
Analysis Report kelvinx.exe

Overview

General Information

Sample Name: kelvinx.exe
Analysis ID: 322215
MD5: 0e4ecbb7ebdd4c7341658b9e6471a0b7
SHA1: 994026038fcbd0514d029c511f20bda6b0b17080
SHA256: 20eb19ebf2de8995adbc740f2a797cc3119face8760885e7cb9e3a6f3d376d5d
Tags: exe, NanoCore

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Yara detected Nanocore RAT
.NET source code references suspicious native API functions
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Antivirus or Machine Learning detection for unpacked file
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Stores files to the Windows start menu directory
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • kelvinx.exe (PID: 5332 cmdline: 'C:\Users\user\Desktop\kelvinx.exe' MD5: 0E4ECBB7EBDD4C7341658B9E6471A0B7)
    • kelvinx.exe (PID: 1556 cmdline: C:\Users\user\Desktop\kelvinx.exe MD5: 0E4ECBB7EBDD4C7341658B9E6471A0B7)
  • noteped.exe (PID: 5368 cmdline: 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exe' MD5: 0E4ECBB7EBDD4C7341658B9E6471A0B7)
    • noteped.exe (PID: 6312 cmdline: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exe MD5: 0E4ECBB7EBDD4C7341658B9E6471A0B7)
  • noteped.exe (PID: 6360 cmdline: 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exe' MD5: 0E4ECBB7EBDD4C7341658B9E6471A0B7)
    • noteped.exe (PID: 6648 cmdline: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exe MD5: 0E4ECBB7EBDD4C7341658B9E6471A0B7)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"C2: ": ["185.140.53.132"], "Version: ": "NanoCore Client, Version=1.2.2.0"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author
0000000C.00000002.306118461.0000000003AE9000.00000004.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
0000000C.00000002.306118461.0000000003AE9000.00000004.00000001.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
00000001.00000002.492062764.00000000041A9000.00000004.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
00000001.00000002.492062764.00000000041A9000.00000004.00000001.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
00000001.00000002.493316264.0000000005A30000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xf7ad:$x1: NanoCore.ClientPluginHost
  • 0xf7da:$x2: IClientNetworkHost

Unpacked PEs

Source | Rule | Description | Author
12.2.noteped.exe.400000.0.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x1018d:$x1: NanoCore.ClientPluginHost
  • 0x101ca:$x2: IClientNetworkHost
  • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
12.2.noteped.exe.400000.0.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xff05:$x1: NanoCore Client.exe
  • 0x1018d:$x2: NanoCore.ClientPluginHost
  • 0x117c6:$s1: PluginCommand
  • 0x117ba:$s2: FileCommand
  • 0x1266b:$s3: PipeExists
  • 0x18422:$s4: PipeCreated
  • 0x101b7:$s5: IClientLoggingHost
12.2.noteped.exe.400000.0.unpack | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
12.2.noteped.exe.400000.0.unpack | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
6.2.noteped.exe.400000.0.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x1018d:$x1: NanoCore.ClientPluginHost
  • 0x101ca:$x2: IClientNetworkHost
  • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe

        Sigma Overview

        System Summary:

Sigma detected: NanoCore
Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Users\user\Desktop\kelvinx.exe, ProcessId: 1556, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

        Signature Overview

        AV Detection:

Found malware configuration
Source: noteped.exe.6648.12.memstr, Malware Configuration Extractor: NanoCore {"C2: ": ["185.140.53.132"], "Version: ": "NanoCore Client, Version=1.2.2.0"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exe, ReversingLabs: Detection: 52%
Multi AV Scanner detection for submitted file
Source: kelvinx.exe, Virustotal: Detection: 35%
Source: kelvinx.exe, ReversingLabs: Detection: 52%
Yara detected Nanocore RAT
Source: Yara match, File source: 0000000C.00000002.306118461.0000000003AE9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.492062764.00000000041A9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.493316264.0000000005A30000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000C.00000002.305164959.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000006.00000002.284681945.0000000002FB1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000006.00000002.284823064.0000000003FB9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000C.00000002.306051125.0000000002AE1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.240965816.0000000003B26000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.488239312.0000000003161000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000006.00000002.283332088.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.485264467.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000002.269811701.00000000035FB000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000002.289900545.0000000003C9C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: noteped.exe PID: 6360, type: MEMORY
Source: Yara match, File source: Process Memory Space: noteped.exe PID: 6648, type: MEMORY
Source: Yara match, File source: Process Memory Space: noteped.exe PID: 5368, type: MEMORY
Source: Yara match, File source: Process Memory Space: noteped.exe PID: 6312, type: MEMORY
Source: Yara match, File source: Process Memory Space: kelvinx.exe PID: 5332, type: MEMORY
Source: Yara match, File source: Process Memory Space: kelvinx.exe PID: 1556, type: MEMORY
Source: Yara match, File source: 12.2.noteped.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 6.2.noteped.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.2.kelvinx.exe.5a30000.4.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.2.kelvinx.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.2.kelvinx.exe.5a30000.4.raw.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exe, Joe Sandbox ML: detected
Machine Learning detection for sample
Source: kelvinx.exe, Joe Sandbox ML: detected
Source: 12.2.noteped.exe.400000.0.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
Source: 6.2.noteped.exe.400000.0.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
Source: 1.2.kelvinx.exe.5a30000.4.unpack, Avira: Label: TR/NanoCore.fadte
Source: 1.2.kelvinx.exe.400000.0.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exe, File opened: C:\Users\user\AppData\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exe, File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exe, File opened: C:\Users\user\AppData\Roaming\Microsoft\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exe, File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exe, File opened: C:\Users\user\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exe, File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\
Source: global traffic, TCP traffic: 192.168.2.5:49715 -> 185.140.53.132:7600
Source: Joe Sandbox View, IP Address: 185.140.53.132
Source: Joe Sandbox View, ASN Name: DAVID_CRAIGGG
Source: unknown, TCP traffic detected without corresponding DNS query: 185.140.53.132
Source: kelvinx.exe, 00000001.00000002.492062764.00000000041A9000.00000004.00000001.sdmp, Binary or memory string: RegisterRawInputDevices

        E-Banking Fraud:

Yara detected Nanocore RAT (same Yara match sources as listed under AV Detection)

        System Summary:

Malicious sample detected (through community Yara rule)
Source: 0000000C.00000002.306118461.0000000003AE9000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.492062764.00000000041A9000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.493316264.0000000005A30000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 0000000C.00000002.305164959.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 0000000C.00000002.305164959.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000006.00000002.284681945.0000000002FB1000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000006.00000002.284823064.0000000003FB9000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000002.306051125.0000000002AE1000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.493282549.00000000058E0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000000.00000002.240965816.0000000003B26000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000000.00000002.240965816.0000000003B26000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000006.00000002.283332088.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000006.00000002.283332088.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.485264467.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000001.00000002.485264467.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000002.00000002.269811701.00000000035FB000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000002.00000002.269811701.00000000035FB000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000002.289900545.0000000003C9C000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000007.00000002.289900545.0000000003C9C000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: noteped.exe PID: 6360, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: Process Memory Space: noteped.exe PID: 6360, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: noteped.exe PID: 6648, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: noteped.exe PID: 6648, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: noteped.exe PID: 5368, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: noteped.exe PID: 5368, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: noteped.exe PID: 6312, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: noteped.exe PID: 6312, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: kelvinx.exe PID: 5332, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: kelvinx.exe PID: 5332, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: kelvinx.exe PID: 1556, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: kelvinx.exe PID: 1556, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 12.2.noteped.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 12.2.noteped.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 6.2.noteped.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 6.2.noteped.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 1.2.kelvinx.exe.5a30000.4.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 1.2.kelvinx.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 1.2.kelvinx.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 1.2.kelvinx.exe.5a30000.4.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 1.2.kelvinx.exe.58e0000.3.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: C:\Users\user\Desktop\kelvinx.exeCode function: 0_2_0268C25C0_2_0268C25C
        Source: C:\Users\user\Desktop\kelvinx.exeCode function: 0_2_0268E1C00_2_0268E1C0
        Source: C:\Users\user\Desktop\kelvinx.exeCode function: 0_2_0268E1D00_2_0268E1D0
        Source: C:\Users\user\Desktop\kelvinx.exeCode function: 0_2_070968B80_2_070968B8
        Source: C:\Users\user\Desktop\kelvinx.exeCode function: 0_2_070975800_2_07097580
        Source: C:\Users\user\Desktop\kelvinx.exeCode function: 0_2_070910D00_2_070910D0
        Source: C:\Users\user\Desktop\kelvinx.exeCode function: 0_2_070910E00_2_070910E0
        Source: C:\Users\user\Desktop\kelvinx.exeCode function: 1_2_0303E4711_2_0303E471
        Source: C:\Users\user\Desktop\kelvinx.exeCode function: 1_2_0303E4801_2_0303E480
        Source: C:\Users\user\Desktop\kelvinx.exeCode function: 1_2_0303BBD41_2_0303BBD4
        Source: C:\Users\user\Desktop\kelvinx.exeCode function: 1_2_0580F5F81_2_0580F5F8
        Source: C:\Users\user\Desktop\kelvinx.exeCode function: 1_2_058097881_2_05809788
        Source: C:\Users\user\Desktop\kelvinx.exeCode function: 1_2_0580A5D01_2_0580A5D0
        Source: C:\Users\user\Desktop\kelvinx.exeCode function: 1_2_0580A6101_2_0580A610
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exeCode function: 2_2_0258EBE02_2_0258EBE0
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exeCode function: 2_2_0258EF802_2_0258EF80
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exeCode function: 2_2_0258F0B12_2_0258F0B1
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exeCode function: 2_2_0258F53E2_2_0258F53E
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exeCode function: 2_2_065D4DA02_2_065D4DA0
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exeCode function: 2_2_065D5E702_2_065D5E70
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exeCode function: 6_2_0139E4716_2_0139E471
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exeCode function: 6_2_0139E4806_2_0139E480
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exeCode function: 6_2_0139BBD46_2_0139BBD4
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exeCode function: 7_2_00FBE1D07_2_00FBE1D0
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exeCode function: 7_2_00FBE1C07_2_00FBE1C0
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exeCode function: 7_2_00FBC25C7_2_00FBC25C
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exeCode function: 7_2_0511EF987_2_0511EF98
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exeCode function: 7_2_0511EBE07_2_0511EBE0
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exeCode function: 7_2_0511F0B17_2_0511F0B1
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exeCode function: 7_2_0511F53E7_2_0511F53E
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exeCode function: 7_2_056CE4707_2_056CE470
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exeCode function: 7_2_056C06C07_2_056C06C0
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exeCode function: 7_2_056C06D07_2_056C06D0
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exeCode function: 7_2_056C4D007_2_056C4D00
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exeCode function: 7_2_056C0CF87_2_056C0CF8
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exeCode function: 7_2_056C4CF07_2_056C4CF0
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exeCode function: 7_2_056C9E507_2_056C9E50
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exeCode function: 7_2_056C9E3F7_2_056C9E3F
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exeCode function: 7_2_07004DA07_2_07004DA0
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exeCode function: 7_2_07005E707_2_07005E70
        Source: kelvinx.exe, 00000000.00000002.245703517.0000000007030000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameClassLibrary3.dll< vs kelvinx.exe
        Source: kelvinx.exe, 00000000.00000000.217843119.000000000056E000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameKhmprj5.exe@ vs kelvinx.exe
        Source: kelvinx.exe, 00000000.00000002.240965816.0000000003B26000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameWpvxioquaewsx.dll4 vs kelvinx.exe
        Source: kelvinx.exe, 00000000.00000002.244828080.0000000006F30000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemscorrc.dllT vs kelvinx.exe
        Source: kelvinx.exe, 00000001.00000002.493859893.0000000006950000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameKernelbase.dll.muij% vs kelvinx.exe
        Source: kelvinx.exe, 00000001.00000002.492062764.00000000041A9000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameClientPlugin.dll4 vs kelvinx.exe
        Source: kelvinx.exe, 00000001.00000002.492062764.00000000041A9000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameLzma#.dll4 vs kelvinx.exe
        Source: kelvinx.exe, 00000001.00000002.492062764.00000000041A9000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs kelvinx.exe
        Source: kelvinx.exe, 00000001.00000002.487573900.00000000015DA000.00000004.00000020.sdmpBinary or memory string: OriginalFilenameclr.dllT vs kelvinx.exe
        Source: kelvinx.exe, 00000001.00000002.486180497.0000000000EDE000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameKhmprj5.exe@ vs kelvinx.exe
        Source: kelvinx.exe, 00000001.00000002.493800589.00000000067F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamenapinsp.dll.muij% vs kelvinx.exe
        Source: kelvinx.exe, 00000001.00000002.493154809.0000000005850000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameuser32j% vs kelvinx.exe
        Source: kelvinx.exeBinary or memory string: OriginalFilenameKhmprj5.exe@ vs kelvinx.exe
        Source: 0000000C.00000002.306118461.0000000003AE9000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000001.00000002.492062764.00000000041A9000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000001.00000002.493316264.0000000005A30000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000001.00000002.493316264.0000000005A30000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0000000C.00000002.305164959.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000C.00000002.305164959.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000006.00000002.284681945.0000000002FB1000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000006.00000002.284823064.0000000003FB9000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000C.00000002.306051125.0000000002AE1000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000001.00000002.493282549.00000000058E0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000001.00000002.493282549.00000000058E0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 00000000.00000002.240965816.0000000003B26000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000000.00000002.240965816.0000000003B26000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000006.00000002.283332088.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000006.00000002.283332088.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000001.00000002.485264467.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000001.00000002.485264467.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000002.00000002.269811701.00000000035FB000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000002.00000002.269811701.00000000035FB000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000007.00000002.289900545.0000000003C9C000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000007.00000002.289900545.0000000003C9C000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: noteped.exe PID: 6360, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: noteped.exe PID: 6360, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: noteped.exe PID: 6648, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: noteped.exe PID: 6648, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: noteped.exe PID: 5368, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: noteped.exe PID: 5368, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: noteped.exe PID: 6312, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: noteped.exe PID: 6312, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: kelvinx.exe PID: 5332, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: kelvinx.exe PID: 5332, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: kelvinx.exe PID: 1556, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: kelvinx.exe PID: 1556, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 12.2.noteped.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 12.2.noteped.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 12.2.noteped.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 6.2.noteped.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 6.2.noteped.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 6.2.noteped.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 1.2.kelvinx.exe.5a30000.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 1.2.kelvinx.exe.5a30000.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 1.2.kelvinx.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 1.2.kelvinx.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 1.2.kelvinx.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 1.2.kelvinx.exe.5a30000.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 1.2.kelvinx.exe.5a30000.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 1.2.kelvinx.exe.58e0000.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 1.2.kelvinx.exe.58e0000.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 1.2.kelvinx.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: 1.2.kelvinx.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'CreateDecryptor'
        Source: 1.2.kelvinx.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
        Source: 6.2.noteped.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: 6.2.noteped.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'CreateDecryptor'
        Source: 6.2.noteped.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
        Source: 12.2.noteped.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: 12.2.noteped.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'CreateDecryptor'
        Source: 12.2.noteped.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
        Source: 1.2.kelvinx.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 1.2.kelvinx.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: 12.2.noteped.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 12.2.noteped.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: 6.2.noteped.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 6.2.noteped.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: classification engineClassification label: mal100.troj.evad.winEXE@9/5@0/1
        Source: C:\Users\user\Desktop\kelvinx.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepodJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{9f6164b7-e376-4012-b3ba-64bf2d46d5d2}
        Source: kelvinx.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: C:\Users\user\Desktop\kelvinx.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: kelvinx.exe | Virustotal: Detection: 35%
        Source: kelvinx.exe | ReversingLabs: Detection: 52%
        Source: C:\Users\user\Desktop\kelvinx.exe | File read: C:\Users\user\Desktop\kelvinx.exe
        Source: unknown | Process created: C:\Users\user\Desktop\kelvinx.exe 'C:\Users\user\Desktop\kelvinx.exe'
        Source: unknown | Process created: C:\Users\user\Desktop\kelvinx.exe C:\Users\user\Desktop\kelvinx.exe
        Source: unknown | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exe'
        Source: unknown | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exe
        Source: C:\Users\user\Desktop\kelvinx.exe | Process created: C:\Users\user\Desktop\kelvinx.exe C:\Users\user\Desktop\kelvinx.exe
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exe | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exe
        Source: C:\Users\user\Desktop\kelvinx.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32
        Source: Window Recorder | Window detected: More than 3 window changes detected
        Source: C:\Users\user\Desktop\kelvinx.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
        Source: kelvinx.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
        Source: kelvinx.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
        Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: kelvinx.exe, 00000001.00000002.487735163.0000000001691000.00000004.00000020.sdmp
        Source: Binary string: j,C:\Windows\System.pdb source: kelvinx.exe, 00000001.00000002.493719059.00000000065AC000.00000004.00000001.sdmp
        Source: Binary string: System.pdb source: kelvinx.exe, 00000001.00000002.487749638.0000000001699000.00000004.00000020.sdmp
        Source: C:\Users\user\Desktop\kelvinx.exe | Code function: 0_2_070968B8 push 00000002h; ret 0_2_07096EC0
        Source: C:\Users\user\Desktop\kelvinx.exe | Code function: 0_2_07096EB1 push 00000002h; ret 0_2_07096EC0
        Source: C:\Users\user\Desktop\kelvinx.exe | Code function: 1_2_058069F8 pushad ; retf 1_2_058069F9
        Source: C:\Users\user\Desktop\kelvinx.exe | Code function: 1_2_058069FA push esp; retf 1_2_05806A01
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exe | Code function: 2_2_065D3A00 push es; retf 2_2_065D3A84
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exe | Code function: 2_2_065D3A85 push es; ret 2_2_065D3AE4
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exe | Code function: 7_2_056C0478 push eax; iretd 7_2_056C0481
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exe | Code function: 7_2_056C5C03 push E804CF5Eh; ret 7_2_056C5C09
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exe | Code function: 7_2_056C6F1C push ss; retf 7_2_056C6F23
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exe | Code function: 7_2_056C5BE8 push E805C65Eh; retf 7_2_056C5C01
        Source: 1.2.kelvinx.exe.400000.0.unpack, #=qWrm21vQ8CBMZP_RBTwpusA==.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
        Source: 1.2.kelvinx.exe.400000.0.unpack, #=qJT4I5hOweIk$xYFEeDszbikglXCuquUd$v9AXtyq2ns=.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: 6.2.noteped.exe.400000.0.unpack, #=qJT4I5hOweIk$xYFEeDszbikglXCuquUd$v9AXtyq2ns=.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: 6.2.noteped.exe.400000.0.unpack, #=qWrm21vQ8CBMZP_RBTwpusA==.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
        Source: 12.2.noteped.exe.400000.0.unpack, #=qJT4I5hOweIk$xYFEeDszbikglXCuquUd$v9AXtyq2ns=.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: 12.2.noteped.exe.400000.0.unpack, #=qWrm21vQ8CBMZP_RBTwpusA==.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
        Source: C:\Users\user\Desktop\kelvinx.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exe
        Source: C:\Users\user\Desktop\kelvinx.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exe\:Zone.Identifier:$DATA
        Source: C:\Users\user\Desktop\kelvinx.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run noteped
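        The evidence rows above are the raw material an analyst turns into indicators: the dropped copy under the Start Menu, the Run value named noteped, the Global\{GUID} mutex, and (in the next section) the sample opening its own Zone.Identifier stream with delete access. On this page the Source column has been run together with the signature text and the same hit is listed under several signatures, so the first step is to split and de-duplicate. The following Python is an added example, not part of the Joe Sandbox report or its export format: it recovers (source, signature, value) from rows in this page's layout and reduces them to an IOC set. The label list and the sample rows are taken from this page; the regex, the helper names and the IOC categories are this example's own assumptions.

```python
import re
from collections import defaultdict

# Signature labels seen in this report's evidence rows. The page's extraction
# glued the Source column onto the description ("kelvinx.exeFile created:"),
# so matching on a fixed label list is what locates the boundary. The list is
# assembled from this page, not from any documented sandbox schema.
LABELS = (
    "Mutant created", "File created", "File opened", "File read",
    "Registry value created or modified", "Key opened", "Key value queried",
    "Process created", "Process information set", "Section loaded",
    "Code function", "Security API names", "Static PE information",
)
_ALT = "|".join(re.escape(label) for label in LABELS)
LINE_RE = re.compile(
    r"^Source:\s*(?P<src>.*?)\s*\|?\s*(?P<label>" + _ALT + r")\s*:\s*"
    r"(?P<val>.*?)\s*(?:Jump to behavior|Jump to dropped file)?\s*$"
)

# Rows copied from this report (constructed test input). The trailing
# "Jump to ..." text is link residue from the page and is discarded.
SAMPLE_LINES = [
    r"Source: C:\Users\user\Desktop\kelvinx.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{9f6164b7-e376-4012-b3ba-64bf2d46d5d2}",
    r"Source: C:\Users\user\Desktop\kelvinx.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exeJump to dropped file",
    r"Source: C:\Users\user\Desktop\kelvinx.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exe\:Zone.Identifier:$DATAJump to behavior",
    r"Source: C:\Users\user\Desktop\kelvinx.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run notepedJump to behavior",
    r"Source: C:\Users\user\Desktop\kelvinx.exeFile opened: C:\Users\user\Desktop\kelvinx.exe:Zone.Identifier read attributes | deleteJump to behavior",
    r"Source: unknownProcess created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exe'",
    r"Source: C:\Users\user\Desktop\kelvinx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior",
]


def parse_line(line):
    """Split one evidence row into (source, signature label, value), or None."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    return m.group("src"), m.group("label"), m.group("val")


def extract_iocs(lines):
    """Reduce evidence rows to a de-duplicated, sorted IOC set keyed by type."""
    iocs = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        _src, label, val = parsed
        if label == "Mutant created":
            # Drop the per-session object directory; Global\{GUID} is the indicator.
            iocs["mutex"].add(val.split("BaseNamedObjects\\", 1)[-1])
        elif label == "File created":
            if ":Zone.Identifier" in val:
                # The dropper wrote an ADS on its own copy; record the host file.
                iocs["zone_identifier_written"].add(val.split(":Zone.Identifier", 1)[0].rstrip("\\"))
            elif val.lower().endswith(".exe"):
                iocs["dropped_file"].add(val)
        elif label == "Registry value created or modified":
            key, _, name = val.rpartition(" ")  # "<key path> <value name>"
            iocs["run_key"].add((key, name))
        elif label == "File opened" and ":Zone.Identifier" in val and "delete" in val:
            # Opening its own Zone.Identifier stream with delete access is how
            # the sample strips the mark of the web from itself.
            iocs["motw_removal"].add(val.split(":Zone.Identifier", 1)[0])
        elif label == "Process created":
            # Value is "<image path> <command line>"; the image path contains a
            # space ("Start Menu"), so cut at the first ".exe " not the first space.
            idx = val.find(".exe ")
            iocs["process"].add(val[: idx + 4] if idx != -1 else val)
    return {kind: sorted(values) for kind, values in iocs.items()}


if __name__ == "__main__":
    for kind, values in extract_iocs(SAMPLE_LINES).items():
        print(kind)
        for value in values:
            print("   ", value)
```

        The Process information set rows (NOOPENFILEERRORBOX) parse cleanly but produce no indicator; the sandbox lists that hit well over a hundred times for the two processes and it carries no hunting value, which is why the reducer ignores the label.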

        Hooking and other Techniques for Hiding and Protection:

        Hides that the sample has been downloaded from the Internet (zone.identifier)
        Source: C:\Users\user\Desktop\kelvinx.exe | File opened: C:\Users\user\Desktop\kelvinx.exe:Zone.Identifier read attributes | delete
        Source: C:\Users\user\Desktop\kelvinx.exe | Process information set: NOOPENFILEERRORBOX (81 identical hits in the original report)
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exe | Process information set: NOOPENFILEERRORBOX (90 identical hits in the original report)
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

        Malware Analysis System Evasion:

        Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
        Source: kelvinx.exe, 00000000.00000002.238524182.00000000028C1000.00000004.00000001.sdmp, noteped.exe, 00000002.00000002.268891763.00000000025A1000.00000004.00000001.sdmp, noteped.exe, 00000007.00000002.287346538.0000000002C41000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
        Source: C:\Users\user\Desktop\kelvinx.exe Thread delayed: delay time: 922337203685477
        Source: C:\Users\user\Desktop\kelvinx.exe Thread delayed: delay time: 922337203685477
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exe Thread delayed: delay time: 922337203685477
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exe Thread delayed: delay time: 922337203685477
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exe Thread delayed: delay time: 922337203685477
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exe Thread delayed: delay time: 922337203685477
        Source: C:\Users\user\Desktop\kelvinx.exe Window / User API: threadDelayed 2736
        Source: C:\Users\user\Desktop\kelvinx.exe Window / User API: threadDelayed 6831
        Source: C:\Users\user\Desktop\kelvinx.exe Window / User API: foregroundWindowGot 816
        Source: C:\Users\user\Desktop\kelvinx.exe TID: 5340 Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Users\user\Desktop\kelvinx.exe TID: 5992 Thread sleep time: -15679732462653109s >= -30000s
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exe TID: 4920 Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exe TID: 6352 Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exe TID: 6388 Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exe TID: 6776 Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exe File opened: C:\Users\user\AppData\
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exe File opened: C:\Users\user\
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\
        Source: kelvinx.exe, 00000001.00000002.493859893.0000000006950000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
        Source: noteped.exe, 00000007.00000002.287346538.0000000002C41000.00000004.00000001.sdmp Binary or memory string: vmware
        Source: kelvinx.exe, 00000001.00000002.493859893.0000000006950000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
        Source: kelvinx.exe, 00000001.00000002.493859893.0000000006950000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
        Source: kelvinx.exe, 00000001.00000002.487702153.0000000001657000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
        Source: kelvinx.exe, 00000001.00000002.493859893.0000000006950000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
        Source: C:\Users\user\Desktop\kelvinx.exe Process information queried: ProcessInformation
        Source: C:\Users\user\Desktop\kelvinx.exe Process token adjusted: Debug
        Source: C:\Users\user\Desktop\kelvinx.exe Process token adjusted: Debug
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exe Process token adjusted: Debug
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exe Process token adjusted: Debug
        Source: C:\Users\user\Desktop\kelvinx.exe Memory allocated: page read and write | page guard

        HIPS / PFW / Operating System Protection Evasion:

        .NET source code references suspicious native API functions
        Source: kelvinx.exe, Pnpzgijtkyai/r.cs Reference to suspicious API methods: ('a', 'VirtualProtect@kernel32'), ('a', 'GetProcAddress@kernel32'), ('a', 'LoadLibrary@kernel32')
        Source: noteped.exe.0.dr, Pnpzgijtkyai/r.cs Reference to suspicious API methods: ('a', 'VirtualProtect@kernel32'), ('a', 'GetProcAddress@kernel32'), ('a', 'LoadLibrary@kernel32')
        Source: 0.0.kelvinx.exe.4b0000.0.unpack, Pnpzgijtkyai/r.cs Reference to suspicious API methods: ('a', 'VirtualProtect@kernel32'), ('a', 'GetProcAddress@kernel32'), ('a', 'LoadLibrary@kernel32')
        Source: 0.2.kelvinx.exe.4b0000.0.unpack, Pnpzgijtkyai/r.cs Reference to suspicious API methods: ('a', 'VirtualProtect@kernel32'), ('a', 'GetProcAddress@kernel32'), ('a', 'LoadLibrary@kernel32')
        Source: 1.2.kelvinx.exe.400000.0.unpack, u0023u003dqjryTBW16mUfo_ItH9KWoGQu003du003d.cs Reference to suspicious API methods: ('#=qxG$Aklpbf6gyBfAqTMmORA==', 'OpenProcess@kernel32.dll'), ('#=qh7diH14jww3Fm9rMJ_jIfQ==', 'FindResourceEx@kernel32.dll')
        Source: 1.2.kelvinx.exe.e20000.1.unpack, Pnpzgijtkyai/r.cs Reference to suspicious API methods: ('a', 'VirtualProtect@kernel32'), ('a', 'GetProcAddress@kernel32'), ('a', 'LoadLibrary@kernel32')
        Source: 1.0.kelvinx.exe.e20000.0.unpack, Pnpzgijtkyai/r.cs Reference to suspicious API methods: ('a', 'VirtualProtect@kernel32'), ('a', 'GetProcAddress@kernel32'), ('a', 'LoadLibrary@kernel32')
        Source: 2.2.noteped.exe.130000.0.unpack, Pnpzgijtkyai/r.cs Reference to suspicious API methods: ('a', 'VirtualProtect@kernel32'), ('a', 'GetProcAddress@kernel32'), ('a', 'LoadLibrary@kernel32')
        Source: 2.0.noteped.exe.130000.0.unpack, Pnpzgijtkyai/r.cs Reference to suspicious API methods: ('a', 'VirtualProtect@kernel32'), ('a', 'GetProcAddress@kernel32'), ('a', 'LoadLibrary@kernel32')
        Source: 6.2.noteped.exe.a60000.1.unpack, Pnpzgijtkyai/r.cs Reference to suspicious API methods: ('a', 'VirtualProtect@kernel32'), ('a', 'GetProcAddress@kernel32'), ('a', 'LoadLibrary@kernel32')
        Source: 6.2.noteped.exe.400000.0.unpack, u0023u003dqjryTBW16mUfo_ItH9KWoGQu003du003d.cs Reference to suspicious API methods: ('#=qxG$Aklpbf6gyBfAqTMmORA==', 'OpenProcess@kernel32.dll'), ('#=qh7diH14jww3Fm9rMJ_jIfQ==', 'FindResourceEx@kernel32.dll')
        Source: 6.0.noteped.exe.a60000.0.unpack, Pnpzgijtkyai/r.cs Reference to suspicious API methods: ('a', 'VirtualProtect@kernel32'), ('a', 'GetProcAddress@kernel32'), ('a', 'LoadLibrary@kernel32')
        Source: 7.2.noteped.exe.7d0000.0.unpack, Pnpzgijtkyai/r.cs Reference to suspicious API methods: ('a', 'VirtualProtect@kernel32'), ('a', 'GetProcAddress@kernel32'), ('a', 'LoadLibrary@kernel32')
        Source: 7.0.noteped.exe.7d0000.0.unpack, Pnpzgijtkyai/r.cs Reference to suspicious API methods: ('a', 'VirtualProtect@kernel32'), ('a', 'GetProcAddress@kernel32'), ('a', 'LoadLibrary@kernel32')
        Source: 12.2.noteped.exe.400000.0.unpack, u0023u003dqjryTBW16mUfo_ItH9KWoGQu003du003d.cs Reference to suspicious API methods: ('#=qxG$Aklpbf6gyBfAqTMmORA==', 'OpenProcess@kernel32.dll'), ('#=qh7diH14jww3Fm9rMJ_jIfQ==', 'FindResourceEx@kernel32.dll')
        Source: 12.2.noteped.exe.6e0000.1.unpack, Pnpzgijtkyai/r.cs Reference to suspicious API methods: ('a', 'VirtualProtect@kernel32'), ('a', 'GetProcAddress@kernel32'), ('a', 'LoadLibrary@kernel32')
        Source: 12.0.noteped.exe.6e0000.0.unpack, Pnpzgijtkyai/r.cs Reference to suspicious API methods: ('a', 'VirtualProtect@kernel32'), ('a', 'GetProcAddress@kernel32'), ('a', 'LoadLibrary@kernel32')
        Injects a PE file into a foreign processes
        Source: C:\Users\user\Desktop\kelvinx.exe Memory written: C:\Users\user\Desktop\kelvinx.exe base: 400000 value starts with: 4D5A
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exe Memory written: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exe base: 400000 value starts with: 4D5A
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exe Memory written: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exe base: 400000 value starts with: 4D5A
        Source: C:\Users\user\Desktop\kelvinx.exe Process created: C:\Users\user\Desktop\kelvinx.exe C:\Users\user\Desktop\kelvinx.exe
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exe Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exe
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exe Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exe
        Source: kelvinx.exe, 00000001.00000002.491998166.000000000372C000.00000004.00000001.sdmp Binary or memory string: Program Managerp*FP
        Source: kelvinx.exe, 00000001.00000002.489465459.00000000032ED000.00000004.00000001.sdmp Binary or memory string: Program Manager
        Source: kelvinx.exe, 00000001.00000002.488037614.0000000001BC0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
        Source: kelvinx.exe, 00000001.00000002.488037614.0000000001BC0000.00000002.00000001.sdmp Binary or memory string: Progman
        Source: kelvinx.exe, 00000001.00000002.488037614.0000000001BC0000.00000002.00000001.sdmp Binary or memory string: SProgram Managerl
        Source: kelvinx.exe, 00000001.00000002.489465459.00000000032ED000.00000004.00000001.sdmp Binary or memory string: Program Manager|$
        Source: kelvinx.exe, 00000001.00000002.488037614.0000000001BC0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd,
        Source: kelvinx.exe, 00000001.00000002.488037614.0000000001BC0000.00000002.00000001.sdmp Binary or memory string: Progmanlock
        Source: kelvinx.exe, 00000001.00000002.488867682.0000000003264000.00000004.00000001.sdmp Binary or memory string: Program ManagerHa
        Source: C:\Users\user\Desktop\kelvinx.exe Queries volume information: C:\Users\user\Desktop\kelvinx.exe VolumeInformation
        Source: C:\Users\user\Desktop\kelvinx.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
        Source: C:\Users\user\Desktop\kelvinx.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
        Source: C:\Users\user\Desktop\kelvinx.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
        Source: C:\Users\user\Desktop\kelvinx.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
        Source: C:\Users\user\Desktop\kelvinx.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
        Source: C:\Users\user\Desktop\kelvinx.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\kelvinx.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
        Source: C:\Users\user\Desktop\kelvinx.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
        Source: C:\Users\user\Desktop\kelvinx.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
        Source: C:\Users\user\Desktop\kelvinx.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\kelvinx.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\kelvinx.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\kelvinx.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
        Source: C:\Users\user\Desktop\kelvinx.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
        Source: C:\Users\user\Desktop\kelvinx.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
        Source: C:\Users\user\Desktop\kelvinx.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
        Source: C:\Users\user\Desktop\kelvinx.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
        Source: C:\Users\user\Desktop\kelvinx.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
        Source: C:\Users\user\Desktop\kelvinx.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\kelvinx.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
        Source: C:\Users\user\Desktop\kelvinx.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
        Source: C:\Users\user\Desktop\kelvinx.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
        Source: C:\Users\user\Desktop\kelvinx.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\kelvinx.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
        Source: C:\Users\user\Desktop\kelvinx.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
        Source: C:\Users\user\Desktop\kelvinx.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
        Source: C:\Users\user\Desktop\kelvinx.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\kelvinx.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
        Source: C:\Users\user\Desktop\kelvinx.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
        Source: C:\Users\user\Desktop\kelvinx.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\kelvinx.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\kelvinx.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
        Source: C:\Users\user\Desktop\kelvinx.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
        Source: C:\Users\user\Desktop\kelvinx.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
        Source: C:\Users\user\Desktop\kelvinx.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\kelvinx.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
        Source: C:\Users\user\Desktop\kelvinx.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
        Source: C:\Users\user\Desktop\kelvinx.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\kelvinx.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\kelvinx.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
        Source: C:\Users\user\Desktop\kelvinx.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
        Source: C:\Users\user\Desktop\kelvinx.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\kelvinx.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\kelvinx.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
        Source: C:\Users\user\Desktop\kelvinx.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
        Source: C:\Users\user\Desktop\kelvinx.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\kelvinx.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
        Source: C:\Users\user\Desktop\kelvinx.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
        Source: C:\Users\user\Desktop\kelvinx.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\kelvinx.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\kelvinx.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
        Source: C:\Users\user\Desktop\kelvinx.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
        Source: C:\Users\user\Desktop\kelvinx.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\kelvinx.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
        Source: C:\Users\user\Desktop\kelvinx.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
        Source: C:\Users\user\Desktop\kelvinx.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
        Source: C:\Users\user\Desktop\kelvinx.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\kelvinx.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
        Source: C:\Users\user\Desktop\kelvinx.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
        Source: C:\Users\user\Desktop\kelvinx.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
        Source: C:\Users\user\Desktop\kelvinx.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
        Source: C:\Users\user\Desktop\kelvinx.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
        Source: C:\Users\user\Desktop\kelvinx.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
        Source: C:\Users\user\Desktop\kelvinx.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\kelvinx.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
        Source: C:\Users\user\Desktop\kelvinx.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
        Source: C:\Users\user\Desktop\kelvinx.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
        Source: C:\Users\user\Desktop\kelvinx.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
        Source: C:\Users\user\Desktop\kelvinx.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
        Source: C:\Users\user\Desktop\kelvinx.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\kelvinx.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
        Source: C:\Users\user\Desktop\kelvinx.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
        Source: C:\Users\user\Desktop\kelvinx.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
        Source: C:\Users\user\Desktop\kelvinx.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
        Source: C:\Users\user\Desktop\kelvinx.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\kelvinx.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
        Source: C:\Users\user\Desktop\kelvinx.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
        Source: C:\Users\user\Desktop\kelvinx.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
        Source: C:\Users\user\Desktop\kelvinx.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
        Source: C:\Users\user\Desktop\kelvinx.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
        Source: C:\Users\user\Desktop\kelvinx.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
        Source: C:\Users\user\Desktop\kelvinx.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
        Source: C:\Users\user\Desktop\kelvinx.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
        Source: C:\Users\user\Desktop\kelvinx.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
        Source: C:\Users\user\Desktop\kelvinx.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
        Source: C:\Users\user\Desktop\kelvinx.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\kelvinx.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
        Source: C:\Users\user\Desktop\kelvinx.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
        Source: C:\Users\user\Desktop\kelvinx.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
        Source: C:\Users\user\Desktop\kelvinx.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
        Source: C:\Users\user\Desktop\kelvinx.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
        Source: C:\Users\user\Desktop\kelvinx.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
        Source: C:\Users\user\Desktop\kelvinx.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
        Source: C:\Users\user\Desktop\kelvinx.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
        Source: C:\Users\user\Desktop\kelvinx.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
        Source: C:\Users\user\Desktop\kelvinx.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\kelvinx.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
        Source: C:\Users\user\Desktop\kelvinx.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
        Source: C:\Users\user\Desktop\kelvinx.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\kelvinx.exe | Queries volume information: C:\Windows\Fonts\CALIST.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\kelvinx.exe | Queries volume information: C:\Windows\Fonts\CALISTI.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\kelvinx.exe | Queries volume information: C:\Windows\Fonts\CALISTB.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\kelvinx.exe | Queries volume information: C:\Windows\Fonts\CALISTBI.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\kelvinx.exe | Queries volume information: C:\Windows\Fonts\BOOKOS.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\kelvinx.exe | Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\kelvinx.exe | Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\kelvinx.exe | Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\kelvinx.exe | Queries volume information: C:\Windows\Fonts\BOD_R.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\kelvinx.exe | Queries volume information: C:\Windows\Fonts\BOD_I.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\kelvinx.exe | Queries volume information: C:\Windows\Fonts\BOD_B.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\kelvinx.exe | Queries volume information: C:\Windows\Fonts\BOD_BI.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\kelvinx.exe | Queries volume information: C:\Windows\Fonts\BOD_CR.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\kelvinx.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\kelvinx.exe | Queries volume information: C:\Windows\Fonts\BOD_CI.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\kelvinx.exe | Queries volume information: C:\Windows\Fonts\BOD_CB.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\kelvinx.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\kelvinx.exe | Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\kelvinx.exe | Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\kelvinx.exe | Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\kelvinx.exe | Queries volume information: C:\Windows\Fonts\AGENCYR.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\kelvinx.exe | Queries volume information: C:\Windows\Fonts\AGENCYB.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\kelvinx.exe | Queries volume information: C:\Windows\Fonts\BSSYM7.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\kelvinx.exe | Queries volume information: C:\Windows\Fonts\REFSAN.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\kelvinx.exe | Queries volume information: C:\Windows\Fonts\REFSPCL.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\kelvinx.exe | Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF | VolumeInformation
        Source: C:\Users\user\Desktop\kelvinx.exe | Queries volume information: C:\Windows\Fonts\marlett.ttf | VolumeInformation
        Source: C:\Users\user\Desktop\kelvinx.exe | Queries volume information: C:\Windows\Fonts\micross.ttf | VolumeInformation
        Source: C:\Users\user\Desktop\kelvinx.exe | Queries volume information: C:\Users\user\Desktop\kelvinx.exe | VolumeInformation
        Source: C:\Users\user\Desktop\kelvinx.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll | VolumeInformation
        Source: C:\Users\user\Desktop\kelvinx.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll | VolumeInformation
        Source: C:\Users\user\Desktop\kelvinx.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll | VolumeInformation
        Source: C:\Users\user\Desktop\kelvinx.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll | VolumeInformation
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exe | Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exe | VolumeInformation
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll | VolumeInformation
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll | VolumeInformation
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll | VolumeInformation
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exe | Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exe | VolumeInformation
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll | VolumeInformation
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll | VolumeInformation
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll | VolumeInformation
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll | VolumeInformation
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exe | Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exe | VolumeInformation
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll | VolumeInformation
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll | VolumeInformation
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll | VolumeInformation
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exe | Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exe | VolumeInformation
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll | VolumeInformation
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll | VolumeInformation
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll | VolumeInformation
        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll | VolumeInformation
        Source: C:\Users\user\Desktop\kelvinx.exe | Code function: 0_2_07095760 GetUserNameA, 0_2_07095760
        Source: C:\Users\user\Desktop\kelvinx.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

        Stealing of Sensitive Information:

        Yara detected Nanocore RAT
        Source: Yara match | File source: 0000000C.00000002.306118461.0000000003AE9000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000001.00000002.492062764.00000000041A9000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000001.00000002.493316264.0000000005A30000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000C.00000002.305164959.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000006.00000002.284681945.0000000002FB1000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000006.00000002.284823064.0000000003FB9000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000C.00000002.306051125.0000000002AE1000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000000.00000002.240965816.0000000003B26000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000001.00000002.488239312.0000000003161000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000006.00000002.283332088.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000001.00000002.485264467.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000002.00000002.269811701.00000000035FB000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000007.00000002.289900545.0000000003C9C000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: Process Memory Space: noteped.exe PID: 6360, type: MEMORY
        Source: Yara match | File source: Process Memory Space: noteped.exe PID: 6648, type: MEMORY
        Source: Yara match | File source: Process Memory Space: noteped.exe PID: 5368, type: MEMORY
        Source: Yara match | File source: Process Memory Space: noteped.exe PID: 6312, type: MEMORY
        Source: Yara match | File source: Process Memory Space: kelvinx.exe PID: 5332, type: MEMORY
        Source: Yara match | File source: Process Memory Space: kelvinx.exe PID: 1556, type: MEMORY
        Source: Yara match | File source: 12.2.noteped.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 6.2.noteped.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 1.2.kelvinx.exe.5a30000.4.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 1.2.kelvinx.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 1.2.kelvinx.exe.5a30000.4.raw.unpack, type: UNPACKEDPE

        Remote Access Functionality:

        Detected Nanocore Rat
        Source: kelvinx.exe, 00000000.00000002.240965816.0000000003B26000.00000004.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
        Source: kelvinx.exe, 00000001.00000002.492062764.00000000041A9000.00000004.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
        Source: kelvinx.exe, 00000001.00000002.492062764.00000000041A9000.00000004.00000001.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
        Source: noteped.exe, 00000002.00000002.269811701.00000000035FB000.00000004.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
        Source: noteped.exe, 00000006.00000002.284681945.0000000002FB1000.00000004.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
        Source: noteped.exe, 00000006.00000002.284681945.0000000002FB1000.00000004.00000001.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
        Source: noteped.exe, 00000007.00000002.289900545.0000000003C9C000.00000004.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
        Source: noteped.exe, 0000000C.00000002.306118461.0000000003AE9000.00000004.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
        Source: noteped.exe, 0000000C.00000002.306118461.0000000003AE9000.00000004.00000001.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
        Yara detected Nanocore RAT
        Source: Yara match | File source: 0000000C.00000002.306118461.0000000003AE9000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000001.00000002.492062764.00000000041A9000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000001.00000002.493316264.0000000005A30000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000C.00000002.305164959.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000006.00000002.284681945.0000000002FB1000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000006.00000002.284823064.0000000003FB9000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000C.00000002.306051125.0000000002AE1000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000000.00000002.240965816.0000000003B26000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000001.00000002.488239312.0000000003161000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000006.00000002.283332088.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000001.00000002.485264467.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000002.00000002.269811701.00000000035FB000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000007.00000002.289900545.0000000003C9C000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: Process Memory Space: noteped.exe PID: 6360, type: MEMORY
        Source: Yara match | File source: Process Memory Space: noteped.exe PID: 6648, type: MEMORY
        Source: Yara match | File source: Process Memory Space: noteped.exe PID: 5368, type: MEMORY
        Source: Yara match | File source: Process Memory Space: noteped.exe PID: 6312, type: MEMORY
        Source: Yara match | File source: Process Memory Space: kelvinx.exe PID: 5332, type: MEMORY
        Source: Yara match | File source: Process Memory Space: kelvinx.exe PID: 1556, type: MEMORY
        Source: Yara match | File source: 12.2.noteped.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 6.2.noteped.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 1.2.kelvinx.exe.5a30000.4.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 1.2.kelvinx.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 1.2.kelvinx.exe.5a30000.4.raw.unpack, type: UNPACKEDPE
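
        The long string above is the NanoCore client plugin-host contract (IClientNetworkHost, IClientLoggingHost, DisableProtection, RebuildHostCache, ClientPlugin.dll and so on) as it sits in the .NET #Strings heap of the injected module; the report prints it as one run because that heap stores NUL-terminated UTF-8 names back to back. The scanner below reproduces the gist of the Yara hit over any of the listed .sdmp regions or unpacked PE files. It is an added example written for this page, not the report's Yara rule and not NanoCore code; the name list, the "at least three specific names" threshold and the two constructed heap samples are the editor's choices.

```python
import re

# Names of the NanoCore client / plugin-host contract, taken from the #Strings heap
# the report dumps for the kelvinx.exe and noteped.exe regions. Matched one by one,
# because a real heap separates them with NUL bytes.
NANOCORE_PLUGIN_NAMES = (
    b"NanoCore.ClientPluginHost",
    b"NanoCore.ClientPlugin",
    b"IClientNetworkHost",
    b"IClientLoggingHost",
    b"IClientAppHost",
    b"IClientUIHost",
    b"IClientDataHost",
    b"ClientPlugin.dll",
    b"DisableProtection",
    b"RestoreProtection",
    b"RebuildHostCache",
    b"AddHostEntry",
    b"SendToServer",
)

# Names that also occur in unrelated .NET code; hits on these alone are not evidence.
_GENERIC = {b"SendToServer", b"AddHostEntry"}
MIN_SPECIFIC = 3  # editor's threshold, not from the report


def scan_region(data: bytes, min_specific: int = MIN_SPECIFIC):
    """Scan one memory region or unpacked PE image.

    Returns (verdict, hits); hits maps name -> sorted offsets. The verdict is True only
    when at least `min_specific` NanoCore-specific names occur, so a lone
    'ClientPlugin.dll' in some ordinary plugin-based app does not fire.
    """
    hits = {}
    for name in NANOCORE_PLUGIN_NAMES:
        # UTF-8 form (#Strings heap) and UTF-16LE form (#US heap / string literals).
        offsets = [m.start() for m in re.finditer(re.escape(name), data)]
        wide = name.decode().encode("utf-16-le")
        offsets += [m.start() for m in re.finditer(re.escape(wide), data)]
        if offsets:
            hits[name.decode()] = sorted(offsets)
    specific = [n for n in hits if n.encode() not in _GENERIC]
    return len(specific) >= min_specific, hits


def scan_file(path: str, chunk: int = 8 * 1024 * 1024):
    """Scan a dump file in chunks, keeping an overlap so a name that straddles a chunk
    boundary is still found; offsets are reported relative to the file start."""
    overlap = max(len(n) for n in NANOCORE_PLUGIN_NAMES) * 2
    merged = {}
    with open(path, "rb") as fh:
        base, tail = 0, b""
        while True:
            block = fh.read(chunk)
            if not block:
                break
            data = tail + block
            start = base - len(tail)
            _, hits = scan_region(data)
            for name, offs in hits.items():
                merged.setdefault(name, set()).update(start + o for o in offs)
            tail = data[-overlap:]
            base += len(block)
    specific = [n for n in merged if n.encode() not in _GENERIC]
    return len(specific) >= MIN_SPECIFIC, {k: sorted(v) for k, v in merged.items()}


# Constructed samples (not from the report): a fake #Strings heap with NUL separators
# carrying the NanoCore names, and a benign heap from an ordinary WinForms app.
SAMPLE_NANOCORE_HEAP = b"\x00".join([
    b"<Module>", b"mscorlib", b"NanoCore.ClientPluginHost", b"IClientNetworkHost",
    b"IClientLoggingHost", b"DisableProtection", b"ClientPlugin.dll", b"SendToServer",
]) + b"\x00"
SAMPLE_BENIGN_HEAP = b"\x00".join([
    b"<Module>", b"mscorlib", b"System.Windows.Forms", b"Form1", b"SendToServer",
    b"button1_Click",
]) + b"\x00"

if __name__ == "__main__":
    for label, region in (("nanocore", SAMPLE_NANOCORE_HEAP), ("benign", SAMPLE_BENIGN_HEAP)):
        verdict, hits = scan_region(region)
        print(label, verdict, sorted(hits))
```

        Run scan_file() against the raw .sdmp regions the report lists (or against a full minidump) and treat a positive as equivalent to the Yara match; the unpacked 0x400000 images will also light up because the same heap is present there.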

        Mitre Att&ck Matrix

        Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
        Valid Accounts | Native API1 | Registry Run Keys / Startup Folder11 | Process Injection112 | Masquerading1 | Input Capture11 | Security Software Discovery21 | Remote Services | Input Capture11 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
        Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Registry Run Keys / Startup Folder11 | Virtualization/Sandbox Evasion2 | LSASS Memory | Virtualization/Sandbox Evasion2 | Remote Desktop Protocol | Archive Collected Data11 | Exfiltration Over Bluetooth | Non-Standard Port1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
        Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Disable or Modify Tools1 | Security Account Manager | Process Discovery2 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Remote Access Software1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
        Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection112 | NTDS | Application Window Discovery1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | - | Carrier Billing Fraud
        Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information1 | LSA Secrets | Account Discovery1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | - | Manipulate App Store Rankings or Ratings
        Replication Through Removable Media | Launchd | Rc.common | Rc.common | Hidden Files and Directories1 | Cached Domain Credentials | System Owner/User Discovery1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | - | Abuse Accessibility Features
        External Remote Services | Scheduled Task | Startup Items | Startup Items | Obfuscated Files or Information1 | DCSync | File and Directory Discovery1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | - | Data Encrypted for Impact
        Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Software Packing1 | Proc Filesystem | System Information Discovery12 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | - | Generate Fraudulent Advertising Revenue


        Antivirus, Machine Learning and Genetic Malware Detection

        Initial Sample

        Source | Detection | Scanner | Label
        kelvinx.exe | 35% | Virustotal | -
        kelvinx.exe | 52% | ReversingLabs | ByteCode-MSIL.Backdoor.NanoBot
        kelvinx.exe | 100% | Joe Sandbox ML | -

        Dropped Files

        Source | Detection | Scanner | Label
        C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exe | 100% | Joe Sandbox ML | -
        C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exe | 52% | ReversingLabs | ByteCode-MSIL.Backdoor.NanoBot
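
        The dropped copy lives under Start Menu\Programs, a folder that on a clean system holds only .lnk shortcuts and subfolders of shortcuts, so any PE image beneath it is a persistence artefact worth hunting for across an estate regardless of the filename used. The hunt below is an added example written for this page, not part of the Joe Sandbox report: it walks the per-user and all-users Programs folders, identifies PE files by their MZ header rather than by extension, and returns SHA-256 digests for comparison against known-bad hashes. The throwaway fixture folder and the filenames in build_sample_tree() are constructed test input.

```python
import hashlib
import os
import tempfile

# Start Menu\Programs locations: the per-user path is relative to C:\Users\<profile>.
USER_PROGRAMS = os.path.join("AppData", "Roaming", "Microsoft", "Windows", "Start Menu", "Programs")
ALL_USERS_PROGRAMS = r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs"


def is_pe(path: str) -> bool:
    """Check the DOS header signature instead of trusting the extension."""
    try:
        with open(path, "rb") as fh:
            return fh.read(2) == b"MZ"
    except OSError:
        return False


def sha256_of(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(1 << 20), b""):
            h.update(block)
    return h.hexdigest()


def find_pe_in_start_menu(roots):
    """Walk each Programs root and return sorted [(path, sha256)] for every PE found."""
    findings = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                full = os.path.join(dirpath, name)
                if is_pe(full):
                    findings.append((full, sha256_of(full)))
    return sorted(findings)


def host_roots(users_dir: str = r"C:\Users"):
    """Expand the Programs folder of every profile plus the all-users one (Windows host)."""
    roots = [ALL_USERS_PROGRAMS]
    if os.path.isdir(users_dir):
        for profile in os.listdir(users_dir):
            roots.append(os.path.join(users_dir, profile, USER_PROGRAMS))
    return [r for r in roots if os.path.isdir(r)]


def build_sample_tree(base: str) -> str:
    """Construct a test fixture (not from the report): one real-looking shortcut, one PE in
    a benign-looking subfolder, and one PE renamed to .txt to show the header check."""
    programs = os.path.join(base, "Start Menu", "Programs")
    os.makedirs(os.path.join(programs, "notepod"), exist_ok=True)
    with open(os.path.join(programs, "Notepad.lnk"), "wb") as fh:
        fh.write(b"L\x00\x00\x00\x01\x14\x02\x00" + b"\x00" * 16)  # ShellLink header start
    with open(os.path.join(programs, "notepod", "noteped.exe"), "wb") as fh:
        fh.write(b"MZ" + b"\x90" * 62 + b"PE\x00\x00")  # minimal fake PE stub
    with open(os.path.join(programs, "readme.txt"), "wb") as fh:
        fh.write(b"MZ" + b"\x00" * 30)  # PE content hiding behind a text extension
    return programs


def demo():
    """Run the hunt against the constructed fixture; paths are returned relative to the
    Programs folder with '/' separators so the result is the same on any OS."""
    programs = build_sample_tree(tempfile.mkdtemp(prefix="startmenu-"))
    return [(os.path.relpath(p, programs).replace(os.sep, "/"), d)
            for p, d in find_pe_in_start_menu([programs])]


if __name__ == "__main__":
    roots = host_roots() or []
    for path, digest in (find_pe_in_start_menu(roots) if roots else demo()):
        print(f"{digest}  {path}")
```

        On a Windows host the script enumerates the real profile folders; anywhere else it falls back to the fixture so the logic can be exercised. Feed the digests to whatever hash reputation you trust; a PE in this folder deserves a look even when the hash is unknown.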

        Unpacked PE Files

        Source | Detection | Scanner | Label
        12.2.noteped.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
        6.2.noteped.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
        1.2.kelvinx.exe.5a30000.4.unpack | 100% | Avira | TR/NanoCore.fadte
        1.2.kelvinx.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7

        Domains

        No Antivirus matches

        URLs

        Source | Detection | Scanner | Label
        http://www.jiyu-kobo.co.jp/0w | 0% | Avira URL Cloud | safe
        http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
        http://www.jiyu-kobo.co.jp/jp/.w | 0% | Avira URL Cloud | safe
        http://www.founder.com.cn/cna-d | 0% | Avira URL Cloud | safe
        http://www.founder.com.cn/cn~ | 0% | Avira URL Cloud | safe
        http://www.jiyu-kobo.co.jp/J | 0% | Avira URL Cloud | safe
        http://www.galapagosdesign.com/staff/dennis.htmNormalr | 0% | Avira URL Cloud | safe
        http://www.tiro.com | 0% | URL Reputation | safe
        http://www.fontbureau.comcomo | 0% | Avira URL Cloud | safe
        http://www.founder.com.cn/cnude | 0% | Avira URL Cloud | safe
        http://www.jiyu-kobo.co.jp/jp/qwCz | 0% | Avira URL Cloud | safe
        http://www.goodfont.co.kr | 0% | URL Reputation | safe
        http://www.jiyu-kobo.co.jp/Vwfz | 0% | Avira URL Cloud | safe
        http://www.carterandcone.com | 0% | URL Reputation | safe
        http://www.jiyu-kobo.co.jp/jp/ | 0% | URL Reputation | safe
        http://en.w | 0% | URL Reputation | safe
        http://www.carterandcone.coml | 0% | URL Reputation | safe
        http://www.sajatypeworks.com | 0% | URL Reputation | safe
        http://www.founder.com.cn/cn/ | 0% | URL Reputation | safe
        http://www.typography.netD | 0% | URL Reputation | safe
        http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
        http://www.jiyu-kobo.co.jp/z | 0% | Avira URL Cloud | safe
        http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
        http://fontfabrik.com | 0% | URL Reputation | safe
        http://www.carterandcone.comimS | 0% | Avira URL Cloud | safe
        http://www.founder.com.cn/cn | 0% | URL Reputation | safe
        http://www.jiyu-kobo.co.jp/Y01 | 0% | Avira URL Cloud | safe
        http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
        http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
        http://www.sandoll.co.kr | 0% | URL Reputation | safe
        http://www.founder.com.cn/cnd: | 0% | Avira URL Cloud | safe
        http://www.jiyu-kobo.co.jp/xwtz | 0% | Avira URL Cloud | safe
        http://www.urwpp.deDPlease | 0% | URL Reputation | safe
        http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
        http://www.sakkal.com | 0% | URL Reputation | safe
        http://en.wikipF | 0% | Avira URL Cloud | safe
        http://en.wC | 0% | Avira URL Cloud | safe
        http://www.carterandcone.comper | 0% | Avira URL Cloud | safe
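
        Every address in this table is a type foundry, type designer or font-licence URL of the kind a TrueType 'name' table carries (Font Bureau, Tiro, Carter & Cone, Sakkal, URW, Jiyu-Kobo, Founder, Sandoll, the Apache-2.0 licence link), and the sample queried dozens of C:\Windows\Fonts\*.TTF files with System.Drawing.dll loaded, so the most plausible origin is font metadata read into memory during font enumeration rather than any network indicator. The odd tails ("comcomo", "DPlease", "cThe") are the string carver running from the URL into the next name record. The triage below parses a font's 'name' table and checks carved strings against it, so that such entries can be set aside and attention kept on the unexplained ones. It is an added example written for this page, not part of the Joe Sandbox report; the minimal fake font and the carved-string list (including the made-up 203.0.113.7 address) are constructed inputs, and on a real host you would feed it the actual C:\Windows\Fonts files.

```python
import re
import struct

# OpenType 'name' table IDs that carry free text, including the vendor, designer and
# licence URLs that end up in process memory when a font is loaded.
NAME_IDS = {0: "copyright", 8: "manufacturer", 9: "designer", 10: "description",
            11: "vendor_url", 12: "designer_url", 13: "license", 14: "license_url"}
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def parse_name_table(font: bytes) -> dict:
    """Return {name_id: text} from the 'name' table of an sfnt (TTF/OTF) blob.
    Only the table directory and the name table itself are parsed."""
    num_tables = struct.unpack_from(">H", font, 4)[0]
    for i in range(num_tables):
        tag, _checksum, off, _length = struct.unpack_from(">4sIII", font, 12 + 16 * i)
        if tag == b"name":
            break
    else:
        return {}
    _fmt, count, strings_off = struct.unpack_from(">HHH", font, off)
    out = {}
    for i in range(count):
        plat, _enc, _lang, nid, ln, soff = struct.unpack_from(">HHHHHH", font, off + 6 + 12 * i)
        start = off + strings_off + soff
        raw = font[start:start + ln]
        # Windows (platform 3) records are UTF-16BE; Macintosh (platform 1) records are single-byte.
        out[nid] = raw.decode("utf-16-be" if plat == 3 else "latin-1", errors="replace")
    return out


def font_urls(font: bytes) -> set:
    """All URLs present in any name record of the font."""
    urls = set()
    for text in parse_name_table(font).values():
        urls.update(URL_RE.findall(text))
    return urls


def classify(memory_urls, fonts):
    """Split carved URLs into those explained by font metadata and those that are not.

    A carved string such as 'http://www.fontbureau.comcomo' is the font URL plus bytes of
    the following record, so a prefix match against the real font URL is used.
    """
    known = set()
    for f in fonts:
        known |= font_urls(f)
    explained = {u for u in memory_urls if any(u.startswith(k) for k in known)}
    return explained, set(memory_urls) - explained


def build_font(records) -> bytes:
    """Construct a minimal sfnt holding only a 'name' table (test input, not a real font)."""
    strings, recs = b"", b""
    for nid, text in records:
        data = text.encode("utf-16-be")
        recs += struct.pack(">HHHHHH", 3, 1, 0x0409, nid, len(data), len(strings))
        strings += data
    name_table = struct.pack(">HHH", 0, len(records), 6 + 12 * len(records)) + recs + strings
    header = struct.pack(">IHHHH", 0x00010000, 1, 16, 0, 0)  # one table
    directory = struct.pack(">4sIII", b"name", 0, 12 + 16, len(name_table))
    return header + directory + name_table


# Constructed inputs: a fake font carrying one foundry URL from the report's list plus a
# licence link, and a few carved strings (the last one is a made-up address no font explains).
SAMPLE_FONT = build_font([
    (0, "Copyright (c) The Font Bureau, Inc."),
    (11, "http://www.fontbureau.com"),
    (13, "Licensed under http://www.apache.org/licenses/LICENSE-2.0"),
])
SAMPLE_MEMORY_URLS = [
    "http://www.fontbureau.comcomo",
    "http://www.fontbureau.com/designers?",
    "http://www.apache.org/licenses/LICENSE-2.0",
    "http://203.0.113.7/",
]

if __name__ == "__main__":
    explained, unexplained = classify(SAMPLE_MEMORY_URLS, [SAMPLE_FONT])
    print("explained by font metadata:", sorted(explained))
    print("still to triage:", sorted(unexplained))
```

        Point the same functions at the real font files the report lists under "Queries volume information" and the whole URL table collapses to font noise; anything left in the unexplained set is what a network-indicator review should spend its time on.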

        Domains and IPs

        Contacted Domains

        No contacted domains info

        URLs from Memory and Binaries


                            Contacted IPs


                            Public

IP: 185.140.53.132
Domain: unknown
Country: Sweden
ASN: 209623
ASN Name: DAVID_CRAIGGG
Malicious: true

                            General Information

Joe Sandbox Version: 31.0.0 Red Diamond
Analysis ID: 322215
Start date: 24.11.2020
Start time: 17:56:15
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 13m 7s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: kelvinx.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 23
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winEXE@9/5@0/1
EGA Information: Failed
HDC Information: Failed
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 127
• Number of non-executed functions: 6
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
                            Warnings:
                            • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
                            • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                            • Report creation exceeded maximum time and may have missing disassembly code information.
                            • Report size exceeded maximum capacity and may have missing behavior information.
                            • Report size getting too big, too many NtAllocateVirtualMemory calls found.

                            Simulations

                            Behavior and APIs

Time | Type | Description
17:57:08 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run noteped "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exe"
17:57:11 | API Interceptor | 951x Sleep call for process: kelvinx.exe modified
17:57:16 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run noteped "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exe"

                            Joe Sandbox View / Context

                            IPs

Match: 185.140.53.132
Associated samples (Detection: malicious for every entry):
• 1kn1ejwPxi.exe
• 7iatifHQEp.exe
• Do43p0ghpz.exe
• zWKtabs92B.exe
• 0076364_00533MXS2.jar
• Atlas Home Products Inc RFQ_pdf.jar
• Payment Advice Hsbc_pdf.jar
• NOTIFICA DI ARRIVO DHL_PDF.jar
• NOTIFICA DI ARRIVO DHL_PDF.jar
• BOLDROCCHI SRL ITALY QUOTATION REQUEST_PDF.jar
• REQUEST FOR QUOTATION.jar
• REQUEST FOR QUOTATION_pdf.jar
• REQUEST FOR QUOTATION_pdf.jar
• Yasuda Kogyo Thailand Co Ltd Request For Quotation_pdf.jar
• Yasuda Kogyo Thailand Co Ltd Request For Quotation_pdf.jar
• Ziraat Bankasi Swift_pdf.jar
• YI SHNUFA REQUEST FOR QUOTATION.jar
• YI SHNUFA REQUEST FOR QUOTATION.jar
• TyRSrOojgV.exe
• 2KGU6Ue1fD.exe

                                                                    Domains

                                                                    No context

                                                                    ASN


                                                                    JA3 Fingerprints

                                                                    No context

                                                                    Dropped Files

                                                                    No context

                                                                    Created / dropped Files

                                                                    C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\kelvinx.exe.log
Process: C:\Users\user\Desktop\kelvinx.exe
File Type: ASCII text, with CRLF line terminators
Category: modified
Size (bytes): 1119
Entropy (8bit): 5.356708753875314
Encrypted: false
SSDEEP: 24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzd
MD5: 3197B1D4714B56F2A6AC9E83761739AE
SHA1: 3B38010F0DF51C1D4D2C020138202DABB686741D
SHA-256: 40586572180B85042FEFED9F367B43831C5D269751D9F3940BBC29B41E18E9F6
SHA-512: 58EC975A53AD9B19B425F6C6843A94CC280F794D436BBF3D29D8B76CA1E8C2D8883B3E754F9D4F2C9E9387FE88825CCD9919369A5446B1AFF73EDBE07FA94D88
Malicious: true
Reputation: moderate, very likely benign file
                                                                    Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                                                                    C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\noteped.exe.log
Process: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1119
Entropy (8bit): 5.356708753875314
Encrypted: false
SSDEEP: 24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzd
MD5: 3197B1D4714B56F2A6AC9E83761739AE
SHA1: 3B38010F0DF51C1D4D2C020138202DABB686741D
SHA-256: 40586572180B85042FEFED9F367B43831C5D269751D9F3940BBC29B41E18E9F6
SHA-512: 58EC975A53AD9B19B425F6C6843A94CC280F794D436BBF3D29D8B76CA1E8C2D8883B3E754F9D4F2C9E9387FE88825CCD9919369A5446B1AFF73EDBE07FA94D88
Malicious: false
Reputation: moderate, very likely benign file
                                                                    Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                                                                    C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
Process: C:\Users\user\Desktop\kelvinx.exe
File Type: Non-ISO extended-ASCII text, with no line terminators
Category: dropped
Size (bytes): 8
Entropy (8bit): 3.0
Encrypted: false
SSDEEP: 3:j/tn:B
MD5: 7BA5C76EEEAAFAC03FA652DB1B992259
SHA1: A003E71FB8D389EA8D30D464095DD3CA0AFE8302
SHA-256: A3B6AD29006658E0A88D38C34AD7541C0C6BEB75E76C7AEF80195110DFCE5406
SHA-512: B22927302B1614585CDD5F6BFD9935EA64F240800D2801398D25543D9E0E85D2123F73785954523A8DF2D88E0B772B4DB2E076E8381592EFBB44BC0EDA0763F5
Malicious: true
Reputation: low
                                                                    Preview: ..#l..H
                                                                    C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exe
                                                                    Process:C:\Users\user\Desktop\kelvinx.exe
                                                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):783872
                                                                    Entropy (8bit):4.202608930384064
                                                                    Encrypted:false
                                                                    SSDEEP:12288:uAeJdbNJHrO2MZQZhCHy3yYoNp8sGayaRHWXVM4tGG:ybNJLnMZQZMNp7z0GG
                                                                    MD5:0E4ECBB7EBDD4C7341658B9E6471A0B7
                                                                    SHA1:994026038FCBD0514D029C511F20BDA6B0B17080
                                                                    SHA-256:20EB19EBF2DE8995ADBC740F2A797CC3119FACE8760885E7CB9E3A6F3D376D5D
                                                                    SHA-512:71493FA50A84576DD8DE39B6A4A111DAB5626073589AFDD9F172C4E292F2E1C220F4DE5257DDAB932A73BC5DD0CCDDEA89336D36536AB4EC2C264DFFFE2EF5EA
                                                                    Malicious:true
                                                                    Antivirus:
                                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                    • Antivirus: ReversingLabs, Detection: 52%
                                                                    Reputation:low
                                                                    Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......_.....................L........... ........@.. .......................`............@.....................................W........H...................@....................................................... ............... ..H............text........ ...................... ..`.rsrc....H.......J..................@..@.reloc.......@......................@..B........................H.......l...0)..........lJ...S...........................................0.............-.&(....+.&+.*....0.............-.&(....+.&+.*....0.............-.&(....+.&+.*....0.............-.&(....+.&+.*....0.............,.&(....+.&+.*....0.............-.&(....+.&+.*....0..)........-...-.&sf....-.&+.(....+.(....+.(....+.*....0.............-.&(....+.&+.*....0..F.......~.....(....,3 .4..(.........(....o....s.....-.&..-.&+..+......+.~....*...~....*..0............-.&+......+.*.j(.... .

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exe:Zone.Identifier
Process: C:\Users\user\Desktop\kelvinx.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 26
Entropy (8bit): 3.95006375643621
Encrypted: false
SSDEEP: 3:ggPYV:rPYV
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: true
Reputation: high, very likely benign file
Preview: [ZoneTransfer]....ZoneId=0

Static File Info

General

File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 4.202608930384064
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.83%
• Win32 Executable (generic) a (10002005/4) 49.78%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Generic Win/DOS Executable (2004/3) 0.01%
• DOS Executable Generic (2002/1) 0.01%
File name: kelvinx.exe
File size: 783872
MD5: 0e4ecbb7ebdd4c7341658b9e6471a0b7
SHA1: 994026038fcbd0514d029c511f20bda6b0b17080
SHA256: 20eb19ebf2de8995adbc740f2a797cc3119face8760885e7cb9e3a6f3d376d5d
SHA512: 71493fa50a84576dd8de39b6a4a111dab5626073589afdd9f172c4e292f2e1c220f4de5257ddab932a73bc5dd0ccddea89336d36536ab4ec2c264dfffe2ef5ea
SSDEEP: 12288:uAeJdbNJHrO2MZQZhCHy3yYoNp8sGayaRHWXVM4tGG:ybNJLnMZQZMNp7z0GG
                                                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......_.....................L........... ........@.. .......................`............@................................

File Icon

Icon Hash: 31b1393969391b39

Static PE Info

General

Entrypoint: 0x4bc6f6
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
DLL Characteristics: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp: 0x5FBBAB02 [Mon Nov 23 12:28:50 2020 UTC]
TLS Callbacks:
CLR (.Net) Version: v4.0.30319
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xbc69c | 0x57 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xbe000 | 0x48b4 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xc4000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xba6fc | 0xba800 | False | 0.415618978301 | data | 4.02562612318 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc | 0xbe000 | 0x48b4 | 0x4a00 | False | 0.664643158784 | data | 6.51515856258 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xc4000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name | RVA | Size | Type | Language | Country
RT_ICON | 0xbe130 | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16384, next free block index 40, next free block 4294268550, next used block 4294202757 | |
RT_GROUP_ICON | 0xc2358 | 0x14 | data | |
RT_VERSION | 0xc236c | 0x394 | data | |
RT_MANIFEST | 0xc2700 | 0x1b4 | XML 1.0 document, UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators | |

Imports

DLL | Import
mscoree.dll | _CorExeMain

Version Infos

Description | Data
Translation | 0x0000 0x04b0
LegalCopyright | Valts Silaputnins (c) 2002-2017 All Rights Reserved
Assembly Version | 6.4.0.7666
InternalName | Khmprj5.exe
FileVersion | 6.4.0.7666
CompanyName | Proxy Switcher
Comments | Proxy Switcher
ProductName | Proxy Switcher
ProductVersion | 6.4.0.7666
FileDescription | Proxy Switcher
OriginalFilename | Khmprj5.exe

Network Behavior

Network Port Distribution

TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 24, 2020 17:57:25.073673964 CET | 49715 | 7600 | 192.168.2.5 | 185.140.53.132
Nov 24, 2020 17:57:25.101609945 CET | 7600 | 49715 | 185.140.53.132 | 192.168.2.5
Nov 24, 2020 17:57:25.602993965 CET | 49715 | 7600 | 192.168.2.5 | 185.140.53.132
Nov 24, 2020 17:57:25.629240036 CET | 7600 | 49715 | 185.140.53.132 | 192.168.2.5
Nov 24, 2020 17:57:26.134700060 CET | 49715 | 7600 | 192.168.2.5 | 185.140.53.132
Nov 24, 2020 17:57:26.161360025 CET | 7600 | 49715 | 185.140.53.132 | 192.168.2.5
Nov 24, 2020 17:57:30.198173046 CET | 49716 | 7600 | 192.168.2.5 | 185.140.53.132
Nov 24, 2020 17:57:30.225003958 CET | 7600 | 49716 | 185.140.53.132 | 192.168.2.5
Nov 24, 2020 17:57:30.728708982 CET | 49716 | 7600 | 192.168.2.5 | 185.140.53.132
Nov 24, 2020 17:57:30.755484104 CET | 7600 | 49716 | 185.140.53.132 | 192.168.2.5
Nov 24, 2020 17:57:31.260085106 CET | 49716 | 7600 | 192.168.2.5 | 185.140.53.132
Nov 24, 2020 17:57:31.286396980 CET | 7600 | 49716 | 185.140.53.132 | 192.168.2.5
Nov 24, 2020 17:57:35.405589104 CET | 49717 | 7600 | 192.168.2.5 | 185.140.53.132
Nov 24, 2020 17:57:35.432176113 CET | 7600 | 49717 | 185.140.53.132 | 192.168.2.5
Nov 24, 2020 17:57:35.947624922 CET | 49717 | 7600 | 192.168.2.5 | 185.140.53.132
Nov 24, 2020 17:57:35.974446058 CET | 7600 | 49717 | 185.140.53.132 | 192.168.2.5
Nov 24, 2020 17:57:36.494554996 CET | 49717 | 7600 | 192.168.2.5 | 185.140.53.132
Nov 24, 2020 17:57:36.521564960 CET | 7600 | 49717 | 185.140.53.132 | 192.168.2.5
Nov 24, 2020 17:57:53.293711901 CET | 49735 | 7600 | 192.168.2.5 | 185.140.53.132
Nov 24, 2020 17:57:53.320538998 CET | 7600 | 49735 | 185.140.53.132 | 192.168.2.5
Nov 24, 2020 17:57:53.824115992 CET | 49735 | 7600 | 192.168.2.5 | 185.140.53.132
Nov 24, 2020 17:57:53.850712061 CET | 7600 | 49735 | 185.140.53.132 | 192.168.2.5
Nov 24, 2020 17:57:54.355438948 CET | 49735 | 7600 | 192.168.2.5 | 185.140.53.132
Nov 24, 2020 17:57:54.382368088 CET | 7600 | 49735 | 185.140.53.132 | 192.168.2.5
Nov 24, 2020 17:57:58.482429981 CET | 49737 | 7600 | 192.168.2.5 | 185.140.53.132
Nov 24, 2020 17:57:58.509083033 CET | 7600 | 49737 | 185.140.53.132 | 192.168.2.5
Nov 24, 2020 17:57:59.012036085 CET | 49737 | 7600 | 192.168.2.5 | 185.140.53.132
Nov 24, 2020 17:57:59.038661957 CET | 7600 | 49737 | 185.140.53.132 | 192.168.2.5
Nov 24, 2020 17:57:59.543447971 CET | 49737 | 7600 | 192.168.2.5 | 185.140.53.132
Nov 24, 2020 17:57:59.570210934 CET | 7600 | 49737 | 185.140.53.132 | 192.168.2.5
Nov 24, 2020 17:58:03.577419996 CET | 49739 | 7600 | 192.168.2.5 | 185.140.53.132
Nov 24, 2020 17:58:03.603759050 CET | 7600 | 49739 | 185.140.53.132 | 192.168.2.5
Nov 24, 2020 17:58:04.106302023 CET | 49739 | 7600 | 192.168.2.5 | 185.140.53.132
Nov 24, 2020 17:58:04.132730961 CET | 7600 | 49739 | 185.140.53.132 | 192.168.2.5
Nov 24, 2020 17:58:04.637505054 CET | 49739 | 7600 | 192.168.2.5 | 185.140.53.132
Nov 24, 2020 17:58:04.664300919 CET | 7600 | 49739 | 185.140.53.132 | 192.168.2.5
Nov 24, 2020 17:58:20.812513113 CET | 49740 | 7600 | 192.168.2.5 | 185.140.53.132
Nov 24, 2020 17:58:20.839032888 CET | 7600 | 49740 | 185.140.53.132 | 192.168.2.5
Nov 24, 2020 17:58:21.342053890 CET | 49740 | 7600 | 192.168.2.5 | 185.140.53.132
Nov 24, 2020 17:58:21.368587017 CET | 7600 | 49740 | 185.140.53.132 | 192.168.2.5
Nov 24, 2020 17:58:21.873284101 CET | 49740 | 7600 | 192.168.2.5 | 185.140.53.132
Nov 24, 2020 17:58:21.899713993 CET | 7600 | 49740 | 185.140.53.132 | 192.168.2.5
Nov 24, 2020 17:58:25.922238111 CET | 49743 | 7600 | 192.168.2.5 | 185.140.53.132
Nov 24, 2020 17:58:25.948868036 CET | 7600 | 49743 | 185.140.53.132 | 192.168.2.5
Nov 24, 2020 17:58:26.451749086 CET | 49743 | 7600 | 192.168.2.5 | 185.140.53.132
Nov 24, 2020 17:58:26.478372097 CET | 7600 | 49743 | 185.140.53.132 | 192.168.2.5
Nov 24, 2020 17:58:26.983045101 CET | 49743 | 7600 | 192.168.2.5 | 185.140.53.132
Nov 24, 2020 17:58:27.009251118 CET | 7600 | 49743 | 185.140.53.132 | 192.168.2.5
Nov 24, 2020 17:58:31.330995083 CET | 49744 | 7600 | 192.168.2.5 | 185.140.53.132
Nov 24, 2020 17:58:31.357367039 CET | 7600 | 49744 | 185.140.53.132 | 192.168.2.5
Nov 24, 2020 17:58:31.874105930 CET | 49744 | 7600 | 192.168.2.5 | 185.140.53.132
Nov 24, 2020 17:58:31.900265932 CET | 7600 | 49744 | 185.140.53.132 | 192.168.2.5
Nov 24, 2020 17:58:32.421050072 CET | 49744 | 7600 | 192.168.2.5 | 185.140.53.132
Nov 24, 2020 17:58:32.447215080 CET | 7600 | 49744 | 185.140.53.132 | 192.168.2.5
Nov 24, 2020 17:58:49.379565954 CET | 49745 | 7600 | 192.168.2.5 | 185.140.53.132
Nov 24, 2020 17:58:49.406280994 CET | 7600 | 49745 | 185.140.53.132 | 192.168.2.5
Nov 24, 2020 17:58:49.906951904 CET | 49745 | 7600 | 192.168.2.5 | 185.140.53.132
Nov 24, 2020 17:58:49.933033943 CET | 7600 | 49745 | 185.140.53.132 | 192.168.2.5
Nov 24, 2020 17:58:50.438106060 CET | 49745 | 7600 | 192.168.2.5 | 185.140.53.132
Nov 24, 2020 17:58:50.464126110 CET | 7600 | 49745 | 185.140.53.132 | 192.168.2.5
Nov 24, 2020 17:58:54.503382921 CET | 49746 | 7600 | 192.168.2.5 | 185.140.53.132
Nov 24, 2020 17:58:54.529875994 CET | 7600 | 49746 | 185.140.53.132 | 192.168.2.5
Nov 24, 2020 17:58:55.032444000 CET | 49746 | 7600 | 192.168.2.5 | 185.140.53.132
Nov 24, 2020 17:58:55.058907032 CET | 7600 | 49746 | 185.140.53.132 | 192.168.2.5
Nov 24, 2020 17:58:55.565989017 CET | 49746 | 7600 | 192.168.2.5 | 185.140.53.132
Nov 24, 2020 17:58:55.592271090 CET | 7600 | 49746 | 185.140.53.132 | 192.168.2.5
Nov 24, 2020 17:58:59.597549915 CET | 49747 | 7600 | 192.168.2.5 | 185.140.53.132
Nov 24, 2020 17:58:59.624389887 CET | 7600 | 49747 | 185.140.53.132 | 192.168.2.5
Nov 24, 2020 17:59:00.126689911 CET | 49747 | 7600 | 192.168.2.5 | 185.140.53.132
Nov 24, 2020 17:59:00.153503895 CET | 7600 | 49747 | 185.140.53.132 | 192.168.2.5
Nov 24, 2020 17:59:00.657816887 CET | 49747 | 7600 | 192.168.2.5 | 185.140.53.132
Nov 24, 2020 17:59:00.684556961 CET | 7600 | 49747 | 185.140.53.132 | 192.168.2.5

                                                                    Code Manipulations

                                                                    Statistics

                                                                    CPU Usage

                                                                    Memory Usage

                                                                    High Level Behavior Distribution

                                                                    Behavior

                                                                    System Behavior

                                                                    General

                                                                    Start time:17:57:00
                                                                    Start date:24/11/2020
                                                                    Path:C:\Users\user\Desktop\kelvinx.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:'C:\Users\user\Desktop\kelvinx.exe'
                                                                    Imagebase:0x4b0000
                                                                    File size:783872 bytes
                                                                    MD5 hash:0E4ECBB7EBDD4C7341658B9E6471A0B7
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:.Net C# or VB.NET
                                                                    Yara matches:
                                                                    • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.240965816.0000000003B26000.00000004.00000001.sdmp, Author: Florian Roth
                                                                    • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.240965816.0000000003B26000.00000004.00000001.sdmp, Author: Joe Security
                                                                    • Rule: NanoCore, Description: unknown, Source: 00000000.00000002.240965816.0000000003B26000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                    Reputation:low

                                                                    General

                                                                    Start time:17:57:09
                                                                    Start date:24/11/2020
                                                                    Path:C:\Users\user\Desktop\kelvinx.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:C:\Users\user\Desktop\kelvinx.exe
                                                                    Imagebase:0xe20000
                                                                    File size:783872 bytes
                                                                    MD5 hash:0E4ECBB7EBDD4C7341658B9E6471A0B7
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:.Net C# or VB.NET
                                                                    Yara matches:
                                                                    • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000002.492062764.00000000041A9000.00000004.00000001.sdmp, Author: Joe Security
                                                                    • Rule: NanoCore, Description: unknown, Source: 00000001.00000002.492062764.00000000041A9000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                    • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000002.493316264.0000000005A30000.00000004.00000001.sdmp, Author: Florian Roth
                                                                    • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000001.00000002.493316264.0000000005A30000.00000004.00000001.sdmp, Author: Florian Roth
                                                                    • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000002.493316264.0000000005A30000.00000004.00000001.sdmp, Author: Joe Security
                                                                    • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000002.493282549.00000000058E0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                    • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000001.00000002.493282549.00000000058E0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                    • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000002.488239312.0000000003161000.00000004.00000001.sdmp, Author: Joe Security
                                                                    • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000002.485264467.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                                                    • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000002.485264467.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                    • Rule: NanoCore, Description: unknown, Source: 00000001.00000002.485264467.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                    Reputation:low

                                                                    General

                                                                    Start time:17:57:16
                                                                    Start date:24/11/2020
                                                                    Path:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exe'
                                                                    Imagebase:0x130000
                                                                    File size:783872 bytes
                                                                    MD5 hash:0E4ECBB7EBDD4C7341658B9E6471A0B7
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:.Net C# or VB.NET
                                                                    Yara matches:
                                                                    • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000002.00000002.269811701.00000000035FB000.00000004.00000001.sdmp, Author: Florian Roth
                                                                    • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000002.00000002.269811701.00000000035FB000.00000004.00000001.sdmp, Author: Joe Security
                                                                    • Rule: NanoCore, Description: unknown, Source: 00000002.00000002.269811701.00000000035FB000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                    Antivirus matches:
                                                                    • Detection: 100%, Joe Sandbox ML
                                                                    • Detection: 52%, ReversingLabs
                                                                    Reputation:low

                                                                    General

                                                                    Start time:17:57:23
                                                                    Start date:24/11/2020
                                                                    Path:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exe
                                                                    Imagebase:0xa60000
                                                                    File size:783872 bytes
                                                                    MD5 hash:0E4ECBB7EBDD4C7341658B9E6471A0B7
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:.Net C# or VB.NET
                                                                    Yara matches:
                                                                    • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000006.00000002.284681945.0000000002FB1000.00000004.00000001.sdmp, Author: Joe Security
                                                                    • Rule: NanoCore, Description: unknown, Source: 00000006.00000002.284681945.0000000002FB1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                    • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000006.00000002.284823064.0000000003FB9000.00000004.00000001.sdmp, Author: Joe Security
                                                                    • Rule: NanoCore, Description: unknown, Source: 00000006.00000002.284823064.0000000003FB9000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                    • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000006.00000002.283332088.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                                                    • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000006.00000002.283332088.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                    • Rule: NanoCore, Description: unknown, Source: 00000006.00000002.283332088.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                    Reputation:low

                                                                    General

                                                                    Start time:17:57:24
                                                                    Start date:24/11/2020
                                                                    Path:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exe'
                                                                    Imagebase:0x7d0000
                                                                    File size:783872 bytes
                                                                    MD5 hash:0E4ECBB7EBDD4C7341658B9E6471A0B7
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:.Net C# or VB.NET
                                                                    Yara matches:
                                                                    • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000007.00000002.289900545.0000000003C9C000.00000004.00000001.sdmp, Author: Florian Roth
                                                                    • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000007.00000002.289900545.0000000003C9C000.00000004.00000001.sdmp, Author: Joe Security
                                                                    • Rule: NanoCore, Description: unknown, Source: 00000007.00000002.289900545.0000000003C9C000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                    Reputation:low

                                                                    General

                                                                    Start time:17:57:31
                                                                    Start date:24/11/2020
                                                                    Path:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exe
                                                                    Imagebase:0x6e0000
                                                                    File size:783872 bytes
                                                                    MD5 hash:0E4ECBB7EBDD4C7341658B9E6471A0B7
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:.Net C# or VB.NET
                                                                    Yara matches:
                                                                    • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000002.306118461.0000000003AE9000.00000004.00000001.sdmp, Author: Joe Security
                                                                    • Rule: NanoCore, Description: unknown, Source: 0000000C.00000002.306118461.0000000003AE9000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                    • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000002.305164959.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                                                    • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000002.305164959.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                    • Rule: NanoCore, Description: unknown, Source: 0000000C.00000002.305164959.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                    • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000002.306051125.0000000002AE1000.00000004.00000001.sdmp, Author: Joe Security
                                                                    • Rule: NanoCore, Description: unknown, Source: 0000000C.00000002.306051125.0000000002AE1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                    Reputation:low

                                                                    Disassembly

                                                                    Code Analysis

                                                                      Executed Functions

                                                                      APIs
                                                                      • GetUserNameA.ADVAPI32(00000000), ref: 070958AC
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.245767003.0000000007090000.00000040.00000001.sdmp, Offset: 07090000, based on PE: false
                                                                      Similarity
                                                                      • API ID: NameUser
                                                                      • String ID:
                                                                      • API String ID: 2645101109-0
                                                                      • Opcode ID: 23a39b7be704111345d5631ff771fea82edc4b87669408f4a2480146b02e1003
                                                                      • Instruction ID: 233af775df5b1084d930ad81d1f68f1123aaf1c9f08c1a6bb2393f0a110d3310
                                                                      • Opcode Fuzzy Hash: 23a39b7be704111345d5631ff771fea82edc4b87669408f4a2480146b02e1003
                                                                      • Instruction Fuzzy Hash: 235125B0D042198FDB14CFAAC985BDEFBF1AF48304F148129E816BB395CB749949CB91
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.245767003.0000000007090000.00000040.00000001.sdmp, Offset: 07090000, based on PE: false
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 889bfc9e9c3f60ddc61aaac36f3d6e653e7584dee150dee4506cccd972d88258
                                                                      • Instruction ID: 92c7ab63241a2e005eee3643847054dd906884764e2636a3b06a49f986d59751
                                                                      • Opcode Fuzzy Hash: 889bfc9e9c3f60ddc61aaac36f3d6e653e7584dee150dee4506cccd972d88258
                                                                      • Instruction Fuzzy Hash: 791279B4B001058FCB14DFA8D594AADB7F6EF89304F2582A9E415EB3A1CB31EC45CB91
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • GetCurrentProcess.KERNEL32 ref: 0268B748
                                                                      • GetCurrentThread.KERNEL32 ref: 0268B785
                                                                      • GetCurrentProcess.KERNEL32 ref: 0268B7C2
                                                                      • GetCurrentThreadId.KERNEL32 ref: 0268B81B
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.238397734.0000000002680000.00000040.00000001.sdmp, Offset: 02680000, based on PE: false
                                                                      Similarity
                                                                      • API ID: Current$ProcessThread
                                                                      • String ID:
                                                                      • API String ID: 2063062207-0
                                                                      • Opcode ID: 121b27f7030f19f72013465da0da8ecf9b159f6926e9d4702ac04e43094fdbdb
                                                                      • Instruction ID: dec2436884e95c81e68961a5dcb1877bfad224e60b07ae4d12808eda005cbbbd
                                                                      • Opcode Fuzzy Hash: 121b27f7030f19f72013465da0da8ecf9b159f6926e9d4702ac04e43094fdbdb
                                                                      • Instruction Fuzzy Hash: 345177B09007498FDB10DFA9D5487AEBBF1EF49318F248559E419B73A0CB346944CF61
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • GetCurrentProcess.KERNEL32 ref: 0268B748
                                                                      • GetCurrentThread.KERNEL32 ref: 0268B785
                                                                      • GetCurrentProcess.KERNEL32 ref: 0268B7C2
                                                                      • GetCurrentThreadId.KERNEL32 ref: 0268B81B
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.238397734.0000000002680000.00000040.00000001.sdmp, Offset: 02680000, based on PE: false
                                                                      Similarity
                                                                      • API ID: Current$ProcessThread
                                                                      • String ID:
                                                                      • API String ID: 2063062207-0
                                                                      • Opcode ID: 8595af1c9c0d58b251b037e515f5b21c3e3ab226fa7052d270c15f42c5d09922
                                                                      • Instruction ID: 8eb3ddccdfd11c3b1963ae44a24c230a898f5cd561f86404e449cb1106cdbce5
                                                                      • Opcode Fuzzy Hash: 8595af1c9c0d58b251b037e515f5b21c3e3ab226fa7052d270c15f42c5d09922
                                                                      • Instruction Fuzzy Hash: F95144B09007498FDB50DFA9D588BAEBBF1EF48318F248559E409B7350CB74A984CF65
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 070940DE
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.245767003.0000000007090000.00000040.00000001.sdmp, Offset: 07090000, based on PE: false
                                                                      Similarity
                                                                      • API ID: CreateProcess
                                                                      • String ID:
                                                                      • API String ID: 963392458-0
                                                                      • Opcode ID: 0e41b5b5993be45e3e95beab87621f6687714ef540dfde4eda028affcd18aabd
                                                                      • Instruction ID: b6bd69e4ff51f7a025a07ff971493bc383fbe38b9fb56dcc50ae2ec9810052e0
                                                                      • Opcode Fuzzy Hash: 0e41b5b5993be45e3e95beab87621f6687714ef540dfde4eda028affcd18aabd
                                                                      • Instruction Fuzzy Hash: 29A14AB1D0025ADFDF50CFA4C8817EEBBB2BF48314F148669E809A7280DB749985DF91
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 070940DE
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.245767003.0000000007090000.00000040.00000001.sdmp, Offset: 07090000, based on PE: false
                                                                      Similarity
                                                                      • API ID: CreateProcess
                                                                      • String ID:
                                                                      • API String ID: 963392458-0
                                                                      • Opcode ID: a32a07bf84c3776b5ea94b7d4d0bde8b100683f673e7b0662f7789807f3bf0a1
                                                                      • Instruction ID: df32b2723ffce297bc498dee86537da373d6e688134a9ce075eb1965c382ab76
                                                                      • Opcode Fuzzy Hash: a32a07bf84c3776b5ea94b7d4d0bde8b100683f673e7b0662f7789807f3bf0a1
                                                                      • Instruction Fuzzy Hash: 31914BB1D0025ADFDF50CFA4C8417DEBAF2BF48314F148669E809A7280DB749985DF91
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • GetModuleHandleW.KERNELBASE(00000000), ref: 02689636
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.238397734.0000000002680000.00000040.00000001.sdmp, Offset: 02680000, based on PE: false
                                                                      Similarity
                                                                      • API ID: HandleModule
                                                                      • String ID:
                                                                      • API String ID: 4139908857-0
                                                                      • Opcode ID: 1e92597a9abd841f2e8fd7ecf4fd1fc74591ff5b0acabc468ccedb9b6b1046c6
                                                                      • Instruction ID: e979e5f4075b0da130373d89977fb2ac06bcd4006246214714b1929ed9759515
                                                                      • Opcode Fuzzy Hash: 1e92597a9abd841f2e8fd7ecf4fd1fc74591ff5b0acabc468ccedb9b6b1046c6
                                                                      • Instruction Fuzzy Hash: DE7123B0A01B058FD764EF6AD4457AAB7F1BF88314F008A2DE54AD7B40DB35E805CB91
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • GetUserNameA.ADVAPI32(00000000), ref: 070958AC
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.245767003.0000000007090000.00000040.00000001.sdmp, Offset: 07090000, based on PE: false
                                                                      Similarity
                                                                      • API ID: NameUser
                                                                      • String ID:
                                                                      • API String ID: 2645101109-0
                                                                      • Opcode ID: f4a4df554a0fcc4c480d0055e0718cb42dbf7fcb28675666a784665612c10bac
                                                                      • Instruction ID: 75dcb60796e4d64fedb4e4b3d7aa7529bbc6507098f52f66b7ef3d6f2ffcf4fb
                                                                      • Opcode Fuzzy Hash: f4a4df554a0fcc4c480d0055e0718cb42dbf7fcb28675666a784665612c10bac
                                                                      • Instruction Fuzzy Hash: 155123B0D042598FDB14CFAAC995BDEFBF1AF48314F148129E816BB391C7749949CB90
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0268FE6A
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.238397734.0000000002680000.00000040.00000001.sdmp, Offset: 02680000, based on PE: false
                                                                      Similarity
                                                                      • API ID: CreateWindow
                                                                      • String ID:
                                                                      • API String ID: 716092398-0
                                                                      • Opcode ID: e19e82c2db21386d0e965d8ef6380a54dbc1db9d0d3a242d1eef37a34cc2313e
                                                                      • Instruction ID: c4eba91edf45f6d09471dae566c7255942e7e58bf5fa974366441f06211129bf
                                                                      • Opcode Fuzzy Hash: e19e82c2db21386d0e965d8ef6380a54dbc1db9d0d3a242d1eef37a34cc2313e
                                                                      • Instruction Fuzzy Hash: 6051D0B1D00349EFDB14CF99C984ADEBFB1BF48314F64822AE819AB250D7749985CF90
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0268FE6A
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.238397734.0000000002680000.00000040.00000001.sdmp, Offset: 02680000, based on PE: false
                                                                      Similarity
                                                                      • API ID: CreateWindow
                                                                      • String ID:
                                                                      • API String ID: 716092398-0
                                                                      • Opcode ID: 6560a57c4dd10a2bbaf7055633eb56fb700ddaabdf513f46674c7bbddc153d40
                                                                      • Instruction ID: 7786506c54e88630dadfd8915dd6bd0b8d602f9bad59ac2e7f5143d48ac21dff
                                                                      • Opcode Fuzzy Hash: 6560a57c4dd10a2bbaf7055633eb56fb700ddaabdf513f46674c7bbddc153d40
                                                                      • Instruction Fuzzy Hash: D641D0B1D00309EFDB14CF99C884ADEBBB5BF48314F64822AE819AB210D7749885CF90
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • CreateActCtxA.KERNEL32(?), ref: 02685411
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.238397734.0000000002680000.00000040.00000001.sdmp, Offset: 02680000, based on PE: false
                                                                      Similarity
                                                                      • API ID: Create
                                                                      • String ID:
                                                                      • API String ID: 2289755597-0
                                                                      • Opcode ID: bf3b928f0eafcb96e829f898ff1f00fe1336c7b6d6246b47a2d224ebbe70354b
                                                                      • Instruction ID: 767fdc514b83f7f6ed323b310fc6ee6f0a755bd757823bea96a77c74f3534fc1
                                                                      • Opcode Fuzzy Hash: bf3b928f0eafcb96e829f898ff1f00fe1336c7b6d6246b47a2d224ebbe70354b
                                                                      • Instruction Fuzzy Hash: 0C41F171C00219CFDB24DFA9C88479DBBB1FF88308F65816AD409BB251DB756949CF50
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • CreateActCtxA.KERNEL32(?), ref: 02685411
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.238397734.0000000002680000.00000040.00000001.sdmp, Offset: 02680000, based on PE: false
                                                                      Similarity
                                                                      • API ID: Create
                                                                      • String ID:
                                                                      • API String ID: 2289755597-0
                                                                      • Opcode ID: 101f8af0ec46c12ff2bd16d335164ba0b0da1168a913b7a698b68f70edfd4e94
                                                                      • Instruction ID: 16657517866b2ca9cac6728e2b764c9a541dcbcf0d7a6f3ad3d65092e59bc85e
                                                                      • Opcode Fuzzy Hash: 101f8af0ec46c12ff2bd16d335164ba0b0da1168a913b7a698b68f70edfd4e94
                                                                      • Instruction Fuzzy Hash: B541ED70C0061C8BDB24DFA9C884B9EBBB5BF48308F65816AD509BB251DBB56949CF90
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07093C10
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.245767003.0000000007090000.00000040.00000001.sdmp, Offset: 07090000, based on PE: false
                                                                      Similarity
                                                                      • API ID: MemoryProcessWrite
                                                                      • String ID:
                                                                      • API String ID: 3559483778-0
                                                                      • Opcode ID: c4142cf2fb0bef1ab2f4612c56b971bd05da15699103c533d9a93c7970d87880
                                                                      • Instruction ID: 2dd3a031405ade013be01a7e8dbc5c72635d9ab53034ca0d4d4488f8b8e950dc
                                                                      • Opcode Fuzzy Hash: c4142cf2fb0bef1ab2f4612c56b971bd05da15699103c533d9a93c7970d87880
                                                                      • Instruction Fuzzy Hash: 582115B19003599FCF50CFA9C8857EEBBF5FF48314F04842AE919A7240DB78A944DBA0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07093C10
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.245767003.0000000007090000.00000040.00000001.sdmp, Offset: 07090000, based on PE: false
                                                                      Similarity
                                                                      • API ID: MemoryProcessWrite
                                                                      • String ID:
                                                                      • API String ID: 3559483778-0
                                                                      • Opcode ID: 653841613a1325c067610f01299f08ef95612a50c56fdfef4ba2109f997a310b
                                                                      • Instruction ID: b88f69deb2ad17a1354d227f49d2e67d88f8eea3bdc163c7b2bcfe08b2e2c748
                                                                      • Opcode Fuzzy Hash: 653841613a1325c067610f01299f08ef95612a50c56fdfef4ba2109f997a310b
                                                                      • Instruction Fuzzy Hash: 1821F5B19003599FCF50CFA9C8857EEBBF5FF48314F148429E919A7240D778A954DBA0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07093CF0
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.245767003.0000000007090000.00000040.00000001.sdmp, Offset: 07090000, based on PE: false
                                                                      Similarity
                                                                      • API ID: MemoryProcessRead
                                                                      • String ID:
                                                                      • API String ID: 1726664587-0
                                                                      • Opcode ID: e912fe347a812e20e83b7670de29622fb8189f37e04791d8eea79d0c68a19601
                                                                      • Instruction ID: a195ed06e856ae4cca5e146e9a1bd4af2fe5d12c16d5d1b6f80ffb4194f358f1
                                                                      • Opcode Fuzzy Hash: e912fe347a812e20e83b7670de29622fb8189f37e04791d8eea79d0c68a19601
                                                                      • Instruction Fuzzy Hash: 552127B18003599FCF10CFA9C8856EEBBF5FF48324F408429E919A7240D7389944DBA1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • SetThreadContext.KERNELBASE(?,00000000), ref: 07093A66
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.245767003.0000000007090000.00000040.00000001.sdmp, Offset: 07090000, based on PE: false
                                                                      Similarity
                                                                      • API ID: ContextThread
                                                                      • String ID:
                                                                      • API String ID: 1591575202-0
                                                                      • Opcode ID: e8ea5d697884e0885a49f879142f8cb119e0f9c5500e98b2a9776ba7591c3cc8
                                                                      • Instruction ID: b78801c9ca8eafa9b4f970a6fd657488b48d5b9e6fde6d859b7d619e348e32ff
                                                                      • Opcode Fuzzy Hash: e8ea5d697884e0885a49f879142f8cb119e0f9c5500e98b2a9776ba7591c3cc8
                                                                      • Instruction Fuzzy Hash: 49216AB1D003499FCB50CFAAC4857EEBBF4EF48324F048429E519A7240DB78A984CFA1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0268B997
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.238397734.0000000002680000.00000040.00000001.sdmp, Offset: 02680000, based on PE: false
                                                                      Similarity
                                                                      • API ID: DuplicateHandle
                                                                      • String ID:
                                                                      • API String ID: 3793708945-0
                                                                      • Opcode ID: 516e224b8d147ed2db35fe97ba3db8885f316e34045569ef2a2f7e542315bf5c
                                                                      • Instruction ID: 449330271a386501b0e45dcca575bc60f0a5146598b0fada233d9f43a9c3a8a7
                                                                      • Opcode Fuzzy Hash: 516e224b8d147ed2db35fe97ba3db8885f316e34045569ef2a2f7e542315bf5c
                                                                      • Instruction Fuzzy Hash: 5321C3B5900248AFDF10CF9AD984ADEBBF4AB49324F14851AE914B3350C374A944CF65
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07093CF0
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.245767003.0000000007090000.00000040.00000001.sdmp, Offset: 07090000, based on PE: false
                                                                      Similarity
                                                                      • API ID: MemoryProcessRead
                                                                      • String ID:
                                                                      • API String ID: 1726664587-0
                                                                      • Opcode ID: 365be52d70e77497824e487a882e1ad563c678a67f562aed27ac427ea11ba454
                                                                      • Instruction ID: 29dbefe17fc7432086e0b6c0732e9bcb171d8c22940aea35d8daeb15bfb126ec
                                                                      • Opcode Fuzzy Hash: 365be52d70e77497824e487a882e1ad563c678a67f562aed27ac427ea11ba454
                                                                      • Instruction Fuzzy Hash: 7A2116B18003599FCF10CFAAC8846EEBBF5FF48314F508429E919A7240D7789944DBA0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • SetThreadContext.KERNELBASE(?,00000000), ref: 07093A66
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.245767003.0000000007090000.00000040.00000001.sdmp, Offset: 07090000, based on PE: false
                                                                      Similarity
                                                                      • API ID: ContextThread
                                                                      • String ID:
                                                                      • API String ID: 1591575202-0
                                                                      • Opcode ID: b2e1ac2a12756aef2ce24e78ddf4f4edbc18403fcf12c6e2e8020ebecffe5bb7
                                                                      • Instruction ID: 86505f081a4261cdf7d5945e3d08e737a00c312a0e4005f8b99e640d05d2f3aa
                                                                      • Opcode Fuzzy Hash: b2e1ac2a12756aef2ce24e78ddf4f4edbc18403fcf12c6e2e8020ebecffe5bb7
                                                                      • Instruction Fuzzy Hash: 912138B1D003099FCB50DFAAC8857EEBBF4EF48224F148429D519A7240DB78A944CFA0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0268B997
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.238397734.0000000002680000.00000040.00000001.sdmp, Offset: 02680000, based on PE: false
                                                                      Similarity
                                                                      • API ID: DuplicateHandle
                                                                      • String ID:
                                                                      • API String ID: 3793708945-0
                                                                      • Opcode ID: 6fb0cf5847d4a46ff7eef5389e5a1ebb79ab6f2abbec73efc7a8ef9a0af210ae
                                                                      • Instruction ID: b4620c26fd8222c402dcbabece024ca9ec238d235a67c042589f0cb9b2ebd85e
                                                                      • Opcode Fuzzy Hash: 6fb0cf5847d4a46ff7eef5389e5a1ebb79ab6f2abbec73efc7a8ef9a0af210ae
                                                                      • Instruction Fuzzy Hash: F321E4B5D002489FDF10CF9AD984ADEBBF8EB48324F14841AE914B3350C374A944CFA1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07093B2E
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.245767003.0000000007090000.00000040.00000001.sdmp, Offset: 07090000, based on PE: false
                                                                      Similarity
                                                                      • API ID: AllocVirtual
                                                                      • String ID:
                                                                      • API String ID: 4275171209-0
                                                                      • Opcode ID: fde45b993863ceb809a761a3913c5472676158b98d29331d241daa16ed24cfcd
                                                                      • Instruction ID: badd889afe927352677baf5c6fbdfd02211a6077f5300651b553424d84eb05d8
                                                                      • Opcode Fuzzy Hash: fde45b993863ceb809a761a3913c5472676158b98d29331d241daa16ed24cfcd
                                                                      • Instruction Fuzzy Hash: 6C1147718002499BCF10CFA9D8447EEBBF5AF88324F148419E515A7250CB75A944CFA0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,026896B1,00000800,00000000,00000000), ref: 026898C2
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.238397734.0000000002680000.00000040.00000001.sdmp, Offset: 02680000, based on PE: false
                                                                      Similarity
                                                                      • API ID: LibraryLoad
                                                                      • String ID:
                                                                      • API String ID: 1029625771-0
                                                                      • Opcode ID: 665e85da3187dd98e06fd3305fb8d0a83d5905168535aa20ade17a300fcf7903
                                                                      • Instruction ID: b702b378d797183d269706d91479d70d31a8e0d5b6cb1d9720ee59b24098ebad
                                                                      • Opcode Fuzzy Hash: 665e85da3187dd98e06fd3305fb8d0a83d5905168535aa20ade17a300fcf7903
                                                                      • Instruction Fuzzy Hash: 021103B2D003499FDB10DF9AC444AEEBBF4EB88324F04852AE915B7700C775A549CFA1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,026896B1,00000800,00000000,00000000), ref: 026898C2
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.238397734.0000000002680000.00000040.00000001.sdmp, Offset: 02680000, based on PE: false
                                                                      Similarity
                                                                      • API ID: LibraryLoad
                                                                      • String ID:
                                                                      • API String ID: 1029625771-0
                                                                      • Opcode ID: 5e2f42836ef578ac5f542e7cb68c1abf37590cb92b6624b1cea8c9e7ee2ab7a7
                                                                      • Instruction ID: b35e02bf5f0d65e7da7c289cd131df3b14cc98413f229ed630c5373e48bf6535
                                                                      • Opcode Fuzzy Hash: 5e2f42836ef578ac5f542e7cb68c1abf37590cb92b6624b1cea8c9e7ee2ab7a7
                                                                      • Instruction Fuzzy Hash: 251112B2D003498FCB10CF9AD444AEEFBF4AB88324F14852AE819B7340C775A645CFA1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07093B2E
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.245767003.0000000007090000.00000040.00000001.sdmp, Offset: 07090000, based on PE: false
                                                                      Similarity
                                                                      • API ID: AllocVirtual
                                                                      • String ID:
                                                                      • API String ID: 4275171209-0
                                                                      • Opcode ID: 5e568fdc2fedc9bdea055e97ce17d0fb12c032550b3482099c660722d8cf5e72
                                                                      • Instruction ID: bff065c37293d0c416a2d696d76cf2c8e3893bb299a1aa4a3d3113a2b962dc48
                                                                      • Opcode Fuzzy Hash: 5e568fdc2fedc9bdea055e97ce17d0fb12c032550b3482099c660722d8cf5e72
                                                                      • Instruction Fuzzy Hash: 8D1126719002499FCF10DFAAC844BEFFBF5AF48324F148429E615A7250CB75A944CFA0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.245767003.0000000007090000.00000040.00000001.sdmp, Offset: 07090000, based on PE: false
                                                                      Similarity
                                                                      • API ID: ResumeThread
                                                                      • String ID:
                                                                      • API String ID: 947044025-0
                                                                      • Opcode ID: 4487126ba431c3c5c28419bc93e4fc1f0b1cb9595f5ab072942aee39fa691208
                                                                      • Instruction ID: d68320e4fbbb58f63d79d84d4d8d6e58a6f037e529b8eebdfa7dbb508839bbb2
                                                                      • Opcode Fuzzy Hash: 4487126ba431c3c5c28419bc93e4fc1f0b1cb9595f5ab072942aee39fa691208
                                                                      • Instruction Fuzzy Hash: F11149B19003488FCB10DFAAD8447EEFBF5AB88224F148529D515B7240CB74A944CFA0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.245767003.0000000007090000.00000040.00000001.sdmp, Offset: 07090000, based on PE: false
                                                                      Similarity
                                                                      • API ID: ResumeThread
                                                                      • String ID:
                                                                      • API String ID: 947044025-0
• Opcode ID: 1aebedc4aba7ef60b5d4f3c4b623f68b223c0083bec07889761763141b3d8a29
• Instruction ID: 4e6582bd213d8a99f07cb4e57bc90f986b89bf091f57bb027f7b2ad6102931bc
• Opcode Fuzzy Hash: 1aebedc4aba7ef60b5d4f3c4b623f68b223c0083bec07889761763141b3d8a29
• Instruction Fuzzy Hash: 781128B19043498BCB10DFAAC8447EEFBF5AB88224F148429D515A7240CB74A944CFA4
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 02689636
Memory Dump Source
• Source File: 00000000.00000002.238397734.0000000002680000.00000040.00000001.sdmp, Offset: 02680000, based on PE: false
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
• Opcode ID: a3d3bfcf281baa3bb75237e496dca1e065f5c58afa6eec5a491b45b016f3a24c
• Instruction ID: e436d5258da3adb2396471aa96f959e4c655a5b258c0cbd3f3799553aa7786d4
• Opcode Fuzzy Hash: a3d3bfcf281baa3bb75237e496dca1e065f5c58afa6eec5a491b45b016f3a24c
• Instruction Fuzzy Hash: 8F110FB1C013898FDB10DF9AC844AEEFBF4AB88324F14851AD819B7300C378A585CFA1
Uniqueness
Uniqueness Score: -1.00%

APIs
• LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,026896B1,00000800,00000000,00000000), ref: 026898C2
Memory Dump Source
• Source File: 00000000.00000002.238397734.0000000002680000.00000040.00000001.sdmp, Offset: 02680000, based on PE: false
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0
• Opcode ID: aa5dd7b0676b461eee212b5c14d67238d057d2dcf8e7bf52c08783846d448e6d
• Instruction ID: 8f4480917fb45f713b7b641c2b8408ac27f87e23da5dee5145618ee4e51cca9e
• Opcode Fuzzy Hash: aa5dd7b0676b461eee212b5c14d67238d057d2dcf8e7bf52c08783846d448e6d
• Instruction Fuzzy Hash: 470178B69042888FCF108F98D4047EEBBF0EB95314F25856AD549AB391C375A949CF61
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.238244334.0000000000FCD000.00000040.00000001.sdmp, Offset: 00FCD000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 46fd38ae69e474fde9f576b340e2d4715d55cab4f72b07de6e6addd2564148e2
• Instruction ID: 0767086fbbdb9bf47bb62276f208e28b6a5122c05ef2733969922c27016a312a
• Opcode Fuzzy Hash: 46fd38ae69e474fde9f576b340e2d4715d55cab4f72b07de6e6addd2564148e2
• Instruction Fuzzy Hash: EE2108B2504245EFDB08DF10DAC1F2ABB65FB94324F24857DEA054B246C336E846D6A1
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.238244334.0000000000FCD000.00000040.00000001.sdmp, Offset: 00FCD000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4553b613fdcaa935597a707412748b6e02435d0dd3cc60e4a6ed3bff32f39e31
• Instruction ID: 2edbad067c6223b1849464c21ba1bd2164730df29bf0a42da5b04159d81f0ba0
• Opcode Fuzzy Hash: 4553b613fdcaa935597a707412748b6e02435d0dd3cc60e4a6ed3bff32f39e31
• Instruction Fuzzy Hash: F82108B2904245DFCB05DF10DAC1F2ABF65FB84328F24897DE9054B246C336D846D6A1
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.238309865.00000000025FD000.00000040.00000001.sdmp, Offset: 025FD000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 927cc9000fa86def0de1826a68058462ecfb3f66a35f437af16e25478d802744
• Instruction ID: e4633fdf6cd0f70054179386a02fe3508b5adc307606a6e173adf6d619cb6121
• Opcode Fuzzy Hash: 927cc9000fa86def0de1826a68058462ecfb3f66a35f437af16e25478d802744
• Instruction Fuzzy Hash: B32100B1504244EFDB54DF20D8C0B26BBB9FB84318F20C969EA0A4B646D73BD846CA61
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.238309865.00000000025FD000.00000040.00000001.sdmp, Offset: 025FD000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1751a35faad7db0dff09f1e14a40fb4bd72f00295b20a2cdfe209bff6029078b
• Instruction ID: 75a374b18cfdd5fa68061c249a9ffbcff2c7765376120823cb3e2a32e0401bbd
• Opcode Fuzzy Hash: 1751a35faad7db0dff09f1e14a40fb4bd72f00295b20a2cdfe209bff6029078b
• Instruction Fuzzy Hash: 552192755093C09FCB02CF24D594715BF71FB46214F28C5EAD9898B657C33A984ACB62
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.238244334.0000000000FCD000.00000040.00000001.sdmp, Offset: 00FCD000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d3d3a5c8a77c1f93a9d2bb5ebde4aa2dc7ff225c0119cd3fdbf9822ffe318854
• Instruction ID: f1557ad489d636b6ecaa2b6c76d77c653fd6fc4c1d13200bbf9a65d7b4da0fd5
• Opcode Fuzzy Hash: d3d3a5c8a77c1f93a9d2bb5ebde4aa2dc7ff225c0119cd3fdbf9822ffe318854
• Instruction Fuzzy Hash: F411B176804280DFCB15CF10DAC5B1ABF72FB84328F28C6ADD8450B656C336D85ADBA1
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.238244334.0000000000FCD000.00000040.00000001.sdmp, Offset: 00FCD000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d3d3a5c8a77c1f93a9d2bb5ebde4aa2dc7ff225c0119cd3fdbf9822ffe318854
• Instruction ID: d0e0038b635cc205b988f2539845f428ee7a5b79e7ecd4e317af5624b70ae94e
• Opcode Fuzzy Hash: d3d3a5c8a77c1f93a9d2bb5ebde4aa2dc7ff225c0119cd3fdbf9822ffe318854
• Instruction Fuzzy Hash: EB11E472804280DFCB05CF00D6C4B1ABF71FB94324F24C2ADD9090B616C33AE85ADBA1
Uniqueness
Uniqueness Score: -1.00%

Non-executed Functions

Memory Dump Source
• Source File: 00000000.00000002.245767003.0000000007090000.00000040.00000001.sdmp, Offset: 07090000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 271ce7d5ae6fd0c35578cd570ee6986d082c398c515f8ab547e9d28031900bf1
• Instruction ID: fff9b0a506f43f8792ebc8d333b231956aa871b3075b3c84616a8fc9ba63f8d6
• Opcode Fuzzy Hash: 271ce7d5ae6fd0c35578cd570ee6986d082c398c515f8ab547e9d28031900bf1
• Instruction Fuzzy Hash: 80D1AAB17016058FEB25EB79C420BAEB7F6AF89300F54466DD146DB390DB35E901CB62
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.238397734.0000000002680000.00000040.00000001.sdmp, Offset: 02680000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c08451ea1b4ba98bf0f87c623335b01466510ba5cc29b2dd59c692e10604dcfc
• Instruction ID: fc27bd3239b56ccd7c6a941a9f713556a6bacedf5cf64ea9b5f4fed8acee2281
• Opcode Fuzzy Hash: c08451ea1b4ba98bf0f87c623335b01466510ba5cc29b2dd59c692e10604dcfc
• Instruction Fuzzy Hash: 2112D4F1E917468AD310CF65E99818D3BA1B745328FD06A09D2632FAD1D7B421EECF84
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.238397734.0000000002680000.00000040.00000001.sdmp, Offset: 02680000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 286e31dfd50552933abeebe7f44ececc1c40814f68797debd813df1db1483ceb
• Instruction ID: 035d140d87f734d82caff204ae7c932dede0c26a9d171720cbec8012f612e0d1
• Opcode Fuzzy Hash: 286e31dfd50552933abeebe7f44ececc1c40814f68797debd813df1db1483ceb
• Instruction Fuzzy Hash: 9BA16E32E00219CFCF09EFB5C84459DBBB2FF89304B15866AE905BB261DB71A955CF50
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.238397734.0000000002680000.00000040.00000001.sdmp, Offset: 02680000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9bb7670f7b9989e0d279622c9f2dc3cd07c5ea18996a5c71d10cfb8323dde52b
• Instruction ID: 606c3ecd28b698e134037d195989b3e0611fd45286d2763a3258bead7cba2f57
• Opcode Fuzzy Hash: 9bb7670f7b9989e0d279622c9f2dc3cd07c5ea18996a5c71d10cfb8323dde52b
• Instruction Fuzzy Hash: 2FC13CB1E917458AD710CF64E89818D7BB1BB45328F906A09D2632F6D1D7B430EECF84
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.245767003.0000000007090000.00000040.00000001.sdmp, Offset: 07090000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ff442093c52b03a44348311d4e5c6aeec0341234232e425cadcb82c132f798ad
• Instruction ID: 5c30fddea7eff516d74a32fb7b82b04e96782358b097c950898671e57281c4e3
• Opcode Fuzzy Hash: ff442093c52b03a44348311d4e5c6aeec0341234232e425cadcb82c132f798ad
• Instruction Fuzzy Hash: BC8169B4B1460ADFDF64CB59C8407AEB3F2EB8A305F14827AD16697780C734A984DB51
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.245767003.0000000007090000.00000040.00000001.sdmp, Offset: 07090000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9bc053405544e0a43daeed06bc8057e83caea1919c85d12ea1000ba2e06d006c
• Instruction ID: bfedaf72a970a518ce5ab671f6b317e1c5e1de33ceb246ffc905e00405207b29
• Opcode Fuzzy Hash: 9bc053405544e0a43daeed06bc8057e83caea1919c85d12ea1000ba2e06d006c
• Instruction Fuzzy Hash: 338169B5F1420ADFDF54CB58C8447AEB3F2EB8A305F14827AD166A7B80C734A984DB51
Uniqueness
Uniqueness Score: -1.00%

Executed Functions

Memory Dump Source
• Source File: 00000001.00000002.493814175.0000000006800000.00000040.00000001.sdmp, Offset: 06800000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 292d7b27e4140f2f8186b0d87c7b7ffe5879f53dbfd7adc5326b85a089774d3d
• Instruction ID: 6dc7e71b9eea2b379c6754cfa993d11dfe840abd5c73d1b770fb499f48ac9128
• Opcode Fuzzy Hash: 292d7b27e4140f2f8186b0d87c7b7ffe5879f53dbfd7adc5326b85a089774d3d
• Instruction Fuzzy Hash: D8817A71D0420EDFEB50CFA9C8816EEBBB1FF48314F10892AD915EB250DB719949CB91
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetModuleHandleW.KERNEL32(00000000), ref: 0303962E
Memory Dump Source
• Source File: 00000001.00000002.488157939.0000000003030000.00000040.00000001.sdmp, Offset: 03030000, based on PE: false
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
• Opcode ID: 7435ac1ca46ba11526829d0f15f48c81b58d29445ab9f03add02b51b9c79dc5c
• Instruction ID: 84d629d1218f54d6feea508c2c577f06c1fd19b1c342fa6cd03e00c6e4f217fa
• Opcode Fuzzy Hash: 7435ac1ca46ba11526829d0f15f48c81b58d29445ab9f03add02b51b9c79dc5c
• Instruction Fuzzy Hash: 75714670A01B058FD764DF2AC44075BBBF9FF89204F04896EE486DBA50DB74E849CB91
Uniqueness
Uniqueness Score: -1.00%

APIs
• CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0303FD0A
Memory Dump Source
• Source File: 00000001.00000002.488157939.0000000003030000.00000040.00000001.sdmp, Offset: 03030000, based on PE: false
Similarity
• API ID: CreateWindow
• String ID:
• API String ID: 716092398-0
• Opcode ID: f8afd7064dceb7353f950a1af43f2fa99ef6e21e9ebb6db6718d492c4cfad42e
• Instruction ID: 5a744a2136246f0a3b6d095a7655b07385c7448671d59c9d49a6c05580b81ddb
• Opcode Fuzzy Hash: f8afd7064dceb7353f950a1af43f2fa99ef6e21e9ebb6db6718d492c4cfad42e
• Instruction Fuzzy Hash: EC6157B1C053899FCB11CFA9D880ADEFFB5BF4A310F18816AE814AB251D734A945CF91
Uniqueness
Uniqueness Score: -1.00%

APIs
• CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0303FD0A
Memory Dump Source
• Source File: 00000001.00000002.488157939.0000000003030000.00000040.00000001.sdmp, Offset: 03030000, based on PE: false
Similarity
• API ID: CreateWindow
• String ID:
• API String ID: 716092398-0
• Opcode ID: 5837c56c9d85fc085508bfa9d4979a28df2b9a234e60d5cd64e1258634354dcf
• Instruction ID: f2947551460bb869845e725b768950c9b7bc78d55e895eb45a6f7a2018afc1e2
• Opcode Fuzzy Hash: 5837c56c9d85fc085508bfa9d4979a28df2b9a234e60d5cd64e1258634354dcf
• Instruction Fuzzy Hash: FE5102B1C04249EFCF11CFA9C984ADEBFB6BF49314F18816AE818AB221D7719955CF50
Uniqueness
Uniqueness Score: -1.00%

APIs
• DnsQuery_A.DNSAPI(?,?,?,?,?,?), ref: 06803178
Memory Dump Source
• Source File: 00000001.00000002.493814175.0000000006800000.00000040.00000001.sdmp, Offset: 06800000, based on PE: false
Similarity
• API ID: Query_
• String ID:
• API String ID: 428220571-0
• Opcode ID: d468e9ce129ffc44b24860c8da657f6e1b604f756110a56c8456aa76c9136f87
• Instruction ID: f9b886bda5118d8040c8a3a1758c1ea3b7efd180ee9d8b7d56f4fed51668bcbc
• Opcode Fuzzy Hash: d468e9ce129ffc44b24860c8da657f6e1b604f756110a56c8456aa76c9136f87
• Instruction Fuzzy Hash: E45135B1D0421E9FEB50CFA9C9806DEBBB1FF48304F14852AE914A7290DB75A985CF91
Uniqueness
Uniqueness Score: -1.00%

APIs
• DnsQuery_A.DNSAPI(?,?,?,?,?,?), ref: 06803178
Memory Dump Source
• Source File: 00000001.00000002.493814175.0000000006800000.00000040.00000001.sdmp, Offset: 06800000, based on PE: false
Similarity
• API ID: Query_
• String ID:
• API String ID: 428220571-0
• Opcode ID: b1acf89d6d67f6374f3e37924af21fec5309384cebeca6b783d24c706aa5caad
• Instruction ID: 05c17c766a9482d91cfca50d3724b6ceb598deb39e82bdf33c5128d89432094e
• Opcode Fuzzy Hash: b1acf89d6d67f6374f3e37924af21fec5309384cebeca6b783d24c706aa5caad
• Instruction Fuzzy Hash: 63512670D0421E9FEB50CFA9C9807DEBBB1FF48304F14852AE914A7290DB75A985CF91
Uniqueness
Uniqueness Score: -1.00%

APIs
• CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0303FD0A
Memory Dump Source
• Source File: 00000001.00000002.488157939.0000000003030000.00000040.00000001.sdmp, Offset: 03030000, based on PE: false
Similarity
• API ID: CreateWindow
• String ID:
• API String ID: 716092398-0
• Opcode ID: 31ad98293dbe7861d21d671b55e915ee2eaf0d05400c86dce0146e67061eb0b3
• Instruction ID: 3a7dd133563a35a89e6b6e9b98c333398aae8146a6cfc638cf82fc7716cb0e38
• Opcode Fuzzy Hash: 31ad98293dbe7861d21d671b55e915ee2eaf0d05400c86dce0146e67061eb0b3
• Instruction Fuzzy Hash: 9D5110B1D05349DFCB15CFA9C984ADEBFB6BF49314F24852AE809AB211D7709885CF90
Uniqueness
Uniqueness Score: -1.00%

APIs
• CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0303FD0A
Memory Dump Source
• Source File: 00000001.00000002.488157939.0000000003030000.00000040.00000001.sdmp, Offset: 03030000, based on PE: false
Similarity
• API ID: CreateWindow
• String ID:
• API String ID: 716092398-0
• Opcode ID: f55f8cc36dc0189284dbb1805e42a4c5a84dff74886862bb65d60dd25c004f8d
• Instruction ID: e50d9298097f30f72faf341b411948eb3a8427da1c55765d7c12cce1a5cf563b
• Opcode Fuzzy Hash: f55f8cc36dc0189284dbb1805e42a4c5a84dff74886862bb65d60dd25c004f8d
• Instruction Fuzzy Hash: 2F51BEB1D00349DFDB14CF99C984ADEFBB6BF49314F24852AE819AB210D774A985CF90
Uniqueness
Uniqueness Score: -1.00%

APIs
• CreateActCtxA.KERNEL32(?), ref: 058046B1
Memory Dump Source
• Source File: 00000001.00000002.493085804.0000000005800000.00000040.00000001.sdmp, Offset: 05800000, based on PE: false
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0
• Opcode ID: 66cf5c3eaadeb876bb1be92d515deea76ae91142e92cb2fd29e08b28613a81c3
• Instruction ID: 110bab63cadb87a3591f8a137930ee0c8eb34ac2bf57ddf349912c5fd125deba
• Opcode Fuzzy Hash: 66cf5c3eaadeb876bb1be92d515deea76ae91142e92cb2fd29e08b28613a81c3
• Instruction Fuzzy Hash: DF4100B1C0461CCFDF24CFA9C884B9EBBB5BF49308F14842AD908AB251DB746949DF90
Uniqueness
Uniqueness Score: -1.00%

APIs
• CreateActCtxA.KERNEL32(?), ref: 058046B1
Memory Dump Source
• Source File: 00000001.00000002.493085804.0000000005800000.00000040.00000001.sdmp, Offset: 05800000, based on PE: false
                                                                      Similarity
                                                                      • API ID: Create
                                                                      • String ID:
                                                                      • API String ID: 2289755597-0
                                                                      • Opcode ID: 50858ec5c700c089a68acdfdb2f5ae2bff3631ae22dfbabfac1978c3ff55b445
                                                                      • Instruction ID: 946532b98903182991cd38185939e0ca1eb73c1507b6b9d0da436498998b989f
                                                                      • Opcode Fuzzy Hash: 50858ec5c700c089a68acdfdb2f5ae2bff3631ae22dfbabfac1978c3ff55b445
                                                                      • Instruction Fuzzy Hash: 6841E0B0C0461CCBDF24CFA9C88479EBBB5BF49308F10856AD909AB255DB756949CF90
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • CallWindowProcW.USER32(?,?,?,?,?), ref: 05802531
                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.493085804.0000000005800000.00000040.00000001.sdmp, Offset: 05800000, based on PE: false
                                                                      Similarity
                                                                      • API ID: CallProcWindow
                                                                      • String ID:
                                                                      • API String ID: 2714655100-0
                                                                      • Opcode ID: 5314ad8b16423e4ee5471c9683d9d6ad325e3cc98c45937989bb3b9514892515
                                                                      • Instruction ID: 02e72b3eeca31787df11d03de11469b68dd192236716265d0f10d9dbee48325d
                                                                      • Opcode Fuzzy Hash: 5314ad8b16423e4ee5471c9683d9d6ad325e3cc98c45937989bb3b9514892515
                                                                      • Instruction Fuzzy Hash: B8412CB8900705CFCB54CF99C888AAAFBF6FB88314F148459D919A7361D774A941CFA0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.493085804.0000000005800000.00000040.00000001.sdmp, Offset: 05800000, based on PE: false
                                                                      Similarity
                                                                      • API ID: CreateFromIconResource
                                                                      • String ID:
                                                                      • API String ID: 3668623891-0
                                                                      • Opcode ID: 67198d96840aa1b3708e4835acd85caa1573603717d5fa7441e227db4ec5c328
                                                                      • Instruction ID: 343972fa7e1c46aa749309d7f5f6868e2b7ab425f26f5e9040b4eafd05d0f8ca
                                                                      • Opcode Fuzzy Hash: 67198d96840aa1b3708e4835acd85caa1573603717d5fa7441e227db4ec5c328
                                                                      • Instruction Fuzzy Hash: 1C317A71904389DFCB11CFA9C844AEEBFF8EF09210F14806AEA54E7261C7359954DFA1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0303BCC6,?,?,?,?,?), ref: 0303BD87
                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.488157939.0000000003030000.00000040.00000001.sdmp, Offset: 03030000, based on PE: false
                                                                      Similarity
                                                                      • API ID: DuplicateHandle
                                                                      • String ID:
                                                                      • API String ID: 3793708945-0
                                                                      • Opcode ID: 1f7829b17c2bab6acde5030ed6f103f1a427367649e4580598846a9d5e28622b
                                                                      • Instruction ID: 9eeb5c780cf6a6ab2c4e077e45c5aab905185e18a25550850bfcc4313b26e67c
                                                                      • Opcode Fuzzy Hash: 1f7829b17c2bab6acde5030ed6f103f1a427367649e4580598846a9d5e28622b
                                                                      • Instruction Fuzzy Hash: DF2113B58052489FCB10CFA9D884AEEBFF9FB49324F14841AE954A7350D378A944CFA1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0303BCC6,?,?,?,?,?), ref: 0303BD87
                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.488157939.0000000003030000.00000040.00000001.sdmp, Offset: 03030000, based on PE: false
                                                                      Similarity
                                                                      • API ID: DuplicateHandle
                                                                      • String ID:
                                                                      • API String ID: 3793708945-0
                                                                      • Opcode ID: a397452b53dce400e0c00965defa88cc0f711b89ba1b97e8128d98d0a92a846f
                                                                      • Instruction ID: cdaca610af9988c2c477fc9e5de7df81a9aaccea244619477c97c34491bb5441
                                                                      • Opcode Fuzzy Hash: a397452b53dce400e0c00965defa88cc0f711b89ba1b97e8128d98d0a92a846f
                                                                      • Instruction Fuzzy Hash: 1D2105B59002489FCB10CF99D884AEEFBF8FB48324F14801AE914A3310D374A954CFA1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0303BCC6,?,?,?,?,?), ref: 0303BD87
                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.488157939.0000000003030000.00000040.00000001.sdmp, Offset: 03030000, based on PE: false
                                                                      Similarity
                                                                      • API ID: DuplicateHandle
                                                                      • String ID:
                                                                      • API String ID: 3793708945-0
                                                                      • Opcode ID: 48f8ceb55fcfe40fd1a7f2c3342ada870c4208553ccfc11a57dd7130bf8f87ec
                                                                      • Instruction ID: 0208cf226bec3c45d2c3589c64421bea41d01c7645dd8143956d03410c49dd9b
                                                                      • Opcode Fuzzy Hash: 48f8ceb55fcfe40fd1a7f2c3342ada870c4208553ccfc11a57dd7130bf8f87ec
                                                                      • Instruction Fuzzy Hash: 2121E3B5901248AFDB10CF99D984AEEBBF9EB48324F14841AE914A7310D374A954CFA1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • PostMessageW.USER32(?,018053E8,00000000,?), ref: 0580E73D
                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.493085804.0000000005800000.00000040.00000001.sdmp, Offset: 05800000, based on PE: false
                                                                      Similarity
                                                                      • API ID: MessagePost
                                                                      • String ID:
                                                                      • API String ID: 410705778-0
                                                                      • Opcode ID: 626fc05c0c8b2345e5ad1c9bc2d80709e01f3b53635554dd583c09eeddab4575
                                                                      • Instruction ID: c345aea90e0bc90b1f1af11c99e2df1e00daf784cef48329c8f4f8c24e09788a
                                                                      • Opcode Fuzzy Hash: 626fc05c0c8b2345e5ad1c9bc2d80709e01f3b53635554dd583c09eeddab4575
                                                                      • Instruction Fuzzy Hash: 47215EB18043499FDB10CFA9C885BEEBFF8EB09314F14845AD954A3241D778A945CFA1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?,?,?,?,0580B8B2,?,?,?,?,?), ref: 0580B957
                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.493085804.0000000005800000.00000040.00000001.sdmp, Offset: 05800000, based on PE: false
                                                                      Similarity
                                                                      • API ID: CreateFromIconResource
                                                                      • String ID:
                                                                      • API String ID: 3668623891-0
                                                                      • Opcode ID: 1155129723be48f0d5e2aa4c1a62ec5a44cc395f4166996253ec61ac10bc8fd5
                                                                      • Instruction ID: d5867cc73d5ef50a52774780db439236c436b2770dfeade6ed9ef7f136cb43ba
                                                                      • Opcode Fuzzy Hash: 1155129723be48f0d5e2aa4c1a62ec5a44cc395f4166996253ec61ac10bc8fd5
                                                                      • Instruction Fuzzy Hash: 2D1156B1800249DFCF10CF99C844BEEBBF8EB48324F14841AE914B7250C374A954DFA1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,030396A9,00000800,00000000,00000000), ref: 030398BA
                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.488157939.0000000003030000.00000040.00000001.sdmp, Offset: 03030000, based on PE: false
                                                                      Similarity
                                                                      • API ID: LibraryLoad
                                                                      • String ID:
                                                                      • API String ID: 1029625771-0
                                                                      • Opcode ID: 3f4ab2cce687d06f7aa7edbaa4a17646ee88c16feb55de582064b7fd15c4b931
                                                                      • Instruction ID: ab8b37e1b42db0dc55c618b52d9bff51f9a837fd250fccef2f29f62109936685
                                                                      • Opcode Fuzzy Hash: 3f4ab2cce687d06f7aa7edbaa4a17646ee88c16feb55de582064b7fd15c4b931
                                                                      • Instruction Fuzzy Hash: 0711F4B59002499FCB10CF9AC444B9EFBF8EB89314F04842AD515B7600C7B4A945CFA5
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,030396A9,00000800,00000000,00000000), ref: 030398BA
                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.488157939.0000000003030000.00000040.00000001.sdmp, Offset: 03030000, based on PE: false
                                                                      Similarity
                                                                      • API ID: LibraryLoad
                                                                      • String ID:
                                                                      • API String ID: 1029625771-0
                                                                      • Opcode ID: 6d72fc220b7648b2c5fa14e5d7b7d9ad0efd507be7fd685bd8293d04ec044b3f
                                                                      • Instruction ID: 821c1d2871e979dbc2a4d5956784bb0bd8f67ee0a0e338c3ab74ef0ec78fd59d
                                                                      • Opcode Fuzzy Hash: 6d72fc220b7648b2c5fa14e5d7b7d9ad0efd507be7fd685bd8293d04ec044b3f
                                                                      • Instruction Fuzzy Hash: 7C1103B68002498FCB10CF9AC844BDEFBF8EB89324F04842AD815A7700C774A545CFA5
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • PostMessageW.USER32(?,018053E8,00000000,?), ref: 0580E73D
                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.493085804.0000000005800000.00000040.00000001.sdmp, Offset: 05800000, based on PE: false
                                                                      Similarity
                                                                      • API ID: MessagePost
                                                                      • String ID:
                                                                      • API String ID: 410705778-0
                                                                      • Opcode ID: c99cbe97e3766721a5b2dd0651afbc257aae7e53a8e318bc5d757e1fdb8fa164
                                                                      • Instruction ID: 719d2075c1b430b24a40cb914696bc38e2515d61197f04238628309feaee8b50
                                                                      • Opcode Fuzzy Hash: c99cbe97e3766721a5b2dd0651afbc257aae7e53a8e318bc5d757e1fdb8fa164
                                                                      • Instruction Fuzzy Hash: 031116B58003499FDB50CF99C885BEEBBF8FB48324F108819E954A3240D374A984CFA1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • GetModuleHandleW.KERNEL32(00000000), ref: 0303962E
                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.488157939.0000000003030000.00000040.00000001.sdmp, Offset: 03030000, based on PE: false
                                                                      Similarity
                                                                      • API ID: HandleModule
                                                                      • String ID:
                                                                      • API String ID: 4139908857-0
                                                                      • Opcode ID: 04f851ef40a9b22faf267beb95fbb0d333bf3851523c3b9c965400eef361a419
                                                                      • Instruction ID: a934c13db648e6aa8edee2157ec676fced8061d81b3aaf5a7f2f9fbeb7f7e546
                                                                      • Opcode Fuzzy Hash: 04f851ef40a9b22faf267beb95fbb0d333bf3851523c3b9c965400eef361a419
                                                                      • Instruction Fuzzy Hash: CA11E0B5C016498FCB10CF9AC844BDEFBF9AB89224F14851AD859A7600D3B4A545CFA1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • SetWindowLongW.USER32(?,?,?,?,?,?,?,?,0303FE28,?,?,?,?), ref: 0303FE9D
                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.488157939.0000000003030000.00000040.00000001.sdmp, Offset: 03030000, based on PE: false
                                                                      Similarity
                                                                      • API ID: LongWindow
                                                                      • String ID:
                                                                      • API String ID: 1378638983-0
                                                                      • Opcode ID: 4aca9d5a77202e4eb0832c3b37291a979c228bfaa845c092e23d7ced38aac06b
                                                                      • Instruction ID: e3f22bce6d536ea07fb9ff2c79aef5a0f0e60ecf910c641630bc4a57fa86bb9c
                                                                      • Opcode Fuzzy Hash: 4aca9d5a77202e4eb0832c3b37291a979c228bfaa845c092e23d7ced38aac06b
                                                                      • Instruction Fuzzy Hash: 0D11F5B58012499FDB10CF99D585BDFFBF8EB48324F108419E915A7341C3B4A944CFA1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • SetWindowLongW.USER32(?,?,?,?,?,?,?,?,0303FE28,?,?,?,?), ref: 0303FE9D
                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.488157939.0000000003030000.00000040.00000001.sdmp, Offset: 03030000, based on PE: false
                                                                      Similarity
                                                                      • API ID: LongWindow
                                                                      • String ID:
                                                                      • API String ID: 1378638983-0
                                                                      • Opcode ID: 680025a05504df4a868b8efc22516a8f7e635286e9645d716860b19214a58b4f
                                                                      • Instruction ID: afe290e264276d9955906e8ee421b628991edbbfe83ec480468010cb235a02b8
                                                                      • Opcode Fuzzy Hash: 680025a05504df4a868b8efc22516a8f7e635286e9645d716860b19214a58b4f
                                                                      • Instruction Fuzzy Hash: 4611F2B58002499FDB10CF99D989BDEBBF8EB48324F14841AE955A7341C374AA44CFA1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • SendMessageW.USER32(?,0000020A,?,?,?,?,?,?,0580226A,?,00000000,?), ref: 0580C435
                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.493085804.0000000005800000.00000040.00000001.sdmp, Offset: 05800000, based on PE: false
                                                                      Similarity
                                                                      • API ID: MessageSend
                                                                      • String ID:
                                                                      • API String ID: 3850602802-0
                                                                      • Opcode ID: 485d3109b0488986bb256f720deb37a4c073bb5d0ffb74a5120582f5e866984f
                                                                      • Instruction ID: 72f5994010de4f8915581e5b683e57efedb352d1598934597a37b4d03087a439
                                                                      • Opcode Fuzzy Hash: 485d3109b0488986bb256f720deb37a4c073bb5d0ffb74a5120582f5e866984f
                                                                      • Instruction Fuzzy Hash: 8211F2B58047489FCB50CF99D989BEEFBF8FB48324F108519E955A7640C3B4A984CFA1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • SendMessageW.USER32(?,?,?,?,?,?,?,?,?,00000000), ref: 0580BCBD
                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.493085804.0000000005800000.00000040.00000001.sdmp, Offset: 05800000, based on PE: false
                                                                      Similarity
                                                                      • API ID: MessageSend
                                                                      • String ID:
                                                                      • API String ID: 3850602802-0
                                                                      • Opcode ID: b6207afc9de85662f8d0f8ccc327d4aecbcc3071978427cca88d51e51c995615
                                                                      • Instruction ID: f417641e1ae0cb69158bc340a1586ec07b558a4ad1b9f1aab7daf0ca938d3830
                                                                      • Opcode Fuzzy Hash: b6207afc9de85662f8d0f8ccc327d4aecbcc3071978427cca88d51e51c995615
                                                                      • Instruction Fuzzy Hash: 6711E3B58003489FCB50CF99C984BDEBBF8EB48324F108419E955A7340C774A944CFA1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • SendMessageW.USER32(?,00000018,00000001,?), ref: 0580D29D
                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.493085804.0000000005800000.00000040.00000001.sdmp, Offset: 05800000, based on PE: false
                                                                      Similarity
                                                                      • API ID: MessageSend
                                                                      • String ID:
                                                                      • API String ID: 3850602802-0
                                                                      • Opcode ID: 40c653507cc2609f873b4eb45f4e0a9d4603ca39fae1663de73b71e9b1a02c6b
                                                                      • Instruction ID: 68b6888da191526cacd8877e3840c956b1eb37a2d1c6ee68cfc5cde6effbebd5
                                                                      • Opcode Fuzzy Hash: 40c653507cc2609f873b4eb45f4e0a9d4603ca39fae1663de73b71e9b1a02c6b
                                                                      • Instruction Fuzzy Hash: 8611F5B58003489FDB50CF99C984BDEBBF8EB48324F108419E955A7340C375A984CFA1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • SendMessageW.USER32(?,00000018,00000001,?), ref: 0580D29D
                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.493085804.0000000005800000.00000040.00000001.sdmp, Offset: 05800000, based on PE: false
                                                                      Similarity
                                                                      • API ID: MessageSend
                                                                      • String ID:
                                                                      • API String ID: 3850602802-0
                                                                      • Opcode ID: 276d58f9b8d593ff1a56fd973b8deb148020671c02f75625193bad4a80ad1aea
                                                                      • Instruction ID: 4d25a09d7b9e2a8336e7d7b2db1a8152fbaaa3dfd5116113634996a978429c63
                                                                      • Opcode Fuzzy Hash: 276d58f9b8d593ff1a56fd973b8deb148020671c02f75625193bad4a80ad1aea
                                                                      • Instruction Fuzzy Hash: 1E11F2B58003499FDB10CF99D985BDEBFF8FB48324F10841AE964A3640C374AA84CFA1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • SendMessageW.USER32(?,0000020A,?,?,?,?,?,?,0580226A,?,00000000,?), ref: 0580C435
                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.493085804.0000000005800000.00000040.00000001.sdmp, Offset: 05800000, based on PE: false
                                                                      Similarity
                                                                      • API ID: MessageSend
                                                                      • String ID:
                                                                      • API String ID: 3850602802-0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • SendMessageW.USER32(?,?,?,?,?,?,?,?,?,00000000), ref: 0580BCBD
                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.493085804.0000000005800000.00000040.00000001.sdmp, Offset: 05800000, based on PE: false
                                                                      Similarity
                                                                      • API ID: MessageSend
                                                                      • String ID:
                                                                      • API String ID: 3850602802-0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • OleInitialize.OLE32(00000000), ref: 0580F435
                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.493085804.0000000005800000.00000040.00000001.sdmp, Offset: 05800000, based on PE: false
                                                                      Similarity
                                                                      • API ID: Initialize
                                                                      • String ID:
                                                                      • API String ID: 2538663250-0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • OleInitialize.OLE32(00000000), ref: 0580F435
                                                                      Memory Dump Source
                                                                      • Source File: 00000001.00000002.493085804.0000000005800000.00000040.00000001.sdmp, Offset: 05800000, based on PE: false
                                                                      Similarity
                                                                      • API ID: Initialize
                                                                      • String ID:
                                                                      • API String ID: 2538663250-0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Non-executed Functions

                                                                      Executed Functions

                                                                      APIs
                                                                      • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 065D20F0
                                                                      • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 065D21D0
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.276845018.00000000065D0000.00000040.00000001.sdmp, Offset: 065D0000, based on PE: false
                                                                      Similarity
                                                                      • API ID: MemoryProcess$ReadWrite
                                                                      • String ID:
                                                                      • API String ID: 3589323503-0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 065D25BE
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.276845018.00000000065D0000.00000040.00000001.sdmp, Offset: 065D0000, based on PE: false
                                                                      Similarity
                                                                      • API ID: CreateProcess
                                                                      • String ID:
                                                                      • API String ID: 963392458-0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 065D25BE
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.276845018.00000000065D0000.00000040.00000001.sdmp, Offset: 065D0000, based on PE: false
                                                                      Similarity
                                                                      • API ID: CreateProcess
                                                                      • String ID:
                                                                      • API String ID: 963392458-0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • GetUserNameA.ADVAPI32(00000000), ref: 065D419C
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.276845018.00000000065D0000.00000040.00000001.sdmp, Offset: 065D0000, based on PE: false
                                                                      Similarity
                                                                      • API ID: NameUser
                                                                      • String ID:
                                                                      • API String ID: 2645101109-0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • GetUserNameA.ADVAPI32(00000000), ref: 065D419C
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.276845018.00000000065D0000.00000040.00000001.sdmp, Offset: 065D0000, based on PE: false
                                                                      Similarity
                                                                      • API ID: NameUser
                                                                      • String ID:
                                                                      • API String ID: 2645101109-0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • CallWindowProcW.USER32(?,?,?,?,?), ref: 02582471
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.268830963.0000000002580000.00000040.00000001.sdmp, Offset: 02580000, based on PE: false
                                                                      Similarity
                                                                      • API ID: CallProcWindow
                                                                      • String ID:
                                                                      • API String ID: 2714655100-0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 065D21D0
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.276845018.00000000065D0000.00000040.00000001.sdmp, Offset: 065D0000, based on PE: false
                                                                      Similarity
                                                                      • API ID: MemoryProcessRead
                                                                      • String ID:
                                                                      • API String ID: 1726664587-0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 065D20F0
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.276845018.00000000065D0000.00000040.00000001.sdmp, Offset: 065D0000, based on PE: false
                                                                      Similarity
                                                                      • API ID: MemoryProcessWrite
                                                                      • String ID:
                                                                      • API String ID: 3559483778-0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.276845018.00000000065D0000.00000040.00000001.sdmp, Offset: 065D0000, based on PE: false
                                                                      Similarity
                                                                      • API ID: ResumeThread
                                                                      • String ID:
                                                                      • API String ID: 947044025-0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • SetWindowLongW.USER32(?,?,?), ref: 0258009D
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.268830963.0000000002580000.00000040.00000001.sdmp, Offset: 02580000, based on PE: false
                                                                      Similarity
                                                                      • API ID: LongWindow
                                                                      • String ID:
                                                                      • API String ID: 1378638983-0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 065D20F0
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.276845018.00000000065D0000.00000040.00000001.sdmp, Offset: 065D0000, based on PE: false
                                                                      Similarity
                                                                      • API ID: MemoryProcessWrite
                                                                      • String ID:
                                                                      • API String ID: 3559483778-0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • SetThreadContext.KERNELBASE(?,00000000), ref: 065D1F46
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.276845018.00000000065D0000.00000040.00000001.sdmp, Offset: 065D0000, based on PE: false
                                                                      Similarity
                                                                      • API ID: ContextThread
                                                                      • String ID:
                                                                      • API String ID: 1591575202-0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • SetThreadContext.KERNELBASE(?,00000000), ref: 065D1F46
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.276845018.00000000065D0000.00000040.00000001.sdmp, Offset: 065D0000, based on PE: false
                                                                      Similarity
                                                                      • API ID: ContextThread
                                                                      • String ID:
                                                                      • API String ID: 1591575202-0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 065D21D0
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.276845018.00000000065D0000.00000040.00000001.sdmp, Offset: 065D0000, based on PE: false
                                                                      Similarity
                                                                      • API ID: MemoryProcessRead
                                                                      • String ID:
                                                                      • API String ID: 1726664587-0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 065D200E
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.276845018.00000000065D0000.00000040.00000001.sdmp, Offset: 065D0000, based on PE: false
                                                                      Similarity
                                                                      • API ID: AllocVirtual
                                                                      • String ID:
                                                                      • API String ID: 4275171209-0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 065D200E
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.276845018.00000000065D0000.00000040.00000001.sdmp, Offset: 065D0000, based on PE: false
                                                                      Similarity
                                                                      • API ID: AllocVirtual
                                                                      • String ID:
                                                                      • API String ID: 4275171209-0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000002.00000002.276845018.00000000065D0000.00000040.00000001.sdmp, Offset: 065D0000, based on PE: false
Similarity
• API ID: ResumeThread
• String ID:
• API String ID: 947044025-0

APIs
• SetWindowLongW.USER32(?,?,?), ref: 0258009D
Memory Dump Source
• Source File: 00000002.00000002.268830963.0000000002580000.00000040.00000001.sdmp, Offset: 02580000, based on PE: false
Similarity
• API ID: LongWindow
• String ID:
• API String ID: 1378638983-0

Non-executed Functions

Executed Functions

APIs
• GetCurrentProcess.KERNEL32 ref: 0139B730
• GetCurrentThread.KERNEL32 ref: 0139B76D
• GetCurrentProcess.KERNEL32 ref: 0139B7AA
• GetCurrentThreadId.KERNEL32 ref: 0139B803
Memory Dump Source
• Source File: 00000006.00000002.284012478.0000000001390000.00000040.00000001.sdmp, Offset: 01390000, based on PE: false
Similarity
• API ID: Current$ProcessThread
• String ID:
• API String ID: 2063062207-0

APIs
• CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0139FD0A
Memory Dump Source
• Source File: 00000006.00000002.284012478.0000000001390000.00000040.00000001.sdmp, Offset: 01390000, based on PE: false
Similarity
• API ID: CreateWindow
• String ID:
• API String ID: 716092398-0

APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 0139962E
Memory Dump Source
• Source File: 00000006.00000002.284012478.0000000001390000.00000040.00000001.sdmp, Offset: 01390000, based on PE: false
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0

APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0139BD87
Memory Dump Source
• Source File: 00000006.00000002.284012478.0000000001390000.00000040.00000001.sdmp, Offset: 01390000, based on PE: false
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0

APIs
• LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,013996A9,00000800,00000000,00000000), ref: 013998BA
Memory Dump Source
• Source File: 00000006.00000002.284012478.0000000001390000.00000040.00000001.sdmp, Offset: 01390000, based on PE: false
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0

APIs
• SetWindowLongW.USER32(?,?,?), ref: 0139FE9D
Memory Dump Source
• Source File: 00000006.00000002.284012478.0000000001390000.00000040.00000001.sdmp, Offset: 01390000, based on PE: false
Similarity
• API ID: LongWindow
• String ID:
• API String ID: 1378638983-0

Non-executed Functions

Executed Functions

APIs
• WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 070020F0
• ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 070021D0
Memory Dump Source
• Source File: 00000007.00000002.300127240.0000000007000000.00000040.00000001.sdmp, Offset: 07000000, based on PE: false
Similarity
• API ID: MemoryProcess$ReadWrite
• String ID:
• API String ID: 3589323503-0

APIs
• CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 070025BE
Memory Dump Source
• Source File: 00000007.00000002.300127240.0000000007000000.00000040.00000001.sdmp, Offset: 07000000, based on PE: false
Similarity
• API ID: CreateProcess
• String ID:
• API String ID: 963392458-0

APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 00FB9636
Memory Dump Source
• Source File: 00000007.00000002.286020209.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: false
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0

APIs
• GetUserNameA.ADVAPI32(00000000), ref: 0700419C
Memory Dump Source
• Source File: 00000007.00000002.300127240.0000000007000000.00000040.00000001.sdmp, Offset: 07000000, based on PE: false
Similarity
• API ID: NameUser
• String ID:
• API String ID: 2645101109-0

                                                                      APIs
                                                                      • GetUserNameA.ADVAPI32(00000000), ref: 0700419C
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.300127240.0000000007000000.00000040.00000001.sdmp, Offset: 07000000, based on PE: false
                                                                      Similarity
                                                                      • API ID: NameUser
                                                                      • String ID:
                                                                      • API String ID: 2645101109-0
                                                                      • Opcode ID: ba423bfb21fa642de631db021dc65bac7c553c06cc582e790da3f1dbe3a570b7
                                                                      • Instruction ID: 8ef6d6b9165d09274c4517f3819f9244c6f7e156e52aa0e0424c22a41aa4fbd8
                                                                      • Opcode Fuzzy Hash: ba423bfb21fa642de631db021dc65bac7c553c06cc582e790da3f1dbe3a570b7
                                                                      • Instruction Fuzzy Hash: 445148B0D002588FDB14CFA9C984BDEBBF1BF49314F248129E915AB395D7749848CF94
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 00FBFE6A
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.286020209.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: false
                                                                      Similarity
                                                                      • API ID: CreateWindow
                                                                      • String ID:
                                                                      • API String ID: 716092398-0
                                                                      • Opcode ID: 5b6fe68a3964b8a0f502bb6c20335752231a65a34dcce17923e2544f197a5f95
                                                                      • Instruction ID: 49d81b82cf65963a3040da6d8e700f8ae779f42ba110fc84ca9046d8eb8aa4c5
                                                                      • Opcode Fuzzy Hash: 5b6fe68a3964b8a0f502bb6c20335752231a65a34dcce17923e2544f197a5f95
                                                                      • Instruction Fuzzy Hash: BC51C1B1D003489FDF14CF9AC884ADEBBB5FF48314F24852AE819AB255D7749985CF90
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 00FBFE6A
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.286020209.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: false
                                                                      Similarity
                                                                      • API ID: CreateWindow
                                                                      • String ID:
                                                                      • API String ID: 716092398-0
                                                                      • Opcode ID: c1a5edaefa364abe6b2d95ad10d778a73be40174baa9b2c97f4c600bee94dd11
                                                                      • Instruction ID: 6ed6519dbf0ed5562dcbdc58b65c196c4d4a78539f5faa25ce1eef219de27cd2
                                                                      • Opcode Fuzzy Hash: c1a5edaefa364abe6b2d95ad10d778a73be40174baa9b2c97f4c600bee94dd11
                                                                      • Instruction Fuzzy Hash: AB51D1B1D003489FDF15CFAAC884ADEBFB5BF48314F24822AE418AB251D7749885CF90
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • CreateActCtxA.KERNEL32(?), ref: 00FB5411
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.286020209.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: false
                                                                      Similarity
                                                                      • API ID: Create
                                                                      • String ID:
                                                                      • API String ID: 2289755597-0
                                                                      • Opcode ID: 76d660a68b125f8168a911b31930451eafd72e1a2bc4e2adfc15980f739a867f
                                                                      • Instruction ID: bd1ddf4cf95b86d7b7c7111d1358bcc1ff5269b5303ffe1de07f4961826c9438
                                                                      • Opcode Fuzzy Hash: 76d660a68b125f8168a911b31930451eafd72e1a2bc4e2adfc15980f739a867f
                                                                      • Instruction Fuzzy Hash: 0D41E171C0461CCBDB24CFAAC8847DEBBB5FF49318F24806AD408AB255DB755945DF90
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • CreateActCtxA.KERNEL32(?), ref: 00FB5411
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.286020209.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: false
                                                                      Similarity
                                                                      • API ID: Create
                                                                      • String ID:
                                                                      • API String ID: 2289755597-0
                                                                      • Opcode ID: 55a4944b3990cf6bb0701dba85379d96959feac614b6f8b4d1d20c95401f4475
                                                                      • Instruction ID: 6bdd478a1e32d0592864f349020f2eee7ceea06205c53a7b928c441e2c6ea782
                                                                      • Opcode Fuzzy Hash: 55a4944b3990cf6bb0701dba85379d96959feac614b6f8b4d1d20c95401f4475
                                                                      • Instruction Fuzzy Hash: A241E270C04659CEDB24CFAAC884BDEBBB1FF89318F24816AD408AB255DB755945CF50
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • CallWindowProcW.USER32(?,?,?,?,?), ref: 05112471
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.296479660.0000000005110000.00000040.00000001.sdmp, Offset: 05110000, based on PE: false
                                                                      Similarity
                                                                      • API ID: CallProcWindow
                                                                      • String ID:
                                                                      • API String ID: 2714655100-0
                                                                      • Opcode ID: da768ffcb686415e0714ed944ce7b98708524a6a0bdf37afa93242fd6eba9287
                                                                      • Instruction ID: 6f69bac9be819f23d41f4403edc6ca89e1cb4fc48d693c75b2d0298532e1db41
                                                                      • Opcode Fuzzy Hash: da768ffcb686415e0714ed944ce7b98708524a6a0bdf37afa93242fd6eba9287
                                                                      • Instruction Fuzzy Hash: 1B414AB89003458FCB14CF99C488AAABBF5FF88314F15C498E519A7725D774A841CFA4
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 070021D0
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.300127240.0000000007000000.00000040.00000001.sdmp, Offset: 07000000, based on PE: false
                                                                      Similarity
                                                                      • API ID: MemoryProcessRead
                                                                      • String ID:
                                                                      • API String ID: 1726664587-0
                                                                      • Opcode ID: bb0164ac4b6840558fb697ad8c7ca2041beaf9d2fca552d6be1fcad4f835cc71
                                                                      • Instruction ID: 470c9ddbcd54fd1f2c54ec514ad8d0999af8a1f6f204aaca7f80e11edeaaef36
                                                                      • Opcode Fuzzy Hash: bb0164ac4b6840558fb697ad8c7ca2041beaf9d2fca552d6be1fcad4f835cc71
                                                                      • Instruction Fuzzy Hash: 12317EB19043488FDB10CFA9D8487EEBBF5FF58328F14882AD555B7680C7789544CBA0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.300127240.0000000007000000.00000040.00000001.sdmp, Offset: 07000000, based on PE: false
                                                                      Similarity
                                                                      • API ID: ResumeThread
                                                                      • String ID:
                                                                      • API String ID: 947044025-0
                                                                      • Opcode ID: 10f2ca21d0a6cde124576782a1b57d762f1fc8c9706cdb8506fd8856f498f00d
                                                                      • Instruction ID: 74e7401caaad285a2d737fcdf951a167b064432a82d3f0362942d0afadb2f625
                                                                      • Opcode Fuzzy Hash: 10f2ca21d0a6cde124576782a1b57d762f1fc8c9706cdb8506fd8856f498f00d
                                                                      • Instruction Fuzzy Hash: 2021BCB1D043889FDB10DFA9C8446EFFBF9EB49324F1484AAD518A7240DB356944CBE1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 070020F0
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.300127240.0000000007000000.00000040.00000001.sdmp, Offset: 07000000, based on PE: false
                                                                      Similarity
                                                                      • API ID: MemoryProcessWrite
                                                                      • String ID:
                                                                      • API String ID: 3559483778-0
                                                                      • Opcode ID: 060894226f8ac3b8a300afc580c81d641edc16c8f25e99045654eefab7814774
                                                                      • Instruction ID: 36720c143f2ff7b2d3596233117ef1fb189865e78583448df9a0a30227ff3e2e
                                                                      • Opcode Fuzzy Hash: 060894226f8ac3b8a300afc580c81d641edc16c8f25e99045654eefab7814774
                                                                      • Instruction Fuzzy Hash: 762148B19003599FDF50CFA9C8847EEBBF5FF48324F00842AE919A7240D7789944CBA0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 070020F0
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.300127240.0000000007000000.00000040.00000001.sdmp, Offset: 07000000, based on PE: false
                                                                      Similarity
                                                                      • API ID: MemoryProcessWrite
                                                                      • String ID:
                                                                      • API String ID: 3559483778-0
                                                                      • Opcode ID: 3d14ea371ef18b2f9c314fd1f3e60b1ad16a45be0a658871228535739df2261b
                                                                      • Instruction ID: 94776bff71392f81ebf65cd214c1d64e8d938195a5c31f0a33b40036732b4389
                                                                      • Opcode Fuzzy Hash: 3d14ea371ef18b2f9c314fd1f3e60b1ad16a45be0a658871228535739df2261b
                                                                      • Instruction Fuzzy Hash: F321F6B19003599FDF50CFA9C8847EEBBF5FF48324F108429E919A7241D778A954CBA1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • SetThreadContext.KERNELBASE(?,00000000), ref: 07001F46
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.300127240.0000000007000000.00000040.00000001.sdmp, Offset: 07000000, based on PE: false
                                                                      Similarity
                                                                      • API ID: ContextThread
                                                                      • String ID:
                                                                      • API String ID: 1591575202-0
                                                                      • Opcode ID: 5ecee079219f7a070924bc2cddc29fb0e8c1194d3fd31037bb1471e4fac1dfea
                                                                      • Instruction ID: 1c5b4678431c4fb8a58a496867d503b7c4ed9cd827b10cb4ac64b872c1f51f8c
                                                                      • Opcode Fuzzy Hash: 5ecee079219f7a070924bc2cddc29fb0e8c1194d3fd31037bb1471e4fac1dfea
                                                                      • Instruction Fuzzy Hash: 5E215CB19042498FDB50DFA9C4847EEBBF5EF48364F448429D519A7280DB789944CFA0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00FBB8D6,?,?,?,?,?), ref: 00FBB997
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.286020209.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: false
                                                                      Similarity
                                                                      • API ID: DuplicateHandle
                                                                      • String ID:
                                                                      • API String ID: 3793708945-0
                                                                      • Opcode ID: 73b6286aa3651383d858df4491414c55b217d21d36988f5690b725c9b7336312
                                                                      • Instruction ID: 8b8523ad33bb3a3823010a43d8d2b20eab7ed5e31c3a1db35851079696b6e15c
                                                                      • Opcode Fuzzy Hash: 73b6286aa3651383d858df4491414c55b217d21d36988f5690b725c9b7336312
                                                                      • Instruction Fuzzy Hash: 952114B5900248EFDF10CF9AD484AEEBBF4EB48320F14841AE914B3350D374A944DFA1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00FB96B1,00000800,00000000,00000000), ref: 00FB98C2
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.286020209.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: false
                                                                      Similarity
                                                                      • API ID: LibraryLoad
                                                                      • String ID:
                                                                      • API String ID: 1029625771-0
                                                                      • Opcode ID: 5cd23004330fef8fa3c959e3fa89f1c000c8bed36f854903dac47ffc7f035239
                                                                      • Instruction ID: a42723ed0de2baf36cfbdc5532df95b31314e37352a3b27d91b0d7227b554ff3
                                                                      • Opcode Fuzzy Hash: 5cd23004330fef8fa3c959e3fa89f1c000c8bed36f854903dac47ffc7f035239
                                                                      • Instruction Fuzzy Hash: D12148B2C042888FCB10CF9AC444ADEBBF4EB99324F05842ED555A7601D3B49948CFA1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00FBB8D6,?,?,?,?,?), ref: 00FBB997
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.286020209.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: false
                                                                      Similarity
                                                                      • API ID: DuplicateHandle
                                                                      • String ID:
                                                                      • API String ID: 3793708945-0
                                                                      • Opcode ID: ed3126c1ed2c00bbf77be7efecc0fbe67fa35c1d25abf9861205a1b92e06f5dd
                                                                      • Instruction ID: b6eb082adbe017e7689bafe0c686525a4f168d5bd5c4a4ac75bd78f55373eb87
                                                                      • Opcode Fuzzy Hash: ed3126c1ed2c00bbf77be7efecc0fbe67fa35c1d25abf9861205a1b92e06f5dd
                                                                      • Instruction Fuzzy Hash: 6C2116B5901248AFCB10CF9AD484ADEBFF4FB48320F14841AE954B3350C374A944DFA1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • SetThreadContext.KERNELBASE(?,00000000), ref: 07001F46
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.300127240.0000000007000000.00000040.00000001.sdmp, Offset: 07000000, based on PE: false
                                                                      Similarity
                                                                      • API ID: ContextThread
                                                                      • String ID:
                                                                      • API String ID: 1591575202-0
                                                                      • Opcode ID: dabd0cd8af22660ca44162a083a84a36b96a4a538ce4f21f7d6aa35169c124df
                                                                      • Instruction ID: 72c4fe9ad80b1b99acfd2b85a255f55819568486173143d11f8f270a92f66112
                                                                      • Opcode Fuzzy Hash: dabd0cd8af22660ca44162a083a84a36b96a4a538ce4f21f7d6aa35169c124df
                                                                      • Instruction Fuzzy Hash: 062138B19043098FDB50DFAAC4847EEBBF5EF48364F148429D519A7280DB78A944CFA0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 070021D0
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.300127240.0000000007000000.00000040.00000001.sdmp, Offset: 07000000, based on PE: false
                                                                      Similarity
                                                                      • API ID: MemoryProcessRead
                                                                      • String ID:
                                                                      • API String ID: 1726664587-0
                                                                      • Opcode ID: 520240b03b0582f33cb6c69ec3c5d8515f7c58cc5072051f23fb25df7c683d29
                                                                      • Instruction ID: acf3c21fe2863c900810ea47da6130e75341a008e97795a73a2ec15677bf9707
                                                                      • Opcode Fuzzy Hash: 520240b03b0582f33cb6c69ec3c5d8515f7c58cc5072051f23fb25df7c683d29
                                                                      • Instruction Fuzzy Hash: 282128B18003499FCF10CFA9C8846EEBBF5FF48324F508429E919A7240D7749944CBA0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0700200E
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.300127240.0000000007000000.00000040.00000001.sdmp, Offset: 07000000, based on PE: false
                                                                      Similarity
                                                                      • API ID: AllocVirtual
                                                                      • String ID:
                                                                      • API String ID: 4275171209-0
                                                                      • Opcode ID: 26d97614cfc9b9b5a7022fa48f568416c10ea658445dc072eacf52e7b65e8403
                                                                      • Instruction ID: 7058c1a9b8deea5fa27af9b7c0550b8c80870c76c4ac86157178716ff5e0db32
                                                                      • Opcode Fuzzy Hash: 26d97614cfc9b9b5a7022fa48f568416c10ea658445dc072eacf52e7b65e8403
                                                                      • Instruction Fuzzy Hash: F61159B19002499FDF10DFA9D8487EEBBF5FF48324F14882AE915A7250D7759944CFA0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00FB96B1,00000800,00000000,00000000), ref: 00FB98C2
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.286020209.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: false
                                                                      Similarity
                                                                      • API ID: LibraryLoad
                                                                      • String ID:
                                                                      • API String ID: 1029625771-0
                                                                      • Opcode ID: 7f17234431ccd75e5cd68b8459f47166a8fbd92b8dfbe00a0a6784a7791611f6
                                                                      • Instruction ID: 17c39e9d9878541df884984a4a35bdb6712af017bd748548ea56f43d248ec3b9
                                                                      • Opcode Fuzzy Hash: 7f17234431ccd75e5cd68b8459f47166a8fbd92b8dfbe00a0a6784a7791611f6
• Instruction Fuzzy Hash: 291106B2D042488FCB10CF9AD444BDEBBF4EB89324F14842ED515A7640C3B4A945CFA1
Uniqueness

Uniqueness Score: -1.00%

APIs
• LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00FB96B1,00000800,00000000,00000000), ref: 00FB98C2
Memory Dump Source
• Source File: 00000007.00000002.286020209.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: false
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0
• Opcode ID: 48cb702037374d14ae2cec4d918df87ec9f2ba83700e00791243e64b0ccc55dd
• Instruction ID: 7a36f37fd55fef19e77e108a0edc1de6e667bb0c0578eb89e4e64eb5faf0b325
• Opcode Fuzzy Hash: 48cb702037374d14ae2cec4d918df87ec9f2ba83700e00791243e64b0ccc55dd
• Instruction Fuzzy Hash: 781114B2D042488FCB10CF9AD444ADEFBF4EB89324F04842EE519A7640C7B4A945CFA1
Uniqueness

Uniqueness Score: -1.00%

APIs
• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0700200E
Memory Dump Source
• Source File: 00000007.00000002.300127240.0000000007000000.00000040.00000001.sdmp, Offset: 07000000, based on PE: false
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
• Opcode ID: 2bf246793c8332f2283cc112a0de9bb6cc389b4e06dfef7035455eb73e6077da
• Instruction ID: 47a4f240e9f630d5a6de54c68c4c89decc76bf73be1c426df54a99f894f63d9d
• Opcode Fuzzy Hash: 2bf246793c8332f2283cc112a0de9bb6cc389b4e06dfef7035455eb73e6077da
• Instruction Fuzzy Hash: 3C1126719002499FDF10DFA9C8487EFBBF5EB88324F148819E915A7250C775A944CFA0
Uniqueness

Uniqueness Score: -1.00%

APIs
• LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00FB96B1,00000800,00000000,00000000), ref: 00FB98C2
Memory Dump Source
• Source File: 00000007.00000002.286020209.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: false
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0
• Opcode ID: b414f6ed2ae885a2f85e35d4bb17534c154483f83a3e5339b19c50df106209bc
• Instruction ID: 61584a38edf236d530009766bcdde25e62bbaf30122ade241e9af160caadf54d
• Opcode Fuzzy Hash: b414f6ed2ae885a2f85e35d4bb17534c154483f83a3e5339b19c50df106209bc
• Instruction Fuzzy Hash: 7C11C0B69043088FDF10CBDAD4047DABBF4EF99324F14846AE649E7240C7B5A845DFA1
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000007.00000002.300127240.0000000007000000.00000040.00000001.sdmp, Offset: 07000000, based on PE: false
Similarity
• API ID: ResumeThread
• String ID:
• API String ID: 947044025-0
• Opcode ID: 424528bd2758e5e8c973340a0521c18aff523a9286d0d06efb9b6c48b835c181
• Instruction ID: 30e6ba6fd5e1c881fedc36c6609463865b45773b3722b7028b66c495a4a20093
• Opcode Fuzzy Hash: 424528bd2758e5e8c973340a0521c18aff523a9286d0d06efb9b6c48b835c181
• Instruction Fuzzy Hash: A71128B19043498BDB10DFAAC8447EFBBF5AB88328F148429D519A7240DB74A944CBA0
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 00FB9636
Memory Dump Source
• Source File: 00000007.00000002.286020209.0000000000FB0000.00000040.00000001.sdmp, Offset: 00FB0000, based on PE: false
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
• Opcode ID: 1f0322e652f73888fbd6359cef193d75579747ef5d1781de10fd256760b175d5
• Instruction ID: c196d088bb7252a192664aa000b0314c91abc787a9b20b1d01886abc0f7096a1
• Opcode Fuzzy Hash: 1f0322e652f73888fbd6359cef193d75579747ef5d1781de10fd256760b175d5
• Instruction Fuzzy Hash: E011DFB5C046498FCB10CF9AD444BDEFBF5AB88324F14842AD929B7640D3B8A545CFA1
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000007.00000002.296910005.00000000056C0000.00000040.00000001.sdmp, Offset: 056C0000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0a8574b3f32440d30e47bd5f3d6579819a7b81e76a02372f9a7521c6d54ff2f5
• Instruction ID: abe2b0ad60345440b413994aa03ef4c2ae7a12add85b1e4a8976ba50e2ab1911
• Opcode Fuzzy Hash: 0a8574b3f32440d30e47bd5f3d6579819a7b81e76a02372f9a7521c6d54ff2f5
• Instruction Fuzzy Hash: 5541C332F041108BEB96FAA5A8447BEBFBEEB80650F0540BED90AE7740DB365D05C791
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000007.00000002.296910005.00000000056C0000.00000040.00000001.sdmp, Offset: 056C0000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c4c6819910eb12d13382262e317fee05fa78d9ff2cbc6a72a20d53ca1bf527a1
• Instruction ID: fc40ea4d479347a64d3987038f39f4156b309c783be83a5bcf74031924084d05
• Opcode Fuzzy Hash: c4c6819910eb12d13382262e317fee05fa78d9ff2cbc6a72a20d53ca1bf527a1
• Instruction Fuzzy Hash: CF01D770D04208EBDB45DFA9D5456ADBFBAEB44300F1088AEC40AE7240EB76AA85DF41
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000007.00000002.296910005.00000000056C0000.00000040.00000001.sdmp, Offset: 056C0000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 584a3913bed7d41f6751d29dc0af2e109adf5df94d8de11209de24b86f245c04
• Instruction ID: 2108930940694c1c8b8ad4272d9396267f2db374b9021a0985f6588530823504
• Opcode Fuzzy Hash: 584a3913bed7d41f6751d29dc0af2e109adf5df94d8de11209de24b86f245c04
• Instruction Fuzzy Hash: 6BA002742010009BC644DB54C991814F761EFC5219728C4DDA8198B256CF33ED03DA40
Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions