907adc37afec9b0c2a0889497ff3352e1db1077d68e49d148be
Instruction Fuzzy Hash: 74E0D8B254130067D2208F0A9C86F53FB58EB94A30F14C45BEE0D1B741E1B1B5048AE5

Uniqueness

Uniqueness Score: -1.00%

Function 00EAA7BB, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.209871923.0000000000EA2000.00000040.00000001.sdmp, Offset: 00EA2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f523bbafddb8dbed645c5bbcb9b64cf02aafffc9c03ea31b4cafd75bc91bd36d
Instruction ID: 34d1373897ab79447b3df3e5223c306dfae22431cf6ffec3c1f7ac19885320a8
Opcode Fuzzy Hash: f523bbafddb8dbed645c5bbcb9b64cf02aafffc9c03ea31b4cafd75bc91bd36d
Instruction Fuzzy Hash: 34E0D8B254030067D2209F069C86F53FB58EB54A30F14C45BEE0D5B741E1B1B5048AE1

Uniqueness

Uniqueness Score: -1.00%

Function 00EAA567, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.209871923.0000000000EA2000.00000040.00000001.sdmp, Offset: 00EA2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1af5c8a84382a383c40a7f0c5adaf23c0bbbd0641866aa0c1ba7c9cab9c64ef
Instruction ID: a951edc6b893994c987b6b5e6e50192fbe7edab3de542d9bc8fab7e3aa61ae00
Opcode Fuzzy Hash: b1af5c8a84382a383c40a7f0c5adaf23c0bbbd0641866aa0c1ba7c9cab9c64ef
Instruction Fuzzy Hash: 20E020B154030067D6208F06DC82B53FB5CEB44A30F54C457EE0D1B741E1B5B5048AE1

Uniqueness

Uniqueness Score: -1.00%

Function 00EAA34F, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.209871923.0000000000EA2000.00000040.00000001.sdmp, Offset: 00EA2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4d0a55faced4477be401dd318bd2bf842e8fc9c47cf92bcb4d46fc7fe467b9a
Instruction ID: 1c3d4109229197d3d0adfe1def62dc299654821e43640570a5af2b5b7e25205b
Opcode Fuzzy Hash: a4d0a55faced4477be401dd318bd2bf842e8fc9c47cf92bcb4d46fc7fe467b9a
Instruction Fuzzy Hash: ECE020B154030067D6209F06DC82B53FF5CEB44A30F58C457EE0D5B741E1B5B5048AE1

Uniqueness

Uniqueness Score: -1.00%

Function 00EAAB57, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.209871923.0000000000EA2000.00000040.00000001.sdmp, Offset: 00EA2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fae7c702413cea9be28e252fc8a05be5be7728e12da88743bf0a92ba3cfab3f8
Instruction ID: ed07448c372fe67c702f80bd0b52c4de55edd25aba5e7ab970cd8c78a2be4c24
Opcode Fuzzy Hash: fae7c702413cea9be28e252fc8a05be5be7728e12da88743bf0a92ba3cfab3f8
Instruction Fuzzy Hash: 2CE0D8B25407046BD6208E06DC82B53FB58EB84A30F14C457EE095B741E1B1B5148AE5

Uniqueness

Uniqueness Score: -1.00%

Function 00EAA138, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.209871923.0000000000EA2000.00000040.00000001.sdmp, Offset: 00EA2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e870a070207a7e97c8f43732a4a1bee438cd482189f024cc5eadbddca155fc91
Instruction ID: 183a0546f0ab7a6d2ea252e54bd608015cb5e8f67787c6108ebb04735167a62a
Opcode Fuzzy Hash: e870a070207a7e97c8f43732a4a1bee438cd482189f024cc5eadbddca155fc91
Instruction Fuzzy Hash: 11E020B2540304ABD6208F06DC82B53FB5CEB44A30F54C457EE0D1B741E1B5B5048AE1

Uniqueness

Uniqueness Score: -1.00%

Function 05542C72, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.213268927.0000000005540000.00000040.00000001.sdmp, Offset: 05540000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6574015e3870f060cc5b8f8c9ba9247fe4827d8c37acea7fe7f876d0b8b324b9
Instruction ID: 962ea31b90153adbbfb3638b3db56134f230f60e9ec06875a506f38042b4de44
Opcode Fuzzy Hash: 6574015e3870f060cc5b8f8c9ba9247fe4827d8c37acea7fe7f876d0b8b324b9
Instruction Fuzzy Hash: 19F01539904208FFCB00DF98D941AADBBB6FB48304F14C499EC4967351D732AA21EF91

Uniqueness

Uniqueness Score: -1.00%

Function 05542C78, Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.213268927.0000000005540000.00000040.00000001.sdmp, Offset: 05540000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbd162c40db9ac2aa88f0054c74cb94348ae0bce39075c431676e4665d0ac55c
Instruction ID: 1c702e9645a66a1825d0ea2e23a2e27a90fb28bc5e96d520db38c64c61e86121
Opcode Fuzzy Hash: cbd162c40db9ac2aa88f0054c74cb94348ae0bce39075c431676e4665d0ac55c
Instruction Fuzzy Hash: 35F01538904208FFCB00DF94D940AADBBB6FB48300F10C499EC0967351C732AA21EF81

Uniqueness

Uniqueness Score: -1.00%

Function 02A28C4F, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.210075788.0000000002A20000.00000040.00000001.sdmp, Offset: 02A20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22d82a28ca1f0f646baa242ff9e6dccff0dbf8389874551d86e9f89f5bfadbbc
Instruction ID: 29ff2dc067b1475ae335daa1eb2dfa4cf747565cdeb6dfdca64c20ae6615b27c
Opcode Fuzzy Hash: 22d82a28ca1f0f646baa242ff9e6dccff0dbf8389874551d86e9f89f5bfadbbc
Instruction Fuzzy Hash: 51E04F71C46208DBCB00DFA8D95A3D97BB8DB15601F5015A4D84462240EB385A44DAA1

Uniqueness

Uniqueness Score: -1.00%

Function 05541757, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.213268927.0000000005540000.00000040.00000001.sdmp, Offset: 05540000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66389f0920eb4f2e8958438a4659cf8f42ec8ec6f06517a91043da0a2f52cc87
Instruction ID: 07a9479ecdd0a586070bc1194c5e576fbefc519da846e097ba5fab5873041894
Opcode Fuzzy Hash: 66389f0920eb4f2e8958438a4659cf8f42ec8ec6f06517a91043da0a2f52cc87
Instruction Fuzzy Hash: 2EE092308447489FCB10EF64D90569A7BB5FB42205F0185A9C89557291DB706A45CF52

Uniqueness

Uniqueness Score: -1.00%

Function 05541858, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.213268927.0000000005540000.00000040.00000001.sdmp, Offset: 05540000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 766952a0a2b05fac44210706528bf6591428e2ff482c0a0e190d5c00354b2a60
Instruction ID: 06fcb285e22031d8a4732febf3377a422b31e2a86a89821bbb963ee95f516478
Opcode Fuzzy Hash: 766952a0a2b05fac44210706528bf6591428e2ff482c0a0e190d5c00354b2a60
Instruction Fuzzy Hash: 1FE04F30D05308EFC708EFA5E9455ADBBB5FB8A311F2092A9D80973354DB306A81CF95

Uniqueness

Uniqueness Score: -1.00%

Function 05541D64, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.213268927.0000000005540000.00000040.00000001.sdmp, Offset: 05540000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd1c6a6be840cc5c905f2ec75f1a6ea03fa5687f8a5b829dd9c4ac320434fe12
Instruction ID: e71756e7202a6be0737dca9042a7c87b29555525deb8f1803b2d599ca5608625
Opcode Fuzzy Hash: dd1c6a6be840cc5c905f2ec75f1a6ea03fa5687f8a5b829dd9c4ac320434fe12
Instruction Fuzzy Hash: D1F01C34A012689FCBA4DF24C9807ECB7B2AB86314F2051D9801977295CF345EC2DF51

Uniqueness

Uniqueness Score: -1.00%

Function 05541808, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.213268927.0000000005540000.00000040.00000001.sdmp, Offset: 05540000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8288a1ff70ccada035bef9cd3947d61df454b45b96fef374280fd00b6a025e2
Instruction ID: b79585f8bcf83c5f08fd3dea685b1afd2533cc621b7cdd62ad1ab026123970c3
Opcode Fuzzy Hash: c8288a1ff70ccada035bef9cd3947d61df454b45b96fef374280fd00b6a025e2
Instruction Fuzzy Hash: 48E0DF3085A3888BC329DB60CA026EA3B31EB07209F148A9DCC494224287322A46CE41

Uniqueness

Uniqueness Score: -1.00%

Function 05540950, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.213268927.0000000005540000.00000040.00000001.sdmp, Offset: 05540000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9829a8cd2adc6af63994b17648467ce64acc853703d78bd2325495f7fca472c6
Instruction ID: 2a54233050cd043f6206983210fce329096a7687aed45f12ae96a61b480c4a6b
Opcode Fuzzy Hash: 9829a8cd2adc6af63994b17648467ce64acc853703d78bd2325495f7fca472c6
Instruction Fuzzy Hash: 98E0263184820CDBC700EB64D8013BDBFB4AB02205F6410EAC94067291E5355A01DFE0

Uniqueness

Uniqueness Score: -1.00%

Function 055417CF, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.213268927.0000000005540000.00000040.00000001.sdmp, Offset: 05540000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36f73cce67b358749861da14641b40bcd1bd15350848fac6b99c05ec7e467777
Instruction ID: c28b253cfdeca8f1136c1166d8f91337620d2f6ccc1aa7370d3977f4309d5bca
Opcode Fuzzy Hash: 36f73cce67b358749861da14641b40bcd1bd15350848fac6b99c05ec7e467777
Instruction Fuzzy Hash: F7E08C7044A7888BC31297609A817AB7BA0AF03504F148DDEC899532D2CA359A49DF16

Uniqueness

Uniqueness Score: -1.00%

Function 05540710, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.213268927.0000000005540000.00000040.00000001.sdmp, Offset: 05540000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d702d4997f63c34721e94075726e3feda5084a8d3082e04876af00278c49de8a
Instruction ID: b42a473917c0b30e34385360004fd833d9edc12fc34862527446023cb6d99372
Opcode Fuzzy Hash: d702d4997f63c34721e94075726e3feda5084a8d3082e04876af00278c49de8a
Instruction Fuzzy Hash: 20E02B71405308ABD710D765CC0D7AB776CF703605F641058DD0592251EB356A00DED6

Uniqueness

Uniqueness Score: -1.00%

Function 05542D18, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.213268927.0000000005540000.00000040.00000001.sdmp, Offset: 05540000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f2dd9a1a8fcb175dd2f3fd6e9d0b15ed4722f2ed41b303d10b17098391d7bda
Instruction ID: 65c1e0e6631dfb97766cfd1e5e823f8cd806f7f2c4aae6259aa951246fab02df
Opcode Fuzzy Hash: 4f2dd9a1a8fcb175dd2f3fd6e9d0b15ed4722f2ed41b303d10b17098391d7bda
Instruction Fuzzy Hash: 70E01A78D04208EFCB04DF95D5446ACFBB5FB99304F20C4AAEC4463341DA36AA52DF91

Uniqueness

Uniqueness Score: -1.00%

Function 0554263E, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.213268927.0000000005540000.00000040.00000001.sdmp, Offset: 05540000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 384583892bc4d8fa150eb9633f9bca7e5b90c5eef06c0c5ffe1b077874755ce1
Instruction ID: a79d4fd7e4f3941b05d75556fc5fee3eeb72f75feac8810c4ace22b4e60115f3
Opcode Fuzzy Hash: 384583892bc4d8fa150eb9633f9bca7e5b90c5eef06c0c5ffe1b077874755ce1
Instruction Fuzzy Hash: B6F015349002689FCB64DF24CA80BEDBBB2AB85320F2041D9801977295CB355E82DF10

Uniqueness

Uniqueness Score: -1.00%

Function 05542C28, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.213268927.0000000005540000.00000040.00000001.sdmp, Offset: 05540000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f2dd9a1a8fcb175dd2f3fd6e9d0b15ed4722f2ed41b303d10b17098391d7bda
Instruction ID: 954a78df3560b30d3e527da9cd824e71ecab6b7e38cddbb754240ed7be04376d
Opcode Fuzzy Hash: 4f2dd9a1a8fcb175dd2f3fd6e9d0b15ed4722f2ed41b303d10b17098391d7bda
Instruction Fuzzy Hash: 7FE01A78D04208EFCB04DF95D5416ADFBB5FB99304F10C0AAEC4563351DA36AA51EF91

Uniqueness

Uniqueness Score: -1.00%

Function 0554168F, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.213268927.0000000005540000.00000040.00000001.sdmp, Offset: 05540000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c86a30d2d4bee4d410ed2cd8e7a88d0323c37d8f7b875ae57a1c77115f6c822
Instruction ID: fb82fbc8b5cc27ae924e6c3997c22bbe14468be9061ef2bef71ab10cbfbada98
Opcode Fuzzy Hash: 7c86a30d2d4bee4d410ed2cd8e7a88d0323c37d8f7b875ae57a1c77115f6c822
Instruction Fuzzy Hash: 00E026304093849FC301EB64D40979A7FF9EB03204F05C8AEC80983612D570AA44DF52

Uniqueness

Uniqueness Score: -1.00%

Function 02A2E2F0, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.210075788.0000000002A20000.00000040.00000001.sdmp, Offset: 02A20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ed0de94269642709738709da452291b3f51f4cd51e073927fa24cdfe181c02a
Instruction ID: a44f0e77ec29ffbe97e319750f85e31b40062b21b774e0a0be63fde27afa165a
Opcode Fuzzy Hash: 7ed0de94269642709738709da452291b3f51f4cd51e073927fa24cdfe181c02a
Instruction Fuzzy Hash: BBE04674C05208EFCB14DFA8E6486ACBBB5EB49311F1081A9EC0463340CB316A98DF91

Uniqueness

Uniqueness Score: -1.00%

Function 05542D98, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.213268927.0000000005540000.00000040.00000001.sdmp, Offset: 05540000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea43131e30261d5b1737112f33287c96deae5a663410199e87e2acf993d829d0
Instruction ID: 801628f66f2e9d33258c57192c5e9e4aee69bfeb302cf0aa6088ef7f34f3d5dd
Opcode Fuzzy Hash: ea43131e30261d5b1737112f33287c96deae5a663410199e87e2acf993d829d0
Instruction Fuzzy Hash: 75D022340466308BC300A604AC7E3F7BB18EB0B60CF852800A04D81153CAA2E400CCE9

Uniqueness

Uniqueness Score: -1.00%

Function 02A28A00, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.210075788.0000000002A20000.00000040.00000001.sdmp, Offset: 02A20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17b6efe501c6705507ab147f330a209cee99519926d105dd50cf4bfeb5f23cde
Instruction ID: a0bf2d6c25985eb8ae6d4e21c9b64118b3f8a3d09cdf02899dd31818d6c2d91b
Opcode Fuzzy Hash: 17b6efe501c6705507ab147f330a209cee99519926d105dd50cf4bfeb5f23cde
Instruction Fuzzy Hash: C7E0B674D04208EFCB04DFA9D544AACBBF4EB49304F1081E9E80967351DA356A58DF91

Uniqueness

Uniqueness Score: -1.00%

Function 02A2E260, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.210075788.0000000002A20000.00000040.00000001.sdmp, Offset: 02A20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a87663a948bb8ebd42a437e2eeae95840821fd9ef8105147548b094af4d18dba
Instruction ID: 0389666a7b688b84ffbee85347ce5b8c5f78e157c5213a5cdcfe7e99599cb823
Opcode Fuzzy Hash: a87663a948bb8ebd42a437e2eeae95840821fd9ef8105147548b094af4d18dba
Instruction Fuzzy Hash: 80E08CB0D05208EFCF04DFA8E5446ACBBB4EB4A310F1081A8D80563340CB302A44DF91

Uniqueness

Uniqueness Score: -1.00%

Function 02A2EF88, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.210075788.0000000002A20000.00000040.00000001.sdmp, Offset: 02A20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81ce2bd8757f9c0c4a27cf4fb93de2945769bdb901acea4616805ae1268961f3
Instruction ID: a818d93b28940535143d20e345fc392290e5dede34b753a59a7a823a4bd593b7
Opcode Fuzzy Hash: 81ce2bd8757f9c0c4a27cf4fb93de2945769bdb901acea4616805ae1268961f3
Instruction Fuzzy Hash: 51E0EC74D06208EFDB18DFA9E5456ADBBB8EB89301F2081AADC0863340DB706A54DF95

Uniqueness

Uniqueness Score: -1.00%

Function 02A22F42, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.210075788.0000000002A20000.00000040.00000001.sdmp, Offset: 02A20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3c9c598d82ec1e98f9ce67f42b64b67c0331788edfc42840e505e12777869f4
Instruction ID: 5428cc2ddda1c44467399af889f09114fa73bea75cdb86a0583082b530dfc117
Opcode Fuzzy Hash: d3c9c598d82ec1e98f9ce67f42b64b67c0331788edfc42840e505e12777869f4
Instruction Fuzzy Hash: A0E01234855318DBC704DBA8D9557ADBB74EB06615F1011A99C0463341DF706954DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02A2E070, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.210075788.0000000002A20000.00000040.00000001.sdmp, Offset: 02A20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17b6efe501c6705507ab147f330a209cee99519926d105dd50cf4bfeb5f23cde
Instruction ID: 010052caa9156671e19f830bdf96a119ba41c6d91253d9a99df4a8bdf79442bc
Opcode Fuzzy Hash: 17b6efe501c6705507ab147f330a209cee99519926d105dd50cf4bfeb5f23cde
Instruction Fuzzy Hash: 21E0B674D48208EFCB04DFA9D644AACBBF9EB49304F1081E9DC0867751DA316A49DF81

Uniqueness

Uniqueness Score: -1.00%

Function 02A2E190, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.210075788.0000000002A20000.00000040.00000001.sdmp, Offset: 02A20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91c4027c36df30b2ffbec0a22b58235d55316f5034f6761216160b3c98955db1
Instruction ID: 76fcc2561de5271e76ce246de261d78e0a31f59e3c7adf83f57049f8f2cf2d9b
Opcode Fuzzy Hash: 91c4027c36df30b2ffbec0a22b58235d55316f5034f6761216160b3c98955db1
Instruction Fuzzy Hash: 92E0EC74D0521CEFDB18EFA9D5456ADBBB5EB89304F1081A9D80863340DB306A98DF95

Uniqueness

Uniqueness Score: -1.00%

Function 02A20070, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.210075788.0000000002A20000.00000040.00000001.sdmp, Offset: 02A20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 074491aab07631105d0c6cc5bcb08f19c5d5033eeaa9d92845c7a2b25e493647
Instruction ID: 3a4d538c384027644fe6e86897bcaa2fc98205d6e206a582e4944e47ac87093a
Opcode Fuzzy Hash: 074491aab07631105d0c6cc5bcb08f19c5d5033eeaa9d92845c7a2b25e493647
Instruction Fuzzy Hash: B9E08C70801308DFC704EFB8E80865DBBB0AB0A201F1045A9C80562250DB326A58DE92

Uniqueness

Uniqueness Score: -1.00%

Function 02A21090, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.210075788.0000000002A20000.00000040.00000001.sdmp, Offset: 02A20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9039b845d5fa9c862014e801667eee7edb03cc5bec072451a71ad511c13e42e
Instruction ID: 866faaadaa39640f952c907fd31e14c7572fee3ad97e011bfd7cbbc80cff9590
Opcode Fuzzy Hash: e9039b845d5fa9c862014e801667eee7edb03cc5bec072451a71ad511c13e42e
Instruction Fuzzy Hash: E2D05E3090E258DFC700EBAADC0466D77ACF70A209F2045A9990C63211DAB17A08CE91

Uniqueness

Uniqueness Score: -1.00%

Function 02A28C60, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.210075788.0000000002A20000.00000040.00000001.sdmp, Offset: 02A20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6e74d173f676e59f37370086bf1efb9bb65072dc6ed715dd67fcc648098e0d1
Instruction ID: 8f4cfad63d234a9f3fc13514b16e7e431b84f881423072a6713e96fe5c2a4386
Opcode Fuzzy Hash: c6e74d173f676e59f37370086bf1efb9bb65072dc6ed715dd67fcc648098e0d1
Instruction Fuzzy Hash: 4DD05E70C4730CDFCB14EFA8E9456ACBFB8AB06211F1011A8E84863350DF786A58DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02A2EDE0, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.210075788.0000000002A20000.00000040.00000001.sdmp, Offset: 02A20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f118e2cc83af9a4d2637376d8ed2a65221b33850a67dc49bb1420b965fe6b1b8
Instruction ID: 5c9cfd3001c2067fccac07923ccf10d9c7f632828e43c6b6f9f1b3a3e6340e13
Opcode Fuzzy Hash: f118e2cc83af9a4d2637376d8ed2a65221b33850a67dc49bb1420b965fe6b1b8
Instruction Fuzzy Hash: D8D05E30C15318DFCB04EFA8EA457ACBB78EB0A201F1041A8D80563350DF706A88CF91

Uniqueness

Uniqueness Score: -1.00%

Function 02A2E110, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.210075788.0000000002A20000.00000040.00000001.sdmp, Offset: 02A20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ff2decea8ed0012330f5fd8d9e416a629b25f06c58f99cf50b23cd1a46d72af
Instruction ID: 3c5b6617000d6920e0d5acf101aadfb643ddf0f6bf560d6ea5f143c75dafce64
Opcode Fuzzy Hash: 7ff2decea8ed0012330f5fd8d9e416a629b25f06c58f99cf50b23cd1a46d72af
Instruction Fuzzy Hash: 03D05B34C05328DFC704DFA8DA456AD7B749B06201F1011A5D80463350DF307948CF51

Uniqueness

Uniqueness Score: -1.00%

Function 00E923F4, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.209862381.0000000000E92000.00000040.00000001.sdmp, Offset: 00E92000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6dfbb122a4d2f57fe93c526814b4775c5833701fd9de642b83efbb820132914d
Instruction ID: 9631ba09f44a825814ad4db094885c90551505160bcedcb1cda581f2a1a53340
Opcode Fuzzy Hash: 6dfbb122a4d2f57fe93c526814b4775c5833701fd9de642b83efbb820132914d
Instruction Fuzzy Hash: DCD05E79215A819FDB268A1CC1A8B953B94AB61B08F4644FDE8008B663C368D981E200

Uniqueness

Uniqueness Score: -1.00%

Function 00E923BC, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.209862381.0000000000E92000.00000040.00000001.sdmp, Offset: 00E92000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09cb1d9f5b63d5401b3a8db7d5d80629f5174c5678d86e72d510ef8e3b2c3369
Instruction ID: 2d88b9464a9a91b4e5e0ed20751a37530cd73a68dadad2ffc3fb850da7822ca9
Opcode Fuzzy Hash: 09cb1d9f5b63d5401b3a8db7d5d80629f5174c5678d86e72d510ef8e3b2c3369
Instruction Fuzzy Hash: CAD05E342002828BCF15DB0CC594F5937D4AB41B04F0654ECAD008B662C3A8DC81C600

Uniqueness

Uniqueness Score: -1.00%

Function 02A2B765, Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.210075788.0000000002A20000.00000040.00000001.sdmp, Offset: 02A20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0879cf962f942da0c0ba62d85f993fc3ab19a660025bcff13e9d639001f1d42f
Instruction ID: 581f591c9590038f27331d76b7bc63130327bdf4ee23e16ea3357d644816e634
Opcode Fuzzy Hash: 0879cf962f942da0c0ba62d85f993fc3ab19a660025bcff13e9d639001f1d42f
Instruction Fuzzy Hash: 90E00978E16228CFDB29CF28D851AD9BBB1BB5A354F0055D5E59EA3300DB706E80CF51

Uniqueness

Uniqueness Score: -1.00%

Function 05542DA8, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.213268927.0000000005540000.00000040.00000001.sdmp, Offset: 05540000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66ea4ec9d4678116cb6b329b2d7a6cde0b265a08c38a17b3d9e1b0a27019460c
Instruction ID: 77838e5d8fc890507ec81d2a5beea3a0de93819d4479e22a6013a2c19015316a
Opcode Fuzzy Hash: 66ea4ec9d4678116cb6b329b2d7a6cde0b265a08c38a17b3d9e1b0a27019460c
Instruction Fuzzy Hash: D9C02B3404A3248BC3142741651C3F53B5CB707309F002C00740D400238EB0E000CDB5

Uniqueness

Uniqueness Score: -1.00%

Function 02A29E66, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.210075788.0000000002A20000.00000040.00000001.sdmp, Offset: 02A20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93660ffe59aacea98c08e37e50f5ccadd23e2c81eae7df18fd56ff7c5ccd9a7b
Instruction ID: 4f509285d1eb04175486fb271cb8e27bc9e9f116d91b83ee3a0fa1581540de7a
Opcode Fuzzy Hash: 93660ffe59aacea98c08e37e50f5ccadd23e2c81eae7df18fd56ff7c5ccd9a7b
Instruction Fuzzy Hash: 59E0487082A2288BDB6A9F24CDD4798BAB9BB08611F0010C9E40E62260CB711F84DF00

Uniqueness

Uniqueness Score: -1.00%

Function 02A2B82D, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.210075788.0000000002A20000.00000040.00000001.sdmp, Offset: 02A20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4658a4756099298843e585b9635c4fe1b3970b3b54b895db1e8ba2967189d2cf
Instruction ID: bef8f3201b1ed47686a1d56e632701b3f89795a8d0aaad241d02d895b3c92654
Opcode Fuzzy Hash: 4658a4756099298843e585b9635c4fe1b3970b3b54b895db1e8ba2967189d2cf
Instruction Fuzzy Hash: E8D0BC74D15229DBCB65CF24D845BD8BBB5BB49755F0018D6E80EB2241DB715E84CE20

Uniqueness

Uniqueness Score: -1.00%

Function 02A2B83E, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.210075788.0000000002A20000.00000040.00000001.sdmp, Offset: 02A20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a72b0c18aaccaadb0a58b0934cc6e983e82f21de1d372554a13f32c4f1118db9
Instruction ID: 955f256960bedc6d690ad3103f80832f4e9c986bc7817fa145ca68c6379fd187
Opcode Fuzzy Hash: a72b0c18aaccaadb0a58b0934cc6e983e82f21de1d372554a13f32c4f1118db9
Instruction Fuzzy Hash: D3D0BC74924129DFCB65CF25D8556D8BBB4AB09355F0064DBAC0EB6210DA705E84CF10

Uniqueness

Uniqueness Score: -1.00%

Function 02A21D02, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.210075788.0000000002A20000.00000040.00000001.sdmp, Offset: 02A20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d1cb0b367ceec2789839d664ae913610014a98575a7a9e58d41a76c816f5c71
Instruction ID: 91fc4b10f76a491f669bfc1f07434b42118de647fcce689022be468da8e4b004
Opcode Fuzzy Hash: 6d1cb0b367ceec2789839d664ae913610014a98575a7a9e58d41a76c816f5c71
Instruction Fuzzy Hash: A7D0C9B08042288ADB50CF688805799BBB96B19200F001099810CE3202D73019458F11

Uniqueness

Uniqueness Score: -1.00%

Function 02A21203, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.210075788.0000000002A20000.00000040.00000001.sdmp, Offset: 02A20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa556cb96130e31daad34ccc9cb6bc2ecc37488ae2793d3876f45f8d699e22a7
Instruction ID: 0f7da0c07fed40bb7c0b56b6644d1be7ee0cfa2e238ae448c267d09822db2f9c
Opcode Fuzzy Hash: aa556cb96130e31daad34ccc9cb6bc2ecc37488ae2793d3876f45f8d699e22a7
Instruction Fuzzy Hash: CEC09B7154F120D5C700CA48DD546BC66799B4B705F592454504D57707C534510CDB05

Uniqueness

Uniqueness Score: -1.00%

Function 02A27D84, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.210075788.0000000002A20000.00000040.00000001.sdmp, Offset: 02A20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3900f28dc0cc87638dc910d5ce050f91c6473f64869acef08b564efbb0861245
Instruction ID: d967f9082f68a18e38329b3abeb741e533f4f499342e2c5d7466a34e72896ace
Opcode Fuzzy Hash: 3900f28dc0cc87638dc910d5ce050f91c6473f64869acef08b564efbb0861245
Instruction Fuzzy Hash: 71D0C978D15228DBCB25CF24C885689BB74BB08210F0081D4D41963200DB311F81CE04

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 02A22F77, Relevance: 5.1, Strings: 4, Instructions: 141COMMON

Download Yara Rule

Strings

`5kr, xrefs: 02A23182
:@Dr, xrefs: 02A230A9
>_Ir, xrefs: 02A230C6
f]Ir, xrefs: 02A22FDD

Memory Dump Source

Source File: 00000000.00000002.210075788.0000000002A20000.00000040.00000001.sdmp, Offset: 02A20000, based on PE: false

Similarity

API ID:
String ID: :@Dr$>_Ir$`5kr$f]Ir
API String ID: 0-3492759196
Opcode ID: 6e239a6e3c7579eea0c00ba2e58e613abdd4c0b7afe147ded2432829b033cd8d
Instruction ID: 70f2408a56a49e6217592cd688f00b6aac7dd364b6bbf8fc5851f3e8d0002b6b
Opcode Fuzzy Hash: 6e239a6e3c7579eea0c00ba2e58e613abdd4c0b7afe147ded2432829b033cd8d
Instruction Fuzzy Hash: 0A513D70A016588FDB44EF6ED94579EBBF2FFCA304F14916AD508B7268DF7028098B52

Uniqueness

Uniqueness Score: -1.00%

Function 02A22F88, Relevance: 5.1, Strings: 4, Instructions: 137COMMON

Download Yara Rule

Strings

`5kr, xrefs: 02A23182
:@Dr, xrefs: 02A230A9
>_Ir, xrefs: 02A230C6
f]Ir, xrefs: 02A22FDD

Memory Dump Source

Source File: 00000000.00000002.210075788.0000000002A20000.00000040.00000001.sdmp, Offset: 02A20000, based on PE: false

Similarity

API ID:
String ID: :@Dr$>_Ir$`5kr$f]Ir
API String ID: 0-3492759196
Opcode ID: 3fadb262440444c08b417f8688e78661ea97107bc6fd503b04c426ba86585257
Instruction ID: 39a34b176e7a9c68543a9fd82425cc1d37069ee0ac086abc2e3e52f0e77209de
Opcode Fuzzy Hash: 3fadb262440444c08b417f8688e78661ea97107bc6fd503b04c426ba86585257
Instruction Fuzzy Hash: E1514E70A016198FDB44EF6FD94579EBBF2FBCA304F14912AD508B7264DF70280A8B52

Uniqueness

Uniqueness Score: -1.00%

Function 00723AED, Relevance: 4.1, Strings: 1, Instructions: 2868COMMON

Download Yara Rule

Strings

1, xrefs: 00724359

Memory Dump Source

Source File: 00000000.00000002.209336023.0000000000722000.00000002.00020000.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.209312746.0000000000720000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.209417562.00000000007B4000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: 1
API String ID: 0-2212294583
Opcode ID: 1c85e7c52363bc03a5bf40f4a977fa3bca5cf2fe265f17a60ef688e8de267a1c
Instruction ID: ba1480f3fc639a04825d8aef377150788e65c76b8d54978c84ca688a7b0514f1
Opcode Fuzzy Hash: 1c85e7c52363bc03a5bf40f4a977fa3bca5cf2fe265f17a60ef688e8de267a1c
Instruction Fuzzy Hash: 8733266240E3C19FCB138BB89CB56D17FB1AE5721471E49D7D4C0CF0A3E228695ADB62

Uniqueness

Uniqueness Score: -1.00%

Function 02A2E598, Relevance: 2.9, Strings: 2, Instructions: 413COMMON

Download Yara Rule

Strings

, xrefs: 02A2E6B0
f]Ir, xrefs: 02A2E713

Memory Dump Source

Source File: 00000000.00000002.210075788.0000000002A20000.00000040.00000001.sdmp, Offset: 02A20000, based on PE: false

Similarity

API ID:
String ID: $f]Ir
API String ID: 0-1740037169
Opcode ID: ff08b9a56292a24d06bffb7709bfcbd841f3ed397d3f59bb323a2c32ea9e5525
Instruction ID: d5ac4a0925f47a1a3d843994e89b5d90556249189f57eaf0241f27f47b773994
Opcode Fuzzy Hash: ff08b9a56292a24d06bffb7709bfcbd841f3ed397d3f59bb323a2c32ea9e5525
Instruction Fuzzy Hash: E912DF70E012298FDB14CFA9C985BEDFBB2FF48314F148169E919A7245DB34A986CF50

Uniqueness

Uniqueness Score: -1.00%

Function 02A23C32, Relevance: 1.4, Strings: 1, Instructions: 197COMMON

Download Yara Rule

Strings

., xrefs: 02A23F60

Memory Dump Source

Source File: 00000000.00000002.210075788.0000000002A20000.00000040.00000001.sdmp, Offset: 02A20000, based on PE: false

Similarity

API ID:
String ID: .
API String ID: 0-248832578
Opcode ID: 2f16a9aa7b2d77b0b6d0dd18f1cf19073ec3174320d5ec38ffe454cab1b7e24c
Instruction ID: 6fd9481631fd87af63a5a540bf3c274c896538c54b538757bd477212485a6a2d
Opcode Fuzzy Hash: 2f16a9aa7b2d77b0b6d0dd18f1cf19073ec3174320d5ec38ffe454cab1b7e24c
Instruction Fuzzy Hash: A7A15BB0E146288FDB64DF69C8847DDBBF1FF48318F5485E9D148A6205DB309A9ACF44

Uniqueness

Uniqueness Score: -1.00%

Function 02A28EA8, Relevance: 1.3, Strings: 1, Instructions: 94COMMON

Download Yara Rule

Strings

d, xrefs: 02A28FA2

Memory Dump Source

Source File: 00000000.00000002.210075788.0000000002A20000.00000040.00000001.sdmp, Offset: 02A20000, based on PE: false

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: 5ad7b036adc7508d25ed88b332960da25b2a9b60217c93fbf7cd54e3b2f94176
Instruction ID: 40c8e5772a857d849cc9c700a25d76eb64870f1302c7036739a06f434ff7cd58
Opcode Fuzzy Hash: 5ad7b036adc7508d25ed88b332960da25b2a9b60217c93fbf7cd54e3b2f94176
Instruction Fuzzy Hash: 16415FB1E056189BEB1DCF6B8D4069EFAF7BFC9200F18C1B9D94CAA254EB3045468E10

Uniqueness

Uniqueness Score: -1.00%

Function 02A28FB2, Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.210075788.0000000002A20000.00000040.00000001.sdmp, Offset: 02A20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4fca1f822fa1f430041c5c0b0726e222d18a3522daccfaf465c328fea318a01
Instruction ID: 1ac6c8a5c11ce8a6c28cdcb625691625857f5466d878ae6855fe444068ccd1e7
Opcode Fuzzy Hash: a4fca1f822fa1f430041c5c0b0726e222d18a3522daccfaf465c328fea318a01
Instruction Fuzzy Hash: A3A1ADB0E256298BEB65DFA9D884BDDBBF5FF48310F10A1D9D04CF6205DA309A948F40

Uniqueness

Uniqueness Score: -1.00%

Function 02A231D8, Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.210075788.0000000002A20000.00000040.00000001.sdmp, Offset: 02A20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c4f50e178426e82f3d65b0498f387a081ecb1467fcbaf2994bd0954b039bb79
Instruction ID: cc44e751517b80a40563d677042699654b3aae96d142fc42042016428a222692
Opcode Fuzzy Hash: 9c4f50e178426e82f3d65b0498f387a081ecb1467fcbaf2994bd0954b039bb79
Instruction Fuzzy Hash: 464131B1E056588BEB1CCF6B8D4038EFAF7AFC9200F14D5BA950CA6215DB3006458E15

Uniqueness

Uniqueness Score: -1.00%

Function 02A20230, Relevance: 5.1, Strings: 4, Instructions: 117COMMON

Download Yara Rule

Strings

xi, xrefs: 02A20320
xi, xrefs: 02A202DA
xi, xrefs: 02A20281
xi, xrefs: 02A2036D

Memory Dump Source

Source File: 00000000.00000002.210075788.0000000002A20000.00000040.00000001.sdmp, Offset: 02A20000, based on PE: false

Similarity

API ID:
String ID: xi$xi$xi$xi
API String ID: 0-3100342707
Opcode ID: 9ff1d4a71ba87a702f7840f6108f2047c283ffc5ea81c3a77ba62c2a9200c3d7
Instruction ID: 3278c7c7eeaa0a4efba0f9d74c50f6de75a4824a714bc376cf357d942043edef
Opcode Fuzzy Hash: 9ff1d4a71ba87a702f7840f6108f2047c283ffc5ea81c3a77ba62c2a9200c3d7
Instruction Fuzzy Hash: A6418D78A00218DFDB00DFA8C985BADBBF1EB4E310F1454A5EA01BB3A0D735A944DF61

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report OFFER.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Memory Dumps

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Software Vulnerabilities:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

Code Manipulations

Statistics

CPU Usage