Play interactive tour

Edit tour

Analysis Report lNCyFjhn7M

Overview

General Information

Sample Name:	lNCyFjhn7M (renamed file extension from none to exe)
Analysis ID:	356766
MD5:	1ad8213451de5daa4ad536cd9c70e9ce
SHA1:	62c394dfc3094044454f0d25775ca87e6749787e
SHA256:	152dabf84b039a8c1412d8dea323051ee96b1696c3e551a049801c8a320d23e7
Tags:	AgentTesla
Infos:
Most interesting Screenshot:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Multi AV Scanner detection for submitted file

Yara detected AgentTesla

Yara detected AntiVM_3

.NET source code contains potential unpacker

.NET source code contains very large array initializations

.NET source code contains very large strings

C2 URLs / IPs found in malware configuration

Found evasive API chain (trying to detect sleep duration tampering with parallel thread)

Injects a PE file into a foreign processes

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file access)

Antivirus or Machine Learning detection for unpacked file

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains strange resources

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses SMTP (mail sending)

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Startup

System is w10x64

lNCyFjhn7M.exe (PID: 6996 cmdline: 'C:\Users\user\Desktop\lNCyFjhn7M.exe' MD5: 1AD8213451DE5DAA4AD536CD9C70E9CE)

lNCyFjhn7M.exe (PID: 7036 cmdline: C:\Users\user\Desktop\lNCyFjhn7M.exe MD5: 1AD8213451DE5DAA4AD536CD9C70E9CE)

cleanup

Malware Configuration

Threatname: Agenttesla

{"Username: ": "E943pmspWkN", "URL: ": "https://femFzmplqt.net", "To: ": "", "ByHost: ": "mail.hybridgroupco.com:587", "Password: ": "RgZuUQv5z", "From: ": ""}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.326906613.0000000003C04000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.326698522.0000000002C01000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000001.00000002.589195869.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000001.00000002.590922380.0000000002F51000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000001.00000002.590922380.0000000002F51000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: lNCyFjhn7M.exe PID: 7036	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: lNCyFjhn7M.exe PID: 7036	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: lNCyFjhn7M.exe PID: 6996	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: lNCyFjhn7M.exe PID: 6996	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 4 entries

Unpacked PEs

Source	Rule	Description	Author
0.2.lNCyFjhn7M.exe.3ec88a0.2.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.lNCyFjhn7M.exe.3ec88a0.2.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
1.2.lNCyFjhn7M.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.lNCyFjhn7M.exe.3d6bdd0.3.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.lNCyFjhn7M.exe.3dc95f0.4.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.lNCyFjhn7M.exe.2c1f204.1.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 1 entries

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: lNCyFjhn7M.exe.7036.1.memstr

Malware Configuration Extractor: Agenttesla {"Username: ": "E943pmspWkN", "URL: ": "https://femFzmplqt.net", "To: ": "", "ByHost: ": "mail.hybridgroupco.com:587", "Password: ": "RgZuUQv5z", "From: ": ""}

Multi AV Scanner detection for submitted file

Show sources

Source: lNCyFjhn7M.exe	Metadefender: Detection: 21%			Perma Link
Source: lNCyFjhn7M.exe	ReversingLabs: Detection: 62%

Source: 1.2.lNCyFjhn7M.exe.400000.0.unpack

Avira: Label: TR/Spy.Gen8

Compliance:

Uses 32bit PE files

Show sources

Source: lNCyFjhn7M.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Uses new MSVCR Dlls

Show sources

Source: C:\Users\user\Desktop\lNCyFjhn7M.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Jump to behavior

Contains modern PE file flags such as dynamic base (ASLR) or NX

Show sources

Source: lNCyFjhn7M.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Binary contains paths to debug symbols

Show sources

Source:

Binary string: mscorrc.pdb source: lNCyFjhn7M.exe, 00000000.00000002.328365675.0000000004E90000.00000002.00000001.sdmp, lNCyFjhn7M.exe, 00000001.00000002.590216922.00000000012C0000.00000002.00000001.sdmp

Software Vulnerabilities:

Source: C:\Users\user\Desktop\lNCyFjhn7M.exe	Code function: 4x nop then jmp 04E0BB61h	0_2_04E0B8D1
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h	0_2_04E0BEE0
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h	0_2_04E0BED0

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: https://femFzmplqt.net

Source: global traffic

TCP traffic: 192.168.2.6:49751 -> 66.70.204.222:587

Source: Joe Sandbox View

IP Address: 66.70.204.222 66.70.204.222

Source: Joe Sandbox View

ASN Name: OVHFR OVHFR

Source: global traffic

TCP traffic: 192.168.2.6:49751 -> 66.70.204.222:587

Source: C:\Users\user\Desktop\lNCyFjhn7M.exe

Code function: 1_2_0117A09A recv,

1_2_0117A09A

Source: unknown

DNS traffic detected: queries for: mail.hybridgroupco.com

Source: lNCyFjhn7M.exe, 00000001.00000002.590922380.0000000002F51000.00000004.00000001.sdmp	String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: lNCyFjhn7M.exe, 00000001.00000002.590922380.0000000002F51000.00000004.00000001.sdmp	String found in binary or memory: http://DynDns.comDynDNS
Source: lNCyFjhn7M.exe, 00000001.00000002.590922380.0000000002F51000.00000004.00000001.sdmp	String found in binary or memory: http://cfWnht.com
Source: lNCyFjhn7M.exe, 00000001.00000002.590922380.0000000002F51000.00000004.00000001.sdmp	String found in binary or memory: https://femFzmplqt.net
Source: lNCyFjhn7M.exe, 00000000.00000002.326698522.0000000002C01000.00000004.00000001.sdmp	String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
Source: lNCyFjhn7M.exe, 00000000.00000002.326906613.0000000003C04000.00000004.00000001.sdmp, lNCyFjhn7M.exe, 00000001.00000002.589195869.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: lNCyFjhn7M.exe, 00000001.00000002.590922380.0000000002F51000.00000004.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

System Summary:

.NET source code contains very large array initializations

Show sources

Source: 1.2.lNCyFjhn7M.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b2541D03Bu002dC05Au002d4A3Bu002dB0FDu002d61EAF17A97E9u007d/u0034E1BA1C7u002d80DBu002d446Bu002d895Cu002d57E0865F0350.cs

Large array initialization: .cctor: array initializer size 11963

.NET source code contains very large strings

Show sources

Source: lNCyFjhn7M.exe, Form1.cs	Long String: Length: 13656
Source: 0.2.lNCyFjhn7M.exe.540000.0.unpack, Form1.cs	Long String: Length: 13656
Source: 0.0.lNCyFjhn7M.exe.540000.0.unpack, Form1.cs	Long String: Length: 13656
Source: 1.2.lNCyFjhn7M.exe.890000.1.unpack, Form1.cs	Long String: Length: 13656
Source: 1.0.lNCyFjhn7M.exe.890000.0.unpack, Form1.cs	Long String: Length: 13656

Source: C:\Users\user\Desktop\lNCyFjhn7M.exe	Code function: 1_2_0117B0BA NtQuerySystemInformation,		1_2_0117B0BA
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe	Code function: 1_2_0117B089 NtQuerySystemInformation,		1_2_0117B089

Source: C:\Users\user\Desktop\lNCyFjhn7M.exe	Code function: 0_2_04E03850	0_2_04E03850
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe	Code function: 0_2_04E03648	0_2_04E03648
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe	Code function: 0_2_04E0AF90	0_2_04E0AF90
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe	Code function: 0_2_04E09F70	0_2_04E09F70
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe	Code function: 0_2_04E04529	0_2_04E04529
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe	Code function: 0_2_04E04538	0_2_04E04538
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe	Code function: 0_2_04E042F0	0_2_04E042F0
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe	Code function: 0_2_04E042DF	0_2_04E042DF
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe	Code function: 0_2_04E0424D	0_2_04E0424D
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe	Code function: 0_2_04E03638	0_2_04E03638
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe	Code function: 0_2_04E09F61	0_2_04E09F61
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe	Code function: 0_2_04E00A28	0_2_04E00A28
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe	Code function: 0_2_04E00A18	0_2_04E00A18
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe	Code function: 1_2_012B4060	1_2_012B4060
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe	Code function: 1_2_012BA27A	1_2_012BA27A
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe	Code function: 1_2_012B6B48	1_2_012B6B48
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe	Code function: 1_2_012B5244	1_2_012B5244
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe	Code function: 1_2_012BA058	1_2_012BA058
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe	Code function: 1_2_012B28E0	1_2_012B28E0
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe	Code function: 1_2_0515F158	1_2_0515F158
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe	Code function: 1_2_05157B60	1_2_05157B60
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe	Code function: 1_2_0515D768	1_2_0515D768
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe	Code function: 1_2_05157290	1_2_05157290
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe	Code function: 1_2_05156498	1_2_05156498
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe	Code function: 1_2_05157AB2	1_2_05157AB2
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe	Code function: 1_2_05B70679	1_2_05B70679

Source: lNCyFjhn7M.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: lNCyFjhn7M.exe, 00000000.00000002.326906613.0000000003C04000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameLegacyPathHandling.dllN vs lNCyFjhn7M.exe
Source: lNCyFjhn7M.exe, 00000000.00000002.326906613.0000000003C04000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamercGeguBNXNlIGogKUXwddetDKLGbJb.exe4 vs lNCyFjhn7M.exe
Source: lNCyFjhn7M.exe, 00000000.00000002.326698522.0000000002C01000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameAsyncState.dllF vs lNCyFjhn7M.exe
Source: lNCyFjhn7M.exe, 00000000.00000000.321220967.0000000000628000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameStaticIndexRangePartitionForIList.exeN vs lNCyFjhn7M.exe
Source: lNCyFjhn7M.exe, 00000000.00000002.328365675.0000000004E90000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs lNCyFjhn7M.exe
Source: lNCyFjhn7M.exe, 00000001.00000002.589458599.0000000000978000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameStaticIndexRangePartitionForIList.exeN vs lNCyFjhn7M.exe
Source: lNCyFjhn7M.exe, 00000001.00000002.590216922.00000000012C0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs lNCyFjhn7M.exe
Source: lNCyFjhn7M.exe, 00000001.00000002.589195869.0000000000402000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamercGeguBNXNlIGogKUXwddetDKLGbJb.exe4 vs lNCyFjhn7M.exe
Source: lNCyFjhn7M.exe, 00000001.00000002.590185619.0000000001280000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamewshom.ocx.mui vs lNCyFjhn7M.exe
Source: lNCyFjhn7M.exe, 00000001.00000002.594298776.00000000053D0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs lNCyFjhn7M.exe
Source: lNCyFjhn7M.exe	Binary or memory string: OriginalFilenameStaticIndexRangePartitionForIList.exeN vs lNCyFjhn7M.exe

Source: lNCyFjhn7M.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: lNCyFjhn7M.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: 1.2.lNCyFjhn7M.exe.400000.0.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 1.2.lNCyFjhn7M.exe.400000.0.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: lNCyFjhn7M.exe, Form1.cs	Base64 encoded string: 'GIdDNNZNNNNRNNNN//8NNYtNNNNNNNNNDNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNtNNNNN4sht4NgNaAVotOGZ0uITucplOjpz9apzSgVTAuoz5iqPOvMFOlqJ4tnJ4tER9GVT1iMTHhQD0XWNNNNNNNNNODEDNNGNRQNViu868NNNNNNNNNNBNNNvRYNINNNPNNNNNTNNNNNNNNlw8NNNNtNNNNDNNNNNNNRDNtNNNNNtNNONNNNNNNNNNRNNNNNNNNNNPNNNNNNtNNNNNNNNZNDVHNNONNNONNNNNNRNNNRNNNNNNNNONNNNNNNNNNNNNNNUt/NNOCNNNNNRNNNBDQNNNNNNNNNNNNNNNNNNNNNNNNNTNNNNjNNNOpCjNNUNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNVNNNPNNNNNNNNNNNNNNNPPNNNRtNNNNNNNNNNNNNNP50MKu0NNNN0O8NNNNtNNNNVNNNNNVNNNNNNNNNNNNNNNNNNPNNNTNhpaAlLjNNNBDQNNNNDNNNNNDNNNNvNNNNNNNNNNNNNNNNNNONNNONYaWyoT9wNNNZNNNNNTNNNNNPNNNNWtNNNNNNNNNNNNNNNNNNDNNNDtNNNNNNNNNNNNNNNNNNNNPfCjNNNNNNNRtNNNNPNNHNhPHNNBjLNNNQNNNNNNNNNXD+NNP4NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNO4PXOLNNNbdWtNPXOpNNNbNXdMmTNNNPbNONNNRpkxNNNdNNtNNOUZnNNNXtNZNNNEmTjNNPbNRNNNRXuZjNDNDNNNNNDNNRDO+NDNNOT8pNNNXPvfNOvbGZNRNRNNNNNVNNORNstVNNNEiUDNNPtbeNNLdRmNONONNNNNQNNNENU4QNNNRok4NNNbXXjNTXuZjNDNDNNNNONNNRDO+ONNNOT8sNNNXPvfNOvbGZNVNCNNNNNHNNORNstHNNNDHXPNNNNbYOljuptRNNUQDODNNNvtuNNNXolVNNNcmVjNNPtjVtNHNNNDNNU4SNNNRPvfNOvbGZNRNPjNNNNLNNORNstLNNNDXXjNTXvVNNbNTNNNRXyMmQNNNOvtxNNNXqNLNNNXNOjNNOPbrNvtyNNNXXtNNRmNONNfNNNNUNNNENU4UNNNRPvfNOvbNRmNONNfNNNNUNNNENPtANNNTPvfNOvc+pwfNNUPNPNNNOUV7NNOjtNxNNNElBjNNpVNXNNNRXxbNNvtzNNNXNNZROFtENNNTNPbNNOZjONO0NNNNPNNNRDOmWjNNPtbTVYvPNDNtXWbONT8bNNNXXPxNNNbNNvtINNNTOPtHNNNTPjpbRjNNOtZbSDNNOvtFNNNTQNtbXtNNPt0WolfNNNbqzuZRRDEiYNNNPuhnRjHEOKV9NNOjTOvAStNNNFtgNNNXWuLbYtNNPtNdRmNSNWpNNNNWNNNENPtiNNNXN28jNNNXPjVPwzxK2cRspTRZNb5cS9LK2usJwF8NNNRANb5cS9bGOORRRjHJRjLeBtxEOtVEOcRVLDpEO5SugWjEOjAiZDNNPusn/tRGPORVRjxEPFjTSuZUNPfVNORUS9LGOjNEOusJRjLEOuRSZpNWNb5cTAbK1usnS9nAYjNNNFtlNNNXqNHNNOfXXjNTXtNGZNHNctNNNNbNNORNStfPomZNNNbGOkVUXQDNNNbZPNwLTgtAPEsnS9nAYjNNNEZRPOsnRjtJRjxeDjtK2uZXSuZYXl0PRDxEP281NNNXRjjFQPt2NNNXXQpNNNbJRDDUTvt4NNNXNNpn1tfEPksJRjfEPkRXZp0EPEsJRjxEPERVZopEOOLbBDNNPuZSRDHK2usJwF8NNNRGOuRRTuRTSuRTwzxbBNNNPtNEOtbeNNLdNNNGZNVNXNNNNNfNNORNN3WYNNOjXQbNNNbbBjNNPaZwNNNXPjpPomjNNNc0VtNNNDbeNNLdRmNRNRbNNNNZNNNENNWiZDNNPuuopm0NNNbYNz8kNNNXTAbZSt0eUjpPPEuiCtNNPu8DXQ8NNNbbDNNNPz9ONNNXWtxL1t0WPQUqO29PNNNXPvfNOvbNNOZjNDNUNNNNQDNNRDNHPvfNOvcTNNVJztVKztVLzvtENNNTNPbNNNNGZNZNVNNNNN4NNORNsttNNNE+PDNNOU4XNNNRXORNNNLNpwfNNUNXXjNTXuZjNtNFNNNNQjNNRDNPNluQNNNXXRDNNNbXXjNTXtNNRmNONNjNNNNDNNNENNVbEDNNPtbeNNLdRmNONONNNNNENNNENANWNNNPXPRNNNbXXjNTXuZjNDNZNNNNQtNNRDNPXRLNNNbXXjNTXuZjNtNqNNNNRtNNRDNPwNLNNOfH/tRYOljVXNRNNPfXXjHNNtbeNNLdWtNQ/uHTNNNoXvLNNvtzNNNXNPbNNNNGZNVNADNNNOZNNORNNagVNNNXo0xNNNbYO4jWNNNoSC4OQNtfSPtPNNNePjW7FNNNPtqiFtNNPtNNNNpXXjNTXyVNNvtzNNNXNNWmFjNNPa1VNNNXXv4bTNNNObNZNNNRXu4PXPLNNNbdNNOPH0cPNDNONNNNNNNZNNNNqwVhZP41ZQplAjNNNNNSNTjNNNPbPDNNV34NNODXNNOjPDNNV1A0pzyhM3ZNNNNNuOZNNTDNNNNwIIZN6OZNNONNNNNwE1IWENNNNCtGNNQ0ONNNV0Wfo2VNNNNNNNNNNtNNNIpIbtxWQjNNNCbOZjNJNNNONNNNBDNNNNfNNNNZNNNNVjNNNORNNNOYNNNNCjNNNOZNNNNTNNNNPtNNNNjNNNNWNNNNNDNNNNDNNNNONNNNNjNNNNZNNNNPNNNNNNNZODRNNNNNNNLNdtBJOjLNSjFJOjLNztYZOt8NQttNNNLN2jXzODLNwDBzODLN/tBzODLNltBzODLN4jBzODL
Source: 0.2.lNCyFjhn7M.exe.540000.0.unpack, Form1.cs	Base64 encoded string: 'GIdDNNZNNNNRNNNN//8NNYtNNNNNNNNNDNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNtNNNNN4sht4NgNaAVotOGZ0uITucplOjpz9apzSgVTAuoz5iqPOvMFOlqJ4tnJ4tER9GVT1iMTHhQD0XWNNNNNNNNNODEDNNGNRQNViu868NNNNNNNNNNBNNNvRYNINNNPNNNNNTNNNNNNNNlw8NNNNtNNNNDNNNNNNNRDNtNNNNNtNNONNNNNNNNNNRNNNNNNNNNNPNNNNNNtNNNNNNNNZNDVHNNONNNONNNNNNRNNNRNNNNNNNNONNNNNNNNNNNNNNNUt/NNOCNNNNNRNNNBDQNNNNNNNNNNNNNNNNNNNNNNNNNTNNNNjNNNOpCjNNUNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNVNNNPNNNNNNNNNNNNNNNPPNNNRtNNNNNNNNNNNNNNP50MKu0NNNN0O8NNNNtNNNNVNNNNNVNNNNNNNNNNNNNNNNNNPNNNTNhpaAlLjNNNBDQNNNNDNNNNNDNNNNvNNNNNNNNNNNNNNNNNNONNNONYaWyoT9wNNNZNNNNNTNNNNNPNNNNWtNNNNNNNNNNNNNNNNNNDNNNDtNNNNNNNNNNNNNNNNNNNNPfCjNNNNNNNRtNNNNPNNHNhPHNNBjLNNNQNNNNNNNNNXD+NNP4NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNO4PXOLNNNbdWtNPXOpNNNbNXdMmTNNNPbNONNNRpkxNNNdNNtNNOUZnNNNXtNZNNNEmTjNNPbNRNNNRXuZjNDNDNNNNNDNNRDO+NDNNOT8pNNNXPvfNOvbGZNRNRNNNNNVNNORNstVNNNEiUDNNPtbeNNLdRmNONONNNNNQNNNENU4QNNNRok4NNNbXXjNTXuZjNDNDNNNNONNNRDO+ONNNOT8sNNNXPvfNOvbGZNVNCNNNNNHNNORNstHNNNDHXPNNNNbYOljuptRNNUQDODNNNvtuNNNXolVNNNcmVjNNPtjVtNHNNNDNNU4SNNNRPvfNOvbGZNRNPjNNNNLNNORNstLNNNDXXjNTXvVNNbNTNNNRXyMmQNNNOvtxNNNXqNLNNNXNOjNNOPbrNvtyNNNXXtNNRmNONNfNNNNUNNNENU4UNNNRPvfNOvbNRmNONNfNNNNUNNNENPtANNNTPvfNOvc+pwfNNUPNPNNNOUV7NNOjtNxNNNElBjNNpVNXNNNRXxbNNvtzNNNXNNZROFtENNNTNPbNNOZjONO0NNNNPNNNRDOmWjNNPtbTVYvPNDNtXWbONT8bNNNXXPxNNNbNNvtINNNTOPtHNNNTPjpbRjNNOtZbSDNNOvtFNNNTQNtbXtNNPt0WolfNNNbqzuZRRDEiYNNNPuhnRjHEOKV9NNOjTOvAStNNNFtgNNNXWuLbYtNNPtNdRmNSNWpNNNNWNNNENPtiNNNXN28jNNNXPjVPwzxK2cRspTRZNb5cS9LK2usJwF8NNNRANb5cS9bGOORRRjHJRjLeBtxEOtVEOcRVLDpEO5SugWjEOjAiZDNNPusn/tRGPORVRjxEPFjTSuZUNPfVNORUS9LGOjNEOusJRjLEOuRSZpNWNb5cTAbK1usnS9nAYjNNNFtlNNNXqNHNNOfXXjNTXtNGZNHNctNNNNbNNORNStfPomZNNNbGOkVUXQDNNNbZPNwLTgtAPEsnS9nAYjNNNEZRPOsnRjtJRjxeDjtK2uZXSuZYXl0PRDxEP281NNNXRjjFQPt2NNNXXQpNNNbJRDDUTvt4NNNXNNpn1tfEPksJRjfEPkRXZp0EPEsJRjxEPERVZopEOOLbBDNNPuZSRDHK2usJwF8NNNRGOuRRTuRTSuRTwzxbBNNNPtNEOtbeNNLdNNNGZNVNXNNNNNfNNORNN3WYNNOjXQbNNNbbBjNNPaZwNNNXPjpPomjNNNc0VtNNNDbeNNLdRmNRNRbNNNNZNNNENNWiZDNNPuuopm0NNNbYNz8kNNNXTAbZSt0eUjpPPEuiCtNNPu8DXQ8NNNbbDNNNPz9ONNNXWtxL1t0WPQUqO29PNNNXPvfNOvbNNOZjNDNUNNNNQDNNRDNHPvfNOvcTNNVJztVKztVLzvtENNNTNPbNNNNGZNZNVNNNNN4NNORNsttNNNE+PDNNOU4XNNNRXORNNNLNpwfNNUNXXjNTXuZjNtNFNNNNQjNNRDNPNluQNNNXXRDNNNbXXjNTXtNNRmNONNjNNNNDNNNENNVbEDNNPtbeNNLdRmNONONNNNNENNNENANWNNNPXPRNNNbXXjNTXuZjNDNZNNNNQtNNRDNPXRLNNNbXXjNTXuZjNtNqNNNNRtNNRDNPwNLNNOfH/tRYOljVXNRNNPfXXjHNNtbeNNLdWtNQ/uHTNNNoXvLNNvtzNNNXNPbNNNNGZNVNADNNNOZNNORNNagVNNNXo0xNNNbYO4jWNNNoSC4OQNtfSPtPNNNePjW7FNNNPtqiFtNNPtNNNNpXXjNTXyVNNvtzNNNXNNWmFjNNPa1VNNNXXv4bTNNNObNZNNNRXu4PXPLNNNbdNNOPH0cPNDNONNNNNNNZNNNNqwVhZP41ZQplAjNNNNNSNTjNNNPbPDNNV34NNODXNNOjPDNNV1A0pzyhM3ZNNNNNuOZNNTDNNNNwIIZN6OZNNONNNNNwE1IWENNNNCtGNNQ0ONNNV0Wfo2VNNNNNNNNNNtNNNIpIbtxWQjNNNCbOZjNJNNNONNNNBDNNNNfNNNNZNNNNVjNNNORNNNOYNNNNCjNNNOZNNNNTNNNNPtNNNNjNNNNWNNNNNDNNNNDNNNNONNNNNjNNNNZNNNNPNNNNNNNZODRNNNNNNNLNdtBJOjLNSjFJOjLNztYZOt8NQttNNNLN2jXzODLNwDBzODLN/tBzODLNltBzODLN4jBzODL
Source: 0.0.lNCyFjhn7M.exe.540000.0.unpack, Form1.cs	Base64 encoded string: 'GIdDNNZNNNNRNNNN//8NNYtNNNNNNNNNDNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNtNNNNN4sht4NgNaAVotOGZ0uITucplOjpz9apzSgVTAuoz5iqPOvMFOlqJ4tnJ4tER9GVT1iMTHhQD0XWNNNNNNNNNODEDNNGNRQNViu868NNNNNNNNNNBNNNvRYNINNNPNNNNNTNNNNNNNNlw8NNNNtNNNNDNNNNNNNRDNtNNNNNtNNONNNNNNNNNNRNNNNNNNNNNPNNNNNNtNNNNNNNNZNDVHNNONNNONNNNNNRNNNRNNNNNNNNONNNNNNNNNNNNNNNUt/NNOCNNNNNRNNNBDQNNNNNNNNNNNNNNNNNNNNNNNNNTNNNNjNNNOpCjNNUNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNVNNNPNNNNNNNNNNNNNNNPPNNNRtNNNNNNNNNNNNNNP50MKu0NNNN0O8NNNNtNNNNVNNNNNVNNNNNNNNNNNNNNNNNNPNNNTNhpaAlLjNNNBDQNNNNDNNNNNDNNNNvNNNNNNNNNNNNNNNNNNONNNONYaWyoT9wNNNZNNNNNTNNNNNPNNNNWtNNNNNNNNNNNNNNNNNNDNNNDtNNNNNNNNNNNNNNNNNNNNPfCjNNNNNNNRtNNNNPNNHNhPHNNBjLNNNQNNNNNNNNNXD+NNP4NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNO4PXOLNNNbdWtNPXOpNNNbNXdMmTNNNPbNONNNRpkxNNNdNNtNNOUZnNNNXtNZNNNEmTjNNPbNRNNNRXuZjNDNDNNNNNDNNRDO+NDNNOT8pNNNXPvfNOvbGZNRNRNNNNNVNNORNstVNNNEiUDNNPtbeNNLdRmNONONNNNNQNNNENU4QNNNRok4NNNbXXjNTXuZjNDNDNNNNONNNRDO+ONNNOT8sNNNXPvfNOvbGZNVNCNNNNNHNNORNstHNNNDHXPNNNNbYOljuptRNNUQDODNNNvtuNNNXolVNNNcmVjNNPtjVtNHNNNDNNU4SNNNRPvfNOvbGZNRNPjNNNNLNNORNstLNNNDXXjNTXvVNNbNTNNNRXyMmQNNNOvtxNNNXqNLNNNXNOjNNOPbrNvtyNNNXXtNNRmNONNfNNNNUNNNENU4UNNNRPvfNOvbNRmNONNfNNNNUNNNENPtANNNTPvfNOvc+pwfNNUPNPNNNOUV7NNOjtNxNNNElBjNNpVNXNNNRXxbNNvtzNNNXNNZROFtENNNTNPbNNOZjONO0NNNNPNNNRDOmWjNNPtbTVYvPNDNtXWbONT8bNNNXXPxNNNbNNvtINNNTOPtHNNNTPjpbRjNNOtZbSDNNOvtFNNNTQNtbXtNNPt0WolfNNNbqzuZRRDEiYNNNPuhnRjHEOKV9NNOjTOvAStNNNFtgNNNXWuLbYtNNPtNdRmNSNWpNNNNWNNNENPtiNNNXN28jNNNXPjVPwzxK2cRspTRZNb5cS9LK2usJwF8NNNRANb5cS9bGOORRRjHJRjLeBtxEOtVEOcRVLDpEO5SugWjEOjAiZDNNPusn/tRGPORVRjxEPFjTSuZUNPfVNORUS9LGOjNEOusJRjLEOuRSZpNWNb5cTAbK1usnS9nAYjNNNFtlNNNXqNHNNOfXXjNTXtNGZNHNctNNNNbNNORNStfPomZNNNbGOkVUXQDNNNbZPNwLTgtAPEsnS9nAYjNNNEZRPOsnRjtJRjxeDjtK2uZXSuZYXl0PRDxEP281NNNXRjjFQPt2NNNXXQpNNNbJRDDUTvt4NNNXNNpn1tfEPksJRjfEPkRXZp0EPEsJRjxEPERVZopEOOLbBDNNPuZSRDHK2usJwF8NNNRGOuRRTuRTSuRTwzxbBNNNPtNEOtbeNNLdNNNGZNVNXNNNNNfNNORNN3WYNNOjXQbNNNbbBjNNPaZwNNNXPjpPomjNNNc0VtNNNDbeNNLdRmNRNRbNNNNZNNNENNWiZDNNPuuopm0NNNbYNz8kNNNXTAbZSt0eUjpPPEuiCtNNPu8DXQ8NNNbbDNNNPz9ONNNXWtxL1t0WPQUqO29PNNNXPvfNOvbNNOZjNDNUNNNNQDNNRDNHPvfNOvcTNNVJztVKztVLzvtENNNTNPbNNNNGZNZNVNNNNN4NNORNsttNNNE+PDNNOU4XNNNRXORNNNLNpwfNNUNXXjNTXuZjNtNFNNNNQjNNRDNPNluQNNNXXRDNNNbXXjNTXtNNRmNONNjNNNNDNNNENNVbEDNNPtbeNNLdRmNONONNNNNENNNENANWNNNPXPRNNNbXXjNTXuZjNDNZNNNNQtNNRDNPXRLNNNbXXjNTXuZjNtNqNNNNRtNNRDNPwNLNNOfH/tRYOljVXNRNNPfXXjHNNtbeNNLdWtNQ/uHTNNNoXvLNNvtzNNNXNPbNNNNGZNVNADNNNOZNNORNNagVNNNXo0xNNNbYO4jWNNNoSC4OQNtfSPtPNNNePjW7FNNNPtqiFtNNPtNNNNpXXjNTXyVNNvtzNNNXNNWmFjNNPa1VNNNXXv4bTNNNObNZNNNRXu4PXPLNNNbdNNOPH0cPNDNONNNNNNNZNNNNqwVhZP41ZQplAjNNNNNSNTjNNNPbPDNNV34NNODXNNOjPDNNV1A0pzyhM3ZNNNNNuOZNNTDNNNNwIIZN6OZNNONNNNNwE1IWENNNNCtGNNQ0ONNNV0Wfo2VNNNNNNNNNNtNNNIpIbtxWQjNNNCbOZjNJNNNONNNNBDNNNNfNNNNZNNNNVjNNNORNNNOYNNNNCjNNNOZNNNNTNNNNPtNNNNjNNNNWNNNNNDNNNNDNNNNONNNNNjNNNNZNNNNPNNNNNNNZODRNNNNNNNLNdtBJOjLNSjFJOjLNztYZOt8NQttNNNLN2jXzODLNwDBzODLN/tBzODLNltBzODLN4jBzODL
Source: 1.2.lNCyFjhn7M.exe.890000.1.unpack, Form1.cs	Base64 encoded string: 'GIdDNNZNNNNRNNNN//8NNYtNNNNNNNNNDNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNtNNNNN4sht4NgNaAVotOGZ0uITucplOjpz9apzSgVTAuoz5iqPOvMFOlqJ4tnJ4tER9GVT1iMTHhQD0XWNNNNNNNNNODEDNNGNRQNViu868NNNNNNNNNNBNNNvRYNINNNPNNNNNTNNNNNNNNlw8NNNNtNNNNDNNNNNNNRDNtNNNNNtNNONNNNNNNNNNRNNNNNNNNNNPNNNNNNtNNNNNNNNZNDVHNNONNNONNNNNNRNNNRNNNNNNNNONNNNNNNNNNNNNNNUt/NNOCNNNNNRNNNBDQNNNNNNNNNNNNNNNNNNNNNNNNNTNNNNjNNNOpCjNNUNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNVNNNPNNNNNNNNNNNNNNNPPNNNRtNNNNNNNNNNNNNNP50MKu0NNNN0O8NNNNtNNNNVNNNNNVNNNNNNNNNNNNNNNNNNPNNNTNhpaAlLjNNNBDQNNNNDNNNNNDNNNNvNNNNNNNNNNNNNNNNNNONNNONYaWyoT9wNNNZNNNNNTNNNNNPNNNNWtNNNNNNNNNNNNNNNNNNDNNNDtNNNNNNNNNNNNNNNNNNNNPfCjNNNNNNNRtNNNNPNNHNhPHNNBjLNNNQNNNNNNNNNXD+NNP4NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNO4PXOLNNNbdWtNPXOpNNNbNXdMmTNNNPbNONNNRpkxNNNdNNtNNOUZnNNNXtNZNNNEmTjNNPbNRNNNRXuZjNDNDNNNNNDNNRDO+NDNNOT8pNNNXPvfNOvbGZNRNRNNNNNVNNORNstVNNNEiUDNNPtbeNNLdRmNONONNNNNQNNNENU4QNNNRok4NNNbXXjNTXuZjNDNDNNNNONNNRDO+ONNNOT8sNNNXPvfNOvbGZNVNCNNNNNHNNORNstHNNNDHXPNNNNbYOljuptRNNUQDODNNNvtuNNNXolVNNNcmVjNNPtjVtNHNNNDNNU4SNNNRPvfNOvbGZNRNPjNNNNLNNORNstLNNNDXXjNTXvVNNbNTNNNRXyMmQNNNOvtxNNNXqNLNNNXNOjNNOPbrNvtyNNNXXtNNRmNONNfNNNNUNNNENU4UNNNRPvfNOvbNRmNONNfNNNNUNNNENPtANNNTPvfNOvc+pwfNNUPNPNNNOUV7NNOjtNxNNNElBjNNpVNXNNNRXxbNNvtzNNNXNNZROFtENNNTNPbNNOZjONO0NNNNPNNNRDOmWjNNPtbTVYvPNDNtXWbONT8bNNNXXPxNNNbNNvtINNNTOPtHNNNTPjpbRjNNOtZbSDNNOvtFNNNTQNtbXtNNPt0WolfNNNbqzuZRRDEiYNNNPuhnRjHEOKV9NNOjTOvAStNNNFtgNNNXWuLbYtNNPtNdRmNSNWpNNNNWNNNENPtiNNNXN28jNNNXPjVPwzxK2cRspTRZNb5cS9LK2usJwF8NNNRANb5cS9bGOORRRjHJRjLeBtxEOtVEOcRVLDpEO5SugWjEOjAiZDNNPusn/tRGPORVRjxEPFjTSuZUNPfVNORUS9LGOjNEOusJRjLEOuRSZpNWNb5cTAbK1usnS9nAYjNNNFtlNNNXqNHNNOfXXjNTXtNGZNHNctNNNNbNNORNStfPomZNNNbGOkVUXQDNNNbZPNwLTgtAPEsnS9nAYjNNNEZRPOsnRjtJRjxeDjtK2uZXSuZYXl0PRDxEP281NNNXRjjFQPt2NNNXXQpNNNbJRDDUTvt4NNNXNNpn1tfEPksJRjfEPkRXZp0EPEsJRjxEPERVZopEOOLbBDNNPuZSRDHK2usJwF8NNNRGOuRRTuRTSuRTwzxbBNNNPtNEOtbeNNLdNNNGZNVNXNNNNNfNNORNN3WYNNOjXQbNNNbbBjNNPaZwNNNXPjpPomjNNNc0VtNNNDbeNNLdRmNRNRbNNNNZNNNENNWiZDNNPuuopm0NNNbYNz8kNNNXTAbZSt0eUjpPPEuiCtNNPu8DXQ8NNNbbDNNNPz9ONNNXWtxL1t0WPQUqO29PNNNXPvfNOvbNNOZjNDNUNNNNQDNNRDNHPvfNOvcTNNVJztVKztVLzvtENNNTNPbNNNNGZNZNVNNNNN4NNORNsttNNNE+PDNNOU4XNNNRXORNNNLNpwfNNUNXXjNTXuZjNtNFNNNNQjNNRDNPNluQNNNXXRDNNNbXXjNTXtNNRmNONNjNNNNDNNNENNVbEDNNPtbeNNLdRmNONONNNNNENNNENANWNNNPXPRNNNbXXjNTXuZjNDNZNNNNQtNNRDNPXRLNNNbXXjNTXuZjNtNqNNNNRtNNRDNPwNLNNOfH/tRYOljVXNRNNPfXXjHNNtbeNNLdWtNQ/uHTNNNoXvLNNvtzNNNXNPbNNNNGZNVNADNNNOZNNORNNagVNNNXo0xNNNbYO4jWNNNoSC4OQNtfSPtPNNNePjW7FNNNPtqiFtNNPtNNNNpXXjNTXyVNNvtzNNNXNNWmFjNNPa1VNNNXXv4bTNNNObNZNNNRXu4PXPLNNNbdNNOPH0cPNDNONNNNNNNZNNNNqwVhZP41ZQplAjNNNNNSNTjNNNPbPDNNV34NNODXNNOjPDNNV1A0pzyhM3ZNNNNNuOZNNTDNNNNwIIZN6OZNNONNNNNwE1IWENNNNCtGNNQ0ONNNV0Wfo2VNNNNNNNNNNtNNNIpIbtxWQjNNNCbOZjNJNNNONNNNBDNNNNfNNNNZNNNNVjNNNORNNNOYNNNNCjNNNOZNNNNTNNNNPtNNNNjNNNNWNNNNNDNNNNDNNNNONNNNNjNNNNZNNNNPNNNNNNNZODRNNNNNNNLNdtBJOjLNSjFJOjLNztYZOt8NQttNNNLN2jXzODLNwDBzODLN/tBzODLNltBzODLN4jBzODL
Source: 1.0.lNCyFjhn7M.exe.890000.0.unpack, Form1.cs	Base64 encoded string: 'GIdDNNZNNNNRNNNN//8NNYtNNNNNNNNNDNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNtNNNNN4sht4NgNaAVotOGZ0uITucplOjpz9apzSgVTAuoz5iqPOvMFOlqJ4tnJ4tER9GVT1iMTHhQD0XWNNNNNNNNNODEDNNGNRQNViu868NNNNNNNNNNBNNNvRYNINNNPNNNNNTNNNNNNNNlw8NNNNtNNNNDNNNNNNNRDNtNNNNNtNNONNNNNNNNNNRNNNNNNNNNNPNNNNNNtNNNNNNNNZNDVHNNONNNONNNNNNRNNNRNNNNNNNNONNNNNNNNNNNNNNNUt/NNOCNNNNNRNNNBDQNNNNNNNNNNNNNNNNNNNNNNNNNTNNNNjNNNOpCjNNUNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNVNNNPNNNNNNNNNNNNNNNPPNNNRtNNNNNNNNNNNNNNP50MKu0NNNN0O8NNNNtNNNNVNNNNNVNNNNNNNNNNNNNNNNNNPNNNTNhpaAlLjNNNBDQNNNNDNNNNNDNNNNvNNNNNNNNNNNNNNNNNNONNNONYaWyoT9wNNNZNNNNNTNNNNNPNNNNWtNNNNNNNNNNNNNNNNNNDNNNDtNNNNNNNNNNNNNNNNNNNNPfCjNNNNNNNRtNNNNPNNHNhPHNNBjLNNNQNNNNNNNNNXD+NNP4NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNO4PXOLNNNbdWtNPXOpNNNbNXdMmTNNNPbNONNNRpkxNNNdNNtNNOUZnNNNXtNZNNNEmTjNNPbNRNNNRXuZjNDNDNNNNNDNNRDO+NDNNOT8pNNNXPvfNOvbGZNRNRNNNNNVNNORNstVNNNEiUDNNPtbeNNLdRmNONONNNNNQNNNENU4QNNNRok4NNNbXXjNTXuZjNDNDNNNNONNNRDO+ONNNOT8sNNNXPvfNOvbGZNVNCNNNNNHNNORNstHNNNDHXPNNNNbYOljuptRNNUQDODNNNvtuNNNXolVNNNcmVjNNPtjVtNHNNNDNNU4SNNNRPvfNOvbGZNRNPjNNNNLNNORNstLNNNDXXjNTXvVNNbNTNNNRXyMmQNNNOvtxNNNXqNLNNNXNOjNNOPbrNvtyNNNXXtNNRmNONNfNNNNUNNNENU4UNNNRPvfNOvbNRmNONNfNNNNUNNNENPtANNNTPvfNOvc+pwfNNUPNPNNNOUV7NNOjtNxNNNElBjNNpVNXNNNRXxbNNvtzNNNXNNZROFtENNNTNPbNNOZjONO0NNNNPNNNRDOmWjNNPtbTVYvPNDNtXWbONT8bNNNXXPxNNNbNNvtINNNTOPtHNNNTPjpbRjNNOtZbSDNNOvtFNNNTQNtbXtNNPt0WolfNNNbqzuZRRDEiYNNNPuhnRjHEOKV9NNOjTOvAStNNNFtgNNNXWuLbYtNNPtNdRmNSNWpNNNNWNNNENPtiNNNXN28jNNNXPjVPwzxK2cRspTRZNb5cS9LK2usJwF8NNNRANb5cS9bGOORRRjHJRjLeBtxEOtVEOcRVLDpEO5SugWjEOjAiZDNNPusn/tRGPORVRjxEPFjTSuZUNPfVNORUS9LGOjNEOusJRjLEOuRSZpNWNb5cTAbK1usnS9nAYjNNNFtlNNNXqNHNNOfXXjNTXtNGZNHNctNNNNbNNORNStfPomZNNNbGOkVUXQDNNNbZPNwLTgtAPEsnS9nAYjNNNEZRPOsnRjtJRjxeDjtK2uZXSuZYXl0PRDxEP281NNNXRjjFQPt2NNNXXQpNNNbJRDDUTvt4NNNXNNpn1tfEPksJRjfEPkRXZp0EPEsJRjxEPERVZopEOOLbBDNNPuZSRDHK2usJwF8NNNRGOuRRTuRTSuRTwzxbBNNNPtNEOtbeNNLdNNNGZNVNXNNNNNfNNORNN3WYNNOjXQbNNNbbBjNNPaZwNNNXPjpPomjNNNc0VtNNNDbeNNLdRmNRNRbNNNNZNNNENNWiZDNNPuuopm0NNNbYNz8kNNNXTAbZSt0eUjpPPEuiCtNNPu8DXQ8NNNbbDNNNPz9ONNNXWtxL1t0WPQUqO29PNNNXPvfNOvbNNOZjNDNUNNNNQDNNRDNHPvfNOvcTNNVJztVKztVLzvtENNNTNPbNNNNGZNZNVNNNNN4NNORNsttNNNE+PDNNOU4XNNNRXORNNNLNpwfNNUNXXjNTXuZjNtNFNNNNQjNNRDNPNluQNNNXXRDNNNbXXjNTXtNNRmNONNjNNNNDNNNENNVbEDNNPtbeNNLdRmNONONNNNNENNNENANWNNNPXPRNNNbXXjNTXuZjNDNZNNNNQtNNRDNPXRLNNNbXXjNTXuZjNtNqNNNNRtNNRDNPwNLNNOfH/tRYOljVXNRNNPfXXjHNNtbeNNLdWtNQ/uHTNNNoXvLNNvtzNNNXNPbNNNNGZNVNADNNNOZNNORNNagVNNNXo0xNNNbYO4jWNNNoSC4OQNtfSPtPNNNePjW7FNNNPtqiFtNNPtNNNNpXXjNTXyVNNvtzNNNXNNWmFjNNPa1VNNNXXv4bTNNNObNZNNNRXu4PXPLNNNbdNNOPH0cPNDNONNNNNNNZNNNNqwVhZP41ZQplAjNNNNNSNTjNNNPbPDNNV34NNODXNNOjPDNNV1A0pzyhM3ZNNNNNuOZNNTDNNNNwIIZN6OZNNONNNNNwE1IWENNNNCtGNNQ0ONNNV0Wfo2VNNNNNNNNNNtNNNIpIbtxWQjNNNCbOZjNJNNNONNNNBDNNNNfNNNNZNNNNVjNNNORNNNOYNNNNCjNNNOZNNNNTNNNNPtNNNNjNNNNWNNNNNDNNNNDNNNNONNNNNjNNNNZNNNNPNNNNNNNZODRNNNNNNNLNdtBJOjLNSjFJOjLNztYZOt8NQttNNNLN2jXzODLNwDBzODLN/tBzODLNltBzODLN4jBzODL

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/1@1/2

Source: C:\Users\user\Desktop\lNCyFjhn7M.exe	Code function: 1_2_0117AF3E AdjustTokenPrivileges,		1_2_0117AF3E
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe	Code function: 1_2_0117AF07 AdjustTokenPrivileges,		1_2_0117AF07

Source: C:\Users\user\Desktop\lNCyFjhn7M.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\lNCyFjhn7M.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\lNCyFjhn7M.exe

Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking

Source: lNCyFjhn7M.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\lNCyFjhn7M.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior

Source: C:\Users\user\Desktop\lNCyFjhn7M.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\lNCyFjhn7M.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\lNCyFjhn7M.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: lNCyFjhn7M.exe, 00000000.00000000.321030949.0000000000542000.00000002.00020000.sdmp, lNCyFjhn7M.exe, 00000001.00000000.324216545.0000000000892000.00000002.00020000.sdmp	Binary or memory string: Select distinct emp_id as Employee_ID,names as Employee_Name,age as Age,gender as Gender,dob as Date_of_Birth,date as Date_of_Registration,title as Title,proffession as Proffession,contact as Contact,email as Email_Address,residence as Residence,mstatus as Martial_Status,username as User_Name,time as Time from employee order by dob;
Source: lNCyFjhn7M.exe	Binary or memory string: SELECT `immun_id`, `at_birth`, `at_one_month`, `at_three_month`, `at_six_months`, `date`, `officer` FROM `baby_immunization`;
Source: lNCyFjhn7M.exe, 00000000.00000000.321030949.0000000000542000.00000002.00020000.sdmp, lNCyFjhn7M.exe, 00000001.00000000.324216545.0000000000892000.00000002.00020000.sdmp	Binary or memory string: SELECT `childbirthid`, `nin`, `admissiondate`, `deiverydate`, `time_of_delivery`, `type_of_delivery`, `number_of_babies`, `delivery`, `healthofficer`, `compilication`, `vitimingiven`, `discahgredate`, `nextappointment` FROM `childbirth`;
Source: lNCyFjhn7M.exe, 00000000.00000000.321030949.0000000000542000.00000002.00020000.sdmp, lNCyFjhn7M.exe, 00000001.00000000.324216545.0000000000892000.00000002.00020000.sdmp	Binary or memory string: SELECT `baby_id`, `name`, `time_of_birth`, `weight`, `body_parts_exam`, `gender1`, `skin_color`, `breast_feeding`, `cdofbaby_on_discharge2`, `name2`, `time_of_birth2`, `weight2`, `body_parts_exams2`, `gender2`, `skin_color2`, `breast_feeding2` FROM `baby`;
Source: lNCyFjhn7M.exe, 00000000.00000002.326698522.0000000002C01000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: lNCyFjhn7M.exe, 00000000.00000002.326698522.0000000002C01000.00000004.00000001.sdmp	Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
Source: lNCyFjhn7M.exe, 00000001.00000002.591059491.0000000003012000.00000004.00000001.sdmp	Binary or memory string: SELECT * FROM Win32_Processor(>;n
Source: lNCyFjhn7M.exe, 00000000.00000000.321030949.0000000000542000.00000002.00020000.sdmp, lNCyFjhn7M.exe, 00000001.00000000.324216545.0000000000892000.00000002.00020000.sdmp	Binary or memory string: Select distinct mm_id as MORTALITY_ID, cases as CASES_NUMBER,cause_of_death as CAUSE_OF_DEATH,time_of_death as TIME_OF_DEATH,date_of_death as DEATH_DATE from mortality order by date_of_death;
Source: lNCyFjhn7M.exe, 00000000.00000000.321030949.0000000000542000.00000002.00020000.sdmp, lNCyFjhn7M.exe, 00000001.00000000.324216545.0000000000892000.00000002.00020000.sdmp	Binary or memory string: Select distinct `nin_id`, `admission_date`, `delivery_time`, `delivery_type`, `numberof_babies`, `healthofficer`, `complication`, `vitim_given`, `dischagre_date`, `nextappointment`, `address` from `mother`;

Source: lNCyFjhn7M.exe	Metadefender: Detection: 21%
Source: lNCyFjhn7M.exe	ReversingLabs: Detection: 62%

Source: unknown	Process created: C:\Users\user\Desktop\lNCyFjhn7M.exe 'C:\Users\user\Desktop\lNCyFjhn7M.exe'
Source: unknown	Process created: C:\Users\user\Desktop\lNCyFjhn7M.exe C:\Users\user\Desktop\lNCyFjhn7M.exe
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe	Process created: C:\Users\user\Desktop\lNCyFjhn7M.exe C:\Users\user\Desktop\lNCyFjhn7M.exe	Jump to behavior

Source: C:\Users\user\Desktop\lNCyFjhn7M.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\lNCyFjhn7M.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\lNCyFjhn7M.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: lNCyFjhn7M.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: lNCyFjhn7M.exe

Static file information: File size 1058816 > 1048576

Source: C:\Users\user\Desktop\lNCyFjhn7M.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Jump to behavior

Source: lNCyFjhn7M.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:

Data Obfuscation:

.NET source code contains potential unpacker

Show sources

Source: lNCyFjhn7M.exe, BoundHandle.cs	.Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.lNCyFjhn7M.exe.540000.0.unpack, BoundHandle.cs	.Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.lNCyFjhn7M.exe.540000.0.unpack, BoundHandle.cs	.Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.2.lNCyFjhn7M.exe.890000.1.unpack, BoundHandle.cs	.Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.0.lNCyFjhn7M.exe.890000.0.unpack, BoundHandle.cs	.Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: C:\Users\user\Desktop\lNCyFjhn7M.exe	Code function: 0_2_00544C70 push 28060000h; retf 0000h	0_2_00544C76
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe	Code function: 1_2_00894C70 push 28060000h; retf 0000h	1_2_00894C76
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe	Code function: 1_2_05A441D8 push cs; retf	1_2_05A441EF
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe	Code function: 1_2_05A44164 push cs; retf	1_2_05A4417B
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe	Code function: 1_2_05A4424B push cs; retf	1_2_05A44263

Source: initial sample

Static PE information: section name: .text entropy: 7.44014806301

Hooking and other Techniques for Hiding and Protection:

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Show sources

Source: initial sample

Icon embedded in binary file: icon matches a legit application icon: download (50).png

Source: C:\Users\user\Desktop\lNCyFjhn7M.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Users\user\Desktop\lNCyFjhn7M.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM_3

Show sources

Source: Yara match	File source: 00000000.00000002.326698522.0000000002C01000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: lNCyFjhn7M.exe PID: 6996, type: MEMORY
Source: Yara match	File source: 0.2.lNCyFjhn7M.exe.2c1f204.1.raw.unpack, type: UNPACKEDPE

Found evasive API chain (trying to detect sleep duration tampering with parallel thread)

Show sources

Source: C:\Users\user\Desktop\lNCyFjhn7M.exe

Function Chain: systemQueried,systemQueried,threadCreated,threadResumed,threadDelayed,threadDelayed,threadDelayed,systemQueried,systemQueried,threadDelayed,systemQueried,memAlloc,threadDelayed,threadDelayed,threadDelayed,threadDelayed,threadDelayed,memAlloc,memAlloc,memAlloc,memAlloc,memAlloc,memAlloc,memAlloc,memAlloc

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Show sources

Source: C:\Users\user\Desktop\lNCyFjhn7M.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Show sources

Source: C:\Users\user\Desktop\lNCyFjhn7M.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: lNCyFjhn7M.exe, 00000000.00000002.326698522.0000000002C01000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL
Source: lNCyFjhn7M.exe, 00000000.00000002.326698522.0000000002C01000.00000004.00000001.sdmp	Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME

Source: C:\Users\user\Desktop\lNCyFjhn7M.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Users\user\Desktop\lNCyFjhn7M.exe

Window / User API: threadDelayed 693

Jump to behavior

Source: C:\Users\user\Desktop\lNCyFjhn7M.exe TID: 7000	Thread sleep time: -102800s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe TID: 7024	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe TID: 6224	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe TID: 6224	Thread sleep count: 693 > 30	Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe TID: 6224	Thread sleep time: -20790000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe TID: 6224	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe TID: 6224	Thread sleep time: -30000s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\lNCyFjhn7M.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\lNCyFjhn7M.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe	Last function: Thread delayed

Source: lNCyFjhn7M.exe, 00000000.00000002.326698522.0000000002C01000.00000004.00000001.sdmp	Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: lNCyFjhn7M.exe, 00000001.00000002.594298776.00000000053D0000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: lNCyFjhn7M.exe, 00000000.00000002.326698522.0000000002C01000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: lNCyFjhn7M.exe, 00000001.00000002.594298776.00000000053D0000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: lNCyFjhn7M.exe, 00000001.00000002.594298776.00000000053D0000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: lNCyFjhn7M.exe, 00000000.00000002.326698522.0000000002C01000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: lNCyFjhn7M.exe, 00000000.00000002.326698522.0000000002C01000.00000004.00000001.sdmp	Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
Source: lNCyFjhn7M.exe, 00000001.00000002.594298776.00000000053D0000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Users\user\Desktop\lNCyFjhn7M.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging:

Source: C:\Users\user\Desktop\lNCyFjhn7M.exe

Code function: 1_2_012B24F8 LdrInitializeThunk,

1_2_012B24F8

Source: C:\Users\user\Desktop\lNCyFjhn7M.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\lNCyFjhn7M.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\Desktop\lNCyFjhn7M.exe

Memory written: C:\Users\user\Desktop\lNCyFjhn7M.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\lNCyFjhn7M.exe

Process created: C:\Users\user\Desktop\lNCyFjhn7M.exe C:\Users\user\Desktop\lNCyFjhn7M.exe

Jump to behavior

Source: lNCyFjhn7M.exe, 00000001.00000002.590281124.00000000016C0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: lNCyFjhn7M.exe, 00000001.00000002.590281124.00000000016C0000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: lNCyFjhn7M.exe, 00000001.00000002.590281124.00000000016C0000.00000002.00000001.sdmp	Binary or memory string: &Program Manager
Source: lNCyFjhn7M.exe, 00000001.00000002.590281124.00000000016C0000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Source: C:\Users\user\Desktop\lNCyFjhn7M.exe	Queries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe	Queries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation			Jump to behavior

Source: C:\Users\user\Desktop\lNCyFjhn7M.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 00000000.00000002.326906613.0000000003C04000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.589195869.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.590922380.0000000002F51000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: lNCyFjhn7M.exe PID: 7036, type: MEMORY
Source: Yara match	File source: Process Memory Space: lNCyFjhn7M.exe PID: 6996, type: MEMORY
Source: Yara match	File source: 0.2.lNCyFjhn7M.exe.3ec88a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.lNCyFjhn7M.exe.3ec88a0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.lNCyFjhn7M.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.lNCyFjhn7M.exe.3d6bdd0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.lNCyFjhn7M.exe.3dc95f0.4.raw.unpack, type: UNPACKEDPE

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Show sources

Source: C:\Users\user\Desktop\lNCyFjhn7M.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Show sources

Source: C:\Users\user\Desktop\lNCyFjhn7M.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini			Jump to behavior

Tries to harvest and steal ftp login credentials

Show sources

Source: C:\Users\user\Desktop\lNCyFjhn7M.exe	File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml			Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\			Jump to behavior

Tries to steal Mail credentials (via file access)

Show sources

Source: C:\Users\user\Desktop\lNCyFjhn7M.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Users\user\Desktop\lNCyFjhn7M.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: Yara match	File source: 00000001.00000002.590922380.0000000002F51000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: lNCyFjhn7M.exe PID: 7036, type: MEMORY

Remote Access Functionality:

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 00000000.00000002.326906613.0000000003C04000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.589195869.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.590922380.0000000002F51000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: lNCyFjhn7M.exe PID: 7036, type: MEMORY
Source: Yara match	File source: Process Memory Space: lNCyFjhn7M.exe PID: 6996, type: MEMORY
Source: Yara match	File source: 0.2.lNCyFjhn7M.exe.3ec88a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.lNCyFjhn7M.exe.3ec88a0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.lNCyFjhn7M.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.lNCyFjhn7M.exe.3d6bdd0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.lNCyFjhn7M.exe.3dc95f0.4.raw.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation211	Path Interception	Access Token Manipulation1	Disable or Modify Tools11	OS Credential Dumping2	System Information Discovery114	Remote Services	Archive Collected Data11	Exfiltration Over Other Network Medium	Ingress Tool Transfer1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Native API1	Boot or Logon Initialization Scripts	Process Injection112	Deobfuscate/Decode Files or Information1	Credentials in Registry1	Query Registry1	Remote Desktop Protocol	Data from Local System2	Exfiltration Over Bluetooth	Encrypted Channel1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information31	Security Account Manager	Security Software Discovery211	SMB/Windows Admin Shares	Email Collection1	Automated Exfiltration	Non-Standard Port1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Software Packing13	NTDS	Virtualization/Sandbox Evasion13	Distributed Component Object Model	Input Capture	Scheduled Transfer	Non-Application Layer Protocol1	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Masquerading11	LSA Secrets	Process Discovery2	SSH	Keylogging	Data Transfer Size Limits	Application Layer Protocol111	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Virtualization/Sandbox Evasion13	Cached Domain Credentials	Application Window Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Access Token Manipulation1	DCSync	Remote System Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Process Injection112	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
lNCyFjhn7M.exe	27%	Metadefender		Browse
lNCyFjhn7M.exe	62%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
1.2.lNCyFjhn7M.exe.400000.0.unpack	100%	Avira	TR/Spy.Gen8		Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://femFzmplqt.net	0%	Avira URL Cloud	safe
http://127.0.0.1:HTTP/1.1	0%	Avira URL Cloud	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://cfWnht.com	0%	Avira URL Cloud	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
hybridgroupco.com	66.70.204.222	true	true		unknown
mail.hybridgroupco.com	unknown	unknown	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://femFzmplqt.net	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://127.0.0.1:HTTP/1.1	lNCyFjhn7M.exe, 00000001.00000002.590922380.0000000002F51000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://DynDns.comDynDNS	lNCyFjhn7M.exe, 00000001.00000002.590922380.0000000002F51000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://cfWnht.com	lNCyFjhn7M.exe, 00000001.00000002.590922380.0000000002F51000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	lNCyFjhn7M.exe, 00000001.00000002.590922380.0000000002F51000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	lNCyFjhn7M.exe, 00000000.00000002.326906613.0000000003C04000.00000004.00000001.sdmp, lNCyFjhn7M.exe, 00000001.00000002.589195869.0000000000402000.00000040.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css	lNCyFjhn7M.exe, 00000000.00000002.326698522.0000000002C01000.00000004.00000001.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
66.70.204.222	unknown	Canada		16276	OVHFR	true

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	356766
Start date:	23.02.2021
Start time:	16:19:12
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 52s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	lNCyFjhn7M (renamed file extension from none to exe)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	22
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/1@1/2
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 240 Number of non-executed functions: 7
Cookbook Comments:	Adjust boot time Enable AMSI
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 204.79.197.200, 13.107.21.200, 51.104.139.180, 13.64.90.137, 40.88.32.150, 52.255.188.83, 23.211.6.115, 13.88.21.125, 8.248.131.254, 8.248.145.254, 8.248.115.254, 67.27.157.254, 67.27.157.126, 52.155.217.156, 51.103.5.159, 20.54.26.129, 92.122.213.247, 92.122.213.194, 51.104.144.132, 184.30.24.56 Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, a1449.dscg2.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, skypedataprdcoleus15.cloudapp.net, e12564.dspb.akamaiedge.net, wns.notify.trafficmanager.net, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, auto.au.download.windowsupdate.com.c.footprint.net, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, www.bing.com, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, skypedataprdcolwus17.cloudapp.net, client.wns.windows.com, fs.microsoft.com, dual-a-0001.a-msedge.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, ctldl.windowsupdate.com, e1723.g.akamaiedge.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus15.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryValueKey calls found. VT rate limit hit for: /opt/package/joesandbox/database/analysis/356766/sample/lNCyFjhn7M.exe

Simulations

Behavior and APIs

Time	Type	Description
16:20:00	API Interceptor	1017x Sleep call for process: lNCyFjhn7M.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
66.70.204.222	Purchase Order___pdf ____________.exe	Get hash	malicious	Browse
	KUmKV28Ffx.exe	Get hash	malicious	Browse
	vWr4r97uMA.exe	Get hash	malicious	Browse
	6UYAC8WAoJ.exe	Get hash	malicious	Browse
	yTPzcGHfBU.exe	Get hash	malicious	Browse
	vJsYQ8IJVIyRNtZ.exe	Get hash	malicious	Browse
	SCAN G-0034905.EXE	Get hash	malicious	Browse
	TT swift copy.xlsx	Get hash	malicious	Browse
	RFQ_N0000000002.exe	Get hash	malicious	Browse
	SecuriteInfo.com.generic.ml.exe	Get hash	malicious	Browse
	Advance import payment swift.xlsx	Get hash	malicious	Browse
	Swift-Copy.exe	Get hash	malicious	Browse
	6Tr3ZITOfx.exe	Get hash	malicious	Browse
	Proforma-invoice.exe	Get hash	malicious	Browse
	2101-0006N.exe	Get hash	malicious	Browse
	Invoice-3990993.exe	Get hash	malicious	Browse
	PARTS REQUEST SO_30005141.exe	Get hash	malicious	Browse
	Yu2iMnAJBdOGPyv.exe	Get hash	malicious	Browse
	CONTRACT AGREEMENT.exe	Get hash	malicious	Browse
	PARTS REQUEST SO_30005141.exe	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
OVHFR	Product List.exe	Get hash	malicious	Browse	144.217.69.193
	tEQjO7fbhJ.dll	Get hash	malicious	Browse	37.187.115.122
	qRoUqXAvyz.dll	Get hash	malicious	Browse	37.187.115.122
	v9tWEeYg4u.dll	Get hash	malicious	Browse	37.187.115.122
	1sAKtAszhK.dll	Get hash	malicious	Browse	37.187.115.122
	ClfwZpeLXt.dll	Get hash	malicious	Browse	37.187.115.122
	svhost.exe	Get hash	malicious	Browse	54.37.11.130
	SBll8nnAVc.dll	Get hash	malicious	Browse	37.187.115.122
	SecuriteInfo.com.Variant.Zusy.368685.25375.exe	Get hash	malicious	Browse	51.68.21.188
	0O9BJfVJi6fEMoS.exe	Get hash	malicious	Browse	94.23.162.163
	SecuriteInfo.com.Variant.Zusy.368685.25618.exe	Get hash	malicious	Browse	51.68.21.186
	Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Get hash	malicious	Browse	198.27.88.111
	Quotation Reques.exe	Get hash	malicious	Browse	51.83.43.226
	8TD8GfTtaW.exe	Get hash	malicious	Browse	51.68.21.186
	iKohUejteO.dll	Get hash	malicious	Browse	37.187.115.122
	PO No. 104393019_pdf.exe	Get hash	malicious	Browse	51.195.53.221
	nTqV6fxGXT.exe	Get hash	malicious	Browse	51.254.175.184
	Purchase Order___pdf ____________.exe	Get hash	malicious	Browse	66.70.204.222
	File Downloader [14.5].apk	Get hash	malicious	Browse	51.75.61.103
	PO_210222.exe	Get hash	malicious	Browse	213.186.33.5

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\lNCyFjhn7M.exe.log Download File
Process:	C:\Users\user\Desktop\lNCyFjhn7M.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	664
Entropy (8bit):	5.288448637977022
Encrypted:	false
SSDEEP:	12:Q3LaJU20NaL10Ug+9Yz9t0U29hJ5g1B0U2ukyrFk70U2xANlW3ANv:MLF20NaL3z2p29hJ5g522rW2xAi3A9
MD5:	B1DB55991C3DA14E35249AEA1BC357CA
SHA1:	0DD2D91198FDEF296441B12F1A906669B279700C
SHA-256:	34D3E48321D5010AD2BD1F3F0B728077E4F5A7F70D66FA36B57E5209580B6BDC
SHA-512:	BE38A31888C9C2F8047FA9C99672CB985179D325107514B7500DDA9523AE3E1D20B45EACC4E6C8A5D096360D0FBB98A120E63F38FFE324DF8A0559F6890CC801
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Remo#\35774dc3cd31b4550ab06c3354cf4ba5\System.Runtime.Remoting.ni.dll",0..

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.345872374885046
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	lNCyFjhn7M.exe
File size:	1058816
MD5:	1ad8213451de5daa4ad536cd9c70e9ce
SHA1:	62c394dfc3094044454f0d25775ca87e6749787e
SHA256:	152dabf84b039a8c1412d8dea323051ee96b1696c3e551a049801c8a320d23e7
SHA512:	52e7b9c4458d0629599d9153c529840fa02100e20e4045b79be9647cc535defed5b7ba58013e66b59925e55b1041f96331e2a5d135c9fbb942754b48d148779a
SSDEEP:	24576:oeUFmaVji138QK0okoUXWX0f0QuTACN2N8T:w5sMyAN0f0vZ
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...^Q3`..............P..F...........e... ........@.. ....................................@................................

File Icon


Icon Hash:	68c8d0f0ccccf0d6

Static PE Info

General
Entrypoint:	0x4e658e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x6033515E [Mon Feb 22 06:38:22 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:	v2.0.50727
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xe653c	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xe8000	0x1dd0c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x106000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xe4594	0xe4600	False	0.703842321771	data	7.44014806301	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0xe8000	0x1dd0c	0x1de00	False	0.439788179916	data	5.78915682536	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x106000	0xc	0x200	False	0.044921875	data	0.101910425663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
RT_ICON	0xe8220	0x918d	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
RT_ICON	0xf13b0	0x25a8	dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 16777215, next used block 16777215
RT_ICON	0xf3958	0x10a8	dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 16777215, next used block 16777215
RT_ICON	0xf4a00	0x468	GLS_BINARY_LSB_FIRST
RT_ICON	0xf4e68	0x10828	data
RT_GROUP_ICON	0x105690	0x4c	data
RT_GROUP_ICON	0x1056dc	0x14	data
RT_VERSION	0x1056f0	0x42e	data
RT_MANIFEST	0x105b20	0x1ea	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright 2009 by Dan Ariely
Assembly Version	30.4.0.0
InternalName	StaticIndexRangePartitionForIList.exe
FileVersion	30.4.0.0
CompanyName	Book by Dan Ariely
LegalTrademarks	HarperCollins
Comments	HarperCollins
ProductName	Predictably Irrational
ProductVersion	30.4.0.0
FileDescription	Predictably Irrational
OriginalFilename	StaticIndexRangePartitionForIList.exe

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 23, 2021 16:21:31.318799973 CET	49751	587	192.168.2.6	66.70.204.222
Feb 23, 2021 16:21:31.456989050 CET	587	49751	66.70.204.222	192.168.2.6
Feb 23, 2021 16:21:31.457139969 CET	49751	587	192.168.2.6	66.70.204.222
Feb 23, 2021 16:21:31.665958881 CET	49751	587	192.168.2.6	66.70.204.222
Feb 23, 2021 16:21:31.718816996 CET	587	49751	66.70.204.222	192.168.2.6
Feb 23, 2021 16:21:31.719008923 CET	49751	587	192.168.2.6	66.70.204.222
Feb 23, 2021 16:21:31.803447008 CET	587	49751	66.70.204.222	192.168.2.6
Feb 23, 2021 16:21:31.803639889 CET	49751	587	192.168.2.6	66.70.204.222
Feb 23, 2021 16:21:31.803764105 CET	587	49751	66.70.204.222	192.168.2.6
Feb 23, 2021 16:21:31.803836107 CET	49751	587	192.168.2.6	66.70.204.222

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 23, 2021 16:19:52.792135000 CET	58377	53	192.168.2.6	8.8.8.8
Feb 23, 2021 16:19:52.820775986 CET	55074	53	192.168.2.6	8.8.8.8
Feb 23, 2021 16:19:52.842531919 CET	53	58377	8.8.8.8	192.168.2.6
Feb 23, 2021 16:19:52.872036934 CET	53	55074	8.8.8.8	192.168.2.6
Feb 23, 2021 16:19:53.203574896 CET	54513	53	192.168.2.6	8.8.8.8
Feb 23, 2021 16:19:53.252281904 CET	53	54513	8.8.8.8	192.168.2.6
Feb 23, 2021 16:19:54.607425928 CET	62044	53	192.168.2.6	8.8.8.8
Feb 23, 2021 16:19:54.658279896 CET	53	62044	8.8.8.8	192.168.2.6
Feb 23, 2021 16:19:55.402612925 CET	63791	53	192.168.2.6	8.8.8.8
Feb 23, 2021 16:19:55.454396963 CET	53	63791	8.8.8.8	192.168.2.6
Feb 23, 2021 16:19:56.085376024 CET	64267	53	192.168.2.6	8.8.8.8
Feb 23, 2021 16:19:56.155441046 CET	53	64267	8.8.8.8	192.168.2.6
Feb 23, 2021 16:19:56.271311998 CET	49448	53	192.168.2.6	8.8.8.8
Feb 23, 2021 16:19:56.323894024 CET	53	49448	8.8.8.8	192.168.2.6
Feb 23, 2021 16:19:57.539115906 CET	60342	53	192.168.2.6	8.8.8.8
Feb 23, 2021 16:19:57.590812922 CET	53	60342	8.8.8.8	192.168.2.6
Feb 23, 2021 16:19:58.791845083 CET	61346	53	192.168.2.6	8.8.8.8
Feb 23, 2021 16:19:58.840635061 CET	53	61346	8.8.8.8	192.168.2.6
Feb 23, 2021 16:20:00.154516935 CET	51774	53	192.168.2.6	8.8.8.8
Feb 23, 2021 16:20:00.205974102 CET	53	51774	8.8.8.8	192.168.2.6
Feb 23, 2021 16:20:02.735378027 CET	56023	53	192.168.2.6	8.8.8.8
Feb 23, 2021 16:20:02.792649031 CET	53	56023	8.8.8.8	192.168.2.6
Feb 23, 2021 16:20:03.938746929 CET	58384	53	192.168.2.6	8.8.8.8
Feb 23, 2021 16:20:03.990463972 CET	53	58384	8.8.8.8	192.168.2.6
Feb 23, 2021 16:20:05.118819952 CET	60261	53	192.168.2.6	8.8.8.8
Feb 23, 2021 16:20:05.170947075 CET	53	60261	8.8.8.8	192.168.2.6
Feb 23, 2021 16:20:06.277662992 CET	56061	53	192.168.2.6	8.8.8.8
Feb 23, 2021 16:20:06.328031063 CET	53	56061	8.8.8.8	192.168.2.6
Feb 23, 2021 16:20:07.139245987 CET	58336	53	192.168.2.6	8.8.8.8
Feb 23, 2021 16:20:07.190906048 CET	53	58336	8.8.8.8	192.168.2.6
Feb 23, 2021 16:20:08.570271969 CET	53781	53	192.168.2.6	8.8.8.8
Feb 23, 2021 16:20:08.619371891 CET	53	53781	8.8.8.8	192.168.2.6
Feb 23, 2021 16:20:09.345731974 CET	54064	53	192.168.2.6	8.8.8.8
Feb 23, 2021 16:20:09.397114992 CET	53	54064	8.8.8.8	192.168.2.6
Feb 23, 2021 16:20:10.477902889 CET	52811	53	192.168.2.6	8.8.8.8
Feb 23, 2021 16:20:10.526721954 CET	53	52811	8.8.8.8	192.168.2.6
Feb 23, 2021 16:20:11.701636076 CET	55299	53	192.168.2.6	8.8.8.8
Feb 23, 2021 16:20:11.753155947 CET	53	55299	8.8.8.8	192.168.2.6
Feb 23, 2021 16:20:13.449300051 CET	63745	53	192.168.2.6	8.8.8.8
Feb 23, 2021 16:20:13.497988939 CET	53	63745	8.8.8.8	192.168.2.6
Feb 23, 2021 16:20:15.916193962 CET	50055	53	192.168.2.6	8.8.8.8
Feb 23, 2021 16:20:15.967675924 CET	53	50055	8.8.8.8	192.168.2.6
Feb 23, 2021 16:20:18.307005882 CET	61374	53	192.168.2.6	8.8.8.8
Feb 23, 2021 16:20:18.367248058 CET	53	61374	8.8.8.8	192.168.2.6
Feb 23, 2021 16:20:29.234811068 CET	50339	53	192.168.2.6	8.8.8.8
Feb 23, 2021 16:20:29.286530018 CET	53	50339	8.8.8.8	192.168.2.6
Feb 23, 2021 16:20:48.007652044 CET	63307	53	192.168.2.6	8.8.8.8
Feb 23, 2021 16:20:48.076380968 CET	53	63307	8.8.8.8	192.168.2.6
Feb 23, 2021 16:20:48.227662086 CET	49694	53	192.168.2.6	8.8.8.8
Feb 23, 2021 16:20:48.282083988 CET	53	49694	8.8.8.8	192.168.2.6
Feb 23, 2021 16:20:49.480954885 CET	54982	53	192.168.2.6	8.8.8.8
Feb 23, 2021 16:20:49.557606936 CET	53	54982	8.8.8.8	192.168.2.6
Feb 23, 2021 16:20:50.114592075 CET	50010	53	192.168.2.6	8.8.8.8
Feb 23, 2021 16:20:50.176856995 CET	53	50010	8.8.8.8	192.168.2.6
Feb 23, 2021 16:20:50.295696020 CET	63718	53	192.168.2.6	8.8.8.8
Feb 23, 2021 16:20:50.352776051 CET	53	63718	8.8.8.8	192.168.2.6
Feb 23, 2021 16:20:50.758799076 CET	62116	53	192.168.2.6	8.8.8.8
Feb 23, 2021 16:20:50.837150097 CET	53	62116	8.8.8.8	192.168.2.6
Feb 23, 2021 16:20:51.097122908 CET	63816	53	192.168.2.6	8.8.8.8
Feb 23, 2021 16:20:51.171380997 CET	53	63816	8.8.8.8	192.168.2.6
Feb 23, 2021 16:20:51.273034096 CET	55014	53	192.168.2.6	8.8.8.8
Feb 23, 2021 16:20:51.336597919 CET	53	55014	8.8.8.8	192.168.2.6
Feb 23, 2021 16:20:51.807199001 CET	62208	53	192.168.2.6	8.8.8.8
Feb 23, 2021 16:20:51.869164944 CET	53	62208	8.8.8.8	192.168.2.6
Feb 23, 2021 16:20:52.487684965 CET	57574	53	192.168.2.6	8.8.8.8
Feb 23, 2021 16:20:52.552273989 CET	53	57574	8.8.8.8	192.168.2.6
Feb 23, 2021 16:20:53.173250914 CET	51818	53	192.168.2.6	8.8.8.8
Feb 23, 2021 16:20:53.233581066 CET	53	51818	8.8.8.8	192.168.2.6
Feb 23, 2021 16:20:54.306849003 CET	56628	53	192.168.2.6	8.8.8.8
Feb 23, 2021 16:20:54.361346960 CET	53	56628	8.8.8.8	192.168.2.6
Feb 23, 2021 16:20:55.820264101 CET	60778	53	192.168.2.6	8.8.8.8
Feb 23, 2021 16:20:55.884043932 CET	53	60778	8.8.8.8	192.168.2.6
Feb 23, 2021 16:20:56.319617987 CET	53799	53	192.168.2.6	8.8.8.8
Feb 23, 2021 16:20:56.381660938 CET	53	53799	8.8.8.8	192.168.2.6
Feb 23, 2021 16:20:56.967324972 CET	54683	53	192.168.2.6	8.8.8.8
Feb 23, 2021 16:20:57.028439045 CET	53	54683	8.8.8.8	192.168.2.6
Feb 23, 2021 16:21:26.924931049 CET	59329	53	192.168.2.6	8.8.8.8
Feb 23, 2021 16:21:26.973581076 CET	53	59329	8.8.8.8	192.168.2.6
Feb 23, 2021 16:21:27.380459070 CET	64021	53	192.168.2.6	8.8.8.8
Feb 23, 2021 16:21:27.452419043 CET	53	64021	8.8.8.8	192.168.2.6
Feb 23, 2021 16:21:31.233412981 CET	56129	53	192.168.2.6	8.8.8.8
Feb 23, 2021 16:21:31.303832054 CET	53	56129	8.8.8.8	192.168.2.6
Feb 23, 2021 16:21:33.438165903 CET	58177	53	192.168.2.6	8.8.8.8
Feb 23, 2021 16:21:33.501554966 CET	53	58177	8.8.8.8	192.168.2.6
Feb 23, 2021 16:21:51.188939095 CET	50700	53	192.168.2.6	8.8.8.8
Feb 23, 2021 16:21:51.237684011 CET	53	50700	8.8.8.8	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Feb 23, 2021 16:21:31.233412981 CET	192.168.2.6	8.8.8.8	0x4a25	Standard query (0)	mail.hybridgroupco.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Feb 23, 2021 16:21:31.303832054 CET	8.8.8.8	192.168.2.6	0x4a25	No error (0)	mail.hybridgroupco.com	hybridgroupco.com		CNAME (Canonical name)	IN (0x0001)
Feb 23, 2021 16:21:31.303832054 CET	8.8.8.8	192.168.2.6	0x4a25	No error (0)	hybridgroupco.com		66.70.204.222	A (IP address)	IN (0x0001)

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Feb 23, 2021 16:21:31.718816996 CET	587	49751	66.70.204.222	192.168.2.6	220-server.wlcserver.com ESMTP Exim 4.93 #2 Tue, 23 Feb 2021 19:21:31 +0400 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Feb 23, 2021 16:21:31.803447008 CET	587	49751	66.70.204.222	192.168.2.6	421 server.wlcserver.com lost input connection

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: lNCyFjhn7M.exe PID: 6996 Parent PID: 6008

General

Start time:	16:19:59
Start date:	23/02/2021
Path:	C:\Users\user\Desktop\lNCyFjhn7M.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\lNCyFjhn7M.exe'
Imagebase:	0x540000
File size:	1058816 bytes
MD5 hash:	1AD8213451DE5DAA4AD536CD9C70E9CE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.326906613.0000000003C04000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.326698522.0000000002C01000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: lNCyFjhn7M.exe PID: 7036 Parent PID: 6996

General

Start time:	16:20:00
Start date:	23/02/2021
Path:	C:\Users\user\Desktop\lNCyFjhn7M.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\lNCyFjhn7M.exe
Imagebase:	0x890000
File size:	1058816 bytes
MD5 hash:	1AD8213451DE5DAA4AD536CD9C70E9CE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.589195869.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.590922380.0000000002F51000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.590922380.0000000002F51000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: lNCyFjhn7M.exe PID: 6996 Parent PID: 6008 lNCyFjhn7M.exeCOMMON

Executed Functions

Function 04E00A28, Relevance: 1.3, Instructions: 1281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.327964512.0000000004E00000.00000040.00000001.sdmp, Offset: 04E00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f4a43526b4f8b462074a081f2b840babddac917f4856155aed684e9cf6fae7b
Instruction ID: 58670da39db01f4853b9a2d4f9820e11e7607a4b4b6ff2675aead43ae8276da6
Opcode Fuzzy Hash: 7f4a43526b4f8b462074a081f2b840babddac917f4856155aed684e9cf6fae7b
Instruction Fuzzy Hash: 19D2A434A41219CFDB24DB24C998BE9B7B2FF8A305F1580E9D509AB761CB316E84DF41

Uniqueness

Uniqueness Score: -1.00%

Function 04E00A18, Relevance: 1.3, Instructions: 1273COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.327964512.0000000004E00000.00000040.00000001.sdmp, Offset: 04E00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fce8f13bdcaf21d4d0971758f160cb5ad15735d994eef0aadf04d224b18d4a7
Instruction ID: 969497e38c5ee7dc2200f0920de3fb0250e0b7cbf77da8e73f0e0662169f4356
Opcode Fuzzy Hash: 8fce8f13bdcaf21d4d0971758f160cb5ad15735d994eef0aadf04d224b18d4a7
Instruction Fuzzy Hash: 1AD2A534A41219CFDB24DB24C998BE9B7B2FF8A305F1580E9D509AB761CB316E84DF41

Uniqueness

Uniqueness Score: -1.00%

Function 04E09F70, Relevance: .2, Instructions: 204COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.327964512.0000000004E00000.00000040.00000001.sdmp, Offset: 04E00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19c11714ad5b4f3471dbeac3f7cd90e585b7a828ccd1ada82bb1645b536cc47f
Instruction ID: dac38c2ed2762ebcdc0dcf99f90251ffd0e896fcbf690d9741ed9e460580e923
Opcode Fuzzy Hash: 19c11714ad5b4f3471dbeac3f7cd90e585b7a828ccd1ada82bb1645b536cc47f
Instruction Fuzzy Hash: 838105B0E0121D8FDB04CFAAD4846AEBBF2BF59314F54D669D424AB295E730A981CF50

Uniqueness

Uniqueness Score: -1.00%

Function 04E03850, Relevance: .2, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.327964512.0000000004E00000.00000040.00000001.sdmp, Offset: 04E00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93ce60de795b3e04ef3c96931c72575cc616b8a95b5d259faf223cb27d25bad0
Instruction ID: b1cb6862188e31a6fa051a97406b8e6a3a4076372f39165e982498a5119cd3e5
Opcode Fuzzy Hash: 93ce60de795b3e04ef3c96931c72575cc616b8a95b5d259faf223cb27d25bad0
Instruction Fuzzy Hash: 016107B0D012488FDB04DFAAC4946ADFBF2BF98324F64D655D864AB395D730A941CF60

Uniqueness

Uniqueness Score: -1.00%

Function 04E03648, Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.327964512.0000000004E00000.00000040.00000001.sdmp, Offset: 04E00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2ed798f46c023660d1956992c131c7cbcb59201bab67813460ba1a18d24d83c
Instruction ID: 8d3bfb828da38f6f8e07ed06c3cd8bf925d59e320039be5699a3b6d463f17282
Opcode Fuzzy Hash: a2ed798f46c023660d1956992c131c7cbcb59201bab67813460ba1a18d24d83c
Instruction Fuzzy Hash: 8651F5B1D002188BDF09DFAAC8505EEFBB2EF89314F54D129D924BB295EB3169428F50

Uniqueness

Uniqueness Score: -1.00%

Function 04E0AF90, Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.327964512.0000000004E00000.00000040.00000001.sdmp, Offset: 04E00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ce9402024a70350e4d39dfb69e47ef287a692bdbe0446f4841bc324828b49f9
Instruction ID: 55b57e1891cdeea48d2a764b57377893ccbf869327073946c2c51c7268c69bb2
Opcode Fuzzy Hash: 8ce9402024a70350e4d39dfb69e47ef287a692bdbe0446f4841bc324828b49f9
Instruction Fuzzy Hash: F451E570D00228CFEB24DF66C8447EDBAB2BB99304F10D4EAD529B6294DB746AC18F10

Uniqueness

Uniqueness Score: -1.00%

Function 04E09F61, Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.327964512.0000000004E00000.00000040.00000001.sdmp, Offset: 04E00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc0e68dfe3933edb1566801436f821e0aaa86de68f0e67d3314b509946329b1d
Instruction ID: 4fc22fc1e7dcf4986a4c743cf7dac7326bd79d4d79c7f4da0ec09d148a22c81c
Opcode Fuzzy Hash: fc0e68dfe3933edb1566801436f821e0aaa86de68f0e67d3314b509946329b1d
Instruction Fuzzy Hash: E251F7B0E0520C8FDB04CFAAD4446AEFBF2BF59314F14D56AD425AB296D734A9818F41

Uniqueness

Uniqueness Score: -1.00%

Function 04E03638, Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.327964512.0000000004E00000.00000040.00000001.sdmp, Offset: 04E00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03ce7b6851ec0f01b4a40bfc230fc9c8b6424b42643db6633fb662061e457fe1
Instruction ID: e37052e8480a76c1cb4af405638220d40b869fcf630043d22c9d6352755c1e67
Opcode Fuzzy Hash: 03ce7b6851ec0f01b4a40bfc230fc9c8b6424b42643db6633fb662061e457fe1
Instruction Fuzzy Hash: D141EA71D002198BDF09CFABD8505EDFBB2AF89314F64D529D924AB295DA3059428F50

Uniqueness

Uniqueness Score: -1.00%

Function 04E0B8D1, Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.327964512.0000000004E00000.00000040.00000001.sdmp, Offset: 04E00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f803e5a0c3f89f906dd0384c19a7ed975e513c13832db28aecf483d0d433a09
Instruction ID: c6ad184d4b78d0ff12a400a095e873bca5e19f083a3326da66612664dc7a46e8
Opcode Fuzzy Hash: 4f803e5a0c3f89f906dd0384c19a7ed975e513c13832db28aecf483d0d433a09
Instruction Fuzzy Hash: 3B318C70D052288FDB65DF68C880BECB7B6BB49305F0094EAD119A7295DB34AAC18F50

Uniqueness

Uniqueness Score: -1.00%

Function 04E02768, Relevance: 3.9, Strings: 3, Instructions: 138COMMON

Download Yara Rule

Strings

x, xrefs: 04E028AC
f, xrefs: 04E0291D
7, xrefs: 04E027F0

Memory Dump Source

Source File: 00000000.00000002.327964512.0000000004E00000.00000040.00000001.sdmp, Offset: 04E00000, based on PE: false

Similarity

API ID:
String ID: 7$f$x
API String ID: 0-421463256
Opcode ID: ab7e990e64c45c537462c2a46b421da563d2d7bea655528cca0e3a9571f0df5a
Instruction ID: a7e51e90c00d013b75b49f7eb1914902bc8bc159341189560ca6777520cfb20b
Opcode Fuzzy Hash: ab7e990e64c45c537462c2a46b421da563d2d7bea655528cca0e3a9571f0df5a
Instruction Fuzzy Hash: 9E51DD75C42218DEDB18CFA2C1487EEBAF4AB05349F14A499D121732D1D3785B88DF68

Uniqueness

Uniqueness Score: -1.00%

Function 04E005A8, Relevance: 2.7, Strings: 2, Instructions: 201COMMON

Download Yara Rule

Strings

:@Dr, xrefs: 04E006D4
`5kr, xrefs: 04E0072D

Memory Dump Source

Source File: 00000000.00000002.327964512.0000000004E00000.00000040.00000001.sdmp, Offset: 04E00000, based on PE: false

Similarity

API ID:
String ID: :@Dr$`5kr
API String ID: 0-2548079215
Opcode ID: fd62799f2af25b2bc959c9ff14a16df8f50804c7f8b103855e88bc0fcda3eb35
Instruction ID: dc09ede1a07a17fa927c70af5d6b964b09a0a427a978bd0afe574d042bc54f94
Opcode Fuzzy Hash: fd62799f2af25b2bc959c9ff14a16df8f50804c7f8b103855e88bc0fcda3eb35
Instruction Fuzzy Hash: 04912474E01218CFDB54DFA9D894BADBBF2BF88304F10906AD519AB390DB71A985CF50

Uniqueness

Uniqueness Score: -1.00%

Function 026EAB26, Relevance: 1.6, APIs: 1, Instructions: 92registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,00000E2C), ref: 026EABD5

Memory Dump Source

Source File: 00000000.00000002.326208399.00000000026EA000.00000040.00000001.sdmp, Offset: 026EA000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: fc7a545451362ecfc497c530585836c06cd8b722b584bd3618f602091aa66c7e
Instruction ID: ef88c3eabc26539e00ccab06034610cbfb88d3ff437d9df9dfbd0d4677182ac6
Opcode Fuzzy Hash: fc7a545451362ecfc497c530585836c06cd8b722b584bd3618f602091aa66c7e
Instruction Fuzzy Hash: 9331B672544384AFE7228B65CC45F67BFBCEF06710F08859BED819B252D264A849C771

Uniqueness

Uniqueness Score: -1.00%

Function 026EAC1D, Relevance: 1.6, APIs: 1, Instructions: 89registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,0944C435,00000000,00000000,00000000,00000000), ref: 026EACD8

Memory Dump Source

Source File: 00000000.00000002.326208399.00000000026EA000.00000040.00000001.sdmp, Offset: 026EA000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 54b8b58acac0d68fc60eb42829a04d2374d25bae7f2a00d8b0f882a065f22942
Instruction ID: 3b222df0aa84c8fb1f96a8fbc87f56d3162d010a210117284ab79c2ca399500e
Opcode Fuzzy Hash: 54b8b58acac0d68fc60eb42829a04d2374d25bae7f2a00d8b0f882a065f22942
Instruction Fuzzy Hash: AD31B371105384AFEB22CF61CC84F62BFB8EF06714F18849AE9858B252D360E849CB61

Uniqueness

Uniqueness Score: -1.00%

Function 026EAB56, Relevance: 1.6, APIs: 1, Instructions: 74registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,00000E2C), ref: 026EABD5

Memory Dump Source

Source File: 00000000.00000002.326208399.00000000026EA000.00000040.00000001.sdmp, Offset: 026EA000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: e07aa759811bd2f03d7ddb66d08f1c261b2c3df236137d96901c69e3c380a542
Instruction ID: b9414110b236f6d114f0abf995f3e191a4971ca2cb32f50d44133e0fdf6dd43d
Opcode Fuzzy Hash: e07aa759811bd2f03d7ddb66d08f1c261b2c3df236137d96901c69e3c380a542
Instruction Fuzzy Hash: C621DE72500704AFEB209F64CC84FABFBECEF08710F14845BEE419B241D660E8088BB1

Uniqueness

Uniqueness Score: -1.00%

Function 026EAC5E, Relevance: 1.6, APIs: 1, Instructions: 69registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,0944C435,00000000,00000000,00000000,00000000), ref: 026EACD8

Memory Dump Source

Source File: 00000000.00000002.326208399.00000000026EA000.00000040.00000001.sdmp, Offset: 026EA000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 66988c672ae5cb2b146e2ed8a950d4403d2536b748da8b6eadc3fd80859fad8d
Instruction ID: 265ad64b977293ebeee492919798027801032d2ab676f6d4cc1f8ae58572d6e1
Opcode Fuzzy Hash: 66988c672ae5cb2b146e2ed8a950d4403d2536b748da8b6eadc3fd80859fad8d
Instruction Fuzzy Hash: 7C218C71601604EFEB20CF55CC85FA7BBECEF04B10F18846AEA469B251D760E809CA71

Uniqueness

Uniqueness Score: -1.00%

Function 026EB265, Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

LoadLibraryShim.MSCOREE(?,?,?,?), ref: 026EB2E1

Memory Dump Source

Source File: 00000000.00000002.326208399.00000000026EA000.00000040.00000001.sdmp, Offset: 026EA000, based on PE: false

Similarity

API ID: LibraryLoadShim
String ID:
API String ID: 1475914169-0
Opcode ID: b9483317794475a7e86802713fb7c17f35649f7f843f6894e883463649b0284a
Instruction ID: c6d49cc1332e9a4bdcb00941e4cfc44195b49d2a561d028eacdb4c0a2236470f
Opcode Fuzzy Hash: b9483317794475a7e86802713fb7c17f35649f7f843f6894e883463649b0284a
Instruction Fuzzy Hash: 4D2193755093845FDB228F25DC85B62BFE8EF46614F18808AED85CB253E365E508CB61

Uniqueness

Uniqueness Score: -1.00%

Function 026EB831, Relevance: 1.6, APIs: 1, Instructions: 62windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 026EB8A5

Memory Dump Source

Source File: 00000000.00000002.326208399.00000000026EA000.00000040.00000001.sdmp, Offset: 026EA000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 51438e6c6cebbe4007c7b31758a829ef57e584988fff0b0184e0ec9de78ff2e4
Instruction ID: 001fc90a93c77ea360fef678599c98f7b18b6ff8cf3ef83920daf98694e1ce80
Opcode Fuzzy Hash: 51438e6c6cebbe4007c7b31758a829ef57e584988fff0b0184e0ec9de78ff2e4
Instruction Fuzzy Hash: 0D218C7150A3C0AFDB238F25DC44A52BFB4EF17210F0985DBE9858F263D265A858DB62

Uniqueness

Uniqueness Score: -1.00%

Function 026EA5AF, Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 026EA61A

Memory Dump Source

Source File: 00000000.00000002.326208399.00000000026EA000.00000040.00000001.sdmp, Offset: 026EA000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 9030d23cbfa386b13b95942332df9ab06e801d18c564ef25b2d56befb62ad7b0
Instruction ID: 100b5d79eb3b0e30c805520a33158d7ebb0cc874829a19bbbafe56abd35c9b13
Opcode Fuzzy Hash: 9030d23cbfa386b13b95942332df9ab06e801d18c564ef25b2d56befb62ad7b0
Instruction Fuzzy Hash: 1F118471409380AFDB228F55DC44B62FFF4EF4A710F1884DAEE858B262D375A518DB61

Uniqueness

Uniqueness Score: -1.00%

Function 026EA65A, Relevance: 1.6, APIs: 1, Instructions: 59COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 026EA6CC

Memory Dump Source

Source File: 00000000.00000002.326208399.00000000026EA000.00000040.00000001.sdmp, Offset: 026EA000, based on PE: false

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 07b5b16c28303cc9920e64a3219b1ae0c2e359ced4643bbc6e0fb0a77fc0e865
Instruction ID: 7f9d9b1abe2af18e0d5d3ee5a7ce39ea9ec094502ec188308a92707b8efb5227
Opcode Fuzzy Hash: 07b5b16c28303cc9920e64a3219b1ae0c2e359ced4643bbc6e0fb0a77fc0e865
Instruction Fuzzy Hash: 8B11597540A3C49FDB128B25CC95A52BFB4DF07220F1A80DBD9858F2A3D2A95948CB72

Uniqueness

Uniqueness Score: -1.00%

Function 026EA9F0, Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32 ref: 026EAA4A

Memory Dump Source

Source File: 00000000.00000002.326208399.00000000026EA000.00000040.00000001.sdmp, Offset: 026EA000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: b30c12cee981216ced4213904fc367b69a66e4549f40630f456631cdfbfbf796
Instruction ID: 12a3bfc0a947c326710213877b4ce0427c9a09aa5f1afe1d932e53b7e376d11e
Opcode Fuzzy Hash: b30c12cee981216ced4213904fc367b69a66e4549f40630f456631cdfbfbf796
Instruction Fuzzy Hash: 38118E31409784AFDB228F55DC85B52FFF4EF46620F08C4DAED854B262D375A918CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 026EB296, Relevance: 1.5, APIs: 1, Instructions: 46libraryCOMMON

Download Yara Rule

APIs

LoadLibraryShim.MSCOREE(?,?,?,?), ref: 026EB2E1

Memory Dump Source

Source File: 00000000.00000002.326208399.00000000026EA000.00000040.00000001.sdmp, Offset: 026EA000, based on PE: false

Similarity

API ID: LibraryLoadShim
String ID:
API String ID: 1475914169-0
Opcode ID: 1fd1bde1f6f7b8db966c7efdf6d64009ccc97a3b69c726e48ab4b6a3007944ec
Instruction ID: cb0903b9c67b5ca965ceaccb08f9af498b8ad8eb7890bf6b60841586ceedb9bd
Opcode Fuzzy Hash: 1fd1bde1f6f7b8db966c7efdf6d64009ccc97a3b69c726e48ab4b6a3007944ec
Instruction Fuzzy Hash: 6D0180755016049FDB20CF19D885B26FBE4FF04724F18805ADD4A9B352E371E408CB71

Uniqueness

Uniqueness Score: -1.00%

Function 026EA5D6, Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 026EA61A

Memory Dump Source

Source File: 00000000.00000002.326208399.00000000026EA000.00000040.00000001.sdmp, Offset: 026EA000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 072720ed2a899e425faf668978b8d3427d0706c0ef851fac5c7cda5e35595167
Instruction ID: c75d374b83cc2d322087874a1e6ee8c8bb081b51424dd0ab762500ff05be54e8
Opcode Fuzzy Hash: 072720ed2a899e425faf668978b8d3427d0706c0ef851fac5c7cda5e35595167
Instruction Fuzzy Hash: 8A01AD71400600EFDB218F95D844B62FFE0EF48720F18C4AADE8A4B712D375A419CF61

Uniqueness

Uniqueness Score: -1.00%

Function 026EB86A, Relevance: 1.5, APIs: 1, Instructions: 38windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 026EB8A5

Memory Dump Source

Source File: 00000000.00000002.326208399.00000000026EA000.00000040.00000001.sdmp, Offset: 026EA000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: c8c5f7104ec39ea9e22ef40a7e06f63dbfbd8b1f01436cbc35526aafa837f648
Instruction ID: 02dfc35fc99bfd5cbcc13ae371499a21fdd5d5764e93e40f37982e12206d6ffa
Opcode Fuzzy Hash: c8c5f7104ec39ea9e22ef40a7e06f63dbfbd8b1f01436cbc35526aafa837f648
Instruction Fuzzy Hash: 90017C35501640DFDB208F55D885B66FFA0FF04324F18C49ADE5A0A326D2B5A458CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 026EAA12, Relevance: 1.5, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32 ref: 026EAA4A

Memory Dump Source

Source File: 00000000.00000002.326208399.00000000026EA000.00000040.00000001.sdmp, Offset: 026EA000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 1c32fd806f26cfae6424e6c2ea74fd7cbe715b9d49560734d294cc2761607d6b
Instruction ID: eec07cc1c98b4bf27105e8c4ba0f5f71588e89f9b897c01c9cb0151e24828f13
Opcode Fuzzy Hash: 1c32fd806f26cfae6424e6c2ea74fd7cbe715b9d49560734d294cc2761607d6b
Instruction Fuzzy Hash: DC01AD31501704DFDB208F49D985762FFA0EF04720F18C09ADE4A0B356D3B5A808CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 026EA69A, Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 026EA6CC

Memory Dump Source

Source File: 00000000.00000002.326208399.00000000026EA000.00000040.00000001.sdmp, Offset: 026EA000, based on PE: false

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 79fb888cd801e2fcacd7fc009170ba530e64cde1378e59189cef24cf1da525b8
Instruction ID: 2702ca3f0d14b686c26ed0e7055ab1d8af169f973df155a176a2390e133de5c0
Opcode Fuzzy Hash: 79fb888cd801e2fcacd7fc009170ba530e64cde1378e59189cef24cf1da525b8
Instruction Fuzzy Hash: EEF0AF74501644DFDB209F55D885762FFA0EF05720F28C09ADD4A4B316D2B5A848CEA2

Uniqueness

Uniqueness Score: -1.00%

Function 04E00598, Relevance: 1.4, Strings: 1, Instructions: 181COMMON

Download Yara Rule

Strings

:@Dr, xrefs: 04E006D4

Memory Dump Source

Source File: 00000000.00000002.327964512.0000000004E00000.00000040.00000001.sdmp, Offset: 04E00000, based on PE: false

Similarity

API ID:
String ID: :@Dr
API String ID: 0-3830894600
Opcode ID: 4c145d9c31ff881037f3492d4282266c925c402e870fe2469e749eb13f9c1ac2
Instruction ID: ebdcf6b4434e4cdb750aee91dff679e231b0c20514f46c335a50f10af92328ee
Opcode Fuzzy Hash: 4c145d9c31ff881037f3492d4282266c925c402e870fe2469e749eb13f9c1ac2
Instruction Fuzzy Hash: 8E713670E00218CFEB64DFA9D854BADBBF2BF89310F109069D519AB390DB71A985CF50

Uniqueness

Uniqueness Score: -1.00%

Function 04E07D77, Relevance: 1.3, Strings: 1, Instructions: 54COMMON

Download Yara Rule

Strings

e, xrefs: 04E07DCB

Memory Dump Source

Source File: 00000000.00000002.327964512.0000000004E00000.00000040.00000001.sdmp, Offset: 04E00000, based on PE: false

Similarity

API ID:
String ID: e
API String ID: 0-4024072794
Opcode ID: 9986dc7fc6c4f99da8cb3c243c3985b2d3d44bd728553128d12eb7ca08afc52a
Instruction ID: 1f2a8b8fc8b560e13778b51b5694035ef3b82ddef9347251059e1f9b4b3bb2cd
Opcode Fuzzy Hash: 9986dc7fc6c4f99da8cb3c243c3985b2d3d44bd728553128d12eb7ca08afc52a
Instruction Fuzzy Hash: BC21FAB4A052A4CFDB60CB28C984B9CB7B1AF05308F18D4D9C15DAB281C770AEC5CF59

Uniqueness

Uniqueness Score: -1.00%

Function 04E0B66C, Relevance: 1.3, Strings: 1, Instructions: 22COMMON

Download Yara Rule

Strings

(, xrefs: 04E0B6D8

Memory Dump Source

Source File: 00000000.00000002.327964512.0000000004E00000.00000040.00000001.sdmp, Offset: 04E00000, based on PE: false

Similarity

API ID:
String ID: (
API String ID: 0-3887548279
Opcode ID: 219652d3b49cdddf30cce7e295f3e0266c58ac21ef5a802f8bb7116f3a037e62
Instruction ID: 60d343821a54584e8ac5ab9497558bc9907a1601c1d9032d2532a392b43bdedf
Opcode Fuzzy Hash: 219652d3b49cdddf30cce7e295f3e0266c58ac21ef5a802f8bb7116f3a037e62
Instruction Fuzzy Hash: 63F01570D0222DCFDB248F58C885BD8B3B1FB05305F10A9C9C26A73281D7B02EC08E11

Uniqueness

Uniqueness Score: -1.00%

Function 04E0A6D0, Relevance: .3, Instructions: 309COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.327964512.0000000004E00000.00000040.00000001.sdmp, Offset: 04E00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0aaf901ba4daf6f84903589b7d3f8ab1e1b25e67821155f7866e4a7c22208f35
Instruction ID: ba941a84da1368ef01b9d8db6af24e2d6e9fdc9097263e2fa0a36551c12e5b12
Opcode Fuzzy Hash: 0aaf901ba4daf6f84903589b7d3f8ab1e1b25e67821155f7866e4a7c22208f35
Instruction Fuzzy Hash: 28D1DC74D04218CFDB24DFA4D5987EDBBB1BF0A309F18A4AAC056A7290E7785AC5DF10

Uniqueness

Uniqueness Score: -1.00%

Function 04E0A6E0, Relevance: .3, Instructions: 308COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.327964512.0000000004E00000.00000040.00000001.sdmp, Offset: 04E00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e3754684c6b8e4cd509049436c3996709648ce9b4523891a5939fe5e498f979
Instruction ID: 9ea84f8dd9addcbbc019fce029a5df3cd754c05d65a5a2d82f6e1de2605ad2b7
Opcode Fuzzy Hash: 5e3754684c6b8e4cd509049436c3996709648ce9b4523891a5939fe5e498f979
Instruction Fuzzy Hash: A0D1DC74D00218CFDB24DFA4D5987EDBBB1BF1A309F18A46AC066A7290E7785AC4DF14

Uniqueness

Uniqueness Score: -1.00%

Function 04E0AC90, Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.327964512.0000000004E00000.00000040.00000001.sdmp, Offset: 04E00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31bde91769b0f7e8065cc7b65397a1e6136d2bd7d9727a23cfae782e83cc2b89
Instruction ID: 6ffb6b9f53a159e080dcf5c1f03092ad2c49a47c957132d1336a1b9accac6590
Opcode Fuzzy Hash: 31bde91769b0f7e8065cc7b65397a1e6136d2bd7d9727a23cfae782e83cc2b89
Instruction Fuzzy Hash: 0171B274E0520CDFDB14DFA9D584AEDBBB2FB59305F20A02AD426A7280E7746982CF51

Uniqueness

Uniqueness Score: -1.00%

Function 04E0AC80, Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.327964512.0000000004E00000.00000040.00000001.sdmp, Offset: 04E00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81d2e6678702d3c35754e846c4c3291ed2f1de502cd9f3dc79d4c866f62b968d
Instruction ID: bc4affd3635703b78db582051d290bdd18ea032dba365e6b2055df0e889a2723
Opcode Fuzzy Hash: 81d2e6678702d3c35754e846c4c3291ed2f1de502cd9f3dc79d4c866f62b968d
Instruction Fuzzy Hash: 7D71B274E0530CDFDB04DFA9D5846EDBBB2BB59305F20A02AD426AB291E7346982CF51

Uniqueness

Uniqueness Score: -1.00%

Function 04E0A318, Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.327964512.0000000004E00000.00000040.00000001.sdmp, Offset: 04E00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10872a0b3ba89c22f0a0f95c2c7d3db5df032b55d494a9ac8431e467f676945b
Instruction ID: e81ec80043357a17e7d22c3aef7270e65e8cdd0da64c42d876416b78ab1adb26
Opcode Fuzzy Hash: 10872a0b3ba89c22f0a0f95c2c7d3db5df032b55d494a9ac8431e467f676945b
Instruction Fuzzy Hash: 4A512774E0120CDFDB00DFA9D544AEDBBB2FF69314F14E169D424A7291E734AA818F61

Uniqueness

Uniqueness Score: -1.00%

Function 04E03C90, Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.327964512.0000000004E00000.00000040.00000001.sdmp, Offset: 04E00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85341dea9a1dbaa879f3e1379560b6add1644c7d1d8996b6dbb65bd32e4a7566
Instruction ID: a7dc9123d9aede61725fae84045f1207afe418130d619569d697b6b70aee1f30
Opcode Fuzzy Hash: 85341dea9a1dbaa879f3e1379560b6add1644c7d1d8996b6dbb65bd32e4a7566
Instruction Fuzzy Hash: E271F674A04259CFDB54DFA4E944B9CBBB1FB44304F1081EAD91AA7384DB746D81CF50

Uniqueness

Uniqueness Score: -1.00%

Function 04E00270, Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.327964512.0000000004E00000.00000040.00000001.sdmp, Offset: 04E00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c2c387af92c786ef0aec90e1f9033f0f3f54c44c457cc3c8726660d6c5f1a27
Instruction ID: becb4115de121f90abcb4ffe3931846dad1242c975d08fc500bc12f78b5b8934
Opcode Fuzzy Hash: 9c2c387af92c786ef0aec90e1f9033f0f3f54c44c457cc3c8726660d6c5f1a27
Instruction Fuzzy Hash: 4E51A074E00218DFDB11CFA8D581BADBBF1BB4E710F1094A5E511AB3A1D774A980EF60

Uniqueness

Uniqueness Score: -1.00%

Function 04E03841, Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.327964512.0000000004E00000.00000040.00000001.sdmp, Offset: 04E00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d5724001e74e2ec76251bb0c70300c138b8c842e6eaebb5e29230d1a7366f6a
Instruction ID: 4ed896f0f891969028f47b99f6786abad4d30185e2c48b56de85b1396316be6f
Opcode Fuzzy Hash: 1d5724001e74e2ec76251bb0c70300c138b8c842e6eaebb5e29230d1a7366f6a
Instruction Fuzzy Hash: 3B415AB0D012488FDB04CFAAD4946EDFBF2EF89324F54D255D864AB395E730A9418F60

Uniqueness

Uniqueness Score: -1.00%

Function 04E00280, Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.327964512.0000000004E00000.00000040.00000001.sdmp, Offset: 04E00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db169c04625a7a939ed8bb23b86282cb779fac82baf9e82a58d1327bc1e3ca53
Instruction ID: 7b10594d9dc980c2d4840ea8d65d6ec7ea7bc51b655b0814cd7453c30cb123b7
Opcode Fuzzy Hash: db169c04625a7a939ed8bb23b86282cb779fac82baf9e82a58d1327bc1e3ca53
Instruction Fuzzy Hash: EC41A274E00218DFDB51DFA8D480BADBBF1BB4D714F1054A5E611AB3A0D774A980EF60

Uniqueness

Uniqueness Score: -1.00%

Function 04E03313, Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.327964512.0000000004E00000.00000040.00000001.sdmp, Offset: 04E00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8040ac84c0a63fbbc527f4a11b1046dabbf30a522de0053b96854bed3e6b7f4a
Instruction ID: c638fa62102840be004e6f7ca30241995292d8aeb2894a5493fb0a7a209fc2e4
Opcode Fuzzy Hash: 8040ac84c0a63fbbc527f4a11b1046dabbf30a522de0053b96854bed3e6b7f4a
Instruction Fuzzy Hash: 7C51D2B0E012488FCB44DFA9D9949EDBBF2FF89304F24906AD815AB354DB30A941CF54

Uniqueness

Uniqueness Score: -1.00%

Function 04E00007, Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.327964512.0000000004E00000.00000040.00000001.sdmp, Offset: 04E00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4e7ec774965cf4a33d35ea0f99555870c27adb1f686e62d2da4363bed7bc7a6
Instruction ID: 3579eac24d61f81ad466f18be3f6550b4b131287238a3b7219542de222fe2e15
Opcode Fuzzy Hash: c4e7ec774965cf4a33d35ea0f99555870c27adb1f686e62d2da4363bed7bc7a6
Instruction Fuzzy Hash: B121A1A184E3C14FC7574730686579A7FB0AF53318F1A98DBC090EB1E3D568598BC7A2

Uniqueness

Uniqueness Score: -1.00%

Function 04E0B777, Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.327964512.0000000004E00000.00000040.00000001.sdmp, Offset: 04E00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0964759a4bba2df197f079098dc3355c6185b65193ee8bd495ba135bf5674b0a
Instruction ID: 04b8e459623e9ea7953684ad04f807e41b23a9191dd1e634f185fccf99b72ac3
Opcode Fuzzy Hash: 0964759a4bba2df197f079098dc3355c6185b65193ee8bd495ba135bf5674b0a
Instruction Fuzzy Hash: B641C0B4D00228CFDB24DFA4C885BDCBBB1BB49308F1495E9D529AB281D775AAC5CF50

Uniqueness

Uniqueness Score: -1.00%

Function 04E0B12E, Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.327964512.0000000004E00000.00000040.00000001.sdmp, Offset: 04E00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa5aabb88d036ce86b737454fc0905228be3037e53e62188fc1ea9c36a31fbdd
Instruction ID: 82a7cf9cf5709f1771fa015d5926b72d6febed7954d2c078953059caeee9a6f2
Opcode Fuzzy Hash: aa5aabb88d036ce86b737454fc0905228be3037e53e62188fc1ea9c36a31fbdd
Instruction Fuzzy Hash: 0A41DF74D00268CFDB64DFA4D9887ECB7B0BB49309F1095EAC12AA7290DB746AC4CF10

Uniqueness

Uniqueness Score: -1.00%

Function 026FA6D8, Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.326212215.00000000026F2000.00000040.00000001.sdmp, Offset: 026F2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 707f8555d84398ed867c4bacd72308e926bef57e823a7919c1082691e4225db3
Instruction ID: 628a45287096f06a615da3fc096dca9611e450f23c9fa943aa64d81e97e29940
Opcode Fuzzy Hash: 707f8555d84398ed867c4bacd72308e926bef57e823a7919c1082691e4225db3
Instruction Fuzzy Hash: EA31C3B2509344AFD310CF09EC41E57FFE8EB89620F18C85EFD8997211D271A905CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 026FA930, Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.326212215.00000000026F2000.00000040.00000001.sdmp, Offset: 026F2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3c89606cae682c273372bc942cf763aea4d4151bee66603cb911996c24ceee2
Instruction ID: 698152a9b42c0fd8fc46db91011879b947e25644a791354425d8983dee0d5152
Opcode Fuzzy Hash: e3c89606cae682c273372bc942cf763aea4d4151bee66603cb911996c24ceee2
Instruction Fuzzy Hash: D43191B2509340AFD710CF09DC41E57FFE8EB85620F08C85EFD9897212D271A414CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 026FA806, Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.326212215.00000000026F2000.00000040.00000001.sdmp, Offset: 026F2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb068d928b7285ad82555674d41b14d62bee731449d4e47af70097697e089be8
Instruction ID: d97ef163cea439cff0a236a6e7aa54aa4c804811b125aedadccde0cbe293249f
Opcode Fuzzy Hash: eb068d928b7285ad82555674d41b14d62bee731449d4e47af70097697e089be8
Instruction Fuzzy Hash: E1217CB6649340AFD310CF19EC41E57FFE8EB89620F18C95EFD8897211D275A914CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 026FA5AC, Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.326212215.00000000026F2000.00000040.00000001.sdmp, Offset: 026F2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf05d2494af38eb823806d6209c6488aa0bbc72de033f115f5fdf2ea9e43a3a9
Instruction ID: b573fe60276dd964421862af8bcc1b473f0f156032fd3e9f3b0b1c898fd570a2
Opcode Fuzzy Hash: cf05d2494af38eb823806d6209c6488aa0bbc72de033f115f5fdf2ea9e43a3a9
Instruction Fuzzy Hash: 07210572509340BFD7118F05EC41E67FFA8EB85A30F18C95EFD495B211D272B9058BA2

Uniqueness

Uniqueness Score: -1.00%

Function 026FA394, Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.326212215.00000000026F2000.00000040.00000001.sdmp, Offset: 026F2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5ddaaf6272bb8faa724e049353beea1c7abaace057c16c9775dc44960c6e44c
Instruction ID: 7fd6ea5ef8b22d0ffe9558495cbce1edbbee37932622e902634febd63650b59d
Opcode Fuzzy Hash: e5ddaaf6272bb8faa724e049353beea1c7abaace057c16c9775dc44960c6e44c
Instruction Fuzzy Hash: 7D21E576545340AFD3108F05EC41D93FFE8EB85A30F18C95EFD495B211D271A8048BA1

Uniqueness

Uniqueness Score: -1.00%

Function 026FAAB4, Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.326212215.00000000026F2000.00000040.00000001.sdmp, Offset: 026F2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61fb87ecf85633cac70ce561b0ad794422307b6282b1d4f44a4e23e40a5cd2b5
Instruction ID: e4b86c5d56cbdb8d981e350bc974af8c943ecead150578d10ffecb53da8aee59
Opcode Fuzzy Hash: 61fb87ecf85633cac70ce561b0ad794422307b6282b1d4f44a4e23e40a5cd2b5
Instruction Fuzzy Hash: 2A314BB550E3C19FD302CF258850A56BFF4EF8A614F0988DFE9C8DB252D2759908CB62

Uniqueness

Uniqueness Score: -1.00%

Function 026FA17C, Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.326212215.00000000026F2000.00000040.00000001.sdmp, Offset: 026F2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 845bba44edb36a901e222318a0634e86805c750807d85e2a804c782ce98048c2
Instruction ID: 00717879e1d76747cf61ad5c47c003b1b30fc09cd39fcd9d83c5fe963eaa104f
Opcode Fuzzy Hash: 845bba44edb36a901e222318a0634e86805c750807d85e2a804c782ce98048c2
Instruction Fuzzy Hash: 4521F9B6645340AFD7108F15EC45EA7FFA8EB85630F08C49FFD495B212D272A414CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 026FA95A, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.326212215.00000000026F2000.00000040.00000001.sdmp, Offset: 026F2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9afdee1047114cb87fda1248c3324187ca9c7f6e01a1cfc41b1da4fc0f570ceb
Instruction ID: 74e0483efa82f743031d5d07918dfc1868973fea5e36c3a0ee5fd0ac503b06ad
Opcode Fuzzy Hash: 9afdee1047114cb87fda1248c3324187ca9c7f6e01a1cfc41b1da4fc0f570ceb
Instruction Fuzzy Hash: 2E2130B6644304AFD350CF49EC41E67FBE8EB88A30F14C92EFD5997311D275A9148BA2

Uniqueness

Uniqueness Score: -1.00%

Function 026FA82E, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.326212215.00000000026F2000.00000040.00000001.sdmp, Offset: 026F2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3120df1fb7885ed9794dec9eb192e5de46f1a5c69d0494e89e71242b6103d28c
Instruction ID: 878ec3c50de5adbf79a424b6621fc90f1fbd22eb8c33dc49ef3327e5b8aeb244
Opcode Fuzzy Hash: 3120df1fb7885ed9794dec9eb192e5de46f1a5c69d0494e89e71242b6103d28c
Instruction Fuzzy Hash: D32130B6644304AFD350CF49EC41E67FBE8EB88A30F14C92EFD4997311D275A9148BA2

Uniqueness

Uniqueness Score: -1.00%

Function 026FA702, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.326212215.00000000026F2000.00000040.00000001.sdmp, Offset: 026F2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d93d28d27f5a966738719748a6ccf14f28218e3692dce779d6dee5abc1a57b39
Instruction ID: 38df1cf11bb4ecc0884aa050b01ce56ae4d1b3d72a62ed8acf36591353b5188e
Opcode Fuzzy Hash: d93d28d27f5a966738719748a6ccf14f28218e3692dce779d6dee5abc1a57b39
Instruction Fuzzy Hash: 9E212FB6644304AFD250CF4AEC41E57FBE8EB88A30F14C92EFD4997311D275A9148BA2

Uniqueness

Uniqueness Score: -1.00%

Function 04E024C8, Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.327964512.0000000004E00000.00000040.00000001.sdmp, Offset: 04E00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a9e1b979ee7749f4dd30d41e3938e4cfb9c59da037f1ac43cad074e8003fd73
Instruction ID: 3837e0b5d716f164fc5b5776de8d9ad7f478e01e780258675ab2062ed97972c9
Opcode Fuzzy Hash: 8a9e1b979ee7749f4dd30d41e3938e4cfb9c59da037f1ac43cad074e8003fd73
Instruction Fuzzy Hash: 9B3107B0D01209DFCB04DFA9C1945EEFBF2BF49304F24E4AAD414A7295E734AA81CB91

Uniqueness

Uniqueness Score: -1.00%

Function 026FA5D6, Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.326212215.00000000026F2000.00000040.00000001.sdmp, Offset: 026F2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a752f2ddd7c6f31bc8d56bfae156a8a3ecc5e6a298ef24b5c5fa6f867e39245c
Instruction ID: b6b6e002b682eb0a46ebe0fbb14e77ec58ced99f00b63f5f9fc194e41a18e8d3
Opcode Fuzzy Hash: a752f2ddd7c6f31bc8d56bfae156a8a3ecc5e6a298ef24b5c5fa6f867e39245c
Instruction Fuzzy Hash: 08119676644304BFE6108F46EC41E67FBE8EB84A30F18C96AFD4D57211D275B5148AA1

Uniqueness

Uniqueness Score: -1.00%

Function 026FA3BE, Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.326212215.00000000026F2000.00000040.00000001.sdmp, Offset: 026F2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9683d636f2871f32438df0b79d596ea34408e36828dd6588e1a55e603b210979
Instruction ID: 9d458cc25131cf466b9abc1b2ac3416a5abc49c960d1b9cd107b6970996641a2
Opcode Fuzzy Hash: 9683d636f2871f32438df0b79d596ea34408e36828dd6588e1a55e603b210979
Instruction Fuzzy Hash: 4C11D672644300BFE6108F06EC41D67FBE8EB84A30F18C42AFD0C57210D271B5048AE1

Uniqueness

Uniqueness Score: -1.00%

Function 026FA62C, Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.326212215.00000000026F2000.00000040.00000001.sdmp, Offset: 026F2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd102625a307962ae884177f39863e4d9516e9c15dc956a7a73b03e2af20a5eb
Instruction ID: cb33fe241ef40f1d01ee3561afc4d318e96ec33774e21a385db6979ce1fe3e46
Opcode Fuzzy Hash: cd102625a307962ae884177f39863e4d9516e9c15dc956a7a73b03e2af20a5eb
Instruction Fuzzy Hash: 13216DB1509380AFD302CF15DC51957BFE4EF86620F09889AF9889B212D234A908CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 026FA1A6, Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.326212215.00000000026F2000.00000040.00000001.sdmp, Offset: 026F2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46b2ecee17b5de996a76e54214f0376c1c3575c672fa3f667eee5975a0aae9c5
Instruction ID: 52c4ee66fa2908767dcd2b65a48e9ef1f7b095a3c083e73af62475e0f1537a77
Opcode Fuzzy Hash: 46b2ecee17b5de996a76e54214f0376c1c3575c672fa3f667eee5975a0aae9c5
Instruction Fuzzy Hash: 4111A772640304BFE6108E0AAC41E66FB98EB84A30F58C56BFE095B211D672B5148AF1

Uniqueness

Uniqueness Score: -1.00%

Function 0279075C, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.326271196.0000000002790000.00000040.00000040.sdmp, Offset: 02790000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c6b23794191a32904455caa4bcf8a52d7d3d463a2a9c8f72ef0e0f0969f9295
Instruction ID: b673edbb7df8da456fb8bbca29b2a9a091579f5bb04e995af00d06e05d5f9866
Opcode Fuzzy Hash: 9c6b23794191a32904455caa4bcf8a52d7d3d463a2a9c8f72ef0e0f0969f9295
Instruction Fuzzy Hash: D711E434204345EFDB05CB20D984B26BBE5AB88718F24C59CE9491B753C777D803CE51

Uniqueness

Uniqueness Score: -1.00%

Function 02790732, Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.326271196.0000000002790000.00000040.00000040.sdmp, Offset: 02790000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14ed16cbbb6818abcb8ab27b5490f9b7ae0a1e72d5b0d733a503255cb91f503e
Instruction ID: 2ec4770136dd88f972235d960037a93718f50004e79a524c68a31931cbb6c6e1
Opcode Fuzzy Hash: 14ed16cbbb6818abcb8ab27b5490f9b7ae0a1e72d5b0d733a503255cb91f503e
Instruction Fuzzy Hash: 8B2190352093C59FCB03CB20D890B55BFB1AB46314F1886EED8884B6A3C33B9817DB52

Uniqueness

Uniqueness Score: -1.00%

Function 04E0A5D8, Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.327964512.0000000004E00000.00000040.00000001.sdmp, Offset: 04E00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2d4633cb148b15e0a919cff2a94f2b79e715b35c72e7944db2de98b1aa7ed0c
Instruction ID: a22411e676bf3641412a9005edaf0e14191c51fd09b328104a3726980275a269
Opcode Fuzzy Hash: e2d4633cb148b15e0a919cff2a94f2b79e715b35c72e7944db2de98b1aa7ed0c
Instruction Fuzzy Hash: F6210074E04209DFCB04DFA8D481AEEBBB4EB59300F10A569D912A7390DB34AA81DF80

Uniqueness

Uniqueness Score: -1.00%

Function 026FAAF5, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.326212215.00000000026F2000.00000040.00000001.sdmp, Offset: 026F2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 508c3c80a92cf47aaaa24b50e0aa571ad45ea098f12720db0aa5e9f3dc20865f
Instruction ID: 84841d5cc5f8440614e2b56114b39073522b51097ea3e1d6f189540b544e1c60
Opcode Fuzzy Hash: 508c3c80a92cf47aaaa24b50e0aa571ad45ea098f12720db0aa5e9f3dc20865f
Instruction Fuzzy Hash: 1A11E9B5A08301AFD350CF19D881A5BFBE4FB88660F14892EF998D7311D371E9048FA2

Uniqueness

Uniqueness Score: -1.00%

Function 04E000F9, Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.327964512.0000000004E00000.00000040.00000001.sdmp, Offset: 04E00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f738c80f3df25e5f5834b51dd780106e7a644d024ef97fad94a8a0077af6f0c
Instruction ID: 7166ab3c79918b2da636b098569302e5a7933dd4cd5f7d92e788b3c0bf2bee7a
Opcode Fuzzy Hash: 8f738c80f3df25e5f5834b51dd780106e7a644d024ef97fad94a8a0077af6f0c
Instruction Fuzzy Hash: 7A21CD34E0118ACFCF44EFA8D95459D7BBAFB4030CB14456CCA2697299DBB06E85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 04E0A5E8, Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.327964512.0000000004E00000.00000040.00000001.sdmp, Offset: 04E00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 141344b901926e40494595bcca39e8b07abc8cdf735a0bef68c2c80c44472d4b
Instruction ID: abf1d4bc23e8098ae2d112511d8ce742a7a02dc1c646e63b7f2337a3488d4de6
Opcode Fuzzy Hash: 141344b901926e40494595bcca39e8b07abc8cdf735a0bef68c2c80c44472d4b
Instruction Fuzzy Hash: 8721E374E04209CFCB04CF98D595AEEBBB1EF58300F109569D911AB390DB30AE80DF90

Uniqueness

Uniqueness Score: -1.00%

Function 04E03A68, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.327964512.0000000004E00000.00000040.00000001.sdmp, Offset: 04E00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8385ad86743eb1288f4c32f9813506f564abcddaafb92d7081e14acbf521cb7c
Instruction ID: b2d1fa429febf3ff3146f2d8c1b7c602f58fdd27a9bc09867c4799f42f863e97
Opcode Fuzzy Hash: 8385ad86743eb1288f4c32f9813506f564abcddaafb92d7081e14acbf521cb7c
Instruction Fuzzy Hash: 81212270A05218CFDB50DF68E948B9DBBB2FB4A300F1095EAD919E3291D7356E84CF51

Uniqueness

Uniqueness Score: -1.00%

Function 04E03A78, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.327964512.0000000004E00000.00000040.00000001.sdmp, Offset: 04E00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67fed4cba8fbcaaa5e8f7cfd91bd63e7d58740e4b54856ef589fccf95a6ced7e
Instruction ID: be3e691923b2d9ce86396bce9572706138cea45f8e5d159659a4b3b5e1ea20d1
Opcode Fuzzy Hash: 67fed4cba8fbcaaa5e8f7cfd91bd63e7d58740e4b54856ef589fccf95a6ced7e
Instruction Fuzzy Hash: 0721EE70E00218CFDB50DF68E98879CBBB2FB49300F1095A9D919E3280EB756E858F51

Uniqueness

Uniqueness Score: -1.00%

Function 026FA104, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.326212215.00000000026F2000.00000040.00000001.sdmp, Offset: 026F2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea16a1da0a3607dc4e2f06975d6227e2668f29c986b840e6d664248745e63242
Instruction ID: f9cfdcea8803d9caf2ef7452130f5dd6c0d9a5316caec17357917413cc8c0678
Opcode Fuzzy Hash: ea16a1da0a3607dc4e2f06975d6227e2668f29c986b840e6d664248745e63242
Instruction Fuzzy Hash: CE0124B114E3C06FE3128B255C55AA2BF78DF43620F0C80CBE9889F193D2566909C7B2

Uniqueness

Uniqueness Score: -1.00%

Function 04E00108, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.327964512.0000000004E00000.00000040.00000001.sdmp, Offset: 04E00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f78849f59d2683fbc64488ec37fac2ea590db47c716451cb1f113780bc48b5da
Instruction ID: b0b0a0b2d7c79cc246b91aeb99ea3d1b56187012550576092f09de75e726ad54
Opcode Fuzzy Hash: f78849f59d2683fbc64488ec37fac2ea590db47c716451cb1f113780bc48b5da
Instruction Fuzzy Hash: 91114C34E0014ACBCF84EFA8D55499DBBBAFB4030CB105568DA2697388DBB06E55CF95

Uniqueness

Uniqueness Score: -1.00%

Function 027905CF, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.326271196.0000000002790000.00000040.00000040.sdmp, Offset: 02790000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 416882665aafc7190038aca70ff1428cb854af9e35d85da17171610f38955e57
Instruction ID: 30d61fcd90d3b57f9fd156d7af651dd8fda0f4088fedea13852f231901019939
Opcode Fuzzy Hash: 416882665aafc7190038aca70ff1428cb854af9e35d85da17171610f38955e57
Instruction Fuzzy Hash: BF01D67550D7806FD7128F16AC44862FFB8DF86620718C4EFED898B612D125A909CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 04E0B4FA, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.327964512.0000000004E00000.00000040.00000001.sdmp, Offset: 04E00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05505a26b7222beb21081786c4ad2c830f345a5308167a5cf57f4c8a652242ef
Instruction ID: 3fdeba4538ade218c80c748912b797e550f9f21c512089d8891be5137fd7fb58
Opcode Fuzzy Hash: 05505a26b7222beb21081786c4ad2c830f345a5308167a5cf57f4c8a652242ef
Instruction Fuzzy Hash: 2A111571D44228CFDB64CFA4C884BECB7B2BB08304F1484E9D019A7295CB36AAC5DF10

Uniqueness

Uniqueness Score: -1.00%

Function 04E02448, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.327964512.0000000004E00000.00000040.00000001.sdmp, Offset: 04E00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c49e9cb9d10e1a7231808b8feaa08987450e200d7e8e2408ca85532f3dd5d35
Instruction ID: c9f73ea3e7019cf8209688f384a1301df0c629cb06e33f0d248c2b598f2173aa
Opcode Fuzzy Hash: 6c49e9cb9d10e1a7231808b8feaa08987450e200d7e8e2408ca85532f3dd5d35
Instruction Fuzzy Hash: E60188B0D002498FCB48DFB5D5545AEBFB2EB85304F10D0AAC964A3391DB302A81CF91

Uniqueness

Uniqueness Score: -1.00%

Function 04E003E8, Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.327964512.0000000004E00000.00000040.00000001.sdmp, Offset: 04E00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fde29d743446e4bf4f77e065976170a6d7456561c35ad435d07e2a4b35016a02
Instruction ID: f882cc3861b066f35370584de626de58ee2f9206d12f9afad296d45cfa7cce45
Opcode Fuzzy Hash: fde29d743446e4bf4f77e065976170a6d7456561c35ad435d07e2a4b35016a02
Instruction Fuzzy Hash: D8F0C2309062449FD719DBB08590AFF7B73DFD6104B189898900123185CE346E42EA50

Uniqueness

Uniqueness Score: -1.00%

Function 04E0B3A1, Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.327964512.0000000004E00000.00000040.00000001.sdmp, Offset: 04E00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 209a77d140ea1a13ebd559f77a7b11f1efb925b61fa46917b7f2fd9f6940ca57
Instruction ID: b57dc89776a9d6b1fd075abfc470d60de068c73958403f2f437f7b2dc2cf36f2
Opcode Fuzzy Hash: 209a77d140ea1a13ebd559f77a7b11f1efb925b61fa46917b7f2fd9f6940ca57
Instruction Fuzzy Hash: 8C11F3349002A8CFDB249F64DA58BECB7B1BB44305F0055E9C12AA62E4D7782EC5CF10

Uniqueness

Uniqueness Score: -1.00%

Function 04E00531, Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.327964512.0000000004E00000.00000040.00000001.sdmp, Offset: 04E00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1eb9d18dfd3ecbac80afc6d61e688b4e0b0b03344878917bf6fcd9d38d226ccd
Instruction ID: e32a9699a8adb92cdbc8ef03126e6b08edbafa3df6b140f0560376b3bc99e868
Opcode Fuzzy Hash: 1eb9d18dfd3ecbac80afc6d61e688b4e0b0b03344878917bf6fcd9d38d226ccd
Instruction Fuzzy Hash: FE014674E05248DFCB11CFA8E680A9DBFF0BB0A310F1095A9D914A7352E670AE85CF91

Uniqueness

Uniqueness Score: -1.00%

Function 04E03FBD, Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.327964512.0000000004E00000.00000040.00000001.sdmp, Offset: 04E00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f3e02d95fe615b8c6079fc4ec1f364feb75e58532e299b6fefcf1b85f9c7c8b
Instruction ID: 7b3864b681536fe1f30439bf46cf5cd1f550fcd2b958037f5139263ae4a842a7
Opcode Fuzzy Hash: 3f3e02d95fe615b8c6079fc4ec1f364feb75e58532e299b6fefcf1b85f9c7c8b
Instruction Fuzzy Hash: 5901E270A00248CFEB14DFA8D584B9CBBB0FB05309F1095AAD918DB284CB75AD85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 04E00070, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.327964512.0000000004E00000.00000040.00000001.sdmp, Offset: 04E00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc908f2bead4ba0cab6008e99383b2e61c614ac7d5b39ffe627c8b16a4ed77ef
Instruction ID: 87702b58264e414fe6e4d7b412c5023713e302cb36ba4f082ebdd8470088f99d
Opcode Fuzzy Hash: cc908f2bead4ba0cab6008e99383b2e61c614ac7d5b39ffe627c8b16a4ed77ef
Instruction Fuzzy Hash: 31F08C70D412099BDBA89FA4D855BFFBAF4EB49704F106C2AC510F3280DA7569848FE4

Uniqueness

Uniqueness Score: -1.00%

Function 04E00451, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.327964512.0000000004E00000.00000040.00000001.sdmp, Offset: 04E00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55ece918d50f0fcc694471ad3f3f261f703c30e167b191b8f79e9c9466571aa2
Instruction ID: 21da6e5d034d095e7c073599ca43217249edb56d704cb3cf6678c9a93a9cfb19
Opcode Fuzzy Hash: 55ece918d50f0fcc694471ad3f3f261f703c30e167b191b8f79e9c9466571aa2
Instruction Fuzzy Hash: B3F09A70D453489FCF05DFB4D1146ADBF70EB06301F2098AAC810A3382E7326A91DF84

Uniqueness

Uniqueness Score: -1.00%

Function 04E02458, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.327964512.0000000004E00000.00000040.00000001.sdmp, Offset: 04E00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffb1c9ba9578739fab77d9f6ee2079de60c4cc07a8881ecf5723a74965c19f41
Instruction ID: 29ed0c943655362917af1c170b1792d5181296480da933ed722b151726d5bddb
Opcode Fuzzy Hash: ffb1c9ba9578739fab77d9f6ee2079de60c4cc07a8881ecf5723a74965c19f41
Instruction Fuzzy Hash: 700119B4D00209CFDF44DFA9D5446AEFBB2EB88304F10D56A8925A3340DB302A90CF95

Uniqueness

Uniqueness Score: -1.00%

Function 04E003F8, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.327964512.0000000004E00000.00000040.00000001.sdmp, Offset: 04E00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: edab893f75fa2e5fc74341ad25b58c7d504e4e0807145557a52cd8ffb4126142
Instruction ID: 8680e76caa1631eaae0a99b7e7bb7a310124a4024d33271aadc14b104691fa1b
Opcode Fuzzy Hash: edab893f75fa2e5fc74341ad25b58c7d504e4e0807145557a52cd8ffb4126142
Instruction Fuzzy Hash: A1F01C30E422089BDB08EBF18990EBF73BBDFD9204B549C98940123284CE746F01E994

Uniqueness

Uniqueness Score: -1.00%

Function 02790818, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.326271196.0000000002790000.00000040.00000040.sdmp, Offset: 02790000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 525cef522958239b2deb72ab7ac90410e2832b06fb356f1b7ca8807ee3c9392c
Instruction ID: fa2c87b9a41e332d763b6ec1e99655ee758963c8a2b36b187fa17764489cf49b
Opcode Fuzzy Hash: 525cef522958239b2deb72ab7ac90410e2832b06fb356f1b7ca8807ee3c9392c
Instruction Fuzzy Hash: C4F0FB35204645DFC605CB40D940B15FBA2EB89718F24C6A9E9491B762C3379813DE81

Uniqueness

Uniqueness Score: -1.00%

Function 04E00220, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.327964512.0000000004E00000.00000040.00000001.sdmp, Offset: 04E00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c54b7f09f91e076fbeec517cc18003366cd2c835c3c40da61c4016a3699064c6
Instruction ID: f6499b2f822b5fccbcb4163089d98803adf5f4b9a40e8b82bbc78261bc431775
Opcode Fuzzy Hash: c54b7f09f91e076fbeec517cc18003366cd2c835c3c40da61c4016a3699064c6
Instruction Fuzzy Hash: 0AF0EC34C0A348EFCB19DBB4B40429CBFB1AB02305F10A1AAC81483382D2316A95DB11

Uniqueness

Uniqueness Score: -1.00%

Function 04E0AC1C, Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.327964512.0000000004E00000.00000040.00000001.sdmp, Offset: 04E00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2d263082e0298cdfea71a88b5acf29740e57db0724b4e1f0ecaea29f75b7bd0
Instruction ID: 353881359391dd34daa95ff86035eff094869a22db93eabd0708ae9a00187f4e
Opcode Fuzzy Hash: d2d263082e0298cdfea71a88b5acf29740e57db0724b4e1f0ecaea29f75b7bd0
Instruction Fuzzy Hash: 65F0677490434CDBCB05EF60E2446ACBB71EB45300F1182E5C85957281D7345E95CB85

Uniqueness

Uniqueness Score: -1.00%

Function 04E0BA3D, Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.327964512.0000000004E00000.00000040.00000001.sdmp, Offset: 04E00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f8c6dec167eafa29f6e93ecfb06b2b4f5bb76108dd51971ea332622809d8980
Instruction ID: 24a25e247cfec9dea98c8e8a51b9dbfc7f528d1bb0ea7de9c2dcee74e5762add
Opcode Fuzzy Hash: 2f8c6dec167eafa29f6e93ecfb06b2b4f5bb76108dd51971ea332622809d8980
Instruction Fuzzy Hash: 6D01AF35A4022ADFCB61CB54C880BE8BBB5BB08308F0581E4E419A7251CB31AE85CF00

Uniqueness

Uniqueness Score: -1.00%

Function 027905F6, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.326271196.0000000002790000.00000040.00000040.sdmp, Offset: 02790000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6fe6d9fa2a9e3a39056cc6f6cc160d4a97f2bb2d67fda3d2f71e4bbf6ada4fc
Instruction ID: 55dd3c474114f3d2794ef629f3b45f277e9c47aa333f02c62a3f988e874e5ca1
Opcode Fuzzy Hash: c6fe6d9fa2a9e3a39056cc6f6cc160d4a97f2bb2d67fda3d2f71e4bbf6ada4fc
Instruction Fuzzy Hash: A7E092766406008BD650CF0BEC81462F7D8EB88630B58C07FDC0D8B710E575B504CEE5

Uniqueness

Uniqueness Score: -1.00%

Function 04E032C0, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.327964512.0000000004E00000.00000040.00000001.sdmp, Offset: 04E00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 633ec692ebf47b69ac851d3323baa39527e7d0b18b0a25e0b175230e9f30c1d0
Instruction ID: 33a6c870899b03da20a6f9dfa2726124d96314d76c446082c0a8ed54a829bce5
Opcode Fuzzy Hash: 633ec692ebf47b69ac851d3323baa39527e7d0b18b0a25e0b175230e9f30c1d0
Instruction Fuzzy Hash: C6F0A030845344AFCB15DF74D89299DBF31FF07300F14959ADC4067292C7315AA5DB59

Uniqueness

Uniqueness Score: -1.00%

Function 026FA8E7, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.326212215.00000000026F2000.00000040.00000001.sdmp, Offset: 026F2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e44ec8d743c4af03630dccc158212fd7f23aea460de9a8f63e63e4cb6b4bba8f
Instruction ID: 4e644326f546daa67c165a103a843de67c48f0f16880cd66c9662d3a2169a8f8
Opcode Fuzzy Hash: e44ec8d743c4af03630dccc158212fd7f23aea460de9a8f63e63e4cb6b4bba8f
Instruction Fuzzy Hash: C5E0D8B2A4130067E2109F069C86F63FB58DB50A30F18C45BED085B301E1B1B5048AE1

Uniqueness

Uniqueness Score: -1.00%

Function 026FA567, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.326212215.00000000026F2000.00000040.00000001.sdmp, Offset: 026F2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1806f54cfb9d33f00f8c6467a73dfee2e04be8c2a0800f2ffb45605bbb8d7626
Instruction ID: d793e89083c9d8b16fd4bc3cddd6d8e9f2078eb9088efed3676714c231646bd1
Opcode Fuzzy Hash: 1806f54cfb9d33f00f8c6467a73dfee2e04be8c2a0800f2ffb45605bbb8d7626
Instruction Fuzzy Hash: 6CE0D8B164130067E2209F069C86B63FB98DB44A30F68C457ED081B301E1B5B5048AE5

Uniqueness

Uniqueness Score: -1.00%

Function 026FA34F, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.326212215.00000000026F2000.00000040.00000001.sdmp, Offset: 026F2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0079f7976828128025e18fa55c5dc7113b012a73dfb0978a86fd557b38902da1
Instruction ID: e5d21337a49cd9c800691e8ad86e8b27ff8183748638efea465da4726100ff94
Opcode Fuzzy Hash: 0079f7976828128025e18fa55c5dc7113b012a73dfb0978a86fd557b38902da1
Instruction Fuzzy Hash: D2E020B168130067E2209F06DC86B63FF9CDB40D30F58C457ED0C1B341E1B5B5048AE5

Uniqueness

Uniqueness Score: -1.00%

Function 026FAB57, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.326212215.00000000026F2000.00000040.00000001.sdmp, Offset: 026F2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf5af93268a4f77ce8fee9a1fa24537a8739bfc31570c7dff43c81eb5ff907a8
Instruction ID: b89edb4d83106584b49bbeba1e01c1b72d20878094220c56ba34e8d9ac9c08b7
Opcode Fuzzy Hash: cf5af93268a4f77ce8fee9a1fa24537a8739bfc31570c7dff43c81eb5ff907a8
Instruction Fuzzy Hash: 26E0D8B26417046BE2109F069C86B63FF58DB80A30F58C467EE081B702E1B1B5148AE1

Uniqueness

Uniqueness Score: -1.00%

Function 026FA7BB, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.326212215.00000000026F2000.00000040.00000001.sdmp, Offset: 026F2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f41fbc6bca9219cd3b69cbd639e88513e4b7523e733cf2f3b7bda719f55d05b
Instruction ID: fbd9536053c5fb149c47ba9ac1a1feb49161a1ef56b761217fced513ee708f48
Opcode Fuzzy Hash: 9f41fbc6bca9219cd3b69cbd639e88513e4b7523e733cf2f3b7bda719f55d05b
Instruction Fuzzy Hash: F3E0D8B2A8130067E2109F069C86F63FB58DB50A30F18C45BED081B301E1B5B5048AE1

Uniqueness

Uniqueness Score: -1.00%

Function 026FA138, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.326212215.00000000026F2000.00000040.00000001.sdmp, Offset: 026F2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0921bfb87dc1a5423d8ff4887aa6efc4473e650e2a03fb2d1e1e3d8369011fe0
Instruction ID: a7f32bd4b355f83f3092be6a6018ce7588f9f8cbfe7ef61cc6897592b76c60f1
Opcode Fuzzy Hash: 0921bfb87dc1a5423d8ff4887aa6efc4473e650e2a03fb2d1e1e3d8369011fe0
Instruction Fuzzy Hash: 72E0D8B168130067E2209F069C86B63FB58DB40930F58C457ED081B301E5B5B5048AE5

Uniqueness

Uniqueness Score: -1.00%

Function 026FA68F, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.326212215.00000000026F2000.00000040.00000001.sdmp, Offset: 026F2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb990b4a783d8fb14f4256c92ea9577732ffc94304d5261612aeddbe6abe15cd
Instruction ID: c098dc9c196d1fd02591a9361790f137266b22ffe8a9d8c96fa3662c00cbcaea
Opcode Fuzzy Hash: bb990b4a783d8fb14f4256c92ea9577732ffc94304d5261612aeddbe6abe15cd
Instruction Fuzzy Hash: 76E0D8B2641304ABE2209F06DC86F63FF58DB50A30F18C45BED081B301E1B1B5048AF1

Uniqueness

Uniqueness Score: -1.00%

Function 04E0BE39, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.327964512.0000000004E00000.00000040.00000001.sdmp, Offset: 04E00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96a34635e5720b04b2b5aaa3ebee2ee4dc536dfd1c822ee456e5035ae4ee5fe9
Instruction ID: 2f5d6971668d65a6a978ce28a28a908b2f20f57da8f4b3e19e980e07302d89e6
Opcode Fuzzy Hash: 96a34635e5720b04b2b5aaa3ebee2ee4dc536dfd1c822ee456e5035ae4ee5fe9
Instruction Fuzzy Hash: FAF0A978D00208AFCB00DF94C4007ADBBB8EB88300F24D0A9D8156B381D23AAA43EF80

Uniqueness

Uniqueness Score: -1.00%

Function 04E09F18, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.327964512.0000000004E00000.00000040.00000001.sdmp, Offset: 04E00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05e679c3791854f36dacb5969d39607fa3e8f65f4713ab91538e9f7f66caa6d2
Instruction ID: f898fb19179be3f931b4ff0968a69cf2b6ab1a1cf1581342df46d2c488d06232
Opcode Fuzzy Hash: 05e679c3791854f36dacb5969d39607fa3e8f65f4713ab91538e9f7f66caa6d2
Instruction Fuzzy Hash: 61E09270D843089BCB00DFA4D5053ACBBB8EB45301F1091E9D805A3782D2386982DF41

Uniqueness

Uniqueness Score: -1.00%

Function 04E00460, Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.327964512.0000000004E00000.00000040.00000001.sdmp, Offset: 04E00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0fce3c5534668a8fea9a08075c43dda8ffae213c888523fe4dcef7a8f9d14391
Instruction ID: 3662fa09932eb3940577ee2b1447938146fac1bbe202b65bf3d69074c0e72e31
Opcode Fuzzy Hash: 0fce3c5534668a8fea9a08075c43dda8ffae213c888523fe4dcef7a8f9d14391
Instruction Fuzzy Hash: 67F0C974D41308DFCB44EFB4D4486AEBBB4EB05305F5059A9C91563380D775AA90CF95

Uniqueness

Uniqueness Score: -1.00%

Function 04E0BE88, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.327964512.0000000004E00000.00000040.00000001.sdmp, Offset: 04E00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37bdd2bacf4b6178f69fe66d52fca544fd349e5e9b3f6295ab72508df9518910
Instruction ID: 92496652e75b260eeb61c1e17012ad68f84e436618b1dc43465753a8049df171
Opcode Fuzzy Hash: 37bdd2bacf4b6178f69fe66d52fca544fd349e5e9b3f6295ab72508df9518910
Instruction Fuzzy Hash: AAE039B4A04208DFCB05CF94D540BACBBB1EB85304F2491DAC91897381C67A6A42CB40

Uniqueness

Uniqueness Score: -1.00%

Function 04E009D8, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.327964512.0000000004E00000.00000040.00000001.sdmp, Offset: 04E00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28543a72eb0dd529f9b127ffc45860768fec21c5d3035a71ab5b16e78b9deedf
Instruction ID: fa0b78e0d33bad5167e59ab01f7977df2496b3cc38eee8b7d96b2753285f5b23
Opcode Fuzzy Hash: 28543a72eb0dd529f9b127ffc45860768fec21c5d3035a71ab5b16e78b9deedf
Instruction Fuzzy Hash: DAE086318861589FCF15D774F5627FC7B319B42314F6051DAC94453241DA221E9ADB91

Uniqueness

Uniqueness Score: -1.00%

Function 04E0AF50, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.327964512.0000000004E00000.00000040.00000001.sdmp, Offset: 04E00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33f1a545be8f1b40950f4f741cfebce7a1ff02c1fcf6b92ce0ff351815c436ce
Instruction ID: b8e998f7945a521b76973014174805c449c2281fb6b2ecd2cf33a28efe0b2a4f
Opcode Fuzzy Hash: 33f1a545be8f1b40950f4f741cfebce7a1ff02c1fcf6b92ce0ff351815c436ce
Instruction Fuzzy Hash: B6E086B1C4530CDBD700EF64DA457BDB774EB51345F5055A4C80563290D734AA95DF80

Uniqueness

Uniqueness Score: -1.00%

Function 04E032D0, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.327964512.0000000004E00000.00000040.00000001.sdmp, Offset: 04E00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44bb73452aac564801b4cf0d1345881ae81e0062724b0496c4c62d0729f53564
Instruction ID: 6b19d7936a2195748ffb475d6dd06d1eb611510de88e72d0be6829bc8dc57eab
Opcode Fuzzy Hash: 44bb73452aac564801b4cf0d1345881ae81e0062724b0496c4c62d0729f53564
Instruction Fuzzy Hash: B7E0E630D41208EBCB55EF64D8459ADFB75FB46711F10A559DC0423390C7316AA4DB99

Uniqueness

Uniqueness Score: -1.00%

Function 04E0BE48, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.327964512.0000000004E00000.00000040.00000001.sdmp, Offset: 04E00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d09f468c1629f7da6ef65ad8ffd2de7d6cbb5440a1e7ef24ef568172961410b1
Instruction ID: 370da63f5a6af0bd244de3d9e7c6f8dce344fab6737388fc0c7e9376a33f26a4
Opcode Fuzzy Hash: d09f468c1629f7da6ef65ad8ffd2de7d6cbb5440a1e7ef24ef568172961410b1
Instruction Fuzzy Hash: 07E01A74D0420CEFCB05DFA4D5406ADFBB8EB48300F10C1AADD5467391D636AA92EF90

Uniqueness

Uniqueness Score: -1.00%

Function 04E00230, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.327964512.0000000004E00000.00000040.00000001.sdmp, Offset: 04E00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0f47e71daa6a695f3365b1428941fd569c9bee08fe405da607a4cfe5c8006eb
Instruction ID: 95ceb28f2e8e16fc22ac5fbea9fbf0c974ce25e11c4108a747d168bc757963e7
Opcode Fuzzy Hash: c0f47e71daa6a695f3365b1428941fd569c9bee08fe405da607a4cfe5c8006eb
Instruction Fuzzy Hash: FFE04F34D05308DBCB04EFA8E10569CB7B5EB45305F10A0A9D81993341E7316E94DF81

Uniqueness

Uniqueness Score: -1.00%

Function 04E0BE98, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.327964512.0000000004E00000.00000040.00000001.sdmp, Offset: 04E00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53bd414bbbd8e10898a2334acf5c1dfd9317fc4469bd9573f0c2e529f08af729
Instruction ID: d124c02d5c26c695266a5909a1a000aeea2c2d27ec1649bce7846269a4bc06d6
Opcode Fuzzy Hash: 53bd414bbbd8e10898a2334acf5c1dfd9317fc4469bd9573f0c2e529f08af729
Instruction Fuzzy Hash: 4BE09A74D05208EFCB44DF98D541AADFBB4EB48304F10D5AAD91857381D635AA92DF81

Uniqueness

Uniqueness Score: -1.00%

Function 04E0AF60, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.327964512.0000000004E00000.00000040.00000001.sdmp, Offset: 04E00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d83c8a83b26ce6fe6f12c7a2afdb9f74ae4ba27318124cf5e60c8b94afb5734
Instruction ID: cc4fa4acee71624f4dc8a5093c2a94a8a597b6d5cb63abed7d928ee7f5d33f48
Opcode Fuzzy Hash: 8d83c8a83b26ce6fe6f12c7a2afdb9f74ae4ba27318124cf5e60c8b94afb5734
Instruction Fuzzy Hash: 3DD05E70D8930CDFCB04EFA4E5056BDBB78EB46301F50A6A9C819632C0D7302E95DE95

Uniqueness

Uniqueness Score: -1.00%

Function 04E000ED, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.327964512.0000000004E00000.00000040.00000001.sdmp, Offset: 04E00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e98b77ab46427dc0ad403a00c3768fc1b7054c5e558995e19f0ce1475c357f1
Instruction ID: 8d50964c19a572e363174010ceeb0769444f4f81788b5ae8c015b545587f7309
Opcode Fuzzy Hash: 1e98b77ab46427dc0ad403a00c3768fc1b7054c5e558995e19f0ce1475c357f1
Instruction Fuzzy Hash: D6D01736E02108CBCB00DFA4E0446ECB7B1EB89329F10982AC219A3240C33154948F94

Uniqueness

Uniqueness Score: -1.00%

Function 04E009E8, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.327964512.0000000004E00000.00000040.00000001.sdmp, Offset: 04E00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff556d72528b09f629cae1d25c83d0b6e9abefb68360fccc03cf96ef8b76ebcd
Instruction ID: e75b9dcb9fc933f7e7a9e97dcfe54c9b90129073ea67171cb038d460402f4bf7
Opcode Fuzzy Hash: ff556d72528b09f629cae1d25c83d0b6e9abefb68360fccc03cf96ef8b76ebcd
Instruction Fuzzy Hash: 5ED0A93084220CEBCF08EBA0EA11BADB329DB41301FA025A8890423280EA716E90DFD5

Uniqueness

Uniqueness Score: -1.00%

Function 026E23F4, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.326204998.00000000026E2000.00000040.00000001.sdmp, Offset: 026E2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a930efd943310d6e2a111c5aa79ca87a91ae0785519bc1e01078322af87329f
Instruction ID: 359ea1584f872ba6d37b53c62daa2a44469814635ebc91d44b8ed36eee33b5a7
Opcode Fuzzy Hash: 1a930efd943310d6e2a111c5aa79ca87a91ae0785519bc1e01078322af87329f
Instruction Fuzzy Hash: 6BD05E79216A818FD7268B1CC1B8B953BD9AF51B08F4644FDEC008B763C368D9D5D200

Uniqueness

Uniqueness Score: -1.00%

Function 04E000CD, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.327964512.0000000004E00000.00000040.00000001.sdmp, Offset: 04E00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fc4a188db0f010b395b00c087673ca22c7bba6071c86662f5d3f4569ed6d4be
Instruction ID: f6058d2073620ce8b8b5d7fc56ec736d2344e3528ff4ccc2081c899b1594a380
Opcode Fuzzy Hash: 2fc4a188db0f010b395b00c087673ca22c7bba6071c86662f5d3f4569ed6d4be
Instruction Fuzzy Hash: 2CD0C936E42108DF8F00DFF8E0444DCF776EB89226B10946AC615B3300C7319855CF54

Uniqueness

Uniqueness Score: -1.00%

Function 026E23BC, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.326204998.00000000026E2000.00000040.00000001.sdmp, Offset: 026E2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ca06d6879692e6c52b06e037318b651fb8212bf7f3eb67ce88fb8da3abe7a8b
Instruction ID: 18b71d00709611a3ad5fdd8aabee49f3f64f3ad86e317d46cf6eda0668b9c7da
Opcode Fuzzy Hash: 5ca06d6879692e6c52b06e037318b651fb8212bf7f3eb67ce88fb8da3abe7a8b
Instruction Fuzzy Hash: BDD05E342012818BCB15DB0CC5A4F5937D9AB41B04F1644E8AC018B762C3A4D881CA00

Uniqueness

Uniqueness Score: -1.00%

Function 04E09287, Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.327964512.0000000004E00000.00000040.00000001.sdmp, Offset: 04E00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d833924340d194ae066d8d50d06b8c55608c602ddb0a842759ce6ce2a624dba3
Instruction ID: e6463095ffcf06ee087d50a62812d53a00c5d5f88853483cabe35b4a5a8ed9d3
Opcode Fuzzy Hash: d833924340d194ae066d8d50d06b8c55608c602ddb0a842759ce6ce2a624dba3
Instruction Fuzzy Hash: D9C002B8905669DFCB20DF60DC446D8B7B0FB05305F0055D6D91AB2241D7302EC4CE04

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 04E042DF, Relevance: 5.1, Strings: 4, Instructions: 141COMMON

Download Yara Rule

Strings

f]Ir, xrefs: 04E04340
:@Dr, xrefs: 04E0440C
>_Ir, xrefs: 04E04429
`5kr, xrefs: 04E044E5

Memory Dump Source

Source File: 00000000.00000002.327964512.0000000004E00000.00000040.00000001.sdmp, Offset: 04E00000, based on PE: false

Similarity

API ID:
String ID: :@Dr$>_Ir$`5kr$f]Ir
API String ID: 0-3492759196
Opcode ID: fe4cf1e5f55eda68cee5723e2cae53286ad3e5e8f2a54048d815de84ecfaa359
Instruction ID: 97a61fbdbb9250a263902a4026f9b12090028b2c72f9ed5b125205d56518e258
Opcode Fuzzy Hash: fe4cf1e5f55eda68cee5723e2cae53286ad3e5e8f2a54048d815de84ecfaa359
Instruction Fuzzy Hash: FA517B70E01249CFDB88EF69D95079DBFB7FB84304F14E669D60897298DB7028968F50

Uniqueness

Uniqueness Score: -1.00%

Function 04E042F0, Relevance: 5.1, Strings: 4, Instructions: 136COMMON

Download Yara Rule

Strings

f]Ir, xrefs: 04E04340
:@Dr, xrefs: 04E0440C
>_Ir, xrefs: 04E04429
`5kr, xrefs: 04E044E5

Memory Dump Source

Source File: 00000000.00000002.327964512.0000000004E00000.00000040.00000001.sdmp, Offset: 04E00000, based on PE: false

Similarity

API ID:
String ID: :@Dr$>_Ir$`5kr$f]Ir
API String ID: 0-3492759196
Opcode ID: 16ea5da426f3b7ab64121699db1984f62f77278dc06f1687b7c4b9b11b5b735f
Instruction ID: d7d726a4a9175d46e3c51c34115796100d8180137d48a90b15145d3384476129
Opcode Fuzzy Hash: 16ea5da426f3b7ab64121699db1984f62f77278dc06f1687b7c4b9b11b5b735f
Instruction Fuzzy Hash: 6C518C70E01249CFDB88EF6AD95079DBBB6FF84304F14A669D608A7298DB7028568B50

Uniqueness

Uniqueness Score: -1.00%

Function 04E0424D, Relevance: 4.0, Strings: 3, Instructions: 201COMMON

Download Yara Rule

Strings

:@Dr, xrefs: 04E0440C
>_Ir, xrefs: 04E04429
`5kr, xrefs: 04E044E5

Memory Dump Source

Source File: 00000000.00000002.327964512.0000000004E00000.00000040.00000001.sdmp, Offset: 04E00000, based on PE: false

Similarity

API ID:
String ID: :@Dr$>_Ir$`5kr
API String ID: 0-771960798
Opcode ID: 63ed3dd0acd1c65e82585a8fe6ee6e0c29a776415e5dc6f8eb9b7b99afeb9f03
Instruction ID: 6873bb1de6c135990ded51c5296a4cfc84e36e3dd8c93f7d8bbfaedca6610ee6
Opcode Fuzzy Hash: 63ed3dd0acd1c65e82585a8fe6ee6e0c29a776415e5dc6f8eb9b7b99afeb9f03
Instruction Fuzzy Hash: 3361D170E05289CFDB44DB6AD94038DBFB2FF81308F14E66AC25597295DB7028978B51

Uniqueness

Uniqueness Score: -1.00%

Function 04E04538, Relevance: .3, Instructions: 320COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.327964512.0000000004E00000.00000040.00000001.sdmp, Offset: 04E00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ecc17c4bd564d7310b1d30bcf69e5e25fd58c1e69f28feb64304177f297019fc
Instruction ID: 2ee1393dcec26a835958337d7457781e7efaa485066b9b523133c29e6ffdf83c
Opcode Fuzzy Hash: ecc17c4bd564d7310b1d30bcf69e5e25fd58c1e69f28feb64304177f297019fc
Instruction Fuzzy Hash: 0AF1A1B1E006288BDB68CF2AC98478DFBF2AF88304F54C5E9D54CA7215EB305A85DF15

Uniqueness

Uniqueness Score: -1.00%

Function 04E04529, Relevance: .3, Instructions: 318COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.327964512.0000000004E00000.00000040.00000001.sdmp, Offset: 04E00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a6beefacd41c82792d8a2d93ed65fde4a7108d85ac3a8e904a459fc511b50ce
Instruction ID: d15a8290a3aebe6f3c4b36e20573636f8bf5664896631d6d6efe6cf1342d1ce9
Opcode Fuzzy Hash: 4a6beefacd41c82792d8a2d93ed65fde4a7108d85ac3a8e904a459fc511b50ce
Instruction Fuzzy Hash: 61F1A1B1E006288BDB68CF2AC98478DFBF2AF88300F54C5E9D54CA7215EB305A95DF15

Uniqueness

Uniqueness Score: -1.00%

Function 04E0BED0, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.327964512.0000000004E00000.00000040.00000001.sdmp, Offset: 04E00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ed5d660e89545ef401fd582c3cdca70c0cb54251059bfb82fca2858e2dca0e7
Instruction ID: b0fd3be959442d3a0d9bcdac2153eeb619ec80869dc8b07acd896e9b52345d63
Opcode Fuzzy Hash: 8ed5d660e89545ef401fd582c3cdca70c0cb54251059bfb82fca2858e2dca0e7
Instruction Fuzzy Hash: E81107B0D452598ECB10CFB5C855BFEBBF0BB0A310F24A469D455B3280D7389A85CF68

Uniqueness

Uniqueness Score: -1.00%

Function 04E0BEE0, Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.327964512.0000000004E00000.00000040.00000001.sdmp, Offset: 04E00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a477fcc498fe13017b2cf028d533756b03ae8ad5ceb8862070707edbb8942876
Instruction ID: 78ad6db0aea8a10274f21236e299b03ce8c5291a50bcbfdc492eb071c514a6e9
Opcode Fuzzy Hash: a477fcc498fe13017b2cf028d533756b03ae8ad5ceb8862070707edbb8942876
Instruction Fuzzy Hash: D411F870D442199FCB54DFA9C844BFEBAF0BF0A310F14A469D415B3280D734AA84CFA8

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: lNCyFjhn7M.exe PID: 7036 Parent PID: 6996 lNCyFjhn7M.exeCOMMON

Executed Functions

Function 0515D768, Relevance: 27.1, APIs: 1, Strings: 14, Instructions: 829libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0515DEBD

Strings

X1kr, xrefs: 0515E03F
X1kr, xrefs: 0515E0C2
X1kr, xrefs: 0515DE06
X1kr, xrefs: 0515DF77
X1kr, xrefs: 0515DDA9
X1kr, xrefs: 0515D8EA
%, xrefs: 0515D8C0
X1kr, xrefs: 0515DD8A
,%, xrefs: 0515D8D2
X1kr, xrefs: 0515D87E
X1kr, xrefs: 0515D846
X1kr, xrefs: 0515DFA1
X1kr, xrefs: 0515DDE0
X1kr, xrefs: 0515E010

Memory Dump Source

Source File: 00000001.00000002.594031790.0000000005150000.00000040.00000001.sdmp, Offset: 05150000, based on PE: false

Similarity

API ID: InitializeThunk
String ID: ,%$X1kr$X1kr$X1kr$X1kr$X1kr$X1kr$X1kr$X1kr$X1kr$X1kr$X1kr$X1kr$%
API String ID: 2994545307-3058424830
Opcode ID: da9f100f2393df0491360f0300f0e145277bb4ab3a6d9534c2ae518d9b83702b
Instruction ID: 443d4b7e4c57ea79fc0e6ed17ebc6b3711337a796753fa41402a637f07bf8873
Opcode Fuzzy Hash: da9f100f2393df0491360f0300f0e145277bb4ab3a6d9534c2ae518d9b83702b
Instruction Fuzzy Hash: F6624C31E00229CFDB25DFA4C844B9EBBB6BF89310F1585E9D909AB254DB719E85CF40

Uniqueness

Uniqueness Score: -1.00%

Function 05B70679, Relevance: 23.5, Strings: 16, Instructions: 3502COMMON

Download Yara Rule

Strings

:@Dr, xrefs: 05B715A3
X1kr, xrefs: 05B70FC8
d, xrefs: 05B70EF2
X1kr, xrefs: 05B70FD8
X1kr, xrefs: 05B70F4B
X1kr, xrefs: 05B71325
X1kr, xrefs: 05B714CC
X1kr, xrefs: 05B71232
X1kr, xrefs: 05B7134B
X1kr, xrefs: 05B7114D
d, xrefs: 05B70ED8
X1kr, xrefs: 05B711B0
X1kr, xrefs: 05B7151B
X1kr, xrefs: 05B71274
X1kr, xrefs: 05B70B96
X1kr, xrefs: 05B71079

Memory Dump Source

Source File: 00000001.00000002.594548910.0000000005B70000.00000040.00000001.sdmp, Offset: 05B70000, based on PE: false

Similarity

API ID:
String ID: :@Dr$X1kr$X1kr$X1kr$X1kr$X1kr$X1kr$X1kr$X1kr$X1kr$X1kr$X1kr$X1kr$X1kr$d$d
API String ID: 0-1989323153
Opcode ID: cd918e3b58ab2f4beb003cae142ade1f71144338a5f77f8348a7aec3a06438c0
Instruction ID: b863d79d54fdca8be8714fb599a248338379f966f02026643f98cb23a7349461
Opcode Fuzzy Hash: cd918e3b58ab2f4beb003cae142ade1f71144338a5f77f8348a7aec3a06438c0
Instruction Fuzzy Hash: A063E575D00A299FDB65CF68C844A99FBF2BF89304F0584E6D90CAB221D771AE85CF41

Uniqueness

Uniqueness Score: -1.00%

Function 012B24F8, Relevance: 1.7, APIs: 1, Instructions: 155libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 012B255D

Memory Dump Source

Source File: 00000001.00000002.590203011.00000000012B0000.00000040.00000001.sdmp, Offset: 012B0000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 26c0a1b8810302d65a7eaec2254fb83cd837c20e1e0c8d215062f02424850670
Instruction ID: 8f1f082a9e13a746a2bf58d25a4341052157c6e256d70d066f4501525e55ac49
Opcode Fuzzy Hash: 26c0a1b8810302d65a7eaec2254fb83cd837c20e1e0c8d215062f02424850670
Instruction Fuzzy Hash: 2A512370B10205DFCB04EBB4D594AAEBBB6FF88314F248969D516DB384DF709845CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0117AF07, Relevance: 1.6, APIs: 1, Instructions: 75COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 0117AF87

Memory Dump Source

Source File: 00000001.00000002.589999631.000000000117A000.00000040.00000001.sdmp, Offset: 0117A000, based on PE: false

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: e59f4d2aa304a317f50baf6cb8544c57e42cdb738123b8ef1e131c44c153b8e4
Instruction ID: 5549b4825a3798b03d1a608637c41ffbd8d115c654492a2916ed5b96e14cf0e0
Opcode Fuzzy Hash: e59f4d2aa304a317f50baf6cb8544c57e42cdb738123b8ef1e131c44c153b8e4
Instruction Fuzzy Hash: 2E219175509784AFEB178F25DC44B56BFB4EF06210F0884DAE9858F263D371D908CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0117B089, Relevance: 1.6, APIs: 1, Instructions: 57nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL ref: 0117B0F5

Memory Dump Source

Source File: 00000001.00000002.589999631.000000000117A000.00000040.00000001.sdmp, Offset: 0117A000, based on PE: false

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: ef2ee06dbb5e2e8cc79799e02688882717b2765926ab0eb96f8a2acf3ce58375
Instruction ID: 406ca771f09e05cde7fa41bfadf7bb75b3e51e9203d83d21ad67ab2814728c4d
Opcode Fuzzy Hash: ef2ee06dbb5e2e8cc79799e02688882717b2765926ab0eb96f8a2acf3ce58375
Instruction Fuzzy Hash: 2D1181715093849FD7128F14DC45A52FFB4EF06314F0980DAE9844B263D275A918DB62

Uniqueness

Uniqueness Score: -1.00%

Function 0117AF3E, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 0117AF87

Memory Dump Source

Source File: 00000001.00000002.589999631.000000000117A000.00000040.00000001.sdmp, Offset: 0117A000, based on PE: false

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: 5b2917ba5cbcdd4d4548a8ddda0628ee1fc0ceec5f53e42ff46d05a3afdf0839
Instruction ID: 5d6ee08127ae7240ba794a97e6fd6b50899d07bb35c1346f5173ff3b8cd18aab
Opcode Fuzzy Hash: 5b2917ba5cbcdd4d4548a8ddda0628ee1fc0ceec5f53e42ff46d05a3afdf0839
Instruction Fuzzy Hash: 061170755006049FEB25CF69E884B5AFFE4EF04720F08C5AAEE458B652D771E418CB72

Uniqueness

Uniqueness Score: -1.00%

Function 0117A09A, Relevance: 1.5, APIs: 1, Instructions: 42networkCOMMON

Download Yara Rule

APIs

recv.WS2_32(?,?,?,?), ref: 0117A0D5

Memory Dump Source

Source File: 00000001.00000002.589999631.000000000117A000.00000040.00000001.sdmp, Offset: 0117A000, based on PE: false

Similarity

API ID: recv
String ID:
API String ID: 1507349165-0
Opcode ID: f2cd05c45f7df545a7720411dc2b9131958c13fcead8b1497ecc8630b1b401a1
Instruction ID: 781d017e231dd87be34cda115c79db58f18b32a59fd9a3655972e635b11b889d
Opcode Fuzzy Hash: f2cd05c45f7df545a7720411dc2b9131958c13fcead8b1497ecc8630b1b401a1
Instruction Fuzzy Hash: 47019A31500640DFEB25CF59E884B6AFFA4EF04720F18C4AADE498B212D3B5A008CB72

Uniqueness

Uniqueness Score: -1.00%

Function 0117B0BA, Relevance: 1.5, APIs: 1, Instructions: 38nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL ref: 0117B0F5

Memory Dump Source

Source File: 00000001.00000002.589999631.000000000117A000.00000040.00000001.sdmp, Offset: 0117A000, based on PE: false

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: 464163b88a1bb7d941dddf3ff2e852287eaae09170f0d4ffef10ade97ea809a9
Instruction ID: d144c00a4c97ecde483514ff9ce5385ac01727790b137d1e919f91ee6b898af7
Opcode Fuzzy Hash: 464163b88a1bb7d941dddf3ff2e852287eaae09170f0d4ffef10ade97ea809a9
Instruction Fuzzy Hash: 91018B31504644DFEB258F59E885B62FFB0EF08720F18C0AADE894B312C3B5A418CB62

Uniqueness

Uniqueness Score: -1.00%

Function 051530BA, Relevance: 10.0, APIs: 2, Strings: 3, Instructions: 1225libraryCOMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 0515324C
LdrInitializeThunk.NTDLL ref: 051537E3

Strings

:@Dr, xrefs: 05153877
:@Dr, xrefs: 0515457D
:@Dr, xrefs: 051549BB

Memory Dump Source

Source File: 00000001.00000002.594031790.0000000005150000.00000040.00000001.sdmp, Offset: 05150000, based on PE: false

Similarity

API ID: DispatcherExceptionInitializeThunkUser
String ID: :@Dr$:@Dr$:@Dr
API String ID: 243558500-1395999109
Opcode ID: ce0848dc891411d88b4b1279c8a4c18fd78bcd0c24da4b476c275ee0551f99c5
Instruction ID: db7d1f7abf1a724cdce52251f05b2147fb23bd233e2eccee5fa97fe6b73dd431
Opcode Fuzzy Hash: ce0848dc891411d88b4b1279c8a4c18fd78bcd0c24da4b476c275ee0551f99c5
Instruction Fuzzy Hash: 36C29574A00628CFCB65DF68DC98A9DBBB6BB48312F1081E6D919E3354DB309E85CF15

Uniqueness

Uniqueness Score: -1.00%

Function 051599C0, Relevance: 6.3, APIs: 1, Strings: 2, Instructions: 1034libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0515A538

Strings

P#, xrefs: 0515A14E
P#, xrefs: 05159EE2

Memory Dump Source

Source File: 00000001.00000002.594031790.0000000005150000.00000040.00000001.sdmp, Offset: 05150000, based on PE: false

Similarity

API ID: InitializeThunk
String ID: P#$P#
API String ID: 2994545307-2117210794
Opcode ID: 30a20cb1643b4b88161d7d5bd43344a60f1444a1042585b30e3d1941b4ade7e4
Instruction ID: 9a6f585b953552eb51b4c7383897ff734d02439fb75f8dd36365eeb75af3c3da
Opcode Fuzzy Hash: 30a20cb1643b4b88161d7d5bd43344a60f1444a1042585b30e3d1941b4ade7e4
Instruction Fuzzy Hash: F6921930A00205CFCB24DFB8C598AADBBF2FF48325F158569D82AAB355DB35D885CB51

Uniqueness

Uniqueness Score: -1.00%

Function 051530EA, Relevance: 5.9, APIs: 2, Strings: 1, Instructions: 691libraryCOMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 0515324C
LdrInitializeThunk.NTDLL ref: 051537E3

Strings

:@Dr, xrefs: 05153877

Memory Dump Source

Source File: 00000001.00000002.594031790.0000000005150000.00000040.00000001.sdmp, Offset: 05150000, based on PE: false

Similarity

API ID: DispatcherExceptionInitializeThunkUser
String ID: :@Dr
API String ID: 243558500-3830894600
Opcode ID: 21aaac7d457d5d8161f917c16821ce188a47f2c6eb8c7d06d95f0fea78e09715
Instruction ID: 1a71bf6c5417a6489b7494912e591526880daf627793aff7007075b0560fca01
Opcode Fuzzy Hash: 21aaac7d457d5d8161f917c16821ce188a47f2c6eb8c7d06d95f0fea78e09715
Instruction Fuzzy Hash: 52726374A10628CFCBA5DF68DC98A9DBBF5FB48312F1181E6D919A3351DB309E848F05

Uniqueness

Uniqueness Score: -1.00%

Function 0515313E, Relevance: 5.9, APIs: 2, Strings: 1, Instructions: 679libraryCOMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 0515324C
LdrInitializeThunk.NTDLL ref: 051537E3

Strings

:@Dr, xrefs: 05153877

Memory Dump Source

Source File: 00000001.00000002.594031790.0000000005150000.00000040.00000001.sdmp, Offset: 05150000, based on PE: false

Similarity

API ID: DispatcherExceptionInitializeThunkUser
String ID: :@Dr
API String ID: 243558500-3830894600
Opcode ID: 196e71cb4d79027e2d9d9160370b021a06ff31ac9524f140d0d8c36d9a87fe3d
Instruction ID: 9cde41f2655b12856b8bdf0b8d90c1fb3761ec00725df93e3d6c140fba2758a5
Opcode Fuzzy Hash: 196e71cb4d79027e2d9d9160370b021a06ff31ac9524f140d0d8c36d9a87fe3d
Instruction Fuzzy Hash: 7B727374A10628CFCBA5DF68DC98A9DBBF5FB48312F1181E6D919A3351DB309E848F05

Uniqueness

Uniqueness Score: -1.00%

Function 05153189, Relevance: 5.9, APIs: 2, Strings: 1, Instructions: 671libraryCOMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 0515324C
LdrInitializeThunk.NTDLL ref: 051537E3

Strings

:@Dr, xrefs: 05153877

Memory Dump Source

Source File: 00000001.00000002.594031790.0000000005150000.00000040.00000001.sdmp, Offset: 05150000, based on PE: false

Similarity

API ID: DispatcherExceptionInitializeThunkUser
String ID: :@Dr
API String ID: 243558500-3830894600
Opcode ID: 1595c736a5b0f81813f0f884073933ae2fc535ced19677a6b9d116564fb3afb5
Instruction ID: cd93d8246efbdecd254645100af831a41cbc2d68fe15bd225be11609296e9c75
Opcode Fuzzy Hash: 1595c736a5b0f81813f0f884073933ae2fc535ced19677a6b9d116564fb3afb5
Instruction Fuzzy Hash: FA727374A10628CFCB65DF68DC98A9DBBF6FB48312F1181E6D919A3351DB309E848F05

Uniqueness

Uniqueness Score: -1.00%

Function 051531DD, Relevance: 5.9, APIs: 2, Strings: 1, Instructions: 659libraryCOMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 0515324C
LdrInitializeThunk.NTDLL ref: 051537E3

Strings

:@Dr, xrefs: 05153877

Memory Dump Source

Source File: 00000001.00000002.594031790.0000000005150000.00000040.00000001.sdmp, Offset: 05150000, based on PE: false

Similarity

API ID: DispatcherExceptionInitializeThunkUser
String ID: :@Dr
API String ID: 243558500-3830894600
Opcode ID: 53d886c5bf755857532b9506d9e4fec18c7433b9e69caf5e6b3d92c24e266826
Instruction ID: ee1812d6cecc45e81ef2167b2b302d02c87a8314b2f9dd63eebc02a61aa5884c
Opcode Fuzzy Hash: 53d886c5bf755857532b9506d9e4fec18c7433b9e69caf5e6b3d92c24e266826
Instruction Fuzzy Hash: E6727374A10628CFCB65DF68DC98A9DBBF6FB48312F1181E6D919A3351DB309E848F05

Uniqueness

Uniqueness Score: -1.00%

Function 05153228, Relevance: 5.9, APIs: 2, Strings: 1, Instructions: 651libraryCOMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 0515324C
LdrInitializeThunk.NTDLL ref: 051537E3

Strings

:@Dr, xrefs: 05153877

Memory Dump Source

Source File: 00000001.00000002.594031790.0000000005150000.00000040.00000001.sdmp, Offset: 05150000, based on PE: false

Similarity

API ID: DispatcherExceptionInitializeThunkUser
String ID: :@Dr
API String ID: 243558500-3830894600
Opcode ID: a56fab2ce6bc7aacae7f52ecd5a28d0082fe0f4e116ed48b57fcea7b6cd7b895
Instruction ID: 842bdb2a851630c36b72f96725582ebbfcb01191bee54a6d51b6646602643312
Opcode Fuzzy Hash: a56fab2ce6bc7aacae7f52ecd5a28d0082fe0f4e116ed48b57fcea7b6cd7b895
Instruction Fuzzy Hash: FB627274A10628CFCB65DF68DC98A9DBBF6FB48312F1181E6D919A3351DB309E848F05

Uniqueness

Uniqueness Score: -1.00%

Function 0515327C, Relevance: 4.1, APIs: 1, Strings: 1, Instructions: 641libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 051537E3

Strings

:@Dr, xrefs: 05153877

Memory Dump Source

Source File: 00000001.00000002.594031790.0000000005150000.00000040.00000001.sdmp, Offset: 05150000, based on PE: false

Similarity

API ID: InitializeThunk
String ID: :@Dr
API String ID: 2994545307-3830894600
Opcode ID: 151a6fe68ab747876faca8edb077954fafa6bcdbc1144770a11089e3a581d2d7
Instruction ID: 4b871940e228ced2aa04bd4cec2a1983a28cecf54bd34411d4f1e536e8e2c2a1
Opcode Fuzzy Hash: 151a6fe68ab747876faca8edb077954fafa6bcdbc1144770a11089e3a581d2d7
Instruction Fuzzy Hash: 54627374A10628CFCB65DF68DC98A9DBBF6FB48312F1181E6D919A3351DB309E848F05

Uniqueness

Uniqueness Score: -1.00%

Function 051532D0, Relevance: 4.1, APIs: 1, Strings: 1, Instructions: 631libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 051537E3

Strings

:@Dr, xrefs: 05153877

Memory Dump Source

Source File: 00000001.00000002.594031790.0000000005150000.00000040.00000001.sdmp, Offset: 05150000, based on PE: false

Similarity

API ID: InitializeThunk
String ID: :@Dr
API String ID: 2994545307-3830894600
Opcode ID: e82a839772cac5b14b85bb32757315144c09aedb81bd5824fc3ffe1e258eaab3
Instruction ID: 88fa4febb6d3d00b2e89d9a88eaf16de35633b90a24f135e53515e6c516a398e
Opcode Fuzzy Hash: e82a839772cac5b14b85bb32757315144c09aedb81bd5824fc3ffe1e258eaab3
Instruction Fuzzy Hash: D3628274A10628CFCB65DF68DC98A9DBBF6FB48312F1181E6D919A3351DB309E848F05

Uniqueness

Uniqueness Score: -1.00%

Function 05153324, Relevance: 4.1, APIs: 1, Strings: 1, Instructions: 621libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 051537E3

Strings

:@Dr, xrefs: 05153877

Memory Dump Source

Source File: 00000001.00000002.594031790.0000000005150000.00000040.00000001.sdmp, Offset: 05150000, based on PE: false

Similarity

API ID: InitializeThunk
String ID: :@Dr
API String ID: 2994545307-3830894600
Opcode ID: d38b9f67c989133f6f7b46592cd59d5e961f5104085b1deafcc05f85ccc12ad2
Instruction ID: 42e181c31e9da75e285a870fa3d890ce1e671960b5062f9de0237ff19af23cf7
Opcode Fuzzy Hash: d38b9f67c989133f6f7b46592cd59d5e961f5104085b1deafcc05f85ccc12ad2
Instruction Fuzzy Hash: D4627274A10628CFCB65DF68DC98A9DBBF6FB48312F1181E6D919A3351DB309E848F05

Uniqueness

Uniqueness Score: -1.00%

Function 05153378, Relevance: 4.1, APIs: 1, Strings: 1, Instructions: 609libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 051537E3

Strings

:@Dr, xrefs: 05153877

Memory Dump Source

Source File: 00000001.00000002.594031790.0000000005150000.00000040.00000001.sdmp, Offset: 05150000, based on PE: false

Similarity

API ID: InitializeThunk
String ID: :@Dr
API String ID: 2994545307-3830894600
Opcode ID: 6a416e19fe08e9b94e9397866b182b9eb747352300209c96b2750fe781b41386
Instruction ID: e42d481d2da4146565f4151e4199979de597c09f90524030ef5c448f3c08c70b
Opcode Fuzzy Hash: 6a416e19fe08e9b94e9397866b182b9eb747352300209c96b2750fe781b41386
Instruction Fuzzy Hash: 78628174A10628CFCB65DF68DC98A9DBBF6FB48312F1181E6D919A3351DB309E848F05

Uniqueness

Uniqueness Score: -1.00%

Function 051533C3, Relevance: 4.1, APIs: 1, Strings: 1, Instructions: 601libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 051537E3

Strings

:@Dr, xrefs: 05153877

Memory Dump Source

Source File: 00000001.00000002.594031790.0000000005150000.00000040.00000001.sdmp, Offset: 05150000, based on PE: false

Similarity

API ID: InitializeThunk
String ID: :@Dr
API String ID: 2994545307-3830894600
Opcode ID: ce9b34cde73c52dfeda888e31f477a19669899f84d4669594aaf9ef5692f8b0c
Instruction ID: b5771d43fb1e4deb4329a3362a641ef0f4124e2fd1097afb16cbe9ebb66d08d7
Opcode Fuzzy Hash: ce9b34cde73c52dfeda888e31f477a19669899f84d4669594aaf9ef5692f8b0c
Instruction Fuzzy Hash: BD628174A10628CFCB65DF68DC98A9DBBF6FB48312F1181E6D919A3351DB309E848F05

Uniqueness

Uniqueness Score: -1.00%

Function 05153417, Relevance: 4.1, APIs: 1, Strings: 1, Instructions: 591libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 051537E3

Strings

:@Dr, xrefs: 05153877

Memory Dump Source

Source File: 00000001.00000002.594031790.0000000005150000.00000040.00000001.sdmp, Offset: 05150000, based on PE: false

Similarity

API ID: InitializeThunk
String ID: :@Dr
API String ID: 2994545307-3830894600
Opcode ID: d3eeb2e44ae65a294f2d24e7fbbbcc8994c3e0435c21d7165ea2b931ddb9531a
Instruction ID: 1a2511b779edf81dde9bd7055172c67625ea05aed0cf8d4a731f4cfaf5fbe246
Opcode Fuzzy Hash: d3eeb2e44ae65a294f2d24e7fbbbcc8994c3e0435c21d7165ea2b931ddb9531a
Instruction Fuzzy Hash: 93528174A10628CFCB65DF68DC98A9DBBF6FB48312F1181E6D919A3351DB309E848F05

Uniqueness

Uniqueness Score: -1.00%

Function 0515346B, Relevance: 4.1, APIs: 1, Strings: 1, Instructions: 581libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 051537E3

Strings

:@Dr, xrefs: 05153877

Memory Dump Source

Source File: 00000001.00000002.594031790.0000000005150000.00000040.00000001.sdmp, Offset: 05150000, based on PE: false

Similarity

API ID: InitializeThunk
String ID: :@Dr
API String ID: 2994545307-3830894600
Opcode ID: 10add88fedb164f140f01c26d3f954007bf0365acb738d882da4715f33a7889c
Instruction ID: 8117118d239ad99772cdc6d06320f6f087aca7a95c1ba82539d9663c74327c9c
Opcode Fuzzy Hash: 10add88fedb164f140f01c26d3f954007bf0365acb738d882da4715f33a7889c
Instruction Fuzzy Hash: 12528074A00628CFCB65DF68DC98A9DBBF6FB48312F1181E6D919A3351DB309E858F05

Uniqueness

Uniqueness Score: -1.00%

Function 051534BF, Relevance: 4.1, APIs: 1, Strings: 1, Instructions: 571libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 051537E3

Strings

:@Dr, xrefs: 05153877

Memory Dump Source

Source File: 00000001.00000002.594031790.0000000005150000.00000040.00000001.sdmp, Offset: 05150000, based on PE: false

Similarity

API ID: InitializeThunk
String ID: :@Dr
API String ID: 2994545307-3830894600
Opcode ID: ab002bb2bead977008f831ec03993aaf146ff9b4b26640b0c0548c41d1a5d09f
Instruction ID: 167835074bbed2bb068b74866512f6cb1b66eec4a9954fe2cd162dc42f9bb02e
Opcode Fuzzy Hash: ab002bb2bead977008f831ec03993aaf146ff9b4b26640b0c0548c41d1a5d09f
Instruction Fuzzy Hash: AA528074A00628CFCB65DF68DC98A9DBBB6FB48312F1181E6D919A3351DB309E84CF05

Uniqueness

Uniqueness Score: -1.00%

Function 05153513, Relevance: 4.1, APIs: 1, Strings: 1, Instructions: 559libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 051537E3

Strings

:@Dr, xrefs: 05153877

Memory Dump Source

Source File: 00000001.00000002.594031790.0000000005150000.00000040.00000001.sdmp, Offset: 05150000, based on PE: false

Similarity

API ID: InitializeThunk
String ID: :@Dr
API String ID: 2994545307-3830894600
Opcode ID: c145556524ea3f5eac72d5b76c1574edfe867eb3088a996d1f376f8c4a67e9f6
Instruction ID: cb3c39c9ed34caf4a7dc9bbae4b4c14e87bc7912719c7e14e37b7d97336f7497
Opcode Fuzzy Hash: c145556524ea3f5eac72d5b76c1574edfe867eb3088a996d1f376f8c4a67e9f6
Instruction Fuzzy Hash: 18528074A00628CFCB65DF68DC98A9DBBB6FB48312F1181E6D919A3351DB309E85CF05

Uniqueness

Uniqueness Score: -1.00%

Function 0515355E, Relevance: 4.1, APIs: 1, Strings: 1, Instructions: 551libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 051537E3

Strings

:@Dr, xrefs: 05153877

Memory Dump Source

Source File: 00000001.00000002.594031790.0000000005150000.00000040.00000001.sdmp, Offset: 05150000, based on PE: false

Similarity

API ID: InitializeThunk
String ID: :@Dr
API String ID: 2994545307-3830894600
Opcode ID: 62b81303bd085e928deed491adffd3ff2535e09818a04d93e8c32874a7c4c864
Instruction ID: 2e92e61d9bc2fe61fb5e9399f27c792bfa55e63388c7fbc5b1f330c2208689f2
Opcode Fuzzy Hash: 62b81303bd085e928deed491adffd3ff2535e09818a04d93e8c32874a7c4c864
Instruction Fuzzy Hash: A7528074A00628CFCB65DF68DC98A9DBBB6FB48312F1181E6D919A3351DB309E84CF05

Uniqueness

Uniqueness Score: -1.00%

Function 051535B2, Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 541libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 051537E3

Strings

:@Dr, xrefs: 05153877

Memory Dump Source

Source File: 00000001.00000002.594031790.0000000005150000.00000040.00000001.sdmp, Offset: 05150000, based on PE: false

Similarity

API ID: InitializeThunk
String ID: :@Dr
API String ID: 2994545307-3830894600
Opcode ID: 74fadea14a5ff86cd30d9a44cb240e71c5a3c472718f3927c4b249c6f3b253f9
Instruction ID: 0d79a099c5080aaaa2a12e150771557ac896d1050b9e33ee8d4df9abdcdf3779
Opcode Fuzzy Hash: 74fadea14a5ff86cd30d9a44cb240e71c5a3c472718f3927c4b249c6f3b253f9
Instruction Fuzzy Hash: 74428174A00628CFCB65DF68DC98A9DBBB6FB48312F1181E6D919A3351DB309E84CF05

Uniqueness

Uniqueness Score: -1.00%

Function 05153606, Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 051537E3

Strings

:@Dr, xrefs: 05153877

Memory Dump Source

Source File: 00000001.00000002.594031790.0000000005150000.00000040.00000001.sdmp, Offset: 05150000, based on PE: false

Similarity

API ID: InitializeThunk
String ID: :@Dr
API String ID: 2994545307-3830894600
Opcode ID: 178686ad19b68ec35e1d490f21d7d08ccf99af0fb8133d84813a4aa44c747436
Instruction ID: ea9297b6e48bdfddbd3d71aa94f350f66753776094d26df5c659576400eebbf8
Opcode Fuzzy Hash: 178686ad19b68ec35e1d490f21d7d08ccf99af0fb8133d84813a4aa44c747436
Instruction Fuzzy Hash: 6B428074A00629CFCB65DF68DC98A9DBBB2FB48312F1181E6D919A3351DB309E85CF05

Uniqueness

Uniqueness Score: -1.00%

Function 0515365A, Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 521libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 051537E3

Strings

:@Dr, xrefs: 05153877

Memory Dump Source

Source File: 00000001.00000002.594031790.0000000005150000.00000040.00000001.sdmp, Offset: 05150000, based on PE: false

Similarity

API ID: InitializeThunk
String ID: :@Dr
API String ID: 2994545307-3830894600
Opcode ID: f49b8f7a4f5f8586cb2a41eba92b6936c2d7e7590bbf842659270020c2452860
Instruction ID: 75795d82ea2ea17047468b1fe085db83573a7ee02d0ac9bae2c8787730ba7515
Opcode Fuzzy Hash: f49b8f7a4f5f8586cb2a41eba92b6936c2d7e7590bbf842659270020c2452860
Instruction Fuzzy Hash: C1428074A00629CFCB65DF68DC98A9DBBB2FB48312F1181E6D919A3351DB309E85CF05

Uniqueness

Uniqueness Score: -1.00%

Function 051536AE, Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 511libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 051537E3

Strings

:@Dr, xrefs: 05153877

Memory Dump Source

Source File: 00000001.00000002.594031790.0000000005150000.00000040.00000001.sdmp, Offset: 05150000, based on PE: false

Similarity

API ID: InitializeThunk
String ID: :@Dr
API String ID: 2994545307-3830894600
Opcode ID: 133f245cf695e46f39304c49ab843fca3a7b576ba233c57feee70eb7a38820aa
Instruction ID: 5b792d5ab7fc19850203018605ce9b0162f25e1ea8010ba33e04cb79c9665a2b
Opcode Fuzzy Hash: 133f245cf695e46f39304c49ab843fca3a7b576ba233c57feee70eb7a38820aa
Instruction Fuzzy Hash: 8D428074A00629CFCB65DF68DC98A9DBBB2FB48312F1181E6D919A3351DB309E85CF05

Uniqueness

Uniqueness Score: -1.00%

Function 012B2498, Relevance: 1.7, APIs: 1, Instructions: 177libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 012B255D

Memory Dump Source

Source File: 00000001.00000002.590203011.00000000012B0000.00000040.00000001.sdmp, Offset: 012B0000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 45e19ab80dd9e9799c0a317b3619212a36c793548c539ec846e9a33baf81d157
Instruction ID: 8fc783c67e3ef7c2562b592d43cd7ca4bbe69d91d6f2cb564e179f023dec3167
Opcode Fuzzy Hash: 45e19ab80dd9e9799c0a317b3619212a36c793548c539ec846e9a33baf81d157
Instruction Fuzzy Hash: B951B270B14349DFCB05ABB8D894AAE7BB6FF84304F248579D505DB285EB309C46CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 05A3219D, Relevance: 1.6, APIs: 1, Instructions: 135COMMON

Download Yara Rule

APIs

OpenFileMappingW.KERNELBASE(?,?), ref: 05A322AD

Memory Dump Source

Source File: 00000001.00000002.594525419.0000000005A30000.00000040.00000001.sdmp, Offset: 05A30000, based on PE: false

Similarity

API ID: FileMappingOpen
String ID:
API String ID: 1680863896-0
Opcode ID: 3d7a11aedf52e8a2723c9ab50f771787467d2e82d0308108a2c94b98a25ecdef
Instruction ID: 4d8d352ca0ff0dd7366bd9cc2083cd7dbcb0a0def99a1973b3083ce04f1f3eb6
Opcode Fuzzy Hash: 3d7a11aedf52e8a2723c9ab50f771787467d2e82d0308108a2c94b98a25ecdef
Instruction Fuzzy Hash: 9541E3711493806FE7128B65DC45F92FFB8EF02620F1884DBE9849F293D265A408CB61

Uniqueness

Uniqueness Score: -1.00%

Function 05A31C2D, Relevance: 1.6, APIs: 1, Instructions: 111networkCOMMON

Download Yara Rule

APIs

WSASocketW.WS2_32 ref: 05A31CF6

Memory Dump Source

Source File: 00000001.00000002.594525419.0000000005A30000.00000040.00000001.sdmp, Offset: 05A30000, based on PE: false

Similarity

API ID: Socket
String ID:
API String ID: 38366605-0
Opcode ID: 9ddebe9e3ddf6119dc3d2a50a20ecf4617b8093c8183748bb04afbb14aa982a2
Instruction ID: 8dfdba7c535e073682b52cec807127d7afd15bd12f99fb930aefecabb96cd87e
Opcode Fuzzy Hash: 9ddebe9e3ddf6119dc3d2a50a20ecf4617b8093c8183748bb04afbb14aa982a2
Instruction Fuzzy Hash: F8416A7150D7C0AFE7238B618C55F66BFB4AF07214F1984DBE9858F1A3C265A809CB72

Uniqueness

Uniqueness Score: -1.00%

Function 05A32A07, Relevance: 1.6, APIs: 1, Instructions: 99COMMON

Download Yara Rule

APIs

getaddrinfo.WS2_32(?,00000E2C), ref: 05A32ADB

Memory Dump Source

Source File: 00000001.00000002.594525419.0000000005A30000.00000040.00000001.sdmp, Offset: 05A30000, based on PE: false

Similarity

API ID: getaddrinfo
String ID:
API String ID: 300660673-0
Opcode ID: 564ba5a89d0666549387530648dfe3d50d81f11f01fa377f8b0bc7ce651c2b3f
Instruction ID: e6ebaa697cf7e37fa83ee824f236e41d03e251d70772c7a665b46b87c0a75364
Opcode Fuzzy Hash: 564ba5a89d0666549387530648dfe3d50d81f11f01fa377f8b0bc7ce651c2b3f
Instruction Fuzzy Hash: 3431A371004340AFF7229F61DC85FA6FFACEF46710F14499AFA849B182D375A549CB61

Uniqueness

Uniqueness Score: -1.00%

Function 05A32CB9, Relevance: 1.6, APIs: 1, Instructions: 92networkCOMMON

Download Yara Rule

APIs

WSAIoctl.WS2_32(?,00000E2C,02477BF8,00000000,00000000,00000000,00000000), ref: 05A32D6D

Memory Dump Source

Source File: 00000001.00000002.594525419.0000000005A30000.00000040.00000001.sdmp, Offset: 05A30000, based on PE: false

Similarity

API ID: Ioctl
String ID:
API String ID: 3041054344-0
Opcode ID: b52891a2b1aac85c000de519975be4a9111323727fe937913a9b636cfe5edaab
Instruction ID: d9a700034155e98f04939fe2973059040927a6f036b156fdada487d55c76f741
Opcode Fuzzy Hash: b52891a2b1aac85c000de519975be4a9111323727fe937913a9b636cfe5edaab
Instruction Fuzzy Hash: F8318175108780AFE7228F21DC45F92BFB8EF06714F08849BE9859B162D374E909CB71

Uniqueness

Uniqueness Score: -1.00%

Function 05A30DF4, Relevance: 1.6, APIs: 1, Instructions: 90fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 05A30E95

Memory Dump Source

Source File: 00000001.00000002.594525419.0000000005A30000.00000040.00000001.sdmp, Offset: 05A30000, based on PE: false

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 0a4e088242fe45f047b9523ff982ffb3aeb5cd5d3824fac510c993f1e3ea4938
Instruction ID: 1f464f66b0437ba4bf6b95ed6fc782e65808c90e5820ef7ae3e02b1c12715346
Opcode Fuzzy Hash: 0a4e088242fe45f047b9523ff982ffb3aeb5cd5d3824fac510c993f1e3ea4938
Instruction Fuzzy Hash: F4318B71504340AFE722CB25CC45F66BFE8EF45624F1884AAE9858B252D375E809CB71

Uniqueness

Uniqueness Score: -1.00%

Function 0117A8D9, Relevance: 1.6, APIs: 1, Instructions: 90registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,00000E2C), ref: 0117A989

Memory Dump Source

Source File: 00000001.00000002.589999631.000000000117A000.00000040.00000001.sdmp, Offset: 0117A000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: b3ad1cfe3ddd2000ee01102962f9f1e8ddd763ce395f801f5cdb59924bb7e1b1
Instruction ID: 4f6d8eb5d19d403b2be3a8d31e295f48fe301cbcedf565d6b73c8ae7f2a5cd24
Opcode Fuzzy Hash: b3ad1cfe3ddd2000ee01102962f9f1e8ddd763ce395f801f5cdb59924bb7e1b1
Instruction Fuzzy Hash: D631C572404344AFE7228B24DC84F67FFBCEF06710F08859BE9859B252D364A808CB71

Uniqueness

Uniqueness Score: -1.00%

Function 05A3206C, Relevance: 1.6, APIs: 1, Instructions: 89COMMON

Download Yara Rule

APIs

ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(?,00000E2C), ref: 05A32103

Memory Dump Source

Source File: 00000001.00000002.594525419.0000000005A30000.00000040.00000001.sdmp, Offset: 05A30000, based on PE: false

Similarity

API ID: DescriptorSecurity$ConvertString
String ID:
API String ID: 3907675253-0
Opcode ID: 048f76f7ada753fe498118c829ffaf8bd7310ae5949be4741d21de879e26854e
Instruction ID: e9046d16621de6e085f2584e0a0724c7865ba09e2285c4a9ee6acf879887a791
Opcode Fuzzy Hash: 048f76f7ada753fe498118c829ffaf8bd7310ae5949be4741d21de879e26854e
Instruction Fuzzy Hash: 7731AE72504344AFE7218B24DC45F66BFA8EF46720F0884ABE985DB252D264A809CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0117A9D1, Relevance: 1.6, APIs: 1, Instructions: 89registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,02477BF8,00000000,00000000,00000000,00000000), ref: 0117AA8C

Memory Dump Source

Source File: 00000001.00000002.589999631.000000000117A000.00000040.00000001.sdmp, Offset: 0117A000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 3be1240d5db11ba858215652a9277af29133b38bd54e0c0e34318b5cb288586e
Instruction ID: 1391b1a6717b6c94e87405c57ff2c06ff01d8d5325aa2f998bfa286d5a6bf8e0
Opcode Fuzzy Hash: 3be1240d5db11ba858215652a9277af29133b38bd54e0c0e34318b5cb288586e
Instruction Fuzzy Hash: C331B371105380AFE722CB25DC44F56BFF8EF06710F18849AE9858B253D364E949CB61

Uniqueness

Uniqueness Score: -1.00%

Function 05A32DB7, Relevance: 1.6, APIs: 1, Instructions: 87networkCOMMON

Download Yara Rule

APIs

WSAEventSelect.WS2_32(?,00000E2C,02477BF8,00000000,00000000,00000000,00000000), ref: 05A32E5E

Memory Dump Source

Source File: 00000001.00000002.594525419.0000000005A30000.00000040.00000001.sdmp, Offset: 05A30000, based on PE: false

Similarity

API ID: EventSelect
String ID:
API String ID: 31538577-0
Opcode ID: 66786bdf5adf6dabacf9a6d124d65857bdae7c7533287c979efbcb22b49d0d33
Instruction ID: fe711fc0eae557f946140b00ba0baadbf3c37a28c65708dec4f0a932b2e090e2
Opcode Fuzzy Hash: 66786bdf5adf6dabacf9a6d124d65857bdae7c7533287c979efbcb22b49d0d33
Instruction Fuzzy Hash: 2031AE72409384AFE7128B25DC55F96BFA8EF06314F1884DBEA849B253D224A509CB71

Uniqueness

Uniqueness Score: -1.00%

Function 05A32304, Relevance: 1.6, APIs: 1, Instructions: 87fileCOMMON

Download Yara Rule

APIs

MapViewOfFile.KERNELBASE ref: 05A323B6

Memory Dump Source

Source File: 00000001.00000002.594525419.0000000005A30000.00000040.00000001.sdmp, Offset: 05A30000, based on PE: false

Similarity

API ID: FileView
String ID:
API String ID: 3314676101-0
Opcode ID: 2a8475b95790544ae07f906a968976ae48dcf993584adaedfc5c51e7a2018522
Instruction ID: 26509af147d92854c57a4d2a35d5240e3222298fb2fbafb44c8e2a58e59c2359
Opcode Fuzzy Hash: 2a8475b95790544ae07f906a968976ae48dcf993584adaedfc5c51e7a2018522
Instruction Fuzzy Hash: 4A31C2B2404780AFE722CB55DC45F96FFF8EF06324F04859AE9849B252D375A509CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0117B21C, Relevance: 1.6, APIs: 1, Instructions: 87COMMON

Download Yara Rule

APIs

TerminateProcess.KERNELBASE(?,00000E2C,02477BF8,00000000,00000000,00000000,00000000), ref: 0117B2B0

Memory Dump Source

Source File: 00000001.00000002.589999631.000000000117A000.00000040.00000001.sdmp, Offset: 0117A000, based on PE: false

Similarity

API ID: ProcessTerminate
String ID:
API String ID: 560597551-0
Opcode ID: 2d8c6631b33e5983442ea81751bd105b005c3a83f77b63d019924cab56e2135a
Instruction ID: cfac9aefcbf3b0f6e2f4aaadf14c974d52122c246baea0dd504e06d73bbb7408
Opcode Fuzzy Hash: 2d8c6631b33e5983442ea81751bd105b005c3a83f77b63d019924cab56e2135a
Instruction Fuzzy Hash: 9F21D672509380AFE7128B25DC45F96BFB8EF47720F0880EBE985DF293D264A509C761

Uniqueness

Uniqueness Score: -1.00%

Function 05A325B9, Relevance: 1.6, APIs: 1, Instructions: 85synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNELBASE(?,?), ref: 05A32659

Memory Dump Source

Source File: 00000001.00000002.594525419.0000000005A30000.00000040.00000001.sdmp, Offset: 05A30000, based on PE: false

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: f41efee3e435eeb0e0ee90ab3b35e5653e804391114c24d5f7d70be735a82734
Instruction ID: 6721c39f79885829a016355d2c0c4ffbc3079b7ed9a196e47b2ffdd63495cf36
Opcode Fuzzy Hash: f41efee3e435eeb0e0ee90ab3b35e5653e804391114c24d5f7d70be735a82734
Instruction Fuzzy Hash: 4B3193B1509380AFE722CF25CC45F56FFE8EF05614F1884AEE9859B292D365E904CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0117B309, Relevance: 1.6, APIs: 1, Instructions: 85windowCOMMON

Download Yara Rule

APIs

FormatMessageW.KERNELBASE(?,00000E2C,?,?), ref: 0117B3B6

Memory Dump Source

Source File: 00000001.00000002.589999631.000000000117A000.00000040.00000001.sdmp, Offset: 0117A000, based on PE: false

Similarity

API ID: FormatMessage
String ID:
API String ID: 1306739567-0
Opcode ID: bbeac1df7e6f36cb813b8b8c8b77504262e404afba741cd6d1fa971c3cd1bdc5
Instruction ID: f1af297922cc3b4b770a5d9ceecfc8aa475fa632b82c035894b766558e4c2150
Opcode Fuzzy Hash: bbeac1df7e6f36cb813b8b8c8b77504262e404afba741cd6d1fa971c3cd1bdc5
Instruction Fuzzy Hash: 4931937154D3C05FD7039B218C55B66BFB4EF87610F1980DBD984CF2A3E624A909C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 05A32A36, Relevance: 1.6, APIs: 1, Instructions: 84COMMON

Download Yara Rule

APIs

getaddrinfo.WS2_32(?,00000E2C), ref: 05A32ADB

Memory Dump Source

Source File: 00000001.00000002.594525419.0000000005A30000.00000040.00000001.sdmp, Offset: 05A30000, based on PE: false

Similarity

API ID: getaddrinfo
String ID:
API String ID: 300660673-0
Opcode ID: 4c64f064db0ff89861a64898913e6b8065dbc23a3090159ccf8fda86a23e5419
Instruction ID: 6692cf9213531a1c1791902627813dc832a829f8935d32f0af67a1c002a3b4f6
Opcode Fuzzy Hash: 4c64f064db0ff89861a64898913e6b8065dbc23a3090159ccf8fda86a23e5419
Instruction Fuzzy Hash: 0521D171500304BFFB21DF24DC85FA6FBACEF44710F10886AFE459A281D6B5A5498B71

Uniqueness

Uniqueness Score: -1.00%

Function 05A31744, Relevance: 1.6, APIs: 1, Instructions: 84registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,02477BF8,00000000,00000000,00000000,00000000), ref: 05A317E0

Memory Dump Source

Source File: 00000001.00000002.594525419.0000000005A30000.00000040.00000001.sdmp, Offset: 05A30000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: a1dfaa02341d1ddd6127dbb3489ebca6ec26214e2e50fb4645f6d7353bd9ec8c
Instruction ID: 18727f17816c9230854629a6571c2f3c77a0c5d01938d4ebf2de5d4d777d3604
Opcode Fuzzy Hash: a1dfaa02341d1ddd6127dbb3489ebca6ec26214e2e50fb4645f6d7353bd9ec8c
Instruction Fuzzy Hash: 78219172109380AFE7228F64DC45F57BFB8EF06710F0884ABE985DB252D264E848CB71

Uniqueness

Uniqueness Score: -1.00%

Function 05A326B0, Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

shutdown.WS2_32(?,00000E2C,02477BF8,00000000,00000000,00000000,00000000), ref: 05A32744

Memory Dump Source

Source File: 00000001.00000002.594525419.0000000005A30000.00000040.00000001.sdmp, Offset: 05A30000, based on PE: false

Similarity

API ID: shutdown
String ID:
API String ID: 2510479042-0
Opcode ID: 133e8d25489809bb5ccdb6c9b202a7c017fe61e3d08074b7dcfc9296d05fc6c9
Instruction ID: 84bd36532d89254f68f8b112eeb50a37aca9a90ca32680531fd6a7e053f814fd
Opcode Fuzzy Hash: 133e8d25489809bb5ccdb6c9b202a7c017fe61e3d08074b7dcfc9296d05fc6c9
Instruction Fuzzy Hash: 152127B5405380AFE712CB54DC86F66BFA8FF42324F0880EBE9449F192D374A405CB61

Uniqueness

Uniqueness Score: -1.00%

Function 05A31642, Relevance: 1.6, APIs: 1, Instructions: 83registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,00000E2C), ref: 05A316D6

Memory Dump Source

Source File: 00000001.00000002.594525419.0000000005A30000.00000040.00000001.sdmp, Offset: 05A30000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 8b24a31f5da4deb9e7505be4c562dae56beee3632bb8ffc335f9a9b271fc7688
Instruction ID: 79852267a9f2b8efcb2cc9045c7b460fc52b6263927c8e386152442083327fe5
Opcode Fuzzy Hash: 8b24a31f5da4deb9e7505be4c562dae56beee3632bb8ffc335f9a9b271fc7688
Instruction Fuzzy Hash: B4219F72504344AFE7228F64DC45F6AFFACEF45710F0884ABFD459B252D264A509CB71

Uniqueness

Uniqueness Score: -1.00%

Function 0117A120, Relevance: 1.6, APIs: 1, Instructions: 83networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(?,00000E2C,?,?), ref: 0117A1C2

Memory Dump Source

Source File: 00000001.00000002.589999631.000000000117A000.00000040.00000001.sdmp, Offset: 0117A000, based on PE: false

Similarity

API ID: Startup
String ID:
API String ID: 724789610-0
Opcode ID: 813e171a13623d6e9f441b9ae633752e6cb7ae63d78abb5efc6d1feeb38aa2e4
Instruction ID: 10dfae5e7227d8ec4644dc9ec5e04b2c8234daa19eaa165ee303ba1306368f89
Opcode Fuzzy Hash: 813e171a13623d6e9f441b9ae633752e6cb7ae63d78abb5efc6d1feeb38aa2e4
Instruction Fuzzy Hash: A731D37140D3C06FD7128B358C55BA2BFB4EF47620F1985DBD9C48F293D225A909CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0117B711, Relevance: 1.6, APIs: 1, Instructions: 82COMMON

Download Yara Rule

APIs

K32GetModuleInformation.KERNEL32(?,00000E2C,02477BF8,00000000,00000000,00000000,00000000), ref: 0117B7A2

Memory Dump Source

Source File: 00000001.00000002.589999631.000000000117A000.00000040.00000001.sdmp, Offset: 0117A000, based on PE: false

Similarity

API ID: InformationModule
String ID:
API String ID: 3425974696-0
Opcode ID: b7ce2563446967633b2eed5e266721112049647f1d2aa0ddab66fb4c2c2e7124
Instruction ID: 8fccc565ce0bfb80c60f3e6a4f7e1254f55dbac8251710ff659af37c54247f10
Opcode Fuzzy Hash: b7ce2563446967633b2eed5e266721112049647f1d2aa0ddab66fb4c2c2e7124
Instruction Fuzzy Hash: C7218071549384AFE7128B25CC45FA6FFB8EF46210F0884ABE945DB292D364E908CB71

Uniqueness

Uniqueness Score: -1.00%

Function 0117B808, Relevance: 1.6, APIs: 1, Instructions: 81COMMON

Download Yara Rule

APIs

K32GetModuleFileNameExW.KERNEL32(?,00000E2C,?,?), ref: 0117B8AE

Memory Dump Source

Source File: 00000001.00000002.589999631.000000000117A000.00000040.00000001.sdmp, Offset: 0117A000, based on PE: false

Similarity

API ID: FileModuleName
String ID:
API String ID: 514040917-0
Opcode ID: 4f3aca8e0d84800477484c4c164c01dcdaac644585252fdd1e201360f9642ec0
Instruction ID: cad6b3c7a4cab151b1dac176cf24ded375a182407649412d9d6367cd496ba4e6
Opcode Fuzzy Hash: 4f3aca8e0d84800477484c4c164c01dcdaac644585252fdd1e201360f9642ec0
Instruction Fuzzy Hash: AE21A0715093C06FD3128B65CC55F66BFB8EF87610F1980DBE8848B2A3D624A909C7B2

Uniqueness

Uniqueness Score: -1.00%

Function 05A30EEC, Relevance: 1.6, APIs: 1, Instructions: 80COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E2C,02477BF8,00000000,00000000,00000000,00000000), ref: 05A30F81

Memory Dump Source

Source File: 00000001.00000002.594525419.0000000005A30000.00000040.00000001.sdmp, Offset: 05A30000, based on PE: false

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 16ea126134e4bc8749f594fbe5581f1df1408b6c4f94f52c5a6350671918c34a
Instruction ID: ae1c90bc7da24e723f0f8391becfa2985209d266a5903bb375b2de8e10289164
Opcode Fuzzy Hash: 16ea126134e4bc8749f594fbe5581f1df1408b6c4f94f52c5a6350671918c34a
Instruction Fuzzy Hash: 2B21F8B54493806FE7128B25DC41FA2BFA8EF47724F1880D7ED949B293D2646909CB71

Uniqueness

Uniqueness Score: -1.00%

Function 05A31570, Relevance: 1.6, APIs: 1, Instructions: 78registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.KERNELBASE(?,00000E2C,?,?), ref: 05A31616

Memory Dump Source

Source File: 00000001.00000002.594525419.0000000005A30000.00000040.00000001.sdmp, Offset: 05A30000, based on PE: false

Similarity

API ID: Enum
String ID:
API String ID: 2928410991-0
Opcode ID: 75f8dc7773fb4497e0175b401b5326a6723561b8c9d6fbf4525afeb7beb50bcd
Instruction ID: 6c34530c2cee82bea188f9f6196b7e682a87d16a68993998e3250286575a63fe
Opcode Fuzzy Hash: 75f8dc7773fb4497e0175b401b5326a6723561b8c9d6fbf4525afeb7beb50bcd
Instruction Fuzzy Hash: 2021716550E3C06FD3138B358C55A11BFB4EF87A10F1D81DFD8848B6A3D225A919C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 05A32092, Relevance: 1.6, APIs: 1, Instructions: 76COMMON

Download Yara Rule

APIs

ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(?,00000E2C), ref: 05A32103

Memory Dump Source

Source File: 00000001.00000002.594525419.0000000005A30000.00000040.00000001.sdmp, Offset: 05A30000, based on PE: false

Similarity

API ID: DescriptorSecurity$ConvertString
String ID:
API String ID: 3907675253-0
Opcode ID: f00296a1d8e2de4c8980d4c7650e20ad9d0055934f39a1c2f48d82be797322f9
Instruction ID: 029005d53a20774b0077fd54184d180b476e4ea7023fe9c064413579410eb28c
Opcode Fuzzy Hash: f00296a1d8e2de4c8980d4c7650e20ad9d0055934f39a1c2f48d82be797322f9
Instruction Fuzzy Hash: 99218E71500304AFEB20DB29DC46F6AFBACEF44724F14846BFE45DB241D664E4098B71

Uniqueness

Uniqueness Score: -1.00%

Function 05A3069C, Relevance: 1.6, APIs: 1, Instructions: 76libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,00000E2C), ref: 05A30737

Memory Dump Source

Source File: 00000001.00000002.594525419.0000000005A30000.00000040.00000001.sdmp, Offset: 05A30000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 4e0beb115058744d54119491f257c4bad41db8dd36970bd48c2af708545b3b6d
Instruction ID: 575449f28f5f048976bb0d3b7fe44a6eea1b9f3fe3fa1b1da0c2f393e9b5d7f8
Opcode Fuzzy Hash: 4e0beb115058744d54119491f257c4bad41db8dd36970bd48c2af708545b3b6d
Instruction Fuzzy Hash: 4921F871004380AFE7228B24CC45FA6FFA8EF06724F1480DAED855F192C264A949CB61

Uniqueness

Uniqueness Score: -1.00%

Function 05A30E16, Relevance: 1.6, APIs: 1, Instructions: 76fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 05A30E95

Memory Dump Source

Source File: 00000001.00000002.594525419.0000000005A30000.00000040.00000001.sdmp, Offset: 05A30000, based on PE: false

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 6c73cb77d4ab28382c7294ea5513bbb0831ed76f99917b4644752ddaec364d17
Instruction ID: d2aad7b6cc5b6adcf66a1f96b26bc56b69d575744886c913c67c8a62acfaaa0a
Opcode Fuzzy Hash: 6c73cb77d4ab28382c7294ea5513bbb0831ed76f99917b4644752ddaec364d17
Instruction Fuzzy Hash: 11217A71604744AFE721DF65C889F66FBE8FF08614F14846AEA859B251D371E408CB71

Uniqueness

Uniqueness Score: -1.00%

Function 0117B570, Relevance: 1.6, APIs: 1, Instructions: 76registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,?,?), ref: 0117B60A

Memory Dump Source

Source File: 00000001.00000002.589999631.000000000117A000.00000040.00000001.sdmp, Offset: 0117A000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 2777bcd4363915eed8b830533933534540af7c530e8549abedb8f211d52f63dc
Instruction ID: cbc876ee4003bd15aaaf169db94039a42f087254afc832c46a2511eeae81e8a3
Opcode Fuzzy Hash: 2777bcd4363915eed8b830533933534540af7c530e8549abedb8f211d52f63dc
Instruction Fuzzy Hash: 15210A755093C06FD3138B25CC51F62BFB4EF87A10F0981DBE8848B653D225A919C7B2

Uniqueness

Uniqueness Score: -1.00%

Function 05A30FBC, Relevance: 1.6, APIs: 1, Instructions: 75COMMON

Download Yara Rule

APIs

setsockopt.WS2_32(?,00000E2C,02477BF8,00000000,00000000,00000000,00000000), ref: 05A3104D

Memory Dump Source

Source File: 00000001.00000002.594525419.0000000005A30000.00000040.00000001.sdmp, Offset: 05A30000, based on PE: false

Similarity

API ID: setsockopt
String ID:
API String ID: 3981526788-0
Opcode ID: a66794bef09fc8476e1d87c3bff09a3d9ef42b008cd5f190bd8006df1f54af47
Instruction ID: 525b8571bba663d580ce31de97cb102a8d21c50d526ac1738aa1826fa5b68594
Opcode Fuzzy Hash: a66794bef09fc8476e1d87c3bff09a3d9ef42b008cd5f190bd8006df1f54af47
Instruction Fuzzy Hash: 4721A471409380AFE7228F65DC45F66FFB8EF46714F0884DBE9849B153D265A409CB71

Uniqueness

Uniqueness Score: -1.00%

Function 05A32BE6, Relevance: 1.6, APIs: 1, Instructions: 75COMMON

Download Yara Rule

APIs

ioctlsocket.WS2_32(?,00000E2C,02477BF8,00000000,00000000,00000000,00000000), ref: 05A32C6F

Memory Dump Source

Source File: 00000001.00000002.594525419.0000000005A30000.00000040.00000001.sdmp, Offset: 05A30000, based on PE: false

Similarity

API ID: ioctlsocket
String ID:
API String ID: 3577187118-0
Opcode ID: 50dfc40af4c43126efd109daf26a0b35a72612874285a497a211d590d3447681
Instruction ID: b4a2726819047e3499e12bd463a70f9ea1a54a545e72130b934ce46b02e225fe
Opcode Fuzzy Hash: 50dfc40af4c43126efd109daf26a0b35a72612874285a497a211d590d3447681
Instruction Fuzzy Hash: 6921D371009380AFE7128B24CC85F96BFB8EF46310F0884DBEA849F152D264A508C772

Uniqueness

Uniqueness Score: -1.00%

Function 0117A90A, Relevance: 1.6, APIs: 1, Instructions: 74registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,00000E2C), ref: 0117A989

Memory Dump Source

Source File: 00000001.00000002.589999631.000000000117A000.00000040.00000001.sdmp, Offset: 0117A000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 8ce72b00c80bf9581546fe10c0d6e2ba98934730cb989207448c8ef482cd5340
Instruction ID: 15d9ffd962131c41ac66225fb5bfb12859b85b3057558f2b3478e44258464e15
Opcode Fuzzy Hash: 8ce72b00c80bf9581546fe10c0d6e2ba98934730cb989207448c8ef482cd5340
Instruction Fuzzy Hash: 24219F72500604AEE7219B69DC45F6BFBACEF04710F18895BEE459B241D760E4188B71

Uniqueness

Uniqueness Score: -1.00%

Function 05A32EA8, Relevance: 1.6, APIs: 1, Instructions: 73COMMON

Download Yara Rule

APIs

GetAdaptersAddresses.IPHLPAPI(?,00000E2C,02477BF8,00000000,00000000,00000000,00000000), ref: 05A32F3D

Memory Dump Source

Source File: 00000001.00000002.594525419.0000000005A30000.00000040.00000001.sdmp, Offset: 05A30000, based on PE: false

Similarity

API ID: AdaptersAddresses
String ID:
API String ID: 2506852604-0
Opcode ID: f09d0d510b4238530676cea175fd869ba181ce09ff29e965981d7b4ce2317cc8
Instruction ID: 47b08e5d9127a4b11aa5d0f2d004257b2046397c86d77cdcfa2e91d3557dd525
Opcode Fuzzy Hash: f09d0d510b4238530676cea175fd869ba181ce09ff29e965981d7b4ce2317cc8
Instruction Fuzzy Hash: BE21F871408384AFE7228B15DC45F66FFB8EF06314F08849BE9845B153C265A508CB71

Uniqueness

Uniqueness Score: -1.00%

Function 05A31662, Relevance: 1.6, APIs: 1, Instructions: 73registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,00000E2C), ref: 05A316D6

Memory Dump Source

Source File: 00000001.00000002.594525419.0000000005A30000.00000040.00000001.sdmp, Offset: 05A30000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 31860b46bea2b38352d165fc9c65c0aa5a7a40b9539f608591d0491235916904
Instruction ID: 3752d342aba66ffdf879d76606c51d2797ccede6a05cfca3c0a0a091b06e9eb3
Opcode Fuzzy Hash: 31860b46bea2b38352d165fc9c65c0aa5a7a40b9539f608591d0491235916904
Instruction Fuzzy Hash: BC219D71500304AFEB209F65DC46F6AFBA8EF04724F18886BFE459B241D274A409CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 05A31D4F, Relevance: 1.6, APIs: 1, Instructions: 73COMMON

Download Yara Rule

APIs

setsockopt.WS2_32(?,?,?,?,?), ref: 05A31DCC

Memory Dump Source

Source File: 00000001.00000002.594525419.0000000005A30000.00000040.00000001.sdmp, Offset: 05A30000, based on PE: false

Similarity

API ID: setsockopt
String ID:
API String ID: 3981526788-0
Opcode ID: 1e61403ca4d4008d23d9aee6535d58c98ca82e85e89240f7d6528a16ae0b9326
Instruction ID: c02e2abe6f736ff1afe2cd2e776da5a2d0525a5f35f56ae2715e0a48ff629d76
Opcode Fuzzy Hash: 1e61403ca4d4008d23d9aee6535d58c98ca82e85e89240f7d6528a16ae0b9326
Instruction Fuzzy Hash: 2B219C311497C09FDB128B65D884AA6BFB4EF07320F1D84DAE9848F163C2659959CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0117B636, Relevance: 1.6, APIs: 1, Instructions: 73COMMON

Download Yara Rule

APIs

K32EnumProcessModules.KERNEL32(?,00000E2C,02477BF8,00000000,00000000,00000000,00000000), ref: 0117B6B2

Memory Dump Source

Source File: 00000001.00000002.589999631.000000000117A000.00000040.00000001.sdmp, Offset: 0117A000, based on PE: false

Similarity

API ID: EnumModulesProcess
String ID:
API String ID: 1082081703-0
Opcode ID: e901b8073837c6f5f0835013bef4af4348f19e05d5effa7141ad7717393efc0a
Instruction ID: 5b1ae5c7560a87be4479aa4ed83123eb0da02b32026aa2526df66b329ef44b4f
Opcode Fuzzy Hash: e901b8073837c6f5f0835013bef4af4348f19e05d5effa7141ad7717393efc0a
Instruction Fuzzy Hash: 8021B072108380AFE7128B65DC45F56FFB8EF46320F1884ABEA459B252D264A408CB71

Uniqueness

Uniqueness Score: -1.00%

Function 05A325E6, Relevance: 1.6, APIs: 1, Instructions: 72synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNELBASE(?,?), ref: 05A32659

Memory Dump Source

Source File: 00000001.00000002.594525419.0000000005A30000.00000040.00000001.sdmp, Offset: 05A30000, based on PE: false

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 17ac4f99b14e4821a95348a4bafa9f2858a4f6a1ae2aa39b20d2a4fe02160498
Instruction ID: 0061c07cf992fa8b36af07b50bca860b32ef74fcc86ef0a3ae5e074f254f8276
Opcode Fuzzy Hash: 17ac4f99b14e4821a95348a4bafa9f2858a4f6a1ae2aa39b20d2a4fe02160498
Instruction Fuzzy Hash: ED21BE75500240AFF720DF25DC86F66FBE8EF04724F14846AED858B241D770E405CA75

Uniqueness

Uniqueness Score: -1.00%

Function 05A32CF2, Relevance: 1.6, APIs: 1, Instructions: 72networkCOMMON

Download Yara Rule

APIs

WSAIoctl.WS2_32(?,00000E2C,02477BF8,00000000,00000000,00000000,00000000), ref: 05A32D6D

Memory Dump Source

Source File: 00000001.00000002.594525419.0000000005A30000.00000040.00000001.sdmp, Offset: 05A30000, based on PE: false

Similarity

API ID: Ioctl
String ID:
API String ID: 3041054344-0
Opcode ID: 4e225b11bed68e770cd1de8912cf73e67c6536af1ba8eeb92b10a181334b4b4f
Instruction ID: ff7f0f3cec118bf33780b36b3d93f194fd4f961643b2709b86a5a735673cf04c
Opcode Fuzzy Hash: 4e225b11bed68e770cd1de8912cf73e67c6536af1ba8eeb92b10a181334b4b4f
Instruction Fuzzy Hash: 0621A975100604AFEB20CF55DC81FA6FBE8EF08710F14846AEE468B211D670E408CB71

Uniqueness

Uniqueness Score: -1.00%

Function 0117ACEF, Relevance: 1.6, APIs: 1, Instructions: 72COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 0117AD6A

Memory Dump Source

Source File: 00000001.00000002.589999631.000000000117A000.00000040.00000001.sdmp, Offset: 0117A000, based on PE: false

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 3f52ec9d6c77f903ebc6c5aa8ab247222146f9b49ace3692452f36845eb8b26e
Instruction ID: 8bb8760d68bde26f63bdeb23c210f0763f98ce449af0c86035ebed5d0f85b449
Opcode Fuzzy Hash: 3f52ec9d6c77f903ebc6c5aa8ab247222146f9b49ace3692452f36845eb8b26e
Instruction Fuzzy Hash: 25217F765093805FE7128B65DC95B96BFF8AF06210F0D80EAE985CB263D264D908C761

Uniqueness

Uniqueness Score: -1.00%

Function 05A31F94, Relevance: 1.6, APIs: 1, Instructions: 70registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,02477BF8,00000000,00000000,00000000,00000000), ref: 05A32018

Memory Dump Source

Source File: 00000001.00000002.594525419.0000000005A30000.00000040.00000001.sdmp, Offset: 05A30000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: fb104eab713491687c94192895a6a62e3f8ba6481fbde503d5eef38eec520244
Instruction ID: cdf6c98c0953601ee497e79f021e8b80d6198ceb995caec7e16a902427b2de76
Opcode Fuzzy Hash: fb104eab713491687c94192895a6a62e3f8ba6481fbde503d5eef38eec520244
Instruction Fuzzy Hash: A1216A72500204AEEB21CF15DC81FA7FBECEF45724F08846AFA569A251D361E808CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 05A327AC, Relevance: 1.6, APIs: 1, Instructions: 69timeCOMMON

Download Yara Rule

APIs

GetProcessTimes.KERNELBASE(?,00000E2C,02477BF8,00000000,00000000,00000000,00000000), ref: 05A3281D

Memory Dump Source

Source File: 00000001.00000002.594525419.0000000005A30000.00000040.00000001.sdmp, Offset: 05A30000, based on PE: false

Similarity

API ID: ProcessTimes
String ID:
API String ID: 1995159646-0
Opcode ID: 147ae878ecadd6d5ebc7ad835a2257231fb108f8d44fc4df17aebdd79f757072
Instruction ID: daafca434cce5e3bd208adedc65f12a3f3bc0a45102665ff76793886137c497c
Opcode Fuzzy Hash: 147ae878ecadd6d5ebc7ad835a2257231fb108f8d44fc4df17aebdd79f757072
Instruction Fuzzy Hash: 9011AC72500204BFEB218F55DC85FA7FBACEF45720F14846AFE459B251D271A804CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 05A3176E, Relevance: 1.6, APIs: 1, Instructions: 69registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,02477BF8,00000000,00000000,00000000,00000000), ref: 05A317E0

Memory Dump Source

Source File: 00000001.00000002.594525419.0000000005A30000.00000040.00000001.sdmp, Offset: 05A30000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: c9e231361a0d18ca47ca91fa6b5ac3acc2060520db92bec28b9fd7a47404e47b
Instruction ID: f21974169210ef13c62ccc49948dbb9a74b067b1dd873d1d9bc3cf5b774a59c3
Opcode Fuzzy Hash: c9e231361a0d18ca47ca91fa6b5ac3acc2060520db92bec28b9fd7a47404e47b
Instruction Fuzzy Hash: 0B218972500204AFEB21CF65DC86FA7BBECEF04724F18846BEE459B241D674E409CAB1

Uniqueness

Uniqueness Score: -1.00%

Function 05A32F7A, Relevance: 1.6, APIs: 1, Instructions: 69networkCOMMON

Download Yara Rule

APIs

WSAConnect.WS2_32(?,?,?,?,?,?,?), ref: 05A32FFE

Memory Dump Source

Source File: 00000001.00000002.594525419.0000000005A30000.00000040.00000001.sdmp, Offset: 05A30000, based on PE: false

Similarity

API ID: Connect
String ID:
API String ID: 3144859779-0
Opcode ID: 5656c1eb186aad61f8921aa5e7989bef0c9e025f0b1af5a3070e7bc3db59a3ba
Instruction ID: 359dd5e5b0fad8e427d7b2efeb4d052a7b3d52a329c952a3fdd3a6cc9a956d33
Opcode Fuzzy Hash: 5656c1eb186aad61f8921aa5e7989bef0c9e025f0b1af5a3070e7bc3db59a3ba
Instruction Fuzzy Hash: 6B21B0754093C0AFDB228F60CC45E92FFF4EF06210F0984DEE9858B123D275A508DB61

Uniqueness

Uniqueness Score: -1.00%

Function 0117AA12, Relevance: 1.6, APIs: 1, Instructions: 69registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,02477BF8,00000000,00000000,00000000,00000000), ref: 0117AA8C

Memory Dump Source

Source File: 00000001.00000002.589999631.000000000117A000.00000040.00000001.sdmp, Offset: 0117A000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: b0a0076298d09959af21c135b02fb8652d2c15825f79d382b36142c0551003c3
Instruction ID: 5bc045bb2b4d7fc3f72ea900433e1ca26de85e02e8b67537ab100582548ea4e5
Opcode Fuzzy Hash: b0a0076298d09959af21c135b02fb8652d2c15825f79d382b36142c0551003c3
Instruction Fuzzy Hash: E7216A71600604AEE721DF19DD84FABBBE8EF04710F18846AEA459B351D760E908CB72

Uniqueness

Uniqueness Score: -1.00%

Function 05A31A87, Relevance: 1.6, APIs: 1, Instructions: 68networkCOMMON

Download Yara Rule

APIs

GetNetworkParams.IPHLPAPI(?,00000E2C,02477BF8,00000000,00000000,00000000,00000000), ref: 05A31B08

Memory Dump Source

Source File: 00000001.00000002.594525419.0000000005A30000.00000040.00000001.sdmp, Offset: 05A30000, based on PE: false

Similarity

API ID: NetworkParams
String ID:
API String ID: 2134775280-0
Opcode ID: dc784c3762a6d724065539cc5641955bec49372bb8102f61601b0746bb71149a
Instruction ID: cdd6eeae40b11df5e2f935a0670eac4c8e346eb789a88c19bf6ba3da5849d4e6
Opcode Fuzzy Hash: dc784c3762a6d724065539cc5641955bec49372bb8102f61601b0746bb71149a
Instruction Fuzzy Hash: 1B21D271408384AFE7128F15CC45FA6FFB8EF46324F0884DBED849B253C264A449CB61

Uniqueness

Uniqueness Score: -1.00%

Function 05A32242, Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

OpenFileMappingW.KERNELBASE(?,?), ref: 05A322AD

Memory Dump Source

Source File: 00000001.00000002.594525419.0000000005A30000.00000040.00000001.sdmp, Offset: 05A30000, based on PE: false

Similarity

API ID: FileMappingOpen
String ID:
API String ID: 1680863896-0
Opcode ID: 87e2631b0884a7a629493f08d69bda9e7b82248bd5fb7e2ffb34281d35cde511
Instruction ID: 825598def51aa3094cc0806ff09091fae8366481056e3f7ab82b610900b166aa
Opcode Fuzzy Hash: 87e2631b0884a7a629493f08d69bda9e7b82248bd5fb7e2ffb34281d35cde511
Instruction Fuzzy Hash: E421AC75500200AFE720DF65CC86FA6FBE8EF44724F14846AEE858B242E6B1E404CA71

Uniqueness

Uniqueness Score: -1.00%

Function 0117AFD4, Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 0117B040

Memory Dump Source

Source File: 00000001.00000002.589999631.000000000117A000.00000040.00000001.sdmp, Offset: 0117A000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 664e1a7633cce5bf2a0a485cde189d834420f4e76ba4935c49a484cca0fcd87d
Instruction ID: 8d499fdf5693b47896d7cd1d224696e50c1dce5c7b4a8b0c0131a7d4318883b7
Opcode Fuzzy Hash: 664e1a7633cce5bf2a0a485cde189d834420f4e76ba4935c49a484cca0fcd87d
Instruction Fuzzy Hash: 1E21C3725093C05FEB038B25DC55A92BFB4AF07724F0980DBED858F263D2759908CB61

Uniqueness

Uniqueness Score: -1.00%

Function 05A31C8A, Relevance: 1.6, APIs: 1, Instructions: 67networkCOMMON

Download Yara Rule

APIs

WSASocketW.WS2_32 ref: 05A31CF6

Memory Dump Source

Source File: 00000001.00000002.594525419.0000000005A30000.00000040.00000001.sdmp, Offset: 05A30000, based on PE: false

Similarity

API ID: Socket
String ID:
API String ID: 38366605-0
Opcode ID: 7e155e0fea27b2e2c7a66b4292f07abc8daff86f78d2de446920b6692687de9d
Instruction ID: fd4bc71285e3a7e7928efd91077569454958ec771e8e9b9a6c261153317b2e30
Opcode Fuzzy Hash: 7e155e0fea27b2e2c7a66b4292f07abc8daff86f78d2de446920b6692687de9d
Instruction Fuzzy Hash: 2821CD71500600AFEB21DF65DC45FA6FBE9EF09724F14886AEE858B251D7B1A408CB71

Uniqueness

Uniqueness Score: -1.00%

Function 05A32342, Relevance: 1.6, APIs: 1, Instructions: 67fileCOMMON

Download Yara Rule

APIs

MapViewOfFile.KERNELBASE ref: 05A323B6

Memory Dump Source

Source File: 00000001.00000002.594525419.0000000005A30000.00000040.00000001.sdmp, Offset: 05A30000, based on PE: false

Similarity

API ID: FileView
String ID:
API String ID: 3314676101-0
Opcode ID: 9889c16a64d9924153f7830b459844cae6784bbafaed65ca517a6b6a032390df
Instruction ID: b15e36134af8b971e7c5e97b649518bce90497f1005b02dfc9bd709f4b0a6516
Opcode Fuzzy Hash: 9889c16a64d9924153f7830b459844cae6784bbafaed65ca517a6b6a032390df
Instruction Fuzzy Hash: 0021AC71500600EFE721DF25DC85FAAFBE8EF08724F14845AEA859B241D7B1A508CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 0117B73E, Relevance: 1.6, APIs: 1, Instructions: 67COMMON

Download Yara Rule

APIs

K32GetModuleInformation.KERNEL32(?,00000E2C,02477BF8,00000000,00000000,00000000,00000000), ref: 0117B7A2

Memory Dump Source

Source File: 00000001.00000002.589999631.000000000117A000.00000040.00000001.sdmp, Offset: 0117A000, based on PE: false

Similarity

API ID: InformationModule
String ID:
API String ID: 3425974696-0
Opcode ID: 97271d0e8e820ffda673e1ca119430f348893263ff237b691f86a141dc2db0fa
Instruction ID: 8f55bb4ef6c4d9a299715f6287f2bf113f0fff5ebcf467aa01a543bc4ecf1b74
Opcode Fuzzy Hash: 97271d0e8e820ffda673e1ca119430f348893263ff237b691f86a141dc2db0fa
Instruction Fuzzy Hash: 9311AF71504604AFEB20CF29DC85F6AFBA8EF05710F18846BEE05DB281D760E404CB75

Uniqueness

Uniqueness Score: -1.00%

Function 0117AAFB, Relevance: 1.6, APIs: 1, Instructions: 67COMMON

Download Yara Rule

APIs

MkParseDisplayName.OLE32(?,00000E2C,?,?), ref: 0117AB7E

Memory Dump Source

Source File: 00000001.00000002.589999631.000000000117A000.00000040.00000001.sdmp, Offset: 0117A000, based on PE: false

Similarity

API ID: DisplayNameParse
String ID:
API String ID: 3580041360-0
Opcode ID: 9462643055af8a08f09e4f1c076a027078f542787ecc903674d9b4977cb8786c
Instruction ID: dd726bc4f2ed5b7cbe8ef79780303fbba9bc8a8ea85061484d8b74700ea02e7d
Opcode Fuzzy Hash: 9462643055af8a08f09e4f1c076a027078f542787ecc903674d9b4977cb8786c
Instruction Fuzzy Hash: BB21A5715493806FD3128B25CC41F72BFB8EF86A20F1981DBED848B653D225A915CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0117AC3B, Relevance: 1.6, APIs: 1, Instructions: 66COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 0117ACA8

Memory Dump Source

Source File: 00000001.00000002.589999631.000000000117A000.00000040.00000001.sdmp, Offset: 0117A000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 85c9fa5085da3724e9577ed36e83257ad4aae41821d98fda46ed6ff01bded825
Instruction ID: 4d1fb9234a176e3b71eb605d7b0115a23e13a999240714fd634e06f4119bb9b7
Opcode Fuzzy Hash: 85c9fa5085da3724e9577ed36e83257ad4aae41821d98fda46ed6ff01bded825
Instruction Fuzzy Hash: 832190754093C06FEB138B25DC51B92BFB4EF07220F0984DBED858F253D2659948CB61

Uniqueness

Uniqueness Score: -1.00%

Function 05A31FA6, Relevance: 1.6, APIs: 1, Instructions: 65registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,02477BF8,00000000,00000000,00000000,00000000), ref: 05A32018

Memory Dump Source

Source File: 00000001.00000002.594525419.0000000005A30000.00000040.00000001.sdmp, Offset: 05A30000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 72cceb02739239d4a8835d8989b4ab781499243e99a5f12458bb99e3d53f52c1
Instruction ID: a1ab01158f66b409ec736ab40b059d1eb15e93740717b83ce24f9e206d334dbf
Opcode Fuzzy Hash: 72cceb02739239d4a8835d8989b4ab781499243e99a5f12458bb99e3d53f52c1
Instruction Fuzzy Hash: 7711AC76500604AEEB20CF15DC82F67FBE8EF05714F1884ABEA469B251D6B4E808CB71

Uniqueness

Uniqueness Score: -1.00%

Function 05A327BE, Relevance: 1.6, APIs: 1, Instructions: 64timeCOMMON

Download Yara Rule

APIs

GetProcessTimes.KERNELBASE(?,00000E2C,02477BF8,00000000,00000000,00000000,00000000), ref: 05A3281D

Memory Dump Source

Source File: 00000001.00000002.594525419.0000000005A30000.00000040.00000001.sdmp, Offset: 05A30000, based on PE: false

Similarity

API ID: ProcessTimes
String ID:
API String ID: 1995159646-0
Opcode ID: 542d3c98888da89a9722dd1fea761a6cf6e29a14657d1a230eee5951b9a83bb3
Instruction ID: a1bd5202a90a928ce005ddeb6b5ae0c3b820d3b84eb32cfd881d48a124a09ff6
Opcode Fuzzy Hash: 542d3c98888da89a9722dd1fea761a6cf6e29a14657d1a230eee5951b9a83bb3
Instruction Fuzzy Hash: 5011D071500200AFEB21CF65DC45FAAFFA8EF04720F14846BEE459B241D674A405CB71

Uniqueness

Uniqueness Score: -1.00%

Function 05A32DFA, Relevance: 1.6, APIs: 1, Instructions: 63networkCOMMON

Download Yara Rule

APIs

WSAEventSelect.WS2_32(?,00000E2C,02477BF8,00000000,00000000,00000000,00000000), ref: 05A32E5E

Memory Dump Source

Source File: 00000001.00000002.594525419.0000000005A30000.00000040.00000001.sdmp, Offset: 05A30000, based on PE: false

Similarity

API ID: EventSelect
String ID:
API String ID: 31538577-0
Opcode ID: dee6d370cba7f3cfcd1af273c79f94e135262dce714af83be5e4908f3dcb22e6
Instruction ID: 11f1fafe9b6fe19e74ec9043c0bc9c6552f298ab4b1f6fbda19f5aff341b36b5
Opcode Fuzzy Hash: dee6d370cba7f3cfcd1af273c79f94e135262dce714af83be5e4908f3dcb22e6
Instruction Fuzzy Hash: F011B272400204AEEB11CF55DC86FABFFACEF45724F24846BEE459B241D674A5098B71

Uniqueness

Uniqueness Score: -1.00%

Function 0117B656, Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

K32EnumProcessModules.KERNEL32(?,00000E2C,02477BF8,00000000,00000000,00000000,00000000), ref: 0117B6B2

Memory Dump Source

Source File: 00000001.00000002.589999631.000000000117A000.00000040.00000001.sdmp, Offset: 0117A000, based on PE: false

Similarity

API ID: EnumModulesProcess
String ID:
API String ID: 1082081703-0
Opcode ID: 0d910c54e78688b5611b619b1123a601bf8fc38dacd31356038a76f262ee6fa3
Instruction ID: 0158ba9792a3abc613630b931d5537daa160a0846aa293ad7b0fbe4547262fbf
Opcode Fuzzy Hash: 0d910c54e78688b5611b619b1123a601bf8fc38dacd31356038a76f262ee6fa3
Instruction Fuzzy Hash: 8411EF71504200AFEB218F29DC85FAAFBA8EF04720F14846BFE459B241D7B0A408CB72

Uniqueness

Uniqueness Score: -1.00%

Function 0117A836, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 0117A8A8

Memory Dump Source

Source File: 00000001.00000002.589999631.000000000117A000.00000040.00000001.sdmp, Offset: 0117A000, based on PE: false

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 94bf5c1f06b474a1e2f25333b1f8c8c827cc8da175dd95b19ed0637b5c021bcd
Instruction ID: 23815078ca98280351601afb7002d3dddd1cfa97f64d36f8edcd3ee78d9131ef
Opcode Fuzzy Hash: 94bf5c1f06b474a1e2f25333b1f8c8c827cc8da175dd95b19ed0637b5c021bcd
Instruction Fuzzy Hash: 08216A714093C4AFE7138B259C54A52BFB4DF07624F0D80DBDD859F2A3D2695908DB72

Uniqueness

Uniqueness Score: -1.00%

Function 0117A78B, Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0117A7F6

Memory Dump Source

Source File: 00000001.00000002.589999631.000000000117A000.00000040.00000001.sdmp, Offset: 0117A000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: d9fc218b4626ef99b6fd6ccb511374538a6bbd4492d811f1f70ba31b5adfd973
Instruction ID: f8785369128b8f0e931b978a0be90528c90450ff1f9741edc990998a645c45bb
Opcode Fuzzy Hash: d9fc218b4626ef99b6fd6ccb511374538a6bbd4492d811f1f70ba31b5adfd973
Instruction Fuzzy Hash: 7A11B472409380AFDB228F54DC44E62FFF4EF4A210F0884DAEE858B253D375A418DB61

Uniqueness

Uniqueness Score: -1.00%

Function 0117B25A, Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

TerminateProcess.KERNELBASE(?,00000E2C,02477BF8,00000000,00000000,00000000,00000000), ref: 0117B2B0

Memory Dump Source

Source File: 00000001.00000002.589999631.000000000117A000.00000040.00000001.sdmp, Offset: 0117A000, based on PE: false

Similarity

API ID: ProcessTerminate
String ID:
API String ID: 560597551-0
Opcode ID: 74a35bbec0aad160f3b2cbb9daea91ff6d45bacb0bd7e4d42d48d5c09a9b4e52
Instruction ID: 4050b768593c3f6393bc6b40acd711e57d899ef3b1241d236cd0586247b1708f
Opcode Fuzzy Hash: 74a35bbec0aad160f3b2cbb9daea91ff6d45bacb0bd7e4d42d48d5c09a9b4e52
Instruction Fuzzy Hash: 5711E071504200AFEB118F29DC85BAAFBA8EF05720F1484ABEE05DB341D7B4A4048BB1

Uniqueness

Uniqueness Score: -1.00%

Function 05A30FEE, Relevance: 1.6, APIs: 1, Instructions: 60COMMON

Download Yara Rule

APIs

setsockopt.WS2_32(?,00000E2C,02477BF8,00000000,00000000,00000000,00000000), ref: 05A3104D

Memory Dump Source

Source File: 00000001.00000002.594525419.0000000005A30000.00000040.00000001.sdmp, Offset: 05A30000, based on PE: false

Similarity

API ID: setsockopt
String ID:
API String ID: 3981526788-0
Opcode ID: 5c21e6fb097bc8e08ea87220afc908b378b09bb263706b348c0bee5de365e136
Instruction ID: 110a47aaaa563814760c5250731e9181dca8062b34f49296b33acf3ec65e5de2
Opcode Fuzzy Hash: 5c21e6fb097bc8e08ea87220afc908b378b09bb263706b348c0bee5de365e136
Instruction Fuzzy Hash: 4A110131400200EFEB21CF55DC82FA6FBACEF05720F1484ABEE499B201D674A408CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 05A3183A, Relevance: 1.6, APIs: 1, Instructions: 58COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNELBASE(?), ref: 05A31898

Memory Dump Source

Source File: 00000001.00000002.594525419.0000000005A30000.00000040.00000001.sdmp, Offset: 05A30000, based on PE: false

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 840dedde323c797cb163e9311ef46018c423c361f9c1cb46e83732fe4901e087
Instruction ID: 554245c4d9ad174302558e9eecb8d949435ce3b5a2b620e892c0c0f2e9192ab0
Opcode Fuzzy Hash: 840dedde323c797cb163e9311ef46018c423c361f9c1cb46e83732fe4901e087
Instruction Fuzzy Hash: 6C11B2715093C4AFD7128F65DC45B92BFF8EF06220F0884EBED858F262D275A508CB61

Uniqueness

Uniqueness Score: -1.00%

Function 05A32C16, Relevance: 1.6, APIs: 1, Instructions: 58COMMON

Download Yara Rule

APIs

ioctlsocket.WS2_32(?,00000E2C,02477BF8,00000000,00000000,00000000,00000000), ref: 05A32C6F

Memory Dump Source

Source File: 00000001.00000002.594525419.0000000005A30000.00000040.00000001.sdmp, Offset: 05A30000, based on PE: false

Similarity

API ID: ioctlsocket
String ID:
API String ID: 3577187118-0
Opcode ID: 8b1526c36c2e120ad7913685d5dbc2f2a7d45dc3bdcf890400d23739b7c60677
Instruction ID: dda47d2321cfb3f89a24d08377c8c86d59c96f8ace14c2ace779e3f2022f28ca
Opcode Fuzzy Hash: 8b1526c36c2e120ad7913685d5dbc2f2a7d45dc3bdcf890400d23739b7c60677
Instruction Fuzzy Hash: 3E110271400200AFEB20CF25DC85FA6FBA8EF44724F18C4ABEE099B251D6B4A404CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 05A31097, Relevance: 1.6, APIs: 1, Instructions: 57COMMON

Download Yara Rule

APIs

FindClose.KERNELBASE(?), ref: 05A31104

Memory Dump Source

Source File: 00000001.00000002.594525419.0000000005A30000.00000040.00000001.sdmp, Offset: 05A30000, based on PE: false

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: 0c3a67af151ba63ed7b36728942a467b50458e43e90c86fabcc2c06fc678a945
Instruction ID: 639c294f34f27a090b368767155d53781236672bdaee77c5a4d00f121f8819de
Opcode Fuzzy Hash: 0c3a67af151ba63ed7b36728942a467b50458e43e90c86fabcc2c06fc678a945
Instruction Fuzzy Hash: 8511D0755093C09FD7128B25DC45B92FFE4AF03324F0D80EBED858B263C264A908CB61

Uniqueness

Uniqueness Score: -1.00%

Function 05A326EE, Relevance: 1.6, APIs: 1, Instructions: 57COMMON

Download Yara Rule

APIs

shutdown.WS2_32(?,00000E2C,02477BF8,00000000,00000000,00000000,00000000), ref: 05A32744

Memory Dump Source

Source File: 00000001.00000002.594525419.0000000005A30000.00000040.00000001.sdmp, Offset: 05A30000, based on PE: false

Similarity

API ID: shutdown
String ID:
API String ID: 2510479042-0
Opcode ID: e2dc2fa1f55241ad0fcd513b34dafce3df2a7c08aaea7d2473cefbfe5f0e15de
Instruction ID: 026ca17d451e7877cecb9db278807b1e2c286f6c411e549f618d5f21d37dd273
Opcode Fuzzy Hash: e2dc2fa1f55241ad0fcd513b34dafce3df2a7c08aaea7d2473cefbfe5f0e15de
Instruction Fuzzy Hash: F311E575500204AFEB20CF19DC86FA6FFA8EF45724F1484A7EE44AB241D6B4A404CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 05A306CE, Relevance: 1.6, APIs: 1, Instructions: 56libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,00000E2C), ref: 05A30737

Memory Dump Source

Source File: 00000001.00000002.594525419.0000000005A30000.00000040.00000001.sdmp, Offset: 05A30000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 0cbebbe1cb803f11a00eba4e8190c1eeee12d143044feb0bc4978b90fd2689fa
Instruction ID: 622321e1aa8883fab783a488e0ef8c84f9bc2d7efef5a3e9cf36b42119cc8aaf
Opcode Fuzzy Hash: 0cbebbe1cb803f11a00eba4e8190c1eeee12d143044feb0bc4978b90fd2689fa
Instruction Fuzzy Hash: 4A11E571500704AFF720DB15DC8AFA6FFA8EF05724F24849AFE455A281D2B4A548CAB1

Uniqueness

Uniqueness Score: -1.00%

Function 05A32EDE, Relevance: 1.6, APIs: 1, Instructions: 56COMMON

Download Yara Rule

APIs

GetAdaptersAddresses.IPHLPAPI(?,00000E2C,02477BF8,00000000,00000000,00000000,00000000), ref: 05A32F3D

Memory Dump Source

Source File: 00000001.00000002.594525419.0000000005A30000.00000040.00000001.sdmp, Offset: 05A30000, based on PE: false

Similarity

API ID: AdaptersAddresses
String ID:
API String ID: 2506852604-0
Opcode ID: 2c6c1d5a49da19e249c6164202f6953781f21a0ddcfdfe0b4064826eb307f80d
Instruction ID: 6a55ba59a5e49e42559339b84361f3b5aea95b451f15fa1726f74f08329ffd43
Opcode Fuzzy Hash: 2c6c1d5a49da19e249c6164202f6953781f21a0ddcfdfe0b4064826eb307f80d
Instruction Fuzzy Hash: 75110E35000600EFEB208F15DC82FA6FFA8EF04724F1484ABFE459B251C2B1A418CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 0117A44B, Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

closesocket.WS2_32(?), ref: 0117A4AC

Memory Dump Source

Source File: 00000001.00000002.589999631.000000000117A000.00000040.00000001.sdmp, Offset: 0117A000, based on PE: false

Similarity

API ID: closesocket
String ID:
API String ID: 2781271927-0
Opcode ID: 7ae496bb08d68042be4057a00659970892b8dad65aa4264bb2363634d5af18bb
Instruction ID: 86415bfb53aeb4daf2d82a22f423cf450c390987cdac9e382e030f8330ca1459
Opcode Fuzzy Hash: 7ae496bb08d68042be4057a00659970892b8dad65aa4264bb2363634d5af18bb
Instruction Fuzzy Hash: 3211BF71449384AFD7128F24DC49B52BFB4EF06224F1884DBED498F253D279A408CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0117A078, Relevance: 1.6, APIs: 1, Instructions: 54networkCOMMON

Download Yara Rule

APIs

recv.WS2_32(?,?,?,?), ref: 0117A0D5

Memory Dump Source

Source File: 00000001.00000002.589999631.000000000117A000.00000040.00000001.sdmp, Offset: 0117A000, based on PE: false

Similarity

API ID: recv
String ID:
API String ID: 1507349165-0
Opcode ID: 5f7ea1e656efa45f3c5ace555f94f561a33aed067577878aa1d2578f7d944c5a
Instruction ID: de53f2cf05101233212fb24a8cf79f9271bdce75748f293870e79e89174b49df
Opcode Fuzzy Hash: 5f7ea1e656efa45f3c5ace555f94f561a33aed067577878aa1d2578f7d944c5a
Instruction Fuzzy Hash: 9711BF71449380AFDB22CF15EC44B56FFB4EF46224F08849AED848B252D275A408CB61

Uniqueness

Uniqueness Score: -1.00%

Function 05A31AB2, Relevance: 1.6, APIs: 1, Instructions: 53networkCOMMON

Download Yara Rule

APIs

GetNetworkParams.IPHLPAPI(?,00000E2C,02477BF8,00000000,00000000,00000000,00000000), ref: 05A31B08

Memory Dump Source

Source File: 00000001.00000002.594525419.0000000005A30000.00000040.00000001.sdmp, Offset: 05A30000, based on PE: false

Similarity

API ID: NetworkParams
String ID:
API String ID: 2134775280-0
Opcode ID: 04a8c8787b43ffade9c964e946df5dbd4f262054d3ebeb5163014fc600d684c0
Instruction ID: 3c4c59739054c5b4ba2ff8fff05bbc2000a8e743d9320b2cd6ecc09c16d1e74b
Opcode Fuzzy Hash: 04a8c8787b43ffade9c964e946df5dbd4f262054d3ebeb5163014fc600d684c0
Instruction Fuzzy Hash: 3A010031500204AEEB20CF15CC82FA6FFA8EF45724F1484ABFE449B241D6B4A409CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 0117AD22, Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 0117AD6A

Memory Dump Source

Source File: 00000001.00000002.589999631.000000000117A000.00000040.00000001.sdmp, Offset: 0117A000, based on PE: false

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 306dd641d04eea66795235808618d3153f8a45a7ba5c81dfb70e3d0d155d7b12
Instruction ID: fe1dca13fa6c7e3850d0489c37cff42715f482a2074ca8eb253ab3fc3e57e6f1
Opcode Fuzzy Hash: 306dd641d04eea66795235808618d3153f8a45a7ba5c81dfb70e3d0d155d7b12
Instruction Fuzzy Hash: F0118E71A002009FEB64CF29E885B5AFBE8EF04621F1880AADD49CB342D774E404CA72

Uniqueness

Uniqueness Score: -1.00%

Function 0515A4F8, Relevance: 1.6, APIs: 1, Instructions: 53libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0515A538

Memory Dump Source

Source File: 00000001.00000002.594031790.0000000005150000.00000040.00000001.sdmp, Offset: 05150000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 259ce492a8b824783bc43f9b3ab03d3cafb7b0c0edc21d1daef93584b15419f5
Instruction ID: a593f51c6a1968f6dd05d77e73ede9c3f7db3bf4c8d56bc34e35cb7e6bd0d6f8
Opcode Fuzzy Hash: 259ce492a8b824783bc43f9b3ab03d3cafb7b0c0edc21d1daef93584b15419f5
Instruction Fuzzy Hash: 1D112B30A00219DFCB14EFB8D458BAEBBB2FF89311F208529D911A7340DB359881CB91

Uniqueness

Uniqueness Score: -1.00%

Function 05A30F2E, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E2C,02477BF8,00000000,00000000,00000000,00000000), ref: 05A30F81

Memory Dump Source

Source File: 00000001.00000002.594525419.0000000005A30000.00000040.00000001.sdmp, Offset: 05A30000, based on PE: false

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 2df52b9cf3c416110bb33d5dfee350804b6137cf3d2bae0a689c8fddc7ff37b0
Instruction ID: c46cbc6519fd8167e6c8d7552307181319decf49ea19f81f16c3d3919990520d
Opcode Fuzzy Hash: 2df52b9cf3c416110bb33d5dfee350804b6137cf3d2bae0a689c8fddc7ff37b0
Instruction Fuzzy Hash: 6401D271500604AFE720CB15DC8AFA6FFA8EF45724F1480A7EE459B241D6B4A5088AB2

Uniqueness

Uniqueness Score: -1.00%

Function 05A32FB2, Relevance: 1.5, APIs: 1, Instructions: 49networkCOMMON

Download Yara Rule

APIs

WSAConnect.WS2_32(?,?,?,?,?,?,?), ref: 05A32FFE

Memory Dump Source

Source File: 00000001.00000002.594525419.0000000005A30000.00000040.00000001.sdmp, Offset: 05A30000, based on PE: false

Similarity

API ID: Connect
String ID:
API String ID: 3144859779-0
Opcode ID: 5062ee9577664003fd1d86c4d5238b5f6ba52ecc85a0365e0ebf57af2ab92c11
Instruction ID: 128c3e8ba3b506a112a3676f8cf66c3d4b37c4ef714e322cab4d3bac09fb4ff7
Opcode Fuzzy Hash: 5062ee9577664003fd1d86c4d5238b5f6ba52ecc85a0365e0ebf57af2ab92c11
Instruction Fuzzy Hash: 78119A35404640AFEB20CF55D845F62FBE4EF08720F0888AAEE4A8B212D271E418DB61

Uniqueness

Uniqueness Score: -1.00%

Function 0117B85E, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

K32GetModuleFileNameExW.KERNEL32(?,00000E2C,?,?), ref: 0117B8AE

Memory Dump Source

Source File: 00000001.00000002.589999631.000000000117A000.00000040.00000001.sdmp, Offset: 0117A000, based on PE: false

Similarity

API ID: FileModuleName
String ID:
API String ID: 514040917-0
Opcode ID: 7ccb9d32d53442eeb1fc9c666b65627d932e156ad999e6f9ea92010eaea89ce9
Instruction ID: 1e04512eefe18c65de6697d49ac0b67cbbece8d87bbb00e7c08b2b526099c062
Opcode Fuzzy Hash: 7ccb9d32d53442eeb1fc9c666b65627d932e156ad999e6f9ea92010eaea89ce9
Instruction Fuzzy Hash: CE017172540600ABE710DF16DC86F66FBA8EB88B20F14816AED089B741E371F515CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0117A172, Relevance: 1.5, APIs: 1, Instructions: 47networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(?,00000E2C,?,?), ref: 0117A1C2

Memory Dump Source

Source File: 00000001.00000002.589999631.000000000117A000.00000040.00000001.sdmp, Offset: 0117A000, based on PE: false

Similarity

API ID: Startup
String ID:
API String ID: 724789610-0
Opcode ID: 339de1a9708d3dcf426796fa31bb216516ef101b01a27b7f12c93710233a055b
Instruction ID: 0c0475859fe6f45ffd98a289f2c63aae2e42f136a20e39b8309464a27fc942a6
Opcode Fuzzy Hash: 339de1a9708d3dcf426796fa31bb216516ef101b01a27b7f12c93710233a055b
Instruction Fuzzy Hash: BE017171540600ABE710DF16DC86B66FBA8EB88A20F14816AED089B741E375F515CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0117B366, Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

FormatMessageW.KERNELBASE(?,00000E2C,?,?), ref: 0117B3B6

Memory Dump Source

Source File: 00000001.00000002.589999631.000000000117A000.00000040.00000001.sdmp, Offset: 0117A000, based on PE: false

Similarity

API ID: FormatMessage
String ID:
API String ID: 1306739567-0
Opcode ID: 2fe6094fc3c24c581482a9ce01a6afbcac864d1fc1a3d695cd8fc98f030a9b59
Instruction ID: dde16039ff8913e08b0ed0c3174f60d3d7f46be4c08773eff580c9745f9f9549
Opcode Fuzzy Hash: 2fe6094fc3c24c581482a9ce01a6afbcac864d1fc1a3d695cd8fc98f030a9b59
Instruction Fuzzy Hash: 5C017172540600ABE710DF16DC86F66FBA8EB88B20F14816AED099B741E371F515CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 0117A7B2, Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0117A7F6

Memory Dump Source

Source File: 00000001.00000002.589999631.000000000117A000.00000040.00000001.sdmp, Offset: 0117A000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 0324b77633b4fa4605d5989a254303c78e25d4813f7b5c3bf8bc31d532e479d7
Instruction ID: cfe0849fe58b0afd5ab4f5ed9d366f128ee59e469ae713c9a98a1e0aa70432b2
Opcode Fuzzy Hash: 0324b77633b4fa4605d5989a254303c78e25d4813f7b5c3bf8bc31d532e479d7
Instruction Fuzzy Hash: 61016D32404600EFDB218F55E844B66FFF4EF08721F18C5AADE494B652D376A419DF62

Uniqueness

Uniqueness Score: -1.00%

Function 05A31D8E, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

setsockopt.WS2_32(?,?,?,?,?), ref: 05A31DCC

Memory Dump Source

Source File: 00000001.00000002.594525419.0000000005A30000.00000040.00000001.sdmp, Offset: 05A30000, based on PE: false

Similarity

API ID: setsockopt
String ID:
API String ID: 3981526788-0
Opcode ID: 3e3afc51f77ddba67ce44ddd692e8503d4edec35f24457283b44f58b036d4c42
Instruction ID: efb0e66be6ee70f6ca0c8f461092666dd734bb6c6d7b5e9b8c6c1d5543926c18
Opcode Fuzzy Hash: 3e3afc51f77ddba67ce44ddd692e8503d4edec35f24457283b44f58b036d4c42
Instruction Fuzzy Hash: AE019E31400640DFDB20CF55D845F66FFE4EF05725F1884AAEE498B216D2B5A018CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 05A315C6, Relevance: 1.5, APIs: 1, Instructions: 43registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.KERNELBASE(?,00000E2C,?,?), ref: 05A31616

Memory Dump Source

Source File: 00000001.00000002.594525419.0000000005A30000.00000040.00000001.sdmp, Offset: 05A30000, based on PE: false

Similarity

API ID: Enum
String ID:
API String ID: 2928410991-0
Opcode ID: 77cadd484ceb5f1b20de8c72f5b7314881d928159c356fa1b3a61b1989fc0d7d
Instruction ID: 5ee438054d09074d221bd2adb694e88382066b1b2f74b3645c9d8b64d07a8a62
Opcode Fuzzy Hash: 77cadd484ceb5f1b20de8c72f5b7314881d928159c356fa1b3a61b1989fc0d7d
Instruction Fuzzy Hash: 0101A272500600ABD210DF16DC82F26FBA8FB88B20F14811AED085B741E371F515CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 05A31866, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNELBASE(?), ref: 05A31898

Memory Dump Source

Source File: 00000001.00000002.594525419.0000000005A30000.00000040.00000001.sdmp, Offset: 05A30000, based on PE: false

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 0b0ee3375fa6f387bce287b7559b45cb68b737a39b70e5dc9655e57dc09f99fd
Instruction ID: 2a6b6af0d77789ae9c5b7c4886b3ea9ff341e9207c3c718c97e787cc52f96730
Opcode Fuzzy Hash: 0b0ee3375fa6f387bce287b7559b45cb68b737a39b70e5dc9655e57dc09f99fd
Instruction Fuzzy Hash: 16018F759003449FEB10CF29D886BA6FFE4EF04625F18C4ABED098B252D6B5A408CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0117B00E, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 0117B040

Memory Dump Source

Source File: 00000001.00000002.589999631.000000000117A000.00000040.00000001.sdmp, Offset: 0117A000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 59ce36a9de6e2333ad2c37dd8d5c9cdc942899bb7efe4b43836e3ec55bd52703
Instruction ID: 97d97f53080fa138513a35e09ee979d0b270295535c4a95e8848261485dfee52
Opcode Fuzzy Hash: 59ce36a9de6e2333ad2c37dd8d5c9cdc942899bb7efe4b43836e3ec55bd52703
Instruction Fuzzy Hash: 0101B8315046009FEB15CF29E889B96FBA4EF00620F18C0ABDD4A8B702D7B5A408CB72

Uniqueness

Uniqueness Score: -1.00%

Function 0117B5BA, Relevance: 1.5, APIs: 1, Instructions: 43registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,?,?), ref: 0117B60A

Memory Dump Source

Source File: 00000001.00000002.589999631.000000000117A000.00000040.00000001.sdmp, Offset: 0117A000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 1e88828f09b18743e2d2eb992d38b837a6fdb943c203a0170953e7c6a9a5a58e
Instruction ID: 1e152fd8eccc1e6b90c9885b2f4094cb4d5793ba59c2e794c96c405b34fc344b
Opcode Fuzzy Hash: 1e88828f09b18743e2d2eb992d38b837a6fdb943c203a0170953e7c6a9a5a58e
Instruction Fuzzy Hash: B501A272500600ABD210DF16DC82F26FBA8FB88B20F14811AED085B741E371F515CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 0117AB2E, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

MkParseDisplayName.OLE32(?,00000E2C,?,?), ref: 0117AB7E

Memory Dump Source

Source File: 00000001.00000002.589999631.000000000117A000.00000040.00000001.sdmp, Offset: 0117A000, based on PE: false

Similarity

API ID: DisplayNameParse
String ID:
API String ID: 3580041360-0
Opcode ID: 92292b4dce006f1c9342ae5c425b2e77f9ce099db756f8344573d4bc7be40d9b
Instruction ID: b62a27c5dc11b85719618dc0362ee9a1b05479c13c6ad915828adc52fa6b758d
Opcode Fuzzy Hash: 92292b4dce006f1c9342ae5c425b2e77f9ce099db756f8344573d4bc7be40d9b
Instruction Fuzzy Hash: 6D016276540600ABD250DF16DC86F26FBA8FB88B20F14815AED185B741E371F515CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 0117AC76, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 0117ACA8

Memory Dump Source

Source File: 00000001.00000002.589999631.000000000117A000.00000040.00000001.sdmp, Offset: 0117A000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 1a370a7071e093612710cecfd0244089ec0dfaf6bdfa16d625121b02a97ebcef
Instruction ID: 289a88b67ee9ee918859c19b96ded6bff2888fa29b9c3dc6027eb58de6275585
Opcode Fuzzy Hash: 1a370a7071e093612710cecfd0244089ec0dfaf6bdfa16d625121b02a97ebcef
Instruction Fuzzy Hash: 16018F71504240AFEB148F29E98576AFFA4EF04621F18C0ABDE099F352D6B5A508CB62

Uniqueness

Uniqueness Score: -1.00%

Function 05A310D2, Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

FindClose.KERNELBASE(?), ref: 05A31104

Memory Dump Source

Source File: 00000001.00000002.594525419.0000000005A30000.00000040.00000001.sdmp, Offset: 05A30000, based on PE: false

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: cff93dd137851309a7954336523b6f859a48f4975a3e3b1818e0ce5cdbaebca0
Instruction ID: b9f229c2c510da07e801b5cefd346370356c391a6d77755f9fa4b659f3ebd658
Opcode Fuzzy Hash: cff93dd137851309a7954336523b6f859a48f4975a3e3b1818e0ce5cdbaebca0
Instruction Fuzzy Hash: 5501D1356007409FDB10CF19D886BA6FFE4EF05624F18C0ABED498B256D6B5E448CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 0117A47A, Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

closesocket.WS2_32(?), ref: 0117A4AC

Memory Dump Source

Source File: 00000001.00000002.589999631.000000000117A000.00000040.00000001.sdmp, Offset: 0117A000, based on PE: false

Similarity

API ID: closesocket
String ID:
API String ID: 2781271927-0
Opcode ID: 9ae4cd429ec23984aa8641c89f1b6009c314bcc1ea618178ad9631109674affc
Instruction ID: b37a2e3d8f0e4d9103e0eb0ba301aaa3fbc84f08815b8855545499a85a34e4a4
Opcode Fuzzy Hash: 9ae4cd429ec23984aa8641c89f1b6009c314bcc1ea618178ad9631109674affc
Instruction Fuzzy Hash: B7018F304042449FDB15CF19E889766FFA4EF04621F1CC0AADE098B302D2B5A404CAA2

Uniqueness

Uniqueness Score: -1.00%

Function 0117A876, Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 0117A8A8

Memory Dump Source

Source File: 00000001.00000002.589999631.000000000117A000.00000040.00000001.sdmp, Offset: 0117A000, based on PE: false

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 62ed68617fdb8da35622565dba294ea6c4080d8d21c60bca62c2f647e266200f
Instruction ID: 923e89a5436ec68661dcf8934f42355393aa16cca75ccf0ee498d6eaa9c95291
Opcode Fuzzy Hash: 62ed68617fdb8da35622565dba294ea6c4080d8d21c60bca62c2f647e266200f
Instruction Fuzzy Hash: B0F0AF34900644DFEB248F19E885766FFA4EF04722F18C0AADD495B312D3B5A449CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 05B73AB0, Relevance: 1.5, Strings: 1, Instructions: 231COMMON

Download Yara Rule

Strings

:@Dr, xrefs: 05B73CA5

Memory Dump Source

Source File: 00000001.00000002.594548910.0000000005B70000.00000040.00000001.sdmp, Offset: 05B70000, based on PE: false

Similarity

API ID:
String ID: :@Dr
API String ID: 0-3830894600
Opcode ID: 690d309727c7e3918ab409c5fddca175fe67d491ac95a02b25640b44f3232b7a
Instruction ID: 2b653b3ba8c0163160c0cc1c5396c12902ce393bb67d9d1926f4a40b9303e966
Opcode Fuzzy Hash: 690d309727c7e3918ab409c5fddca175fe67d491ac95a02b25640b44f3232b7a
Instruction Fuzzy Hash: 3B717430B001098BEF2466BCD450F7E7ED7EB89314F60487AE22AC7395DEA5DD819762

Uniqueness

Uniqueness Score: -1.00%

Function 05B73AB8, Relevance: 1.5, Strings: 1, Instructions: 227COMMON

Download Yara Rule

Strings

:@Dr, xrefs: 05B73CA5

Memory Dump Source

Source File: 00000001.00000002.594548910.0000000005B70000.00000040.00000001.sdmp, Offset: 05B70000, based on PE: false

Similarity

API ID:
String ID: :@Dr
API String ID: 0-3830894600
Opcode ID: df5df0f231437951e2d3811eaab55a6642c6d75a5cc254b8996563cbb516dc88
Instruction ID: 27caa84a196b51d881c18724b2f89aeb0753bd453b535968e2559aa529851ef9
Opcode Fuzzy Hash: df5df0f231437951e2d3811eaab55a6642c6d75a5cc254b8996563cbb516dc88
Instruction Fuzzy Hash: E7716330B001098BEF2466BCD450F7E7DDBEB88314F60487AE22AC7395DEA5DD819762

Uniqueness

Uniqueness Score: -1.00%

Function 05B74150, Relevance: .3, Instructions: 293COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.594548910.0000000005B70000.00000040.00000001.sdmp, Offset: 05B70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86d18f334f242fa160c7ea392ad0fe7ac6cfe7699d70c1781fcbbcc9837187a8
Instruction ID: 8ac7d0530d767c9ee4f0f2f3fc2932473e8872ec50169c7fc437d6755a167d08
Opcode Fuzzy Hash: 86d18f334f242fa160c7ea392ad0fe7ac6cfe7699d70c1781fcbbcc9837187a8
Instruction Fuzzy Hash: 0DA1BF35B002089FCB19ABB8C4546AD7BF3EF88301F14846AE5159B3A9EF35ED46CB51

Uniqueness

Uniqueness Score: -1.00%

Function 05B73DD8, Relevance: .3, Instructions: 286COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.594548910.0000000005B70000.00000040.00000001.sdmp, Offset: 05B70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2cba4b4b38e141bcfd3d575ee6e5f1b7ca2bbb1079910df1625cad81770411d
Instruction ID: a0a47c622f1626ab4390fd9145d7b85934fee4fd5bf58c736c319cdcab42d94d
Opcode Fuzzy Hash: c2cba4b4b38e141bcfd3d575ee6e5f1b7ca2bbb1079910df1625cad81770411d
Instruction Fuzzy Hash: CBA11170B043498FCB15ABB884186B97BE6EF86314F1448FAD525DB282EB35EC42C791

Uniqueness

Uniqueness Score: -1.00%

Function 05A4300E, Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.594533326.0000000005A40000.00000040.00000001.sdmp, Offset: 05A40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9168cd8bcecfa0dcc049bd2aafe26e0fd55bac589cecb72ed00bf8feb329b998
Instruction ID: 8d248e1ac7e7ec0a72dfd14468d8879bc49a5e99d76e953dcc3a58bc07d8c2e0
Opcode Fuzzy Hash: 9168cd8bcecfa0dcc049bd2aafe26e0fd55bac589cecb72ed00bf8feb329b998
Instruction Fuzzy Hash: 6521E5B5608341AFD340CF19D880A5BFBE4FF89660F14896EF998D7311D270E9048FA2

Uniqueness

Uniqueness Score: -1.00%

Function 05A43A80, Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.594533326.0000000005A40000.00000040.00000001.sdmp, Offset: 05A40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99244cc06b7bdc404eb7f6aa820a5d1ab08db1e71cd844f888ed8dd1fed36f34
Instruction ID: 2526781f250718e3c8b55537170d68aa0f63a7fb2427592eb9bfa217e82caf82
Opcode Fuzzy Hash: 99244cc06b7bdc404eb7f6aa820a5d1ab08db1e71cd844f888ed8dd1fed36f34
Instruction Fuzzy Hash: 8B11BAB5648305AFD340CF19D881A5BFBE4FB88664F14896EF998D7311D271EA048FA2

Uniqueness

Uniqueness Score: -1.00%

Function 0105075C, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.589975841.0000000001050000.00000040.00000040.sdmp, Offset: 01050000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98f3af9a8bcc0f5558ef59a2f727be6a2876a1dc1f6f509a275b7e156e28fbd0
Instruction ID: 0f6c7fb4e141229b9b98e190e57512ccc4089a5e5f793c174ec7c11975f49a85
Opcode Fuzzy Hash: 98f3af9a8bcc0f5558ef59a2f727be6a2876a1dc1f6f509a275b7e156e28fbd0
Instruction Fuzzy Hash: 2011C034604648EFD345CB24C984B2ABBD5BB88708F24C5DCED891B647C777D803CA51

Uniqueness

Uniqueness Score: -1.00%

Function 05A43924, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.594533326.0000000005A40000.00000040.00000001.sdmp, Offset: 05A40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb5709429dc694a98a13f306302c41c19120e67f8fbdeda1a11c0cfd1acec612
Instruction ID: 476a04d5204f7f03bacae1fd5d7d9b138fd03b15d79f3392173c70bf98798f50
Opcode Fuzzy Hash: eb5709429dc694a98a13f306302c41c19120e67f8fbdeda1a11c0cfd1acec612
Instruction Fuzzy Hash: 8E11FAB5608305AFD350CF09DC81E5BFBE8EB88660F14892EFD9997311D271E9048FA2

Uniqueness

Uniqueness Score: -1.00%

Function 010505DC, Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.589975841.0000000001050000.00000040.00000040.sdmp, Offset: 01050000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ecb4dc0de08bd1fc579eb971b28410b5831a7c5b2c3bd6ed8869b804c6a789d
Instruction ID: 6306a11acdff8fca52a19ea9ca66e0732798c1c006405ee7ac6bd151b9467968
Opcode Fuzzy Hash: 3ecb4dc0de08bd1fc579eb971b28410b5831a7c5b2c3bd6ed8869b804c6a789d
Instruction Fuzzy Hash: 19F0C2765487806FD7118B0AEC41893FFE8DF8663070884AFED498B211D165B908CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 05B7409E, Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.594548910.0000000005B70000.00000040.00000001.sdmp, Offset: 05B70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63db847b485b7d9782a980799eb324409a058fd4c56f1c986775d3bc0c679c2f
Instruction ID: e7dbb94194dfd99329bf1dbda5f1c4216a830fbc73b8b2364c2133517ba94d20
Opcode Fuzzy Hash: 63db847b485b7d9782a980799eb324409a058fd4c56f1c986775d3bc0c679c2f
Instruction Fuzzy Hash: 99F0F672B005248BCF14BFB8B4452ACBFE2EB84215F214879D55993B84DF305D24C381

Uniqueness

Uniqueness Score: -1.00%

Function 0105075B, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.589975841.0000000001050000.00000040.00000040.sdmp, Offset: 01050000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca6a0b5bf319edae8ca202dc0168e2bae9795885764f0213a0868f6c13540e57
Instruction ID: 4e23610d4212aa3807b81b889c5f2fea7bca011bea53eef4873a95356f2b0887
Opcode Fuzzy Hash: ca6a0b5bf319edae8ca202dc0168e2bae9795885764f0213a0868f6c13540e57
Instruction Fuzzy Hash: B1012935604688DFC756CB14C580B2ABBA2FB89718F28C6EDE9891B652C337D812DF41

Uniqueness

Uniqueness Score: -1.00%

Function 01050818, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.589975841.0000000001050000.00000040.00000040.sdmp, Offset: 01050000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 525cef522958239b2deb72ab7ac90410e2832b06fb356f1b7ca8807ee3c9392c
Instruction ID: 858242ae64e6f9b5e3990e6777f4f78bf26c11bbb6e73c592745eda5581226f3
Opcode Fuzzy Hash: 525cef522958239b2deb72ab7ac90410e2832b06fb356f1b7ca8807ee3c9392c
Instruction Fuzzy Hash: 18F0FB35504644DFC346CB44D940B2AFBA6FB89718F24C6A9E9890B656C3379813DE81

Uniqueness

Uniqueness Score: -1.00%

Function 010505F6, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.589975841.0000000001050000.00000040.00000040.sdmp, Offset: 01050000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: feb9c2aa7ce6378992a56dcde8c93a16371e73e9c71e5811306086e91a2c3cad
Instruction ID: 67ec13b6f3e9344db3c0f95c9a8fa4a440452f5261ce648340cfc589b0901880
Opcode Fuzzy Hash: feb9c2aa7ce6378992a56dcde8c93a16371e73e9c71e5811306086e91a2c3cad
Instruction Fuzzy Hash: F4E092766406008BD650CF0BEC41452F7D8EB88A31B18C07FDC0D8B700E575F504CEA5

Uniqueness

Uniqueness Score: -1.00%

Function 05A43083, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.594533326.0000000005A40000.00000040.00000001.sdmp, Offset: 05A40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb97cbaaaa064ee01a3283cf98241958d0cbddfa2acecce0af4f79a3cd67cda0
Instruction ID: 59028a066f4c42c09d9863c31835b83e325ed45a0adbfb5ffdb064df075d9bf8
Opcode Fuzzy Hash: bb97cbaaaa064ee01a3283cf98241958d0cbddfa2acecce0af4f79a3cd67cda0
Instruction Fuzzy Hash: 70E0D87254030467E2108F069C82F53FB58DB40A30F14C467EE081F702D5B1B5148AE1

Uniqueness

Uniqueness Score: -1.00%

Function 05A43397, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.594533326.0000000005A40000.00000040.00000001.sdmp, Offset: 05A40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5deaf7fcbe7622a36ba6c2109d2b80751c9ade9dff51bc72f83a476a23e82617
Instruction ID: a5616fc0bb5e2e27f41ad5a6c4cdf3bcd65c210ce0342eb6c577ab3ed6c2bd5e
Opcode Fuzzy Hash: 5deaf7fcbe7622a36ba6c2109d2b80751c9ade9dff51bc72f83a476a23e82617
Instruction Fuzzy Hash: 89E0D87264030467D2109E069C82F53FB98DB40A30F14C467EE091B701D1B2B514CEE1

Uniqueness

Uniqueness Score: -1.00%

Function 05A43AEB, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.594533326.0000000005A40000.00000040.00000001.sdmp, Offset: 05A40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dad6e1ea1038727cff8553e3123a1d4a1f7a4534000ec8cd94db80b5da262c72
Instruction ID: 164c9955a20aaa7732c0a831fc0c8e7738614e03915c658ab9a66a1cfd8f8d03
Opcode Fuzzy Hash: dad6e1ea1038727cff8553e3123a1d4a1f7a4534000ec8cd94db80b5da262c72
Instruction Fuzzy Hash: D4E0D8B254030467D2108E069C82F53FB98DB54A31F14C467EE0C1B701D1B1B5148AE1

Uniqueness

Uniqueness Score: -1.00%

Function 05A43973, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.594533326.0000000005A40000.00000040.00000001.sdmp, Offset: 05A40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 995cf47ca0e21fc203deca37d95ee94d3eaaa3b11f1c0ee3d081da92571df77b
Instruction ID: baf2bec77b47a85d8ad57964f614f4f15986c6fc434b0b0b6537fcd88cb08222
Opcode Fuzzy Hash: 995cf47ca0e21fc203deca37d95ee94d3eaaa3b11f1c0ee3d081da92571df77b
Instruction Fuzzy Hash: FEE0D87254030467D2509E069C82F53FB98DB44A30F14C467EE0D1B702D1B2B5048AF1

Uniqueness

Uniqueness Score: -1.00%

Function 011723F4, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.589992920.0000000001172000.00000040.00000001.sdmp, Offset: 01172000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 864028e3370ab56f52b3cabd861400fd65e69494dd39eba6fdbfcc36f9abd26b
Instruction ID: 911a44c251930523f0ce48c5eecf4c050252b09d5860b624d7ae7d857e091516
Opcode Fuzzy Hash: 864028e3370ab56f52b3cabd861400fd65e69494dd39eba6fdbfcc36f9abd26b
Instruction Fuzzy Hash: B6D05E79315A818FE32A8A1CC1A8B953FB4AB51B04F5644FDE8008B763C368D982D200

Uniqueness

Uniqueness Score: -1.00%

Function 011723BC, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.589992920.0000000001172000.00000040.00000001.sdmp, Offset: 01172000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f67ce58a8aae9eae7e96dab265dce513498f63a670621588b700328e952c243c
Instruction ID: 408d43c771624ae899b488b8b1faada5909881ae4716cd5f38f771be67a70d2a
Opcode Fuzzy Hash: f67ce58a8aae9eae7e96dab265dce513498f63a670621588b700328e952c243c
Instruction Fuzzy Hash: 9FD05E342046818BD719DB0CC594F593BE4AB45B00F0644ECAD008B762C3B4D8C2C600

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report lNCyFjhn7M

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: Agenttesla

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

SMTP Packets

Code Manipulations

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre