Play interactive tour

Edit tour

Analysis Report parcel_images.exe

Overview

General Information

Sample Name:	parcel_images.exe
Analysis ID:	339033
MD5:	5f8a97a2c2b464c360a3628c73b88103
SHA1:	134af6300df733356a3bd6dbe94f42dbfd2f31d8
SHA256:	74995e87513e47357c351f37565a1422202dace38dc789308d72417b5797b93e
Tags:	exeNanoCoreRATUPS
Most interesting Screenshot:

Detection

Nanocore

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Detected Nanocore Rat

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: NanoCore

Sigma detected: Scheduled temp file as task from temp location

Yara detected AntiVM_3

Yara detected Nanocore RAT

.NET source code contains potential unpacker

Allocates memory in foreign processes

Hides that the sample has been downloaded from the Internet (zone.identifier)

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses dynamic DNS services

Uses schtasks.exe or at.exe to add and modify task schedules

Writes to foreign memory regions

Antivirus or Machine Learning detection for unpacked file

Contains capabilities to detect virtual machines

Contains functionality to call native functions

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Installs a raw input device (often for capturing keystrokes)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains strange resources

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Startup

System is w10x64

parcel_images.exe (PID: 6068 cmdline: 'C:\Users\user\Desktop\parcel_images.exe' MD5: 5F8A97A2C2B464C360A3628C73B88103)

schtasks.exe (PID: 5664 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kWLVXBfTFQKW' /XML 'C:\Users\user\AppData\Local\Temp\tmp2412.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 4712 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

RegSvcs.exe (PID: 5420 cmdline: {path} MD5: 71369277D09DA0830C8C59F9E22BB23A)

schtasks.exe (PID: 1928 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpB461.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 5736 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

schtasks.exe (PID: 576 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpB81B.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 5376 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

RegSvcs.exe (PID: 5836 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe 0 MD5: 71369277D09DA0830C8C59F9E22BB23A)

conhost.exe (PID: 5620 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

dhcpmon.exe (PID: 5268 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0 MD5: 71369277D09DA0830C8C59F9E22BB23A)

conhost.exe (PID: 720 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

dhcpmon.exe (PID: 5960 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: 71369277D09DA0830C8C59F9E22BB23A)

conhost.exe (PID: 5384 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000004.00000002.604092435.0000000005B00000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
00000004.00000002.604092435.0000000005B00000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
00000000.00000002.245819001.000000000416B000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x14c9d:$x1: NanoCore.ClientPluginHost 0x14cda:$x2: IClientNetworkHost 0x1880d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.245819001.000000000416B000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.245819001.000000000416B000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x14a05:$a: NanoCore 0x14a15:$a: NanoCore 0x14c49:$a: NanoCore 0x14c5d:$a: NanoCore 0x14c9d:$a: NanoCore 0x14a64:$b: ClientPlugin 0x14c66:$b: ClientPlugin 0x14ca6:$b: ClientPlugin 0x14b8b:$c: ProjectData 0x15592:$d: DESCrypto 0x1cf5e:$e: KeepAlive 0x1af4c:$g: LogClientMessage 0x17147:$i: get_Connected 0x158c8:$j: #=q 0x158f8:$j: #=q 0x15914:$j: #=q 0x15944:$j: #=q 0x15960:$j: #=q 0x1597c:$j: #=q 0x159ac:$j: #=q 0x159c8:$j: #=q
00000004.00000002.604237301.0000000005CB0000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
00000004.00000002.604237301.0000000005CB0000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
00000004.00000002.604237301.0000000005CB0000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000004.00000002.603472332.00000000048E8000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000004.00000002.603472332.00000000048E8000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x17af5:$a: NanoCore 0x17b4e:$a: NanoCore 0x17b8b:$a: NanoCore 0x17c04:$a: NanoCore 0x1d199:$a: NanoCore 0x1d1e3:$a: NanoCore 0x1d3cd:$a: NanoCore 0x30cec:$a: NanoCore 0x30d01:$a: NanoCore 0x30d36:$a: NanoCore 0x49cd3:$a: NanoCore 0x49ce8:$a: NanoCore 0x49d1d:$a: NanoCore 0x17b57:$b: ClientPlugin 0x17b94:$b: ClientPlugin 0x18492:$b: ClientPlugin 0x1849f:$b: ClientPlugin 0x1cf32:$b: ClientPlugin 0x1d1a2:$b: ClientPlugin 0x1d1ec:$b: ClientPlugin 0x30aa8:$b: ClientPlugin
00000000.00000002.243301800.0000000003CE1000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1bdefd:$x1: NanoCore.ClientPluginHost 0x1bdf3a:$x2: IClientNetworkHost 0x1c1a6d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.243301800.0000000003CE1000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.243301800.0000000003CE1000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1bdc65:$a: NanoCore 0x1bdc75:$a: NanoCore 0x1bdea9:$a: NanoCore 0x1bdebd:$a: NanoCore 0x1bdefd:$a: NanoCore 0x1bdcc4:$b: ClientPlugin 0x1bdec6:$b: ClientPlugin 0x1bdf06:$b: ClientPlugin 0x10d375:$c: ProjectData 0x1bddeb:$c: ProjectData 0x10de13:$d: DESCrypto 0x1be7f2:$d: DESCrypto 0x1c61be:$e: KeepAlive 0x1c41ac:$g: LogClientMessage 0x1c03a7:$i: get_Connected 0x1beb28:$j: #=q 0x1beb58:$j: #=q 0x1beb74:$j: #=q 0x1beba4:$j: #=q 0x1bebc0:$j: #=q 0x1bebdc:$j: #=q
00000004.00000002.604208395.0000000005CA0000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1646:$x1: NanoCore.ClientPluginHost
00000004.00000002.604208395.0000000005CA0000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1646:$x2: NanoCore.ClientPluginHost 0x1724:$s4: PipeCreated 0x1660:$s5: IClientLoggingHost
00000004.00000002.595481599.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000004.00000002.595481599.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000004.00000002.595481599.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
Process Memory Space: RegSvcs.exe PID: 5420	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x98286:$x1: NanoCore.ClientPluginHost 0x1bb9c3:$x1: NanoCore.ClientPluginHost 0x1fb71c:$x1: NanoCore.ClientPluginHost 0x1fdd97:$x1: NanoCore.ClientPluginHost 0x2039c4:$x1: NanoCore.ClientPluginHost 0x214d68:$x1: NanoCore.ClientPluginHost 0x28030c:$x1: NanoCore.ClientPluginHost 0x29f699:$x1: NanoCore.ClientPluginHost 0x39359c:$x1: NanoCore.ClientPluginHost 0x395c38:$x1: NanoCore.ClientPluginHost 0x982ac:$x2: IClientNetworkHost 0x1bba08:$x2: IClientNetworkHost 0x1fb742:$x2: IClientNetworkHost 0x203a09:$x2: IClientNetworkHost 0x214dad:$x2: IClientNetworkHost 0x28036d:$x2: IClientNetworkHost 0x3935c2:$x2: IClientNetworkHost 0x285772:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x2936e4:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: RegSvcs.exe PID: 5420	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: RegSvcs.exe PID: 5420	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x98178:$a: NanoCore 0x98219:$a: NanoCore 0x98286:$a: NanoCore 0x98347:$a: NanoCore 0x99218:$a: NanoCore 0x9926b:$a: NanoCore 0x992a4:$a: NanoCore 0x99317:$a: NanoCore 0x1bb93d:$a: NanoCore 0x1bb96a:$a: NanoCore 0x1bb9c3:$a: NanoCore 0x1c31d2:$a: NanoCore 0x1c31e5:$a: NanoCore 0x1c3217:$a: NanoCore 0x1fb60e:$a: NanoCore 0x1fb6af:$a: NanoCore 0x1fb71c:$a: NanoCore 0x1fb7dd:$a: NanoCore 0x1fc6ae:$a: NanoCore 0x1fc701:$a: NanoCore 0x1fc73a:$a: NanoCore
Process Memory Space: parcel_images.exe PID: 6068	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x41971e:$x1: NanoCore.ClientPluginHost 0x41977f:$x2: IClientNetworkHost 0x41eb84:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x42caf6:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: parcel_images.exe PID: 6068	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: parcel_images.exe PID: 6068	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: parcel_images.exe PID: 6068	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x419223:$a: NanoCore 0x41923f:$a: NanoCore 0x41939a:$a: NanoCore 0x4193a9:$a: NanoCore 0x419682:$a: NanoCore 0x4196ae:$a: NanoCore 0x41971e:$a: NanoCore 0x429160:$a: NanoCore 0x429172:$a: NanoCore 0x4291ae:$a: NanoCore 0x4192ca:$b: ClientPlugin 0x4193f3:$b: ClientPlugin 0x4196b7:$b: ClientPlugin 0x419727:$b: ClientPlugin 0x42917b:$b: ClientPlugin 0x4291b7:$b: ClientPlugin 0x419540:$c: ProjectData 0x4290ad:$c: ProjectData 0x75345c:$c: ProjectData 0x7558c6:$c: ProjectData 0x41a67c:$d: DESCrypto
Click to see the 20 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
4.2.RegSvcs.exe.5ca0000.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1646:$x1: NanoCore.ClientPluginHost
4.2.RegSvcs.exe.5ca0000.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1646:$x2: NanoCore.ClientPluginHost 0x1724:$s4: PipeCreated 0x1660:$s5: IClientLoggingHost
4.2.RegSvcs.exe.5b00000.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
4.2.RegSvcs.exe.5b00000.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
4.2.RegSvcs.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
4.2.RegSvcs.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
4.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
4.2.RegSvcs.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
4.2.RegSvcs.exe.5cb0000.5.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
4.2.RegSvcs.exe.5cb0000.5.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
4.2.RegSvcs.exe.5cb0000.5.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
4.2.RegSvcs.exe.5cb0000.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
4.2.RegSvcs.exe.5cb0000.5.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
4.2.RegSvcs.exe.5cb0000.5.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Click to see the 9 entries

Sigma Overview

System Summary:

Sigma detected: NanoCore

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, ProcessId: 5420, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Sigma detected: Scheduled temp file as task from temp location

Show sources

Source: Process started

Author: Joe Security: Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kWLVXBfTFQKW' /XML 'C:\Users\user\AppData\Local\Temp\tmp2412.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kWLVXBfTFQKW' /XML 'C:\Users\user\AppData\Local\Temp\tmp2412.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\parcel_images.exe' , ParentImage: C:\Users\user\Desktop\parcel_images.exe, ParentProcessId: 6068, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kWLVXBfTFQKW' /XML 'C:\Users\user\AppData\Local\Temp\tmp2412.tmp', ProcessId: 5664

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus / Scanner detection for submitted sample

Show sources

Source: parcel_images.exe

Avira: detected

Antivirus detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\kWLVXBfTFQKW.exe

Avira: detection malicious, Label: HEUR/AGEN.1120329

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\kWLVXBfTFQKW.exe

ReversingLabs: Detection: 31%

Multi AV Scanner detection for submitted file

Show sources

Source: parcel_images.exe	Virustotal: Detection: 47%			Perma Link
Source: parcel_images.exe	ReversingLabs: Detection: 31%

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000000.00000002.245819001.000000000416B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.604237301.0000000005CB0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.603472332.00000000048E8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.243301800.0000000003CE1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.595481599.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 5420, type: MEMORY
Source: Yara match	File source: Process Memory Space: parcel_images.exe PID: 6068, type: MEMORY
Source: Yara match	File source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.5cb0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.5cb0000.5.raw.unpack, type: UNPACKEDPE

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\kWLVXBfTFQKW.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Show sources

Source: parcel_images.exe

Joe Sandbox ML: detected

Source: 4.2.RegSvcs.exe.5cb0000.5.unpack	Avira: Label: TR/NanoCore.fadte
Source: 4.2.RegSvcs.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7

Compliance:

Detected unpacking (overwrites its own PE header)

Show sources

Source: C:\Users\user\Desktop\parcel_images.exe

Unpacked PE file: 0.2.parcel_images.exe.3d0000.0.unpack

Source: parcel_images.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: C:\Users\user\Desktop\parcel_images.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Jump to behavior

Source: parcel_images.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\NanoProtectPlugin\NanoProtectClient\obj\Debug\NanoProtectClient.pdb source: RegSvcs.exe, 00000004.00000002.603472332.00000000048E8000.00000004.00000001.sdmp
Source:	Binary string: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.pdb source: RegSvcs.exe, 00000004.00000002.599613900.0000000003565000.00000004.00000040.sdmp
Source:	Binary string: System.EnterpriseServices.Wrapper.pdb source: dhcpmon.exe, 0000000B.00000002.258862329.0000000005360000.00000002.00000001.sdmp
Source:	Binary string: indows\mscorlib.pdbpdblib.pdb source: RegSvcs.exe, 00000004.00000002.599613900.0000000003565000.00000004.00000040.sdmp
Source:	Binary string: indows\RegSvcs.pdbpdbvcs.pdb source: RegSvcs.exe, 00000004.00000002.599613900.0000000003565000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\symbols\exe\RegSvcs.pdb source: RegSvcs.exe, 00000004.00000002.599613900.0000000003565000.00000004.00000040.sdmp
Source:	Binary string: RegSvcs.pdb source: dhcpmon.exe, dhcpmon.exe.4.dr
Source:	Binary string: mscorrc.pdb source: parcel_images.exe, 00000000.00000002.253906839.0000000006AC0000.00000002.00000001.sdmp, RegSvcs.exe, 00000004.00000002.604432852.0000000006120000.00000002.00000001.sdmp, RegSvcs.exe, 00000009.00000002.255719251.0000000005290000.00000002.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.259020078.0000000005400000.00000002.00000001.sdmp

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

Code function: 4x nop then mov esp, ebp

4_2_0349865F

Networking:

Uses dynamic DNS services

Show sources

Source: unknown

DNS query: name: cldgr.duckdns.org

Source: global traffic

TCP traffic: 192.168.2.3:49713 -> 69.61.59.215:60003

Source: Joe Sandbox View

ASN Name: GLOBALCOMPASSUS GLOBALCOMPASSUS

Source: unknown

DNS traffic detected: queries for: cldgr.duckdns.org

Source: parcel_images.exe, 00000000.00000002.246509480.00000000051D0000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: parcel_images.exe, 00000000.00000002.246509480.00000000051D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: parcel_images.exe, 00000000.00000002.246509480.00000000051D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: parcel_images.exe, 00000000.00000002.246509480.00000000051D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: parcel_images.exe, 00000000.00000003.222434128.000000000506D000.00000004.00000001.sdmp, parcel_images.exe, 00000000.00000003.221895972.0000000005068000.00000004.00000001.sdmp, parcel_images.exe, 00000000.00000003.221943311.0000000005069000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: parcel_images.exe, 00000000.00000002.246509480.00000000051D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: parcel_images.exe, 00000000.00000002.246509480.00000000051D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: parcel_images.exe, 00000000.00000002.246509480.00000000051D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: parcel_images.exe, 00000000.00000002.246509480.00000000051D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: parcel_images.exe, 00000000.00000003.221943311.0000000005069000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers:
Source: parcel_images.exe, 00000000.00000002.246509480.00000000051D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: parcel_images.exe, 00000000.00000002.246509480.00000000051D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: parcel_images.exe, 00000000.00000002.246216893.0000000005060000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comFP
Source: parcel_images.exe, 00000000.00000002.246216893.0000000005060000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.coml1
Source: parcel_images.exe, 00000000.00000003.216620193.000000000507B000.00000004.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: parcel_images.exe, 00000000.00000003.216620193.000000000507B000.00000004.00000001.sdmp	String found in binary or memory: http://www.fonts.comh
Source: parcel_images.exe, 00000000.00000003.216665590.000000000507B000.00000004.00000001.sdmp	String found in binary or memory: http://www.fonts.comic
Source: parcel_images.exe, 00000000.00000003.218388349.0000000005064000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.c
Source: parcel_images.exe, 00000000.00000002.246509480.00000000051D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: parcel_images.exe, 00000000.00000003.218388349.0000000005064000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/
Source: parcel_images.exe, 00000000.00000002.246509480.00000000051D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: parcel_images.exe, 00000000.00000002.246509480.00000000051D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: parcel_images.exe, 00000000.00000003.218388349.0000000005064000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/e
Source: parcel_images.exe, 00000000.00000003.218064819.000000000509D000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cnl-n
Source: parcel_images.exe, 00000000.00000002.246509480.00000000051D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: parcel_images.exe, 00000000.00000002.246509480.00000000051D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: parcel_images.exe, 00000000.00000002.246509480.00000000051D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: parcel_images.exe, 00000000.00000002.246509480.00000000051D0000.00000002.00000001.sdmp, parcel_images.exe, 00000000.00000003.219725000.0000000005064000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: parcel_images.exe, 00000000.00000003.219725000.0000000005064000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/O
Source: parcel_images.exe, 00000000.00000003.219725000.0000000005064000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0/
Source: parcel_images.exe, 00000000.00000003.219725000.0000000005064000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0a
Source: parcel_images.exe, 00000000.00000003.219725000.0000000005064000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: parcel_images.exe, 00000000.00000003.219725000.0000000005064000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/F
Source: parcel_images.exe, 00000000.00000002.246509480.00000000051D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: parcel_images.exe, 00000000.00000003.216620193.000000000507B000.00000004.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.compe
Source: parcel_images.exe, 00000000.00000002.246509480.00000000051D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: parcel_images.exe, 00000000.00000002.246509480.00000000051D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: parcel_images.exe, 00000000.00000003.217510313.0000000005069000.00000004.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.krC
Source: parcel_images.exe, 00000000.00000003.217510313.0000000005069000.00000004.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.krlearn
Source: parcel_images.exe, 00000000.00000002.246509480.00000000051D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: parcel_images.exe, 00000000.00000003.216945664.000000000507B000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiro.comF
Source: parcel_images.exe, 00000000.00000003.216900726.000000000507B000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiro.comw
Source: parcel_images.exe, 00000000.00000002.246509480.00000000051D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: parcel_images.exe, 00000000.00000002.246509480.00000000051D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: parcel_images.exe, 00000000.00000002.246509480.00000000051D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn

Source: RegSvcs.exe, 00000004.00000002.604237301.0000000005CB0000.00000004.00000001.sdmp

Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000000.00000002.245819001.000000000416B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.604237301.0000000005CB0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.603472332.00000000048E8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.243301800.0000000003CE1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.595481599.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 5420, type: MEMORY
Source: Yara match	File source: Process Memory Space: parcel_images.exe PID: 6068, type: MEMORY
Source: Yara match	File source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.5cb0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.5cb0000.5.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000004.00000002.604092435.0000000005B00000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.245819001.000000000416B000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.245819001.000000000416B000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000002.604237301.0000000005CB0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000004.00000002.603472332.00000000048E8000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.243301800.0000000003CE1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.243301800.0000000003CE1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000002.604208395.0000000005CA0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000004.00000002.595481599.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000004.00000002.595481599.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: RegSvcs.exe PID: 5420, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: RegSvcs.exe PID: 5420, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: parcel_images.exe PID: 6068, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: parcel_images.exe PID: 6068, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.RegSvcs.exe.5ca0000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.RegSvcs.exe.5b00000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.RegSvcs.exe.5cb0000.5.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.RegSvcs.exe.5cb0000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth

Initial sample is a PE file and has a suspicious name

Show sources

Source: initial sample

Static PE information: Filename: parcel_images.exe

Source: C:\Users\user\Desktop\parcel_images.exe	Code function: 0_2_04E51D8E NtQuerySystemInformation,	0_2_04E51D8E
Source: C:\Users\user\Desktop\parcel_images.exe	Code function: 0_2_04E51D54 NtQuerySystemInformation,	0_2_04E51D54
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 4_2_05A016DA NtQuerySystemInformation,	4_2_05A016DA
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 4_2_05A0169F NtQuerySystemInformation,	4_2_05A0169F

Source: C:\Users\user\Desktop\parcel_images.exe	Code function: 0_2_01000C50	0_2_01000C50
Source: C:\Users\user\Desktop\parcel_images.exe	Code function: 0_2_01001C53	0_2_01001C53
Source: C:\Users\user\Desktop\parcel_images.exe	Code function: 0_2_010000F8	0_2_010000F8
Source: C:\Users\user\Desktop\parcel_images.exe	Code function: 0_2_01002B08	0_2_01002B08
Source: C:\Users\user\Desktop\parcel_images.exe	Code function: 0_2_01001374	0_2_01001374
Source: C:\Users\user\Desktop\parcel_images.exe	Code function: 0_2_0100454C	0_2_0100454C
Source: C:\Users\user\Desktop\parcel_images.exe	Code function: 0_2_01003800	0_2_01003800
Source: C:\Users\user\Desktop\parcel_images.exe	Code function: 0_2_01004848	0_2_01004848
Source: C:\Users\user\Desktop\parcel_images.exe	Code function: 0_2_01000C4D	0_2_01000C4D
Source: C:\Users\user\Desktop\parcel_images.exe	Code function: 0_2_01004858	0_2_01004858
Source: C:\Users\user\Desktop\parcel_images.exe	Code function: 0_2_01004CA4	0_2_01004CA4
Source: C:\Users\user\Desktop\parcel_images.exe	Code function: 0_2_01004CA8	0_2_01004CA8
Source: C:\Users\user\Desktop\parcel_images.exe	Code function: 0_2_01002B01	0_2_01002B01
Source: C:\Users\user\Desktop\parcel_images.exe	Code function: 0_2_01002F18	0_2_01002F18
Source: C:\Users\user\Desktop\parcel_images.exe	Code function: 0_2_010037F8	0_2_010037F8
Source: C:\Users\user\Desktop\parcel_images.exe	Code function: 0_2_01004A55	0_2_01004A55
Source: C:\Users\user\Desktop\parcel_images.exe	Code function: 0_2_01004E55	0_2_01004E55
Source: C:\Users\user\Desktop\parcel_images.exe	Code function: 0_2_01004A58	0_2_01004A58
Source: C:\Users\user\Desktop\parcel_images.exe	Code function: 0_2_01004291	0_2_01004291
Source: C:\Users\user\Desktop\parcel_images.exe	Code function: 0_2_01004298	0_2_01004298
Source: C:\Users\user\Desktop\parcel_images.exe	Code function: 0_2_01002AA5	0_2_01002AA5
Source: C:\Users\user\Desktop\parcel_images.exe	Code function: 0_2_0681208C	0_2_0681208C
Source: C:\Users\user\Desktop\parcel_images.exe	Code function: 0_2_06810D90	0_2_06810D90
Source: C:\Users\user\Desktop\parcel_images.exe	Code function: 0_2_06810530	0_2_06810530
Source: C:\Users\user\Desktop\parcel_images.exe	Code function: 0_2_0681AC65	0_2_0681AC65
Source: C:\Users\user\Desktop\parcel_images.exe	Code function: 0_2_06810D82	0_2_06810D82
Source: C:\Users\user\Desktop\parcel_images.exe	Code function: 0_2_068105F0	0_2_068105F0
Source: C:\Users\user\Desktop\parcel_images.exe	Code function: 0_2_06F8CC20	0_2_06F8CC20
Source: C:\Users\user\Desktop\parcel_images.exe	Code function: 0_2_06F8E120	0_2_06F8E120
Source: C:\Users\user\Desktop\parcel_images.exe	Code function: 0_2_06F8C500	0_2_06F8C500
Source: C:\Users\user\Desktop\parcel_images.exe	Code function: 0_2_06F8B0E8	0_2_06F8B0E8
Source: C:\Users\user\Desktop\parcel_images.exe	Code function: 0_2_06F8CEA8	0_2_06F8CEA8
Source: C:\Users\user\Desktop\parcel_images.exe	Code function: 0_2_06F8BC98	0_2_06F8BC98
Source: C:\Users\user\Desktop\parcel_images.exe	Code function: 0_2_06F8DE78	0_2_06F8DE78
Source: C:\Users\user\Desktop\parcel_images.exe	Code function: 0_2_06F8A250	0_2_06F8A250
Source: C:\Users\user\Desktop\parcel_images.exe	Code function: 0_2_06F8A9F8	0_2_06F8A9F8
Source: C:\Users\user\Desktop\parcel_images.exe	Code function: 0_2_06F8B728	0_2_06F8B728
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 4_2_01902477	4_2_01902477
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 4_2_01917ABE	4_2_01917ABE
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 4_2_03492FA8	4_2_03492FA8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 4_2_034923A0	4_2_034923A0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 4_2_03498BB8	4_2_03498BB8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 4_2_034997B8	4_2_034997B8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 4_2_03499ACB	4_2_03499ACB
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 4_2_03493850	4_2_03493850
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 4_2_0349B488	4_2_0349B488
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 4_2_034932BB	4_2_034932BB
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 4_2_0349306F	4_2_0349306F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 4_2_0349A060	4_2_0349A060
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 4_2_0349987F	4_2_0349987F

Source: parcel_images.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: parcel_images.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: parcel_images.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: parcel_images.exe	Static PE information: Resource name: RT_GROUP_ICON type: GLS_BINARY_LSB_FIRST
Source: kWLVXBfTFQKW.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: kWLVXBfTFQKW.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: kWLVXBfTFQKW.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: kWLVXBfTFQKW.exe.0.dr	Static PE information: Resource name: RT_GROUP_ICON type: GLS_BINARY_LSB_FIRST

Source: parcel_images.exe	Binary or memory string: OriginalFilename vs parcel_images.exe
Source: parcel_images.exe, 00000000.00000002.240637309.0000000000517000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameG vs parcel_images.exe
Source: parcel_images.exe, 00000000.00000002.253906839.0000000006AC0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs parcel_images.exe
Source: parcel_images.exe, 00000000.00000002.245931889.0000000004E70000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameTypeLibImporterFlags.dll4 vs parcel_images.exe
Source: parcel_images.exe, 00000000.00000002.254340963.0000000006F40000.00000002.00000001.sdmp	Binary or memory string: originalfilename vs parcel_images.exe
Source: parcel_images.exe, 00000000.00000002.254340963.0000000006F40000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs parcel_images.exe
Source: parcel_images.exe, 00000000.00000002.254894264.0000000007340000.00000002.00000001.sdmp	Binary or memory string: System.OriginalFileName vs parcel_images.exe
Source: parcel_images.exe, 00000000.00000002.253585075.0000000006820000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameAssemblyReferenceEntry.exeD vs parcel_images.exe
Source: parcel_images.exe	Binary or memory string: OriginalFilenameG vs parcel_images.exe

Source: parcel_images.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: 00000004.00000002.604092435.0000000005B00000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000004.00000002.604092435.0000000005B00000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.245819001.000000000416B000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.245819001.000000000416B000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000004.00000002.604237301.0000000005CB0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000004.00000002.604237301.0000000005CB0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000004.00000002.603472332.00000000048E8000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.243301800.0000000003CE1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.243301800.0000000003CE1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000004.00000002.604208395.0000000005CA0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000004.00000002.604208395.0000000005CA0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000004.00000002.595481599.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000004.00000002.595481599.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: RegSvcs.exe PID: 5420, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: RegSvcs.exe PID: 5420, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: parcel_images.exe PID: 6068, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: parcel_images.exe PID: 6068, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.2.RegSvcs.exe.5ca0000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.RegSvcs.exe.5ca0000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.RegSvcs.exe.5b00000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.RegSvcs.exe.5b00000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.2.RegSvcs.exe.5cb0000.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.RegSvcs.exe.5cb0000.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.RegSvcs.exe.5cb0000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.RegSvcs.exe.5cb0000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/

Source: parcel_images.exe	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: kWLVXBfTFQKW.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: 4.2.RegSvcs.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 4.2.RegSvcs.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 4.2.RegSvcs.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: classification engine

Classification label: mal100.troj.evad.winEXE@18/13@8/1

Source: C:\Users\user\Desktop\parcel_images.exe	Code function: 0_2_04E51CBE AdjustTokenPrivileges,	0_2_04E51CBE
Source: C:\Users\user\Desktop\parcel_images.exe	Code function: 0_2_04E51C87 AdjustTokenPrivileges,	0_2_04E51C87
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 4_2_05A0149A AdjustTokenPrivileges,	4_2_05A0149A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 4_2_05A01463 AdjustTokenPrivileges,	4_2_05A01463

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

File created: C:\Program Files (x86)\DHCP Monitor

Jump to behavior

Source: C:\Users\user\Desktop\parcel_images.exe

File created: C:\Users\user\AppData\Roaming\kWLVXBfTFQKW.exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5736:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4712:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:720:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5376:120:WilError_01
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{0c1e37c4-6fe0-4fbd-a4f4-dbf4c0453c4a}
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5620:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5384:120:WilError_01
Source: C:\Users\user\Desktop\parcel_images.exe	Mutant created: \Sessions\1\BaseNamedObjects\btYicyWOySdNftvOgyOAHWI

Source: C:\Users\user\Desktop\parcel_images.exe

File created: C:\Users\user\AppData\Local\Temp\tmp2412.tmp

Jump to behavior

Source: parcel_images.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\parcel_images.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior

Source: C:\Users\user\Desktop\parcel_images.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\parcel_images.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: parcel_images.exe	Virustotal: Detection: 47%
Source: parcel_images.exe	ReversingLabs: Detection: 31%

Source: C:\Users\user\Desktop\parcel_images.exe

File read: C:\Users\user\Desktop\parcel_images.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\parcel_images.exe 'C:\Users\user\Desktop\parcel_images.exe'
Source: unknown	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kWLVXBfTFQKW' /XML 'C:\Users\user\AppData\Local\Temp\tmp2412.tmp'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe {path}
Source: unknown	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpB461.tmp'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpB81B.tmp'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe 0
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\parcel_images.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kWLVXBfTFQKW' /XML 'C:\Users\user\AppData\Local\Temp\tmp2412.tmp'	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe {path}	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpB461.tmp'	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpB81B.tmp'	Jump to behavior

Source: C:\Users\user\Desktop\parcel_images.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\parcel_images.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Jump to behavior

Source: parcel_images.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: parcel_images.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: parcel_images.exe

Static file information: File size 1350144 > 1048576

Source: C:\Users\user\Desktop\parcel_images.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Jump to behavior

Source: parcel_images.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x10ee00

Source: parcel_images.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\NanoProtectPlugin\NanoProtectClient\obj\Debug\NanoProtectClient.pdb source: RegSvcs.exe, 00000004.00000002.603472332.00000000048E8000.00000004.00000001.sdmp
Source:	Binary string: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.pdb source: RegSvcs.exe, 00000004.00000002.599613900.0000000003565000.00000004.00000040.sdmp
Source:	Binary string: System.EnterpriseServices.Wrapper.pdb source: dhcpmon.exe, 0000000B.00000002.258862329.0000000005360000.00000002.00000001.sdmp
Source:	Binary string: indows\mscorlib.pdbpdblib.pdb source: RegSvcs.exe, 00000004.00000002.599613900.0000000003565000.00000004.00000040.sdmp
Source:	Binary string: indows\RegSvcs.pdbpdbvcs.pdb source: RegSvcs.exe, 00000004.00000002.599613900.0000000003565000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\symbols\exe\RegSvcs.pdb source: RegSvcs.exe, 00000004.00000002.599613900.0000000003565000.00000004.00000040.sdmp
Source:	Binary string: RegSvcs.pdb source: dhcpmon.exe, dhcpmon.exe.4.dr
Source:	Binary string: mscorrc.pdb source: parcel_images.exe, 00000000.00000002.253906839.0000000006AC0000.00000002.00000001.sdmp, RegSvcs.exe, 00000004.00000002.604432852.0000000006120000.00000002.00000001.sdmp, RegSvcs.exe, 00000009.00000002.255719251.0000000005290000.00000002.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.259020078.0000000005400000.00000002.00000001.sdmp

Data Obfuscation:

Detected unpacking (changes PE section rights)

Show sources

Source: C:\Users\user\Desktop\parcel_images.exe

Unpacked PE file: 0.2.parcel_images.exe.3d0000.0.unpack .text:ER;.rsrc:R;.reloc:R; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:R;

Detected unpacking (overwrites its own PE header)

Show sources

Source: C:\Users\user\Desktop\parcel_images.exe

Unpacked PE file: 0.2.parcel_images.exe.3d0000.0.unpack

.NET source code contains potential unpacker

Show sources

Source: 4.2.RegSvcs.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.2.RegSvcs.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: C:\Users\user\Desktop\parcel_images.exe	Code function: 0_2_003D4419 push es; retf	0_2_003D441C
Source: C:\Users\user\Desktop\parcel_images.exe	Code function: 0_2_0100054B pushfd ; retf	0_2_0100054D
Source: C:\Users\user\Desktop\parcel_images.exe	Code function: 0_2_01007581 push esp; retf	0_2_01007582
Source: C:\Users\user\Desktop\parcel_images.exe	Code function: 0_2_01007589 push esp; retf	0_2_0100758A
Source: C:\Users\user\Desktop\parcel_images.exe	Code function: 0_2_010075B8 push ebp; retf	0_2_010075BA
Source: C:\Users\user\Desktop\parcel_images.exe	Code function: 0_2_010075C1 push ebp; retf	0_2_010075C2
Source: C:\Users\user\Desktop\parcel_images.exe	Code function: 0_2_01008C49 push BAFFFFFEh; retn 0001h	0_2_01008C4E
Source: C:\Users\user\Desktop\parcel_images.exe	Code function: 0_2_01008CAE push eax; iretd	0_2_01008CB1
Source: C:\Users\user\Desktop\parcel_images.exe	Code function: 0_2_010037F0 pushad ; retf	0_2_010037F1
Source: C:\Users\user\Desktop\parcel_images.exe	Code function: 0_2_0681AE4B push es; iretd	0_2_0681AE4C
Source: C:\Users\user\Desktop\parcel_images.exe	Code function: 0_2_06814060 push es; retf	0_2_06814070
Source: C:\Users\user\Desktop\parcel_images.exe	Code function: 0_2_06F8355F push ebx; retf	0_2_06F83560
Source: C:\Users\user\Desktop\parcel_images.exe	Code function: 0_2_06F83D52 pushad ; ret	0_2_06F83D53
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 4_2_019174B8 push ebp; ret	4_2_019174B9
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 4_2_019174AC push ecx; ret	4_2_019174AD
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 4_2_01919D78 pushad ; retf	4_2_01919D79

Source: initial sample	Static PE information: section name: .text entropy: 7.47102153037
Source: initial sample	Static PE information: section name: .text entropy: 7.47102153037

Source: 4.2.RegSvcs.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 4.2.RegSvcs.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'

Source: C:\Users\user\Desktop\parcel_images.exe	File created: C:\Users\user\AppData\Roaming\kWLVXBfTFQKW.exe			Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe			Jump to dropped file

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules

Show sources

Source: unknown

Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kWLVXBfTFQKW' /XML 'C:\Users\user\AppData\Local\Temp\tmp2412.tmp'

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Users\user\Desktop\parcel_images.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM_3

Show sources

Source: Yara match

File source: Process Memory Space: parcel_images.exe PID: 6068, type: MEMORY

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: parcel_images.exe, 00000000.00000002.242365854.0000000002D3E000.00000004.00000001.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: parcel_images.exe, 00000000.00000002.242365854.0000000002D3E000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL
Source: parcel_images.exe, 00000000.00000002.242365854.0000000002D3E000.00000004.00000001.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAMEX1AR
Source: parcel_images.exe, 00000000.00000002.242365854.0000000002D3E000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLLX1AR&H

Source: C:\Users\user\Desktop\parcel_images.exe

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Jump to behavior

Source: C:\Users\user\Desktop\parcel_images.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Window / User API: threadDelayed 418	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Window / User API: threadDelayed 1121	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Window / User API: foregroundWindowGot 459	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Window / User API: foregroundWindowGot 1304	Jump to behavior

Source: C:\Users\user\Desktop\parcel_images.exe TID: 6000	Thread sleep time: -31500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe TID: 5988	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 2584	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 1636	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

Code function: 4_2_05A011C2 GetSystemInfo,

4_2_05A011C2

Source: parcel_images.exe, 00000000.00000002.242365854.0000000002D3E000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA IIX1arELH
Source: parcel_images.exe, 00000000.00000002.242365854.0000000002D3E000.00000004.00000001.sdmp	Binary or memory string: VMware
Source: parcel_images.exe, 00000000.00000002.242365854.0000000002D3E000.00000004.00000001.sdmp	Binary or memory string: VMWAREX1ar
Source: RegSvcs.exe, 00000004.00000002.598251567.0000000001930000.00000002.00000001.sdmp, RegSvcs.exe, 00000009.00000002.255844333.00000000052F0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.259080590.0000000005460000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: parcel_images.exe, 00000000.00000002.242365854.0000000002D3E000.00000004.00000001.sdmp	Binary or memory string: ar#"SOFTWARE\VMware, Inc.\VMware ToolsX1ar
Source: parcel_images.exe, 00000000.00000002.242365854.0000000002D3E000.00000004.00000001.sdmp	Binary or memory string: VMWARE\|9ar
Source: parcel_images.exe, 00000000.00000002.242365854.0000000002D3E000.00000004.00000001.sdmp	Binary or memory string: QEMUX1ar
Source: parcel_images.exe, 00000000.00000002.242365854.0000000002D3E000.00000004.00000001.sdmp	Binary or memory string: VMWARE
Source: parcel_images.exe, 00000000.00000002.242365854.0000000002D3E000.00000004.00000001.sdmp	Binary or memory string: VMware \|9ar
Source: parcel_images.exe, 00000000.00000002.242260159.0000000002CE1000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA IIX1arEL
Source: parcel_images.exe, 00000000.00000002.242365854.0000000002D3E000.00000004.00000001.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: RegSvcs.exe, 00000004.00000002.597587716.00000000015FC000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllY y
Source: RegSvcs.exe, 00000004.00000002.598251567.0000000001930000.00000002.00000001.sdmp, RegSvcs.exe, 00000009.00000002.255844333.00000000052F0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.259080590.0000000005460000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: parcel_images.exe, 00000000.00000002.242365854.0000000002D3E000.00000004.00000001.sdmp	Binary or memory string: VMware\|9ar
Source: parcel_images.exe, 00000000.00000002.242365854.0000000002D3E000.00000004.00000001.sdmp	Binary or memory string: vmwareX1ar
Source: RegSvcs.exe, 00000004.00000002.598251567.0000000001930000.00000002.00000001.sdmp, RegSvcs.exe, 00000009.00000002.255844333.00000000052F0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.259080590.0000000005460000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: parcel_images.exe, 00000000.00000002.242365854.0000000002D3E000.00000004.00000001.sdmp	Binary or memory string: VMware
Source: parcel_images.exe, 00000000.00000002.242365854.0000000002D3E000.00000004.00000001.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: parcel_images.exe, 00000000.00000002.242365854.0000000002D3E000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: parcel_images.exe, 00000000.00000002.242365854.0000000002D3E000.00000004.00000001.sdmp	Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: parcel_images.exe, 00000000.00000002.242365854.0000000002D3E000.00000004.00000001.sdmp	Binary or memory string: ar&%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\X1arK
Source: RegSvcs.exe, 00000004.00000002.598251567.0000000001930000.00000002.00000001.sdmp, RegSvcs.exe, 00000009.00000002.255844333.00000000052F0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.259080590.0000000005460000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Users\user\Desktop\parcel_images.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\parcel_images.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\parcel_images.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Allocates memory in foreign processes

Show sources

Source: C:\Users\user\Desktop\parcel_images.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 400000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\Desktop\parcel_images.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 400000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Show sources

Source: C:\Users\user\Desktop\parcel_images.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 402000	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 420000	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 422000	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 1010008	Jump to behavior

Source: C:\Users\user\Desktop\parcel_images.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kWLVXBfTFQKW' /XML 'C:\Users\user\AppData\Local\Temp\tmp2412.tmp'	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe {path}	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpB461.tmp'	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpB81B.tmp'	Jump to behavior

Source: RegSvcs.exe, 00000004.00000003.290249385.00000000015FC000.00000004.00000001.sdmp	Binary or memory string: Program Manager (x86)\DHCP Monitor\dhcpmon.exegSvcs.exe
Source: RegSvcs.exe, 00000004.00000002.603364013.0000000003B49000.00000004.00000001.sdmp	Binary or memory string: Program Manager
Source: RegSvcs.exe, 00000004.00000002.598599437.0000000001DC0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: RegSvcs.exe, 00000004.00000002.598599437.0000000001DC0000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: RegSvcs.exe, 00000004.00000002.602958083.0000000003945000.00000004.00000001.sdmp	Binary or memory string: Program Manager>A0
Source: RegSvcs.exe, 00000004.00000002.598599437.0000000001DC0000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\parcel_images.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

Code function: 4_2_0190AF9A GetUserNameW,

4_2_0190AF9A

Source: C:\Users\user\Desktop\parcel_images.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000000.00000002.245819001.000000000416B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.604237301.0000000005CB0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.603472332.00000000048E8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.243301800.0000000003CE1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.595481599.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 5420, type: MEMORY
Source: Yara match	File source: Process Memory Space: parcel_images.exe PID: 6068, type: MEMORY
Source: Yara match	File source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.5cb0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.5cb0000.5.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Detected Nanocore Rat

Show sources

Source: parcel_images.exe, 00000000.00000002.245819001.000000000416B000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: RegSvcs.exe, 00000004.00000002.604092435.0000000005B00000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: RegSvcs.exe, 00000004.00000002.604092435.0000000005B00000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: RegSvcs.exe, 00000004.00000002.603472332.00000000048E8000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoProtectClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoProtectClientClientPluginResourcesNanoProtectClient.My.ResourcesMySettingsMySettingsPropertyFunctionsNanoProtectClient.NanoProtectMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsGetProtectDirectoryGetProtectFileCreateProtectFileKillNanoCoreSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeLogClientMessageSystem.IOFileExistsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedEnvironmentSpecialFolderGetFolderPathPathCombineExceptionDirectoryDirectoryInfoCreateDirectoryFileStreamCreateProjectDataSetProjectErrorClearProjectErrorProcessGetCurrentProcessKillNanoProtectClient.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoProtectClient.dlla[NanoProtect]: Checking for NanoProtect module..

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000000.00000002.245819001.000000000416B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.604237301.0000000005CB0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.603472332.00000000048E8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.243301800.0000000003CE1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.595481599.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 5420, type: MEMORY
Source: Yara match	File source: Process Memory Space: parcel_images.exe PID: 6068, type: MEMORY
Source: Yara match	File source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.5cb0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.5cb0000.5.raw.unpack, type: UNPACKEDPE

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 4_2_05A0292E bind,		4_2_05A0292E
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 4_2_05A028FB bind,		4_2_05A028FB

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Scheduled Task/Job1	Scheduled Task/Job1	Access Token Manipulation1	Masquerading2	Input Capture11	Security Software Discovery211	Remote Services	Input Capture11	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Process Injection312	Virtualization/Sandbox Evasion3	LSASS Memory	Virtualization/Sandbox Evasion3	Remote Desktop Protocol	Archive Collected Data11	Exfiltration Over Bluetooth	Non-Standard Port1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Scheduled Task/Job1	Disable or Modify Tools1	Security Account Manager	Process Discovery2	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Remote Access Software1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Access Token Manipulation1	NTDS	Application Window Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Non-Application Layer Protocol1	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Process Injection312	LSA Secrets	Account Discovery1	SSH	Keylogging	Data Transfer Size Limits	Application Layer Protocol11	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Deobfuscate/Decode Files or Information1	Cached Domain Credentials	System Owner/User Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Hidden Files and Directories1	DCSync	File and Directory Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Obfuscated Files or Information3	Proc Filesystem	System Information Discovery13	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Software Packing33	/etc/passwd and /etc/shadow	System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
parcel_images.exe	48%	Virustotal		Browse
parcel_images.exe	32%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla
parcel_images.exe	100%	Avira	HEUR/AGEN.1120329
parcel_images.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\kWLVXBfTFQKW.exe	100%	Avira	HEUR/AGEN.1120329
C:\Users\user\AppData\Roaming\kWLVXBfTFQKW.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	0%	Metadefender		Browse
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	0%	ReversingLabs
C:\Users\user\AppData\Roaming\kWLVXBfTFQKW.exe	32%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla

Unpacked PE Files

Source	Detection	Scanner	Label	Download
4.2.RegSvcs.exe.5cb0000.5.unpack	100%	Avira	TR/NanoCore.fadte	Download File
4.2.RegSvcs.exe.400000.0.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
0.2.parcel_images.exe.3d0000.0.unpack	100%	Avira	HEUR/AGEN.1134873	Download File
0.0.parcel_images.exe.3d0000.0.unpack	100%	Avira	HEUR/AGEN.1120329	Download File

Domains

Source	Detection	Scanner	Label	Link
cldgr.duckdns.org	5%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
http://www.tiro.comw	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/jp/F	0%	Avira URL Cloud	safe
http://www.fonts.comh	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/O	0%	Avira URL Cloud	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.founder.c	0%	URL Reputation	safe
http://www.founder.c	0%	URL Reputation	safe
http://www.founder.c	0%	URL Reputation	safe
http://www.tiro.comF	0%	Avira URL Cloud	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/jp/	0%	URL Reputation	safe
http://www.fontbureau.comFP	0%	Avira URL Cloud	safe
http://www.fontbureau.coml1	0%	URL Reputation	safe
http://www.fontbureau.coml1	0%	URL Reputation	safe
http://www.fontbureau.coml1	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.founder.com.cn/cn/	0%	URL Reputation	safe
http://www.founder.com.cn/cn/	0%	URL Reputation	safe
http://www.founder.com.cn/cn/	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.fonts.comic	0%	URL Reputation	safe
http://www.fonts.comic	0%	URL Reputation	safe
http://www.fonts.comic	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/Y0/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/Y0/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/Y0/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.founder.com.cn/cn/e	0%	Avira URL Cloud	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.sandoll.co.krlearn	0%	Avira URL Cloud	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sandoll.co.krC	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/Y0a	0%	Avira URL Cloud	safe
http://www.sajatypeworks.compe	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cnl-n	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
cldgr.duckdns.org	69.61.59.215	true	true	5%, Virustotal, Browse	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.apache.org/licenses/LICENSE-2.0	parcel_images.exe, 00000000.00000002.246509480.00000000051D0000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com	parcel_images.exe, 00000000.00000002.246509480.00000000051D0000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com/designersG	parcel_images.exe, 00000000.00000002.246509480.00000000051D0000.00000002.00000001.sdmp	false		high
http://www.tiro.comw	parcel_images.exe, 00000000.00000003.216900726.000000000507B000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers/?	parcel_images.exe, 00000000.00000002.246509480.00000000051D0000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn/bThe	parcel_images.exe, 00000000.00000002.246509480.00000000051D0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/jp/F	parcel_images.exe, 00000000.00000003.219725000.0000000005064000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers?	parcel_images.exe, 00000000.00000002.246509480.00000000051D0000.00000002.00000001.sdmp	false		high
http://www.fonts.comh	parcel_images.exe, 00000000.00000003.216620193.000000000507B000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/O	parcel_images.exe, 00000000.00000003.219725000.0000000005064000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.tiro.com	parcel_images.exe, 00000000.00000002.246509480.00000000051D0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers	parcel_images.exe, 00000000.00000003.222434128.000000000506D000.00000004.00000001.sdmp, parcel_images.exe, 00000000.00000003.221895972.0000000005068000.00000004.00000001.sdmp, parcel_images.exe, 00000000.00000003.221943311.0000000005069000.00000004.00000001.sdmp	false		high
http://www.founder.c	parcel_images.exe, 00000000.00000003.218388349.0000000005064000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.tiro.comF	parcel_images.exe, 00000000.00000003.216945664.000000000507B000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.goodfont.co.kr	parcel_images.exe, 00000000.00000002.246509480.00000000051D0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/jp/	parcel_images.exe, 00000000.00000003.219725000.0000000005064000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.comFP	parcel_images.exe, 00000000.00000002.246216893.0000000005060000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.coml1	parcel_images.exe, 00000000.00000002.246216893.0000000005060000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.carterandcone.coml	parcel_images.exe, 00000000.00000002.246509480.00000000051D0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.sajatypeworks.com	parcel_images.exe, 00000000.00000002.246509480.00000000051D0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cn/	parcel_images.exe, 00000000.00000003.218388349.0000000005064000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.typography.netD	parcel_images.exe, 00000000.00000002.246509480.00000000051D0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	parcel_images.exe, 00000000.00000002.246509480.00000000051D0000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn/cThe	parcel_images.exe, 00000000.00000002.246509480.00000000051D0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	parcel_images.exe, 00000000.00000002.246509480.00000000051D0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://fontfabrik.com	parcel_images.exe, 00000000.00000002.246509480.00000000051D0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cn	parcel_images.exe, 00000000.00000002.246509480.00000000051D0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-jones.html	parcel_images.exe, 00000000.00000002.246509480.00000000051D0000.00000002.00000001.sdmp	false		high
http://www.fonts.comic	parcel_images.exe, 00000000.00000003.216665590.000000000507B000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/Y0/	parcel_images.exe, 00000000.00000003.219725000.0000000005064000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/	parcel_images.exe, 00000000.00000002.246509480.00000000051D0000.00000002.00000001.sdmp, parcel_images.exe, 00000000.00000003.219725000.0000000005064000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/DPlease	parcel_images.exe, 00000000.00000002.246509480.00000000051D0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	parcel_images.exe, 00000000.00000002.246509480.00000000051D0000.00000002.00000001.sdmp	false		high
http://www.fonts.com	parcel_images.exe, 00000000.00000003.216620193.000000000507B000.00000004.00000001.sdmp	false		high
http://www.sandoll.co.kr	parcel_images.exe, 00000000.00000002.246509480.00000000051D0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cn/e	parcel_images.exe, 00000000.00000003.218388349.0000000005064000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.urwpp.deDPlease	parcel_images.exe, 00000000.00000002.246509480.00000000051D0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers:	parcel_images.exe, 00000000.00000003.221943311.0000000005069000.00000004.00000001.sdmp	false		high
http://www.zhongyicts.com.cn	parcel_images.exe, 00000000.00000002.246509480.00000000051D0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.sandoll.co.krlearn	parcel_images.exe, 00000000.00000003.217510313.0000000005069000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.sakkal.com	parcel_images.exe, 00000000.00000002.246509480.00000000051D0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.sandoll.co.krC	parcel_images.exe, 00000000.00000003.217510313.0000000005069000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/Y0a	parcel_images.exe, 00000000.00000003.219725000.0000000005064000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.sajatypeworks.compe	parcel_images.exe, 00000000.00000003.216620193.000000000507B000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.founder.com.cn/cnl-n	parcel_images.exe, 00000000.00000003.218064819.000000000509D000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
69.61.59.215	unknown	United States		22653	GLOBALCOMPASSUS	true

General Information

Joe Sandbox Version:	31.0.0 Red Diamond
Analysis ID:	339033
Start date:	13.01.2021
Start time:	09:43:44
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 10m 18s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	parcel_images.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	40
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@18/13@8/1
EGA Information:	Failed
HDC Information:	Successful, ratio: 7.7% (good quality ratio 3.7%) Quality average: 31% Quality standard deviation: 38%
HCA Information:	Successful, ratio: 88% Number of executed functions: 442 Number of non-executed functions: 24
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information. Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, UsoClient.exe Excluded IPs from analysis (whitelisted): 104.43.139.144, 104.43.193.48, 92.122.144.200, 51.11.168.160, 92.122.213.194, 92.122.213.247, 8.248.139.254, 67.26.81.254, 8.248.113.254, 67.27.157.254, 8.248.135.254, 52.147.198.201, 51.103.5.186, 20.54.26.129, 52.155.217.156 Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, wns.notify.windows.com.akadns.net, arc.msn.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, par02p.wns.notify.windows.com.akadns.net, emea1.notify.windows.com.akadns.net, audownload.windowsupdate.nsatc.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, auto.au.download.windowsupdate.com.c.footprint.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, client.wns.windows.com, fs.microsoft.com, ris-prod.trafficmanager.net, displaycatalog.md.mp.microsoft.com.akadns.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, skypedataprdcolcus15.cloudapp.net, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, blobcollector.events.data.trafficmanager.net Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
09:44:44	API Interceptor	1x Sleep call for process: parcel_images.exe modified
09:44:50	Autostart	Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
09:44:52	Task Scheduler	Run new task: DHCP Monitor path: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe" s>$(Arg0)
09:44:52	API Interceptor	1373x Sleep call for process: RegSvcs.exe modified
09:44:55	Task Scheduler	Run new task: DHCP Monitor Task path: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" s>$(Arg0)

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
GLOBALCOMPASSUS	a4588f57322665c795bdf720abc23ffc.exe	Get hash	malicious	Browse	69.61.52.111
	Mf1iDAE6bE.exe	Get hash	malicious	Browse	69.61.52.111
	Buchung.doc	Get hash	malicious	Browse	69.61.42.251
	Buchung.doc	Get hash	malicious	Browse	69.61.42.251
	Buchung.doc	Get hash	malicious	Browse	69.61.42.251
	P64.exe	Get hash	malicious	Browse	69.61.38.132
	http://v.ht/v6GD	Get hash	malicious	Browse	69.61.26.121

JA3 Fingerprints

No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	0712020.exe	Get hash	malicious	Browse
	JfRbEbUkpV39K4L.exe	Get hash	malicious	Browse
	DECEMBER QUOTATION REQUEST FOR FR12007POH0008_PO0000143_ETQ.exe	Get hash	malicious	Browse
	DECEMBER QUOTATION REQUEST FOR FR12007POH0008_PO0000143_ETQ.exe	Get hash	malicious	Browse
	zC3edqmNNt.exe	Get hash	malicious	Browse
	Shipping Document.pdf..exe	Get hash	malicious	Browse
	PPR & CPR_HEA_DECEMBER 4 2020.exe	Get hash	malicious	Browse
	AdministratorDownloadsBL,.rar.exe	Get hash	malicious	Browse
	signed_19272.zip(#U007e18 KB) (2).exe	Get hash	malicious	Browse
	TT Swift Copy..,.exe	Get hash	malicious	Browse
	Invoice-.exe	Get hash	malicious	Browse
	Invoice..,.exe	Get hash	malicious	Browse
	Bank Update Info.exe	Get hash	malicious	Browse
	eLPEEvaFgq6CHTS.exe	Get hash	malicious	Browse
	NR.13346.exe	Get hash	malicious	Browse
	Quote 571189.exe	Get hash	malicious	Browse
	WyLE6g2Vrj.exe	Get hash	malicious	Browse
	SKM_C3350191107102300.exe	Get hash	malicious	Browse
	PO#1709 SHI Pdf.exe	Get hash	malicious	Browse
	DHL SHIPPINC DOCUUMEN....exe	Get hash	malicious	Browse

Created / dropped Files

C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	3.7515815714465193
Encrypted:	false
SSDEEP:	384:BOj9Y8/gS7SDriLGKq1MHR5U4Ag6ihJSxUCR1rgCPKabK2t0X5P7DZ+JgWSW72uw:B+gSAdN1MH3HAFRJngW2u
MD5:	71369277D09DA0830C8C59F9E22BB23A
SHA1:	37F9781314F0F6B7E9CB529A573F2B1C8DE9E93F
SHA-256:	D4527B7AD2FC4778CC5BE8709C95AEA44EAC0568B367EE14F7357D72898C3698
SHA-512:	2F470383E3C796C4CF212EC280854DBB9E7E8C8010CE6857E58F8E7066D7516B7CD7039BC5C0F547E1F5C7F9F2287869ADFFB2869800B08B2982A88BE96E9FB7
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: 0712020.exe, Detection: malicious, Browse Filename: JfRbEbUkpV39K4L.exe, Detection: malicious, Browse Filename: DECEMBER QUOTATION REQUEST FOR FR12007POH0008_PO0000143_ETQ.exe, Detection: malicious, Browse Filename: DECEMBER QUOTATION REQUEST FOR FR12007POH0008_PO0000143_ETQ.exe, Detection: malicious, Browse Filename: zC3edqmNNt.exe, Detection: malicious, Browse Filename: Shipping Document.pdf..exe, Detection: malicious, Browse Filename: PPR & CPR_HEA_DECEMBER 4 2020.exe, Detection: malicious, Browse Filename: AdministratorDownloadsBL,.rar.exe, Detection: malicious, Browse Filename: signed_19272.zip(#U007e18 KB) (2).exe, Detection: malicious, Browse Filename: TT Swift Copy..,.exe, Detection: malicious, Browse Filename: Invoice-.exe, Detection: malicious, Browse Filename: Invoice..,.exe, Detection: malicious, Browse Filename: Bank Update Info.exe, Detection: malicious, Browse Filename: eLPEEvaFgq6CHTS.exe, Detection: malicious, Browse Filename: NR.13346.exe, Detection: malicious, Browse Filename: Quote 571189.exe, Detection: malicious, Browse Filename: WyLE6g2Vrj.exe, Detection: malicious, Browse Filename: SKM_C3350191107102300.exe, Detection: malicious, Browse Filename: PO#1709 SHI Pdf.exe, Detection: malicious, Browse Filename: DHL SHIPPINC DOCUUMEN....exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....{Z.................P... .......k... ........@.. ...............................[....@..................................k..K................................... k............................................... ............... ..H............text....K... ...P.................. ..`.rsrc................`..............@..@.reloc...............p..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\RegSvcs.exe.log Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	120
Entropy (8bit):	5.016405576253028
Encrypted:	false
SSDEEP:	3:QHXMKaoWglAFXMWA2yTMGfsbNXLVd49Am12MFuAvOAsDeieVyn:Q3LawlAFXMWTyAGCFLIP12MUAvvrs
MD5:	50DEC1858E13F033E6DCA3CBFAD5E8DE
SHA1:	79AE1E9131B0FAF215B499D2F7B4C595AA120925
SHA-256:	14A557E226E3BA8620BB3A70035E1E316F1E9FB5C9E8F74C07110EE90B8D8AE4
SHA-512:	1BD73338DF685A5B57B0546E102ECFDEE65800410D6F77845E50456AC70DE72929088AF19B59647F01CBA7A5ACFB399C52D9EF2402A9451366586862EF88E7BF
Malicious:	false
Preview:	1,"fusion","GAC",0..2,"System.EnterpriseServices, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\dhcpmon.exe.log Download File
Process:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	120
Entropy (8bit):	5.016405576253028
Encrypted:	false
SSDEEP:	3:QHXMKaoWglAFXMWA2yTMGfsbNXLVd49Am12MFuAvOAsDeieVyn:Q3LawlAFXMWTyAGCFLIP12MUAvvrs
MD5:	50DEC1858E13F033E6DCA3CBFAD5E8DE
SHA1:	79AE1E9131B0FAF215B499D2F7B4C595AA120925
SHA-256:	14A557E226E3BA8620BB3A70035E1E316F1E9FB5C9E8F74C07110EE90B8D8AE4
SHA-512:	1BD73338DF685A5B57B0546E102ECFDEE65800410D6F77845E50456AC70DE72929088AF19B59647F01CBA7A5ACFB399C52D9EF2402A9451366586862EF88E7BF
Malicious:	false
Preview:	1,"fusion","GAC",0..2,"System.EnterpriseServices, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\parcel_images.exe.log Download File
Process:	C:\Users\user\Desktop\parcel_images.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	525
Entropy (8bit):	5.2874233355119316
Encrypted:	false
SSDEEP:	12:Q3LaJU20NaL10U29hJ5g1B0U2ukyrFk70Ug+9Yz9tv:MLF20NaL329hJ5g522rWz2T
MD5:	61CCF53571C9ABA6511D696CB0D32E45
SHA1:	A13A42A20EC14942F52DB20FB16A0A520F8183CE
SHA-256:	3459BDF6C0B7F9D43649ADAAF19BA8D5D133BCBE5EF80CF4B7000DC91E10903B
SHA-512:	90E180D9A681F82C010C326456AC88EBB89256CC769E900BFB4B2DF92E69CA69726863B45DFE4627FC1EE8C281F2AF86A6A1E2EF1710094CCD3F4E092872F06F
Malicious:	true
Preview:	1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0..

C:\Users\user\AppData\Local\Temp\tmp2412.tmp Download File
Process:	C:\Users\user\Desktop\parcel_images.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1645
Entropy (8bit):	5.205985051645918
Encrypted:	false
SSDEEP:	24:2dH4+SEqC/Q7hxlNMFp1/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBGtn:cbh47TlNQ//rydbz9I3YODOLNdq3K
MD5:	46E9E8EC1EFA43B5667F496648C15EAF
SHA1:	6AE45D320AC09AEA99CA3103C5A46A97B8D3AF3C
SHA-256:	18E19AB18E0DC61E3076AEBEC9EB5A6C1BD4904B53C767CDECE8E69F4AA5EDAF
SHA-512:	0FBF69C3FBB651ECC7299AE53EDA9D3DEB1B93DC0CE518B313FAFDBFE1FAC84FD26D0ABE1B984E32897B69CC03598698109DF079385994E0FEF2E186066553D6
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true

C:\Users\user\AppData\Local\Temp\tmpB461.tmp Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	5.135021273392143
Encrypted:	false
SSDEEP:	24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0mn4xtn:cbk4oL600QydbQxIYODOLedq3Z4j
MD5:	40B11EF601FB28F9B2E69D36857BF2EC
SHA1:	B6454020AD2CEED193F4792B77001D0BD741B370
SHA-256:	C51E12D18CC664425F6711D8AE2507068884C7057092CFA11884100E1E9D49E1
SHA-512:	E3C5BCC714CBFCA4B8058DDCDDF231DCEFA69C15881CE3F8123E59ED45CFB5DA052B56E1945DCF8DC7F800D62F9A4EECB82BCA69A66A1530787AEFFEB15E2BD5
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak

C:\Users\user\AppData\Local\Temp\tmpB81B.tmp Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1310
Entropy (8bit):	5.109425792877704
Encrypted:	false
SSDEEP:	24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0R3xtn:cbk4oL600QydbQxIYODOLedq3S3j
MD5:	5C2F41CFC6F988C859DA7D727AC2B62A
SHA1:	68999C85FC7E37BAB9216E0099836D40D4545C1C
SHA-256:	98B6E66B6C2173B9B91FC97FE51805340EFDE978B695453742EBAB631018398B
SHA-512:	B5DA5DA378D038AFBF8A7738E47921ED39F9B726E2CAA2993D915D9291A3322F94EFE8CCA6E7AD678A670DB19926B22B20E5028460FCC89CEA7F6635E7557334
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
File Type:	data
Category:	dropped
Size (bytes):	8
Entropy (8bit):	3.0
Encrypted:	false
SSDEEP:	3:Ot:C
MD5:	E398E3F1CD99EEB8CA347854BB3BE3C8
SHA1:	A2AE483FB695B17B260BA64D668C2B45115637AC
SHA-256:	65FEAEA5580D02F5666021D68C872A98AA2FD31D2279DD9DD3FB57254D2C1058
SHA-512:	AB38564C16F6152EBD0A8C8F79851962140A74A8F84CDC594CD7ABAF227BD8A493E682DC06D6B2D74D98B7BFD1DD7DFDB70F913D5455AF9DA876E0AEBC468824
Malicious:	true
Preview:	......H

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\task.dat Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	57
Entropy (8bit):	4.795707286467131
Encrypted:	false
SSDEEP:	3:oMty8WbSX/MNn:oMLWus
MD5:	D685103573539B7E9FDBF5F1D7DD96CE
SHA1:	4B2FE6B5C0B37954B314FCAEE1F12237A9B02D07
SHA-256:	D78BC23B0CA3EDDF52D56AB85CDC30A71B3756569CB32AA2F6C28DBC23C76E8E
SHA-512:	17769A5944E8929323A34269ABEEF0861D5C6799B0A27F5545FBFADC80E5AB684A471AD6F6A7FC623002385154EA89DE94013051E09120AB94362E542AB0F1DD
Malicious:	false
Preview:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

C:\Users\user\AppData\Roaming\kWLVXBfTFQKW.exe Download File
Process:	C:\Users\user\Desktop\parcel_images.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1350144
Entropy (8bit):	7.4795202963682215
Encrypted:	false
SSDEEP:	24576:fuul9wO6Vb1qm/gr5535mQwWdt3XB0zTaZ5VqIuJ:WA9dM1qKgr5N5mQVD3XoaEIuJ
MD5:	5F8A97A2C2B464C360A3628C73B88103
SHA1:	134AF6300DF733356A3BD6DBE94F42DBFD2F31D8
SHA-256:	74995E87513E47357C351F37565A1422202DACE38DC789308D72417B5797B93E
SHA-512:	2FD1F73C6BD869787347D1BDEA9D535E6ADA26DB2AEBEE0EF9A827D00D76654641A42DDF4763443F9D6181C75D8ED69375E9E52C19B16F50631C56E13382B446
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 32%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......_..............0.................. ... ....@.. ....................................@.....................................O.... ..x............................................................................ ............... ..H............text........ ...................... ..`.rsrc...x.... ......................@..@.reloc..............................@..B........................H........k..................x...........................................G.WI`,@..[.t`[SC..8<.X<.J..s..-.....~....k.0.......%..........b..,].4...\.5r4... .k..R.h8tJ_.....e.G .e..e}.3.yU....D......4H.T:..B5.._.J....L..g..~.96...,............Y...I.i8..-...!.^e...G...r............e.,g.F...Fh.p3E.1.;..m?...A...I.}..G.p......B..D(.krX..{.?..d.....r.....Qq.b.s....b...U.K..z.S..-7.#...mA`(.....=...../2.}...$.....2{<.%}...pV....b.+3.oL...W~...KHE.j5...^..+.

\Device\ConDrv Download File
Process:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1145
Entropy (8bit):	4.462201512373672
Encrypted:	false
SSDEEP:	24:zKLXkzPDObntKlglUEnfQtvNuNpKOK5aM9YJC:zKL0zPDQntKKH1MqJC
MD5:	46EBEB88876A00A52CC37B1F8E0D0438
SHA1:	5E5DB352F964E5F398301662FF558BD905798A65
SHA-256:	D65BD5A6CC112838AFE8FA70BF61FD13C1313BCE3EE3E76C50E454D7B581238B
SHA-512:	E713E6F304A469FB71235C598BC7E2C6F8458ABC61DAF3D1F364F66579CAFA4A7F3023E585BDA552FB400009E7805A8CA0311A50D5EDC9C2AD2D067772A071BE
Malicious:	false
Preview:	Microsoft (R) .NET Framework Services Installation Utility Version 2.0.50727.8922..Copyright (c) Microsoft Corporation. All rights reserved.....USAGE: regsvcs.exe [options] AssemblyName..Options:.. /? or /help Display this usage message... /fc Find or create target application (default)... /c Create target application, error if it already exists... /exapp Expect an existing application... /tlb:<tlbfile> Filename for the exported type library... /appname:<name> Use the specified name for the target application... /parname:<name> Use the specified name or id for the target partition... /extlb Use an existing type library... /reconfig Reconfigure existing target application (default)... /noreconfig Don't reconfigure existing target application... /u Uninstall target application... /nologo Suppress logo output... /quiet Suppress logo output and success output...

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.4795202963682215
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	parcel_images.exe
File size:	1350144
MD5:	5f8a97a2c2b464c360a3628c73b88103
SHA1:	134af6300df733356a3bd6dbe94f42dbfd2f31d8
SHA256:	74995e87513e47357c351f37565a1422202dace38dc789308d72417b5797b93e
SHA512:	2fd1f73c6bd869787347d1bdea9d535e6ada26db2aebee0ef9a827d00d76654641a42ddf4763443f9d6181c75d8ed69375e9e52c19b16f50631c56e13382b446
SSDEEP:	24576:fuul9wO6Vb1qm/gr5535mQwWdt3XB0zTaZ5VqIuJ:WA9dM1qKgr5N5mQVD3XoaEIuJ
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......_..............0.................. ... ....@.. ....................................@................................

File Icon


Icon Hash:	00c2a69c95a3b18a

Static PE Info

General
Entrypoint:	0x510cee
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x5FFDDBCE [Tue Jan 12 17:26:38 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:	v2.0.50727
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x110c9c	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x112000	0x3a778	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x14e000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x10ecf4	0x10ee00	False	0.764669618136	data	7.47102153037	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0x112000	0x3a778	0x3a800	False	0.758188100962	data	7.35311799178	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x14e000	0xc	0x200	False	0.044921875	data	0.0815394123432	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
RT_ICON	0x112400	0x5d9b	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
RT_ICON	0x11819c	0x668	data
RT_ICON	0x118804	0x2e8	dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 0, next used block 0
RT_ICON	0x118aec	0x1e8	data
RT_ICON	0x118cd4	0x128	GLS_BINARY_LSB_FIRST
RT_ICON	0x118dfc	0xbc4e	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
RT_ICON	0x124a4c	0xea8	data
RT_ICON	0x1258f4	0x8a8	dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 14808060, next used block 15528179
RT_ICON	0x12619c	0x6c8	data
RT_ICON	0x126864	0x568	GLS_BINARY_LSB_FIRST
RT_ICON	0x126dcc	0x106e1	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
RT_ICON	0x1374b0	0x10828	dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 4293322470, next used block 4293322470
RT_ICON	0x147cd8	0x25a8	data
RT_ICON	0x14a280	0x10a8	data
RT_ICON	0x14b328	0x988	data
RT_ICON	0x14bcb0	0x468	GLS_BINARY_LSB_FIRST
RT_GROUP_ICON	0x14c118	0xe6	GLS_BINARY_LSB_FIRST
RT_VERSION	0x14c200	0x388	data
RT_MANIFEST	0x14c588	0x1ea	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright Overwolf 2011 - 2020
Assembly Version	2.159.0.0
InternalName	x.exe
FileVersion	2.159.0.0
CompanyName	Overwolf Ltd.
LegalTrademarks
Comments	Overwolf Launcher
ProductName	OverwolfLauncher
ProductVersion	2.159.0.0
FileDescription	OverwolfLauncher
OriginalFilename	x.exe

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 13, 2021 09:44:54.503850937 CET	49713	60003	192.168.2.3	69.61.59.215
Jan 13, 2021 09:44:57.607218027 CET	49713	60003	192.168.2.3	69.61.59.215
Jan 13, 2021 09:45:03.607698917 CET	49713	60003	192.168.2.3	69.61.59.215
Jan 13, 2021 09:45:13.267003059 CET	49720	60003	192.168.2.3	69.61.59.215
Jan 13, 2021 09:45:16.265085936 CET	49720	60003	192.168.2.3	69.61.59.215
Jan 13, 2021 09:45:22.266592026 CET	49720	60003	192.168.2.3	69.61.59.215
Jan 13, 2021 09:45:31.136185884 CET	49732	60003	192.168.2.3	69.61.59.215
Jan 13, 2021 09:45:34.125889063 CET	49732	60003	192.168.2.3	69.61.59.215
Jan 13, 2021 09:45:40.126391888 CET	49732	60003	192.168.2.3	69.61.59.215
Jan 13, 2021 09:45:48.364228010 CET	49745	60003	192.168.2.3	69.61.59.215
Jan 13, 2021 09:45:51.377432108 CET	49745	60003	192.168.2.3	69.61.59.215
Jan 13, 2021 09:45:57.377882957 CET	49745	60003	192.168.2.3	69.61.59.215
Jan 13, 2021 09:46:07.698630095 CET	49746	60003	192.168.2.3	69.61.59.215
Jan 13, 2021 09:46:10.707190037 CET	49746	60003	192.168.2.3	69.61.59.215
Jan 13, 2021 09:46:16.707817078 CET	49746	60003	192.168.2.3	69.61.59.215
Jan 13, 2021 09:46:25.805608988 CET	49749	60003	192.168.2.3	69.61.59.215
Jan 13, 2021 09:46:28.818238974 CET	49749	60003	192.168.2.3	69.61.59.215
Jan 13, 2021 09:46:34.834044933 CET	49749	60003	192.168.2.3	69.61.59.215
Jan 13, 2021 09:46:44.508152008 CET	49751	60003	192.168.2.3	69.61.59.215
Jan 13, 2021 09:46:47.522659063 CET	49751	60003	192.168.2.3	69.61.59.215
Jan 13, 2021 09:46:53.538759947 CET	49751	60003	192.168.2.3	69.61.59.215
Jan 13, 2021 09:47:01.371797085 CET	49752	60003	192.168.2.3	69.61.59.215
Jan 13, 2021 09:47:04.383424997 CET	49752	60003	192.168.2.3	69.61.59.215
Jan 13, 2021 09:47:10.383960962 CET	49752	60003	192.168.2.3	69.61.59.215
Jan 13, 2021 09:47:21.661951065 CET	49760	60003	192.168.2.3	69.61.59.215
Jan 13, 2021 09:47:24.668900967 CET	49760	60003	192.168.2.3	69.61.59.215
Jan 13, 2021 09:47:30.685117960 CET	49760	60003	192.168.2.3	69.61.59.215
Jan 13, 2021 09:47:39.034679890 CET	49764	60003	192.168.2.3	69.61.59.215
Jan 13, 2021 09:47:42.047029972 CET	49764	60003	192.168.2.3	69.61.59.215
Jan 13, 2021 09:47:48.045860052 CET	49764	60003	192.168.2.3	69.61.59.215
Jan 13, 2021 09:47:55.899095058 CET	49765	60003	192.168.2.3	69.61.59.215
Jan 13, 2021 09:47:58.890527964 CET	49765	60003	192.168.2.3	69.61.59.215
Jan 13, 2021 09:48:04.891077042 CET	49765	60003	192.168.2.3	69.61.59.215

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 13, 2021 09:44:34.333743095 CET	57544	53	192.168.2.3	8.8.8.8
Jan 13, 2021 09:44:34.381649971 CET	53	57544	8.8.8.8	192.168.2.3
Jan 13, 2021 09:44:37.203447104 CET	55984	53	192.168.2.3	8.8.8.8
Jan 13, 2021 09:44:37.262717962 CET	53	55984	8.8.8.8	192.168.2.3
Jan 13, 2021 09:44:38.185195923 CET	64185	53	192.168.2.3	8.8.8.8
Jan 13, 2021 09:44:38.233155012 CET	53	64185	8.8.8.8	192.168.2.3
Jan 13, 2021 09:45:01.545357943 CET	65110	53	192.168.2.3	8.8.8.8
Jan 13, 2021 09:45:01.603347063 CET	53	65110	8.8.8.8	192.168.2.3
Jan 13, 2021 09:45:04.449789047 CET	58361	53	192.168.2.3	8.8.8.8
Jan 13, 2021 09:45:04.497692108 CET	53	58361	8.8.8.8	192.168.2.3
Jan 13, 2021 09:45:10.722126961 CET	63492	53	192.168.2.3	8.8.8.8
Jan 13, 2021 09:45:10.772866011 CET	53	63492	8.8.8.8	192.168.2.3
Jan 13, 2021 09:45:13.894362926 CET	60831	53	192.168.2.3	8.8.8.8
Jan 13, 2021 09:45:13.955360889 CET	53	60831	8.8.8.8	192.168.2.3
Jan 13, 2021 09:45:19.268448114 CET	60100	53	192.168.2.3	8.8.8.8
Jan 13, 2021 09:45:19.328114986 CET	53	60100	8.8.8.8	192.168.2.3
Jan 13, 2021 09:45:23.259563923 CET	53195	53	192.168.2.3	8.8.8.8
Jan 13, 2021 09:45:23.307626963 CET	53	53195	8.8.8.8	192.168.2.3
Jan 13, 2021 09:45:24.156563044 CET	50141	53	192.168.2.3	8.8.8.8
Jan 13, 2021 09:45:24.207159996 CET	53	50141	8.8.8.8	192.168.2.3
Jan 13, 2021 09:45:25.034158945 CET	53023	53	192.168.2.3	8.8.8.8
Jan 13, 2021 09:45:25.082011938 CET	53	53023	8.8.8.8	192.168.2.3
Jan 13, 2021 09:45:25.856472969 CET	49563	53	192.168.2.3	8.8.8.8
Jan 13, 2021 09:45:25.904483080 CET	53	49563	8.8.8.8	192.168.2.3
Jan 13, 2021 09:45:26.228674889 CET	51352	53	192.168.2.3	8.8.8.8
Jan 13, 2021 09:45:26.285161972 CET	53	51352	8.8.8.8	192.168.2.3
Jan 13, 2021 09:45:26.704996109 CET	59349	53	192.168.2.3	8.8.8.8
Jan 13, 2021 09:45:26.752753973 CET	53	59349	8.8.8.8	192.168.2.3
Jan 13, 2021 09:45:27.869165897 CET	57084	53	192.168.2.3	8.8.8.8
Jan 13, 2021 09:45:27.917099953 CET	53	57084	8.8.8.8	192.168.2.3
Jan 13, 2021 09:45:28.924225092 CET	58823	53	192.168.2.3	8.8.8.8
Jan 13, 2021 09:45:28.988331079 CET	53	58823	8.8.8.8	192.168.2.3
Jan 13, 2021 09:45:30.135087967 CET	57568	53	192.168.2.3	8.8.8.8
Jan 13, 2021 09:45:30.183042049 CET	53	57568	8.8.8.8	192.168.2.3
Jan 13, 2021 09:45:31.868583918 CET	50540	53	192.168.2.3	8.8.8.8
Jan 13, 2021 09:45:31.919320107 CET	53	50540	8.8.8.8	192.168.2.3
Jan 13, 2021 09:45:32.754411936 CET	54366	53	192.168.2.3	8.8.8.8
Jan 13, 2021 09:45:32.802298069 CET	53	54366	8.8.8.8	192.168.2.3
Jan 13, 2021 09:45:33.937077999 CET	53034	53	192.168.2.3	8.8.8.8
Jan 13, 2021 09:45:33.984966040 CET	53	53034	8.8.8.8	192.168.2.3
Jan 13, 2021 09:45:34.811177015 CET	57762	53	192.168.2.3	8.8.8.8
Jan 13, 2021 09:45:34.858980894 CET	53	57762	8.8.8.8	192.168.2.3
Jan 13, 2021 09:45:35.070216894 CET	55435	53	192.168.2.3	8.8.8.8
Jan 13, 2021 09:45:35.127886057 CET	53	55435	8.8.8.8	192.168.2.3
Jan 13, 2021 09:45:35.892827988 CET	50713	53	192.168.2.3	8.8.8.8
Jan 13, 2021 09:45:35.943481922 CET	53	50713	8.8.8.8	192.168.2.3
Jan 13, 2021 09:45:36.697566986 CET	56132	53	192.168.2.3	8.8.8.8
Jan 13, 2021 09:45:36.748310089 CET	53	56132	8.8.8.8	192.168.2.3
Jan 13, 2021 09:45:37.945439100 CET	58987	53	192.168.2.3	8.8.8.8
Jan 13, 2021 09:45:37.993451118 CET	53	58987	8.8.8.8	192.168.2.3
Jan 13, 2021 09:45:48.135365963 CET	56579	53	192.168.2.3	8.8.8.8
Jan 13, 2021 09:45:48.361251116 CET	53	56579	8.8.8.8	192.168.2.3
Jan 13, 2021 09:46:05.627103090 CET	60633	53	192.168.2.3	8.8.8.8
Jan 13, 2021 09:46:06.613348007 CET	60633	53	192.168.2.3	8.8.8.8
Jan 13, 2021 09:46:07.640835047 CET	60633	53	192.168.2.3	8.8.8.8
Jan 13, 2021 09:46:07.681154013 CET	61292	53	192.168.2.3	8.8.8.8
Jan 13, 2021 09:46:07.697180033 CET	53	60633	8.8.8.8	192.168.2.3
Jan 13, 2021 09:46:07.729074955 CET	53	61292	8.8.8.8	192.168.2.3
Jan 13, 2021 09:46:08.133135080 CET	63619	53	192.168.2.3	8.8.8.8
Jan 13, 2021 09:46:08.189217091 CET	53	63619	8.8.8.8	192.168.2.3
Jan 13, 2021 09:46:24.709707022 CET	64938	53	192.168.2.3	8.8.8.8
Jan 13, 2021 09:46:25.747082949 CET	64938	53	192.168.2.3	8.8.8.8
Jan 13, 2021 09:46:25.803514957 CET	53	64938	8.8.8.8	192.168.2.3
Jan 13, 2021 09:46:27.355315924 CET	61946	53	192.168.2.3	8.8.8.8
Jan 13, 2021 09:46:27.406039953 CET	53	61946	8.8.8.8	192.168.2.3
Jan 13, 2021 09:47:17.882894039 CET	64910	53	192.168.2.3	8.8.8.8
Jan 13, 2021 09:47:17.939028978 CET	53	64910	8.8.8.8	192.168.2.3
Jan 13, 2021 09:47:18.490910053 CET	52123	53	192.168.2.3	8.8.8.8
Jan 13, 2021 09:47:18.550342083 CET	53	52123	8.8.8.8	192.168.2.3
Jan 13, 2021 09:47:19.339732885 CET	56130	53	192.168.2.3	8.8.8.8
Jan 13, 2021 09:47:19.399055004 CET	53	56130	8.8.8.8	192.168.2.3
Jan 13, 2021 09:47:19.786098003 CET	56338	53	192.168.2.3	8.8.8.8
Jan 13, 2021 09:47:19.842426062 CET	53	56338	8.8.8.8	192.168.2.3
Jan 13, 2021 09:47:20.247715950 CET	59420	53	192.168.2.3	8.8.8.8
Jan 13, 2021 09:47:20.306716919 CET	53	59420	8.8.8.8	192.168.2.3
Jan 13, 2021 09:47:20.836133957 CET	58784	53	192.168.2.3	8.8.8.8
Jan 13, 2021 09:47:20.884103060 CET	53	58784	8.8.8.8	192.168.2.3
Jan 13, 2021 09:47:21.355182886 CET	63978	53	192.168.2.3	8.8.8.8
Jan 13, 2021 09:47:21.403188944 CET	53	63978	8.8.8.8	192.168.2.3
Jan 13, 2021 09:47:21.973181009 CET	62938	53	192.168.2.3	8.8.8.8
Jan 13, 2021 09:47:22.032345057 CET	53	62938	8.8.8.8	192.168.2.3
Jan 13, 2021 09:47:22.760703087 CET	55708	53	192.168.2.3	8.8.8.8
Jan 13, 2021 09:47:22.808765888 CET	53	55708	8.8.8.8	192.168.2.3
Jan 13, 2021 09:47:23.188142061 CET	56803	53	192.168.2.3	8.8.8.8
Jan 13, 2021 09:47:23.246738911 CET	53	56803	8.8.8.8	192.168.2.3
Jan 13, 2021 09:47:38.812094927 CET	57145	53	192.168.2.3	8.8.8.8
Jan 13, 2021 09:47:39.034037113 CET	53	57145	8.8.8.8	192.168.2.3
Jan 13, 2021 09:47:55.578761101 CET	55359	53	192.168.2.3	8.8.8.8
Jan 13, 2021 09:47:55.898293972 CET	53	55359	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jan 13, 2021 09:45:48.135365963 CET	192.168.2.3	8.8.8.8	0x87b	Standard query (0)	cldgr.duckdns.org	A (IP address)	IN (0x0001)
Jan 13, 2021 09:46:05.627103090 CET	192.168.2.3	8.8.8.8	0x4c82	Standard query (0)	cldgr.duckdns.org	A (IP address)	IN (0x0001)
Jan 13, 2021 09:46:06.613348007 CET	192.168.2.3	8.8.8.8	0x4c82	Standard query (0)	cldgr.duckdns.org	A (IP address)	IN (0x0001)
Jan 13, 2021 09:46:07.640835047 CET	192.168.2.3	8.8.8.8	0x4c82	Standard query (0)	cldgr.duckdns.org	A (IP address)	IN (0x0001)
Jan 13, 2021 09:46:24.709707022 CET	192.168.2.3	8.8.8.8	0xe1e2	Standard query (0)	cldgr.duckdns.org	A (IP address)	IN (0x0001)
Jan 13, 2021 09:46:25.747082949 CET	192.168.2.3	8.8.8.8	0xe1e2	Standard query (0)	cldgr.duckdns.org	A (IP address)	IN (0x0001)
Jan 13, 2021 09:47:38.812094927 CET	192.168.2.3	8.8.8.8	0x79e	Standard query (0)	cldgr.duckdns.org	A (IP address)	IN (0x0001)
Jan 13, 2021 09:47:55.578761101 CET	192.168.2.3	8.8.8.8	0xf082	Standard query (0)	cldgr.duckdns.org	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
Jan 13, 2021 09:45:48.361251116 CET	8.8.8.8	192.168.2.3	0x87b	No error (0)	cldgr.duckdns.org	69.61.59.215	A (IP address)	IN (0x0001)
Jan 13, 2021 09:46:07.697180033 CET	8.8.8.8	192.168.2.3	0x4c82	No error (0)	cldgr.duckdns.org	69.61.59.215	A (IP address)	IN (0x0001)
Jan 13, 2021 09:46:25.803514957 CET	8.8.8.8	192.168.2.3	0xe1e2	No error (0)	cldgr.duckdns.org	69.61.59.215	A (IP address)	IN (0x0001)
Jan 13, 2021 09:47:39.034037113 CET	8.8.8.8	192.168.2.3	0x79e	No error (0)	cldgr.duckdns.org	69.61.59.215	A (IP address)	IN (0x0001)
Jan 13, 2021 09:47:55.898293972 CET	8.8.8.8	192.168.2.3	0xf082	No error (0)	cldgr.duckdns.org	69.61.59.215	A (IP address)	IN (0x0001)

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: parcel_images.exe PID: 6068 Parent PID: 5532

General

Start time:	09:44:36
Start date:	13/01/2021
Path:	C:\Users\user\Desktop\parcel_images.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\parcel_images.exe'
Imagebase:	0x3d0000
File size:	1350144 bytes
MD5 hash:	5F8A97A2C2B464C360A3628C73B88103
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.245819001.000000000416B000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.245819001.000000000416B000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000000.00000002.245819001.000000000416B000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.243301800.0000000003CE1000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.243301800.0000000003CE1000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000000.00000002.243301800.0000000003CE1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Chronological Activities

Analysis Process: schtasks.exe PID: 5664 Parent PID: 6068

General

Start time:	09:44:47
Start date:	13/01/2021
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kWLVXBfTFQKW' /XML 'C:\Users\user\AppData\Local\Temp\tmp2412.tmp'
Imagebase:	0xd40000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 4712 Parent PID: 5664

General

Start time:	09:44:48
Start date:	13/01/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: RegSvcs.exe PID: 5420 Parent PID: 6068

General

Start time:	09:44:48
Start date:	13/01/2021
Path:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	{path}
Imagebase:	0xfd0000
File size:	32768 bytes
MD5 hash:	71369277D09DA0830C8C59F9E22BB23A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000002.604092435.0000000005B00000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000004.00000002.604092435.0000000005B00000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000002.604237301.0000000005CB0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000004.00000002.604237301.0000000005CB0000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000002.604237301.0000000005CB0000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000002.603472332.00000000048E8000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000004.00000002.603472332.00000000048E8000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000002.604208395.0000000005CA0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000004.00000002.604208395.0000000005CA0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000002.595481599.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000002.595481599.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000004.00000002.595481599.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	moderate

Chronological Activities

Analysis Process: schtasks.exe PID: 1928 Parent PID: 5420

General

Start time:	09:44:50
Start date:	13/01/2021
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpB461.tmp'
Imagebase:	0xd40000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 5736 Parent PID: 1928

General

Start time:	09:44:50
Start date:	13/01/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: schtasks.exe PID: 576 Parent PID: 5420

General

Start time:	09:44:51
Start date:	13/01/2021
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpB81B.tmp'
Imagebase:	0xd40000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 5376 Parent PID: 576

General

Start time:	09:44:51
Start date:	13/01/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: RegSvcs.exe PID: 5836 Parent PID: 528

General

Start time:	09:44:52
Start date:	13/01/2021
Path:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe 0
Imagebase:	0x800000
File size:	32768 bytes
MD5 hash:	71369277D09DA0830C8C59F9E22BB23A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	moderate

Chronological Activities

Analysis Process: conhost.exe PID: 5620 Parent PID: 5836

General

Start time:	09:44:53
Start date:	13/01/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: dhcpmon.exe PID: 5268 Parent PID: 528

General

Start time:	09:44:55
Start date:	13/01/2021
Path:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
Imagebase:	0xad0000
File size:	32768 bytes
MD5 hash:	71369277D09DA0830C8C59F9E22BB23A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Antivirus matches:	Detection: 0%, Metadefender, Browse Detection: 0%, ReversingLabs
Reputation:	moderate

Chronological Activities

Analysis Process: conhost.exe PID: 720 Parent PID: 5268

General

Start time:	09:44:55
Start date:	13/01/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: dhcpmon.exe PID: 5960 Parent PID: 3388

General

Start time:	09:44:59
Start date:	13/01/2021
Path:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
Imagebase:	0x160000
File size:	32768 bytes
MD5 hash:	71369277D09DA0830C8C59F9E22BB23A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	moderate

Chronological Activities

Analysis Process: conhost.exe PID: 5384 Parent PID: 5960

General

Start time:	09:44:59
Start date:	13/01/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: parcel_images.exe PID: 6068 Parent PID: 5532 parcel_images.exeCOMMON

Executed Functions

Function 06F8E120, Relevance: 2.2, Strings: 1, Instructions: 984COMMON

Download Yara Rule

Strings

$g^r, xrefs: 06F8E2BD

Memory Dump Source

Source File: 00000000.00000002.254355063.0000000006F80000.00000040.00000001.sdmp, Offset: 06F80000, based on PE: false

Similarity

API ID:
String ID: $g^r
API String ID: 0-3653196314
Opcode ID: 87b0e1797ce692cd4c39801013bb95ecdba285a091799a53663a5a6bb34b4a49
Instruction ID: 8ad6b7904c350226ab9a8bf1f6e9a3d4927069e222f1279b4f87bd0bdb8837cd
Opcode Fuzzy Hash: 87b0e1797ce692cd4c39801013bb95ecdba285a091799a53663a5a6bb34b4a49
Instruction Fuzzy Hash: E6B2AF75E00228DFDB65DF69C984BD9BBB2BF89304F1481E9D409AB225DB319E81CF40

Uniqueness

Uniqueness Score: -1.00%

Function 0681208C, Relevance: 1.7, Strings: 1, Instructions: 445COMMON

Download Yara Rule

Strings

$g^r, xrefs: 068120AF

Memory Dump Source

Source File: 00000000.00000002.253556230.0000000006810000.00000040.00000001.sdmp, Offset: 06810000, based on PE: false

Similarity

API ID:
String ID: $g^r
API String ID: 0-3653196314
Opcode ID: 68721d3d6bdfda4c127f0e28f96e9d6f7505eda848fe8612f032d50c5c3629ff
Instruction ID: 106370df461ef79506bda77b9134edd5a99c9a3fc247b7f58e11c6f0954afee0
Opcode Fuzzy Hash: 68721d3d6bdfda4c127f0e28f96e9d6f7505eda848fe8612f032d50c5c3629ff
Instruction Fuzzy Hash: D422DF7490522CCFEBA4DF64C869BEDBBB5BB49304F1081A9D509AB2A1CB745EC5CF40

Uniqueness

Uniqueness Score: -1.00%

Function 04E51C87, Relevance: 1.6, APIs: 1, Instructions: 75COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 04E51D07

Memory Dump Source

Source File: 00000000.00000002.245914621.0000000004E50000.00000040.00000001.sdmp, Offset: 04E50000, based on PE: false

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: befa1b48ded9b63b926f7e10df20738e59203962a22e87f5739fc89a00a18e20
Instruction ID: 65465401f067a1022ca681599a1095a39b50d77a56b76412dba2e663d1ddc525
Opcode Fuzzy Hash: befa1b48ded9b63b926f7e10df20738e59203962a22e87f5739fc89a00a18e20
Instruction Fuzzy Hash: CA21D175509380AFDB128F25DC40B52BFF4EF06310F0884DAED848F163D271A918DB62

Uniqueness

Uniqueness Score: -1.00%

Function 04E51D54, Relevance: 1.6, APIs: 1, Instructions: 62nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL(?,?,?,?), ref: 04E51DC9

Memory Dump Source

Source File: 00000000.00000002.245914621.0000000004E50000.00000040.00000001.sdmp, Offset: 04E50000, based on PE: false

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: 128cd1f5fb41b0d3796200801bbbf48bb09c9c6182f95510e620c8eb204561a5
Instruction ID: efb87ae692edcc7bb79220453e109e6eb0909c2d33107c64f93782f4ef54b47e
Opcode Fuzzy Hash: 128cd1f5fb41b0d3796200801bbbf48bb09c9c6182f95510e620c8eb204561a5
Instruction Fuzzy Hash: 1E218E724097C49FDB128B25DC45A92FFB0AF47314F0984CAED844F163D265A948DB61

Uniqueness

Uniqueness Score: -1.00%

Function 04E51CBE, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 04E51D07

Memory Dump Source

Source File: 00000000.00000002.245914621.0000000004E50000.00000040.00000001.sdmp, Offset: 04E50000, based on PE: false

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: 77c50d64c293df9263eacc5e1fa4e5a783f69b3ea68008cbb898d3de1062cd18
Instruction ID: 982fb554364264352afb33a1edf92c48af0d5d080c6abbd09dbcd7349460fb28
Opcode Fuzzy Hash: 77c50d64c293df9263eacc5e1fa4e5a783f69b3ea68008cbb898d3de1062cd18
Instruction Fuzzy Hash: 171170759006049FDB20CF55D844B56FFE4EF48321F08D4AADE458B622D6B1E458DB62

Uniqueness

Uniqueness Score: -1.00%

Function 04E51D8E, Relevance: 1.5, APIs: 1, Instructions: 38nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL(?,?,?,?), ref: 04E51DC9

Memory Dump Source

Source File: 00000000.00000002.245914621.0000000004E50000.00000040.00000001.sdmp, Offset: 04E50000, based on PE: false

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: 0c85c57248ba7e059048d7b5a80ef2a53d7dba2842c6138755665205e5c99598
Instruction ID: d04396a6843c2bb797b8855b818319707a36dbbcb1b20089e35285882f1dae3c
Opcode Fuzzy Hash: 0c85c57248ba7e059048d7b5a80ef2a53d7dba2842c6138755665205e5c99598
Instruction Fuzzy Hash: CD01AD31900644DFDB208F59D884B62FFE0EF08325F08D49ADE894B626D3B5A458DF72

Uniqueness

Uniqueness Score: -1.00%

Function 01002B08, Relevance: 1.5, Strings: 1, Instructions: 259COMMON

Download Yara Rule

Strings

4?!, xrefs: 01002BBD

Memory Dump Source

Source File: 00000000.00000002.241321999.0000000001000000.00000040.00000001.sdmp, Offset: 01000000, based on PE: false

Similarity

API ID:
String ID: 4?!
API String ID: 0-1346692007
Opcode ID: f3381a66b7797b732a5227a95bcc8bb6d4e287940b53ff6b92baf0a144aa877a
Instruction ID: e0b93c371c0f5e65deb1b31116e596b82ad1d25fafe8536339bf82729e99474e
Opcode Fuzzy Hash: f3381a66b7797b732a5227a95bcc8bb6d4e287940b53ff6b92baf0a144aa877a
Instruction Fuzzy Hash: C2C12774A0520ADFDB05CFA4C5888AEFBB2FF48310F249556C412BB295D734EA81CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0681AC65, Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.253556230.0000000006810000.00000040.00000001.sdmp, Offset: 06810000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bfede665374b0db3d7918f8c121c19bce50c87f5e882c7ed555040bf0a002630
Instruction ID: 1029a623e0d0e9ab5e80f4a22199557e6b1be60f56366847a511c179e38a8602
Opcode Fuzzy Hash: bfede665374b0db3d7918f8c121c19bce50c87f5e882c7ed555040bf0a002630
Instruction Fuzzy Hash: 0AB15974C4621CCFEBA8CF25D9557FDB7B9AB4A305F0091AAC10ABA290D7780AC5CF50

Uniqueness

Uniqueness Score: -1.00%

Function 01002AA5, Relevance: .3, Instructions: 279COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.241321999.0000000001000000.00000040.00000001.sdmp, Offset: 01000000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6e682db6f0f030241567732ac37a73c1a743c5d4f3966afad2e6b4fde7c489b
Instruction ID: cd343395ab186761803c7be91e75d6e04d3b63e88b107b806bd6aef80ae6ace4
Opcode Fuzzy Hash: a6e682db6f0f030241567732ac37a73c1a743c5d4f3966afad2e6b4fde7c489b
Instruction Fuzzy Hash: CAC16D7090520ADFDB06CFA4C5888AEFBB1FF59310F24959AC442AB295C734EB45CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 01002B01, Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.241321999.0000000001000000.00000040.00000001.sdmp, Offset: 01000000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd22eaed2888ee15430e8abbee08bb6712f6bcd199ce77ee3a1d0a548ef02f19
Instruction ID: 20082201caf8ab9ce3f4b6bac7bc940bf6f4339049122b595f03348f0c000218
Opcode Fuzzy Hash: cd22eaed2888ee15430e8abbee08bb6712f6bcd199ce77ee3a1d0a548ef02f19
Instruction Fuzzy Hash: 46B12870A0520ADFDB05CFA4C5888AEFBB2FF49310F249556C412AB295D734EA85CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 01000C50, Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.241321999.0000000001000000.00000040.00000001.sdmp, Offset: 01000000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67162479aa57fb3826bdfcd48be2cc4517d4d3b8ef058068ad4a1d655cc970f8
Instruction ID: e013e96ab5b985d9c802386a1d9ac267230e95205f5cb5fefc6477b634ef11f0
Opcode Fuzzy Hash: 67162479aa57fb3826bdfcd48be2cc4517d4d3b8ef058068ad4a1d655cc970f8
Instruction Fuzzy Hash: 6871C274D01219DFDB08CFE9C984AAEBBB2FF88300F10856AE405BB394DB355A428F54

Uniqueness

Uniqueness Score: -1.00%

Function 01000C4D, Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.241321999.0000000001000000.00000040.00000001.sdmp, Offset: 01000000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5984ae4802a1e245b191e2e664255d9588786c6ad4b16178e2725fa4ea34e2ee
Instruction ID: 8c5ef01317f2daef3a3eb30c240123d2c5484af797b206fcf1055ab846014bc6
Opcode Fuzzy Hash: 5984ae4802a1e245b191e2e664255d9588786c6ad4b16178e2725fa4ea34e2ee
Instruction Fuzzy Hash: 8C71A174D01219DFDB08CFE9C995AAEBBB2FF89300F10856AE405AB394DB355A428F54

Uniqueness

Uniqueness Score: -1.00%

Function 06810530, Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.253556230.0000000006810000.00000040.00000001.sdmp, Offset: 06810000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b91081426ace7d0ebf5bd25f8d52410c252fdb56bc3fb466674a5db3038b2273
Instruction ID: 21434fa5867db364f8a2bef289576ba6ff287294045f6c982cf75e4bb453de73
Opcode Fuzzy Hash: b91081426ace7d0ebf5bd25f8d52410c252fdb56bc3fb466674a5db3038b2273
Instruction Fuzzy Hash: FA415C71E012198FEB58DBAA8C4079EBBF7AFC8600F14C47AE609EB254DF304D418B91

Uniqueness

Uniqueness Score: -1.00%

Function 06F8C500, Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254355063.0000000006F80000.00000040.00000001.sdmp, Offset: 06F80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8edbbb3474b0f51f3a6fd631621861fae78b99729bb56a394449ae9bf3be489
Instruction ID: 7dc46fc8833d31c264c735cb18c8651d85d6e7e0a2185cb0943af1b99d8b939b
Opcode Fuzzy Hash: a8edbbb3474b0f51f3a6fd631621861fae78b99729bb56a394449ae9bf3be489
Instruction Fuzzy Hash: 9A515A75D15209EFDF44DFE4E984AADBBB2FF4A300F5094A9D106AB260DB349A00CF54

Uniqueness

Uniqueness Score: -1.00%

Function 01001374, Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.241321999.0000000001000000.00000040.00000001.sdmp, Offset: 01000000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a55ef4fc2f3ff18c688ac9c042be60ecae6776596d133e9cd6f184b47022753
Instruction ID: adda1e7ac46ec75e6a18eeced54fa2a035ba73245e6b1d571da791fd430d4ee4
Opcode Fuzzy Hash: 8a55ef4fc2f3ff18c688ac9c042be60ecae6776596d133e9cd6f184b47022753
Instruction Fuzzy Hash: BA512871D04209CFEB09CFAAD4805EEFBF2EB88300F14D06AD455AB251D7749A41CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 06F8CC20, Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254355063.0000000006F80000.00000040.00000001.sdmp, Offset: 06F80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd4a5fbb7e7e3653e4edb667995e2f35198b1d28400ccefb5514ae73d3dd5a22
Instruction ID: 1dd70fd86bd9a48c99c2e467c9c85b505cfb3a6d5c066ce018825de4f40c9be7
Opcode Fuzzy Hash: dd4a5fbb7e7e3653e4edb667995e2f35198b1d28400ccefb5514ae73d3dd5a22
Instruction Fuzzy Hash: 8341E674E04209DFDB44DFA5D9449ADFBF2FF89300F2090AAD805A7255DB309A51CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 010000F8, Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.241321999.0000000001000000.00000040.00000001.sdmp, Offset: 01000000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8d920fdeadbd13c6fd9799089a67ab5f895e511cc239abfc79be88374e1d000
Instruction ID: 6f1094ba5aee915b91c9c266be7ff76c8962fc21121b6a5e1fb285e248039773
Opcode Fuzzy Hash: b8d920fdeadbd13c6fd9799089a67ab5f895e511cc239abfc79be88374e1d000
Instruction Fuzzy Hash: D0410770E11619DFEB58CFAAD94469EFBF2BF89340F14C1A9D448AB224DB309A41CF51

Uniqueness

Uniqueness Score: -1.00%

Function 01001C53, Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.241321999.0000000001000000.00000040.00000001.sdmp, Offset: 01000000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3de289b68c55bbe8ef1f91497400948293afef45f963307815c928010f7d3b11
Instruction ID: a9648f44ad4cd902bb4a154103da92b6b95a55900f90c1bfd3ccaedb441259a6
Opcode Fuzzy Hash: 3de289b68c55bbe8ef1f91497400948293afef45f963307815c928010f7d3b11
Instruction Fuzzy Hash: 1121E771E016588BEB19CFAAD8446DEFBF3BFC9310F14C06AD409AA268DB345A45CF50

Uniqueness

Uniqueness Score: -1.00%

Function 06810D82, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.253556230.0000000006810000.00000040.00000001.sdmp, Offset: 06810000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a14ea44de10368d55621d3580bf3b5bd9d5d05127569e04b2ade54eece1f732c
Instruction ID: 080a5be5fd71dd3e680f4ddf9a2a93bbfcde29aaa699a1be5398ba84695f6472
Opcode Fuzzy Hash: a14ea44de10368d55621d3580bf3b5bd9d5d05127569e04b2ade54eece1f732c
Instruction Fuzzy Hash: A811FEB5E05609DBEB48DFABC84169DFBF7BFC9200F14C17AC409AA259EB3409468B51

Uniqueness

Uniqueness Score: -1.00%

Function 06810D90, Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.253556230.0000000006810000.00000040.00000001.sdmp, Offset: 06810000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a27b53b84a1592bdb59b1030d23023c7e4cc851f583298eba91b185cc14f8e55
Instruction ID: 1a990707530c7ab7a9b73f282695ec768050c7c79b6f775e325d3eb6fd887918
Opcode Fuzzy Hash: a27b53b84a1592bdb59b1030d23023c7e4cc851f583298eba91b185cc14f8e55
Instruction Fuzzy Hash: D311FE75E04609DBEB48DFABC84169EFBF7BFC8200F14C179C508A6258EB7409428F50

Uniqueness

Uniqueness Score: -1.00%

Function 068171F9, Relevance: 7.7, Strings: 5, Instructions: 1427COMMON

Download Yara Rule

Strings

`5ar, xrefs: 06817293
X1ar, xrefs: 0681720C
X1ar, xrefs: 06817E5F
$g^r, xrefs: 06817268
X1ar, xrefs: 06818158

Memory Dump Source

Source File: 00000000.00000002.253556230.0000000006810000.00000040.00000001.sdmp, Offset: 06810000, based on PE: false

Similarity

API ID:
String ID: $g^r$X1ar$X1ar$X1ar$`5ar
API String ID: 0-2309683945
Opcode ID: 27f529885b7f83d7c30623f346df1e2984d625daf1761f757a9bd1e46dbf1522
Instruction ID: bfc520610363231bcba61af31961afece32d56a0384a6c9dae2fba7252d6f847
Opcode Fuzzy Hash: 27f529885b7f83d7c30623f346df1e2984d625daf1761f757a9bd1e46dbf1522
Instruction Fuzzy Hash: B6E2307A500114EFCB569F94C948E94BBB2FF4D314B1A81D8E60A9F232C732D8A1EF51

Uniqueness

Uniqueness Score: -1.00%

Function 04E51677, Relevance: 1.6, APIs: 1, Instructions: 102COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,00000E2C), ref: 04E51727

Memory Dump Source

Source File: 00000000.00000002.245914621.0000000004E50000.00000040.00000001.sdmp, Offset: 04E50000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 9606178167516a2a37584b098a401dfbad9662a80d13e95b0e4fe543368aa076
Instruction ID: b2d570b674d970a186246b1b7f508fab96be79142ea8f46c0fae001e441b1b6b
Opcode Fuzzy Hash: 9606178167516a2a37584b098a401dfbad9662a80d13e95b0e4fe543368aa076
Instruction Fuzzy Hash: C131B471404384AFE7128F65DC44F67BFACEF46310F04849BF985CB162D264A919DB71

Uniqueness

Uniqueness Score: -1.00%

Function 04E50F66, Relevance: 1.6, APIs: 1, Instructions: 94COMMON

Download Yara Rule

APIs

GetTokenInformation.KERNELBASE(?,00000E2C,BA9DA4F2,00000000,00000000,00000000,00000000), ref: 04E51010

Memory Dump Source

Source File: 00000000.00000002.245914621.0000000004E50000.00000040.00000001.sdmp, Offset: 04E50000, based on PE: false

Similarity

API ID: InformationToken
String ID:
API String ID: 4114910276-0
Opcode ID: c9f22803fcf13a2029249369a720cd9dc1e4bd2d2a3d516e60cc154535cbfac1
Instruction ID: 18ebc5e57fc01c7d8c920f3b11df9991249efefe44be5bb256670cb3ed6c4d01
Opcode Fuzzy Hash: c9f22803fcf13a2029249369a720cd9dc1e4bd2d2a3d516e60cc154535cbfac1
Instruction Fuzzy Hash: 7F31C771409380AFE7228F64DC45F97FFB8EF06314F08849BE9849B162D624A908C771

Uniqueness

Uniqueness Score: -1.00%

Function 00AFACD2, Relevance: 1.6, APIs: 1, Instructions: 92registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,00000E2C), ref: 00AFAD81

Memory Dump Source

Source File: 00000000.00000002.240985131.0000000000AFA000.00000040.00000001.sdmp, Offset: 00AFA000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 65ee0c342cc89199c63b7193fe8249cf0a1f87efc0406f9917eb265e1b05f422
Instruction ID: 515d6bc108de9c1d4c4683cdb78fbebd01a301f467888a006dd23a97c03b8b6b
Opcode Fuzzy Hash: 65ee0c342cc89199c63b7193fe8249cf0a1f87efc0406f9917eb265e1b05f422
Instruction Fuzzy Hash: 7831E872504384AFE7228B64CC45FA7FFACEF16710F04849BFE849B252D264A849C771

Uniqueness

Uniqueness Score: -1.00%

Function 04E50AF4, Relevance: 1.6, APIs: 1, Instructions: 90fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 04E50B95

Memory Dump Source

Source File: 00000000.00000002.245914621.0000000004E50000.00000040.00000001.sdmp, Offset: 04E50000, based on PE: false

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 1894c2e7453f2cf182c3ab02c57f80ec519a0f03ad382fa6f5e646e9c50515bc
Instruction ID: b8e3fa56955d530e97cc56e1fafa7d2eecde88a8b496cc1088465ccc13f996df
Opcode Fuzzy Hash: 1894c2e7453f2cf182c3ab02c57f80ec519a0f03ad382fa6f5e646e9c50515bc
Instruction Fuzzy Hash: E2316D71504344AFE722CF65CC84F66FFE8EF45614F08849AED858B262D375E805CB61

Uniqueness

Uniqueness Score: -1.00%

Function 04E50916, Relevance: 1.6, APIs: 1, Instructions: 89synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNELBASE(?,?), ref: 04E509BD

Memory Dump Source

Source File: 00000000.00000002.245914621.0000000004E50000.00000040.00000001.sdmp, Offset: 04E50000, based on PE: false

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: e42d247a05515f09e938b063b8bcc8c00154fce8b73da9798aaf24b3989a88a1
Instruction ID: 4db0c74504a1bcdfc65461b4c6cc209337a361f21155ef9e9e9460fbd5e674f8
Opcode Fuzzy Hash: e42d247a05515f09e938b063b8bcc8c00154fce8b73da9798aaf24b3989a88a1
Instruction Fuzzy Hash: CB3181715097806FE712CF25DC44F56FFE8EF46314F08849AE984CB2A3D365A909C761

Uniqueness

Uniqueness Score: -1.00%

Function 00AFADC9, Relevance: 1.6, APIs: 1, Instructions: 89registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,BA9DA4F2,00000000,00000000,00000000,00000000), ref: 00AFAE84

Memory Dump Source

Source File: 00000000.00000002.240985131.0000000000AFA000.00000040.00000001.sdmp, Offset: 00AFA000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 11cfbc2431f49491df59500b20de99a60fd9e7f651151689a359d1d8bc5f9462
Instruction ID: c9fa2f8708f279c62390cd4c90b4a6851c61fdb293ae069b9ccad6d2c835c389
Opcode Fuzzy Hash: 11cfbc2431f49491df59500b20de99a60fd9e7f651151689a359d1d8bc5f9462
Instruction Fuzzy Hash: 1B31B572105384AFD721CB65CC44FA2BFA8EF16310F08849AE985CB252D260E848CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00AFA35C, Relevance: 1.6, APIs: 1, Instructions: 86COMMON

Download Yara Rule

APIs

SetConsoleCtrlHandler.KERNELBASE(?,00000E2C,?,?), ref: 00AFA3F6

Memory Dump Source

Source File: 00000000.00000002.240985131.0000000000AFA000.00000040.00000001.sdmp, Offset: 00AFA000, based on PE: false

Similarity

API ID: ConsoleCtrlHandler
String ID:
API String ID: 1513847179-0
Opcode ID: e06cd9266743ac257ca4c1b8fff39e0d09080fd625fcdc44a39b27bcc65375a6
Instruction ID: e3a5a7c88375927d74378e4e4b2207016e6f641973eb5fe1a6fda8ff85fa5481
Opcode Fuzzy Hash: e06cd9266743ac257ca4c1b8fff39e0d09080fd625fcdc44a39b27bcc65375a6
Instruction Fuzzy Hash: CB31917540E3C06FD3138B258C51B62BFB4EF87610F0A41DBE884CB5A3D228A919C772

Uniqueness

Uniqueness Score: -1.00%

Function 04E51297, Relevance: 1.6, APIs: 1, Instructions: 85COMMON

Download Yara Rule

APIs

LsaOpenPolicy.ADVAPI32(?,00000E2C), ref: 04E51333

Memory Dump Source

Source File: 00000000.00000002.245914621.0000000004E50000.00000040.00000001.sdmp, Offset: 04E50000, based on PE: false

Similarity

API ID: OpenPolicy
String ID:
API String ID: 2030686058-0
Opcode ID: 5e8f1a62e44b876933aa1ad13d86699c7196248b109ed00fabeece9cb6a4c156
Instruction ID: 3c755f027d50bb8259496b2afa09960979126c684c243c2c0b99f09cbddc86ad
Opcode Fuzzy Hash: 5e8f1a62e44b876933aa1ad13d86699c7196248b109ed00fabeece9cb6a4c156
Instruction Fuzzy Hash: CF21B472504344AFE721CF65DC44F6AFFB8EF46310F18849AED849B252C364A948CB61

Uniqueness

Uniqueness Score: -1.00%

Function 04E516AA, Relevance: 1.6, APIs: 1, Instructions: 80COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,00000E2C), ref: 04E51727

Memory Dump Source

Source File: 00000000.00000002.245914621.0000000004E50000.00000040.00000001.sdmp, Offset: 04E50000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 539db9592da164b2272be2a57a661166589ebd3326c81040b4f9f42aa483b497
Instruction ID: 8e2f3a8dc580fd34d6fd468f0746cb3e300c2febec48e982a04e32604a93f318
Opcode Fuzzy Hash: 539db9592da164b2272be2a57a661166589ebd3326c81040b4f9f42aa483b497
Instruction Fuzzy Hash: 7821D372500304AFEB219F68DC44FABFBACEF05310F14886AFE45DB661D670A4588B71

Uniqueness

Uniqueness Score: -1.00%

Function 04E50BEC, Relevance: 1.6, APIs: 1, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E2C,BA9DA4F2,00000000,00000000,00000000,00000000), ref: 04E50C81

Memory Dump Source

Source File: 00000000.00000002.245914621.0000000004E50000.00000040.00000001.sdmp, Offset: 04E50000, based on PE: false

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: a8d7384f556038b3427cb48e331456dad57328a19186be040669a778ec3e739c
Instruction ID: ef7edd418315ba73e1b8d61ca8b290de6c723298b765de2f42e31ae31416d154
Opcode Fuzzy Hash: a8d7384f556038b3427cb48e331456dad57328a19186be040669a778ec3e739c
Instruction Fuzzy Hash: 4C21F8B64097846FE7128B25DC40FA2BFB8EF47720F1880DBED859B163D264A905C771

Uniqueness

Uniqueness Score: -1.00%

Function 04E51785, Relevance: 1.6, APIs: 1, Instructions: 78fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(?), ref: 04E5180C

Memory Dump Source

Source File: 00000000.00000002.245914621.0000000004E50000.00000040.00000001.sdmp, Offset: 04E50000, based on PE: false

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 6c5d645e0786803aa7ff12b7cf5f2e99725d4f278529bf24975ef920a9d66d1b
Instruction ID: b9d6a2f6a252132b1faf0c9d035a988d8d752d4aa1880c4f8f28cc5967f72b76
Opcode Fuzzy Hash: 6c5d645e0786803aa7ff12b7cf5f2e99725d4f278529bf24975ef920a9d66d1b
Instruction Fuzzy Hash: 7F21D1729093C09FD713CB35DC54B92BFA4DF47614F0984DADD848F263D665A908C762

Uniqueness

Uniqueness Score: -1.00%

Function 04E50B16, Relevance: 1.6, APIs: 1, Instructions: 76fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 04E50B95

Memory Dump Source

Source File: 00000000.00000002.245914621.0000000004E50000.00000040.00000001.sdmp, Offset: 04E50000, based on PE: false

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: fb06684b828ade064072df7709b08902a9541a4735d09e88144248eb74a74979
Instruction ID: 163c41f9423445594705679cf74f573467ca365e52c7c5e87142b75d30d9084b
Opcode Fuzzy Hash: fb06684b828ade064072df7709b08902a9541a4735d09e88144248eb74a74979
Instruction Fuzzy Hash: F3217A71500604AFE721DF65C885FA6FBE8EF08724F14846AEE858B662D371F504CB61

Uniqueness

Uniqueness Score: -1.00%

Function 04E51B04, Relevance: 1.6, APIs: 1, Instructions: 74COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 04E51B86

Memory Dump Source

Source File: 00000000.00000002.245914621.0000000004E50000.00000040.00000001.sdmp, Offset: 04E50000, based on PE: false

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 8cd155b87c87eaad926cf7a0dd8b91b4a966afb199de69a42a87e904a5120ee4
Instruction ID: 381306cbf6e6b5168cf1cec92e9e7bd8063fe3744f4f2b35a8f7ec1c32ef943d
Opcode Fuzzy Hash: 8cd155b87c87eaad926cf7a0dd8b91b4a966afb199de69a42a87e904a5120ee4
Instruction Fuzzy Hash: CC2190725093809FD7528B25DC45B92FFE8EF06214F0D84EAED88CB163E264E948CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00AFAD02, Relevance: 1.6, APIs: 1, Instructions: 74registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,00000E2C), ref: 00AFAD81

Memory Dump Source

Source File: 00000000.00000002.240985131.0000000000AFA000.00000040.00000001.sdmp, Offset: 00AFA000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 456c70fa9c77a51b43af5a722fd1ecc1e0e55cf82d3f86cbf288500ff481b2aa
Instruction ID: f361f79f57559ada980ca1613847876a4a3951ab2833e3109cf862df6c32625d
Opcode Fuzzy Hash: 456c70fa9c77a51b43af5a722fd1ecc1e0e55cf82d3f86cbf288500ff481b2aa
Instruction Fuzzy Hash: FB21D1B2500604AFE7219B54CC84FABFBECEF14710F14841BFE459B641D660E8088BB2

Uniqueness

Uniqueness Score: -1.00%

Function 04E512C2, Relevance: 1.6, APIs: 1, Instructions: 72COMMON

Download Yara Rule

APIs

LsaOpenPolicy.ADVAPI32(?,00000E2C), ref: 04E51333

Memory Dump Source

Source File: 00000000.00000002.245914621.0000000004E50000.00000040.00000001.sdmp, Offset: 04E50000, based on PE: false

Similarity

API ID: OpenPolicy
String ID:
API String ID: 2030686058-0
Opcode ID: 037c585341a809f1f4a026f7ba826549be7d0d6d27a1da754b6d298a70938c52
Instruction ID: 4b9b411a7693c15711897691384af986d9a937bb195fa1cda3ff7d30c26bfab3
Opcode Fuzzy Hash: 037c585341a809f1f4a026f7ba826549be7d0d6d27a1da754b6d298a70938c52
Instruction Fuzzy Hash: DF21C072900304AFEB20DF29DC44F6AFBACEF44710F14846AEE849B651D274A5098B71

Uniqueness

Uniqueness Score: -1.00%

Function 04E5094A, Relevance: 1.6, APIs: 1, Instructions: 72synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNELBASE(?,?), ref: 04E509BD

Memory Dump Source

Source File: 00000000.00000002.245914621.0000000004E50000.00000040.00000001.sdmp, Offset: 04E50000, based on PE: false

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 21e7bbbc1a0efc9d9934abd32427225387837b4dba4486e91728650980331fb7
Instruction ID: 0e75fe4f65cfa154f6fa7f06e8a426e9b63e99dc181aefd4d49db3641495f0a9
Opcode Fuzzy Hash: 21e7bbbc1a0efc9d9934abd32427225387837b4dba4486e91728650980331fb7
Instruction Fuzzy Hash: 49218E71600644AFF720DF29DC85BA6FBE8EF44724F14846AEE858B252E771E904CA71

Uniqueness

Uniqueness Score: -1.00%

Function 04E50D9E, Relevance: 1.6, APIs: 1, Instructions: 70fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,00000E2C,BA9DA4F2,00000000,00000000,00000000,00000000), ref: 04E50E1D

Memory Dump Source

Source File: 00000000.00000002.245914621.0000000004E50000.00000040.00000001.sdmp, Offset: 04E50000, based on PE: false

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: ec03cef451c51da19d898abf8e516e17c0aeeff5dbacd0662714bba22ff23aae
Instruction ID: 220ec7a0da0b9cd80426304548f3e4654e0733c4b7a3c012f1137443ae2acd92
Opcode Fuzzy Hash: ec03cef451c51da19d898abf8e516e17c0aeeff5dbacd0662714bba22ff23aae
Instruction Fuzzy Hash: C1219272405344AFDB228F55DC44F57FFB8EF46310F18849BEA459B152C264A408CB71

Uniqueness

Uniqueness Score: -1.00%

Function 00AFA1F4, Relevance: 1.6, APIs: 1, Instructions: 70memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 00AFA275

Memory Dump Source

Source File: 00000000.00000002.240985131.0000000000AFA000.00000040.00000001.sdmp, Offset: 00AFA000, based on PE: false

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 6b4462a20173ed1dae7d0a4e97804fb77088ac0c10ff144c01ee03acc5ec12d3
Instruction ID: 9ee655c807b83b870dfb14c6207985c0320ef381792b35fc50020974534ce3dd
Opcode Fuzzy Hash: 6b4462a20173ed1dae7d0a4e97804fb77088ac0c10ff144c01ee03acc5ec12d3
Instruction Fuzzy Hash: CA21AF754093C0AFD7138B218C54AA2FFB4EF07220F0D81DFE9848B563D2659819DB62

Uniqueness

Uniqueness Score: -1.00%

Function 04E50FA6, Relevance: 1.6, APIs: 1, Instructions: 69COMMON

Download Yara Rule

APIs

GetTokenInformation.KERNELBASE(?,00000E2C,BA9DA4F2,00000000,00000000,00000000,00000000), ref: 04E51010

Memory Dump Source

Source File: 00000000.00000002.245914621.0000000004E50000.00000040.00000001.sdmp, Offset: 04E50000, based on PE: false

Similarity

API ID: InformationToken
String ID:
API String ID: 4114910276-0
Opcode ID: 5face0bb357ece20be31abfb4de1fa131c9457f830e899e1495d8597218109f2
Instruction ID: e574a878fc1fdc968928aab327f6f5aee2f4fe584170daa2c92294cbd2878a6f
Opcode Fuzzy Hash: 5face0bb357ece20be31abfb4de1fa131c9457f830e899e1495d8597218109f2
Instruction Fuzzy Hash: FB119D71500244EFEB218F65DC84FABFBACEF45320F14886BEE499B251D674A8498B71

Uniqueness

Uniqueness Score: -1.00%

Function 00AFAE0A, Relevance: 1.6, APIs: 1, Instructions: 69registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,BA9DA4F2,00000000,00000000,00000000,00000000), ref: 00AFAE84

Memory Dump Source

Source File: 00000000.00000002.240985131.0000000000AFA000.00000040.00000001.sdmp, Offset: 00AFA000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 7fc8c701d17a10a610264e7456dd0c8237ff5dab31ba59356574cfaf9494c5d7
Instruction ID: f1e74db601793ced3101e8126e0934f8dad3906143a335f319df8e1f7c051c05
Opcode Fuzzy Hash: 7fc8c701d17a10a610264e7456dd0c8237ff5dab31ba59356574cfaf9494c5d7
Instruction Fuzzy Hash: 5B218EB2600604AFE720CF55DC84FA7BBECEF14710F14846AEE499B251D770E848CA72

Uniqueness

Uniqueness Score: -1.00%

Function 04E51A48, Relevance: 1.6, APIs: 1, Instructions: 68injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 04E51AC8

Memory Dump Source

Source File: 00000000.00000002.245914621.0000000004E50000.00000040.00000001.sdmp, Offset: 04E50000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: fbc555cb471c30758eb8037808b37e7cf6d71f2cccd3996bf293133667f05bb1
Instruction ID: b2d27185adb90b07148d37601998b410b5b5b5c6c8583d544d25ab3962ddfeaf
Opcode Fuzzy Hash: fbc555cb471c30758eb8037808b37e7cf6d71f2cccd3996bf293133667f05bb1
Instruction Fuzzy Hash: BA21CC764093C09FDB128F25DC84A92FFF4EF06220F0981DEED858B163D264A858DB22

Uniqueness

Uniqueness Score: -1.00%

Function 00AFB929, Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

LoadLibraryShim.MSCOREE(?,?,?,?), ref: 00AFB9A5

Memory Dump Source

Source File: 00000000.00000002.240985131.0000000000AFA000.00000040.00000001.sdmp, Offset: 00AFA000, based on PE: false

Similarity

API ID: LibraryLoadShim
String ID:
API String ID: 1475914169-0
Opcode ID: e5c40febbd3c00cae0c4ed15cbe5403c36c12d77e09aa2ccd845dbc6742f4e33
Instruction ID: 2897fd18cd4491787ef1b6315b6598b218ba7e23374d6a2b069e57890ef443af
Opcode Fuzzy Hash: e5c40febbd3c00cae0c4ed15cbe5403c36c12d77e09aa2ccd845dbc6742f4e33
Instruction Fuzzy Hash: FF2193715093846FD7228B15DC84B62FFF8EF56314F08808AEE848B253D365E908C772

Uniqueness

Uniqueness Score: -1.00%

Function 04E51EA1, Relevance: 1.6, APIs: 1, Instructions: 62windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 04E51F15

Memory Dump Source

Source File: 00000000.00000002.245914621.0000000004E50000.00000040.00000001.sdmp, Offset: 04E50000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 7d2bcac45cb9fdafd19b1d9af73c3d754cefee554e74a47e162434b7dadead51
Instruction ID: 585d75111e6ad258e06730ccfa9f0e410298f4f019cd28d8d363540f8f64c7a3
Opcode Fuzzy Hash: 7d2bcac45cb9fdafd19b1d9af73c3d754cefee554e74a47e162434b7dadead51
Instruction Fuzzy Hash: F9218C7140A3C0AFDB238F25CC44A52FFB4EF07214F0984DAEE848F563D265A858DB62

Uniqueness

Uniqueness Score: -1.00%

Function 00AFA6AB, Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00AFA716

Memory Dump Source

Source File: 00000000.00000002.240985131.0000000000AFA000.00000040.00000001.sdmp, Offset: 00AFA000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 5800ed36a375121dc4f48323ec804e540d8c328d84aa61f8655c827c85442648
Instruction ID: 7a650180bca9d455d186a52e4dfe64b0e43b93a72e103296b40403c378b9db0f
Opcode Fuzzy Hash: 5800ed36a375121dc4f48323ec804e540d8c328d84aa61f8655c827c85442648
Instruction Fuzzy Hash: 1311B771405384AFDB228F54DC44E62FFF4EF46310F08C4DAEE858B562D275A818DB61

Uniqueness

Uniqueness Score: -1.00%

Function 04E50DBE, Relevance: 1.6, APIs: 1, Instructions: 60fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,00000E2C,BA9DA4F2,00000000,00000000,00000000,00000000), ref: 04E50E1D

Memory Dump Source

Source File: 00000000.00000002.245914621.0000000004E50000.00000040.00000001.sdmp, Offset: 04E50000, based on PE: false

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: a7a00025e1d34d2839d07bb3e5fe64b4d55572e5d5c15288a5ca56de2cc04526
Instruction ID: ba61012459cbf1c59060414f5b5143956484571347b4826ad11c2c6930f7c25a
Opcode Fuzzy Hash: a7a00025e1d34d2839d07bb3e5fe64b4d55572e5d5c15288a5ca56de2cc04526
Instruction Fuzzy Hash: 00119D71500204EFEB218F55DC44FAAFFA8EF44720F14846BEE499B261D674A4088B72

Uniqueness

Uniqueness Score: -1.00%

Function 04E519A7, Relevance: 1.6, APIs: 1, Instructions: 58COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 04E51A0C

Memory Dump Source

Source File: 00000000.00000002.245914621.0000000004E50000.00000040.00000001.sdmp, Offset: 04E50000, based on PE: false

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: a8ea6eba7137292953bcbdb8b0959f6952abdc2a2983b33e7793518a8056a2de
Instruction ID: bd47043ad6e0bba3aff33bf7726de507c4f80bd0a46650a9a3035d76ad6cfef4
Opcode Fuzzy Hash: a8ea6eba7137292953bcbdb8b0959f6952abdc2a2983b33e7793518a8056a2de
Instruction Fuzzy Hash: D211D376409780AFDB228F25DC40A52FFB4EF06220F08C19EEE858B563C275A458DB61

Uniqueness

Uniqueness Score: -1.00%

Function 04E5218F, Relevance: 1.6, APIs: 1, Instructions: 56windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 04E521F9

Memory Dump Source

Source File: 00000000.00000002.245914621.0000000004E50000.00000040.00000001.sdmp, Offset: 04E50000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 52b8944c3fe1f29c30306925b0978630a6f6c345cc87b52410d251c0c0da00f6
Instruction ID: c65aafaac1c8446a482f9cc2f6f2efb777b412f1ae9bf876d01f6a1eda4fb725
Opcode Fuzzy Hash: 52b8944c3fe1f29c30306925b0978630a6f6c345cc87b52410d251c0c0da00f6
Instruction Fuzzy Hash: 5E11BE75409380AFDB228F15EC45B52FFB4EF06224F08C4DEEE854B563C276A858DB61

Uniqueness

Uniqueness Score: -1.00%

Function 04E51900, Relevance: 1.6, APIs: 1, Instructions: 55threadinjectionCOMMON

Download Yara Rule

APIs

SetThreadContext.KERNELBASE(?,?), ref: 04E5195F

Memory Dump Source

Source File: 00000000.00000002.245914621.0000000004E50000.00000040.00000001.sdmp, Offset: 04E50000, based on PE: false

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: 6007ba116a63be1930aca17e43f932282d20f4eb26c5ddef0e4804f3aeeccc86
Instruction ID: 014742e2e3b341515920c6232cd6a02fc440b80383cbfb2c20e24b7953d1a050
Opcode Fuzzy Hash: 6007ba116a63be1930aca17e43f932282d20f4eb26c5ddef0e4804f3aeeccc86
Instruction Fuzzy Hash: 911191755053849FD711CF15DC85F52FFF8EF06220F0980AAED858B262D275E948CB61

Uniqueness

Uniqueness Score: -1.00%

Function 04E51B3E, Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 04E51B86

Memory Dump Source

Source File: 00000000.00000002.245914621.0000000004E50000.00000040.00000001.sdmp, Offset: 04E50000, based on PE: false

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: ac72ad9dd03df921ea679e9ebad85221cd5ef6d310e0b9449f605b68eb245c1c
Instruction ID: ecd557e1f9ab5b41ca8515217c2a1de4c6f857ab881ffff2bb1f8b65af866715
Opcode Fuzzy Hash: ac72ad9dd03df921ea679e9ebad85221cd5ef6d310e0b9449f605b68eb245c1c
Instruction Fuzzy Hash: 0C118E71A00200DFDB50CF29D885756FFD8EF04324F18D4AADE49CB661E670E844CA61

Uniqueness

Uniqueness Score: -1.00%

Function 04E50C2E, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E2C,BA9DA4F2,00000000,00000000,00000000,00000000), ref: 04E50C81

Memory Dump Source

Source File: 00000000.00000002.245914621.0000000004E50000.00000040.00000001.sdmp, Offset: 04E50000, based on PE: false

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 974f3c4dfe4a5f698e362cb62ab64881159e4ca0f45432197729422ec1b785e3
Instruction ID: 7593a15bd74bf41755906adeaeb69baf20aa41953689ab41ff5ecc5199ec3b0d
Opcode Fuzzy Hash: 974f3c4dfe4a5f698e362cb62ab64881159e4ca0f45432197729422ec1b785e3
Instruction Fuzzy Hash: 6E01D271501604AEE720CF29DC85FA6FFA8DF46720F14C09BEE459B251D6B4B4488AB2

Uniqueness

Uniqueness Score: -1.00%

Function 00AFAFA0, Relevance: 1.6, APIs: 1, Instructions: 50memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 00AFB000

Memory Dump Source

Source File: 00000000.00000002.240985131.0000000000AFA000.00000040.00000001.sdmp, Offset: 00AFA000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 75b0ef999ee04927270283fbd26f1bccb08e38b4f619042b9fb466cdc19bd442
Instruction ID: 7ff39bedb53717410e55fa7c8cfb01562c31899cec2c66fb865ffd7959d3ac23
Opcode Fuzzy Hash: 75b0ef999ee04927270283fbd26f1bccb08e38b4f619042b9fb466cdc19bd442
Instruction Fuzzy Hash: A2118C32405784AFDB228F55DC44A62FFF4EF46320F08C49AEE854B662C375A858DB62

Uniqueness

Uniqueness Score: -1.00%

Function 00AFAB9C, Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32 ref: 00AFABF6

Memory Dump Source

Source File: 00000000.00000002.240985131.0000000000AFA000.00000040.00000001.sdmp, Offset: 00AFA000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: e0f1a701509f5fbfbf1468212e383252037aad63bdb0b849c7548db529cd9968
Instruction ID: f560c3d1b9cc0e7458437361557979fd2e7c17a2524881daa5a658008fb6c17d
Opcode Fuzzy Hash: e0f1a701509f5fbfbf1468212e383252037aad63bdb0b849c7548db529cd9968
Instruction Fuzzy Hash: A011AC71409784AFC7218F55DC84A52FFF4EF06320F08C49AEE8A4B262C275A858CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00AFA4DA, Relevance: 1.5, APIs: 1, Instructions: 48threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE(?), ref: 00AFA530

Memory Dump Source

Source File: 00000000.00000002.240985131.0000000000AFA000.00000040.00000001.sdmp, Offset: 00AFA000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 1f59a6917636167e0af4178fef7d01ce65b47c9b777705b3728aad7027f18ba6
Instruction ID: 077c1f1749b7af3f53789a062643be01f77027daec3d8e1332e93ffe8d9c7dfb
Opcode Fuzzy Hash: 1f59a6917636167e0af4178fef7d01ce65b47c9b777705b3728aad7027f18ba6
Instruction Fuzzy Hash: 1A01C471409384AFD712CB15DC44B62FFB4DF46324F08C0DAEE885B252C275A808DB72

Uniqueness

Uniqueness Score: -1.00%

Function 04E517D2, Relevance: 1.5, APIs: 1, Instructions: 47fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(?), ref: 04E5180C

Memory Dump Source

Source File: 00000000.00000002.245914621.0000000004E50000.00000040.00000001.sdmp, Offset: 04E50000, based on PE: false

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 431c5f79e3625be8207dee0f31770ec6a96fa3c72fdc19f1f0dd0d46ac4230e6
Instruction ID: 227a948d86e1df5e7070d323a1d23a6f8be30576c700862300f7f2484fd4a55d
Opcode Fuzzy Hash: 431c5f79e3625be8207dee0f31770ec6a96fa3c72fdc19f1f0dd0d46ac4230e6
Instruction Fuzzy Hash: A601D871A002409FDB20CF29D884756FFD8DF40324F18D4AADD49CF651D6B4E444CB62

Uniqueness

Uniqueness Score: -1.00%

Function 04E51A82, Relevance: 1.5, APIs: 1, Instructions: 47injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 04E51AC8

Memory Dump Source

Source File: 00000000.00000002.245914621.0000000004E50000.00000040.00000001.sdmp, Offset: 04E50000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 0fccc91579e9a5a0d685011368efb39efcbc03b692647dd5b3797c8973c74a19
Instruction ID: a386061bc5a21ea77eeb31d8cf7628ede75161b4c9816cb2d5c0d9a3f69b2786
Opcode Fuzzy Hash: 0fccc91579e9a5a0d685011368efb39efcbc03b692647dd5b3797c8973c74a19
Instruction Fuzzy Hash: 060161356006409FDB218F59D884B66FFE4EF04314F08D16ADE858B662D6B1E458DB61

Uniqueness

Uniqueness Score: -1.00%

Function 00AFB95A, Relevance: 1.5, APIs: 1, Instructions: 46libraryCOMMON

Download Yara Rule

APIs

LoadLibraryShim.MSCOREE(?,?,?,?), ref: 00AFB9A5

Memory Dump Source

Source File: 00000000.00000002.240985131.0000000000AFA000.00000040.00000001.sdmp, Offset: 00AFA000, based on PE: false

Similarity

API ID: LibraryLoadShim
String ID:
API String ID: 1475914169-0
Opcode ID: 6bc91e6fdbf5b664bb0170cf0e46cd841325b92450dc58a92bac76a5b1af675e
Instruction ID: 5d52122291ba0d82746a0539e702459195b6956b09b61220d225d4248fd2dd32
Opcode Fuzzy Hash: 6bc91e6fdbf5b664bb0170cf0e46cd841325b92450dc58a92bac76a5b1af675e
Instruction Fuzzy Hash: 850157715006049FDB60DF59D884B26FFE8EB04720F18C49AEF898B612D3A1E848DA72

Uniqueness

Uniqueness Score: -1.00%

Function 00AFA6D2, Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00AFA716

Memory Dump Source

Source File: 00000000.00000002.240985131.0000000000AFA000.00000040.00000001.sdmp, Offset: 00AFA000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: cb631bd62ac81ee7e2f182dd6a06ac5ec37dd77a4b169aef86f173ecfb15cd20
Instruction ID: 3e35281e5a71f8f6e1aaac853d999490d014fef564b5392d3d8d69ea7037efe4
Opcode Fuzzy Hash: cb631bd62ac81ee7e2f182dd6a06ac5ec37dd77a4b169aef86f173ecfb15cd20
Instruction Fuzzy Hash: 7E01C071400744EFDB219F95D844B66FFF4EF58320F18C9AAEE498B621D271A818DF62

Uniqueness

Uniqueness Score: -1.00%

Function 04E51922, Relevance: 1.5, APIs: 1, Instructions: 44threadinjectionCOMMON

Download Yara Rule

APIs

SetThreadContext.KERNELBASE(?,?), ref: 04E5195F

Memory Dump Source

Source File: 00000000.00000002.245914621.0000000004E50000.00000040.00000001.sdmp, Offset: 04E50000, based on PE: false

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: a5c382e3cf53141146a2a6c269301ecdbc4fee472ac33788b9b73d92d8b638cf
Instruction ID: 220232f830f67569284956f4c931954777671e403cf1208621fcc018b955ac60
Opcode Fuzzy Hash: a5c382e3cf53141146a2a6c269301ecdbc4fee472ac33788b9b73d92d8b638cf
Instruction Fuzzy Hash: 54018435A006459FDB10CF19D885B66FFE4EF04320F08D0AADD458B665E6B5E848DF61

Uniqueness

Uniqueness Score: -1.00%

Function 04E519CE, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 04E51A0C

Memory Dump Source

Source File: 00000000.00000002.245914621.0000000004E50000.00000040.00000001.sdmp, Offset: 04E50000, based on PE: false

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 6328799152ee28cc25af4ddba8744ce3b27b9bb3433f785fdd86d7fe9bd8a428
Instruction ID: e3d8f0f3c26674acdd75033b8e5cf33e7ffe3a6125ec9ec4562c7f12a9cfeeec
Opcode Fuzzy Hash: 6328799152ee28cc25af4ddba8744ce3b27b9bb3433f785fdd86d7fe9bd8a428
Instruction Fuzzy Hash: 3201B131900600DFDB218F15D884B66FFA0EF04320F08D59EDE898B622D2B1E458DF62

Uniqueness

Uniqueness Score: -1.00%

Function 00AFA3A6, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

SetConsoleCtrlHandler.KERNELBASE(?,00000E2C,?,?), ref: 00AFA3F6

Memory Dump Source

Source File: 00000000.00000002.240985131.0000000000AFA000.00000040.00000001.sdmp, Offset: 00AFA000, based on PE: false

Similarity

API ID: ConsoleCtrlHandler
String ID:
API String ID: 1513847179-0
Opcode ID: c6e5404408636345222b2712137c74b757160aa548a36bc9354d56b0c582446e
Instruction ID: ed5f3c9c05df1ab6bd76737ae6124cf5277cf67fc28a62b92f7d472ed3a63078
Opcode Fuzzy Hash: c6e5404408636345222b2712137c74b757160aa548a36bc9354d56b0c582446e
Instruction Fuzzy Hash: 6E01A271500600ABD210DF16DC86F26FBA8FBC8B20F14815AED084BB41E371F955CBE6

Uniqueness

Uniqueness Score: -1.00%

Function 04E521BE, Relevance: 1.5, APIs: 1, Instructions: 42windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 04E521F9

Memory Dump Source

Source File: 00000000.00000002.245914621.0000000004E50000.00000040.00000001.sdmp, Offset: 04E50000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 78d3f4e9d6fb472cc91f7aa560b04b403344963bf9e5cec887e0d5bde7f7c345
Instruction ID: a2462895debe99cda41ad1bf13012f8fdb9fa03934b44dcf71dbb269b74512fe
Opcode Fuzzy Hash: 78d3f4e9d6fb472cc91f7aa560b04b403344963bf9e5cec887e0d5bde7f7c345
Instruction Fuzzy Hash: 4601D439500640DFDB218F55E844B66FFA0EF04320F08D59EDE454BA21D271E458DF62

Uniqueness

Uniqueness Score: -1.00%

Function 00AFA23A, Relevance: 1.5, APIs: 1, Instructions: 42memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 00AFA275

Memory Dump Source

Source File: 00000000.00000002.240985131.0000000000AFA000.00000040.00000001.sdmp, Offset: 00AFA000, based on PE: false

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 82e29a14562e1a553a50973644bff1935b6c433e3ade6c71e3f64956c59fdd0f
Instruction ID: f012bb073c0938d768e407b56d331abe81c6ee56fc29e5bf92d59c349ded6ea3
Opcode Fuzzy Hash: 82e29a14562e1a553a50973644bff1935b6c433e3ade6c71e3f64956c59fdd0f
Instruction Fuzzy Hash: 1101D475600604DFDB208F59D8847A6FFA0EF54320F18C09AEE494B621D2B6E858DF72

Uniqueness

Uniqueness Score: -1.00%

Function 00AFAFC2, Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 00AFB000

Memory Dump Source

Source File: 00000000.00000002.240985131.0000000000AFA000.00000040.00000001.sdmp, Offset: 00AFA000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 5c585a29d8eb5907cbe4f487c294accfa1bc882f31853d13f004c9d26d37fe80
Instruction ID: 75a98ed2970324fa3052f534f27e08e4a19fa0abc5dd40751cf95291b5901d37
Opcode Fuzzy Hash: 5c585a29d8eb5907cbe4f487c294accfa1bc882f31853d13f004c9d26d37fe80
Instruction Fuzzy Hash: E0018F31400604DFDB208F55D844B66FFB0EF18320F18C59AEE490B622C7B6A458DF72

Uniqueness

Uniqueness Score: -1.00%

Function 04E51EDA, Relevance: 1.5, APIs: 1, Instructions: 38windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 04E51F15

Memory Dump Source

Source File: 00000000.00000002.245914621.0000000004E50000.00000040.00000001.sdmp, Offset: 04E50000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: c62022276d31190df96e2c4b23d0a0df809aa67f36bf384704f2b7edd8d869f3
Instruction ID: 99ad50d9eaab5f300bcfb6653cec6dd5b21d7e145b94ba4845ac5d42ab896ac3
Opcode Fuzzy Hash: c62022276d31190df96e2c4b23d0a0df809aa67f36bf384704f2b7edd8d869f3
Instruction Fuzzy Hash: 87018B31900640DFDB208F15D884B66FFA0EF08320F08D09ADE494B622D3B5A458DB72

Uniqueness

Uniqueness Score: -1.00%

Function 00AFABBE, Relevance: 1.5, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32 ref: 00AFABF6

Memory Dump Source

Source File: 00000000.00000002.240985131.0000000000AFA000.00000040.00000001.sdmp, Offset: 00AFA000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 4258e357ae67ed64c8d66f413d30141962dfbe11e1889aa3f4b7afb22a45e41f
Instruction ID: 7c7c1e9fc4d2c8f41502b93cf492f59f4e42535c173d62c229a0205f91727c82
Opcode Fuzzy Hash: 4258e357ae67ed64c8d66f413d30141962dfbe11e1889aa3f4b7afb22a45e41f
Instruction Fuzzy Hash: B201D171500608DFDB208F85D884762FFE0EF14320F18C49AEE4A4B622C2B5A859DF73

Uniqueness

Uniqueness Score: -1.00%

Function 00AFA4FE, Relevance: 1.5, APIs: 1, Instructions: 35threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE(?), ref: 00AFA530

Memory Dump Source

Source File: 00000000.00000002.240985131.0000000000AFA000.00000040.00000001.sdmp, Offset: 00AFA000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: e6c2aaea232d0c0d9c35e5a8f39fab5bd3f613da47f220c3b6add3fed55e4334
Instruction ID: 00a71357a6586927e46e2c8c8b1a431c7d51d576b46b7a693652abdd207f5877
Opcode Fuzzy Hash: e6c2aaea232d0c0d9c35e5a8f39fab5bd3f613da47f220c3b6add3fed55e4334
Instruction Fuzzy Hash: 18F0AF75804648DFDB10CF59D8887A2FFA0EF54320F18C09AEF4D4B612D2B5A848DAA2

Uniqueness

Uniqueness Score: -1.00%

Function 06F8DC10, Relevance: 1.4, Strings: 1, Instructions: 142COMMON

Download Yara Rule

Strings

X1ar, xrefs: 06F8DD4F

Memory Dump Source

Source File: 00000000.00000002.254355063.0000000006F80000.00000040.00000001.sdmp, Offset: 06F80000, based on PE: false

Similarity

API ID:
String ID: X1ar
API String ID: 0-3367582976
Opcode ID: 32b831edaf1e055aa3a32b305c39fa48a01c9fd983df54dd9c3a486e75a66ba9
Instruction ID: b6ad43f905adb7b159883fb7dc44eb22f774cd161b02c6b43c02a793ffdce153
Opcode Fuzzy Hash: 32b831edaf1e055aa3a32b305c39fa48a01c9fd983df54dd9c3a486e75a66ba9
Instruction Fuzzy Hash: 995107B4E01208DFDB48EFA6D5886ADBBB2FF89301F108069D919A7385D7745D46CF50

Uniqueness

Uniqueness Score: -1.00%

Function 06811867, Relevance: 1.3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

Strings

JCr^, xrefs: 068118E6, 068118EB

Memory Dump Source

Source File: 00000000.00000002.253556230.0000000006810000.00000040.00000001.sdmp, Offset: 06810000, based on PE: false

Similarity

API ID:
String ID: JCr^
API String ID: 0-516007180
Opcode ID: afb1b03c26c6168ea4e6bb3f0cf1865ef4cb55243da00cf68f49c273c389e4cb
Instruction ID: 297848e0319323f53b532ff72a96ae876922e0079501cad4848f71c1f1e6e135
Opcode Fuzzy Hash: afb1b03c26c6168ea4e6bb3f0cf1865ef4cb55243da00cf68f49c273c389e4cb
Instruction Fuzzy Hash: 7631ABB4D0030A8FCB80DFA5C840AADBBF5FF89220B208559E594AB395EB355D46CB50

Uniqueness

Uniqueness Score: -1.00%

Function 068118B8, Relevance: 1.3, Strings: 1, Instructions: 54COMMON

Download Yara Rule

Strings

JCr^, xrefs: 068118E6, 068118EB

Memory Dump Source

Source File: 00000000.00000002.253556230.0000000006810000.00000040.00000001.sdmp, Offset: 06810000, based on PE: false

Similarity

API ID:
String ID: JCr^
API String ID: 0-516007180
Opcode ID: 0e06846bcf0b972b1adc018c67643442ce5e346d0487246dea8279c5162cfc50
Instruction ID: d01a6f74d3b5d5c6232956f44d0e8b6cdfe3dd2d6c1c79bfcf99d46b3dd9fe53
Opcode Fuzzy Hash: 0e06846bcf0b972b1adc018c67643442ce5e346d0487246dea8279c5162cfc50
Instruction Fuzzy Hash: 1521F774E002099FDB44EFB9D885AADBBF5FF88310B108569D805A7354DB356D02CF80

Uniqueness

Uniqueness Score: -1.00%

Function 01007600, Relevance: .5, Instructions: 485COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.241321999.0000000001000000.00000040.00000001.sdmp, Offset: 01000000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06689ba27c9437ef16f0260cbb3b9a63b8cea1b46c49e66f36c3193304d91386
Instruction ID: 8619a921713b7a31a0f6fea36ce0fa2bd37da9712ce33c4777b629771f8c835f
Opcode Fuzzy Hash: 06689ba27c9437ef16f0260cbb3b9a63b8cea1b46c49e66f36c3193304d91386
Instruction Fuzzy Hash: CC327274A00228CFDB54DFA8C984F9DBBB2BB89301F1085EAE509A7355DB70AD85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 01007608, Relevance: .5, Instructions: 483COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.241321999.0000000001000000.00000040.00000001.sdmp, Offset: 01000000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c683cfbcbe45ad36f825bfdd4ca248a60633e47b725973cfb7a8f01e87a1c901
Instruction ID: 53d48e902fae444301aa9753951f12e8b0cddc8982957774bb43aadfba5c1ffa
Opcode Fuzzy Hash: c683cfbcbe45ad36f825bfdd4ca248a60633e47b725973cfb7a8f01e87a1c901
Instruction Fuzzy Hash: 41327274A00228CFDB54DFA8C984F9DBBB2BB89301F1085E9E509AB355DB70AD85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 068132CB, Relevance: .3, Instructions: 278COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.253556230.0000000006810000.00000040.00000001.sdmp, Offset: 06810000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3feb55419eef89a9bc435bf26210bc92bbbfa04c569eca1edb946255f15834e
Instruction ID: 4cf41e3674e35132e64528ef900917aa3f74b0e9cd1dd39b2360cdbc2ea42d02
Opcode Fuzzy Hash: d3feb55419eef89a9bc435bf26210bc92bbbfa04c569eca1edb946255f15834e
Instruction Fuzzy Hash: 26C12FB0811248CFEB80DF99C488BADBBB9FB15319F559055D419AF29AC7B4EC84CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0681331D, Relevance: .3, Instructions: 274COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.253556230.0000000006810000.00000040.00000001.sdmp, Offset: 06810000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14adec177336abc93ad7f6cf9deaa285004e009a3d0d218365e637782244290b
Instruction ID: 5ac83fa1a8f58210dbddb792c51bc19aa14e25cb877c9b502b063920ec64d5a4
Opcode Fuzzy Hash: 14adec177336abc93ad7f6cf9deaa285004e009a3d0d218365e637782244290b
Instruction Fuzzy Hash: E9C130B0800248CFEB40DF59C488BADBBBAFB15358F559095D415AF29AC7B5EC84CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0681334C, Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.253556230.0000000006810000.00000040.00000001.sdmp, Offset: 06810000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f9d46e5182be21ede80089ff3b2de6189fd6b7b4cdd50b3c64fa9a2ae9dd3e7
Instruction ID: bcee1526a0b88545f78fbfa10e63afe32dc5d7a976ff0c16a2633bac397e10a7
Opcode Fuzzy Hash: 4f9d46e5182be21ede80089ff3b2de6189fd6b7b4cdd50b3c64fa9a2ae9dd3e7
Instruction Fuzzy Hash: 6DC12FB0810248CFEB40DF99C488BADBBBAFB14358F559055D415AF69AC7B5EC84CF90

Uniqueness

Uniqueness Score: -1.00%

Function 068103AD, Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.253556230.0000000006810000.00000040.00000001.sdmp, Offset: 06810000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd2cd06569a9889ff2bd4c01067e981a022975baee046d19ba37cf976e228186
Instruction ID: bf24aebea5ba82760564f8710fad1eaa9fe4a53dbee206be8c72694739f382d8
Opcode Fuzzy Hash: bd2cd06569a9889ff2bd4c01067e981a022975baee046d19ba37cf976e228186
Instruction Fuzzy Hash: 7A912270D05258CFDB80DFA4C984AEDFBB5FF49308F20925AE419BB241DB789981CB51

Uniqueness

Uniqueness Score: -1.00%

Function 068106F1, Relevance: .2, Instructions: 215COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.253556230.0000000006810000.00000040.00000001.sdmp, Offset: 06810000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 616677e71ec2a9cdb8a1570a873388e9747d0a01959ce1f876e52d9f1bb06c19
Instruction ID: 4537e96bf9053ef65c9e67b20aec787eeaef10f9376399498373c27e42127c20
Opcode Fuzzy Hash: 616677e71ec2a9cdb8a1570a873388e9747d0a01959ce1f876e52d9f1bb06c19
Instruction Fuzzy Hash: B791DF74D0521CCFEBA0DFA8DC55BADBBB9BB49304F2081A9D209EB285DB745981CF41

Uniqueness

Uniqueness Score: -1.00%

Function 06812AE8, Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.253556230.0000000006810000.00000040.00000001.sdmp, Offset: 06810000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0a0c9b64cf35b294c1736b714fb5a82769d8a69808cf8d3b577dec9d241006d
Instruction ID: 8f28e48eba06d67213695588e5c317deec41135843e16629bdff745492e7250f
Opcode Fuzzy Hash: f0a0c9b64cf35b294c1736b714fb5a82769d8a69808cf8d3b577dec9d241006d
Instruction Fuzzy Hash: 2D5114B0D0A20DDFEB84CF99D465BEDBBB9AB49308F109169D505EB251D7348AC5CF80

Uniqueness

Uniqueness Score: -1.00%

Function 0100D4F8, Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.241321999.0000000001000000.00000040.00000001.sdmp, Offset: 01000000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 271f64065987cee5581b657bdb1189548d5a5a3706b3578d5513983425d93432
Instruction ID: f60e7a35189c2161a0c57f8479720bc34d4673698f1ad6a2f0117b4086d2e5ec
Opcode Fuzzy Hash: 271f64065987cee5581b657bdb1189548d5a5a3706b3578d5513983425d93432
Instruction Fuzzy Hash: 3E51B375E00209DFCB04DFE4D858AEEBBB2EF89301F108169D51ABB2A5DB356946CF50

Uniqueness

Uniqueness Score: -1.00%

Function 06814242, Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.253556230.0000000006810000.00000040.00000001.sdmp, Offset: 06810000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58103e56e8178779ac42c80465405f2a8394880d74e700387fab81be8830ad5e
Instruction ID: 2e32fd1a9657cad44bbc04fed1105528490fa5ebc982fcb7cf1995bfa6728c0b
Opcode Fuzzy Hash: 58103e56e8178779ac42c80465405f2a8394880d74e700387fab81be8830ad5e
Instruction Fuzzy Hash: D841EF74D05219DFEB40CF98D881AEDF7FABB4D308F219551E81AEB201D730A986CB94

Uniqueness

Uniqueness Score: -1.00%

Function 068159B8, Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.253556230.0000000006810000.00000040.00000001.sdmp, Offset: 06810000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cdf8fd95b682dabe61b7609398cf0e14f5d9c4eefa06f760efece170c3c4024
Instruction ID: c9da870f2719709088b6ad940e53188cd8c4c28117c81cef0e0362cf9b7a8572
Opcode Fuzzy Hash: 7cdf8fd95b682dabe61b7609398cf0e14f5d9c4eefa06f760efece170c3c4024
Instruction Fuzzy Hash: 7241E8B4D04208DFDB44DFA9D580AADBBB6FF88304F208169D505AB354DB36AE41CF91

Uniqueness

Uniqueness Score: -1.00%

Function 06812B34, Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.253556230.0000000006810000.00000040.00000001.sdmp, Offset: 06810000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e07d168c914c18deb3fcfa96a3175e48c5d72d534bf9e1b7761be5537186c8e
Instruction ID: 959bf7da28b1b83ffec11420323e20f9944cc504616a803459232e4973ed2e3f
Opcode Fuzzy Hash: 7e07d168c914c18deb3fcfa96a3175e48c5d72d534bf9e1b7761be5537186c8e
Instruction Fuzzy Hash: 87411474D09248DFDB81CFA8D495BECBBB9AF0A314F14909AE505EB252C7789A85CF40

Uniqueness

Uniqueness Score: -1.00%

Function 06F8F2E0, Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254355063.0000000006F80000.00000040.00000001.sdmp, Offset: 06F80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49f0424ad4f7b6a28ccff94b55bfaa794b7929a524989e2f3e116d40572b069e
Instruction ID: 80b0cf3beabfc0e87c674babf9586a27d789bc3e9b25faf9e66d99cb3a098f97
Opcode Fuzzy Hash: 49f0424ad4f7b6a28ccff94b55bfaa794b7929a524989e2f3e116d40572b069e
Instruction Fuzzy Hash: AD410674D06208DFDB44EFA9E545AAEBBB2FB89341F2080A9E515B7344C7349D41CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 06814A0E, Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.253556230.0000000006810000.00000040.00000001.sdmp, Offset: 06810000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8239b138c4562e4cdaf50ded58bb11e27d2398b27afa2d2cc9dd725cf70231ba
Instruction ID: e1f615055a919e54ea1179d8609309518dff1880e40024f202288e7dd2d33194
Opcode Fuzzy Hash: 8239b138c4562e4cdaf50ded58bb11e27d2398b27afa2d2cc9dd725cf70231ba
Instruction Fuzzy Hash: 2A31C2B8E04208CFDB84CF99D4809ADBBF9FB49315F119165E919EB352D734A942CF90

Uniqueness

Uniqueness Score: -1.00%

Function 01007E90, Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.241321999.0000000001000000.00000040.00000001.sdmp, Offset: 01000000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dccc1f62e10358395c36d71e7a58edac458738d7b3cbced3ed2ee2456816e9f7
Instruction ID: cfad4f663e1d4ee469ee83fc7ed191fc8f4d148d95261fb3153260fc3912ef8c
Opcode Fuzzy Hash: dccc1f62e10358395c36d71e7a58edac458738d7b3cbced3ed2ee2456816e9f7
Instruction Fuzzy Hash: 7421F874E052188BEF15DFA5C8445EEBBB2FF89300F0084AAD949B3350DB39AA50DF51

Uniqueness

Uniqueness Score: -1.00%

Function 06814071, Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.253556230.0000000006810000.00000040.00000001.sdmp, Offset: 06810000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5e124a7dfc100ea493b56cc002873d34ddcdb89ab8863ffc3d9af7107f48af0
Instruction ID: 085e98fce023097691934675ea0d935c307025afe2c9474cfd6d976707801801
Opcode Fuzzy Hash: e5e124a7dfc100ea493b56cc002873d34ddcdb89ab8863ffc3d9af7107f48af0
Instruction Fuzzy Hash: 7821BF70D0434ADFCB41DFA8C8405CEBBB4FF86314B2046AED580AB242E7356A46DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 01000014, Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.241321999.0000000001000000.00000040.00000001.sdmp, Offset: 01000000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2f40671f4f9512a34f1c9b1ac91b049ee5624496e50e5ab8ac18ff3750031f8
Instruction ID: 63550ca58cc6ac0b4c9d239f008a072d90627efa932993e33ba3193a87c6b6a8
Opcode Fuzzy Hash: a2f40671f4f9512a34f1c9b1ac91b049ee5624496e50e5ab8ac18ff3750031f8
Instruction Fuzzy Hash: CB21123490E3C49FD703CB708D652587FB1AF17244F2A81DBD480DB1A7D6295A0AD722

Uniqueness

Uniqueness Score: -1.00%

Function 01007E8B, Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.241321999.0000000001000000.00000040.00000001.sdmp, Offset: 01000000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06839e3af451bf173585bcf8eb0686f71afd4ea8e4f0248194bbabf43ea780e6
Instruction ID: 766fb502887dda87fe16fc81e90e1bec985e982936c8ddfc7ceb4094ff925e03
Opcode Fuzzy Hash: 06839e3af451bf173585bcf8eb0686f71afd4ea8e4f0248194bbabf43ea780e6
Instruction Fuzzy Hash: B121EA74E052188BEB15DFA5C8446EEBBB2FF89700F0084AAD945B3350DB39AE51DF51

Uniqueness

Uniqueness Score: -1.00%

Function 01001540, Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.241321999.0000000001000000.00000040.00000001.sdmp, Offset: 01000000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd64e9deae25b490e5ce350664ea41d61dd9c7d476dd48c714a7e9a6cce0b510
Instruction ID: cdd9d56bc8034835da66a748500ab01833ae267028cffe5d3058fd6bf88279e7
Opcode Fuzzy Hash: cd64e9deae25b490e5ce350664ea41d61dd9c7d476dd48c714a7e9a6cce0b510
Instruction Fuzzy Hash: A921A5B4E00209DFDB49CF99C9809AEBBF5FF88301F14806AD815A7354D735AA41CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0100162B, Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.241321999.0000000001000000.00000040.00000001.sdmp, Offset: 01000000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e9a8026446655ed77d7c324b045d287c94cffe3ce2cb351ac6b1acb936e1ce7
Instruction ID: e40dc603350d1b527e6939462c1d4c054bf450b1e60be7fb576b4cc0aaa0834a
Opcode Fuzzy Hash: 6e9a8026446655ed77d7c324b045d287c94cffe3ce2cb351ac6b1acb936e1ce7
Instruction Fuzzy Hash: C8210570E04209DFDB48CF99C9849AEBBF2FF89300F2585AAD504AB254D734AA018F51

Uniqueness

Uniqueness Score: -1.00%

Function 0100153B, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.241321999.0000000001000000.00000040.00000001.sdmp, Offset: 01000000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2941b553a152c8af24f145a077f05b1b9b7a4a9ae896dc58da1021796e9ffb5e
Instruction ID: 5a444f2d86d53eccfd7d78a7b9b1b61f9a7bb55342f6355931ce9c0f433afe67
Opcode Fuzzy Hash: 2941b553a152c8af24f145a077f05b1b9b7a4a9ae896dc58da1021796e9ffb5e
Instruction Fuzzy Hash: 7321F5B4E04209DFDB49CFA9C5809AEBBF1FF88300F1481AAD815A7764D7349A41CF50

Uniqueness

Uniqueness Score: -1.00%

Function 01020726, Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.241353861.0000000001020000.00000040.00000040.sdmp, Offset: 01020000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93c086bbc43754163155d4701ef482f4a70ba3db8cb7946a215c4768afefac6e
Instruction ID: bcaa44b6a84f2eb93cd7aab0710d869245cd72cd2060984bf1be5ad66b16ed64
Opcode Fuzzy Hash: 93c086bbc43754163155d4701ef482f4a70ba3db8cb7946a215c4768afefac6e
Instruction Fuzzy Hash: 98216D355097C49FC7078B24C950B15BFB1AF47704F2A86EAE8C48B6A3C33A9806CB52

Uniqueness

Uniqueness Score: -1.00%

Function 0102075C, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.241353861.0000000001020000.00000040.00000040.sdmp, Offset: 01020000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96463ae4f8673a458a4f9cc4941f6a9352c8d9dd9f17b957e72798dc3835fd22
Instruction ID: 561f03abc6c846f9b043b60a8d0bd1518db46d23db5cf226ca25a7d938cc8348
Opcode Fuzzy Hash: 96463ae4f8673a458a4f9cc4941f6a9352c8d9dd9f17b957e72798dc3835fd22
Instruction Fuzzy Hash: 88119034604744EFD715CB24C984B26BBD5AB88708F24C59DE9891B657C777D803CA51

Uniqueness

Uniqueness Score: -1.00%

Function 0100749F, Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.241321999.0000000001000000.00000040.00000001.sdmp, Offset: 01000000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0fc4015c32e3bd69137212a048e1db075b49aef29da04e6d4f485570f85a6a50
Instruction ID: fb9cef9a8c128c6b768f9b5e141160ce2ebec4886f320373669bbe7763be5673
Opcode Fuzzy Hash: 0fc4015c32e3bd69137212a048e1db075b49aef29da04e6d4f485570f85a6a50
Instruction Fuzzy Hash: EA11E270D0A348EFD705DFA0D54515EBFB0EF86300F2194EAC586A72A1DB38AA00CB55

Uniqueness

Uniqueness Score: -1.00%

Function 010074B0, Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.241321999.0000000001000000.00000040.00000001.sdmp, Offset: 01000000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 540ed587ad851bc034021f7141513c96ef5ce21f31c3a8f08f2ae8b56c0cb6c4
Instruction ID: 31df0063344ef3763d96e90d6e583de66e469c099d3efbc06e95b8346f41c3e3
Opcode Fuzzy Hash: 540ed587ad851bc034021f7141513c96ef5ce21f31c3a8f08f2ae8b56c0cb6c4
Instruction Fuzzy Hash: 62112570C05208EFD718DFA4D5451ADBFB5EF86300F1194A9C586B7294DF38AB00CB45

Uniqueness

Uniqueness Score: -1.00%

Function 01003130, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.241321999.0000000001000000.00000040.00000001.sdmp, Offset: 01000000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e425917c20d10934a823b1669516e989a573ce5ea3acc212e434c6314d788332
Instruction ID: 6c0d66f2c54443720888c2f5455372833229bcdaa377c4a2fe333f28d7f44453
Opcode Fuzzy Hash: e425917c20d10934a823b1669516e989a573ce5ea3acc212e434c6314d788332
Instruction Fuzzy Hash: EF110774E01108EFEB05CFA9C959A9DFBF2FF89200F15C1AAD554AB2A1C7349A01DF40

Uniqueness

Uniqueness Score: -1.00%

Function 01003140, Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.241321999.0000000001000000.00000040.00000001.sdmp, Offset: 01000000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac7f15d4e978fcd0020aa59a3ea0d699d652c4d301c49211c820ee6418631b78
Instruction ID: d6ea398d1f4d9ce6cc6a50730b9cbb672f9f2718054d3de73c36add0f42ebf9c
Opcode Fuzzy Hash: ac7f15d4e978fcd0020aa59a3ea0d699d652c4d301c49211c820ee6418631b78
Instruction Fuzzy Hash: A611F874E00108EFDB05DFA9C949A9DFBF6FF88200F15C4A9D519AB3A5D7319A009B40

Uniqueness

Uniqueness Score: -1.00%

Function 01003079, Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.241321999.0000000001000000.00000040.00000001.sdmp, Offset: 01000000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1caf113ef6c48d23c55b62b0b7ce41c70b313d1414b13ac888db967c2ace972
Instruction ID: e4d1829cb65c275f2fa0d4469de8cb2eadd9849432923f017791df9bdc3052cb
Opcode Fuzzy Hash: c1caf113ef6c48d23c55b62b0b7ce41c70b313d1414b13ac888db967c2ace972
Instruction Fuzzy Hash: D4115870D05209DFEB06CFA9C8545AEFBB2FF89200F14C6AAD4549B265D7309A01CB80

Uniqueness

Uniqueness Score: -1.00%

Function 010205D0, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.241353861.0000000001020000.00000040.00000040.sdmp, Offset: 01020000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec48e08f60de62d7ca0f8a801ac83befeb3e2eddf311a02f94daacc41f819c18
Instruction ID: 679fd4f80026529dabb8b58ddfe60bf084a326fadf70c238e73232021905bb07
Opcode Fuzzy Hash: ec48e08f60de62d7ca0f8a801ac83befeb3e2eddf311a02f94daacc41f819c18
Instruction Fuzzy Hash: C801D6711497905FC702CB1AEC40853BFF8DF86230709C4ABED88CB622D275B959CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 06F8D8E8, Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254355063.0000000006F80000.00000040.00000001.sdmp, Offset: 06F80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ae9021092b129d9e60a72b77668235bf0ce858fad5f33e8fb0402dabbae2794
Instruction ID: a4b0172de9dd1a68e652f326bd1fb0a574a92ba4cc4ee5c6e215dfeb6c9eecb3
Opcode Fuzzy Hash: 1ae9021092b129d9e60a72b77668235bf0ce858fad5f33e8fb0402dabbae2794
Instruction Fuzzy Hash: CF016974D0520DEFDB48DFA4E914AAEBBB6EF89300F10D4A9D41467298D7309A50DF90

Uniqueness

Uniqueness Score: -1.00%

Function 0681ACB5, Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.253556230.0000000006810000.00000040.00000001.sdmp, Offset: 06810000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d048f628a361776c92a2eec633e20697ed5ae409b2ed13f12d9e589ae1764804
Instruction ID: 737c82aaf0ae97122d0e4c59106e779364d4066465485a50c458a2bdbb991438
Opcode Fuzzy Hash: d048f628a361776c92a2eec633e20697ed5ae409b2ed13f12d9e589ae1764804
Instruction Fuzzy Hash: 29F01C34D5FA0CCEEB988E11D5463BDB3BDAB4720FF003256980AEE555C3B44984C685

Uniqueness

Uniqueness Score: -1.00%

Function 068140D8, Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.253556230.0000000006810000.00000040.00000001.sdmp, Offset: 06810000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 697343a8f92d10f11f9405271042b8284bb4be324c76d8c6389c670c3ee1f139
Instruction ID: 017a95d722da0b854ba6752634783aa05fb16b8bff13a8f15ae35a1a247ffc68
Opcode Fuzzy Hash: 697343a8f92d10f11f9405271042b8284bb4be324c76d8c6389c670c3ee1f139
Instruction Fuzzy Hash: 19011674E00209DBCB04EFA8D5456ADFBB1FF84305F2082A9E905A7344DB78AE42CB91

Uniqueness

Uniqueness Score: -1.00%

Function 06810CF0, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.253556230.0000000006810000.00000040.00000001.sdmp, Offset: 06810000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9d33c59c225eb7b3ac87939c187dad56d02f8e634b6edca57f87689bab8f878
Instruction ID: ad3dd2145611ac009080fd85793e56cb03d17d7e3cd3dd881b934bb1fb1f28a5
Opcode Fuzzy Hash: f9d33c59c225eb7b3ac87939c187dad56d02f8e634b6edca57f87689bab8f878
Instruction Fuzzy Hash: 2BF08974D0924C9FD744DFA8D84159CBBB4EB45314F1441E9DC489B342DA326E47DB52

Uniqueness

Uniqueness Score: -1.00%

Function 01000070, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.241321999.0000000001000000.00000040.00000001.sdmp, Offset: 01000000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e6ac492b6383fafadd4e58139540c79c53d21fd8fcbce7d79ca263d68883eed
Instruction ID: 4d6bcc0003bbd9e6f9523abb9d0832c9b381cc1968d0f319abdb5e21f85fccf7
Opcode Fuzzy Hash: 4e6ac492b6383fafadd4e58139540c79c53d21fd8fcbce7d79ca263d68883eed
Instruction Fuzzy Hash: 78F0B430D05309DFD705DFA4D94835DBBF5EB48241F10C5A5E545A3258DB348B508B52

Uniqueness

Uniqueness Score: -1.00%

Function 01020818, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.241353861.0000000001020000.00000040.00000040.sdmp, Offset: 01020000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 525cef522958239b2deb72ab7ac90410e2832b06fb356f1b7ca8807ee3c9392c
Instruction ID: 4f7eba4d739fb09899adff36a7cb095954da9169d78ace10574899dfc2756f8e
Opcode Fuzzy Hash: 525cef522958239b2deb72ab7ac90410e2832b06fb356f1b7ca8807ee3c9392c
Instruction Fuzzy Hash: D6F0FB35504644DFC206CB44D940B16FBA2FB89718F24C6A9E9890B666C3379813DE81

Uniqueness

Uniqueness Score: -1.00%

Function 06F8248D, Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254355063.0000000006F80000.00000040.00000001.sdmp, Offset: 06F80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b7d0505743705f04a7d28635d8daa2109d718daec316a56a8cbc97eeb328ec6
Instruction ID: 028aa3ef5927d31976b171baeade7f49bca8f71f2e9353a2511e7261348b3deb
Opcode Fuzzy Hash: 9b7d0505743705f04a7d28635d8daa2109d718daec316a56a8cbc97eeb328ec6
Instruction Fuzzy Hash: E2F04435A04208AFDB91CF54CC40FA8B7B2FF49300F4490E4E249AB2B1DB35AA40DF06

Uniqueness

Uniqueness Score: -1.00%

Function 010205F6, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.241353861.0000000001020000.00000040.00000040.sdmp, Offset: 01020000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 994a85589826a4f2e9d0792cb80afbd992613730385bcef21b9dd919ef036906
Instruction ID: 12b65d2968eff90218a78d9bb4972dfe64d6611b15ed6c6ce46c618a641c4791
Opcode Fuzzy Hash: 994a85589826a4f2e9d0792cb80afbd992613730385bcef21b9dd919ef036906
Instruction Fuzzy Hash: CCE092766006008BD650CF0BEC41452FBD8EB88630B18C07FDD0D8BB10E575B944CEA6

Uniqueness

Uniqueness Score: -1.00%

Function 06810C77, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.253556230.0000000006810000.00000040.00000001.sdmp, Offset: 06810000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eea3250c37f7c39b74b321e3952ddb18f4fc637087236fda2bea487c52235b62
Instruction ID: dc8b9b57373d261b086973d633919fe747c5049c17ebc0791cceb60eaaf747e5
Opcode Fuzzy Hash: eea3250c37f7c39b74b321e3952ddb18f4fc637087236fda2bea487c52235b62
Instruction Fuzzy Hash: 29F03074D09204AFC785DF94D48569CBBB5EB85304F1081DACC4897342DA369E46DB91

Uniqueness

Uniqueness Score: -1.00%

Function 06810D3A, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.253556230.0000000006810000.00000040.00000001.sdmp, Offset: 06810000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f8ec70795caa9a108d8aea362cd29dcc39d8a4a0a9789c8379b2b0c1d182bce
Instruction ID: 0c6e5db23bf35b3804e178e5e2568c6997e2994efead23efb49654674ffe9a33
Opcode Fuzzy Hash: 4f8ec70795caa9a108d8aea362cd29dcc39d8a4a0a9789c8379b2b0c1d182bce
Instruction Fuzzy Hash: EBF03974C09348AFDB16DFA4984459DBF75EB81300F1081EAE940AA351C7356A44DB92

Uniqueness

Uniqueness Score: -1.00%

Function 0100557C, Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.241321999.0000000001000000.00000040.00000001.sdmp, Offset: 01000000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d7c9d3ae9733b69286bce2452e43754adce7a980a312a0d29a241547843c0a7
Instruction ID: a66d036e8e07b7203eebe521fad0abeeac13b01765569dc092b018c1f4d67e23
Opcode Fuzzy Hash: 8d7c9d3ae9733b69286bce2452e43754adce7a980a312a0d29a241547843c0a7
Instruction Fuzzy Hash: 63F0DA74D4411C9BDB54DF55C849BAEBBB6FF95300F2082E99109772A4DA310E81CF51

Uniqueness

Uniqueness Score: -1.00%

Function 06F80A03, Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254355063.0000000006F80000.00000040.00000001.sdmp, Offset: 06F80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a90a862ca98dab2e05f612552eb409d47c6a92c1abc7260eb8905828fa13fd94
Instruction ID: d24b76659ada4c6c73c99c6e59c36c81f2a92d0d50fc3b3149441df126d081bd
Opcode Fuzzy Hash: a90a862ca98dab2e05f612552eb409d47c6a92c1abc7260eb8905828fa13fd94
Instruction Fuzzy Hash: AAF08235C00348CFDB54DF60C859A99B771BF49200F8194A5D057A7275CB348544CF01

Uniqueness

Uniqueness Score: -1.00%

Function 06F8098A, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254355063.0000000006F80000.00000040.00000001.sdmp, Offset: 06F80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90dfb904f6a8668bfba6819d3fb0a1aedf8b00861e14fa8a564c2d2403e9da85
Instruction ID: 7ea82b6f3d7556a0d250a6aed7bf8021fd91e9b620aae496f07a28454f113954
Opcode Fuzzy Hash: 90dfb904f6a8668bfba6819d3fb0a1aedf8b00861e14fa8a564c2d2403e9da85
Instruction Fuzzy Hash: F3F08C359016189FEB54CF60C868ADAB7B2BF4D300FC084E0E10AAB2B1CF709A84CF11

Uniqueness

Uniqueness Score: -1.00%

Function 0681CC00, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.253556230.0000000006810000.00000040.00000001.sdmp, Offset: 06810000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 170dd1613784671362bf7e505963bc169f1b371e558b097daa10c3ab3ba43961
Instruction ID: 75042ce140a41bd9c00c269c22a4bdacdc30a184bcd165d641ecaeb55f6e2b1c
Opcode Fuzzy Hash: 170dd1613784671362bf7e505963bc169f1b371e558b097daa10c3ab3ba43961
Instruction Fuzzy Hash: D0E08634945308EFD700EF61E846B6DBB38E74230AF1002A8C90567384D7755D81CF80

Uniqueness

Uniqueness Score: -1.00%

Function 01002958, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.241321999.0000000001000000.00000040.00000001.sdmp, Offset: 01000000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cae7a2b058a2b7cee113fa09fc2c07847cba08f099b4b6117344a3c8113dace0
Instruction ID: d9b16e84bc53030a7083c6250dbfdc66ff5d5a7eb79a1fa30f74780c19003da8
Opcode Fuzzy Hash: cae7a2b058a2b7cee113fa09fc2c07847cba08f099b4b6117344a3c8113dace0
Instruction Fuzzy Hash: DEF0FF78D15258CFCB66CF64C984ADDBBB5FB19311F5005E9E419A7250DB319A81CF00

Uniqueness

Uniqueness Score: -1.00%

Function 01008437, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.241321999.0000000001000000.00000040.00000001.sdmp, Offset: 01000000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02aa494aa3f635bff39b22deb3ab9fc8c79e3a456d0b8ff2b1793cb0de0604fd
Instruction ID: 6ee30d79a7a57e5ca41e1105817ccfa2630130f30804d66a52611a9ec5fbea80
Opcode Fuzzy Hash: 02aa494aa3f635bff39b22deb3ab9fc8c79e3a456d0b8ff2b1793cb0de0604fd
Instruction Fuzzy Hash: 6FF05478E052698FDB21DF64C9446DDBBB5EB49340F0088E79C19B6250DA355F90DF14

Uniqueness

Uniqueness Score: -1.00%

Function 06F8C970, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254355063.0000000006F80000.00000040.00000001.sdmp, Offset: 06F80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d36fb4eaae90ac9f4f3088d742581dbb57ec3f44174e010bab9a0567f4bbb5a4
Instruction ID: 3549ba3f29bed6ba047905b4a944fb797f4905b2938e7f72e53d3984c0db1cc3
Opcode Fuzzy Hash: d36fb4eaae90ac9f4f3088d742581dbb57ec3f44174e010bab9a0567f4bbb5a4
Instruction Fuzzy Hash: 18E09A74D00308EFCB44EFA8D448AADBBB5EB59311F1081A9A85897360D7355A54DF91

Uniqueness

Uniqueness Score: -1.00%

Function 06F800E3, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254355063.0000000006F80000.00000040.00000001.sdmp, Offset: 06F80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a2ccace677ed97604aa7ae79e980f94e0e38a412b8b90dc8925e0a97c643c8e
Instruction ID: 0a996fdaaf93904f5c165d8df05dacdc19dba6f457b2fa9f588a3f9e29483797
Opcode Fuzzy Hash: 7a2ccace677ed97604aa7ae79e980f94e0e38a412b8b90dc8925e0a97c643c8e
Instruction Fuzzy Hash: 5BE01A34E05259DFEB84CF94D448AAEB3B2FF88300F40D4A6D95AA7245CB789A05CF06

Uniqueness

Uniqueness Score: -1.00%

Function 06F8B0A0, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254355063.0000000006F80000.00000040.00000001.sdmp, Offset: 06F80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5ebdac2967f145062b3acd4fb8a008f2c25992dcc998fb7081220b4a7175b9e
Instruction ID: 5dfd049e1b417b47345fbf1a7fb1b75b53fc9f2e0ac8d6b4d024f912b68895cd
Opcode Fuzzy Hash: e5ebdac2967f145062b3acd4fb8a008f2c25992dcc998fb7081220b4a7175b9e
Instruction Fuzzy Hash: E2E04FB0D00308DFCB44EFA8C5013ADB7B0FB44300F1045A9C81493340D7719A41CF81

Uniqueness

Uniqueness Score: -1.00%

Function 010075C3, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.241321999.0000000001000000.00000040.00000001.sdmp, Offset: 01000000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53f9fa4b4db8671cc8d6abb38f0e3914536bf505bcca5fcfe5cd541c6d55a871
Instruction ID: b8d0ce6ed27da8478742b63c17dea5ba73f3bf521e25827b48ef361935838ada
Opcode Fuzzy Hash: 53f9fa4b4db8671cc8d6abb38f0e3914536bf505bcca5fcfe5cd541c6d55a871
Instruction Fuzzy Hash: 06D0A7B4C15398DFD748EBB8990939DBBF48B00602F2001F9D88453390E9795B159EA1

Uniqueness

Uniqueness Score: -1.00%

Function 01002651, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.241321999.0000000001000000.00000040.00000001.sdmp, Offset: 01000000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 399f8e2d009e5b14b883f8d31d6e37052e3de9477ed4924aa99e69f95c7d1b6d
Instruction ID: 3731d7974f9c92d600f76beeb79c9f2e9cc4025e0db0b2f19f2c0820f5ca85f9
Opcode Fuzzy Hash: 399f8e2d009e5b14b883f8d31d6e37052e3de9477ed4924aa99e69f95c7d1b6d
Instruction Fuzzy Hash: 55E08CB4105219CFC7009FA8D44894DBBB5FF19301B4011A9E94A8B16ACB31C651CF10

Uniqueness

Uniqueness Score: -1.00%

Function 06F8C3D8, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254355063.0000000006F80000.00000040.00000001.sdmp, Offset: 06F80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a65d032f2d5921e5c474710646c16a739e0dea2454d1237159617110fc045129
Instruction ID: 38d2455ae9a98baa08ca5265325740802be0c4e65dada8d7bdced736ff6345cb
Opcode Fuzzy Hash: a65d032f2d5921e5c474710646c16a739e0dea2454d1237159617110fc045129
Instruction Fuzzy Hash: ABE0EC70D45318DBC754EBB4950529DBBF4AB45305F1085E9C80462350D6359A54DE95

Uniqueness

Uniqueness Score: -1.00%

Function 06F8A128, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254355063.0000000006F80000.00000040.00000001.sdmp, Offset: 06F80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3452d050efd7af3a57dd494a58af1c0563eb8743d9f593f8831058cba7cfcb8
Instruction ID: 423177541dde8310c3e52bc62652ab6ee51ee765239551be7a74afbe82045486
Opcode Fuzzy Hash: a3452d050efd7af3a57dd494a58af1c0563eb8743d9f593f8831058cba7cfcb8
Instruction Fuzzy Hash: 8EE0B674D012089FC744EFA8D44979DBBB4EB45301F1081EA980893350DA355A58CF81

Uniqueness

Uniqueness Score: -1.00%

Function 06810C88, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.253556230.0000000006810000.00000040.00000001.sdmp, Offset: 06810000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ec831b6b4932f439195f287378e14595b8f720ea3eced008482faa1e1d4ee05
Instruction ID: c971d8325a737f388cc6dc7c3dac1d17acb933ba7d851718a70c30243df825b0
Opcode Fuzzy Hash: 9ec831b6b4932f439195f287378e14595b8f720ea3eced008482faa1e1d4ee05
Instruction Fuzzy Hash: DBE09278D05208EBCB44DF99D54169CBBB5EB88304F2081A9D90897341DB36AA42DF81

Uniqueness

Uniqueness Score: -1.00%

Function 06810D00, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.253556230.0000000006810000.00000040.00000001.sdmp, Offset: 06810000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ec831b6b4932f439195f287378e14595b8f720ea3eced008482faa1e1d4ee05
Instruction ID: 1c81e234997ee26372cf45f1d1fd789c157a4841f584577ca548c2c0c8b52c70
Opcode Fuzzy Hash: 9ec831b6b4932f439195f287378e14595b8f720ea3eced008482faa1e1d4ee05
Instruction Fuzzy Hash: 47E09278D05208ABCB44DF98D54169CBBB4EB88305F2081A9D90897340DB36AA42DF81

Uniqueness

Uniqueness Score: -1.00%

Function 06810D48, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.253556230.0000000006810000.00000040.00000001.sdmp, Offset: 06810000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6696b889679253c5bc41f3de9771b9b17dac627f6414f3aadcccc05b859355c9
Instruction ID: 9b0ad7c529179ae8e3a1b0710707fb15b9d14893133cbc589eb86b1f6d4a7c19
Opcode Fuzzy Hash: 6696b889679253c5bc41f3de9771b9b17dac627f6414f3aadcccc05b859355c9
Instruction Fuzzy Hash: D8E04674C0130CEBCB04EFA8D44069DBBB5FB84300F1081A9DA0067300C735AA90EF84

Uniqueness

Uniqueness Score: -1.00%

Function 01002162, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.241321999.0000000001000000.00000040.00000001.sdmp, Offset: 01000000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7562201c2b833c2a06b08ffceb19a25d53a9d308b1ed9f1aefbfdb42b84e8c39
Instruction ID: e8039efd3781f373683a24c3af709405da0bd2b33a2a639229cba6d461f99a69
Opcode Fuzzy Hash: 7562201c2b833c2a06b08ffceb19a25d53a9d308b1ed9f1aefbfdb42b84e8c39
Instruction Fuzzy Hash: F6E0C2B49012288FDB60CF68C984ACDB7B1BF68300F2041A9D458B7354DA709A81CF01

Uniqueness

Uniqueness Score: -1.00%

Function 0100D468, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.241321999.0000000001000000.00000040.00000001.sdmp, Offset: 01000000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 555b158a726cbd4026f020c3ccdb8e73712b11db0b189d4cf7fb96f42ceeb46a
Instruction ID: 4cf08fe639adf60a165fee42a80f90859829aebc2e371fcd90a2097a7a639814
Opcode Fuzzy Hash: 555b158a726cbd4026f020c3ccdb8e73712b11db0b189d4cf7fb96f42ceeb46a
Instruction Fuzzy Hash: 43D012309403189BD754FBF8E44529C7BB4AB44700F1004A9894497290EE305A95DBE1

Uniqueness

Uniqueness Score: -1.00%

Function 06F8D9D8, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254355063.0000000006F80000.00000040.00000001.sdmp, Offset: 06F80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d21ab631b245d6d05c14c83a453cb9ab7935ed599f52ddd1a18289ba965a0d90
Instruction ID: 7dd325f6d94d5c2c94642e7058b8f750f2b4f31a0b4ee34bd0dffbdd61066ffd
Opcode Fuzzy Hash: d21ab631b245d6d05c14c83a453cb9ab7935ed599f52ddd1a18289ba965a0d90
Instruction Fuzzy Hash: 5BE0EC74D003089FC784EFA8D44879CBBF4EF04300F1041F9980893360EA355A54CF82

Uniqueness

Uniqueness Score: -1.00%

Function 01005739, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.241321999.0000000001000000.00000040.00000001.sdmp, Offset: 01000000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac7a808812153573c8c4991d8fd26954dcdc0dec920b4409ea157d02f3c69bc4
Instruction ID: 9b40b2f5a4d822447005e3fd54f2576010620bd582267b1f1e48376185f3e9ac
Opcode Fuzzy Hash: ac7a808812153573c8c4991d8fd26954dcdc0dec920b4409ea157d02f3c69bc4
Instruction Fuzzy Hash: A4E0BDB4D04259DFDB44DFA5C480ACEBBF6EB89320F15A1A9C118B7654D3349A808F68

Uniqueness

Uniqueness Score: -1.00%

Function 01005F5D, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.241321999.0000000001000000.00000040.00000001.sdmp, Offset: 01000000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f301d032dea012825aa646bef3cdd85bfe8e169c5802c52a1b6c501c862bff0
Instruction ID: d99ea68b1bf979d7b6d2720a55eb041bec92f4f352e895adaa31a403e69e50b6
Opcode Fuzzy Hash: 7f301d032dea012825aa646bef3cdd85bfe8e169c5802c52a1b6c501c862bff0
Instruction Fuzzy Hash: F8E092B4D142198FDB00CBA4C981B9EFBF5AB89310F14A599D518AB340D7359E808F69

Uniqueness

Uniqueness Score: -1.00%

Function 0100758B, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.241321999.0000000001000000.00000040.00000001.sdmp, Offset: 01000000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f9e3ee66cbcb5b511b81348b1362b77d279593d0b33f9720ed39296728cccad
Instruction ID: 3cb24b72dbdac3e180e0e48beb1f54d4cf8fcfd464e515cf58bbde815f7d7455
Opcode Fuzzy Hash: 7f9e3ee66cbcb5b511b81348b1362b77d279593d0b33f9720ed39296728cccad
Instruction Fuzzy Hash: 2FD080704463486FE311EFB49C0A79A77FC8B05606F1019B49C4493391E97665119DF7

Uniqueness

Uniqueness Score: -1.00%

Function 06F8CA98, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254355063.0000000006F80000.00000040.00000001.sdmp, Offset: 06F80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15d0c181d3d8e85abe134f65756326c407b39b223b1c69e7d811e353f194ab84
Instruction ID: 99cb00a9e68ee97ea2f3dc13e8dcb46703e250560d598f6838e896af0d73f68b
Opcode Fuzzy Hash: 15d0c181d3d8e85abe134f65756326c407b39b223b1c69e7d811e353f194ab84
Instruction Fuzzy Hash: 45D02230C113088FC344FFB8A90C36ABBF4E702702F1008BA880893250EE708664CAF2

Uniqueness

Uniqueness Score: -1.00%

Function 06F81286, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254355063.0000000006F80000.00000040.00000001.sdmp, Offset: 06F80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aafa7795868cd3213649f71fb9b82b62d20e5d84eb03234c39d3b7166f73845e
Instruction ID: 049ec6da50e59a043b8dcb7381f0198c91c13668e886017ac5c1d884c97a7fa2
Opcode Fuzzy Hash: aafa7795868cd3213649f71fb9b82b62d20e5d84eb03234c39d3b7166f73845e
Instruction Fuzzy Hash: 33E0C274D0022C8FCB90CF50C984AEABBF0BB49342F0490E5940DA3264CA709B808F91

Uniqueness

Uniqueness Score: -1.00%

Function 00AF2477, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.240979164.0000000000AF2000.00000040.00000001.sdmp, Offset: 00AF2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 005fda4911324029636d9a29852b29e5d5faef2c25c586c130f627f7bdf4f607
Instruction ID: 04cbf05dd467605823b3c88008eae63ef6b356046508e8115c9decfc73382d12
Opcode Fuzzy Hash: 005fda4911324029636d9a29852b29e5d5faef2c25c586c130f627f7bdf4f607
Instruction Fuzzy Hash: B5D02345697E584AD62606B6C92E254FF54C8553213108185E9D00A905415000462F65

Uniqueness

Uniqueness Score: -1.00%

Function 0100514C, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.241321999.0000000001000000.00000040.00000001.sdmp, Offset: 01000000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45cfe1650895cd07b8f111c7d958450d7f273f2af66af15ca4b63cbb2b4b2aae
Instruction ID: 2f15715eff34b2a6fd1f48ff4fdc5b1d74b3cee18f634959ef999ed816f6e246
Opcode Fuzzy Hash: 45cfe1650895cd07b8f111c7d958450d7f273f2af66af15ca4b63cbb2b4b2aae
Instruction Fuzzy Hash: FAE017B0904209DFDB00CBA4C848BDEBBB4BB49320F1052B9D26AB62C0CB305A89CF15

Uniqueness

Uniqueness Score: -1.00%

Function 06F8FEE0, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254355063.0000000006F80000.00000040.00000001.sdmp, Offset: 06F80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d960a3840dd4f1a2e40ff33f96edb1b65cd3b84da24dad93417deefdf8681cf
Instruction ID: d6e8186a4033682984083cb57ef9bc927b45d505326fe132abc8ade44f56c3da
Opcode Fuzzy Hash: 7d960a3840dd4f1a2e40ff33f96edb1b65cd3b84da24dad93417deefdf8681cf
Instruction Fuzzy Hash: 31D05E34C03308EFC744EFA8D04025CBB74EB80706F2001E9C90417340D735AE90CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00AF23F4, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.240979164.0000000000AF2000.00000040.00000001.sdmp, Offset: 00AF2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c2ff3e6d99a4e1d1e0cecc7bf111283343c3477c40c29854907d847f25b68d9
Instruction ID: 082caaa43942063b06bf569766c9371610b5938a4720b7ba611dd9933fc58305
Opcode Fuzzy Hash: 1c2ff3e6d99a4e1d1e0cecc7bf111283343c3477c40c29854907d847f25b68d9
Instruction Fuzzy Hash: 56D05E79255A818FD3278B1CC1A8BA53B94AB51B05F4644FEF8008B663C3A8D981D210

Uniqueness

Uniqueness Score: -1.00%

Function 0681AD49, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.253556230.0000000006810000.00000040.00000001.sdmp, Offset: 06810000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28ef7f435da8f4a89238518dad1f4b96ebd47e069b1d520d778ea5279a6390b9
Instruction ID: 117881012fa328fdc1999934f3a11ee247fa73764c0564efa2b329a207c9132e
Opcode Fuzzy Hash: 28ef7f435da8f4a89238518dad1f4b96ebd47e069b1d520d778ea5279a6390b9
Instruction Fuzzy Hash: 07C08C31CCF90846E3880D14A84207AB32CE78301D7097783AC09AB5078281C02100C8

Uniqueness

Uniqueness Score: -1.00%

Function 00AF23BC, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.240979164.0000000000AF2000.00000040.00000001.sdmp, Offset: 00AF2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f01f969ce1b5a1062e1f572329f54162fd7d62ed35551fd0ca4f7dc833f80da5
Instruction ID: 615ff26bfa59a9f33674d0def02d79520c8bcb09b786777fb89f4f54b29cd190
Opcode Fuzzy Hash: f01f969ce1b5a1062e1f572329f54162fd7d62ed35551fd0ca4f7dc833f80da5
Instruction Fuzzy Hash: F1D05E742006858BD715DB0CC594F6977D4AB41B00F0645E8BD008F662C3A8DC81C600

Uniqueness

Uniqueness Score: -1.00%

Function 01005325, Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.241321999.0000000001000000.00000040.00000001.sdmp, Offset: 01000000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f1d5a053f281b3f3048aeef9ca38c6fa53d96a01082ee821b47f414ace08463
Instruction ID: a8a79e3f4e19489c147ffbc4a0f7bf1248db279e75084067837145183e2bb6d6
Opcode Fuzzy Hash: 1f1d5a053f281b3f3048aeef9ca38c6fa53d96a01082ee821b47f414ace08463
Instruction Fuzzy Hash: D1D06CB49042488EDB01DBA4C481BDEBBB5AB5A320F146199D609B3281D7345A808F66

Uniqueness

Uniqueness Score: -1.00%

Function 01005208, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.241321999.0000000001000000.00000040.00000001.sdmp, Offset: 01000000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1be5f4e66fc04a1954d51318eca401ccf4b3256cc711581c443a474923626752
Instruction ID: 9934562415006b8f5b1426fbacc9dd9639e8e97e6d3a150e6bfd47c883ac23b9
Opcode Fuzzy Hash: 1be5f4e66fc04a1954d51318eca401ccf4b3256cc711581c443a474923626752
Instruction Fuzzy Hash: 16D0A770D052589EDB00CF90C440B9FFBB4FB89300F0050DA4048E3290E3349E40CF15

Uniqueness

Uniqueness Score: -1.00%

Function 01005462, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.241321999.0000000001000000.00000040.00000001.sdmp, Offset: 01000000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5f6b06d5f7f0f9d22ff18e01c15ec5e2db2d11723796c4b10c27fb89ac77b8a
Instruction ID: 0748a25838fe3cfe62ddfdfffc832c3bca0b8519cee779c15226173fbb743c4d
Opcode Fuzzy Hash: b5f6b06d5f7f0f9d22ff18e01c15ec5e2db2d11723796c4b10c27fb89ac77b8a
Instruction Fuzzy Hash: DAD0A9B1C042189FDF14CFA0D440B9FFBBAEB88300F0091EA8118E7280D7309E408F10

Uniqueness

Uniqueness Score: -1.00%

Function 06F8FC70, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254355063.0000000006F80000.00000040.00000001.sdmp, Offset: 06F80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f41fd95e85f7f9f1277b037356e4eec447af5760c4cf1c6987d55338440057ef
Instruction ID: fa114cec1ea49ae3e913458781098f46f8d75849396a4d658c50367f8d483822
Opcode Fuzzy Hash: f41fd95e85f7f9f1277b037356e4eec447af5760c4cf1c6987d55338440057ef
Instruction Fuzzy Hash: C3B02220C23B088BF0A832C02C00338338CABC2A08F002AA0CF08028C20B28B800E8A2

Uniqueness

Uniqueness Score: -1.00%

Function 06F8DE48, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254355063.0000000006F80000.00000040.00000001.sdmp, Offset: 06F80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e90f71c1a9ceb6901ac2582ebd07807dd96cf917590e7554867520450efe6f4
Instruction ID: 7ef73aa81be9642b34412b86edff0ca67954fd0c86f62fdc7692dbe0d12005d1
Opcode Fuzzy Hash: 7e90f71c1a9ceb6901ac2582ebd07807dd96cf917590e7554867520450efe6f4
Instruction Fuzzy Hash: 6CC02B3C80230847F5543AC1780D330F358EBC1707F040110CB0C41480CB78A890EA55

Uniqueness

Uniqueness Score: -1.00%

Function 06F8F530, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254355063.0000000006F80000.00000040.00000001.sdmp, Offset: 06F80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19140b3c496bf569a039a0e70d0f526d8846a4079ba31eccdaee16c0a3734f5d
Instruction ID: d3f6c6b5a683a0c632041b189df7db41718dc90c7fec130b29dde8d34aaad041
Opcode Fuzzy Hash: 19140b3c496bf569a039a0e70d0f526d8846a4079ba31eccdaee16c0a3734f5d
Instruction Fuzzy Hash: FDB022A0803B080FF28833C83C02330B38CA3C0A08F002BA08B0C020828B28B800C8AA

Uniqueness

Uniqueness Score: -1.00%

Function 06810300, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.253556230.0000000006810000.00000040.00000001.sdmp, Offset: 06810000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7ff4fca8408501dbe63392ca8944433033d116cf285daeabdd9722c0c67f31b
Instruction ID: 9c6245f7c1739d304367986cf7894b0e18a08c71aaf3ee4d09fd72b15b539496
Opcode Fuzzy Hash: b7ff4fca8408501dbe63392ca8944433033d116cf285daeabdd9722c0c67f31b
Instruction Fuzzy Hash: 68C01238A05108EFDB00CF80D9A9AACFBB4EB08300F20C082EC055B316DB309A0ADB40

Uniqueness

Uniqueness Score: -1.00%

Function 06F80953, Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254355063.0000000006F80000.00000040.00000001.sdmp, Offset: 06F80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85258e44f3d2d08fe71a170b4c1d0c15a8d615ca11e0009952ad8d770d37e7f0
Instruction ID: b6602a7188ec42ae8138b85401a42f751f38491b687041dae99bc5e166c17bc1
Opcode Fuzzy Hash: 85258e44f3d2d08fe71a170b4c1d0c15a8d615ca11e0009952ad8d770d37e7f0
Instruction Fuzzy Hash: 14C08C30C2431A9FC700DF50D8001AEBBB0FF05300B801888C007AA060CB741A00CF88

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 06F8DE78, Relevance: 5.2, Strings: 4, Instructions: 156COMMON

Download Yara Rule

Strings

:@:r, xrefs: 06F8DFB9
`5ar, xrefs: 06F8E092
>_?r, xrefs: 06F8DFD6
f]?r, xrefs: 06F8DEC2

Memory Dump Source

Source File: 00000000.00000002.254355063.0000000006F80000.00000040.00000001.sdmp, Offset: 06F80000, based on PE: false

Similarity

API ID:
String ID: :@:r$>_?r$`5ar$f]?r
API String ID: 0-3822966099
Opcode ID: 275336fe7e460856d93e16d2109d8436f6949e43ff5f8b783818410b5a15ba4c
Instruction ID: 77196bd2d79f6a3f4d13509ccb579c2f91b0bec71dd6da58aa334c1bfe35a310
Opcode Fuzzy Hash: 275336fe7e460856d93e16d2109d8436f6949e43ff5f8b783818410b5a15ba4c
Instruction Fuzzy Hash: EE61FA74E102098FD788EFAAD941799BBF2FFD4314F14C139D6089B258DBB52D068B50

Uniqueness

Uniqueness Score: -1.00%

Function 06F8CEA8, Relevance: 1.3, Strings: 1, Instructions: 96COMMON

Download Yara Rule

Strings

uJ8[, xrefs: 06F8CEDA

Memory Dump Source

Source File: 00000000.00000002.254355063.0000000006F80000.00000040.00000001.sdmp, Offset: 06F80000, based on PE: false

Similarity

API ID:
String ID: uJ8[
API String ID: 0-3951997731
Opcode ID: 69760afa42de3a1d1e1af60c167fb6659a7640e7cf80e3d2b7283acc2a912387
Instruction ID: 429cb265eef19bfc6bc7a8c18cb6e7e9051739c5a37a2af406021873e6002ba5
Opcode Fuzzy Hash: 69760afa42de3a1d1e1af60c167fb6659a7640e7cf80e3d2b7283acc2a912387
Instruction Fuzzy Hash: 6B414775D0420ADFDB44EFA9D5456AEBBB1FF88210F10D4AAC512B7254D7385B40CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 01002F18, Relevance: 1.3, Strings: 1, Instructions: 94COMMON

Download Yara Rule

Strings

{l, xrefs: 01003042

Memory Dump Source

Source File: 00000000.00000002.241321999.0000000001000000.00000040.00000001.sdmp, Offset: 01000000, based on PE: false

Similarity

API ID:
String ID: {l
API String ID: 0-762591856
Opcode ID: bcf426231f6cc5446af8a999f44a80a6d202b391c5f3a8452e983be70edc904e
Instruction ID: dc712c8c616529a4617cc6b19b817af8cdddec29fe453de61b3b94690ec3f3f7
Opcode Fuzzy Hash: bcf426231f6cc5446af8a999f44a80a6d202b391c5f3a8452e983be70edc904e
Instruction Fuzzy Hash: 2141F2B0D092499FDB06CFA9C4859AEFBF0FB49340F14C5AAD855AB250D3389A42CF51

Uniqueness

Uniqueness Score: -1.00%

Function 01004CA8, Relevance: 1.3, Strings: 1, Instructions: 93COMMON

Download Yara Rule

Strings

SWU, xrefs: 01004CE9

Memory Dump Source

Source File: 00000000.00000002.241321999.0000000001000000.00000040.00000001.sdmp, Offset: 01000000, based on PE: false

Similarity

API ID:
String ID: SWU
API String ID: 0-957078890
Opcode ID: 22a519e81b7e64093e3f4e7d99d37b7f278de43bbb8e31576180e86857fbda74
Instruction ID: 6e80e8dbedf1badb0c01aa65e21cff7ba56c45ebe741ec4d45587a4c07393683
Opcode Fuzzy Hash: 22a519e81b7e64093e3f4e7d99d37b7f278de43bbb8e31576180e86857fbda74
Instruction Fuzzy Hash: 044113B4D0420ADBDB09DFA6D5819EEFBF1FF88300F20946AC515EB250D3349A41CB99

Uniqueness

Uniqueness Score: -1.00%

Function 01004CA4, Relevance: 1.3, Strings: 1, Instructions: 92COMMON

Download Yara Rule

Strings

SWU, xrefs: 01004CE9

Memory Dump Source

Source File: 00000000.00000002.241321999.0000000001000000.00000040.00000001.sdmp, Offset: 01000000, based on PE: false

Similarity

API ID:
String ID: SWU
API String ID: 0-957078890
Opcode ID: 54b6b05d44e011e4f72ad2036be62b2f1cfbff0fb045752a02e8b33d5ed3693d
Instruction ID: c7ba3a3f190d0b48b5db10bc2c2383e9f1255ce4aeaa08390c9beef1f6a92026
Opcode Fuzzy Hash: 54b6b05d44e011e4f72ad2036be62b2f1cfbff0fb045752a02e8b33d5ed3693d
Instruction Fuzzy Hash: B04104B4D0420ADBDB09DFA6D5819EEFBF1FF88300F20946AC515EB254D3349A41CB99

Uniqueness

Uniqueness Score: -1.00%

Function 06F8BC98, Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254355063.0000000006F80000.00000040.00000001.sdmp, Offset: 06F80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2d7b9458e0405f6fb538b2371441c9c41bc661385ad02382d4609bfc819b812
Instruction ID: 082e04c26e441cca8fd50d588e68abf8de0289cddda61c15b43ec115a7d17040
Opcode Fuzzy Hash: c2d7b9458e0405f6fb538b2371441c9c41bc661385ad02382d4609bfc819b812
Instruction Fuzzy Hash: 09C14974E04259DFDB54DFA9C580AADFBB2FF89304F2481AAD805AB315D734AA42CF50

Uniqueness

Uniqueness Score: -1.00%

Function 01003800, Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.241321999.0000000001000000.00000040.00000001.sdmp, Offset: 01000000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94afff9d793f28d2f9f91c472e107aa0537b0c2ec0514c2aea0970204b7eb410
Instruction ID: 2b154f2b430efcdcdab89e841092ea7f0d315ca7835f7b58f263b8815563e820
Opcode Fuzzy Hash: 94afff9d793f28d2f9f91c472e107aa0537b0c2ec0514c2aea0970204b7eb410
Instruction Fuzzy Hash: 1B71FB74E15209EFDB46CFA9D48499DFBF1FB48310F14C4AAE855AB260D334AA45CF50

Uniqueness

Uniqueness Score: -1.00%

Function 010037F8, Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.241321999.0000000001000000.00000040.00000001.sdmp, Offset: 01000000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9358d1ea0e7fbefcdbc323a8d1209ec29c1f7561002452015a7aa6b47f89df3
Instruction ID: d7f94d5d50a14b40bd106f364f52a4deb7bbdabaf270f0f62a9ed684115a081c
Opcode Fuzzy Hash: b9358d1ea0e7fbefcdbc323a8d1209ec29c1f7561002452015a7aa6b47f89df3
Instruction Fuzzy Hash: 9F71F974E25249EFDB46CFA9C48499DFBF1FF49310F24C4AAE855AB260D234AA45CF10

Uniqueness

Uniqueness Score: -1.00%

Function 01004A58, Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.241321999.0000000001000000.00000040.00000001.sdmp, Offset: 01000000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d5d9c79fee2f364dc5b37a141d78bdda5de8045b63ff0f3bb333d185091fb20
Instruction ID: 1fcf472d7288a44ab9254feb36feff52a076e19075759db6aa70c99fd18ab52a
Opcode Fuzzy Hash: 7d5d9c79fee2f364dc5b37a141d78bdda5de8045b63ff0f3bb333d185091fb20
Instruction Fuzzy Hash: 2B613EB0D1820ADFDF04CFAAD9809AEBBF1FB89200F10956AC555FB250D3389A51CF59

Uniqueness

Uniqueness Score: -1.00%

Function 01004A55, Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.241321999.0000000001000000.00000040.00000001.sdmp, Offset: 01000000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de07bbaf83adac82b4cb5d4dd932d2fe60474ff0c1f71cca6dd8c4616455ed99
Instruction ID: 02b749670b64b79597656fd603be39899897eca9e0ea90d5f61e236a601cffd6
Opcode Fuzzy Hash: de07bbaf83adac82b4cb5d4dd932d2fe60474ff0c1f71cca6dd8c4616455ed99
Instruction Fuzzy Hash: 2F5130B4D1820ADFDF04CFAAD9809AEBBF1EB89200F10956AC155FB254D3389A41CF59

Uniqueness

Uniqueness Score: -1.00%

Function 01004298, Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.241321999.0000000001000000.00000040.00000001.sdmp, Offset: 01000000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d460ad74e45496cf0800028062ab4b1f1c3f95b64272194f377640ccef82417a
Instruction ID: 5a8d5b5c5ac9d99253e098b0975b350d020a3006da2fca031ae73f26afd4c77e
Opcode Fuzzy Hash: d460ad74e45496cf0800028062ab4b1f1c3f95b64272194f377640ccef82417a
Instruction Fuzzy Hash: 0C511374E0520AEFDB05CFA8C5809AEFBB1FF48310F14959AD945E7244D730AA81CFA9

Uniqueness

Uniqueness Score: -1.00%

Function 01004291, Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.241321999.0000000001000000.00000040.00000001.sdmp, Offset: 01000000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c4b681810fcccbb53b276a06fa6f4e946bf3b74646e18bb29ca54bfd88cd312
Instruction ID: 2573012e4f0d0b6ab59d685dd62cdc99949ebbfa0f5bb8665f6061135839eb4d
Opcode Fuzzy Hash: 8c4b681810fcccbb53b276a06fa6f4e946bf3b74646e18bb29ca54bfd88cd312
Instruction Fuzzy Hash: 71512374E0520AEFDB05CFA8D5809AEFBB1FF48310F14959AD945E7244D330AA81CFA9

Uniqueness

Uniqueness Score: -1.00%

Function 06F8A9F8, Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254355063.0000000006F80000.00000040.00000001.sdmp, Offset: 06F80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ed95ecedef74dd0f3871880ba22aee9dcf0c2ba93bf4a0490675154ced37ff5
Instruction ID: 541960e0a32eec0820e84485accacee0962e9d93547709cf0d2d0259ba84e568
Opcode Fuzzy Hash: 9ed95ecedef74dd0f3871880ba22aee9dcf0c2ba93bf4a0490675154ced37ff5
Instruction Fuzzy Hash: A2510574E04219CFDB54DFAAC6815ADFBF2FB89304F24D1AAD418AB215D7349A01CF94

Uniqueness

Uniqueness Score: -1.00%

Function 0100454C, Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.241321999.0000000001000000.00000040.00000001.sdmp, Offset: 01000000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0dcc54596a0e9ca235a115603676f3cf904b4ef4d83e68cd7245d5c364763e3e
Instruction ID: 5642065208703ced516da190e3f1ec820af6076f91acc4d4353024811429b449
Opcode Fuzzy Hash: 0dcc54596a0e9ca235a115603676f3cf904b4ef4d83e68cd7245d5c364763e3e
Instruction Fuzzy Hash: 195107B0D0520ADFEB05CFA4C6805AEBBB1BB48300F24955AD555FB681D735AB40CFA9

Uniqueness

Uniqueness Score: -1.00%

Function 01004E55, Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.241321999.0000000001000000.00000040.00000001.sdmp, Offset: 01000000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09d8fca311cba64c727586daadf3d29ab9eadf0a5c6cec36e72928159abdec27
Instruction ID: 3d268733c9cf2711d0917b4510b57360514d68c8c8c1696ef8ba55c1b2ae7ef6
Opcode Fuzzy Hash: 09d8fca311cba64c727586daadf3d29ab9eadf0a5c6cec36e72928159abdec27
Instruction Fuzzy Hash: 11415C71E016588BEB6CCF6B8D4429EFAF3AFC9300F14C1BA854CA6264DB351A858F11

Uniqueness

Uniqueness Score: -1.00%

Function 01004848, Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.241321999.0000000001000000.00000040.00000001.sdmp, Offset: 01000000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42a92245350e06da03cf6ee282799c30d64f095fe76777de7755de118d802d59
Instruction ID: 3558403bda6a2aca6c44dfbc9c05fc8a0508d651bc92b038cdb76c2a77bcdf1c
Opcode Fuzzy Hash: 42a92245350e06da03cf6ee282799c30d64f095fe76777de7755de118d802d59
Instruction Fuzzy Hash: 864149B0D0420A8FDB05CFEAC4815AEFBB1BF88300F14986AC555EB298D7749651CF95

Uniqueness

Uniqueness Score: -1.00%

Function 01004858, Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.241321999.0000000001000000.00000040.00000001.sdmp, Offset: 01000000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: caf66ebacc0d3337716a3bbc138254544801c99722265c78a12595df8e8029e4
Instruction ID: e7353d6352110b2840bc175a6e273e0c9a8d2fd14ac9e859e5f7796b1f74f52f
Opcode Fuzzy Hash: caf66ebacc0d3337716a3bbc138254544801c99722265c78a12595df8e8029e4
Instruction Fuzzy Hash: 514148B0D0420A8FEB05CFEAC4805AEFBF2FB88300F14986AC655EB254D7749651CF99

Uniqueness

Uniqueness Score: -1.00%

Function 06F8A250, Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254355063.0000000006F80000.00000040.00000001.sdmp, Offset: 06F80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bdc49ae608968b06d099490d32da29005a6860b03953d21e6828e0cec2b092f9
Instruction ID: 76b3a2412467f9ffbf2d450c8affd9c561fc2b0a4e7e667cc06d9f8106ab5cf4
Opcode Fuzzy Hash: bdc49ae608968b06d099490d32da29005a6860b03953d21e6828e0cec2b092f9
Instruction Fuzzy Hash: 72411570D04209DFDB64DFA6C945A9EFBB2FF88300F20C56AD415AB265DB759A01CF81

Uniqueness

Uniqueness Score: -1.00%

Function 068105F0, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.253556230.0000000006810000.00000040.00000001.sdmp, Offset: 06810000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7046a3b77bd1f354904fd0a555d4c4831c936ee6b47843077568bf594eef0df
Instruction ID: 3883de163875e5d5bc83bcdaeddf7d1389c036342fda85e89426129ef8e273c4
Opcode Fuzzy Hash: d7046a3b77bd1f354904fd0a555d4c4831c936ee6b47843077568bf594eef0df
Instruction Fuzzy Hash: 8C11EC71E116189FEB58CF6BD84079EBAF7AFC8210F14C17AD508EA254DB3009818F51

Uniqueness

Uniqueness Score: -1.00%

Function 06F8B728, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254355063.0000000006F80000.00000040.00000001.sdmp, Offset: 06F80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6460395fbdf318c97c6a187a68b01fc4c1316d2f33c0fe7bcce19207288e711b
Instruction ID: 71cb88c802962f6280629aefef0a7b1df8bc74d0c5d17266473dab3f8a323e26
Opcode Fuzzy Hash: 6460395fbdf318c97c6a187a68b01fc4c1316d2f33c0fe7bcce19207288e711b
Instruction Fuzzy Hash: A211C871D05608DFDB58CFABC5411AEFBF7BFC9200F24C27A8818AB255EA3456019F51

Uniqueness

Uniqueness Score: -1.00%

Function 06F8B0E8, Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254355063.0000000006F80000.00000040.00000001.sdmp, Offset: 06F80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f3815aac85ded38f8dc50e60c566d570c3c0a9aa9a3fd1c02ea301a4f3b4e48
Instruction ID: 7fc516da9fcf12bf2a3ab5f615dc757ef69b95bc2b3a12b78f7644b441d2847a
Opcode Fuzzy Hash: 9f3815aac85ded38f8dc50e60c566d570c3c0a9aa9a3fd1c02ea301a4f3b4e48
Instruction Fuzzy Hash: 7811E8B1D00608CFDB58CFABC54019EFBF7AFC9200F24C1AAC418AB265DA345A029F51

Uniqueness

Uniqueness Score: -1.00%

Function 068184C0, Relevance: 6.4, Strings: 5, Instructions: 192COMMON

Download Yara Rule

Strings

$g^r, xrefs: 068185E5
gH, xrefs: 06818553
X1ar, xrefs: 0681863D
`5ar, xrefs: 06818615
X1ar, xrefs: 06818676

Memory Dump Source

Source File: 00000000.00000002.253556230.0000000006810000.00000040.00000001.sdmp, Offset: 06810000, based on PE: false

Similarity

API ID:
String ID: $g^r$X1ar$X1ar$`5ar$gH
API String ID: 0-163192674
Opcode ID: 67b556ac30d0a0de008c0c84c72d397d9c145120904077591e86a645e6ba168f
Instruction ID: a02632fc557db60bd8433fdec14cc98ec937184f643b4e7eec5d7a640eda791c
Opcode Fuzzy Hash: 67b556ac30d0a0de008c0c84c72d397d9c145120904077591e86a645e6ba168f
Instruction Fuzzy Hash: 72710471A002059FCB50DFA8C855AAEBBF6BF85320F20425AE652DF3A1DB319C40CF91

Uniqueness

Uniqueness Score: -1.00%

Function 06818548, Relevance: 6.4, Strings: 5, Instructions: 135COMMON

Download Yara Rule

Strings

$g^r, xrefs: 068185E5
gH, xrefs: 06818553
X1ar, xrefs: 0681863D
`5ar, xrefs: 06818615
X1ar, xrefs: 06818676

Memory Dump Source

Source File: 00000000.00000002.253556230.0000000006810000.00000040.00000001.sdmp, Offset: 06810000, based on PE: false

Similarity

API ID:
String ID: $g^r$X1ar$X1ar$`5ar$gH
API String ID: 0-163192674
Opcode ID: e32e15a8cdf24769237ef79f808760119a6546799d6d700e295a004a044dc45f
Instruction ID: efcdc14c7e070d95a253fb1bb4ad188b47538f9530db436165256452cfda4bb4
Opcode Fuzzy Hash: e32e15a8cdf24769237ef79f808760119a6546799d6d700e295a004a044dc45f
Instruction Fuzzy Hash: 63513F74A005059FCB54DFA9C855BAEBBF6BF84310F208259E612EB3A4DB31AD40CF55

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: RegSvcs.exe PID: 5420 Parent PID: 6068 RegSvcs.exeCOMMON

Executed Functions

Function 03499ACB, Relevance: 2.7, Strings: 2, Instructions: 179COMMON

Download Yara Rule

Strings

>_?r, xrefs: 03499B3F
, xrefs: 03499C0B

Memory Dump Source

Source File: 00000004.00000002.599279331.0000000003490000.00000040.00000001.sdmp, Offset: 03490000, based on PE: false

Similarity

API ID:
String ID: $>_?r
API String ID: 0-334426466
Opcode ID: e3dd55171e0a90d5361396431eb5b676992720ebb809a6de39211c41822be7a1
Instruction ID: 988f5e3dbd3e02417258f0f47df6efe5513fe7d94c9f4e66b38e7893713bdf80
Opcode Fuzzy Hash: e3dd55171e0a90d5361396431eb5b676992720ebb809a6de39211c41822be7a1
Instruction Fuzzy Hash: 5B51BE71F141048FEF44CB69D8846AEBFF6EBC9214B2984BFC11ADB385DB3598028B55

Uniqueness

Uniqueness Score: -1.00%

Function 0349B488, Relevance: 2.2, Strings: 1, Instructions: 916COMMON

Download Yara Rule

Strings

r, xrefs: 0349BF3C

Memory Dump Source

Source File: 00000004.00000002.599279331.0000000003490000.00000040.00000001.sdmp, Offset: 03490000, based on PE: false

Similarity

API ID:
String ID: r
API String ID: 0-1812594589
Opcode ID: 828832091c25431eab11151e8c87cc40607a391794e318287164f486469fa7bd
Instruction ID: ce5cf0bfc9424caddb18a3018766676b86676d2c00b6da57e147df1c180e4669
Opcode Fuzzy Hash: 828832091c25431eab11151e8c87cc40607a391794e318287164f486469fa7bd
Instruction Fuzzy Hash: F3823870A00605CFDB14CF68D984AAEFBB2FF88310F15866AD45AAB755D730E942CF94

Uniqueness

Uniqueness Score: -1.00%

Function 03493850, Relevance: 2.0, Strings: 1, Instructions: 732COMMON

Download Yara Rule

Strings

>_?r, xrefs: 03493F9D

Memory Dump Source

Source File: 00000004.00000002.599279331.0000000003490000.00000040.00000001.sdmp, Offset: 03490000, based on PE: false

Similarity

API ID:
String ID: >_?r
API String ID: 0-2961507119
Opcode ID: 0700178648066721db964656f81b60ffd74a24283a4a74c975137fa4128d3ca8
Instruction ID: 2fc9dde60ae0a6c3c1079e88e2a2ec69beeaf1e44043e97fda17a18c568ca455
Opcode Fuzzy Hash: 0700178648066721db964656f81b60ffd74a24283a4a74c975137fa4128d3ca8
Instruction Fuzzy Hash: 3A42BE75A00206CFDF14CF68C5849AABFB6FF86314B1985ABD8199F256C731EC42CB94

Uniqueness

Uniqueness Score: -1.00%

Function 05A028FB, Relevance: 1.6, APIs: 1, Instructions: 81networkCOMMON

Download Yara Rule

APIs

bind.WS2_32(?,00000E2C,9BE4979D,00000000,00000000,00000000,00000000), ref: 05A0298F

Memory Dump Source

Source File: 00000004.00000002.603747038.0000000005A00000.00000040.00000001.sdmp, Offset: 05A00000, based on PE: false

Similarity

API ID: bind
String ID:
API String ID: 1187836755-0
Opcode ID: a7dfb1827a1ba67653fba026926caf2c37f028879e9384b05e907cd4178379bd
Instruction ID: 4c5b8212ae5b1d12065f9ac70d05ede53b0fdd4ddd73f3680921b3e84beb8865
Opcode Fuzzy Hash: a7dfb1827a1ba67653fba026926caf2c37f028879e9384b05e907cd4178379bd
Instruction Fuzzy Hash: 6921A375409384AFE7128F65DC84F96BFB8EF46310F1884EBE984DF192D264A909CB71

Uniqueness

Uniqueness Score: -1.00%

Function 05A01463, Relevance: 1.6, APIs: 1, Instructions: 75COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 05A014E3

Memory Dump Source

Source File: 00000004.00000002.603747038.0000000005A00000.00000040.00000001.sdmp, Offset: 05A00000, based on PE: false

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: d6b11f77c53ddb3d674ca529c16b8e33edf7c3586648d960db8ba9c62b6dd872
Instruction ID: de1cd63f2bb1bb719bf6db4a0859ae3a83c5b1d224f38357f0c6424a32d906ff
Opcode Fuzzy Hash: d6b11f77c53ddb3d674ca529c16b8e33edf7c3586648d960db8ba9c62b6dd872
Instruction Fuzzy Hash: 6C21B176509380AFDB138F25DC44F92BFF4EF06310F08859AE9858F163D275A908CB62

Uniqueness

Uniqueness Score: -1.00%

Function 05A0169F, Relevance: 1.6, APIs: 1, Instructions: 64nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL(?,?,?,?), ref: 05A01715

Memory Dump Source

Source File: 00000004.00000002.603747038.0000000005A00000.00000040.00000001.sdmp, Offset: 05A00000, based on PE: false

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: 4250e6b8b6aea7d75fae45536c892b4a06af84ba7248530dcf634308a0334743
Instruction ID: 54843aedd1e34b7d59a1b8bb1aeaf7b649a037fd34dd522ddf290160214bbcc7
Opcode Fuzzy Hash: 4250e6b8b6aea7d75fae45536c892b4a06af84ba7248530dcf634308a0334743
Instruction Fuzzy Hash: 6321AE764097C0AFDB238B21DC45E62FFB4EF16314F0980DBE9849B1A3D265A509DB62

Uniqueness

Uniqueness Score: -1.00%

Function 05A0292E, Relevance: 1.6, APIs: 1, Instructions: 62networkCOMMON

Download Yara Rule

APIs

bind.WS2_32(?,00000E2C,9BE4979D,00000000,00000000,00000000,00000000), ref: 05A0298F

Memory Dump Source

Source File: 00000004.00000002.603747038.0000000005A00000.00000040.00000001.sdmp, Offset: 05A00000, based on PE: false

Similarity

API ID: bind
String ID:
API String ID: 1187836755-0
Opcode ID: 8c9ef34398689d5d02978b02234c5af57dd6a6dfa366a062ed8f0a8571ce6e33
Instruction ID: 8254dcdaaa3130e9bd3a08b1dede2f85b0a8eba7b0fe805498b4a5fed80b860d
Opcode Fuzzy Hash: 8c9ef34398689d5d02978b02234c5af57dd6a6dfa366a062ed8f0a8571ce6e33
Instruction Fuzzy Hash: BE116D75500304AEEB20CF55EC89FA6FBA8EF45720F58846BEE499B281D674A504CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 05A0149A, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 05A014E3

Memory Dump Source

Source File: 00000004.00000002.603747038.0000000005A00000.00000040.00000001.sdmp, Offset: 05A00000, based on PE: false

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: 52ebbea9aae9ed3bfecea4fbd8762e11bd78d7a9e9c6223bd218f1e703dfb622
Instruction ID: 8a32be1baf8c06f5f9202f31b7dcaf2c6be64ecfb48e8dbf2b94be6008c74150
Opcode Fuzzy Hash: 52ebbea9aae9ed3bfecea4fbd8762e11bd78d7a9e9c6223bd218f1e703dfb622
Instruction Fuzzy Hash: 48119E765006009FDB21CF55EC84BA6FBE4EF04320F08C46AEE4A8B661D275E418CB71

Uniqueness

Uniqueness Score: -1.00%

Function 0190AF9A, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,00000E2C,?,?), ref: 0190AFEA

Memory Dump Source

Source File: 00000004.00000002.598144195.000000000190A000.00000040.00000001.sdmp, Offset: 0190A000, based on PE: false

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 8606fe6e5ad115518e1baa11df56eec174bda1085d1aa48dc93d0498bb60fce7
Instruction ID: e34477345f40d88dcd652b55072a0b40081d24349e0cad020f67342d0ba9555a
Opcode Fuzzy Hash: 8606fe6e5ad115518e1baa11df56eec174bda1085d1aa48dc93d0498bb60fce7
Instruction Fuzzy Hash: BF016D76500600ABD610DF16DC86F26FBE8FB88B20F14815AED085B741E375F916CBE6

Uniqueness

Uniqueness Score: -1.00%

Function 05A011C2, Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNELBASE(?), ref: 05A011F4

Memory Dump Source

Source File: 00000004.00000002.603747038.0000000005A00000.00000040.00000001.sdmp, Offset: 05A00000, based on PE: false

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: 1a533aad213e80352005dadefddbec2fa29e19b7d4486f5618a4c39b6b493f24
Instruction ID: d4017b01a17e101834812c68163bb31a058968c5ccd6abaac9f1675313e715e5
Opcode Fuzzy Hash: 1a533aad213e80352005dadefddbec2fa29e19b7d4486f5618a4c39b6b493f24
Instruction Fuzzy Hash: 8201A271800240AFDB10DF55EC84BA6FFE4EF44320F18D4AADD089F242D279A408CB62

Uniqueness

Uniqueness Score: -1.00%

Function 05A016DA, Relevance: 1.5, APIs: 1, Instructions: 38nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL(?,?,?,?), ref: 05A01715

Memory Dump Source

Source File: 00000004.00000002.603747038.0000000005A00000.00000040.00000001.sdmp, Offset: 05A00000, based on PE: false

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: b20707102f9ad7c0c4f69ffe4153a1b7eec254c384d2b5d2a48c5a2e129077ca
Instruction ID: 800ebe779a9ca7100e733cdcc0cc9e7730e3def3583a4c17b7afe6df341e80ab
Opcode Fuzzy Hash: b20707102f9ad7c0c4f69ffe4153a1b7eec254c384d2b5d2a48c5a2e129077ca
Instruction Fuzzy Hash: B2017835400640DFDB218F15EC84BA2FFA5EF08720F18D09ADE895B652D2B5A418CF62

Uniqueness

Uniqueness Score: -1.00%

Function 01902477, Relevance: .7, Instructions: 656COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.598129799.0000000001902000.00000040.00000001.sdmp, Offset: 01902000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01a208d7c5d510b7c2c5a4a98dbe432de83da4fa713e3a4384e47d1ae63a2ac0
Instruction ID: 9f77ad865b4fd6f2ff441301b78d5c0b6c616020fdc13d29dab670dc41afd58f
Opcode Fuzzy Hash: 01a208d7c5d510b7c2c5a4a98dbe432de83da4fa713e3a4384e47d1ae63a2ac0
Instruction Fuzzy Hash: BE22C26280E3D39FC7174B30487C194BFB2AF5762076E04CBD6CD8A0E3D21A484AC76A

Uniqueness

Uniqueness Score: -1.00%

Function 034923A0, Relevance: .5, Instructions: 505COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.599279331.0000000003490000.00000040.00000001.sdmp, Offset: 03490000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6a8ef48312e3f8fc4bbb78785d3196308b133703e90f378e04e7f34461882b2
Instruction ID: a42e80f45f215982ca7ec29f295c3ec99827f5bb6331d9abbe5f8f09634e54c9
Opcode Fuzzy Hash: f6a8ef48312e3f8fc4bbb78785d3196308b133703e90f378e04e7f34461882b2
Instruction Fuzzy Hash: 7812BF30A04219EFEB24CF29C4946AEBBF2FB84314F14896BD415AF355DBB49D86CB44

Uniqueness

Uniqueness Score: -1.00%

Function 03498BB8, Relevance: .5, Instructions: 505COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.599279331.0000000003490000.00000040.00000001.sdmp, Offset: 03490000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56b59acd9fc80e6188a4fff4a03c07b1e40d70061682cb5810c48f1197fccb99
Instruction ID: 8e7fb7428a4a32cd55e11b4ed57749af60ee278fe31cc5112ad760dd4f57d56d
Opcode Fuzzy Hash: 56b59acd9fc80e6188a4fff4a03c07b1e40d70061682cb5810c48f1197fccb99
Instruction Fuzzy Hash: D6128C31A10215DFEF24CF69D48466EBFF2BB89304F18896BE416AF390DB759842CB54

Uniqueness

Uniqueness Score: -1.00%

Function 03492FA8, Relevance: .2, Instructions: 239COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.599279331.0000000003490000.00000040.00000001.sdmp, Offset: 03490000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26956d171aa283c530cf90fec207d08f4618541058b368f6614b57f4d72e855d
Instruction ID: bd80f1abd21dfcf3c4c22c7af2a22196d640e7c18c8c6a57432ecfe278df7220
Opcode Fuzzy Hash: 26956d171aa283c530cf90fec207d08f4618541058b368f6614b57f4d72e855d
Instruction Fuzzy Hash: 1881AB35F011159BEB04DF69C894A6EBBF3AFC9710B2A8466D419EF369DE319C018B84

Uniqueness

Uniqueness Score: -1.00%

Function 034997B8, Relevance: .2, Instructions: 239COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.599279331.0000000003490000.00000040.00000001.sdmp, Offset: 03490000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b8adb0e72cf831a683e4532329ea1e9b877db8549f4158cc78216a3ceca3311
Instruction ID: b377333237949d68dd81406bce13a706a2b9102ed03dc0339d06b368da4edb59
Opcode Fuzzy Hash: 3b8adb0e72cf831a683e4532329ea1e9b877db8549f4158cc78216a3ceca3311
Instruction Fuzzy Hash: 1F818E71F111158FEB14DB69D880A6EBBF3AFC8710F2984AAE415AF355DF319C018B94

Uniqueness

Uniqueness Score: -1.00%

Function 0349987F, Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.599279331.0000000003490000.00000040.00000001.sdmp, Offset: 03490000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3668e0623ce9f97c2715ba71ce2eda4cacd6857e8cc70b8d8cb3bf461ba0962e
Instruction ID: b67da57ff8a8e4a0db48684ed1334c05331ff7aa912976c5650232f313ef1d12
Opcode Fuzzy Hash: 3668e0623ce9f97c2715ba71ce2eda4cacd6857e8cc70b8d8cb3bf461ba0962e
Instruction Fuzzy Hash: 62516072F114158FDB54DB6DC940A6EBBE3AFC8710F2E806AD4059B369DE31DD018B94

Uniqueness

Uniqueness Score: -1.00%

Function 0349865F, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.599279331.0000000003490000.00000040.00000001.sdmp, Offset: 03490000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9cc7c703d0d6de9f758af4316c8a3407c97aeb0982aacfe1facf3e0cef8f5d7d
Instruction ID: eafadd3324c5bef8e22c0469b74d5db6e5d3915ba5a9aabc0fa24c3cd89a62d7
Opcode Fuzzy Hash: 9cc7c703d0d6de9f758af4316c8a3407c97aeb0982aacfe1facf3e0cef8f5d7d
Instruction Fuzzy Hash: 2301E575802208DFC704EFA4E4887A9BBB5EB4F301F145996D8066B3A0DB786E45CF95

Uniqueness

Uniqueness Score: -1.00%

Function 034909A0, Relevance: 5.2, Strings: 4, Instructions: 178COMMON

Download Yara Rule

Strings

X1ar, xrefs: 03490A5A
X1ar, xrefs: 03490A98
X1ar, xrefs: 03490AA2
X1ar, xrefs: 03490A50

Memory Dump Source

Source File: 00000004.00000002.599279331.0000000003490000.00000040.00000001.sdmp, Offset: 03490000, based on PE: false

Similarity

API ID:
String ID: X1ar$X1ar$X1ar$X1ar
API String ID: 0-346077691
Opcode ID: 13af4ffb77b7a54420569ab0eb8f81c5a21187905a38a9005182de758f6e5e05
Instruction ID: 606ccf930e8d145534d9f76d6dfcb014ebcd68f924ef3639932507e75a49f26e
Opcode Fuzzy Hash: 13af4ffb77b7a54420569ab0eb8f81c5a21187905a38a9005182de758f6e5e05
Instruction Fuzzy Hash: 09518035B00115DFDF14DBA8D854AAEBBF6AF84308F148567D5169F394DB30AD42CB84

Uniqueness

Uniqueness Score: -1.00%

Function 034902E8, Relevance: 2.7, Strings: 2, Instructions: 169COMMON

Download Yara Rule

Strings

:@:r, xrefs: 03490537
`5ar, xrefs: 034903A5

Memory Dump Source

Source File: 00000004.00000002.599279331.0000000003490000.00000040.00000001.sdmp, Offset: 03490000, based on PE: false

Similarity

API ID:
String ID: :@:r$`5ar
API String ID: 0-3512261011
Opcode ID: 4e1857ed1fb571ecda62986e073d7180502f9992a095ae2a5ef0552603ce8167
Instruction ID: b7d53ef9e537f9dd34f3f127aa23cce709d3cd84fe867dd420642f966272296e
Opcode Fuzzy Hash: 4e1857ed1fb571ecda62986e073d7180502f9992a095ae2a5ef0552603ce8167
Instruction Fuzzy Hash: 3B515D30A05205CFEB58DF68C450AAEBBF2BF89710F14846AD506AB391DB71AC41CB55

Uniqueness

Uniqueness Score: -1.00%

Function 0349EEC7, Relevance: 2.6, Strings: 2, Instructions: 116COMMON

Download Yara Rule

Strings

X1ar, xrefs: 0349EDF1
l_r, xrefs: 0349EE98

Memory Dump Source

Source File: 00000004.00000002.599279331.0000000003490000.00000040.00000001.sdmp, Offset: 03490000, based on PE: false

Similarity

API ID:
String ID: X1ar$l_r
API String ID: 0-1851361061
Opcode ID: 22de0ab3a06ea9aae8b22146ab106e76b567e35b733077cda6480bb9a7eaad26
Instruction ID: 86797592ac865d8f8de321a6feefd4cbbabccd59403d0f0e076621e329aac7bb
Opcode Fuzzy Hash: 22de0ab3a06ea9aae8b22146ab106e76b567e35b733077cda6480bb9a7eaad26
Instruction Fuzzy Hash: 7C319131A012459FEF19DBB8D4546AEBBE6AFC9300B14896BC41AEF341DB359C46CB81

Uniqueness

Uniqueness Score: -1.00%

Function 03496101, Relevance: 2.5, Strings: 2, Instructions: 23COMMON

Download Yara Rule

Strings

l_r, xrefs: 0349611E
-Sbq^, xrefs: 0349612A, 0349612F

Memory Dump Source

Source File: 00000004.00000002.599279331.0000000003490000.00000040.00000001.sdmp, Offset: 03490000, based on PE: false

Similarity

API ID:
String ID: l_r$-Sbq^
API String ID: 0-506706414
Opcode ID: 5d68358e4ed2ec40987c00239bc369060386a99af018048dd13102f619a93934
Instruction ID: 9ca0e8df7d82404f59c556a5819a56373c1f1bc9503011fe7016cc7d46b79984
Opcode Fuzzy Hash: 5d68358e4ed2ec40987c00239bc369060386a99af018048dd13102f619a93934
Instruction Fuzzy Hash: 99E0C261B803121FDB5AAE79A8102BE67DA6BD2652702482BD40ADA381EE04CC028395

Uniqueness

Uniqueness Score: -1.00%

Function 03496110, Relevance: 2.5, Strings: 2, Instructions: 20COMMON

Download Yara Rule

Strings

l_r, xrefs: 0349611E
-Sbq^, xrefs: 0349612A, 0349612F

Memory Dump Source

Source File: 00000004.00000002.599279331.0000000003490000.00000040.00000001.sdmp, Offset: 03490000, based on PE: false

Similarity

API ID:
String ID: l_r$-Sbq^
API String ID: 0-506706414
Opcode ID: 49ee68aec2f587ef84072b88e0dbe4b1b238f8b64e6d89beb187a96fad6a2bfb
Instruction ID: 9e62c93490056a9fa1c35ca46532001cb9c39e748e164a48b6f9ccefaa9c0824
Opcode Fuzzy Hash: 49ee68aec2f587ef84072b88e0dbe4b1b238f8b64e6d89beb187a96fad6a2bfb
Instruction Fuzzy Hash: FAD0A7117853151B591ABE7E9C005BF76CE5BC1961305441AE409DB380EE04CC4143D9

Uniqueness

Uniqueness Score: -1.00%

Function 034912A0, Relevance: 1.7, Strings: 1, Instructions: 460COMMON

Download Yara Rule

Strings

$g^r, xrefs: 03491349

Memory Dump Source

Source File: 00000004.00000002.599279331.0000000003490000.00000040.00000001.sdmp, Offset: 03490000, based on PE: false

Similarity

API ID:
String ID: $g^r
API String ID: 0-3653196314
Opcode ID: 4f2592e024dc1fcd34a269e57c4e4f19b8d9a716dc0f3a1756f5adb9a01b6372
Instruction ID: cb783b23fa1ba5bf8a0830bb558011ea1c9a5293f42da9f406aed29304233551
Opcode Fuzzy Hash: 4f2592e024dc1fcd34a269e57c4e4f19b8d9a716dc0f3a1756f5adb9a01b6372
Instruction Fuzzy Hash: 69221734A00606CFDB24DF28C494A6ABBF6FF88350F14899AD85A9B755DB34ED45CF80

Uniqueness

Uniqueness Score: -1.00%

Function 05A01950, Relevance: 1.6, APIs: 1, Instructions: 121registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,?,?), ref: 05A01A46

Memory Dump Source

Source File: 00000004.00000002.603747038.0000000005A00000.00000040.00000001.sdmp, Offset: 05A00000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 56bdc40f7423b48e5649e39f7f229b1296896b5e426d1d6b080a41d6b3f98854
Instruction ID: b98f24cb45032ab96b5578f2828e85f6347ffedf85ea75bb0ff8e044b410e1dd
Opcode Fuzzy Hash: 56bdc40f7423b48e5649e39f7f229b1296896b5e426d1d6b080a41d6b3f98854
Instruction Fuzzy Hash: D141126540E3C06FD3139B318C65A61BF74AF47614B0E85CBE884CF5A3D229690AC7B2

Uniqueness

Uniqueness Score: -1.00%

Function 05A00EB8, Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,00000E2C), ref: 05A00F5B

Memory Dump Source

Source File: 00000004.00000002.603747038.0000000005A00000.00000040.00000001.sdmp, Offset: 05A00000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 4e01a4e6044faba6f6b4284c9cd3f0fe9624abda64772f304b8e8fe6e477267d
Instruction ID: 00e00a99369740d0a7eefabac597fc3ccc56c46a480d9b8a6f189dba907d51c2
Opcode Fuzzy Hash: 4e01a4e6044faba6f6b4284c9cd3f0fe9624abda64772f304b8e8fe6e477267d
Instruction Fuzzy Hash: 3431C272004344BFEB228F65DC44F67BFACEF46320F0489AAF985DB152D224A919DB71

Uniqueness

Uniqueness Score: -1.00%

Function 05A00390, Relevance: 1.6, APIs: 1, Instructions: 93registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.KERNELBASE(?,00000E2C), ref: 05A0045E

Memory Dump Source

Source File: 00000004.00000002.603747038.0000000005A00000.00000040.00000001.sdmp, Offset: 05A00000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: d48ab5d98fe313c24d2af088e3bf818649370713e17db8250934a3ff05253663
Instruction ID: 00263ef890857919fa8e118107aa099a6a6c979bbb346c624c8cff78a59081f1
Opcode Fuzzy Hash: d48ab5d98fe313c24d2af088e3bf818649370713e17db8250934a3ff05253663
Instruction Fuzzy Hash: A731D772004344AFE7228F11DC45FA6FFB8EF06710F04859EFA859B192D3A5A949CB71

Uniqueness

Uniqueness Score: -1.00%

Function 05A00C58, Relevance: 1.6, APIs: 1, Instructions: 93COMMON

Download Yara Rule

APIs

GetTempFileNameW.KERNELBASE(?,00000E2C,?,?), ref: 05A00D1A

Memory Dump Source

Source File: 00000004.00000002.603747038.0000000005A00000.00000040.00000001.sdmp, Offset: 05A00000, based on PE: false

Similarity

API ID: FileNameTemp
String ID:
API String ID: 745986568-0
Opcode ID: 043f6c429f56acf18d7246292a90db7ed294fc67b73021bda0dcc453a1dad71e
Instruction ID: 3be41c8b27234620a37c712b5969837c7a0ffa6d2f6859610e8eedb4bf5f4a88
Opcode Fuzzy Hash: 043f6c429f56acf18d7246292a90db7ed294fc67b73021bda0dcc453a1dad71e
Instruction Fuzzy Hash: AC317C6140D3C06FD7038B258C51B62BFB4EF87610F0E85DBE9848F5A3D225A81AC7B2

Uniqueness

Uniqueness Score: -1.00%

Function 05A007F4, Relevance: 1.6, APIs: 1, Instructions: 92fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 05A00899

Memory Dump Source

Source File: 00000004.00000002.603747038.0000000005A00000.00000040.00000001.sdmp, Offset: 05A00000, based on PE: false

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: c93be7949433408c3a89f09b1ecd45435db3d117cc74b6ffa0147866c7a91303
Instruction ID: e42180e61065d290a28e4983694235c955c143e32474571fb3c6ee2d0983ed82
Opcode Fuzzy Hash: c93be7949433408c3a89f09b1ecd45435db3d117cc74b6ffa0147866c7a91303
Instruction Fuzzy Hash: 4F316BB1504380AFE722CF65DC44F66BFE8FF45610F0884AEE9858B292D365E809DB71

Uniqueness

Uniqueness Score: -1.00%

Function 0190AA02, Relevance: 1.6, APIs: 1, Instructions: 92registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,00000E2C), ref: 0190AAB1

Memory Dump Source

Source File: 00000004.00000002.598144195.000000000190A000.00000040.00000001.sdmp, Offset: 0190A000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 6dc357b1ab46b41cfa1e3ac4cce5831de295a2cf2a97bb0d710a61874ae55c3a
Instruction ID: 3243eea4346a2a8b05731b27bb3540ff4425292a207500778593a1d7d05a058a
Opcode Fuzzy Hash: 6dc357b1ab46b41cfa1e3ac4cce5831de295a2cf2a97bb0d710a61874ae55c3a
Instruction Fuzzy Hash: 6131E572404384AFE7228B25CC45FA7BFECEF06710F08849BFD849B192D264A849CB71

Uniqueness

Uniqueness Score: -1.00%

Function 05A00FB9, Relevance: 1.6, APIs: 1, Instructions: 91COMMON

Download Yara Rule

APIs

GetExitCodeProcess.KERNELBASE(?,00000E2C,9BE4979D,00000000,00000000,00000000,00000000), ref: 05A0105C

Memory Dump Source

Source File: 00000004.00000002.603747038.0000000005A00000.00000040.00000001.sdmp, Offset: 05A00000, based on PE: false

Similarity

API ID: CodeExitProcess
String ID:
API String ID: 3861947596-0
Opcode ID: 9f4b4bbbec7da86f4561ded504765557b6eb7ed975a17719a23df7647febaec6
Instruction ID: cfb93b477435cad50d8e984b582d27882cef9f2331dc2081bb29a174fe21ea62
Opcode Fuzzy Hash: 9f4b4bbbec7da86f4561ded504765557b6eb7ed975a17719a23df7647febaec6
Instruction Fuzzy Hash: B731F472109380AFE7128B35DC54FA6BFA8EF43710F0884DBE9848F1A3D625A908C761

Uniqueness

Uniqueness Score: -1.00%

Function 05A02720, Relevance: 1.6, APIs: 1, Instructions: 90timeCOMMON

Download Yara Rule

APIs

GetProcessTimes.KERNELBASE(?,00000E2C,9BE4979D,00000000,00000000,00000000,00000000), ref: 05A027BD

Memory Dump Source

Source File: 00000004.00000002.603747038.0000000005A00000.00000040.00000001.sdmp, Offset: 05A00000, based on PE: false

Similarity

API ID: ProcessTimes
String ID:
API String ID: 1995159646-0
Opcode ID: 48ec50c1dd0a1d6b028c9699c1043abf79c634cccb4d1836b2a18934a001dfee
Instruction ID: 233bd368d9903c129023bd4a4ad755862be76b520349258eaea1be5985e53234
Opcode Fuzzy Hash: 48ec50c1dd0a1d6b028c9699c1043abf79c634cccb4d1836b2a18934a001dfee
Instruction Fuzzy Hash: B831E372009380AFEB128F24DC45FA6BFB8EF06314F0884DBE9849B193D221A809C771

Uniqueness

Uniqueness Score: -1.00%

Function 05A000F6, Relevance: 1.6, APIs: 1, Instructions: 89synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNELBASE(?,?), ref: 05A0019D

Memory Dump Source

Source File: 00000004.00000002.603747038.0000000005A00000.00000040.00000001.sdmp, Offset: 05A00000, based on PE: false

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: a30a351d2837a5715f44cddebb2c02281702a44fbef5d5d5eae6fa2162fe28b0
Instruction ID: 6428926df26cc09895c26b1ab464706b659c708979e7af2c4ebf7842c3c69983
Opcode Fuzzy Hash: a30a351d2837a5715f44cddebb2c02281702a44fbef5d5d5eae6fa2162fe28b0
Instruction Fuzzy Hash: 49318F71509780AFE712CB25DC84F56FFE8EF06310F08849AE9848B292D365A909CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0190AAF9, Relevance: 1.6, APIs: 1, Instructions: 89registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,9BE4979D,00000000,00000000,00000000,00000000), ref: 0190ABB4

Memory Dump Source

Source File: 00000004.00000002.598144195.000000000190A000.00000040.00000001.sdmp, Offset: 0190A000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 71d3239e2e780d54950d4c1a32d6b5d17798adc3be53e2276c99e75ae5a3f1a8
Instruction ID: 5562c07eb09c75134f468f9927cc64f47179c7812ef7dc3413184bf3f8995acf
Opcode Fuzzy Hash: 71d3239e2e780d54950d4c1a32d6b5d17798adc3be53e2276c99e75ae5a3f1a8
Instruction Fuzzy Hash: 64319576109784AFE722CF25CC44F52BFECEF06310F18849AE9459B193D264E549CB61

Uniqueness

Uniqueness Score: -1.00%

Function 05A022B4, Relevance: 1.6, APIs: 1, Instructions: 87fileCOMMON

Download Yara Rule

APIs

MapViewOfFile.KERNELBASE ref: 05A02366

Memory Dump Source

Source File: 00000004.00000002.603747038.0000000005A00000.00000040.00000001.sdmp, Offset: 05A00000, based on PE: false

Similarity

API ID: FileView
String ID:
API String ID: 3314676101-0
Opcode ID: 09da4878be911ee80fc0193c76e32c80c1688c84d1040272f0a20ecd691fae99
Instruction ID: 8b017098b860a2a390ad0a5b5689dcd0110fd104015e68f6f2e88ead3cbc6a24
Opcode Fuzzy Hash: 09da4878be911ee80fc0193c76e32c80c1688c84d1040272f0a20ecd691fae99
Instruction Fuzzy Hash: B831A2B2404780AFE722CB55DC45F96FFF8EF06320F04859EE9849B292D375A909CB61

Uniqueness

Uniqueness Score: -1.00%

Function 05A004AB, Relevance: 1.6, APIs: 1, Instructions: 86registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,9BE4979D,00000000,00000000,00000000,00000000), ref: 05A0055C

Memory Dump Source

Source File: 00000004.00000002.603747038.0000000005A00000.00000040.00000001.sdmp, Offset: 05A00000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: f2a6e1d44a5b1aeb895c23e61af82cda4255ced3c86cdd60a91ac564a03b4d74
Instruction ID: de15d7576ff902265299df53cc0d7edb6c7afb00b3cac39eae5c8433b14810eb
Opcode Fuzzy Hash: f2a6e1d44a5b1aeb895c23e61af82cda4255ced3c86cdd60a91ac564a03b4d74
Instruction Fuzzy Hash: 26318271109780AFD722CB65DC44F52BFF8EF07310F4885DAE9859B1A2D264A809CB71

Uniqueness

Uniqueness Score: -1.00%

Function 0190AF50, Relevance: 1.6, APIs: 1, Instructions: 86COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,00000E2C,?,?), ref: 0190AFEA

Memory Dump Source

Source File: 00000004.00000002.598144195.000000000190A000.00000040.00000001.sdmp, Offset: 0190A000, based on PE: false

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 98f49fd60ebd060f1906c30ee1077eb122fd26541a18038a60ece3127f17f919
Instruction ID: 460dd50bf34c2584a9ca92318b44196e966b088c84c344dd7610d42e40d63158
Opcode Fuzzy Hash: 98f49fd60ebd060f1906c30ee1077eb122fd26541a18038a60ece3127f17f919
Instruction Fuzzy Hash: 7831827540E3C06FD3138B258C55B25BFB8EF47610F0A41DBE884CB5A3D228A919C7B2

Uniqueness

Uniqueness Score: -1.00%

Function 0190A120, Relevance: 1.6, APIs: 1, Instructions: 83networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(?,00000E2C,?,?), ref: 0190A1C2

Memory Dump Source

Source File: 00000004.00000002.598144195.000000000190A000.00000040.00000001.sdmp, Offset: 0190A000, based on PE: false

Similarity

API ID: Startup
String ID:
API String ID: 724789610-0
Opcode ID: 9cc69794af28d6ac2c2dc75f929f2e25f75eff670a21834beb246f2c05fafb1d
Instruction ID: 3113cb8515284b7d33e385a1513f28e45083f264f55dc0a56426dd2ddf06c459
Opcode Fuzzy Hash: 9cc69794af28d6ac2c2dc75f929f2e25f75eff670a21834beb246f2c05fafb1d
Instruction Fuzzy Hash: 1331D67140D3C06FD3038B758C55B62BFB4EF47610F1985DBD9848F193D225A919C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 05A00EDE, Relevance: 1.6, APIs: 1, Instructions: 80COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,00000E2C), ref: 05A00F5B

Memory Dump Source

Source File: 00000004.00000002.603747038.0000000005A00000.00000040.00000001.sdmp, Offset: 05A00000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: afba4501b0a1df347ec1842da543c5cc86237d3969440ac3ea3977533999835d
Instruction ID: 2836c601bd22db9d8c1bac3ff851622446aae1cca6d66142330a055a546de336
Opcode Fuzzy Hash: afba4501b0a1df347ec1842da543c5cc86237d3969440ac3ea3977533999835d
Instruction Fuzzy Hash: 7521BD72500704AFEB219F65DC88FABFBACEF04320F04896AFE45DA251D670A5089B71

Uniqueness

Uniqueness Score: -1.00%

Function 05A02B70, Relevance: 1.6, APIs: 1, Instructions: 80windowCOMMON

Download Yara Rule

APIs

FormatMessageW.KERNELBASE(?,00000E2C,?,?), ref: 05A02C12

Memory Dump Source

Source File: 00000004.00000002.603747038.0000000005A00000.00000040.00000001.sdmp, Offset: 05A00000, based on PE: false

Similarity

API ID: FormatMessage
String ID:
API String ID: 1306739567-0
Opcode ID: 0a90bd320629b61c17dd741df7da5a15fce19514f68288617d02ed831ae2f386
Instruction ID: c364cab99347047365f42d112b02639aa3cd07788a0e7d7b601ccc5d88a9637f
Opcode Fuzzy Hash: 0a90bd320629b61c17dd741df7da5a15fce19514f68288617d02ed831ae2f386
Instruction Fuzzy Hash: 1F21D67250D3C06FD3038B618C55B66BFB4EF87610F0980CBD8848F2A3D2246919C7B2

Uniqueness

Uniqueness Score: -1.00%

Function 05A002AB, Relevance: 1.6, APIs: 1, Instructions: 79registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNELBASE(?,00000E2C), ref: 05A00353

Memory Dump Source

Source File: 00000004.00000002.603747038.0000000005A00000.00000040.00000001.sdmp, Offset: 05A00000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: e90f39a141be5ce8cd2dc82a4cdabd2530c811135cc73f79cf138ee26f85350e
Instruction ID: 1b019ed7dba9d445d87c921bd9f0bb474c0ff89406d1032590af9893b355afa2
Opcode Fuzzy Hash: e90f39a141be5ce8cd2dc82a4cdabd2530c811135cc73f79cf138ee26f85350e
Instruction Fuzzy Hash: D421B775009380AFE7228F21DC45FA6FFB8EF06310F1884DAE9849B192D275A909C771

Uniqueness

Uniqueness Score: -1.00%

Function 05A008F0, Relevance: 1.6, APIs: 1, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E2C,9BE4979D,00000000,00000000,00000000,00000000), ref: 05A00985

Memory Dump Source

Source File: 00000004.00000002.603747038.0000000005A00000.00000040.00000001.sdmp, Offset: 05A00000, based on PE: false

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 47742aeadd852e208a00e6e7bbc8d2f4c506700414a6a55dc63643980fa52311
Instruction ID: c25251ae55c2039710ffb8b3a6e7a5c43b640289937eaeb0906e4ef8370af425
Opcode Fuzzy Hash: 47742aeadd852e208a00e6e7bbc8d2f4c506700414a6a55dc63643980fa52311
Instruction Fuzzy Hash: 1221F8B64087846FE7128B25DC44FA3BFB8EF47720F18849BED949B193D264A905C771

Uniqueness

Uniqueness Score: -1.00%

Function 05A021D2, Relevance: 1.6, APIs: 1, Instructions: 78COMMON

Download Yara Rule

APIs

OpenFileMappingW.KERNELBASE(?,?), ref: 05A0225D

Memory Dump Source

Source File: 00000004.00000002.603747038.0000000005A00000.00000040.00000001.sdmp, Offset: 05A00000, based on PE: false

Similarity

API ID: FileMappingOpen
String ID:
API String ID: 1680863896-0
Opcode ID: 842baa0ea51174f1630f1f28acebe11bbac98c1e82f48b6175acf7f5c2590492
Instruction ID: 94475f815918a547998d10d47fb3f20f1c18b7caa4fd06a55f4fbcd1e878a1c5
Opcode Fuzzy Hash: 842baa0ea51174f1630f1f28acebe11bbac98c1e82f48b6175acf7f5c2590492
Instruction Fuzzy Hash: 5D219FB1509380AFE721CB65DC45F66FFE8EF45310F18849EE9849B292D375A908CB71

Uniqueness

Uniqueness Score: -1.00%

Function 05A01A72, Relevance: 1.6, APIs: 1, Instructions: 77networkCOMMON

Download Yara Rule

APIs

WSASocketW.WS2_32(?,?,?,?,?), ref: 05A01AFE

Memory Dump Source

Source File: 00000004.00000002.603747038.0000000005A00000.00000040.00000001.sdmp, Offset: 05A00000, based on PE: false

Similarity

API ID: Socket
String ID:
API String ID: 38366605-0
Opcode ID: bcf2d7fb184f08b1ef63bbc8ac7ea684ecf0fde82cae1bb88158bba51776f9f6
Instruction ID: 8ee6e60b77654f6b67299e8f951145c33851ef4e6ab5ca3fc227c810000210cd
Opcode Fuzzy Hash: bcf2d7fb184f08b1ef63bbc8ac7ea684ecf0fde82cae1bb88158bba51776f9f6
Instruction Fuzzy Hash: 7B217E71505380AFE7228F65DC44F96FFA8EF46310F08859EE9859B652D375A808CB61

Uniqueness

Uniqueness Score: -1.00%

Function 05A0081A, Relevance: 1.6, APIs: 1, Instructions: 76fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 05A00899

Memory Dump Source

Source File: 00000004.00000002.603747038.0000000005A00000.00000040.00000001.sdmp, Offset: 05A00000, based on PE: false

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 27ab7241f8066770595f5251179ad1ce2f7aee15b1dc3c2569b543fb08340f51
Instruction ID: 33849d15db769064ef27419d678c4dff58685c07092ab5dc2111ce302d91b619
Opcode Fuzzy Hash: 27ab7241f8066770595f5251179ad1ce2f7aee15b1dc3c2569b543fb08340f51
Instruction Fuzzy Hash: D7216B75504644AFE721DF65D848F66FFE8FF04710F14846AEA858A291D771E408CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 05A009C0, Relevance: 1.6, APIs: 1, Instructions: 75COMMON

Download Yara Rule

APIs

setsockopt.WS2_32(?,00000E2C,9BE4979D,00000000,00000000,00000000,00000000), ref: 05A00A51

Memory Dump Source

Source File: 00000004.00000002.603747038.0000000005A00000.00000040.00000001.sdmp, Offset: 05A00000, based on PE: false

Similarity

API ID: setsockopt
String ID:
API String ID: 3981526788-0
Opcode ID: cfe66a2ed1dbed824842aec6e7a9fef82470bd8ba65b521cbbd03be2ee78625e
Instruction ID: a82b53021f76857af6d9866b0019134431f45addce35f3c69d491b96bf41c9cf
Opcode Fuzzy Hash: cfe66a2ed1dbed824842aec6e7a9fef82470bd8ba65b521cbbd03be2ee78625e
Instruction Fuzzy Hash: 6A217472409380AFE7228F65DC44F56BFB8EF46314F08859BE9449B153C265A509CB71

Uniqueness

Uniqueness Score: -1.00%

Function 05A003CA, Relevance: 1.6, APIs: 1, Instructions: 75registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.KERNELBASE(?,00000E2C), ref: 05A0045E

Memory Dump Source

Source File: 00000004.00000002.603747038.0000000005A00000.00000040.00000001.sdmp, Offset: 05A00000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 2ff0e2aaac431f279c61ccc6da73bd7ad591da478e07b71adb41333bcad3ba1b
Instruction ID: 9ef494f2dd3431f434c474ef3f40e73c23808923beaec621abf0467fd2674f45
Opcode Fuzzy Hash: 2ff0e2aaac431f279c61ccc6da73bd7ad591da478e07b71adb41333bcad3ba1b
Instruction Fuzzy Hash: 6B21FF72100204AFFB21CF15DC85FA6FBACEF04710F10895AFE469A281D6B1A549CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 05A00B79, Relevance: 1.6, APIs: 1, Instructions: 75registryCOMMON

Download Yara Rule

APIs

RegSetValueExW.KERNELBASE(?,00000E2C,9BE4979D,00000000,00000000,00000000,00000000), ref: 05A00C10

Memory Dump Source

Source File: 00000004.00000002.603747038.0000000005A00000.00000040.00000001.sdmp, Offset: 05A00000, based on PE: false

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 8b04d814e13db4f68a176de84996a9a8572535567a3b13f7c790b8d53c636db1
Instruction ID: 2d1e1ebf2b14c052ca2b5c17a1a1821ec46720db2a700d0574ad6b5b3934b419
Opcode Fuzzy Hash: 8b04d814e13db4f68a176de84996a9a8572535567a3b13f7c790b8d53c636db1
Instruction Fuzzy Hash: A7219DB2508740AFE7218F15DC85F67BFE8EF06310F08859AE9859B292D264E809CB71

Uniqueness

Uniqueness Score: -1.00%

Function 0190AA32, Relevance: 1.6, APIs: 1, Instructions: 74registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,00000E2C), ref: 0190AAB1

Memory Dump Source

Source File: 00000004.00000002.598144195.000000000190A000.00000040.00000001.sdmp, Offset: 0190A000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 3c753dfea31df9fe163b55deeaa6da9840ae0ecc6dfc1b2f280f1c3ed00beb2f
Instruction ID: a911c33ff5475c516171de11eada5b20006827ae295aa12a698c8da3c5812e17
Opcode Fuzzy Hash: 3c753dfea31df9fe163b55deeaa6da9840ae0ecc6dfc1b2f280f1c3ed00beb2f
Instruction Fuzzy Hash: 60219F72500704AEE7229B59DD84FABFBECEF04710F14895AEE459B281D664E8488BB1

Uniqueness

Uniqueness Score: -1.00%

Function 05A0012A, Relevance: 1.6, APIs: 1, Instructions: 72synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNELBASE(?,?), ref: 05A0019D

Memory Dump Source

Source File: 00000004.00000002.603747038.0000000005A00000.00000040.00000001.sdmp, Offset: 05A00000, based on PE: false

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 5413538752827c542d83212b8c78b289d2130c9a269b2440a9ca78f9d7b70d38
Instruction ID: 22afed5359394823c7ecb7826796b5f14885ce1519dc04488814e0b2feb9520f
Opcode Fuzzy Hash: 5413538752827c542d83212b8c78b289d2130c9a269b2440a9ca78f9d7b70d38
Instruction Fuzzy Hash: 25217971504240AFE720DF25EC89F6AFBE8EF05710F5484AAED498B281E771E904CB71

Uniqueness

Uniqueness Score: -1.00%

Function 05A010BF, Relevance: 1.6, APIs: 1, Instructions: 71fileCOMMON

Download Yara Rule

APIs

DeleteFileA.KERNELBASE(?,00000E2C), ref: 05A0114B

Memory Dump Source

Source File: 00000004.00000002.603747038.0000000005A00000.00000040.00000001.sdmp, Offset: 05A00000, based on PE: false

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 40a03f7f4f252469fea2f607f469bce98359207f7ebd184321d37bf4da794168
Instruction ID: 31a16c33797ff2ef625c001a0db9baf79497457dfbec3a21061158a54061710d
Opcode Fuzzy Hash: 40a03f7f4f252469fea2f607f469bce98359207f7ebd184321d37bf4da794168
Instruction Fuzzy Hash: 2621D571504380BFE7218B25DC45FA6FFA8EF46720F18C09EFD459B292D364A949CB61

Uniqueness

Uniqueness Score: -1.00%

Function 05A00A9B, Relevance: 1.6, APIs: 1, Instructions: 71fileCOMMON

Download Yara Rule

APIs

CopyFileW.KERNELBASE(?,?,?), ref: 05A00B1E

Memory Dump Source

Source File: 00000004.00000002.603747038.0000000005A00000.00000040.00000001.sdmp, Offset: 05A00000, based on PE: false

Similarity

API ID: CopyFile
String ID:
API String ID: 1304948518-0
Opcode ID: 8f1e89c4de1e36e46068a5423aeec24de020040e71fdb172fb13d9c7ca466a1d
Instruction ID: e0cd31eff5f0f6c39bbdde8b80910d86ae2e1a932f3ab25e30fd7c84cacc6400
Opcode Fuzzy Hash: 8f1e89c4de1e36e46068a5423aeec24de020040e71fdb172fb13d9c7ca466a1d
Instruction Fuzzy Hash: 12217FB25093845FE722DB25DC55B62BFE8AF46314F0880EAE985DB293D225D808C761

Uniqueness

Uniqueness Score: -1.00%

Function 05A00723, Relevance: 1.6, APIs: 1, Instructions: 71COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,?), ref: 05A0079F

Memory Dump Source

Source File: 00000004.00000002.603747038.0000000005A00000.00000040.00000001.sdmp, Offset: 05A00000, based on PE: false

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: 67afeb013bc7036107d4008543975ec93b3c36b508755714624e9d7f43e0f6d7
Instruction ID: 3cfed75d636dd5eb280c05fa86e46583b554cfad4fb0b80df609f06f297f45af
Opcode Fuzzy Hash: 67afeb013bc7036107d4008543975ec93b3c36b508755714624e9d7f43e0f6d7
Instruction Fuzzy Hash: 9E2171765093809FD711CF25DC48B56BFE8EF06210F0984EAE945DF192D2649908CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0190AB3A, Relevance: 1.6, APIs: 1, Instructions: 69registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,9BE4979D,00000000,00000000,00000000,00000000), ref: 0190ABB4

Memory Dump Source

Source File: 00000004.00000002.598144195.000000000190A000.00000040.00000001.sdmp, Offset: 0190A000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: dd0c70753352ade30204547e7a8dbb59b0e5ed287d0f25b2923bec8e359cdcb6
Instruction ID: de92e971b1eba574939b66696f3f5a2f0e203f531d906e9d641a612e545f592f
Opcode Fuzzy Hash: dd0c70753352ade30204547e7a8dbb59b0e5ed287d0f25b2923bec8e359cdcb6
Instruction Fuzzy Hash: 38216D76500704AFE722CF29DC84F66FBECEF04711F14896AEA499B291D660E408CAB1

Uniqueness

Uniqueness Score: -1.00%

Function 05A021F2, Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

OpenFileMappingW.KERNELBASE(?,?), ref: 05A0225D

Memory Dump Source

Source File: 00000004.00000002.603747038.0000000005A00000.00000040.00000001.sdmp, Offset: 05A00000, based on PE: false

Similarity

API ID: FileMappingOpen
String ID:
API String ID: 1680863896-0
Opcode ID: 5a590dde97f025a03280f00af479faf11dec66f6ed292c0db3ba79db625df18e
Instruction ID: fe4f1ea220545f4f7524c356c5ee17719d26994106ea3a93f713f3013078b3fd
Opcode Fuzzy Hash: 5a590dde97f025a03280f00af479faf11dec66f6ed292c0db3ba79db625df18e
Instruction Fuzzy Hash: BC21AE75504300AFEB20DF65DC89F66FBE8EF48320F14846AED459B281D375A805CB71

Uniqueness

Uniqueness Score: -1.00%

Function 05A01530, Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 05A0159C

Memory Dump Source

Source File: 00000004.00000002.603747038.0000000005A00000.00000040.00000001.sdmp, Offset: 05A00000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: f42837feb2d3c9f81f52bfa468734e91d6d935429cf4a03e287c7055d6b862f6
Instruction ID: 54227dd29bd9cf8a07d6efca5c0d15b739fce244883567b2c0237aba5554e02b
Opcode Fuzzy Hash: f42837feb2d3c9f81f52bfa468734e91d6d935429cf4a03e287c7055d6b862f6
Instruction Fuzzy Hash: 8C21C3725093C45FDB128F25DC54A92BFB4EF47324F0984DAED858F663D274A908CB61

Uniqueness

Uniqueness Score: -1.00%

Function 05A01A92, Relevance: 1.6, APIs: 1, Instructions: 67networkCOMMON

Download Yara Rule

APIs

WSASocketW.WS2_32(?,?,?,?,?), ref: 05A01AFE

Memory Dump Source

Source File: 00000004.00000002.603747038.0000000005A00000.00000040.00000001.sdmp, Offset: 05A00000, based on PE: false

Similarity

API ID: Socket
String ID:
API String ID: 38366605-0
Opcode ID: bd5b71f5c827cb034545735293250503b7b3f085d9700f0b4d2e3f2eac91d474
Instruction ID: dd2011e635a1fe3e3dc206c4911938154732dbff3cd80051d7ce64b5752f1eba
Opcode Fuzzy Hash: bd5b71f5c827cb034545735293250503b7b3f085d9700f0b4d2e3f2eac91d474
Instruction Fuzzy Hash: 7521CF71500200AFEB21DF65EC44FA6FFE9EF45310F14855EEE859A251D375A408CB71

Uniqueness

Uniqueness Score: -1.00%

Function 05A015E5, Relevance: 1.6, APIs: 1, Instructions: 67COMMON

Download Yara Rule

APIs

K32EnumProcesses.KERNEL32(?,?,?,9BE4979D,00000000,?,?,?,?,?,?,?,?,72F43C38), ref: 05A01656

Memory Dump Source

Source File: 00000004.00000002.603747038.0000000005A00000.00000040.00000001.sdmp, Offset: 05A00000, based on PE: false

Similarity

API ID: EnumProcesses
String ID:
API String ID: 84517404-0
Opcode ID: 9a5052217b3627e9d1644a91960faf73fe020e5152f811da7f6f455f5ec2a250
Instruction ID: c3cbf7ddb0d2227acacde6763def71af4a5980684d0bafcf0c9008075a86175d
Opcode Fuzzy Hash: 9a5052217b3627e9d1644a91960faf73fe020e5152f811da7f6f455f5ec2a250
Instruction Fuzzy Hash: D5216F725093849FD712CF25DC84B92BFE8EF06320F0984EAE985DF163D274A908CB61

Uniqueness

Uniqueness Score: -1.00%

Function 05A022F2, Relevance: 1.6, APIs: 1, Instructions: 67fileCOMMON

Download Yara Rule

APIs

MapViewOfFile.KERNELBASE ref: 05A02366

Memory Dump Source

Source File: 00000004.00000002.603747038.0000000005A00000.00000040.00000001.sdmp, Offset: 05A00000, based on PE: false

Similarity

API ID: FileView
String ID:
API String ID: 3314676101-0
Opcode ID: 504a2bea51722c26ffc56cc15a06b9ded9aaeb3a6f59c7cae7637f297eff4b55
Instruction ID: 58618a82c5e16a6437a5d96a6c782115b53be7fc4134a139957a65134a8ed9cf
Opcode Fuzzy Hash: 504a2bea51722c26ffc56cc15a06b9ded9aaeb3a6f59c7cae7637f297eff4b55
Instruction Fuzzy Hash: F821AE71500304AFE721CF15DC89FA6FBE8EF08320F14855EEA849B241D375A508CB72

Uniqueness

Uniqueness Score: -1.00%

Function 05A001F4, Relevance: 1.6, APIs: 1, Instructions: 67COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 05A00264

Memory Dump Source

Source File: 00000004.00000002.603747038.0000000005A00000.00000040.00000001.sdmp, Offset: 05A00000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: f841cb3e29f45217397e5351efdebd2786dda585b779884dfed997f67df215cf
Instruction ID: 38eb710bc9381f7a5755e49ffc4dd7715d96a4682e6b3e990ed3415f7bb08c9f
Opcode Fuzzy Hash: f841cb3e29f45217397e5351efdebd2786dda585b779884dfed997f67df215cf
Instruction Fuzzy Hash: 9221F6B24057849FD712CF14EC89B51BFA8FF46320F0880DAED449F593D234A805CB61

Uniqueness

Uniqueness Score: -1.00%

Function 05A00B9E, Relevance: 1.6, APIs: 1, Instructions: 65registryCOMMON

Download Yara Rule

APIs

RegSetValueExW.KERNELBASE(?,00000E2C,9BE4979D,00000000,00000000,00000000,00000000), ref: 05A00C10

Memory Dump Source

Source File: 00000004.00000002.603747038.0000000005A00000.00000040.00000001.sdmp, Offset: 05A00000, based on PE: false

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 5dd6b6880b8a919f92d9fdf8a706147a894c940a6f45a649ad5fa182798b0e90
Instruction ID: 243e441ac2127b9497436c8c2891724c94cbdec17469b9d8b764991c0f3aae30
Opcode Fuzzy Hash: 5dd6b6880b8a919f92d9fdf8a706147a894c940a6f45a649ad5fa182798b0e90
Instruction Fuzzy Hash: D5118E72500704AFEB209F15EC85F67FBECFF05720F54856AEE459B281D660E409CA71

Uniqueness

Uniqueness Score: -1.00%

Function 05A004EA, Relevance: 1.6, APIs: 1, Instructions: 65registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,9BE4979D,00000000,00000000,00000000,00000000), ref: 05A0055C

Memory Dump Source

Source File: 00000004.00000002.603747038.0000000005A00000.00000040.00000001.sdmp, Offset: 05A00000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: cb7547923dfaefabcaad8d876429e44b07581f0fa7e700587b82f650fc724335
Instruction ID: a64054821df749eb150622462027c93de9caf376bab1e3cff304b916e34aba6a
Opcode Fuzzy Hash: cb7547923dfaefabcaad8d876429e44b07581f0fa7e700587b82f650fc724335
Instruction Fuzzy Hash: 64116A72500604EEEB20CF15EC88F67FBE8FF04720F54C56AEA469B291D660E409CB71

Uniqueness

Uniqueness Score: -1.00%

Function 05A012F8, Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 05A01362

Memory Dump Source

Source File: 00000004.00000002.603747038.0000000005A00000.00000040.00000001.sdmp, Offset: 05A00000, based on PE: false

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: bce2bbcbbb6758eaae3ba33cd282528e5be5234b5a5a4fa9e676c67f7ce9c7f2
Instruction ID: fccf28d9e3af7cc2ff6dc3da3d10f170ef53e9dcbd121f8449040e5322293f6d
Opcode Fuzzy Hash: bce2bbcbbb6758eaae3ba33cd282528e5be5234b5a5a4fa9e676c67f7ce9c7f2
Instruction Fuzzy Hash: 4F1172729053809FD751CF25DC85F96BFE8EF45310F0884AAED45DB652D274E804CB62

Uniqueness

Uniqueness Score: -1.00%

Function 05A0275E, Relevance: 1.6, APIs: 1, Instructions: 64timeCOMMON

Download Yara Rule

APIs

GetProcessTimes.KERNELBASE(?,00000E2C,9BE4979D,00000000,00000000,00000000,00000000), ref: 05A027BD

Memory Dump Source

Source File: 00000004.00000002.603747038.0000000005A00000.00000040.00000001.sdmp, Offset: 05A00000, based on PE: false

Similarity

API ID: ProcessTimes
String ID:
API String ID: 1995159646-0
Opcode ID: 67271d7ba5ef33fdc2e126e31c5012525f25ae427145c5d93dc2cbb08bd7da11
Instruction ID: f75934e330ce514d4782432064bde8aadc3026ff646f477adce282c667587db6
Opcode Fuzzy Hash: 67271d7ba5ef33fdc2e126e31c5012525f25ae427145c5d93dc2cbb08bd7da11
Instruction Fuzzy Hash: 67119376500700AFEB21CF55EC89FA6FFA8EF45710F14846BEE459B251D674A4088B71

Uniqueness

Uniqueness Score: -1.00%

Function 05A01006, Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

GetExitCodeProcess.KERNELBASE(?,00000E2C,9BE4979D,00000000,00000000,00000000,00000000), ref: 05A0105C

Memory Dump Source

Source File: 00000004.00000002.603747038.0000000005A00000.00000040.00000001.sdmp, Offset: 05A00000, based on PE: false

Similarity

API ID: CodeExitProcess
String ID:
API String ID: 3861947596-0
Opcode ID: 088562d70728d0575465e70e5eb9be882ad251c4a1ceb78eb3f52b932886667d
Instruction ID: b8cbbf24e8aeb8ec76d21ccc75b1959cea304486acb360efa9f6bbd39dc7362c
Opcode Fuzzy Hash: 088562d70728d0575465e70e5eb9be882ad251c4a1ceb78eb3f52b932886667d
Instruction Fuzzy Hash: 1A11A371500244AFEB10DF25EC85FABBBA8EF45320F14C46BEE45DB281D675A804CB71

Uniqueness

Uniqueness Score: -1.00%

Function 0190B7CA, Relevance: 1.6, APIs: 1, Instructions: 61windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,?,?), ref: 0190B841

Memory Dump Source

Source File: 00000004.00000002.598144195.000000000190A000.00000040.00000001.sdmp, Offset: 0190A000, based on PE: false

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 7cab79fc71602a7a45c08b1b9b6845561b5dbd233ae9abb039a04aa9ce6ce977
Instruction ID: 279262f0ac61340daddb4325e55ec721af97310058ab825763b06c6187a2d2e2
Opcode Fuzzy Hash: 7cab79fc71602a7a45c08b1b9b6845561b5dbd233ae9abb039a04aa9ce6ce977
Instruction Fuzzy Hash: B221CD764093C09FDB138B25DC54AA2BFB4EF07220F0D84DAEDC44F163D265A958DB62

Uniqueness

Uniqueness Score: -1.00%

Function 0190A51F, Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0190A58A

Memory Dump Source

Source File: 00000004.00000002.598144195.000000000190A000.00000040.00000001.sdmp, Offset: 0190A000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 0aef9b1e1cb8d8754ff3711ce550d0036519aba400425352f71760bf52388fd7
Instruction ID: 584b90ac46f260cbda1eeb68d2a13760b8967b59fcd072d16d80568eb546edfe
Opcode Fuzzy Hash: 0aef9b1e1cb8d8754ff3711ce550d0036519aba400425352f71760bf52388fd7
Instruction Fuzzy Hash: 03117571405380AFDB238F55DC44A52FFF8EF4A210F08859AED898B152D275A518DB61

Uniqueness

Uniqueness Score: -1.00%

Function 05A010E2, Relevance: 1.6, APIs: 1, Instructions: 60fileCOMMON

Download Yara Rule

APIs

DeleteFileA.KERNELBASE(?,00000E2C), ref: 05A0114B

Memory Dump Source

Source File: 00000004.00000002.603747038.0000000005A00000.00000040.00000001.sdmp, Offset: 05A00000, based on PE: false

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 1ca9aa7c9be678cc3353a82bd18d48d5b37e274b6dcb58ded70d29743763a85b
Instruction ID: 3ba59b38d7c0905184548f31e5306dd3f926f3da7888a360548a7b7bfa1fad52
Opcode Fuzzy Hash: 1ca9aa7c9be678cc3353a82bd18d48d5b37e274b6dcb58ded70d29743763a85b
Instruction Fuzzy Hash: 70110271600200AFF720DB25EC86FB6FBE8DF05720F14C06EEE059B281D6A4A909CB71

Uniqueness

Uniqueness Score: -1.00%

Function 05A009F2, Relevance: 1.6, APIs: 1, Instructions: 60COMMON

Download Yara Rule

APIs

setsockopt.WS2_32(?,00000E2C,9BE4979D,00000000,00000000,00000000,00000000), ref: 05A00A51

Memory Dump Source

Source File: 00000004.00000002.603747038.0000000005A00000.00000040.00000001.sdmp, Offset: 05A00000, based on PE: false

Similarity

API ID: setsockopt
String ID:
API String ID: 3981526788-0
Opcode ID: d52f7550855a6fd5833f1c95348f291eb6987ab20db6f057a82361bdee1cb169
Instruction ID: 10ab4cb3395e591d43dfe92ff1872dbe68a68d70283c47747507b11caa12b588
Opcode Fuzzy Hash: d52f7550855a6fd5833f1c95348f291eb6987ab20db6f057a82361bdee1cb169
Instruction Fuzzy Hash: 3111BF72500200AFEB21CF55EC84F66FBA8EF44320F14846BEE499B251C274A4098BB1

Uniqueness

Uniqueness Score: -1.00%

Function 05A002DE, Relevance: 1.6, APIs: 1, Instructions: 60registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNELBASE(?,00000E2C), ref: 05A00353

Memory Dump Source

Source File: 00000004.00000002.603747038.0000000005A00000.00000040.00000001.sdmp, Offset: 05A00000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: c0b4042a699c87075b4e6b79cb76a0c9954b160dad1027d8c11707a74c74275c
Instruction ID: 861ec6629a0c74c1907a43f710762230049af2f594333a8ce62141970b73bb11
Opcode Fuzzy Hash: c0b4042a699c87075b4e6b79cb76a0c9954b160dad1027d8c11707a74c74275c
Instruction Fuzzy Hash: FB11EC35000700EFEB22CF15EC85F66FBA8FF04720F14849AEE455A291C2B1A508CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 0190BB4F, Relevance: 1.6, APIs: 1, Instructions: 59windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 0190BBB9

Memory Dump Source

Source File: 00000004.00000002.598144195.000000000190A000.00000040.00000001.sdmp, Offset: 0190A000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: c9aac44e901e672dd805f2193de33d83882ebb6c012c64fc5a76dc5ab43ebdd2
Instruction ID: ea46357845057748b797524ad2e9559e2171e556bf87b945938d4ae3f3af213a
Opcode Fuzzy Hash: c9aac44e901e672dd805f2193de33d83882ebb6c012c64fc5a76dc5ab43ebdd2
Instruction Fuzzy Hash: E511D3354097C0AFD7238F25DC45B52FFB4EF06220F0885DEED858B563D265A458DB61

Uniqueness

Uniqueness Score: -1.00%

Function 0190BE05, Relevance: 1.6, APIs: 1, Instructions: 58windowCOMMON

Download Yara Rule

APIs

DispatchMessageW.USER32(?), ref: 0190BE70

Memory Dump Source

Source File: 00000004.00000002.598144195.000000000190A000.00000040.00000001.sdmp, Offset: 0190A000, based on PE: false

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: da1223e1be50b1e9eb6e64ecc6392696de26aff9d53e8c33ca3a54a356f8ead4
Instruction ID: cbd107618257d589b57aba911e52317bfb9dd6aaad075f688d2d8fe8daab3a3d
Opcode Fuzzy Hash: da1223e1be50b1e9eb6e64ecc6392696de26aff9d53e8c33ca3a54a356f8ead4
Instruction Fuzzy Hash: 3C117C754093C0AFD7138B259C44B61BFB8DF47624F0980DAED898F263D2656808CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0190B71E, Relevance: 1.6, APIs: 1, Instructions: 57windowCOMMON

Download Yara Rule

APIs

CreateIconFromResourceEx.USER32 ref: 0190B78A

Memory Dump Source

Source File: 00000004.00000002.598144195.000000000190A000.00000040.00000001.sdmp, Offset: 0190A000, based on PE: false

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: dfd6a84546516651afed49a893c582e646af1a30efa4dd28f1afc87ee696dcee
Instruction ID: 3bf2c66d0099e16555d6138aaf3acbe66226b171f3798686484710520ab2743f
Opcode Fuzzy Hash: dfd6a84546516651afed49a893c582e646af1a30efa4dd28f1afc87ee696dcee
Instruction Fuzzy Hash: C111A236404380AFDB228F55DC44E52FFF4EF49310F08859EEE898B562C375A418DB61

Uniqueness

Uniqueness Score: -1.00%

Function 05A0118F, Relevance: 1.6, APIs: 1, Instructions: 56COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNELBASE(?), ref: 05A011F4

Memory Dump Source

Source File: 00000004.00000002.603747038.0000000005A00000.00000040.00000001.sdmp, Offset: 05A00000, based on PE: false

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: 32dc0f32e8ba378797eeef4b4d757be6fbf00d83186aff2ebb3c60f1a6eb381a
Instruction ID: 40c8eaf2a6aab4a5a1624c2da553ad6bca0e47076460b76faa54b6d87104b0ad
Opcode Fuzzy Hash: 32dc0f32e8ba378797eeef4b4d757be6fbf00d83186aff2ebb3c60f1a6eb381a
Instruction Fuzzy Hash: 481193714093C0AFD7128F25DC44B92BFB4EF46214F0984EBED848F153C279A849CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0190BEB4, Relevance: 1.6, APIs: 1, Instructions: 56fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(?), ref: 0190BF0C

Memory Dump Source

Source File: 00000004.00000002.598144195.000000000190A000.00000040.00000001.sdmp, Offset: 0190A000, based on PE: false

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: a703c35e717562a8e2077d1a80a4903b3b72923cbab15b9705183b247ac40c6e
Instruction ID: 044e1f8e23e831ff711cd3c5931ad97f36ba3ce426649c7f85fbffd80abe9d25
Opcode Fuzzy Hash: a703c35e717562a8e2077d1a80a4903b3b72923cbab15b9705183b247ac40c6e
Instruction Fuzzy Hash: 1611A7755053809FD711CF2ADC45B56BFE8DF45220F0884AAEE49CF252D275E848CB61

Uniqueness

Uniqueness Score: -1.00%

Function 05A00AD6, Relevance: 1.6, APIs: 1, Instructions: 53fileCOMMON

Download Yara Rule

APIs

CopyFileW.KERNELBASE(?,?,?), ref: 05A00B1E

Memory Dump Source

Source File: 00000004.00000002.603747038.0000000005A00000.00000040.00000001.sdmp, Offset: 05A00000, based on PE: false

Similarity

API ID: CopyFile
String ID:
API String ID: 1304948518-0
Opcode ID: ed9000b071cce7733c2da209ad96e20350f401f7cbfbaa7c03d8306ec493d4bf
Instruction ID: 4da6060910bdcce451cff4a279ecfddaaa4a94467455b3727cf03834e1c26b38
Opcode Fuzzy Hash: ed9000b071cce7733c2da209ad96e20350f401f7cbfbaa7c03d8306ec493d4bf
Instruction Fuzzy Hash: 661182716002049FDB50DF29E889B56FBE8FF05314F58D4AADD49DB281D674D404CB71

Uniqueness

Uniqueness Score: -1.00%

Function 05A0131A, Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 05A01362

Memory Dump Source

Source File: 00000004.00000002.603747038.0000000005A00000.00000040.00000001.sdmp, Offset: 05A00000, based on PE: false

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: ed9000b071cce7733c2da209ad96e20350f401f7cbfbaa7c03d8306ec493d4bf
Instruction ID: d12dfb9b7efb1c56c1cdd1dc79f5e0819deff759066b938df2db9ae6ceca39b3
Opcode Fuzzy Hash: ed9000b071cce7733c2da209ad96e20350f401f7cbfbaa7c03d8306ec493d4bf
Instruction Fuzzy Hash: 99116575A046009FDB50CF69EC85BA6FBE8EF44710F08D4AADD49DB641D674E404CB72

Uniqueness

Uniqueness Score: -1.00%

Function 05A00932, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E2C,9BE4979D,00000000,00000000,00000000,00000000), ref: 05A00985

Memory Dump Source

Source File: 00000004.00000002.603747038.0000000005A00000.00000040.00000001.sdmp, Offset: 05A00000, based on PE: false

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: dc6a01c092808944293ece5e1d1bbf205d35dcb285dfcaf12161bb3fd0f5c358
Instruction ID: 409da53b8865e00f4aaa04a44ac8647ad0a21059528565b0135b730441e7122c
Opcode Fuzzy Hash: dc6a01c092808944293ece5e1d1bbf205d35dcb285dfcaf12161bb3fd0f5c358
Instruction Fuzzy Hash: 8301D671500704AEFB10CB19DC89F66FFA8EF05720F54C457EE449B281D674A4048BB1

Uniqueness

Uniqueness Score: -1.00%

Function 05A0075A, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,?), ref: 05A0079F

Memory Dump Source

Source File: 00000004.00000002.603747038.0000000005A00000.00000040.00000001.sdmp, Offset: 05A00000, based on PE: false

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: ec44fd23df3f3693b5391042a00423504b9da7b017e8fbe8951e02a503c64cb6
Instruction ID: 0dd6f1e97500135348be7e145e325e683d7370b16950b78905c8cc69f84240c4
Opcode Fuzzy Hash: ec44fd23df3f3693b5391042a00423504b9da7b017e8fbe8951e02a503c64cb6
Instruction Fuzzy Hash: B4117C756006009FEB10CF29E888B66BBE8FB04320F48D4AADD09DB681D678E4048F61

Uniqueness

Uniqueness Score: -1.00%

Function 0190A75B, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

closesocket.WS2_32(?), ref: 0190A7BC

Memory Dump Source

Source File: 00000004.00000002.598144195.000000000190A000.00000040.00000001.sdmp, Offset: 0190A000, based on PE: false

Similarity

API ID: closesocket
String ID:
API String ID: 2781271927-0
Opcode ID: 5bd9366468f069c04bd416a7802343dfb2a825dbbd17cb3962dc532264c1f4ca
Instruction ID: 82bcbc6ea89b83ff0f9d639d6fb48cd0e65f282dfa85a773c1eabdb8305f3f08
Opcode Fuzzy Hash: 5bd9366468f069c04bd416a7802343dfb2a825dbbd17cb3962dc532264c1f4ca
Instruction Fuzzy Hash: 1D11E071408384AFD712CF15DC84B52BFB8EF46220F08C4DAED499F293D275A908CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 05A01616, Relevance: 1.5, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

K32EnumProcesses.KERNEL32(?,?,?,9BE4979D,00000000,?,?,?,?,?,?,?,?,72F43C38), ref: 05A01656

Memory Dump Source

Source File: 00000004.00000002.603747038.0000000005A00000.00000040.00000001.sdmp, Offset: 05A00000, based on PE: false

Similarity

API ID: EnumProcesses
String ID:
API String ID: 84517404-0
Opcode ID: f198848c355185579490265c24ac93b853c3c7568cb30e7b95cda6f139331dc4
Instruction ID: e75fb8aacb6cd3053aaf3025f4d99ca03c7467a4399006b6805c78446d08a50c
Opcode Fuzzy Hash: f198848c355185579490265c24ac93b853c3c7568cb30e7b95cda6f139331dc4
Instruction Fuzzy Hash: 731180755002449FDB10CF69EC84BA6FBE8EF04320F18D4AAED49CB251E675E408CF61

Uniqueness

Uniqueness Score: -1.00%

Function 0190A8CC, Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 0190A926

Memory Dump Source

Source File: 00000004.00000002.598144195.000000000190A000.00000040.00000001.sdmp, Offset: 0190A000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 4038cbe3eaa0bd8f922936358b6a907406506e0648d2d23c40de7343cf35f5b2
Instruction ID: 0e19602f214b452ae6eba9ac0ce4bbfb7c352ce2c6368402e67de1f83ae760b5
Opcode Fuzzy Hash: 4038cbe3eaa0bd8f922936358b6a907406506e0648d2d23c40de7343cf35f5b2
Instruction Fuzzy Hash: F3118235409784AFD7228F15DC85A52FFF4EF06220F09C4DAED895B263D275A418CB62

Uniqueness

Uniqueness Score: -1.00%

Function 05A02BC2, Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

FormatMessageW.KERNELBASE(?,00000E2C,?,?), ref: 05A02C12

Memory Dump Source

Source File: 00000004.00000002.603747038.0000000005A00000.00000040.00000001.sdmp, Offset: 05A00000, based on PE: false

Similarity

API ID: FormatMessage
String ID:
API String ID: 1306739567-0
Opcode ID: 2a24c1653ea7c89c4ff7ef8bde95b873eea746bfda7ddaa7b6f72cb4a8abfd08
Instruction ID: 787f357a4b0e7a34caf66e439275eea213f5a7688c037f85ecc4af51f5cf78a9
Opcode Fuzzy Hash: 2a24c1653ea7c89c4ff7ef8bde95b873eea746bfda7ddaa7b6f72cb4a8abfd08
Instruction Fuzzy Hash: 8A017176500600ABE710DF16DC85F26FBA8EB88B20F14C56AED089B741E331B915CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 05A00CCA, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetTempFileNameW.KERNELBASE(?,00000E2C,?,?), ref: 05A00D1A

Memory Dump Source

Source File: 00000004.00000002.603747038.0000000005A00000.00000040.00000001.sdmp, Offset: 05A00000, based on PE: false

Similarity

API ID: FileNameTemp
String ID:
API String ID: 745986568-0
Opcode ID: cee2f2a6e9e89ffc6f691fde7105804fb04e5ce70601122b350ed60bc5b0ccbc
Instruction ID: 85a0296bac0d6857939c324ed5c0e8e34765009c372b828272d97e5ad33c0b0c
Opcode Fuzzy Hash: cee2f2a6e9e89ffc6f691fde7105804fb04e5ce70601122b350ed60bc5b0ccbc
Instruction Fuzzy Hash: 0F017176500600ABE710DF16DC85F26FBA8FB88B20F14C56AED089B741E331B915CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0190BED2, Relevance: 1.5, APIs: 1, Instructions: 47fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(?), ref: 0190BF0C

Memory Dump Source

Source File: 00000004.00000002.598144195.000000000190A000.00000040.00000001.sdmp, Offset: 0190A000, based on PE: false

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 95850d07266b98138fc64b60733dc38647ca7fad528dd3ea2f10e7f1dc67ddec
Instruction ID: a16385305353c1e1dce68dde137f0662ff44bdeb2c82ab7762046c7353478cb0
Opcode Fuzzy Hash: 95850d07266b98138fc64b60733dc38647ca7fad528dd3ea2f10e7f1dc67ddec
Instruction Fuzzy Hash: 6E01B1756002009FEB11DF2AD884766FFD8DF00221F08C4AADE0ACB282D675E808CF61

Uniqueness

Uniqueness Score: -1.00%

Function 0190A172, Relevance: 1.5, APIs: 1, Instructions: 47networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(?,00000E2C,?,?), ref: 0190A1C2

Memory Dump Source

Source File: 00000004.00000002.598144195.000000000190A000.00000040.00000001.sdmp, Offset: 0190A000, based on PE: false

Similarity

API ID: Startup
String ID:
API String ID: 724789610-0
Opcode ID: 63d3aa632e7d6030c2d67aac8eb60643d62cefe8d43c4fd9252dcd3181218439
Instruction ID: e347e3ebd28f6f3480b9643187ba64aab0a8a49bdd144bb8f766b8d5e8cfa985
Opcode Fuzzy Hash: 63d3aa632e7d6030c2d67aac8eb60643d62cefe8d43c4fd9252dcd3181218439
Instruction Fuzzy Hash: 34017176500600ABE710DF16DC85B26FBA8EB88A20F14856AED089B741E335B915CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0190A546, Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0190A58A

Memory Dump Source

Source File: 00000004.00000002.598144195.000000000190A000.00000040.00000001.sdmp, Offset: 0190A000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: a9ed8c5b12d302e8d408658c2c97e4583b94f28e2d7c816384cd6f5f391bf678
Instruction ID: b8be1219f752c6630a08566129c2f79123e16be990f4d80221c7e1d88fa02d74
Opcode Fuzzy Hash: a9ed8c5b12d302e8d408658c2c97e4583b94f28e2d7c816384cd6f5f391bf678
Instruction Fuzzy Hash: E0015B32400700AFDB228F55D844B56FFE4EF48321F08C99AEE495B652D376A418DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0190B746, Relevance: 1.5, APIs: 1, Instructions: 45windowCOMMON

Download Yara Rule

APIs

CreateIconFromResourceEx.USER32 ref: 0190B78A

Memory Dump Source

Source File: 00000004.00000002.598144195.000000000190A000.00000040.00000001.sdmp, Offset: 0190A000, based on PE: false

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: 103aa95a6523e72668abd9bf04f6cd4dfe0c875c54172aa08741966692563083
Instruction ID: 15c569e4436353d6b340f35012567f2c34613cbdc5da51060429771e9bd689b2
Opcode Fuzzy Hash: 103aa95a6523e72668abd9bf04f6cd4dfe0c875c54172aa08741966692563083
Instruction Fuzzy Hash: 92016136400600DFDB228F55D844B56FFE4EF48310F08C95EDE4A4A652D275A418DF61

Uniqueness

Uniqueness Score: -1.00%

Function 05A019F6, Relevance: 1.5, APIs: 1, Instructions: 43registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,?,?), ref: 05A01A46

Memory Dump Source

Source File: 00000004.00000002.603747038.0000000005A00000.00000040.00000001.sdmp, Offset: 05A00000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 7893a11c461c8730b48bca54f865adedf0d7071caef885bdfb1c0f7c86b829ce
Instruction ID: 844686b266f3ad110ee66238695456f23c52c1444caeb5d48ec656c191674fda
Opcode Fuzzy Hash: 7893a11c461c8730b48bca54f865adedf0d7071caef885bdfb1c0f7c86b829ce
Instruction Fuzzy Hash: 0D014B76500604ABD210DF16DC86F26FBA8EB88B20F14815AED085B741E371B916CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 05A00232, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 05A00264

Memory Dump Source

Source File: 00000004.00000002.603747038.0000000005A00000.00000040.00000001.sdmp, Offset: 05A00000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 8343ea6410d7a854051ce8b95d533be0928f75cab9727a6498c0feeabbc8fbc1
Instruction ID: 052074f97119c6ae6c35cd856b63ab966bf3ac9367b4e33f4c0d129c9b781b0b
Opcode Fuzzy Hash: 8343ea6410d7a854051ce8b95d533be0928f75cab9727a6498c0feeabbc8fbc1
Instruction Fuzzy Hash: 5B01F2759002009FEB10CF29E888B66FFE4EF44320F08C4ABDE098F242D6B5E408CB61

Uniqueness

Uniqueness Score: -1.00%

Function 05A0156A, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 05A0159C

Memory Dump Source

Source File: 00000004.00000002.603747038.0000000005A00000.00000040.00000001.sdmp, Offset: 05A00000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: f3b3fdb28e78ee3318deaa407a8e6bf9ae83f0ecced6a19107259b789abc037b
Instruction ID: 2471da7e22dd3a1381a943bf6d11d96fcd5f2f855781eac5317dc266855aa3ae
Opcode Fuzzy Hash: f3b3fdb28e78ee3318deaa407a8e6bf9ae83f0ecced6a19107259b789abc037b
Instruction Fuzzy Hash: C001BC755002449FDB20CF2AEC84BA6FFA4EF44320F18D4AADD0A8F642D674A408CB72

Uniqueness

Uniqueness Score: -1.00%

Function 0190BB7E, Relevance: 1.5, APIs: 1, Instructions: 42windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 0190BBB9

Memory Dump Source

Source File: 00000004.00000002.598144195.000000000190A000.00000040.00000001.sdmp, Offset: 0190A000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 559a3fceea29329477c6b1dfcbf02dc45b84bd86c5be580be946dfbc2c0139f4
Instruction ID: 79e59c090d287619bfd117db63c4aefd1a758e195cd695dd2e0eb80e5b4337c8
Opcode Fuzzy Hash: 559a3fceea29329477c6b1dfcbf02dc45b84bd86c5be580be946dfbc2c0139f4
Instruction Fuzzy Hash: 8701B139500A00DFDB218F1AD884B66FFE4EF04320F08C4AADD4A4B666D271E418CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0190A78A, Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

closesocket.WS2_32(?), ref: 0190A7BC

Memory Dump Source

Source File: 00000004.00000002.598144195.000000000190A000.00000040.00000001.sdmp, Offset: 0190A000, based on PE: false

Similarity

API ID: closesocket
String ID:
API String ID: 2781271927-0
Opcode ID: 0d8fbf8d69d52513cf6c30eac4cb7e5cd7112a9e4c646df410e5f1024ee7d7ae
Instruction ID: 54e6d416f0171a5a0958211ac9ba04e2acbefc6b1a341356f74ea06ef91c13d4
Opcode Fuzzy Hash: 0d8fbf8d69d52513cf6c30eac4cb7e5cd7112a9e4c646df410e5f1024ee7d7ae
Instruction Fuzzy Hash: 8001AD75800340DFDB11CF19D888B66FFE8EF44221F18C4AADE099F242D2B5A408CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0190B806, Relevance: 1.5, APIs: 1, Instructions: 38windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,?,?), ref: 0190B841

Memory Dump Source

Source File: 00000004.00000002.598144195.000000000190A000.00000040.00000001.sdmp, Offset: 0190A000, based on PE: false

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: ca813ec982f81b1df2b652e131a71f96e5fbacf11c2dd7c13009cc9f670300d6
Instruction ID: 712cdf325ea9d92f3a9c8ebb781bc5cb27149a6fbe00f2bf07ad417dd63a72c3
Opcode Fuzzy Hash: ca813ec982f81b1df2b652e131a71f96e5fbacf11c2dd7c13009cc9f670300d6
Instruction Fuzzy Hash: 0301A235400744DFDB218F16D884B66FFE4EF04720F08C49ADE4A5B262D275A518DF72

Uniqueness

Uniqueness Score: -1.00%

Function 0190A8EE, Relevance: 1.5, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 0190A926

Memory Dump Source

Source File: 00000004.00000002.598144195.000000000190A000.00000040.00000001.sdmp, Offset: 0190A000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: dad8a1db82deecea1f8f21e97b9ee70006b5caebf2767212894ded6cdc2e850a
Instruction ID: c37aa98210ccd8982ed63d8fbd1fd35264d90e708873b06cf7aa753dce6e0ce5
Opcode Fuzzy Hash: dad8a1db82deecea1f8f21e97b9ee70006b5caebf2767212894ded6cdc2e850a
Instruction Fuzzy Hash: 5401D139500704DFDB218F19D885B52FFE4EF05320F08C4AADE4A4B252C2B5A408DFB2

Uniqueness

Uniqueness Score: -1.00%

Function 0190BE3E, Relevance: 1.5, APIs: 1, Instructions: 35windowCOMMON

Download Yara Rule

APIs

DispatchMessageW.USER32(?), ref: 0190BE70

Memory Dump Source

Source File: 00000004.00000002.598144195.000000000190A000.00000040.00000001.sdmp, Offset: 0190A000, based on PE: false

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: a1710afd09299c32843854cab4980b49ca50dbf8c2240771c3c4a318fe443c2d
Instruction ID: 4a5991c0f9216a6e367b49c44014bb1301d444835eed148ecf9af8f854e69173
Opcode Fuzzy Hash: a1710afd09299c32843854cab4980b49ca50dbf8c2240771c3c4a318fe443c2d
Instruction Fuzzy Hash: 4BF0A439804644DFD7118F19D888765FFD4DF04721F18C4AADE4D5B252D2B5B848CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0190A372, Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 0190A3A4

Memory Dump Source

Source File: 00000004.00000002.598144195.000000000190A000.00000040.00000001.sdmp, Offset: 0190A000, based on PE: false

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: a1710afd09299c32843854cab4980b49ca50dbf8c2240771c3c4a318fe443c2d
Instruction ID: 20465c81bb6864c869c325d0b39dda1f87c93da5b4e8a54e11d5f798bad84501
Opcode Fuzzy Hash: a1710afd09299c32843854cab4980b49ca50dbf8c2240771c3c4a318fe443c2d
Instruction Fuzzy Hash: B6F0AF35400744DFDB21CF1AD888B66FFE4EF04321F18C49ADE495B652D6B9A408CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 034920D0, Relevance: 1.4, Strings: 1, Instructions: 198COMMON

Download Yara Rule

Strings

r*+, xrefs: 0349230F

Memory Dump Source

Source File: 00000004.00000002.599279331.0000000003490000.00000040.00000001.sdmp, Offset: 03490000, based on PE: false

Similarity

API ID:
String ID: r*+
API String ID: 0-3221063712
Opcode ID: b049601b1da936bf5c22c06083050cc6b83ee69f01fc7c132db79ed577781861
Instruction ID: d3dc761635e667f332aec5879a8bb04565a02e9b51af9c82499effe9a87e5611
Opcode Fuzzy Hash: b049601b1da936bf5c22c06083050cc6b83ee69f01fc7c132db79ed577781861
Instruction Fuzzy Hash: 29714A30A0820DEFEF54DFA8C5856AEBFB1FB84300F14886BC516AF255D7B49942CB95

Uniqueness

Uniqueness Score: -1.00%

Function 03490682, Relevance: 1.4, Strings: 1, Instructions: 138COMMON

Download Yara Rule

Strings

Zbq^, xrefs: 034906A1, 034906A6

Memory Dump Source

Source File: 00000004.00000002.599279331.0000000003490000.00000040.00000001.sdmp, Offset: 03490000, based on PE: false

Similarity

API ID:
String ID: Zbq^
API String ID: 0-3795834683
Opcode ID: 83b32a8d98a9e2285d7842892eb7b3c7a4c9e2d8d9a1c8448555e0ebf72fbd92
Instruction ID: ddced16e9a0b5d1543be073a1d07cd0c42900c1bb46fdd36d9d875a5b5cc7817
Opcode Fuzzy Hash: 83b32a8d98a9e2285d7842892eb7b3c7a4c9e2d8d9a1c8448555e0ebf72fbd92
Instruction Fuzzy Hash: C34162307442168FD719BBB8E81C5AD3BA6BFC0755714496BE406CB2A8DF744C82CB95

Uniqueness

Uniqueness Score: -1.00%

Function 03491458, Relevance: 1.4, Strings: 1, Instructions: 128COMMON

Download Yara Rule

Strings

$g^r, xrefs: 034914C7

Memory Dump Source

Source File: 00000004.00000002.599279331.0000000003490000.00000040.00000001.sdmp, Offset: 03490000, based on PE: false

Similarity

API ID:
String ID: $g^r
API String ID: 0-3653196314
Opcode ID: 906a4bbca61a5317b38cf4d748d86d86dcc8e6b4978a61c3cf0826d87e132030
Instruction ID: 3f44736acbfbdb1b6162acba9f8453d0792b939b9845b3ea43cfdd0802e5325b
Opcode Fuzzy Hash: 906a4bbca61a5317b38cf4d748d86d86dcc8e6b4978a61c3cf0826d87e132030
Instruction Fuzzy Hash: 5B51D034A00219CFDB54DF64C898B99BBB2FF89340F1145AAD80AAB365CB359D85CF91

Uniqueness

Uniqueness Score: -1.00%

Function 03491290, Relevance: 1.3, Strings: 1, Instructions: 99COMMON

Download Yara Rule

Strings

$g^r, xrefs: 03491349

Memory Dump Source

Source File: 00000004.00000002.599279331.0000000003490000.00000040.00000001.sdmp, Offset: 03490000, based on PE: false

Similarity

API ID:
String ID: $g^r
API String ID: 0-3653196314
Opcode ID: e96bc526b30625efafc586e4705a213b4e90681d42f5d16e448fb08d80da19a3
Instruction ID: 96a13ab082ed7e003fa290e6a94eb4763aa9b9bf1c4d118ca48ec56a8ddf200a
Opcode Fuzzy Hash: e96bc526b30625efafc586e4705a213b4e90681d42f5d16e448fb08d80da19a3
Instruction Fuzzy Hash: D641E674E04219CFEB64DF68D894BADBBB2BB49344F1044ABD40AAB350DB309D85CF55

Uniqueness

Uniqueness Score: -1.00%

Function 03498A10, Relevance: 1.3, Strings: 1, Instructions: 98COMMON

Download Yara Rule

Strings

r*+, xrefs: 03498B27

Memory Dump Source

Source File: 00000004.00000002.599279331.0000000003490000.00000040.00000001.sdmp, Offset: 03490000, based on PE: false

Similarity

API ID:
String ID: r*+
API String ID: 0-3221063712
Opcode ID: 894739e56ed582a4ae4238e4013d76417ea2894bf0b31d82992af69db8c2b059
Instruction ID: 2a1b3a6ab907f064b17ced355b38b7abc558a237e7996705cabab3db8c2771d3
Opcode Fuzzy Hash: 894739e56ed582a4ae4238e4013d76417ea2894bf0b31d82992af69db8c2b059
Instruction Fuzzy Hash: 88410830E04209DFEF44DBB8C5566AEBFB1FB86300F1484ABD516AB250DB349A46CF59

Uniqueness

Uniqueness Score: -1.00%

Function 0349E0C7, Relevance: 1.3, Strings: 1, Instructions: 79COMMON

Download Yara Rule

Strings

l_r, xrefs: 0349E183

Memory Dump Source

Source File: 00000004.00000002.599279331.0000000003490000.00000040.00000001.sdmp, Offset: 03490000, based on PE: false

Similarity

API ID:
String ID: l_r
API String ID: 0-1875860616
Opcode ID: 61525e128ef7c06bcde3f0423f41b85808ebd56fbd08507fd784dd23bcd30b72
Instruction ID: 69525b8ff6c2351b57d14799343fc99edfce7332ae25248339040b13830b0714
Opcode Fuzzy Hash: 61525e128ef7c06bcde3f0423f41b85808ebd56fbd08507fd784dd23bcd30b72
Instruction Fuzzy Hash: A121A135604214CBEF05CA6898052BEFFE5BB88611F14457BE856EF340DB719C868795

Uniqueness

Uniqueness Score: -1.00%

Function 0349C7C2, Relevance: 1.3, Strings: 1, Instructions: 63COMMON

Download Yara Rule

Strings

->bq^, xrefs: 0349C82D, 0349C832

Memory Dump Source

Source File: 00000004.00000002.599279331.0000000003490000.00000040.00000001.sdmp, Offset: 03490000, based on PE: false

Similarity

API ID:
String ID: ->bq^
API String ID: 0-2545588331
Opcode ID: 5b3029faec3dd7a04ffe67aa07f852693754852be751a0f7063213a584fcec2b
Instruction ID: 5e20f3767ae6344e3711508dfe401431b0d9222fdace883dd839299474b43f59
Opcode Fuzzy Hash: 5b3029faec3dd7a04ffe67aa07f852693754852be751a0f7063213a584fcec2b
Instruction Fuzzy Hash: 9811E2316053509FDB0ADB38E598A793BA6FF8A211B1904E6E846DF396C7349C43C790

Uniqueness

Uniqueness Score: -1.00%

Function 0349C7D0, Relevance: 1.3, Strings: 1, Instructions: 56COMMON

Download Yara Rule

Strings

->bq^, xrefs: 0349C82D, 0349C832

Memory Dump Source

Source File: 00000004.00000002.599279331.0000000003490000.00000040.00000001.sdmp, Offset: 03490000, based on PE: false

Similarity

API ID:
String ID: ->bq^
API String ID: 0-2545588331
Opcode ID: 35d9eb70c8ecb48646c2f58c77f388dc8988a35ae5025d67e88ff8bdb8beec1f
Instruction ID: 87b57cf96370c94ca3917bd497c03255eafe2803133a7b94d601227f69ade811
Opcode Fuzzy Hash: 35d9eb70c8ecb48646c2f58c77f388dc8988a35ae5025d67e88ff8bdb8beec1f
Instruction Fuzzy Hash: C31186307043549FDB09EB38E45872D3BEBF7CA611F1508A5E406EB384DA749C46C795

Uniqueness

Uniqueness Score: -1.00%

Function 0349A441, Relevance: 1.3, Strings: 1, Instructions: 47COMMON

Download Yara Rule

Strings

Hu_r, xrefs: 0349A473

Memory Dump Source

Source File: 00000004.00000002.599279331.0000000003490000.00000040.00000001.sdmp, Offset: 03490000, based on PE: false

Similarity

API ID:
String ID: Hu_r
API String ID: 0-2935379198
Opcode ID: f86d0d32a07a238394a1805bf2bcbe1af01af5756a768f3fb8ceeef4222473ac
Instruction ID: 2364bdb2b21fa283d188deeab8cf9ddc20ea93dd4db0a801bb9bd1602356daef
Opcode Fuzzy Hash: f86d0d32a07a238394a1805bf2bcbe1af01af5756a768f3fb8ceeef4222473ac
Instruction Fuzzy Hash: ADF04C203082109BDA41EA7C5C8467D2F9AABC15347744327E51ADF3C5CD145C0703B1

Uniqueness

Uniqueness Score: -1.00%

Function 03494710, Relevance: 1.3, Strings: 1, Instructions: 43COMMON

Download Yara Rule

Strings

X1ar, xrefs: 03494747

Memory Dump Source

Source File: 00000004.00000002.599279331.0000000003490000.00000040.00000001.sdmp, Offset: 03490000, based on PE: false

Similarity

API ID:
String ID: X1ar
API String ID: 0-3367582976
Opcode ID: c0eb1a9b9f42ee6f17056643c7513a285ae1bdc067b820f6fad380ac2076b042
Instruction ID: 094efddd47ab11d843abfd6fe23f4dcb62b58760059a7d2ed7ab33fdb2bcdfe7
Opcode Fuzzy Hash: c0eb1a9b9f42ee6f17056643c7513a285ae1bdc067b820f6fad380ac2076b042
Instruction Fuzzy Hash: EBF0F6363012546BDE29D6BAA8103AE3ACB87C6761F44047FD20ACF7C0D86588434394

Uniqueness

Uniqueness Score: -1.00%

Function 034975B0, Relevance: 1.3, Strings: 1, Instructions: 43COMMON

Download Yara Rule

Strings

Hu_r, xrefs: 034975E3

Memory Dump Source

Source File: 00000004.00000002.599279331.0000000003490000.00000040.00000001.sdmp, Offset: 03490000, based on PE: false

Similarity

API ID:
String ID: Hu_r
API String ID: 0-2935379198
Opcode ID: 5dc88a17358f9c5f20d716f2ab0128ed6d64d1d42df99909270f8c141dd6dc9c
Instruction ID: f08ed14e67e29dc890210b2e69252f7ebd3e78daad0d93da161121ac92f05b8f
Opcode Fuzzy Hash: 5dc88a17358f9c5f20d716f2ab0128ed6d64d1d42df99909270f8c141dd6dc9c
Instruction Fuzzy Hash: BBF046717082104BDA40FF6C9C90BBD2E8BABC4270B78462FA11ADF3D4DE204C0243A5

Uniqueness

Uniqueness Score: -1.00%

Function 034975C0, Relevance: 1.3, Strings: 1, Instructions: 40COMMON

Download Yara Rule

Strings

Hu_r, xrefs: 034975E3

Memory Dump Source

Source File: 00000004.00000002.599279331.0000000003490000.00000040.00000001.sdmp, Offset: 03490000, based on PE: false

Similarity

API ID:
String ID: Hu_r
API String ID: 0-2935379198
Opcode ID: f16a0de256caccb43ecf2f4b3f47de42c1c89c110ec1ea49933d0a1764443ec1
Instruction ID: ac24eea621958657bbc5ca7526391f4c29d26c36440fa0b5f14c691c211956b2
Opcode Fuzzy Hash: f16a0de256caccb43ecf2f4b3f47de42c1c89c110ec1ea49933d0a1764443ec1
Instruction Fuzzy Hash: 65F0E93030821057D944BA6D9C94A7D7E8BABC5670774472BA52ACF3D4DD515C0243A9

Uniqueness

Uniqueness Score: -1.00%

Function 03497C0E, Relevance: .4, Instructions: 436COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.599279331.0000000003490000.00000040.00000001.sdmp, Offset: 03490000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5afc847d4de742129be96fbdc05ba24e4a8abe540f0ead7cd6e048eb48f7cf7a
Instruction ID: c10da472b80013478ccf7548720b485ca64382e02d9bf27461293e45ca1e95c4
Opcode Fuzzy Hash: 5afc847d4de742129be96fbdc05ba24e4a8abe540f0ead7cd6e048eb48f7cf7a
Instruction Fuzzy Hash: 78020334A00605CFDB14DB69C584A6ABBF2FF89310F2586AAD85ADB750DB30EC42CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0349AEE1, Relevance: .3, Instructions: 251COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.599279331.0000000003490000.00000040.00000001.sdmp, Offset: 03490000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f681215750235ca3577b4dbda5e85074d7f7a05b93b48e8b930ae29703c192f5
Instruction ID: 0367b702bd0ac1b0d9dbcdea9393e13f4d907b7fd140d7793fb21f6099aacf55
Opcode Fuzzy Hash: f681215750235ca3577b4dbda5e85074d7f7a05b93b48e8b930ae29703c192f5
Instruction Fuzzy Hash: AA91A330B006168FEB44EB68C858A6E7BA7FFC5310F50466AD20A9F7D4DFB09D068791

Uniqueness

Uniqueness Score: -1.00%

Function 034961B0, Relevance: .2, Instructions: 241COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.599279331.0000000003490000.00000040.00000001.sdmp, Offset: 03490000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3dadfe8d9f80aa15bc25ab5358d2ea5f26bd0e238393ad6eea34d63f7a18049f
Instruction ID: 5f73d7beec33a5ba26b811b47f862a65d6fe9e23f9e239ece2e87285081b2569
Opcode Fuzzy Hash: 3dadfe8d9f80aa15bc25ab5358d2ea5f26bd0e238393ad6eea34d63f7a18049f
Instruction Fuzzy Hash: 54818031A00619CFDF15DF54C8909DAFBB2EF85314F1684E6D80AAF205DB75AA86CF84

Uniqueness

Uniqueness Score: -1.00%

Function 0349E969, Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.599279331.0000000003490000.00000040.00000001.sdmp, Offset: 03490000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b9a00d34cc3b2ddb23e59cc4d3ed84bdbba18248045e27977be0b23f72e6c7c
Instruction ID: 84502227ad832984e38680c7894337f3ac188947038bb1363f0e9151eddcaac2
Opcode Fuzzy Hash: 8b9a00d34cc3b2ddb23e59cc4d3ed84bdbba18248045e27977be0b23f72e6c7c
Instruction Fuzzy Hash: FE71F834A00205DFEF14DF69C484AAABFF1FB48324F18855BD456AB761CB71E882CB58

Uniqueness

Uniqueness Score: -1.00%

Function 03497728, Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.599279331.0000000003490000.00000040.00000001.sdmp, Offset: 03490000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 729a1253558d49d3f086141c93115d6f2fd892a308e0bb3bf131aa817efc195f
Instruction ID: 804b151419e2e0d615de93f4deb6f421ec2ebe121bc853121f2df7dde4d42921
Opcode Fuzzy Hash: 729a1253558d49d3f086141c93115d6f2fd892a308e0bb3bf131aa817efc195f
Instruction Fuzzy Hash: 1D311831910219CFEF15CF24C854ADABBB2BF85304F5184E6D909BF205DBB06A8ACF90

Uniqueness

Uniqueness Score: -1.00%

Function 03497378, Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.599279331.0000000003490000.00000040.00000001.sdmp, Offset: 03490000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a075899166e65cbea16c23199de4cb294f0c5ee16772284a6f70d1328a5827c
Instruction ID: 2c5e7f5a38c1a4efaf787b68ed4cf01a51826ad9b03ed57b8e312a5715865c96
Opcode Fuzzy Hash: 6a075899166e65cbea16c23199de4cb294f0c5ee16772284a6f70d1328a5827c
Instruction Fuzzy Hash: FA513C31B102158FDF18DBB9C4505AEBFF3AFC8310B24856AC80AAF345DA35AC42CB94

Uniqueness

Uniqueness Score: -1.00%

Function 03498288, Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.599279331.0000000003490000.00000040.00000001.sdmp, Offset: 03490000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12d8fb861e36bec3b273e4c7edd7e58fb9164fd12bd232f9bda8f34b0cdf6877
Instruction ID: e4d938ed256cf07b5826cc56d43f54399570243466067feef3bda13bacf959a3
Opcode Fuzzy Hash: 12d8fb861e36bec3b273e4c7edd7e58fb9164fd12bd232f9bda8f34b0cdf6877
Instruction Fuzzy Hash: A6518B31A04505CFDB24CBACC884AAEFBF1FF89314F14856BD52A9F651DB329842CB95

Uniqueness

Uniqueness Score: -1.00%

Function 03498438, Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.599279331.0000000003490000.00000040.00000001.sdmp, Offset: 03490000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3083a5cb597802cf52833c8ee779b646ebec65b7e24f560761dfb662d96de61d
Instruction ID: 7e9ba05b96c04804479aee396c6b816f010b7633ff5d5593001e476e5aebe3da
Opcode Fuzzy Hash: 3083a5cb597802cf52833c8ee779b646ebec65b7e24f560761dfb662d96de61d
Instruction Fuzzy Hash: DD510274D00218CFDB54CFA8C58469DBBF1FF49310F24896AD86AAB354E731694ACF84

Uniqueness

Uniqueness Score: -1.00%

Function 03490BC0, Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.599279331.0000000003490000.00000040.00000001.sdmp, Offset: 03490000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: baa08ffe0672ac262fd97bbf3f15b6dfaeef7aa2041a7869eb43d248407e5a2a
Instruction ID: a9ead276a393e1fc963f294c090a6164021b5546f769e43c7df418cc10705cfd
Opcode Fuzzy Hash: baa08ffe0672ac262fd97bbf3f15b6dfaeef7aa2041a7869eb43d248407e5a2a
Instruction Fuzzy Hash: 0C41C331B041049FDB19CF28C414AAE7BE6AFC9310F15816BE90AEF3A1CEB19C068791

Uniqueness

Uniqueness Score: -1.00%

Function 03495920, Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.599279331.0000000003490000.00000040.00000001.sdmp, Offset: 03490000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85466a99bdb26fd11499f455f47970f03782d6e01cffec64ca5cd1ab93d59b70
Instruction ID: 22705dd89070a9524d82dd3739d2e4799379c85e3c22a6701768381c94f6751a
Opcode Fuzzy Hash: 85466a99bdb26fd11499f455f47970f03782d6e01cffec64ca5cd1ab93d59b70
Instruction Fuzzy Hash: 454156307052019FFF16ABB5941823F3EAA9BC5650B2844ABD416DF344EE74CC428B99

Uniqueness

Uniqueness Score: -1.00%

Function 03496F02, Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.599279331.0000000003490000.00000040.00000001.sdmp, Offset: 03490000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48bd94a8e51e72dadf88685cafea134e53926326e25cd22a34fd27aebe4a6fcd
Instruction ID: 3f0ffc7112841ce8cb3d6ba6dc814537160ab15599907e01769240953cf317da
Opcode Fuzzy Hash: 48bd94a8e51e72dadf88685cafea134e53926326e25cd22a34fd27aebe4a6fcd
Instruction Fuzzy Hash: C6417B34A01210EF8B15EB79D46816E7BF2FBCD611354487EE80AAF391DB35AC45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 03496F08, Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.599279331.0000000003490000.00000040.00000001.sdmp, Offset: 03490000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3093190cd98c0acdc8e153c3f728e6bd3b19b46a768083bb45444fb623f1d6ae
Instruction ID: 532263808f07365b63207fc5d307cb0dbeb9168ab002ae54a854559629329743
Opcode Fuzzy Hash: 3093190cd98c0acdc8e153c3f728e6bd3b19b46a768083bb45444fb623f1d6ae
Instruction Fuzzy Hash: EB417934A01210AF8B15EB7AD46816E7BB6BBCD610354086AE90AAF381DB35AC45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0349B280, Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.599279331.0000000003490000.00000040.00000001.sdmp, Offset: 03490000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cc5aaea2aeff78ceffe9fa7f895fa38787e8ce2688d23802ab5d1f396eaa4df
Instruction ID: 4feaa31427178c3b78c44c928532e9cf23602caffffac3bbbd383016e688a3fb
Opcode Fuzzy Hash: 6cc5aaea2aeff78ceffe9fa7f895fa38787e8ce2688d23802ab5d1f396eaa4df
Instruction Fuzzy Hash: 5831F371A006658FDB14DBA9D5846AEFBF6FF88310B24446BE44ADBB50CB70EC42C794

Uniqueness

Uniqueness Score: -1.00%

Function 0349E698, Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.599279331.0000000003490000.00000040.00000001.sdmp, Offset: 03490000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7928a80da3954ca4b11eab5cc10f3e55a173f3ae7d935e8e6d8ba7a108096d03
Instruction ID: c0e9faeb39ffc28eca172bc1e061279b09c9c441a14b664496296d5794375a2e
Opcode Fuzzy Hash: 7928a80da3954ca4b11eab5cc10f3e55a173f3ae7d935e8e6d8ba7a108096d03
Instruction Fuzzy Hash: EC414D34504B50DFE739CB2AC944766BFF1BF85305F5888AFC0968ABA0C735A482CB01

Uniqueness

Uniqueness Score: -1.00%

Function 034902DA, Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.599279331.0000000003490000.00000040.00000001.sdmp, Offset: 03490000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ee91036e9683ad9fd499ac93dd7143d23db90efa2e8016b015de19edd519dc2
Instruction ID: e38d1b62b03b1d12c4aab4b1af29ef3cf21ec2835847b59b0d2ce8d6be57d47c
Opcode Fuzzy Hash: 9ee91036e9683ad9fd499ac93dd7143d23db90efa2e8016b015de19edd519dc2
Instruction Fuzzy Hash: 77413B30A01205CFEB58CF68C554BAEBBB2BF88710F14846BD516AF7A0DB71AC41CB55

Uniqueness

Uniqueness Score: -1.00%

Function 0349B408, Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.599279331.0000000003490000.00000040.00000001.sdmp, Offset: 03490000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c50a78e42851b70e93f167f5bb5b3aff68dc4b2f3a773f132e76ae4a9893b87b
Instruction ID: 7ffa59b9b860e943df9029930d939ecb3fb13ea9a999e2f030eb5e1e05e9286d
Opcode Fuzzy Hash: c50a78e42851b70e93f167f5bb5b3aff68dc4b2f3a773f132e76ae4a9893b87b
Instruction Fuzzy Hash: C1319076604390DFEB22CB68E900A1EBFA6FFC222071941AFD149DF641CB305802C3A5

Uniqueness

Uniqueness Score: -1.00%

Function 034945C8, Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.599279331.0000000003490000.00000040.00000001.sdmp, Offset: 03490000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc7d605a36756e1cad3ed45784287ca4033466564130436b330fa3e5eacf3a9f
Instruction ID: d3cc7923e791a03a3743da8c32a2eae2809cfe33a375893738da5a0d04a4f0a6
Opcode Fuzzy Hash: dc7d605a36756e1cad3ed45784287ca4033466564130436b330fa3e5eacf3a9f
Instruction Fuzzy Hash: 832195B1B0011A9FEF40DA96D841AFFBBBDEBC4240F104527D619DB350E6749D0687A5

Uniqueness

Uniqueness Score: -1.00%

Function 0349D040, Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.599279331.0000000003490000.00000040.00000001.sdmp, Offset: 03490000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfd9e617954a8fa23a34ca7558dc0fae1cf7689487da580641de24ccf5bf2677
Instruction ID: 5b875a2889e91ae3f573a35660f0d242f37c676f472dca780b84cf20dfdf744e
Opcode Fuzzy Hash: dfd9e617954a8fa23a34ca7558dc0fae1cf7689487da580641de24ccf5bf2677
Instruction Fuzzy Hash: 9B316D30E002059FEF18DFB5C8586AEBFB2AB89304F55892BC416AF344DB759842CB58

Uniqueness

Uniqueness Score: -1.00%

Function 0349E387, Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.599279331.0000000003490000.00000040.00000001.sdmp, Offset: 03490000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99f0d394a862a5b28ca8c1ad91af0169e70552bbf2b6f5482c8759f70a554938
Instruction ID: 843583139d2a15f520da7667b9390617fa2e5c6b02ad2199bed9177be63ea0e2
Opcode Fuzzy Hash: 99f0d394a862a5b28ca8c1ad91af0169e70552bbf2b6f5482c8759f70a554938
Instruction Fuzzy Hash: 14315E70B00205DFDB14DBA9C585AAEBBF6FF88210F50442AE516EB740DA75DC82CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 03497368, Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.599279331.0000000003490000.00000040.00000001.sdmp, Offset: 03490000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61522cfa1e22f3b80224602a5fc1d19e07f9d8fc02f6c594f8086c641e609149
Instruction ID: 0bb2cc3b34012946605198d824e44aea12eeb655e4dce0cdbd190a881c53259a
Opcode Fuzzy Hash: 61522cfa1e22f3b80224602a5fc1d19e07f9d8fc02f6c594f8086c641e609149
Instruction Fuzzy Hash: DD312831E102098FDF14DBB9C4549AEBFF2BFC8350B14856AC81AAF755DA31AD46CB90

Uniqueness

Uniqueness Score: -1.00%

Function 034943C0, Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.599279331.0000000003490000.00000040.00000001.sdmp, Offset: 03490000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9224811db4efd1027e6cbbf7c0de51ded1a267e09e2a2e2a56bb059385c65595
Instruction ID: c5a23680e1c138dda3503419ab20142fe48e2bfd50716d8b8117b0cd542d61af
Opcode Fuzzy Hash: 9224811db4efd1027e6cbbf7c0de51ded1a267e09e2a2e2a56bb059385c65595
Instruction Fuzzy Hash: 0231F331604105DFCB14EF68E85889E7FB2FF8431471089AAE8069F369DB35AD47CB90

Uniqueness

Uniqueness Score: -1.00%

Function 034950E0, Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.599279331.0000000003490000.00000040.00000001.sdmp, Offset: 03490000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 876979ed5a88949202f53d0da19388793b3cafd3641d6c2bc25bd768825642aa
Instruction ID: 239b8818b10fc0774db44e3f152230baf769197e303fa2c7852010859dbff48c
Opcode Fuzzy Hash: 876979ed5a88949202f53d0da19388793b3cafd3641d6c2bc25bd768825642aa
Instruction Fuzzy Hash: 51214A31E003099FEF05DFA9C4146AEBBB6AF89300F14486AD50AAF255EA749946CB81

Uniqueness

Uniqueness Score: -1.00%

Function 0349E228, Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.599279331.0000000003490000.00000040.00000001.sdmp, Offset: 03490000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5e91073912cf21606b3631cb47f3e07f84979fbad9896d99a3133e3e3a1a872
Instruction ID: 49b822bb617499c2a80336a09f1d718295168c9f7f499cda74e17a74a4811df8
Opcode Fuzzy Hash: d5e91073912cf21606b3631cb47f3e07f84979fbad9896d99a3133e3e3a1a872
Instruction Fuzzy Hash: FC312B31340701CFC799EB78885056A7BE3BFC53187A4996CD2869B794DEB6ED438B80

Uniqueness

Uniqueness Score: -1.00%

Function 034943D0, Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.599279331.0000000003490000.00000040.00000001.sdmp, Offset: 03490000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b90bb2402672b9be747365c9a4c7c6e283e3431c5f0736d81ed82e1d3663ae41
Instruction ID: 0dd3e91d73f4d5ea22ef59f29bdaaf9f8c3705768bd032b1b951759973d2c501
Opcode Fuzzy Hash: b90bb2402672b9be747365c9a4c7c6e283e3431c5f0736d81ed82e1d3663ae41
Instruction Fuzzy Hash: C931F431604105DFCB10EF68E85889D7FB2FF8831431488A6E9065F368DB35AD5ACB90

Uniqueness

Uniqueness Score: -1.00%

Function 0349E398, Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.599279331.0000000003490000.00000040.00000001.sdmp, Offset: 03490000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d67256b50c908295f5df124395adf03c1f1c544668fe9a7e4c6282f03a88c20
Instruction ID: 8e34bf12c0023848e8a031b49fab14b92c4f8a1336a40515d1478be313695452
Opcode Fuzzy Hash: 1d67256b50c908295f5df124395adf03c1f1c544668fe9a7e4c6282f03a88c20
Instruction Fuzzy Hash: 59312D30B00205CFDB54DFA9C544AAEBBF6BB88700B50453AD5169B790DA75EC42CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0349DF39, Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.599279331.0000000003490000.00000040.00000001.sdmp, Offset: 03490000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 228f5577913ed41dc94f09796c3eaae6288420a59bad3391b9a7054bfdb42ca7
Instruction ID: a11a9298c7d77ea7ea1491234665d9634e64ef060666fa78e3a44299753138ee
Opcode Fuzzy Hash: 228f5577913ed41dc94f09796c3eaae6288420a59bad3391b9a7054bfdb42ca7
Instruction Fuzzy Hash: B021B331B047159FEF289B79982487B7EAAEBCA220314457BE517CF384DE758C0287A5

Uniqueness

Uniqueness Score: -1.00%

Function 03495B51, Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.599279331.0000000003490000.00000040.00000001.sdmp, Offset: 03490000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff04321860861da645383b3f8307c69b753bac3d2d853a34a37902362c5c3acd
Instruction ID: b204ebca5d2150f88a14c5714211cdc4d236d13c29924bc0a3aec7a92d5e52d8
Opcode Fuzzy Hash: ff04321860861da645383b3f8307c69b753bac3d2d853a34a37902362c5c3acd
Instruction Fuzzy Hash: 0C21D072B002049FDF19EAB984505FEBEE6ABC9310F21447BD507EB380ED358C4687A4

Uniqueness

Uniqueness Score: -1.00%

Function 034955E8, Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.599279331.0000000003490000.00000040.00000001.sdmp, Offset: 03490000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e145ac5127e74ebc73610c39db28baeb89d2731b118f13c8f67cf8888a7c1d2
Instruction ID: 61c99586f65343fa4e12f2193292d8f15b8a967ad9ee22d76c5248bc10a0b2d1
Opcode Fuzzy Hash: 1e145ac5127e74ebc73610c39db28baeb89d2731b118f13c8f67cf8888a7c1d2
Instruction Fuzzy Hash: 78219130B102059BEB15AA78C4557BE7EE6AB88720F2800ABE506EB390DEB14D418795

Uniqueness

Uniqueness Score: -1.00%

Function 034950D0, Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.599279331.0000000003490000.00000040.00000001.sdmp, Offset: 03490000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9726bcc28c593a9f639265e168a9993636ec3f189b2c26c0a80ff026670aec72
Instruction ID: 377c7c877599db34568696bbe0dbf3225aac068c2b6bf68cf5407e8a6bfa1800
Opcode Fuzzy Hash: 9726bcc28c593a9f639265e168a9993636ec3f189b2c26c0a80ff026670aec72
Instruction Fuzzy Hash: 64217F31E003099FEF01CFA4D4555DEBBB1EF89310F214867C909AF215D730A946CB81

Uniqueness

Uniqueness Score: -1.00%

Function 034989E0, Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.599279331.0000000003490000.00000040.00000001.sdmp, Offset: 03490000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72b435b290ca4b88f62b85cdcc55bf93be598ad6997c07f48596455db644fd63
Instruction ID: 854a9cbafe3a74e2e30e36915d514642c74482d753a82dd118a7afa45405d77c
Opcode Fuzzy Hash: 72b435b290ca4b88f62b85cdcc55bf93be598ad6997c07f48596455db644fd63
Instruction Fuzzy Hash: 06317C70D04249DFEF44CBB8C5457AEBFB1EB42300F1844ABD812AF391E6359A42CB56

Uniqueness

Uniqueness Score: -1.00%

Function 0349D590, Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.599279331.0000000003490000.00000040.00000001.sdmp, Offset: 03490000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d1fc3f325b53599047ae4f6345670dcf73d75b64db6936dec01fb8bd3ce9303
Instruction ID: 25ea8a8dc3c3f777dfe6327ca8a1a637796df764d70d012b7edcf00c506a9757
Opcode Fuzzy Hash: 2d1fc3f325b53599047ae4f6345670dcf73d75b64db6936dec01fb8bd3ce9303
Instruction Fuzzy Hash: 852162706053418FCB4A9B2898585697FB1FB8631832489AEE94ACF395CF769C07CB90

Uniqueness

Uniqueness Score: -1.00%

Function 03498851, Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.599279331.0000000003490000.00000040.00000001.sdmp, Offset: 03490000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 965e9494cf0a080143af2b880edd65f20f756270e838a1a063e3f019241435b5
Instruction ID: 6ff56881ece703bf76655afefe3aa887db95bb319acfa8dc5c5d931e3e869b38
Opcode Fuzzy Hash: 965e9494cf0a080143af2b880edd65f20f756270e838a1a063e3f019241435b5
Instruction Fuzzy Hash: 0C216B30B14200CFDB48EB78E45992D3FE6EBC9211751886BE41ADB390EF359C42CB52

Uniqueness

Uniqueness Score: -1.00%

Function 0349AA78, Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.599279331.0000000003490000.00000040.00000001.sdmp, Offset: 03490000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cdce24b6d755bdef0a90f5c69b30436b6259b4ca39c4340ede463043deaeb06
Instruction ID: 9a2c8bcce0cc553911233c898d709ab98c742d642a178297a9f81f13c3518c50
Opcode Fuzzy Hash: 7cdce24b6d755bdef0a90f5c69b30436b6259b4ca39c4340ede463043deaeb06
Instruction Fuzzy Hash: 47216031B0024A9FDF14DFB4D9409AEBBF6FB88600B50496BD116AF644EB70A846CB94

Uniqueness

Uniqueness Score: -1.00%

Function 03496D36, Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.599279331.0000000003490000.00000040.00000001.sdmp, Offset: 03490000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca76b6192f1a9886e6f51edd5fd98ad76eee8810f9b7b41140a4336309d0d2aa
Instruction ID: f31a3dd1d4b23c970bc467bb64b3b605d0bead8f813e78d790f354aa133a48ac
Opcode Fuzzy Hash: ca76b6192f1a9886e6f51edd5fd98ad76eee8810f9b7b41140a4336309d0d2aa
Instruction Fuzzy Hash: 8E3127342103168FCB19EB38D46845D7FA6EB862583948A6DE50B8F384DF759C47CB91

Uniqueness

Uniqueness Score: -1.00%

Function 034921E9, Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.599279331.0000000003490000.00000040.00000001.sdmp, Offset: 03490000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e3530e426110c749796b49e8228412922d2eac8f296a3f3a480f78d51a8f8dd
Instruction ID: 6802adc96157cd1cf77178c9bd1fbed53eecc68f7fc046168a55aaaa40b8027c
Opcode Fuzzy Hash: 9e3530e426110c749796b49e8228412922d2eac8f296a3f3a480f78d51a8f8dd
Instruction Fuzzy Hash: 07311A30D0820DEFEF54DFA4C5456AEBFB1FB85300F14486BC412AF2A4D6B59A46CB56

Uniqueness

Uniqueness Score: -1.00%

Function 034925DE, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.599279331.0000000003490000.00000040.00000001.sdmp, Offset: 03490000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2d64292bc535272313c0552700290588cc2b600bb54427c8278187295b68da2
Instruction ID: 2091f363a54bad959f322d163a69de90b90d903eb001303b1e33b62087e370d8
Opcode Fuzzy Hash: b2d64292bc535272313c0552700290588cc2b600bb54427c8278187295b68da2
Instruction Fuzzy Hash: 68317A30A04249CFEB60DF65D44469ABFF2FF84324F14C96AC005AF259DBB49989CF85

Uniqueness

Uniqueness Score: -1.00%

Function 03498DF6, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.599279331.0000000003490000.00000040.00000001.sdmp, Offset: 03490000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d3652587ea3e7c44e2c6f972c78df0dad2a6abae28ae80c5d34b2c9df2034a9
Instruction ID: 2c77bf7655035ef5b5cf9aae6efb1da44188d563b78d112391a43ecf8f48081d
Opcode Fuzzy Hash: 1d3652587ea3e7c44e2c6f972c78df0dad2a6abae28ae80c5d34b2c9df2034a9
Instruction Fuzzy Hash: 48313A30E11205DFEF60DF69D44465EBFA2BF8A314F14896BD005AF390DBB4948ACB85

Uniqueness

Uniqueness Score: -1.00%

Function 0349B271, Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.599279331.0000000003490000.00000040.00000001.sdmp, Offset: 03490000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2fe52ed89101adccd15bb0fc92f3856a4fd7aea35d2eea62851bcc87fe428dd
Instruction ID: a581ddef73c35597d8da28064bdd8fe4572e3f96d11494b63ada87442f806cb4
Opcode Fuzzy Hash: d2fe52ed89101adccd15bb0fc92f3856a4fd7aea35d2eea62851bcc87fe428dd
Instruction Fuzzy Hash: 7421BEB1A0466A9FCB04CB99D8544AEFBF6FB89200B14816AE859EB351D730AC01CB94

Uniqueness

Uniqueness Score: -1.00%

Function 03495831, Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.599279331.0000000003490000.00000040.00000001.sdmp, Offset: 03490000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b55ece55b717b55c520300c62afe55343d2a19c760d8cc411a491a7d89cea0c3
Instruction ID: 441f71705ae210a85641b63c216116ca5c5f3c0964a471dc39f2510cb115db22
Opcode Fuzzy Hash: b55ece55b717b55c520300c62afe55343d2a19c760d8cc411a491a7d89cea0c3
Instruction Fuzzy Hash: 5211F3357112049FEF08E7BA845097FBFAAAFCA210B6009BF80169F291DD718C018794

Uniqueness

Uniqueness Score: -1.00%

Function 0349AA69, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.599279331.0000000003490000.00000040.00000001.sdmp, Offset: 03490000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23b1f7496898ed0f0fe34d6c7573d0bbede7eba1ef7ae0d115785aa38c18b07d
Instruction ID: 85aa7d1989eadc5e2ded9df3d383a96a114260d3646690813d71ed24e411abbe
Opcode Fuzzy Hash: 23b1f7496898ed0f0fe34d6c7573d0bbede7eba1ef7ae0d115785aa38c18b07d
Instruction Fuzzy Hash: A611A570B102459FEF14DBB4D941AAEBBF6EB84200B14456BD516AF244EB60D84687A8

Uniqueness

Uniqueness Score: -1.00%

Function 03494F10, Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.599279331.0000000003490000.00000040.00000001.sdmp, Offset: 03490000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fdf571011b022019e35637211fe7f186402709920f956032fdd8e353d8d948fa
Instruction ID: 4ed83081f9e23708e61849cedf2b0086183cb6c376b760d0c6206fb58231f1c6
Opcode Fuzzy Hash: fdf571011b022019e35637211fe7f186402709920f956032fdd8e353d8d948fa
Instruction Fuzzy Hash: 1D11AE312182068FEB04DA66E8A49793F56FBC0391710892BE8128F74CDB745C03C799

Uniqueness

Uniqueness Score: -1.00%

Function 03495840, Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.599279331.0000000003490000.00000040.00000001.sdmp, Offset: 03490000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ef16690867def438ade2d47d924e46bbd756e4410fe4d213a4e3186452029f0
Instruction ID: d86edb80acd737e558106f2dfe0370bee198114c36369c117863cf63e826cfa4
Opcode Fuzzy Hash: 4ef16690867def438ade2d47d924e46bbd756e4410fe4d213a4e3186452029f0
Instruction Fuzzy Hash: 8F11D335701214AFEF08E7BA845497FBEEAAFCA214B60497F90169F390DD718C0147A4

Uniqueness

Uniqueness Score: -1.00%

Function 034948B9, Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.599279331.0000000003490000.00000040.00000001.sdmp, Offset: 03490000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d58ccd096082366fe1a5cc84531fee2b618af9046bb50c2ba53ad0109ea729e3
Instruction ID: dd0fd51c455e552c1963ec94d0d91979f746f4124932c07b9fc995d0ccdc31af
Opcode Fuzzy Hash: d58ccd096082366fe1a5cc84531fee2b618af9046bb50c2ba53ad0109ea729e3
Instruction Fuzzy Hash: E111E672A08115ABDF09DE79C8504FEBFBAABC9310B04442BD502BB351ED205A078B95

Uniqueness

Uniqueness Score: -1.00%

Function 034921F8, Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.599279331.0000000003490000.00000040.00000001.sdmp, Offset: 03490000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9a0288ef776f7ca9d55d2c208b2a40bef05ce0a7131ad6c618057ed5b9f3c92
Instruction ID: a6611141214b2e081303d594c8727c66d84544785024215ce7474ce0ee7530e8
Opcode Fuzzy Hash: c9a0288ef776f7ca9d55d2c208b2a40bef05ce0a7131ad6c618057ed5b9f3c92
Instruction Fuzzy Hash: B821F830E0820EEFEF54DFA4C1456BEBFB5BB84300F50486BC416AF294D6B59A45CB96

Uniqueness

Uniqueness Score: -1.00%

Function 03495000, Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.599279331.0000000003490000.00000040.00000001.sdmp, Offset: 03490000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 622d374a341e131f3a7b356a6a545b21bc08eabe8031084a33575a708453a0fa
Instruction ID: 917e717217c3cce748fa47be980bc90768697c583bad347eb3bab554df416970
Opcode Fuzzy Hash: 622d374a341e131f3a7b356a6a545b21bc08eabe8031084a33575a708453a0fa
Instruction Fuzzy Hash: 2311D231A012158FDF45EBB8D86026E7FE1EB85200B6545BBC91AAF340DF309C02CBD9

Uniqueness

Uniqueness Score: -1.00%

Function 03494511, Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.599279331.0000000003490000.00000040.00000001.sdmp, Offset: 03490000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e57935f994dcff26755d015d9fdd0a1f76c8f821964838eccd046618e852eff2
Instruction ID: 245d7f2b3b1213d5c03685b316beb41172cce1ec428642538ce2e564126ee8d6
Opcode Fuzzy Hash: e57935f994dcff26755d015d9fdd0a1f76c8f821964838eccd046618e852eff2
Instruction Fuzzy Hash: CA112032E045009BEF14CAAAD4102EFBBA69FC9321F04013FAE06DF380DE619C06CB84

Uniqueness

Uniqueness Score: -1.00%

Function 03496BD0, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.599279331.0000000003490000.00000040.00000001.sdmp, Offset: 03490000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c9957281f323193c9d078b0b0cb8928dfc1c0ac38da1304dbced46e156d4f53
Instruction ID: dce7a0b6ad3da26e6024e03cb11aea5c1991c6b4276d5883395b75bcd52f83e9
Opcode Fuzzy Hash: 9c9957281f323193c9d078b0b0cb8928dfc1c0ac38da1304dbced46e156d4f53
Instruction Fuzzy Hash: C411B175A002089FDF50DFA8D854AEEBFF1FB88320F2544ABD509EB261D7358911CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0349CAB8, Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.599279331.0000000003490000.00000040.00000001.sdmp, Offset: 03490000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d919a5fb08ac3fef05ea34eeba156106ea82819f0b6940a51612f3019f8c661
Instruction ID: 6109287d26fba1ec90c6e794a1c0e03e46fc91df3e80fa29dccec30eaebdd88d
Opcode Fuzzy Hash: 0d919a5fb08ac3fef05ea34eeba156106ea82819f0b6940a51612f3019f8c661
Instruction Fuzzy Hash: A4115430B40111AFDB48EB69D494A6EBBE7DFC8650718806BD50ADF391DF31AC12C799

Uniqueness

Uniqueness Score: -1.00%

Function 0338087C, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.599148387.0000000003380000.00000040.00000040.sdmp, Offset: 03380000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e96d13e2158bf7a9545847e1bc992acda1a5abab0405e7306f614a7544f8967
Instruction ID: bb27458b819365b14aa883d48498b1e724d87b105bfd6418d670a81ff4326e7f
Opcode Fuzzy Hash: 8e96d13e2158bf7a9545847e1bc992acda1a5abab0405e7306f614a7544f8967
Instruction Fuzzy Hash: 45110634204384EFE709EB24C9C0B26FBD5AB88708F28C99CE9494B653C777D847CA91

Uniqueness

Uniqueness Score: -1.00%

Function 0349CBE8, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.599279331.0000000003490000.00000040.00000001.sdmp, Offset: 03490000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7e6829e74a589ba5e013b26fe270c0f9109c1dba9fd1de88a56bad2dbcbedb5
Instruction ID: 72963cb35c2fa0766077995b3dd1669e7f798d8a5cf6fec239fcc04aa49b3d86
Opcode Fuzzy Hash: f7e6829e74a589ba5e013b26fe270c0f9109c1dba9fd1de88a56bad2dbcbedb5
Instruction Fuzzy Hash: C011BF30308201CBEE29E738919453EBFE69BC6644384886FD11B9F380DF62EC43875A

Uniqueness

Uniqueness Score: -1.00%

Function 03380846, Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.599148387.0000000003380000.00000040.00000040.sdmp, Offset: 03380000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13e16c4cfdeba80ae7642850b8f651e120e857ff1704fa54865445bd73fc0464
Instruction ID: d52165b3905fbc35d55526379dd8e6fbb46e7ec8ccc70e777397ced36644a06f
Opcode Fuzzy Hash: 13e16c4cfdeba80ae7642850b8f651e120e857ff1704fa54865445bd73fc0464
Instruction Fuzzy Hash: FF216D7550D3C4AFD717DB20C990B15BFB1AB87204F2D85EAD4859B6A3C33A881BCB52

Uniqueness

Uniqueness Score: -1.00%

Function 03495730, Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.599279331.0000000003490000.00000040.00000001.sdmp, Offset: 03490000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1639d795eccc22186d4e5009aa4d13dda708c8380cf7c764cf7c08c09bc9951
Instruction ID: 28cc94845747cea90ba349cda91f9cbaaaedbf0505ef7bef9be2f171c0167a85
Opcode Fuzzy Hash: a1639d795eccc22186d4e5009aa4d13dda708c8380cf7c764cf7c08c09bc9951
Instruction Fuzzy Hash: BB118C71A54209CFEB15DF74E8506AE7BB2FB85380F2005ABC815EA280E7369D02CB94

Uniqueness

Uniqueness Score: -1.00%

Function 03499EC8, Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.599279331.0000000003490000.00000040.00000001.sdmp, Offset: 03490000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff7f2d83a22ee5a8666b9a45da6a365f8a34b735b579e29b09db68d1c6f902dc
Instruction ID: 3e96f0d75c0ae2755b191869419199431d2edbcf2f76ac7ae9277164b13d2d8a
Opcode Fuzzy Hash: ff7f2d83a22ee5a8666b9a45da6a365f8a34b735b579e29b09db68d1c6f902dc
Instruction Fuzzy Hash: 4F012D34B042808FCB88E7BC946897D7FEADF8D55131584AEE50ACF3A2DE648C4A8751

Uniqueness

Uniqueness Score: -1.00%

Function 0349A9D0, Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.599279331.0000000003490000.00000040.00000001.sdmp, Offset: 03490000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 945e655761736aabe8ae4181f10f3dc23468e16a0cc9b222bc497260f1cc5241
Instruction ID: 84472fe1edbe06804543c2e388124e1d2bb19ba005b497827167f0c8132cee14
Opcode Fuzzy Hash: 945e655761736aabe8ae4181f10f3dc23468e16a0cc9b222bc497260f1cc5241
Instruction Fuzzy Hash: 7F01AD306041849FEB15DB648A59ABFBFF5DB85204F28945BC426AF642DA60AC038BD9

Uniqueness

Uniqueness Score: -1.00%

Function 03498428, Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.599279331.0000000003490000.00000040.00000001.sdmp, Offset: 03490000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a157e9fc9c2ddc189247631a6f2e4a7dd22693e97cea4e5c798563308f3ece99
Instruction ID: 139c86146c26350b476366caaf49902ef8bf05b4fc51fa950a69864c715786cf
Opcode Fuzzy Hash: a157e9fc9c2ddc189247631a6f2e4a7dd22693e97cea4e5c798563308f3ece99
Instruction Fuzzy Hash: 46118C71904104DFEF15CBACD448AEABFF1EF8A310F1444ABD501AB2A1D7365D4ACB91

Uniqueness

Uniqueness Score: -1.00%

Function 034911DF, Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.599279331.0000000003490000.00000040.00000001.sdmp, Offset: 03490000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51fa7f41b3d899d5e843047e72e2633623b8602367f86a0ed3e1de8ce4df91ec
Instruction ID: 9e52270bca5c76c4e3a24fc1a951acd5d1a8feb161cb3f64cb14bd195cd7293b
Opcode Fuzzy Hash: 51fa7f41b3d899d5e843047e72e2633623b8602367f86a0ed3e1de8ce4df91ec
Instruction Fuzzy Hash: EB116130708140CFDB45E728D46896A7FE5AFD670072541EBD416DF3B1CA659C0A9B46

Uniqueness

Uniqueness Score: -1.00%

Function 034954F8, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.599279331.0000000003490000.00000040.00000001.sdmp, Offset: 03490000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ef2b270382037530acad2bd283e9b9e2a6666739fbfcbb49828c7d9f9880219
Instruction ID: 319e6206fae0395224bf27f7790e4c8981113ee18c95cc06d2fe8fe256f78ef0
Opcode Fuzzy Hash: 2ef2b270382037530acad2bd283e9b9e2a6666739fbfcbb49828c7d9f9880219
Instruction Fuzzy Hash: 06119A70A512048FDB58EFB8E858AAE3FB6EBC8350B10482BC406DB395DB345842CBC0

Uniqueness

Uniqueness Score: -1.00%

Function 0191AE4C, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.598179451.0000000001912000.00000040.00000001.sdmp, Offset: 01912000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e4e7d249b3abea1d067f8f366e726626a05b9c06602e63d88c0df5b2a45059e
Instruction ID: 012f5934ada89fad4b03f24c952ea7b9353880d51a5615ea68d6028274a354ed
Opcode Fuzzy Hash: 7e4e7d249b3abea1d067f8f366e726626a05b9c06602e63d88c0df5b2a45059e
Instruction Fuzzy Hash: 3511ECB5608301AFD350CF19DC80E57FBE8EB88660F14891EFD9897311D271E9048BA2

Uniqueness

Uniqueness Score: -1.00%

Function 03494FF0, Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.599279331.0000000003490000.00000040.00000001.sdmp, Offset: 03490000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8427f14205d9bd53b5c4867d1f06bc0ea06b7b575d586076a7b2f818779c3d51
Instruction ID: c0748078efb85d807e5a30b5e4e5d9fa112aaa20acf160a783203314efcf5174
Opcode Fuzzy Hash: 8427f14205d9bd53b5c4867d1f06bc0ea06b7b575d586076a7b2f818779c3d51
Instruction Fuzzy Hash: 96019271E152058FDF41EAB898512AE7FF1EB86250B6545B7C929EB240EB304902CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 0349238F, Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.599279331.0000000003490000.00000040.00000001.sdmp, Offset: 03490000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d1a064151affe9d64ccd170b679a88d5b0bbed37b1a49b53067d1ea22180e7a
Instruction ID: 064431bbd33845b19f1085ea49079485dde2bec9e764e9c4335a38796efeef9f
Opcode Fuzzy Hash: 1d1a064151affe9d64ccd170b679a88d5b0bbed37b1a49b53067d1ea22180e7a
Instruction Fuzzy Hash: 39113670944219EFEF28CF64C954AAEBFB1FB48340F10486BC526AB345DBB11842CB94

Uniqueness

Uniqueness Score: -1.00%

Function 03499D37, Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.599279331.0000000003490000.00000040.00000001.sdmp, Offset: 03490000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c65cd7832354fabbb3a6e3aea0cbdcb692d6820d8c52fb4242cfaf300893ce57
Instruction ID: 5cb79a022c32bf8d8fd17e89a589b40389c8fc895f55b824491936d6fc3eabee
Opcode Fuzzy Hash: c65cd7832354fabbb3a6e3aea0cbdcb692d6820d8c52fb4242cfaf300893ce57
Instruction Fuzzy Hash: 7901D735B005008FCF88E7BC9468A6D3BE6EF8D655711446EE10ADB365EE318D468B45

Uniqueness

Uniqueness Score: -1.00%

Function 0349DF48, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.599279331.0000000003490000.00000040.00000001.sdmp, Offset: 03490000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa2849612c40ca52e8914b870a229ee3d345c0b85b4a091e78940e0332d04df8
Instruction ID: b8ed522dd80998c32310ecf30b8660b451b7a3c33fff889ea8e1a49980ab18ce
Opcode Fuzzy Hash: fa2849612c40ca52e8914b870a229ee3d345c0b85b4a091e78940e0332d04df8
Instruction Fuzzy Hash: 3A01A735700225AFDF146BB9941892F7EAAFFC9624710443FE50ACB384DD758C41C3A4

Uniqueness

Uniqueness Score: -1.00%

Function 03495740, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.599279331.0000000003490000.00000040.00000001.sdmp, Offset: 03490000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b66402886bb6959b474c190ddf219684c5bc6b411990ed959c6304532157a1d
Instruction ID: e0743628d00e8eec6a5ca954a859dce39c3c0cf61832e9479a86b61944b6c562
Opcode Fuzzy Hash: 1b66402886bb6959b474c190ddf219684c5bc6b411990ed959c6304532157a1d
Instruction Fuzzy Hash: 71117C30A00208CFEB15DF74E9506AE7BB6EB85380F2005ABC915AE384E7359D42CB94

Uniqueness

Uniqueness Score: -1.00%

Function 03494789, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.599279331.0000000003490000.00000040.00000001.sdmp, Offset: 03490000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40991b6bfc7adcb2e1869e6116017a42017be0bd6718c5fc8b62bbd71e3ffc44
Instruction ID: 4d5ea9ca6eb024a5ba9143773d10f1649b5812ad259df44e91f267aae2857213
Opcode Fuzzy Hash: 40991b6bfc7adcb2e1869e6116017a42017be0bd6718c5fc8b62bbd71e3ffc44
Instruction Fuzzy Hash: 6A0140B1F001098FCB54EF78D4446AE7BF2EBD9310F10443BC009E7280EA354A468B91

Uniqueness

Uniqueness Score: -1.00%

Function 0349A9E0, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.599279331.0000000003490000.00000040.00000001.sdmp, Offset: 03490000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b95be24c5779ea28a290801b170511fc9c9186af66a66c5c7441d8265311769
Instruction ID: bf7bc63c1c1bc54f5c4889925de6934a7dffe489a41598a6a6e09b693d63e9de
Opcode Fuzzy Hash: 8b95be24c5779ea28a290801b170511fc9c9186af66a66c5c7441d8265311769
Instruction Fuzzy Hash: 5401DE31A041848BEF14CA54CA44ABFBFB1DB84214F14846FC427AB241DF716D028B89

Uniqueness

Uniqueness Score: -1.00%

Function 0349B3C0, Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.599279331.0000000003490000.00000040.00000001.sdmp, Offset: 03490000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7ce13fc728bd35a95aa32dfc24caee8f0f2c7bcca3dc085b4f3b6d662b03824
Instruction ID: 810d1b27063ed496cbf5bcb57e43ad7c0142cabcd027b549db0464e3774015e2
Opcode Fuzzy Hash: b7ce13fc728bd35a95aa32dfc24caee8f0f2c7bcca3dc085b4f3b6d662b03824
Instruction Fuzzy Hash: D6016D31504B40CFE730CF6AA540556FBE6FFC8221364896FE08ACAE14D7B0E8818B54

Uniqueness

Uniqueness Score: -1.00%

Function 03499D48, Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.599279331.0000000003490000.00000040.00000001.sdmp, Offset: 03490000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e4b5640537111ddf1b3328f93394c711ab619d1b4a25a5cec9d31962199c105
Instruction ID: 8e3f3bee73536f99959125b6b1a1c5ed50087669700de3c287608e5ab5da2a61
Opcode Fuzzy Hash: 3e4b5640537111ddf1b3328f93394c711ab619d1b4a25a5cec9d31962199c105
Instruction Fuzzy Hash: 6F010834B001408F8F88E7BD906896D3FEADFCD651351406EE10ACF364EE209C468B95

Uniqueness

Uniqueness Score: -1.00%

Function 0349ADFF, Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.599279331.0000000003490000.00000040.00000001.sdmp, Offset: 03490000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ebc4b6d1bff8b24a9c335a25dc8ce5269447ef52b21ff23240715f650594ddb
Instruction ID: 81c237e6281d13c9d0c57701b15b06356b3bffa5a93399ffdcf8972509b17437
Opcode Fuzzy Hash: 7ebc4b6d1bff8b24a9c335a25dc8ce5269447ef52b21ff23240715f650594ddb
Instruction Fuzzy Hash: CD01BC30A04200CFDB01EB34D81546C7FA6EB8921071889BBE90ACB361DF319C0787A6

Uniqueness

Uniqueness Score: -1.00%

Function 034905B9, Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.599279331.0000000003490000.00000040.00000001.sdmp, Offset: 03490000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 672b94c8939f077e8470bedafcc13694ef9dcaaa9cbdb576e62d5825bc4fc25c
Instruction ID: 4416e7f0eeb34916c7a907a861e21bc412abccd454ff7506628cab766184bb2f
Opcode Fuzzy Hash: 672b94c8939f077e8470bedafcc13694ef9dcaaa9cbdb576e62d5825bc4fc25c
Instruction Fuzzy Hash: 3B01F4707002590BCB1A6B7D54206BF67DB6BC5644714402FD00ADF3D4DE658C0343DA

Uniqueness

Uniqueness Score: -1.00%

Function 0349AC80, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.599279331.0000000003490000.00000040.00000001.sdmp, Offset: 03490000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67965119a7333deb00cc0d03d569a0091bd643ee68a61d9a0e8177c70aa7ccfb
Instruction ID: 64ca58db8853f53b42cf42de2639d0d39b1297f41e805f6306bbb5f0111eb928
Opcode Fuzzy Hash: 67965119a7333deb00cc0d03d569a0091bd643ee68a61d9a0e8177c70aa7ccfb
Instruction Fuzzy Hash: D1018F74E012049FEF50EB7999067AEBFF8EB44210F20456BD955E7240EB345941CBE2

Uniqueness

Uniqueness Score: -1.00%

Function 0349AC90, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.599279331.0000000003490000.00000040.00000001.sdmp, Offset: 03490000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bcee994d1181b2fba3d10735f8cccf62a38575474d1fcc4de5a2e8949d70395e
Instruction ID: b0145f91c143410aafbd4d2486e9b93360dcd3f3f35672c8cec36cd5c50a867c
Opcode Fuzzy Hash: bcee994d1181b2fba3d10735f8cccf62a38575474d1fcc4de5a2e8949d70395e
Instruction Fuzzy Hash: 20014B71E002098FDF50EBB9A8057AEBFF4EB84211F10457BDA18E7240EB355901CBE2

Uniqueness

Uniqueness Score: -1.00%

Function 033805CF, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.599148387.0000000003380000.00000040.00000040.sdmp, Offset: 03380000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 105a6ce45cb8cc6720da2addebd77fc33e823a9f5e22c65cdb70b521cb440e1a
Instruction ID: 18550f8cd7401504eda03a1c616dfe79a50182071964cf38f93e69069fa2a86d
Opcode Fuzzy Hash: 105a6ce45cb8cc6720da2addebd77fc33e823a9f5e22c65cdb70b521cb440e1a
Instruction Fuzzy Hash: 4701D6765097806FD7128F06EC41862FFB8EF86220748C09FED498B712D225B918CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 03496BE0, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.599279331.0000000003490000.00000040.00000001.sdmp, Offset: 03490000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2b3cfce047ce7a95d286c92c23e984f8841aad07b27ce6266e2a782e76e0e81
Instruction ID: a5893c95b098be3163096e934fd9957914cbc6e7f4aa8a9154501923f5ab8d08
Opcode Fuzzy Hash: c2b3cfce047ce7a95d286c92c23e984f8841aad07b27ce6266e2a782e76e0e81
Instruction Fuzzy Hash: F8018F71A002089FDF50DB79D8507AEBFF4EB84260F60053BD908DB280E7345941CBD4

Uniqueness

Uniqueness Score: -1.00%

Function 03499E4A, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.599279331.0000000003490000.00000040.00000001.sdmp, Offset: 03490000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7f178dddb5404744f88a11b34c882ad9670085d1fab80696c832309873f7ad9
Instruction ID: c4a7a0bc4dfd360af3dc00b120de76167f993fef988cf18fd5252bf4f15ac194
Opcode Fuzzy Hash: e7f178dddb5404744f88a11b34c882ad9670085d1fab80696c832309873f7ad9
Instruction Fuzzy Hash: 22018C347041408FDB49E3BC8468A7C3FE6DF8E95131640AEE50ADF3A1DE248C4A87A2

Uniqueness

Uniqueness Score: -1.00%

Function 034905C8, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.599279331.0000000003490000.00000040.00000001.sdmp, Offset: 03490000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ddbdc590c40a3ef084577b39159f5e53d756f0479035c025e9571c1e34c48cb
Instruction ID: 53e422f21fe169cedd4419a619f07c29281c778632e6d3ed0f9666196d6f7114
Opcode Fuzzy Hash: 6ddbdc590c40a3ef084577b39159f5e53d756f0479035c025e9571c1e34c48cb
Instruction Fuzzy Hash: F1F09A707002290BCB09BB7E94116BF66DBABC5A94754802BD10ADF3D4CEA58C4343EA

Uniqueness

Uniqueness Score: -1.00%

Function 03491218, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.599279331.0000000003490000.00000040.00000001.sdmp, Offset: 03490000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aec50aee50a287f11fe77915a4040f7987bee45537066076c68f0cf3536aebd8
Instruction ID: d2caaa1648aea1ff9c245ce35855efdbec2e59cef5edeb29719da7796f5fe727
Opcode Fuzzy Hash: aec50aee50a287f11fe77915a4040f7987bee45537066076c68f0cf3536aebd8
Instruction Fuzzy Hash: 79011D30304111CFDA44EB2CD05896A7BEABFC965072441ABE516DF764CFB59C0A8786

Uniqueness

Uniqueness Score: -1.00%

Function 03498770, Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.599279331.0000000003490000.00000040.00000001.sdmp, Offset: 03490000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53b195122ba3b7cd8f392217b007c5fdfd5f17e8e1768c94b976ac61bbce375d
Instruction ID: 34077532d734b42cbd57bde6fe3aee5e667e5b89cb9ba4a1cfb1114015a49322
Opcode Fuzzy Hash: 53b195122ba3b7cd8f392217b007c5fdfd5f17e8e1768c94b976ac61bbce375d
Instruction Fuzzy Hash: B301C2B4E052089FDB04CFA9D880AAEBFF1EF99300F1081AAD814A7315D7346A41CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0349AE10, Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.599279331.0000000003490000.00000040.00000001.sdmp, Offset: 03490000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b50bbb47ee60a1ea362747c7c70b2f0ecc237fc86942c8470217347c609c711
Instruction ID: 69c124a3ef96e7a40fc33fb0745f1f275f6167fc48338fb6c2448286cdaa83bf
Opcode Fuzzy Hash: 2b50bbb47ee60a1ea362747c7c70b2f0ecc237fc86942c8470217347c609c711
Instruction Fuzzy Hash: BAF03131B00201CFCA04EB78D41955D7FE6EBC9254754857BE50ACB354EF719C038795

Uniqueness

Uniqueness Score: -1.00%

Function 0349E639, Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.599279331.0000000003490000.00000040.00000001.sdmp, Offset: 03490000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c6fed4f13cea056b8b9b1e25696cb8b41fff21fa2f2bf0e8dce22c177c15f73
Instruction ID: 42a3db8d6b14c587287b55af141b23af21091a8fee71c05535555b1974523f02
Opcode Fuzzy Hash: 0c6fed4f13cea056b8b9b1e25696cb8b41fff21fa2f2bf0e8dce22c177c15f73
Instruction Fuzzy Hash: D8F0E96260A3505BFF21C56858447B65E4C9751120F4901B7E96BCF262D8504C87C3B6

Uniqueness

Uniqueness Score: -1.00%

Function 03499DDA, Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.599279331.0000000003490000.00000040.00000001.sdmp, Offset: 03490000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1ea4e0a52651bccdefe4a269efdda5b3f68beebf7eea519f9154479ac158956
Instruction ID: 2a5818fd66cd3444be08dea1de12bc9250ecea3d4f6b38dd200d7ac4a2563d41
Opcode Fuzzy Hash: d1ea4e0a52651bccdefe4a269efdda5b3f68beebf7eea519f9154479ac158956
Instruction Fuzzy Hash: 04F06D35B052808FDF49E7B89469A7D3FFADF8A50131540AEE80ADF3A1DE344D4A8761

Uniqueness

Uniqueness Score: -1.00%

Function 0349A3D1, Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.599279331.0000000003490000.00000040.00000001.sdmp, Offset: 03490000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c45cdbf2bd8e1776bff2a60c57f2d8a63be419f0a090109916c40d02c8facf6f
Instruction ID: 034aa2b8610061c228f731c954b7a8ad2eb7eda936d2cb7f6b7ed1ee2aee4a49
Opcode Fuzzy Hash: c45cdbf2bd8e1776bff2a60c57f2d8a63be419f0a090109916c40d02c8facf6f
Instruction Fuzzy Hash: 67F0AF32605300CFCB05DB68E4195687FF6AECA22535D80ABD00ACF692DE3198078791

Uniqueness

Uniqueness Score: -1.00%

Function 03499E58, Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.599279331.0000000003490000.00000040.00000001.sdmp, Offset: 03490000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03515e0d5f373a1353874a7948f969794681f492aa34ca7cc68468beeed7d0e8
Instruction ID: a474d145d3f47bc52d212a0be61284c8b844e598946bc15087e9b1547e5d7ea0
Opcode Fuzzy Hash: 03515e0d5f373a1353874a7948f969794681f492aa34ca7cc68468beeed7d0e8
Instruction Fuzzy Hash: 8BF03A357001508F8E88E7BD9068A3D3FEAEFCDA51361406EE50ADF364DE608C468796

Uniqueness

Uniqueness Score: -1.00%

Function 03496620, Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.599279331.0000000003490000.00000040.00000001.sdmp, Offset: 03490000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d9048ae1e64cd0d2a568bbf38e3c7a402b74b2fd3a9de939ab67c6b74cf4420
Instruction ID: 01c23ae58f89d33e65ba783b8d319691596de995a37cd97e1190c22c1f837c35
Opcode Fuzzy Hash: 7d9048ae1e64cd0d2a568bbf38e3c7a402b74b2fd3a9de939ab67c6b74cf4420
Instruction Fuzzy Hash: D5F0BE31B04615ABAF10D629A8106BFBFE597C56A0F014477C91A9B380EA296E0686DA

Uniqueness

Uniqueness Score: -1.00%

Function 03496611, Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.599279331.0000000003490000.00000040.00000001.sdmp, Offset: 03490000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4db2c6d8aed6fce02c2be2ff46026397addc6dd0d6144ba71c9ed967a49ce843
Instruction ID: 06103963a996bf1bf62cb6809367d5d015f2d2b2d944ffa4e9c0e8f6725fbafd
Opcode Fuzzy Hash: 4db2c6d8aed6fce02c2be2ff46026397addc6dd0d6144ba71c9ed967a49ce843
Instruction Fuzzy Hash: 0FF02B31A047059FEF10D628E8006FFBBB4EBC9361F010467C916DB390E6295E06C6C9

Uniqueness

Uniqueness Score: -1.00%

Function 0349CAA8, Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.599279331.0000000003490000.00000040.00000001.sdmp, Offset: 03490000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64fd9afeaf855c9ee4023efb7330227e9d09db7db0e95468cfdd5a22b972d63d
Instruction ID: 8989221befed4b7f445d97c20479a322f39a86013764d79a8760aa6863a5a1b9
Opcode Fuzzy Hash: 64fd9afeaf855c9ee4023efb7330227e9d09db7db0e95468cfdd5a22b972d63d
Instruction Fuzzy Hash: 78F097316052903F862AE2AD542092F7FEECBC492031A44ABE449DF381CD20AC0283E9

Uniqueness

Uniqueness Score: -1.00%

Function 034961A0, Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.599279331.0000000003490000.00000040.00000001.sdmp, Offset: 03490000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0814f3191755c99aa528bbdbbf1cf5b0e318ec16fc2aaad7cbed5d7d917408c
Instruction ID: e510ced7b1a8f80920c3345dbf3ca9c86f204890511500a29e7dd6b23d511f82
Opcode Fuzzy Hash: a0814f3191755c99aa528bbdbbf1cf5b0e318ec16fc2aaad7cbed5d7d917408c
Instruction Fuzzy Hash: 56F02431A10115AFEF50D92898111BFBFA4E7C87A4F01047BCD16EB341EB284A0386C1

Uniqueness

Uniqueness Score: -1.00%

Function 03495CD0, Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.599279331.0000000003490000.00000040.00000001.sdmp, Offset: 03490000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f48e3ce66914f5a784607ce075f706136037f48a24d99b12dd7ff9511586b83
Instruction ID: f333afed96983ee653b3a0da37be671810a5158805349c171ec99bf7903bfba0
Opcode Fuzzy Hash: 2f48e3ce66914f5a784607ce075f706136037f48a24d99b12dd7ff9511586b83
Instruction Fuzzy Hash: 7CF06D71E00215AF8F90DF7C94046AFBFF5ABD8324B11416BC808E3300EB304A028BD9

Uniqueness

Uniqueness Score: -1.00%

Function 03498278, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.599279331.0000000003490000.00000040.00000001.sdmp, Offset: 03490000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e86427d9aaa33c5f9fa7076f0727dfdd50c600f0cc4afdc3cf4fe7b81b44d91
Instruction ID: 2c6cf55efcc5f10952c906c73381a1d23d2c822d973e4c12b32ba6a95f1bbabb
Opcode Fuzzy Hash: 8e86427d9aaa33c5f9fa7076f0727dfdd50c600f0cc4afdc3cf4fe7b81b44d91
Instruction Fuzzy Hash: 81F09A70A08605DFDB00CB6DE8848AFBFF5FFCA210B148577D522DF291D33188168A99

Uniqueness

Uniqueness Score: -1.00%

Function 03494700, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.599279331.0000000003490000.00000040.00000001.sdmp, Offset: 03490000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd5072c7c90a5fee935df3582f2c3b34f93ca31d20be5faccb2ad80d296acf28
Instruction ID: 96cef9ccb489629c7e8d5ada2d0aba7b6dd7892fecb167c19708781bbb78de51
Opcode Fuzzy Hash: dd5072c7c90a5fee935df3582f2c3b34f93ca31d20be5faccb2ad80d296acf28
Instruction Fuzzy Hash: 9CE0ED37704258AFEB25C86AF8107BA3B9AC7C6261F5508BFE10ADF781E42648034344

Uniqueness

Uniqueness Score: -1.00%

Function 03490918, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.599279331.0000000003490000.00000040.00000001.sdmp, Offset: 03490000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c35e9eee93397b41998ef171b8d2f77fd9648b6fe31509765f3703e0bd7c71b5
Instruction ID: 54347efdd2908b48932bae283dd7138ffc518de4bc2a205f0808f0cccb0bab57
Opcode Fuzzy Hash: c35e9eee93397b41998ef171b8d2f77fd9648b6fe31509765f3703e0bd7c71b5
Instruction Fuzzy Hash: ECE0E532E152289ABF249AF998045AFBFADD7C5650F0045279A17AB244D970480786D5

Uniqueness

Uniqueness Score: -1.00%

Function 0349E5B8, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.599279331.0000000003490000.00000040.00000001.sdmp, Offset: 03490000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4cb3eeaa6daef64a72f899c4690522ce833cbc2183a07c3d5d9b52b2756ec9e
Instruction ID: 6a63dbb1692298d3c1f611f0c77adfd52d802053d858e5b8475d193996b17a67
Opcode Fuzzy Hash: f4cb3eeaa6daef64a72f899c4690522ce833cbc2183a07c3d5d9b52b2756ec9e
Instruction Fuzzy Hash: 03F0A7352492505FC712D26899104AA6FA9DBC6564315889FE45ECF352EA21DD078391

Uniqueness

Uniqueness Score: -1.00%

Function 034945B9, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.599279331.0000000003490000.00000040.00000001.sdmp, Offset: 03490000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b78c5412bbc17ec87244161302b2d36e40c05eb66c0316c6b71f174ae5222828
Instruction ID: 94cd154852b3508cf37800170a472dc3a164269df1d02374dce1e1789ec9ec00
Opcode Fuzzy Hash: b78c5412bbc17ec87244161302b2d36e40c05eb66c0316c6b71f174ae5222828
Instruction Fuzzy Hash: 55F0A0B2E4031A5FDB90DAB9AC05BBFBBFCEB85210F10043BD50CD7241E230490587A0

Uniqueness

Uniqueness Score: -1.00%

Function 03380938, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.599148387.0000000003380000.00000040.00000040.sdmp, Offset: 03380000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 525cef522958239b2deb72ab7ac90410e2832b06fb356f1b7ca8807ee3c9392c
Instruction ID: f54ab2bf0f9d84e81b377ed4ff309819ef5f139b092fd81ea65ec5534900333e
Opcode Fuzzy Hash: 525cef522958239b2deb72ab7ac90410e2832b06fb356f1b7ca8807ee3c9392c
Instruction Fuzzy Hash: 3BF03135204644DFC305DF00D980B15FBA6FB89718F24CAADE9890B762C337D813DA81

Uniqueness

Uniqueness Score: -1.00%

Function 0349A3E8, Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.599279331.0000000003490000.00000040.00000001.sdmp, Offset: 03490000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 042205c2ae4a8d9571919685fcc705be30127ead2bccbda29f02f80c4496609a
Instruction ID: d70beef1dc8c543f8bb7ff85802922823769f4ef54c99eac265811fe29c7d9cf
Opcode Fuzzy Hash: 042205c2ae4a8d9571919685fcc705be30127ead2bccbda29f02f80c4496609a
Instruction Fuzzy Hash: 04F01C31604204CF8F04AB69A41896D7FBAEBCA225399857EE10A9B340DE729C438B95

Uniqueness

Uniqueness Score: -1.00%

Function 034946A9, Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.599279331.0000000003490000.00000040.00000001.sdmp, Offset: 03490000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a04e58dbbe92a8dc16badb4d300da8fa8c5d0fcbb3bfdf8f90ab2c0fe2db756e
Instruction ID: ee690dc17cb33c1773bade7d7993498554aaaa8bfc606ea659c359551acdc0bd
Opcode Fuzzy Hash: a04e58dbbe92a8dc16badb4d300da8fa8c5d0fcbb3bfdf8f90ab2c0fe2db756e
Instruction Fuzzy Hash: 83F06571B501109BDB50DFB8E4686EE3B959FC5311F1444ABE50BCF375DA29CC028786

Uniqueness

Uniqueness Score: -1.00%

Function 03490908, Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.599279331.0000000003490000.00000040.00000001.sdmp, Offset: 03490000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 198333b717ac942bcce853f04ae79f65c5ddc122c663541fe5a0658984524812
Instruction ID: b0bb1950e20f30edbfabc65d45ceab4315456807c43fc872e2fcb42ac9c54b06
Opcode Fuzzy Hash: 198333b717ac942bcce853f04ae79f65c5ddc122c663541fe5a0658984524812
Instruction Fuzzy Hash: 21F0A030D182249BFF64DFF8881867FBFA9DB91350F01442B8D13BB244C9781C078A85

Uniqueness

Uniqueness Score: -1.00%

Function 034955D9, Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.599279331.0000000003490000.00000040.00000001.sdmp, Offset: 03490000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0b378f031fe7c49c7d6675b43c7c3e113dc38428893fa723d87ee3516f596f7
Instruction ID: 673432664d16dfc9a8e87db84bdd273fb5cbfde30ab4891b2c08dae5905ecc24
Opcode Fuzzy Hash: e0b378f031fe7c49c7d6675b43c7c3e113dc38428893fa723d87ee3516f596f7
Instruction Fuzzy Hash: FDE09272F101199BDF549A78A8405FFBBFAABC9320F05047BD509D7241FA6299214AA1

Uniqueness

Uniqueness Score: -1.00%

Function 0349CDDE, Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.599279331.0000000003490000.00000040.00000001.sdmp, Offset: 03490000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bbf6a389301a460bbdb2bf3247fd8bf416926dd0903db89bec706fc3b3e57ad
Instruction ID: 77c94ba9c03d92fad4ab9ba327f233e7032fc0b144988e1873510b9abde92d81
Opcode Fuzzy Hash: 9bbf6a389301a460bbdb2bf3247fd8bf416926dd0903db89bec706fc3b3e57ad
Instruction Fuzzy Hash: FEE0D8327191919F9E25A61950545BD3EEB9ACA0B131940B7D507DF691DD118C0383EB

Uniqueness

Uniqueness Score: -1.00%

Function 034957A2, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.599279331.0000000003490000.00000040.00000001.sdmp, Offset: 03490000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bc2b174a4f8297db830c09df4e787d5d7f25f4e179025128d069f494ea1b974
Instruction ID: 88a1573d92be6043b423dc1bd1690ceba37586e9f209e9a96e123fa69e76efed
Opcode Fuzzy Hash: 9bc2b174a4f8297db830c09df4e787d5d7f25f4e179025128d069f494ea1b974
Instruction Fuzzy Hash: 8FF0A030B44204CFEF09EBB8E8242AD3F61AF84204F3088E7D5269E280EF3049428799

Uniqueness

Uniqueness Score: -1.00%

Function 0349754F, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.599279331.0000000003490000.00000040.00000001.sdmp, Offset: 03490000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fae117d281d0484f4aad9a0d8fb603d05763473729657e80b40b200dd51cfca5
Instruction ID: f8a33daea9e5f63c5b58367d82ce46055ffde89ead1e3e781ee6babaf441056f
Opcode Fuzzy Hash: fae117d281d0484f4aad9a0d8fb603d05763473729657e80b40b200dd51cfca5
Instruction Fuzzy Hash: 34E03038B112587FEF54F3FA94103AE7A565FC4558B844C6BC50ACF681EE604901C796

Uniqueness

Uniqueness Score: -1.00%

Function 033805F6, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.599148387.0000000003380000.00000040.00000040.sdmp, Offset: 03380000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1fb5b8a2e66722748158d75ef73258fc7f98ffcdc0248c43c26aa4dfb36e172
Instruction ID: 74f9919e926e654f19bccfc38bf692e042d9424a02086cfd18b47cbe9265f87a
Opcode Fuzzy Hash: d1fb5b8a2e66722748158d75ef73258fc7f98ffcdc0248c43c26aa4dfb36e172
Instruction Fuzzy Hash: 19E06D766006008B9650CF0BEC85452F7D8EB88630B18C06FDC0D8B700E135B5048EA5

Uniqueness

Uniqueness Score: -1.00%

Function 03498718, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.599279331.0000000003490000.00000040.00000001.sdmp, Offset: 03490000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f3c8de384a6087d899d27d1549a3c34f5fd6edd5dd38ac6d7a2fa3d1f63bb75
Instruction ID: ecfa0ebec8e657072a3cab098aed449b92875e69d127a3c7901084cc736da801
Opcode Fuzzy Hash: 1f3c8de384a6087d899d27d1549a3c34f5fd6edd5dd38ac6d7a2fa3d1f63bb75
Instruction Fuzzy Hash: 09F082B5C092889FCF01CFACCA8559CBFB0DF5B300B1444DBC814D7342D134AA018B42

Uniqueness

Uniqueness Score: -1.00%

Function 0349AD3F, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.599279331.0000000003490000.00000040.00000001.sdmp, Offset: 03490000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e0ed2776536e1783b0ece9e365bfbc1bc22c975c496da732ac7d574d120acce
Instruction ID: d2404ea451f6e19d0e113f33bd18299444def3b2517fce645043fe0dd9f9b633
Opcode Fuzzy Hash: 0e0ed2776536e1783b0ece9e365bfbc1bc22c975c496da732ac7d574d120acce
Instruction Fuzzy Hash: 1FE092346083904FEF45A7B865292293FE69FCA24131405EFE91ADF3A2DE358C024352

Uniqueness

Uniqueness Score: -1.00%

Function 0349E5C8, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.599279331.0000000003490000.00000040.00000001.sdmp, Offset: 03490000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 460e09f6917c725b91cdaf271bc428c44448315390e8eb2c71dc9333c708c9a4
Instruction ID: 0d837d9f46148a98dca3f8ec5f1be6bf343a0fbe61a786cfa6eb63fc8b0f574e
Opcode Fuzzy Hash: 460e09f6917c725b91cdaf271bc428c44448315390e8eb2c71dc9333c708c9a4
Instruction Fuzzy Hash: 87E026323002209B8A22D69DD52086EBFEADBC1674354882FE41FCF300EE72EC4287D0

Uniqueness

Uniqueness Score: -1.00%

Function 03498988, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.599279331.0000000003490000.00000040.00000001.sdmp, Offset: 03490000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2a85b48484b0ddbe5c0a3f9804ca77d1d1255fddf241aaca896cd4dde54f5e6
Instruction ID: dcc9d5deb6946a98085cb2b91eb28d12f0262df463f2cc32e2672f34655c1772
Opcode Fuzzy Hash: b2a85b48484b0ddbe5c0a3f9804ca77d1d1255fddf241aaca896cd4dde54f5e6
Instruction Fuzzy Hash: DDE02B31B021258BCF546A6CB41421B7BEAE78D2D1714406BED06DB344DE305C018BD6

Uniqueness

Uniqueness Score: -1.00%

Function 0349C028, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.599279331.0000000003490000.00000040.00000001.sdmp, Offset: 03490000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80a03b41bd297a13732de4ee85c3db7d84f3a52535ebf1b3cd9145495db6636b
Instruction ID: 82d256f619d4959c576ab46f425c5246b25c699f9c3f2278bd6f23924f8f5a81
Opcode Fuzzy Hash: 80a03b41bd297a13732de4ee85c3db7d84f3a52535ebf1b3cd9145495db6636b
Instruction Fuzzy Hash: 20F0F835200B409F8730CE9AD580C03FBF9EF896207118A6EE5AA87A10C671F8048BA5

Uniqueness

Uniqueness Score: -1.00%

Function 0191AE9B, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.598179451.0000000001912000.00000040.00000001.sdmp, Offset: 01912000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d177e7b8ec57d7ed89d95e9501f2151b152c20deb5902255a03bdbba19bf5b4
Instruction ID: e47536fdde030820f9d98839f9c846a645d4074622663292b60d25694d1bd06f
Opcode Fuzzy Hash: 0d177e7b8ec57d7ed89d95e9501f2151b152c20deb5902255a03bdbba19bf5b4
Instruction Fuzzy Hash: 63E0D8725003046BD2508F07AC85F63FB9CEB40A30F54C557EE0C2B301E171B5048AF5

Uniqueness

Uniqueness Score: -1.00%

Function 0349E608, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.599279331.0000000003490000.00000040.00000001.sdmp, Offset: 03490000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65d865b3792c16cfa111a536252212df3c30cf83eacc6502e65a9b591c714811
Instruction ID: e836e693145288f2ea23ff9ab65c7e078b3c24617923d3138897ce1f699105e6
Opcode Fuzzy Hash: 65d865b3792c16cfa111a536252212df3c30cf83eacc6502e65a9b591c714811
Instruction Fuzzy Hash: C3E0867005A290EFD716C710D8008B37F7DD94221538416AFF4E7CB562C6615D4387A1

Uniqueness

Uniqueness Score: -1.00%

Function 03498610, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.599279331.0000000003490000.00000040.00000001.sdmp, Offset: 03490000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4213135c178ffcd5d50de42b967976c031a805dda280c282697785ca8885c990
Instruction ID: 4c7267431af16028b2d5c57b1045a73e5722849aca5b587075351971c61608d8
Opcode Fuzzy Hash: 4213135c178ffcd5d50de42b967976c031a805dda280c282697785ca8885c990
Instruction Fuzzy Hash: 4CE03970805249CFC700EFB8D98AA5DBF70EF47305F10569AD4046B261DA706A48DF55

Uniqueness

Uniqueness Score: -1.00%

Function 03498978, Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.599279331.0000000003490000.00000040.00000001.sdmp, Offset: 03490000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15b79c4d2d2ef833f306108b422817b7f89f14310201e1e500b1419c3fc0533e
Instruction ID: 334f7c47a791527ff238baed885744d1cb901821503ce1203db30fc8e8aa0c2a
Opcode Fuzzy Hash: 15b79c4d2d2ef833f306108b422817b7f89f14310201e1e500b1419c3fc0533e
Instruction Fuzzy Hash: DCE0D171F171118FDF5656A8B51421B7B65D74E282B15085BD805DB344ED314C00CFD6

Uniqueness

Uniqueness Score: -1.00%

Function 034965C0, Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.599279331.0000000003490000.00000040.00000001.sdmp, Offset: 03490000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f25952019475b895d1edfd4bb5b7387efad1964aec5f3f1caa8cc951e5e83ff1
Instruction ID: 0559e0f9b317985f35813ad75eef83a7d33f0ed4aeaa056b57d652217d8f3441
Opcode Fuzzy Hash: f25952019475b895d1edfd4bb5b7387efad1964aec5f3f1caa8cc951e5e83ff1
Instruction Fuzzy Hash: A4E0D87258C115CBFF55AA94B4047B83B9CA7806B0F06002FD916CB259C69DC841C79A

Uniqueness

Uniqueness Score: -1.00%

Function 0349CDF0, Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.599279331.0000000003490000.00000040.00000001.sdmp, Offset: 03490000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d95b728a018bce0f6bda75c3fa2acc51c24c7d5ff085f6bf11fbef26d571e8f1
Instruction ID: 3714cc51ce6926bbed8feef592b909b02db0fa98363fba7ea82a2b9a0ef20362
Opcode Fuzzy Hash: d95b728a018bce0f6bda75c3fa2acc51c24c7d5ff085f6bf11fbef26d571e8f1
Instruction Fuzzy Hash: 76E0C2313141149B5E28E21E50545BE7ACFAAC54B1324403B91078F350CD418C0283EA

Uniqueness

Uniqueness Score: -1.00%

Function 03498728, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.599279331.0000000003490000.00000040.00000001.sdmp, Offset: 03490000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71cab858117b6a8ab2e084f16fd45cd35f5c9f9dee9bb5158092b42dcf787ee6
Instruction ID: f1824c5039fb3f3bb23ea59f8404789efdfa8b6549ad12e73650dbb7cd037a81
Opcode Fuzzy Hash: 71cab858117b6a8ab2e084f16fd45cd35f5c9f9dee9bb5158092b42dcf787ee6
Instruction Fuzzy Hash: 43E0ED78D04208DFDB04EFA9E54569DBFB5EF89300F1091E7981497300DB305A01DF81

Uniqueness

Uniqueness Score: -1.00%

Function 03498800, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.599279331.0000000003490000.00000040.00000001.sdmp, Offset: 03490000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a4c2f3b8ab5d3dc580a55ae9f6d70a47ff691c2b0daf18b248f652a5f835cb3
Instruction ID: 5733b5cf8b084466decab4b09af5b2ad57eedecf6c4c9c9998ba0a478f917505
Opcode Fuzzy Hash: 3a4c2f3b8ab5d3dc580a55ae9f6d70a47ff691c2b0daf18b248f652a5f835cb3
Instruction Fuzzy Hash: 23E0E53051420ECBDA00DF5CE88089D3F59FB413147509967E9119E714EFB46D0787E6

Uniqueness

Uniqueness Score: -1.00%

Function 03498620, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.599279331.0000000003490000.00000040.00000001.sdmp, Offset: 03490000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6fb97d3e27426960b34d47692147354c61377fde6e0435dd5e56d57be3756c9
Instruction ID: f1c3632ba3e73f13541456955b4316edc1717a7b5f5fbfeb0449a49ea03232b0
Opcode Fuzzy Hash: f6fb97d3e27426960b34d47692147354c61377fde6e0435dd5e56d57be3756c9
Instruction Fuzzy Hash: 45E04674C0020CDBCB00EFA8E846AADBF78EB46305F1056AAD80427250DB705A45DF99

Uniqueness

Uniqueness Score: -1.00%

Function 034965D0, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.599279331.0000000003490000.00000040.00000001.sdmp, Offset: 03490000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3880b5e066cac0bf31f56a70952c54cfacb1e552794faa20991ff6f2d81b9133
Instruction ID: 38012693128e391e882b580c61c84c414f77b3d7e9de7573fb97cd5ecd9a832f
Opcode Fuzzy Hash: 3880b5e066cac0bf31f56a70952c54cfacb1e552794faa20991ff6f2d81b9133
Instruction Fuzzy Hash: 19D02B7128C015C3FE50719870047A53A8C67801F1B45003BDA1ACA248DADDCC80C3DF

Uniqueness

Uniqueness Score: -1.00%

Function 03495DE8, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.599279331.0000000003490000.00000040.00000001.sdmp, Offset: 03490000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8300f416ee97908128d279acd7d6fbd2240423a66391257673878e1c99927fc
Instruction ID: b1a39fb66e4ecaa6b7892ee06d2240ee7945c1c9f6b4f6159cf1b9b8b8bd7785
Opcode Fuzzy Hash: f8300f416ee97908128d279acd7d6fbd2240423a66391257673878e1c99927fc
Instruction Fuzzy Hash: 0ED02B31A6A2056FDF16F37410201BE2A952BC1211B51087F801ACF311E8558C024784

Uniqueness

Uniqueness Score: -1.00%

Function 034957F6, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.599279331.0000000003490000.00000040.00000001.sdmp, Offset: 03490000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5db92203511d3507d74f9b422bedb4eacaeccda8e278a3165b688bb6d9869bea
Instruction ID: 5f7c52dfc3d8817e66d459f3044007205f8eea86dc94f830549f1456debd846a
Opcode Fuzzy Hash: 5db92203511d3507d74f9b422bedb4eacaeccda8e278a3165b688bb6d9869bea
Instruction Fuzzy Hash: 04D0C231E04608CBEF05E7F4E8141EC7F709B8412472018F7C12B9E500DE3004529395

Uniqueness

Uniqueness Score: -1.00%

Function 0349064F, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.599279331.0000000003490000.00000040.00000001.sdmp, Offset: 03490000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38ea8ff0b3a7869555d8919a2a0f8d73d205ddce70aea82cfe286ca7c73eadc6
Instruction ID: e1690583ba9b8bbfd6e5919e191c0200f53b09dd74cff0ae85dbed8dbf4729f4
Opcode Fuzzy Hash: 38ea8ff0b3a7869555d8919a2a0f8d73d205ddce70aea82cfe286ca7c73eadc6
Instruction Fuzzy Hash: ADD05E739853518FDB598AB0D81A5E43B70EFA225471488ABC8118B561C2365943DE51

Uniqueness

Uniqueness Score: -1.00%

Function 0349EED8, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.599279331.0000000003490000.00000040.00000001.sdmp, Offset: 03490000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1f7d40e1b8f685df606bea7ba749327c8efc6c31c8e7b5989428e626f4da90e
Instruction ID: 8c3b518f2d793e592ad36e33b6de81246203e9684b97123dddbdd55f9b6c0525
Opcode Fuzzy Hash: f1f7d40e1b8f685df606bea7ba749327c8efc6c31c8e7b5989428e626f4da90e
Instruction Fuzzy Hash: 3AD0A7213443282F9508E6ADC8618B9F3CFDBC5514304885FE80ED7341CD629C0243D0

Uniqueness

Uniqueness Score: -1.00%

Function 034976E8, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.599279331.0000000003490000.00000040.00000001.sdmp, Offset: 03490000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8325e858a674d420946bd35431955ccdae54920c64ebcc240f400b7eaaaade1a
Instruction ID: 26d6d5880122e5909223ae504c04f414145fd89322c037db01cb408c1a644fbe
Opcode Fuzzy Hash: 8325e858a674d420946bd35431955ccdae54920c64ebcc240f400b7eaaaade1a
Instruction Fuzzy Hash: A5D0C230029310CBEB36CAA9A800762BED96B41214F04099FC0620D550C9A1F485879A

Uniqueness

Uniqueness Score: -1.00%

Function 034902A0, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.599279331.0000000003490000.00000040.00000001.sdmp, Offset: 03490000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a55b3df2c9986828fa851f33bcf8b2d4cab88244abbe854eeece8ea5ca8803ab
Instruction ID: 1ecb5653d95f522581ed8651d16f03bf9535dedc50cf1f296c12adafe89a7149
Opcode Fuzzy Hash: a55b3df2c9986828fa851f33bcf8b2d4cab88244abbe854eeece8ea5ca8803ab
Instruction Fuzzy Hash: 59E02B3A904700CBD351C610E855886BBE1FB803007408C2FC4538F948C734AC42C700

Uniqueness

Uniqueness Score: -1.00%

Function 0349EF10, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.599279331.0000000003490000.00000040.00000001.sdmp, Offset: 03490000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65f08cdb3b51bc8d9d6392e9a1481a9fac7d307940fcaabe3a059b0afc891a00
Instruction ID: 8d98e16fc34450b22753ca966bed33b43e5339d174a473a382b6ceaaa42f24ef
Opcode Fuzzy Hash: 65f08cdb3b51bc8d9d6392e9a1481a9fac7d307940fcaabe3a059b0afc891a00
Instruction Fuzzy Hash: 23D0121850F3844FEE4263B028281B53F28DA4748035828CBE8AACB243D91458479763

Uniqueness

Uniqueness Score: -1.00%

Function 03490170, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.599279331.0000000003490000.00000040.00000001.sdmp, Offset: 03490000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d13345ae6cbb88597def58d8fd11a526e9b8b1fcc4d9bdd014e10fa717d51a3
Instruction ID: c7b2557bb82be28b10f4c64a492a5159f5112bdea80b479466236599d0620c8c
Opcode Fuzzy Hash: 5d13345ae6cbb88597def58d8fd11a526e9b8b1fcc4d9bdd014e10fa717d51a3
Instruction Fuzzy Hash: 9DD05EB1914340CFCB199B70D0284183B61EF5A2467110C7EC806CB265EABBC880CB00

Uniqueness

Uniqueness Score: -1.00%

Function 019023F4, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.598129799.0000000001902000.00000040.00000001.sdmp, Offset: 01902000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 350ec46844ed032b148358408797790be703c9167bacef95a37e6dd70c966cc6
Instruction ID: 54e517ee885e5c5e27601488f82c6fe46f147206d5bcd903e7b2c7a7f785314f
Opcode Fuzzy Hash: 350ec46844ed032b148358408797790be703c9167bacef95a37e6dd70c966cc6
Instruction Fuzzy Hash: 08D05E79219A818FE3278B1CC1A8B953FA8AB51F05F4744FDE8008B6A3C368D981D200

Uniqueness

Uniqueness Score: -1.00%

Function 0349E618, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.599279331.0000000003490000.00000040.00000001.sdmp, Offset: 03490000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d719f7bb1dc9da162a5eaff59664adac7b59ce21194f3e1ba5f801f1b18d167
Instruction ID: 4539eac9420cae28de4d1ff24a24b6286e4bfed17a269a2c8b6cc99ade7d048e
Opcode Fuzzy Hash: 0d719f7bb1dc9da162a5eaff59664adac7b59ce21194f3e1ba5f801f1b18d167
Instruction Fuzzy Hash: 3FD02231008204CB9B24CA00E0004A27FB8EA002267C0082FD03B8F721CBB2FCC3C7C8

Uniqueness

Uniqueness Score: -1.00%

Function 0349E6A8, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.599279331.0000000003490000.00000040.00000001.sdmp, Offset: 03490000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e7f8cdc54eac6eceac7fa3e0c29ad67a8d5d95c9b3f2469b5e874a7bb4d2893
Instruction ID: 8f76c83b92f32d9cbc920a51498758f136396717735590c6f6a13666bd3a3919
Opcode Fuzzy Hash: 5e7f8cdc54eac6eceac7fa3e0c29ad67a8d5d95c9b3f2469b5e874a7bb4d2893
Instruction Fuzzy Hash: 97C08035904314D77F14F1BA7D014D97F9CDD06565B4404FFDE085F250EA219D6543DA

Uniqueness

Uniqueness Score: -1.00%

Function 03497198, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.599279331.0000000003490000.00000040.00000001.sdmp, Offset: 03490000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a0939ec5680cffb9ecca245d0aafbbebb033a67d769e75d7ec85179cdc98f5e
Instruction ID: b3b015f9589047f10f6be93b96ec9db9fa8de9d6a95baaa812f28e46ca893986
Opcode Fuzzy Hash: 9a0939ec5680cffb9ecca245d0aafbbebb033a67d769e75d7ec85179cdc98f5e
Instruction Fuzzy Hash: CDD04C366000048FD704CB84D5859D9F7F1EB88225F18C196D51567351C732ED56CB50

Uniqueness

Uniqueness Score: -1.00%

Function 019023BC, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.598129799.0000000001902000.00000040.00000001.sdmp, Offset: 01902000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a047d1676e226dca966082cf9e67009ff14a661ff9e43c132d9c4e2c332f3cf6
Instruction ID: ec18db68e3bc634ebe9948bfc968f50c6f330ef86ebf7b249a3084d8b8c48bf9
Opcode Fuzzy Hash: a047d1676e226dca966082cf9e67009ff14a661ff9e43c132d9c4e2c332f3cf6
Instruction Fuzzy Hash: E7D05E342002818FDB16DB0CD598F593BD8AB41B01F0644E8AD048B6A2C3B4D881C600

Uniqueness

Uniqueness Score: -1.00%

Function 03497BDE, Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.599279331.0000000003490000.00000040.00000001.sdmp, Offset: 03490000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6b572a8441fa9afc79144b0f7afef15bda3a3485fcd48ca29aa2457ee52618e
Instruction ID: 1302737346d509babe2f2c22898cde6e7c3dac08d386c554dc6c53b5fc915822
Opcode Fuzzy Hash: b6b572a8441fa9afc79144b0f7afef15bda3a3485fcd48ca29aa2457ee52618e
Instruction Fuzzy Hash: 37D01C30A20208DF9B12CE71D9680AEBBF0AB096603200B2A9812AB391E3345C02CB80

Uniqueness

Uniqueness Score: -1.00%

Function 03495478, Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.599279331.0000000003490000.00000040.00000001.sdmp, Offset: 03490000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cea13ac63846f3c8fda00d790f395f1fd7712b05edf77932d2d306352eab01b1
Instruction ID: 5a2ba8a9179f4072b44d2447e639e4abc1b74c7a6270673fa7f6f0620c3c4628
Opcode Fuzzy Hash: cea13ac63846f3c8fda00d790f395f1fd7712b05edf77932d2d306352eab01b1
Instruction Fuzzy Hash: 3DD0C92004C205CBEEB7E7AA641D36E7E69A702B06B6800D3E01684555DB644190D71A

Uniqueness

Uniqueness Score: -1.00%

Function 03495D5F, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.599279331.0000000003490000.00000040.00000001.sdmp, Offset: 03490000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2cd1f912e3d5aa47101ef5ab71762a0c6cd73fad21ce16c8d86057fef20d1d6
Instruction ID: 4097ce56bc247e7e33e8d4e8603c8d591446f102ac6e1f4713270b9d9b95eafb
Opcode Fuzzy Hash: e2cd1f912e3d5aa47101ef5ab71762a0c6cd73fad21ce16c8d86057fef20d1d6
Instruction Fuzzy Hash: 00D0127154C741CFEF628B64A45C3663BE85B53154B1546A78C069A022D6614441CB05

Uniqueness

Uniqueness Score: -1.00%

Function 03490180, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.599279331.0000000003490000.00000040.00000001.sdmp, Offset: 03490000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fea865a83876f1e1edc84028227bab904ab0c9322eb0052c2ea8fb6fc5fe577
Instruction ID: 1083588dff133c90307ed92d29464a8ed23feac9ff1b74ba1a0b81bd0fc9aeea
Opcode Fuzzy Hash: 4fea865a83876f1e1edc84028227bab904ab0c9322eb0052c2ea8fb6fc5fe577
Instruction Fuzzy Hash: FFD01230A04304CFCB282B70E42D42833AAAB8924A3100C7CD8068B748EFBBE880CB40

Uniqueness

Uniqueness Score: -1.00%

Function 0349CBB8, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.599279331.0000000003490000.00000040.00000001.sdmp, Offset: 03490000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d6ea06149e4f6bc6793e3b6388017c1d9fdd0ca0d1c1a10b5b458a51be07596
Instruction ID: ad8470f0779e97da8f0f7b8b1b86bdc6bd1b73c7abdd6d89627516ba6c5e8c2c
Opcode Fuzzy Hash: 7d6ea06149e4f6bc6793e3b6388017c1d9fdd0ca0d1c1a10b5b458a51be07596
Instruction Fuzzy Hash: 6EC08C329095000BEB01DE02DC93A843BF0AE409483AA40E2DCA4CF513D328E40B4B82

Uniqueness

Uniqueness Score: -1.00%

Function 03495D70, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.599279331.0000000003490000.00000040.00000001.sdmp, Offset: 03490000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0cbc698a54928a16412eb305aa19cfac648c0fa3a80956be5bd97880240705e
Instruction ID: 32844b68ea37fa5d3bc5e766d43f14f13b8d83ec5fcf39ee962824101798b00c
Opcode Fuzzy Hash: d0cbc698a54928a16412eb305aa19cfac648c0fa3a80956be5bd97880240705e
Instruction Fuzzy Hash: 99C08C20208A068FAE2667F0681D12A3BAC4A810453800297A80ACE100EE2080418249

Uniqueness

Uniqueness Score: -1.00%

Function 03490660, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.599279331.0000000003490000.00000040.00000001.sdmp, Offset: 03490000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9dc6bebe7ffb9ecd96fd2452817646f0b5726b6a6115e82eff09eaf0f656a398
Instruction ID: fe4916eedab759fa50781e901daa1cf73819ef30ff9e050e0fccc98aa300af31
Opcode Fuzzy Hash: 9dc6bebe7ffb9ecd96fd2452817646f0b5726b6a6115e82eff09eaf0f656a398
Instruction Fuzzy Hash: B9C02B31049305CED71896B0580C535760966C0304300C433841108030CB325C93CD29

Uniqueness

Uniqueness Score: -1.00%

Function 034978AD, Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.599279331.0000000003490000.00000040.00000001.sdmp, Offset: 03490000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44cea2c98da2488107e7d0b01925b6892442e839c1ff73df26d2095bea16c145
Instruction ID: 3ccd3b0219bb2509f1a38d444e5cdefe90f139af50d9c23d35f8544b7baff669
Opcode Fuzzy Hash: 44cea2c98da2488107e7d0b01925b6892442e839c1ff73df26d2095bea16c145
Instruction Fuzzy Hash: A5C09B37A05109DFCB145BA4F4540DCB375F78826E7504477D51945100C7365555CB80

Uniqueness

Uniqueness Score: -1.00%

Function 0349EF20, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.599279331.0000000003490000.00000040.00000001.sdmp, Offset: 03490000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6287b2aa8fdd35122303537ff2e953d3f15b1cc2c84baa31e9babd3155a77b17
Instruction ID: 705ceb312bac4a3d091f5836afd2a362a303ff485cbc2c345fba4db381f5a063
Opcode Fuzzy Hash: 6287b2aa8fdd35122303537ff2e953d3f15b1cc2c84baa31e9babd3155a77b17
Instruction Fuzzy Hash: CEB0122494970C4BDD9073F1601D11C778C19C14907800457590D4B244FE74A4408559

Uniqueness

Uniqueness Score: -1.00%

Function 0349D5C0, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.599279331.0000000003490000.00000040.00000001.sdmp, Offset: 03490000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69005144aabf7a98d4fafc9729592789aa9460e2ba7db3dd11069ab06f135e85
Instruction ID: 449f49dc94780549970a7690a622fed0a1a49a1de5e3a07194fb75711b7b9cb2
Opcode Fuzzy Hash: 69005144aabf7a98d4fafc9729592789aa9460e2ba7db3dd11069ab06f135e85
Instruction Fuzzy Hash: 2CB09230409308DB9644E669EC4A8597F6CF9432A03901527F9124E29CDBA42D43C7EA

Uniqueness

Uniqueness Score: -1.00%

Function 034971BC, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.599279331.0000000003490000.00000040.00000001.sdmp, Offset: 03490000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9331830965d72d12fcbefa973c87c0cf332396a92bd300e1243d284f656f33ac
Instruction ID: 30618e083a2b44752fec187bc700f96e1d9195e0332ad55c1da6f37f5262053c
Opcode Fuzzy Hash: 9331830965d72d12fcbefa973c87c0cf332396a92bd300e1243d284f656f33ac
Instruction Fuzzy Hash: 9BB092B7A04008CAEF00CA84B4423EDFB20E790225F104023C32056100C23201A987A5

Uniqueness

Uniqueness Score: -1.00%

Function 034965A1, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.599279331.0000000003490000.00000040.00000001.sdmp, Offset: 03490000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c98f2910ef65ab76c0764adf57f338ef339f013bbc797ddf30ddcdb82355e668
Instruction ID: 0c2ea7739b63998505edd21332f2e8333f71265f10093ea64cebe6533286a978
Opcode Fuzzy Hash: c98f2910ef65ab76c0764adf57f338ef339f013bbc797ddf30ddcdb82355e668
Instruction Fuzzy Hash: C9B0127D40050C4BC609CF0CD914B207374B310248FC910854000A7220C2146400ED04

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 03490D8C, Relevance: 5.3, Strings: 4, Instructions: 251COMMON

Download Yara Rule

Strings

0`r, xrefs: 03490F8E
X1ar, xrefs: 03490F1C
,:ar, xrefs: 03490E38
:@:r, xrefs: 034910CB

Memory Dump Source

Source File: 00000004.00000002.599279331.0000000003490000.00000040.00000001.sdmp, Offset: 03490000, based on PE: false

Similarity

API ID:
String ID: ,:ar$0`r$:@:r$X1ar
API String ID: 0-2614842347
Opcode ID: 3cdd3e4d740aa447fd280442a0abb9c27f5901a9a603881d08e9c0eb546d7652
Instruction ID: 1cee91a011147daaa47100be219b45686ef4a11c7a10a16c4aad150a263a655e
Opcode Fuzzy Hash: 3cdd3e4d740aa447fd280442a0abb9c27f5901a9a603881d08e9c0eb546d7652
Instruction Fuzzy Hash: DFB19470A08344CFD3A4DF788160B6ABBE2FB99744F10496EE54A8B394DF759845CB42

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: RegSvcs.exe PID: 5836 Parent PID: 528 RegSvcs.exeCOMMON

Executed Functions

Function 02AB11D0, Relevance: 4.0, Strings: 3, Instructions: 222COMMON

Download Yara Rule

Strings

X1ar, xrefs: 02AB1253
:@:r, xrefs: 02AB1406
X1ar, xrefs: 02AB130B

Memory Dump Source

Source File: 00000009.00000002.253947247.0000000002AB0000.00000040.00000001.sdmp, Offset: 02AB0000, based on PE: false

Similarity

API ID:
String ID: :@:r$X1ar$X1ar
API String ID: 0-1028378736
Opcode ID: dab6ea95d7d10e7e8b9effadb8006aab079e0c333da00f2b2fa4b0c865522937
Instruction ID: 75eb00679c40ec172e3d2df4b064a12f2448b20b5cb7a5624533cca8452da9e2
Opcode Fuzzy Hash: dab6ea95d7d10e7e8b9effadb8006aab079e0c333da00f2b2fa4b0c865522937
Instruction Fuzzy Hash: BC814B74B001018FCB15DFA9C494B6EBAE7EFC4304F248079D50AAB7A5EE799D41CB61

Uniqueness

Uniqueness Score: -1.00%

Function 02AB11C1, Relevance: 2.7, Strings: 2, Instructions: 180COMMON

Download Yara Rule

Strings

X1ar, xrefs: 02AB1253
:@:r, xrefs: 02AB1406

Memory Dump Source

Source File: 00000009.00000002.253947247.0000000002AB0000.00000040.00000001.sdmp, Offset: 02AB0000, based on PE: false

Similarity

API ID:
String ID: :@:r$X1ar
API String ID: 0-3821969665
Opcode ID: fb8b74c3a9b288d548d7f5563444e0dd04b03e12cfc36a6ec72dd23a5b92507b
Instruction ID: 857d4927dc8fcb7bc642a6e11e0554352620125012a587a7ac7c01199bb69cd1
Opcode Fuzzy Hash: fb8b74c3a9b288d548d7f5563444e0dd04b03e12cfc36a6ec72dd23a5b92507b
Instruction Fuzzy Hash: C4614B74B001018FCB159FA9C494BAEBBF6EFC4304F258079D509AB7A2EE759D41CB61

Uniqueness

Uniqueness Score: -1.00%

Function 02AB010F, Relevance: 1.4, Strings: 1, Instructions: 195COMMON

Download Yara Rule

Strings

:@:r, xrefs: 02AB02C5

Memory Dump Source

Source File: 00000009.00000002.253947247.0000000002AB0000.00000040.00000001.sdmp, Offset: 02AB0000, based on PE: false

Similarity

API ID:
String ID: :@:r
API String ID: 0-1441432688
Opcode ID: 51a56e4969754c7da0483ff194a02d90e3cce99a7fd52fcd458e2de0ff9eb4ec
Instruction ID: d57894397fd99009b7ae521bb45b3025c25434ea21e0a552ae054650ab3a5b67
Opcode Fuzzy Hash: 51a56e4969754c7da0483ff194a02d90e3cce99a7fd52fcd458e2de0ff9eb4ec
Instruction Fuzzy Hash: FB716F30A002118FDB6ADF78D558B6A7BF6BF88300F148079D4169B695DFB99C85CB80

Uniqueness

Uniqueness Score: -1.00%

Function 02AB040C, Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.253947247.0000000002AB0000.00000040.00000001.sdmp, Offset: 02AB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f760a1f4c2f42f569cbd00e7ecfd85864d2f77bc7d4d5b71edef7ea5396e60a
Instruction ID: bc4129b2ead91e9e967898de9bd2d50af27fe768980d23d29dff886cea0fcde1
Opcode Fuzzy Hash: 9f760a1f4c2f42f569cbd00e7ecfd85864d2f77bc7d4d5b71edef7ea5396e60a
Instruction Fuzzy Hash: E3414F70A00225CFEB26AF74C4A97EF7FB5BF84704F105069D512AB692CFB98945CB90

Uniqueness

Uniqueness Score: -1.00%

Function 02AB06E8, Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.253947247.0000000002AB0000.00000040.00000001.sdmp, Offset: 02AB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24bcaa1e0f85b17f9f8d8c928e99debda884def53b6d4cda6192fd85ea620e45
Instruction ID: ee4cc0d11c1896cae45102eb8d39e35fbdc2870779d55e2c378a20da50786253
Opcode Fuzzy Hash: 24bcaa1e0f85b17f9f8d8c928e99debda884def53b6d4cda6192fd85ea620e45
Instruction Fuzzy Hash: FE311A303012508FC759ABBCD058A2E3BE69FC5305B2504BED406CF7A2EE7ADC868795

Uniqueness

Uniqueness Score: -1.00%

Function 02AB06F8, Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.253947247.0000000002AB0000.00000040.00000001.sdmp, Offset: 02AB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 885656f8723003ced7b51444b262fa2edaee498342fb3726229cbd97b66b861c
Instruction ID: 8c16db71cec63c3e736ac09c72f1191fb1f1076b81d7b6c539310730f52c2885
Opcode Fuzzy Hash: 885656f8723003ced7b51444b262fa2edaee498342fb3726229cbd97b66b861c
Instruction Fuzzy Hash: BB21ED703012118FCB596FBCD058A2E3AE6AFC5305B1104BDD506CF7A2EE7ADC858795

Uniqueness

Uniqueness Score: -1.00%

Function 02AD05CF, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.253960623.0000000002AD0000.00000040.00000040.sdmp, Offset: 02AD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cc0ee7e62e437502df877d0b6def1c9d66d44ea400a8b90d36437134ccfc7c1
Instruction ID: 3a57319082f26093d4cdb00db4cfbbcada741958b082144983cdf1e4393fdb41
Opcode Fuzzy Hash: 4cc0ee7e62e437502df877d0b6def1c9d66d44ea400a8b90d36437134ccfc7c1
Instruction Fuzzy Hash: 5201D1725497806FC7128B1AEC40897BFF8EF8623070984AFED498B212D165B909CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 02AB1060, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.253947247.0000000002AB0000.00000040.00000001.sdmp, Offset: 02AB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c382e972aaa7b57c7c230fe784eab4513719ba44fa7d41844110b8dd68ef07e6
Instruction ID: 916cd0cdc9841755cfbcc9cb17060f5dd183452fc12df329162b55eaf510aa41
Opcode Fuzzy Hash: c382e972aaa7b57c7c230fe784eab4513719ba44fa7d41844110b8dd68ef07e6
Instruction Fuzzy Hash: 27F0F0307042806FD36646788C62BB72FA98FC6250F1580AAE609DB182EEA4DC06CB60

Uniqueness

Uniqueness Score: -1.00%

Function 02AB1070, Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.253947247.0000000002AB0000.00000040.00000001.sdmp, Offset: 02AB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2d239efc1dbc5829ce967dc10126eac01f627b04e8b4510479fe6886ee664e6
Instruction ID: e0eafe7146ebaaa4eee49324964097c4b3949139c61ca0bf0f66cca336c39040
Opcode Fuzzy Hash: e2d239efc1dbc5829ce967dc10126eac01f627b04e8b4510479fe6886ee664e6
Instruction Fuzzy Hash: AFF09A32700150ABD7149AB99951FAB779AEBC8660F14856AF609DB281EEA1DC0087A0

Uniqueness

Uniqueness Score: -1.00%

Function 02AB00C0, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.253947247.0000000002AB0000.00000040.00000001.sdmp, Offset: 02AB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 214d0bd9340f914db9922c92d9d470899810ae3034958ba15aeaf1978aaf9c66
Instruction ID: b2b1cc4a5d9769bf62fa2a7eca43068e961d654f014d3707641410aeb938294e
Opcode Fuzzy Hash: 214d0bd9340f914db9922c92d9d470899810ae3034958ba15aeaf1978aaf9c66
Instruction Fuzzy Hash: D3F0FE75D052499FCB51DFBC98455EFBFF4EA8D250B1040AAD544E7211E6305506CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02AB0F23, Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.253947247.0000000002AB0000.00000040.00000001.sdmp, Offset: 02AB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23d2a31e18d4cb010a08e872e9b205e58540fd7f706e082483872c14e9445cbe
Instruction ID: a54e22509b8591b351e3d7604a46711f999e8f79d963276bd8b67551279c5a51
Opcode Fuzzy Hash: 23d2a31e18d4cb010a08e872e9b205e58540fd7f706e082483872c14e9445cbe
Instruction Fuzzy Hash: D8F0E2342092808FC325DFBCD4948553FEADF8A21832800FBD444DB372C92A9C06C781

Uniqueness

Uniqueness Score: -1.00%

Function 02AB10D0, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.253947247.0000000002AB0000.00000040.00000001.sdmp, Offset: 02AB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc2160fa49fff8a74955d897182b386b58262bb4510d8911897aefa1eeb3ee5a
Instruction ID: 1f841f3478ff8782f9adababed6ccf0a9ca9132b422bb28bb605a57c1f66eb78
Opcode Fuzzy Hash: fc2160fa49fff8a74955d897182b386b58262bb4510d8911897aefa1eeb3ee5a
Instruction Fuzzy Hash: 01F01C75D05248AECF41DFBC98562EFBFF4EF89220F0140BAD508E2502E235450ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 02AD05F6, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.253960623.0000000002AD0000.00000040.00000040.sdmp, Offset: 02AD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc29fab7d54b4969db4f310669a42e0ea74a73a01d2b93e13037deb135411297
Instruction ID: 03275694f6488af40eb831d2b3fc46a769b4cfeda26125e98af882a316496ae0
Opcode Fuzzy Hash: dc29fab7d54b4969db4f310669a42e0ea74a73a01d2b93e13037deb135411297
Instruction Fuzzy Hash: C3E06D766406009B9650DF0AEC41456FBE8EB88630B18C07FDC0D8B711E136B5048EA5

Uniqueness

Uniqueness Score: -1.00%

Function 02AB0F30, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.253947247.0000000002AB0000.00000040.00000001.sdmp, Offset: 02AB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 603e80724b7fb1fdce12c515d1f8a026d2ed909f610b162ef4c21c313311adbd
Instruction ID: 03a7dacccb681f0d0c4efdc2600c466275d8af62ca38466245bda58034bd8f09
Opcode Fuzzy Hash: 603e80724b7fb1fdce12c515d1f8a026d2ed909f610b162ef4c21c313311adbd
Instruction Fuzzy Hash: 17E0D8357001108FC764EFBCE58485537EBEB8822432040BBE409D7361DE7A9C41CBC1

Uniqueness

Uniqueness Score: -1.00%

Function 02AB00D0, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.253947247.0000000002AB0000.00000040.00000001.sdmp, Offset: 02AB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25342d7df1ed6a0d150f5c329d2df26fce249afff38e0ea1a7f9bb4604c8fb6d
Instruction ID: 6f21fe0151e92378c1c71545ab90dd2784118d6e9f4af837e09756bbbd5d442c
Opcode Fuzzy Hash: 25342d7df1ed6a0d150f5c329d2df26fce249afff38e0ea1a7f9bb4604c8fb6d
Instruction Fuzzy Hash: 8CE0E571E002099F8F40DFB998456DEBFF8FA48250B100066D518E3200E23156008BE0

Uniqueness

Uniqueness Score: -1.00%

Function 02AB10E0, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.253947247.0000000002AB0000.00000040.00000001.sdmp, Offset: 02AB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b73a71c8a12208e52aafdfdfd6d9fee5ccb2dff1c255281bdd5e5996ea7906b
Instruction ID: 3fa587418b4ee3bf9f1f96c269dbaeba472805210cb2dabc2762bfb200ebfc21
Opcode Fuzzy Hash: 7b73a71c8a12208e52aafdfdfd6d9fee5ccb2dff1c255281bdd5e5996ea7906b
Instruction Fuzzy Hash: 39E0B6B1D01209AECF40EFBDA8556EFBFF8EB48260F10403AD108E3201E6355215CBE1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: dhcpmon.exe PID: 5268 Parent PID: 528 dhcpmon.exeCOMMON

Executed Functions

Function 02D706E8, Relevance: 3.1, APIs: 2, Instructions: 93COMMON

Download Yara Rule

APIs

GlobalMemoryStatus.KERNEL32 ref: 02D70735
GlobalMemoryStatus.KERNEL32 ref: 02D70756

Memory Dump Source

Source File: 0000000B.00000002.256597337.0000000002D70000.00000040.00000001.sdmp, Offset: 02D70000, based on PE: false

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 18a700cab38f7781fa11b510bdec24194d651cb7c706e21efd5c99c759452ada
Instruction ID: 9a407d2b7502156482b8bb341b2f999881888e1964164c13b1df85c2cb0a90c0
Opcode Fuzzy Hash: 18a700cab38f7781fa11b510bdec24194d651cb7c706e21efd5c99c759452ada
Instruction Fuzzy Hash: 613138303012518FC759AB7CC429A2D3BE29FC5305B2504BED006CF7A2EE7ADC868796

Uniqueness

Uniqueness Score: -1.00%

Function 02D706F8, Relevance: 3.1, APIs: 2, Instructions: 86COMMON

Download Yara Rule

APIs

GlobalMemoryStatus.KERNEL32 ref: 02D70735
GlobalMemoryStatus.KERNEL32 ref: 02D70756

Memory Dump Source

Source File: 0000000B.00000002.256597337.0000000002D70000.00000040.00000001.sdmp, Offset: 02D70000, based on PE: false

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: a6cfc60bc083b0f6b00e93cc5b903946b13329a341fe95e2a09457e38dbba6cd
Instruction ID: 67d7beb7d8d4f48785f41115a4966788ce9531dd9314733c3ab367b2023f1fe1
Opcode Fuzzy Hash: a6cfc60bc083b0f6b00e93cc5b903946b13329a341fe95e2a09457e38dbba6cd
Instruction Fuzzy Hash: 2D21DB303012118FC7596F7CD059A2E3AE6AFC5305B1104BED406CF7A1EE79DC858795

Uniqueness

Uniqueness Score: -1.00%

Function 02D71060, Relevance: 1.5, APIs: 1, Instructions: 42COMMON

Download Yara Rule

APIs

Module32FirstW.KERNEL32(00000000,00000000,?,00000000), ref: 02D710B2

Memory Dump Source

Source File: 0000000B.00000002.256597337.0000000002D70000.00000040.00000001.sdmp, Offset: 02D70000, based on PE: false

Similarity

API ID: FirstModule32
String ID:
API String ID: 3757679902-0
Opcode ID: edc23d4aec12e74c702095dcb46e85871b6b3d81f19a89c6a0824446cc93ef84
Instruction ID: 76e8b3060e92cb3364fc1418efbc8fbab5824ef73a1db41bfbb290b0ca922641
Opcode Fuzzy Hash: edc23d4aec12e74c702095dcb46e85871b6b3d81f19a89c6a0824446cc93ef84
Instruction Fuzzy Hash: 03F024307082C16FD72056794C22FA72FA68BC5210F25426AE649DB281E969CC029750

Uniqueness

Uniqueness Score: -1.00%

Function 02D71070, Relevance: 1.5, APIs: 1, Instructions: 41COMMON

Download Yara Rule

APIs

Module32FirstW.KERNEL32(00000000,00000000,?,00000000), ref: 02D710B2

Memory Dump Source

Source File: 0000000B.00000002.256597337.0000000002D70000.00000040.00000001.sdmp, Offset: 02D70000, based on PE: false

Similarity

API ID: FirstModule32
String ID:
API String ID: 3757679902-0
Opcode ID: 21caa5b1947e13cb4b9e13232da4bec170fa4a6d014f81e4af088f127a4fd69f
Instruction ID: 973c35c43d477f35ff8f881f1ee17e85ac92961b3cbc0571e5bba64e99d983ce
Opcode Fuzzy Hash: 21caa5b1947e13cb4b9e13232da4bec170fa4a6d014f81e4af088f127a4fd69f
Instruction Fuzzy Hash: E3F0BE32300251ABD7149ABADD01FAB77DAEBC8660F24456AF60DDB380EEA5DC40D790

Uniqueness

Uniqueness Score: -1.00%

Function 02E205CF, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.256682322.0000000002E20000.00000040.00000040.sdmp, Offset: 02E20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49dc3c4928ce7540e14a70f85285e4fb7a884d252d13ad9aca5a83e0bc179fd6
Instruction ID: 4965b01b2297ab3b42eeb35a89549410afbe71e481071a84863b9303cb08836c
Opcode Fuzzy Hash: 49dc3c4928ce7540e14a70f85285e4fb7a884d252d13ad9aca5a83e0bc179fd6
Instruction Fuzzy Hash: 4301D6765083845FD7128F1AAC41863FFB8EE86620708C09FED898B612D265B809CB75

Uniqueness

Uniqueness Score: -1.00%

Function 02E205F6, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.256682322.0000000002E20000.00000040.00000040.sdmp, Offset: 02E20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55206d4733af04008cd43fce542f800b78addcc96409a465d1e5e22d4aa21cc9
Instruction ID: bf898f7cc955271abab2a2fc8a0b2051c394356e67952cee7a1f225725682cf0
Opcode Fuzzy Hash: 55206d4733af04008cd43fce542f800b78addcc96409a465d1e5e22d4aa21cc9
Instruction Fuzzy Hash: 43E09276A406008BD650CF0FEC41452FBD8EB88630B18C07FDD0D8B711E175B508CEA5

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: dhcpmon.exe PID: 5960 Parent PID: 3388 dhcpmon.exeCOMMON

Executed Functions

Function 00A4A4AA, Relevance: 1.6, APIs: 1, Instructions: 79fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,00000E2C,3112CE32,00000000,00000000,00000000,00000000), ref: 00A4A53D

Memory Dump Source

Source File: 0000000E.00000002.264373275.0000000000A4A000.00000040.00000001.sdmp, Offset: 00A4A000, based on PE: false

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 54a2829bf19d19e2125c39730a5cd0d6f685b21f7887ce1dc2866338a7be5515
Instruction ID: cd7a6808386b971f1668d250dbe45bca31ff08a1d2d4b9e39ac82d2670320a9f
Opcode Fuzzy Hash: 54a2829bf19d19e2125c39730a5cd0d6f685b21f7887ce1dc2866338a7be5515
Instruction Fuzzy Hash: 1421A371409380AFE7128B65DC44F96BFB8EF46310F0884DBEA849F153C265A909CB72

Uniqueness

Uniqueness Score: -1.00%

Function 00A4A336, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 00A4A39C

Memory Dump Source

Source File: 0000000E.00000002.264373275.0000000000A4A000.00000040.00000001.sdmp, Offset: 00A4A000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: ff055746559b84d5662f8b1a9dcb23d9b870e546d5ad376545db118714b236af
Instruction ID: 7ed17f5fc1cae28a55d55f38b10032e88f72d9972ff9c14fdffbaad286e1dda7
Opcode Fuzzy Hash: ff055746559b84d5662f8b1a9dcb23d9b870e546d5ad376545db118714b236af
Instruction Fuzzy Hash: 66218C754093C09FD7128F25DC44A52BFB4EF46220F0984EBDD858F163D278A848CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00A4A1F4, Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNELBASE ref: 00A4A269

Memory Dump Source

Source File: 0000000E.00000002.264373275.0000000000A4A000.00000040.00000001.sdmp, Offset: 00A4A000, based on PE: false

Similarity

API ID: ConsoleOutput
String ID:
API String ID: 3985236979-0
Opcode ID: 5a5912019e93245044f3740451c0857b2cf1860aa8f56f93f481d59963d39186
Instruction ID: 966a2fcd86d22977384530f1a0875f51762ea1d9f8a855286c6aed68287361f4
Opcode Fuzzy Hash: 5a5912019e93245044f3740451c0857b2cf1860aa8f56f93f481d59963d39186
Instruction Fuzzy Hash: 87216D3540D7C49FD7138B258C95A92BFB4EF53220F0E81DBD9848F1A3D269A909DB62

Uniqueness

Uniqueness Score: -1.00%

Function 00A4A4DE, Relevance: 1.6, APIs: 1, Instructions: 60fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,00000E2C,3112CE32,00000000,00000000,00000000,00000000), ref: 00A4A53D

Memory Dump Source

Source File: 0000000E.00000002.264373275.0000000000A4A000.00000040.00000001.sdmp, Offset: 00A4A000, based on PE: false

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 83c85fef9ed1a93e034e3013d57c0d400dc0b4e60536920730b7ae044b092ef1
Instruction ID: 08a02f864ec026909f8a0a39eb887770210c55ed263cd0c095edfc82d83e853b
Opcode Fuzzy Hash: 83c85fef9ed1a93e034e3013d57c0d400dc0b4e60536920730b7ae044b092ef1
Instruction Fuzzy Hash: BC11BF71400600EFEB21CF55DD40FAAFFA8EF54320F14846BEE459B251C275A4098B72

Uniqueness

Uniqueness Score: -1.00%

Function 00A4A36A, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 00A4A39C

Memory Dump Source

Source File: 0000000E.00000002.264373275.0000000000A4A000.00000040.00000001.sdmp, Offset: 00A4A000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 912fe6a3216a7ca31792d3dd2c1dae3d5ac7520e0b5cd326cd569de735f4e4df
Instruction ID: c530da0370550369fa9148a4e36194577475d7849b31420aa23766a09a8b738f
Opcode Fuzzy Hash: 912fe6a3216a7ca31792d3dd2c1dae3d5ac7520e0b5cd326cd569de735f4e4df
Instruction Fuzzy Hash: 8D01DF79500240DFDB10CF29D884766FFA4DF54320F18C0ABDD098F202E6B5E808DB62

Uniqueness

Uniqueness Score: -1.00%

Function 00A4A23A, Relevance: 1.5, APIs: 1, Instructions: 34COMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNELBASE ref: 00A4A269

Memory Dump Source

Source File: 0000000E.00000002.264373275.0000000000A4A000.00000040.00000001.sdmp, Offset: 00A4A000, based on PE: false

Similarity

API ID: ConsoleOutput
String ID:
API String ID: 3985236979-0
Opcode ID: caf9ac09794e15e35afa1b6c2f7be8e700e2868e5bfb7ed98f942b3995d3b0bd
Instruction ID: 52cd6da06375db40005d531bb53403e91d3d533c0bb83d608f1526de4645c9d9
Opcode Fuzzy Hash: caf9ac09794e15e35afa1b6c2f7be8e700e2868e5bfb7ed98f942b3995d3b0bd
Instruction Fuzzy Hash: C6F0C834944644DFD710CF15D8847A2FFA4EF54720F18C09ADD494F212D2B6A448DF62

Uniqueness

Uniqueness Score: -1.00%

Function 0237010F, Relevance: 1.4, Strings: 1, Instructions: 191COMMON

Download Yara Rule

Strings

:@:r, xrefs: 023702C5

Memory Dump Source

Source File: 0000000E.00000002.264560133.0000000002370000.00000040.00000001.sdmp, Offset: 02370000, based on PE: false

Similarity

API ID:
String ID: :@:r
API String ID: 0-1441432688
Opcode ID: 1478a48aabb9cb99409fc360e8bc92f9456dbb33a62bd6f0255196ae28bcf65b
Instruction ID: ac8c46db425e6f43c8f3e9a15ad18412345d1fbe246433cddcf61afee96a0dff
Opcode Fuzzy Hash: 1478a48aabb9cb99409fc360e8bc92f9456dbb33a62bd6f0255196ae28bcf65b
Instruction Fuzzy Hash: 1F716E357112418FDF58EBB8D458B697BE3BF88345F0480A9E8068B7A5CF759D85CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00A2025D, Relevance: .4, Instructions: 433COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.264352289.0000000000A20000.00000040.00000040.sdmp, Offset: 00A20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ef2cfd213a188589dfbd05324b6bfa7b7c92ca94ff27891894287294d09bee4
Instruction ID: 8f37c72e8fd246ac0d0027ad3cc36fa976b95c0c956939f78c93369685e1bcfa
Opcode Fuzzy Hash: 9ef2cfd213a188589dfbd05324b6bfa7b7c92ca94ff27891894287294d09bee4
Instruction Fuzzy Hash: 0911746294F3C10FC7039738AC28255BF709E53124B1E81EBC885CE1A3D60D585AC763

Uniqueness

Uniqueness Score: -1.00%

Function 02370818, Relevance: .4, Instructions: 371COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.264560133.0000000002370000.00000040.00000001.sdmp, Offset: 02370000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4597ca816d5a13d31886a8bc6550991557f1d6dcfd983aca67c76494c3d43f4b
Instruction ID: 241aea038853f92c10468a8792de563e89962a3a00de99023e3dde6b45e2b4b9
Opcode Fuzzy Hash: 4597ca816d5a13d31886a8bc6550991557f1d6dcfd983aca67c76494c3d43f4b
Instruction Fuzzy Hash: 8EF18330200B42CFDF28DFA0E884A2A77A7BBC4355B1485ADD4468B799DB75ED42CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00A42477, Relevance: .2, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.264366690.0000000000A42000.00000040.00000001.sdmp, Offset: 00A42000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5e9c4238f201ac272dabd03f0c6dd6afa1a46abb26b998f1fb9a6acb76b225e
Instruction ID: 59612ce8ff026688ff74dcadca0ba97b789fd518aa08a74a8596fc3085908163
Opcode Fuzzy Hash: b5e9c4238f201ac272dabd03f0c6dd6afa1a46abb26b998f1fb9a6acb76b225e
Instruction Fuzzy Hash: 95518CAA90E3D14FDB135B365834254BFB29EE735079A44CBE4C1CB0A3E12D484A876B

Uniqueness

Uniqueness Score: -1.00%

Function 023706E8, Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.264560133.0000000002370000.00000040.00000001.sdmp, Offset: 02370000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abb321c3beaa146f717125daa8e3a46895537a0f4597149a3aca26567d4103d2
Instruction ID: 745cf08140e74ae02c05e13980f563176f54f63d4bb53547c525492e2d3aeb6c
Opcode Fuzzy Hash: abb321c3beaa146f717125daa8e3a46895537a0f4597149a3aca26567d4103d2
Instruction Fuzzy Hash: 7E31FA707052508FCB59AF7CD068A2D3BE29FC5305B1504BAE406CF7A2EE7ADC868795

Uniqueness

Uniqueness Score: -1.00%

Function 023706F8, Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.264560133.0000000002370000.00000040.00000001.sdmp, Offset: 02370000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11fb5a3b0d35d8faf596d2c0e843ab5a257c3685863dc51c183cc8ae1ff05645
Instruction ID: 1f563816e573533223edb5be85792232be45d940b6e50e91ce87f5333e731626
Opcode Fuzzy Hash: 11fb5a3b0d35d8faf596d2c0e843ab5a257c3685863dc51c183cc8ae1ff05645
Instruction Fuzzy Hash: F021ED303012118FCB596F7CD058A2E3AE6AFC5305B1104B9E406CF7A1EE7ADC858795

Uniqueness

Uniqueness Score: -1.00%

Function 02370DD0, Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.264560133.0000000002370000.00000040.00000001.sdmp, Offset: 02370000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83f802d759ae8591e5db16c952f4a1ffcf5a0506c23a0b89f5441bb127b0f0e8
Instruction ID: f686a669ed3005815b1f79c3476b262bd134cdeeeb4f45a73aa7173ad629cb08
Opcode Fuzzy Hash: 83f802d759ae8591e5db16c952f4a1ffcf5a0506c23a0b89f5441bb127b0f0e8
Instruction Fuzzy Hash: 9E213A30B042808FCB54EBBC98107AD3FB6AFC5610B1040EAC505DB696CF318D06C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 00A205D0, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.264352289.0000000000A20000.00000040.00000040.sdmp, Offset: 00A20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f519c777dbc34a451e05827f531ce435eaeb07a06d9cbd339fc04105880a29a
Instruction ID: 988489adaa85bc55b3d52e73628e87eab4b743a90559b972bf51b32daa46bd1f
Opcode Fuzzy Hash: 9f519c777dbc34a451e05827f531ce435eaeb07a06d9cbd339fc04105880a29a
Instruction Fuzzy Hash: D201D6715097806FD7128F16EC40863FFB8DA86620758C49FED498B612D125A809CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 023700A0, Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.264560133.0000000002370000.00000040.00000001.sdmp, Offset: 02370000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 509134a7b65ec22fbed3ea3aaf4d27c7429321755058a3aa8666795915e5af12
Instruction ID: 75797ac6e98a11f175ff3d7bc4dce977ceb460b746171ad04dc2033b10cdf3db
Opcode Fuzzy Hash: 509134a7b65ec22fbed3ea3aaf4d27c7429321755058a3aa8666795915e5af12
Instruction Fuzzy Hash: B2F04971E4A2899FCF41CFB898645EEBFF4EE4A210B1500EAD884E7112E2240616CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02370EF7, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.264560133.0000000002370000.00000040.00000001.sdmp, Offset: 02370000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d27aaa48df2a6066d314a293f21f0d30622a2b0f356b761f60dbe6a585ab30d
Instruction ID: 1f23d160ad78f4c52321b8ff17d6e1c93465bf0625e35db100352a2fef01f125
Opcode Fuzzy Hash: 0d27aaa48df2a6066d314a293f21f0d30622a2b0f356b761f60dbe6a585ab30d
Instruction Fuzzy Hash: 14F0E93420E2804FC760FBBCE4A49693FF29FCA21071445EFC445D7766C5255C05CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00A205F6, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.264352289.0000000000A20000.00000040.00000040.sdmp, Offset: 00A20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05414f0d6142bf3eda9dfedcd321ea8a2b76bce52af95136b3974c6b9f1c6da5
Instruction ID: 744940e9faaa2093591dab97b714b0365f78620e7691bd886b4776d5951407b3
Opcode Fuzzy Hash: 05414f0d6142bf3eda9dfedcd321ea8a2b76bce52af95136b3974c6b9f1c6da5
Instruction Fuzzy Hash: 87E092766406008FD650CF0BEC41462FBD8EB88630B18C07FDD0D8B701E176B505CEA5

Uniqueness

Uniqueness Score: -1.00%

Function 023700D0, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.264560133.0000000002370000.00000040.00000001.sdmp, Offset: 02370000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39f148f73573a1735e46d9eabf336f3586d19d841d6bc2911c923e903968ea9c
Instruction ID: 9115fe388ebdadec1647e56ea13086fbf3aa83ea2e51b83abd6f0448d31946dc
Opcode Fuzzy Hash: 39f148f73573a1735e46d9eabf336f3586d19d841d6bc2911c923e903968ea9c
Instruction Fuzzy Hash: 89E09A75D0521D9F8F50DFF999455DEBFF8FA48251F100566D508E3201E33556118BE1

Uniqueness

Uniqueness Score: -1.00%

Function 023703C5, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.264560133.0000000002370000.00000040.00000001.sdmp, Offset: 02370000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf691a8938d67de52ec26e3d216199134e7467b18ffcc15819006deb43f7de6d
Instruction ID: 23c9a879b99d92953112cbeab9721f4724afc2477474a76be5ea09e11c53ecd5
Opcode Fuzzy Hash: bf691a8938d67de52ec26e3d216199134e7467b18ffcc15819006deb43f7de6d
Instruction Fuzzy Hash: B8F01C70A407248FEF28DBA4C56C7AD7EF0AF88315F141459E402A62A0CF784985CB44

Uniqueness

Uniqueness Score: -1.00%

Function 02370F08, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.264560133.0000000002370000.00000040.00000001.sdmp, Offset: 02370000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf6dc49be0a0d666998aa263f091433178ab32485bbf77923e13d01e8e7b0f7a
Instruction ID: 9d33a4fbf3bcf42451cd3fce1d2dbc38daac5aee434248d8480c317037b9cff4
Opcode Fuzzy Hash: bf6dc49be0a0d666998aa263f091433178ab32485bbf77923e13d01e8e7b0f7a
Instruction Fuzzy Hash: 95E01A357115108FC754FB6CE444A5A37EBAB8922071040A7D809D7328DA71AC54CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 02370DC0, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.264560133.0000000002370000.00000040.00000001.sdmp, Offset: 02370000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 572af6f6576a6804d2eed3c6c19f4b3457b7f2087a66c0e5c6bfc5d269310ab0
Instruction ID: 2b9186ceefc2558958178f0face3705b3c7d7dbd36887ba2d5d98440856bc653
Opcode Fuzzy Hash: 572af6f6576a6804d2eed3c6c19f4b3457b7f2087a66c0e5c6bfc5d269310ab0
Instruction Fuzzy Hash: 7AE02631A042808FCB14A7B498185D43F70EF0B125F0400E6D8808F2B3D6269D16C7C1

Uniqueness

Uniqueness Score: -1.00%

Function 00A423F4, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.264366690.0000000000A42000.00000040.00000001.sdmp, Offset: 00A42000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9de9c73080b03ed7bd3a05af18c457c63f8bf1f83a288634f475800fad769d42
Instruction ID: 1fa9f4a8e23a7b4ef145a6b49772e56571d6b626d7211ffb0919afc5b640d5a0
Opcode Fuzzy Hash: 9de9c73080b03ed7bd3a05af18c457c63f8bf1f83a288634f475800fad769d42
Instruction Fuzzy Hash: 28D05E79255A818FD3268B1CC1A8BA53B94EB91B04F8644FDF8008B6A3C768D981D200

Uniqueness

Uniqueness Score: -1.00%

Function 00A423BC, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.264366690.0000000000A42000.00000040.00000001.sdmp, Offset: 00A42000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5eecee475ebfff296ffa8a6c982d0a6fa0f67b1f1c7435545e8d3a00878ac18
Instruction ID: 2ff467baae6d11397209abc1808bd48fb91f932919f790269c1b1b1246680886
Opcode Fuzzy Hash: c5eecee475ebfff296ffa8a6c982d0a6fa0f67b1f1c7435545e8d3a00878ac18
Instruction Fuzzy Hash: 80D05E382002818BD715DF0CC594F5937E4AB81B00F0644E8BC008F662C3A8EC81C600

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries.
Tactics:	Command and Control
Data Sources:	Network intrusion detection system, Network protocol analysis, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report parcel_images.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre