Play interactive tour

Edit tour

Analysis Report checklist pdf.exe

Overview

General Information

Sample Name:	checklist pdf.exe
Analysis ID:	323809
MD5:	33fb3c28df0f678c7c6ef72e7e748cb1
SHA1:	ab7fbfdaf59bf4d6c79bb7acf2b59dad316675f9
SHA256:	5295f63f8452d5ac0fc3577cb720949db21efe807059e0a74cadd4d9bbbc941f
Tags:	exeNanoCore
Most interesting Screenshot:

Detection

Nanocore

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected Nanocore Rat

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: NanoCore

Sigma detected: Scheduled temp file as task from temp location

Yara detected AntiVM_3

Yara detected Nanocore RAT

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

Contains functionality to log keystrokes (.Net Source)

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses dynamic DNS services

Uses schtasks.exe or at.exe to add and modify task schedules

Antivirus or Machine Learning detection for unpacked file

Contains capabilities to detect virtual machines

Contains functionality to call native functions

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Installs a raw input device (often for capturing keystrokes)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains strange resources

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Startup

System is w10x64

checklist pdf.exe (PID: 4728 cmdline: 'C:\Users\user\Desktop\checklist pdf.exe' MD5: 33FB3C28DF0F678C7C6EF72E7E748CB1)

schtasks.exe (PID: 6100 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\PUalpOJIfJW' /XML 'C:\Users\user\AppData\Local\Temp\tmpECD4.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 6132 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

checklist pdf.exe (PID: 4648 cmdline: {path} MD5: 33FB3C28DF0F678C7C6EF72E7E748CB1)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000003.00000002.501688763.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000003.00000002.501688763.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000003.00000002.501688763.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000000.00000002.249652144.00000000039C9000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x130445:$x1: NanoCore.ClientPluginHost 0x130482:$x2: IClientNetworkHost 0x133fb5:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.249652144.00000000039C9000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.249652144.00000000039C9000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1301ad:$a: NanoCore 0x1301bd:$a: NanoCore 0x1303f1:$a: NanoCore 0x130405:$a: NanoCore 0x130445:$a: NanoCore 0x13020c:$b: ClientPlugin 0x13040e:$b: ClientPlugin 0x13044e:$b: ClientPlugin 0x130333:$c: ProjectData 0x130d3a:$d: DESCrypto 0x138706:$e: KeepAlive 0x1366f4:$g: LogClientMessage 0x1328ef:$i: get_Connected 0x131070:$j: #=q 0x1310a0:$j: #=q 0x1310bc:$j: #=q 0x1310ec:$j: #=q 0x131108:$j: #=q 0x131124:$j: #=q 0x131154:$j: #=q 0x131170:$j: #=q
00000003.00000002.509908735.0000000005440000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
00000003.00000002.509908735.0000000005440000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
00000003.00000002.508000940.0000000004267000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000003.00000002.508000940.0000000004267000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x3395:$a: NanoCore 0x33ee:$a: NanoCore 0x342b:$a: NanoCore 0x34a4:$a: NanoCore 0x16b4f:$a: NanoCore 0x16b64:$a: NanoCore 0x16b99:$a: NanoCore 0x2f5f3:$a: NanoCore 0x2f608:$a: NanoCore 0x2f63d:$a: NanoCore 0x33f7:$b: ClientPlugin 0x3434:$b: ClientPlugin 0x3d32:$b: ClientPlugin 0x3d3f:$b: ClientPlugin 0x1690b:$b: ClientPlugin 0x16926:$b: ClientPlugin 0x16956:$b: ClientPlugin 0x16b6d:$b: ClientPlugin 0x16ba2:$b: ClientPlugin 0x2f3af:$b: ClientPlugin 0x2f3ca:$b: ClientPlugin
00000000.00000002.250632075.0000000003BB3000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x56325:$x1: NanoCore.ClientPluginHost 0x56362:$x2: IClientNetworkHost 0x59e95:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.250632075.0000000003BB3000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.250632075.0000000003BB3000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x5608d:$a: NanoCore 0x5609d:$a: NanoCore 0x562d1:$a: NanoCore 0x562e5:$a: NanoCore 0x56325:$a: NanoCore 0x560ec:$b: ClientPlugin 0x562ee:$b: ClientPlugin 0x5632e:$b: ClientPlugin 0x56213:$c: ProjectData 0x12ae90:$c: ProjectData 0x56c1a:$d: DESCrypto 0x12bbb6:$d: DESCrypto 0x5e5e6:$e: KeepAlive 0x5c5d4:$g: LogClientMessage 0x587cf:$i: get_Connected 0x56f50:$j: #=q 0x56f80:$j: #=q 0x56f9c:$j: #=q 0x56fcc:$j: #=q 0x56fe8:$j: #=q 0x57004:$j: #=q
00000003.00000002.510380996.00000000059B0000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
00000003.00000002.510380996.00000000059B0000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
00000003.00000002.510380996.00000000059B0000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.248350217.0000000002A3E000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: checklist pdf.exe PID: 4728	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xdb826:$x1: NanoCore.ClientPluginHost 0xdb887:$x2: IClientNetworkHost 0xe0c8c:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xeebfe:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: checklist pdf.exe PID: 4728	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: checklist pdf.exe PID: 4728	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: checklist pdf.exe PID: 4728	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xdb32b:$a: NanoCore 0xdb347:$a: NanoCore 0xdb4a2:$a: NanoCore 0xdb4b1:$a: NanoCore 0xdb78a:$a: NanoCore 0xdb7b6:$a: NanoCore 0xdb826:$a: NanoCore 0xeb268:$a: NanoCore 0xeb27a:$a: NanoCore 0xeb2b6:$a: NanoCore 0xdb3d2:$b: ClientPlugin 0xdb4fb:$b: ClientPlugin 0xdb7bf:$b: ClientPlugin 0xdb82f:$b: ClientPlugin 0xeb283:$b: ClientPlugin 0xeb2bf:$b: ClientPlugin 0xdb648:$c: ProjectData 0xeb1b5:$c: ProjectData 0x1eb2eb:$c: ProjectData 0x1ed093:$c: ProjectData 0x51c5c0:$c: ProjectData
Process Memory Space: checklist pdf.exe PID: 4648	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xdf936:$x1: NanoCore.ClientPluginHost 0x2367c1:$x1: NanoCore.ClientPluginHost 0x2ad1bc:$x1: NanoCore.ClientPluginHost 0x2b2d7b:$x1: NanoCore.ClientPluginHost 0x2c3bcb:$x1: NanoCore.ClientPluginHost 0x3250ba:$x1: NanoCore.ClientPluginHost 0x3ca3fc:$x1: NanoCore.ClientPluginHost 0xdf997:$x2: IClientNetworkHost 0x2367e7:$x2: IClientNetworkHost 0x2ad1e2:$x2: IClientNetworkHost 0x2b2dc0:$x2: IClientNetworkHost 0x2c3c10:$x2: IClientNetworkHost 0x3250ff:$x2: IClientNetworkHost 0x3ca422:$x2: IClientNetworkHost 0xe4d9c:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xf2d0e:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: checklist pdf.exe PID: 4648	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: checklist pdf.exe PID: 4648	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xdf43b:$a: NanoCore 0xdf457:$a: NanoCore 0xdf5b2:$a: NanoCore 0xdf5c1:$a: NanoCore 0xdf89a:$a: NanoCore 0xdf8c6:$a: NanoCore 0xdf936:$a: NanoCore 0xef378:$a: NanoCore 0xef38a:$a: NanoCore 0xef3c6:$a: NanoCore 0x2366b3:$a: NanoCore 0x236754:$a: NanoCore 0x2367c1:$a: NanoCore 0x236882:$a: NanoCore 0x237753:$a: NanoCore 0x2377a6:$a: NanoCore 0x2377df:$a: NanoCore 0x237852:$a: NanoCore 0x2ad0ae:$a: NanoCore 0x2ad14f:$a: NanoCore 0x2ad1bc:$a: NanoCore
Click to see the 19 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
3.2.checklist pdf.exe.5440000.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
3.2.checklist pdf.exe.5440000.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
3.2.checklist pdf.exe.59b0000.6.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
3.2.checklist pdf.exe.59b0000.6.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
3.2.checklist pdf.exe.59b0000.6.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
3.2.checklist pdf.exe.59b0000.6.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
3.2.checklist pdf.exe.59b0000.6.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
3.2.checklist pdf.exe.59b0000.6.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
3.2.checklist pdf.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
3.2.checklist pdf.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
3.2.checklist pdf.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
3.2.checklist pdf.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
Click to see the 7 entries

Sigma Overview

System Summary:

Sigma detected: NanoCore

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\checklist pdf.exe, ProcessId: 4648, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Sigma detected: Scheduled temp file as task from temp location

Show sources

Source: Process started

Author: Joe Security: Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\PUalpOJIfJW' /XML 'C:\Users\user\AppData\Local\Temp\tmpECD4.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\PUalpOJIfJW' /XML 'C:\Users\user\AppData\Local\Temp\tmpECD4.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\checklist pdf.exe' , ParentImage: C:\Users\user\Desktop\checklist pdf.exe, ParentProcessId: 4728, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\PUalpOJIfJW' /XML 'C:\Users\user\AppData\Local\Temp\tmpECD4.tmp', ProcessId: 6100

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\PUalpOJIfJW.exe

ReversingLabs: Detection: 37%

Multi AV Scanner detection for submitted file

Show sources

Source: checklist pdf.exe	Virustotal: Detection: 32%			Perma Link
Source: checklist pdf.exe	ReversingLabs: Detection: 37%

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000003.00000002.501688763.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.249652144.00000000039C9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.508000940.0000000004267000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.250632075.0000000003BB3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.510380996.00000000059B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: checklist pdf.exe PID: 4728, type: MEMORY
Source: Yara match	File source: Process Memory Space: checklist pdf.exe PID: 4648, type: MEMORY
Source: Yara match	File source: 3.2.checklist pdf.exe.59b0000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.checklist pdf.exe.59b0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.checklist pdf.exe.400000.0.unpack, type: UNPACKEDPE

Source: 3.2.checklist pdf.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 3.2.checklist pdf.exe.59b0000.6.unpack	Avira: Label: TR/NanoCore.fadte

Source: C:\Users\user\Desktop\checklist pdf.exe

Code function: 4x nop then jmp 04B4C14Ch

0_2_04B4B3AC

Networking:

Uses dynamic DNS services

Show sources

Source: unknown

DNS query: name: kingman1.ddns.net

Source: global traffic

TCP traffic: 192.168.2.5:49704 -> 194.5.98.129:4545

Source: Joe Sandbox View

ASN Name: DANILENKODE DANILENKODE

Source: unknown

DNS traffic detected: queries for: kingman1.ddns.net

Source: checklist pdf.exe, 00000000.00000002.251725059.0000000004F40000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: checklist pdf.exe, 00000000.00000002.251725059.0000000004F40000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: checklist pdf.exe, 00000000.00000003.236008822.0000000004E63000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coma
Source: checklist pdf.exe, 00000000.00000002.251725059.0000000004F40000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: checklist pdf.exe, 00000000.00000002.251725059.0000000004F40000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: checklist pdf.exe, 00000000.00000002.251725059.0000000004F40000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: checklist pdf.exe, 00000000.00000002.251725059.0000000004F40000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: checklist pdf.exe, 00000000.00000002.251725059.0000000004F40000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: checklist pdf.exe, 00000000.00000002.251725059.0000000004F40000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: checklist pdf.exe, 00000000.00000002.251725059.0000000004F40000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: checklist pdf.exe, 00000000.00000002.251725059.0000000004F40000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: checklist pdf.exe, 00000000.00000002.251725059.0000000004F40000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: checklist pdf.exe, 00000000.00000003.246990634.0000000004E50000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.coma
Source: checklist pdf.exe, 00000000.00000003.246990634.0000000004E50000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.come.comE
Source: checklist pdf.exe, 00000000.00000002.247712407.0000000000D27000.00000004.00000040.sdmp	String found in binary or memory: http://www.fonts.com
Source: checklist pdf.exe, 00000000.00000003.235767459.0000000004E5F000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.c&
Source: checklist pdf.exe, 00000000.00000003.235767459.0000000004E5F000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: checklist pdf.exe, 00000000.00000002.251725059.0000000004F40000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: checklist pdf.exe, 00000000.00000002.251725059.0000000004F40000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: checklist pdf.exe, 00000000.00000003.235767459.0000000004E5F000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cnM1
Source: checklist pdf.exe, 00000000.00000003.235869978.0000000004E63000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cnb-n
Source: checklist pdf.exe, 00000000.00000002.251725059.0000000004F40000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: checklist pdf.exe, 00000000.00000002.251725059.0000000004F40000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: checklist pdf.exe, 00000000.00000002.251725059.0000000004F40000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: checklist pdf.exe, 00000000.00000002.251725059.0000000004F40000.00000002.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: checklist pdf.exe, 00000000.00000003.236732753.0000000004E5D000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/)
Source: checklist pdf.exe, 00000000.00000003.236619084.0000000004E57000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/E
Source: checklist pdf.exe, 00000000.00000003.236448569.0000000004E5D000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/H
Source: checklist pdf.exe, 00000000.00000003.236369930.0000000004E56000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/P
Source: checklist pdf.exe, 00000000.00000003.236517335.0000000004E5C000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/X
Source: checklist pdf.exe, 00000000.00000003.236732753.0000000004E5D000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0
Source: checklist pdf.exe, 00000000.00000003.236517335.0000000004E5C000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0/E
Source: checklist pdf.exe, 00000000.00000003.236517335.0000000004E5C000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0s
Source: checklist pdf.exe, 00000000.00000003.236517335.0000000004E5C000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: checklist pdf.exe, 00000000.00000003.236517335.0000000004E5C000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/H
Source: checklist pdf.exe, 00000000.00000003.236619084.0000000004E57000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/J
Source: checklist pdf.exe, 00000000.00000003.236517335.0000000004E5C000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/v
Source: checklist pdf.exe, 00000000.00000003.236448569.0000000004E5D000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/v
Source: checklist pdf.exe, 00000000.00000002.251725059.0000000004F40000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: checklist pdf.exe, 00000000.00000002.251725059.0000000004F40000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: checklist pdf.exe, 00000000.00000002.251725059.0000000004F40000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: checklist pdf.exe, 00000000.00000002.251725059.0000000004F40000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: checklist pdf.exe, 00000000.00000002.251725059.0000000004F40000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: checklist pdf.exe, 00000000.00000002.251725059.0000000004F40000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: checklist pdf.exe, 00000000.00000002.251725059.0000000004F40000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: checklist pdf.exe, 00000000.00000003.235981732.0000000004E64000.00000004.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cna
Source: checklist pdf.exe	String found in binary or memory: https://api.coinmarketcap.com/v1/ticker/
Source: checklist pdf.exe	String found in binary or memory: https://coinmarketcap.com/api/

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to log keystrokes (.Net Source)

Show sources

Source: PUalpOJIfJW.exe.0.dr, Utilities/GlobalKeyboardHook.cs	.Net Code: Hook
Source: 0.0.checklist pdf.exe.2f0000.0.unpack, Utilities/GlobalKeyboardHook.cs	.Net Code: Hook
Source: 0.2.checklist pdf.exe.2f0000.0.unpack, Utilities/GlobalKeyboardHook.cs	.Net Code: Hook
Source: 3.2.checklist pdf.exe.a00000.1.unpack, Utilities/GlobalKeyboardHook.cs	.Net Code: Hook

Source: checklist pdf.exe, 00000003.00000002.508000940.0000000004267000.00000004.00000001.sdmp

Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000003.00000002.501688763.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.249652144.00000000039C9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.508000940.0000000004267000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.250632075.0000000003BB3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.510380996.00000000059B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: checklist pdf.exe PID: 4728, type: MEMORY
Source: Yara match	File source: Process Memory Space: checklist pdf.exe PID: 4648, type: MEMORY
Source: Yara match	File source: 3.2.checklist pdf.exe.59b0000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.checklist pdf.exe.59b0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.checklist pdf.exe.400000.0.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000003.00000002.501688763.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000003.00000002.501688763.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.249652144.00000000039C9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.249652144.00000000039C9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000002.509908735.0000000005440000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000003.00000002.508000940.0000000004267000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.250632075.0000000003BB3000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.250632075.0000000003BB3000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000002.510380996.00000000059B0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: checklist pdf.exe PID: 4728, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: checklist pdf.exe PID: 4728, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: checklist pdf.exe PID: 4648, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: checklist pdf.exe PID: 4648, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.2.checklist pdf.exe.5440000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.checklist pdf.exe.59b0000.6.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.checklist pdf.exe.59b0000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.checklist pdf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.checklist pdf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>

Source: C:\Users\user\Desktop\checklist pdf.exe	Code function: 0_2_066A1A36 NtQuerySystemInformation,	0_2_066A1A36
Source: C:\Users\user\Desktop\checklist pdf.exe	Code function: 0_2_066A1A05 NtQuerySystemInformation,	0_2_066A1A05
Source: C:\Users\user\Desktop\checklist pdf.exe	Code function: 3_2_052C136A NtQuerySystemInformation,	3_2_052C136A
Source: C:\Users\user\Desktop\checklist pdf.exe	Code function: 3_2_052C132F NtQuerySystemInformation,	3_2_052C132F

Source: C:\Users\user\Desktop\checklist pdf.exe	Code function: 0_2_04B414B0	0_2_04B414B0
Source: C:\Users\user\Desktop\checklist pdf.exe	Code function: 0_2_04B49CC1	0_2_04B49CC1
Source: C:\Users\user\Desktop\checklist pdf.exe	Code function: 0_2_04B4B3AC	0_2_04B4B3AC
Source: C:\Users\user\Desktop\checklist pdf.exe	Code function: 0_2_04B427E4	0_2_04B427E4
Source: C:\Users\user\Desktop\checklist pdf.exe	Code function: 0_2_04B44B30	0_2_04B44B30
Source: C:\Users\user\Desktop\checklist pdf.exe	Code function: 0_2_04B49CF8	0_2_04B49CF8
Source: C:\Users\user\Desktop\checklist pdf.exe	Code function: 0_2_04B4A1C7	0_2_04B4A1C7
Source: C:\Users\user\Desktop\checklist pdf.exe	Code function: 0_2_04B49D1C	0_2_04B49D1C
Source: C:\Users\user\Desktop\checklist pdf.exe	Code function: 3_2_01377ABE	3_2_01377ABE
Source: C:\Users\user\Desktop\checklist pdf.exe	Code function: 3_2_05268468	3_2_05268468
Source: C:\Users\user\Desktop\checklist pdf.exe	Code function: 3_2_05269068	3_2_05269068
Source: C:\Users\user\Desktop\checklist pdf.exe	Code function: 3_2_052623A0	3_2_052623A0
Source: C:\Users\user\Desktop\checklist pdf.exe	Code function: 3_2_05262FA8	3_2_05262FA8
Source: C:\Users\user\Desktop\checklist pdf.exe	Code function: 3_2_0526AEF8	3_2_0526AEF8
Source: C:\Users\user\Desktop\checklist pdf.exe	Code function: 3_2_0526912F	3_2_0526912F
Source: C:\Users\user\Desktop\checklist pdf.exe	Code function: 3_2_0526306F	3_2_0526306F

Source: checklist pdf.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: PUalpOJIfJW.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: checklist pdf.exe	Binary or memory string: OriginalFilename vs checklist pdf.exe
Source: checklist pdf.exe, 00000000.00000002.247125807.00000000002F2000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamez3 vs checklist pdf.exe
Source: checklist pdf.exe, 00000000.00000002.253340179.00000000065F0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs checklist pdf.exe
Source: checklist pdf.exe, 00000000.00000002.253869691.0000000006800000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameB2B.exe4 vs checklist pdf.exe
Source: checklist pdf.exe, 00000000.00000002.254721885.0000000006FD0000.00000002.00000001.sdmp	Binary or memory string: originalfilename vs checklist pdf.exe
Source: checklist pdf.exe, 00000000.00000002.254721885.0000000006FD0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs checklist pdf.exe
Source: checklist pdf.exe, 00000000.00000002.254226045.0000000006ED0000.00000002.00000001.sdmp	Binary or memory string: System.OriginalFileName vs checklist pdf.exe
Source: checklist pdf.exe, 00000000.00000002.253421979.0000000006650000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameMARCUS.dll4 vs checklist pdf.exe
Source: checklist pdf.exe	Binary or memory string: OriginalFilename vs checklist pdf.exe
Source: checklist pdf.exe, 00000003.00000002.510666524.0000000006600000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs checklist pdf.exe
Source: checklist pdf.exe, 00000003.00000002.509231793.00000000052B0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameuser32j% vs checklist pdf.exe
Source: checklist pdf.exe, 00000003.00000002.501952278.0000000000A02000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamez3 vs checklist pdf.exe
Source: checklist pdf.exe, 00000003.00000002.509908735.0000000005440000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameClientPlugin.dll4 vs checklist pdf.exe
Source: checklist pdf.exe, 00000003.00000002.510102364.00000000055B0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs checklist pdf.exe
Source: checklist pdf.exe, 00000003.00000002.508000940.0000000004267000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameLzma#.dll4 vs checklist pdf.exe
Source: checklist pdf.exe, 00000003.00000002.508000940.0000000004267000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs checklist pdf.exe
Source: checklist pdf.exe	Binary or memory string: OriginalFilenamez3 vs checklist pdf.exe

Source: 00000003.00000002.501688763.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000003.00000002.501688763.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.249652144.00000000039C9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.249652144.00000000039C9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000003.00000002.509908735.0000000005440000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000003.00000002.509908735.0000000005440000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000003.00000002.508000940.0000000004267000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.250632075.0000000003BB3000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.250632075.0000000003BB3000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000003.00000002.510380996.00000000059B0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000003.00000002.510380996.00000000059B0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: Process Memory Space: checklist pdf.exe PID: 4728, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: checklist pdf.exe PID: 4728, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: checklist pdf.exe PID: 4648, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: checklist pdf.exe PID: 4648, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 3.2.checklist pdf.exe.5440000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.2.checklist pdf.exe.5440000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.checklist pdf.exe.59b0000.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.2.checklist pdf.exe.59b0000.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.checklist pdf.exe.59b0000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.2.checklist pdf.exe.59b0000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.checklist pdf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.2.checklist pdf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.checklist pdf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore

Source: checklist pdf.exe	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: PUalpOJIfJW.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: 3.2.checklist pdf.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 3.2.checklist pdf.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 3.2.checklist pdf.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@6/4@23/2

Source: C:\Users\user\Desktop\checklist pdf.exe	Code function: 0_2_066A18BA AdjustTokenPrivileges,	0_2_066A18BA
Source: C:\Users\user\Desktop\checklist pdf.exe	Code function: 0_2_066A1883 AdjustTokenPrivileges,	0_2_066A1883
Source: C:\Users\user\Desktop\checklist pdf.exe	Code function: 3_2_052C112A AdjustTokenPrivileges,	3_2_052C112A
Source: C:\Users\user\Desktop\checklist pdf.exe	Code function: 3_2_052C10F3 AdjustTokenPrivileges,	3_2_052C10F3

Source: C:\Users\user\Desktop\checklist pdf.exe

File created: C:\Users\user\AppData\Roaming\PUalpOJIfJW.exe

Jump to behavior

Source: C:\Users\user\Desktop\checklist pdf.exe	Mutant created: \Sessions\1\BaseNamedObjects\kDLjLtOaX
Source: C:\Users\user\Desktop\checklist pdf.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6132:120:WilError_01
Source: C:\Users\user\Desktop\checklist pdf.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{4e4bd5d9-18d3-437e-8c11-5aa0bfb7769c}

Source: C:\Users\user\Desktop\checklist pdf.exe

File created: C:\Users\user\AppData\Local\Temp\tmpECD4.tmp

Jump to behavior

Source: checklist pdf.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\checklist pdf.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior

Source: C:\Users\user\Desktop\checklist pdf.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\checklist pdf.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: checklist pdf.exe	Virustotal: Detection: 32%
Source: checklist pdf.exe	ReversingLabs: Detection: 37%

Source: C:\Users\user\Desktop\checklist pdf.exe

File read: C:\Users\user\Desktop\checklist pdf.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\checklist pdf.exe 'C:\Users\user\Desktop\checklist pdf.exe'
Source: unknown	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\PUalpOJIfJW' /XML 'C:\Users\user\AppData\Local\Temp\tmpECD4.tmp'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\Desktop\checklist pdf.exe {path}
Source: C:\Users\user\Desktop\checklist pdf.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\PUalpOJIfJW' /XML 'C:\Users\user\AppData\Local\Temp\tmpECD4.tmp'	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Process created: C:\Users\user\Desktop\checklist pdf.exe {path}	Jump to behavior

Source: C:\Users\user\Desktop\checklist pdf.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\checklist pdf.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Jump to behavior

Source: checklist pdf.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: C:\Users\user\Desktop\checklist pdf.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Jump to behavior

Source: checklist pdf.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:

Binary string: mscorrc.pdb source: checklist pdf.exe, 00000000.00000002.253340179.00000000065F0000.00000002.00000001.sdmp, checklist pdf.exe, 00000003.00000002.510102364.00000000055B0000.00000002.00000001.sdmp

Data Obfuscation:

.NET source code contains potential unpacker

Show sources

Source: PUalpOJIfJW.exe.0.dr, SimpleTickerWindowsForms/SimpleTickerView.cs	.Net Code: dddddddddddd System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.checklist pdf.exe.2f0000.0.unpack, SimpleTickerWindowsForms/SimpleTickerView.cs	.Net Code: dddddddddddd System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.checklist pdf.exe.2f0000.0.unpack, SimpleTickerWindowsForms/SimpleTickerView.cs	.Net Code: dddddddddddd System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 3.2.checklist pdf.exe.a00000.1.unpack, SimpleTickerWindowsForms/SimpleTickerView.cs	.Net Code: dddddddddddd System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 3.2.checklist pdf.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 3.2.checklist pdf.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: C:\Users\user\Desktop\checklist pdf.exe	Code function: 0_2_00A628AC push cs; ret	0_2_00A629AA
Source: C:\Users\user\Desktop\checklist pdf.exe	Code function: 0_2_00A62C71 push es; ret	0_2_00A62C72
Source: C:\Users\user\Desktop\checklist pdf.exe	Code function: 0_2_04B4575F push ecx; iretd	0_2_04B45760
Source: C:\Users\user\Desktop\checklist pdf.exe	Code function: 3_2_01362BBD push cs; ret	3_2_01362BEA
Source: C:\Users\user\Desktop\checklist pdf.exe	Code function: 3_2_01362BEC push cs; ret	3_2_01362BEA

Source: initial sample	Static PE information: section name: .text entropy: 7.54197829505
Source: initial sample	Static PE information: section name: .text entropy: 7.54197829505

Source: 3.2.checklist pdf.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 3.2.checklist pdf.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'

Source: C:\Users\user\Desktop\checklist pdf.exe

File created: C:\Users\user\AppData\Roaming\PUalpOJIfJW.exe

Jump to dropped file

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules

Show sources

Source: unknown

Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\PUalpOJIfJW' /XML 'C:\Users\user\AppData\Local\Temp\tmpECD4.tmp'

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Users\user\Desktop\checklist pdf.exe

File opened: C:\Users\user\Desktop\checklist pdf.exe:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Users\user\Desktop\checklist pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM_3

Show sources

Source: Yara match	File source: 00000000.00000002.248350217.0000000002A3E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: checklist pdf.exe PID: 4728, type: MEMORY

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: checklist pdf.exe, 00000000.00000002.249543827.0000000002D4D000.00000004.00000001.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: checklist pdf.exe, 00000000.00000002.249543827.0000000002D4D000.00000004.00000001.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAMEX1(R_
Source: checklist pdf.exe, 00000000.00000002.249543827.0000000002D4D000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL
Source: checklist pdf.exe, 00000000.00000002.249543827.0000000002D4D000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLLX1(R(X

Source: C:\Users\user\Desktop\checklist pdf.exe

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Jump to behavior

Source: C:\Users\user\Desktop\checklist pdf.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Users\user\Desktop\checklist pdf.exe	Window / User API: threadDelayed 745			Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Window / User API: foregroundWindowGot 948			Jump to behavior

Source: C:\Users\user\Desktop\checklist pdf.exe TID: 5356	Thread sleep time: -41500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe TID: 5604	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe TID: 5456	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe TID: 5456	Thread sleep count: 194 > 30	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe TID: 5456	Thread sleep count: 745 > 30	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe TID: 2268	Thread sleep count: 316 > 30	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe TID: 5456	Thread sleep count: 83 > 30	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe TID: 4440	Thread sleep time: -220000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\checklist pdf.exe

Code function: 3_2_052C0DB6 GetSystemInfo,

3_2_052C0DB6

Source: checklist pdf.exe, 00000000.00000002.249543827.0000000002D4D000.00000004.00000001.sdmp	Binary or memory string: VMware
Source: checklist pdf.exe, 00000000.00000002.249543827.0000000002D4D000.00000004.00000001.sdmp	Binary or memory string: VMware\|9(r
Source: checklist pdf.exe, 00000003.00000002.510666524.0000000006600000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: checklist pdf.exe, 00000000.00000002.249543827.0000000002D4D000.00000004.00000001.sdmp	Binary or memory string: VMWAREX1(riy
Source: checklist pdf.exe, 00000000.00000002.249543827.0000000002D4D000.00000004.00000001.sdmp	Binary or memory string: QEMUX1(rX
Source: checklist pdf.exe, 00000000.00000002.249543827.0000000002D4D000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA IIX1(r
Source: checklist pdf.exe, 00000000.00000002.249543827.0000000002D4D000.00000004.00000001.sdmp	Binary or memory string: VMWARE
Source: checklist pdf.exe, 00000000.00000002.249543827.0000000002D4D000.00000004.00000001.sdmp	Binary or memory string: VMWARE\|9(r
Source: checklist pdf.exe, 00000000.00000002.249543827.0000000002D4D000.00000004.00000001.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: checklist pdf.exe, 00000000.00000002.249543827.0000000002D4D000.00000004.00000001.sdmp	Binary or memory string: (r#"SOFTWARE\VMware, Inc.\VMware ToolsX1(rDy
Source: checklist pdf.exe, 00000003.00000002.510666524.0000000006600000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: checklist pdf.exe, 00000003.00000002.510666524.0000000006600000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: checklist pdf.exe, 00000000.00000002.249543827.0000000002D4D000.00000004.00000001.sdmp	Binary or memory string: vmwareX1(r{~
Source: checklist pdf.exe, 00000000.00000002.249543827.0000000002D4D000.00000004.00000001.sdmp	Binary or memory string: VMware
Source: checklist pdf.exe, 00000000.00000002.249543827.0000000002D4D000.00000004.00000001.sdmp	Binary or memory string: VMware \|9(r
Source: checklist pdf.exe, 00000000.00000002.249543827.0000000002D4D000.00000004.00000001.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: checklist pdf.exe, 00000000.00000002.249543827.0000000002D4D000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: checklist pdf.exe, 00000000.00000002.249543827.0000000002D4D000.00000004.00000001.sdmp	Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: checklist pdf.exe, 00000000.00000002.249543827.0000000002D4D000.00000004.00000001.sdmp	Binary or memory string: (r&%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\X1(r
Source: checklist pdf.exe, 00000003.00000003.256504161.0000000001209000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: checklist pdf.exe, 00000003.00000002.510666524.0000000006600000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Users\user\Desktop\checklist pdf.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\checklist pdf.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\checklist pdf.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

.NET source code references suspicious native API functions

Show sources

Source: PUalpOJIfJW.exe.0.dr, Utilities/GlobalKeyboardHook.cs	Reference to suspicious API methods: ('LoadLibrary', 'LoadLibrary@kernel32.dll')
Source: 0.0.checklist pdf.exe.2f0000.0.unpack, Utilities/GlobalKeyboardHook.cs	Reference to suspicious API methods: ('LoadLibrary', 'LoadLibrary@kernel32.dll')
Source: 0.2.checklist pdf.exe.2f0000.0.unpack, Utilities/GlobalKeyboardHook.cs	Reference to suspicious API methods: ('LoadLibrary', 'LoadLibrary@kernel32.dll')
Source: 3.2.checklist pdf.exe.a00000.1.unpack, Utilities/GlobalKeyboardHook.cs	Reference to suspicious API methods: ('LoadLibrary', 'LoadLibrary@kernel32.dll')
Source: 3.2.checklist pdf.exe.400000.0.unpack, u0023u003dqjryTBW16mUfo_ItH9KWoGQu003du003d.cs	Reference to suspicious API methods: ('#=qxG$Aklpbf6gyBfAqTMmORA==', 'OpenProcess@kernel32.dll'), ('#=qh7diH14jww3Fm9rMJ_jIfQ==', 'FindResourceEx@kernel32.dll')

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\Desktop\checklist pdf.exe

Memory written: C:\Users\user\Desktop\checklist pdf.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\checklist pdf.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\PUalpOJIfJW' /XML 'C:\Users\user\AppData\Local\Temp\tmpECD4.tmp'			Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Process created: C:\Users\user\Desktop\checklist pdf.exe {path}			Jump to behavior

Source: checklist pdf.exe, 00000003.00000003.256504161.0000000001209000.00000004.00000001.sdmp	Binary or memory string: Program Manager
Source: checklist pdf.exe, 00000003.00000002.503557397.00000000017A0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: checklist pdf.exe, 00000003.00000002.503557397.00000000017A0000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: checklist pdf.exe, 00000003.00000002.503557397.00000000017A0000.00000002.00000001.sdmp	Binary or memory string: SProgram Managerl
Source: checklist pdf.exe, 00000003.00000002.507713873.000000000343B000.00000004.00000001.sdmp	Binary or memory string: Program Manager0
Source: checklist pdf.exe, 00000003.00000002.503557397.00000000017A0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd,
Source: checklist pdf.exe, 00000003.00000002.503557397.00000000017A0000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\checklist pdf.exe

Code function: 3_2_0136AF9A GetUserNameW,

3_2_0136AF9A

Source: C:\Users\user\Desktop\checklist pdf.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000003.00000002.501688763.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.249652144.00000000039C9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.508000940.0000000004267000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.250632075.0000000003BB3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.510380996.00000000059B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: checklist pdf.exe PID: 4728, type: MEMORY
Source: Yara match	File source: Process Memory Space: checklist pdf.exe PID: 4648, type: MEMORY
Source: Yara match	File source: 3.2.checklist pdf.exe.59b0000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.checklist pdf.exe.59b0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.checklist pdf.exe.400000.0.unpack, type: UNPACKEDPE

Remote Access Functionality:

Detected Nanocore Rat

Show sources

Source: checklist pdf.exe, 00000000.00000002.249652144.00000000039C9000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: checklist pdf.exe, 00000003.00000002.501688763.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: checklist pdf.exe, 00000003.00000002.509908735.0000000005440000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000003.00000002.501688763.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.249652144.00000000039C9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.508000940.0000000004267000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.250632075.0000000003BB3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.510380996.00000000059B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: checklist pdf.exe PID: 4728, type: MEMORY
Source: Yara match	File source: Process Memory Space: checklist pdf.exe PID: 4648, type: MEMORY
Source: Yara match	File source: 3.2.checklist pdf.exe.59b0000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.checklist pdf.exe.59b0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.checklist pdf.exe.400000.0.unpack, type: UNPACKEDPE

Source: C:\Users\user\Desktop\checklist pdf.exe	Code function: 3_2_052C2442 bind,		3_2_052C2442
Source: C:\Users\user\Desktop\checklist pdf.exe	Code function: 3_2_052C23F0 bind,		3_2_052C23F0

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Native API1	Scheduled Task/Job1	Access Token Manipulation1	Disable or Modify Tools1	Input Capture111	Account Discovery1	Remote Services	Archive Collected Data11	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job1	Boot or Logon Initialization Scripts	Process Injection112	Deobfuscate/Decode Files or Information1	LSASS Memory	File and Directory Discovery1	Remote Desktop Protocol	Input Capture111	Exfiltration Over Bluetooth	Non-Standard Port1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Scheduled Task/Job1	Obfuscated Files or Information3	Security Account Manager	System Information Discovery13	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Remote Access Software1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Software Packing13	NTDS	Security Software Discovery211	Distributed Component Object Model	Input Capture	Scheduled Transfer	Non-Application Layer Protocol1	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Masquerading1	LSA Secrets	Virtualization/Sandbox Evasion3	SSH	Keylogging	Data Transfer Size Limits	Application Layer Protocol11	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Virtualization/Sandbox Evasion3	Cached Domain Credentials	Process Discovery2	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Access Token Manipulation1	DCSync	Application Window Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Process Injection112	Proc Filesystem	System Owner/User Discovery1	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Hidden Files and Directories1	/etc/passwd and /etc/shadow	System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
checklist pdf.exe	32%	Virustotal		Browse
checklist pdf.exe	38%	ReversingLabs	ByteCode-MSIL.Spyware.Negasteal

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\PUalpOJIfJW.exe	38%	ReversingLabs	ByteCode-MSIL.Spyware.Negasteal

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
3.2.checklist pdf.exe.400000.0.unpack	100%	Avira	TR/Dropper.MSIL.Gen7		Download File
3.2.checklist pdf.exe.59b0000.6.unpack	100%	Avira	TR/NanoCore.fadte		Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://www.carterandcone.coma	0%	URL Reputation	safe
http://www.carterandcone.coma	0%	URL Reputation	safe
http://www.carterandcone.coma	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/X	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/X	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/X	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/jp/H	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/P	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/P	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/P	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/jp/J	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/Y0/E	0%	Avira URL Cloud	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/H	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/H	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/H	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/E	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/Y0s	0%	Avira URL Cloud	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.founder.com.cn/cnM1	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/jp/v	0%	Avira URL Cloud	safe
http://www.fontbureau.coma	0%	URL Reputation	safe
http://www.fontbureau.coma	0%	URL Reputation	safe
http://www.fontbureau.coma	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/v	0%	Avira URL Cloud	safe
http://www.zhongyicts.com.cna	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cnb-n	0%	Avira URL Cloud	safe
http://www.fontbureau.come.comE	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/)	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/Y0	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/Y0	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/Y0	0%	URL Reputation	safe
http://www.founder.com.c&	0%	Avira URL Cloud	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
kingman1.ddns.net	194.5.98.129	true	true		unknown
g.msn.com	unknown	unknown	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.carterandcone.coma	checklist pdf.exe, 00000000.00000003.236008822.0000000004E63000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0	checklist pdf.exe, 00000000.00000002.251725059.0000000004F40000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com	checklist pdf.exe, 00000000.00000002.251725059.0000000004F40000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com/designersG	checklist pdf.exe, 00000000.00000002.251725059.0000000004F40000.00000002.00000001.sdmp	false		high
http://www.jiyu-kobo.co.jp/X	checklist pdf.exe, 00000000.00000003.236517335.0000000004E5C000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/?	checklist pdf.exe, 00000000.00000002.251725059.0000000004F40000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn/bThe	checklist pdf.exe, 00000000.00000002.251725059.0000000004F40000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers?	checklist pdf.exe, 00000000.00000002.251725059.0000000004F40000.00000002.00000001.sdmp	false		high
http://www.jiyu-kobo.co.jp/jp/H	checklist pdf.exe, 00000000.00000003.236517335.0000000004E5C000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/P	checklist pdf.exe, 00000000.00000003.236369930.0000000004E56000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/jp/J	checklist pdf.exe, 00000000.00000003.236619084.0000000004E57000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://coinmarketcap.com/api/	checklist pdf.exe	false		high
http://www.jiyu-kobo.co.jp/Y0/E	checklist pdf.exe, 00000000.00000003.236517335.0000000004E5C000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.tiro.com	checklist pdf.exe, 00000000.00000002.251725059.0000000004F40000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/H	checklist pdf.exe, 00000000.00000003.236448569.0000000004E5D000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/E	checklist pdf.exe, 00000000.00000003.236619084.0000000004E57000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/Y0s	checklist pdf.exe, 00000000.00000003.236517335.0000000004E5C000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers	checklist pdf.exe, 00000000.00000002.251725059.0000000004F40000.00000002.00000001.sdmp	false		high
https://api.coinmarketcap.com/v1/ticker/	checklist pdf.exe	false		high
http://www.goodfont.co.kr	checklist pdf.exe, 00000000.00000002.251725059.0000000004F40000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cnM1	checklist pdf.exe, 00000000.00000003.235767459.0000000004E5F000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/jp/	checklist pdf.exe, 00000000.00000003.236517335.0000000004E5C000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/jp/v	checklist pdf.exe, 00000000.00000003.236517335.0000000004E5C000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.coma	checklist pdf.exe, 00000000.00000003.246990634.0000000004E50000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.carterandcone.coml	checklist pdf.exe, 00000000.00000002.251725059.0000000004F40000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.sajatypeworks.com	checklist pdf.exe, 00000000.00000002.251725059.0000000004F40000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.typography.netD	checklist pdf.exe, 00000000.00000002.251725059.0000000004F40000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	checklist pdf.exe, 00000000.00000002.251725059.0000000004F40000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn/cThe	checklist pdf.exe, 00000000.00000002.251725059.0000000004F40000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	checklist pdf.exe, 00000000.00000002.251725059.0000000004F40000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://fontfabrik.com	checklist pdf.exe, 00000000.00000002.251725059.0000000004F40000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cn	checklist pdf.exe, 00000000.00000003.235767459.0000000004E5F000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-jones.html	checklist pdf.exe, 00000000.00000002.251725059.0000000004F40000.00000002.00000001.sdmp	false		high
http://www.jiyu-kobo.co.jp/v	checklist pdf.exe, 00000000.00000003.236448569.0000000004E5D000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.zhongyicts.com.cna	checklist pdf.exe, 00000000.00000003.235981732.0000000004E64000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.founder.com.cn/cnb-n	checklist pdf.exe, 00000000.00000003.235869978.0000000004E63000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.come.comE	checklist pdf.exe, 00000000.00000003.246990634.0000000004E50000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/	checklist pdf.exe, 00000000.00000002.251725059.0000000004F40000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/DPlease	checklist pdf.exe, 00000000.00000002.251725059.0000000004F40000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/)	checklist pdf.exe, 00000000.00000003.236732753.0000000004E5D000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/Y0	checklist pdf.exe, 00000000.00000003.236732753.0000000004E5D000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	checklist pdf.exe, 00000000.00000002.251725059.0000000004F40000.00000002.00000001.sdmp	false		high
http://www.fonts.com	checklist pdf.exe, 00000000.00000002.247712407.0000000000D27000.00000004.00000040.sdmp	false		high
http://www.founder.com.c&	checklist pdf.exe, 00000000.00000003.235767459.0000000004E5F000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://www.sandoll.co.kr	checklist pdf.exe, 00000000.00000002.251725059.0000000004F40000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.urwpp.deDPlease	checklist pdf.exe, 00000000.00000002.251725059.0000000004F40000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	checklist pdf.exe, 00000000.00000002.251725059.0000000004F40000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.sakkal.com	checklist pdf.exe, 00000000.00000002.251725059.0000000004F40000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
194.5.98.129	unknown	Netherlands		208476	DANILENKODE	true

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	31.0.0 Red Diamond
Analysis ID:	323809
Start date:	27.11.2020
Start time:	15:23:56
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 8m 20s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	checklist pdf.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	22
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@6/4@23/2
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 99% Number of executed functions: 346 Number of non-executed functions: 2
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information. Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe Excluded IPs from analysis (whitelisted): 104.79.90.110, 52.147.198.201, 13.88.21.125, 51.104.144.132, 20.54.26.129, 205.185.216.10, 205.185.216.42, 51.103.5.186, 52.142.114.176, 92.122.213.247, 92.122.213.194 Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, wns.notify.windows.com.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, g-msn-com-nsatc.trafficmanager.net, par02p.wns.notify.windows.com.akadns.net, emea1.notify.windows.com.akadns.net, audownload.windowsupdate.nsatc.net, au.download.windowsupdate.com.hwcdn.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, client.wns.windows.com, fs.microsoft.com, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, cds.d2s7q6s2.hwcdn.net, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus15.cloudapp.net Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
15:24:53	API Interceptor	1035x Sleep call for process: checklist pdf.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
DANILENKODE	PEDIDO-6764,pdf.exe	Get hash	malicious	Browse	194.5.98.14
	DHL_Express_Consignment_Details.exe	Get hash	malicious	Browse	194.5.98.78
	Quotation ATB-PR28500KINH.exe	Get hash	malicious	Browse	194.5.97.9
	Quotation ATB-PR28500KINH.exe	Get hash	malicious	Browse	194.5.97.9
	19112020778IMG78487784.exe	Get hash	malicious	Browse	194.5.97.249
	PaymentConformation.exe	Get hash	malicious	Browse	194.5.97.202
	bGtm3bQKUj.exe	Get hash	malicious	Browse	194.5.98.122
	IMAGE-18112020.exe	Get hash	malicious	Browse	194.5.97.17
	Covid-19 relief.exe	Get hash	malicious	Browse	194.5.97.21
	tax-relief.exe	Get hash	malicious	Browse	194.5.97.166
	Ref-BID PRICE.exe	Get hash	malicious	Browse	194.5.98.252
	1ttmgYD97B.exe	Get hash	malicious	Browse	194.5.99.163
	2mtUEXin7W.exe	Get hash	malicious	Browse	194.5.99.163
	wk59hOo880.exe	Get hash	malicious	Browse	194.5.99.163
	BCVaSYrgmG.exe	Get hash	malicious	Browse	194.5.99.163
	30203490666.exe	Get hash	malicious	Browse	194.5.98.199
	InSppuoN2s.exe	Get hash	malicious	Browse	194.5.98.196
	Av01vC7kS1.exe	Get hash	malicious	Browse	194.5.97.155
	yb1rlaFJuO.exe	Get hash	malicious	Browse	194.5.99.163
	1MwYrZqjEy.exe	Get hash	malicious	Browse	194.5.99.163

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\checklist pdf.exe.log Download File
Process:	C:\Users\user\Desktop\checklist pdf.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	777
Entropy (8bit):	5.26742276088186
Encrypted:	false
SSDEEP:	24:MLF20NaL329hJ5g522rW26K95rKoO2I3rOz2T:MwLLG9h3go2rx6oxkr+2T
MD5:	2B6C737933EA1F082E0AA5CF21FE4B27
SHA1:	AB8133CDDD6361EC01FC5C6F2434A0666C764A62
SHA-256:	3D9DC8F0D25AFD18708145A78CF868393C4FD99989D02E090080C93A680680F9
SHA-512:	72E6087A511A26BD1811F74468D2D72A84818C0A8BB2F8CB72FFAD5FA8440E176F2238311DD9644F3CA3007E11DAB71B8CB62323400F25A7D61FBAB7CF329968
Malicious:	true
Reputation:	low
Preview:	1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Configuration\de460308a9099237864d2ec2328fc958\System.Configuration.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Web\d05d469d89b319a068f2123e7e6f8621\System.Web.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0..

C:\Users\user\AppData\Local\Temp\tmpECD4.tmp Download File
Process:	C:\Users\user\Desktop\checklist pdf.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1648
Entropy (8bit):	5.17327511273268
Encrypted:	false
SSDEEP:	24:2dH4+SEqC/a7hTlNMFpH/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBUtn:cbhC7ZlNQF/rydbz9I3YODOLNdq3Q
MD5:	95DB87F25A16CF410E85B362AF9E8C54
SHA1:	0E2E257BFE1735C46F12884B7F525DE75C528617
SHA-256:	4963527151134293B0D4E677DB01EAE3CB0FD852A47FA6D98C92F9AE8AEE13D6
SHA-512:	100AD6AAE6DD06783F8CFFB5378BA3FCCBE6BDB2767ABFF156F72A79F67073CCFB614EAE1D693E6057A6F32231C4F39A16EF059BA6DA31B3A7B964295AD883F7
Malicious:	true
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>t

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat Download File
Process:	C:\Users\user\Desktop\checklist pdf.exe
File Type:	data
Category:	dropped
Size (bytes):	8
Entropy (8bit):	3.0
Encrypted:	false
SSDEEP:	3:4N29t:4Nat
MD5:	1E849DE2B5A6913898333D1F94BCE8B7
SHA1:	217ED3764189A0E975CAEDC45368F292AF096215
SHA-256:	735F07332B146A283995E832359A13973DB93A3DB051E65AE1FCAA980F96F1B8
SHA-512:	D2196DA8B1C79B182A949E23519DEE669DE2A33B98126807D5AD08B61CEFDE55A0C5951A6BD89546E41C86D59D8B08F7CC8B5088B29254DE0D43087FC5702597
Malicious:	true
Reputation:	low
Preview:	DS..+..H

C:\Users\user\AppData\Roaming\PUalpOJIfJW.exe Download File
Process:	C:\Users\user\Desktop\checklist pdf.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	574464
Entropy (8bit):	7.516903184797801
Encrypted:	false
SSDEEP:	12288:3rrzEvkQwHE8Xk4ERhrRarQPY4Rt8LFNo:nY89k8LEfdarQP58
MD5:	33FB3C28DF0F678C7C6EF72E7E748CB1
SHA1:	AB7FBFDAF59BF4D6C79BB7ACF2B59DAD316675F9
SHA-256:	5295F63F8452D5AC0FC3577CB720949DB21EFE807059E0A74CADD4D9BBBC941F
SHA-512:	23950E6FCDAA53C881C6B140A48B1A78741798E12FED6CFF87502059097B34CE808B93A9C4FE6C2D34A2179A54ACB12AF7FBA4AC80F68A6FD646E783B4F25E2B
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 38%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......_..............0..~...D.......... ........@.. ....................... ............@.....................................O........A........................................................................... ............... ..H............text....}... ...~.................. ..`.rsrc....A.......B..................@..@.reloc..............................@..B.......................H.......H...............H...H}...........................................0..)........{.........(....t......\|......(...+...3.....0..)........{.........(....t......\|......(...+...3.....0..)........{.........(....t......\|......(...+...3.....0..)........{.........(....t......\|......(...+...3...s....}.....~....}.....(.......(......0.............(........(.......................0..4........r...p(.............s....}........{......(....}....:..{....(....&..0..................

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.516903184797801
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	checklist pdf.exe
File size:	574464
MD5:	33fb3c28df0f678c7c6ef72e7e748cb1
SHA1:	ab7fbfdaf59bf4d6c79bb7acf2b59dad316675f9
SHA256:	5295f63f8452d5ac0fc3577cb720949db21efe807059e0a74cadd4d9bbbc941f
SHA512:	23950e6fcdaa53c881c6b140a48b1a78741798e12fed6cff87502059097b34ce808b93a9c4fe6c2d34a2179a54acb12af7fba4ac80f68a6fd646e783b4f25e2b
SSDEEP:	12288:3rrzEvkQwHE8Xk4ERhrRarQPY4Rt8LFNo:nY89k8LEfdarQP58
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......_..............0..~...D........... ........@.. ....................... ............@................................

File Icon


Icon Hash:	f8c492aaaa92dcfe

Static PE Info

General
Entrypoint:	0x489ce2
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x5FBFA986 [Thu Nov 26 13:11:34 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:	v2.0.50727
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add al, 00h
adc byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
or byte ptr [eax], al
add dword ptr [eax], eax
add byte ptr [eax], al
add eax, 04000000h
add byte ptr [eax], al
add byte ptr [esi], al
add byte ptr [eax], al
add byte ptr [edx], al
add byte ptr [eax], al
add byte ptr [edx], cl
add byte ptr [eax], al
add byte ptr [eax], cl
add byte ptr [eax], al
add byte ptr [ecx], cl
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x89c90	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x8a000	0x41e8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x90000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x87d18	0x87e00	False	0.758976828427	data	7.54197829505	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0x8a000	0x41e8	0x4200	False	0.506569602273	data	5.46524750156	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x90000	0xc	0x200	False	0.044921875	data	0.101910425663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
RT_ICON	0x8a190	0x468	GLS_BINARY_LSB_FIRST
RT_ICON	0x8a5f8	0x10a8	dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 4275388049, next used block 4258479509
RT_ICON	0x8b6a0	0x25a8	dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 3771611807, next used block 3167566498
RT_GROUP_ICON	0x8dc48	0x30	data
RT_VERSION	0x8dc78	0x384	data
RT_MANIFEST	0x8dffc	0x1ea	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright 2018
Assembly Version	0.9.0.0
InternalName	z.exe
FileVersion	0.9.0.0
CompanyName
LegalTrademarks
Comments	A simple ticker to display various cryptocurrency prices
ProductName	SimpleTicker
ProductVersion	0.9.0.0
FileDescription	SimpleTicker
OriginalFilename	z.exe

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
11/27/20-15:25:11.690596	ICMP	402	ICMP Destination Unreachable Port Unreachable			192.168.2.5	8.8.8.8

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 27, 2020 15:24:58.405519009 CET	49704	4545	192.168.2.5	194.5.98.129
Nov 27, 2020 15:24:58.650526047 CET	4545	49704	194.5.98.129	192.168.2.5
Nov 27, 2020 15:24:59.198980093 CET	49704	4545	192.168.2.5	194.5.98.129
Nov 27, 2020 15:24:59.440412998 CET	4545	49704	194.5.98.129	192.168.2.5
Nov 27, 2020 15:24:59.949325085 CET	49704	4545	192.168.2.5	194.5.98.129
Nov 27, 2020 15:25:00.360718012 CET	4545	49704	194.5.98.129	192.168.2.5
Nov 27, 2020 15:25:04.523170948 CET	49707	4545	192.168.2.5	194.5.98.129
Nov 27, 2020 15:25:04.830581903 CET	4545	49707	194.5.98.129	192.168.2.5
Nov 27, 2020 15:25:05.340272903 CET	49707	4545	192.168.2.5	194.5.98.129
Nov 27, 2020 15:25:05.600172043 CET	4545	49707	194.5.98.129	192.168.2.5
Nov 27, 2020 15:25:06.105927944 CET	49707	4545	192.168.2.5	194.5.98.129
Nov 27, 2020 15:25:06.360011101 CET	4545	49707	194.5.98.129	192.168.2.5
Nov 27, 2020 15:25:11.691922903 CET	49715	4545	192.168.2.5	194.5.98.129
Nov 27, 2020 15:25:11.930038929 CET	4545	49715	194.5.98.129	192.168.2.5
Nov 27, 2020 15:25:12.434484959 CET	49715	4545	192.168.2.5	194.5.98.129
Nov 27, 2020 15:25:12.680125952 CET	4545	49715	194.5.98.129	192.168.2.5
Nov 27, 2020 15:25:13.184556961 CET	49715	4545	192.168.2.5	194.5.98.129
Nov 27, 2020 15:25:13.430128098 CET	4545	49715	194.5.98.129	192.168.2.5
Nov 27, 2020 15:25:17.513664007 CET	49721	4545	192.168.2.5	194.5.98.129
Nov 27, 2020 15:25:17.740284920 CET	4545	49721	194.5.98.129	192.168.2.5
Nov 27, 2020 15:25:18.247497082 CET	49721	4545	192.168.2.5	194.5.98.129
Nov 27, 2020 15:25:18.530086040 CET	4545	49721	194.5.98.129	192.168.2.5
Nov 27, 2020 15:25:19.044388056 CET	49721	4545	192.168.2.5	194.5.98.129
Nov 27, 2020 15:25:19.260154009 CET	4545	49721	194.5.98.129	192.168.2.5
Nov 27, 2020 15:25:23.338351965 CET	49724	4545	192.168.2.5	194.5.98.129
Nov 27, 2020 15:25:23.570322037 CET	4545	49724	194.5.98.129	192.168.2.5
Nov 27, 2020 15:25:24.076122046 CET	49724	4545	192.168.2.5	194.5.98.129
Nov 27, 2020 15:25:24.390094995 CET	4545	49724	194.5.98.129	192.168.2.5
Nov 27, 2020 15:25:24.904268026 CET	49724	4545	192.168.2.5	194.5.98.129
Nov 27, 2020 15:25:25.150145054 CET	4545	49724	194.5.98.129	192.168.2.5
Nov 27, 2020 15:25:29.242217064 CET	49726	4545	192.168.2.5	194.5.98.129
Nov 27, 2020 15:25:29.480413914 CET	4545	49726	194.5.98.129	192.168.2.5
Nov 27, 2020 15:25:29.982908964 CET	49726	4545	192.168.2.5	194.5.98.129
Nov 27, 2020 15:25:30.340281963 CET	4545	49726	194.5.98.129	192.168.2.5
Nov 27, 2020 15:25:30.842274904 CET	49726	4545	192.168.2.5	194.5.98.129
Nov 27, 2020 15:25:31.100343943 CET	4545	49726	194.5.98.129	192.168.2.5
Nov 27, 2020 15:25:35.466732025 CET	49728	4545	192.168.2.5	194.5.98.129
Nov 27, 2020 15:25:35.680409908 CET	4545	49728	194.5.98.129	192.168.2.5
Nov 27, 2020 15:25:36.186460972 CET	49728	4545	192.168.2.5	194.5.98.129
Nov 27, 2020 15:25:36.480526924 CET	4545	49728	194.5.98.129	192.168.2.5
Nov 27, 2020 15:25:37.014648914 CET	49728	4545	192.168.2.5	194.5.98.129
Nov 27, 2020 15:25:37.450448036 CET	4545	49728	194.5.98.129	192.168.2.5
Nov 27, 2020 15:25:41.634223938 CET	49732	4545	192.168.2.5	194.5.98.129
Nov 27, 2020 15:25:41.970936060 CET	4545	49732	194.5.98.129	192.168.2.5
Nov 27, 2020 15:25:42.483820915 CET	49732	4545	192.168.2.5	194.5.98.129
Nov 27, 2020 15:25:42.861203909 CET	4545	49732	194.5.98.129	192.168.2.5
Nov 27, 2020 15:25:43.374552011 CET	49732	4545	192.168.2.5	194.5.98.129
Nov 27, 2020 15:25:43.630310059 CET	4545	49732	194.5.98.129	192.168.2.5
Nov 27, 2020 15:25:47.873739958 CET	49739	4545	192.168.2.5	194.5.98.129
Nov 27, 2020 15:25:48.110625982 CET	4545	49739	194.5.98.129	192.168.2.5
Nov 27, 2020 15:25:48.624947071 CET	49739	4545	192.168.2.5	194.5.98.129
Nov 27, 2020 15:25:48.910851955 CET	4545	49739	194.5.98.129	192.168.2.5
Nov 27, 2020 15:25:49.421907902 CET	49739	4545	192.168.2.5	194.5.98.129
Nov 27, 2020 15:25:49.640892029 CET	4545	49739	194.5.98.129	192.168.2.5
Nov 27, 2020 15:25:53.760840893 CET	49740	4545	192.168.2.5	194.5.98.129
Nov 27, 2020 15:25:54.130446911 CET	4545	49740	194.5.98.129	192.168.2.5
Nov 27, 2020 15:25:54.641273022 CET	49740	4545	192.168.2.5	194.5.98.129
Nov 27, 2020 15:25:54.910104036 CET	4545	49740	194.5.98.129	192.168.2.5
Nov 27, 2020 15:25:55.413660049 CET	49740	4545	192.168.2.5	194.5.98.129
Nov 27, 2020 15:25:55.850143909 CET	4545	49740	194.5.98.129	192.168.2.5
Nov 27, 2020 15:25:59.935532093 CET	49741	4545	192.168.2.5	194.5.98.129
Nov 27, 2020 15:26:00.180088997 CET	4545	49741	194.5.98.129	192.168.2.5
Nov 27, 2020 15:26:00.688467979 CET	49741	4545	192.168.2.5	194.5.98.129
Nov 27, 2020 15:26:00.929894924 CET	4545	49741	194.5.98.129	192.168.2.5
Nov 27, 2020 15:26:01.438709021 CET	49741	4545	192.168.2.5	194.5.98.129
Nov 27, 2020 15:26:01.680001020 CET	4545	49741	194.5.98.129	192.168.2.5
Nov 27, 2020 15:26:05.762311935 CET	49742	4545	192.168.2.5	194.5.98.129
Nov 27, 2020 15:26:06.040018082 CET	4545	49742	194.5.98.129	192.168.2.5
Nov 27, 2020 15:26:06.548357964 CET	49742	4545	192.168.2.5	194.5.98.129
Nov 27, 2020 15:26:06.820146084 CET	4545	49742	194.5.98.129	192.168.2.5
Nov 27, 2020 15:26:07.329704046 CET	49742	4545	192.168.2.5	194.5.98.129
Nov 27, 2020 15:26:07.550179958 CET	4545	49742	194.5.98.129	192.168.2.5
Nov 27, 2020 15:26:11.683203936 CET	49743	4545	192.168.2.5	194.5.98.129
Nov 27, 2020 15:26:11.940596104 CET	4545	49743	194.5.98.129	192.168.2.5
Nov 27, 2020 15:26:12.455055952 CET	49743	4545	192.168.2.5	194.5.98.129
Nov 27, 2020 15:26:12.710442066 CET	4545	49743	194.5.98.129	192.168.2.5
Nov 27, 2020 15:26:13.220777035 CET	49743	4545	192.168.2.5	194.5.98.129
Nov 27, 2020 15:26:13.450519085 CET	4545	49743	194.5.98.129	192.168.2.5
Nov 27, 2020 15:26:17.524827003 CET	49745	4545	192.168.2.5	194.5.98.129
Nov 27, 2020 15:26:17.770490885 CET	4545	49745	194.5.98.129	192.168.2.5
Nov 27, 2020 15:26:18.283685923 CET	49745	4545	192.168.2.5	194.5.98.129
Nov 27, 2020 15:26:18.510463953 CET	4545	49745	194.5.98.129	192.168.2.5
Nov 27, 2020 15:26:19.018301964 CET	49745	4545	192.168.2.5	194.5.98.129
Nov 27, 2020 15:26:19.270576954 CET	4545	49745	194.5.98.129	192.168.2.5
Nov 27, 2020 15:26:23.548501015 CET	49746	4545	192.168.2.5	194.5.98.129
Nov 27, 2020 15:26:23.780339003 CET	4545	49746	194.5.98.129	192.168.2.5
Nov 27, 2020 15:26:24.284320116 CET	49746	4545	192.168.2.5	194.5.98.129
Nov 27, 2020 15:26:24.530333042 CET	4545	49746	194.5.98.129	192.168.2.5
Nov 27, 2020 15:26:25.034338951 CET	49746	4545	192.168.2.5	194.5.98.129
Nov 27, 2020 15:26:25.290507078 CET	4545	49746	194.5.98.129	192.168.2.5
Nov 27, 2020 15:26:29.365698099 CET	49747	4545	192.168.2.5	194.5.98.129
Nov 27, 2020 15:26:29.640475035 CET	4545	49747	194.5.98.129	192.168.2.5
Nov 27, 2020 15:26:30.144191027 CET	49747	4545	192.168.2.5	194.5.98.129
Nov 27, 2020 15:26:30.390332937 CET	4545	49747	194.5.98.129	192.168.2.5
Nov 27, 2020 15:26:30.909728050 CET	49747	4545	192.168.2.5	194.5.98.129
Nov 27, 2020 15:26:31.150455952 CET	4545	49747	194.5.98.129	192.168.2.5
Nov 27, 2020 15:26:35.243457079 CET	49748	4545	192.168.2.5	194.5.98.129
Nov 27, 2020 15:26:35.470355034 CET	4545	49748	194.5.98.129	192.168.2.5
Nov 27, 2020 15:26:35.972807884 CET	49748	4545	192.168.2.5	194.5.98.129
Nov 27, 2020 15:26:36.260142088 CET	4545	49748	194.5.98.129	192.168.2.5
Nov 27, 2020 15:26:36.769759893 CET	49748	4545	192.168.2.5	194.5.98.129
Nov 27, 2020 15:26:37.190440893 CET	4545	49748	194.5.98.129	192.168.2.5
Nov 27, 2020 15:26:41.422184944 CET	49749	4545	192.168.2.5	194.5.98.129
Nov 27, 2020 15:26:41.670593023 CET	4545	49749	194.5.98.129	192.168.2.5
Nov 27, 2020 15:26:42.176417112 CET	49749	4545	192.168.2.5	194.5.98.129
Nov 27, 2020 15:26:42.430207968 CET	4545	49749	194.5.98.129	192.168.2.5
Nov 27, 2020 15:26:42.942023039 CET	49749	4545	192.168.2.5	194.5.98.129
Nov 27, 2020 15:26:43.160356045 CET	4545	49749	194.5.98.129	192.168.2.5
Nov 27, 2020 15:26:47.249519110 CET	49750	4545	192.168.2.5	194.5.98.129
Nov 27, 2020 15:26:47.470216990 CET	4545	49750	194.5.98.129	192.168.2.5
Nov 27, 2020 15:26:47.973812103 CET	49750	4545	192.168.2.5	194.5.98.129
Nov 27, 2020 15:26:48.229996920 CET	4545	49750	194.5.98.129	192.168.2.5
Nov 27, 2020 15:26:48.739331007 CET	49750	4545	192.168.2.5	194.5.98.129
Nov 27, 2020 15:26:48.980163097 CET	4545	49750	194.5.98.129	192.168.2.5
Nov 27, 2020 15:26:53.062342882 CET	49751	4545	192.168.2.5	194.5.98.129
Nov 27, 2020 15:26:53.310205936 CET	4545	49751	194.5.98.129	192.168.2.5
Nov 27, 2020 15:26:53.818008900 CET	49751	4545	192.168.2.5	194.5.98.129
Nov 27, 2020 15:26:54.110174894 CET	4545	49751	194.5.98.129	192.168.2.5
Nov 27, 2020 15:26:54.614861012 CET	49751	4545	192.168.2.5	194.5.98.129
Nov 27, 2020 15:26:54.900361061 CET	4545	49751	194.5.98.129	192.168.2.5
Nov 27, 2020 15:26:58.955333948 CET	49752	4545	192.168.2.5	194.5.98.129
Nov 27, 2020 15:26:59.200128078 CET	4545	49752	194.5.98.129	192.168.2.5
Nov 27, 2020 15:26:59.710091114 CET	49752	4545	192.168.2.5	194.5.98.129
Nov 27, 2020 15:26:59.950226068 CET	4545	49752	194.5.98.129	192.168.2.5
Nov 27, 2020 15:27:00.459059954 CET	49752	4545	192.168.2.5	194.5.98.129
Nov 27, 2020 15:27:00.740083933 CET	4545	49752	194.5.98.129	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 27, 2020 15:24:58.357662916 CET	61733	53	192.168.2.5	8.8.8.8
Nov 27, 2020 15:24:58.395020962 CET	53	61733	8.8.8.8	192.168.2.5
Nov 27, 2020 15:25:04.484256983 CET	65447	53	192.168.2.5	8.8.8.8
Nov 27, 2020 15:25:04.521737099 CET	53	65447	8.8.8.8	192.168.2.5
Nov 27, 2020 15:25:04.652782917 CET	52441	53	192.168.2.5	8.8.8.8
Nov 27, 2020 15:25:04.689975977 CET	53	52441	8.8.8.8	192.168.2.5
Nov 27, 2020 15:25:07.007154942 CET	62176	53	192.168.2.5	8.8.8.8
Nov 27, 2020 15:25:07.034149885 CET	53	62176	8.8.8.8	192.168.2.5
Nov 27, 2020 15:25:07.683125973 CET	59596	53	192.168.2.5	8.8.8.8
Nov 27, 2020 15:25:07.710150957 CET	53	59596	8.8.8.8	192.168.2.5
Nov 27, 2020 15:25:08.400015116 CET	65296	53	192.168.2.5	8.8.8.8
Nov 27, 2020 15:25:08.427098989 CET	53	65296	8.8.8.8	192.168.2.5
Nov 27, 2020 15:25:09.183744907 CET	63183	53	192.168.2.5	8.8.8.8
Nov 27, 2020 15:25:09.210896969 CET	53	63183	8.8.8.8	192.168.2.5
Nov 27, 2020 15:25:09.435415030 CET	60151	53	192.168.2.5	8.8.8.8
Nov 27, 2020 15:25:09.462397099 CET	53	60151	8.8.8.8	192.168.2.5
Nov 27, 2020 15:25:10.421276093 CET	56969	53	192.168.2.5	8.8.8.8
Nov 27, 2020 15:25:11.434983015 CET	56969	53	192.168.2.5	8.8.8.8
Nov 27, 2020 15:25:11.690089941 CET	53	56969	8.8.8.8	192.168.2.5
Nov 27, 2020 15:25:11.690448046 CET	53	56969	8.8.8.8	192.168.2.5
Nov 27, 2020 15:25:13.532213926 CET	55161	53	192.168.2.5	8.8.8.8
Nov 27, 2020 15:25:13.559271097 CET	53	55161	8.8.8.8	192.168.2.5
Nov 27, 2020 15:25:14.374159098 CET	54757	53	192.168.2.5	8.8.8.8
Nov 27, 2020 15:25:14.409761906 CET	53	54757	8.8.8.8	192.168.2.5
Nov 27, 2020 15:25:15.570341110 CET	49992	53	192.168.2.5	8.8.8.8
Nov 27, 2020 15:25:15.605603933 CET	53	49992	8.8.8.8	192.168.2.5
Nov 27, 2020 15:25:16.248915911 CET	60075	53	192.168.2.5	8.8.8.8
Nov 27, 2020 15:25:16.284332991 CET	53	60075	8.8.8.8	192.168.2.5
Nov 27, 2020 15:25:16.923398972 CET	55016	53	192.168.2.5	8.8.8.8
Nov 27, 2020 15:25:16.950576067 CET	53	55016	8.8.8.8	192.168.2.5
Nov 27, 2020 15:25:17.476521969 CET	64345	53	192.168.2.5	8.8.8.8
Nov 27, 2020 15:25:17.512070894 CET	53	64345	8.8.8.8	192.168.2.5
Nov 27, 2020 15:25:18.021945953 CET	57128	53	192.168.2.5	8.8.8.8
Nov 27, 2020 15:25:18.049098015 CET	53	57128	8.8.8.8	192.168.2.5
Nov 27, 2020 15:25:18.697639942 CET	54791	53	192.168.2.5	8.8.8.8
Nov 27, 2020 15:25:18.724796057 CET	53	54791	8.8.8.8	192.168.2.5
Nov 27, 2020 15:25:23.300571918 CET	50463	53	192.168.2.5	8.8.8.8
Nov 27, 2020 15:25:23.335999966 CET	53	50463	8.8.8.8	192.168.2.5
Nov 27, 2020 15:25:28.457411051 CET	50394	53	192.168.2.5	8.8.8.8
Nov 27, 2020 15:25:28.495412111 CET	53	50394	8.8.8.8	192.168.2.5
Nov 27, 2020 15:25:29.204447031 CET	58530	53	192.168.2.5	8.8.8.8
Nov 27, 2020 15:25:29.239996910 CET	53	58530	8.8.8.8	192.168.2.5
Nov 27, 2020 15:25:34.645425081 CET	53813	53	192.168.2.5	8.8.8.8
Nov 27, 2020 15:25:34.672533989 CET	53	53813	8.8.8.8	192.168.2.5
Nov 27, 2020 15:25:35.410989046 CET	63732	53	192.168.2.5	8.8.8.8
Nov 27, 2020 15:25:35.446361065 CET	53	63732	8.8.8.8	192.168.2.5
Nov 27, 2020 15:25:35.597779989 CET	57344	53	192.168.2.5	8.8.8.8
Nov 27, 2020 15:25:35.635382891 CET	53	57344	8.8.8.8	192.168.2.5
Nov 27, 2020 15:25:39.218868971 CET	54450	53	192.168.2.5	8.8.8.8
Nov 27, 2020 15:25:39.245986938 CET	53	54450	8.8.8.8	192.168.2.5
Nov 27, 2020 15:25:41.597326040 CET	59261	53	192.168.2.5	8.8.8.8
Nov 27, 2020 15:25:41.633171082 CET	53	59261	8.8.8.8	192.168.2.5
Nov 27, 2020 15:25:42.022618055 CET	57151	53	192.168.2.5	8.8.8.8
Nov 27, 2020 15:25:42.058497906 CET	53	57151	8.8.8.8	192.168.2.5
Nov 27, 2020 15:25:44.055949926 CET	59413	53	192.168.2.5	8.8.8.8
Nov 27, 2020 15:25:44.098527908 CET	53	59413	8.8.8.8	192.168.2.5
Nov 27, 2020 15:25:47.834994078 CET	60516	53	192.168.2.5	8.8.8.8
Nov 27, 2020 15:25:47.870517969 CET	53	60516	8.8.8.8	192.168.2.5
Nov 27, 2020 15:25:53.724030972 CET	51649	53	192.168.2.5	8.8.8.8
Nov 27, 2020 15:25:53.759481907 CET	53	51649	8.8.8.8	192.168.2.5
Nov 27, 2020 15:25:59.898118019 CET	65086	53	192.168.2.5	8.8.8.8
Nov 27, 2020 15:25:59.933912992 CET	53	65086	8.8.8.8	192.168.2.5
Nov 27, 2020 15:26:05.723683119 CET	56432	53	192.168.2.5	8.8.8.8
Nov 27, 2020 15:26:05.760940075 CET	53	56432	8.8.8.8	192.168.2.5
Nov 27, 2020 15:26:11.645477057 CET	52929	53	192.168.2.5	8.8.8.8
Nov 27, 2020 15:26:11.680973053 CET	53	52929	8.8.8.8	192.168.2.5
Nov 27, 2020 15:26:13.623311996 CET	64317	53	192.168.2.5	8.8.8.8
Nov 27, 2020 15:26:13.650369883 CET	53	64317	8.8.8.8	192.168.2.5
Nov 27, 2020 15:26:17.485431910 CET	61004	53	192.168.2.5	8.8.8.8
Nov 27, 2020 15:26:17.523525953 CET	53	61004	8.8.8.8	192.168.2.5
Nov 27, 2020 15:26:23.511261940 CET	56895	53	192.168.2.5	8.8.8.8
Nov 27, 2020 15:26:23.547116995 CET	53	56895	8.8.8.8	192.168.2.5
Nov 27, 2020 15:26:29.328500032 CET	62372	53	192.168.2.5	8.8.8.8
Nov 27, 2020 15:26:29.364310980 CET	53	62372	8.8.8.8	192.168.2.5
Nov 27, 2020 15:26:35.203321934 CET	61515	53	192.168.2.5	8.8.8.8
Nov 27, 2020 15:26:35.240972042 CET	53	61515	8.8.8.8	192.168.2.5
Nov 27, 2020 15:26:41.366586924 CET	56675	53	192.168.2.5	8.8.8.8
Nov 27, 2020 15:26:41.402296066 CET	53	56675	8.8.8.8	192.168.2.5
Nov 27, 2020 15:26:47.209471941 CET	57172	53	192.168.2.5	8.8.8.8
Nov 27, 2020 15:26:47.247246981 CET	53	57172	8.8.8.8	192.168.2.5
Nov 27, 2020 15:26:53.024509907 CET	55267	53	192.168.2.5	8.8.8.8
Nov 27, 2020 15:26:53.060303926 CET	53	55267	8.8.8.8	192.168.2.5
Nov 27, 2020 15:26:58.915927887 CET	50969	53	192.168.2.5	8.8.8.8
Nov 27, 2020 15:26:58.951435089 CET	53	50969	8.8.8.8	192.168.2.5

ICMP Packets

Timestamp	Source IP	Dest IP	Checksum	Code	Type
Nov 27, 2020 15:25:11.690596104 CET	192.168.2.5	8.8.8.8	d006	(Port unreachable)	Destination Unreachable

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Nov 27, 2020 15:24:58.357662916 CET	192.168.2.5	8.8.8.8	0x9472	Standard query (0)	kingman1.ddns.net	A (IP address)	IN (0x0001)
Nov 27, 2020 15:25:04.484256983 CET	192.168.2.5	8.8.8.8	0x924b	Standard query (0)	kingman1.ddns.net	A (IP address)	IN (0x0001)
Nov 27, 2020 15:25:10.421276093 CET	192.168.2.5	8.8.8.8	0x7629	Standard query (0)	kingman1.ddns.net	A (IP address)	IN (0x0001)
Nov 27, 2020 15:25:11.434983015 CET	192.168.2.5	8.8.8.8	0x7629	Standard query (0)	kingman1.ddns.net	A (IP address)	IN (0x0001)
Nov 27, 2020 15:25:17.476521969 CET	192.168.2.5	8.8.8.8	0xdfc9	Standard query (0)	kingman1.ddns.net	A (IP address)	IN (0x0001)
Nov 27, 2020 15:25:23.300571918 CET	192.168.2.5	8.8.8.8	0x1b29	Standard query (0)	kingman1.ddns.net	A (IP address)	IN (0x0001)
Nov 27, 2020 15:25:29.204447031 CET	192.168.2.5	8.8.8.8	0xd8b3	Standard query (0)	kingman1.ddns.net	A (IP address)	IN (0x0001)
Nov 27, 2020 15:25:35.410989046 CET	192.168.2.5	8.8.8.8	0xd6fd	Standard query (0)	kingman1.ddns.net	A (IP address)	IN (0x0001)
Nov 27, 2020 15:25:41.597326040 CET	192.168.2.5	8.8.8.8	0xfdbf	Standard query (0)	kingman1.ddns.net	A (IP address)	IN (0x0001)
Nov 27, 2020 15:25:42.022618055 CET	192.168.2.5	8.8.8.8	0xb27d	Standard query (0)	g.msn.com	A (IP address)	IN (0x0001)
Nov 27, 2020 15:25:47.834994078 CET	192.168.2.5	8.8.8.8	0x24fb	Standard query (0)	kingman1.ddns.net	A (IP address)	IN (0x0001)
Nov 27, 2020 15:25:53.724030972 CET	192.168.2.5	8.8.8.8	0x7ee6	Standard query (0)	kingman1.ddns.net	A (IP address)	IN (0x0001)
Nov 27, 2020 15:25:59.898118019 CET	192.168.2.5	8.8.8.8	0xfb54	Standard query (0)	kingman1.ddns.net	A (IP address)	IN (0x0001)
Nov 27, 2020 15:26:05.723683119 CET	192.168.2.5	8.8.8.8	0x449d	Standard query (0)	kingman1.ddns.net	A (IP address)	IN (0x0001)
Nov 27, 2020 15:26:11.645477057 CET	192.168.2.5	8.8.8.8	0x50f4	Standard query (0)	kingman1.ddns.net	A (IP address)	IN (0x0001)
Nov 27, 2020 15:26:17.485431910 CET	192.168.2.5	8.8.8.8	0xe529	Standard query (0)	kingman1.ddns.net	A (IP address)	IN (0x0001)
Nov 27, 2020 15:26:23.511261940 CET	192.168.2.5	8.8.8.8	0x6157	Standard query (0)	kingman1.ddns.net	A (IP address)	IN (0x0001)
Nov 27, 2020 15:26:29.328500032 CET	192.168.2.5	8.8.8.8	0xd8e4	Standard query (0)	kingman1.ddns.net	A (IP address)	IN (0x0001)
Nov 27, 2020 15:26:35.203321934 CET	192.168.2.5	8.8.8.8	0x1267	Standard query (0)	kingman1.ddns.net	A (IP address)	IN (0x0001)
Nov 27, 2020 15:26:41.366586924 CET	192.168.2.5	8.8.8.8	0xcea5	Standard query (0)	kingman1.ddns.net	A (IP address)	IN (0x0001)
Nov 27, 2020 15:26:47.209471941 CET	192.168.2.5	8.8.8.8	0xcb42	Standard query (0)	kingman1.ddns.net	A (IP address)	IN (0x0001)
Nov 27, 2020 15:26:53.024509907 CET	192.168.2.5	8.8.8.8	0x728a	Standard query (0)	kingman1.ddns.net	A (IP address)	IN (0x0001)
Nov 27, 2020 15:26:58.915927887 CET	192.168.2.5	8.8.8.8	0x7233	Standard query (0)	kingman1.ddns.net	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Nov 27, 2020 15:24:58.395020962 CET	8.8.8.8	192.168.2.5	0x9472	No error (0)	kingman1.ddns.net		194.5.98.129	A (IP address)	IN (0x0001)
Nov 27, 2020 15:25:04.521737099 CET	8.8.8.8	192.168.2.5	0x924b	No error (0)	kingman1.ddns.net		194.5.98.129	A (IP address)	IN (0x0001)
Nov 27, 2020 15:25:11.690089941 CET	8.8.8.8	192.168.2.5	0x7629	No error (0)	kingman1.ddns.net		194.5.98.129	A (IP address)	IN (0x0001)
Nov 27, 2020 15:25:11.690448046 CET	8.8.8.8	192.168.2.5	0x7629	No error (0)	kingman1.ddns.net		194.5.98.129	A (IP address)	IN (0x0001)
Nov 27, 2020 15:25:17.512070894 CET	8.8.8.8	192.168.2.5	0xdfc9	No error (0)	kingman1.ddns.net		194.5.98.129	A (IP address)	IN (0x0001)
Nov 27, 2020 15:25:23.335999966 CET	8.8.8.8	192.168.2.5	0x1b29	No error (0)	kingman1.ddns.net		194.5.98.129	A (IP address)	IN (0x0001)
Nov 27, 2020 15:25:29.239996910 CET	8.8.8.8	192.168.2.5	0xd8b3	No error (0)	kingman1.ddns.net		194.5.98.129	A (IP address)	IN (0x0001)
Nov 27, 2020 15:25:35.446361065 CET	8.8.8.8	192.168.2.5	0xd6fd	No error (0)	kingman1.ddns.net		194.5.98.129	A (IP address)	IN (0x0001)
Nov 27, 2020 15:25:41.633171082 CET	8.8.8.8	192.168.2.5	0xfdbf	No error (0)	kingman1.ddns.net		194.5.98.129	A (IP address)	IN (0x0001)
Nov 27, 2020 15:25:42.058497906 CET	8.8.8.8	192.168.2.5	0xb27d	No error (0)	g.msn.com	g-msn-com-nsatc.trafficmanager.net		CNAME (Canonical name)	IN (0x0001)
Nov 27, 2020 15:25:47.870517969 CET	8.8.8.8	192.168.2.5	0x24fb	No error (0)	kingman1.ddns.net		194.5.98.129	A (IP address)	IN (0x0001)
Nov 27, 2020 15:25:53.759481907 CET	8.8.8.8	192.168.2.5	0x7ee6	No error (0)	kingman1.ddns.net		194.5.98.129	A (IP address)	IN (0x0001)
Nov 27, 2020 15:25:59.933912992 CET	8.8.8.8	192.168.2.5	0xfb54	No error (0)	kingman1.ddns.net		194.5.98.129	A (IP address)	IN (0x0001)
Nov 27, 2020 15:26:05.760940075 CET	8.8.8.8	192.168.2.5	0x449d	No error (0)	kingman1.ddns.net		194.5.98.129	A (IP address)	IN (0x0001)
Nov 27, 2020 15:26:11.680973053 CET	8.8.8.8	192.168.2.5	0x50f4	No error (0)	kingman1.ddns.net		194.5.98.129	A (IP address)	IN (0x0001)
Nov 27, 2020 15:26:17.523525953 CET	8.8.8.8	192.168.2.5	0xe529	No error (0)	kingman1.ddns.net		194.5.98.129	A (IP address)	IN (0x0001)
Nov 27, 2020 15:26:23.547116995 CET	8.8.8.8	192.168.2.5	0x6157	No error (0)	kingman1.ddns.net		194.5.98.129	A (IP address)	IN (0x0001)
Nov 27, 2020 15:26:29.364310980 CET	8.8.8.8	192.168.2.5	0xd8e4	No error (0)	kingman1.ddns.net		194.5.98.129	A (IP address)	IN (0x0001)
Nov 27, 2020 15:26:35.240972042 CET	8.8.8.8	192.168.2.5	0x1267	No error (0)	kingman1.ddns.net		194.5.98.129	A (IP address)	IN (0x0001)
Nov 27, 2020 15:26:41.402296066 CET	8.8.8.8	192.168.2.5	0xcea5	No error (0)	kingman1.ddns.net		194.5.98.129	A (IP address)	IN (0x0001)
Nov 27, 2020 15:26:47.247246981 CET	8.8.8.8	192.168.2.5	0xcb42	No error (0)	kingman1.ddns.net		194.5.98.129	A (IP address)	IN (0x0001)
Nov 27, 2020 15:26:53.060303926 CET	8.8.8.8	192.168.2.5	0x728a	No error (0)	kingman1.ddns.net		194.5.98.129	A (IP address)	IN (0x0001)
Nov 27, 2020 15:26:58.951435089 CET	8.8.8.8	192.168.2.5	0x7233	No error (0)	kingman1.ddns.net		194.5.98.129	A (IP address)	IN (0x0001)

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: checklist pdf.exe PID: 4728 Parent PID: 5612

General

Start time:	15:24:50
Start date:	27/11/2020
Path:	C:\Users\user\Desktop\checklist pdf.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\checklist pdf.exe'
Imagebase:	0x2f0000
File size:	574464 bytes
MD5 hash:	33FB3C28DF0F678C7C6EF72E7E748CB1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.249652144.00000000039C9000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.249652144.00000000039C9000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000000.00000002.249652144.00000000039C9000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.250632075.0000000003BB3000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.250632075.0000000003BB3000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000000.00000002.250632075.0000000003BB3000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.248350217.0000000002A3E000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: schtasks.exe PID: 6100 Parent PID: 4728

General

Start time:	15:24:54
Start date:	27/11/2020
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\PUalpOJIfJW' /XML 'C:\Users\user\AppData\Local\Temp\tmpECD4.tmp'
Imagebase:	0xf50000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 6132 Parent PID: 6100

General

Start time:	15:24:55
Start date:	27/11/2020
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7ecfc0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: checklist pdf.exe PID: 4648 Parent PID: 4728

General

Start time:	15:24:55
Start date:	27/11/2020
Path:	C:\Users\user\Desktop\checklist pdf.exe
Wow64 process (32bit):	true
Commandline:	{path}
Imagebase:	0xa00000
File size:	574464 bytes
MD5 hash:	33FB3C28DF0F678C7C6EF72E7E748CB1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000002.501688763.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000003.00000002.501688763.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000003.00000002.501688763.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000002.509908735.0000000005440000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000003.00000002.509908735.0000000005440000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000003.00000002.508000940.0000000004267000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000003.00000002.508000940.0000000004267000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000002.510380996.00000000059B0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000003.00000002.510380996.00000000059B0000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000003.00000002.510380996.00000000059B0000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: checklist pdf.exe PID: 4728 Parent PID: 5612 checklist pdf.exeCOMMON

Executed Functions

Function 04B4B3AC, Relevance: 7.0, Strings: 5, Instructions: 797COMMON

Download Yara Rule

Strings

(, xrefs: 04B4BDAC
X1(r, xrefs: 04B4B552
R, xrefs: 04B4BB75
R, xrefs: 04B4B950
L, xrefs: 04B4B4EF

Memory Dump Source

Source File: 00000000.00000002.251036538.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: false

Similarity

API ID:
String ID: ($L$R$R$X1(r
API String ID: 0-2575727841
Opcode ID: 4f435e5ef2f13ce686d79e90604bb87248b7a88578bdf6af0c320fc3193af404
Instruction ID: 6b5476844a0162bc1eacc60441a2b40b2d43a87e5b30b87e6cd85a0d3f749a2d
Opcode Fuzzy Hash: 4f435e5ef2f13ce686d79e90604bb87248b7a88578bdf6af0c320fc3193af404
Instruction Fuzzy Hash: F472D370D49229CFDB64DF68C894BEDB7B1AB89300F1081E9811DA7291DB34AEC5EF15

Uniqueness

Uniqueness Score: -1.00%

Function 04B49CC1, Relevance: 2.9, Strings: 2, Instructions: 363COMMON

Download Yara Rule

Strings

], xrefs: 04B49D85
_, xrefs: 04B49FBC

Memory Dump Source

Source File: 00000000.00000002.251036538.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: false

Similarity

API ID:
String ID: ]$_
API String ID: 0-2434386226
Opcode ID: 55414713b722a443fb47c90c16e84d11c43514109df0014b053b0fb4e2a2894d
Instruction ID: 601627ea1c524af46bff6e87223f0b3738b0fc3b2c49474703a91536d8eacede
Opcode Fuzzy Hash: 55414713b722a443fb47c90c16e84d11c43514109df0014b053b0fb4e2a2894d
Instruction Fuzzy Hash: 67E15AB0D4A218CFDB24CF74D4447AEBBB1FB8A305F1061EAC019A3295E7746A84EF15

Uniqueness

Uniqueness Score: -1.00%

Function 04B49CF8, Relevance: 2.8, Strings: 2, Instructions: 322COMMON

Download Yara Rule

Strings

], xrefs: 04B49D85
_, xrefs: 04B49FBC

Memory Dump Source

Source File: 00000000.00000002.251036538.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: false

Similarity

API ID:
String ID: ]$_
API String ID: 0-2434386226
Opcode ID: bfefdffd6e6ab49937d4338597ab3b54e68d2e14d11fa406bfd7a49399bcd1ef
Instruction ID: c9fe7549c10fa0e302732f289f7305f6eb529842dec5528b6ed6fe84f534ade2
Opcode Fuzzy Hash: bfefdffd6e6ab49937d4338597ab3b54e68d2e14d11fa406bfd7a49399bcd1ef
Instruction Fuzzy Hash: 29C14AB0D45218CFDB28DF78D4447AEBBB2FB8A305F10A1E9D019A3294D7346A84EF15

Uniqueness

Uniqueness Score: -1.00%

Function 04B49D1C, Relevance: 2.8, Strings: 2, Instructions: 312COMMON

Download Yara Rule

Strings

], xrefs: 04B49D85
_, xrefs: 04B49FBC

Memory Dump Source

Source File: 00000000.00000002.251036538.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: false

Similarity

API ID:
String ID: ]$_
API String ID: 0-2434386226
Opcode ID: 6741b829420abc170afb56c0cb3538a0add43211c803b3f736ca380e6c49361b
Instruction ID: f7b4744b98669974c574dd5ec13f7e4568825fa70aea4ae6aae54209f8dba9cd
Opcode Fuzzy Hash: 6741b829420abc170afb56c0cb3538a0add43211c803b3f736ca380e6c49361b
Instruction Fuzzy Hash: CAC15CB0D45218CFDB28DF74D8447AEBBB2FB8A305F10A1E9D019A3295D7346A84EF15

Uniqueness

Uniqueness Score: -1.00%

Function 04B427E4, Relevance: 1.7, Strings: 1, Instructions: 445COMMON

Download Yara Rule

Strings

$g%r, xrefs: 04B42807

Memory Dump Source

Source File: 00000000.00000002.251036538.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: false

Similarity

API ID:
String ID: $g%r
API String ID: 0-359987751
Opcode ID: 83aa93ab66c96032cdf5ee650e1724224080820cd1f625c215eab2b5c6cde52b
Instruction ID: 6e90a48df84c71e157a3dcf519c1d69e889229c4e996563d8d84693e07f2200f
Opcode Fuzzy Hash: 83aa93ab66c96032cdf5ee650e1724224080820cd1f625c215eab2b5c6cde52b
Instruction Fuzzy Hash: 7122C374A45218CFDB68CF64C844BEDBBB1BF89344F1080E9E509A72A1DB716E85EF50

Uniqueness

Uniqueness Score: -1.00%

Function 066A1883, Relevance: 1.6, APIs: 1, Instructions: 75COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 066A1903

Memory Dump Source

Source File: 00000000.00000002.253490501.00000000066A0000.00000040.00000001.sdmp, Offset: 066A0000, based on PE: false

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: 92191e0e4431bcf05bf748307d543dcbc346e0b26e5df87bad2e3dd3a5e650a8
Instruction ID: 159fb019af325e82dad770999549445e6604f3c155c22945c9e02290ccda96ff
Opcode Fuzzy Hash: 92191e0e4431bcf05bf748307d543dcbc346e0b26e5df87bad2e3dd3a5e650a8
Instruction Fuzzy Hash: 4D219176509784AFEB128F25DC40B52BFB4EF07310F0885EAE9858F263D2749908CB61

Uniqueness

Uniqueness Score: -1.00%

Function 066A1A05, Relevance: 1.6, APIs: 1, Instructions: 57nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL(?,?,?,?), ref: 066A1A71

Memory Dump Source

Source File: 00000000.00000002.253490501.00000000066A0000.00000040.00000001.sdmp, Offset: 066A0000, based on PE: false

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: 52901cadeaf24773e939e623bc65258fd2a21b7576a2e34d4baa0b71a41c4d88
Instruction ID: 82ac74470a786e556b4e66b9dffc36515b1f38881b14ef5fd278a1f0323377bd
Opcode Fuzzy Hash: 52901cadeaf24773e939e623bc65258fd2a21b7576a2e34d4baa0b71a41c4d88
Instruction Fuzzy Hash: C1118E724097809FDB228B24DC45A52FFB4EF06314F0984DAE9848F263D265A948CB62

Uniqueness

Uniqueness Score: -1.00%

Function 066A18BA, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 066A1903

Memory Dump Source

Source File: 00000000.00000002.253490501.00000000066A0000.00000040.00000001.sdmp, Offset: 066A0000, based on PE: false

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: 32bfae75e7a7a29142c9283937dd8429ad594555c203e618530a2e0b1bd75b50
Instruction ID: 0117a3bbe32385fdb065041bd5611bf15cffedd8f1719505a00f536b06dc7e5c
Opcode Fuzzy Hash: 32bfae75e7a7a29142c9283937dd8429ad594555c203e618530a2e0b1bd75b50
Instruction Fuzzy Hash: 601170769003049FEB60CF55D944B56FBE8EF05320F08C4AAED598B652D375E858CF61

Uniqueness

Uniqueness Score: -1.00%

Function 066A1A36, Relevance: 1.5, APIs: 1, Instructions: 38nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL(?,?,?,?), ref: 066A1A71

Memory Dump Source

Source File: 00000000.00000002.253490501.00000000066A0000.00000040.00000001.sdmp, Offset: 066A0000, based on PE: false

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: e01410cf6df5b108e32c1e61471bafcc1cc95a4ddda8f584db6d250f55b8fbac
Instruction ID: 8ee8e3669102d469337d8713892eb1eba0fe69905018d370ead95cc68889fa72
Opcode Fuzzy Hash: e01410cf6df5b108e32c1e61471bafcc1cc95a4ddda8f584db6d250f55b8fbac
Instruction Fuzzy Hash: C401A2369107449FDB608F15D944B25FFE0EF49320F08C49ADE594B252D275A458CFB2

Uniqueness

Uniqueness Score: -1.00%

Function 04B4A1C7, Relevance: 1.5, Strings: 1, Instructions: 250COMMON

Download Yara Rule

Strings

_, xrefs: 04B49FBC

Memory Dump Source

Source File: 00000000.00000002.251036538.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: false

Similarity

API ID:
String ID: _
API String ID: 0-701932520
Opcode ID: 2be87e737019772430f2d03a818ba11dcbd9bddcb2033a52e7df6ef29a767353
Instruction ID: de498a0f6fd855bdd7e2d7196a49a1fd41b5d5f79aef0c3cbc0118be999ccdf7
Opcode Fuzzy Hash: 2be87e737019772430f2d03a818ba11dcbd9bddcb2033a52e7df6ef29a767353
Instruction Fuzzy Hash: 17A15CB4D45218CFDF24DF65D4447EEB7B2FB8A305F10A5A9C409A3284D7346A84EF15

Uniqueness

Uniqueness Score: -1.00%

Function 04B44B30, Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.251036538.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38dceec23c87d9b554f309aea597d335666686b09e4c45b7a56e916bb2a3b280
Instruction ID: ffc08b99fa84dd63c067aea45d243c29df986c0f064ca47a6f8b05d04dcc1245
Opcode Fuzzy Hash: 38dceec23c87d9b554f309aea597d335666686b09e4c45b7a56e916bb2a3b280
Instruction Fuzzy Hash: 2BB1E3B4E04209DFDB04CF99C580BEDBBB6FF89304F249169D819BB205D770A959EB50

Uniqueness

Uniqueness Score: -1.00%

Function 04B414B0, Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.251036538.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d356addbd719603d57960431da6b0850f6b455371f6185f317a609a82c42d4e6
Instruction ID: 059afe06cca5c4f56d1c1c2910e29a4b6461ab2066a63234ce3a2e053b65908e
Opcode Fuzzy Hash: d356addbd719603d57960431da6b0850f6b455371f6185f317a609a82c42d4e6
Instruction Fuzzy Hash: 9971D3B4E04218CFDB04DFA9C4886EEBBF2FF89304F1485A5D405A7255D734A981DF54

Uniqueness

Uniqueness Score: -1.00%

Function 04B41A18, Relevance: 3.8, Strings: 3, Instructions: 50COMMON

Download Yara Rule

Strings

X6, xrefs: 04B41A80
8, xrefs: 04B41B1B
6, xrefs: 04B41B14

Memory Dump Source

Source File: 00000000.00000002.251036538.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: false

Similarity

API ID:
String ID: X6$6$8
API String ID: 0-570212351
Opcode ID: 4da87288313addd83854b7fe95f3a6a8876fd14ad65a3b780e7bb0e65ec3c554
Instruction ID: c8ec9e7916aa110b4b6277c97a5f8fc1cd73527fae559723e3042ea8242f895d
Opcode Fuzzy Hash: 4da87288313addd83854b7fe95f3a6a8876fd14ad65a3b780e7bb0e65ec3c554
Instruction Fuzzy Hash: EE018870E0920CEBDB04CFA9C4046EDBBF6EF85344F14D195C42567255E3345686EB61

Uniqueness

Uniqueness Score: -1.00%

Function 04B41A28, Relevance: 3.8, Strings: 3, Instructions: 42COMMON

Download Yara Rule

Strings

X6, xrefs: 04B41A80
8, xrefs: 04B41B1B
6, xrefs: 04B41B14

Memory Dump Source

Source File: 00000000.00000002.251036538.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: false

Similarity

API ID:
String ID: X6$6$8
API String ID: 0-570212351
Opcode ID: df0c97f5c53f9db436fd2b65ada7c26d4ce690af39d9d3d19f39fa09a080b6a5
Instruction ID: 1a6958dd2b0815c847985a9b8db3022c7971e5e7468f8183f855306082671a94
Opcode Fuzzy Hash: df0c97f5c53f9db436fd2b65ada7c26d4ce690af39d9d3d19f39fa09a080b6a5
Instruction Fuzzy Hash: AB014F70E0920CDBDB04DFA9C4086ADBBBAEF89740F14E1A5C42567294E7746686EF50

Uniqueness

Uniqueness Score: -1.00%

Function 04B4A566, Relevance: 2.7, Strings: 2, Instructions: 212COMMON

Download Yara Rule

Strings

S, xrefs: 04B4A502
M, xrefs: 04B4A4FB

Memory Dump Source

Source File: 00000000.00000002.251036538.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: false

Similarity

API ID:
String ID: M$S
API String ID: 0-2223580777
Opcode ID: 36aa514bf4633abdc8a1b0107c8bf78260c660521a52a5b712952e7c8de54118
Instruction ID: d3da625d2bb69e57e7e18e4de75a7a5f984e53f06393fab75bfd3d204cdb4065
Opcode Fuzzy Hash: 36aa514bf4633abdc8a1b0107c8bf78260c660521a52a5b712952e7c8de54118
Instruction Fuzzy Hash: 4181F874E89248DFDB04DFA8C5946EDBBB6FF8A304F205099D40A6B391D7346A46EF01

Uniqueness

Uniqueness Score: -1.00%

Function 04B4B119, Relevance: 2.6, Strings: 2, Instructions: 150COMMON

Download Yara Rule

Strings

P, xrefs: 04B4B092
N, xrefs: 04B4B099

Memory Dump Source

Source File: 00000000.00000002.251036538.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: false

Similarity

API ID:
String ID: N$P
API String ID: 0-533121418
Opcode ID: 46d8c3442a32a07aa1af208e97a17f5af84065963ef84e620482282a112446ad
Instruction ID: 196f81c2121f6e282a8cea23f730c67669c66727380a0246889e4b24d7caef9d
Opcode Fuzzy Hash: 46d8c3442a32a07aa1af208e97a17f5af84065963ef84e620482282a112446ad
Instruction Fuzzy Hash: AA5147B0E4E24CDBCF14CFA5D4846FDBBB8AB8A315F106495D22AA6245E374B844FF00

Uniqueness

Uniqueness Score: -1.00%

Function 066A1012, Relevance: 1.6, APIs: 1, Instructions: 116COMMON

Download Yara Rule

APIs

GetTempFileNameW.KERNELBASE(?,00000E2C,?,?), ref: 066A10F2

Memory Dump Source

Source File: 00000000.00000002.253490501.00000000066A0000.00000040.00000001.sdmp, Offset: 066A0000, based on PE: false

Similarity

API ID: FileNameTemp
String ID:
API String ID: 745986568-0
Opcode ID: 7e10d32634b47f8b75a8925c62f47e0db8b08ea59dd978d9c87bf26aa66ffa16
Instruction ID: 792e0800090d4dd18d9e979663ad8cac37aa5c8c93c7b729e4266ceac4a897d1
Opcode Fuzzy Hash: 7e10d32634b47f8b75a8925c62f47e0db8b08ea59dd978d9c87bf26aa66ffa16
Instruction Fuzzy Hash: E2415C7240E3C05FD7038B358C65AA1BFB4AF47720F0A84DBD8849F1A3D564691AC7B2

Uniqueness

Uniqueness Score: -1.00%

Function 066A1273, Relevance: 1.6, APIs: 1, Instructions: 102COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,00000E2C), ref: 066A1323

Memory Dump Source

Source File: 00000000.00000002.253490501.00000000066A0000.00000040.00000001.sdmp, Offset: 066A0000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 36eddd43ed585fb79457d75ce3b502b2d455c60ca184bcca7cf4b1c76aa630e2
Instruction ID: cb692780c6f7a833c33b1bdd583623bb3d0a45b745fc81373670e2e731afeddd
Opcode Fuzzy Hash: 36eddd43ed585fb79457d75ce3b502b2d455c60ca184bcca7cf4b1c76aa630e2
Instruction Fuzzy Hash: FC31A5715043446FEB128B65DC44F66BFACEF06310F0884AAE985CB152D624A909DB71

Uniqueness

Uniqueness Score: -1.00%

Function 066A0ABA, Relevance: 1.6, APIs: 1, Instructions: 94COMMON

Download Yara Rule

APIs

GetTokenInformation.KERNELBASE(?,00000E2C,98A16BF4,00000000,00000000,00000000,00000000), ref: 066A0B64

Memory Dump Source

Source File: 00000000.00000002.253490501.00000000066A0000.00000040.00000001.sdmp, Offset: 066A0000, based on PE: false

Similarity

API ID: InformationToken
String ID:
API String ID: 4114910276-0
Opcode ID: 9b5fa99c0e0cd1b522aa397c3051f183a42254a7130fb863a9ec436bc9461455
Instruction ID: 0561dfe56d7b8e5abc8b48a055e620b17d9336940b8df77e6e99b8480e1a31d6
Opcode Fuzzy Hash: 9b5fa99c0e0cd1b522aa397c3051f183a42254a7130fb863a9ec436bc9461455
Instruction Fuzzy Hash: 6131C7725093806FEB128F65DC45F96BFB8EF06314F08849BE984DB153D624A908DB71

Uniqueness

Uniqueness Score: -1.00%

Function 00A6B18E, Relevance: 1.6, APIs: 1, Instructions: 92registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,00000E2C), ref: 00A6B23D

Memory Dump Source

Source File: 00000000.00000002.247602264.0000000000A6A000.00000040.00000001.sdmp, Offset: 00A6A000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: d4d6e37a88026dfb0da41b045b57759c4ef7cd12690600d236ed5a7e2dcf7949
Instruction ID: 0f815ccad2b19cdc3200c83853403be3fcc4265b1a1fb6074838b3383dd7e22b
Opcode Fuzzy Hash: d4d6e37a88026dfb0da41b045b57759c4ef7cd12690600d236ed5a7e2dcf7949
Instruction Fuzzy Hash: DB31B6B2544384AFE7128B65CC45FA7BFFCEF05310F0884AAED81DB152D664A549C771

Uniqueness

Uniqueness Score: -1.00%

Function 066A0648, Relevance: 1.6, APIs: 1, Instructions: 90fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 066A06E9

Memory Dump Source

Source File: 00000000.00000002.253490501.00000000066A0000.00000040.00000001.sdmp, Offset: 066A0000, based on PE: false

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: e18e2a177f09a906e5178edd5398eb64bd3ee4bf54b139a183a7030cbb9af9db
Instruction ID: a220bc8a84c1a16934d953c16fade776fd57b78d2092d4f5bb749d9204e8bab3
Opcode Fuzzy Hash: e18e2a177f09a906e5178edd5398eb64bd3ee4bf54b139a183a7030cbb9af9db
Instruction Fuzzy Hash: EC315E71505340AFE722CF65DC44B66BFE8EF49224F0884AEE9859B252D375F809CB71

Uniqueness

Uniqueness Score: -1.00%

Function 00A6B285, Relevance: 1.6, APIs: 1, Instructions: 89registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,98A16BF4,00000000,00000000,00000000,00000000), ref: 00A6B340

Memory Dump Source

Source File: 00000000.00000002.247602264.0000000000A6A000.00000040.00000001.sdmp, Offset: 00A6A000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 25ad77514797ade129d9d79f84421278d5d024076aa00d50236d1cd7d8d1963b
Instruction ID: 59465f4e501b255aa6ffa614a453ff920c270e4ba7dd663c013660245b4fbebc
Opcode Fuzzy Hash: 25ad77514797ade129d9d79f84421278d5d024076aa00d50236d1cd7d8d1963b
Instruction Fuzzy Hash: D731A1715093806FE722CB65CC84F92BFB8EF06310F08849AE984CB252D364E948CB71

Uniqueness

Uniqueness Score: -1.00%

Function 066A046A, Relevance: 1.6, APIs: 1, Instructions: 89synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNELBASE(?,?), ref: 066A0511

Memory Dump Source

Source File: 00000000.00000002.253490501.00000000066A0000.00000040.00000001.sdmp, Offset: 066A0000, based on PE: false

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 1adb282cdd190eb529afc2db469a2c7f04001e3685851e9dcf941a63a6697266
Instruction ID: 37ceb93dac118638bc5f1c1878c4147a53f9bb25c7231dd0a4d73cf835a498d7
Opcode Fuzzy Hash: 1adb282cdd190eb529afc2db469a2c7f04001e3685851e9dcf941a63a6697266
Instruction Fuzzy Hash: EF318F755097806FE712CB25DC84B56BFF8EF06314F0884AAE984CB293D364E909CB61

Uniqueness

Uniqueness Score: -1.00%

Function 066A0DEB, Relevance: 1.6, APIs: 1, Instructions: 85COMMON

Download Yara Rule

APIs

LsaOpenPolicy.ADVAPI32(?,00000E2C), ref: 066A0E87

Memory Dump Source

Source File: 00000000.00000002.253490501.00000000066A0000.00000040.00000001.sdmp, Offset: 066A0000, based on PE: false

Similarity

API ID: OpenPolicy
String ID:
API String ID: 2030686058-0
Opcode ID: a4438218d091657567b74fd3a8f70854e8e01cd8935ec0839eedb1fba7ab4d2d
Instruction ID: a1440884d9bd19630941fb5d379dd0b3dba0a08b3f25104b18bc56511d94ffab
Opcode Fuzzy Hash: a4438218d091657567b74fd3a8f70854e8e01cd8935ec0839eedb1fba7ab4d2d
Instruction Fuzzy Hash: 4C2185725043846FEB21CF65DC84F66BFF8EF05310F18849AED84DB152D625A948CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00A6A2AC, Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

SetConsoleCtrlHandler.KERNELBASE(?,00000E2C,?,?), ref: 00A6A346

Memory Dump Source

Source File: 00000000.00000002.247602264.0000000000A6A000.00000040.00000001.sdmp, Offset: 00A6A000, based on PE: false

Similarity

API ID: ConsoleCtrlHandler
String ID:
API String ID: 1513847179-0
Opcode ID: 55027430f5cda0deada15dcd4939ddd7a2c5c02139b16f04804196dd4734a1e1
Instruction ID: 7560fa4ec762d94b482d4e770e693ee12b33cd8d619a21879bf35d6d9466c49c
Opcode Fuzzy Hash: 55027430f5cda0deada15dcd4939ddd7a2c5c02139b16f04804196dd4734a1e1
Instruction Fuzzy Hash: F521957144E3C06FD7138B259C51B61BFB4EF57620F0A40DBE984CB5A3D129A919C7B2

Uniqueness

Uniqueness Score: -1.00%

Function 066A12A6, Relevance: 1.6, APIs: 1, Instructions: 80COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,00000E2C), ref: 066A1323

Memory Dump Source

Source File: 00000000.00000002.253490501.00000000066A0000.00000040.00000001.sdmp, Offset: 066A0000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 52501209cc5a7953f050a638c0eff82c5f5e6533081a5abc48b78c8dee481454
Instruction ID: 44b3f6a1fcc14b96fca5c4cf0d367aa1fcfd435621849287793821177a4397ad
Opcode Fuzzy Hash: 52501209cc5a7953f050a638c0eff82c5f5e6533081a5abc48b78c8dee481454
Instruction Fuzzy Hash: 3A21A172500304AFEB21DF65DC84F6AFBECEF05320F14886AE985DB551D674A9148BB1

Uniqueness

Uniqueness Score: -1.00%

Function 066A0740, Relevance: 1.6, APIs: 1, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E2C,98A16BF4,00000000,00000000,00000000,00000000), ref: 066A07D5

Memory Dump Source

Source File: 00000000.00000002.253490501.00000000066A0000.00000040.00000001.sdmp, Offset: 066A0000, based on PE: false

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 0bc32cd7b5089d4aa0acb0046de9b13a02c822d5b3bf78aeef469f2bc1699bcf
Instruction ID: f47e47f9f15684c23987ba8001a09819e220a00f1822144cc26e51a3267e38b5
Opcode Fuzzy Hash: 0bc32cd7b5089d4aa0acb0046de9b13a02c822d5b3bf78aeef469f2bc1699bcf
Instruction Fuzzy Hash: F8210DB58097806FE7128B25DC41FA7BFB8EF46720F1880DAE9858F153D224A905C771

Uniqueness

Uniqueness Score: -1.00%

Function 066A1381, Relevance: 1.6, APIs: 1, Instructions: 77fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(?), ref: 066A1408

Memory Dump Source

Source File: 00000000.00000002.253490501.00000000066A0000.00000040.00000001.sdmp, Offset: 066A0000, based on PE: false

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 0cb7a346060fd2bb27eacd3e061c364c32adf90d0d360dfb019c51d1db681bc3
Instruction ID: 7cb576694676f8495994b43b241a15e9d6e5020f4dea5856ce699f5ce413e01b
Opcode Fuzzy Hash: 0cb7a346060fd2bb27eacd3e061c364c32adf90d0d360dfb019c51d1db681bc3
Instruction Fuzzy Hash: 342181765097C05FDB12CB35DC55B92BFA4EF07610F0984DADC858F263D265A908CB62

Uniqueness

Uniqueness Score: -1.00%

Function 066A066A, Relevance: 1.6, APIs: 1, Instructions: 76fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 066A06E9

Memory Dump Source

Source File: 00000000.00000002.253490501.00000000066A0000.00000040.00000001.sdmp, Offset: 066A0000, based on PE: false

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 2f6daf4e1866dc9fb51cd27a59107ad702047edd4689c25d39e12d833c150061
Instruction ID: b9f9cf1654c313a22cc810fc4694d462041c81ea624438e642da33e051d846ff
Opcode Fuzzy Hash: 2f6daf4e1866dc9fb51cd27a59107ad702047edd4689c25d39e12d833c150061
Instruction Fuzzy Hash: EC216B71504740AFEB21DF66D884B6AFBE8EF08324F188469E9859A252D771E804CE61

Uniqueness

Uniqueness Score: -1.00%

Function 00A6B1BE, Relevance: 1.6, APIs: 1, Instructions: 74registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,00000E2C), ref: 00A6B23D

Memory Dump Source

Source File: 00000000.00000002.247602264.0000000000A6A000.00000040.00000001.sdmp, Offset: 00A6A000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 642d63dd91055d95c51ec59a4ad03fd0ff9f23cdee951331bf55fedf40f02a9a
Instruction ID: ab43f27fd41947c7bf00c3400dc787f6618cd23ee2609e4839243856a7dc0c75
Opcode Fuzzy Hash: 642d63dd91055d95c51ec59a4ad03fd0ff9f23cdee951331bf55fedf40f02a9a
Instruction Fuzzy Hash: 8921A1B2500204AFEB219B69DC85FABFBFCEF04720F14846AEE45DB251D734E5488A71

Uniqueness

Uniqueness Score: -1.00%

Function 066A1700, Relevance: 1.6, APIs: 1, Instructions: 74COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 066A1782

Memory Dump Source

Source File: 00000000.00000002.253490501.00000000066A0000.00000040.00000001.sdmp, Offset: 066A0000, based on PE: false

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 77dfd7b1c2aca565b96f218f648f65b674d2e23e101072ca09cdd54c5f206c6d
Instruction ID: c84617f18a0dfcad2db53d9c03a7802c8ae1016bdb60b2c14b6b9ff8b4964e88
Opcode Fuzzy Hash: 77dfd7b1c2aca565b96f218f648f65b674d2e23e101072ca09cdd54c5f206c6d
Instruction Fuzzy Hash: 212141765093805FD752CB25DC45B96FFE8EF07210F0984EAE885CF253D264E948CB61

Uniqueness

Uniqueness Score: -1.00%

Function 066A049E, Relevance: 1.6, APIs: 1, Instructions: 72synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNELBASE(?,?), ref: 066A0511

Memory Dump Source

Source File: 00000000.00000002.253490501.00000000066A0000.00000040.00000001.sdmp, Offset: 066A0000, based on PE: false

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 9e40f83ac11c99df7a32d9e0d13a714d95e8717d21a1f186107e0118ba871b22
Instruction ID: cce2af626a5eb79de7be589b9a6813f110072295e3968885ef484d3ac3b03cbb
Opcode Fuzzy Hash: 9e40f83ac11c99df7a32d9e0d13a714d95e8717d21a1f186107e0118ba871b22
Instruction Fuzzy Hash: BC218EB1A04340AFE720DF69D985B6AFBE8EF04314F18846AE949CB242D774E904CA75

Uniqueness

Uniqueness Score: -1.00%

Function 066A0E16, Relevance: 1.6, APIs: 1, Instructions: 72COMMON

Download Yara Rule

APIs

LsaOpenPolicy.ADVAPI32(?,00000E2C), ref: 066A0E87

Memory Dump Source

Source File: 00000000.00000002.253490501.00000000066A0000.00000040.00000001.sdmp, Offset: 066A0000, based on PE: false

Similarity

API ID: OpenPolicy
String ID:
API String ID: 2030686058-0
Opcode ID: 26ef5da14d8d27ce93bee01e37df9f505645d787a951c5ef70a2d505e5e75bb8
Instruction ID: 65ac5aba2aaf5037909380026f98c1a177420931e3fbfd1f549a11330c991713
Opcode Fuzzy Hash: 26ef5da14d8d27ce93bee01e37df9f505645d787a951c5ef70a2d505e5e75bb8
Instruction Fuzzy Hash: 80219372900344AFEB20DF69DC85F6AFBECEF44714F14846AED45DB241D674A9048BB1

Uniqueness

Uniqueness Score: -1.00%

Function 066A08F2, Relevance: 1.6, APIs: 1, Instructions: 70fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,00000E2C,98A16BF4,00000000,00000000,00000000,00000000), ref: 066A0971

Memory Dump Source

Source File: 00000000.00000002.253490501.00000000066A0000.00000040.00000001.sdmp, Offset: 066A0000, based on PE: false

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: e86febef53b6e36d749382aaeb0010c9bb27e71ee4f7f815d628da95d7755107
Instruction ID: c6da4fb1036629ae16b6a23f3c0425633fb8a83278b4a3b92d697c52cd7873b5
Opcode Fuzzy Hash: e86febef53b6e36d749382aaeb0010c9bb27e71ee4f7f815d628da95d7755107
Instruction Fuzzy Hash: 00216272509344AFEB228F55DC84F56BFB8EF45314F0884AAEA859B152D274A508CB71

Uniqueness

Uniqueness Score: -1.00%

Function 00A6B2C6, Relevance: 1.6, APIs: 1, Instructions: 69registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,98A16BF4,00000000,00000000,00000000,00000000), ref: 00A6B340

Memory Dump Source

Source File: 00000000.00000002.247602264.0000000000A6A000.00000040.00000001.sdmp, Offset: 00A6A000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 9e7778b983ea5d6546ec7c0c25fa433536f37d04b647fa5f22b7317921ec20c8
Instruction ID: 4092d0cb1f88ec80e65e930e1ebd73d10781c6a97189612923daa5f1963021c1
Opcode Fuzzy Hash: 9e7778b983ea5d6546ec7c0c25fa433536f37d04b647fa5f22b7317921ec20c8
Instruction Fuzzy Hash: 6D216DB1610604AFEB20CF65DC84FA6FBFCEF04710F18846AE945DB691D764E948CA71

Uniqueness

Uniqueness Score: -1.00%

Function 066A0AFA, Relevance: 1.6, APIs: 1, Instructions: 69COMMON

Download Yara Rule

APIs

GetTokenInformation.KERNELBASE(?,00000E2C,98A16BF4,00000000,00000000,00000000,00000000), ref: 066A0B64

Memory Dump Source

Source File: 00000000.00000002.253490501.00000000066A0000.00000040.00000001.sdmp, Offset: 066A0000, based on PE: false

Similarity

API ID: InformationToken
String ID:
API String ID: 4114910276-0
Opcode ID: 8799f1fc3ddd56763cc5af8ea0452fa3320c34e909930e0d98fc33b176982801
Instruction ID: 0dbcc8f6305b302d34778fe8c89634e59ebd92a3de9963c03b9ce1171406901d
Opcode Fuzzy Hash: 8799f1fc3ddd56763cc5af8ea0452fa3320c34e909930e0d98fc33b176982801
Instruction Fuzzy Hash: D211E4B2900304AFEB21CF65DD80FAAFBACEF04324F04846AEA45CB251D775A404CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 066A1644, Relevance: 1.6, APIs: 1, Instructions: 68injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 066A16C4

Memory Dump Source

Source File: 00000000.00000002.253490501.00000000066A0000.00000040.00000001.sdmp, Offset: 066A0000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 0da4f28ac45c2acbd0acb62dee7ddbe60f7a7b770bc6f2577635a1e539e7065b
Instruction ID: a4809598e41d5275901338e683105e88ee7f63f5c0e364e098a1c88165e09e45
Opcode Fuzzy Hash: 0da4f28ac45c2acbd0acb62dee7ddbe60f7a7b770bc6f2577635a1e539e7065b
Instruction Fuzzy Hash: 1721AC765097C09FDB128B25DC85A96FFB4EF07320F0980DEE8858B263D224A948DB21

Uniqueness

Uniqueness Score: -1.00%

Function 00A6A565, Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

LoadLibraryShim.MSCOREE(?,?,?,?), ref: 00A6A5E1

Memory Dump Source

Source File: 00000000.00000002.247602264.0000000000A6A000.00000040.00000001.sdmp, Offset: 00A6A000, based on PE: false

Similarity

API ID: LibraryLoadShim
String ID:
API String ID: 1475914169-0
Opcode ID: 4f9add8d45e2cc461c3b92d603c8399ba3232a349cee946508edd2b8bdfdc430
Instruction ID: 6989425b819a95a06c817c719e98edc45cd8675e788bdae0f51feab0c05dc958
Opcode Fuzzy Hash: 4f9add8d45e2cc461c3b92d603c8399ba3232a349cee946508edd2b8bdfdc430
Instruction Fuzzy Hash: 7D2190755093809FD722CB25DC44B62BFF8EF56314F08809AED85DB253E265A908CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00A6AB67, Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00A6ABD2

Memory Dump Source

Source File: 00000000.00000002.247602264.0000000000A6A000.00000040.00000001.sdmp, Offset: 00A6A000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: c0b11a63d97b59e628e1abe54ff76c84aa518a149cb76e6555f8458007252fe0
Instruction ID: ef357319cfe9e48503270105acf3c84af8c062e270d8e27cad72b5ee3939ce21
Opcode Fuzzy Hash: c0b11a63d97b59e628e1abe54ff76c84aa518a149cb76e6555f8458007252fe0
Instruction Fuzzy Hash: F4118172409380AFDB228F55DC44B62FFF8EF5A310F0885DAED858B163D275A518DB62

Uniqueness

Uniqueness Score: -1.00%

Function 066A0912, Relevance: 1.6, APIs: 1, Instructions: 60fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,00000E2C,98A16BF4,00000000,00000000,00000000,00000000), ref: 066A0971

Memory Dump Source

Source File: 00000000.00000002.253490501.00000000066A0000.00000040.00000001.sdmp, Offset: 066A0000, based on PE: false

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: c701e12cb07a372b4dc0aea9e09c571d1c97104f58666395fad3310f6a3a02d1
Instruction ID: 484612c331a310ecd9e0ac96cefe3b5f46c1d549a5c19acaab53c94a7dda2422
Opcode Fuzzy Hash: c701e12cb07a372b4dc0aea9e09c571d1c97104f58666395fad3310f6a3a02d1
Instruction Fuzzy Hash: A811C472900300AFEB21CF55DD80F6AFBA8EF44324F14846AEE499B251C774A404CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 066A15A3, Relevance: 1.6, APIs: 1, Instructions: 58COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 066A1608

Memory Dump Source

Source File: 00000000.00000002.253490501.00000000066A0000.00000040.00000001.sdmp, Offset: 066A0000, based on PE: false

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: c2af66370e0d663d5bcf47a69bd546b661c5fa058f8df301c546d4a5b7e355be
Instruction ID: 624df83afca4bbd87c0e2866b751c92ad736e99e00df6f590ef24c55c06ca469
Opcode Fuzzy Hash: c2af66370e0d663d5bcf47a69bd546b661c5fa058f8df301c546d4a5b7e355be
Instruction Fuzzy Hash: 0111B2765097809FDB228F25DC40A52FFB4EF06320F0880DEED858B663D275A959DB61

Uniqueness

Uniqueness Score: -1.00%

Function 00A6BEA6, Relevance: 1.6, APIs: 1, Instructions: 57windowCOMMON

Download Yara Rule

APIs

CreateIconFromResourceEx.USER32 ref: 00A6BF12

Memory Dump Source

Source File: 00000000.00000002.247602264.0000000000A6A000.00000040.00000001.sdmp, Offset: 00A6A000, based on PE: false

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: 635ce7f49a351433bd2a4b291bb7c59e9c199cd55e042c80551f099930d2f631
Instruction ID: 01185926a967aedc332e62ba63223b50109906a63dd0a7138ba2e53b7c7ae847
Opcode Fuzzy Hash: 635ce7f49a351433bd2a4b291bb7c59e9c199cd55e042c80551f099930d2f631
Instruction Fuzzy Hash: A5117F32409384AFDB22CF55DC44A96FFF4EF49320F0885AAED898B563D375A458CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00A6B6E1, Relevance: 1.6, APIs: 1, Instructions: 56windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 00A6B749

Memory Dump Source

Source File: 00000000.00000002.247602264.0000000000A6A000.00000040.00000001.sdmp, Offset: 00A6A000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 9fc2efca611a87a1a87c265f17b62d6720145008731a6c1caf586587472c1749
Instruction ID: 79d1fcb89e7e5149fb270afebca6d58dbb1c683bb9a1bb460af19783cfddaad6
Opcode Fuzzy Hash: 9fc2efca611a87a1a87c265f17b62d6720145008731a6c1caf586587472c1749
Instruction Fuzzy Hash: 9411B272409384AFDB228F21DC44A52FFB4EF16310F0884DAED848B163D365A958DB62

Uniqueness

Uniqueness Score: -1.00%

Function 066A1D93, Relevance: 1.6, APIs: 1, Instructions: 56windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 066A1DFD

Memory Dump Source

Source File: 00000000.00000002.253490501.00000000066A0000.00000040.00000001.sdmp, Offset: 066A0000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 746b08e56acb5dd6f72030ca76a36ef64cfa5972e5c805ce52c399915554c96e
Instruction ID: 6d4e22b5ed26cc40f16831dd2124e158e3d2ad3ea1c490c5fddc1488b7f444ed
Opcode Fuzzy Hash: 746b08e56acb5dd6f72030ca76a36ef64cfa5972e5c805ce52c399915554c96e
Instruction Fuzzy Hash: 8211D0724093849FDB228F15DC45B52FFB4EF06324F0880EEED858B663C265A818CB61

Uniqueness

Uniqueness Score: -1.00%

Function 066A14FC, Relevance: 1.6, APIs: 1, Instructions: 55threadinjectionCOMMON

Download Yara Rule

APIs

SetThreadContext.KERNELBASE(?,?), ref: 066A155B

Memory Dump Source

Source File: 00000000.00000002.253490501.00000000066A0000.00000040.00000001.sdmp, Offset: 066A0000, based on PE: false

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: 6ee52f8e7ab608a818cbfc0726d1ed4d7981e1f76722c94311ea12345f089d71
Instruction ID: 55ab39f8feeeaae7be0bc22dd18ae776e7ae1f4986fea82d2e5ce63e848e1252
Opcode Fuzzy Hash: 6ee52f8e7ab608a818cbfc0726d1ed4d7981e1f76722c94311ea12345f089d71
Instruction Fuzzy Hash: 5C114F755093849FDB11CB15DC85B56FFE8EF06220F0980EAED858B262D274E948CB61

Uniqueness

Uniqueness Score: -1.00%

Function 066A173A, Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 066A1782

Memory Dump Source

Source File: 00000000.00000002.253490501.00000000066A0000.00000040.00000001.sdmp, Offset: 066A0000, based on PE: false

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: ba74f5369ebd032aa4b59c7c75daeee6c846844e28e33b453734e08acd47a4d6
Instruction ID: 3e09c415617c4b0859312f6d3fed15473c8d71ae6ac55a1053d070bd202cdd6e
Opcode Fuzzy Hash: ba74f5369ebd032aa4b59c7c75daeee6c846844e28e33b453734e08acd47a4d6
Instruction Fuzzy Hash: E4115275A043019FDB50DF29D845B56FBE8EF05610F08946ADD59CB342D674E804CE61

Uniqueness

Uniqueness Score: -1.00%

Function 066A0782, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E2C,98A16BF4,00000000,00000000,00000000,00000000), ref: 066A07D5

Memory Dump Source

Source File: 00000000.00000002.253490501.00000000066A0000.00000040.00000001.sdmp, Offset: 066A0000, based on PE: false

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: c7705d7a179a08225761cce9ea40082f0e7922b56d4eeaa929d781e95bc0228e
Instruction ID: e97e7a8b0abd42830c1ebd8d45f1950777c9ebaf9076b0d442180646fd6ecb55
Opcode Fuzzy Hash: c7705d7a179a08225761cce9ea40082f0e7922b56d4eeaa929d781e95bc0228e
Instruction Fuzzy Hash: 0A01D2B1905304AFEB10DF19DC85BAAFBA8EF44724F14C0AAEE459B241D674B9048EB5

Uniqueness

Uniqueness Score: -1.00%

Function 00A6B45C, Relevance: 1.6, APIs: 1, Instructions: 50memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 00A6B4BC

Memory Dump Source

Source File: 00000000.00000002.247602264.0000000000A6A000.00000040.00000001.sdmp, Offset: 00A6A000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: c126b0ca72c508a1139e6acdac50c41013f9f335e9e5e7fae7d22443304372ae
Instruction ID: b907a9a3e5ea9dd2f70d28e9574f9883fc4eb7ab4eb7a1beaa9b99fd15defd59
Opcode Fuzzy Hash: c126b0ca72c508a1139e6acdac50c41013f9f335e9e5e7fae7d22443304372ae
Instruction Fuzzy Hash: CF119E32409784AFDB228F15DC44E56FFF4EF09320F08849EED858B262C379A958CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00A6A994, Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE(?), ref: 00A6A9EC

Memory Dump Source

Source File: 00000000.00000002.247602264.0000000000A6A000.00000040.00000001.sdmp, Offset: 00A6A000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: d54f230dce34d08cb62038e7d45bf1ecb9ec7f322e6706373c1f5b86f00217ed
Instruction ID: 13127cb9793370357f9a38f9870ee67ac01b5e6dd827d29e42bc9dae56964677
Opcode Fuzzy Hash: d54f230dce34d08cb62038e7d45bf1ecb9ec7f322e6706373c1f5b86f00217ed
Instruction Fuzzy Hash: 7011AD71409384AFDB128B15DC44B62FFB8EF56624F08C0DAED849B263D275A908CB72

Uniqueness

Uniqueness Score: -1.00%

Function 00A6B058, Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32 ref: 00A6B0B2

Memory Dump Source

Source File: 00000000.00000002.247602264.0000000000A6A000.00000040.00000001.sdmp, Offset: 00A6A000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 8c24bd251d32bb42f5dbed21e77d9c3c1de65678eabc4aa055098f8224c20115
Instruction ID: 8a73ec076d84817055e099df7ca4f23354cbd82da607369332ca4868ea6ab161
Opcode Fuzzy Hash: 8c24bd251d32bb42f5dbed21e77d9c3c1de65678eabc4aa055098f8224c20115
Instruction Fuzzy Hash: 77117C324097849FDB218F15DC85B52FFB4EF06320F09C49AED858B262D375A958CB62

Uniqueness

Uniqueness Score: -1.00%

Function 066A167E, Relevance: 1.5, APIs: 1, Instructions: 47injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 066A16C4

Memory Dump Source

Source File: 00000000.00000002.253490501.00000000066A0000.00000040.00000001.sdmp, Offset: 066A0000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 36202bedb6428ad03a5876098e9843759091687e78804194531bbad6b7e6645e
Instruction ID: c9c6c968b550294e97cecb86bc958b69e35de45db79fc5d0a1bc4c7112c3371a
Opcode Fuzzy Hash: 36202bedb6428ad03a5876098e9843759091687e78804194531bbad6b7e6645e
Instruction Fuzzy Hash: EC016D756007009FEB608F1AD884B66FBE8EF05320F08C0AAED558B762D675E858CF61

Uniqueness

Uniqueness Score: -1.00%

Function 066A13CE, Relevance: 1.5, APIs: 1, Instructions: 47fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(?), ref: 066A1408

Memory Dump Source

Source File: 00000000.00000002.253490501.00000000066A0000.00000040.00000001.sdmp, Offset: 066A0000, based on PE: false

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 1dd55ba7ce005bf5bdab4067c1102bf143abdf6da3c9752498110c3ab391e029
Instruction ID: f2cdddb7b88a9b5690ae68c54bb694cea38d7b0bcb99c15f3c3d6639458e8a73
Opcode Fuzzy Hash: 1dd55ba7ce005bf5bdab4067c1102bf143abdf6da3c9752498110c3ab391e029
Instruction Fuzzy Hash: 86019E71A003408FEB50CF29D885766FBD8EF05220F08C0AADD49CF342D274E804CEA2

Uniqueness

Uniqueness Score: -1.00%

Function 066A10A2, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetTempFileNameW.KERNELBASE(?,00000E2C,?,?), ref: 066A10F2

Memory Dump Source

Source File: 00000000.00000002.253490501.00000000066A0000.00000040.00000001.sdmp, Offset: 066A0000, based on PE: false

Similarity

API ID: FileNameTemp
String ID:
API String ID: 745986568-0
Opcode ID: e00a7c7ba04763fc7c0abfcd250af449eb4f6d7522d245d560f69b3a1b19cb2e
Instruction ID: 9579484f8d0a25e28c4673a39dc35f0dc775e856bc3f80b2896f97afd83e97fa
Opcode Fuzzy Hash: e00a7c7ba04763fc7c0abfcd250af449eb4f6d7522d245d560f69b3a1b19cb2e
Instruction Fuzzy Hash: 7301B172900200AFD310DF1ADC85B26FBE8FB88B20F14816AED088B645E635F515CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 00A6A596, Relevance: 1.5, APIs: 1, Instructions: 46libraryCOMMON

Download Yara Rule

APIs

LoadLibraryShim.MSCOREE(?,?,?,?), ref: 00A6A5E1

Memory Dump Source

Source File: 00000000.00000002.247602264.0000000000A6A000.00000040.00000001.sdmp, Offset: 00A6A000, based on PE: false

Similarity

API ID: LibraryLoadShim
String ID:
API String ID: 1475914169-0
Opcode ID: 58393a0afef2765f11c03fdbf7323898fb1b7866a1c83c7df5f49d3505441f2e
Instruction ID: 5acd912a6f800c421c9d115aa03ea0bd89f93641bc829a4e9baaa05bd251780b
Opcode Fuzzy Hash: 58393a0afef2765f11c03fdbf7323898fb1b7866a1c83c7df5f49d3505441f2e
Instruction Fuzzy Hash: B60180756002008FDB20DF19D844B16FBF8EF54720F08C09ADD5A9B252E274E444CE72

Uniqueness

Uniqueness Score: -1.00%

Function 00A6AB8E, Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00A6ABD2

Memory Dump Source

Source File: 00000000.00000002.247602264.0000000000A6A000.00000040.00000001.sdmp, Offset: 00A6A000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: afcf02c88c3019e33a0f6acf6a1d7efa1b38fa5051b0ca2c48aa04cfbda18fe0
Instruction ID: ed8af35bc2f70adef9302dfa4405aa75bdb0fd132f50a79781969925b7f70da9
Opcode Fuzzy Hash: afcf02c88c3019e33a0f6acf6a1d7efa1b38fa5051b0ca2c48aa04cfbda18fe0
Instruction Fuzzy Hash: F501C0325006009FDB21CF95D844B56FFF0EF18320F08C4AAED498B652C376A414DF62

Uniqueness

Uniqueness Score: -1.00%

Function 00A6BECE, Relevance: 1.5, APIs: 1, Instructions: 45windowCOMMON

Download Yara Rule

APIs

CreateIconFromResourceEx.USER32 ref: 00A6BF12

Memory Dump Source

Source File: 00000000.00000002.247602264.0000000000A6A000.00000040.00000001.sdmp, Offset: 00A6A000, based on PE: false

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: 1bdff350ae9d32048a54f006ada7525010cabcfb02cc099993783239527866aa
Instruction ID: b55e69848346d78c680f1b4165fbc1971e391a5141d1c06798483a4c03a6d7db
Opcode Fuzzy Hash: 1bdff350ae9d32048a54f006ada7525010cabcfb02cc099993783239527866aa
Instruction Fuzzy Hash: 32016D724106409FDB218F55DC44B66FFB4EF08320F18C4AAEE898A662D375E458DF71

Uniqueness

Uniqueness Score: -1.00%

Function 066A151E, Relevance: 1.5, APIs: 1, Instructions: 44threadinjectionCOMMON

Download Yara Rule

APIs

SetThreadContext.KERNELBASE(?,?), ref: 066A155B

Memory Dump Source

Source File: 00000000.00000002.253490501.00000000066A0000.00000040.00000001.sdmp, Offset: 066A0000, based on PE: false

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: b2e6c370fb8adc143e5bb2f863731c8a652f3ec3ca4ec4af6608da72f0a44b4f
Instruction ID: d74ce2fa198d15a39789a3f220fc77babf5c064fccbe61960edaabe1ad46f0c3
Opcode Fuzzy Hash: b2e6c370fb8adc143e5bb2f863731c8a652f3ec3ca4ec4af6608da72f0a44b4f
Instruction Fuzzy Hash: 8D0184B56103448FEB50CF19D884B65FBE8EF05320F08C0AADD568B752D275E954DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00A6A2F6, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

SetConsoleCtrlHandler.KERNELBASE(?,00000E2C,?,?), ref: 00A6A346

Memory Dump Source

Source File: 00000000.00000002.247602264.0000000000A6A000.00000040.00000001.sdmp, Offset: 00A6A000, based on PE: false

Similarity

API ID: ConsoleCtrlHandler
String ID:
API String ID: 1513847179-0
Opcode ID: 19a273c2723a4e4ba98f3b13c9439200b9d180152d2dd98c0f17b7bed121c4da
Instruction ID: 17d83793f9e1e78800912a811d01d0a6d7daf105c9efc9e3fdb309dd588267c2
Opcode Fuzzy Hash: 19a273c2723a4e4ba98f3b13c9439200b9d180152d2dd98c0f17b7bed121c4da
Instruction Fuzzy Hash: 3E01A272500200ABD210DF1ADC86B26FBE8FB88B20F14816AED088B745E635F515CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 066A15CA, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 066A1608

Memory Dump Source

Source File: 00000000.00000002.253490501.00000000066A0000.00000040.00000001.sdmp, Offset: 066A0000, based on PE: false

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: b4b0eb772d76876b5784228dee26502560e087d4c482cc6226cf85915372f34f
Instruction ID: cfffcd3c3289fabca9e99db21e10b088490991104795c1a4945f1fd345b6bb24
Opcode Fuzzy Hash: b4b0eb772d76876b5784228dee26502560e087d4c482cc6226cf85915372f34f
Instruction Fuzzy Hash: 2A019E325007009FDB208F16D884B66FFA4EF09320F08C0AEED558B762D275E819CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 066A1DC2, Relevance: 1.5, APIs: 1, Instructions: 42windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 066A1DFD

Memory Dump Source

Source File: 00000000.00000002.253490501.00000000066A0000.00000040.00000001.sdmp, Offset: 066A0000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: d563d1982a9a3e48926284028bf7c708947818cfbb289f9a243443c020bef92d
Instruction ID: 99e52829faabfcfdd5f8f3c2e8878ad4b7c58f2eb2a5939c769ea6b82cc170bf
Opcode Fuzzy Hash: d563d1982a9a3e48926284028bf7c708947818cfbb289f9a243443c020bef92d
Instruction Fuzzy Hash: DB01D4355007408FDB208F15D884B65FFA4FF09320F08C0AEDD558B662C275E858CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00A6B47E, Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 00A6B4BC

Memory Dump Source

Source File: 00000000.00000002.247602264.0000000000A6A000.00000040.00000001.sdmp, Offset: 00A6A000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 1ac2a858c81104eba75940cf245c8bbaac55e680113e58116e30541deea0c73e
Instruction ID: c6d0cde4e42a5e306caf8842e0a8e363ff4f5c0fc55c9d26f0d2209b56e0290c
Opcode Fuzzy Hash: 1ac2a858c81104eba75940cf245c8bbaac55e680113e58116e30541deea0c73e
Instruction Fuzzy Hash: 90017C71410604DFDB208F55D888B65FFB0EF08720F18C49ADE498A662C775A458DB72

Uniqueness

Uniqueness Score: -1.00%

Function 00A6B70E, Relevance: 1.5, APIs: 1, Instructions: 38windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 00A6B749

Memory Dump Source

Source File: 00000000.00000002.247602264.0000000000A6A000.00000040.00000001.sdmp, Offset: 00A6A000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 4a75ad93d47d0178ea4f3c96293dc96e1aa73bd0ab517607682c290745446b13
Instruction ID: 8d14c040ec64698f0ba35167eec9979be3e2ee72705cbd0ac15a315cf4b36bb7
Opcode Fuzzy Hash: 4a75ad93d47d0178ea4f3c96293dc96e1aa73bd0ab517607682c290745446b13
Instruction Fuzzy Hash: 7A01DF31411204DFDB208F05D844B25FFB0EF48320F08C0AADE498B262D375A448CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 00A6B07A, Relevance: 1.5, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32 ref: 00A6B0B2

Memory Dump Source

Source File: 00000000.00000002.247602264.0000000000A6A000.00000040.00000001.sdmp, Offset: 00A6A000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: dca79c8fa25f9ae08463da257d814738dc2250d068d4f0b8894acf64c222843d
Instruction ID: 306865d4d52c6f29d5b6d4b0ec1fab6c16f3316d862a8bacecba3147ce17a4b1
Opcode Fuzzy Hash: dca79c8fa25f9ae08463da257d814738dc2250d068d4f0b8894acf64c222843d
Instruction Fuzzy Hash: 7301D131410244CFDB208F05D884B16FFB0EF04320F18C0AADD598B652C375A448DF72

Uniqueness

Uniqueness Score: -1.00%

Function 00A6A9BA, Relevance: 1.5, APIs: 1, Instructions: 35threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE(?), ref: 00A6A9EC

Memory Dump Source

Source File: 00000000.00000002.247602264.0000000000A6A000.00000040.00000001.sdmp, Offset: 00A6A000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 4d66888996b8fca747e07284b89ab1bb773de174161f34d2ed2c8f3e87bc78ca
Instruction ID: 15cba70404ca99fdcf08ff8569bc1474239710eb3ed9cbe259644257cc1cb633
Opcode Fuzzy Hash: 4d66888996b8fca747e07284b89ab1bb773de174161f34d2ed2c8f3e87bc78ca
Instruction Fuzzy Hash: F6F022315042408FDB20CF06D884725FFB0EF14320F18C0EADD485F352D279A808CEA2

Uniqueness

Uniqueness Score: -1.00%

Function 04B40CA0, Relevance: 1.4, Strings: 1, Instructions: 112COMMON

Download Yara Rule

Strings

X1(r, xrefs: 04B40DB3

Memory Dump Source

Source File: 00000000.00000002.251036538.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: false

Similarity

API ID:
String ID: X1(r
API String ID: 0-3909273932
Opcode ID: 4169c449e4da36349a2ddb4e8e1d8708551a2a954025a3fe7b8299bd495e51f2
Instruction ID: 6e1c35c32a28477656f362dd1a20eb234fbc5a79e5ec4528e25fc6a087031f9b
Opcode Fuzzy Hash: 4169c449e4da36349a2ddb4e8e1d8708551a2a954025a3fe7b8299bd495e51f2
Instruction Fuzzy Hash: D241B0B4E152089FDB04DFA9D9846ADBBF1FF89300F14806AD919E7360EB346941DF54

Uniqueness

Uniqueness Score: -1.00%

Function 04B40CB0, Relevance: 1.4, Strings: 1, Instructions: 110COMMON

Download Yara Rule

Strings

X1(r, xrefs: 04B40DB3

Memory Dump Source

Source File: 00000000.00000002.251036538.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: false

Similarity

API ID:
String ID: X1(r
API String ID: 0-3909273932
Opcode ID: 9dd8d3c5e515cf6414b9faf7169bc389c59cd8862a71c23c5eaa6f89fd17b40b
Instruction ID: 6e61d88b80954c5614f958e682ea2c2526210d05ac7c79d4889addd52a3cb9a2
Opcode Fuzzy Hash: 9dd8d3c5e515cf6414b9faf7169bc389c59cd8862a71c23c5eaa6f89fd17b40b
Instruction Fuzzy Hash: 6941A2B4E01208DFDB04EFA9D8447ADBBF1FB89300F14806AD916A7360EB746945DF54

Uniqueness

Uniqueness Score: -1.00%

Function 04B4AD4C, Relevance: 1.3, Strings: 1, Instructions: 82COMMON

Download Yara Rule

Strings

R, xrefs: 04B4AD94

Memory Dump Source

Source File: 00000000.00000002.251036538.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: false

Similarity

API ID:
String ID: R
API String ID: 0-1466425173
Opcode ID: 1fc494e558bbcb13b14d512b2dabea7b7de31407ce37b6a051e1b444156faa3e
Instruction ID: 3f79444ccb7e8a213d555afae6cb6266e8d2bf748d13a13fc708c8ec599eb7d4
Opcode Fuzzy Hash: 1fc494e558bbcb13b14d512b2dabea7b7de31407ce37b6a051e1b444156faa3e
Instruction Fuzzy Hash: AE21A4B0E49208DFDB04CFA5D8415FEBFB6AFCE300F14A5A9D415A7256E7B05601EB90

Uniqueness

Uniqueness Score: -1.00%

Function 04B404E0, Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.251036538.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f5fee7a6991e21661f004360e27ed6f02af8b9da4ff3300ff1fae0bbaa05f5d
Instruction ID: aaeadd17dcb95f0f5498b6d28bf0c5df18154ee4069c8efc0bfd1e12a2f28353
Opcode Fuzzy Hash: 0f5fee7a6991e21661f004360e27ed6f02af8b9da4ff3300ff1fae0bbaa05f5d
Instruction Fuzzy Hash: C2D1C534A01208CFDB04DBA4CA90EEEB7B2FF89304F659569E505AB365CB31BD46CB50

Uniqueness

Uniqueness Score: -1.00%

Function 04B404F0, Relevance: .3, Instructions: 314COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.251036538.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37ea7e3413ea7dd5c6723feebf3741b769a883ada40126973b52fa203b6c26a6
Instruction ID: 6d4ce42fe92ebd876d805898aba96654aa7048420127acb95a83fa8e6e19689e
Opcode Fuzzy Hash: 37ea7e3413ea7dd5c6723feebf3741b769a883ada40126973b52fa203b6c26a6
Instruction Fuzzy Hash: EAD1C534A01208CFCB04DBA4CA90EEEB7B2FF89300F659569E505AB365CB31BD46CB50

Uniqueness

Uniqueness Score: -1.00%

Function 04B400B8, Relevance: .3, Instructions: 285COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.251036538.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e990229d587a67e9d2b94f016a5ab7869f83d6ebed3e323828d105043013028
Instruction ID: 980700222b5e33a6919b2df3bff264bee87fe3cb0924078d374a2109c6e00bd3
Opcode Fuzzy Hash: 1e990229d587a67e9d2b94f016a5ab7869f83d6ebed3e323828d105043013028
Instruction Fuzzy Hash: 38D1B774E002088FCB04DFA8D994ADDBBB2FF89304F258169E459AB365DB31AD46CF54

Uniqueness

Uniqueness Score: -1.00%

Function 04B43A23, Relevance: .3, Instructions: 278COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.251036538.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: baaef948923de3aa82d09ece4d46e2dedf9e38d43dd6f122cd81bcff33379f26
Instruction ID: 4f05abb7ecf68520df8d7a0d6c77e422ca9e578fdbe2edabc3151dda317bf871
Opcode Fuzzy Hash: baaef948923de3aa82d09ece4d46e2dedf9e38d43dd6f122cd81bcff33379f26
Instruction Fuzzy Hash: CFC13370905205CFEB00DF98C188AADBBF5FB84348F65C1A4D454AF296C7B8E895DF64

Uniqueness

Uniqueness Score: -1.00%

Function 04B400C8, Relevance: .3, Instructions: 277COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.251036538.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bcccf4a2eceb335fd0deeb7231827ebae2875911d45ac8d5350a3d41faa4217
Instruction ID: 5b2f099b89b5a662325983a74b342a9b8efdf3b83577668984e01b3e6b6d6282
Opcode Fuzzy Hash: 4bcccf4a2eceb335fd0deeb7231827ebae2875911d45ac8d5350a3d41faa4217
Instruction Fuzzy Hash: 94C1A574E002098FCB04DFA8C994ADDBBB2FF89304F258569E419AB365DB31AD46CF54

Uniqueness

Uniqueness Score: -1.00%

Function 04B43A75, Relevance: .3, Instructions: 274COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.251036538.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84a67b576e10fec3d0bf8b8773fe4d438c4e95b87e661cfbdfaca5238c681dbb
Instruction ID: eaecc7719b5ced47c94ecd8c84f270e9ae344e04a47e59217e9fe67c3b6edadf
Opcode Fuzzy Hash: 84a67b576e10fec3d0bf8b8773fe4d438c4e95b87e661cfbdfaca5238c681dbb
Instruction Fuzzy Hash: 96C14470905205CFEB00DF98C188AADBBF5FB84348F65C1A4D454AF296C7B8E895DF64

Uniqueness

Uniqueness Score: -1.00%

Function 04B43AA4, Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.251036538.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8b602bab30a88e2ab421e654e9f733b75eca3441880cd89940e0230bd426508
Instruction ID: cc79ff6c18a21e18ef1fb171aebaa2c964be54e5c4599f89f702ca61cf29e831
Opcode Fuzzy Hash: f8b602bab30a88e2ab421e654e9f733b75eca3441880cd89940e0230bd426508
Instruction Fuzzy Hash: A0C15370901205CFEB00EF98C188AADBBF5FB84348F65C1A4D454AF296C7B9E895DF64

Uniqueness

Uniqueness Score: -1.00%

Function 04B41008, Relevance: .2, Instructions: 231COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.251036538.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ca4d74b4a0f775eff652f05250961dabb45b2eaaa79cee50e61ac819a33306c
Instruction ID: 1deb456328e06489ef82e345a778b36f311b2292751e202f30214720662459ca
Opcode Fuzzy Hash: 3ca4d74b4a0f775eff652f05250961dabb45b2eaaa79cee50e61ac819a33306c
Instruction Fuzzy Hash: 9AA10474E01228CFDB14CFA9C888BEDBBB2FF86304F1481A9D149AB251D7716A85DF51

Uniqueness

Uniqueness Score: -1.00%

Function 04B44B22, Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.251036538.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c0a2fa0ae436dfe69f3da81df084d5d6343319f5f5aebcc82aba2f5a1120307
Instruction ID: 6c2b6908f6ff7a832159bbeb077aebcca3dd92ba3de4ebfed32d9538d4d3720a
Opcode Fuzzy Hash: 6c0a2fa0ae436dfe69f3da81df084d5d6343319f5f5aebcc82aba2f5a1120307
Instruction Fuzzy Hash: 1991F4B4E08208DFDB04CFA9C5807EDBBF6EF89304F249069D419BB249E770A955EB50

Uniqueness

Uniqueness Score: -1.00%

Function 04B43240, Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.251036538.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e67a4fc0275617c76ad93f74a519a398c6c9c05f6cfd8885b1bdb46250daa89
Instruction ID: 6458922ce44eb80d354ab9443b53ba0cb2f2714add9f947adec10be5d19a1262
Opcode Fuzzy Hash: 6e67a4fc0275617c76ad93f74a519a398c6c9c05f6cfd8885b1bdb46250daa89
Instruction Fuzzy Hash: C651F774F09208EFDF04CF99D4847EDBBF5AB89300F18A199E815A7241D774AA85EF50

Uniqueness

Uniqueness Score: -1.00%

Function 04B4499A, Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.251036538.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f285df152639a05ead3803b6327c4c9a3b2cd69ba4cc81cc906561c7e66fa81
Instruction ID: a2f5eac250cfb0cd7acfb9c88fa6589cae2c495444157fc62642d5ff8ace2d02
Opcode Fuzzy Hash: 8f285df152639a05ead3803b6327c4c9a3b2cd69ba4cc81cc906561c7e66fa81
Instruction Fuzzy Hash: 88410474E09219DFDB00CF98C480AEEF7B6FF89300F109591E415B7285E374B966AB68

Uniqueness

Uniqueness Score: -1.00%

Function 04B41850, Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.251036538.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c4972eafce13a8ef93a651e453c4e3691c0b19004f9459fce4539860b982c42
Instruction ID: 96ff4f1c66bd66468d258bbb4f0903e1ac896100484fb85c03162db3ffa94b8a
Opcode Fuzzy Hash: 3c4972eafce13a8ef93a651e453c4e3691c0b19004f9459fce4539860b982c42
Instruction Fuzzy Hash: 8241D274E05208DFDB14CFA9D858BADBBB2AF89300F20916AE815BB254DB306946DF54

Uniqueness

Uniqueness Score: -1.00%

Function 04B46110, Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.251036538.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bfe4bf3401042814c947bfc11c7686f881ff3f01a066353fb26ed775d395b8d6
Instruction ID: 6347eeed0e52f6eceeed1bee27f026a5b0f63ab22d1f0b3d9c4e91a9614c744a
Opcode Fuzzy Hash: bfe4bf3401042814c947bfc11c7686f881ff3f01a066353fb26ed775d395b8d6
Instruction Fuzzy Hash: 11410A74E04208DFDB15DFA9D580AADBBB2FF89300F20816AD8156B355DB35AD42DF50

Uniqueness

Uniqueness Score: -1.00%

Function 04B4328C, Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.251036538.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8dad723b54101a454bd90923ec51213bd2c51c5402c0caeb650207c2cbf0bab9
Instruction ID: 3f52628feef7580d2d1641060955c3e0b119a9291ce46d842a87324529afd182
Opcode Fuzzy Hash: 8dad723b54101a454bd90923ec51213bd2c51c5402c0caeb650207c2cbf0bab9
Instruction Fuzzy Hash: B5410A74E09248EFDB05CFA8C484BDCBBF5AF89314F18A0DAE845A7252D7346985EB00

Uniqueness

Uniqueness Score: -1.00%

Function 04B40970, Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.251036538.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f99718eca58b851410539b4416a7f67bbd5c0a6329ce73df6f1a46767675abbf
Instruction ID: 1e9ea562b7ecaa431013e9a0f36e7bec282f20b700d562c7064e41ec0e8ac4b5
Opcode Fuzzy Hash: f99718eca58b851410539b4416a7f67bbd5c0a6329ce73df6f1a46767675abbf
Instruction Fuzzy Hash: 8941B4B4E002099FDB04DFA9D880AAEFBF2FF88300F20816AE504AB364DB355945DF54

Uniqueness

Uniqueness Score: -1.00%

Function 04B40980, Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.251036538.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d27da811bfe236b24d39006aeff4aee509775bd6a68c3e036f0f23c83c75e20
Instruction ID: 4e4a03fd21d3bd180a55a214dec4da51a89fddbc2b24290464ee49e61f0c1281
Opcode Fuzzy Hash: 8d27da811bfe236b24d39006aeff4aee509775bd6a68c3e036f0f23c83c75e20
Instruction Fuzzy Hash: 3D4172B4E002099FDB44DFA9D981AAEFBF2FF88300F20816AE914A7354DB756941DF54

Uniqueness

Uniqueness Score: -1.00%

Function 04B41750, Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.251036538.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a655febd9574932d352ceef23d9a6641052c74c6fd4395002fda4edf9db20f1a
Instruction ID: 636526fb27f6201c292faca285ac1d2018ed2b0ac11664e4685b5018e63d3571
Opcode Fuzzy Hash: a655febd9574932d352ceef23d9a6641052c74c6fd4395002fda4edf9db20f1a
Instruction Fuzzy Hash: 8A2143B0F042558BDB01EBBC88142AEBF76AFCA710F2481AAD005AB381DF305D05D7A1

Uniqueness

Uniqueness Score: -1.00%

Function 04B40006, Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.251036538.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b542cfd87a3b3876300e57f499b7d51df2e693d19dc5899799a350a99721ecdf
Instruction ID: 5f1c7460e31bcd37db99677f3570e60039bff6ef3198faf73ef089df8cc48398
Opcode Fuzzy Hash: b542cfd87a3b3876300e57f499b7d51df2e693d19dc5899799a350a99721ecdf
Instruction Fuzzy Hash: 42116AA540F3C05FD707AB7098242A97FB0AF93114B0A14EBD0D1CB6A3D2285E0ADB36

Uniqueness

Uniqueness Score: -1.00%

Function 04B447C7, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.251036538.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb28a41385a1007bc3188dbf26e263596d8a58096e3257009f89a165cdfaa5f7
Instruction ID: 2b10c75579c8731edd81cce6f03ca9ffd1ecab78111665588c8f3ac1d31a72aa
Opcode Fuzzy Hash: eb28a41385a1007bc3188dbf26e263596d8a58096e3257009f89a165cdfaa5f7
Instruction Fuzzy Hash: C221B2749042498FCB10DBA8D4953CDFBB1EFC5200F2852BAD8A59B306D730AA42CF62

Uniqueness

Uniqueness Score: -1.00%

Function 04B40E88, Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.251036538.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f45f21c359e2fd08fb1ae20afc6a77d848b5460c8f78bcf57025976f1dc7264
Instruction ID: a9ac58e9204f47d3e8854ad6400fe068d55c093a483f67979a1b71dc60d442c2
Opcode Fuzzy Hash: 0f45f21c359e2fd08fb1ae20afc6a77d848b5460c8f78bcf57025976f1dc7264
Instruction Fuzzy Hash: 63212FB4E48209DFCB05EFA8D850AEEBBB5FB89300F1085A9D515B7390D7346A01EF65

Uniqueness

Uniqueness Score: -1.00%

Function 04B41FED, Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.251036538.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90a8ffc8e0bebbe933c1426077d87f986ee7709246dadac6ca89a034582111c3
Instruction ID: add4e877eb4051049d4116252c5f1136e2cef2a6bb75d2b1cce07e4b263c2be6
Opcode Fuzzy Hash: 90a8ffc8e0bebbe933c1426077d87f986ee7709246dadac6ca89a034582111c3
Instruction Fuzzy Hash: AA216674D04209DFCB04EFA8D484AAEBBB2EF8A300F1481AAD555E7395DB305942CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00D10726, Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.247692788.0000000000D10000.00000040.00000040.sdmp, Offset: 00D10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60d684054b0cf19193d4b16e48dbb4e00221ffadc106c01be003f70c991016d3
Instruction ID: 789b737b5b9278294fee7ddbf2bbbeb526608a6202b6381e0c7528ed1460ca89
Opcode Fuzzy Hash: 60d684054b0cf19193d4b16e48dbb4e00221ffadc106c01be003f70c991016d3
Instruction Fuzzy Hash: 5D2118351093C49FDB039B24D890B55BFB1AF47314F19C6DED8848B6A3C77A984ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 00D1075C, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.247692788.0000000000D10000.00000040.00000040.sdmp, Offset: 00D10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7453c3e4c887791ce408b7f84e8b95f9692d24be86d362bcc2925bf8e8fc7da0
Instruction ID: 016393801ebc676c2b986c6d69f866c34acd965eb41508be721538e8404b49fe
Opcode Fuzzy Hash: 7453c3e4c887791ce408b7f84e8b95f9692d24be86d362bcc2925bf8e8fc7da0
Instruction Fuzzy Hash: 7F11E734204245EFD705EB14E984B65FF95EB88708F28C59CE9491B692CBB7E883CE61

Uniqueness

Uniqueness Score: -1.00%

Function 04B40EC0, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.251036538.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e92245b4b5f40102805748b55dd818970fae3124750ec98f8ee53e19fb9a14d
Instruction ID: 41515d415fd08403b6f073ccf5c937157f239a9e7f1899aebd210aa146c034be
Opcode Fuzzy Hash: 4e92245b4b5f40102805748b55dd818970fae3124750ec98f8ee53e19fb9a14d
Instruction Fuzzy Hash: 131126B4E04209CFCF05EFA9D8546AEBBB1FB89300F1085A9D515B7390D7346A02EFA5

Uniqueness

Uniqueness Score: -1.00%

Function 04B42010, Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.251036538.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 930c575da27410ae60dc717f2b5a3ca6bb0794d3b86edbf05269ca762661845f
Instruction ID: 82a4ab431c1ab55d8fe1adf4ac427e812db455b964dc3a5f0ac1754ab5ab2552
Opcode Fuzzy Hash: 930c575da27410ae60dc717f2b5a3ca6bb0794d3b86edbf05269ca762661845f
Instruction Fuzzy Hash: C621C474E00209DFCB48EFA8D5859AEBBB2FF89300F1481A9D915A7394DB306A41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00D105D0, Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.247692788.0000000000D10000.00000040.00000040.sdmp, Offset: 00D10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22d1b9077c089da638b81962707cc744f18f3659bd93b8f78050e522e162b140
Instruction ID: 2b7c45aa8d3107e81632a0ea7ac63cebcc0318b0fde04196c7397a1739032251
Opcode Fuzzy Hash: 22d1b9077c089da638b81962707cc744f18f3659bd93b8f78050e522e162b140
Instruction Fuzzy Hash: EA01D6B25497805FD3128F1AEC41897FFE8EF4633070984ABEC89CB212D129A918CB61

Uniqueness

Uniqueness Score: -1.00%

Function 04B4ACE8, Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.251036538.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84abbae28a36109b83c157dedb7c81f8f48ecab1f3bd4d6a5876499f87a1d552
Instruction ID: 2af49b32364a2119fa4ec71c847a41e57d78f861ffec78eb89b5c962a4e985b3
Opcode Fuzzy Hash: 84abbae28a36109b83c157dedb7c81f8f48ecab1f3bd4d6a5876499f87a1d552
Instruction Fuzzy Hash: EBF027B4949248AFD7089F70E8096ED3F36EB46305F1421E5D90117282E7F16D40E771

Uniqueness

Uniqueness Score: -1.00%

Function 04B44830, Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.251036538.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c70a5edfabf7db96a84c526f9caa6f9a5710ce8593974d4fe5352f7a778ffa3
Instruction ID: 5b32e9601183c8437cec3a06d903a97767d4d07a00f9e70e6869e158d9483c88
Opcode Fuzzy Hash: 8c70a5edfabf7db96a84c526f9caa6f9a5710ce8593974d4fe5352f7a778ffa3
Instruction Fuzzy Hash: FB01FB74E0010EDFCB44EFA8D54569DFBB2FF44300F1882AA9915A7344DB706E01DB91

Uniqueness

Uniqueness Score: -1.00%

Function 00D10818, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.247692788.0000000000D10000.00000040.00000040.sdmp, Offset: 00D10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 693b7c54016a59cdbfed5bf97d611671327a7796b2b33607a59a4987e9e37b45
Instruction ID: c0fb2704b6236a1203f6e848f193294524de9616bd6d74dc9b72f2f3f77dc7f8
Opcode Fuzzy Hash: 693b7c54016a59cdbfed5bf97d611671327a7796b2b33607a59a4987e9e37b45
Instruction Fuzzy Hash: DBF04B35108644DFC302DF40D940B15FBA2EB89718F24C6A9E9480B652C777E853DE81

Uniqueness

Uniqueness Score: -1.00%

Function 04B40AAF, Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.251036538.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fc734df020302981cc06ab584e92ae2cce3f242ae93ee0519cf450ac9ac265e
Instruction ID: d557b224f43ee818f9705997f7fc1dd98ba5ecf9c139ea8a89c05eec49acdd95
Opcode Fuzzy Hash: 4fc734df020302981cc06ab584e92ae2cce3f242ae93ee0519cf450ac9ac265e
Instruction Fuzzy Hash: 81F05E78D08208DFDF15EF64E45869CBFB1EB49305F2081E6DC40A7361E7341A16DB05

Uniqueness

Uniqueness Score: -1.00%

Function 00D105F6, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.247692788.0000000000D10000.00000040.00000040.sdmp, Offset: 00D10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2dae243c09a730982397af70470703c2e8c0ab779afc4e71075e127db62feb6a
Instruction ID: 307841fc7709e5360c0d07a758de663849e4970d22babde7fb13e9b07387d8b5
Opcode Fuzzy Hash: 2dae243c09a730982397af70470703c2e8c0ab779afc4e71075e127db62feb6a
Instruction Fuzzy Hash: 42E06DB66446004B9650CF0AEC81456F7D8EB88630718C47BDC0D8B711D539B5048EA5

Uniqueness

Uniqueness Score: -1.00%

Function 04B41811, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.251036538.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 195fa8bf8813f63622c70fd3c4229d00e131272ce6649dde1c792ee089255969
Instruction ID: 3d2a4c7f5055cf4d19e1eedb657f729d500a150b46d8781a16943d21fa4437e3
Opcode Fuzzy Hash: 195fa8bf8813f63622c70fd3c4229d00e131272ce6649dde1c792ee089255969
Instruction Fuzzy Hash: FDE09A709093489FEB029BA898186AC7F30DB07220F6411E6C445A33A2DA316A85EB25

Uniqueness

Uniqueness Score: -1.00%

Function 04B40070, Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.251036538.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5c6b60925f7ad8dbf714f3696dc88017ba78795f3498db1a5a58db1cf50a3e0
Instruction ID: 1eaeed6d3bc2ed1d9079e0035bb568807253381ac732ed44e9d1ac3d06d0ff11
Opcode Fuzzy Hash: f5c6b60925f7ad8dbf714f3696dc88017ba78795f3498db1a5a58db1cf50a3e0
Instruction Fuzzy Hash: FAE08CB0943108AACB08FBF4E95A62EB3B8DB82304F4028ACB10163241CE756E109769

Uniqueness

Uniqueness Score: -1.00%

Function 04B40930, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.251036538.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e020eab8aee99c0faa26862226f4b6976b11efe1e92f85f49218759bfeaad982
Instruction ID: da856687ebf6d103a71310e99897baa9fcc9147be6f152b47c4bbf1141b62a7c
Opcode Fuzzy Hash: e020eab8aee99c0faa26862226f4b6976b11efe1e92f85f49218759bfeaad982
Instruction Fuzzy Hash: CCE0867084A2444AEB09BFA4B8142AC7F30DB47305F1061E6C44467361D2351A56DB7D

Uniqueness

Uniqueness Score: -1.00%

Function 04B4ACF8, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.251036538.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7a3e0005aaa4f0ce7cd75387e82bdab6beb9f4341bf77f089ec6e1eb2dff335
Instruction ID: 38e85c403520f6febd65365702149cee3380eaefb1ba32d1353f8579f5f032f4
Opcode Fuzzy Hash: c7a3e0005aaa4f0ce7cd75387e82bdab6beb9f4341bf77f089ec6e1eb2dff335
Instruction Fuzzy Hash: 2BE04FB0945208DBC708EFB4E54967D7B76EB89706F2021A4D90527285E7F26D40EB64

Uniqueness

Uniqueness Score: -1.00%

Function 04B40940, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.251036538.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27a4ae37597ff7a7a52e69f5faa5a08a6d23a0c00f44226cbe38f2422d0c53b6
Instruction ID: a48d58ad2682fc2b04d7b646e2abd664a95185527a8eea31619b97d7f411429a
Opcode Fuzzy Hash: 27a4ae37597ff7a7a52e69f5faa5a08a6d23a0c00f44226cbe38f2422d0c53b6
Instruction Fuzzy Hash: F4D0C770C4610C97C704BFE8D94977DBB74D742305F1051A9954433351D6751A54DBBD

Uniqueness

Uniqueness Score: -1.00%

Function 00A623F4, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.247597551.0000000000A62000.00000040.00000001.sdmp, Offset: 00A62000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6dfbb122a4d2f57fe93c526814b4775c5833701fd9de642b83efbb820132914d
Instruction ID: db56648f9840e2966dd3cdf1f24239433d3547b6bb00185bd46c3a72aaad8de5
Opcode Fuzzy Hash: 6dfbb122a4d2f57fe93c526814b4775c5833701fd9de642b83efbb820132914d
Instruction Fuzzy Hash: EBD05E79245A814FD3268B1CC1ACBA53BA4EF52B04F4644F9E8008B663CB68D981D200

Uniqueness

Uniqueness Score: -1.00%

Function 00A623BC, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.247597551.0000000000A62000.00000040.00000001.sdmp, Offset: 00A62000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09cb1d9f5b63d5401b3a8db7d5d80629f5174c5678d86e72d510ef8e3b2c3369
Instruction ID: a9210c5671e25a8670d0ed909e642897175d982f78039ce5f7528484dc4fc230
Opcode Fuzzy Hash: 09cb1d9f5b63d5401b3a8db7d5d80629f5174c5678d86e72d510ef8e3b2c3369
Instruction Fuzzy Hash: A0D05E342016814BD715DB1CC194F5937E4AB41B00F0644E9AC008F362C3A8EC81C600

Uniqueness

Uniqueness Score: -1.00%

Function 04B4C32A, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.251036538.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d01b5802bb5a3514dbec2638bc98698048cf3bd6aef19f137e6cb16bb06b14b9
Instruction ID: 23704dcff92e571aaf78c2e45138bb50eb559ab052068c579ab0b49f71033faf
Opcode Fuzzy Hash: d01b5802bb5a3514dbec2638bc98698048cf3bd6aef19f137e6cb16bb06b14b9
Instruction Fuzzy Hash: F8D0923054F2809FCB119B68D52C6A87EB4BF86701F2A04E6944A9E4A7CAA51E04AA14

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 04B48C6E, Relevance: 6.4, Strings: 5, Instructions: 148COMMON

Download Yara Rule

Strings

X1(r, xrefs: 04B48D7D
$g%r, xrefs: 04B48D25
X1(r, xrefs: 04B48DB6
>z, xrefs: 04B48C93
`5(r, xrefs: 04B48D55

Memory Dump Source

Source File: 00000000.00000002.251036538.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: false

Similarity

API ID:
String ID: $g%r$>z$X1(r$X1(r$`5(r
API String ID: 0-2285739851
Opcode ID: ef6d3fa0b667175bf51c0e083956a8a20646a418d8801783c70a347fcf6657d8
Instruction ID: c87ddaa47e1e4ebc24527c3ba702d1f290877808c006a88a5e2429d61a4658eb
Opcode Fuzzy Hash: ef6d3fa0b667175bf51c0e083956a8a20646a418d8801783c70a347fcf6657d8
Instruction Fuzzy Hash: 6B516B34A006059FCB15EF78C854BAEBBF2AF89310F2141A9E515EB3E5DB31AC41EB51

Uniqueness

Uniqueness Score: -1.00%

Function 04B48C88, Relevance: 6.4, Strings: 5, Instructions: 135COMMON

Download Yara Rule

Strings

X1(r, xrefs: 04B48D7D
$g%r, xrefs: 04B48D25
X1(r, xrefs: 04B48DB6
>z, xrefs: 04B48C93
`5(r, xrefs: 04B48D55

Memory Dump Source

Source File: 00000000.00000002.251036538.0000000004B40000.00000040.00000001.sdmp, Offset: 04B40000, based on PE: false

Similarity

API ID:
String ID: $g%r$>z$X1(r$X1(r$`5(r
API String ID: 0-2285739851
Opcode ID: b811ca9669bdd96af0c6ba0a71d14192d1693cf0030a18e3407031237b65fe2a
Instruction ID: b0330699afbd297cf69fc55ac959aa29c0d10867138e4478f94addbd88f764cf
Opcode Fuzzy Hash: b811ca9669bdd96af0c6ba0a71d14192d1693cf0030a18e3407031237b65fe2a
Instruction Fuzzy Hash: 2A514E34A006059FCB14EF68C854BAEBBF2BF88310F2141A9E515AB3E4DB31AC40EB55

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: checklist pdf.exe PID: 4648 Parent PID: 4728 checklist pdf.exeCOMMON

Executed Functions

Function 0526AEF8, Relevance: 2.0, Strings: 1, Instructions: 733COMMON

Download Yara Rule

Strings

r, xrefs: 0526B7EC

Memory Dump Source

Source File: 00000003.00000002.508950288.0000000005260000.00000040.00000001.sdmp, Offset: 05260000, based on PE: false

Similarity

API ID:
String ID: r
API String ID: 0-1812594589
Opcode ID: d06a1e69a0155a477797a177aef5bf85cd2f2fd4fd4c5151bebc4956ead5dda7
Instruction ID: d17c7dc30628e8a7ce8cb23d365af7b600dcae0d05906080bb1d270ce0f37605
Opcode Fuzzy Hash: d06a1e69a0155a477797a177aef5bf85cd2f2fd4fd4c5151bebc4956ead5dda7
Instruction Fuzzy Hash: 14622671A1060ADFCB18CF68C584AAEFBF2FF88310F148569D45AAB651D730E981CF94

Uniqueness

Uniqueness Score: -1.00%

Function 052C23F0, Relevance: 1.6, APIs: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

bind.WS2_32(?,00000E2C,883E0C6F,00000000,00000000,00000000,00000000), ref: 052C24A3

Memory Dump Source

Source File: 00000003.00000002.509275786.00000000052C0000.00000040.00000001.sdmp, Offset: 052C0000, based on PE: false

Similarity

API ID: bind
String ID:
API String ID: 1187836755-0
Opcode ID: 5c74b5497b8f99eb32467f515a2a70dd9e7dfb39043cdfbcda9d5b895e87a3dd
Instruction ID: 69cc7aa55ad320a67a0442aa2989f050d033ecc5fa34307290649bdc1b007f10
Opcode Fuzzy Hash: 5c74b5497b8f99eb32467f515a2a70dd9e7dfb39043cdfbcda9d5b895e87a3dd
Instruction Fuzzy Hash: 60317CB550E3C09FD7238B248C54B56BFB8AF07214F0984EBE984DF1A3D625A809C772

Uniqueness

Uniqueness Score: -1.00%

Function 052C10F3, Relevance: 1.6, APIs: 1, Instructions: 75COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 052C1173

Memory Dump Source

Source File: 00000003.00000002.509275786.00000000052C0000.00000040.00000001.sdmp, Offset: 052C0000, based on PE: false

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: 3aa3509f9a85d42d1dcf552d97cb4d2d641d2e80426aace0590ba85730f706f3
Instruction ID: 218fda11fc765b6cca611fda816c92eaabf81198250c1f9bfb5daf9c72b37e83
Opcode Fuzzy Hash: 3aa3509f9a85d42d1dcf552d97cb4d2d641d2e80426aace0590ba85730f706f3
Instruction Fuzzy Hash: 0E21E2765097849FEB238F25DC41B52BFB4FF06310F0885EAE9898F163D2749918CB62

Uniqueness

Uniqueness Score: -1.00%

Function 052C132F, Relevance: 1.6, APIs: 1, Instructions: 64nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL(?,?,?,?), ref: 052C13A5

Memory Dump Source

Source File: 00000003.00000002.509275786.00000000052C0000.00000040.00000001.sdmp, Offset: 052C0000, based on PE: false

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: f2ba3b8723feb0fc7a5435689fb902e3639409c3209e724f1a1dbefc41ab3bad
Instruction ID: 7b5783e1a82f898b7c64f9f3e608a5083b2d861d4433e5591249bbf61aa27ce7
Opcode Fuzzy Hash: f2ba3b8723feb0fc7a5435689fb902e3639409c3209e724f1a1dbefc41ab3bad
Instruction Fuzzy Hash: 1921AE714097C09FDB238B21DC51A62FFB4EF16214F0981DBE9848B563D265A519CB62

Uniqueness

Uniqueness Score: -1.00%

Function 052C2442, Relevance: 1.6, APIs: 1, Instructions: 62networkCOMMON

Download Yara Rule

APIs

bind.WS2_32(?,00000E2C,883E0C6F,00000000,00000000,00000000,00000000), ref: 052C24A3

Memory Dump Source

Source File: 00000003.00000002.509275786.00000000052C0000.00000040.00000001.sdmp, Offset: 052C0000, based on PE: false

Similarity

API ID: bind
String ID:
API String ID: 1187836755-0
Opcode ID: 1c7c5b0b3e83c076d84c4efc172c2796d937a706efc7a5f81d98bb7c487c86e7
Instruction ID: 728740bcb7393fa9febc220d07c2e0981142e0d8b51b4483e7e5e8f43371078c
Opcode Fuzzy Hash: 1c7c5b0b3e83c076d84c4efc172c2796d937a706efc7a5f81d98bb7c487c86e7
Instruction Fuzzy Hash: C01182B5514204AFE720DF55DC84FAAFBACEF44710F1485EAEE499B242DB74A404CA71

Uniqueness

Uniqueness Score: -1.00%

Function 052C112A, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 052C1173

Memory Dump Source

Source File: 00000003.00000002.509275786.00000000052C0000.00000040.00000001.sdmp, Offset: 052C0000, based on PE: false

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: 3a04510073ad3a7fa88e9bd12353ec5c135c090b728849b60a283093af2afbe9
Instruction ID: 56930f133019e555247ad94a55bd7964e6c46ed773d32a7f72322bf09f2f24ea
Opcode Fuzzy Hash: 3a04510073ad3a7fa88e9bd12353ec5c135c090b728849b60a283093af2afbe9
Instruction Fuzzy Hash: 50119E759106059FDB20CF55D885B66FFE4EF04220F08C5AEED498B653D2B5E414CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0136AF9A, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,00000E2C,?,?), ref: 0136AFEA

Memory Dump Source

Source File: 00000003.00000002.503338061.000000000136A000.00000040.00000001.sdmp, Offset: 0136A000, based on PE: false

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 96f5b5d8bdb1cf2f978037c72c8474077f26e348acc73ec7b8b24b8afdb69241
Instruction ID: d0ea48f07242b932a34365fac51a87af5ed5abd9642d738eb81c6849633edb24
Opcode Fuzzy Hash: 96f5b5d8bdb1cf2f978037c72c8474077f26e348acc73ec7b8b24b8afdb69241
Instruction Fuzzy Hash: 5A018671500600ABD710DF1ADC86B26FBE8FF88B20F14815AED085B745E675F515CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 052C0DB6, Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNELBASE(?), ref: 052C0DE8

Memory Dump Source

Source File: 00000003.00000002.509275786.00000000052C0000.00000040.00000001.sdmp, Offset: 052C0000, based on PE: false

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: b934cf4ff89f75d3b5ad49819fbccb9b4b1afbb83f7673f9a3f9bff9faf27cad
Instruction ID: 352404f4922cc1a97a7ec470fbf4debab1403bfd21716eb01d98c6a796d96b73
Opcode Fuzzy Hash: b934cf4ff89f75d3b5ad49819fbccb9b4b1afbb83f7673f9a3f9bff9faf27cad
Instruction Fuzzy Hash: 9201D175824244CFDB10CF15E988B69FFA4EF45320F18C0EADD498F247D2B4A414CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 052C136A, Relevance: 1.5, APIs: 1, Instructions: 38nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL(?,?,?,?), ref: 052C13A5

Memory Dump Source

Source File: 00000003.00000002.509275786.00000000052C0000.00000040.00000001.sdmp, Offset: 052C0000, based on PE: false

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: d5c32b7af7ad9a4aaffc875a641c3d4560f745c27a8ef5bd5f16fdf9b67c39c3
Instruction ID: 27b60f18d835c6a32179caa90b18c239bd45a02cbe54b87ffcdcebf9760bb1bf
Opcode Fuzzy Hash: d5c32b7af7ad9a4aaffc875a641c3d4560f745c27a8ef5bd5f16fdf9b67c39c3
Instruction Fuzzy Hash: A701DB31820600CFDB20CF05D885B29FFA4FF08320F08C19EED890BA12D2B1A028CB62

Uniqueness

Uniqueness Score: -1.00%

Function 05268468, Relevance: .5, Instructions: 505COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.508950288.0000000005260000.00000040.00000001.sdmp, Offset: 05260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e77014d2ebd274aa4484b7c6fd32bdc679f065ebd46bc36bffde0c5bbe79b132
Instruction ID: 8a251fa518ffad921d08bbee52db5c0681d6d099a786aac9dbd510233f7b244a
Opcode Fuzzy Hash: e77014d2ebd274aa4484b7c6fd32bdc679f065ebd46bc36bffde0c5bbe79b132
Instruction Fuzzy Hash: 6112AC70A24216DFCB28CF69D5846ADBBF2FF88304F148569D416DB290DBB5D981CF90

Uniqueness

Uniqueness Score: -1.00%

Function 052623A0, Relevance: .5, Instructions: 505COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.508950288.0000000005260000.00000040.00000001.sdmp, Offset: 05260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10166afbfc17fdf307fd22f5734a1bdee2ffaecc698ce7b03c7d4b3402dd6550
Instruction ID: 53e6069c2168f1b5271e6540de26f2dd38e453923c3b278c97215f8d61950e43
Opcode Fuzzy Hash: 10166afbfc17fdf307fd22f5734a1bdee2ffaecc698ce7b03c7d4b3402dd6550
Instruction Fuzzy Hash: 4B12BC38A24216CFCB34CF28D584A6DBBF2FF88314F658129D45AAB254DBB58C85DF50

Uniqueness

Uniqueness Score: -1.00%

Function 05269068, Relevance: .2, Instructions: 239COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.508950288.0000000005260000.00000040.00000001.sdmp, Offset: 05260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f7f340b0368e909730b8039229f1e89b67b9c712c81424fcb0725eb5f1587e9
Instruction ID: 17bf7f002aa1a54abaf49e549e8362816d355918180bf2e136c6863e0cb9b322
Opcode Fuzzy Hash: 8f7f340b0368e909730b8039229f1e89b67b9c712c81424fcb0725eb5f1587e9
Instruction Fuzzy Hash: 8B817E72F151159FCB14DB69D884A6EBBF3AFC8310F2A8075E40AEB355DE719C818B90

Uniqueness

Uniqueness Score: -1.00%

Function 05262FA8, Relevance: .2, Instructions: 239COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.508950288.0000000005260000.00000040.00000001.sdmp, Offset: 05260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 356ffb2ed8c7d9c9592f09ac332c7a2352f7f889ccd23b46f346b9eeadb2c513
Instruction ID: 33937a59c508387aba16a8b5c1550bb2913a65f847016832a76456bc87e1d189
Opcode Fuzzy Hash: 356ffb2ed8c7d9c9592f09ac332c7a2352f7f889ccd23b46f346b9eeadb2c513
Instruction Fuzzy Hash: C8818D72F10115ABDB14DB69D884AAEBBF3AFC8310F2A8474D40AEB355DE719C418B90

Uniqueness

Uniqueness Score: -1.00%

Function 052609A0, Relevance: 5.2, Strings: 4, Instructions: 176COMMON

Download Yara Rule

Strings

X1(r, xrefs: 05260A98
X1(r, xrefs: 05260A50
X1(r, xrefs: 05260A5A
X1(r, xrefs: 05260AA2

Memory Dump Source

Source File: 00000003.00000002.508950288.0000000005260000.00000040.00000001.sdmp, Offset: 05260000, based on PE: false

Similarity

API ID:
String ID: X1(r$X1(r$X1(r$X1(r
API String ID: 0-1974604117
Opcode ID: cb0633f3dba00256fc39d27ce89ddec943dd081b420a23a6f565945027c85f51
Instruction ID: 6feec484581b51b4331f3586b64eed84dc63b44dc49fd2371667e987c8619416
Opcode Fuzzy Hash: cb0633f3dba00256fc39d27ce89ddec943dd081b420a23a6f565945027c85f51
Instruction Fuzzy Hash: EE51F531B24156EFCB24DBA8D858ABEB7B6FF84308F20C469D5169B254CB709C42DB90

Uniqueness

Uniqueness Score: -1.00%

Function 05265AA1, Relevance: 2.5, Strings: 2, Instructions: 29COMMON

Download Yara Rule

Strings

l&r, xrefs: 05265ABE
-Syq^, xrefs: 05265ACA, 05265ACF

Memory Dump Source

Source File: 00000003.00000002.508950288.0000000005260000.00000040.00000001.sdmp, Offset: 05260000, based on PE: false

Similarity

API ID:
String ID: l&r$-Syq^
API String ID: 0-2335152393
Opcode ID: f204c077cc36a9c2efc1909b3d84f227959b286a47c5a17f7d4cf5ec03dbcd62
Instruction ID: bdae067a95642c29c251e3dfb2f9101a61d83e5b2a4628e31eb80f4e541e08dc
Opcode Fuzzy Hash: f204c077cc36a9c2efc1909b3d84f227959b286a47c5a17f7d4cf5ec03dbcd62
Instruction Fuzzy Hash: 40E0D825BC53901FDB2317BC28201BE3F695E932613554AEAD046DB756CD098C0783D1

Uniqueness

Uniqueness Score: -1.00%

Function 05265AB0, Relevance: 2.5, Strings: 2, Instructions: 20COMMON

Download Yara Rule

Strings

l&r, xrefs: 05265ABE
-Syq^, xrefs: 05265ACA, 05265ACF

Memory Dump Source

Source File: 00000003.00000002.508950288.0000000005260000.00000040.00000001.sdmp, Offset: 05260000, based on PE: false

Similarity

API ID:
String ID: l&r$-Syq^
API String ID: 0-2335152393
Opcode ID: 44c5fdd52d9ba32a216df84469943d4bfa09629d72b9676973499f2b8fc2bcf0
Instruction ID: d9a20bcb7cec84057c1d5dcd94c568f1e4bbbe7ca995c8e23015e4e033c6e33f
Opcode Fuzzy Hash: 44c5fdd52d9ba32a216df84469943d4bfa09629d72b9676973499f2b8fc2bcf0
Instruction Fuzzy Hash: 86D0A759B8122527A925797E681063F374E6FC0A623414858E50ADA344DD15CC4143E5

Uniqueness

Uniqueness Score: -1.00%

Function 052612A0, Relevance: 1.7, Strings: 1, Instructions: 460COMMON

Download Yara Rule

Strings

$g%r, xrefs: 05261349

Memory Dump Source

Source File: 00000003.00000002.508950288.0000000005260000.00000040.00000001.sdmp, Offset: 05260000, based on PE: false

Similarity

API ID:
String ID: $g%r
API String ID: 0-359987751
Opcode ID: 7885c2ac460a62e1e2c386557d25577b72afdd07f9f0952d90187d9a31d0dab8
Instruction ID: 87828224f0f7e1d197733362cd2d8ce9cfadbd878d64458908b7b22724176f97
Opcode Fuzzy Hash: 7885c2ac460a62e1e2c386557d25577b72afdd07f9f0952d90187d9a31d0dab8
Instruction Fuzzy Hash: E122E234A10605CFC724DF28D584A6ABBF2FF88300B1085A9D85A9BB65DB79FD95CF40

Uniqueness

Uniqueness Score: -1.00%

Function 052C14B0, Relevance: 1.6, APIs: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

DnsQuery_A.DNSAPI(?,00000E2C,?,?), ref: 052C156E

Memory Dump Source

Source File: 00000003.00000002.509275786.00000000052C0000.00000040.00000001.sdmp, Offset: 052C0000, based on PE: false

Similarity

API ID: Query_
String ID:
API String ID: 428220571-0
Opcode ID: 0937255de8077eeabe008aa008a855acfdebb68f126dd177c33640f968ffeb34
Instruction ID: f7e1c5fe6b9830bbdbad1853f000d3c7e5e8b291d5360127b49db08eaec9108f
Opcode Fuzzy Hash: 0937255de8077eeabe008aa008a855acfdebb68f126dd177c33640f968ffeb34
Instruction Fuzzy Hash: 16316B6500E3C06FD3138B258C61B61BFB5EF47610F0E85CBE8C49B5A3D525A91AD7B2

Uniqueness

Uniqueness Score: -1.00%

Function 052C0390, Relevance: 1.6, APIs: 1, Instructions: 93registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.KERNELBASE(?,00000E2C), ref: 052C045E

Memory Dump Source

Source File: 00000003.00000002.509275786.00000000052C0000.00000040.00000001.sdmp, Offset: 052C0000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: c589a001154fd5d97dec6a38f11d22306d0d12dab6b0250d1d4620f3d5f7cd2d
Instruction ID: f726758ff05d7afc1d76c9d8481527ee45487fe243f0252974099794464a7bc4
Opcode Fuzzy Hash: c589a001154fd5d97dec6a38f11d22306d0d12dab6b0250d1d4620f3d5f7cd2d
Instruction Fuzzy Hash: 4B31C4B1404744AFE7228F25CC41FA6FFB8EF05710F04859EFA859B192D365A949CB71

Uniqueness

Uniqueness Score: -1.00%

Function 0136AA02, Relevance: 1.6, APIs: 1, Instructions: 92registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,00000E2C), ref: 0136AAB1

Memory Dump Source

Source File: 00000003.00000002.503338061.000000000136A000.00000040.00000001.sdmp, Offset: 0136A000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: b47d5187e02cbd8acde5129c0bd3162af9171e94b8e26e71922cafafd8ba1de3
Instruction ID: a76e0882c545c8ed242e910d6a889a95112ea764582e3b4e622f970848d1d0cb
Opcode Fuzzy Hash: b47d5187e02cbd8acde5129c0bd3162af9171e94b8e26e71922cafafd8ba1de3
Instruction Fuzzy Hash: D831A2B25043846FE7228B65CC85FABBFECEF05710F08859AED819B152D664E909CB71

Uniqueness

Uniqueness Score: -1.00%

Function 052C07F4, Relevance: 1.6, APIs: 1, Instructions: 92fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 052C0899

Memory Dump Source

Source File: 00000003.00000002.509275786.00000000052C0000.00000040.00000001.sdmp, Offset: 052C0000, based on PE: false

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 742108c5a69ee86b0f4011bb9e4efe74eb35479160b859dae3cd73b91799acf6
Instruction ID: ba421fad0e6cb8fc66b7f9773b29db9ae8674e7257b09f8a9347bc2da4267895
Opcode Fuzzy Hash: 742108c5a69ee86b0f4011bb9e4efe74eb35479160b859dae3cd73b91799acf6
Instruction Fuzzy Hash: 8931AFB1504780AFE722CF65DC44F66BFE8EF05210F0885AEE9858B252D375E409CB71

Uniqueness

Uniqueness Score: -1.00%

Function 052C26D7, Relevance: 1.6, APIs: 1, Instructions: 90windowCOMMON

Download Yara Rule

APIs

FormatMessageW.KERNELBASE(?,00000E2C,?,?), ref: 052C2792

Memory Dump Source

Source File: 00000003.00000002.509275786.00000000052C0000.00000040.00000001.sdmp, Offset: 052C0000, based on PE: false

Similarity

API ID: FormatMessage
String ID:
API String ID: 1306739567-0
Opcode ID: 68eea72205dde749a1d0f28f37c9b02f1ce4b95ca48e17709158f73c7cdda01d
Instruction ID: 10291920f4310642aae076b979a27137a0c82e248bd497fc76e0a0c9e1a1aeb1
Opcode Fuzzy Hash: 68eea72205dde749a1d0f28f37c9b02f1ce4b95ca48e17709158f73c7cdda01d
Instruction Fuzzy Hash: D0318F7250D7C05FD7038B258C61A56BFB4EF47610F1A80DBD8848F1A3E6246909C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 0136AAF9, Relevance: 1.6, APIs: 1, Instructions: 89registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,883E0C6F,00000000,00000000,00000000,00000000), ref: 0136ABB4

Memory Dump Source

Source File: 00000003.00000002.503338061.000000000136A000.00000040.00000001.sdmp, Offset: 0136A000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: f169848fce0f2cd304ba4b2ec87a525e26632e60ca5cc7e2d537712544376178
Instruction ID: 3f5a14a677dc6f37becc1eda90897359587d504b4049703ec71123983d6bc87f
Opcode Fuzzy Hash: f169848fce0f2cd304ba4b2ec87a525e26632e60ca5cc7e2d537712544376178
Instruction Fuzzy Hash: B331C2725093846FE722CB65CC84F92BFBCEF06310F08889AE985DB153D264E448CB61

Uniqueness

Uniqueness Score: -1.00%

Function 052C2178, Relevance: 1.6, APIs: 1, Instructions: 89timeCOMMON

Download Yara Rule

APIs

GetProcessTimes.KERNELBASE(?,00000E2C,883E0C6F,00000000,00000000,00000000,00000000), ref: 052C2215

Memory Dump Source

Source File: 00000003.00000002.509275786.00000000052C0000.00000040.00000001.sdmp, Offset: 052C0000, based on PE: false

Similarity

API ID: ProcessTimes
String ID:
API String ID: 1995159646-0
Opcode ID: 2bc152273191ec950a04ccb9b43aa7f7cfc63a91fd51a7c60aed4c28a543797c
Instruction ID: fceb96c1ef817032158fa87c1e6292bd6d31cb52ba5a7b01ad50c8796206320b
Opcode Fuzzy Hash: 2bc152273191ec950a04ccb9b43aa7f7cfc63a91fd51a7c60aed4c28a543797c
Instruction Fuzzy Hash: C431F576409780AFEB128F64DC45FA6BFB8EF06310F0885EAE9859B153C224A405CB71

Uniqueness

Uniqueness Score: -1.00%

Function 052C00F6, Relevance: 1.6, APIs: 1, Instructions: 89synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNELBASE(?,?), ref: 052C019D

Memory Dump Source

Source File: 00000003.00000002.509275786.00000000052C0000.00000040.00000001.sdmp, Offset: 052C0000, based on PE: false

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: a364655c5df07e06a96f1a092099c81f44559b7ac2916b4082a920745cef2937
Instruction ID: 9ac029a5d68923a9753ec11110fecd4691ffa137d00975a99319f7bfb3c4ff3a
Opcode Fuzzy Hash: a364655c5df07e06a96f1a092099c81f44559b7ac2916b4082a920745cef2937
Instruction Fuzzy Hash: A5318F71509780AFE712CB65DC84F5AFFF8EF06210F0885AAE9848B293D364A909C761

Uniqueness

Uniqueness Score: -1.00%

Function 0136AF50, Relevance: 1.6, APIs: 1, Instructions: 87COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,00000E2C,?,?), ref: 0136AFEA

Memory Dump Source

Source File: 00000003.00000002.503338061.000000000136A000.00000040.00000001.sdmp, Offset: 0136A000, based on PE: false

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: f81b1d9acf3678d6fb861a1f06f4a14164dbbce0cd49c49b67fe747d1b69526e
Instruction ID: 70f17d72ebc34f3941856579ef1bc30dd7ff3e414050763d3e6d705e493591bb
Opcode Fuzzy Hash: f81b1d9acf3678d6fb861a1f06f4a14164dbbce0cd49c49b67fe747d1b69526e
Instruction Fuzzy Hash: ED31827140E3C06FD3138B259C55B25BFB8EF47610F0A81DBE884DF5A3D228A919C762

Uniqueness

Uniqueness Score: -1.00%

Function 052C1D0C, Relevance: 1.6, APIs: 1, Instructions: 87fileCOMMON

Download Yara Rule

APIs

MapViewOfFile.KERNELBASE ref: 052C1DBE

Memory Dump Source

Source File: 00000003.00000002.509275786.00000000052C0000.00000040.00000001.sdmp, Offset: 052C0000, based on PE: false

Similarity

API ID: FileView
String ID:
API String ID: 3314676101-0
Opcode ID: bcae130ff736da660b724d6a470aa67b52ea1993c378a268659684b9a6698160
Instruction ID: af1951087de5e6edee585fbb4bc88b9e4bdbef745f73728b34483d5b590adfe6
Opcode Fuzzy Hash: bcae130ff736da660b724d6a470aa67b52ea1993c378a268659684b9a6698160
Instruction Fuzzy Hash: 5A31B3B2404784AFE722CB59DC85F56FFF8EF06320F04859AE9849B252D365A509CB61

Uniqueness

Uniqueness Score: -1.00%

Function 052C04AB, Relevance: 1.6, APIs: 1, Instructions: 86registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,883E0C6F,00000000,00000000,00000000,00000000), ref: 052C055C

Memory Dump Source

Source File: 00000003.00000002.509275786.00000000052C0000.00000040.00000001.sdmp, Offset: 052C0000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 0a68fa806d27eed1d48f665cee33b3437a71f5412c71061d3d63d9312be0c4b8
Instruction ID: 4aafaa1c1040666944fd68edbfda905e3a7ff5eda8264e7b2ed5e9aa9fca528d
Opcode Fuzzy Hash: 0a68fa806d27eed1d48f665cee33b3437a71f5412c71061d3d63d9312be0c4b8
Instruction Fuzzy Hash: D531A071509780AFD722CB65DC84F96BFB8EF06210F0885DAE9859B1A3D224A809CB71

Uniqueness

Uniqueness Score: -1.00%

Function 0136A120, Relevance: 1.6, APIs: 1, Instructions: 85networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(?,00000E2C,?,?), ref: 0136A1C2

Memory Dump Source

Source File: 00000003.00000002.503338061.000000000136A000.00000040.00000001.sdmp, Offset: 0136A000, based on PE: false

Similarity

API ID: Startup
String ID:
API String ID: 724789610-0
Opcode ID: c796f8faef04ba10e79ed7e0cf86fc5163d20af6f8fcea1af95ce7baa7fcab91
Instruction ID: e45fc3c7e7a37b5810c6412c723302fe022aa0e460e8aca44d68fc663e5db9f5
Opcode Fuzzy Hash: c796f8faef04ba10e79ed7e0cf86fc5163d20af6f8fcea1af95ce7baa7fcab91
Instruction Fuzzy Hash: 6531D07140D3C05FD7138B768C55AA6BFB4EF47620F0985DBD8848F293D229A819CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 052C02AB, Relevance: 1.6, APIs: 1, Instructions: 79registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNELBASE(?,00000E2C), ref: 052C0353

Memory Dump Source

Source File: 00000003.00000002.509275786.00000000052C0000.00000040.00000001.sdmp, Offset: 052C0000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: c22282a11d117b60760d35c5ca0e6c8ea1d56b2e249ae016399518d7bb113ab1
Instruction ID: 36a965d071a13b6557db88fd5104cbcc639b0846ad1b96e4f5fa9bf7aaf9c169
Opcode Fuzzy Hash: c22282a11d117b60760d35c5ca0e6c8ea1d56b2e249ae016399518d7bb113ab1
Instruction Fuzzy Hash: 9B21A375409780AFE7228B20DC45FA6BFB8EF06310F1885DAF9849B193D265A909CB75

Uniqueness

Uniqueness Score: -1.00%

Function 052C1C2A, Relevance: 1.6, APIs: 1, Instructions: 78COMMON

Download Yara Rule

APIs

OpenFileMappingW.KERNELBASE(?,?), ref: 052C1CB5

Memory Dump Source

Source File: 00000003.00000002.509275786.00000000052C0000.00000040.00000001.sdmp, Offset: 052C0000, based on PE: false

Similarity

API ID: FileMappingOpen
String ID:
API String ID: 1680863896-0
Opcode ID: fc459af8b09ee39a958e6c55aa72b1f74699c6c41f98f7bdf5635953d7dfb4b9
Instruction ID: 614ea36206124f83afb6d6a2e84f6294b62d1c5fd4a7625a7a056640cdca330a
Opcode Fuzzy Hash: fc459af8b09ee39a958e6c55aa72b1f74699c6c41f98f7bdf5635953d7dfb4b9
Instruction Fuzzy Hash: BA219FB1509780AFE722CB65DC45F66FFE8EF05210F0884AEE9859B252D375E508CB61

Uniqueness

Uniqueness Score: -1.00%

Function 052C08F0, Relevance: 1.6, APIs: 1, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E2C,883E0C6F,00000000,00000000,00000000,00000000), ref: 052C0985

Memory Dump Source

Source File: 00000003.00000002.509275786.00000000052C0000.00000040.00000001.sdmp, Offset: 052C0000, based on PE: false

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: e34a064e2667c7f4e1f8c4df04e5f02f56cecc68bf4cdf3c261f2c31636cfe23
Instruction ID: 155f62f06c17112aa4150caf0ece4dafd390cc2bfb6636cf3875d2ea564c50fa
Opcode Fuzzy Hash: e34a064e2667c7f4e1f8c4df04e5f02f56cecc68bf4cdf3c261f2c31636cfe23
Instruction Fuzzy Hash: E521F8B58087846FE7128B259C84BA6BFBCEF46720F0881DAE9849F153D224A909C771

Uniqueness

Uniqueness Score: -1.00%

Function 052C159A, Relevance: 1.6, APIs: 1, Instructions: 77networkCOMMON

Download Yara Rule

APIs

WSASocketW.WS2_32(?,?,?,?,?), ref: 052C1626

Memory Dump Source

Source File: 00000003.00000002.509275786.00000000052C0000.00000040.00000001.sdmp, Offset: 052C0000, based on PE: false

Similarity

API ID: Socket
String ID:
API String ID: 38366605-0
Opcode ID: 7a33105f9cbe10f7a2a16920bc8fde712a2eb9c9346296aa3106073fdc836982
Instruction ID: e3fd96a3f0467afcfb60a5efbea5b50e0cb3dbd6f2c86d60338c8786921505fa
Opcode Fuzzy Hash: 7a33105f9cbe10f7a2a16920bc8fde712a2eb9c9346296aa3106073fdc836982
Instruction Fuzzy Hash: 0C21AD71405780AFE722CF65DC45F66FFF8EF05210F0885AEE9849B252D375A418CB61

Uniqueness

Uniqueness Score: -1.00%

Function 052C081A, Relevance: 1.6, APIs: 1, Instructions: 76fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 052C0899

Memory Dump Source

Source File: 00000003.00000002.509275786.00000000052C0000.00000040.00000001.sdmp, Offset: 052C0000, based on PE: false

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 0df545026042bac9233c6d388c9b61745d8e4b62b9899ca411779f8a636c383d
Instruction ID: a5573d3a6300ac94e1c5c567e484ca216af29de264e1a194425dcba08d670adc
Opcode Fuzzy Hash: 0df545026042bac9233c6d388c9b61745d8e4b62b9899ca411779f8a636c383d
Instruction Fuzzy Hash: EF219F75514640AFEB21DF65DC44B6AFFE8FF04310F1485ADE9898B242D371E404CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 052C03CA, Relevance: 1.6, APIs: 1, Instructions: 75registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.KERNELBASE(?,00000E2C), ref: 052C045E

Memory Dump Source

Source File: 00000003.00000002.509275786.00000000052C0000.00000040.00000001.sdmp, Offset: 052C0000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 45e46e696f2767046772a904cbd005166628e5b723b3d50ef9db3cbc32c6179e
Instruction ID: 49741923fa2293f61e18ab3b0847377d75af09ced9edd2906cd9114c97e400f8
Opcode Fuzzy Hash: 45e46e696f2767046772a904cbd005166628e5b723b3d50ef9db3cbc32c6179e
Instruction Fuzzy Hash: 7821F571510204AEEB31CF55DC85FABFBACEF04710F10859EFA459A181D6B4A409CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 052C09C0, Relevance: 1.6, APIs: 1, Instructions: 75COMMON

Download Yara Rule

APIs

setsockopt.WS2_32(?,00000E2C,883E0C6F,00000000,00000000,00000000,00000000), ref: 052C0A51

Memory Dump Source

Source File: 00000003.00000002.509275786.00000000052C0000.00000040.00000001.sdmp, Offset: 052C0000, based on PE: false

Similarity

API ID: setsockopt
String ID:
API String ID: 3981526788-0
Opcode ID: 9522779a8707ec2e25f73b9cc006eca4a3db2947b2b19b4ffc871d3c17227fb3
Instruction ID: 0a43c9c20a2b0bdffdc56a67c71860c88d2c1499c66c8ece49bf5eb173c94df8
Opcode Fuzzy Hash: 9522779a8707ec2e25f73b9cc006eca4a3db2947b2b19b4ffc871d3c17227fb3
Instruction Fuzzy Hash: 95219271409380AFDB228F65DC84F56BFB8EF06314F0885DBEA849F153C264A409CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0136AA32, Relevance: 1.6, APIs: 1, Instructions: 74registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,00000E2C), ref: 0136AAB1

Memory Dump Source

Source File: 00000003.00000002.503338061.000000000136A000.00000040.00000001.sdmp, Offset: 0136A000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 12d1027f2eb5b8209f9466be49f3b9644a9f43247b3a8e26253e4c2d51c529ef
Instruction ID: f4c1b7df42a927b2c78a1248d9a382e7911042cb0d1b41dff4c9896c7d76fe86
Opcode Fuzzy Hash: 12d1027f2eb5b8209f9466be49f3b9644a9f43247b3a8e26253e4c2d51c529ef
Instruction Fuzzy Hash: 8A21D1B2500204AEF7219F59DD84FABFBECEF04310F14C55AEE419B241D670E5088BB1

Uniqueness

Uniqueness Score: -1.00%

Function 052C012A, Relevance: 1.6, APIs: 1, Instructions: 72synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNELBASE(?,?), ref: 052C019D

Memory Dump Source

Source File: 00000003.00000002.509275786.00000000052C0000.00000040.00000001.sdmp, Offset: 052C0000, based on PE: false

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: cc12de025653b0f31ae3b5272180dc4908f94a34930511606567e3b1e3a61b1b
Instruction ID: 5ff6aee8dd8eb509b396feec841ad8562960d11cfc95bb21b250f903a37ae331
Opcode Fuzzy Hash: cc12de025653b0f31ae3b5272180dc4908f94a34930511606567e3b1e3a61b1b
Instruction Fuzzy Hash: BF218EB1514240AFE720DF69DC89B6AFFE8EF04310F1485AEE9499B242D7B0E504CA65

Uniqueness

Uniqueness Score: -1.00%

Function 052C0723, Relevance: 1.6, APIs: 1, Instructions: 71COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,?), ref: 052C079F

Memory Dump Source

Source File: 00000003.00000002.509275786.00000000052C0000.00000040.00000001.sdmp, Offset: 052C0000, based on PE: false

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: 2f0462fc14b02b9007b3024db68df9511b96fb8bc2560f62e920a2df5aee2633
Instruction ID: 9dab80a6ae0ec26f2b660b05ed05ed4c244b3b1466ccb9eeeecaec3f12f3a977
Opcode Fuzzy Hash: 2f0462fc14b02b9007b3024db68df9511b96fb8bc2560f62e920a2df5aee2633
Instruction Fuzzy Hash: 9F21B0725093819FD712CB25DC88B56BFE8EF06210F0980EAE889DF153E224E908CB61

Uniqueness

Uniqueness Score: -1.00%

Function 052C0CB6, Relevance: 1.6, APIs: 1, Instructions: 70fileCOMMON

Download Yara Rule

APIs

DeleteFileA.KERNELBASE(?,00000E2C), ref: 052C0D3F

Memory Dump Source

Source File: 00000003.00000002.509275786.00000000052C0000.00000040.00000001.sdmp, Offset: 052C0000, based on PE: false

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: ff3bdb98d27f6dc6c7fb818d851074add6128c94c88f2e5038c5f17faf5cd7de
Instruction ID: b557709bb98ae36e25ca855cda1a11bcc8ee86bed3a777efe498338b76fccd3a
Opcode Fuzzy Hash: ff3bdb98d27f6dc6c7fb818d851074add6128c94c88f2e5038c5f17faf5cd7de
Instruction Fuzzy Hash: FA21D271505740AFE7218B29DC85FA6BFA8EF05720F18809EFE449B192D3A4B948CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0136AB3A, Relevance: 1.6, APIs: 1, Instructions: 69registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,883E0C6F,00000000,00000000,00000000,00000000), ref: 0136ABB4

Memory Dump Source

Source File: 00000003.00000002.503338061.000000000136A000.00000040.00000001.sdmp, Offset: 0136A000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: e1389973ee22788c9ebf172db5bb9da3bf64ea30c74d62aeb205621d9850603c
Instruction ID: b53ef5e9ed89e5481e93212ccc409834bf0eb8bde4eb2a6073573bee6579f129
Opcode Fuzzy Hash: e1389973ee22788c9ebf172db5bb9da3bf64ea30c74d62aeb205621d9850603c
Instruction Fuzzy Hash: 09218EB1504604AFE721CE69DC84F66FBECEF04710F04C86AEA459B255D760E408CA71

Uniqueness

Uniqueness Score: -1.00%

Function 052C1C4A, Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

OpenFileMappingW.KERNELBASE(?,?), ref: 052C1CB5

Memory Dump Source

Source File: 00000003.00000002.509275786.00000000052C0000.00000040.00000001.sdmp, Offset: 052C0000, based on PE: false

Similarity

API ID: FileMappingOpen
String ID:
API String ID: 1680863896-0
Opcode ID: 9fcfaf5678ce2f1cb343781c2a25068f86149038aafda2e6c69bee47a206225d
Instruction ID: dc2d81f735a84039ad7548190e4c2e4de8ce9f97a80355438bd2c56a7277b2a2
Opcode Fuzzy Hash: 9fcfaf5678ce2f1cb343781c2a25068f86149038aafda2e6c69bee47a206225d
Instruction Fuzzy Hash: F621F0B1510240AFE721DF29DC85B6AFFE8EF04320F1480AEED498B242D371E504CA72

Uniqueness

Uniqueness Score: -1.00%

Function 052C11C0, Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 052C122C

Memory Dump Source

Source File: 00000003.00000002.509275786.00000000052C0000.00000040.00000001.sdmp, Offset: 052C0000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 3ce8da789fa9a1c2565b1a9c57960e7816fdc0ccd6cf907db6eeafa4a5cef5dd
Instruction ID: 42ae623991bb853eba149a9950c113184e5a595034a545df442224d03b82a8fd
Opcode Fuzzy Hash: 3ce8da789fa9a1c2565b1a9c57960e7816fdc0ccd6cf907db6eeafa4a5cef5dd
Instruction Fuzzy Hash: 8721C37650D3C05FDB128B25DC55A92BFB4AF07724F0980DAECC58F663D2749908CB62

Uniqueness

Uniqueness Score: -1.00%

Function 052C1275, Relevance: 1.6, APIs: 1, Instructions: 67COMMON

Download Yara Rule

APIs

K32EnumProcesses.KERNEL32(?,?,?,883E0C6F,00000000,?,?,?,?,?,?,?,?,72B13C38), ref: 052C12E6

Memory Dump Source

Source File: 00000003.00000002.509275786.00000000052C0000.00000040.00000001.sdmp, Offset: 052C0000, based on PE: false

Similarity

API ID: EnumProcesses
String ID:
API String ID: 84517404-0
Opcode ID: 9227c2d201ea32c1f062c629d8f8a6aabd75ba401ebd4cfd77c5736f1c762cdc
Instruction ID: 1fe8c7b442e6533ef48f28dba8a2a866f89fe293f4a7b55c04f88caf0c4a0f18
Opcode Fuzzy Hash: 9227c2d201ea32c1f062c629d8f8a6aabd75ba401ebd4cfd77c5736f1c762cdc
Instruction Fuzzy Hash: 79218E715093849FD712CF25DC85B96BFF8EF06220F0984EAE989CF163D264A918CB61

Uniqueness

Uniqueness Score: -1.00%

Function 052C1D4A, Relevance: 1.6, APIs: 1, Instructions: 67fileCOMMON

Download Yara Rule

APIs

MapViewOfFile.KERNELBASE ref: 052C1DBE

Memory Dump Source

Source File: 00000003.00000002.509275786.00000000052C0000.00000040.00000001.sdmp, Offset: 052C0000, based on PE: false

Similarity

API ID: FileView
String ID:
API String ID: 3314676101-0
Opcode ID: c88b29c72a5fdabba413c1baed4f0cf8b15be34838712f4f9630f8515b5d8e71
Instruction ID: 946806b9937c63c9840cf9fd8c56ac5005f755c8e8251db6bc64c537ff044d9e
Opcode Fuzzy Hash: c88b29c72a5fdabba413c1baed4f0cf8b15be34838712f4f9630f8515b5d8e71
Instruction Fuzzy Hash: E621D171410604AFE721CF59DC85FAAFFE8EF08310F04859DE9859B242D771A518CB61

Uniqueness

Uniqueness Score: -1.00%

Function 052C15BA, Relevance: 1.6, APIs: 1, Instructions: 67networkCOMMON

Download Yara Rule

APIs

WSASocketW.WS2_32(?,?,?,?,?), ref: 052C1626

Memory Dump Source

Source File: 00000003.00000002.509275786.00000000052C0000.00000040.00000001.sdmp, Offset: 052C0000, based on PE: false

Similarity

API ID: Socket
String ID:
API String ID: 38366605-0
Opcode ID: 75d1cd8335fc0aad470179fcfddec7a23f25ae4ab2dae864f2ef22160024f269
Instruction ID: b9bb0dbadc4b1d7e68cadad3c2cce4858098b5c485e5da8b0939289b310b17e3
Opcode Fuzzy Hash: 75d1cd8335fc0aad470179fcfddec7a23f25ae4ab2dae864f2ef22160024f269
Instruction Fuzzy Hash: 0421DE71510600AFEB21DF65DC85F6AFFE8EF08310F1885AEE9859B242D371A414CB61

Uniqueness

Uniqueness Score: -1.00%

Function 052C01F4, Relevance: 1.6, APIs: 1, Instructions: 67COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 052C0264

Memory Dump Source

Source File: 00000003.00000002.509275786.00000000052C0000.00000040.00000001.sdmp, Offset: 052C0000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: c8f35d127a27adc8b9506d275faffedcef0aed30eddd7208c6229f3db35a57e9
Instruction ID: c2cd4d67e189c8aff2e3be552d242849e1e38799c7ef48c8c258cb99c96114ca
Opcode Fuzzy Hash: c8f35d127a27adc8b9506d275faffedcef0aed30eddd7208c6229f3db35a57e9
Instruction Fuzzy Hash: 5F21D7728097849FD712CB54DC89B55BFA8FF06220F0981DEEC859B553D234A804C762

Uniqueness

Uniqueness Score: -1.00%

Function 052C04EA, Relevance: 1.6, APIs: 1, Instructions: 65registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,883E0C6F,00000000,00000000,00000000,00000000), ref: 052C055C

Memory Dump Source

Source File: 00000003.00000002.509275786.00000000052C0000.00000040.00000001.sdmp, Offset: 052C0000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 2513b7fc4514eec1a4a29cc7417336eba1b3d18fbe18577bf473d45ce243e6e9
Instruction ID: 87dfa3aa952a6c359a5e2382d04c6da94a14b1ccbfedbf27b73f2e56f01f73f9
Opcode Fuzzy Hash: 2513b7fc4514eec1a4a29cc7417336eba1b3d18fbe18577bf473d45ce243e6e9
Instruction Fuzzy Hash: CE117FB1510604EFEB20CE55DC84F6AFBECFF04720F04859AEA4A9B252D760E404CA71

Uniqueness

Uniqueness Score: -1.00%

Function 052C21B6, Relevance: 1.6, APIs: 1, Instructions: 64timeCOMMON

Download Yara Rule

APIs

GetProcessTimes.KERNELBASE(?,00000E2C,883E0C6F,00000000,00000000,00000000,00000000), ref: 052C2215

Memory Dump Source

Source File: 00000003.00000002.509275786.00000000052C0000.00000040.00000001.sdmp, Offset: 052C0000, based on PE: false

Similarity

API ID: ProcessTimes
String ID:
API String ID: 1995159646-0
Opcode ID: 029f4780a4c032f19754b9f82fb324541f003ce6089472073f22a148ef5bf3b9
Instruction ID: 9a72f6e5efe4d0f94dc7ff6c170014c84ef21c421c93e619749baaeac3294bbb
Opcode Fuzzy Hash: 029f4780a4c032f19754b9f82fb324541f003ce6089472073f22a148ef5bf3b9
Instruction Fuzzy Hash: 9D11E671500600AFEB21CF59DC81F6AFFA8EF44710F0484AEEE499B252C770A404CB72

Uniqueness

Uniqueness Score: -1.00%

Function 052C0EEC, Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 052C0F56

Memory Dump Source

Source File: 00000003.00000002.509275786.00000000052C0000.00000040.00000001.sdmp, Offset: 052C0000, based on PE: false

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 231587a1a40f5b2649f6baa67624fb94d8438d5a8f6299ced6d0ef509d3c3f88
Instruction ID: c75f85ae7933e0eaa74f6bcb46d3b3fdcc3dc19de1b7592a92f6523b8b004df3
Opcode Fuzzy Hash: 231587a1a40f5b2649f6baa67624fb94d8438d5a8f6299ced6d0ef509d3c3f88
Instruction Fuzzy Hash: 09119D715093819FD721CF25DC84B56BFE8EF05620F0884AEEC89CB253D264E948CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0136A51F, Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0136A58A

Memory Dump Source

Source File: 00000003.00000002.503338061.000000000136A000.00000040.00000001.sdmp, Offset: 0136A000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 697791dead49bd054a5fec6b7bdd9574a1a0d83a69109ef7ab38b857c54fef6c
Instruction ID: c2a7064e862b98fa4e8416923934593ad8e0c76ea2919714780c8280ecc07eb9
Opcode Fuzzy Hash: 697791dead49bd054a5fec6b7bdd9574a1a0d83a69109ef7ab38b857c54fef6c
Instruction Fuzzy Hash: 44117271409784AFDB228F55DC44A62FFF8EF4A210F08849AED858B553D375A418DB61

Uniqueness

Uniqueness Score: -1.00%

Function 0136B7CA, Relevance: 1.6, APIs: 1, Instructions: 61windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,?,?), ref: 0136B841

Memory Dump Source

Source File: 00000003.00000002.503338061.000000000136A000.00000040.00000001.sdmp, Offset: 0136A000, based on PE: false

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 22240f19e11d50fe0a5361b77767afe6afe049189baad154cbecea24d0788135
Instruction ID: acb5665f99ea5acb828c487f1e0a81afba7c67ec467d9e6babc49ef5e2092325
Opcode Fuzzy Hash: 22240f19e11d50fe0a5361b77767afe6afe049189baad154cbecea24d0788135
Instruction Fuzzy Hash: 7F216D714097C49FDB128B25DC50A92BFB4EF06214F0984DAE9C44F163D265A958DB61

Uniqueness

Uniqueness Score: -1.00%

Function 052C09F2, Relevance: 1.6, APIs: 1, Instructions: 60COMMON

Download Yara Rule

APIs

setsockopt.WS2_32(?,00000E2C,883E0C6F,00000000,00000000,00000000,00000000), ref: 052C0A51

Memory Dump Source

Source File: 00000003.00000002.509275786.00000000052C0000.00000040.00000001.sdmp, Offset: 052C0000, based on PE: false

Similarity

API ID: setsockopt
String ID:
API String ID: 3981526788-0
Opcode ID: 01eb6d05fb2997be68f29293e04f4c80205f92839f57cde11144ec887b826466
Instruction ID: ca71b9bdebcaa0ec463a4bcfb71edd1222c51812aa175cd4bc15239771dcfb75
Opcode Fuzzy Hash: 01eb6d05fb2997be68f29293e04f4c80205f92839f57cde11144ec887b826466
Instruction Fuzzy Hash: DE11E771911204EFEB21CF55DC85F6AFFA8EF44710F1485AAEE499B242C774A404CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 052C02DE, Relevance: 1.6, APIs: 1, Instructions: 60registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNELBASE(?,00000E2C), ref: 052C0353

Memory Dump Source

Source File: 00000003.00000002.509275786.00000000052C0000.00000040.00000001.sdmp, Offset: 052C0000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: e1a9fe1e847a90027f17066ed6d7b2cfc12203d33f4bf4776a51e3eee57ee9d8
Instruction ID: a713f33e48b2daff516cd103bbfa94fc70e9feba9b91f9bca5fb73234432fed4
Opcode Fuzzy Hash: e1a9fe1e847a90027f17066ed6d7b2cfc12203d33f4bf4776a51e3eee57ee9d8
Instruction Fuzzy Hash: D211EF71510600EFEB21CF54DC85F6AFFA8EF04710F14859AFE495B292C2B1A408CBB5

Uniqueness

Uniqueness Score: -1.00%

Function 052C0CD6, Relevance: 1.6, APIs: 1, Instructions: 60fileCOMMON

Download Yara Rule

APIs

DeleteFileA.KERNELBASE(?,00000E2C), ref: 052C0D3F

Memory Dump Source

Source File: 00000003.00000002.509275786.00000000052C0000.00000040.00000001.sdmp, Offset: 052C0000, based on PE: false

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: cc4f380b985ac17f1465fea4c3131d57f97614b801a228d548e4375750666380
Instruction ID: 23b5036362df4b55b8e453528a3dbe91c0087c4c01f87a38a3b9d7e9ee995605
Opcode Fuzzy Hash: cc4f380b985ac17f1465fea4c3131d57f97614b801a228d548e4375750666380
Instruction Fuzzy Hash: 02110675610601AFF720DB19DC85BBAFFA8DF04720F14C49EFE499B285D6A4B444CA61

Uniqueness

Uniqueness Score: -1.00%

Function 0136BB4F, Relevance: 1.6, APIs: 1, Instructions: 59windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 0136BBB9

Memory Dump Source

Source File: 00000003.00000002.503338061.000000000136A000.00000040.00000001.sdmp, Offset: 0136A000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 4c974422d009419b5a14633b1165f33b97d002274589915c6b7cafe9ce0904e3
Instruction ID: b19b758d076ba13f07e0fb10095acf11e62bdea7202119c36a61de082f7e1cd0
Opcode Fuzzy Hash: 4c974422d009419b5a14633b1165f33b97d002274589915c6b7cafe9ce0904e3
Instruction Fuzzy Hash: 1A1122311097C0AFDB228F25CC45B52FFB4EF06220F08C4DEED858B563D265A418CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0136BE05, Relevance: 1.6, APIs: 1, Instructions: 58windowCOMMON

Download Yara Rule

APIs

DispatchMessageW.USER32(?), ref: 0136BE70

Memory Dump Source

Source File: 00000003.00000002.503338061.000000000136A000.00000040.00000001.sdmp, Offset: 0136A000, based on PE: false

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: 55343858c7a929dbe8ff8f3088fd2603656ab9dda5369f6743abd1ee3bf4d79d
Instruction ID: dc6949cd1751db1cb39dfcdb6ef51025c9c1de35cf7c31c6175dd3222684757f
Opcode Fuzzy Hash: 55343858c7a929dbe8ff8f3088fd2603656ab9dda5369f6743abd1ee3bf4d79d
Instruction Fuzzy Hash: 771181754093C49FD7138B25DC44761FFB4DF47624F0980DAED848F257D2655808CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0136B71E, Relevance: 1.6, APIs: 1, Instructions: 57windowCOMMON

Download Yara Rule

APIs

CreateIconFromResourceEx.USER32 ref: 0136B78A

Memory Dump Source

Source File: 00000003.00000002.503338061.000000000136A000.00000040.00000001.sdmp, Offset: 0136A000, based on PE: false

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: 42900d3bc4194b778e29732492fe935cac1038b32be26dcdc476189750c92496
Instruction ID: bc6f8e4305fe6c8610ab08ad65810c478d599e8b7d8a00d0a724df34da123d52
Opcode Fuzzy Hash: 42900d3bc4194b778e29732492fe935cac1038b32be26dcdc476189750c92496
Instruction Fuzzy Hash: 5011A2314087849FDB228F54DC44A56FFF4EF09310F0884AEED858B526C375A418CB61

Uniqueness

Uniqueness Score: -1.00%

Function 052C0D83, Relevance: 1.6, APIs: 1, Instructions: 56COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNELBASE(?), ref: 052C0DE8

Memory Dump Source

Source File: 00000003.00000002.509275786.00000000052C0000.00000040.00000001.sdmp, Offset: 052C0000, based on PE: false

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: e18381cd1ed8dfb0aafc89a77425e2e6e4d682cd87c8eee146642b947f6653dc
Instruction ID: b9dc062f8abea40ed01ce32645af3facc55f42d05718a6e5304dc6917b28ab6e
Opcode Fuzzy Hash: e18381cd1ed8dfb0aafc89a77425e2e6e4d682cd87c8eee146642b947f6653dc
Instruction Fuzzy Hash: DA1160714093C49FD7128B25DC44B96BFB4EF06224F0984EBED888F153D275A859CB61

Uniqueness

Uniqueness Score: -1.00%

Function 052C0F0E, Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 052C0F56

Memory Dump Source

Source File: 00000003.00000002.509275786.00000000052C0000.00000040.00000001.sdmp, Offset: 052C0000, based on PE: false

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: dfe03b2e76d3469a2541cd6f57869c19ab579794abe33f99e43a7f8cd81bfffd
Instruction ID: da5127a09015150b5c18e0d0232dd1c058e59cc88693b91c25edcfb60598faa7
Opcode Fuzzy Hash: dfe03b2e76d3469a2541cd6f57869c19ab579794abe33f99e43a7f8cd81bfffd
Instruction Fuzzy Hash: BD118271A10201CFDB60CF29D884B5AFFD8EF04720F0885AEED49CB242D674E544CA61

Uniqueness

Uniqueness Score: -1.00%

Function 0136A75B, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

closesocket.WS2_32(?), ref: 0136A7BC

Memory Dump Source

Source File: 00000003.00000002.503338061.000000000136A000.00000040.00000001.sdmp, Offset: 0136A000, based on PE: false

Similarity

API ID: closesocket
String ID:
API String ID: 2781271927-0
Opcode ID: c97e1a9f8d294c0719a16e3c1f6bb5f74dee0536aa3ec3c9e0a432b5ebbba3af
Instruction ID: e684efd72da9fd057860ac28cb3ae6d6d278e157df8c6580f4996a23aea0916c
Opcode Fuzzy Hash: c97e1a9f8d294c0719a16e3c1f6bb5f74dee0536aa3ec3c9e0a432b5ebbba3af
Instruction Fuzzy Hash: 0911C1714093849FD712CF14DC84B52BFB8EF05224F0880AAED459F243D275A408CB62

Uniqueness

Uniqueness Score: -1.00%

Function 052C0932, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E2C,883E0C6F,00000000,00000000,00000000,00000000), ref: 052C0985

Memory Dump Source

Source File: 00000003.00000002.509275786.00000000052C0000.00000040.00000001.sdmp, Offset: 052C0000, based on PE: false

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: c9e56352de05166c8d6ddc32661d526c1dff1f832ce076be715e264506982f6e
Instruction ID: 0cfc947a70437d8de9eb676ed38e5a7f495d15aec6fa7bdccc8f1490c85d7c47
Opcode Fuzzy Hash: c9e56352de05166c8d6ddc32661d526c1dff1f832ce076be715e264506982f6e
Instruction Fuzzy Hash: 6A01D671510604AEF720CB19DCC5F6AFFA8EF44720F14C49AEE499F242C674A404CAB1

Uniqueness

Uniqueness Score: -1.00%

Function 052C075A, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,?), ref: 052C079F

Memory Dump Source

Source File: 00000003.00000002.509275786.00000000052C0000.00000040.00000001.sdmp, Offset: 052C0000, based on PE: false

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: 5bd573caefdbbf15ce29cec681a2afd57cc61543677fd8c0f650ba6a1eb002e0
Instruction ID: fd1ae50330052e3eae537a4a018d5f5cef23ca60511163b1d86f7381c1c34ddd
Opcode Fuzzy Hash: 5bd573caefdbbf15ce29cec681a2afd57cc61543677fd8c0f650ba6a1eb002e0
Instruction Fuzzy Hash: 64115E75615245CFDB54CF29D888B6AFFD8EF04620F08C5AADD49DB642D274E408CF61

Uniqueness

Uniqueness Score: -1.00%

Function 052C12A6, Relevance: 1.5, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

K32EnumProcesses.KERNEL32(?,?,?,883E0C6F,00000000,?,?,?,?,?,?,?,?,72B13C38), ref: 052C12E6

Memory Dump Source

Source File: 00000003.00000002.509275786.00000000052C0000.00000040.00000001.sdmp, Offset: 052C0000, based on PE: false

Similarity

API ID: EnumProcesses
String ID:
API String ID: 84517404-0
Opcode ID: d20022d81041429b3b1c5d2faf422b80de3d6b03c6c6a165e95b3c670fdeeb40
Instruction ID: 7b271f80e8fba8ee78bc5995446abaa1887e44959bcd8257b0230534c8d536a9
Opcode Fuzzy Hash: d20022d81041429b3b1c5d2faf422b80de3d6b03c6c6a165e95b3c670fdeeb40
Instruction Fuzzy Hash: B1118E759102458FDB10CF65D885B66FFE4EF04220F0884AADD49CB653D270E414CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0136A8CC, Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 0136A926

Memory Dump Source

Source File: 00000003.00000002.503338061.000000000136A000.00000040.00000001.sdmp, Offset: 0136A000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: cacc9f5a59315451688de7ae4f3fc4c4e2ab5be090e4b2097d238a750431b580
Instruction ID: f9e80b506a8f7e917d1d48999d04066d755e2abd7bd9132892c8753e311ecef6
Opcode Fuzzy Hash: cacc9f5a59315451688de7ae4f3fc4c4e2ab5be090e4b2097d238a750431b580
Instruction Fuzzy Hash: 2211CE354097849FD7228F15DC85A52FFF4EF06220F09C4DAED854B263C275A818CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0136A172, Relevance: 1.5, APIs: 1, Instructions: 47networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(?,00000E2C,?,?), ref: 0136A1C2

Memory Dump Source

Source File: 00000003.00000002.503338061.000000000136A000.00000040.00000001.sdmp, Offset: 0136A000, based on PE: false

Similarity

API ID: Startup
String ID:
API String ID: 724789610-0
Opcode ID: 975ca1403c3fe4c80e9c74ad251d76ff2d6dd95c32fa2110ed542cd79e5cdb9f
Instruction ID: eef6ba7cd600095c9b99a642a488b3912fe741fd207f53f7663d868f2e46b62c
Opcode Fuzzy Hash: 975ca1403c3fe4c80e9c74ad251d76ff2d6dd95c32fa2110ed542cd79e5cdb9f
Instruction Fuzzy Hash: A501B171900600ABD710DF1ADC85B26FBE8FB88A20F14816AED089B645E635F515CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 052C2742, Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

FormatMessageW.KERNELBASE(?,00000E2C,?,?), ref: 052C2792

Memory Dump Source

Source File: 00000003.00000002.509275786.00000000052C0000.00000040.00000001.sdmp, Offset: 052C0000, based on PE: false

Similarity

API ID: FormatMessage
String ID:
API String ID: 1306739567-0
Opcode ID: d85b5f23bb684cd4101f6fdf5b17563bf8ff4c5f925f7bc97aba27be75749255
Instruction ID: d393681c5c90d0868a4b516a5932cccf553952ef9aa44652c110472a3c2d60e4
Opcode Fuzzy Hash: d85b5f23bb684cd4101f6fdf5b17563bf8ff4c5f925f7bc97aba27be75749255
Instruction Fuzzy Hash: AF01B172900600ABD310DF1ADC85B26FBE8FB88B20F14812AED089B645E631F515CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 0136B746, Relevance: 1.5, APIs: 1, Instructions: 45windowCOMMON

Download Yara Rule

APIs

CreateIconFromResourceEx.USER32 ref: 0136B78A

Memory Dump Source

Source File: 00000003.00000002.503338061.000000000136A000.00000040.00000001.sdmp, Offset: 0136A000, based on PE: false

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: da3e026cbe78cb04a2e0558b0e30894887b03e66854d44c5099e9c6c3396c570
Instruction ID: cf6f72f17cb86cf79cfcbffdb9cc41899a4c458c3000d408b7dd826ea9239ae1
Opcode Fuzzy Hash: da3e026cbe78cb04a2e0558b0e30894887b03e66854d44c5099e9c6c3396c570
Instruction Fuzzy Hash: ED016D71500604DFDB218F55D884B56FFE8EF08720F08C4AAEE898A61AD375A018DF61

Uniqueness

Uniqueness Score: -1.00%

Function 0136A546, Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0136A58A

Memory Dump Source

Source File: 00000003.00000002.503338061.000000000136A000.00000040.00000001.sdmp, Offset: 0136A000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 8df45fa411f887cd4a3bb5118f535fd5b6d748105f7e1c2d00c5d58dd14026db
Instruction ID: 0f11196bf6b59b73ebb947015ea1a8671f23be2862e1e997b5a772edb9a7037a
Opcode Fuzzy Hash: 8df45fa411f887cd4a3bb5118f535fd5b6d748105f7e1c2d00c5d58dd14026db
Instruction Fuzzy Hash: 3F016D71400604DFDB21CF55D844B56FFE8EF48720F08C4AAEE895B656C375A018CF61

Uniqueness

Uniqueness Score: -1.00%

Function 052C0232, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 052C0264

Memory Dump Source

Source File: 00000003.00000002.509275786.00000000052C0000.00000040.00000001.sdmp, Offset: 052C0000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 35f8b1e8a81755c918e5b471579b1baa5401f6b0dd84d9f33aa1db6f75418d54
Instruction ID: 703c82c82b38514b899bb6901de626b1e3c237f10c98655e33d0f9fde2a231a5
Opcode Fuzzy Hash: 35f8b1e8a81755c918e5b471579b1baa5401f6b0dd84d9f33aa1db6f75418d54
Instruction Fuzzy Hash: 4B01DF75910200CFEB10CF29E88876AFFA4EF44220F08C0AADC4A8F642D274A404CA62

Uniqueness

Uniqueness Score: -1.00%

Function 052C151E, Relevance: 1.5, APIs: 1, Instructions: 43networkCOMMON

Download Yara Rule

APIs

DnsQuery_A.DNSAPI(?,00000E2C,?,?), ref: 052C156E

Memory Dump Source

Source File: 00000003.00000002.509275786.00000000052C0000.00000040.00000001.sdmp, Offset: 052C0000, based on PE: false

Similarity

API ID: Query_
String ID:
API String ID: 428220571-0
Opcode ID: 07903c283c8b3921b3d019404e4ccd79608454ce17d264a82033b99cb332b25f
Instruction ID: 12a0a3c9d525d17cb2e044bd97bcc2dafd8c483278104c04c5ea3b575b4c7e46
Opcode Fuzzy Hash: 07903c283c8b3921b3d019404e4ccd79608454ce17d264a82033b99cb332b25f
Instruction Fuzzy Hash: 8901A272500600ABD210DF1ADC86B26FBE8FB88B20F14811AED085B745E671F515CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 052C11FA, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 052C122C

Memory Dump Source

Source File: 00000003.00000002.509275786.00000000052C0000.00000040.00000001.sdmp, Offset: 052C0000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 6a0cee0f764720f987432482f2ba2542c4e09ae33248abd948e958d4d3fda97c
Instruction ID: 515a5c36c2cd6b215ce67aa7404ae2da04a91f6d3207130b7a05b5a900094c0f
Opcode Fuzzy Hash: 6a0cee0f764720f987432482f2ba2542c4e09ae33248abd948e958d4d3fda97c
Instruction Fuzzy Hash: 5401DF759242408FDB10CF69E885B6AFFA4EF44620F08C0AADC4ACF643C274A418CB72

Uniqueness

Uniqueness Score: -1.00%

Function 0136BB7E, Relevance: 1.5, APIs: 1, Instructions: 42windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 0136BBB9

Memory Dump Source

Source File: 00000003.00000002.503338061.000000000136A000.00000040.00000001.sdmp, Offset: 0136A000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 7bdb625f80945e49976295cd77dd1b8cb29906a7383cb52cf8db74adefeeeefb
Instruction ID: 47fe3d8db454794438c2d0d1265096906b36e78ab5a8d158024b5056b0d58d79
Opcode Fuzzy Hash: 7bdb625f80945e49976295cd77dd1b8cb29906a7383cb52cf8db74adefeeeefb
Instruction Fuzzy Hash: D201D435600604CFDB318F19D884B69FFA8EF04324F08C09EED458B66AC271E418CF61

Uniqueness

Uniqueness Score: -1.00%

Function 0136A78A, Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

closesocket.WS2_32(?), ref: 0136A7BC

Memory Dump Source

Source File: 00000003.00000002.503338061.000000000136A000.00000040.00000001.sdmp, Offset: 0136A000, based on PE: false

Similarity

API ID: closesocket
String ID:
API String ID: 2781271927-0
Opcode ID: 98a93b8ea7cc4d4fd9383ac6a75b7f8f7d747ee94d5344e673109c5d6b50ddc2
Instruction ID: 4c29cf375aad1811550580cff3b93a74c1b01892f81a83d4568362c0923277ca
Opcode Fuzzy Hash: 98a93b8ea7cc4d4fd9383ac6a75b7f8f7d747ee94d5344e673109c5d6b50ddc2
Instruction Fuzzy Hash: 1001D1748002448FDB10DF59E884765FFE8EF44325F08C0AADD499F64AD278A404CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0136B806, Relevance: 1.5, APIs: 1, Instructions: 38windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,?,?), ref: 0136B841

Memory Dump Source

Source File: 00000003.00000002.503338061.000000000136A000.00000040.00000001.sdmp, Offset: 0136A000, based on PE: false

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 0ae8b6dad7d23d600a2e44817a1a4114e035f2c320792924018cfec843c21e10
Instruction ID: 6e660f078cda9dac58f38c12c2949e9c3e687f5ff76929a4f353caa64280cb2b
Opcode Fuzzy Hash: 0ae8b6dad7d23d600a2e44817a1a4114e035f2c320792924018cfec843c21e10
Instruction Fuzzy Hash: 0701A271500648DFDB218F55D884B65FFA8EF08724F08C09AED894B66AD275A418CFB2

Uniqueness

Uniqueness Score: -1.00%

Function 0136A8EE, Relevance: 1.5, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 0136A926

Memory Dump Source

Source File: 00000003.00000002.503338061.000000000136A000.00000040.00000001.sdmp, Offset: 0136A000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: e53cac302ed16413dcab8926fef3b271a2d7b1a156746e6f21e4bdad3253c315
Instruction ID: ff59a168090964d5c985a11015417a6d83854bb01eacc76a76bc41783688179e
Opcode Fuzzy Hash: e53cac302ed16413dcab8926fef3b271a2d7b1a156746e6f21e4bdad3253c315
Instruction Fuzzy Hash: D101D135400608CFDB208F09D885755FFE8EF08724F18C0AADD8A1B656C275A418CF72

Uniqueness

Uniqueness Score: -1.00%

Function 0136BE3E, Relevance: 1.5, APIs: 1, Instructions: 35windowCOMMON

Download Yara Rule

APIs

DispatchMessageW.USER32(?), ref: 0136BE70

Memory Dump Source

Source File: 00000003.00000002.503338061.000000000136A000.00000040.00000001.sdmp, Offset: 0136A000, based on PE: false

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: e76c2adb9715c7d83d30b01597e4bd1bb2d9718888a85a8795f0b0aa553d6a82
Instruction ID: cb46b3274adefee27d3dbf89973bf96202922880483b01112cd0f26c02f80c28
Opcode Fuzzy Hash: e76c2adb9715c7d83d30b01597e4bd1bb2d9718888a85a8795f0b0aa553d6a82
Instruction Fuzzy Hash: D1F0A475904644CFDB209F19EC84765FFA8EF44724F08C0AADE494B65AD275A408CEA2

Uniqueness

Uniqueness Score: -1.00%

Function 0136A372, Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 0136A3A4

Memory Dump Source

Source File: 00000003.00000002.503338061.000000000136A000.00000040.00000001.sdmp, Offset: 0136A000, based on PE: false

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: e76c2adb9715c7d83d30b01597e4bd1bb2d9718888a85a8795f0b0aa553d6a82
Instruction ID: 6331f1638dd982c700c9046c010ac7c64ac41a226bf97172777666206cd9dac4
Opcode Fuzzy Hash: e76c2adb9715c7d83d30b01597e4bd1bb2d9718888a85a8795f0b0aa553d6a82
Instruction Fuzzy Hash: D0F0FF34500344CFDB208F19D884729FFA8EF05324F28C09ADD495B64AD2B8A408CAA2

Uniqueness

Uniqueness Score: -1.00%

Function 052620D0, Relevance: 1.4, Strings: 1, Instructions: 200COMMON

Download Yara Rule

Strings

r*+, xrefs: 0526230F

Memory Dump Source

Source File: 00000003.00000002.508950288.0000000005260000.00000040.00000001.sdmp, Offset: 05260000, based on PE: false

Similarity

API ID:
String ID: r*+
API String ID: 0-3221063712
Opcode ID: 1c3866e4202adeb1a564cabe015cd7b4d6c53b83c850e7e26e7f3aaee23bb081
Instruction ID: 7979b64385b0e5dd050466b62f245342cbd186144260bb4947b6559c2e79674c
Opcode Fuzzy Hash: 1c3866e4202adeb1a564cabe015cd7b4d6c53b83c850e7e26e7f3aaee23bb081
Instruction Fuzzy Hash: 74717234E2820ADFCB54DFA8C5456BEBBB2FF84300F1080AAD5569B255D7749D81CB51

Uniqueness

Uniqueness Score: -1.00%

Function 052602E8, Relevance: 1.4, Strings: 1, Instructions: 175COMMON

Download Yara Rule

Strings

`5(r, xrefs: 052603A5

Memory Dump Source

Source File: 00000003.00000002.508950288.0000000005260000.00000040.00000001.sdmp, Offset: 05260000, based on PE: false

Similarity

API ID:
String ID: `5(r
API String ID: 0-3683955166
Opcode ID: 14bda944bcc7c08879eb5eb02563612b2083f2f7cb1a0356ce2af6852c143ff0
Instruction ID: 6fec48fdb6585440c7172520504b1b86f0d47b953dc416f7bfebac15f3f30f5a
Opcode Fuzzy Hash: 14bda944bcc7c08879eb5eb02563612b2083f2f7cb1a0356ce2af6852c143ff0
Instruction Fuzzy Hash: 0A519D70B142068FDB18DF68C4686AE7BF3FF89300F1480A9D50AAB395DB75AC45DB91

Uniqueness

Uniqueness Score: -1.00%

Function 05268E18, Relevance: 1.4, Strings: 1, Instructions: 136COMMON

Download Yara Rule

Strings

, xrefs: 05268F36

Memory Dump Source

Source File: 00000003.00000002.508950288.0000000005260000.00000040.00000001.sdmp, Offset: 05260000, based on PE: false

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 8f29f9c528f59af0dfe4eb5d44695cc4f76ca4109600dc4a80a65a84ce9dad6a
Instruction ID: 0e366606ec64e171055709256f715eb9b21e373a22c299a74c42fa5ea7b2dc66
Opcode Fuzzy Hash: 8f29f9c528f59af0dfe4eb5d44695cc4f76ca4109600dc4a80a65a84ce9dad6a
Instruction Fuzzy Hash: F841E030F241068FCB10CF69C8805BEBBF3FF81354B69C966E51ADB606D675D8828B91

Uniqueness

Uniqueness Score: -1.00%

Function 05262D58, Relevance: 1.4, Strings: 1, Instructions: 135COMMON

Download Yara Rule

Strings

, xrefs: 05262E76

Memory Dump Source

Source File: 00000003.00000002.508950288.0000000005260000.00000040.00000001.sdmp, Offset: 05260000, based on PE: false

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 26737fd367245de9257402cc2959976bfac2f913d11d6aa5a4e5d600374411a4
Instruction ID: a9c4af4d1f0a371127b3b4301e0be3b5b0830d57609f22a2928b42a4e47275b6
Opcode Fuzzy Hash: 26737fd367245de9257402cc2959976bfac2f913d11d6aa5a4e5d600374411a4
Instruction Fuzzy Hash: 1741B138F28256CFCB24CB69C8845BEBBA3BFC1214B24C57AC416DB645C675E892C791

Uniqueness

Uniqueness Score: -1.00%

Function 05261458, Relevance: 1.4, Strings: 1, Instructions: 128COMMON

Download Yara Rule

Strings

$g%r, xrefs: 052614C7

Memory Dump Source

Source File: 00000003.00000002.508950288.0000000005260000.00000040.00000001.sdmp, Offset: 05260000, based on PE: false

Similarity

API ID:
String ID: $g%r
API String ID: 0-359987751
Opcode ID: 978428dedbc07ebc27daf180c9dcb1c3c837b85015a0771d18e6d199573dffd2
Instruction ID: edcef4c86d16a6b09501f16d42bec44153c0ba79f64d2b89ddd18067ce7223c5
Opcode Fuzzy Hash: 978428dedbc07ebc27daf180c9dcb1c3c837b85015a0771d18e6d199573dffd2
Instruction Fuzzy Hash: 1651C534A04215CFDB64DF68D994BADBBB2FF49304F1040A9D40AAB3A5CB79AD84CF51

Uniqueness

Uniqueness Score: -1.00%

Function 05260681, Relevance: 1.4, Strings: 1, Instructions: 128COMMON

Download Yara Rule

Strings

Zyq^, xrefs: 052606A1, 052606A6

Memory Dump Source

Source File: 00000003.00000002.508950288.0000000005260000.00000040.00000001.sdmp, Offset: 05260000, based on PE: false

Similarity

API ID:
String ID: Zyq^
API String ID: 0-4065106858
Opcode ID: 8f092c94aec2f0287a9caf8739bbaf398402c33ebf5fc52e5d15a09365428f8b
Instruction ID: 605c83e7a03e68d194258c7ac8c12a8eff59d3293509e325beaac54bc6c5f0aa
Opcode Fuzzy Hash: 8f092c94aec2f0287a9caf8739bbaf398402c33ebf5fc52e5d15a09365428f8b
Instruction Fuzzy Hash: 33414B30610215DFD735BB78F91C66D3BAABF84306B154569E402C72A8DF758C819B92

Uniqueness

Uniqueness Score: -1.00%

Function 05261290, Relevance: 1.4, Strings: 1, Instructions: 101COMMON

Download Yara Rule

Strings

$g%r, xrefs: 05261349

Memory Dump Source

Source File: 00000003.00000002.508950288.0000000005260000.00000040.00000001.sdmp, Offset: 05260000, based on PE: false

Similarity

API ID:
String ID: $g%r
API String ID: 0-359987751
Opcode ID: 4fe3f0cba659c4511766b80e34b3a7a541e072de3c1d8048b912d91b3c2452fb
Instruction ID: 85a369f4f1d46a68857eee121d80a2e3e9649b0408d6aa531a428dcd9e2abdc1
Opcode Fuzzy Hash: 4fe3f0cba659c4511766b80e34b3a7a541e072de3c1d8048b912d91b3c2452fb
Instruction Fuzzy Hash: 9241F674E14219DFCB64DF68D884BADBBB2BF49300F0040A9D40AAB755DB74AD94CF51

Uniqueness

Uniqueness Score: -1.00%

Function 052682C0, Relevance: 1.3, Strings: 1, Instructions: 98COMMON

Download Yara Rule

Strings

r*+, xrefs: 052683D7

Memory Dump Source

Source File: 00000003.00000002.508950288.0000000005260000.00000040.00000001.sdmp, Offset: 05260000, based on PE: false

Similarity

API ID:
String ID: r*+
API String ID: 0-3221063712
Opcode ID: 11a2f7ed5013d6eea6093249226c6e7d349811ffcfcad49ac54215f14c4612b9
Instruction ID: 276447ea06fd329d2d7f07d92c939d8c68f72371120acb540d5054d8995d9b30
Opcode Fuzzy Hash: 11a2f7ed5013d6eea6093249226c6e7d349811ffcfcad49ac54215f14c4612b9
Instruction Fuzzy Hash: 69413E70E2420ADFDB4CDFA8C5456AEBBF2FF44304F10846AD406A7260D7749991CF56

Uniqueness

Uniqueness Score: -1.00%

Function 05268108, Relevance: 1.3, Strings: 1, Instructions: 87COMMON

Download Yara Rule

Strings

]Dyq^, xrefs: 05268136, 0526813B

Memory Dump Source

Source File: 00000003.00000002.508950288.0000000005260000.00000040.00000001.sdmp, Offset: 05260000, based on PE: false

Similarity

API ID:
String ID: ]Dyq^
API String ID: 0-2056877261
Opcode ID: 6daefd93c3147170abd184ab272f2024becdd08223f015444990789505d14a1c
Instruction ID: 109a5737b46bf88f94f4812abb59be7a08fb6a39f8105c6695922946471ac60c
Opcode Fuzzy Hash: 6daefd93c3147170abd184ab272f2024becdd08223f015444990789505d14a1c
Instruction Fuzzy Hash: BC314530A28240DFCB19EBBCE4584A97FA3FFC530031189AAE406CB394CF398D418B45

Uniqueness

Uniqueness Score: -1.00%

Function 0526D5D8, Relevance: 1.3, Strings: 1, Instructions: 76COMMON

Download Yara Rule

Strings

l&r, xrefs: 0526D693

Memory Dump Source

Source File: 00000003.00000002.508950288.0000000005260000.00000040.00000001.sdmp, Offset: 05260000, based on PE: false

Similarity

API ID:
String ID: l&r
API String ID: 0-2436013623
Opcode ID: 7e8b679fb21057e6c0c53dab3920c0f25030cd3c347b985f86bbb1468252f89f
Instruction ID: 2360c883c22741d7ef960867465a54dc46c33754656ae908c376e2249d783da3
Opcode Fuzzy Hash: 7e8b679fb21057e6c0c53dab3920c0f25030cd3c347b985f86bbb1468252f89f
Instruction Fuzzy Hash: 2421BD75B28218DBCB19CB78A4007BEB7E6AF88304F14447AD44EDB640DEB5CC868B91

Uniqueness

Uniqueness Score: -1.00%

Function 0526CAAF, Relevance: 1.3, Strings: 1, Instructions: 64COMMON

Download Yara Rule

Strings

}>yq^, xrefs: 0526CBD4

Memory Dump Source

Source File: 00000003.00000002.508950288.0000000005260000.00000040.00000001.sdmp, Offset: 05260000, based on PE: false

Similarity

API ID:
String ID: }>yq^
API String ID: 0-3218742065
Opcode ID: 1ecd3d25b608bac10ed35958d68dd83257d979c9e5105ef1c34e920cd8639bf0
Instruction ID: 3cab214fdf9438c8d26f393e5c979a1676c2729dfa93a6429a38a11a010adc3a
Opcode Fuzzy Hash: 1ecd3d25b608bac10ed35958d68dd83257d979c9e5105ef1c34e920cd8639bf0
Instruction Fuzzy Hash: F32159B0611311CFC759AB28E1084A97BA2FB8534932488BDE40A9F794DB768C87CF84

Uniqueness

Uniqueness Score: -1.00%

Function 052605B9, Relevance: 1.3, Strings: 1, Instructions: 53COMMON

Download Yara Rule

Strings

8bq, xrefs: 052605D6

Memory Dump Source

Source File: 00000003.00000002.508950288.0000000005260000.00000040.00000001.sdmp, Offset: 05260000, based on PE: false

Similarity

API ID:
String ID: 8bq
API String ID: 0-187764589
Opcode ID: 702ee9dd8ef67723c594a33d2a7ebce095ca414d7cff3b4aba8225db0f1131e0
Instruction ID: db6d261417a1cdc79fc361d4783ec2cc5e9be13b62581a618eecf8961d1e8e01
Opcode Fuzzy Hash: 702ee9dd8ef67723c594a33d2a7ebce095ca414d7cff3b4aba8225db0f1131e0
Instruction Fuzzy Hash: 2D01F430B502210FC659667D64215FF67DBAFDA150728802FE046DB788CDBA9C4743D6

Uniqueness

Uniqueness Score: -1.00%

Function 05264700, Relevance: 1.3, Strings: 1, Instructions: 50COMMON

Download Yara Rule

Strings

X1(r, xrefs: 05264747

Memory Dump Source

Source File: 00000003.00000002.508950288.0000000005260000.00000040.00000001.sdmp, Offset: 05260000, based on PE: false

Similarity

API ID:
String ID: X1(r
API String ID: 0-3909273932
Opcode ID: 3789c94ce56772235713bd411344abda4bbe2dd9e49ac9b483d6d223568867d4
Instruction ID: de355e5c0ea7eab6dd7ceb67445a5e528159105de30d4293ddf3b766a84d3ad5
Opcode Fuzzy Hash: 3789c94ce56772235713bd411344abda4bbe2dd9e49ac9b483d6d223568867d4
Instruction Fuzzy Hash: 600149337642D08FCF67A3BC54503BD3B969FC6264B94007FD186C7791C96A8C828392

Uniqueness

Uniqueness Score: -1.00%

Function 052605C8, Relevance: 1.3, Strings: 1, Instructions: 45COMMON

Download Yara Rule

Strings

8bq, xrefs: 052605D6

Memory Dump Source

Source File: 00000003.00000002.508950288.0000000005260000.00000040.00000001.sdmp, Offset: 05260000, based on PE: false

Similarity

API ID:
String ID: 8bq
API String ID: 0-187764589
Opcode ID: 932cb8232874c86f07ddf5717704719cf7d50a2f6e98dd4ad716cf8a474058b5
Instruction ID: e2e301f39dabf5aaedb5e5bd3a8808dcfccbf80cbebca711832f9deb87306274
Opcode Fuzzy Hash: 932cb8232874c86f07ddf5717704719cf7d50a2f6e98dd4ad716cf8a474058b5
Instruction Fuzzy Hash: F6F0BE207101250FC519767E74116BF62CFEFC8651B68942EF10AEB388CDBAAC4303EA

Uniqueness

Uniqueness Score: -1.00%

Function 05269CF0, Relevance: 1.3, Strings: 1, Instructions: 45COMMON

Download Yara Rule

Strings

Hu&r, xrefs: 05269D23

Memory Dump Source

Source File: 00000003.00000002.508950288.0000000005260000.00000040.00000001.sdmp, Offset: 05260000, based on PE: false

Similarity

API ID:
String ID: Hu&r
API String ID: 0-1342936641
Opcode ID: 079451842e94f2e05ba3701ecd08962d1e959e007533745236d5fc994abf2acb
Instruction ID: 87261e5bcd7ea86b4ea3db29b0d04335625c6a01b52528a2452579ced089802e
Opcode Fuzzy Hash: 079451842e94f2e05ba3701ecd08962d1e959e007533745236d5fc994abf2acb
Instruction Fuzzy Hash: AFF04C7171C1904BC715B6BC5C902BD6F5BAFC62307644379D405DF2D9CD648C864362

Uniqueness

Uniqueness Score: -1.00%

Function 05264710, Relevance: 1.3, Strings: 1, Instructions: 43COMMON

Download Yara Rule

Strings

X1(r, xrefs: 05264747

Memory Dump Source

Source File: 00000003.00000002.508950288.0000000005260000.00000040.00000001.sdmp, Offset: 05260000, based on PE: false

Similarity

API ID:
String ID: X1(r
API String ID: 0-3909273932
Opcode ID: 128ea3f9986a6fa2c15460e44cb52c169bd35310618ee12af389c31bc324ef55
Instruction ID: 6f0f64b47dfa3add2f6d4bb577ef480c1192803483d4c446c6f41edd654ca0b3
Opcode Fuzzy Hash: 128ea3f9986a6fa2c15460e44cb52c169bd35310618ee12af389c31bc324ef55
Instruction Fuzzy Hash: 57F02B363602908BCE2673BD541037E32CB9FC5655F84003ED149C7780DD66CC8143D1

Uniqueness

Uniqueness Score: -1.00%

Function 05266FF0, Relevance: 1.3, Strings: 1, Instructions: 43COMMON

Download Yara Rule

Strings

Hu&r, xrefs: 05267023

Memory Dump Source

Source File: 00000003.00000002.508950288.0000000005260000.00000040.00000001.sdmp, Offset: 05260000, based on PE: false

Similarity

API ID:
String ID: Hu&r
API String ID: 0-1342936641
Opcode ID: 71840a9523e27c1696fa7d91e82ac432f2b41dd52020ff67d60793085f8af805
Instruction ID: 667735d2caa0d36378279df01842d0c10928cc1f08bdb3679e57d8cdfb47f70b
Opcode Fuzzy Hash: 71840a9523e27c1696fa7d91e82ac432f2b41dd52020ff67d60793085f8af805
Instruction Fuzzy Hash: D0F046B2B2815083C650A97C7C447BD2B8BEFC0228F68832994099F2C8ED608C4A03A2

Uniqueness

Uniqueness Score: -1.00%

Function 05267000, Relevance: 1.3, Strings: 1, Instructions: 40COMMON

Download Yara Rule

Strings

Hu&r, xrefs: 05267023

Memory Dump Source

Source File: 00000003.00000002.508950288.0000000005260000.00000040.00000001.sdmp, Offset: 05260000, based on PE: false

Similarity

API ID:
String ID: Hu&r
API String ID: 0-1342936641
Opcode ID: b95dfeb6a72260f894a720cdfb733ee6a2215d050424af329d4a00d715dcb65c
Instruction ID: d95d576eead7ecff9928bebe700eca97b83295f3a97e92373613ff8f7c869b6e
Opcode Fuzzy Hash: b95dfeb6a72260f894a720cdfb733ee6a2215d050424af329d4a00d715dcb65c
Instruction Fuzzy Hash: BCF0BE7172811057C654A66D7C90A3E6A8BEFC5278B688239A41A9B3C8DD518C4543B6

Uniqueness

Uniqueness Score: -1.00%

Function 05265B42, Relevance: 1.3, Strings: 1, Instructions: 36COMMON

Download Yara Rule

Strings

=Ryq^, xrefs: 05265B60, 05265B65

Memory Dump Source

Source File: 00000003.00000002.508950288.0000000005260000.00000040.00000001.sdmp, Offset: 05260000, based on PE: false

Similarity

API ID:
String ID: =Ryq^
API String ID: 0-2530806723
Opcode ID: 85de106a51fc4a41329b42fb99ed06c2d1e12ad1ee9d0c901bcb2b1083dc448e
Instruction ID: 2f48cf7dfa5710e4aa5cfabda1e8e837cb7c2a7d1bcade7294080d3df9937aec
Opcode Fuzzy Hash: 85de106a51fc4a41329b42fb99ed06c2d1e12ad1ee9d0c901bcb2b1083dc448e
Instruction Fuzzy Hash: FBF02729A582D00FD316567C98608F93FB89ED312435944EB9859CB352C80A4C078791

Uniqueness

Uniqueness Score: -1.00%

Function 05265B50, Relevance: 1.3, Strings: 1, Instructions: 19COMMON

Download Yara Rule

Strings

=Ryq^, xrefs: 05265B60, 05265B65

Memory Dump Source

Source File: 00000003.00000002.508950288.0000000005260000.00000040.00000001.sdmp, Offset: 05260000, based on PE: false

Similarity

API ID:
String ID: =Ryq^
API String ID: 0-2530806723
Opcode ID: 7ad6a50e1e6465be1c367487d3976f52cd378a5db00cd83d649bcafa362f26a6
Instruction ID: 7eccccb30a82400249396d28ea15fe7f1b2cb256c845845e6f3edb1c7009cb88
Opcode Fuzzy Hash: 7ad6a50e1e6465be1c367487d3976f52cd378a5db00cd83d649bcafa362f26a6
Instruction Fuzzy Hash: D5D0A7387401256BE504A5ADE850D7AB38EDBC5564305885EA90ED7340CD63DC0247D0

Uniqueness

Uniqueness Score: -1.00%

Function 0526AE4F, Relevance: .3, Instructions: 259COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.508950288.0000000005260000.00000040.00000001.sdmp, Offset: 05260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0821f47e43fcba0dbcd1aaa1a48c3832dc79e2b16cf3d522471a907e0d2df771
Instruction ID: a40b216dc91b63d12aa2eb854231e6e0f07e07150b969732b157a4c7e3b1e1c9
Opcode Fuzzy Hash: 0821f47e43fcba0dbcd1aaa1a48c3832dc79e2b16cf3d522471a907e0d2df771
Instruction Fuzzy Hash: 2AC11375A1060ADFCB18CF68C584AAEFBB2FF88310F15C569D45AAB641D730E981CF94

Uniqueness

Uniqueness Score: -1.00%

Function 05263B6B, Relevance: .2, Instructions: 241COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.508950288.0000000005260000.00000040.00000001.sdmp, Offset: 05260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ca15056bd19a1feee22cadeee8e0a5cce81b3df682520cdb9dce44d8b3b96e8
Instruction ID: a1a68d90c7c00d739481bc3a223b847ba26ca0fbb0f80c242c812729e5a5415f
Opcode Fuzzy Hash: 4ca15056bd19a1feee22cadeee8e0a5cce81b3df682520cdb9dce44d8b3b96e8
Instruction Fuzzy Hash: 53917F32610115DFCF15CF98C8849ADBBB7FF58310B298995E509AF226C771ED92CB90

Uniqueness

Uniqueness Score: -1.00%

Function 05265BC0, Relevance: .2, Instructions: 241COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.508950288.0000000005260000.00000040.00000001.sdmp, Offset: 05260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13305a7679ae0c5d74f13421bdef9794e33c108edd4187dc73ac13811716a850
Instruction ID: 3b39001e1460084092f0bc00834af860d629b63652186e29e53f5ac1ac16243f
Opcode Fuzzy Hash: 13305a7679ae0c5d74f13421bdef9794e33c108edd4187dc73ac13811716a850
Instruction Fuzzy Hash: DB817031A10619CFCF25CF14C894AAAB7B3BF85304F4584A5D90AAF215DB71AE86CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0526A78F, Relevance: .2, Instructions: 226COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.508950288.0000000005260000.00000040.00000001.sdmp, Offset: 05260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c147c8c9374288bee037ddf56900d2eacb1ea9039411a747be4c0650954f77e
Instruction ID: 4d2e2f7896b139eb18450494827c5317ce12c52817b715d07badc7d4acbc5108
Opcode Fuzzy Hash: 6c147c8c9374288bee037ddf56900d2eacb1ea9039411a747be4c0650954f77e
Instruction Fuzzy Hash: 928180B0B00616CBD708EBA8C99466EBBB7FFC4304F61852DD1069B698DF70AD06C795

Uniqueness

Uniqueness Score: -1.00%

Function 0526E1B8, Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.508950288.0000000005260000.00000040.00000001.sdmp, Offset: 05260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3b6bcbf1317920f79a8df712eb8e1d5604e0999e758dbd92c527e603011607a
Instruction ID: d30543e585f41c6a1fc5a6d9cf64b3eadce3610b062ef518829d271315ebab90
Opcode Fuzzy Hash: c3b6bcbf1317920f79a8df712eb8e1d5604e0999e758dbd92c527e603011607a
Instruction Fuzzy Hash: AE712938A24205DFDB18DF69C484BAABBF6BF48310F158459E456A7660DB70E8C1CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0526DA50, Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.508950288.0000000005260000.00000040.00000001.sdmp, Offset: 05260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26bb7d3a5d717c8a7b68b942811ed45d8a93555ba82ee28147c34b1f1d4be71c
Instruction ID: 54ce85a8a0c51a181ebaecdabc65d79f1fc9c2191ffd539058c1da1bf1267324
Opcode Fuzzy Hash: 26bb7d3a5d717c8a7b68b942811ed45d8a93555ba82ee28147c34b1f1d4be71c
Instruction Fuzzy Hash: 5A51B371B24109DFCF04DFA8C8948AEB7B7FF84300B158465E80AAF254DB70AD85CB95

Uniqueness

Uniqueness Score: -1.00%

Function 05267168, Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.508950288.0000000005260000.00000040.00000001.sdmp, Offset: 05260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fbe9ae6b2f1751cb5f906334a168039c2eb70c6c091e84c64b2ef284e59bb64
Instruction ID: bdedfcb24a5bef221c93efc61271d883a6c1556231ca8829d2e1f7b3386f77f9
Opcode Fuzzy Hash: 7fbe9ae6b2f1751cb5f906334a168039c2eb70c6c091e84c64b2ef284e59bb64
Instruction Fuzzy Hash: 8831193192065ACFDF15CF64D854ADABBB2EF85304F558494D909BB204DBB06A8ACF80

Uniqueness

Uniqueness Score: -1.00%

Function 05266CD0, Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.508950288.0000000005260000.00000040.00000001.sdmp, Offset: 05260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fc93fcc374ed005d70fc7fb913b55e0fe9e98dbce56ee293bc4cf5bf2faf589
Instruction ID: 15d90b59ac5d714f8f5ad2acdb5c822c87cc6286cfbf60c7461d71f12b05879c
Opcode Fuzzy Hash: 9fc93fcc374ed005d70fc7fb913b55e0fe9e98dbce56ee293bc4cf5bf2faf589
Instruction Fuzzy Hash: D8512D71B102158BCB18DBBDC454AAEB7F7AF88310B158569C40AAB349DF75ED42CB90

Uniqueness

Uniqueness Score: -1.00%

Function 052676A8, Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.508950288.0000000005260000.00000040.00000001.sdmp, Offset: 05260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37c6831167dbd64ed20eb9cdeb3fb3b4a21907f712c8e3b851b16809e11f143f
Instruction ID: 0000ca73720d854ab2efb1480f4d5d252e8e045dc94011154c6a821073c62446
Opcode Fuzzy Hash: 37c6831167dbd64ed20eb9cdeb3fb3b4a21907f712c8e3b851b16809e11f143f
Instruction Fuzzy Hash: 785123B4D10208DFCB25CFA9D984A9CBBF1FF48314F24866AD45AA7294E7316D85CF41

Uniqueness

Uniqueness Score: -1.00%

Function 05267979, Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.508950288.0000000005260000.00000040.00000001.sdmp, Offset: 05260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d4adb057f5da36614e051cfa8f9c1a8e07cb0f12c379d0337c9a8dd528390a3
Instruction ID: 037195847bdcc893c52e7da45f039a9e56a9e97d33ce4314e1df3c7b25eb0bca
Opcode Fuzzy Hash: 1d4adb057f5da36614e051cfa8f9c1a8e07cb0f12c379d0337c9a8dd528390a3
Instruction Fuzzy Hash: F3517B34A10216CFCB14DB78D588AADBBF2FF85304F2482B9D40ADB295DB349C81CB61

Uniqueness

Uniqueness Score: -1.00%

Function 05260BC0, Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.508950288.0000000005260000.00000040.00000001.sdmp, Offset: 05260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc01748ff69a44d9fabd4eea5d3bccf4cef7c9df7c67d1dcfbca3aaf44b16d3a
Instruction ID: 33e5a07f16aac7eecf8524047afd3f5b3cc0567b28e994334a3d8cc45fb83ca0
Opcode Fuzzy Hash: fc01748ff69a44d9fabd4eea5d3bccf4cef7c9df7c67d1dcfbca3aaf44b16d3a
Instruction Fuzzy Hash: 2141B432B241048FC715CB68C418AAE7BEBEFC5310F15806AE906AF395CEB69C469791

Uniqueness

Uniqueness Score: -1.00%

Function 05267FA0, Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.508950288.0000000005260000.00000040.00000001.sdmp, Offset: 05260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3065704baa9846f5f020cee4361ae975b3544db7b4e527e7874aa0a213bd8b00
Instruction ID: d34226f593aa83577b115d5fac2a1769b0e893d1a4bcebeac97cf0bbf679298c
Opcode Fuzzy Hash: 3065704baa9846f5f020cee4361ae975b3544db7b4e527e7874aa0a213bd8b00
Instruction Fuzzy Hash: CD41E231624107DFCB00CB68D5849AEF7F2FF84314F248576E8198B251D772E896CB91

Uniqueness

Uniqueness Score: -1.00%

Function 05268CB8, Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.508950288.0000000005260000.00000040.00000001.sdmp, Offset: 05260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17cbd7ea85d6fd93b66e20abf35bfa33d16128624ad82e1b025ab27047e84321
Instruction ID: 89c26105d84ab5a5d42473bd06637475ca3d9b0756036df7f027b2a05812ba78
Opcode Fuzzy Hash: 17cbd7ea85d6fd93b66e20abf35bfa33d16128624ad82e1b025ab27047e84321
Instruction Fuzzy Hash: 8031277163D291CFC719DB38C4A49757FF6EF42210B1884A6D48ACB692C6B58C85C762

Uniqueness

Uniqueness Score: -1.00%

Function 05266851, Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.508950288.0000000005260000.00000040.00000001.sdmp, Offset: 05260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d1b75dbf9979da61e0b3482a29178aff8722e8603c3793c1bb3a785f118f677
Instruction ID: 3e817dde953e7549b4b8e9ffcf98bce20fb3d84bd82f0ee5ea7043901e99895f
Opcode Fuzzy Hash: 9d1b75dbf9979da61e0b3482a29178aff8722e8603c3793c1bb3a785f118f677
Instruction Fuzzy Hash: A941BE38701300DFCB29EB69A1585AE7BE6FF8C200754807DE906A7789CF769C11CB51

Uniqueness

Uniqueness Score: -1.00%

Function 05266860, Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.508950288.0000000005260000.00000040.00000001.sdmp, Offset: 05260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7af5f61a80b27575512d8b34f79f5185b86b214baf197a63f01eb6c9852e8c51
Instruction ID: 39ca1181335cd3ca2b0b2631c38875b823471da6ee16287b5a97ace6c91aca21
Opcode Fuzzy Hash: 7af5f61a80b27575512d8b34f79f5185b86b214baf197a63f01eb6c9852e8c51
Instruction Fuzzy Hash: 37418E39701300DFCB29AB69A15856EBBE6FF8C200354806DE906A7789DF76AC51CB91

Uniqueness

Uniqueness Score: -1.00%

Function 052602D9, Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.508950288.0000000005260000.00000040.00000001.sdmp, Offset: 05260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: edd279d3932121e3ee6984f25197a768caad93496776854e1ad91b1fe1bc10af
Instruction ID: 8cd1d2142eddde49652308ae6ee29d3b2ebeeca7a250c8424ef0d23587879255
Opcode Fuzzy Hash: edd279d3932121e3ee6984f25197a768caad93496776854e1ad91b1fe1bc10af
Instruction Fuzzy Hash: 85417A70B10206CFDB18CB68C568BAE7BB3FF88311F144469D506AB3A1DB75AC85DB91

Uniqueness

Uniqueness Score: -1.00%

Function 0526AD38, Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.508950288.0000000005260000.00000040.00000001.sdmp, Offset: 05260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 931a673a5f4be1ddd9659b7f6dcaf10a2fc108e24088e23f0f3de278a93a369b
Instruction ID: a57b985158259daf5995ac94e22da419f5308b45780a303b3bccd08b7c6a5e50
Opcode Fuzzy Hash: 931a673a5f4be1ddd9659b7f6dcaf10a2fc108e24088e23f0f3de278a93a369b
Instruction Fuzzy Hash: 6C313771614711CFC309DB28C450B6DBB66FF81315F19C57ED14A9BA82CB74A846CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0526D928, Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.508950288.0000000005260000.00000040.00000001.sdmp, Offset: 05260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4829aa5223a520d17c45d885a9b51419dbd680f4457e966e412f2a97d0515a1
Instruction ID: 4a140a7561ef6b1465f64d25717afed3fb989932383eb58bd164f37c5d0d7947
Opcode Fuzzy Hash: c4829aa5223a520d17c45d885a9b51419dbd680f4457e966e412f2a97d0515a1
Instruction Fuzzy Hash: D1314A75B25209CFCB58DF68C584AAEFBF2BF48210F249569D40AE7240DB30DD82CB90

Uniqueness

Uniqueness Score: -1.00%

Function 052643C0, Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.508950288.0000000005260000.00000040.00000001.sdmp, Offset: 05260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b04f94680768aa1b0f2197917569d77a5a73751e7173900b44ef0a2d2ab28fd
Instruction ID: 9ab30e7a262af7e682342a3b8e0a5c432857d61463f2aca02b1cc8ae5d233a08
Opcode Fuzzy Hash: 2b04f94680768aa1b0f2197917569d77a5a73751e7173900b44ef0a2d2ab28fd
Instruction Fuzzy Hash: D031F231610205DFCB25EF68E948CAD7BF2FF85304B1481A9E4029B269D776AC66DB90

Uniqueness

Uniqueness Score: -1.00%

Function 0526DA41, Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.508950288.0000000005260000.00000040.00000001.sdmp, Offset: 05260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96e5320b451183e4484d8ff9397c1cbbbd1e3e841425f21c8e8dbd29edd583e5
Instruction ID: 280fe87f7776630abdf0b88640e61fabe54b5948435cc0bbf0c442ad2b7a024b
Opcode Fuzzy Hash: 96e5320b451183e4484d8ff9397c1cbbbd1e3e841425f21c8e8dbd29edd583e5
Instruction Fuzzy Hash: 6931B175B2820DDFCB08DFA8C8548EDBBB7FF84300B144429E50AAB260DB719D85CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0526E499, Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.508950288.0000000005260000.00000040.00000001.sdmp, Offset: 05260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fdfbf8c969830630f2d2e9be064597951ef16a0a6d7b73f78ab03751e51f4ff3
Instruction ID: 4bcc49370cd6c0342d974c2c308a90482c1fdc2be97d1d602ef3db92089db642
Opcode Fuzzy Hash: fdfbf8c969830630f2d2e9be064597951ef16a0a6d7b73f78ab03751e51f4ff3
Instruction Fuzzy Hash: D2414774624B52CFD339CB3AC544767B7E6BF84305F05886EC09B86AA0EB75E485CB01

Uniqueness

Uniqueness Score: -1.00%

Function 052645C8, Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.508950288.0000000005260000.00000040.00000001.sdmp, Offset: 05260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 923cd7ea55c06bb28f238cdf1901fbd05683a8c99e9c8898f2c1160ccc7cfb2c
Instruction ID: 37baaf837003366e079ed02a3493ccf748d70e5c25d61f59146f5f53dfd28480
Opcode Fuzzy Hash: 923cd7ea55c06bb28f238cdf1901fbd05683a8c99e9c8898f2c1160ccc7cfb2c
Instruction Fuzzy Hash: 4D217171B2011AABDF54EAA8DD81AFFB7BAFF88204F104129D619D3140EAB0995487A1

Uniqueness

Uniqueness Score: -1.00%

Function 05266CC0, Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.508950288.0000000005260000.00000040.00000001.sdmp, Offset: 05260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 133db4acf24315b7a4fe26930df561470dc6a62d0be3e6e0bde04a5b34323e23
Instruction ID: 0f3fd199d132b441bb1c8a4f3aadcd0304be7fba09f945ffe68301d4c49255c2
Opcode Fuzzy Hash: 133db4acf24315b7a4fe26930df561470dc6a62d0be3e6e0bde04a5b34323e23
Instruction Fuzzy Hash: 2F314931F102198FCB18DBB9C5549EEBBF2FF89300F148569C81AAB255DB71AD46CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0526D6F8, Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.508950288.0000000005260000.00000040.00000001.sdmp, Offset: 05260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c18b33e67615ae88d8bdd13e2572247dc594b577829b6cad9a042bb34bb7d7d
Instruction ID: e788c2199d27ff19bbd94b739fa7575cbf4ff59eb0545c3bec72917e4091f448
Opcode Fuzzy Hash: 1c18b33e67615ae88d8bdd13e2572247dc594b577829b6cad9a042bb34bb7d7d
Instruction Fuzzy Hash: 45315C307007068FC755A778C45026E77E3BFC5208B68892CD0469B794DE7AA80BCB91

Uniqueness

Uniqueness Score: -1.00%

Function 052650E0, Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.508950288.0000000005260000.00000040.00000001.sdmp, Offset: 05260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 598cd09aa20f46a011de130f8de33e0ab04c353caedf8084158e628846a99889
Instruction ID: 72fc0066a4a1b3c7c7b88f03f29f949fdbce08c55f5df8a90bc4924568019478
Opcode Fuzzy Hash: 598cd09aa20f46a011de130f8de33e0ab04c353caedf8084158e628846a99889
Instruction Fuzzy Hash: 94214B71B103099BDB04DFA9C4146AEFBF7AF89300F518569D40AAB255EBB4A985CB80

Uniqueness

Uniqueness Score: -1.00%

Function 0526D738, Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.508950288.0000000005260000.00000040.00000001.sdmp, Offset: 05260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 326646fc55783da6bb0fb2ba03203903819825ee0b811cd34f8784af901ffa9b
Instruction ID: 28ac6c3f464bba43085959408774948f28ab23db704dd361178f037867c86b6c
Opcode Fuzzy Hash: 326646fc55783da6bb0fb2ba03203903819825ee0b811cd34f8784af901ffa9b
Instruction Fuzzy Hash: 84314D317007068FC755E779C45016E77E3BFC5209B68896CD0469F794DE7AA80BCB90

Uniqueness

Uniqueness Score: -1.00%

Function 05260006, Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.508950288.0000000005260000.00000040.00000001.sdmp, Offset: 05260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bdedad11f602a03d2d54a522e6cec8fd2b38e12ce74344323bdc75e0ef501c11
Instruction ID: eb3c85f1a1bcdf4b01364bbab402f959b0054b2ac5f06cec6f9c8f058730f076
Opcode Fuzzy Hash: bdedad11f602a03d2d54a522e6cec8fd2b38e12ce74344323bdc75e0ef501c11
Instruction Fuzzy Hash: 2931B1B0618382CFCB15DB74D8695193FB1FF41314F0588AED082CB296EA788C49CB12

Uniqueness

Uniqueness Score: -1.00%

Function 05268290, Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.508950288.0000000005260000.00000040.00000001.sdmp, Offset: 05260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6aa1ec9195aceb82f89185c4436cd5e5511adc99666a9f09c15844c71ce9cb25
Instruction ID: 74e0a70e99eadd94acc95c29193cfe0ec0975c639767aec05a0ff7860238cb87
Opcode Fuzzy Hash: 6aa1ec9195aceb82f89185c4436cd5e5511adc99666a9f09c15844c71ce9cb25
Instruction Fuzzy Hash: CC31B370D28385DFCB49CFA8C1556EE7FF2FF41304F14449AD4429B292D6748A92CB52

Uniqueness

Uniqueness Score: -1.00%

Function 0526DE9F, Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.508950288.0000000005260000.00000040.00000001.sdmp, Offset: 05260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81758b6faae24ed9eaf8bc9665bb153c90e949634b3e2cdfc54a471da79137d5
Instruction ID: ea9b3083e795e5ef7873dd814bfda513b824d8ebe58aaad69611142eb8a2af3d
Opcode Fuzzy Hash: 81758b6faae24ed9eaf8bc9665bb153c90e949634b3e2cdfc54a471da79137d5
Instruction Fuzzy Hash: AE313E70B10309CFCB58DF6985856AEBBF6BF88200F604439E50AA7790DA71D842CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0526AB30, Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.508950288.0000000005260000.00000040.00000001.sdmp, Offset: 05260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d74695967a430f4fefd3ec694399355d83ec98d71284cbe1b27830a1e82ae64
Instruction ID: f5b294d3c4688d36f0c5eae45df9214010e6fd4da7e4ae441054fb8a34e2add3
Opcode Fuzzy Hash: 8d74695967a430f4fefd3ec694399355d83ec98d71284cbe1b27830a1e82ae64
Instruction Fuzzy Hash: 8421F671F106698BCB08DBACC8544AEBBB6BF88314B144029E456E7384DB349D01C794

Uniqueness

Uniqueness Score: -1.00%

Function 052643D0, Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.508950288.0000000005260000.00000040.00000001.sdmp, Offset: 05260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bad00a138925862c2a489b7465e523db046d035e0848672d6f50e5f98a9d0c55
Instruction ID: 124dff429f3c3a4e9297e9db77eab50cf59190b50e3fad83e64ddeab410a1ead
Opcode Fuzzy Hash: bad00a138925862c2a489b7465e523db046d035e0848672d6f50e5f98a9d0c55
Instruction Fuzzy Hash: DD31D435210215DFCB21EF68E948CAD7BF2FF84304B1481A4E4069B269DB76AC65DF90

Uniqueness

Uniqueness Score: -1.00%

Function 0526CC00, Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.508950288.0000000005260000.00000040.00000001.sdmp, Offset: 05260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45e75fc927c8be77d2853a6dfcce5d59822d5a32af8f517f24915ee2ff7170b2
Instruction ID: b47875c48ea82707e2e4c890d40dee916a275bc8d95865dd70825334011fdda5
Opcode Fuzzy Hash: 45e75fc927c8be77d2853a6dfcce5d59822d5a32af8f517f24915ee2ff7170b2
Instruction Fuzzy Hash: CC21A035B24605CFC764EB78E51C2AE7BA7BF84301B10806AE84BD7298DF308D42CB55

Uniqueness

Uniqueness Score: -1.00%

Function 0526CC08, Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.508950288.0000000005260000.00000040.00000001.sdmp, Offset: 05260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5997d50af2e80bf33e56f3b75c7cac2dbe759b80dc0b28c9fd24f6c5dd689bce
Instruction ID: b993dece62657c6a4d600059fa900938d5e0c24ad9ed30fe3f57903e872f824a
Opcode Fuzzy Hash: 5997d50af2e80bf33e56f3b75c7cac2dbe759b80dc0b28c9fd24f6c5dd689bce
Instruction Fuzzy Hash: 4521AD35B24605CBC764EB78E52D16E7BABFF84302B10806AE84BD7298DF349D41CB45

Uniqueness

Uniqueness Score: -1.00%

Function 0526667F, Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.508950288.0000000005260000.00000040.00000001.sdmp, Offset: 05260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56c5b17ebc0106e6ff0e89e9842f4e7b7c79755181f7febd0fa175643e4db40b
Instruction ID: 73a6f2c5f400d68e981567b7f88a3a1e2d0ccaf3ce6a4c8d1e3a87169d831afd
Opcode Fuzzy Hash: 56c5b17ebc0106e6ff0e89e9842f4e7b7c79755181f7febd0fa175643e4db40b
Instruction Fuzzy Hash: 46319E34710306DBC724AB78E1585AD3BB6FF81288351996DD20A8B788DF769C06CB85

Uniqueness

Uniqueness Score: -1.00%

Function 0526A180, Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.508950288.0000000005260000.00000040.00000001.sdmp, Offset: 05260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7295de29ab043c12f94ff377f108f281e5fbb117194154a506680f290fc7773a
Instruction ID: 5ead0d37da01a05fd89ffc43e5ccd1e21768916a39e74e3c3667e7302598e06b
Opcode Fuzzy Hash: 7295de29ab043c12f94ff377f108f281e5fbb117194154a506680f290fc7773a
Instruction Fuzzy Hash: AA216A30B24216DBCB24DF78D850AAEB7B6FF84744F508969D407BB244EB75AC81C790

Uniqueness

Uniqueness Score: -1.00%

Function 05266F10, Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.508950288.0000000005260000.00000040.00000001.sdmp, Offset: 05260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fe2dd2897cbde4368efa210aa3e1d074740a7cfa6edd2dfa54424cf2ce2d2c0
Instruction ID: 568902548addf6412b2d3e9faf9c7854e394fa62fa848f0bfb0b7b877e6948b5
Opcode Fuzzy Hash: 5fe2dd2897cbde4368efa210aa3e1d074740a7cfa6edd2dfa54424cf2ce2d2c0
Instruction Fuzzy Hash: 7021DE70B341429BCB18E7BA9814A7FBBEBAFC9244B50457ED407DB256DDB1AC0183A1

Uniqueness

Uniqueness Score: -1.00%

Function 052621E8, Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.508950288.0000000005260000.00000040.00000001.sdmp, Offset: 05260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b8c4199d36253201142e39307efb120eba4db753d706d3832fdccbe981b22cb
Instruction ID: 320503456e8b2fd26c886990f30208fa1e9a6651b4c1c5c6e18331128d65ba97
Opcode Fuzzy Hash: 2b8c4199d36253201142e39307efb120eba4db753d706d3832fdccbe981b22cb
Instruction Fuzzy Hash: DA313C34D2820ADFCB54DFA8C1456BEBBF2FF45304F1045AAC406A72A4D7759E85CB52

Uniqueness

Uniqueness Score: -1.00%

Function 052625DE, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.508950288.0000000005260000.00000040.00000001.sdmp, Offset: 05260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9168e718bcac15c3ff02482df5aa4b5e2b9218fc6c557cf3de93b25d1d267957
Instruction ID: af921fc30872dfd45a42583e062d5fce0519be87260ca96dddf5cd3e5473a58f
Opcode Fuzzy Hash: 9168e718bcac15c3ff02482df5aa4b5e2b9218fc6c557cf3de93b25d1d267957
Instruction Fuzzy Hash: 67316B78E1024ACFDB70CF69D544A5ABBB2FF84314F21C129C0499B258DBB49889DF81

Uniqueness

Uniqueness Score: -1.00%

Function 05264F10, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.508950288.0000000005260000.00000040.00000001.sdmp, Offset: 05260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 424fab5f96d0e98766e15f706b2c5cc04ecc4f5060d9f91ec11d874f064e86b0
Instruction ID: e3a5bd8de35b19a45b7906c21fd4db8504cef440d85fb9498cc8f87bdee27821
Opcode Fuzzy Hash: 424fab5f96d0e98766e15f706b2c5cc04ecc4f5060d9f91ec11d874f064e86b0
Instruction Fuzzy Hash: 9921CF31338246DFCB14E668EAC48B93B63FFC0311710852AD0928B959CBF96C9287D2

Uniqueness

Uniqueness Score: -1.00%

Function 052686A6, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.508950288.0000000005260000.00000040.00000001.sdmp, Offset: 05260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a4287a12cd30ad5826b45ca23de7391bab286db0c9e67085ad61ee03bb67f31
Instruction ID: bf5a33bee16a2d2de65bd52fc047408b1bbe660cd0252fb4390dbcad90b590b5
Opcode Fuzzy Hash: 8a4287a12cd30ad5826b45ca23de7391bab286db0c9e67085ad61ee03bb67f31
Instruction Fuzzy Hash: B33165B0A2434ACFDB18DF6AD54469AFBE2BF84304F10C669D409AF254DBB49885CF85

Uniqueness

Uniqueness Score: -1.00%

Function 052648B9, Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.508950288.0000000005260000.00000040.00000001.sdmp, Offset: 05260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 636b61c67efe3a1a59a2d52aa961961a9fc759ae80927a0a0abe2ba32589cef4
Instruction ID: a250104003a2474faa0d87cd1f5386c3e934b1b1bb9c5e8810a3509ba16030b1
Opcode Fuzzy Hash: 636b61c67efe3a1a59a2d52aa961961a9fc759ae80927a0a0abe2ba32589cef4
Instruction Fuzzy Hash: 2411EE32A652549FCF05EA78C8D05FE7BB7AFC5320B04457AD886BB241DE241E8687A0

Uniqueness

Uniqueness Score: -1.00%

Function 0526AB21, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.508950288.0000000005260000.00000040.00000001.sdmp, Offset: 05260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c12e7261413b1be8354aedc67cf2839b2bc0c455f50a944a0074c5684875fead
Instruction ID: a46265d8a3927f333ecc408190e5d5c18502995a9938942e622221fa9029b137
Opcode Fuzzy Hash: c12e7261413b1be8354aedc67cf2839b2bc0c455f50a944a0074c5684875fead
Instruction Fuzzy Hash: F4218172F102299BCB08CE99DC949AEFBB6FB88210F154129E816E3340D734ED45CB94

Uniqueness

Uniqueness Score: -1.00%

Function 02D10844, Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.503658634.0000000002D10000.00000040.00000040.sdmp, Offset: 02D10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce8b66c62255bbfca9398195d20e5776a32dce1b1b6fd8b256363d922989ed8f
Instruction ID: e5a24b6c92debd183424dbdbe11fd96ee2bf3d6c7444bf5223f7540010e39707
Opcode Fuzzy Hash: ce8b66c62255bbfca9398195d20e5776a32dce1b1b6fd8b256363d922989ed8f
Instruction Fuzzy Hash: 77315C3510D3C19FD717DB24D8A0B55BFB1AF47214F1E85DED8848F6A3C22A884ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 052650D0, Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.508950288.0000000005260000.00000040.00000001.sdmp, Offset: 05260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87d5aae5fb617cb082133b46525068b48ea2a3b33b6f9b42b549cb7d9226bc92
Instruction ID: 8db00a0d8b563877c6fd8b1ee62cb8f08c1bf9eb656ab7b5d0a269d493a6dfa3
Opcode Fuzzy Hash: 87d5aae5fb617cb082133b46525068b48ea2a3b33b6f9b42b549cb7d9226bc92
Instruction Fuzzy Hash: C3119D31E10309DFDF04CFA8C414AEEBFF2AF85310F604565C409AB611E7B5598ACB80

Uniqueness

Uniqueness Score: -1.00%

Function 05266F20, Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.508950288.0000000005260000.00000040.00000001.sdmp, Offset: 05260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10881dca260050925e8d5f4f1fb04bc9ec01ed8ab826fe8f2c06c5d4d0868483
Instruction ID: ef2cb7190e325b85f265772ad47ac487954a948ef393b6f245873e8fbed1e099
Opcode Fuzzy Hash: 10881dca260050925e8d5f4f1fb04bc9ec01ed8ab826fe8f2c06c5d4d0868483
Instruction Fuzzy Hash: 6E11E230730116ABCB08E7BE9854A3FBAEBAFC9640B90453D9407DB355DDB1AC4083A0

Uniqueness

Uniqueness Score: -1.00%

Function 052621F8, Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.508950288.0000000005260000.00000040.00000001.sdmp, Offset: 05260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a30cd66d4346233f057b017f62bdfc6a4d7b04d6914dc651390dac488dd9d48b
Instruction ID: b6327f85e7a9b278cef58e62db84c0fdebc04566a35501cf3b77e489e11b30db
Opcode Fuzzy Hash: a30cd66d4346233f057b017f62bdfc6a4d7b04d6914dc651390dac488dd9d48b
Instruction Fuzzy Hash: 38212C78E2820ADFCB54DFA8C1446BEBBB2FF44304F10406AC406A72A4D7759E84CB52

Uniqueness

Uniqueness Score: -1.00%

Function 0526A172, Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.508950288.0000000005260000.00000040.00000001.sdmp, Offset: 05260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f52f9df9033d365e2d57f1809f61b598f7929ca59a0ef24cc1977f12d967e8e1
Instruction ID: 14ed9b4f9696c0feba8b5bb81b42b91ae12bb1eb1c2557fdb58ef1d5ce4f5867
Opcode Fuzzy Hash: f52f9df9033d365e2d57f1809f61b598f7929ca59a0ef24cc1977f12d967e8e1
Instruction Fuzzy Hash: 0511B130B24215DBCB24DBB89951ABEBBB3BF84700F5045A9D402BB285EB75D88187A0

Uniqueness

Uniqueness Score: -1.00%

Function 0526DD40, Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.508950288.0000000005260000.00000040.00000001.sdmp, Offset: 05260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92dbf5d080d46c0c25123a99f15673ab19bd0c9c473e91e66d88a979a8de2a6d
Instruction ID: e36ced2ea3e878fd335d6e9fcacfb531d0277aad36b2cbb92b9661c4e6609d27
Opcode Fuzzy Hash: 92dbf5d080d46c0c25123a99f15673ab19bd0c9c473e91e66d88a979a8de2a6d
Instruction Fuzzy Hash: 6D2196B6B30109DFCB58EF68C5449BEBBF6EF88310B10816AD40AE7244D7719D91CB95

Uniqueness

Uniqueness Score: -1.00%

Function 05264511, Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.508950288.0000000005260000.00000040.00000001.sdmp, Offset: 05260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cdbcf044d67e8dc679200ec07c6b6221b8a1fbc6e4138b99bc963062b9d239b
Instruction ID: 76b02926b07c7f55bfb4ec3ccd605981926bd80ccb3efdeeee0392dcdd2bc8e1
Opcode Fuzzy Hash: 4cdbcf044d67e8dc679200ec07c6b6221b8a1fbc6e4138b99bc963062b9d239b
Instruction Fuzzy Hash: E311E732F141518BCF14DA6C94101FF7BB69FC6211F04417ED9469B250DAA59C568BD1

Uniqueness

Uniqueness Score: -1.00%

Function 05265000, Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.508950288.0000000005260000.00000040.00000001.sdmp, Offset: 05260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cb30e0399dda044f42294690e4cfb5f454721bc2c133133f7f4ffc2d9c50d48
Instruction ID: 9fbac59136fd3aefc8ed592a194553a203bca5bec9b0c7170a3d0aad36db792a
Opcode Fuzzy Hash: 0cb30e0399dda044f42294690e4cfb5f454721bc2c133133f7f4ffc2d9c50d48
Instruction Fuzzy Hash: E011D331B2421ACFCB54EBB8945067E7BE2EF88610B954075C90ADB384EF71DC428BD6

Uniqueness

Uniqueness Score: -1.00%

Function 0526ACB8, Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.508950288.0000000005260000.00000040.00000001.sdmp, Offset: 05260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1da1bd6dce76bb17f34276f876c45c599eb7122873bf88de1a15b3e4d162a581
Instruction ID: a4349f09e832b765360ea4c8c71eb78031427e697119adaafbf2bb7e153b3729
Opcode Fuzzy Hash: 1da1bd6dce76bb17f34276f876c45c599eb7122873bf88de1a15b3e4d162a581
Instruction Fuzzy Hash: 59110C32214294DBC725616C9814A6D7B56FFC2771F5D803FE409976C0CB299C85C3EA

Uniqueness

Uniqueness Score: -1.00%

Function 02D1087C, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.503658634.0000000002D10000.00000040.00000040.sdmp, Offset: 02D10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9502e445d24f6db48b228ee54ce7129058d9f14a63d39d1ada3b77bf23aa1871
Instruction ID: 64e83eb555e3ef45c27411e240a732d969c8a136715a686202d8af724b37f3d9
Opcode Fuzzy Hash: 9502e445d24f6db48b228ee54ce7129058d9f14a63d39d1ada3b77bf23aa1871
Instruction Fuzzy Hash: A211E734208244EFE705EB54E840B26BB95EB88709F28C59CED891BB42C377DC43CA51

Uniqueness

Uniqueness Score: -1.00%

Function 052611DF, Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.508950288.0000000005260000.00000040.00000001.sdmp, Offset: 05260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 571fbb56c51372d13a28b15e81dc5132d723c92866ff8c6a93a07e7c54841bfe
Instruction ID: 7ae2509103c88b7e9c5d532b1493b5866fdeaf7683dfd042efe5daa777b923c6
Opcode Fuzzy Hash: 571fbb56c51372d13a28b15e81dc5132d723c92866ff8c6a93a07e7c54841bfe
Instruction Fuzzy Hash: FF1182307282A0CFC706DB3CD5689A97FF6AF9A20071540EAD046CB676CBA55C5ACB51

Uniqueness

Uniqueness Score: -1.00%

Function 0526DD37, Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.508950288.0000000005260000.00000040.00000001.sdmp, Offset: 05260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 587ac1926197818c56f5e08c4197c37058692453935b866db949fb782d35075c
Instruction ID: e6d7fedfad72f0502e5c09cc9eb938fa85ea0114ea34499994121cc6f33cac6f
Opcode Fuzzy Hash: 587ac1926197818c56f5e08c4197c37058692453935b866db949fb782d35075c
Instruction Fuzzy Hash: 9311FEF6B24109DFCB58EF58C545AFAB7F6FF48311B1081AAD41AE3200D371A991CB95

Uniqueness

Uniqueness Score: -1.00%

Function 05264FF0, Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.508950288.0000000005260000.00000040.00000001.sdmp, Offset: 05260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2a26b805063d2b93c52bcce7510a5f08dd3a7b53216449bd2f3170b9e7c6f3c
Instruction ID: fe6d8b4ef2d68e63d05964a4eda228529a22b5d15fe5bc9585e3871c9b39ba70
Opcode Fuzzy Hash: b2a26b805063d2b93c52bcce7510a5f08dd3a7b53216449bd2f3170b9e7c6f3c
Instruction Fuzzy Hash: DB01C431B24216CFCB50DABC98106FE7BF5EF89120B944136C509D7641D77588828BD1

Uniqueness

Uniqueness Score: -1.00%

Function 05264789, Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.508950288.0000000005260000.00000040.00000001.sdmp, Offset: 05260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a1beee7d3195301358fb054d811113068ebfb8daee560791f1d4359c64cbc6c
Instruction ID: 22fe8f7eec1b31065deb32705adda9f973cb617d3d1913dc7a08b5cddb45265a
Opcode Fuzzy Hash: 6a1beee7d3195301358fb054d811113068ebfb8daee560791f1d4359c64cbc6c
Instruction Fuzzy Hash: 32016D31F402088FCB95EBBC98102EE7FF6AF99310F60457AC449E7645EA358942C791

Uniqueness

Uniqueness Score: -1.00%

Function 0137AC08, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.503364528.0000000001372000.00000040.00000001.sdmp, Offset: 01372000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cc87e4efc5c4e6b6a12c10dbdc9af00f8d62cbdbe7d57237a10432840fd455f
Instruction ID: 5395d46e76123750005c876043dfa68f53041f06d28d5f514645602549b00df0
Opcode Fuzzy Hash: 4cc87e4efc5c4e6b6a12c10dbdc9af00f8d62cbdbe7d57237a10432840fd455f
Instruction Fuzzy Hash: 7011ECB5508301AFD350CF19D880A5BFBE8EB88660F04892EFD9997311D231E9148BA2

Uniqueness

Uniqueness Score: -1.00%

Function 0526238F, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.508950288.0000000005260000.00000040.00000001.sdmp, Offset: 05260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b187c89822ff464607034e42f9c943224aeeb7c713b5913f01ed0c00f868b134
Instruction ID: 66ab567e4d90e825b15e3254c4d08e9ea7c97eab99349217a15f763811d103d6
Opcode Fuzzy Hash: b187c89822ff464607034e42f9c943224aeeb7c713b5913f01ed0c00f868b134
Instruction Fuzzy Hash: B8118C7492825ACFCB28CFA8D5506AE7FB2FF44300F10406AC142AB740DBB10882CB51

Uniqueness

Uniqueness Score: -1.00%

Function 052676A2, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.508950288.0000000005260000.00000040.00000001.sdmp, Offset: 05260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad625bba99d113ba20a2415b870f7a34e2fcb1ebf01e5fedcd6e3f1dd736d779
Instruction ID: 698fc5b91a8bb29052aee90e36332513fec0968fa56a65f1993d0dfaca785704
Opcode Fuzzy Hash: ad625bba99d113ba20a2415b870f7a34e2fcb1ebf01e5fedcd6e3f1dd736d779
Instruction Fuzzy Hash: 7611CE31914244DFDB21CB68E408AEABBF2FF48314F2845AAD512A7260D7766D85CF92

Uniqueness

Uniqueness Score: -1.00%

Function 052675B8, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.508950288.0000000005260000.00000040.00000001.sdmp, Offset: 05260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d738da1eaf982454b3a0b7562d768cf57ddf194a77d87973258fa79c5b52e71
Instruction ID: 889b1d53fc9c0a87c9ad9eb783a2d8a29e2514d3ff8838986239358a9633e39a
Opcode Fuzzy Hash: 0d738da1eaf982454b3a0b7562d768cf57ddf194a77d87973258fa79c5b52e71
Instruction Fuzzy Hash: 4301B531A28145DBCB15DA68E550ABFBBB3EF84218F18406EC417A7240CBB5AD418BD1

Uniqueness

Uniqueness Score: -1.00%

Function 0526D457, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.508950288.0000000005260000.00000040.00000001.sdmp, Offset: 05260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 105e554b72f370a34e863079c549c12f06372b9747e73128be519cc5f8de5f55
Instruction ID: 3c39476ce47687ac2981a880976dc0e007037f81a8140a542006403c8138d51b
Opcode Fuzzy Hash: 105e554b72f370a34e863079c549c12f06372b9747e73128be519cc5f8de5f55
Instruction Fuzzy Hash: 3901D471B202159FCB282BB9A40C56F7AEFBFC9724710443DE406D7344DD718C0187A0

Uniqueness

Uniqueness Score: -1.00%

Function 0526D458, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.508950288.0000000005260000.00000040.00000001.sdmp, Offset: 05260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d3f65df37601089e8a19a78445f99b2e57482178aca0a0addd4e023e25e201e
Instruction ID: 8c612a33615ee2b088c9769c50305fb1cb8107e02dcb940bc66c18b17c972276
Opcode Fuzzy Hash: 6d3f65df37601089e8a19a78445f99b2e57482178aca0a0addd4e023e25e201e
Instruction Fuzzy Hash: F901A271720265ABCB282BB9A81C52F7AEFFFC9664B104839E40AD7345DD759C4187A0

Uniqueness

Uniqueness Score: -1.00%

Function 05269EB8, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.508950288.0000000005260000.00000040.00000001.sdmp, Offset: 05260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07ca436bfa5db258ff38885e74ae6c30e31fa8dfff26fd50a9e9d286431df452
Instruction ID: f15fe3983239faf4d1ac4b1946280ac8cf6de0144748c7dec11a8ac2402b41cb
Opcode Fuzzy Hash: 07ca436bfa5db258ff38885e74ae6c30e31fa8dfff26fd50a9e9d286431df452
Instruction Fuzzy Hash: 72019E32A28146DBCB14DA58D890BBFBBB6AF84210F15446BC01BA7640CFB1ADC187D1

Uniqueness

Uniqueness Score: -1.00%

Function 052675A9, Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.508950288.0000000005260000.00000040.00000001.sdmp, Offset: 05260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e59f1b9fb5ab7ee8e94eb90a0bb98ba9f4628ec0bf572dbdda2a41e63beea39
Instruction ID: ac4c3722c2c15ab1a8b558c00b6ff29b8c13de5254d617b9dee4a8ffc29cece2
Opcode Fuzzy Hash: 6e59f1b9fb5ab7ee8e94eb90a0bb98ba9f4628ec0bf572dbdda2a41e63beea39
Instruction Fuzzy Hash: 2E01C030A28184CBDB25CA28A5A4BBB7BF2DF85208F1C009DC457A7240CAA5AD418BC1

Uniqueness

Uniqueness Score: -1.00%

Function 02D105AF, Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.503658634.0000000002D10000.00000040.00000040.sdmp, Offset: 02D10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ea9d22fbeee4ee6553129ea3cee8332bb7e68216ae58f9fb7621453acc39b47
Instruction ID: 24ccf0f4cd6b69ccbadaa398b5c80c0874f1df233a8aedf267263314faad2342
Opcode Fuzzy Hash: 6ea9d22fbeee4ee6553129ea3cee8332bb7e68216ae58f9fb7621453acc39b47
Instruction Fuzzy Hash: E901ACB25097C46FD7128B15EC51862FFB8EF87620708C4DFEC898B612D165B908CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0526A540, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.508950288.0000000005260000.00000040.00000001.sdmp, Offset: 05260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efe73314da64f68bf379e84e385a5ea01976d0f58e5bb223d80d7bcd9e3a268c
Instruction ID: c6e40bc9352f1694b5bfb2621ff5c0f776bc8393aff322da662456849ed77ac4
Opcode Fuzzy Hash: efe73314da64f68bf379e84e385a5ea01976d0f58e5bb223d80d7bcd9e3a268c
Instruction Fuzzy Hash: 6D011A75F142199ECF50EBACA9097AEBBF5FB88210F10052AD518E2280EB315A408BD5

Uniqueness

Uniqueness Score: -1.00%

Function 02D105CF, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.503658634.0000000002D10000.00000040.00000040.sdmp, Offset: 02D10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac67340c924b14f0097339c0e088b3a9ba2b2e61c704d9ebe6f4646f43dd5b8b
Instruction ID: 870497d43e55c92fd10d5103e3a067944907f743bf41302a48bf91391c1c4180
Opcode Fuzzy Hash: ac67340c924b14f0097339c0e088b3a9ba2b2e61c704d9ebe6f4646f43dd5b8b
Instruction Fuzzy Hash: 2C018FB250D7C06FD7128B16AC51862BFB8DF87620709C4DFE8898B613D125A809CB72

Uniqueness

Uniqueness Score: -1.00%

Function 05266588, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.508950288.0000000005260000.00000040.00000001.sdmp, Offset: 05260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 206d50a2d1e4e3a2f411b06c88ff9f150549fa181b9ca75a707fecc3d90fe8af
Instruction ID: 0912a946984595a4b8932697abd426ec69dec71450a34fe9cf3dc62387977668
Opcode Fuzzy Hash: 206d50a2d1e4e3a2f411b06c88ff9f150549fa181b9ca75a707fecc3d90fe8af
Instruction Fuzzy Hash: 7F012C71B102099EDB50DABDE945BFABBF4FF44210F10013AD518D3280EB75A9918BD1

Uniqueness

Uniqueness Score: -1.00%

Function 0526A530, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.508950288.0000000005260000.00000040.00000001.sdmp, Offset: 05260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac2f06f6ec5a48c69382d943b30aee8256ffa5bcbf6e80569a404cf20e3fd902
Instruction ID: a6576cf4f92bb722426988a6c211dbdd6f9df2022136a804d31e96c5323f00f6
Opcode Fuzzy Hash: ac2f06f6ec5a48c69382d943b30aee8256ffa5bcbf6e80569a404cf20e3fd902
Instruction Fuzzy Hash: 9A0171B1E142099FCF50EFBC99097BDBBF5FF48200F10092AD555E6281E73459418BE5

Uniqueness

Uniqueness Score: -1.00%

Function 05266578, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.508950288.0000000005260000.00000040.00000001.sdmp, Offset: 05260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4367dff5185282a24aff7c6ccab3d2876ed8ee1f408e7424f71f55e39c472c58
Instruction ID: 65f3d66a0173f1b4a5db3ff999e6d4216d6de5faf124a2923242043d8d311194
Opcode Fuzzy Hash: 4367dff5185282a24aff7c6ccab3d2876ed8ee1f408e7424f71f55e39c472c58
Instruction Fuzzy Hash: A8017CB1E102099FDB64DBB8A952BBABBF8FF44210F10407AC408D6280EB759D91CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 05269EB2, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.508950288.0000000005260000.00000040.00000001.sdmp, Offset: 05260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7e00e53cb5efb05dee05a0075f7b633d0149e235000e7bb0fb5c0d16674f291
Instruction ID: 0e562711e3d3b4d0962d4186e8d4daf0f0164c76e65eb6686b26f395d8b4c18a
Opcode Fuzzy Hash: b7e00e53cb5efb05dee05a0075f7b633d0149e235000e7bb0fb5c0d16674f291
Instruction Fuzzy Hash: 9C017C71A38146DBCB19CA68C5A5BBEBBB66F84200F15445AC407A7640CFB5ADC187C1

Uniqueness

Uniqueness Score: -1.00%

Function 0526A6B1, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.508950288.0000000005260000.00000040.00000001.sdmp, Offset: 05260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6987512bbff85db0ba59b06b4766a17f0e90978a86ec711df43ade2face57bcb
Instruction ID: 142f7423161202c2c6587bbb850d332de6c4a7c4ab2645a451d7d1289bb0f99c
Opcode Fuzzy Hash: 6987512bbff85db0ba59b06b4766a17f0e90978a86ec711df43ade2face57bcb
Instruction Fuzzy Hash: 3F01AD35310211DBC714E77CE41A6ED3BABEFC5210B148438E50ACB354DF769C468B8A

Uniqueness

Uniqueness Score: -1.00%

Function 05261218, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.508950288.0000000005260000.00000040.00000001.sdmp, Offset: 05260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 368c83637b21529526c4465681209d46e2a27cf07158f1b12928480233aaa74d
Instruction ID: 6217858052c8b6fbe600e28ba01d5707ed36d00ef43ea0b7848c68c2b859080f
Opcode Fuzzy Hash: 368c83637b21529526c4465681209d46e2a27cf07158f1b12928480233aaa74d
Instruction Fuzzy Hash: 57011D30324120CBC644DB2DD15896A77EBBFC9600B2540AAE406CB674CFB6AC598782

Uniqueness

Uniqueness Score: -1.00%

Function 05265BB0, Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.508950288.0000000005260000.00000040.00000001.sdmp, Offset: 05260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77f54f5baf47527054691019ef0e71775b518de5d66768dd4eb9fbace926f830
Instruction ID: eccbf02fc1635aa2327edf8bc157e2d9a069dd67a44023972597ced04ed69fb3
Opcode Fuzzy Hash: 77f54f5baf47527054691019ef0e71775b518de5d66768dd4eb9fbace926f830
Instruction Fuzzy Hash: A4F02431B342459FCF20823C68646FEBFB2DFD5260F8002B6C806D7641DB2A894382D1

Uniqueness

Uniqueness Score: -1.00%

Function 05267F90, Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.508950288.0000000005260000.00000040.00000001.sdmp, Offset: 05260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dba75e03ef62d64115c37d6be33a2d7c18ac265e7ee29f72c831454655370ccc
Instruction ID: 11e879f90c165722bcc5d8340675e407a65533d8b2d835cab3517a60db72fac5
Opcode Fuzzy Hash: dba75e03ef62d64115c37d6be33a2d7c18ac265e7ee29f72c831454655370ccc
Instruction Fuzzy Hash: B3F0C270A38206DFC701CB68A845CBFFFB2EF9521471845B7D111DB261D77188938791

Uniqueness

Uniqueness Score: -1.00%

Function 05262F99, Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.508950288.0000000005260000.00000040.00000001.sdmp, Offset: 05260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 125fac46d7ad3fd1089ed7c5d279f825399bc74a89874fb1c42205e37e50a978
Instruction ID: ebb38a439752a71c3c68cf1a8b5ca88f20504dff24f00caeab2e7ce185a76635
Opcode Fuzzy Hash: 125fac46d7ad3fd1089ed7c5d279f825399bc74a89874fb1c42205e37e50a978
Instruction Fuzzy Hash: 29F02830F102469FDF1087B8D4149EFBFF5EF81220B808975D805D7711EA3588078780

Uniqueness

Uniqueness Score: -1.00%

Function 05269058, Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.508950288.0000000005260000.00000040.00000001.sdmp, Offset: 05260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5945efde5fa3a1f109a54d90123ba5ede1edd7856246efa5bc61593682d2a8b6
Instruction ID: 5a6c54a11779cc3ee10409c5b17fa7a563466c1861e279b88480df4bbec10e25
Opcode Fuzzy Hash: 5945efde5fa3a1f109a54d90123ba5ede1edd7856246efa5bc61593682d2a8b6
Instruction Fuzzy Hash: C7F0F6B1F14106EBDF04A7B4D4556EEBBF6EF80250F608832D905DB215FE3588078B90

Uniqueness

Uniqueness Score: -1.00%

Function 0526A211, Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.508950288.0000000005260000.00000040.00000001.sdmp, Offset: 05260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 800c138777cf19a6dbb1ef1dd73e707ec0f0c92c3a9d4ad81b8c0c4b666d7802
Instruction ID: 7b27759cfc19f9e7b964df0bc201cd31e7b76646e1248bff69a005d414ba514d
Opcode Fuzzy Hash: 800c138777cf19a6dbb1ef1dd73e707ec0f0c92c3a9d4ad81b8c0c4b666d7802
Instruction Fuzzy Hash: 02F08130B1021ADBCB14EBB8E991EAEB762FF84604F108515D505AB289DB75DD518790

Uniqueness

Uniqueness Score: -1.00%

Function 05265FB8, Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.508950288.0000000005260000.00000040.00000001.sdmp, Offset: 05260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72a8fa36a74d273df2b2f225c2232a17c0efc9aa8ea7d1fc1c6324c7bba21640
Instruction ID: 01bd9b019a07ff9615bb79039073a1e4c3882e1446e18881352464d8cfc45044
Opcode Fuzzy Hash: 72a8fa36a74d273df2b2f225c2232a17c0efc9aa8ea7d1fc1c6324c7bba21640
Instruction Fuzzy Hash: 0DF02B30B342419FCB20837C58116FEBBF1AF86350F400177C906D3641DA65298286D1

Uniqueness

Uniqueness Score: -1.00%

Function 0526A6C0, Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.508950288.0000000005260000.00000040.00000001.sdmp, Offset: 05260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae7b656707a007db98b39891324b4c212b4ca12b1acdcb0febfb66851ce14f21
Instruction ID: 67e7fe44427b8cc8ff5d6a9e023a1d4512ff5a8dd546f8ae3c77cead47336c8d
Opcode Fuzzy Hash: ae7b656707a007db98b39891324b4c212b4ca12b1acdcb0febfb66851ce14f21
Instruction Fuzzy Hash: 8EF0D734320212DBC608FB7CE0184A93BABEFC42107108438E10ACB358DF729C828B8A

Uniqueness

Uniqueness Score: -1.00%

Function 02D105BF, Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.503658634.0000000002D10000.00000040.00000040.sdmp, Offset: 02D10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 199f8f3ad49a50c6df69518bcf979090930782d1f0e965673bb01668f6775898
Instruction ID: b3fec578fc8fd172cc7e0a51dcebeff6748d19b868eadb0b69d050adc1034461
Opcode Fuzzy Hash: 199f8f3ad49a50c6df69518bcf979090930782d1f0e965673bb01668f6775898
Instruction Fuzzy Hash: 56F0A4B6605684AFC711CF16EC41496FFE8EF85620708C86EED8D47A01D235B809CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 05265FC8, Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.508950288.0000000005260000.00000040.00000001.sdmp, Offset: 05260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af4124e84b1ccf701be2d2597b80b61edffea09b114af907db8d6a2e12974252
Instruction ID: 750c5a5d22776afc217576459dfeecedc5c95c6070989ce83b6f8bba27ca6bb5
Opcode Fuzzy Hash: af4124e84b1ccf701be2d2597b80b61edffea09b114af907db8d6a2e12974252
Instruction Fuzzy Hash: 3CF0E231B34215EBCF20D26999007BFBBE6AF85694F000076C90B93341EAA17E8192E2

Uniqueness

Uniqueness Score: -1.00%

Function 0526D448, Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.508950288.0000000005260000.00000040.00000001.sdmp, Offset: 05260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ea995ef4b5bc21d03d755392eddfe27e3d4b1dfcae98d701af73e64f25a094d
Instruction ID: bee985912e00c828c346bb95566149182c0727ee1fb67a447a979199aae2a9f4
Opcode Fuzzy Hash: 8ea995ef4b5bc21d03d755392eddfe27e3d4b1dfcae98d701af73e64f25a094d
Instruction Fuzzy Hash: 10F0B471B102258BDB182B7DA81836E76E6FF84710F10443ED00AD7284CD359C018790

Uniqueness

Uniqueness Score: -1.00%

Function 05269C81, Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.508950288.0000000005260000.00000040.00000001.sdmp, Offset: 05260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 077013504dd8c10bec8f787036597a3d2045f3c278a711342660aff14f1505e9
Instruction ID: 48f85c958c66cc5468e10ddb1ee7a2505769e68cb2aebf6931ec50f034c20708
Opcode Fuzzy Hash: 077013504dd8c10bec8f787036597a3d2045f3c278a711342660aff14f1505e9
Instruction Fuzzy Hash: EAF0F6326183818FC70593B894604A83FBBEFC721430984AFD04ACB651DF75884BC755

Uniqueness

Uniqueness Score: -1.00%

Function 05265700, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.508950288.0000000005260000.00000040.00000001.sdmp, Offset: 05260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5987c4dfe285697ae04f46377e0535a4c47e3e565c54b030696c0898785f4385
Instruction ID: e923ce63cfba9a49a91a144af68bc37293fc4187e81677270145e29b2a9e2193
Opcode Fuzzy Hash: 5987c4dfe285697ae04f46377e0535a4c47e3e565c54b030696c0898785f4385
Instruction Fuzzy Hash: 2AF059313286928FCB721B3D50951EABFD56F522603A841EFC0DAC7A17CA199492C756

Uniqueness

Uniqueness Score: -1.00%

Function 052645B9, Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.508950288.0000000005260000.00000040.00000001.sdmp, Offset: 05260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85e65802e426760416b52b482854a52cee6f70ee7e2f495239a57eb7ffe84af1
Instruction ID: 7afbd33ce927b4708f37a28f9b4023a4cc76e29db5a3095c02dee66ca3f869a4
Opcode Fuzzy Hash: 85e65802e426760416b52b482854a52cee6f70ee7e2f495239a57eb7ffe84af1
Instruction Fuzzy Hash: 84F0E931E443595FCB90DBAC5C45AFABFF8EF86220F1001BBD548D7152D22459168760

Uniqueness

Uniqueness Score: -1.00%

Function 0526E9C7, Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.508950288.0000000005260000.00000040.00000001.sdmp, Offset: 05260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77407c95d3ef73713b93be2bc56352e4dd8d3cf35e1c603c1c13fc3b25fa79dd
Instruction ID: 43ee94b6f730c438508a4e79ed7ce1bd8b01fa462c83a810029156c0ae53b9ff
Opcode Fuzzy Hash: 77407c95d3ef73713b93be2bc56352e4dd8d3cf35e1c603c1c13fc3b25fa79dd
Instruction Fuzzy Hash: 7CF0A73CB652954FCB54A77864584FD3B9DEF8521430584ABD90ACB341CD519C474791

Uniqueness

Uniqueness Score: -1.00%

Function 05260908, Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.508950288.0000000005260000.00000040.00000001.sdmp, Offset: 05260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de005085e950df104849f62ebee9e74746c9b5171c6f5cc018e5c36d1ce51854
Instruction ID: 1bf0902071d9bf0e877515d06e2dbef61b386b2389a94066814f0d515f05f1ea
Opcode Fuzzy Hash: de005085e950df104849f62ebee9e74746c9b5171c6f5cc018e5c36d1ce51854
Instruction Fuzzy Hash: 1DF0A73093A3948FD7A496F4489C5AF7FBB9F86640F0548B78943A7215D9E44C42A782

Uniqueness

Uniqueness Score: -1.00%

Function 05260918, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.508950288.0000000005260000.00000040.00000001.sdmp, Offset: 05260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b1adf0b012c9b02f2ab0e00732220f3f23969498957413e09aa1d60d91190d5
Instruction ID: 1efc7acd2cfa5ad6ff08934bcd2641c84da9a0c112fde267140276bb391f1ce0
Opcode Fuzzy Hash: 8b1adf0b012c9b02f2ab0e00732220f3f23969498957413e09aa1d60d91190d5
Instruction Fuzzy Hash: A6E0E532A3A2189ADB2095F898481AFBBABEF85A90F0044379A07A3304D9B0588566D1

Uniqueness

Uniqueness Score: -1.00%

Function 0526E147, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.508950288.0000000005260000.00000040.00000001.sdmp, Offset: 05260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfa804a0cc33ee90afcc1f68a8291e3e1e65003cfc922bd40ebe8b153665959d
Instruction ID: fe7743a358b5efc628cf54f815409beb7a06e98ac14fc096bb601e8d2dbea874
Opcode Fuzzy Hash: cfa804a0cc33ee90afcc1f68a8291e3e1e65003cfc922bd40ebe8b153665959d
Instruction Fuzzy Hash: ECF0E9BA93C3944BDB2581585C4C7A75F4E6F45361F2B05F6D48ADF182D9904CC0A351

Uniqueness

Uniqueness Score: -1.00%

Function 05269F40, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.508950288.0000000005260000.00000040.00000001.sdmp, Offset: 05260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54a3f1a6e8ff9c1235e6d2a8c244211a1015226a12173762fbbf82eae8e27074
Instruction ID: 865462a1125a19dcdc40479eb1d9175a79db92864e9c28118a5bc556fc7ee962
Opcode Fuzzy Hash: 54a3f1a6e8ff9c1235e6d2a8c244211a1015226a12173762fbbf82eae8e27074
Instruction Fuzzy Hash: CBF0E270B50215DBCB10EBA89C81BAE7726FFC4604F108454D505AF188DBA5DD5043A1

Uniqueness

Uniqueness Score: -1.00%

Function 05263BC4, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.508950288.0000000005260000.00000040.00000001.sdmp, Offset: 05260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e697831000db6a95dac937dce6118b83abeaa9e8944ed93def10d46b85d4626
Instruction ID: c7bc053ffbe85742322fcfc48511ace88594301907a30e27c1a1d79c80ee1547
Opcode Fuzzy Hash: 5e697831000db6a95dac937dce6118b83abeaa9e8944ed93def10d46b85d4626
Instruction Fuzzy Hash: 08F08C71B24218CFCB00DF9CE5859BDBBB2FF94310B214966D125DB284DFB5AD928782

Uniqueness

Uniqueness Score: -1.00%

Function 052646A9, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.508950288.0000000005260000.00000040.00000001.sdmp, Offset: 05260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c35bcb7f541ba18ae9bc49a32a510ae09afd9f695b5c1fc0a7f708e5cfbab1d
Instruction ID: 58db10b55e4343ef0b945ef04ee3ceee9a3cc107717d6cf35e8d4098c599722e
Opcode Fuzzy Hash: 7c35bcb7f541ba18ae9bc49a32a510ae09afd9f695b5c1fc0a7f708e5cfbab1d
Instruction Fuzzy Hash: FFF0A7316542508FCB6167BC60A41FD3FA69F82214B1400E6D086CF666D95ACC0387C2

Uniqueness

Uniqueness Score: -1.00%

Function 0526E0C8, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.508950288.0000000005260000.00000040.00000001.sdmp, Offset: 05260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a84c4abaf7c8cd503f9f592fe43b2e36aa32e1723d6ffa0885b56235e7c2014f
Instruction ID: a1799bcc77fc01c85fee1d81c3c4314931fa3017eae5ee9a34311cae0300d4a3
Opcode Fuzzy Hash: a84c4abaf7c8cd503f9f592fe43b2e36aa32e1723d6ffa0885b56235e7c2014f
Instruction Fuzzy Hash: 89E0ED392341515B8221E259842496B7BAEDFC1664312847ED86A8B201EE639C0647D1

Uniqueness

Uniqueness Score: -1.00%

Function 02D10938, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.503658634.0000000002D10000.00000040.00000040.sdmp, Offset: 02D10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 693b7c54016a59cdbfed5bf97d611671327a7796b2b33607a59a4987e9e37b45
Instruction ID: 9b64602a526d223f4b2b486a17d6826cee7da85620eee51713d9e3690d43b4c0
Opcode Fuzzy Hash: 693b7c54016a59cdbfed5bf97d611671327a7796b2b33607a59a4987e9e37b45
Instruction Fuzzy Hash: 26F0FB35108645DFC606DB40D940B15FBA6EB89718F24C6A9E9890BB56C337D813DA81

Uniqueness

Uniqueness Score: -1.00%

Function 05269C98, Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.508950288.0000000005260000.00000040.00000001.sdmp, Offset: 05260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c1bbdba60dde04e1e70da74e5ac4bce17ca4886453235a831e556e14ce96944
Instruction ID: 41906d452714d32101c738913794543ec9ca4dbeedea3f2ef2b3754d6f42ec61
Opcode Fuzzy Hash: 6c1bbdba60dde04e1e70da74e5ac4bce17ca4886453235a831e556e14ce96944
Instruction Fuzzy Hash: 58F0A0322102018FCB08A7ACD0548A97BEBEFC6364314C43EE00ACB340DF729C46C795

Uniqueness

Uniqueness Score: -1.00%

Function 0526D89F, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.508950288.0000000005260000.00000040.00000001.sdmp, Offset: 05260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43a5d4423159b024606cf3b4aa5d98fdb0adcb755e45b0e96c16a1f904467d12
Instruction ID: e0d578130b00f79515b762c015911ecda9faf819a3873bcd0bddeaa993049078
Opcode Fuzzy Hash: 43a5d4423159b024606cf3b4aa5d98fdb0adcb755e45b0e96c16a1f904467d12
Instruction Fuzzy Hash: 25E0D8357242055BC224E65DD4659AE77EBDFC5660340C82FD40E8B340EEA6EC474BD0

Uniqueness

Uniqueness Score: -1.00%

Function 05268230, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.508950288.0000000005260000.00000040.00000001.sdmp, Offset: 05260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e315a1d0f516f6e10369c5443395d953f183b8419e970b894b0cdd990ba9788
Instruction ID: ac9633bccd294340a9d9a9cb38a17b3789076f09e730147aab9d7d4ce372b70b
Opcode Fuzzy Hash: 9e315a1d0f516f6e10369c5443395d953f183b8419e970b894b0cdd990ba9788
Instruction Fuzzy Hash: EFF05C31A142914FCB6A07B8A5080647FF1EF49221304026ED806C3700CD394C078F81

Uniqueness

Uniqueness Score: -1.00%

Function 05266EA7, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.508950288.0000000005260000.00000040.00000001.sdmp, Offset: 05260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 755eec3d29d4f7d80be63f0453fca8f84ed76191f0c0d51f53d412036ed7831c
Instruction ID: 432531deae3df752cf4add920017a5dcad951cf3a62e6ee6d68f6c7f66f56d84
Opcode Fuzzy Hash: 755eec3d29d4f7d80be63f0453fca8f84ed76191f0c0d51f53d412036ed7831c
Instruction Fuzzy Hash: F0F06D387550558BCB28B7B9E4287AD76969FC0B14F844078C61ADB785EF204C51C792

Uniqueness

Uniqueness Score: -1.00%

Function 0526D898, Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.508950288.0000000005260000.00000040.00000001.sdmp, Offset: 05260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33037f911f3f228aece0f55812c5a6250732ef351b165b4eeb906d85af9f96bb
Instruction ID: 64e8f11386653225d0f0bb33de23a05417e12530c3ac44aa27b35618158100c8
Opcode Fuzzy Hash: 33037f911f3f228aece0f55812c5a6250732ef351b165b4eeb906d85af9f96bb
Instruction Fuzzy Hash: 68E0D8397341118BC614E69CC1255AD7797EFC5664314881FD41E9B340EE76DC074B90

Uniqueness

Uniqueness Score: -1.00%

Function 0526E0CF, Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.508950288.0000000005260000.00000040.00000001.sdmp, Offset: 05260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f7cc498df9c0c3e8a6b7d8a7d05716a4f712e202492a78d2c5c98ec36720081
Instruction ID: 0de43cf6c3750f064952876f9404cd6fc8ce5490b57b5413b0763d174ce191e4
Opcode Fuzzy Hash: 9f7cc498df9c0c3e8a6b7d8a7d05716a4f712e202492a78d2c5c98ec36720081
Instruction Fuzzy Hash: C3E022352242110B8220E61EC8209AFBBAEDFC1260301887FD80A9B300EE63EC0647D5

Uniqueness

Uniqueness Score: -1.00%

Function 05265F68, Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.508950288.0000000005260000.00000040.00000001.sdmp, Offset: 05260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34a5e47bc096f69bcdc651ff8e9b6751f25d6b4d7141b4fbe4c89d5916c61696
Instruction ID: fcefbf5fe9fc0f688486cd7e8bac63d0e0c1f318996a3b27380fb1c049f372dc
Opcode Fuzzy Hash: 34a5e47bc096f69bcdc651ff8e9b6751f25d6b4d7141b4fbe4c89d5916c61696
Instruction Fuzzy Hash: CDE0D83036C5938FC72066FC54086F83FA59F53310F9801A7E446C7662C99D4C834352

Uniqueness

Uniqueness Score: -1.00%

Function 02D105F6, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.503658634.0000000002D10000.00000040.00000040.sdmp, Offset: 02D10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7199933f82b3223c868a1925df5ed43b6d7bf572601c6b1cc88c9e20e6685b4
Instruction ID: 2787dd322e47f4b894e7b321422842249d84452e0d602c619be9e80addda819f
Opcode Fuzzy Hash: e7199933f82b3223c868a1925df5ed43b6d7bf572601c6b1cc88c9e20e6685b4
Instruction Fuzzy Hash: 4FE092B6600A048BD650CF0AFC81456F7D8EB88630718C47FDC0D8B701D135B505CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0137AC57, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.503364528.0000000001372000.00000040.00000001.sdmp, Offset: 01372000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5aa2349305c2c5cb92db7947132c24146a13673cf5edc0476bffefaebc503857
Instruction ID: cdbbf6d4a5d8ecd9d9bdc8e801a9135bb2a9ad182d671d8e0062bd11adf0cd4b
Opcode Fuzzy Hash: 5aa2349305c2c5cb92db7947132c24146a13673cf5edc0476bffefaebc503857
Instruction Fuzzy Hash: F0E0D8B25416046BD2208E0AAC81B12FB58EB44A30F04C567ED085F701D171B514CAF5

Uniqueness

Uniqueness Score: -1.00%

Function 0526AC71, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.508950288.0000000005260000.00000040.00000001.sdmp, Offset: 05260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30f88be90bebfeef6cf912dc3df29c8294d64f2673af7f82a95053ce48af1e61
Instruction ID: 5506de4aed5ddb259372bc425c0db3b5ee574a7cf68fc0775cd8e359bed7f3f6
Opcode Fuzzy Hash: 30f88be90bebfeef6cf912dc3df29c8294d64f2673af7f82a95053ce48af1e61
Instruction Fuzzy Hash: 46E01231A14B148BC3249F6FD8115A7FBEAFBC4620B158A3E955A82614D770A9094694

Uniqueness

Uniqueness Score: -1.00%

Function 0526D8A8, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.508950288.0000000005260000.00000040.00000001.sdmp, Offset: 05260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f174f6ebcfdf68cc1c7c489261989aa54ed1b9b25ec5f08e403072a759a35a7
Instruction ID: 5d1909b00633cf64a5fc1b9e64ecc34f891e590a59171e6015d26505f66c8a9a
Opcode Fuzzy Hash: 0f174f6ebcfdf68cc1c7c489261989aa54ed1b9b25ec5f08e403072a759a35a7
Instruction Fuzzy Hash: F0E026317201058BC220E66DC42486E77EBDFC6660340882FD40E8B340EEB2EC078BD0

Uniqueness

Uniqueness Score: -1.00%

Function 0526E0D8, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.508950288.0000000005260000.00000040.00000001.sdmp, Offset: 05260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 161a1fa5b3ac5b2e7b6c65e3c85b8c67a528399b0afa7842d9b35008c587bdae
Instruction ID: a373e678a0c901110a7b67bc2d8d803c905d64a5aa7ec89dfc55e899f869e146
Opcode Fuzzy Hash: 161a1fa5b3ac5b2e7b6c65e3c85b8c67a528399b0afa7842d9b35008c587bdae
Instruction Fuzzy Hash: 9AE0DF392201154B8220E65EC4249AB77AFDFC1664301886ED81E8B300EE63DC0647D0

Uniqueness

Uniqueness Score: -1.00%

Function 05268240, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.508950288.0000000005260000.00000040.00000001.sdmp, Offset: 05260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e4b1c628501aeace2bdd1a4e358ac1fc21da4aebe564e136c2845488610e2c3
Instruction ID: 55480ee082fe3c746c6d91c5738d6f34817132009c640c33f6b855ada2dcf520
Opcode Fuzzy Hash: 5e4b1c628501aeace2bdd1a4e358ac1fc21da4aebe564e136c2845488610e2c3
Instruction Fuzzy Hash: 96E0D831F2062287CBB957BCA51852877DAFF9C6A1314412AED0BD3348DE71CC458BD2

Uniqueness

Uniqueness Score: -1.00%

Function 0526A5F0, Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.508950288.0000000005260000.00000040.00000001.sdmp, Offset: 05260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 852014d5c1645c44128469a362849f99d5ed70d847c8861cfe03585ed1dfeace
Instruction ID: cddf39e1fd25e2e2372b2c1eecd56960abe227b5477e398a25e03713b267b81f
Opcode Fuzzy Hash: 852014d5c1645c44128469a362849f99d5ed70d847c8861cfe03585ed1dfeace
Instruction Fuzzy Hash: 92E020B47682C08FCB85A7FC69180683FD35F8E34132414AEE416DB3A1DD714C435721

Uniqueness

Uniqueness Score: -1.00%

Function 0526D8E9, Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.508950288.0000000005260000.00000040.00000001.sdmp, Offset: 05260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57bcc0b34033357855593ef0d7620e29efeb011a021cbece43e997e2a3bf4921
Instruction ID: 5512b013dcad81527c67c26c6b259d0be9fb765383028f25e3dceee03506fa85
Opcode Fuzzy Hash: 57bcc0b34033357855593ef0d7620e29efeb011a021cbece43e997e2a3bf4921
Instruction Fuzzy Hash: 8FE0C23137E21CDBC728D551E8C27B6B2AAEF08221F44403EE44FC2600DAFA98C183D1

Uniqueness

Uniqueness Score: -1.00%

Function 0526B8D7, Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.508950288.0000000005260000.00000040.00000001.sdmp, Offset: 05260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7aaedafc86c90ae38c9271e0aa516a13b37f8d4247825d5173c3c41208c33f85
Instruction ID: 13d44d34d12e1e531c987853a13ce7a9084c4d49130dbea1d28353eff5f88a61
Opcode Fuzzy Hash: 7aaedafc86c90ae38c9271e0aa516a13b37f8d4247825d5173c3c41208c33f85
Instruction Fuzzy Hash: FEF0A53A614B009FC334CF59D685C12F7F6EF886203158A6EE59AD3A14C770F8458F61

Uniqueness

Uniqueness Score: -1.00%

Function 0526AC27, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.508950288.0000000005260000.00000040.00000001.sdmp, Offset: 05260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53c49a1e7c3b528e0246fa8b8ec3ffc4944d8b8191f5c0c8cf702546e1d72c1b
Instruction ID: 9b53b1d52cab2fb49fc2f070ed59236fbbcab39d16b8f8954e037582e639acd5
Opcode Fuzzy Hash: 53c49a1e7c3b528e0246fa8b8ec3ffc4944d8b8191f5c0c8cf702546e1d72c1b
Instruction Fuzzy Hash: E4E0ED72520A40CFC3A8CA59D29066277E2FF44351BA4586EE04BD7E14D771F8C08B04

Uniqueness

Uniqueness Score: -1.00%

Function 05265789, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.508950288.0000000005260000.00000040.00000001.sdmp, Offset: 05260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fdf70be4b5aeecdf232f84d455e9916b1a58008765681f4020d4988855fb80ca
Instruction ID: 367525f5f6b9bb2cddf8d7d73098905c4a208ff36c44e8b3ab12b4272c2ae880
Opcode Fuzzy Hash: fdf70be4b5aeecdf232f84d455e9916b1a58008765681f4020d4988855fb80ca
Instruction Fuzzy Hash: C8E0C23077A3918FCB57A3BC04600FD2FA91E921213844ABBC0068B761C94548634782

Uniqueness

Uniqueness Score: -1.00%

Function 05260170, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.508950288.0000000005260000.00000040.00000001.sdmp, Offset: 05260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: acf7841cf570fc80e775e28df0e569f8b884f27cb2cef0028e43d288eba337cb
Instruction ID: 391f06ab205f6af41fb7422743f61d052427de5ddf5903ca6c4adabe7fbf90a9
Opcode Fuzzy Hash: acf7841cf570fc80e775e28df0e569f8b884f27cb2cef0028e43d288eba337cb
Instruction Fuzzy Hash: 6BE0CD70245340CFCB2557B8A42D4EC3F719E4622031406BFD405CBF61DA3B8453CB01

Uniqueness

Uniqueness Score: -1.00%

Function 0526AC80, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.508950288.0000000005260000.00000040.00000001.sdmp, Offset: 05260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1ed917d55f73e09da6aa38e3850f292ab522bd691ac4415ac51af5d1593c4c1
Instruction ID: 58b967969c5730349a90ede882cd961c000310088e86d61529d81a583ef61956
Opcode Fuzzy Hash: a1ed917d55f73e09da6aa38e3850f292ab522bd691ac4415ac51af5d1593c4c1
Instruction Fuzzy Hash: E9E0EC71A04B258B8334DF6F9500457F7EAFEC4B20715CA3E915A87614DBB0A9058AA0

Uniqueness

Uniqueness Score: -1.00%

Function 05265F78, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.508950288.0000000005260000.00000040.00000001.sdmp, Offset: 05260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 834498e8cfdc84bb1db2121ea9834a66388b6ea9aae879966cf76cda31630ddc
Instruction ID: ea745ebaa439b02534cd614895ddc88e5835fbd4d3a013ac3f3f5ca4ab7c08c7
Opcode Fuzzy Hash: 834498e8cfdc84bb1db2121ea9834a66388b6ea9aae879966cf76cda31630ddc
Instruction Fuzzy Hash: D4D05B3133C417CBD330759D94087A9368D9F42351F840066F90BC6240DDD94CC04397

Uniqueness

Uniqueness Score: -1.00%

Function 052602A0, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.508950288.0000000005260000.00000040.00000001.sdmp, Offset: 05260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff62ae0be3bb0d6060f15b143cf1b035454393d813000bc41665964a0a0d43d5
Instruction ID: 290b919af3c233fc66978ae434b8f67c96f7b3d69c10724241669cabe9aed588
Opcode Fuzzy Hash: ff62ae0be3bb0d6060f15b143cf1b035454393d813000bc41665964a0a0d43d5
Instruction Fuzzy Hash: 0AE0C270429B40CFC3A2C768996A495BFF1BF822003048D4FC0878B945C3247C46CB01

Uniqueness

Uniqueness Score: -1.00%

Function 05267128, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.508950288.0000000005260000.00000040.00000001.sdmp, Offset: 05260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a46e1c6587dabba94c7439d54007ddbcf7f35e1f464bddad0a2b138981f8ace
Instruction ID: 821c0fbe1d68077fabcb06fdc378077b90a65f9383963401b640fbd8f127ab7a
Opcode Fuzzy Hash: 9a46e1c6587dabba94c7439d54007ddbcf7f35e1f464bddad0a2b138981f8ace
Instruction Fuzzy Hash: C8D0C230039354CBD335CA65F800762BAEFEF0121CF0C04FF80870560085E1A0C48792

Uniqueness

Uniqueness Score: -1.00%

Function 0526E9D8, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.508950288.0000000005260000.00000040.00000001.sdmp, Offset: 05260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f926eb55494aa9a59c3cff42ab88732de55ff3416abf14aa00deab1dcc048b93
Instruction ID: 294a69bbfb16e030f65869ba523e5a157863dac13cf1c2db12fe30ebea94653d
Opcode Fuzzy Hash: f926eb55494aa9a59c3cff42ab88732de55ff3416abf14aa00deab1dcc048b93
Instruction Fuzzy Hash: 2AD0A7387401242BA514A5ADE8509BA77CEDBC556430588AEE90EDB380CD63DC0647D4

Uniqueness

Uniqueness Score: -1.00%

Function 0526D8F8, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.508950288.0000000005260000.00000040.00000001.sdmp, Offset: 05260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed3e6ac90519869eda366d2f2147e31d843560da4a2f015d5c29f617b133d0e6
Instruction ID: efdecae99e4659c800acd4091e075bce7b80974bde0afc47498b6685fb26ab12
Opcode Fuzzy Hash: ed3e6ac90519869eda366d2f2147e31d843560da4a2f015d5c29f617b133d0e6
Instruction Fuzzy Hash: F5D05E3133F26CDBC738D656A4C05B2B2ABAF08511740442EE48F86500DAF198C18791

Uniqueness

Uniqueness Score: -1.00%

Function 0526064F, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.508950288.0000000005260000.00000040.00000001.sdmp, Offset: 05260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88068f38935653995b60a6f9be3092558b611e1d20536708ef36033dfa234fea
Instruction ID: 7899d4c837eb151494e23e8fbefa85328453e4eb5a8c89e5e191cc90828deb66
Opcode Fuzzy Hash: 88068f38935653995b60a6f9be3092558b611e1d20536708ef36033dfa234fea
Instruction Fuzzy Hash: BAD0A7728B53808FC3654BB0281F0F47F66DEA3210710C8BFC8015692281B2399BEB12

Uniqueness

Uniqueness Score: -1.00%

Function 0526E119, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.508950288.0000000005260000.00000040.00000001.sdmp, Offset: 05260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 961d900a16e8ff8a35c8328efe2e1f27d453c1a9eea8f1a23622379d5f3042d0
Instruction ID: d0044f47a1f05653f1a3e84ef8fd24a72eb292bcd5c9e73dcd108cf5a338f3c2
Opcode Fuzzy Hash: 961d900a16e8ff8a35c8328efe2e1f27d453c1a9eea8f1a23622379d5f3042d0
Instruction Fuzzy Hash: 69D0A739439200CB872CCA50D5891B373ABAF4171131648DDC04F0E710CBF1ACC2EB40

Uniqueness

Uniqueness Score: -1.00%

Function 0526ACC7, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.508950288.0000000005260000.00000040.00000001.sdmp, Offset: 05260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60a1aa178cd0c201bedf37fe1e3b35de2f4b46619437da26ab5688b1b11b146e
Instruction ID: 5a342e6d0a3f082bdc3dc0054fd7810d80eda9f1aa19c74da48b28b786309d9e
Opcode Fuzzy Hash: 60a1aa178cd0c201bedf37fe1e3b35de2f4b46619437da26ab5688b1b11b146e
Instruction Fuzzy Hash: F0D0A73B210100D7C3254948EE0549D3719FEC626334C043BF508A3900C731A481C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 013623F4, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.503326405.0000000001362000.00000040.00000001.sdmp, Offset: 01362000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24d5ca7d0cf7ebf151f46c2e66a72aaed57da1829836f9be211867bd79fd21e3
Instruction ID: c290218796a9235a42ab4c7db4ed4f76d7cded62618d046c1dd42d9eb02c015a
Opcode Fuzzy Hash: 24d5ca7d0cf7ebf151f46c2e66a72aaed57da1829836f9be211867bd79fd21e3
Instruction Fuzzy Hash: 75D05E79205A814FE3278A1CC1A8BA63FA8EF52B08F4784F9E8008B667C768D581D200

Uniqueness

Uniqueness Score: -1.00%

Function 0526E128, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.508950288.0000000005260000.00000040.00000001.sdmp, Offset: 05260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9641107036b25da47c8809f14aa217e00be4b85fb8af09d30b3c8679b2afb0c4
Instruction ID: 241ea0548c54a346aca5aa07b2df9ce0d0991fe2aa08a04c1f38227ca38957b2
Opcode Fuzzy Hash: 9641107036b25da47c8809f14aa217e00be4b85fb8af09d30b3c8679b2afb0c4
Instruction Fuzzy Hash: D8D0C935539214DB8628DA55D8485A3B7AFAF4575170648AAD00B4A700DBF2AC819B80

Uniqueness

Uniqueness Score: -1.00%

Function 0526E11F, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.508950288.0000000005260000.00000040.00000001.sdmp, Offset: 05260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ec10977e8baa32954c758e48aa22caf5c380b3044267ee5ed93b0ca301b6458
Instruction ID: a10f4bd2744dc00cb6cebc488d0f6db0b2049202bb98696df9fb7cd9973b2a0f
Opcode Fuzzy Hash: 1ec10977e8baa32954c758e48aa22caf5c380b3044267ee5ed93b0ca301b6458
Instruction Fuzzy Hash: B3D05E35439200CB9728DA50E685163B76AAE407117064CAEC04B4AB10CBB1AD81DB80

Uniqueness

Uniqueness Score: -1.00%

Function 0526E4A8, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.508950288.0000000005260000.00000040.00000001.sdmp, Offset: 05260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e7f8cdc54eac6eceac7fa3e0c29ad67a8d5d95c9b3f2469b5e874a7bb4d2893
Instruction ID: 06c864d27ab9cd22cafa8f1e9412f4b9213275e70e02600884a308e478e9b745
Opcode Fuzzy Hash: 5e7f8cdc54eac6eceac7fa3e0c29ad67a8d5d95c9b3f2469b5e874a7bb4d2893
Instruction Fuzzy Hash: BEC0C034620315D30F14B0B428048EA735CCC01111F0000BBDD0C53180F6218C5043D2

Uniqueness

Uniqueness Score: -1.00%

Function 05266AF0, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.508950288.0000000005260000.00000040.00000001.sdmp, Offset: 05260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a0939ec5680cffb9ecca245d0aafbbebb033a67d769e75d7ec85179cdc98f5e
Instruction ID: 4bcf1a1e0c929732c093bbc9cc7009dfded3f94e8263b5bfe1113e688bb0f035
Opcode Fuzzy Hash: 9a0939ec5680cffb9ecca245d0aafbbebb033a67d769e75d7ec85179cdc98f5e
Instruction Fuzzy Hash: CED0423AA00004CFC704CB88D5949D9F7F1FB88325F28C1A6D919A7252C732ED56CE50

Uniqueness

Uniqueness Score: -1.00%

Function 013623BC, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.503326405.0000000001362000.00000040.00000001.sdmp, Offset: 01362000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ee96d3f8f49cef99c428c95e257569702026a333e8c555424fbc5592a0b94f7
Instruction ID: 50e315a1973149eaf40bfacc0780548298083d9d45bacb8c3d72ad408c7205c9
Opcode Fuzzy Hash: 1ee96d3f8f49cef99c428c95e257569702026a333e8c555424fbc5592a0b94f7
Instruction Fuzzy Hash: E5D05E342012814BD715DB1CC194F5A3BD8AB41B04F1684E9AC008B266C3A4E881C600

Uniqueness

Uniqueness Score: -1.00%

Function 05268DE0, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.508950288.0000000005260000.00000040.00000001.sdmp, Offset: 05260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 369660ffe52f3a765b1bb1c7584582cd5e7f28600ced569cc27c51baab4d0a24
Instruction ID: 813f01e3aa83389df2377f2f5becd13567786b2b211a1ced72961c820973985c
Opcode Fuzzy Hash: 369660ffe52f3a765b1bb1c7584582cd5e7f28600ced569cc27c51baab4d0a24
Instruction Fuzzy Hash: 48D0227107C3C07BCB1312342E1ABB22F738F0230AF0D0887F0CAA04A3D04B0032422A

Uniqueness

Uniqueness Score: -1.00%

Function 0526E4A7, Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.508950288.0000000005260000.00000040.00000001.sdmp, Offset: 05260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3166c77463c6e3f18539c284fe50802d6361775fc672466457568c1496733e0b
Instruction ID: a7a65fee51e9b882959f753aa7645d3829ccb55e7aadfe637ed7adfcf6f77c99
Opcode Fuzzy Hash: 3166c77463c6e3f18539c284fe50802d6361775fc672466457568c1496733e0b
Instruction Fuzzy Hash: 98C08C3AA20212C65F28B1F47B066BA77699D44626F4104BBDA0CA3680E6318AA54382

Uniqueness

Uniqueness Score: -1.00%

Function 052678F6, Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.508950288.0000000005260000.00000040.00000001.sdmp, Offset: 05260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8559d91089f24e0a5c0d92297c54cb59cf49590e820edf875e03ef453c34f67
Instruction ID: fd7b683aecb064c6dce5b68de6f022bd6215efad0b7206d6959cf6e5afff7829
Opcode Fuzzy Hash: e8559d91089f24e0a5c0d92297c54cb59cf49590e820edf875e03ef453c34f67
Instruction Fuzzy Hash: 44D05E34A30209DFCB21CF75EA544AD77F1FB082287140725D412AB384E3745D508B10

Uniqueness

Uniqueness Score: -1.00%

Function 05260180, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.508950288.0000000005260000.00000040.00000001.sdmp, Offset: 05260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1a3d226eac3ac7021f6ef996f729a08df8b73ee3ab8aa2f07dfc9f77fc79664
Instruction ID: 5279cb88479020a89230e7c5c3ac55203561c031dbbbadcaf4c0f61ea28a6b29
Opcode Fuzzy Hash: b1a3d226eac3ac7021f6ef996f729a08df8b73ee3ab8aa2f07dfc9f77fc79664
Instruction Fuzzy Hash: 02D0C970201704CFCB282B74E42A42873A9AB482157500878E80686744DE36E850CB00

Uniqueness

Uniqueness Score: -1.00%

Function 05265710, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.508950288.0000000005260000.00000040.00000001.sdmp, Offset: 05260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 860643ae72288803ff42ad0655c32d6821fde5ab63cd09821cdc96cc84e1b47d
Instruction ID: d2136639c997ca0ae68eaaccaea8503a9959de49c313ddf5e5278eabe1aa1325
Opcode Fuzzy Hash: 860643ae72288803ff42ad0655c32d6821fde5ab63cd09821cdc96cc84e1b47d
Instruction Fuzzy Hash: FDC08C30720208CFDE3027B0208E52D374E6E002827800054F40A85104EF28A04046A2

Uniqueness

Uniqueness Score: -1.00%

Function 05260660, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.508950288.0000000005260000.00000040.00000001.sdmp, Offset: 05260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac64389f07589a8ead467a4b7a3be956cffb459838d9afd9b42fc5c33d5968fb
Instruction ID: f370b1175f7d16eac5e7696d69d1b9aa7759cb01af17bc430ea5833e71163463
Opcode Fuzzy Hash: ac64389f07589a8ead467a4b7a3be956cffb459838d9afd9b42fc5c33d5968fb
Instruction Fuzzy Hash: FCC09B71075358CEC2649AB2790D439721F5ED1305750C835D5111052589F674E1EA66

Uniqueness

Uniqueness Score: -1.00%

Function 05266B14, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.508950288.0000000005260000.00000040.00000001.sdmp, Offset: 05260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9331830965d72d12fcbefa973c87c0cf332396a92bd300e1243d284f656f33ac
Instruction ID: f29199966e665351042b7ffd95a4aec1fd837f86a035b3801790425d28295e07
Opcode Fuzzy Hash: 9331830965d72d12fcbefa973c87c0cf332396a92bd300e1243d284f656f33ac
Instruction Fuzzy Hash: 35B092B7A14048CADB00CA84B4413EDFB20FB90329F104023C31062001C27211A4CA91

Uniqueness

Uniqueness Score: -1.00%

Function 05268F80, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.508950288.0000000005260000.00000040.00000001.sdmp, Offset: 05260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d855347400049fa4ba28b80d992cd14849693c7802a7c00fb984d28927a8c14
Instruction ID: 072a4f7a0c7678a12f01de678518a425459d54761fc6ffb146985d65b34c2311
Opcode Fuzzy Hash: 7d855347400049fa4ba28b80d992cd14849693c7802a7c00fb984d28927a8c14
Instruction Fuzzy Hash: 7FB0123033430B0E1E5856B22805A2237CD59006443C00030A50CC0001F944D0800158

Uniqueness

Uniqueness Score: -1.00%

Function 0526EA20, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.508950288.0000000005260000.00000040.00000001.sdmp, Offset: 05260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12ca93df32198e4019a008697bbb51e9ff8e162307e49268f9215ac5fb1c58cb
Instruction ID: b343b70abd45dd5e1bba3dc8c854f4b3a83ea50389fd8fe8d4b991c8f59e0b20
Opcode Fuzzy Hash: 12ca93df32198e4019a008697bbb51e9ff8e162307e49268f9215ac5fb1c58cb
Instruction Fuzzy Hash: 8CB0122075074C47CD9033F4600C05D7B4C0D40211F804451980D47201FD6478404561

Uniqueness

Uniqueness Score: -1.00%

Function 05268E03, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.508950288.0000000005260000.00000040.00000001.sdmp, Offset: 05260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d84193c163a2f7d1c4b75746080662659cde189cd64764633d049e16d9f816c
Instruction ID: 0bf4a8475fc8acdabfc0a2ed1078befc98ce4a993ac4329c6b422de21eb29615
Opcode Fuzzy Hash: 2d84193c163a2f7d1c4b75746080662659cde189cd64764633d049e16d9f816c
Instruction Fuzzy Hash: 14B012301B8240F3D91489703C0ABB025B27F14706F000401F10F240C056C20090103D

Uniqueness

Uniqueness Score: -1.00%

Function 0526EA1F, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.508950288.0000000005260000.00000040.00000001.sdmp, Offset: 05260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fdefa6793e14123027cd18181f114aa37b069ee38d49f62cca9dfd9fc50ebca
Instruction ID: ee5b1baa9d67926890a294b7f0d1a1f39f32d180263b2e09a9359e1249440cf4
Opcode Fuzzy Hash: 6fdefa6793e14123027cd18181f114aa37b069ee38d49f62cca9dfd9fc50ebca
Instruction Fuzzy Hash: 36B09234AA034C9BCFA437B4A00C0AD7BA85E90221B00846A980A86211EE7158408A10

Uniqueness

Uniqueness Score: -1.00%

Function 05262EC0, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.508950288.0000000005260000.00000040.00000001.sdmp, Offset: 05260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4221a66e6477603c29e619ce9541e2367b6910739d9656c986c1bf8ec318429
Instruction ID: 4ab63be84db36d06633c521c62414aa356ceb44e98ac849c08f063d52916246a
Opcode Fuzzy Hash: a4221a66e6477603c29e619ce9541e2367b6910739d9656c986c1bf8ec318429
Instruction Fuzzy Hash: E9B012302142094B576056F13808F22338C994052974004B4D80CC0400F504E0E03340

Uniqueness

Uniqueness Score: -1.00%

Function 0526CAD0, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.508950288.0000000005260000.00000040.00000001.sdmp, Offset: 05260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0dc8334f849620fc554638476d0ae8d63d99db9aaa064c06f1831c90f8c6ffa
Instruction ID: 8a5f28705ecb6e33b95f2aab53f604d2b2fb90c6368aba5d6ec9af45d2765fee
Opcode Fuzzy Hash: c0dc8334f849620fc554638476d0ae8d63d99db9aaa064c06f1831c90f8c6ffa
Instruction Fuzzy Hash: 08B09B70038354D7C111F615D94DC55772DFD05640B400024E451550985BE56D414BD5

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior.
Tactics:	Discovery
Data Sources:	API monitoring, Azure activity logs, Office 365 account logs, Process command-line parameters, Process monitoring
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report checklist pdf.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

ICMP Packets

Description:	An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries.
Tactics:	Command and Control
Data Sources:	Network intrusion detection system, Network protocol analysis, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre