Analysis Report PO#4018-308875.pdf.exe

Overview

General Information

Sample Name: PO#4018-308875.pdf.exe
Analysis ID: 341926
MD5: d90049e2aff303588e499820e0d9078c
SHA1: 1153f298db7e6aeed9c3a55c907dfa474ae9155f
SHA256: 761e77be2bbf6089f04b1901c44548bd4ff5ac873a74b1ca0e0604bb902eff22
Tags: exe, NanoCore, RAT

Most interesting Screenshot:

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Yara detected Nanocore RAT
.NET source code contains very large array initializations
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Uses an obfuscated file name to hide its real file extension (double extension)
Uses dynamic DNS services
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains functionality to launch a process as a different user
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Yara signature match

Classification

Startup

  • System is w10x64
  • PO#4018-308875.pdf.exe (PID: 6080 cmdline: 'C:\Users\user\Desktop\PO#4018-308875.pdf.exe' MD5: D90049E2AFF303588E499820E0D9078C)
    • cmd.exe (PID: 5444 cmdline: 'cmd.exe' /c REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'olkkmmxxzaa' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\gfrdeswaq.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 5952 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • reg.exe (PID: 4636 cmdline: REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'olkkmmxxzaa' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\gfrdeswaq.exe' MD5: CEE2A7E57DF2A159A065A34913A055C2)
    • gfrdeswaq.exe (PID: 6764 cmdline: 'C:\Users\user\AppData\Roaming\gfrdeswaq.exe' MD5: D90049E2AFF303588E499820E0D9078C)
      • InstallUtil.exe (PID: 6280 cmdline: C:\Users\user\AppData\Local\Temp\InstallUtil.exe MD5: EFEC8C379D165E3F33B536739AEE26A3)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"C2: ": ["185.162.88.26"], "Version: ": "NanoCore Client, Version=1.2.2.0"}

Yara Overview

Memory Dumps

Source: 00000019.00000002.618309984.0000000000402000.00000040.00000001.sdmp | Rule: Nanocore_RAT_Gen_2 | Description: Detetcs the Nanocore RAT | Author: Florian Roth
  • 0xff8d:$x1: NanoCore.ClientPluginHost
  • 0xffca:$x2: IClientNetworkHost
  • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Source: 00000019.00000002.618309984.0000000000402000.00000040.00000001.sdmp | Rule: JoeSecurity_Nanocore | Description: Yara detected Nanocore RAT | Author: Joe Security
Source: 00000019.00000002.618309984.0000000000402000.00000040.00000001.sdmp | Rule: NanoCore | Description: unknown | Author: Kevin Breen <kevin@techanarchy.net>
  • 0xfcf5:$a: NanoCore
  • 0xfd05:$a: NanoCore
  • 0xff39:$a: NanoCore
  • 0xff4d:$a: NanoCore
  • 0xff8d:$a: NanoCore
  • 0xfd54:$b: ClientPlugin
  • 0xff56:$b: ClientPlugin
  • 0xff96:$b: ClientPlugin
  • 0xfe7b:$c: ProjectData
  • 0x10882:$d: DESCrypto
  • 0x1824e:$e: KeepAlive
  • 0x1623c:$g: LogClientMessage
  • 0x12437:$i: get_Connected
  • 0x10bb8:$j: #=q
  • 0x10be8:$j: #=q
  • 0x10c04:$j: #=q
  • 0x10c34:$j: #=q
  • 0x10c50:$j: #=q
  • 0x10c6c:$j: #=q
  • 0x10c9c:$j: #=q
  • 0x10cb8:$j: #=q
Source: 00000019.00000002.628566138.0000000005010000.00000004.00000001.sdmp | Rule: Nanocore_RAT_Gen_2 | Description: Detetcs the Nanocore RAT | Author: Florian Roth
  • 0xe75:$x1: NanoCore.ClientPluginHost
  • 0xe8f:$x2: IClientNetworkHost
Source: 00000019.00000002.628566138.0000000005010000.00000004.00000001.sdmp | Rule: Nanocore_RAT_Feb18_1 | Description: Detects Nanocore RAT | Author: Florian Roth
  • 0xe75:$x2: NanoCore.ClientPluginHost
  • 0x1261:$s3: PipeExists
  • 0x1136:$s4: PipeCreated
  • 0xeb0:$s5: IClientLoggingHost

Unpacked PEs

Source: 25.2.InstallUtil.exe.5010000.3.raw.unpack | Rule: Nanocore_RAT_Gen_2 | Description: Detetcs the Nanocore RAT | Author: Florian Roth
  • 0xe75:$x1: NanoCore.ClientPluginHost
  • 0xe8f:$x2: IClientNetworkHost
Source: 25.2.InstallUtil.exe.5010000.3.raw.unpack | Rule: Nanocore_RAT_Feb18_1 | Description: Detects Nanocore RAT | Author: Florian Roth
  • 0xe75:$x2: NanoCore.ClientPluginHost
  • 0x1261:$s3: PipeExists
  • 0x1136:$s4: PipeCreated
  • 0xeb0:$s5: IClientLoggingHost
Source: 25.2.InstallUtil.exe.400000.0.unpack | Rule: Nanocore_RAT_Gen_2 | Description: Detetcs the Nanocore RAT | Author: Florian Roth
  • 0x1018d:$x1: NanoCore.ClientPluginHost
  • 0x101ca:$x2: IClientNetworkHost
  • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Source: 25.2.InstallUtil.exe.400000.0.unpack | Rule: Nanocore_RAT_Feb18_1 | Description: Detects Nanocore RAT | Author: Florian Roth
  • 0xff05:$x1: NanoCore Client.exe
  • 0x1018d:$x2: NanoCore.ClientPluginHost
  • 0x117c6:$s1: PluginCommand
  • 0x117ba:$s2: FileCommand
  • 0x1266b:$s3: PipeExists
  • 0x18422:$s4: PipeCreated
  • 0x101b7:$s5: IClientLoggingHost
Source: 25.2.InstallUtil.exe.400000.0.unpack | Rule: JoeSecurity_Nanocore | Description: Yara detected Nanocore RAT | Author: Joe Security

Sigma Overview

System Summary:

Sigma detected: NanoCore
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\InstallUtil.exe, ProcessId: 6280, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Signature Overview

AV Detection:

Found malware configuration
Source: InstallUtil.exe.6280.25.memstr | Malware Configuration Extractor: NanoCore {"C2: ": ["185.162.88.26"], "Version: ": "NanoCore Client, Version=1.2.2.0"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exe | ReversingLabs: Detection: 15%
Multi AV Scanner detection for submitted file
Source: PO#4018-308875.pdf.exe | ReversingLabs: Detection: 15%
Yara detected Nanocore RAT
Source: Yara match | File source: 00000019.00000002.618309984.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000019.00000002.621682158.0000000002971000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.337437485.0000000004734000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000019.00000002.628917829.0000000005220000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000019.00000002.625511486.00000000039B9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000014.00000002.627989417.0000000004C62000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000014.00000002.627812499.0000000004BCF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: InstallUtil.exe PID: 6280, type: MEMORY
Source: Yara match | File source: 25.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 25.2.InstallUtil.exe.5220000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 25.2.InstallUtil.exe.5220000.6.raw.unpack, type: UNPACKEDPE
Source: 25.2.InstallUtil.exe.400000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 25.2.InstallUtil.exe.5220000.6.unpack | Avira: Label: TR/NanoCore.fadte

Compliance:

Uses 32bit PE files
Source: PO#4018-308875.pdf.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: PO#4018-308875.pdf.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Binary contains paths to debug symbols
Source: Binary string: InstallUtil.pdb\rvr hr_CorExeMainmscoree.dll source: InstallUtil.exe, 00000019.00000000.412603173.0000000000502000.00000002.00020000.sdmp, InstallUtil.exe.0.dr
Source: Binary string: InstallUtil.pdb source: InstallUtil.exe, InstallUtil.exe.0.dr
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe | Code function: 4x nop then mov esp, ebp (0_2_0550E678)
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe | Code function: 4x nop then push dword ptr [ebp-24h] (0_2_05506D20)
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh (0_2_05506D20)
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h (0_2_0550CF27)
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h (0_2_05505EE8)
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe | Code function: 4x nop then jmp 0550205Eh (0_2_05501889)
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h (0_2_05507BB8)
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe | Code function: 4x nop then lea esp, dword ptr [ebp-08h] (0_2_0550FA79)
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe | Code function: 4x nop then push dword ptr [ebp-20h] (0_2_05506A00)
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh (0_2_05506A00)
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h (0_2_0550651C)
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe | Code function: 4x nop then push dword ptr [ebp-24h] (0_2_05506D14)
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh (0_2_05506D14)
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe | Code function: 4x nop then xor edx, edx (0_2_05506C58)
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe | Code function: 4x nop then xor edx, edx (0_2_05506C4C)
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h (0_2_05507C98)
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe | Code function: 4x nop then push dword ptr [ebp-20h] (0_2_055069F4)
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh (0_2_055069F4)
Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exe | Code function: 4x nop then push dword ptr [ebp-24h] (20_2_05AE6D20)
Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh (20_2_05AE6D20)
Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h (20_2_05AECF38)
Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h (20_2_05AE5EE8)
Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exe | Code function: 4x nop then jmp 05AE205Eh (20_2_05AE1898)
Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h (20_2_05AE7BB8)
Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exe | Code function: 4x nop then push dword ptr [ebp-20h] (20_2_05AE6A00)
Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh (20_2_05AE6A00)
Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h (20_2_05AE651C)
Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exe | Code function: 4x nop then push dword ptr [ebp-24h] (20_2_05AE6D14)
Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh (20_2_05AE6D14)
Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h (20_2_05AE7C98)
Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exe | Code function: 4x nop then xor edx, edx (20_2_05AE6C4C)
Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exe | Code function: 4x nop then xor edx, edx (20_2_05AE6C58)
Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h (20_2_05AECF27)
Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exe | Code function: 4x nop then push dword ptr [ebp-20h] (20_2_05AE69F4)
Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh (20_2_05AE69F4)
Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exe | Code function: 4x nop then jmp 05AE205Eh (20_2_05AE1889)

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | IPs: 185.162.88.26
Uses dynamic DNS services
Source: unknown | DNS query: name: fenixalec.ddns.net
Source: global traffic | TCP traffic: 192.168.2.5:49729 -> 185.162.88.26:20911
Source: Joe Sandbox View | ASN Name: AS40676US AS40676US
Source: unknown | DNS traffic detected: queries for: fenixalec.ddns.net
Source: PO#4018-308875.pdf.exe, 00000000.00000003.331443931.00000000014C9000.00000004.00000001.sdmp | String found in binary or memory: http://ns.ado/Ident
Source: InstallUtil.exe, 00000019.00000002.625511486.00000000039B9000.00000004.00000001.sdmp | Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT
Source: Yara match | File source: 00000019.00000002.618309984.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000019.00000002.621682158.0000000002971000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.337437485.0000000004734000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000019.00000002.628917829.0000000005220000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000019.00000002.625511486.00000000039B9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000014.00000002.627989417.0000000004C62000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000014.00000002.627812499.0000000004BCF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: InstallUtil.exe PID: 6280, type: MEMORY
Source: Yara match | File source: 25.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 25.2.InstallUtil.exe.5220000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 25.2.InstallUtil.exe.5220000.6.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000019.00000002.618309984.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000019.00000002.618309984.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000019.00000002.628566138.0000000005010000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.337437485.0000000004734000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.337437485.0000000004734000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000019.00000002.628917829.0000000005220000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000019.00000002.625511486.00000000039B9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000014.00000002.627989417.0000000004C62000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000014.00000002.627989417.0000000004C62000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000014.00000002.627812499.0000000004BCF000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000014.00000002.627812499.0000000004BCF000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: InstallUtil.exe PID: 6280, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: InstallUtil.exe PID: 6280, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 25.2.InstallUtil.exe.5010000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 25.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 25.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 25.2.InstallUtil.exe.5220000.6.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 25.2.InstallUtil.exe.5220000.6.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
.NET source code contains very large array initializations
Source: PO#4018-308875.pdf.exe, Cx1/r2K.cs | Large array initialization: .cctor: array initializer size 2491
Source: gfrdeswaq.exe.0.dr, Cx1/r2K.cs | Large array initialization: .cctor: array initializer size 2491
Source: 0.0.PO#4018-308875.pdf.exe.9d0000.0.unpack, Cx1/r2K.cs | Large array initialization: .cctor: array initializer size 2491
Source: 0.2.PO#4018-308875.pdf.exe.9d0000.0.unpack, Cx1/r2K.cs | Large array initialization: .cctor: array initializer size 2491
Source: 20.2.gfrdeswaq.exe.e50000.0.unpack, Cx1/r2K.cs | Large array initialization: .cctor: array initializer size 2491
Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: PO#4018-308875.pdf.exe
Source: initial sample | Static PE information: Filename: PO#4018-308875.pdf.exe
Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exe | Code function: 20_2_05A13F34 CreateProcessAsUserW
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe | Code function: 0_2_013BC02F
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe | Code function: 0_2_013B8BD0
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe | Code function: 0_2_013B5AD0
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe | Code function: 0_2_013B54AB
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe | Code function: 0_2_013BB4F8
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe | Code function: 0_2_013BD760
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe | Code function: 0_2_013B18F8
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe | Code function: 0_2_013B0C40
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe | Code function: 0_2_013BAF38
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe | Code function: 0_2_0550D5D8
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe | Code function: 0_2_05500040
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe | Code function: 0_2_05502088
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe | Code function: 0_2_05501889
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe | Code function: 0_2_0550D5C8
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe | Code function: 0_2_055074D8
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe | Code function: 0_2_055074C9
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe | Code function: 0_2_05502078
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe | Code function: 0_2_05500006
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe | Code function: 0_2_0550E0E8
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe | Code function: 0_2_05507E75
Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exe | Code function: 20_2_03263318
Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exe | Code function: 20_2_03268BD0
Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exe | Code function: 20_2_0326C040
Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exe | Code function: 20_2_0326D770
Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exe | Code function: 20_2_0326B548
Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exe | Code function: 20_2_032654B8
Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exe | Code function: 20_2_0326C02F
Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exe | Code function: 20_2_0326AF38
Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exe | Code function: 20_2_0326D760
Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exe | Code function: 20_2_03260CB0
Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exe | Code function: 20_2_0326B4F8
Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exe | Code function: 20_2_05A16D28
Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exe | Code function: 20_2_05A14438
Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exe | Code function: 20_2_05A10040
Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exe | Code function: 20_2_05A11B00
Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exe | Code function: 20_2_05A12230
Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exe | Code function: 20_2_05A17958
Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exe | Code function: 20_2_05A13800
Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exe | Code function: 20_2_05A10006
Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exe | Code function: 20_2_05A13810
Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exe | Code function: 20_2_05A13388
Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exe | Code function: 20_2_05A13398
Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exe | Code function: 20_2_05A15BE0
Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exe | Code function: 20_2_05A14EE8
Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exe | Code function: 20_2_05A11AF1
Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exe | Code function: 20_2_05A12220
Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exe | Code function: 20_2_05AEF6A8
Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exe | Code function: 20_2_05AED180
Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exe | Code function: 20_2_05AE2088
Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exe | Code function: 20_2_05AE0040
Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exe | Code function: 20_2_05AEECC0
Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exe | Code function: 20_2_05AE7E90
Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exe | Code function: 20_2_05AE1898
Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exe | Code function: 20_2_05AE74CB
Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exe | Code function: 20_2_05AE74D8
Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exe | Code function: 20_2_05AED170
Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exe | Code function: 20_2_05AE0006
Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exe | Code function: 20_2_05AE2078
Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exe | Code function: 20_2_05AE7E80
Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exe | Code function: 20_2_05AE1889
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 25_2_005020B0
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 25_2_04DFE480
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 25_2_04DFE471
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 25_2_04DFBBD4
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 25_2_04F7F5F8
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 25_2_04F79788
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 25_2_04F7A610
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\InstallUtil.exe 46DEE184523A584E56DF93389F81992911A1BA6B1F05AD7D803C6AB1450E18CB
Source: PO#4018-308875.pdf.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: PO#4018-308875.pdf.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: PO#4018-308875.pdf.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: gfrdeswaq.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: gfrdeswaq.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: gfrdeswaq.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: PO#4018-308875.pdf.exe, 00000000.00000002.333040710.0000000001430000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs PO#4018-308875.pdf.exe
Source: PO#4018-308875.pdf.exe, 00000000.00000002.336488472.0000000003DF1000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSHCore1.dll0 vs PO#4018-308875.pdf.exe
Source: PO#4018-308875.pdf.exe, 00000000.00000002.333139108.0000000001490000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs PO#4018-308875.pdf.exe
Source: PO#4018-308875.pdf.exe, 00000000.00000002.333139108.0000000001490000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs PO#4018-308875.pdf.exe
Source: PO#4018-308875.pdf.exe, 00000000.00000002.341746042.0000000005530000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs PO#4018-308875.pdf.exe
Source: PO#4018-308875.pdf.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: unknown | Process created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'olkkmmxxzaa' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\gfrdeswaq.exe'
Source: 00000019.00000002.618309984.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000019.00000002.618309984.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000019.00000002.628566138.0000000005010000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000019.00000002.628566138.0000000005010000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.337437485.0000000004734000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.337437485.0000000004734000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000019.00000002.628917829.0000000005220000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000019.00000002.628917829.0000000005220000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000019.00000002.625511486.00000000039B9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000014.00000002.627989417.0000000004C62000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000014.00000002.627989417.0000000004C62000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000014.00000002.627812499.0000000004BCF000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000014.00000002.627812499.0000000004BCF000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: InstallUtil.exe PID: 6280, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: InstallUtil.exe PID: 6280, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 25.2.InstallUtil.exe.5010000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 25.2.InstallUtil.exe.5010000.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 25.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 25.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 25.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 25.2.InstallUtil.exe.5220000.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 25.2.InstallUtil.exe.5220000.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 25.2.InstallUtil.exe.5220000.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 25.2.InstallUtil.exe.5220000.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: classification engineClassification label: mal100.troj.evad.winEXE@10/5@9/2
      Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exeFile created: C:\Users\user\AppData\Roaming\gfrdeswaq.exeJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{4c844ad7-de78-4c04-815b-d468ebb89811}
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5952:120:WilError_01
      Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exeFile created: C:\Users\user\AppData\Local\Temp\InstallUtil.exeJump to behavior
      Source: PO#4018-308875.pdf.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
      Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
      Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
      Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
      Source: PO#4018-308875.pdf.exeReversingLabs: Detection: 15%
      Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exeFile read: C:\Users\user\Desktop\PO#4018-308875.pdf.exeJump to behavior
      Source: unknownProcess created: C:\Users\user\Desktop\PO#4018-308875.pdf.exe 'C:\Users\user\Desktop\PO#4018-308875.pdf.exe'
      Source: unknownProcess created: C:\Windows\SysWOW64\cmd.exe 'cmd.exe' /c REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'olkkmmxxzaa' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\gfrdeswaq.exe'
      Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: unknownProcess created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'olkkmmxxzaa' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\gfrdeswaq.exe'
      Source: unknownProcess created: C:\Users\user\AppData\Roaming\gfrdeswaq.exe 'C:\Users\user\AppData\Roaming\gfrdeswaq.exe'
      Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe C:\Users\user\AppData\Local\Temp\InstallUtil.exe
      Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exeProcess created: C:\Windows\SysWOW64\cmd.exe 'cmd.exe' /c REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'olkkmmxxzaa' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\gfrdeswaq.exe'Jump to behavior
      Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exeProcess created: C:\Users\user\AppData\Roaming\gfrdeswaq.exe 'C:\Users\user\AppData\Roaming\gfrdeswaq.exe' Jump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'olkkmmxxzaa' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\gfrdeswaq.exe'Jump to behavior
      Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exeProcess created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe C:\Users\user\AppData\Local\Temp\InstallUtil.exeJump to behavior
      Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32Jump to behavior
      Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
      Source: PO#4018-308875.pdf.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
      Source: PO#4018-308875.pdf.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
      Source: Binary string: InstallUtil.pdb\rvr hr_CorExeMainmscoree.dll source: InstallUtil.exe, 00000019.00000000.412603173.0000000000502000.00000002.00020000.sdmp, InstallUtil.exe.0.dr
      Source: Binary string: InstallUtil.pdb source: InstallUtil.exe, InstallUtil.exe.0.dr
      Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe | Code function: 0_2_009D2AD4 pushad ; retf 0_2_009D2AD5
      Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe | Code function: 0_2_009D2ED1 push edx; ret 0_2_009D2ED2
      Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe | Code function: 0_2_009D36CC push eax; retf 0_2_009D36CD
      Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe | Code function: 0_2_009D21C5 push ebx; ret 0_2_009D21C9
      Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe | Code function: 0_2_013B15A0 pushad ; iretd 0_2_013B1649
      Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe | Code function: 0_2_013B161F pushad ; iretd 0_2_013B1649
      Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe | Code function: 0_2_0550C2B8 push 5DE58B90h; ret 0_2_0550C27C
      Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exe | Code function: 20_2_00E521C5 push ebx; ret 20_2_00E521C9
      Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exe | Code function: 20_2_00E536CC push eax; retf 20_2_00E536CD
      Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exe | Code function: 20_2_00E52AD4 pushad ; retf 20_2_00E52AD5
      Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exe | Code function: 20_2_00E52ED1 push edx; ret 20_2_00E52ED2
      Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exe | Code function: 20_2_0326161F pushad ; iretd 20_2_03261649
      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 25_2_04F769F8 pushad ; retf 25_2_04F769F9
      Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe | File created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe
      Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe | File created: C:\Users\user\AppData\Roaming\gfrdeswaq.exe
      Source: C:\Windows\SysWOW64\reg.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run olkkmmxxzaa

      Hooking and other Techniques for Hiding and Protection:

      Hides that the sample has been downloaded from the Internet (zone.identifier)
      Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe | File opened: C:\Users\user\Desktop\PO#4018-308875.pdf.exe\:Zone.Identifier read attributes | delete
      Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exe | File opened: C:\Users\user\AppData\Roaming\gfrdeswaq.exe\:Zone.Identifier read attributes | delete
      Uses an obfuscated file name to hide its real file extension (double extension)
      Source: Possible double extension: pdf.exe | Static PE information: PO#4018-308875.pdf.exe
      Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
      Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
      Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe | Thread delayed: delay time: 922337203685477
      Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exe | Thread delayed: delay time: 922337203685477
      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Thread delayed: delay time: 922337203685477
      Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe | Window / User API: threadDelayed 2655
      Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe | Window / User API: threadDelayed 7155
      Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exe | Window / User API: threadDelayed 8964
      Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exe | Window / User API: threadDelayed 840
      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Window / User API: threadDelayed 1392
      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Window / User API: threadDelayed 8306
      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Window / User API: foregroundWindowGot 750
      Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe TID: 5928 | Thread sleep time: -11068046444225724s >= -30000s
      Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe TID: 5928 | Thread sleep time: -30000s >= -30000s
      Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe TID: 4528 | Thread sleep count: 2655 > 30
      Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe TID: 4528 | Thread sleep count: 7155 > 30
      Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exe TID: 6940 | Thread sleep time: -12912720851596678s >= -30000s
      Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exe TID: 6940 | Thread sleep time: -30000s >= -30000s
      Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exe TID: 6944 | Thread sleep count: 8964 > 30
      Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exe TID: 6944 | Thread sleep count: 840 > 30
      Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exe TID: 6940 | Thread sleep count: 45 > 30
      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 6312 | Thread sleep time: -2767011611056431s >= -30000s
      Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
      Source: gfrdeswaq.exe, 00000014.00000002.627687152.0000000004321000.00000004.00000001.sdmp | Binary or memory string: VMware
      Source: gfrdeswaq.exe, 00000014.00000002.627687152.0000000004321000.00000004.00000001.sdmp | Binary or memory string: vmware svga
      Source: PO#4018-308875.pdf.exe, 00000000.00000002.342115569.0000000008108000.00000004.00000001.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{e6e9dfd8-98f2-11e9-90ce-806e6f6e6963}\DosDevices\D:
      Source: PO#4018-308875.pdf.exe, 00000000.00000002.341746042.0000000005530000.00000002.00000001.sdmp, reg.exe, 00000004.00000002.235703391.0000000001140000.00000002.00000001.sdmp, InstallUtil.exe, 00000019.00000002.629244850.0000000006330000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
      Source: gfrdeswaq.exe, 00000014.00000002.627687152.0000000004321000.00000004.00000001.sdmp | Binary or memory string: vmware
      Source: PO#4018-308875.pdf.exe, 00000000.00000002.336488472.0000000003DF1000.00000004.00000001.sdmp, gfrdeswaq.exe, 00000014.00000002.627687152.0000000004321000.00000004.00000001.sdmp | Binary or memory string: tpautoconnsvc#Microsoft Hyper-V
      Source: PO#4018-308875.pdf.exe, 00000000.00000002.336488472.0000000003DF1000.00000004.00000001.sdmp, gfrdeswaq.exe, 00000014.00000002.627687152.0000000004321000.00000004.00000001.sdmp | Binary or memory string: cmd.txtQEMUqemu
      Source: PO#4018-308875.pdf.exe, 00000000.00000002.336488472.0000000003DF1000.00000004.00000001.sdmp, gfrdeswaq.exe, 00000014.00000002.627687152.0000000004321000.00000004.00000001.sdmp | Binary or memory string: vmusrvc
      Source: gfrdeswaq.exe, 00000014.00000002.627687152.0000000004321000.00000004.00000001.sdmp | Binary or memory string: vmsrvc
      Source: gfrdeswaq.exe, 00000014.00000002.627687152.0000000004321000.00000004.00000001.sdmp | Binary or memory string: vmtools
      Source: gfrdeswaq.exe, 00000014.00000002.627687152.0000000004321000.00000004.00000001.sdmp | Binary or memory string: vmware sata5vmware usb pointing device-vmware vmci bus deviceCvmware virtual s scsi disk device
      Source: gfrdeswaq.exe, 00000014.00000002.627687152.0000000004321000.00000004.00000001.sdmp | Binary or memory string: vboxservicevbox)Microsoft Virtual PC
      Source: PO#4018-308875.pdf.exe, 00000000.00000002.341746042.0000000005530000.00000002.00000001.sdmp, reg.exe, 00000004.00000002.235703391.0000000001140000.00000002.00000001.sdmp, InstallUtil.exe, 00000019.00000002.629244850.0000000006330000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
      Source: PO#4018-308875.pdf.exe, 00000000.00000002.341746042.0000000005530000.00000002.00000001.sdmp, reg.exe, 00000004.00000002.235703391.0000000001140000.00000002.00000001.sdmp, InstallUtil.exe, 00000019.00000002.629244850.0000000006330000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
      Source: gfrdeswaq.exe, 00000014.00000002.627687152.0000000004321000.00000004.00000001.sdmp | Binary or memory string: virtual-vmware pointing device
      Source: PO#4018-308875.pdf.exe, 00000000.00000002.341746042.0000000005530000.00000002.00000001.sdmp, reg.exe, 00000004.00000002.235703391.0000000001140000.00000002.00000001.sdmp, InstallUtil.exe, 00000019.00000002.629244850.0000000006330000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
      Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe | Process information queried: ProcessInformation
      Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe | Process token adjusted: Debug
      Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exe | Process token adjusted: Debug
      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Process token adjusted: Debug
      Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe | Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Allocates memory in foreign processes
Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exe; Memory allocated: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 400000 protect: page execute and read and write
Injects a PE file into a foreign process
Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exe; Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 400000 value starts with: 4D5A
Writes to foreign memory regions
Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exe; Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 400000
Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exe; Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 402000
Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exe; Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 420000
Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exe; Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 422000
Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exe; Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 68C008
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe; Process created: C:\Windows\SysWOW64\cmd.exe 'cmd.exe' /c REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'olkkmmxxzaa' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\gfrdeswaq.exe'
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe; Process created: C:\Users\user\AppData\Roaming\gfrdeswaq.exe 'C:\Users\user\AppData\Roaming\gfrdeswaq.exe'
Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'olkkmmxxzaa' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\gfrdeswaq.exe'
Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exe; Process created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe C:\Users\user\AppData\Local\Temp\InstallUtil.exe
Source: InstallUtil.exe, 00000019.00000002.625145136.0000000002DAD000.00000004.00000001.sdmp; Binary or memory string: Program Manager
Source: gfrdeswaq.exe, 00000014.00000002.620841266.0000000001CF0000.00000002.00000001.sdmp, InstallUtil.exe, 00000019.00000002.621252206.00000000012F0000.00000002.00000001.sdmp; Binary or memory string: Shell_TrayWnd
Source: gfrdeswaq.exe, 00000014.00000002.620841266.0000000001CF0000.00000002.00000001.sdmp, InstallUtil.exe, 00000019.00000002.621252206.00000000012F0000.00000002.00000001.sdmp; Binary or memory string: Progman
Source: gfrdeswaq.exe, 00000014.00000002.620841266.0000000001CF0000.00000002.00000001.sdmp, InstallUtil.exe, 00000019.00000002.621252206.00000000012F0000.00000002.00000001.sdmp; Binary or memory string: SProgram Managerl
Source: InstallUtil.exe, 00000019.00000002.629234238.0000000005F6E000.00000004.00000001.sdmp; Binary or memory string: Program Manager0
Source: InstallUtil.exe, 00000019.00000002.622561201.0000000002A9B000.00000004.00000001.sdmp; Binary or memory string: Program Managerx
Source: gfrdeswaq.exe, 00000014.00000002.620841266.0000000001CF0000.00000002.00000001.sdmp, InstallUtil.exe, 00000019.00000002.621252206.00000000012F0000.00000002.00000001.sdmp; Binary or memory string: Shell_TrayWnd,
Source: gfrdeswaq.exe, 00000014.00000002.620841266.0000000001CF0000.00000002.00000001.sdmp, InstallUtil.exe, 00000019.00000002.621252206.00000000012F0000.00000002.00000001.sdmp; Binary or memory string: Progmanlock
Source: InstallUtil.exe, 00000019.00000002.621682158.0000000002971000.00000004.00000001.sdmp; Binary or memory string: Program Manager`
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe; Queries volume information: C:\Users\user\Desktop\PO#4018-308875.pdf.exe VolumeInformation
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exe; Queries volume information: C:\Users\user\AppData\Roaming\gfrdeswaq.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe; Queries volume information: C:\Users\user\AppData\Local\Temp\InstallUtil.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected Nanocore RAT
Source: Yara match; File source: 00000019.00000002.618309984.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000019.00000002.621682158.0000000002971000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.337437485.0000000004734000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000019.00000002.628917829.0000000005220000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000019.00000002.625511486.00000000039B9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000014.00000002.627989417.0000000004C62000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000014.00000002.627812499.0000000004BCF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: InstallUtil.exe PID: 6280, type: MEMORY
Source: Yara match; File source: 25.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 25.2.InstallUtil.exe.5220000.6.unpack, type: UNPACKEDPE
Source: Yara match; File source: 25.2.InstallUtil.exe.5220000.6.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Detected Nanocore Rat
Source: InstallUtil.exe, 00000019.00000002.618309984.0000000000402000.00000040.00000001.sdmp; String found in binary or memory: NanoCore.ClientPluginHost
Source: InstallUtil.exe, 00000019.00000002.621682158.0000000002971000.00000004.00000001.sdmp; String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Yara detected Nanocore RAT
Source: Yara match; File source: 00000019.00000002.618309984.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000019.00000002.621682158.0000000002971000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.337437485.0000000004734000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000019.00000002.628917829.0000000005220000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000019.00000002.625511486.00000000039B9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000014.00000002.627989417.0000000004C62000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000014.00000002.627812499.0000000004BCF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: InstallUtil.exe PID: 6280, type: MEMORY
Source: Yara match; File source: 25.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 25.2.InstallUtil.exe.5220000.6.unpack, type: UNPACKEDPE
Source: Yara match; File source: 25.2.InstallUtil.exe.5220000.6.raw.unpack, type: UNPACKEDPE

      Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts1 | Windows Management Instrumentation | Valid Accounts1 | Valid Accounts1 | Masquerading11 | Input Capture11 | Query Registry1 | Remote Services | Input Capture11 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Registry Run Keys / Startup Folder1 | Access Token Manipulation1 | Valid Accounts1 | LSASS Memory | Security Software Discovery111 | Remote Desktop Protocol | Archive Collected Data1 | Exfiltration Over Bluetooth | Non-Standard Port1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Process Injection312 | Modify Registry1 | Security Account Manager | Virtualization/Sandbox Evasion3 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Remote Access Software1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Registry Run Keys / Startup Folder1 | Access Token Manipulation1 | NTDS | Process Discovery2 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Non-Application Layer Protocol1 | SIM Card Swap | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Virtualization/Sandbox Evasion3 | LSA Secrets | Application Window Discovery1 | SSH | Keylogging | Data Transfer Size Limits | Application Layer Protocol21 | Manipulate Device Communication | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Disable or Modify Tools1 | Cached Domain Credentials | File and Directory Discovery1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Process Injection312 | DCSync | System Information Discovery12 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Hidden Files and Directories1 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Obfuscated Files or Information12 | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | Data Destruction
Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | Software Packing1 | Network Sniffing | Process Discovery | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols | Data Encrypted for Impact

      Behavior Graph

Behavior Graph ID: 341926; Sample: PO#4018-308875.pdf.exe; Start date: 20/01/2021; Architecture: WINDOWS; Score: 100

Graph contents (rendered as text):
• Start: DNS/IP: fenixalec.ddns.net; signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 8 other signatures
• PO#4018-308875.pdf.exe (started): dropped C:\Users\user\AppData\Roaming\gfrdeswaq.exe (PE32), C:\Users\user\AppData\...\InstallUtil.exe (PE32), C:\Users\...\gfrdeswaq.exe:Zone.Identifier (ASCII), C:\Users\user\...\PO#4018-308875.pdf.exe.log (ASCII); signature: Hides that the sample has been downloaded from the Internet (zone.identifier); started gfrdeswaq.exe and cmd.exe
• gfrdeswaq.exe (started): signatures: Multi AV Scanner detection for dropped file; Writes to foreign memory regions; Allocates memory in foreign processes; 2 other signatures; started InstallUtil.exe
• cmd.exe (started): started conhost.exe and reg.exe
• InstallUtil.exe (started): DNS/IP: fenixalec.ddns.net 185.162.88.26, ports 20911, 49729, 49730, AS40676US, Netherlands; 192.168.2.1 unknown unknown; dropped C:\Users\user\AppData\Roaming\...\run.dat (data)

      Screenshots


      Antivirus, Machine Learning and Genetic Malware Detection

      Initial Sample

Source | Detection | Scanner | Label
PO#4018-308875.pdf.exe | 15% | ReversingLabs | Win32.Trojan.Wacatac

      Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\InstallUtil.exe | 0% | Metadefender |
C:\Users\user\AppData\Local\Temp\InstallUtil.exe | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\gfrdeswaq.exe | 15% | ReversingLabs | Win32.Trojan.Wacatac

      Unpacked PE Files

Source | Detection | Scanner | Label
25.2.InstallUtil.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
25.2.InstallUtil.exe.5220000.6.unpack | 100% | Avira | TR/NanoCore.fadte

      Domains

Source | Detection | Scanner | Label
fenixalec.ddns.net | 4% | Virustotal |

      URLs

Source | Detection | Scanner | Label
http://ns.ado/Ident | 0% | Avira URL Cloud | safe

      Domains and IPs

      Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
fenixalec.ddns.net | 185.162.88.26 | true | true | | unknown

      URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://ns.ado/Ident | PO#4018-308875.pdf.exe, 00000000.00000003.331443931.00000000014C9000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown

      Contacted IPs


      Public

IP | Domain | Country | ASN | ASN Name | Malicious
185.162.88.26 | unknown | Netherlands | 40676 | AS40676US | true

      Private

      IP
      192.168.2.1

      General Information

Joe Sandbox Version: 31.0.0 Red Diamond
Analysis ID: 341926
Start date: 20.01.2021
Start time: 07:29:15
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 11m 19s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: PO#4018-308875.pdf.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 35
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winEXE@10/5@9/2
EGA Information: Failed
HDC Information:
• Successful, ratio: 0.4% (good quality ratio 0.1%)
• Quality average: 18.2%
• Quality standard deviation: 32.6%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 87
• Number of non-executed functions: 9
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
• Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
• Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, RuntimeBroker.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, UsoClient.exe, wuapihost.exe
• Excluded IPs from analysis (whitelisted): 104.43.193.48, 40.88.32.150, 51.104.139.180, 92.122.213.247, 92.122.213.194, 51.103.5.186, 20.54.26.129, 52.155.217.156
• Excluded domains from analysis (whitelisted): displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, client.wns.windows.com, arc.msn.com.nsatc.net, ris-prod.trafficmanager.net, displaycatalog.md.mp.microsoft.com.akadns.net, a1449.dscg2.akamai.net, wns.notify.windows.com.akadns.net, arc.msn.com, skypedataprdcolcus15.cloudapp.net, ris.api.iris.microsoft.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, skypedataprdcoleus15.cloudapp.net, emea1.notify.windows.com.akadns.net, blobcollector.events.data.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, par02p.wns.notify.trafficmanager.net
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.

      Simulations

      Behavior and APIs

Time | Type | Description
07:30:11 | API Interceptor | 201x Sleep call for process: PO#4018-308875.pdf.exe modified
07:30:12 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run olkkmmxxzaa C:\Users\user\AppData\Roaming\gfrdeswaq.exe
07:30:20 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run olkkmmxxzaa C:\Users\user\AppData\Roaming\gfrdeswaq.exe
07:31:03 | API Interceptor | 200x Sleep call for process: gfrdeswaq.exe modified

      Joe Sandbox View / Context

      IPs

Match: 185.162.88.26; associated samples (Detection: malicious for each):
• MEDUSI492126.pdf.exe
• silkOrder00110.pdf.exe
• Order_BC012356.pdf.exe
• Document#20014464370.pdf.exe

Domains

Match: fenixalec.ddns.net; associated samples (Detection: malicious for each, Context: contacted IP):
• MEDUSI492126.pdf.exe; Context: 185.162.88.26
• silkOrder00110.pdf.exe; Context: 185.162.88.26
• Order_BC012356.pdf.exe; Context: 185.162.88.26
• Document#20014464370.pdf.exe; Context: 185.162.88.26

ASN

Match: AS40676US; associated samples (Detection: malicious for each, Context: contacted IP):
• Ulma9B5jo1.exe; Context: 104.149.57.92
• MEDUSI492126.pdf.exe; Context: 185.162.88.26
• Request for Quotation.exe; Context: 45.34.249.53
• silkOrder00110.pdf.exe; Context: 185.162.88.26
• Order_BC012356.pdf.exe; Context: 185.162.88.26
• Document#20014464370.pdf.exe; Context: 185.162.88.26
• t1XJOlYvhExZyrm.exe; Context: 104.225.208.15
• SWIFT_COPY00993Payment_advic4555pdf.exe; Context: 172.106.111.244
• QN08qH1zYv.exe; Context: 104.149.57.92
• SWIFT-COPY Payment advice3243343.exe; Context: 172.106.111.244
• catalogo TAWI group.exe; Context: 107.160.127.252
• Rfq 214871_TAWI Catalog.exe; Context: 107.160.127.252
• Rfq_Catalog.exe; Context: 107.160.127.252
• NPD76122.exe; Context: 104.217.231.247
• h3dFAROdF3.exe; Context: 104.217.231.248
• d2mISAbTQN.exe; Context: 104.217.231.248
• n41pVXkYCe.exe; Context: 104.217.231.248
• kqwqyoFz1C.exe; Context: 104.217.231.248
• 53McmgaUJP.exe; Context: 104.217.231.248
• BsR85tOyjL.exe; Context: 104.217.231.248

              JA3 Fingerprints

              No context

Dropped Files

Match: C:\Users\user\AppData\Local\Temp\InstallUtil.exe; associated samples (Detection: malicious for each):
• SecuriteInfo.com.Trojan.PackedNET.509.8504.exe
• IMG_80137.pdf.exe
• Ziraat Bankasi Swift Mesaji.exe
• MEDUSI492126.pdf.exe
• 2GNCGUZ6JU.exe
• IMG_53771.pdf.exe
• SecuriteInfo.com.Generic.mg.fb5363e0cae04979.exe
• Ziraat Bankasi Swift Mesaji.exe
• silkOrder00110.pdf.exe
• 74725794.exe
• 74725794.exe
• IMG_53091.pdf.exe
• IMG_71103.pdf.exe
• WjIKk3FzeI.exe
• iv2yPzJEMs.exe
• Jb4NE4iWz5.exe
• mmcrkHjIb3.exe
• fkGmyP7ryc.exe
• product supplies 10589TW.exe
• IMG_13791.pdf.exe

                                                      Created / dropped Files

                                                      C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PO#4018-308875.pdf.exe.log
                                                      Process:C:\Users\user\Desktop\PO#4018-308875.pdf.exe
                                                      File Type:ASCII text, with CRLF line terminators
                                                      Category:modified
                                                      Size (bytes):1451
                                                      Entropy (8bit):5.345862727722058
                                                      Encrypted:false
                                                      SSDEEP:24:ML9E4Ks2eE4O1lEE4UVwPKDE4KhK3VZ9pKhuE4IWUAE4KI6no84G1qE4j:MxHKXeHKlEHU0YHKhQnouHIW7HKjovGm
                                                      MD5:06F54CDBFEF62849AF5AE052722BD7B6
                                                      SHA1:FB0250AAC2057D0B5BCE4CE130891E428F28DA05
                                                      SHA-256:4C039B93A728B546F49C47ED8B448D40A3553CDAABB147067AEE3958133CB446
                                                      SHA-512:34EF5F6D5EAB0E5B11AC81F0D72FC56304291EDEEF6D19DF7145FDECAB5D342767DBBC0B4384B8DECB5741E6B85A4B431DF14FBEB5DDF2DEE103064D2895EABB
                                                      Malicious:true
                                                      Reputation:moderate, very likely benign file
                                                      Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"PresentationCore, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\PresentationCore\820a27781e8540ca263d835ec155f1a5\PresentationCore.ni.dll",0..3,"PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\Presentatio5ae0f00f#\889128adc9a7c9370e5e293f65060164\PresentationFramework.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"WindowsBase, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\Wi
C:\Users\user\AppData\Local\Temp\InstallUtil.exe
Process: C:\Users\user\Desktop\PO#4018-308875.pdf.exe
File Type: PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 41064
Entropy (8bit): 6.164873449128079
Encrypted: false
SSDEEP: 384:FtpFVLK0MsihB9VKS7xdgE7KJ9Yl6dnPU3SERztmbqCJstdMardz/JikPZ+sPZTd:ZBMs2SqdD86Iq8gZZFyViML3an
MD5: EFEC8C379D165E3F33B536739AEE26A3
SHA1: C875908ACBA5CAC1E0B40F06A83F0F156A2640FA
SHA-256: 46DEE184523A584E56DF93389F81992911A1BA6B1F05AD7D803C6AB1450E18CB
SHA-512: 497847EC115D9AF78899E6DC20EC32A60B16954F83CF5169A23DD3F1459CB632DAC95417BD898FD1895C9FE2262FCBF7838FCF6919FB3B851A0557FBE07CCFFA
Malicious: true
Antivirus:
• Antivirus: Metadefender, Detection: 0%
• Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: SecuriteInfo.com.Trojan.PackedNET.509.8504.exe, Detection: malicious
• Filename: IMG_80137.pdf.exe, Detection: malicious
• Filename: Ziraat Bankasi Swift Mesaji.exe, Detection: malicious
• Filename: MEDUSI492126.pdf.exe, Detection: malicious
• Filename: 2GNCGUZ6JU.exe, Detection: malicious
• Filename: IMG_53771.pdf.exe, Detection: malicious
• Filename: SecuriteInfo.com.Generic.mg.fb5363e0cae04979.exe, Detection: malicious
• Filename: Ziraat Bankasi Swift Mesaji.exe, Detection: malicious
• Filename: silkOrder00110.pdf.exe, Detection: malicious
• Filename: 74725794.exe, Detection: malicious
• Filename: 74725794.exe, Detection: malicious
• Filename: IMG_53091.pdf.exe, Detection: malicious
• Filename: IMG_71103.pdf.exe, Detection: malicious
• Filename: WjIKk3FzeI.exe, Detection: malicious
• Filename: iv2yPzJEMs.exe, Detection: malicious
• Filename: Jb4NE4iWz5.exe, Detection: malicious
• Filename: mmcrkHjIb3.exe, Detection: malicious
• Filename: fkGmyP7ryc.exe, Detection: malicious
• Filename: product supplies 10589TW.exe, Detection: malicious
• Filename: IMG_13791.pdf.exe, Detection: malicious
Reputation: moderate, very likely benign file
                                                      Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....Z.Z..............0..T...........r... ........@.. ....................................`.................................4r..O....................b..h>...........p............................................... ............... ..H............text....R... ...T.................. ..`.rsrc................V..............@..@.reloc...............`..............@..B................hr......H........"..|J..........lm.......o......................................2~.....o....*.r...p(....*VrK..p(....s.........*..0..........(....(....o....o....(....o.... .....T(....o....(....o....o ...o!....4(....o....(....o....o ...o".....(....rm..ps#...o....($........(%....o&....ry..p......%.r...p.%.(.....(....('....((.......o)...('........*.*................"..(*...*..{Q...-...}Q.....(+...(....(,....(+...*"..(-...*..(....*..(.....r...p.(/...o0...s....}T...*....0.. .......~S...-.s
C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
Process: C:\Users\user\AppData\Local\Temp\InstallUtil.exe
File Type: data
Category: dropped
Size (bytes): 8
Entropy (8bit): 3.0
Encrypted: false
SSDEEP: 3:I6P:Iq
MD5: 67B9DD027EDDE081BABBBB3F21F38634
SHA1: 8D78824EB573B5241A92587DDA5BE4ABB877C66D
SHA-256: 3A71BB34D6D0B9075ED5F864C16300AF74B34FE99A32A60EC212001830F4F3EC
SHA-512: 6DC3178E91AD6653B0426D950F0E6A2ED52484D61FCC51CD0AF5FBD99EDFA6FFD9E9DE92BA1F4B851440406EBAECFA02CF92CF0F8ADA8ACD17C6C35E363EB6AC
Malicious: true
Reputation: low
                                                      Preview: ...zX..H
C:\Users\user\AppData\Roaming\gfrdeswaq.exe
Process: C:\Users\user\Desktop\PO#4018-308875.pdf.exe
File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 783360
Entropy (8bit): 5.789061235197813
Encrypted: false
SSDEEP: 12288:NAagt50jwcEc6tvHpTkJ23d9ZSn9V9ovGPfiu:N3i08cEc6tvHpAIZSnb+vGXi
MD5: D90049E2AFF303588E499820E0D9078C
SHA1: 1153F298DB7E6AEED9C3A55C907DFA474AE9155F
SHA-256: 761E77BE2BBF6089F04B1901C44548BD4FF5AC873A74B1CA0E0604BB902EFF22
SHA-512: 0AB4D1CCD24FA3174750B69F929C8DC34334F88941F1708E5EDC2FDB7498636AA0C441BB9BB7E54A1EBB246500DDBFDDBDBCCFD4FE1EC7EE16C14229AF1F9E89
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 15%
Reputation: low
                                                      Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...-.D\.....................^........... ........@.. .......................@............`.....................................K.......N[................... ....................................................... ............... ..H............text........ ...................... ..`.rsrc...N[.......\..................@..@.reloc....... ......................@..B.......................H........x...:......C....B...6.............................................V.=y.....N..>..y..:..#..1.[....:.........SD8....F.=...6ix..D.J.....{....-.=..g..Y.........p";......}....M.......^.}.1..BX..t.,.|.>.B..v$j.V..v.o<i]s.(.).1.....-\..~..N!%..;v.@.3...?.6u...c".1.3p.^......F.....r..%.o.....L..F.........@[...`.~.......@o.#..P..5.Y....?..s~x.2V....|...z8.r%I.b.....6.....^r.!!......F....+Au...:uxr.;..x.=...xI..@K....uc.$..P.!AS.e.w.D .I....{...I..q/...6...
C:\Users\user\AppData\Roaming\gfrdeswaq.exe:Zone.Identifier
Process: C:\Users\user\Desktop\PO#4018-308875.pdf.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 26
Entropy (8bit): 3.95006375643621
Encrypted: false
SSDEEP: 3:ggPYV:rPYV
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: true
Reputation: high, very likely benign file
Preview: [ZoneTransfer]....ZoneId=0

                                                      Static File Info

                                                      General

File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 5.789061235197813
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.83%
• Win32 Executable (generic) a (10002005/4) 49.78%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Generic Win/DOS Executable (2004/3) 0.01%
• DOS Executable Generic (2002/1) 0.01%
File name: PO#4018-308875.pdf.exe
File size: 783360
MD5: d90049e2aff303588e499820e0d9078c
SHA1: 1153f298db7e6aeed9c3a55c907dfa474ae9155f
SHA256: 761e77be2bbf6089f04b1901c44548bd4ff5ac873a74b1ca0e0604bb902eff22
SHA512: 0ab4d1ccd24fa3174750b69f929c8dc34334f88941f1708e5edc2fdb7498636aa0c441bb9bb7e54a1ebb246500ddbfddbdbccfd4fe1ec7ee16c14229af1f9e89
SSDEEP: 12288:NAagt50jwcEc6tvHpTkJ23d9ZSn9V9ovGPfiu:N3i08cEc6tvHpAIZSnb+vGXi
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...-.D\.....................^........... ........@.. .......................@............`................................

                                                      File Icon

Icon Hash: b2718f33292b177e

                                                      Static PE Info

                                                      General

Entrypoint: 0x4ab2fe
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Time Stamp: 0x5C44F42D [Sun Jan 20 22:20:29 2019 UTC]
TLS Callbacks:
CLR (.Net) Version: v4.0.30319
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744

                                                      Entrypoint Preview

                                                      Instruction
                                                      jmp dword ptr [00402000h]
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al

                                                      Data Directories

Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0xab2b0          0x4b          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0xac000          0x15b4e       .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0xc2000          0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

                                                      Sections

Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy          Characteristics
.text   0x2000           0xa9304       0xa9400   False     0.526561923006   data       5.51757303939    IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc   0xac000          0x15b4e       0x15c00   False     0.631824712644   data       7.26106977005    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0xc2000          0xc           0x200     False     0.041015625      data       0.0815394123432  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                      Resources

Name           RVA      Size     Type                                                                                                                              Language  Country
RT_ICON        0xac370  0x2e8    data
RT_ICON        0xac658  0x128    GLS_BINARY_LSB_FIRST
RT_ICON        0xac780  0xea8    data
RT_ICON        0xad628  0x8a8    data
RT_ICON        0xaded0  0x568    GLS_BINARY_LSB_FIRST
RT_ICON        0xae438  0x889f   PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
RT_ICON        0xb6cd8  0x4228   dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 224, next used block 117440512
RT_ICON        0xbaf00  0x25a8   data
RT_ICON        0xbd4a8  0x1a68   data
RT_ICON        0xbef10  0x10a8   data
RT_ICON        0xbffb8  0x988    data
RT_ICON        0xc0940  0x6b8    data
RT_ICON        0xc0ff8  0x468    GLS_BINARY_LSB_FIRST
RT_GROUP_ICON  0xc1460  0xbc     data
RT_VERSION     0xc151c  0x448    data                                                                                                                              English   United States
RT_MANIFEST    0xc1964  0x1ea    XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

                                                      Imports

DLL          Import
mscoree.dll  _CorExeMain

                                                      Version Infos

Description       Data
LegalCopyright    Copyright 2020 Maxthon Ltd. All rights reserved.
InternalName      mini_installer
CompanyShortName  Maxthon Ltd.
FileVersion       6.1.0.2000
CompanyName       Maxthon Ltd.
ProductShortName  Maxthon Installer
ProductName       Maxthon Installer
LastChange        94abc2237ae0c9a4cb5f035431c8adfb94324633-refs/branch-heads/4183@{#1658}
ProductVersion    6.1.0.2000
FileDescription   Maxthon Installer
Official Build    1
Translation       0x0409 0x04b0

                                                      Possible Origin

Language of compilation system  Country where language is spoken
English                         United States

                                                      Network Behavior

                                                      Network Port Distribution

                                                      TCP Packets

Timestamp                          Source Port  Dest Port  Source IP      Dest IP
Jan 20, 2021 07:31:39.854502916 CET  49729        20911      192.168.2.5    185.162.88.26
Jan 20, 2021 07:31:39.905483007 CET  20911        49729      185.162.88.26  192.168.2.5
Jan 20, 2021 07:31:40.408859015 CET  49729        20911      192.168.2.5    185.162.88.26
Jan 20, 2021 07:31:40.459676027 CET  20911        49729      185.162.88.26  192.168.2.5
Jan 20, 2021 07:31:40.971297979 CET  49729        20911      192.168.2.5    185.162.88.26
Jan 20, 2021 07:31:41.021905899 CET  20911        49729      185.162.88.26  192.168.2.5
Jan 20, 2021 07:31:45.101613045 CET  49730        20911      192.168.2.5    185.162.88.26
Jan 20, 2021 07:31:45.152352095 CET  20911        49730      185.162.88.26  192.168.2.5
Jan 20, 2021 07:31:45.659298897 CET  49730        20911      192.168.2.5    185.162.88.26
Jan 20, 2021 07:31:45.709918976 CET  20911        49730      185.162.88.26  192.168.2.5
Jan 20, 2021 07:31:46.221895933 CET  49730        20911      192.168.2.5    185.162.88.26
Jan 20, 2021 07:31:46.272509098 CET  20911        49730      185.162.88.26  192.168.2.5
Jan 20, 2021 07:31:50.286111116 CET  49731        20911      192.168.2.5    185.162.88.26
Jan 20, 2021 07:31:50.336662054 CET  20911        49731      185.162.88.26  192.168.2.5
Jan 20, 2021 07:31:50.847104073 CET  49731        20911      192.168.2.5    185.162.88.26
Jan 20, 2021 07:31:50.897509098 CET  20911        49731      185.162.88.26  192.168.2.5
Jan 20, 2021 07:31:51.409755945 CET  49731        20911      192.168.2.5    185.162.88.26
Jan 20, 2021 07:31:51.460391998 CET  20911        49731      185.162.88.26  192.168.2.5
Jan 20, 2021 07:31:55.742108107 CET  49732        20911      192.168.2.5    185.162.88.26
Jan 20, 2021 07:31:55.792807102 CET  20911        49732      185.162.88.26  192.168.2.5
Jan 20, 2021 07:31:56.300697088 CET  49732        20911      192.168.2.5    185.162.88.26
Jan 20, 2021 07:31:56.351223946 CET  20911        49732      185.162.88.26  192.168.2.5
Jan 20, 2021 07:31:56.863302946 CET  49732        20911      192.168.2.5    185.162.88.26
Jan 20, 2021 07:31:56.914103985 CET  20911        49732      185.162.88.26  192.168.2.5
Jan 20, 2021 07:32:00.993782043 CET  49733        20911      192.168.2.5    185.162.88.26
Jan 20, 2021 07:32:01.044477940 CET  20911        49733      185.162.88.26  192.168.2.5
Jan 20, 2021 07:32:01.551114082 CET  49733        20911      192.168.2.5    185.162.88.26
Jan 20, 2021 07:32:01.601830006 CET  20911        49733      185.162.88.26  192.168.2.5
Jan 20, 2021 07:32:02.113833904 CET  49733        20911      192.168.2.5    185.162.88.26
Jan 20, 2021 07:32:02.164552927 CET  20911        49733      185.162.88.26  192.168.2.5
Jan 20, 2021 07:32:06.242758989 CET  49734        20911      192.168.2.5    185.162.88.26
Jan 20, 2021 07:32:06.293401957 CET  20911        49734      185.162.88.26  192.168.2.5
Jan 20, 2021 07:32:06.801650047 CET  49734        20911      192.168.2.5    185.162.88.26
Jan 20, 2021 07:32:06.852528095 CET  20911        49734      185.162.88.26  192.168.2.5
Jan 20, 2021 07:32:07.364125967 CET  49734        20911      192.168.2.5    185.162.88.26
Jan 20, 2021 07:32:07.414671898 CET  20911        49734      185.162.88.26  192.168.2.5
Jan 20, 2021 07:32:11.428158998 CET  49735        20911      192.168.2.5    185.162.88.26
Jan 20, 2021 07:32:11.478652000 CET  20911        49735      185.162.88.26  192.168.2.5
Jan 20, 2021 07:32:11.989595890 CET  49735        20911      192.168.2.5    185.162.88.26
Jan 20, 2021 07:32:12.040324926 CET  20911        49735      185.162.88.26  192.168.2.5
Jan 20, 2021 07:32:12.552088976 CET  49735        20911      192.168.2.5    185.162.88.26
Jan 20, 2021 07:32:12.602437019 CET  20911        49735      185.162.88.26  192.168.2.5
Jan 20, 2021 07:32:16.616096973 CET  49736        20911      192.168.2.5    185.162.88.26
Jan 20, 2021 07:32:16.666659117 CET  20911        49736      185.162.88.26  192.168.2.5
Jan 20, 2021 07:32:17.177428007 CET  49736        20911      192.168.2.5    185.162.88.26
Jan 20, 2021 07:32:17.228347063 CET  20911        49736      185.162.88.26  192.168.2.5
Jan 20, 2021 07:32:17.740000010 CET  49736        20911      192.168.2.5    185.162.88.26
Jan 20, 2021 07:32:17.790555000 CET  20911        49736      185.162.88.26  192.168.2.5
Jan 20, 2021 07:32:21.806370974 CET  49737        20911      192.168.2.5    185.162.88.26
Jan 20, 2021 07:32:21.857095957 CET  20911        49737      185.162.88.26  192.168.2.5
Jan 20, 2021 07:32:22.365370035 CET  49737        20911      192.168.2.5    185.162.88.26
Jan 20, 2021 07:32:22.416100025 CET  20911        49737      185.162.88.26  192.168.2.5
Jan 20, 2021 07:32:22.927898884 CET  49737        20911      192.168.2.5    185.162.88.26
Jan 20, 2021 07:32:22.978466034 CET  20911        49737      185.162.88.26  192.168.2.5
Jan 20, 2021 07:32:27.107625961 CET  49738        20911      192.168.2.5    185.162.88.26
Jan 20, 2021 07:32:27.158226967 CET  20911        49738      185.162.88.26  192.168.2.5
Jan 20, 2021 07:32:27.662640095 CET  49738        20911      192.168.2.5    185.162.88.26
Jan 20, 2021 07:32:27.713306904 CET  20911        49738      185.162.88.26  192.168.2.5
Jan 20, 2021 07:32:28.225193977 CET  49738        20911      192.168.2.5    185.162.88.26
                                                      Jan 20, 2021 07:32:28.275882006 CET2091149738185.162.88.26192.168.2.5
                                                      Jan 20, 2021 07:32:32.402971983 CET4973920911192.168.2.5185.162.88.26
                                                      Jan 20, 2021 07:32:32.453649998 CET2091149739185.162.88.26192.168.2.5
                                                      Jan 20, 2021 07:32:32.961524963 CET4973920911192.168.2.5185.162.88.26
                                                      Jan 20, 2021 07:32:33.012324095 CET2091149739185.162.88.26192.168.2.5
                                                      Jan 20, 2021 07:32:33.522510052 CET4973920911192.168.2.5185.162.88.26
                                                      Jan 20, 2021 07:32:33.573262930 CET2091149739185.162.88.26192.168.2.5
                                                      Jan 20, 2021 07:32:37.712385893 CET4974020911192.168.2.5185.162.88.26
                                                      Jan 20, 2021 07:32:37.763009071 CET2091149740185.162.88.26192.168.2.5
                                                      Jan 20, 2021 07:32:38.302246094 CET4974020911192.168.2.5185.162.88.26
                                                      Jan 20, 2021 07:32:38.352889061 CET2091149740185.162.88.26192.168.2.5
                                                      Jan 20, 2021 07:32:38.992669106 CET4974020911192.168.2.5185.162.88.26
                                                      Jan 20, 2021 07:32:39.043415070 CET2091149740185.162.88.26192.168.2.5
                                                      Jan 20, 2021 07:32:43.051678896 CET4974620911192.168.2.5185.162.88.26
                                                      Jan 20, 2021 07:32:43.102233887 CET2091149746185.162.88.26192.168.2.5
                                                      Jan 20, 2021 07:32:43.608247995 CET4974620911192.168.2.5185.162.88.26
                                                      Jan 20, 2021 07:32:43.658893108 CET2091149746185.162.88.26192.168.2.5
                                                      Jan 20, 2021 07:32:44.170759916 CET4974620911192.168.2.5185.162.88.26
                                                      Jan 20, 2021 07:32:44.221250057 CET2091149746185.162.88.26192.168.2.5
                                                      Jan 20, 2021 07:32:48.235095024 CET4975220911192.168.2.5185.162.88.26
                                                      Jan 20, 2021 07:32:48.285700083 CET2091149752185.162.88.26192.168.2.5
                                                      Jan 20, 2021 07:32:48.796133995 CET4975220911192.168.2.5185.162.88.26
                                                      Jan 20, 2021 07:32:48.846766949 CET2091149752185.162.88.26192.168.2.5
                                                      Jan 20, 2021 07:32:49.358694077 CET4975220911192.168.2.5185.162.88.26
                                                      Jan 20, 2021 07:32:49.409111977 CET2091149752185.162.88.26192.168.2.5
                                                      Jan 20, 2021 07:32:53.422578096 CET4975320911192.168.2.5185.162.88.26
                                                      Jan 20, 2021 07:32:53.473304987 CET2091149753185.162.88.26192.168.2.5
                                                      Jan 20, 2021 07:32:53.984086990 CET4975320911192.168.2.5185.162.88.26
                                                      Jan 20, 2021 07:32:54.034677029 CET2091149753185.162.88.26192.168.2.5
                                                      Jan 20, 2021 07:32:54.546641111 CET4975320911192.168.2.5185.162.88.26
                                                      Jan 20, 2021 07:32:54.597167969 CET2091149753185.162.88.26192.168.2.5
                                                      Jan 20, 2021 07:32:58.883698940 CET4975420911192.168.2.5185.162.88.26
                                                      Jan 20, 2021 07:32:58.934469938 CET2091149754185.162.88.26192.168.2.5
                                                      Jan 20, 2021 07:32:59.437683105 CET4975420911192.168.2.5185.162.88.26
                                                      Jan 20, 2021 07:32:59.488444090 CET2091149754185.162.88.26192.168.2.5
                                                      Jan 20, 2021 07:33:00.000999928 CET4975420911192.168.2.5185.162.88.26
                                                      Jan 20, 2021 07:33:00.051909924 CET2091149754185.162.88.26192.168.2.5
                                                      Jan 20, 2021 07:33:04.554666996 CET4975520911192.168.2.5185.162.88.26
                                                      Jan 20, 2021 07:33:04.605324984 CET2091149755185.162.88.26192.168.2.5
                                                      Jan 20, 2021 07:33:05.110050917 CET4975520911192.168.2.5185.162.88.26
                                                      Jan 20, 2021 07:33:05.160808086 CET2091149755185.162.88.26192.168.2.5
                                                      Jan 20, 2021 07:33:05.689454079 CET4975520911192.168.2.5185.162.88.26
                                                      Jan 20, 2021 07:33:05.740303040 CET2091149755185.162.88.26192.168.2.5
                                                      Jan 20, 2021 07:33:10.017544031 CET4975620911192.168.2.5185.162.88.26
                                                      Jan 20, 2021 07:33:10.069735050 CET2091149756185.162.88.26192.168.2.5
                                                      Jan 20, 2021 07:33:10.579200983 CET4975620911192.168.2.5185.162.88.26
                                                      Jan 20, 2021 07:33:10.629745960 CET2091149756185.162.88.26192.168.2.5
                                                      Jan 20, 2021 07:33:11.142257929 CET4975620911192.168.2.5185.162.88.26

UDP Packets

Timestamp                             Source Port   Dest Port   Source IP     Dest IP
Jan 20, 2021 07:30:00.328669071 CET   59596         53          192.168.2.5   8.8.8.8
Jan 20, 2021 07:30:00.387139082 CET   53            59596       8.8.8.8       192.168.2.5
Jan 20, 2021 07:30:01.378868103 CET   65296         53          192.168.2.5   8.8.8.8
Jan 20, 2021 07:30:01.429608107 CET   53            65296       8.8.8.8       192.168.2.5
Jan 20, 2021 07:30:02.159115076 CET   63183         53          192.168.2.5   8.8.8.8
Jan 20, 2021 07:30:02.207123995 CET   53            63183       8.8.8.8       192.168.2.5
Jan 20, 2021 07:30:03.067598104 CET   60151         53          192.168.2.5   8.8.8.8
Jan 20, 2021 07:30:03.115561008 CET   53            60151       8.8.8.8       192.168.2.5
Jan 20, 2021 07:30:15.570496082 CET   56969         53          192.168.2.5   8.8.8.8
Jan 20, 2021 07:30:15.618387938 CET   53            56969       8.8.8.8       192.168.2.5
Jan 20, 2021 07:30:16.518938065 CET   55161         53          192.168.2.5   8.8.8.8
Jan 20, 2021 07:30:16.577927113 CET   53            55161       8.8.8.8       192.168.2.5
Jan 20, 2021 07:30:30.826376915 CET   54757         53          192.168.2.5   8.8.8.8
Jan 20, 2021 07:30:30.875653028 CET   53            54757       8.8.8.8       192.168.2.5
Jan 20, 2021 07:30:36.568918943 CET   49992         53          192.168.2.5   8.8.8.8
Jan 20, 2021 07:30:36.629512072 CET   53            49992       8.8.8.8       192.168.2.5
Jan 20, 2021 07:30:49.575465918 CET   60075         53          192.168.2.5   8.8.8.8
Jan 20, 2021 07:30:49.626271963 CET   53            60075       8.8.8.8       192.168.2.5
Jan 20, 2021 07:30:50.580446005 CET   55016         53          192.168.2.5   8.8.8.8
Jan 20, 2021 07:30:50.644397020 CET   53            55016       8.8.8.8       192.168.2.5
Jan 20, 2021 07:30:53.665081978 CET   64345         53          192.168.2.5   8.8.8.8
Jan 20, 2021 07:30:53.721483946 CET   53            64345       8.8.8.8       192.168.2.5
Jan 20, 2021 07:31:27.587776899 CET   57128         53          192.168.2.5   8.8.8.8
Jan 20, 2021 07:31:27.635565996 CET   53            57128       8.8.8.8       192.168.2.5
Jan 20, 2021 07:31:55.679936886 CET   54791         53          192.168.2.5   8.8.8.8
Jan 20, 2021 07:31:55.738428116 CET   53            54791       8.8.8.8       192.168.2.5
Jan 20, 2021 07:32:00.930579901 CET   50463         53          192.168.2.5   8.8.8.8
Jan 20, 2021 07:32:00.991537094 CET   53            50463       8.8.8.8       192.168.2.5
Jan 20, 2021 07:32:06.184623957 CET   50394         53          192.168.2.5   8.8.8.8
Jan 20, 2021 07:32:06.241209984 CET   53            50394       8.8.8.8       192.168.2.5
Jan 20, 2021 07:32:27.046736956 CET   58530         53          192.168.2.5   8.8.8.8
Jan 20, 2021 07:32:27.105943918 CET   53            58530       8.8.8.8       192.168.2.5
Jan 20, 2021 07:32:32.341784000 CET   53813         53          192.168.2.5   8.8.8.8
Jan 20, 2021 07:32:32.401135921 CET   53            53813       8.8.8.8       192.168.2.5
Jan 20, 2021 07:32:37.644326925 CET   63732         53          192.168.2.5   8.8.8.8
Jan 20, 2021 07:32:37.700372934 CET   53            63732       8.8.8.8       192.168.2.5
Jan 20, 2021 07:32:39.441392899 CET   57344         53          192.168.2.5   8.8.8.8
Jan 20, 2021 07:32:39.492288113 CET   53            57344       8.8.8.8       192.168.2.5
Jan 20, 2021 07:32:40.285835981 CET   54450         53          192.168.2.5   8.8.8.8
Jan 20, 2021 07:32:40.342093945 CET   53            54450       8.8.8.8       192.168.2.5
Jan 20, 2021 07:32:41.056921959 CET   59261         53          192.168.2.5   8.8.8.8
Jan 20, 2021 07:32:41.115889072 CET   53            59261       8.8.8.8       192.168.2.5
Jan 20, 2021 07:32:41.594192982 CET   57151         53          192.168.2.5   8.8.8.8
Jan 20, 2021 07:32:41.650599957 CET   53            57151       8.8.8.8       192.168.2.5
Jan 20, 2021 07:32:42.263398886 CET   59413         53          192.168.2.5   8.8.8.8
Jan 20, 2021 07:32:42.319693089 CET   53            59413       8.8.8.8       192.168.2.5
Jan 20, 2021 07:32:43.092466116 CET   60516         53          192.168.2.5   8.8.8.8
Jan 20, 2021 07:32:43.140361071 CET   53            60516       8.8.8.8       192.168.2.5
Jan 20, 2021 07:32:43.907529116 CET   51649         53          192.168.2.5   8.8.8.8
Jan 20, 2021 07:32:43.963603973 CET   53            51649       8.8.8.8       192.168.2.5
Jan 20, 2021 07:32:45.203284025 CET   65086         53          192.168.2.5   8.8.8.8
Jan 20, 2021 07:32:45.251498938 CET   53            65086       8.8.8.8       192.168.2.5
Jan 20, 2021 07:32:46.543776035 CET   56432         53          192.168.2.5   8.8.8.8
Jan 20, 2021 07:32:46.591660976 CET   53            56432       8.8.8.8       192.168.2.5
Jan 20, 2021 07:32:48.046406984 CET   52929         53          192.168.2.5   8.8.8.8
Jan 20, 2021 07:32:48.094095945 CET   53            52929       8.8.8.8       192.168.2.5
Jan 20, 2021 07:32:58.664227962 CET   64317         53          192.168.2.5   8.8.8.8
Jan 20, 2021 07:32:58.720607042 CET   53            64317       8.8.8.8       192.168.2.5
Jan 20, 2021 07:33:04.489262104 CET   61004         53          192.168.2.5   8.8.8.8
Jan 20, 2021 07:33:04.547322035 CET   53            61004       8.8.8.8       192.168.2.5
Jan 20, 2021 07:33:09.955523014 CET   56895         53          192.168.2.5   8.8.8.8
Jan 20, 2021 07:33:10.016967058 CET   53            56895       8.8.8.8       192.168.2.5

DNS Queries

Timestamp                             Source IP     Dest IP   Trans ID   OP Code              Name                 Type             Class
Jan 20, 2021 07:31:55.679936886 CET   192.168.2.5   8.8.8.8   0xe915     Standard query (0)   fenixalec.ddns.net   A (IP address)   IN (0x0001)
Jan 20, 2021 07:32:00.930579901 CET   192.168.2.5   8.8.8.8   0x85be     Standard query (0)   fenixalec.ddns.net   A (IP address)   IN (0x0001)
Jan 20, 2021 07:32:06.184623957 CET   192.168.2.5   8.8.8.8   0xc998     Standard query (0)   fenixalec.ddns.net   A (IP address)   IN (0x0001)
Jan 20, 2021 07:32:27.046736956 CET   192.168.2.5   8.8.8.8   0xcce3     Standard query (0)   fenixalec.ddns.net   A (IP address)   IN (0x0001)
Jan 20, 2021 07:32:32.341784000 CET   192.168.2.5   8.8.8.8   0xa8b6     Standard query (0)   fenixalec.ddns.net   A (IP address)   IN (0x0001)
Jan 20, 2021 07:32:37.644326925 CET   192.168.2.5   8.8.8.8   0xa38c     Standard query (0)   fenixalec.ddns.net   A (IP address)   IN (0x0001)
Jan 20, 2021 07:32:58.664227962 CET   192.168.2.5   8.8.8.8   0x60c2     Standard query (0)   fenixalec.ddns.net   A (IP address)   IN (0x0001)
Jan 20, 2021 07:33:04.489262104 CET   192.168.2.5   8.8.8.8   0x1fd9     Standard query (0)   fenixalec.ddns.net   A (IP address)   IN (0x0001)
Jan 20, 2021 07:33:09.955523014 CET   192.168.2.5   8.8.8.8   0x96aa     Standard query (0)   fenixalec.ddns.net   A (IP address)   IN (0x0001)

DNS Answers

Timestamp                             Source IP   Dest IP       Trans ID   Reply Code     Name                 CName   Address         Type             Class
Jan 20, 2021 07:31:55.738428116 CET   8.8.8.8     192.168.2.5   0xe915     No error (0)   fenixalec.ddns.net   -       185.162.88.26   A (IP address)   IN (0x0001)
Jan 20, 2021 07:32:00.991537094 CET   8.8.8.8     192.168.2.5   0x85be     No error (0)   fenixalec.ddns.net   -       185.162.88.26   A (IP address)   IN (0x0001)
Jan 20, 2021 07:32:06.241209984 CET   8.8.8.8     192.168.2.5   0xc998     No error (0)   fenixalec.ddns.net   -       185.162.88.26   A (IP address)   IN (0x0001)
Jan 20, 2021 07:32:27.105943918 CET   8.8.8.8     192.168.2.5   0xcce3     No error (0)   fenixalec.ddns.net   -       185.162.88.26   A (IP address)   IN (0x0001)
Jan 20, 2021 07:32:32.401135921 CET   8.8.8.8     192.168.2.5   0xa8b6     No error (0)   fenixalec.ddns.net   -       185.162.88.26   A (IP address)   IN (0x0001)
Jan 20, 2021 07:32:37.700372934 CET   8.8.8.8     192.168.2.5   0xa38c     No error (0)   fenixalec.ddns.net   -       185.162.88.26   A (IP address)   IN (0x0001)
Jan 20, 2021 07:32:58.720607042 CET   8.8.8.8     192.168.2.5   0x60c2     No error (0)   fenixalec.ddns.net   -       185.162.88.26   A (IP address)   IN (0x0001)
Jan 20, 2021 07:33:04.547322035 CET   8.8.8.8     192.168.2.5   0x1fd9     No error (0)   fenixalec.ddns.net   -       185.162.88.26   A (IP address)   IN (0x0001)
Jan 20, 2021 07:33:10.016967058 CET   8.8.8.8     192.168.2.5   0x96aa     No error (0)   fenixalec.ddns.net   -       185.162.88.26   A (IP address)   IN (0x0001)

                                                      Code Manipulations

                                                      Statistics

                                                      CPU Usage

                                                      Memory Usage

                                                      High Level Behavior Distribution

                                                      Behavior

System Behavior

General

Start time: 07:30:05
Start date: 20/01/2021
Path: C:\Users\user\Desktop\PO#4018-308875.pdf.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\PO#4018-308875.pdf.exe'
Imagebase: 0x9d0000
File size: 783360 bytes
MD5 hash: D90049E2AFF303588E499820E0D9078C
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.337437485.0000000004734000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.337437485.0000000004734000.00000004.00000001.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 00000000.00000002.337437485.0000000004734000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation: low

General

Start time: 07:30:09
Start date: 20/01/2021
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: 'cmd.exe' /c REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'olkkmmxxzaa' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\gfrdeswaq.exe'
Imagebase: 0x150000
File size: 232960 bytes
MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 07:30:10
Start date: 20/01/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7ecfc0000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 07:30:10
Start date: 20/01/2021
Path: C:\Windows\SysWOW64\reg.exe
Wow64 process (32bit): true
Commandline: REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'olkkmmxxzaa' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\gfrdeswaq.exe'
Imagebase: 0x1320000
File size: 59392 bytes
MD5 hash: CEE2A7E57DF2A159A065A34913A055C2
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 07:30:55
Start date: 20/01/2021
Path: C:\Users\user\AppData\Roaming\gfrdeswaq.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\AppData\Roaming\gfrdeswaq.exe'
Imagebase: 0xe50000
File size: 783360 bytes
MD5 hash: D90049E2AFF303588E499820E0D9078C
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000014.00000002.627989417.0000000004C62000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000014.00000002.627989417.0000000004C62000.00000004.00000001.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 00000014.00000002.627989417.0000000004C62000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000014.00000002.627812499.0000000004BCF000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000014.00000002.627812499.0000000004BCF000.00000004.00000001.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 00000014.00000002.627812499.0000000004BCF000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Antivirus matches:
• Detection: 15%, ReversingLabs
Reputation: low

General

Start time: 07:31:33
Start date: 20/01/2021
Path: C:\Users\user\AppData\Local\Temp\InstallUtil.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\AppData\Local\Temp\InstallUtil.exe
Imagebase: 0x500000
File size: 41064 bytes
MD5 hash: EFEC8C379D165E3F33B536739AEE26A3
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000019.00000002.618309984.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000019.00000002.618309984.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 00000019.00000002.618309984.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000019.00000002.628566138.0000000005010000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000019.00000002.628566138.0000000005010000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000019.00000002.621682158.0000000002971000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000019.00000002.628917829.0000000005220000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000019.00000002.628917829.0000000005220000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000019.00000002.628917829.0000000005220000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000019.00000002.625511486.00000000039B9000.00000004.00000001.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 00000019.00000002.625511486.00000000039B9000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Antivirus matches:
• Detection: 0%, Metadefender
• Detection: 0%, ReversingLabs
Reputation: moderate

                                                      Disassembly

                                                      Code Analysis

                                                        Executed Functions

                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.341699107.0000000005500000.00000040.00000001.sdmp, Offset: 05500000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID: ($<$ntin$ntin
                                                        • API String ID: 0-2884023141
                                                        • Opcode ID: 52753ebd1cc432bf5902c00b1fa6d6c21f9e10d31ab6a93472ba581a2480f81a
                                                        • Instruction ID: a647db94d129cde0d7caf18e72aabead64033390443388663f881ede7b6223c1
                                                        • Opcode Fuzzy Hash: 52753ebd1cc432bf5902c00b1fa6d6c21f9e10d31ab6a93472ba581a2480f81a
                                                        • Instruction Fuzzy Hash: 59A2E474E042198FDB14CFA9C985BDDFBF2BF89304F649099D508AB295DB30A981CF60
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.341699107.0000000005500000.00000040.00000001.sdmp, Offset: 05500000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID: <$ntin$ntin
                                                        • API String ID: 0-1029651476
                                                        • Opcode ID: 220cd86804a204ef3c9c78f37d2e0e1a4858e8d1379ec503eac29c110637e7be
                                                        • Instruction ID: d92e6cca2d000fe7300d87c22dab27dc18264f13e3dd01edceb00b473bc16b7e
                                                        • Opcode Fuzzy Hash: 220cd86804a204ef3c9c78f37d2e0e1a4858e8d1379ec503eac29c110637e7be
                                                        • Instruction Fuzzy Hash: 6FE1B5B5E046198FDB18CFAAC985BDEBBF2BF89300F14C0A9D508AB265DB345941CF51
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.341699107.0000000005500000.00000040.00000001.sdmp, Offset: 05500000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID: 3!ul^$C!ul^
                                                        • API String ID: 0-2256062107
                                                        • Opcode ID: 13d8b2e1718ee2a692ae9c0f35ef8a7e6f5cac38d05d1582914c244e87d35352
                                                        • Instruction ID: 906a671aaae3fb705e197d997a0f04e356cabe4e96b16497280d8348324d926a
                                                        • Opcode Fuzzy Hash: 13d8b2e1718ee2a692ae9c0f35ef8a7e6f5cac38d05d1582914c244e87d35352
                                                        • Instruction Fuzzy Hash: 1222F774E01228CFDB64EF75D9497ACBBB2BF49301F1094A9E40AA7394DB349A85CF50
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.332942601.00000000013B0000.00000040.00000001.sdmp, Offset: 013B0000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 06334d41884cf5dab6d97ea7907229f333b123f09724924f5bc582b30e244ffe
                                                        • Instruction ID: 5b8880fa49ebff0cd8904a564c14ade0e1e89af3fcf9d6f1752429417c494fc1
                                                        • Opcode Fuzzy Hash: 06334d41884cf5dab6d97ea7907229f333b123f09724924f5bc582b30e244ffe
                                                        • Instruction Fuzzy Hash: B182AFB4A00209DFCB15CF68C484AEEBBB6FF48318F15855AE605DB7A2E730E955CB50
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.332942601.00000000013B0000.00000040.00000001.sdmp, Offset: 013B0000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 9312a7dd210f9179beb0ac6b652eae103e8bd3a75c99cafa7dbe84f24a4aa566
                                                        • Instruction ID: 8996b02b176f4c02064afe9ae5091908222af3a9f6d8ed5009c54ddb1093cd80
                                                        • Opcode Fuzzy Hash: 9312a7dd210f9179beb0ac6b652eae103e8bd3a75c99cafa7dbe84f24a4aa566
                                                        • Instruction Fuzzy Hash: B362CF74E00219CFDB64CFA9CA80A9DFBF2BF49345F15C1A9D608AB615EB309981CF51
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.332942601.00000000013B0000.00000040.00000001.sdmp, Offset: 013B0000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 959be799ecc691302822968256bd05817f43b187a84e214d372842cf6426fd32
                                                        • Instruction ID: 02f0ce3523f9d28af3649d2619521f26dd6920c7e068e43c8464008066444d62
                                                        • Opcode Fuzzy Hash: 959be799ecc691302822968256bd05817f43b187a84e214d372842cf6426fd32
                                                        • Instruction Fuzzy Hash: CE42B378E11219CFDB24CFA9D984B9DBBB2BF48314F1481A9E909A7355DB30AD81CF50
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.332942601.00000000013B0000.00000040.00000001.sdmp, Offset: 013B0000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 7346c98f476cfce9c3a240926d2952a7fe8cb79d5dd74d03d806b58ff8893525
                                                        • Instruction ID: 98cdaf1f01ab8fe0c1e64a3d9b10ddd8a81740681810107df7daf235ba950d98
                                                        • Opcode Fuzzy Hash: 7346c98f476cfce9c3a240926d2952a7fe8cb79d5dd74d03d806b58ff8893525
                                                        • Instruction Fuzzy Hash: F832F470900219CFDB60DF69CA80A8DFBB2BF49759F65D1A9C508AB611DB30DD81CFA1
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.332942601.00000000013B0000.00000040.00000001.sdmp, Offset: 013B0000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 976832a562db92de61c96ca8f7ec66d3f38f203177ab50567b1d011c3c2b889e
                                                        • Instruction ID: af3a582c3daeea861c9788ed87920716fe0cc227ee1251db34c3e73809252914
                                                        • Opcode Fuzzy Hash: 976832a562db92de61c96ca8f7ec66d3f38f203177ab50567b1d011c3c2b889e
                                                        • Instruction Fuzzy Hash: 33129270B002599FDB14DF68C894BAEBBB6BF88308F148129E506DB795EF30D941CB90
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.332942601.00000000013B0000.00000040.00000001.sdmp, Offset: 013B0000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 33322731457fc486056d5d333e3d0662fbd5cd6f9b91ccd42c88ea5eb34ca691
                                                        • Instruction ID: 1613b12742b611c5e24dee5270296845ecb3e2996bf69ecebb1f8c52e0ef6797
                                                        • Opcode Fuzzy Hash: 33322731457fc486056d5d333e3d0662fbd5cd6f9b91ccd42c88ea5eb34ca691
                                                        • Instruction Fuzzy Hash: FE025D70A04209DFDB15CFA9D9C4AEDBBB6FF88308F158469E605AB661EB30D845CB50
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.341699107.0000000005500000.00000040.00000001.sdmp, Offset: 05500000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 018b6db2a44408ed1589a76830544ace6cbe37841d9f6ca3bbf805aa3487d6bf
                                                        • Instruction ID: 3e9ef20aa01abaacc7c46e15705c4819b78bbc8077a3ca91a8dd1588a135dd4f
                                                        • Opcode Fuzzy Hash: 018b6db2a44408ed1589a76830544ace6cbe37841d9f6ca3bbf805aa3487d6bf
                                                        • Instruction Fuzzy Hash: 0ED1CF78E05228CFDB24DFA5D988B9DBBF2BF49301F10956AD809A7384DB745A85CF40
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.341699107.0000000005500000.00000040.00000001.sdmp, Offset: 05500000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: a028efc3a20a2653d308e0dca7d9f175c76043d58d0a2f65a3211a54de324972
                                                        • Instruction ID: 96e5f0ba157a0482f92d41b058fea21fc83ff797bd93fd2940e4c702f0b38169
                                                        • Opcode Fuzzy Hash: a028efc3a20a2653d308e0dca7d9f175c76043d58d0a2f65a3211a54de324972
                                                        • Instruction Fuzzy Hash: 8DD1D478E04218CFDB54DFA9D988B9DBBB2FF88304F1085AAD509A7394DB305A85CF51
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.341699107.0000000005500000.00000040.00000001.sdmp, Offset: 05500000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 26bfe5c4963f9ce07cf45f67455563d58637c5b696901b488063ffdcb34d3334
                                                        • Instruction ID: 9f157eff71d27b21bd409f90281438f0857c65326fd73a72e4b08431c62f4255
                                                        • Opcode Fuzzy Hash: 26bfe5c4963f9ce07cf45f67455563d58637c5b696901b488063ffdcb34d3334
                                                        • Instruction Fuzzy Hash: 35D1C078E05228CFDB24DFA5D948B9DBBF2BF49301F1091AAD809A7394DB745A85CF40
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.341699107.0000000005500000.00000040.00000001.sdmp, Offset: 05500000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: e4c59c4a456b79eb167324b60c01b041cfd87a95ea5732e4f0f4981e240fae0c
                                                        • Instruction ID: 76e2f0b6a024ad91e48b26d739c2a66a6e63324477c27146d7995f7f8ff39cc2
                                                        • Opcode Fuzzy Hash: e4c59c4a456b79eb167324b60c01b041cfd87a95ea5732e4f0f4981e240fae0c
                                                        • Instruction Fuzzy Hash: 0BB12970E042089FCB14DFA9C494AEEBBF1FF89314F249529D519AB390DB70A945CF90
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.341699107.0000000005500000.00000040.00000001.sdmp, Offset: 05500000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 76f8e24e58e3d69b76e5f3fa08c00ef18a7209278333ef3e9643375c160965cb
                                                        • Instruction ID: 40580ab56824a0241561bc47dcc74a1efb45741c006af09850de12b0341e32f2
                                                        • Opcode Fuzzy Hash: 76f8e24e58e3d69b76e5f3fa08c00ef18a7209278333ef3e9643375c160965cb
                                                        • Instruction Fuzzy Hash: E6A1E374E04618CFDB54EFA9D94879DBBB2FF88304F1084AAD449AB394DB305A98CF11
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.341699107.0000000005500000.00000040.00000001.sdmp, Offset: 05500000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 9832db7b09661e9a30892ecc5dd5aa3abb9b55abea5fdc0efde33b9dbe49d74a
                                                        • Instruction ID: 3781d240996195b989450aca3f38bdb112a5cbf6ffcba5a3c1e1c79645d4608a
                                                        • Opcode Fuzzy Hash: 9832db7b09661e9a30892ecc5dd5aa3abb9b55abea5fdc0efde33b9dbe49d74a
                                                        • Instruction Fuzzy Hash: 90513274D05218CFCB18CFA4D4987EDBBB2BF49304F24902AE805BB294D7799A86CF50
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.341699107.0000000005500000.00000040.00000001.sdmp, Offset: 05500000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: bf4f65c28573627b6fabe831422694f96380c314cdd792e1cfa460dda25632fd
                                                        • Instruction ID: 3d8f6faf057a97d8c6447ca1b9356104d12e450df61fc80ee2b3692381696b81
                                                        • Opcode Fuzzy Hash: bf4f65c28573627b6fabe831422694f96380c314cdd792e1cfa460dda25632fd
                                                        • Instruction Fuzzy Hash: 1541AAB4D042489FCB10CFA9C984ADEBBF0BF09304F24952AE419BB350D774A949CF94
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.341699107.0000000005500000.00000040.00000001.sdmp, Offset: 05500000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: e8b70ee60fd096e6541023e7878f00f70165c2185d5be6d55013722729b23dd0
                                                        • Instruction ID: 3c62ca6501440057e9bdbfb8bcc1d7671ab349a32f822be1b314bac9ee2a0d02
                                                        • Opcode Fuzzy Hash: e8b70ee60fd096e6541023e7878f00f70165c2185d5be6d55013722729b23dd0
                                                        • Instruction Fuzzy Hash: 0441BBB4D052489FDB10CFA9C984BDEFBF0BB09304F20912AE415BB294DB749949CF54
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.341699107.0000000005500000.00000040.00000001.sdmp, Offset: 05500000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 9363877b190712d8794c9690d785f12e6bed3dea9e972e916c13377abc2bfed1
                                                        • Instruction ID: ef972c292554508ecda233987ed3687af281f5396dfe8409df23f91ce3dcd857
                                                        • Opcode Fuzzy Hash: 9363877b190712d8794c9690d785f12e6bed3dea9e972e916c13377abc2bfed1
                                                        • Instruction Fuzzy Hash: 8C41BCB4D052489FCB10CFA9C584B9EFBF0BB09304F60912AE415BB294DB759949CF98
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.341699107.0000000005500000.00000040.00000001.sdmp, Offset: 05500000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 2524eea3de3aab964552d84272b36d646eb9288b4400e74bb89144b34788b553
                                                        • Instruction ID: 2d7d1466923135c251ec25429ac846404c5f6eb47f098ea07926be5614cc886f
                                                        • Opcode Fuzzy Hash: 2524eea3de3aab964552d84272b36d646eb9288b4400e74bb89144b34788b553
                                                        • Instruction Fuzzy Hash: 3A319EB4D05219DFCB14CFA9D984AEDBBF2BB49310F24E12AE819A7390C3349945CF58
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.341699107.0000000005500000.00000040.00000001.sdmp, Offset: 05500000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 8b033e66a343e107272735997cd24a807efdf5e3f277a7b1c0ef4860ce7b0da3
                                                        • Instruction ID: 2f03a31973e44838374b061ef008240555016e5a8443e458ecded193e8f8b2ce
                                                        • Opcode Fuzzy Hash: 8b033e66a343e107272735997cd24a807efdf5e3f277a7b1c0ef4860ce7b0da3
                                                        • Instruction Fuzzy Hash: AE213975D182199FCB14DFB0D4197EEBBB1BF4A311F00642AD01577690DB380A88CFA4
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.341699107.0000000005500000.00000040.00000001.sdmp, Offset: 05500000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 4deb3c58d6d47788584570820beba680f9f5ad868884dde9198f56d645061c7c
                                                        • Instruction ID: bd93c0317e6abbb33dd0eab44c749989bc8d447516535304780a0bbbf57348c8
                                                        • Opcode Fuzzy Hash: 4deb3c58d6d47788584570820beba680f9f5ad868884dde9198f56d645061c7c
                                                        • Instruction Fuzzy Hash: AE317DB4D05218EFCB14DFA9D584AADBBF2BB49310F24E129E815B7390D7349941CF94
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.341699107.0000000005500000.00000040.00000001.sdmp, Offset: 05500000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 5a7c459f740b222b425174116138ac36c94c3824a38a327d87934d05152f7c11
                                                        • Instruction ID: 3cc147987d150fb956512a2e7a76103b35feb5553b2b2b2a1e911bba92e73d6f
                                                        • Opcode Fuzzy Hash: 5a7c459f740b222b425174116138ac36c94c3824a38a327d87934d05152f7c11
                                                        • Instruction Fuzzy Hash: F921C275D04219DFDB14CFAAC4846EDBBB2FB4A310F24E225E825B7294C7349946CF58
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.341699107.0000000005500000.00000040.00000001.sdmp, Offset: 05500000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: ff6d7654b2baf9cd7f7af3ff497f77528e0128170a388b069bb186891abcbb3d
                                                        • Instruction ID: 59ec3d6587d733e7045b874921b898d93c976b3a31ed70159384768adbe2bf34
                                                        • Opcode Fuzzy Hash: ff6d7654b2baf9cd7f7af3ff497f77528e0128170a388b069bb186891abcbb3d
                                                        • Instruction Fuzzy Hash: D8217D75D04218DFDB14CFAAC4446EDBBB2BB49310F14E12AE825B7294D7349941CF98
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.341699107.0000000005500000.00000040.00000001.sdmp, Offset: 05500000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: eeda7a5d37dd54731d223d80395fa37cfbc91b98abacca7d5fedf7736fd6adeb
                                                        • Instruction ID: fe156edb8d85a15001d82c2f03b14b03038792eba26e1150e1e58cbaceef412b
                                                        • Opcode Fuzzy Hash: eeda7a5d37dd54731d223d80395fa37cfbc91b98abacca7d5fedf7736fd6adeb
                                                        • Instruction Fuzzy Hash: 4601D130C092989FCB11DFA4E9197FEBF70BF06214F2455AAD0A5776D1CB384A45CB84
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • CopyFileExW.KERNEL32(?,?,?,?,?,?), ref: 0550EE19
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.341699107.0000000005500000.00000040.00000001.sdmp, Offset: 05500000, based on PE: false
                                                        Similarity
                                                        • API ID: CopyFile
                                                        • String ID:
                                                        • API String ID: 1304948518-0
                                                        • Opcode ID: 3dc1c3677c8b2c19d75443f8fea09c1b69125d536c9a1dedaa1a1c8179af89f1
                                                        • Instruction ID: 20530f09c6259fdf9dc90ae69cca2960b76ad0f2d2606f417a1fd78820f796f7
                                                        • Opcode Fuzzy Hash: 3dc1c3677c8b2c19d75443f8fea09c1b69125d536c9a1dedaa1a1c8179af89f1
                                                        • Instruction Fuzzy Hash: 8BC1F174E04218CFDB24CFA9C981B9EBBB1BF49304F2495A9E419B7391DB34A985CF44
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • CopyFileExW.KERNEL32(?,?,?,?,?,?), ref: 0550EE19
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.341699107.0000000005500000.00000040.00000001.sdmp, Offset: 05500000, based on PE: false
                                                        Similarity
                                                        • API ID: CopyFile
                                                        • String ID:
                                                        • API String ID: 1304948518-0
                                                        • Opcode ID: 6c5b0742fbe6eb9c8883cd63c3b0a1d9d9e82aae1eec217fbce19a18912b6609
                                                        • Instruction ID: 1e830ff80bbc99b9d83ef79b9b5a7040c7c200581b11a31fe18d28c8b1293a46
                                                        • Opcode Fuzzy Hash: 6c5b0742fbe6eb9c8883cd63c3b0a1d9d9e82aae1eec217fbce19a18912b6609
                                                        • Instruction Fuzzy Hash: 67B1F074E04218CFDB24CFA8C982B9EBBB2BF49304F2495A9E419B7391D7349985CF44
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • VirtualProtect.KERNEL32(?,?,?,?), ref: 013BBFD7
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.332942601.00000000013B0000.00000040.00000001.sdmp, Offset: 013B0000, based on PE: false
                                                        Similarity
                                                        • API ID: ProtectVirtual
                                                        • String ID:
                                                        • API String ID: 544645111-0
                                                        • Opcode ID: a22e684005eb3329201f36a6c6f54eb769abb64c1c5f4ea98883b6e594683e54
                                                        • Instruction ID: f23e01e5da918857bdb71ea167c146bf5f27a48838d96ed436ce37ada65051b6
                                                        • Opcode Fuzzy Hash: a22e684005eb3329201f36a6c6f54eb769abb64c1c5f4ea98883b6e594683e54
                                                        • Instruction Fuzzy Hash: 913197B9D042589FCF10CFA9E884ADEFBB0BB49314F14902AE914B7210D739A949CF64
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • VirtualProtect.KERNEL32(?,?,?,?), ref: 05500EE7
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.341699107.0000000005500000.00000040.00000001.sdmp, Offset: 05500000, based on PE: false
                                                        Similarity
                                                        • API ID: ProtectVirtual
                                                        • String ID:
                                                        • API String ID: 544645111-0
                                                        • Opcode ID: 7ee5f584709997efb55216824671f2e2e2c8e7149790c96d195082cf10bf491d
                                                        • Instruction ID: dcdc36a50b4d0fb5cffee31c46217b723947867283cabf7a98775d014a569855
                                                        • Opcode Fuzzy Hash: 7ee5f584709997efb55216824671f2e2e2c8e7149790c96d195082cf10bf491d
                                                        • Instruction Fuzzy Hash: 013197B9D042589FCF10CFA9E884ADEFBF0BB09314F14A02AE814B7250D734AA45CF64
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • VirtualProtect.KERNEL32(?,?,?,?), ref: 013BBFD7
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.332942601.00000000013B0000.00000040.00000001.sdmp, Offset: 013B0000, based on PE: false
                                                        Similarity
                                                        • API ID: ProtectVirtual
                                                        • String ID:
                                                        • API String ID: 544645111-0
                                                        • Opcode ID: 3fb7189dd940786d50d34fbf0e429d4945d58a92332192f647933030f362ed9f
                                                        • Instruction ID: e43b3c789629934b685d4acc1ebc8cee94126b45d4a13bb83772f6b4f38f21fd
                                                        • Opcode Fuzzy Hash: 3fb7189dd940786d50d34fbf0e429d4945d58a92332192f647933030f362ed9f
                                                        • Instruction Fuzzy Hash: C73198B9D042589FCF10CFA9D884ADEFBB0BB09314F14902AE814B7310D735A949CF64
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • VirtualProtect.KERNEL32(?,?,?,?), ref: 05500EE7
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.341699107.0000000005500000.00000040.00000001.sdmp, Offset: 05500000, based on PE: false
                                                        Similarity
                                                        • API ID: ProtectVirtual
                                                        • String ID:
                                                        • API String ID: 544645111-0
                                                        • Opcode ID: faf50ba240de1db7aa49446f2894ac446f1db757a1a4baed15d07d7c81e30c3b
                                                        • Instruction ID: f89df7ccd01439c9b7940c8fbea4d2e9d52b26fd5a80b50601819543b6d822fa
                                                        • Opcode Fuzzy Hash: faf50ba240de1db7aa49446f2894ac446f1db757a1a4baed15d07d7c81e30c3b
                                                        • Instruction Fuzzy Hash: 6E3197B9D042589FCF10CFA9E884ADEFBF0BB09314F14A02AE814B7250D734AA45CF64
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.341699107.0000000005500000.00000040.00000001.sdmp, Offset: 05500000, based on PE: false
                                                        Similarity
                                                        • API ID: DeleteFile
                                                        • String ID:
                                                        • API String ID: 4033686569-0
                                                        • Opcode ID: 21c5d031bef8dff22a0eadd7265b04b4d3411450365f9c1eded1fa8507bf5a74
                                                        • Instruction ID: 843cc95c1bc4fb79787bccbd4aa84c809b171ef64f9f37fb3a58e23084523d83
                                                        • Opcode Fuzzy Hash: 21c5d031bef8dff22a0eadd7265b04b4d3411450365f9c1eded1fa8507bf5a74
                                                        • Instruction Fuzzy Hash: 4931FCB4D052589FCB00CFA9D884AEEFBF0BB49314F14902AE409B7350D734A945CF94
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.341699107.0000000005500000.00000040.00000001.sdmp, Offset: 05500000, based on PE: false
                                                        Similarity
                                                        • API ID: DeleteFile
                                                        • String ID:
                                                        • API String ID: 4033686569-0
                                                        • Opcode ID: 8a3a044f4c63e2ac5e73cbced7e5c6ce29c1816ac5d71e1deb749f3982137a50
                                                        • Instruction ID: bc7f56e571b16c2e621ef7cc60198697fbaa2e40de376ee7356f51a7058b3451
                                                        • Opcode Fuzzy Hash: 8a3a044f4c63e2ac5e73cbced7e5c6ce29c1816ac5d71e1deb749f3982137a50
                                                        • Instruction Fuzzy Hash: E231D8B4D052589FCB00CFA9D884AEEFBF5BB49314F14902AE409B7350D738AA45CFA4
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.332785339.000000000135D000.00000040.00000001.sdmp, Offset: 0135D000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: e0e351f5f686a4bb4c0a2651af3a6af4d93bf517cc8d1e398c57f58e72753201
                                                        • Instruction ID: 75cda9f9ab45a7a276f5a3409642afba0ba6556d91c648443f4c0823c8b60619
                                                        • Opcode Fuzzy Hash: e0e351f5f686a4bb4c0a2651af3a6af4d93bf517cc8d1e398c57f58e72753201
                                                        • Instruction Fuzzy Hash: BA01F77140C3849AEB504A69DCC0B6BBF98EF426BCF088059EE045B646C778D844CAB1
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.332785339.000000000135D000.00000040.00000001.sdmp, Offset: 0135D000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 0a95a02ad348b0d3da0ce3eac9256220a466a9aed8977cb4b179a984058d85f9
                                                        • Instruction ID: 87066c87563925094ead223aba15d9ec4512d803700d27e9423784633fc38409
                                                        • Opcode Fuzzy Hash: 0a95a02ad348b0d3da0ce3eac9256220a466a9aed8977cb4b179a984058d85f9
                                                        • Instruction Fuzzy Hash: 81F09671404384AEEB518E59CCC4B67FF98EF42678F18C45AED085B287C3789844CAB1
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Non-executed Functions

                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.341699107.0000000005500000.00000040.00000001.sdmp, Offset: 05500000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 95a29aca83ef2f20a53e61904b10bbafe209782aff8a237b2ab0f3a66bd15032
                                                        • Instruction ID: 84167f55b0b6a6fb8a42304895a39c7e1e997f76dc2a73cae017e80e93475a7a
                                                        • Opcode Fuzzy Hash: 95a29aca83ef2f20a53e61904b10bbafe209782aff8a237b2ab0f3a66bd15032
                                                        • Instruction Fuzzy Hash: 45021574E04228CFDB24CFA5D945BEDBBB2BF49304F2495AAD408A7381DB349A85CF50
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.332942601.00000000013B0000.00000040.00000001.sdmp, Offset: 013B0000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: a1b29438859dd3fb34ac14422add0ef580d1346ff75ff5e446f019e8d9043bc9
                                                        • Instruction ID: 6f3eb77b929c4dd659dac7a7d6b5aef182b0e44a305b45aa216ebb69dfd1cf89
                                                        • Opcode Fuzzy Hash: a1b29438859dd3fb34ac14422add0ef580d1346ff75ff5e446f019e8d9043bc9
                                                        • Instruction Fuzzy Hash: 3EB11C30708159CBEB382F39E4A537A76AAAF82749F14442DDB82C7D88EF34C851C752
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.332942601.00000000013B0000.00000040.00000001.sdmp, Offset: 013B0000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: f7d8ce2008e262c43a1822a637c8efb6b10bbc0300152e80ccf0780291747fb4
                                                        • Instruction ID: 2f9c67b4f2d699a7aec5501fe670dd0fc2ac54f4909a02d4274ab14482d90a86
                                                        • Opcode Fuzzy Hash: f7d8ce2008e262c43a1822a637c8efb6b10bbc0300152e80ccf0780291747fb4
                                                        • Instruction Fuzzy Hash: 3BC17F70A04258CFCB19CFA8D4D0AEEB7B2FF49304F15816AE615BBA55E731AC41CB91
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.341699107.0000000005500000.00000040.00000001.sdmp, Offset: 05500000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 9b44d8505f7e509260da6a4203a60e740662fd781942ebe64769ffbd61bd9962
                                                        • Instruction ID: 11ed7e45276e6c66d6f474be2bdef2ce68e0b8369519b37ab921e08fd7dc57ae
                                                        • Opcode Fuzzy Hash: 9b44d8505f7e509260da6a4203a60e740662fd781942ebe64769ffbd61bd9962
                                                        • Instruction Fuzzy Hash: E5D1F631C2075A8ACB04EB64D994ADDF7B1FFA5300F518B9AE4097B215EF706AC8CB51
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.341699107.0000000005500000.00000040.00000001.sdmp, Offset: 05500000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 63441895ac23a0a1487e06429909f7192c7af0b33273f67c8c4388a2f59f2bbe
                                                        • Instruction ID: adab0ae66a346a3704086f962f5d6b5bf25e49e2c3bdf74cc71881877ef4e1eb
                                                        • Opcode Fuzzy Hash: 63441895ac23a0a1487e06429909f7192c7af0b33273f67c8c4388a2f59f2bbe
                                                        • Instruction Fuzzy Hash: 92D1E631C2075A8ACB14EB64D994ADDF7B1FFA5300F518B9AE5093B214EF706AC8CB51
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.332942601.00000000013B0000.00000040.00000001.sdmp, Offset: 013B0000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: b3cf47b4a21a27c08b9a323878a3c5fee4f8413da9bfe60d87d23944b542f7e8
                                                        • Instruction ID: 820bbf1a1bd57c0735395fc4aeb71e1e344030502c0ae064bc48c8d9c0c5f4a4
                                                        • Opcode Fuzzy Hash: b3cf47b4a21a27c08b9a323878a3c5fee4f8413da9bfe60d87d23944b542f7e8
                                                        • Instruction Fuzzy Hash: 4E819530B0421C8BCB18AB7498546BEB7ABBFC9358F05882DD506E778CDF348845C791
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.341699107.0000000005500000.00000040.00000001.sdmp, Offset: 05500000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: f8ccf6c2c09e186e1fa8188cd3b245e7caed67eea1523f95ca2acb866d14987f
                                                        • Instruction ID: 680568fdf7f8a5ed49060221a8e99d9c9d031d4e16ea5a9831467d0b9588610e
                                                        • Opcode Fuzzy Hash: f8ccf6c2c09e186e1fa8188cd3b245e7caed67eea1523f95ca2acb866d14987f
                                                        • Instruction Fuzzy Hash: BF31BE75E146188FEB18CFAAC8446DEFBF2BF89300F14C16AD818AB255EB305946CF40
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.341699107.0000000005500000.00000040.00000001.sdmp, Offset: 05500000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: df4355381d9c7cb8b3b0417f7b61cf543a79d0b9c1005693ba13d78e12bae1e5
                                                        • Instruction ID: 15ec42599d6c13a3ade8118e5ffe53b7178ee946b3eac5457790a93f2335e462
                                                        • Opcode Fuzzy Hash: df4355381d9c7cb8b3b0417f7b61cf543a79d0b9c1005693ba13d78e12bae1e5
                                                        • Instruction Fuzzy Hash: 6AF0B2B5D0420D8B8B04CFA9D9405EEFBF2FB5A310F10A126D814B3310D73489028EA8
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.341699107.0000000005500000.00000040.00000001.sdmp, Offset: 05500000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 9eb7edaa31dfbf35867dc96d8b8f8c426529f6e1b54484e160c576f9eb5ddf33
                                                        • Instruction ID: e1d03de24a134628a57e5bb27e93d096401a527f84895b53466753f46ac32d37
                                                        • Opcode Fuzzy Hash: 9eb7edaa31dfbf35867dc96d8b8f8c426529f6e1b54484e160c576f9eb5ddf33
                                                        • Instruction Fuzzy Hash: 21F042B5D0520C9F8F04DFA9D5418EEFBF2BB59310F10A16AE914B3310E73599518FA8
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Executed Functions

                                                        APIs
                                                        • CreateProcessAsUserW.KERNELBASE(?,00000000,00000000,00000000,00000000,?,?,05A1555D,?,?,?), ref: 05A157C4
                                                        Memory Dump Source
                                                        • Source File: 00000014.00000002.629881681.0000000005A10000.00000040.00000001.sdmp, Offset: 05A10000, based on PE: false
                                                        Similarity
                                                        • API ID: CreateProcessUser
                                                        • String ID:
                                                        • API String ID: 2217836671-0
                                                        • Opcode ID: 4ec0855261f163c14763891be4b9fb4d7106f7c5bf512823e34888e22e115295
                                                        • Instruction ID: 66157d6acc5fe1ebf5b9cffde2a347238384f57617abf9ec0007c5ceabb2dd15
                                                        • Opcode Fuzzy Hash: 4ec0855261f163c14763891be4b9fb4d7106f7c5bf512823e34888e22e115295
                                                        • Instruction Fuzzy Hash: 6091D075D0426D8FCF21CFA4C880BDEBBB1BB59314F0591AAE549B7210DB74AA85CF84
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • CreateProcessAsUserW.KERNELBASE(?,00000000,00000000,00000000,00000000,?,?,05A1555D,?,?,?), ref: 05A157C4
                                                        Memory Dump Source
                                                        • Source File: 00000014.00000002.629881681.0000000005A10000.00000040.00000001.sdmp, Offset: 05A10000, based on PE: false
                                                        Similarity
                                                        • API ID: CreateProcessUser
                                                        • String ID:
                                                        • API String ID: 2217836671-0
                                                        • Opcode ID: 2195d508b59cc1742dc18b4af078a39a47a6d0e91a5b07380c13f9e0ba51a560
                                                        • Instruction ID: a53c8fa73d10f6131cc79a2689e5245ff159873d79ba5c5950b9b733eecde59e
                                                        • Opcode Fuzzy Hash: 2195d508b59cc1742dc18b4af078a39a47a6d0e91a5b07380c13f9e0ba51a560
                                                        • Instruction Fuzzy Hash: 0191DF75D0426D8FCF21CFA4D880BDDBBB1BB4A304F0591AAE549B7210DB74AA85CF84
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 05A1847B
                                                        Memory Dump Source
                                                        • Source File: 00000014.00000002.629881681.0000000005A10000.00000040.00000001.sdmp, Offset: 05A10000, based on PE: false
                                                        Similarity
                                                        • API ID: MemoryProcessWrite
                                                        • String ID:
                                                        • API String ID: 3559483778-0
                                                        • Opcode ID: 49f52486ed3a689ace6257c2d174efef50e6fc06d359bd5d165b7fdba8a63985
                                                        • Instruction ID: 0259b021a3f92ed9ed62d7b3771602e051c971524a8d7202dbd523c590d5c9e9
                                                        • Opcode Fuzzy Hash: 49f52486ed3a689ace6257c2d174efef50e6fc06d359bd5d165b7fdba8a63985
                                                        • Instruction Fuzzy Hash: F241BAB5D052599FCF00CFA9D984AEEBBF1BB09314F14902AE914B7240D738AA45CF54
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 05A1847B
                                                        Memory Dump Source
                                                        • Source File: 00000014.00000002.629881681.0000000005A10000.00000040.00000001.sdmp, Offset: 05A10000, based on PE: false
                                                        Similarity
                                                        • API ID: MemoryProcessWrite
                                                        • String ID:
                                                        • API String ID: 3559483778-0
                                                        • Opcode ID: 19a2c649b6d372035fae7456712a209d91627e2b8ead5ad27ed6933194dbc89b
                                                        • Instruction ID: 8b7c2189a8bb95184a86b47c66e6c6d088f44e761df4c3783dbde30b4ae68ff1
                                                        • Opcode Fuzzy Hash: 19a2c649b6d372035fae7456712a209d91627e2b8ead5ad27ed6933194dbc89b
                                                        • Instruction Fuzzy Hash: 2241ACB5D052589FCF00CFA9D984ADEFBF1BB49314F14902AE915B7240D738AA45CF54
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 05A1816A
                                                        Memory Dump Source
                                                        • Source File: 00000014.00000002.629881681.0000000005A10000.00000040.00000001.sdmp, Offset: 05A10000, based on PE: false
                                                        Similarity
                                                        • API ID: AllocVirtual
                                                        • String ID:
                                                        • API String ID: 4275171209-0
                                                        • Opcode ID: 908681c9db695e48cdc6a3414441b9adcbc321b51ca4ad45d71239ba4b3e9c3a
                                                        • Instruction ID: a9b56b77a9b118abdc6b027455a1a1a810bed143b1a338eedbb9b9832b1b1d95
                                                        • Opcode Fuzzy Hash: 908681c9db695e48cdc6a3414441b9adcbc321b51ca4ad45d71239ba4b3e9c3a
                                                        • Instruction Fuzzy Hash: 7541A9B9D042599BCF00CFA9D984ADEFBB1BB49314F14942AE825B7200D734A945CF98
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 05A1816A
                                                        Memory Dump Source
                                                        • Source File: 00000014.00000002.629881681.0000000005A10000.00000040.00000001.sdmp, Offset: 05A10000, based on PE: false
                                                        Similarity
                                                        • API ID: AllocVirtual
                                                        • String ID:
                                                        • API String ID: 4275171209-0
                                                        • Opcode ID: 079cb65c60755f42dc2986df3b4ff35257e653aca7cca20acce358744d69b7b0
                                                        • Instruction ID: 601c987e897144de50b611239470c240bc86f4328e52c3689ede893172192061
                                                        • Opcode Fuzzy Hash: 079cb65c60755f42dc2986df3b4ff35257e653aca7cca20acce358744d69b7b0
                                                        • Instruction Fuzzy Hash: 0F3188B9D042589FCF10CFA9D984ADEFBB1BB49314F14902AE825B7310D735A946CF98
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • VirtualProtect.KERNELBASE(?,?,514A1B1F,DBBDF2D4), ref: 0326BFD7
                                                        Memory Dump Source
                                                        • Source File: 00000014.00000002.621137183.0000000003260000.00000040.00000001.sdmp, Offset: 03260000, based on PE: false
                                                        Similarity
                                                        • API ID: ProtectVirtual
                                                        • String ID:
                                                        • API String ID: 544645111-0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • GetThreadContext.KERNELBASE(?,?), ref: 05A17677
                                                        Memory Dump Source
                                                        • Source File: 00000014.00000002.629881681.0000000005A10000.00000040.00000001.sdmp, Offset: 05A10000, based on PE: false
                                                        Similarity
                                                        • API ID: ContextThread
                                                        • String ID:
                                                        • API String ID: 1591575202-0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • SetThreadContext.KERNELBASE(?,?), ref: 05A189D7
                                                        Memory Dump Source
                                                        • Source File: 00000014.00000002.629881681.0000000005A10000.00000040.00000001.sdmp, Offset: 05A10000, based on PE: false
                                                        Similarity
                                                        • API ID: ContextThread
                                                        • String ID:
                                                        • API String ID: 1591575202-0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • VirtualProtect.KERNELBASE(?,?,514A1B1F,DBBDF2D4), ref: 0326BFD7
                                                        Memory Dump Source
                                                        • Source File: 00000014.00000002.621137183.0000000003260000.00000040.00000001.sdmp, Offset: 03260000, based on PE: false
                                                        Similarity
                                                        • API ID: ProtectVirtual
                                                        • String ID:
                                                        • API String ID: 544645111-0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • VirtualProtect.KERNELBASE(?,?,?,?), ref: 05AE0EE7
                                                        Memory Dump Source
                                                        • Source File: 00000014.00000002.630003304.0000000005AE0000.00000040.00000001.sdmp, Offset: 05AE0000, based on PE: false
                                                        Similarity
                                                        • API ID: ProtectVirtual
                                                        • String ID:
                                                        • API String ID: 544645111-0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • GetThreadContext.KERNELBASE(?,?), ref: 05A17677
                                                        Memory Dump Source
                                                        • Source File: 00000014.00000002.629881681.0000000005A10000.00000040.00000001.sdmp, Offset: 05A10000, based on PE: false
                                                        Similarity
                                                        • API ID: ContextThread
                                                        • String ID:
                                                        • API String ID: 1591575202-0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • SetThreadContext.KERNELBASE(?,?), ref: 05A189D7
                                                        Memory Dump Source
                                                        • Source File: 00000014.00000002.629881681.0000000005A10000.00000040.00000001.sdmp, Offset: 05A10000, based on PE: false
                                                        Similarity
                                                        • API ID: ContextThread
                                                        • String ID:
                                                        • API String ID: 1591575202-0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • VirtualProtect.KERNELBASE(?,?,?,?), ref: 05AE0EE7
                                                        Memory Dump Source
                                                        • Source File: 00000014.00000002.630003304.0000000005AE0000.00000040.00000001.sdmp, Offset: 05AE0000, based on PE: false
                                                        Similarity
                                                        • API ID: ProtectVirtual
                                                        • String ID:
                                                        • API String ID: 544645111-0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • DeleteFileW.KERNELBASE(?), ref: 05AE1681
                                                        Memory Dump Source
                                                        • Source File: 00000014.00000002.630003304.0000000005AE0000.00000040.00000001.sdmp, Offset: 05AE0000, based on PE: false
                                                        Similarity
                                                        • API ID: DeleteFile
                                                        • String ID:
                                                        • API String ID: 4033686569-0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • DeleteFileW.KERNELBASE(?), ref: 05AE1681
                                                        Memory Dump Source
                                                        • Source File: 00000014.00000002.630003304.0000000005AE0000.00000040.00000001.sdmp, Offset: 05AE0000, based on PE: false
                                                        Similarity
                                                        • API ID: DeleteFile
                                                        • String ID:
                                                        • API String ID: 4033686569-0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • ResumeThread.KERNELBASE(?), ref: 05A18BFE
                                                        Memory Dump Source
                                                        • Source File: 00000014.00000002.629881681.0000000005A10000.00000040.00000001.sdmp, Offset: 05A10000, based on PE: false
                                                        Similarity
                                                        • API ID: ResumeThread
                                                        • String ID:
                                                        • API String ID: 947044025-0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • ResumeThread.KERNELBASE(?), ref: 05A18BFE
                                                        Memory Dump Source
                                                        • Source File: 00000014.00000002.629881681.0000000005A10000.00000040.00000001.sdmp, Offset: 05A10000, based on PE: false
                                                        Similarity
                                                        • API ID: ResumeThread
                                                        • String ID:
                                                        • API String ID: 947044025-0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000014.00000002.620546480.000000000171D000.00000040.00000001.sdmp, Offset: 0171D000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000014.00000002.620546480.000000000171D000.00000040.00000001.sdmp, Offset: 0171D000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000014.00000002.620546480.000000000171D000.00000040.00000001.sdmp, Offset: 0171D000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000014.00000002.620546480.000000000171D000.00000040.00000001.sdmp, Offset: 0171D000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000014.00000002.620546480.000000000171D000.00000040.00000001.sdmp, Offset: 0171D000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000014.00000002.620546480.000000000171D000.00000040.00000001.sdmp, Offset: 0171D000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Non-executed Functions

                                                        Executed Functions

                                                        Memory Dump Source
                                                        • Source File: 00000019.00000002.628024050.0000000004DF0000.00000040.00000001.sdmp, Offset: 04DF0000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • GetModuleHandleW.KERNEL32(00000000), ref: 04DF962E
                                                        Memory Dump Source
                                                        • Source File: 00000019.00000002.628024050.0000000004DF0000.00000040.00000001.sdmp, Offset: 04DF0000, based on PE: false
                                                        Similarity
                                                        • API ID: HandleModule
                                                        • String ID:
                                                        • API String ID: 4139908857-0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 04DFFD0A
                                                        Memory Dump Source
                                                        • Source File: 00000019.00000002.628024050.0000000004DF0000.00000040.00000001.sdmp, Offset: 04DF0000, based on PE: false
                                                        Similarity
                                                        • API ID: CreateWindow
                                                        • String ID:
                                                        • API String ID: 716092398-0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • CreateActCtxA.KERNEL32(?), ref: 04F746B1
                                                        Memory Dump Source
                                                        • Source File: 00000019.00000002.628358190.0000000004F70000.00000040.00000001.sdmp, Offset: 04F70000, based on PE: false
                                                        Similarity
                                                        • API ID: Create
                                                        • String ID:
                                                        • API String ID: 2289755597-0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • CreateActCtxA.KERNEL32(?), ref: 04F746B1
                                                        Memory Dump Source
                                                        • Source File: 00000019.00000002.628358190.0000000004F70000.00000040.00000001.sdmp, Offset: 04F70000, based on PE: false
                                                        Similarity
                                                        • API ID: Create
                                                        • String ID:
                                                        • API String ID: 2289755597-0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • CallWindowProcW.USER32(?,?,?,?,?), ref: 04F72531
                                                        Memory Dump Source
                                                        • Source File: 00000019.00000002.628358190.0000000004F70000.00000040.00000001.sdmp, Offset: 04F70000, based on PE: false
                                                        Similarity
                                                        • API ID: CallProcWindow
                                                        • String ID:
                                                        • API String ID: 2714655100-0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000019.00000002.628358190.0000000004F70000.00000040.00000001.sdmp, Offset: 04F70000, based on PE: false
                                                        Similarity
                                                        • API ID: CreateFromIconResource
                                                        • String ID:
                                                        • API String ID: 3668623891-0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • SetWindowLongW.USER32(?,?,?,?,?,?,?,?,04DFFE28,?,?,?,?), ref: 04DFFE9D
                                                        Memory Dump Source
                                                        • Source File: 00000019.00000002.628024050.0000000004DF0000.00000040.00000001.sdmp, Offset: 04DF0000, based on PE: false
                                                        Similarity
                                                        • API ID: LongWindow
                                                        • String ID:
                                                        • API String ID: 1378638983-0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • PostMessageW.USER32(?,027F53E8,00000000,?), ref: 04F7E73D
                                                        Memory Dump Source
                                                        • Source File: 00000019.00000002.628358190.0000000004F70000.00000040.00000001.sdmp, Offset: 04F70000, based on PE: false
                                                        Similarity
                                                        • API ID: MessagePost
                                                        • String ID:
                                                        • API String ID: 410705778-0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,04DFBCC6,?,?,?,?,?), ref: 04DFBD87
                                                        Memory Dump Source
                                                        • Source File: 00000019.00000002.628024050.0000000004DF0000.00000040.00000001.sdmp, Offset: 04DF0000, based on PE: false
                                                        Similarity
                                                        • API ID: DuplicateHandle
                                                        • String ID:
                                                        • API String ID: 3793708945-0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,04DFBCC6,?,?,?,?,?), ref: 04DFBD87
                                                        Memory Dump Source
                                                        • Source File: 00000019.00000002.628024050.0000000004DF0000.00000040.00000001.sdmp, Offset: 04DF0000, based on PE: false
                                                        Similarity
                                                        • API ID: DuplicateHandle
                                                        • String ID:
                                                        • API String ID: 3793708945-0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?,?,?,?,04F7B8B2,?,?,?,?,?), ref: 04F7B957
                                                        Memory Dump Source
                                                        • Source File: 00000019.00000002.628358190.0000000004F70000.00000040.00000001.sdmp, Offset: 04F70000, based on PE: false
                                                        Similarity
                                                        • API ID: CreateFromIconResource
                                                        • String ID:
                                                        • API String ID: 3668623891-0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,04DF96A9,00000800,00000000,00000000), ref: 04DF98BA
                                                        Memory Dump Source
                                                        • Source File: 00000019.00000002.628024050.0000000004DF0000.00000040.00000001.sdmp, Offset: 04DF0000, based on PE: false
                                                        Similarity
                                                        • API ID: LibraryLoad
                                                        • String ID:
                                                        • API String ID: 1029625771-0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,04DF96A9,00000800,00000000,00000000), ref: 04DF98BA
                                                        Memory Dump Source
                                                        • Source File: 00000019.00000002.628024050.0000000004DF0000.00000040.00000001.sdmp, Offset: 04DF0000, based on PE: false
                                                        Similarity
                                                        • API ID: LibraryLoad
                                                        • String ID:
                                                        • API String ID: 1029625771-0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • PostMessageW.USER32(?,027F53E8,00000000,?), ref: 04F7E73D
                                                        Memory Dump Source
                                                        • Source File: 00000019.00000002.628358190.0000000004F70000.00000040.00000001.sdmp, Offset: 04F70000, based on PE: false
                                                        Similarity
                                                        • API ID: MessagePost
                                                        • String ID:
                                                        • API String ID: 410705778-0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • SendMessageW.USER32(?,0000020A,?,?,?,?,?,?,04F7226A,?,00000000,?), ref: 04F7C435
                                                        Memory Dump Source
                                                        • Source File: 00000019.00000002.628358190.0000000004F70000.00000040.00000001.sdmp, Offset: 04F70000, based on PE: false
                                                        Similarity
                                                        • API ID: MessageSend
                                                        • String ID:
                                                        • API String ID: 3850602802-0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • OleInitialize.OLE32(00000000), ref: 04F7F435
                                                        Memory Dump Source
                                                        • Source File: 00000019.00000002.628358190.0000000004F70000.00000040.00000001.sdmp, Offset: 04F70000, based on PE: false
                                                        Similarity
                                                        • API ID: Initialize
                                                        • String ID:
                                                        • API String ID: 2538663250-0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • SendMessageW.USER32(?,0000020A,?,?,?,?,?,?,04F7226A,?,00000000,?), ref: 04F7C435
                                                        Memory Dump Source
                                                        • Source File: 00000019.00000002.628358190.0000000004F70000.00000040.00000001.sdmp, Offset: 04F70000, based on PE: false
                                                        Similarity
                                                        • API ID: MessageSend
                                                        • String ID:
                                                        • API String ID: 3850602802-0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • SendMessageW.USER32(?,?,?,?,?,?,?,?,?,00000000), ref: 04F7BCBD
                                                        Memory Dump Source
                                                        • Source File: 00000019.00000002.628358190.0000000004F70000.00000040.00000001.sdmp, Offset: 04F70000, based on PE: false
                                                        Similarity
                                                        • API ID: MessageSend
                                                        • String ID:
                                                        • API String ID: 3850602802-0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • SendMessageW.USER32(?,00000018,00000001,?), ref: 04F7D29D
                                                        Memory Dump Source
                                                        • Source File: 00000019.00000002.628358190.0000000004F70000.00000040.00000001.sdmp, Offset: 04F70000, based on PE: false
                                                        Similarity
                                                        • API ID: MessageSend
                                                        • String ID:
                                                        • API String ID: 3850602802-0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • GetModuleHandleW.KERNEL32(00000000), ref: 04DF962E
                                                        Memory Dump Source
                                                        • Source File: 00000019.00000002.628024050.0000000004DF0000.00000040.00000001.sdmp, Offset: 04DF0000, based on PE: false
                                                        Similarity
                                                        • API ID: HandleModule
                                                        • String ID:
                                                        • API String ID: 4139908857-0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • SetWindowLongW.USER32(?,?,?,?,?,?,?,?,04DFFE28,?,?,?,?), ref: 04DFFE9D
                                                        Memory Dump Source
                                                        • Source File: 00000019.00000002.628024050.0000000004DF0000.00000040.00000001.sdmp, Offset: 04DF0000, based on PE: false
                                                        Similarity
                                                        • API ID: LongWindow
                                                        • String ID:
                                                        • API String ID: 1378638983-0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • OleInitialize.OLE32(00000000), ref: 04F7F435
                                                        Memory Dump Source
                                                        • Source File: 00000019.00000002.628358190.0000000004F70000.00000040.00000001.sdmp, Offset: 04F70000, based on PE: false
                                                        Similarity
                                                        • API ID: Initialize
                                                        • String ID:
                                                        • API String ID: 2538663250-0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • SendMessageW.USER32(?,?,?,?,?,?,?,?,?,00000000), ref: 04F7BCBD
                                                        Memory Dump Source
                                                        • Source File: 00000019.00000002.628358190.0000000004F70000.00000040.00000001.sdmp, Offset: 04F70000, based on PE: false
                                                        Similarity
                                                        • API ID: MessageSend
                                                        • String ID:
                                                        • API String ID: 3850602802-0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • SendMessageW.USER32(?,00000018,00000001,?), ref: 04F7D29D
                                                        Memory Dump Source
                                                        • Source File: 00000019.00000002.628358190.0000000004F70000.00000040.00000001.sdmp, Offset: 04F70000, based on PE: false
                                                        Similarity
                                                        • API ID: MessageSend
                                                        • String ID:
                                                        • API String ID: 3850602802-0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000019.00000002.620911858.0000000000C0D000.00000040.00000001.sdmp, Offset: 00C0D000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000019.00000002.620954333.0000000000C1D000.00000040.00000001.sdmp, Offset: 00C1D000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000019.00000002.620954333.0000000000C1D000.00000040.00000001.sdmp, Offset: 00C1D000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000019.00000002.620911858.0000000000C0D000.00000040.00000001.sdmp, Offset: 00C0D000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Non-executed Functions