Play interactive tour

Edit tour

Analysis Report TdX45jQWjj.exe

Overview

General Information

Sample Name:	TdX45jQWjj.exe
Analysis ID:	356818
MD5:	f261164b55c3be5c3c86150ff2a7cc27
SHA1:	634a546e3841af29b068c7c6535206695eb704d0
SHA256:	b40e22d33523ae869ba4a9a9159d37d61ec056fc14dc3db7406d79620b801816
Tags:	exeNanoCoreRAT
Infos:
Most interesting Screenshot:

Detection

Nanocore

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected Nanocore Rat

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: NanoCore

Sigma detected: Scheduled temp file as task from temp location

Yara detected AntiVM_3

Yara detected Nanocore RAT

.NET source code contains potential unpacker

Allocates memory in foreign processes

Connects to many ports of the same IP (likely port scanning)

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Protects its processes via BreakOnTermination flag

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses dynamic DNS services

Uses schtasks.exe or at.exe to add and modify task schedules

Writes to foreign memory regions

Antivirus or Machine Learning detection for unpacked file

Contains capabilities to detect virtual machines

Contains functionality to call native functions

Contains functionality to detect virtual machines (SLDT)

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains long sleeps (>= 3 min)

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Installs a raw input device (often for capturing keystrokes)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Startup

System is w10x64

TdX45jQWjj.exe (PID: 6960 cmdline: 'C:\Users\user\Desktop\TdX45jQWjj.exe' MD5: F261164B55C3BE5C3C86150FF2A7CC27)

schtasks.exe (PID: 6004 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\RTOqzQABo' /XML 'C:\Users\user\AppData\Local\Temp\tmp84A9.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 6224 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

RegSvcs.exe (PID: 3012 cmdline: {path} MD5: 71369277D09DA0830C8C59F9E22BB23A)

schtasks.exe (PID: 6936 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpDEF3.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 6920 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

schtasks.exe (PID: 6668 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpE1E2.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 6688 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

RegSvcs.exe (PID: 6716 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe 0 MD5: 71369277D09DA0830C8C59F9E22BB23A)

conhost.exe (PID: 6800 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

dhcpmon.exe (PID: 6808 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0 MD5: 71369277D09DA0830C8C59F9E22BB23A)

conhost.exe (PID: 6812 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

dhcpmon.exe (PID: 3028 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: 71369277D09DA0830C8C59F9E22BB23A)

conhost.exe (PID: 1868 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.395064094.00000000046E5000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xc136d:$x1: NanoCore.ClientPluginHost 0xc13aa:$x2: IClientNetworkHost 0xc4edd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.395064094.00000000046E5000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.395064094.00000000046E5000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xc10d5:$a: NanoCore 0xc10e5:$a: NanoCore 0xc1319:$a: NanoCore 0xc132d:$a: NanoCore 0xc136d:$a: NanoCore 0xc1134:$b: ClientPlugin 0xc1336:$b: ClientPlugin 0xc1376:$b: ClientPlugin 0xc125b:$c: ProjectData 0xc1c62:$d: DESCrypto 0xc962e:$e: KeepAlive 0xc761c:$g: LogClientMessage 0xc3817:$i: get_Connected 0xc1f98:$j: #=q 0xc1fc8:$j: #=q 0xc1fe4:$j: #=q 0xc2014:$j: #=q 0xc2030:$j: #=q 0xc204c:$j: #=q 0xc207c:$j: #=q 0xc2098:$j: #=q
00000000.00000002.394099052.0000000004251000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x251a25:$x1: NanoCore.ClientPluginHost 0x251a62:$x2: IClientNetworkHost 0x255595:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.394099052.0000000004251000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.394099052.0000000004251000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x25178d:$a: NanoCore 0x25179d:$a: NanoCore 0x2519d1:$a: NanoCore 0x2519e5:$a: NanoCore 0x251a25:$a: NanoCore 0x2517ec:$b: ClientPlugin 0x2519ee:$b: ClientPlugin 0x251a2e:$b: ClientPlugin 0x198534:$c: ProjectData 0x251913:$c: ProjectData 0x25231a:$d: DESCrypto 0x259ce6:$e: KeepAlive 0x257cd4:$g: LogClientMessage 0x253ecf:$i: get_Connected 0x252650:$j: #=q 0x252680:$j: #=q 0x25269c:$j: #=q 0x2526cc:$j: #=q 0x2526e8:$j: #=q 0x252704:$j: #=q 0x252734:$j: #=q
00000008.00000002.602153062.0000000005900000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
00000008.00000002.602153062.0000000005900000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
00000008.00000002.595499721.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000008.00000002.595499721.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000008.00000002.595499721.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000008.00000002.602225959.0000000005B90000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1646:$x1: NanoCore.ClientPluginHost
00000008.00000002.602225959.0000000005B90000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1646:$x2: NanoCore.ClientPluginHost 0x1724:$s4: PipeCreated 0x1660:$s5: IClientLoggingHost
00000008.00000002.602238562.0000000005BA0000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
00000008.00000002.602238562.0000000005BA0000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
00000008.00000002.602238562.0000000005BA0000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000008.00000002.600580275.0000000003F27000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000008.00000002.600580275.0000000003F27000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x8a7d:$a: NanoCore 0x8ad6:$a: NanoCore 0x8b13:$a: NanoCore 0x8b8c:$a: NanoCore 0xe121:$a: NanoCore 0xe16b:$a: NanoCore 0xe355:$a: NanoCore 0x21c74:$a: NanoCore 0x21c89:$a: NanoCore 0x21cbe:$a: NanoCore 0x3ac13:$a: NanoCore 0x3ac28:$a: NanoCore 0x3ac5d:$a: NanoCore 0x8adf:$b: ClientPlugin 0x8b1c:$b: ClientPlugin 0x941a:$b: ClientPlugin 0x9427:$b: ClientPlugin 0xdeba:$b: ClientPlugin 0xe12a:$b: ClientPlugin 0xe174:$b: ClientPlugin 0x21a30:$b: ClientPlugin
Process Memory Space: RegSvcs.exe PID: 3012	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x92eb6:$x1: NanoCore.ClientPluginHost 0x95552:$x1: NanoCore.ClientPluginHost 0xd918d:$x1: NanoCore.ClientPluginHost 0x1cd88c:$x1: NanoCore.ClientPluginHost 0x2eaf01:$x1: NanoCore.ClientPluginHost 0x3078b9:$x1: NanoCore.ClientPluginHost 0x334f73:$x1: NanoCore.ClientPluginHost 0x3375ee:$x1: NanoCore.ClientPluginHost 0x33d21b:$x1: NanoCore.ClientPluginHost 0x34e542:$x1: NanoCore.ClientPluginHost 0x92edc:$x2: IClientNetworkHost 0xd91b3:$x2: IClientNetworkHost 0x1cd8ed:$x2: IClientNetworkHost 0x3078fe:$x2: IClientNetworkHost 0x334f99:$x2: IClientNetworkHost 0x33d260:$x2: IClientNetworkHost 0x34e587:$x2: IClientNetworkHost 0x1d2cf2:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x1e0c64:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: RegSvcs.exe PID: 3012	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: RegSvcs.exe PID: 3012	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x92da8:$a: NanoCore 0x92e49:$a: NanoCore 0x92eb6:$a: NanoCore 0x92f77:$a: NanoCore 0x93e48:$a: NanoCore 0x93e9b:$a: NanoCore 0x93ed4:$a: NanoCore 0x93f47:$a: NanoCore 0x95552:$a: NanoCore 0x955cc:$a: NanoCore 0x95938:$a: NanoCore 0x963f6:$a: NanoCore 0x9643c:$a: NanoCore 0x96603:$a: NanoCore 0xc7abf:$a: NanoCore 0xd907f:$a: NanoCore 0xd9120:$a: NanoCore 0xd918d:$a: NanoCore 0xd924e:$a: NanoCore 0xda11f:$a: NanoCore 0xda172:$a: NanoCore
Process Memory Space: TdX45jQWjj.exe PID: 6960	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x11306c:$x1: NanoCore.ClientPluginHost 0x18e2fb:$x1: NanoCore.ClientPluginHost 0x1130cd:$x2: IClientNetworkHost 0x18e35c:$x2: IClientNetworkHost 0x1184d2:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x126444:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x193761:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x1a16d3:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: TdX45jQWjj.exe PID: 6960	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: TdX45jQWjj.exe PID: 6960	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: TdX45jQWjj.exe PID: 6960	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x112b71:$a: NanoCore 0x112b8d:$a: NanoCore 0x112ce8:$a: NanoCore 0x112cf7:$a: NanoCore 0x112fd0:$a: NanoCore 0x112ffc:$a: NanoCore 0x11306c:$a: NanoCore 0x122aae:$a: NanoCore 0x122ac0:$a: NanoCore 0x122afc:$a: NanoCore 0x18de00:$a: NanoCore 0x18de1c:$a: NanoCore 0x18df77:$a: NanoCore 0x18df86:$a: NanoCore 0x18e25f:$a: NanoCore 0x18e28b:$a: NanoCore 0x18e2fb:$a: NanoCore 0x19dd3d:$a: NanoCore 0x19dd4f:$a: NanoCore 0x19dd8b:$a: NanoCore 0x112c18:$b: ClientPlugin
Click to see the 20 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
8.2.RegSvcs.exe.2ef16fc.1.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x40c2:$x1: NanoCore.ClientPluginHost
8.2.RegSvcs.exe.2ef16fc.1.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x40c2:$x2: NanoCore.ClientPluginHost 0x41a0:$s4: PipeCreated 0x40dc:$s5: IClientLoggingHost
8.2.RegSvcs.exe.3f2ec9e.5.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x4083:$x1: NanoCore.ClientPluginHost
8.2.RegSvcs.exe.3f2ec9e.5.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x4083:$x2: NanoCore.ClientPluginHost 0x4161:$s4: PipeCreated 0x409d:$s5: IClientLoggingHost
8.2.RegSvcs.exe.5b90000.9.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1646:$x1: NanoCore.ClientPluginHost
8.2.RegSvcs.exe.5b90000.9.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1646:$x2: NanoCore.ClientPluginHost 0x1724:$s4: PipeCreated 0x1660:$s5: IClientLoggingHost
8.2.RegSvcs.exe.5ba0000.11.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
8.2.RegSvcs.exe.5ba0000.11.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
8.2.RegSvcs.exe.5ba0000.11.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
8.2.RegSvcs.exe.3f33adb.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1646:$x1: NanoCore.ClientPluginHost 0x151e3:$x1: NanoCore.ClientPluginHost 0x2e182:$x1: NanoCore.ClientPluginHost 0x15210:$x2: IClientNetworkHost 0x2e1af:$x2: IClientNetworkHost
8.2.RegSvcs.exe.3f33adb.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1646:$x2: NanoCore.ClientPluginHost 0x151e3:$x2: NanoCore.ClientPluginHost 0x2e182:$x2: NanoCore.ClientPluginHost 0x1724:$s4: PipeCreated 0x162be:$s4: PipeCreated 0x2f25d:$s4: PipeCreated 0x1660:$s5: IClientLoggingHost 0x151fd:$s5: IClientLoggingHost 0x2e19c:$s5: IClientLoggingHost
8.2.RegSvcs.exe.3f33adb.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
8.2.RegSvcs.exe.3f33adb.3.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1646:$a: NanoCore 0x1690:$a: NanoCore 0x187a:$a: NanoCore 0x15199:$a: NanoCore 0x151ae:$a: NanoCore 0x151e3:$a: NanoCore 0x2e138:$a: NanoCore 0x2e14d:$a: NanoCore 0x2e182:$a: NanoCore 0x13df:$b: ClientPlugin 0x164f:$b: ClientPlugin 0x1699:$b: ClientPlugin 0x14f55:$b: ClientPlugin 0x14f70:$b: ClientPlugin 0x14fa0:$b: ClientPlugin 0x151b7:$b: ClientPlugin 0x151ec:$b: ClientPlugin 0x2def4:$b: ClientPlugin 0x2df0f:$b: ClientPlugin 0x2df3f:$b: ClientPlugin 0x2e156:$b: ClientPlugin
0.2.TdX45jQWjj.exe.4492898.1.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.TdX45jQWjj.exe.4492898.1.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
0.2.TdX45jQWjj.exe.4492898.1.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.TdX45jQWjj.exe.4492898.1.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
8.2.RegSvcs.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
8.2.RegSvcs.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
8.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
8.2.RegSvcs.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
0.2.TdX45jQWjj.exe.43917e8.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x11123d:$x1: NanoCore.ClientPluginHost 0x11127a:$x2: IClientNetworkHost 0x114dad:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.TdX45jQWjj.exe.43917e8.2.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.TdX45jQWjj.exe.43917e8.2.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x110fa5:$a: NanoCore 0x110fb5:$a: NanoCore 0x1111e9:$a: NanoCore 0x1111fd:$a: NanoCore 0x11123d:$a: NanoCore 0x111004:$b: ClientPlugin 0x111206:$b: ClientPlugin 0x111246:$b: ClientPlugin 0x57d4c:$c: ProjectData 0x11112b:$c: ProjectData 0x111b32:$d: DESCrypto 0x1194fe:$e: KeepAlive 0x1174ec:$g: LogClientMessage 0x1136e7:$i: get_Connected 0x111e68:$j: #=q 0x111e98:$j: #=q 0x111eb4:$j: #=q 0x111ee4:$j: #=q 0x111f00:$j: #=q 0x111f1c:$j: #=q 0x111f4c:$j: #=q
8.2.RegSvcs.exe.3f2ec9e.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0x6483:$x1: NanoCore.ClientPluginHost 0x1a020:$x1: NanoCore.ClientPluginHost 0x32fbf:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost 0x1a04d:$x2: IClientNetworkHost 0x32fec:$x2: IClientNetworkHost
8.2.RegSvcs.exe.3f2ec9e.5.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x6483:$x2: NanoCore.ClientPluginHost 0x1a020:$x2: NanoCore.ClientPluginHost 0x32fbf:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0x6561:$s4: PipeCreated 0x1b0fb:$s4: PipeCreated 0x3409a:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost 0x649d:$s5: IClientLoggingHost 0x1a03a:$s5: IClientLoggingHost 0x32fd9:$s5: IClientLoggingHost
8.2.RegSvcs.exe.3f2ec9e.5.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
8.2.RegSvcs.exe.3f2ec9e.5.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xddf:$a: NanoCore 0xe38:$a: NanoCore 0xe75:$a: NanoCore 0xeee:$a: NanoCore 0x6483:$a: NanoCore 0x64cd:$a: NanoCore 0x66b7:$a: NanoCore 0x19fd6:$a: NanoCore 0x19feb:$a: NanoCore 0x1a020:$a: NanoCore 0x32f75:$a: NanoCore 0x32f8a:$a: NanoCore 0x32fbf:$a: NanoCore 0xe41:$b: ClientPlugin 0xe7e:$b: ClientPlugin 0x177c:$b: ClientPlugin 0x1789:$b: ClientPlugin 0x621c:$b: ClientPlugin 0x648c:$b: ClientPlugin 0x64d6:$b: ClientPlugin 0x19d92:$b: ClientPlugin
8.2.RegSvcs.exe.3f39511.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0x2874c:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost 0x28779:$x2: IClientNetworkHost
8.2.RegSvcs.exe.3f39511.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x2874c:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0x29827:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost 0x28766:$s5: IClientLoggingHost
8.2.RegSvcs.exe.3f39511.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.TdX45jQWjj.exe.4492898.1.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.TdX45jQWjj.exe.4492898.1.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.TdX45jQWjj.exe.4492898.1.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
8.2.RegSvcs.exe.5ba0000.11.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
8.2.RegSvcs.exe.5ba0000.11.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
8.2.RegSvcs.exe.5ba0000.11.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.TdX45jQWjj.exe.46e55c0.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xc0dad:$x1: NanoCore.ClientPluginHost 0xc0dea:$x2: IClientNetworkHost 0xc491d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.TdX45jQWjj.exe.46e55c0.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.TdX45jQWjj.exe.46e55c0.3.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xc0b15:$a: NanoCore 0xc0b25:$a: NanoCore 0xc0d59:$a: NanoCore 0xc0d6d:$a: NanoCore 0xc0dad:$a: NanoCore 0xc0b74:$b: ClientPlugin 0xc0d76:$b: ClientPlugin 0xc0db6:$b: ClientPlugin 0xc0c9b:$c: ProjectData 0xc16a2:$d: DESCrypto 0xc906e:$e: KeepAlive 0xc705c:$g: LogClientMessage 0xc3257:$i: get_Connected 0xc19d8:$j: #=q 0xc1a08:$j: #=q 0xc1a24:$j: #=q 0xc1a54:$j: #=q 0xc1a70:$j: #=q 0xc1a8c:$j: #=q 0xc1abc:$j: #=q 0xc1ad8:$j: #=q
8.2.RegSvcs.exe.5ba4629.10.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost
8.2.RegSvcs.exe.5ba4629.10.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost
8.2.RegSvcs.exe.5ba4629.10.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
8.2.RegSvcs.exe.5900000.8.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
8.2.RegSvcs.exe.5900000.8.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
8.2.RegSvcs.exe.3f39511.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
8.2.RegSvcs.exe.3f39511.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
8.2.RegSvcs.exe.3f39511.4.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
8.2.RegSvcs.exe.2ef16fc.1.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0x64c2:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
8.2.RegSvcs.exe.2ef16fc.1.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x64c2:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0x65a0:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost 0x64dc:$s5: IClientLoggingHost
8.2.RegSvcs.exe.2ef6578.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1646:$x1: NanoCore.ClientPluginHost
8.2.RegSvcs.exe.2ef6578.2.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1646:$x2: NanoCore.ClientPluginHost 0x1724:$s4: PipeCreated 0x1660:$s5: IClientLoggingHost
Click to see the 47 entries

Sigma Overview

System Summary:

Sigma detected: NanoCore

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, ProcessId: 3012, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Sigma detected: Scheduled temp file as task from temp location

Show sources

Source: Process started

Author: Joe Security: Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\RTOqzQABo' /XML 'C:\Users\user\AppData\Local\Temp\tmp84A9.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\RTOqzQABo' /XML 'C:\Users\user\AppData\Local\Temp\tmp84A9.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\TdX45jQWjj.exe' , ParentImage: C:\Users\user\Desktop\TdX45jQWjj.exe, ParentProcessId: 6960, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\RTOqzQABo' /XML 'C:\Users\user\AppData\Local\Temp\tmp84A9.tmp', ProcessId: 6004

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for domain / URL

Show sources

Source: strongodss.ddns.net

Virustotal: Detection: 8%

Perma Link

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\RTOqzQABo.exe

ReversingLabs: Detection: 18%

Multi AV Scanner detection for submitted file

Show sources

Source: TdX45jQWjj.exe

ReversingLabs: Detection: 18%

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000000.00000002.395064094.00000000046E5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.394099052.0000000004251000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.595499721.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.602238562.0000000005BA0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.600580275.0000000003F27000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 3012, type: MEMORY
Source: Yara match	File source: Process Memory Space: TdX45jQWjj.exe PID: 6960, type: MEMORY
Source: Yara match	File source: 8.2.RegSvcs.exe.5ba0000.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RegSvcs.exe.3f33adb.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.TdX45jQWjj.exe.4492898.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.TdX45jQWjj.exe.43917e8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RegSvcs.exe.3f2ec9e.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RegSvcs.exe.3f39511.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.TdX45jQWjj.exe.4492898.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RegSvcs.exe.5ba0000.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.TdX45jQWjj.exe.46e55c0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RegSvcs.exe.5ba4629.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RegSvcs.exe.3f39511.4.unpack, type: UNPACKEDPE

Source: 8.2.RegSvcs.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 8.2.RegSvcs.exe.5ba0000.11.unpack	Avira: Label: TR/NanoCore.fadte

Compliance:

Uses 32bit PE files

Show sources

Source: TdX45jQWjj.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Uses new MSVCR Dlls

Show sources

Source: C:\Users\user\Desktop\TdX45jQWjj.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Jump to behavior

Contains modern PE file flags such as dynamic base (ASLR) or NX

Show sources

Source: TdX45jQWjj.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Binary contains paths to debug symbols

Show sources

Source:	Binary string: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.pdb source: RegSvcs.exe, 00000008.00000002.596585124.00000000011C5000.00000004.00000040.sdmp
Source:	Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\NanoProtectPlugin\NanoProtectClient\obj\Debug\NanoProtectClient.pdb source: RegSvcs.exe, 00000008.00000002.598166054.0000000002EE1000.00000004.00000001.sdmp
Source:	Binary string: System.EnterpriseServices.Wrapper.pdb source: RegSvcs.exe, 0000000E.00000002.406605593.0000000004A70000.00000002.00000001.sdmp, dhcpmon.exe, 00000012.00000002.414673187.0000000005020000.00000002.00000001.sdmp
Source:	Binary string: indows\RegSvcs.pdbpdbvcs.pdb source: RegSvcs.exe, 00000008.00000002.596585124.00000000011C5000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\symbols\exe\RegSvcs.pdb source: RegSvcs.exe, 00000008.00000002.596585124.00000000011C5000.00000004.00000040.sdmp
Source:	Binary string: RegSvcs.pdb source: dhcpmon.exe, dhcpmon.exe.8.dr
Source:	Binary string: mscorrc.pdb source: TdX45jQWjj.exe, 00000000.00000002.406858007.0000000008610000.00000002.00000001.sdmp, RegSvcs.exe, 00000008.00000002.602087565.00000000058A0000.00000002.00000001.sdmp, RegSvcs.exe, 0000000E.00000002.407150676.0000000004B20000.00000002.00000001.sdmp, dhcpmon.exe, 00000010.00000002.407442223.00000000050F0000.00000002.00000001.sdmp

Software Vulnerabilities:

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

Code function: 4x nop then mov esp, ebp

8_2_050A891F

Networking:

Connects to many ports of the same IP (likely port scanning)

Show sources

Source: global traffic	TCP traffic: 79.134.225.43 ports 0,1,3,58103,5,8
Source: global traffic	TCP traffic: 87.237.165.78 ports 0,1,3,58103,5,8

Uses dynamic DNS services

Show sources

Source: unknown

DNS query: name: strongodss.ddns.net

Source: global traffic	TCP traffic: 192.168.2.6:49728 -> 87.237.165.78:58103
Source: global traffic	TCP traffic: 192.168.2.6:49733 -> 79.134.225.43:58103

Source: Joe Sandbox View

ASN Name: FINK-TELECOM-SERVICESCH FINK-TELECOM-SERVICESCH

Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.43
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.43
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.43
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.43
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.43
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.43
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.43
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.43
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.43
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.43
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.43
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.43
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.43
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.43
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.43
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.43
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.43
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.43
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.43
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.43
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.43
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.43
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.43
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.43
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.43
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.43
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.43

Source: unknown

DNS traffic detected: queries for: strongodss.ddns.net

Source: TdX45jQWjj.exe	String found in binary or memory: http://code.google.com/feeds/p/topicalmemorysystem/downloads/basic.xml
Source: TdX45jQWjj.exe	String found in binary or memory: http://code.google.com/p/topicalmemorysystem/
Source: TdX45jQWjj.exe, 00000000.00000003.330218742.000000000559D000.00000004.00000001.sdmp, TdX45jQWjj.exe, 00000000.00000002.405149050.0000000006822000.00000004.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: TdX45jQWjj.exe	String found in binary or memory: http://topicalmemorysystem.googlecode.com/files/
Source: TdX45jQWjj.exe, 00000000.00000002.405149050.0000000006822000.00000004.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: TdX45jQWjj.exe	String found in binary or memory: http://www.biblegateway.com/passage/?search=
Source: TdX45jQWjj.exe	String found in binary or memory: http://www.biblija.net/biblija.cgi?m=
Source: TdX45jQWjj.exe	String found in binary or memory: http://www.blueletterbible.org/Bible.cfm?b=
Source: TdX45jQWjj.exe, 00000000.00000002.405149050.0000000006822000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: TdX45jQWjj.exe	String found in binary or memory: http://www.esvstudybible.org/search?q=
Source: TdX45jQWjj.exe	String found in binary or memory: http://www.esvstudybible.org/search?q=Whttp://www.blueletterbible.org/Bible.cfm?b=
Source: TdX45jQWjj.exe, 00000000.00000002.405149050.0000000006822000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: TdX45jQWjj.exe, 00000000.00000003.341606484.0000000005566000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com.TTF
Source: TdX45jQWjj.exe, 00000000.00000002.405149050.0000000006822000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: TdX45jQWjj.exe, 00000000.00000002.405149050.0000000006822000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: TdX45jQWjj.exe, 00000000.00000002.405149050.0000000006822000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: TdX45jQWjj.exe, 00000000.00000003.337840613.000000000557F000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/f
Source: TdX45jQWjj.exe, 00000000.00000002.405149050.0000000006822000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: TdX45jQWjj.exe, 00000000.00000002.405149050.0000000006822000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: TdX45jQWjj.exe, 00000000.00000002.405149050.0000000006822000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: TdX45jQWjj.exe, 00000000.00000002.405149050.0000000006822000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: TdX45jQWjj.exe, 00000000.00000003.341606484.0000000005566000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comC
Source: TdX45jQWjj.exe, 00000000.00000003.341606484.0000000005566000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comH
Source: TdX45jQWjj.exe, 00000000.00000002.395767153.0000000005560000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.coma
Source: TdX45jQWjj.exe, 00000000.00000003.341606484.0000000005566000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comalsF
Source: TdX45jQWjj.exe, 00000000.00000002.395767153.0000000005560000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comldco
Source: TdX45jQWjj.exe, 00000000.00000003.341606484.0000000005566000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comsiefd
Source: TdX45jQWjj.exe, 00000000.00000002.405149050.0000000006822000.00000004.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: TdX45jQWjj.exe, 00000000.00000003.329977481.000000000559D000.00000004.00000001.sdmp	String found in binary or memory: http://www.fonts.comW
Source: TdX45jQWjj.exe, 00000000.00000003.333029459.0000000005566000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.c
Source: TdX45jQWjj.exe, 00000000.00000002.405149050.0000000006822000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: TdX45jQWjj.exe, 00000000.00000002.405149050.0000000006822000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: TdX45jQWjj.exe, 00000000.00000002.405149050.0000000006822000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: TdX45jQWjj.exe, 00000000.00000003.331982815.0000000005563000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn4
Source: TdX45jQWjj.exe, 00000000.00000003.332432427.0000000005571000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cnW
Source: TdX45jQWjj.exe, 00000000.00000003.332121914.0000000005563000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cna-d
Source: TdX45jQWjj.exe, 00000000.00000003.332432427.0000000005571000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cnf
Source: TdX45jQWjj.exe, 00000000.00000003.332121914.0000000005563000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cnr-t
Source: TdX45jQWjj.exe, 00000000.00000002.405149050.0000000006822000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: TdX45jQWjj.exe, 00000000.00000002.405149050.0000000006822000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: TdX45jQWjj.exe, 00000000.00000002.405149050.0000000006822000.00000004.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: TdX45jQWjj.exe, 00000000.00000002.405149050.0000000006822000.00000004.00000001.sdmp, TdX45jQWjj.exe, 00000000.00000003.335447637.0000000005566000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: TdX45jQWjj.exe, 00000000.00000003.335242026.0000000005566000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/C
Source: TdX45jQWjj.exe, 00000000.00000003.335242026.0000000005566000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/d
Source: TdX45jQWjj.exe, 00000000.00000003.335242026.0000000005566000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: TdX45jQWjj.exe, 00000000.00000002.405149050.0000000006822000.00000004.00000001.sdmp, TdX45jQWjj.exe, 00000000.00000003.329212871.000000000166D000.00000004.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: TdX45jQWjj.exe, 00000000.00000003.329212871.000000000166D000.00000004.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com.
Source: TdX45jQWjj.exe, 00000000.00000003.329212871.000000000166D000.00000004.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.comn-u
Source: TdX45jQWjj.exe, 00000000.00000003.329212871.000000000166D000.00000004.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.comt-b
Source: TdX45jQWjj.exe, 00000000.00000002.405149050.0000000006822000.00000004.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: TdX45jQWjj.exe, 00000000.00000003.335896168.0000000005572000.00000004.00000001.sdmp	String found in binary or memory: http://www.sakkal.com8
Source: TdX45jQWjj.exe, 00000000.00000003.336154433.0000000005572000.00000004.00000001.sdmp	String found in binary or memory: http://www.sakkal.comX
Source: TdX45jQWjj.exe, 00000000.00000002.405149050.0000000006822000.00000004.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: TdX45jQWjj.exe, 00000000.00000002.405149050.0000000006822000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: TdX45jQWjj.exe, 00000000.00000003.334600510.000000000557B000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiro.com0
Source: TdX45jQWjj.exe, 00000000.00000003.332995890.000000000556B000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiro.com6
Source: TdX45jQWjj.exe, 00000000.00000003.334600510.000000000557B000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiro.comicx
Source: TdX45jQWjj.exe, 00000000.00000002.405149050.0000000006822000.00000004.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: TdX45jQWjj.exe, 00000000.00000003.342496493.000000000557F000.00000004.00000001.sdmp	String found in binary or memory: http://www.urwpp.de
Source: TdX45jQWjj.exe, 00000000.00000003.342118309.000000000557F000.00000004.00000001.sdmp	String found in binary or memory: http://www.urwpp.de&
Source: TdX45jQWjj.exe, 00000000.00000002.405149050.0000000006822000.00000004.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: TdX45jQWjj.exe, 00000000.00000003.342496493.000000000557F000.00000004.00000001.sdmp	String found in binary or memory: http://www.urwpp.deF0
Source: TdX45jQWjj.exe, 00000000.00000003.337611054.000000000557F000.00000004.00000001.sdmp	String found in binary or memory: http://www.urwpp.deas
Source: TdX45jQWjj.exe, 00000000.00000003.337507075.000000000557F000.00000004.00000001.sdmp	String found in binary or memory: http://www.urwpp.deq
Source: TdX45jQWjj.exe, 00000000.00000002.405149050.0000000006822000.00000004.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Source: TdX45jQWjj.exe, 00000000.00000002.389051570.0000000001170000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: RegSvcs.exe, 00000008.00000002.602238562.0000000005BA0000.00000004.00000001.sdmp

Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000000.00000002.395064094.00000000046E5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.394099052.0000000004251000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.595499721.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.602238562.0000000005BA0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.600580275.0000000003F27000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 3012, type: MEMORY
Source: Yara match	File source: Process Memory Space: TdX45jQWjj.exe PID: 6960, type: MEMORY
Source: Yara match	File source: 8.2.RegSvcs.exe.5ba0000.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RegSvcs.exe.3f33adb.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.TdX45jQWjj.exe.4492898.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.TdX45jQWjj.exe.43917e8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RegSvcs.exe.3f2ec9e.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RegSvcs.exe.3f39511.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.TdX45jQWjj.exe.4492898.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RegSvcs.exe.5ba0000.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.TdX45jQWjj.exe.46e55c0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RegSvcs.exe.5ba4629.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RegSvcs.exe.3f39511.4.unpack, type: UNPACKEDPE

Operating System Destruction:

Protects its processes via BreakOnTermination flag

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

Process information set: 01 00 00 00

Jump to behavior

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000000.00000002.395064094.00000000046E5000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.395064094.00000000046E5000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.394099052.0000000004251000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.394099052.0000000004251000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000008.00000002.602153062.0000000005900000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000008.00000002.595499721.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000008.00000002.595499721.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000008.00000002.602225959.0000000005B90000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000008.00000002.602238562.0000000005BA0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000008.00000002.600580275.0000000003F27000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: RegSvcs.exe PID: 3012, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: RegSvcs.exe PID: 3012, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: TdX45jQWjj.exe PID: 6960, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: TdX45jQWjj.exe PID: 6960, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.2.RegSvcs.exe.2ef16fc.1.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.2.RegSvcs.exe.3f2ec9e.5.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.2.RegSvcs.exe.5b90000.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.2.RegSvcs.exe.5ba0000.11.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.2.RegSvcs.exe.3f33adb.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.2.RegSvcs.exe.3f33adb.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.TdX45jQWjj.exe.4492898.1.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.TdX45jQWjj.exe.4492898.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.TdX45jQWjj.exe.43917e8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.TdX45jQWjj.exe.43917e8.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.2.RegSvcs.exe.3f2ec9e.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.2.RegSvcs.exe.3f2ec9e.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.2.RegSvcs.exe.3f39511.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.TdX45jQWjj.exe.4492898.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.TdX45jQWjj.exe.4492898.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.2.RegSvcs.exe.5ba0000.11.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.TdX45jQWjj.exe.46e55c0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.TdX45jQWjj.exe.46e55c0.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.2.RegSvcs.exe.5ba4629.10.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.2.RegSvcs.exe.5900000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.2.RegSvcs.exe.3f39511.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.2.RegSvcs.exe.2ef16fc.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.2.RegSvcs.exe.2ef6578.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 8_2_051D1836 NtQuerySystemInformation,	8_2_051D1836
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 8_2_051D1572 NtSetInformationProcess,	8_2_051D1572
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 8_2_051D1541 NtSetInformationProcess,	8_2_051D1541
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 8_2_051D17FB NtQuerySystemInformation,	8_2_051D17FB

Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Code function: 0_2_015DA150	0_2_015DA150
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Code function: 0_2_015D38C0	0_2_015D38C0
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Code function: 0_2_015DA140	0_2_015DA140
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Code function: 0_2_015D45F8	0_2_015D45F8
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Code function: 0_2_015D483F	0_2_015D483F
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Code function: 0_2_015D38B0	0_2_015D38B0
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Code function: 0_2_015D6307	0_2_015D6307
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Code function: 0_2_015D4608	0_2_015D4608
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Code function: 0_2_06D47484	0_2_06D47484
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Code function: 0_2_06D407C4	0_2_06D407C4
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Code function: 0_2_015D029F	0_2_015D029F
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Code function: 0_2_015D02B0	0_2_015D02B0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 8_2_011E7ABE	8_2_011E7ABE
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 8_2_050A3850	8_2_050A3850
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 8_2_050AB748	8_2_050AB748
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 8_2_050A2FA8	8_2_050A2FA8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 8_2_050A23A0	8_2_050A23A0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 8_2_050A9A78	8_2_050A9A78
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 8_2_050A8E78	8_2_050A8E78
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 8_2_050A306F	8_2_050A306F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 8_2_050AA320	8_2_050AA320
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 8_2_050A9B3F	8_2_050A9B3F

Source: TdX45jQWjj.exe, 00000000.00000002.395064094.00000000046E5000.00000004.00000001.sdmp	Binary or memory string: OriginalFilename vs TdX45jQWjj.exe
Source: TdX45jQWjj.exe, 00000000.00000002.394099052.0000000004251000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameAssemblyReferenceEntry.exeD vs TdX45jQWjj.exe
Source: TdX45jQWjj.exe, 00000000.00000002.405108942.00000000067C0000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameBunifu.UI.dll4 vs TdX45jQWjj.exe
Source: TdX45jQWjj.exe, 00000000.00000002.407955141.0000000008C90000.00000002.00000001.sdmp	Binary or memory string: System.OriginalFileName vs TdX45jQWjj.exe
Source: TdX45jQWjj.exe, 00000000.00000002.406858007.0000000008610000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs TdX45jQWjj.exe
Source: TdX45jQWjj.exe, 00000000.00000002.408876294.0000000008D80000.00000002.00000001.sdmp	Binary or memory string: originalfilename vs TdX45jQWjj.exe
Source: TdX45jQWjj.exe, 00000000.00000002.408876294.0000000008D80000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs TdX45jQWjj.exe
Source: TdX45jQWjj.exe	Binary or memory string: OriginalFilename vs TdX45jQWjj.exe

Source: TdX45jQWjj.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: 00000000.00000002.395064094.00000000046E5000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.395064094.00000000046E5000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.394099052.0000000004251000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.394099052.0000000004251000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000008.00000002.602153062.0000000005900000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000008.00000002.602153062.0000000005900000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000008.00000002.595499721.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000008.00000002.595499721.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000008.00000002.602225959.0000000005B90000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000008.00000002.602225959.0000000005B90000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000008.00000002.602238562.0000000005BA0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000008.00000002.602238562.0000000005BA0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000008.00000002.600580275.0000000003F27000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: RegSvcs.exe PID: 3012, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: RegSvcs.exe PID: 3012, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: TdX45jQWjj.exe PID: 6960, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: TdX45jQWjj.exe PID: 6960, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 8.2.RegSvcs.exe.2ef16fc.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.2.RegSvcs.exe.2ef16fc.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.2.RegSvcs.exe.3f2ec9e.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.2.RegSvcs.exe.3f2ec9e.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.2.RegSvcs.exe.5b90000.9.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.2.RegSvcs.exe.5b90000.9.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.2.RegSvcs.exe.5ba0000.11.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.2.RegSvcs.exe.5ba0000.11.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.2.RegSvcs.exe.3f33adb.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.2.RegSvcs.exe.3f33adb.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.2.RegSvcs.exe.3f33adb.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.TdX45jQWjj.exe.4492898.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.TdX45jQWjj.exe.4492898.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.TdX45jQWjj.exe.4492898.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.TdX45jQWjj.exe.43917e8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.TdX45jQWjj.exe.43917e8.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 8.2.RegSvcs.exe.3f2ec9e.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.2.RegSvcs.exe.3f2ec9e.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.2.RegSvcs.exe.3f2ec9e.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 8.2.RegSvcs.exe.3f39511.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.2.RegSvcs.exe.3f39511.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.TdX45jQWjj.exe.4492898.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.TdX45jQWjj.exe.4492898.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 8.2.RegSvcs.exe.5ba0000.11.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.2.RegSvcs.exe.5ba0000.11.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.TdX45jQWjj.exe.46e55c0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.TdX45jQWjj.exe.46e55c0.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 8.2.RegSvcs.exe.5ba4629.10.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.2.RegSvcs.exe.5ba4629.10.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.2.RegSvcs.exe.5900000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.2.RegSvcs.exe.5900000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.2.RegSvcs.exe.3f39511.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.2.RegSvcs.exe.3f39511.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.2.RegSvcs.exe.2ef16fc.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.2.RegSvcs.exe.2ef16fc.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.2.RegSvcs.exe.2ef6578.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.2.RegSvcs.exe.2ef6578.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/

Source: 8.2.RegSvcs.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 8.2.RegSvcs.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 8.2.RegSvcs.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: classification engine

Classification label: mal100.troj.evad.winEXE@18/13@10/2

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 8_2_051D13F6 AdjustTokenPrivileges,		8_2_051D13F6
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 8_2_051D13BF AdjustTokenPrivileges,		8_2_051D13BF

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

File created: C:\Program Files (x86)\DHCP Monitor

Jump to behavior

Source: C:\Users\user\Desktop\TdX45jQWjj.exe

File created: C:\Users\user\AppData\Roaming\RTOqzQABo.exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6812:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6800:120:WilError_01
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6920:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6688:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6224:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1868:120:WilError_01
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Mutant created: \Sessions\1\BaseNamedObjects\ebczztAXVVdyft
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{572eb7a9-aedf-4b39-8669-f7563dab8a38}

Source: C:\Users\user\Desktop\TdX45jQWjj.exe

File created: C:\Users\user\AppData\Local\Temp\tmp84A9.tmp

Jump to behavior

Source: TdX45jQWjj.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior

Source: C:\Users\user\Desktop\TdX45jQWjj.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\TdX45jQWjj.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: TdX45jQWjj.exe

ReversingLabs: Detection: 18%

Source: C:\Users\user\Desktop\TdX45jQWjj.exe

File read: C:\Users\user\Desktop\TdX45jQWjj.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\TdX45jQWjj.exe 'C:\Users\user\Desktop\TdX45jQWjj.exe'
Source: unknown	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\RTOqzQABo' /XML 'C:\Users\user\AppData\Local\Temp\tmp84A9.tmp'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe {path}
Source: unknown	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpDEF3.tmp'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpE1E2.tmp'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe 0
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\RTOqzQABo' /XML 'C:\Users\user\AppData\Local\Temp\tmp84A9.tmp'	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe {path}	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpDEF3.tmp'	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpE1E2.tmp'	Jump to behavior

Source: C:\Users\user\Desktop\TdX45jQWjj.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\TdX45jQWjj.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Jump to behavior

Source: TdX45jQWjj.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: C:\Users\user\Desktop\TdX45jQWjj.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Jump to behavior

Source: TdX45jQWjj.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.pdb source: RegSvcs.exe, 00000008.00000002.596585124.00000000011C5000.00000004.00000040.sdmp
Source:	Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\NanoProtectPlugin\NanoProtectClient\obj\Debug\NanoProtectClient.pdb source: RegSvcs.exe, 00000008.00000002.598166054.0000000002EE1000.00000004.00000001.sdmp
Source:	Binary string: System.EnterpriseServices.Wrapper.pdb source: RegSvcs.exe, 0000000E.00000002.406605593.0000000004A70000.00000002.00000001.sdmp, dhcpmon.exe, 00000012.00000002.414673187.0000000005020000.00000002.00000001.sdmp
Source:	Binary string: indows\RegSvcs.pdbpdbvcs.pdb source: RegSvcs.exe, 00000008.00000002.596585124.00000000011C5000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\symbols\exe\RegSvcs.pdb source: RegSvcs.exe, 00000008.00000002.596585124.00000000011C5000.00000004.00000040.sdmp
Source:	Binary string: RegSvcs.pdb source: dhcpmon.exe, dhcpmon.exe.8.dr
Source:	Binary string: mscorrc.pdb source: TdX45jQWjj.exe, 00000000.00000002.406858007.0000000008610000.00000002.00000001.sdmp, RegSvcs.exe, 00000008.00000002.602087565.00000000058A0000.00000002.00000001.sdmp, RegSvcs.exe, 0000000E.00000002.407150676.0000000004B20000.00000002.00000001.sdmp, dhcpmon.exe, 00000010.00000002.407442223.00000000050F0000.00000002.00000001.sdmp

Data Obfuscation:

.NET source code contains potential unpacker

Show sources

Source: 8.2.RegSvcs.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 8.2.RegSvcs.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 8_2_011EAE1B push cs; retf	8_2_011EAE33
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 8_2_011EAD34 push cs; retf	8_2_011EAD4B
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 8_2_011E74B8 push ebp; ret	8_2_011E74B9
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 8_2_011E74AC push ecx; ret	8_2_011E74AD
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 8_2_011EADA8 push cs; retf	8_2_011EADBF

Source: initial sample	Static PE information: section name: .text entropy: 6.88263810957
Source: initial sample	Static PE information: section name: .text entropy: 6.88263810957

Source: 8.2.RegSvcs.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 8.2.RegSvcs.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='

Persistence and Installation Behavior:

Source: C:\Users\user\Desktop\TdX45jQWjj.exe	File created: C:\Users\user\AppData\Roaming\RTOqzQABo.exe			Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe			Jump to dropped file

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules

Show sources

Source: unknown

Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\RTOqzQABo' /XML 'C:\Users\user\AppData\Local\Temp\tmp84A9.tmp'

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM_3

Show sources

Source: Yara match

File source: Process Memory Space: TdX45jQWjj.exe PID: 6960, type: MEMORY

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Show sources

Source: C:\Users\user\Desktop\TdX45jQWjj.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\cimv2 : SELECT * FROM Win32_VideoController

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: TdX45jQWjj.exe, 00000000.00000002.390647590.0000000003251000.00000004.00000001.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME<
Source: TdX45jQWjj.exe, 00000000.00000002.390647590.0000000003251000.00000004.00000001.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: TdX45jQWjj.exe, 00000000.00000002.392822198.0000000003654000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 name: Identifier	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum name: 0	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

Source: C:\Users\user\Desktop\TdX45jQWjj.exe

Code function: 0_2_01108340 sldt word ptr [eax]

0_2_01108340

Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

Window / User API: foregroundWindowGot 734

Jump to behavior

Source: C:\Users\user\Desktop\TdX45jQWjj.exe TID: 6984	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 7104	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4632	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

Code function: 8_2_051D161A GetSystemInfo,

8_2_051D161A

Source: TdX45jQWjj.exe, 00000000.00000002.390647590.0000000003251000.00000004.00000001.sdmp	Binary or memory string: kr#"SOFTWARE\VMware, Inc.\VMware Tools<
Source: TdX45jQWjj.exe, 00000000.00000003.388341495.0000000001203000.00000004.00000001.sdmp	Binary or memory string: VMware
Source: TdX45jQWjj.exe, 00000000.00000002.390647590.0000000003251000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II<
Source: RegSvcs.exe, 00000008.00000003.403350534.0000000000DFA000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll{
Source: RegSvcs.exe, 00000008.00000002.602591369.0000000006460000.00000002.00000001.sdmp, RegSvcs.exe, 0000000E.00000002.407440709.0000000004B80000.00000002.00000001.sdmp, dhcpmon.exe, 00000010.00000002.407708649.0000000005150000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: TdX45jQWjj.exe, 00000000.00000002.390647590.0000000003251000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: TdX45jQWjj.exe, 00000000.00000002.390647590.0000000003251000.00000004.00000001.sdmp	Binary or memory string: kr&%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\<
Source: TdX45jQWjj.exe, 00000000.00000002.390647590.0000000003251000.00000004.00000001.sdmp	Binary or memory string: krA"SOFTWARE\VMware, Inc.\VMware Tools
Source: TdX45jQWjj.exe, 00000000.00000002.390647590.0000000003251000.00000004.00000001.sdmp	Binary or memory string: kr%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: TdX45jQWjj.exe, 00000000.00000003.388341495.0000000001203000.00000004.00000001.sdmp	Binary or memory string: Win32_VideoController(Standard display types)VMwareLN81D5VWWin32_VideoControllerU8Y22OM9VideoController120060621000000.000000-00059181677display.infMSBDACPYZYXKEPCI\VEN_15AD&DEV_0405&SUBSYS_040515AD&REV_00\3&61AAA01&0&78OKWin32_ComputerSystemcomputer1280 x 1024 x 4294967296 colorsNZ4_DGR8
Source: TdX45jQWjj.exe, 00000000.00000002.390647590.0000000003251000.00000004.00000001.sdmp	Binary or memory string: VMWARE<
Source: TdX45jQWjj.exe, 00000000.00000002.390647590.0000000003251000.00000004.00000001.sdmp	Binary or memory string: kr87HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware Tools\.
Source: TdX45jQWjj.exe, 00000000.00000002.390647590.0000000003251000.00000004.00000001.sdmp	Binary or memory string: VMWARE
Source: TdX45jQWjj.exe, 00000000.00000002.390647590.0000000003251000.00000004.00000001.sdmp	Binary or memory string: kr"SOFTWARE\VMware, Inc.\VMware Tools
Source: TdX45jQWjj.exe, 00000000.00000003.388341495.0000000001203000.00000004.00000001.sdmp	Binary or memory string: Win32_VideoController(Standard display types)VMwareLN81D5VWWin3
Source: TdX45jQWjj.exe, 00000000.00000002.390647590.0000000003251000.00000004.00000001.sdmp	Binary or memory string: QEMU<
Source: RegSvcs.exe, 00000008.00000002.602591369.0000000006460000.00000002.00000001.sdmp, RegSvcs.exe, 0000000E.00000002.407440709.0000000004B80000.00000002.00000001.sdmp, dhcpmon.exe, 00000010.00000002.407708649.0000000005150000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: RegSvcs.exe, 00000008.00000002.602591369.0000000006460000.00000002.00000001.sdmp, RegSvcs.exe, 0000000E.00000002.407440709.0000000004B80000.00000002.00000001.sdmp, dhcpmon.exe, 00000010.00000002.407708649.0000000005150000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: TdX45jQWjj.exe, 00000000.00000002.390647590.0000000003251000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: TdX45jQWjj.exe, 00000000.00000002.390647590.0000000003251000.00000004.00000001.sdmp	Binary or memory string: kr#"SOFTWARE\VMware, Inc.\VMware ToolsH
Source: RegSvcs.exe, 00000008.00000002.602591369.0000000006460000.00000002.00000001.sdmp, RegSvcs.exe, 0000000E.00000002.407440709.0000000004B80000.00000002.00000001.sdmp, dhcpmon.exe, 00000010.00000002.407708649.0000000005150000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Anti Debugging:

Source: C:\Users\user\Desktop\TdX45jQWjj.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Allocates memory in foreign processes

Show sources

Source: C:\Users\user\Desktop\TdX45jQWjj.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 400000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\Desktop\TdX45jQWjj.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 400000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Show sources

Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 402000	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 420000	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 422000	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: A39008	Jump to behavior

Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\RTOqzQABo' /XML 'C:\Users\user\AppData\Local\Temp\tmp84A9.tmp'	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe {path}	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpDEF3.tmp'	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpE1E2.tmp'	Jump to behavior

Source: RegSvcs.exe, 00000008.00000003.455367738.0000000000E0F000.00000004.00000001.sdmp	Binary or memory string: Program Manager (x86)\DHCP Monitor\dhcpmon.exegSvcs.exe
Source: RegSvcs.exe, 00000008.00000002.599974764.000000000312D000.00000004.00000001.sdmp	Binary or memory string: Program Manager
Source: RegSvcs.exe, 00000008.00000002.597160174.0000000001690000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: RegSvcs.exe, 00000008.00000002.597160174.0000000001690000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: RegSvcs.exe, 00000008.00000003.455302856.0000000000DBF000.00000004.00000001.sdmp	Binary or memory string: Program Manager4}
Source: RegSvcs.exe, 00000008.00000002.597160174.0000000001690000.00000002.00000001.sdmp	Binary or memory string: &Program Manager
Source: RegSvcs.exe, 00000008.00000003.532563250.0000000000DBF000.00000004.00000001.sdmp	Binary or memory string: Program Managerx
Source: RegSvcs.exe, 00000008.00000002.597160174.0000000001690000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TdX45jQWjj.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\TdX45jQWjj.exe

Code function: 0_2_0679195A GetUserNameA,

0_2_0679195A

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000000.00000002.395064094.00000000046E5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.394099052.0000000004251000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.595499721.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.602238562.0000000005BA0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.600580275.0000000003F27000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 3012, type: MEMORY
Source: Yara match	File source: Process Memory Space: TdX45jQWjj.exe PID: 6960, type: MEMORY
Source: Yara match	File source: 8.2.RegSvcs.exe.5ba0000.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RegSvcs.exe.3f33adb.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.TdX45jQWjj.exe.4492898.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.TdX45jQWjj.exe.43917e8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RegSvcs.exe.3f2ec9e.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RegSvcs.exe.3f39511.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.TdX45jQWjj.exe.4492898.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RegSvcs.exe.5ba0000.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.TdX45jQWjj.exe.46e55c0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RegSvcs.exe.5ba4629.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RegSvcs.exe.3f39511.4.unpack, type: UNPACKEDPE

Remote Access Functionality:

Detected Nanocore Rat

Show sources

Source: TdX45jQWjj.exe, 00000000.00000002.395064094.00000000046E5000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: RegSvcs.exe, 00000008.00000002.598166054.0000000002EE1000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: RegSvcs.exe, 00000008.00000002.598166054.0000000002EE1000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: RegSvcs.exe, 00000008.00000002.598166054.0000000002EE1000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoProtectClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoProtectClientClientPluginResourcesNanoProtectClient.My.ResourcesMySettingsMySettingsPropertyFunctionsNanoProtectClient.NanoProtectMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsGetProtectDirectoryGetProtectFileCreateProtectFileKillNanoCoreSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeLogClientMessageSystem.IOFileExistsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedEnvironmentSpecialFolderGetFolderPathPathCombineExceptionDirectoryDirectoryInfoCreateDirectoryFileStreamCreateProjectDataSetProjectErrorClearProjectErrorProcessGetCurrentProcessKillNanoProtectClient.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoProtectClient.dlla[NanoProtect]: Checking for NanoProtect module..

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000000.00000002.395064094.00000000046E5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.394099052.0000000004251000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.595499721.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.602238562.0000000005BA0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.600580275.0000000003F27000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 3012, type: MEMORY
Source: Yara match	File source: Process Memory Space: TdX45jQWjj.exe PID: 6960, type: MEMORY
Source: Yara match	File source: 8.2.RegSvcs.exe.5ba0000.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RegSvcs.exe.3f33adb.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.TdX45jQWjj.exe.4492898.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.TdX45jQWjj.exe.43917e8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RegSvcs.exe.3f2ec9e.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RegSvcs.exe.3f39511.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.TdX45jQWjj.exe.4492898.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RegSvcs.exe.5ba0000.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.TdX45jQWjj.exe.46e55c0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RegSvcs.exe.5ba4629.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RegSvcs.exe.3f39511.4.unpack, type: UNPACKEDPE

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 8_2_051D2B26 bind,		8_2_051D2B26
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 8_2_051D2AF6 bind,		8_2_051D2AF6

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation1	Scheduled Task/Job1	Access Token Manipulation1	Disable or Modify Tools1	Input Capture21	Account Discovery1	Remote Services	Archive Collected Data11	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job1	Boot or Logon Initialization Scripts	Process Injection312	Deobfuscate/Decode Files or Information1	LSASS Memory	File and Directory Discovery1	Remote Desktop Protocol	Input Capture21	Exfiltration Over Bluetooth	Non-Standard Port1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Scheduled Task/Job1	Obfuscated Files or Information3	Security Account Manager	System Information Discovery13	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Remote Access Software1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Software Packing12	NTDS	Security Software Discovery311	Distributed Component Object Model	Input Capture	Scheduled Transfer	Non-Application Layer Protocol1	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Masquerading2	LSA Secrets	Virtualization/Sandbox Evasion14	SSH	Keylogging	Data Transfer Size Limits	Application Layer Protocol11	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Virtualization/Sandbox Evasion14	Cached Domain Credentials	Process Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Access Token Manipulation1	DCSync	Application Window Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Process Injection312	Proc Filesystem	System Owner/User Discovery1	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Hidden Files and Directories1	/etc/passwd and /etc/shadow	Remote System Discovery1	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
TdX45jQWjj.exe	19%	ReversingLabs	Win32.Trojan.AgentTesla

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	0%	Metadefender		Browse
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	0%	ReversingLabs
C:\Users\user\AppData\Roaming\RTOqzQABo.exe	19%	ReversingLabs	Win32.Trojan.AgentTesla

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
8.2.RegSvcs.exe.400000.0.unpack	100%	Avira	TR/Dropper.MSIL.Gen7		Download File
8.2.RegSvcs.exe.5ba0000.11.unpack	100%	Avira	TR/NanoCore.fadte		Download File

Domains

Source	Detection	Scanner	Label	Link
strongodss.ddns.net	8%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://www.sajatypeworks.com.	0%	Virustotal		Browse
http://www.sajatypeworks.com.	0%	Avira URL Cloud	safe
http://www.tiro.com6	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cnW	0%	Avira URL Cloud	safe
http://www.sajatypeworks.comn-u	0%	Avira URL Cloud	safe
http://www.tiro.com0	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cna-d	0%	Avira URL Cloud	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.esvstudybible.org/search?q=Whttp://www.blueletterbible.org/Bible.cfm?b=	0%	Avira URL Cloud	safe
http://www.founder.c	0%	URL Reputation	safe
http://www.founder.c	0%	URL Reputation	safe
http://www.founder.c	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://topicalmemorysystem.googlecode.com/files/	0%	Avira URL Cloud	safe
http://www.fontbureau.comalsF	0%	URL Reputation	safe
http://www.fontbureau.comalsF	0%	URL Reputation	safe
http://www.fontbureau.comalsF	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.founder.com.cn/cnr-t	0%	Avira URL Cloud	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.urwpp.de&	0%	Avira URL Cloud	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.de	0%	URL Reputation	safe
http://www.urwpp.de	0%	URL Reputation	safe
http://www.urwpp.de	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.founder.com.cn/cnf	0%	Avira URL Cloud	safe
http://www.sajatypeworks.comt-b	0%	Avira URL Cloud	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.fontbureau.com.TTF	0%	URL Reputation	safe
http://www.fontbureau.com.TTF	0%	URL Reputation	safe
http://www.fontbureau.com.TTF	0%	URL Reputation	safe
http://www.sakkal.comX	0%	Avira URL Cloud	safe
http://www.fontbureau.comC	0%	Avira URL Cloud	safe
http://www.tiro.comicx	0%	Avira URL Cloud	safe
http://www.fontbureau.comsiefd	0%	Avira URL Cloud	safe
http://www.fontbureau.comH	0%	Avira URL Cloud	safe
http://www.urwpp.deas	0%	Avira URL Cloud	safe
http://www.esvstudybible.org/search?q=	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/C	0%	Avira URL Cloud	safe
http://www.urwpp.deF0	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/jp/	0%	URL Reputation	safe
http://www.fontbureau.coma	0%	URL Reputation	safe
http://www.fontbureau.coma	0%	URL Reputation	safe
http://www.fontbureau.coma	0%	URL Reputation	safe
http://www.fonts.comW	0%	Avira URL Cloud	safe
http://www.sakkal.com8	0%	Avira URL Cloud	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.urwpp.deq	0%	Avira URL Cloud	safe
http://www.fontbureau.comldco	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.founder.com.cn/cn4	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/d	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/d	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/d	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
strongodss.ddns.net	87.237.165.78	true	true	8%, Virustotal, Browse	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.sajatypeworks.com.	TdX45jQWjj.exe, 00000000.00000003.329212871.000000000166D000.00000004.00000001.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designersG	TdX45jQWjj.exe, 00000000.00000002.405149050.0000000006822000.00000004.00000001.sdmp	false		high
http://www.fontbureau.com/designers/?	TdX45jQWjj.exe, 00000000.00000002.405149050.0000000006822000.00000004.00000001.sdmp	false		high
http://www.tiro.com6	TdX45jQWjj.exe, 00000000.00000003.332995890.000000000556B000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.founder.com.cn/cn/bThe	TdX45jQWjj.exe, 00000000.00000002.405149050.0000000006822000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cnW	TdX45jQWjj.exe, 00000000.00000003.332432427.0000000005571000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers?	TdX45jQWjj.exe, 00000000.00000002.405149050.0000000006822000.00000004.00000001.sdmp	false		high
http://www.sajatypeworks.comn-u	TdX45jQWjj.exe, 00000000.00000003.329212871.000000000166D000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.tiro.com0	TdX45jQWjj.exe, 00000000.00000003.334600510.000000000557B000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.founder.com.cn/cna-d	TdX45jQWjj.exe, 00000000.00000003.332121914.0000000005563000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.tiro.com	TdX45jQWjj.exe, 00000000.00000002.405149050.0000000006822000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.esvstudybible.org/search?q=Whttp://www.blueletterbible.org/Bible.cfm?b=	TdX45jQWjj.exe	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers	TdX45jQWjj.exe, 00000000.00000002.405149050.0000000006822000.00000004.00000001.sdmp	false		high
http://www.founder.c	TdX45jQWjj.exe, 00000000.00000003.333029459.0000000005566000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.goodfont.co.kr	TdX45jQWjj.exe, 00000000.00000002.405149050.0000000006822000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://topicalmemorysystem.googlecode.com/files/	TdX45jQWjj.exe	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.comalsF	TdX45jQWjj.exe, 00000000.00000003.341606484.0000000005566000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.sajatypeworks.com	TdX45jQWjj.exe, 00000000.00000002.405149050.0000000006822000.00000004.00000001.sdmp, TdX45jQWjj.exe, 00000000.00000003.329212871.000000000166D000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.typography.netD	TdX45jQWjj.exe, 00000000.00000002.405149050.0000000006822000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cn/cThe	TdX45jQWjj.exe, 00000000.00000002.405149050.0000000006822000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	TdX45jQWjj.exe, 00000000.00000002.405149050.0000000006822000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://fontfabrik.com	TdX45jQWjj.exe, 00000000.00000003.330218742.000000000559D000.00000004.00000001.sdmp, TdX45jQWjj.exe, 00000000.00000002.405149050.0000000006822000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.blueletterbible.org/Bible.cfm?b=	TdX45jQWjj.exe	false		high
http://www.founder.com.cn/cnr-t	TdX45jQWjj.exe, 00000000.00000003.332121914.0000000005563000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.galapagosdesign.com/DPlease	TdX45jQWjj.exe, 00000000.00000002.405149050.0000000006822000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.urwpp.de&	TdX45jQWjj.exe, 00000000.00000003.342118309.000000000557F000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://www.fonts.com	TdX45jQWjj.exe, 00000000.00000002.405149050.0000000006822000.00000004.00000001.sdmp	false		high
http://www.sandoll.co.kr	TdX45jQWjj.exe, 00000000.00000002.405149050.0000000006822000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.urwpp.deDPlease	TdX45jQWjj.exe, 00000000.00000002.405149050.0000000006822000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.urwpp.de	TdX45jQWjj.exe, 00000000.00000003.342496493.000000000557F000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	TdX45jQWjj.exe, 00000000.00000002.405149050.0000000006822000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cnf	TdX45jQWjj.exe, 00000000.00000003.332432427.0000000005571000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.sajatypeworks.comt-b	TdX45jQWjj.exe, 00000000.00000003.329212871.000000000166D000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.sakkal.com	TdX45jQWjj.exe, 00000000.00000002.405149050.0000000006822000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com.TTF	TdX45jQWjj.exe, 00000000.00000003.341606484.0000000005566000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.sakkal.comX	TdX45jQWjj.exe, 00000000.00000003.336154433.0000000005572000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.comC	TdX45jQWjj.exe, 00000000.00000003.341606484.0000000005566000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.tiro.comicx	TdX45jQWjj.exe, 00000000.00000003.334600510.000000000557B000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0	TdX45jQWjj.exe, 00000000.00000002.405149050.0000000006822000.00000004.00000001.sdmp	false		high
http://www.fontbureau.com	TdX45jQWjj.exe, 00000000.00000002.405149050.0000000006822000.00000004.00000001.sdmp	false		high
http://www.fontbureau.comsiefd	TdX45jQWjj.exe, 00000000.00000003.341606484.0000000005566000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.comH	TdX45jQWjj.exe, 00000000.00000003.341606484.0000000005566000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.biblegateway.com/passage/?search=	TdX45jQWjj.exe	false		high
http://www.urwpp.deas	TdX45jQWjj.exe, 00000000.00000003.337611054.000000000557F000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.esvstudybible.org/search?q=	TdX45jQWjj.exe	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/C	TdX45jQWjj.exe, 00000000.00000003.335242026.0000000005566000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.urwpp.deF0	TdX45jQWjj.exe, 00000000.00000003.342496493.000000000557F000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/jp/	TdX45jQWjj.exe, 00000000.00000003.335242026.0000000005566000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.coma	TdX45jQWjj.exe, 00000000.00000002.395767153.0000000005560000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fonts.comW	TdX45jQWjj.exe, 00000000.00000003.329977481.000000000559D000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.biblija.net/biblija.cgi?m=	TdX45jQWjj.exe	false		high
http://www.sakkal.com8	TdX45jQWjj.exe, 00000000.00000003.335896168.0000000005572000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.coml	TdX45jQWjj.exe, 00000000.00000002.405149050.0000000006822000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	TdX45jQWjj.exe, 00000000.00000002.405149050.0000000006822000.00000004.00000001.sdmp	false		high
http://www.founder.com.cn/cn	TdX45jQWjj.exe, 00000000.00000002.405149050.0000000006822000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-jones.html	TdX45jQWjj.exe, 00000000.00000002.405149050.0000000006822000.00000004.00000001.sdmp	false		high
http://www.urwpp.deq	TdX45jQWjj.exe, 00000000.00000003.337507075.000000000557F000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.comldco	TdX45jQWjj.exe, 00000000.00000002.395767153.0000000005560000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/	TdX45jQWjj.exe, 00000000.00000002.405149050.0000000006822000.00000004.00000001.sdmp, TdX45jQWjj.exe, 00000000.00000003.335447637.0000000005566000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cn4	TdX45jQWjj.exe, 00000000.00000003.331982815.0000000005563000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers8	TdX45jQWjj.exe, 00000000.00000002.405149050.0000000006822000.00000004.00000001.sdmp	false		high
http://www.jiyu-kobo.co.jp/d	TdX45jQWjj.exe, 00000000.00000003.335242026.0000000005566000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/f	TdX45jQWjj.exe, 00000000.00000003.337840613.000000000557F000.00000004.00000001.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
87.237.165.78	unknown	Russian Federation		49967	MTVHGB	true
79.134.225.43	unknown	Switzerland		6775	FINK-TELECOM-SERVICESCH	true

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	356818
Start date:	23.02.2021
Start time:	17:16:26
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 10m 5s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	TdX45jQWjj.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	34
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@18/13@10/2
EGA Information:	Failed
HDC Information:	Successful, ratio: 1.7% (good quality ratio 1.2%) Quality average: 43% Quality standard deviation: 34.1%
HCA Information:	Successful, ratio: 98% Number of executed functions: 424 Number of non-executed functions: 6
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information. Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 13.64.90.137, 23.211.6.115, 52.255.188.83, 104.43.139.144, 104.43.193.48, 168.61.161.212, 51.104.139.180, 8.248.131.254, 8.253.207.121, 8.253.204.121, 67.26.73.254, 8.248.137.254, 51.103.5.159, 52.155.217.156, 92.122.213.247, 92.122.213.194, 20.54.26.129, 184.30.24.56 Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, a1449.dscg2.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, wns.notify.trafficmanager.net, audownload.windowsupdate.nsatc.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, auto.au.download.windowsupdate.com.c.footprint.net, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, skypedataprdcolwus17.cloudapp.net, client.wns.windows.com, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, skypedataprdcolcus17.cloudapp.net, ctldl.windowsupdate.com, e1723.g.akamaiedge.net, skypedataprdcolcus16.cloudapp.net, skypedataprdcolcus15.cloudapp.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
17:17:26	API Interceptor	2x Sleep call for process: TdX45jQWjj.exe modified
17:17:47	API Interceptor	749x Sleep call for process: RegSvcs.exe modified
17:17:47	Autostart	Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
17:17:48	Task Scheduler	Run new task: DHCP Monitor path: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe" s>$(Arg0)
17:17:48	Task Scheduler	Run new task: DHCP Monitor Task path: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" s>$(Arg0)

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
79.134.225.43	JfRbEbUkpV39K4L.exe	Get hash	malicious	Browse
	Dachser Consulta de cliente saliente no. 000150849 - SKBMT03082020-0012-IMG0149.exe	Get hash	malicious	Browse
	290453721.xls	Get hash	malicious	Browse
	nUo0FukkVO.xls	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
MTVHGB	QUOTATION 19 01 2021.exe	Get hash	malicious	Browse	87.237.165.162
FINK-TELECOM-SERVICESCH	e92b274943f4a3a557881ee0dd57772d.exe	Get hash	malicious	Browse	79.134.225.105
	WxTm2cWLHF.exe	Get hash	malicious	Browse	79.134.225.71
	Payment Confirmation.exe	Get hash	malicious	Browse	79.134.225.30
	rjHlt1zz28.exe	Get hash	malicious	Browse	79.134.225.49
	Deadly Variants of Covid 19.doc	Get hash	malicious	Browse	79.134.225.49
	document.exe	Get hash	malicious	Browse	79.134.225.122
	5293ea9467ea45e928620a5ed74440f5.exe	Get hash	malicious	Browse	79.134.225.105
	f1a14e6352036833f1c109e1bb2934f2.exe	Get hash	malicious	Browse	79.134.225.105
	256ec8f8f67b59c5e085b0bb63afcd13.exe	Get hash	malicious	Browse	79.134.225.105
	JOIN.exe	Get hash	malicious	Browse	79.134.225.30
	Delivery pdf.exe	Get hash	malicious	Browse	79.134.225.25
	d88e07467ddcf9e3b19fa972b9f000d1.exe	Get hash	malicious	Browse	79.134.225.105
	fnfqzfwC44.exe	Get hash	malicious	Browse	79.134.225.25
	Solicitud de oferta 6100003768.exe	Get hash	malicious	Browse	79.134.225.96
	Nrfgylra.exe	Get hash	malicious	Browse	79.134.225.96
	HTQ19-P0401-Q0539 NE-Q22940 GR2P5 TYPBLDG-NASER AL FERDAN.exe	Get hash	malicious	Browse	79.134.225.62
	HTQ19-P0401-Q0539 NE-Q22940 GR2P5 TYPBLDG-NASER AL FERDAN.exe	Get hash	malicious	Browse	79.134.225.62
	HTQ19-P0401-Q0539 NE-Q22940 GR2P5 TYPBLDG-NASER AL FERDAN.exe	Get hash	malicious	Browse	79.134.225.62
	Form pdf.exe	Get hash	malicious	Browse	79.134.225.25
	Quotation 3342688.exe	Get hash	malicious	Browse	79.134.225.120

JA3 Fingerprints

No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	a34b93ef-dea2-45f8-a5bf-4f6b0b5291c7.exe	Get hash	malicious	Browse
	3fcd8c19-af88-4cd9-87e7-0bfea1de01a1.exe	Get hash	malicious	Browse
	Vietnam Order.exe	Get hash	malicious	Browse
	Dhl Shipping Document.exe	Get hash	malicious	Browse
	PO-WJO-001, pdf.exe	Get hash	malicious	Browse
	byWuWAR5FD.exe	Get hash	malicious	Browse
	parcel_images.exe	Get hash	malicious	Browse
	0712020.exe	Get hash	malicious	Browse
	JfRbEbUkpV39K4L.exe	Get hash	malicious	Browse
	DECEMBER QUOTATION REQUEST FOR FR12007POH0008_PO0000143_ETQ.exe	Get hash	malicious	Browse
	DECEMBER QUOTATION REQUEST FOR FR12007POH0008_PO0000143_ETQ.exe	Get hash	malicious	Browse
	zC3edqmNNt.exe	Get hash	malicious	Browse
	Shipping Document.pdf..exe	Get hash	malicious	Browse
	PPR & CPR_HEA_DECEMBER 4 2020.exe	Get hash	malicious	Browse
	AdministratorDownloadsBL,.rar.exe	Get hash	malicious	Browse
	signed_19272.zip(#U007e18 KB) (2).exe	Get hash	malicious	Browse
	TT Swift Copy..,.exe	Get hash	malicious	Browse
	Invoice-.exe	Get hash	malicious	Browse
	Invoice..,.exe	Get hash	malicious	Browse
	Bank Update Info.exe	Get hash	malicious	Browse

Created / dropped Files

C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	3.7515815714465193
Encrypted:	false
SSDEEP:	384:BOj9Y8/gS7SDriLGKq1MHR5U4Ag6ihJSxUCR1rgCPKabK2t0X5P7DZ+JgWSW72uw:B+gSAdN1MH3HAFRJngW2u
MD5:	71369277D09DA0830C8C59F9E22BB23A
SHA1:	37F9781314F0F6B7E9CB529A573F2B1C8DE9E93F
SHA-256:	D4527B7AD2FC4778CC5BE8709C95AEA44EAC0568B367EE14F7357D72898C3698
SHA-512:	2F470383E3C796C4CF212EC280854DBB9E7E8C8010CE6857E58F8E7066D7516B7CD7039BC5C0F547E1F5C7F9F2287869ADFFB2869800B08B2982A88BE96E9FB7
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: a34b93ef-dea2-45f8-a5bf-4f6b0b5291c7.exe, Detection: malicious, Browse Filename: 3fcd8c19-af88-4cd9-87e7-0bfea1de01a1.exe, Detection: malicious, Browse Filename: Vietnam Order.exe, Detection: malicious, Browse Filename: Dhl Shipping Document.exe, Detection: malicious, Browse Filename: PO-WJO-001, pdf.exe, Detection: malicious, Browse Filename: byWuWAR5FD.exe, Detection: malicious, Browse Filename: parcel_images.exe, Detection: malicious, Browse Filename: 0712020.exe, Detection: malicious, Browse Filename: JfRbEbUkpV39K4L.exe, Detection: malicious, Browse Filename: DECEMBER QUOTATION REQUEST FOR FR12007POH0008_PO0000143_ETQ.exe, Detection: malicious, Browse Filename: DECEMBER QUOTATION REQUEST FOR FR12007POH0008_PO0000143_ETQ.exe, Detection: malicious, Browse Filename: zC3edqmNNt.exe, Detection: malicious, Browse Filename: Shipping Document.pdf..exe, Detection: malicious, Browse Filename: PPR & CPR_HEA_DECEMBER 4 2020.exe, Detection: malicious, Browse Filename: AdministratorDownloadsBL,.rar.exe, Detection: malicious, Browse Filename: signed_19272.zip(#U007e18 KB) (2).exe, Detection: malicious, Browse Filename: TT Swift Copy..,.exe, Detection: malicious, Browse Filename: Invoice-.exe, Detection: malicious, Browse Filename: Invoice..,.exe, Detection: malicious, Browse Filename: Bank Update Info.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....{Z.................P... .......k... ........@.. ...............................[....@..................................k..K................................... k............................................... ............... ..H............text....K... ...P.................. ..`.rsrc................`..............@..@.reloc...............p..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\RegSvcs.exe.log Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	120
Entropy (8bit):	5.016405576253028
Encrypted:	false
SSDEEP:	3:QHXMKaoWglAFXMWA2yTMGfsbNXLVd49Am12MFuAvOAsDeieVyn:Q3LawlAFXMWTyAGCFLIP12MUAvvrs
MD5:	50DEC1858E13F033E6DCA3CBFAD5E8DE
SHA1:	79AE1E9131B0FAF215B499D2F7B4C595AA120925
SHA-256:	14A557E226E3BA8620BB3A70035E1E316F1E9FB5C9E8F74C07110EE90B8D8AE4
SHA-512:	1BD73338DF685A5B57B0546E102ECFDEE65800410D6F77845E50456AC70DE72929088AF19B59647F01CBA7A5ACFB399C52D9EF2402A9451366586862EF88E7BF
Malicious:	false
Preview:	1,"fusion","GAC",0..2,"System.EnterpriseServices, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\TdX45jQWjj.exe.log Download File
Process:	C:\Users\user\Desktop\TdX45jQWjj.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	655
Entropy (8bit):	5.273171405160065
Encrypted:	false
SSDEEP:	12:Q3LaJU20NaL10U29hJ5g1B0U2ukyrFk70Ug+9Yz9t0U2WUXBQav:MLF20NaL329hJ5g522rWz2p29XBT
MD5:	2703120C370FBB4A8BA08C6D1754039E
SHA1:	EC0DB47BF00A4A828F796147619386C0BBEA66A1
SHA-256:	F95566974BC44F3A757CAFB1456D185D8F333AC84775089DE18310B90C18B1BC
SHA-512:	BC05A2A1BE5B122FC6D3DEA66EF4258522F13351B9754378395AAD019631E312CFD3BC990F3E3D5C7BB0BDBA1EAD54A2B34A96DEE2FCCD703721E98F6192ED48
Malicious:	true
Preview:	1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Management\4de99804c29261edb63c93616550f034\System.Management.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\dhcpmon.exe.log Download File
Process:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	120
Entropy (8bit):	5.016405576253028
Encrypted:	false
SSDEEP:	3:QHXMKaoWglAFXMWA2yTMGfsbNXLVd49Am12MFuAvOAsDeieVyn:Q3LawlAFXMWTyAGCFLIP12MUAvvrs
MD5:	50DEC1858E13F033E6DCA3CBFAD5E8DE
SHA1:	79AE1E9131B0FAF215B499D2F7B4C595AA120925
SHA-256:	14A557E226E3BA8620BB3A70035E1E316F1E9FB5C9E8F74C07110EE90B8D8AE4
SHA-512:	1BD73338DF685A5B57B0546E102ECFDEE65800410D6F77845E50456AC70DE72929088AF19B59647F01CBA7A5ACFB399C52D9EF2402A9451366586862EF88E7BF
Malicious:	false
Preview:	1,"fusion","GAC",0..2,"System.EnterpriseServices, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..

C:\Users\user\AppData\Local\Temp\tmp84A9.tmp Download File
Process:	C:\Users\user\Desktop\TdX45jQWjj.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1654
Entropy (8bit):	5.164840508589519
Encrypted:	false
SSDEEP:	24:2dH4+SEqC/S7h2ulNMFp2O/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKB3GNtn:cbha7JlNQV/rydbz9I3YODOLNdq3m
MD5:	96AE2E087DAE15CE7270C5FB8128CC1E
SHA1:	F3F852F3B0134DCB9B3E3F0DB1901E0462CE9930
SHA-256:	BB20A3526C68DB79050BC2325F6C3DD8AA632A70453916E5BA989EBC9CCC3201
SHA-512:	135FF3B63071F8B48191E42B6EA6500429CC3969D675120173EF1DDEBE64DC448F3F4FA6DFFBA45D4CDC1EBB07B909C8DEB5DD3899CEA9A746A862727E91F55F
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvail

C:\Users\user\AppData\Local\Temp\tmpDEF3.tmp Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	5.135021273392143
Encrypted:	false
SSDEEP:	24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0mn4xtn:cbk4oL600QydbQxIYODOLedq3Z4j
MD5:	40B11EF601FB28F9B2E69D36857BF2EC
SHA1:	B6454020AD2CEED193F4792B77001D0BD741B370
SHA-256:	C51E12D18CC664425F6711D8AE2507068884C7057092CFA11884100E1E9D49E1
SHA-512:	E3C5BCC714CBFCA4B8058DDCDDF231DCEFA69C15881CE3F8123E59ED45CFB5DA052B56E1945DCF8DC7F800D62F9A4EECB82BCA69A66A1530787AEFFEB15E2BD5
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak

C:\Users\user\AppData\Local\Temp\tmpE1E2.tmp Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1310
Entropy (8bit):	5.109425792877704
Encrypted:	false
SSDEEP:	24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0R3xtn:cbk4oL600QydbQxIYODOLedq3S3j
MD5:	5C2F41CFC6F988C859DA7D727AC2B62A
SHA1:	68999C85FC7E37BAB9216E0099836D40D4545C1C
SHA-256:	98B6E66B6C2173B9B91FC97FE51805340EFDE978B695453742EBAB631018398B
SHA-512:	B5DA5DA378D038AFBF8A7738E47921ED39F9B726E2CAA2993D915D9291A3322F94EFE8CCA6E7AD678A670DB19926B22B20E5028460FCC89CEA7F6635E7557334
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
File Type:	ISO-8859 text, with no line terminators
Category:	dropped
Size (bytes):	8
Entropy (8bit):	2.75
Encrypted:	false
SSDEEP:	3:cg99t:cgF
MD5:	BC4D62E76C99B9DA2A2D11CAA27D85C5
SHA1:	FEBCC76A90A831BC18602642DA89F8A119A97791
SHA-256:	3F30A21FD0FBCF36E808D2B80AA932C54E57D6E82497C9219329DBE4F2018B41
SHA-512:	BBFD205513B3BF65D77F9ECF4C48A1F34324F9748C43005269F7E3D1934ECE2380CC7ACCBAAAA5BC398C6CD91B43A446072B30F91775D0C1101CC1321C0C52B4
Malicious:	true
Preview:	b.'.a..H

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\task.dat Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	57
Entropy (8bit):	4.795707286467131
Encrypted:	false
SSDEEP:	3:oMty8WbSX/MNn:oMLWus
MD5:	D685103573539B7E9FDBF5F1D7DD96CE
SHA1:	4B2FE6B5C0B37954B314FCAEE1F12237A9B02D07
SHA-256:	D78BC23B0CA3EDDF52D56AB85CDC30A71B3756569CB32AA2F6C28DBC23C76E8E
SHA-512:	17769A5944E8929323A34269ABEEF0861D5C6799B0A27F5545FBFADC80E5AB684A471AD6F6A7FC623002385154EA89DE94013051E09120AB94362E542AB0F1DD
Malicious:	false
Preview:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

C:\Users\user\AppData\Roaming\RTOqzQABo.exe Download File
Process:	C:\Users\user\Desktop\TdX45jQWjj.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	724480
Entropy (8bit):	6.873898218108219
Encrypted:	false
SSDEEP:	12288:4U1KZEwKE03lKYxU/3JHrcnfgqIxI9f105FnYGK53:4U1bE03lpS3JLcnf3e+y59S53
MD5:	F261164B55C3BE5C3C86150FF2A7CC27
SHA1:	634A546E3841AF29B068C7C6535206695EB704D0
SHA-256:	B40E22D33523AE869BA4A9A9159D37D61EC056FC14DC3DB7406D79620B801816
SHA-512:	2E082DF070977B7884D7E40E4811C1BE215872681A4E2120E3035805850DCE52D886EF923E0B8D9B96819AC5532E1209CB1B39E1CBD1E24C552B6DA593EF7AEE
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 19%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...T.4`..............0.............."... ...@....@.. ....................................@.................................d"..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................."......H.......,[...............C..H..............................................}.....(.......(......{....r...p~/...(....o......{....o....&..0............r...p(....&......o....&......................n..t.....o......{....o....&.....(.....~..{....o......{....o....(......0..+.........,..{.......+....,...{....o........(.......0............s ...}.........(!...s".....s#...}.....s$...}.....s$...}......{....s%...}.....s&...}.....s$...}.....s$...}.....s'...}.....{....o(.....{....o(..

\Device\ConDrv Download File
Process:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1145
Entropy (8bit):	4.462201512373672
Encrypted:	false
SSDEEP:	24:zKLXkzPDObntKlglUEnfQtvNuNpKOK5aM9YJC:zKL0zPDQntKKH1MqJC
MD5:	46EBEB88876A00A52CC37B1F8E0D0438
SHA1:	5E5DB352F964E5F398301662FF558BD905798A65
SHA-256:	D65BD5A6CC112838AFE8FA70BF61FD13C1313BCE3EE3E76C50E454D7B581238B
SHA-512:	E713E6F304A469FB71235C598BC7E2C6F8458ABC61DAF3D1F364F66579CAFA4A7F3023E585BDA552FB400009E7805A8CA0311A50D5EDC9C2AD2D067772A071BE
Malicious:	false
Preview:	Microsoft (R) .NET Framework Services Installation Utility Version 2.0.50727.8922..Copyright (c) Microsoft Corporation. All rights reserved.....USAGE: regsvcs.exe [options] AssemblyName..Options:.. /? or /help Display this usage message... /fc Find or create target application (default)... /c Create target application, error if it already exists... /exapp Expect an existing application... /tlb:<tlbfile> Filename for the exported type library... /appname:<name> Use the specified name for the target application... /parname:<name> Use the specified name or id for the target partition... /extlb Use an existing type library... /reconfig Reconfigure existing target application (default)... /noreconfig Don't reconfigure existing target application... /u Uninstall target application... /nologo Suppress logo output... /quiet Suppress logo output and success output...

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	6.873898218108219
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	TdX45jQWjj.exe
File size:	724480
MD5:	f261164b55c3be5c3c86150ff2a7cc27
SHA1:	634a546e3841af29b068c7c6535206695eb704d0
SHA256:	b40e22d33523ae869ba4a9a9159d37d61ec056fc14dc3db7406d79620b801816
SHA512:	2e082df070977b7884d7e40e4811c1be215872681a4e2120e3035805850dce52d886ef923e0b8d9b96819ac5532e1209cb1b39e1cbd1e24c552b6da593ef7aee
SSDEEP:	12288:4U1KZEwKE03lKYxU/3JHrcnfgqIxI9f105FnYGK53:4U1bE03lpS3JLcnf3e+y59S53
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...T.4`..............0.............."... ...@....@.. ....................................@................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General
Entrypoint:	0x4b22b6
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x6034B054 [Tue Feb 23 07:35:48 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:	v2.0.50727
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xb2264	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xb4000	0x5bc	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xb6000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xb02bc	0xb0400	False	0.647197750443	data	6.88263810957	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0xb4000	0x5bc	0x600	False	0.429036458333	data	4.1755308999	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xb6000	0xc	0x200	False	0.044921875	data	0.101910425663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0xb4090	0x32c	data
RT_MANIFEST	0xb43cc	0x1ea	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright 2016
Assembly Version	1.0.0.0
InternalName	yKpW14.exe
FileVersion	1.0.0.0
CompanyName
LegalTrademarks
Comments
ProductName	Core.Numero
ProductVersion	1.0.0.0
FileDescription	Core.Numero
OriginalFilename	yKpW14.exe

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 23, 2021 17:17:49.816740036 CET	49728	58103	192.168.2.6	87.237.165.78
Feb 23, 2021 17:17:49.866312027 CET	58103	49728	87.237.165.78	192.168.2.6
Feb 23, 2021 17:17:50.469731092 CET	49728	58103	192.168.2.6	87.237.165.78
Feb 23, 2021 17:17:50.518347025 CET	58103	49728	87.237.165.78	192.168.2.6
Feb 23, 2021 17:17:51.167937994 CET	49728	58103	192.168.2.6	87.237.165.78
Feb 23, 2021 17:17:51.216872931 CET	58103	49728	87.237.165.78	192.168.2.6
Feb 23, 2021 17:17:56.111509085 CET	49729	58103	192.168.2.6	87.237.165.78
Feb 23, 2021 17:17:56.160279036 CET	58103	49729	87.237.165.78	192.168.2.6
Feb 23, 2021 17:17:56.668401003 CET	49729	58103	192.168.2.6	87.237.165.78
Feb 23, 2021 17:17:56.719479084 CET	58103	49729	87.237.165.78	192.168.2.6
Feb 23, 2021 17:17:57.358163118 CET	49729	58103	192.168.2.6	87.237.165.78
Feb 23, 2021 17:17:57.408514023 CET	58103	49729	87.237.165.78	192.168.2.6
Feb 23, 2021 17:18:01.533585072 CET	49730	58103	192.168.2.6	87.237.165.78
Feb 23, 2021 17:18:01.582025051 CET	58103	49730	87.237.165.78	192.168.2.6
Feb 23, 2021 17:18:02.090732098 CET	49730	58103	192.168.2.6	87.237.165.78
Feb 23, 2021 17:18:02.139506102 CET	58103	49730	87.237.165.78	192.168.2.6
Feb 23, 2021 17:18:02.653309107 CET	49730	58103	192.168.2.6	87.237.165.78
Feb 23, 2021 17:18:02.701766014 CET	58103	49730	87.237.165.78	192.168.2.6
Feb 23, 2021 17:18:06.780617952 CET	49733	58103	192.168.2.6	79.134.225.43
Feb 23, 2021 17:18:06.863351107 CET	58103	49733	79.134.225.43	192.168.2.6
Feb 23, 2021 17:18:07.372442961 CET	49733	58103	192.168.2.6	79.134.225.43
Feb 23, 2021 17:18:07.452433109 CET	58103	49733	79.134.225.43	192.168.2.6
Feb 23, 2021 17:18:07.966236115 CET	49733	58103	192.168.2.6	79.134.225.43
Feb 23, 2021 17:18:08.046123981 CET	58103	49733	79.134.225.43	192.168.2.6
Feb 23, 2021 17:18:12.063834906 CET	49734	58103	192.168.2.6	79.134.225.43
Feb 23, 2021 17:18:12.143503904 CET	58103	49734	79.134.225.43	192.168.2.6
Feb 23, 2021 17:18:12.747900963 CET	49734	58103	192.168.2.6	79.134.225.43
Feb 23, 2021 17:18:12.828243971 CET	58103	49734	79.134.225.43	192.168.2.6
Feb 23, 2021 17:18:13.435470104 CET	49734	58103	192.168.2.6	79.134.225.43
Feb 23, 2021 17:18:13.512624979 CET	58103	49734	79.134.225.43	192.168.2.6
Feb 23, 2021 17:18:17.515353918 CET	49737	58103	192.168.2.6	79.134.225.43
Feb 23, 2021 17:18:17.592787981 CET	58103	49737	79.134.225.43	192.168.2.6
Feb 23, 2021 17:18:18.138947964 CET	49737	58103	192.168.2.6	79.134.225.43
Feb 23, 2021 17:18:18.218111992 CET	58103	49737	79.134.225.43	192.168.2.6
Feb 23, 2021 17:18:18.810132980 CET	49737	58103	192.168.2.6	79.134.225.43
Feb 23, 2021 17:18:18.886920929 CET	58103	49737	79.134.225.43	192.168.2.6
Feb 23, 2021 17:18:23.099721909 CET	49750	58103	192.168.2.6	87.237.165.78
Feb 23, 2021 17:18:23.148130894 CET	58103	49750	87.237.165.78	192.168.2.6
Feb 23, 2021 17:18:23.655040979 CET	49750	58103	192.168.2.6	87.237.165.78
Feb 23, 2021 17:18:23.703653097 CET	58103	49750	87.237.165.78	192.168.2.6
Feb 23, 2021 17:18:24.217570066 CET	49750	58103	192.168.2.6	87.237.165.78
Feb 23, 2021 17:18:24.266292095 CET	58103	49750	87.237.165.78	192.168.2.6
Feb 23, 2021 17:18:28.430910110 CET	49753	58103	192.168.2.6	87.237.165.78
Feb 23, 2021 17:18:28.479902983 CET	58103	49753	87.237.165.78	192.168.2.6
Feb 23, 2021 17:18:29.030546904 CET	49753	58103	192.168.2.6	87.237.165.78
Feb 23, 2021 17:18:29.081515074 CET	58103	49753	87.237.165.78	192.168.2.6
Feb 23, 2021 17:18:29.602902889 CET	49753	58103	192.168.2.6	87.237.165.78
Feb 23, 2021 17:18:29.656091928 CET	58103	49753	87.237.165.78	192.168.2.6
Feb 23, 2021 17:18:33.783016920 CET	49754	58103	192.168.2.6	87.237.165.78
Feb 23, 2021 17:18:33.831398964 CET	58103	49754	87.237.165.78	192.168.2.6
Feb 23, 2021 17:18:34.343411922 CET	49754	58103	192.168.2.6	87.237.165.78
Feb 23, 2021 17:18:34.391799927 CET	58103	49754	87.237.165.78	192.168.2.6
Feb 23, 2021 17:18:34.906061888 CET	49754	58103	192.168.2.6	87.237.165.78
Feb 23, 2021 17:18:34.957196951 CET	58103	49754	87.237.165.78	192.168.2.6
Feb 23, 2021 17:18:38.970818996 CET	49755	58103	192.168.2.6	79.134.225.43
Feb 23, 2021 17:18:39.052138090 CET	58103	49755	79.134.225.43	192.168.2.6
Feb 23, 2021 17:18:39.562731028 CET	49755	58103	192.168.2.6	79.134.225.43
Feb 23, 2021 17:18:39.642889977 CET	58103	49755	79.134.225.43	192.168.2.6
Feb 23, 2021 17:18:40.156390905 CET	49755	58103	192.168.2.6	79.134.225.43
Feb 23, 2021 17:18:40.237574100 CET	58103	49755	79.134.225.43	192.168.2.6
Feb 23, 2021 17:18:44.253082037 CET	49756	58103	192.168.2.6	79.134.225.43
Feb 23, 2021 17:18:44.330132961 CET	58103	49756	79.134.225.43	192.168.2.6
Feb 23, 2021 17:18:44.844403982 CET	49756	58103	192.168.2.6	79.134.225.43
Feb 23, 2021 17:18:44.923239946 CET	58103	49756	79.134.225.43	192.168.2.6
Feb 23, 2021 17:18:45.438157082 CET	49756	58103	192.168.2.6	79.134.225.43
Feb 23, 2021 17:18:45.515690088 CET	58103	49756	79.134.225.43	192.168.2.6
Feb 23, 2021 17:18:49.533921003 CET	49760	58103	192.168.2.6	79.134.225.43
Feb 23, 2021 17:18:49.613707066 CET	58103	49760	79.134.225.43	192.168.2.6
Feb 23, 2021 17:18:50.126089096 CET	49760	58103	192.168.2.6	79.134.225.43
Feb 23, 2021 17:18:50.203037977 CET	58103	49760	79.134.225.43	192.168.2.6
Feb 23, 2021 17:18:50.708053112 CET	49760	58103	192.168.2.6	79.134.225.43
Feb 23, 2021 17:18:50.788264036 CET	58103	49760	79.134.225.43	192.168.2.6
Feb 23, 2021 17:18:54.901932001 CET	49761	58103	192.168.2.6	87.237.165.78
Feb 23, 2021 17:18:54.953493118 CET	58103	49761	87.237.165.78	192.168.2.6
Feb 23, 2021 17:18:55.454627037 CET	49761	58103	192.168.2.6	87.237.165.78
Feb 23, 2021 17:18:55.502931118 CET	58103	49761	87.237.165.78	192.168.2.6
Feb 23, 2021 17:18:56.017488003 CET	49761	58103	192.168.2.6	87.237.165.78
Feb 23, 2021 17:18:56.066579103 CET	58103	49761	87.237.165.78	192.168.2.6
Feb 23, 2021 17:19:00.350300074 CET	49762	58103	192.168.2.6	87.237.165.78
Feb 23, 2021 17:19:00.398675919 CET	58103	49762	87.237.165.78	192.168.2.6
Feb 23, 2021 17:19:00.970395088 CET	49762	58103	192.168.2.6	87.237.165.78
Feb 23, 2021 17:19:01.021527052 CET	58103	49762	87.237.165.78	192.168.2.6
Feb 23, 2021 17:19:01.565815926 CET	49762	58103	192.168.2.6	87.237.165.78
Feb 23, 2021 17:19:01.614341021 CET	58103	49762	87.237.165.78	192.168.2.6
Feb 23, 2021 17:19:05.837376118 CET	49765	58103	192.168.2.6	87.237.165.78
Feb 23, 2021 17:19:05.886914968 CET	58103	49765	87.237.165.78	192.168.2.6
Feb 23, 2021 17:19:06.396033049 CET	49765	58103	192.168.2.6	87.237.165.78
Feb 23, 2021 17:19:06.444776058 CET	58103	49765	87.237.165.78	192.168.2.6
Feb 23, 2021 17:19:06.960246086 CET	49765	58103	192.168.2.6	87.237.165.78
Feb 23, 2021 17:19:07.011647940 CET	58103	49765	87.237.165.78	192.168.2.6
Feb 23, 2021 17:19:11.158442974 CET	49766	58103	192.168.2.6	79.134.225.43
Feb 23, 2021 17:19:11.239665031 CET	58103	49766	79.134.225.43	192.168.2.6
Feb 23, 2021 17:19:11.745487928 CET	49766	58103	192.168.2.6	79.134.225.43
Feb 23, 2021 17:19:11.825278044 CET	58103	49766	79.134.225.43	192.168.2.6
Feb 23, 2021 17:19:12.339214087 CET	49766	58103	192.168.2.6	79.134.225.43
Feb 23, 2021 17:19:12.419230938 CET	58103	49766	79.134.225.43	192.168.2.6
Feb 23, 2021 17:19:16.531472921 CET	49767	58103	192.168.2.6	79.134.225.43
Feb 23, 2021 17:19:16.608556032 CET	58103	49767	79.134.225.43	192.168.2.6
Feb 23, 2021 17:19:17.120801926 CET	49767	58103	192.168.2.6	79.134.225.43
Feb 23, 2021 17:19:17.199274063 CET	58103	49767	79.134.225.43	192.168.2.6
Feb 23, 2021 17:19:17.714587927 CET	49767	58103	192.168.2.6	79.134.225.43
Feb 23, 2021 17:19:17.792783976 CET	58103	49767	79.134.225.43	192.168.2.6
Feb 23, 2021 17:19:21.904134989 CET	49768	58103	192.168.2.6	79.134.225.43
Feb 23, 2021 17:19:21.981551886 CET	58103	49768	79.134.225.43	192.168.2.6
Feb 23, 2021 17:19:22.496238947 CET	49768	58103	192.168.2.6	79.134.225.43
Feb 23, 2021 17:19:22.573374033 CET	58103	49768	79.134.225.43	192.168.2.6
Feb 23, 2021 17:19:23.074433088 CET	49768	58103	192.168.2.6	79.134.225.43
Feb 23, 2021 17:19:23.151515007 CET	58103	49768	79.134.225.43	192.168.2.6
Feb 23, 2021 17:19:27.216268063 CET	49769	58103	192.168.2.6	87.237.165.78
Feb 23, 2021 17:19:27.267390966 CET	58103	49769	87.237.165.78	192.168.2.6
Feb 23, 2021 17:19:27.777924061 CET	49769	58103	192.168.2.6	87.237.165.78
Feb 23, 2021 17:19:27.826313019 CET	58103	49769	87.237.165.78	192.168.2.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 23, 2021 17:17:09.184077024 CET	53	54513	8.8.8.8	192.168.2.6
Feb 23, 2021 17:17:10.261516094 CET	62044	53	192.168.2.6	8.8.8.8
Feb 23, 2021 17:17:10.318402052 CET	53	62044	8.8.8.8	192.168.2.6
Feb 23, 2021 17:17:10.698014975 CET	63791	53	192.168.2.6	8.8.8.8
Feb 23, 2021 17:17:10.764590025 CET	53	63791	8.8.8.8	192.168.2.6
Feb 23, 2021 17:17:11.418453932 CET	64267	53	192.168.2.6	8.8.8.8
Feb 23, 2021 17:17:11.477303028 CET	53	64267	8.8.8.8	192.168.2.6
Feb 23, 2021 17:17:12.567426920 CET	49448	53	192.168.2.6	8.8.8.8
Feb 23, 2021 17:17:12.618798971 CET	53	49448	8.8.8.8	192.168.2.6
Feb 23, 2021 17:17:13.725222111 CET	60342	53	192.168.2.6	8.8.8.8
Feb 23, 2021 17:17:13.776582956 CET	53	60342	8.8.8.8	192.168.2.6
Feb 23, 2021 17:17:15.202279091 CET	61346	53	192.168.2.6	8.8.8.8
Feb 23, 2021 17:17:15.250933886 CET	53	61346	8.8.8.8	192.168.2.6
Feb 23, 2021 17:17:16.409442902 CET	51774	53	192.168.2.6	8.8.8.8
Feb 23, 2021 17:17:16.458087921 CET	53	51774	8.8.8.8	192.168.2.6
Feb 23, 2021 17:17:17.203763962 CET	56023	53	192.168.2.6	8.8.8.8
Feb 23, 2021 17:17:17.252573013 CET	53	56023	8.8.8.8	192.168.2.6
Feb 23, 2021 17:17:18.513149977 CET	58384	53	192.168.2.6	8.8.8.8
Feb 23, 2021 17:17:18.564690113 CET	53	58384	8.8.8.8	192.168.2.6
Feb 23, 2021 17:17:21.420331001 CET	60261	53	192.168.2.6	8.8.8.8
Feb 23, 2021 17:17:21.473280907 CET	53	60261	8.8.8.8	192.168.2.6
Feb 23, 2021 17:17:22.546210051 CET	56061	53	192.168.2.6	8.8.8.8
Feb 23, 2021 17:17:22.594912052 CET	53	56061	8.8.8.8	192.168.2.6
Feb 23, 2021 17:17:23.544114113 CET	58336	53	192.168.2.6	8.8.8.8
Feb 23, 2021 17:17:23.597176075 CET	53	58336	8.8.8.8	192.168.2.6
Feb 23, 2021 17:17:24.718357086 CET	53781	53	192.168.2.6	8.8.8.8
Feb 23, 2021 17:17:24.771702051 CET	53	53781	8.8.8.8	192.168.2.6
Feb 23, 2021 17:17:25.781019926 CET	54064	53	192.168.2.6	8.8.8.8
Feb 23, 2021 17:17:25.831368923 CET	53	54064	8.8.8.8	192.168.2.6
Feb 23, 2021 17:17:26.665043116 CET	52811	53	192.168.2.6	8.8.8.8
Feb 23, 2021 17:17:26.713695049 CET	53	52811	8.8.8.8	192.168.2.6
Feb 23, 2021 17:17:28.045661926 CET	55299	53	192.168.2.6	8.8.8.8
Feb 23, 2021 17:17:28.105572939 CET	53	55299	8.8.8.8	192.168.2.6
Feb 23, 2021 17:17:29.242130041 CET	63745	53	192.168.2.6	8.8.8.8
Feb 23, 2021 17:17:29.292561054 CET	53	63745	8.8.8.8	192.168.2.6
Feb 23, 2021 17:17:30.302110910 CET	50055	53	192.168.2.6	8.8.8.8
Feb 23, 2021 17:17:30.353559971 CET	53	50055	8.8.8.8	192.168.2.6
Feb 23, 2021 17:17:45.749149084 CET	61374	53	192.168.2.6	8.8.8.8
Feb 23, 2021 17:17:45.803076982 CET	53	61374	8.8.8.8	192.168.2.6
Feb 23, 2021 17:17:49.724088907 CET	50339	53	192.168.2.6	8.8.8.8
Feb 23, 2021 17:17:49.785586119 CET	53	50339	8.8.8.8	192.168.2.6
Feb 23, 2021 17:17:56.046478987 CET	63307	53	192.168.2.6	8.8.8.8
Feb 23, 2021 17:17:56.108705044 CET	53	63307	8.8.8.8	192.168.2.6
Feb 23, 2021 17:18:01.465342045 CET	49694	53	192.168.2.6	8.8.8.8
Feb 23, 2021 17:18:01.531475067 CET	53	49694	8.8.8.8	192.168.2.6
Feb 23, 2021 17:18:04.277283907 CET	54982	53	192.168.2.6	8.8.8.8
Feb 23, 2021 17:18:04.327717066 CET	53	54982	8.8.8.8	192.168.2.6
Feb 23, 2021 17:18:05.928406000 CET	50010	53	192.168.2.6	8.8.8.8
Feb 23, 2021 17:18:06.000159979 CET	53	50010	8.8.8.8	192.168.2.6
Feb 23, 2021 17:18:16.739250898 CET	63718	53	192.168.2.6	8.8.8.8
Feb 23, 2021 17:18:16.822832108 CET	53	63718	8.8.8.8	192.168.2.6
Feb 23, 2021 17:18:17.364798069 CET	62116	53	192.168.2.6	8.8.8.8
Feb 23, 2021 17:18:17.422219038 CET	53	62116	8.8.8.8	192.168.2.6
Feb 23, 2021 17:18:18.057244062 CET	63816	53	192.168.2.6	8.8.8.8
Feb 23, 2021 17:18:18.072122097 CET	55014	53	192.168.2.6	8.8.8.8
Feb 23, 2021 17:18:18.116528034 CET	53	63816	8.8.8.8	192.168.2.6
Feb 23, 2021 17:18:18.131342888 CET	53	55014	8.8.8.8	192.168.2.6
Feb 23, 2021 17:18:18.182094097 CET	62208	53	192.168.2.6	8.8.8.8
Feb 23, 2021 17:18:18.250031948 CET	53	62208	8.8.8.8	192.168.2.6
Feb 23, 2021 17:18:18.626137972 CET	57574	53	192.168.2.6	8.8.8.8
Feb 23, 2021 17:18:18.686405897 CET	53	57574	8.8.8.8	192.168.2.6
Feb 23, 2021 17:18:19.258896112 CET	51818	53	192.168.2.6	8.8.8.8
Feb 23, 2021 17:18:19.342488050 CET	53	51818	8.8.8.8	192.168.2.6
Feb 23, 2021 17:18:19.996468067 CET	56628	53	192.168.2.6	8.8.8.8
Feb 23, 2021 17:18:20.056597948 CET	53	56628	8.8.8.8	192.168.2.6
Feb 23, 2021 17:18:20.854536057 CET	60778	53	192.168.2.6	8.8.8.8
Feb 23, 2021 17:18:20.913292885 CET	53	60778	8.8.8.8	192.168.2.6
Feb 23, 2021 17:18:22.093715906 CET	53799	53	192.168.2.6	8.8.8.8
Feb 23, 2021 17:18:22.142374039 CET	53	53799	8.8.8.8	192.168.2.6
Feb 23, 2021 17:18:23.032670975 CET	54683	53	192.168.2.6	8.8.8.8
Feb 23, 2021 17:18:23.097532034 CET	53	54683	8.8.8.8	192.168.2.6
Feb 23, 2021 17:18:23.788300991 CET	59329	53	192.168.2.6	8.8.8.8
Feb 23, 2021 17:18:23.845614910 CET	53	59329	8.8.8.8	192.168.2.6
Feb 23, 2021 17:18:24.421181917 CET	64021	53	192.168.2.6	8.8.8.8
Feb 23, 2021 17:18:24.478604078 CET	53	64021	8.8.8.8	192.168.2.6
Feb 23, 2021 17:18:28.319880962 CET	56129	53	192.168.2.6	8.8.8.8
Feb 23, 2021 17:18:28.378196001 CET	53	56129	8.8.8.8	192.168.2.6
Feb 23, 2021 17:18:33.718417883 CET	58177	53	192.168.2.6	8.8.8.8
Feb 23, 2021 17:18:33.780843973 CET	53	58177	8.8.8.8	192.168.2.6
Feb 23, 2021 17:18:48.620522022 CET	50700	53	192.168.2.6	8.8.8.8
Feb 23, 2021 17:18:48.695178986 CET	53	50700	8.8.8.8	192.168.2.6
Feb 23, 2021 17:18:54.838036060 CET	54069	53	192.168.2.6	8.8.8.8
Feb 23, 2021 17:18:54.900182009 CET	53	54069	8.8.8.8	192.168.2.6
Feb 23, 2021 17:19:00.232599974 CET	61178	53	192.168.2.6	8.8.8.8
Feb 23, 2021 17:19:00.292726040 CET	53	61178	8.8.8.8	192.168.2.6
Feb 23, 2021 17:19:01.121434927 CET	57017	53	192.168.2.6	8.8.8.8
Feb 23, 2021 17:19:01.172938108 CET	53	57017	8.8.8.8	192.168.2.6
Feb 23, 2021 17:19:02.884172916 CET	56327	53	192.168.2.6	8.8.8.8
Feb 23, 2021 17:19:02.941157103 CET	53	56327	8.8.8.8	192.168.2.6
Feb 23, 2021 17:19:05.774005890 CET	50243	53	192.168.2.6	8.8.8.8
Feb 23, 2021 17:19:05.835586071 CET	53	50243	8.8.8.8	192.168.2.6
Feb 23, 2021 17:19:27.155184031 CET	62055	53	192.168.2.6	8.8.8.8
Feb 23, 2021 17:19:27.215336084 CET	53	62055	8.8.8.8	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Feb 23, 2021 17:17:49.724088907 CET	192.168.2.6	8.8.8.8	0x8dda	Standard query (0)	strongodss.ddns.net	A (IP address)	IN (0x0001)
Feb 23, 2021 17:17:56.046478987 CET	192.168.2.6	8.8.8.8	0x7f93	Standard query (0)	strongodss.ddns.net	A (IP address)	IN (0x0001)
Feb 23, 2021 17:18:01.465342045 CET	192.168.2.6	8.8.8.8	0x5766	Standard query (0)	strongodss.ddns.net	A (IP address)	IN (0x0001)
Feb 23, 2021 17:18:23.032670975 CET	192.168.2.6	8.8.8.8	0xcdaa	Standard query (0)	strongodss.ddns.net	A (IP address)	IN (0x0001)
Feb 23, 2021 17:18:28.319880962 CET	192.168.2.6	8.8.8.8	0xf0	Standard query (0)	strongodss.ddns.net	A (IP address)	IN (0x0001)
Feb 23, 2021 17:18:33.718417883 CET	192.168.2.6	8.8.8.8	0x8db7	Standard query (0)	strongodss.ddns.net	A (IP address)	IN (0x0001)
Feb 23, 2021 17:18:54.838036060 CET	192.168.2.6	8.8.8.8	0xe570	Standard query (0)	strongodss.ddns.net	A (IP address)	IN (0x0001)
Feb 23, 2021 17:19:00.232599974 CET	192.168.2.6	8.8.8.8	0xb91e	Standard query (0)	strongodss.ddns.net	A (IP address)	IN (0x0001)
Feb 23, 2021 17:19:05.774005890 CET	192.168.2.6	8.8.8.8	0xd6c9	Standard query (0)	strongodss.ddns.net	A (IP address)	IN (0x0001)
Feb 23, 2021 17:19:27.155184031 CET	192.168.2.6	8.8.8.8	0x9f73	Standard query (0)	strongodss.ddns.net	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
Feb 23, 2021 17:17:49.785586119 CET	8.8.8.8	192.168.2.6	0x8dda	No error (0)	strongodss.ddns.net	87.237.165.78	A (IP address)	IN (0x0001)
Feb 23, 2021 17:17:56.108705044 CET	8.8.8.8	192.168.2.6	0x7f93	No error (0)	strongodss.ddns.net	87.237.165.78	A (IP address)	IN (0x0001)
Feb 23, 2021 17:18:01.531475067 CET	8.8.8.8	192.168.2.6	0x5766	No error (0)	strongodss.ddns.net	87.237.165.78	A (IP address)	IN (0x0001)
Feb 23, 2021 17:18:23.097532034 CET	8.8.8.8	192.168.2.6	0xcdaa	No error (0)	strongodss.ddns.net	87.237.165.78	A (IP address)	IN (0x0001)
Feb 23, 2021 17:18:28.378196001 CET	8.8.8.8	192.168.2.6	0xf0	No error (0)	strongodss.ddns.net	87.237.165.78	A (IP address)	IN (0x0001)
Feb 23, 2021 17:18:33.780843973 CET	8.8.8.8	192.168.2.6	0x8db7	No error (0)	strongodss.ddns.net	87.237.165.78	A (IP address)	IN (0x0001)
Feb 23, 2021 17:18:54.900182009 CET	8.8.8.8	192.168.2.6	0xe570	No error (0)	strongodss.ddns.net	87.237.165.78	A (IP address)	IN (0x0001)
Feb 23, 2021 17:19:00.292726040 CET	8.8.8.8	192.168.2.6	0xb91e	No error (0)	strongodss.ddns.net	87.237.165.78	A (IP address)	IN (0x0001)
Feb 23, 2021 17:19:05.835586071 CET	8.8.8.8	192.168.2.6	0xd6c9	No error (0)	strongodss.ddns.net	87.237.165.78	A (IP address)	IN (0x0001)
Feb 23, 2021 17:19:27.215336084 CET	8.8.8.8	192.168.2.6	0x9f73	No error (0)	strongodss.ddns.net	87.237.165.78	A (IP address)	IN (0x0001)

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: TdX45jQWjj.exe PID: 6960 Parent PID: 5928

General

Start time:	17:17:16
Start date:	23/02/2021
Path:	C:\Users\user\Desktop\TdX45jQWjj.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\TdX45jQWjj.exe'
Imagebase:	0xa50000
File size:	724480 bytes
MD5 hash:	F261164B55C3BE5C3C86150FF2A7CC27
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.395064094.00000000046E5000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.395064094.00000000046E5000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000000.00000002.395064094.00000000046E5000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.394099052.0000000004251000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.394099052.0000000004251000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000000.00000002.394099052.0000000004251000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Chronological Activities

Analysis Process: schtasks.exe PID: 6004 Parent PID: 6960

General

Start time:	17:17:43
Start date:	23/02/2021
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\RTOqzQABo' /XML 'C:\Users\user\AppData\Local\Temp\tmp84A9.tmp'
Imagebase:	0x120000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 6224 Parent PID: 6004

General

Start time:	17:17:44
Start date:	23/02/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff61de10000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: RegSvcs.exe PID: 3012 Parent PID: 6960

General

Start time:	17:17:44
Start date:	23/02/2021
Path:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	{path}
Imagebase:	0x8d0000
File size:	32768 bytes
MD5 hash:	71369277D09DA0830C8C59F9E22BB23A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000008.00000002.602153062.0000000005900000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000008.00000002.602153062.0000000005900000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000008.00000002.595499721.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000008.00000002.595499721.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000008.00000002.595499721.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000008.00000002.602225959.0000000005B90000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000008.00000002.602225959.0000000005B90000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000008.00000002.602238562.0000000005BA0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000008.00000002.602238562.0000000005BA0000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000008.00000002.602238562.0000000005BA0000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000008.00000002.600580275.0000000003F27000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000008.00000002.600580275.0000000003F27000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	moderate

Chronological Activities

Analysis Process: schtasks.exe PID: 6936 Parent PID: 3012

General

Start time:	17:17:46
Start date:	23/02/2021
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpDEF3.tmp'
Imagebase:	0x120000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 6920 Parent PID: 6936

General

Start time:	17:17:46
Start date:	23/02/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff61de10000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: schtasks.exe PID: 6668 Parent PID: 3012

General

Start time:	17:17:46
Start date:	23/02/2021
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpE1E2.tmp'
Imagebase:	0x120000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 6688 Parent PID: 6668

General

Start time:	17:17:47
Start date:	23/02/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff61de10000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: RegSvcs.exe PID: 6716 Parent PID: 936

General

Start time:	17:17:48
Start date:	23/02/2021
Path:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe 0
Imagebase:	0x90000
File size:	32768 bytes
MD5 hash:	71369277D09DA0830C8C59F9E22BB23A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	moderate

Chronological Activities

Analysis Process: conhost.exe PID: 6800 Parent PID: 6716

General

Start time:	17:17:48
Start date:	23/02/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff61de10000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: dhcpmon.exe PID: 6808 Parent PID: 936

General

Start time:	17:17:48
Start date:	23/02/2021
Path:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
Imagebase:	0x7a0000
File size:	32768 bytes
MD5 hash:	71369277D09DA0830C8C59F9E22BB23A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Antivirus matches:	Detection: 0%, Metadefender, Browse Detection: 0%, ReversingLabs
Reputation:	moderate

Chronological Activities

Analysis Process: conhost.exe PID: 6812 Parent PID: 6808

General

Start time:	17:17:48
Start date:	23/02/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff61de10000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: dhcpmon.exe PID: 3028 Parent PID: 3440

General

Start time:	17:17:55
Start date:	23/02/2021
Path:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
Imagebase:	0x790000
File size:	32768 bytes
MD5 hash:	71369277D09DA0830C8C59F9E22BB23A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	moderate

Chronological Activities

Analysis Process: conhost.exe PID: 1868 Parent PID: 3028

General

Start time:	17:17:56
Start date:	23/02/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff61de10000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: TdX45jQWjj.exe PID: 6960 Parent PID: 5928 TdX45jQWjj.exeCOMMON

Executed Functions

Function 06D47484, Relevance: 5.9, Strings: 4, Instructions: 905COMMON

Download Yara Rule

Strings

(, xrefs: 06D47F8D
>_Ir, xrefs: 06D47563
X1kr, xrefs: 06D476B9
;, xrefs: 06D47CB1

Memory Dump Source

Source File: 00000000.00000002.405661474.0000000006D40000.00000040.00000001.sdmp, Offset: 06D40000, based on PE: false

Similarity

API ID:
String ID: ($;$>_Ir$X1kr
API String ID: 0-1780266103
Opcode ID: 88f2f4df272ec4136b27d95748bccf2e9fa0f7286aabd5d3997099afff8be94c
Instruction ID: 619c65c0004ab1df14cca38e2b9d867b6a615c813f2a666e3534919e70e004dd
Opcode Fuzzy Hash: 88f2f4df272ec4136b27d95748bccf2e9fa0f7286aabd5d3997099afff8be94c
Instruction Fuzzy Hash: 6692B070D46229CFEBA4EF28C984BEDB6B5AB49304F1091E9C15DA7291DB748EC4CF41

Uniqueness

Uniqueness Score: -1.00%

Function 06D407C4, Relevance: 2.4, Strings: 1, Instructions: 1115COMMON

Download Yara Rule

Strings

(>6p, xrefs: 06D414DE

Memory Dump Source

Source File: 00000000.00000002.405661474.0000000006D40000.00000040.00000001.sdmp, Offset: 06D40000, based on PE: false

Similarity

API ID:
String ID: (>6p
API String ID: 0-3006165022
Opcode ID: 13ea0a31d19dbb5f8fee2a6a6f1581d0016697f0743e2f4b68edce925aefeaf5
Instruction ID: 6776059c0bda8565795e06ed34cda78d2362fc36e82956a9f566c4b57bf52efa
Opcode Fuzzy Hash: 13ea0a31d19dbb5f8fee2a6a6f1581d0016697f0743e2f4b68edce925aefeaf5
Instruction Fuzzy Hash: 8DB2F374D45229CFDBA4EF64C8487EAB7B6EB8A304F1084E9C549A7290DB759EC0CF50

Uniqueness

Uniqueness Score: -1.00%

Function 015D02B0, Relevance: 1.9, Instructions: 1913COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.389328762.00000000015D0000.00000040.00000001.sdmp, Offset: 015D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e106d60e46f26a0f97fd1dbbc2e535046eb0d8edbeb2eb7102378f95f30b80e
Instruction ID: 00a4892c60b19a2746cb6c995665d7f829765b947c3df2153ec850cc57ca150d
Opcode Fuzzy Hash: 2e106d60e46f26a0f97fd1dbbc2e535046eb0d8edbeb2eb7102378f95f30b80e
Instruction Fuzzy Hash: 2A13D834A41219CFCB25DB68C894BE9B7B2FF89305F5141E9D509AB361CB71AE85CF80

Uniqueness

Uniqueness Score: -1.00%

Function 015D029F, Relevance: 1.9, Instructions: 1912COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.389328762.00000000015D0000.00000040.00000001.sdmp, Offset: 015D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6572b0b1afcc27b62623b5b59d0d2fd4e1ff67f2a2d8c809cb485ca3acdab61f
Instruction ID: 1ece668d0f5b9ca33d4d523456a16a06b17395d551ab0dc85f185d1ceb713e40
Opcode Fuzzy Hash: 6572b0b1afcc27b62623b5b59d0d2fd4e1ff67f2a2d8c809cb485ca3acdab61f
Instruction Fuzzy Hash: 0813D834A41219CFCB25DB68C894BE9B7B2FF89305F5141E9D509AB361CB71AE85CF80

Uniqueness

Uniqueness Score: -1.00%

Function 0679195A, Relevance: 1.6, APIs: 1, Instructions: 71COMMON

Download Yara Rule

APIs

GetUserNameA.ADVAPI32(?,00000E2C), ref: 067919C1

Memory Dump Source

Source File: 00000000.00000002.405071025.0000000006790000.00000040.00000001.sdmp, Offset: 06790000, based on PE: false

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 5a0e5260db57c6f5f12886928875b2bda1651f87710f1346bb1315f12d747a96
Instruction ID: 40a90fd03db366836ae1cf02152aae8c5496de6c46520e9ce3a7faf2b5805227
Opcode Fuzzy Hash: 5a0e5260db57c6f5f12886928875b2bda1651f87710f1346bb1315f12d747a96
Instruction Fuzzy Hash: 2C11A272500204AFFB20DB25DC85FAABBDCEF05720F14846BEE05DB281D6B4A5088BB1

Uniqueness

Uniqueness Score: -1.00%

Function 015D38C0, Relevance: 1.4, Strings: 1, Instructions: 153COMMON

Download Yara Rule

Strings

X1kr, xrefs: 015D393F

Memory Dump Source

Source File: 00000000.00000002.389328762.00000000015D0000.00000040.00000001.sdmp, Offset: 015D0000, based on PE: false

Similarity

API ID:
String ID: X1kr
API String ID: 0-844551562
Opcode ID: 58464dfa18f05d42f8ca5b2e20ed2ab89021c02dbfb598fefa9e567741549fa3
Instruction ID: 0c54a6b563546718e9ec04e500d87b0de16956658c698fb868e2d76e1c111d29
Opcode Fuzzy Hash: 58464dfa18f05d42f8ca5b2e20ed2ab89021c02dbfb598fefa9e567741549fa3
Instruction Fuzzy Hash: B96192B4E05218DFDB68DFE9D984A9DBBF2BF88300F20942AD419AB354E7745981CF11

Uniqueness

Uniqueness Score: -1.00%

Function 015D38B0, Relevance: 1.4, Strings: 1, Instructions: 147COMMON

Download Yara Rule

Strings

X1kr, xrefs: 015D393F

Memory Dump Source

Source File: 00000000.00000002.389328762.00000000015D0000.00000040.00000001.sdmp, Offset: 015D0000, based on PE: false

Similarity

API ID:
String ID: X1kr
API String ID: 0-844551562
Opcode ID: ddb202840c53242609790af20924949ffe46719c94a9502f487ec0d08eb7d829
Instruction ID: e633af2cd87c05dfe8f4d9338d1be171ecf0d6e5f7c27c1bf830b4eb91b5d1d0
Opcode Fuzzy Hash: ddb202840c53242609790af20924949ffe46719c94a9502f487ec0d08eb7d829
Instruction Fuzzy Hash: 6D51A2B4E05208DFDB68DFA9D88469DBBF2FF88300F20902AE419AB354E7745981CF11

Uniqueness

Uniqueness Score: -1.00%

Function 015DA140, Relevance: 1.3, Strings: 1, Instructions: 58COMMON

Download Yara Rule

Strings

<, xrefs: 015DA715

Memory Dump Source

Source File: 00000000.00000002.389328762.00000000015D0000.00000040.00000001.sdmp, Offset: 015D0000, based on PE: false

Similarity

API ID:
String ID: <
API String ID: 0-4251816714
Opcode ID: 90b656026d720610fbf3ff9705fbb558418dd0fdf9d6f9110d0cf06789011db6
Instruction ID: 31476536d17293a90b9bf5c475b34057ce0051761488852c43d7bb50ae2eff5c
Opcode Fuzzy Hash: 90b656026d720610fbf3ff9705fbb558418dd0fdf9d6f9110d0cf06789011db6
Instruction Fuzzy Hash: E211CE71E057489BEB5CDFABD84019EFAF7BFC8200F14C0769809AB269EB7405468F51

Uniqueness

Uniqueness Score: -1.00%

Function 015DA150, Relevance: 1.3, Strings: 1, Instructions: 52COMMON

Download Yara Rule

Strings

<, xrefs: 015DA715

Memory Dump Source

Source File: 00000000.00000002.389328762.00000000015D0000.00000040.00000001.sdmp, Offset: 015D0000, based on PE: false

Similarity

API ID:
String ID: <
API String ID: 0-4251816714
Opcode ID: d53f37e9467b34e08f8bafd92a2caf5d411abd0421dcf17ab8160a1770d9e1ec
Instruction ID: 33ff4a893b8fcd61b4358ff1b4f7028498f9f2b52426e5ec4e8502b2ffb7eca6
Opcode Fuzzy Hash: d53f37e9467b34e08f8bafd92a2caf5d411abd0421dcf17ab8160a1770d9e1ec
Instruction Fuzzy Hash: B6119B71E056089BEB1CDFABD84459EFAF7BFC8200F14D47A8819AB268EB7405468F51

Uniqueness

Uniqueness Score: -1.00%

Function 06D44261, Relevance: 14.1, Strings: 11, Instructions: 391COMMON

Download Yara Rule

Strings

1, xrefs: 06D440EA
=, xrefs: 06D43F6A
<, xrefs: 06D44119
<, xrefs: 06D43F3B
>, xrefs: 06D43EDA
:@Dr, xrefs: 06D444B4
,, xrefs: 06D442A7
2, xrefs: 06D440AB
3, xrefs: 06D440F8
?, xrefs: 06D43F5C
5, xrefs: 06D44245

Memory Dump Source

Source File: 00000000.00000002.405661474.0000000006D40000.00000040.00000001.sdmp, Offset: 06D40000, based on PE: false

Similarity

API ID:
String ID: ,$1$2$3$5$:@Dr$<$<$=$>$?
API String ID: 0-2874204946
Opcode ID: 4a2b3cfd21b0220cdcfcbf775428be42706671fef66850a65d91fed085312f7d
Instruction ID: 6ee6c42937a2296e40d7cb37872d5405dee4f45505c7c633f55c20137f5b1894
Opcode Fuzzy Hash: 4a2b3cfd21b0220cdcfcbf775428be42706671fef66850a65d91fed085312f7d
Instruction Fuzzy Hash: 4FF14A7494A229CFEB60EF69D840BEDBBB9FB4A304F115199C55A67381C7348E81CF90

Uniqueness

Uniqueness Score: -1.00%

Function 015D3CE1, Relevance: 3.9, Strings: 3, Instructions: 195COMMON

Download Yara Rule

Strings

</kr, xrefs: 015D3F8E
,:kr, xrefs: 015D3E28
9, xrefs: 015D3EC9

Memory Dump Source

Source File: 00000000.00000002.389328762.00000000015D0000.00000040.00000001.sdmp, Offset: 015D0000, based on PE: false

Similarity

API ID:
String ID: ,:kr$9$</kr
API String ID: 0-3816814219
Opcode ID: a1436f6251b7a9f28fca82e42c6bf9c25a1d3fb4744333e257e6803f56075e8f
Instruction ID: ad084c088a6fb285f006c16f6faabad598b7fa5bc982433e3a312efff3ff8106
Opcode Fuzzy Hash: a1436f6251b7a9f28fca82e42c6bf9c25a1d3fb4744333e257e6803f56075e8f
Instruction Fuzzy Hash: A1910570D01228CFDB60DFA9C884BEDBBB2FF45314F148599D508AB291DB719A85CF52

Uniqueness

Uniqueness Score: -1.00%

Function 067918FA, Relevance: 1.6, APIs: 1, Instructions: 116COMMON

Download Yara Rule

APIs

GetUserNameA.ADVAPI32(?,00000E2C), ref: 067919C1

Memory Dump Source

Source File: 00000000.00000002.405071025.0000000006790000.00000040.00000001.sdmp, Offset: 06790000, based on PE: false

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: dc5953332befb953aba15f62a434ca2a624000a32fa9dad6bbb3019cb2089504
Instruction ID: e2fd10497f2a2b01a80cf84693fd07c07d7303d7c96378137ff98063ef28ebc2
Opcode Fuzzy Hash: dc5953332befb953aba15f62a434ca2a624000a32fa9dad6bbb3019cb2089504
Instruction Fuzzy Hash: B8319C7210A3C56FE7138B349C55BA6BFB89F03210F0984DBE985DF193D2689849C772

Uniqueness

Uniqueness Score: -1.00%

Function 06792763, Relevance: 1.6, APIs: 1, Instructions: 102COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,00000E2C), ref: 06792813

Memory Dump Source

Source File: 00000000.00000002.405071025.0000000006790000.00000040.00000001.sdmp, Offset: 06790000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 30337a29569b46e4db4cf103e74f323cf9f27a981e1d0c357b08d01af1c54a0b
Instruction ID: a59ea5ebe7b5e30136ae474b60db2e8a6e38754562cec4fd45e2e962697a01b6
Opcode Fuzzy Hash: 30337a29569b46e4db4cf103e74f323cf9f27a981e1d0c357b08d01af1c54a0b
Instruction Fuzzy Hash: 5B31A371404384AFEB228B65DC45FA6BFACEF06710F0484ABE985DB252D264A909CB71

Uniqueness

Uniqueness Score: -1.00%

Function 06792052, Relevance: 1.6, APIs: 1, Instructions: 94COMMON

Download Yara Rule

APIs

GetTokenInformation.KERNELBASE(?,00000E2C,0985F3E9,00000000,00000000,00000000,00000000), ref: 067920FC

Memory Dump Source

Source File: 00000000.00000002.405071025.0000000006790000.00000040.00000001.sdmp, Offset: 06790000, based on PE: false

Similarity

API ID: InformationToken
String ID:
API String ID: 4114910276-0
Opcode ID: b0ac2148bc6617926e61f23cbe86b1ed8959631a534e72d65483217100d8d880
Instruction ID: 5fdb1bcd772fbcf0349abcaef101241a6066a8855bbfc63c365cbd26c3c7a19b
Opcode Fuzzy Hash: b0ac2148bc6617926e61f23cbe86b1ed8959631a534e72d65483217100d8d880
Instruction Fuzzy Hash: 5B31B571509384AFEB228F64DC55FA7BFB8EF06310F08849BEA84DB153D225A509C7B1

Uniqueness

Uniqueness Score: -1.00%

Function 010FAC22, Relevance: 1.6, APIs: 1, Instructions: 92registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,00000E2C), ref: 010FACD1

Memory Dump Source

Source File: 00000000.00000002.388879061.00000000010FA000.00000040.00000001.sdmp, Offset: 010FA000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 75380aa41543b9905469eedfa1319b3fa8bbb24a226827cf654fd9af6ef24d28
Instruction ID: 07aaf81b0a57047cf2a6ef1858ff99e0cad02ca738a8a24ccbbc2db663a863ae
Opcode Fuzzy Hash: 75380aa41543b9905469eedfa1319b3fa8bbb24a226827cf654fd9af6ef24d28
Instruction Fuzzy Hash: 9D31B672544384AFE7228B25CC45F67BFFCEF06710F04849BEE859B152D265A809CB71

Uniqueness

Uniqueness Score: -1.00%

Function 06791BE0, Relevance: 1.6, APIs: 1, Instructions: 90fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 06791C81

Memory Dump Source

Source File: 00000000.00000002.405071025.0000000006790000.00000040.00000001.sdmp, Offset: 06790000, based on PE: false

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 304beb473896b51f50b9cd13b889a43edb236d5a37bc05314becf31531a84d11
Instruction ID: 28bf6d8f06e7ee989027491e1795e40b072c32863517e7a060866073a46d424e
Opcode Fuzzy Hash: 304beb473896b51f50b9cd13b889a43edb236d5a37bc05314becf31531a84d11
Instruction Fuzzy Hash: 74317C71504340AFEB22CF65DC84F66BFE8EF46610F0885AEE9858B252D375E819CB71

Uniqueness

Uniqueness Score: -1.00%

Function 06790CA2, Relevance: 1.6, APIs: 1, Instructions: 89synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNELBASE(?,?), ref: 06790D49

Memory Dump Source

Source File: 00000000.00000002.405071025.0000000006790000.00000040.00000001.sdmp, Offset: 06790000, based on PE: false

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 8b930d8b99f7ec3b30c4949e3894a4fa60cc454c5c09215bf785766bcf5af9fe
Instruction ID: 1ef7b1bf0a079ccef67a4132fe9906e4e0c72a3d7db33ba1b6729c6be2dbf1d9
Opcode Fuzzy Hash: 8b930d8b99f7ec3b30c4949e3894a4fa60cc454c5c09215bf785766bcf5af9fe
Instruction Fuzzy Hash: 033173755097806FE712CB25DC85F56FFE8EF06210F18849EE984CB293D365A909CB71

Uniqueness

Uniqueness Score: -1.00%

Function 010FAD19, Relevance: 1.6, APIs: 1, Instructions: 89registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,0985F3E9,00000000,00000000,00000000,00000000), ref: 010FADD4

Memory Dump Source

Source File: 00000000.00000002.388879061.00000000010FA000.00000040.00000001.sdmp, Offset: 010FA000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 64076956090d8f3053d81424498690896b4a1be71590d1a7e15017342176c2b1
Instruction ID: 774bbe9d242de0496ae67b84c25b7e4bcac33c25e2f0cc6a0a8afcd294e6ea34
Opcode Fuzzy Hash: 64076956090d8f3053d81424498690896b4a1be71590d1a7e15017342176c2b1
Instruction Fuzzy Hash: F6318471505384AFE722CB25CC45F92BFF8EF06710F18849AEA85CB253D264E549CB61

Uniqueness

Uniqueness Score: -1.00%

Function 06790DA0, Relevance: 1.6, APIs: 1, Instructions: 86registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,?,?), ref: 06790E56

Memory Dump Source

Source File: 00000000.00000002.405071025.0000000006790000.00000040.00000001.sdmp, Offset: 06790000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: b64a662c8f09272bf01ceeac265513740d82960112cb39c1430e58771e8bd4c4
Instruction ID: 85297e4459194196636717402353c16db8715482d8d38c3df7dc2a1d91154619
Opcode Fuzzy Hash: b64a662c8f09272bf01ceeac265513740d82960112cb39c1430e58771e8bd4c4
Instruction Fuzzy Hash: 1A31A9754097C05FD31387259C51B61BFB4EF47610F0A81DBE9848B663E225691AC7B1

Uniqueness

Uniqueness Score: -1.00%

Function 06792383, Relevance: 1.6, APIs: 1, Instructions: 85COMMON

Download Yara Rule

APIs

LsaOpenPolicy.ADVAPI32(?,00000E2C), ref: 0679241F

Memory Dump Source

Source File: 00000000.00000002.405071025.0000000006790000.00000040.00000001.sdmp, Offset: 06790000, based on PE: false

Similarity

API ID: OpenPolicy
String ID:
API String ID: 2030686058-0
Opcode ID: 2a6d6e49b14c51e4be4fb01ac440ac66f0f5911b04a5e576197e065311527c38
Instruction ID: 7f82b5af8d253cf38e7f5a704d14b3af9e5c93951e66f2ffdcb388e8140460b6
Opcode Fuzzy Hash: 2a6d6e49b14c51e4be4fb01ac440ac66f0f5911b04a5e576197e065311527c38
Instruction Fuzzy Hash: 6221CE72504344AFEB21DB24DC84FA6BFE8EF06710F08849AED849B252D224A908CB65

Uniqueness

Uniqueness Score: -1.00%

Function 06791A1F, Relevance: 1.6, APIs: 1, Instructions: 81COMMON

Download Yara Rule

APIs

FindWindowA.USER32(?,00000E2C), ref: 06791AC2

Memory Dump Source

Source File: 00000000.00000002.405071025.0000000006790000.00000040.00000001.sdmp, Offset: 06790000, based on PE: false

Similarity

API ID: FindWindow
String ID:
API String ID: 134000473-0
Opcode ID: 5a9f58b6264c3f83695219f7b24fdde903a932791b55c18c1455a44753e7d119
Instruction ID: 162db42f925834b01d4aaf4fcc8570553f15a978027f32c38f2c5d5c13177ac6
Opcode Fuzzy Hash: 5a9f58b6264c3f83695219f7b24fdde903a932791b55c18c1455a44753e7d119
Instruction Fuzzy Hash: E6219671409380AFEB228B24DC45F96BFB8EF46310F1884DBE9449F192D2B86949C771

Uniqueness

Uniqueness Score: -1.00%

Function 06791CD8, Relevance: 1.6, APIs: 1, Instructions: 80COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E2C,0985F3E9,00000000,00000000,00000000,00000000), ref: 06791D6D

Memory Dump Source

Source File: 00000000.00000002.405071025.0000000006790000.00000040.00000001.sdmp, Offset: 06790000, based on PE: false

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: d1d10c4027d1db1449ac9b018947d93c8c6e35c69f579f7f891e831c77208674
Instruction ID: 73e4e1abdc00fe58cfaa59987f42c2182d9a400a94ee0dccb66fca4528101901
Opcode Fuzzy Hash: d1d10c4027d1db1449ac9b018947d93c8c6e35c69f579f7f891e831c77208674
Instruction Fuzzy Hash: 6D21F8B64493806FE7128B25DC41FA2BFA8DF47720F1884DBEE848B293D2646909C771

Uniqueness

Uniqueness Score: -1.00%

Function 06792796, Relevance: 1.6, APIs: 1, Instructions: 80COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,00000E2C), ref: 06792813

Memory Dump Source

Source File: 00000000.00000002.405071025.0000000006790000.00000040.00000001.sdmp, Offset: 06790000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 0c5df2d28f006e2743c276b12d75d91f7eccba3574cf85a76cfa347265087eae
Instruction ID: 33be99a51f5e23da9a2d52be32bdc0829bae52a77476e89c94194d9007f7d09b
Opcode Fuzzy Hash: 0c5df2d28f006e2743c276b12d75d91f7eccba3574cf85a76cfa347265087eae
Instruction Fuzzy Hash: 0F21BD72500604BFEB219F65DC85FABBBECEF04720F04886AEE45DB251D674A5088BB1

Uniqueness

Uniqueness Score: -1.00%

Function 010FA2AC, Relevance: 1.6, APIs: 1, Instructions: 77COMMON

Download Yara Rule

APIs

SetConsoleCtrlHandler.KERNELBASE(?,00000E2C,?,?), ref: 010FA346

Memory Dump Source

Source File: 00000000.00000002.388879061.00000000010FA000.00000040.00000001.sdmp, Offset: 010FA000, based on PE: false

Similarity

API ID: ConsoleCtrlHandler
String ID:
API String ID: 1513847179-0
Opcode ID: 06379a0b171f0bd5ec8410b661b507c83257c228ca703e84e3f997c35baea35a
Instruction ID: f7752d77d12402ff060c59bf278f0cb7fa6a8d4a49ca3f5e3f238d2955b795fd
Opcode Fuzzy Hash: 06379a0b171f0bd5ec8410b661b507c83257c228ca703e84e3f997c35baea35a
Instruction Fuzzy Hash: 6021C47554D3C06FD3138B259C51B22BFB4EF87A10F0980DBE884CB653D225A919C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 06791C02, Relevance: 1.6, APIs: 1, Instructions: 76fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 06791C81

Memory Dump Source

Source File: 00000000.00000002.405071025.0000000006790000.00000040.00000001.sdmp, Offset: 06790000, based on PE: false

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 8ec4b8d7628197a7ebb15d66edfc7f73c00b0dd46fc19e5ab4a1afedd63e67d7
Instruction ID: 9a4888fef05b378444ae8cece336e7f0c8b922eefc0b1b58a0f44de22c9b45a3
Opcode Fuzzy Hash: 8ec4b8d7628197a7ebb15d66edfc7f73c00b0dd46fc19e5ab4a1afedd63e67d7
Instruction Fuzzy Hash: 83219A75900200AFEB21CF65D885F66FBE8EF09610F04896AEA858B342E371E418CB71

Uniqueness

Uniqueness Score: -1.00%

Function 06792871, Relevance: 1.6, APIs: 1, Instructions: 75fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(?), ref: 067928F8

Memory Dump Source

Source File: 00000000.00000002.405071025.0000000006790000.00000040.00000001.sdmp, Offset: 06790000, based on PE: false

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 25082e906d6275267b014517e082993a87b3aaefff14fac03077c43c7ba80b8b
Instruction ID: 9cd591bc8ef14a40392db143aac8ad7075ef94867fb84f251ccd2f3f004c3401
Opcode Fuzzy Hash: 25082e906d6275267b014517e082993a87b3aaefff14fac03077c43c7ba80b8b
Instruction Fuzzy Hash: 382192725093C09FDB168B25DC55B92BFB4EF06210F0984DBDD859F263D2659908CB71

Uniqueness

Uniqueness Score: -1.00%

Function 010FAC52, Relevance: 1.6, APIs: 1, Instructions: 74registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,00000E2C), ref: 010FACD1

Memory Dump Source

Source File: 00000000.00000002.388879061.00000000010FA000.00000040.00000001.sdmp, Offset: 010FA000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: d9ea5bf9ae2e234d837d0a4f44ed4271184e05fa293ce894d002ed9c8153c1c6
Instruction ID: 2229762f24d91265368617a91efcd636709229c603db7ab926c3e1c3420dfb26
Opcode Fuzzy Hash: d9ea5bf9ae2e234d837d0a4f44ed4271184e05fa293ce894d002ed9c8153c1c6
Instruction Fuzzy Hash: 4F21A172500704EFE7219B69DC85F6BFBECEF04710F14845BEE859B641D664E4088BB1

Uniqueness

Uniqueness Score: -1.00%

Function 06790CD6, Relevance: 1.6, APIs: 1, Instructions: 72synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNELBASE(?,?), ref: 06790D49

Memory Dump Source

Source File: 00000000.00000002.405071025.0000000006790000.00000040.00000001.sdmp, Offset: 06790000, based on PE: false

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 4696e1e2fca23604c4f29e4acb5231ac8fcb6820f1fe89a15482a702b53d6cdc
Instruction ID: 5ea6deebd12a0305fb03b957de0ef463e5e9c8a53fda84710c51ce3e7f5c8d09
Opcode Fuzzy Hash: 4696e1e2fca23604c4f29e4acb5231ac8fcb6820f1fe89a15482a702b53d6cdc
Instruction Fuzzy Hash: B521AC71500200AFFB20DB29D885BA6FBE8EF04610F1484AEEE488B342E670E504CB71

Uniqueness

Uniqueness Score: -1.00%

Function 067923AE, Relevance: 1.6, APIs: 1, Instructions: 72COMMON

Download Yara Rule

APIs

LsaOpenPolicy.ADVAPI32(?,00000E2C), ref: 0679241F

Memory Dump Source

Source File: 00000000.00000002.405071025.0000000006790000.00000040.00000001.sdmp, Offset: 06790000, based on PE: false

Similarity

API ID: OpenPolicy
String ID:
API String ID: 2030686058-0
Opcode ID: fbf7e1f045fcc101aabfdf42d7b54ca5532d9364b14fbef75d517bcd7c1a5358
Instruction ID: 8aa5bdebbb3ebbd09bdafd2d08f83b4a0bdfcb996bd2f8cc1820312b8b4842f6
Opcode Fuzzy Hash: fbf7e1f045fcc101aabfdf42d7b54ca5532d9364b14fbef75d517bcd7c1a5358
Instruction Fuzzy Hash: 4821DE71500204AFFB20EB28EC45F6AFBECEF04710F14846AEE44DB242D264A9088B75

Uniqueness

Uniqueness Score: -1.00%

Function 06791E8A, Relevance: 1.6, APIs: 1, Instructions: 70fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,00000E2C,0985F3E9,00000000,00000000,00000000,00000000), ref: 06791F09

Memory Dump Source

Source File: 00000000.00000002.405071025.0000000006790000.00000040.00000001.sdmp, Offset: 06790000, based on PE: false

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: f241aa102ac0d51ac4c435e2aa437866f4c6756d24899d5e46d3d7b9899f604d
Instruction ID: 1730eb7cd60cf2b091fcc1dfa2aeb12039a1f283161e6cad8777424e4b7a7ab6
Opcode Fuzzy Hash: f241aa102ac0d51ac4c435e2aa437866f4c6756d24899d5e46d3d7b9899f604d
Instruction Fuzzy Hash: 38219272405344AFEB228F65DC45F57FFB8EF46310F0884ABEA459B252D264A408CB71

Uniqueness

Uniqueness Score: -1.00%

Function 06792092, Relevance: 1.6, APIs: 1, Instructions: 69COMMON

Download Yara Rule

APIs

GetTokenInformation.KERNELBASE(?,00000E2C,0985F3E9,00000000,00000000,00000000,00000000), ref: 067920FC

Memory Dump Source

Source File: 00000000.00000002.405071025.0000000006790000.00000040.00000001.sdmp, Offset: 06790000, based on PE: false

Similarity

API ID: InformationToken
String ID:
API String ID: 4114910276-0
Opcode ID: e61a93792d62299e4a9f06a181b64ab3c32967fa2a62b2cac25040027547f5bd
Instruction ID: 926d7cbb0c6469ebc1382ee8c95bf1b7be28a8c443e95b36507261a3a7aa1998
Opcode Fuzzy Hash: e61a93792d62299e4a9f06a181b64ab3c32967fa2a62b2cac25040027547f5bd
Instruction Fuzzy Hash: 4211AC71500204AEEB219F65DC85FABBBECEF05320F14846BEE49DB251E674A5088BB1

Uniqueness

Uniqueness Score: -1.00%

Function 010FAD5A, Relevance: 1.6, APIs: 1, Instructions: 69registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,0985F3E9,00000000,00000000,00000000,00000000), ref: 010FADD4

Memory Dump Source

Source File: 00000000.00000002.388879061.00000000010FA000.00000040.00000001.sdmp, Offset: 010FA000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 8b7fad827237950502d3a7cab4061b05e883825796ce758c5ccd229187d50bb1
Instruction ID: 4db9a1d0a4643e50abd75d6f1176360eadb19366e2a10c7dc690fce3e1c6d158
Opcode Fuzzy Hash: 8b7fad827237950502d3a7cab4061b05e883825796ce758c5ccd229187d50bb1
Instruction Fuzzy Hash: 96216F75600604EFE721DE29CC85FA7BBECEF04711F04849AEE8A9B691D664E408CA71

Uniqueness

Uniqueness Score: -1.00%

Function 06792B34, Relevance: 1.6, APIs: 1, Instructions: 68injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06792BB4

Memory Dump Source

Source File: 00000000.00000002.405071025.0000000006790000.00000040.00000001.sdmp, Offset: 06790000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 0a58be80beb3088b4d6183a4a23298a2c008aef9cb75df749ad094ebb0463200
Instruction ID: f97035a0d6f17dbdcb2327ff4d0b8d86d54b930bb9c58ff5217dca7a1b223e64
Opcode Fuzzy Hash: 0a58be80beb3088b4d6183a4a23298a2c008aef9cb75df749ad094ebb0463200
Instruction Fuzzy Hash: 4421CF76509780AFDB128F25DC85AA6FFF4EF06210F0980DED9858B163D224A948DB61

Uniqueness

Uniqueness Score: -1.00%

Function 06790E7F, Relevance: 1.6, APIs: 1, Instructions: 67libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,00000E2C), ref: 06790F0B

Memory Dump Source

Source File: 00000000.00000002.405071025.0000000006790000.00000040.00000001.sdmp, Offset: 06790000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 8a606fa214c5e843453e5954091cbc05772338f313946b0390b3213e4840cfb2
Instruction ID: e453d56b275608669e72d59f145bfa8065c2dc73d9bf552e9b6df04e3eaefdab
Opcode Fuzzy Hash: 8a606fa214c5e843453e5954091cbc05772338f313946b0390b3213e4840cfb2
Instruction Fuzzy Hash: C921E771505380AFE721CB14DC85FA6FFA8DF46720F14809EFE449B292D264A949CB62

Uniqueness

Uniqueness Score: -1.00%

Function 06790007, Relevance: 1.6, APIs: 1, Instructions: 67COMMON

Download Yara Rule

APIs

DrawTextExW.USER32(?,?,?,?,?,?), ref: 06790083

Memory Dump Source

Source File: 00000000.00000002.405071025.0000000006790000.00000040.00000001.sdmp, Offset: 06790000, based on PE: false

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: b9dc4dc059d4deecf0e7053802b85c2746cb832935cdf96b4993197ca0768861
Instruction ID: 5ec4784e03421afe785be64097c4d6b26caafb39ef8c536c0a3e1cc51bf69eac
Opcode Fuzzy Hash: b9dc4dc059d4deecf0e7053802b85c2746cb832935cdf96b4993197ca0768861
Instruction Fuzzy Hash: 77214F71505784AFDB228F65DC45B62BFF8EF06210F09849AED858B262D275E908CB72

Uniqueness

Uniqueness Score: -1.00%

Function 010FB7C9, Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

LoadLibraryShim.MSCOREE(?,?,?,?), ref: 010FB845

Memory Dump Source

Source File: 00000000.00000002.388879061.00000000010FA000.00000040.00000001.sdmp, Offset: 010FA000, based on PE: false

Similarity

API ID: LibraryLoadShim
String ID:
API String ID: 1475914169-0
Opcode ID: b24248244e688c2ad3a897ebbe45090958ea428daf0c8c4bdb97ac6949fdd435
Instruction ID: cefb359b7484830718be23861bd71d40caf122c20bd479263556a9b95cd984e0
Opcode Fuzzy Hash: b24248244e688c2ad3a897ebbe45090958ea428daf0c8c4bdb97ac6949fdd435
Instruction Fuzzy Hash: 4921C075509380AFE7228A25DC45B62BFE8EF46610F0880CEEE84CB253D275E809CB61

Uniqueness

Uniqueness Score: -1.00%

Function 06792C95, Relevance: 1.6, APIs: 1, Instructions: 62windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 06792D09

Memory Dump Source

Source File: 00000000.00000002.405071025.0000000006790000.00000040.00000001.sdmp, Offset: 06790000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 990dd7b43cd17168735aa05a4782d477019783f3a38b29c2ed9633f676fd97db
Instruction ID: 0db54aec01f37832996c8cbcbedb0d73762b7fe6a1beb585976c9e94e12a2790
Opcode Fuzzy Hash: 990dd7b43cd17168735aa05a4782d477019783f3a38b29c2ed9633f676fd97db
Instruction Fuzzy Hash: A6218E714093C0AFDB138B25DC44A91BFB4EF07210F0984DAED848F263D265A918DB62

Uniqueness

Uniqueness Score: -1.00%

Function 06791A56, Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

FindWindowA.USER32(?,00000E2C), ref: 06791AC2

Memory Dump Source

Source File: 00000000.00000002.405071025.0000000006790000.00000040.00000001.sdmp, Offset: 06790000, based on PE: false

Similarity

API ID: FindWindow
String ID:
API String ID: 134000473-0
Opcode ID: a917eab122e6cae1e2ca09f5dd9aca2641e3dfdf06172345e8743a77b2b0c60c
Instruction ID: 1ac360d9ef49ba6e4ba720f80409b240935c340deffd4c6331eb054349533436
Opcode Fuzzy Hash: a917eab122e6cae1e2ca09f5dd9aca2641e3dfdf06172345e8743a77b2b0c60c
Instruction Fuzzy Hash: 2A11E771500200AFFB20DF15DC85FA6FBE8DF44710F1484AAEE449B245D2B4A509CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 010FA5FB, Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 010FA666

Memory Dump Source

Source File: 00000000.00000002.388879061.00000000010FA000.00000040.00000001.sdmp, Offset: 010FA000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 564a6b59c1850f43eecfdc7cb5dfa570c2193f8b2c12499abc00fcd585942d9c
Instruction ID: 547bdc2611bd27b996cb79072c941bb0be44d9d42baf12e7e428315ecbc46c1e
Opcode Fuzzy Hash: 564a6b59c1850f43eecfdc7cb5dfa570c2193f8b2c12499abc00fcd585942d9c
Instruction Fuzzy Hash: 10117271409780AFDB238F55DC44A62FFF4EF4A210F0884DEEE898B652D275A518DB61

Uniqueness

Uniqueness Score: -1.00%

Function 06791EAA, Relevance: 1.6, APIs: 1, Instructions: 60fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,00000E2C,0985F3E9,00000000,00000000,00000000,00000000), ref: 06791F09

Memory Dump Source

Source File: 00000000.00000002.405071025.0000000006790000.00000040.00000001.sdmp, Offset: 06790000, based on PE: false

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: e1fc5fba43f0c96ea16a14ee32439eb5f9ad7cae04c343e349490cdd8a4bbf38
Instruction ID: 551e6e556ad7b0f22ac2724198639a7fb49a4ebe38734574d83675ad03396ad6
Opcode Fuzzy Hash: e1fc5fba43f0c96ea16a14ee32439eb5f9ad7cae04c343e349490cdd8a4bbf38
Instruction Fuzzy Hash: 7B11BF71500204AFEB219F55DC85FA6FBE8EF04720F1484ABEE459B251D774A4198BB1

Uniqueness

Uniqueness Score: -1.00%

Function 06792A93, Relevance: 1.6, APIs: 1, Instructions: 58COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06792AF8

Memory Dump Source

Source File: 00000000.00000002.405071025.0000000006790000.00000040.00000001.sdmp, Offset: 06790000, based on PE: false

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 03a7e302dd24e5a307de60725ce7e4048f5eb7d3c89d5b4b6c9981b13d7d692c
Instruction ID: b2716898d542170324600a94417b5477e76df608e8feff7386a6ca9ff0879250
Opcode Fuzzy Hash: 03a7e302dd24e5a307de60725ce7e4048f5eb7d3c89d5b4b6c9981b13d7d692c
Instruction Fuzzy Hash: 8B11E676409780AFDB228F21DC40A52FFF4EF06320F0880DEEE858B263D275A558DB61

Uniqueness

Uniqueness Score: -1.00%

Function 06792EE3, Relevance: 1.6, APIs: 1, Instructions: 56windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 06792F4D

Memory Dump Source

Source File: 00000000.00000002.405071025.0000000006790000.00000040.00000001.sdmp, Offset: 06790000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: ef16856da37a2a9274c34a0e971e47cc8c352dd2e5efb3695e727e046ebca899
Instruction ID: 4e499870d1e680ee9675aa3b3dd86bcf3ed0e966e77cff8e886c24eb8893476b
Opcode Fuzzy Hash: ef16856da37a2a9274c34a0e971e47cc8c352dd2e5efb3695e727e046ebca899
Instruction Fuzzy Hash: DC11E271409380AFDB228F25DC45B52FFB4EF06324F0880DEEE858B263C275A518DB61

Uniqueness

Uniqueness Score: -1.00%

Function 06790EA2, Relevance: 1.6, APIs: 1, Instructions: 56libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,00000E2C), ref: 06790F0B

Memory Dump Source

Source File: 00000000.00000002.405071025.0000000006790000.00000040.00000001.sdmp, Offset: 06790000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 8012d4e18dde962984afb2817e875b4ba8f11768361388416dbfc053a39a3503
Instruction ID: 3798cba22f4be2bff0dbcb741a8014fb660afde06995d896adbeb68eaf05ab4b
Opcode Fuzzy Hash: 8012d4e18dde962984afb2817e875b4ba8f11768361388416dbfc053a39a3503
Instruction Fuzzy Hash: 1111CE71510204AEFB209B15DC85BA6FBA8DF05720F14809AEE459A281D2A8A609CBB5

Uniqueness

Uniqueness Score: -1.00%

Function 067929EC, Relevance: 1.6, APIs: 1, Instructions: 55threadinjectionCOMMON

Download Yara Rule

APIs

SetThreadContext.KERNELBASE(?,?), ref: 06792A4B

Memory Dump Source

Source File: 00000000.00000002.405071025.0000000006790000.00000040.00000001.sdmp, Offset: 06790000, based on PE: false

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: 4ab627b9a7afd93ac48737e73dacaac5e0169f1f42f9517142a25460642e6ec4
Instruction ID: 743653437cfdc441a168bc6e2be32ae5263c03298421fe49224d25702375243a
Opcode Fuzzy Hash: 4ab627b9a7afd93ac48737e73dacaac5e0169f1f42f9517142a25460642e6ec4
Instruction Fuzzy Hash: A8119476505384AFDB21CF15DC85B66FFE8EF06220F09809EED458B262D274E948CB71

Uniqueness

Uniqueness Score: -1.00%

Function 06790032, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

DrawTextExW.USER32(?,?,?,?,?,?), ref: 06790083

Memory Dump Source

Source File: 00000000.00000002.405071025.0000000006790000.00000040.00000001.sdmp, Offset: 06790000, based on PE: false

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: dd4706ba88a1e45b740f3de996ab76ec0fdbf263b71fb97a60a6fef8c2d911e8
Instruction ID: 73b4c294cd3033536aedf397c5ad57e51a72a05a8562dac94364991180efeea0
Opcode Fuzzy Hash: dd4706ba88a1e45b740f3de996ab76ec0fdbf263b71fb97a60a6fef8c2d911e8
Instruction Fuzzy Hash: 2A114C319106049FEB60CF69E885B66FBE8EF04610F0884AEDE458B212D275E408CB72

Uniqueness

Uniqueness Score: -1.00%

Function 06791D1A, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E2C,0985F3E9,00000000,00000000,00000000,00000000), ref: 06791D6D

Memory Dump Source

Source File: 00000000.00000002.405071025.0000000006790000.00000040.00000001.sdmp, Offset: 06790000, based on PE: false

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 0e6f5c4bec8f618bbc979f67de62894bf32bc7fb0cc1fefdf1eb39a2dc30c089
Instruction ID: 0329c4f5c66d81658d7df1f782488b8109847f013227c3f20ee58c651846dc5e
Opcode Fuzzy Hash: 0e6f5c4bec8f618bbc979f67de62894bf32bc7fb0cc1fefdf1eb39a2dc30c089
Instruction Fuzzy Hash: B201D275900604AEFB20CB15DC85FA6FBE8DF05720F64C09BEE059B341D6B4A408CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 010FA42A, Relevance: 1.6, APIs: 1, Instructions: 50threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE(?), ref: 010FA480

Memory Dump Source

Source File: 00000000.00000002.388879061.00000000010FA000.00000040.00000001.sdmp, Offset: 010FA000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 3c56ae8c89f5b8cd2cba0af4a1034dc6c5664e53db8d056582b4e27720698027
Instruction ID: 5bc2b3f313f6a63f476ddb249414e2b44e44fd664d597bd45563cac268967588
Opcode Fuzzy Hash: 3c56ae8c89f5b8cd2cba0af4a1034dc6c5664e53db8d056582b4e27720698027
Instruction Fuzzy Hash: F0118275509384AFD7128F15DC44B62FFB4DF46620F0880DEEE858B253D279A808CB72

Uniqueness

Uniqueness Score: -1.00%

Function 010FAEF0, Relevance: 1.6, APIs: 1, Instructions: 50memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 010FAF50

Memory Dump Source

Source File: 00000000.00000002.388879061.00000000010FA000.00000040.00000001.sdmp, Offset: 010FA000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 857b83aa88a0ca14c83f71ed15c8ce311d8605265ed9248205e5214fec6c30fd
Instruction ID: d8ccb952b70551102b165bb2bf928d51bae6b26d436646dcc365384788192935
Opcode Fuzzy Hash: 857b83aa88a0ca14c83f71ed15c8ce311d8605265ed9248205e5214fec6c30fd
Instruction Fuzzy Hash: 9A118C72405784AFDB228F55DC45A52FFF4EF0A220F08849EEE894B662C375A418CB61

Uniqueness

Uniqueness Score: -1.00%

Function 010FAAEC, Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32 ref: 010FAB46

Memory Dump Source

Source File: 00000000.00000002.388879061.00000000010FA000.00000040.00000001.sdmp, Offset: 010FA000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 51669e5139a7885f7c3cbb2deb2982cd2ea1a520061837f2ac815b7846209ab1
Instruction ID: 5ed2e1d6e34a4c804a555ace896ce090a1d26d830485ad62764acc3a1129b27d
Opcode Fuzzy Hash: 51669e5139a7885f7c3cbb2deb2982cd2ea1a520061837f2ac815b7846209ab1
Instruction Fuzzy Hash: 62117035509784AFD7228F15DC85B52FFF4EF46620F0884DAEE898B263D275A418CB62

Uniqueness

Uniqueness Score: -1.00%

Function 06792B6E, Relevance: 1.5, APIs: 1, Instructions: 47injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06792BB4

Memory Dump Source

Source File: 00000000.00000002.405071025.0000000006790000.00000040.00000001.sdmp, Offset: 06790000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 3c42073fc45ff4215c4978c23e3e6b93e578f2e056b7dc6bb3b394dc406fb24d
Instruction ID: 532b68423edbaea61c14c837b98f5aecc960fc6c497a8fc8de774b352f61fd00
Opcode Fuzzy Hash: 3c42073fc45ff4215c4978c23e3e6b93e578f2e056b7dc6bb3b394dc406fb24d
Instruction Fuzzy Hash: B6018E35500600EFDB609F15E885B66FBE4EF04210F18C0AADD458B612E271E518CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 067928BE, Relevance: 1.5, APIs: 1, Instructions: 47fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(?), ref: 067928F8

Memory Dump Source

Source File: 00000000.00000002.405071025.0000000006790000.00000040.00000001.sdmp, Offset: 06790000, based on PE: false

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 9d7b200752c1138e2a80c284922d6a7e46d13c48f9c9545ab4446e26a624de86
Instruction ID: 614fdf79774450f49bfbd568574fae2beaa9642fc21c477743d39ec2e6754f2f
Opcode Fuzzy Hash: 9d7b200752c1138e2a80c284922d6a7e46d13c48f9c9545ab4446e26a624de86
Instruction Fuzzy Hash: 9E01B571A14240AFEB50DF29E885766FBD8DF04220F18C0AADD09DB346D674D508CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 010FB7FA, Relevance: 1.5, APIs: 1, Instructions: 46libraryCOMMON

Download Yara Rule

APIs

LoadLibraryShim.MSCOREE(?,?,?,?), ref: 010FB845

Memory Dump Source

Source File: 00000000.00000002.388879061.00000000010FA000.00000040.00000001.sdmp, Offset: 010FA000, based on PE: false

Similarity

API ID: LibraryLoadShim
String ID:
API String ID: 1475914169-0
Opcode ID: 9b7621b43f754ce6ef757c90e17a29bc90078228a4d7c8bf6803905652383d4d
Instruction ID: 82337f667b24d4efdd38360dfeca219166cb8efb20957efb2fc6919ac0168276
Opcode Fuzzy Hash: 9b7621b43f754ce6ef757c90e17a29bc90078228a4d7c8bf6803905652383d4d
Instruction Fuzzy Hash: DD0180755006409FEB60DF19D886B26FFE4EF44620F18809EDE898B712D275E409CF71

Uniqueness

Uniqueness Score: -1.00%

Function 010FA622, Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 010FA666

Memory Dump Source

Source File: 00000000.00000002.388879061.00000000010FA000.00000040.00000001.sdmp, Offset: 010FA000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 66fe34c022fdd6140a2973d2380ad050eb61325a6d6689febb56d92bb5a36ebf
Instruction ID: f304ac5605265a1834cbd8dcd304b4234e339b890c2428946123b898142303ee
Opcode Fuzzy Hash: 66fe34c022fdd6140a2973d2380ad050eb61325a6d6689febb56d92bb5a36ebf
Instruction Fuzzy Hash: 5B018031500700EFDB228F55D945B56FFE4EF48720F08C5AEDE898B612D275A418DF61

Uniqueness

Uniqueness Score: -1.00%

Function 06792A0E, Relevance: 1.5, APIs: 1, Instructions: 44threadinjectionCOMMON

Download Yara Rule

APIs

SetThreadContext.KERNELBASE(?,?), ref: 06792A4B

Memory Dump Source

Source File: 00000000.00000002.405071025.0000000006790000.00000040.00000001.sdmp, Offset: 06790000, based on PE: false

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: d5023e1b60ae8731aedb9f19833ccadf85cd1e5759c1f7d98e6f1746f27e2340
Instruction ID: 4e2b477673f2b4cd4f635e568b0d407d175c661abaee8b28d7536a85b84c7ac9
Opcode Fuzzy Hash: d5023e1b60ae8731aedb9f19833ccadf85cd1e5759c1f7d98e6f1746f27e2340
Instruction Fuzzy Hash: 3C01B136A10244AFEB609F15E885B66FBD8EF04220F08C0AADE158B352D674E908CB71

Uniqueness

Uniqueness Score: -1.00%

Function 06790E06, Relevance: 1.5, APIs: 1, Instructions: 43registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,?,?), ref: 06790E56

Memory Dump Source

Source File: 00000000.00000002.405071025.0000000006790000.00000040.00000001.sdmp, Offset: 06790000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: c6c68c98c99d14ea46cd47c974e94c972d49e52bf1cc7b91ca7ca2d203af55b6
Instruction ID: 056c7a52fbbe4e76d6d9282c5a3f1b5d07e05336f081c8a5319683fad81d726b
Opcode Fuzzy Hash: c6c68c98c99d14ea46cd47c974e94c972d49e52bf1cc7b91ca7ca2d203af55b6
Instruction Fuzzy Hash: FE01A276500600ABD310DF16DC86F26FBA8FB88B20F14811AED088B741E371F515CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 06792ABA, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06792AF8

Memory Dump Source

Source File: 00000000.00000002.405071025.0000000006790000.00000040.00000001.sdmp, Offset: 06790000, based on PE: false

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 6f3a8592d14d0d6aadc0b7a59b0cfd88a0e7ccfd54d05fd09a5f1629d756dae2
Instruction ID: 4cc86e10da3f9ebfc2fea9a1b260219c0b92703fc14f057b850b8d669e6ec252
Opcode Fuzzy Hash: 6f3a8592d14d0d6aadc0b7a59b0cfd88a0e7ccfd54d05fd09a5f1629d756dae2
Instruction Fuzzy Hash: 79019E36500740EFDB219F15E885B66FFE4EF04320F08C09EDE468A612E2B5A558DFB2

Uniqueness

Uniqueness Score: -1.00%

Function 010FA2F6, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

SetConsoleCtrlHandler.KERNELBASE(?,00000E2C,?,?), ref: 010FA346

Memory Dump Source

Source File: 00000000.00000002.388879061.00000000010FA000.00000040.00000001.sdmp, Offset: 010FA000, based on PE: false

Similarity

API ID: ConsoleCtrlHandler
String ID:
API String ID: 1513847179-0
Opcode ID: 181ca59fadd7b60430974f146ba61d5442d6a60fe9acd8d23987003e71ab112c
Instruction ID: 7497c1667abec20cf472c8687d800f9e9eb5555c2ffe7d9ce3a85273bc897a97
Opcode Fuzzy Hash: 181ca59fadd7b60430974f146ba61d5442d6a60fe9acd8d23987003e71ab112c
Instruction Fuzzy Hash: 1E016275540600ABD710DF16DC86F26FBA8FB88B20F14815AED089B741E375F515CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 06792F12, Relevance: 1.5, APIs: 1, Instructions: 42windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 06792F4D

Memory Dump Source

Source File: 00000000.00000002.405071025.0000000006790000.00000040.00000001.sdmp, Offset: 06790000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 2879bd985039da58e92f4faccf6678db9c568a8026778cbb71376272a57fe8fa
Instruction ID: 10b38d6b93a2456ebb81d3f061911b5811cc84631db9116f55151a691c64d58b
Opcode Fuzzy Hash: 2879bd985039da58e92f4faccf6678db9c568a8026778cbb71376272a57fe8fa
Instruction Fuzzy Hash: 5301B135500600EFDB209F15D885B66FFE5EF04324F08C09EEE4A8B622D2B5A518DFB1

Uniqueness

Uniqueness Score: -1.00%

Function 010FAF12, Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 010FAF50

Memory Dump Source

Source File: 00000000.00000002.388879061.00000000010FA000.00000040.00000001.sdmp, Offset: 010FA000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 82e639fe3923dee7c670369f8513c22fa9fe1b0b62f6cdd84c21b645128ebae5
Instruction ID: 3b20861ecd75d269ebaccda594cde05d608714aafff26bce18ef022df10f69d0
Opcode Fuzzy Hash: 82e639fe3923dee7c670369f8513c22fa9fe1b0b62f6cdd84c21b645128ebae5
Instruction Fuzzy Hash: 70017C75500600DFDB218F55D885B66FFE0EF08720F18849EDE894B662D2B5A418DFA2

Uniqueness

Uniqueness Score: -1.00%

Function 06792CCE, Relevance: 1.5, APIs: 1, Instructions: 38windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 06792D09

Memory Dump Source

Source File: 00000000.00000002.405071025.0000000006790000.00000040.00000001.sdmp, Offset: 06790000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: e7422dc2b41be0f6c350b6861314a66bc52bf28d23bafb11e21360a0f841a1b5
Instruction ID: ad3ced73870bced38deec6a61af4a43d8e4b882bdb38fc6b1a37fa3a08cbcebd
Opcode Fuzzy Hash: e7422dc2b41be0f6c350b6861314a66bc52bf28d23bafb11e21360a0f841a1b5
Instruction Fuzzy Hash: D6017C35910644EFEB609F15E884B66FFE0EF08320F18C49ADE494A716D2B5A518CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 010FAB0E, Relevance: 1.5, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32 ref: 010FAB46

Memory Dump Source

Source File: 00000000.00000002.388879061.00000000010FA000.00000040.00000001.sdmp, Offset: 010FA000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: fdbd5b009839c4a7e14c6b1ea2ac57857de53c80f633506c2d9bd36a8830ffe2
Instruction ID: 34c09361501a3dd866794165095085ca7cb2989943e9f7b2fbdfaebc6335a640
Opcode Fuzzy Hash: fdbd5b009839c4a7e14c6b1ea2ac57857de53c80f633506c2d9bd36a8830ffe2
Instruction Fuzzy Hash: E4018B35504608DFDB208F19D886B56FFA0EF04720F08C49ADE8A4B653C2B5A408CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 010FA44E, Relevance: 1.5, APIs: 1, Instructions: 35threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE(?), ref: 010FA480

Memory Dump Source

Source File: 00000000.00000002.388879061.00000000010FA000.00000040.00000001.sdmp, Offset: 010FA000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 6cca006fdcdb8bc67c05210dd69952e98bf39655187a95533ab23364ceb738fb
Instruction ID: e33a83095834d3c443d085fd7e536235acb104df8a9a6aafdd74ffe71b1d834f
Opcode Fuzzy Hash: 6cca006fdcdb8bc67c05210dd69952e98bf39655187a95533ab23364ceb738fb
Instruction Fuzzy Hash: 66F08135504644DFDB108F19D889765FF94DF44720F18C0AEDE894B756D6B9A408CEB2

Uniqueness

Uniqueness Score: -1.00%

Function 06D4274D, Relevance: 1.4, Strings: 1, Instructions: 169COMMON

Download Yara Rule

Strings

a, xrefs: 06D424F5

Memory Dump Source

Source File: 00000000.00000002.405661474.0000000006D40000.00000040.00000001.sdmp, Offset: 06D40000, based on PE: false

Similarity

API ID:
String ID: a
API String ID: 0-3904355907
Opcode ID: 922421446c8bcf105a32846a0f676e29683f639acb9994db0bec7067528f3f4d
Instruction ID: a57f0509f4c17441859947b89e3b01b4598391cd18204345df7134a863214e7f
Opcode Fuzzy Hash: 922421446c8bcf105a32846a0f676e29683f639acb9994db0bec7067528f3f4d
Instruction Fuzzy Hash: 8661C174D09228CFEBA0DF68D8847EDBBB5EB4A314F1051A9E45DA7281D7348E85CF44

Uniqueness

Uniqueness Score: -1.00%

Function 06D41373, Relevance: 1.4, Strings: 1, Instructions: 126COMMON

Download Yara Rule

Strings

(>6p, xrefs: 06D414DE

Memory Dump Source

Source File: 00000000.00000002.405661474.0000000006D40000.00000040.00000001.sdmp, Offset: 06D40000, based on PE: false

Similarity

API ID:
String ID: (>6p
API String ID: 0-3006165022
Opcode ID: 2a3755ff8bbff357df2125f0618027317e0aea6cdbb187b0dfa38178139eab5f
Instruction ID: e1fd18c76352cf896f11b0dbae99af7b375d1f98c1aef9b8813052a05424ed41
Opcode Fuzzy Hash: 2a3755ff8bbff357df2125f0618027317e0aea6cdbb187b0dfa38178139eab5f
Instruction Fuzzy Hash: 90510374D0122ACFDBA5EF64C8587ADB7B6EB8A300F1085E99449A7291DB349EC1CF41

Uniqueness

Uniqueness Score: -1.00%

Function 06D4148E, Relevance: 1.3, Strings: 1, Instructions: 77COMMON

Download Yara Rule

Strings

(>6p, xrefs: 06D414DE

Memory Dump Source

Source File: 00000000.00000002.405661474.0000000006D40000.00000040.00000001.sdmp, Offset: 06D40000, based on PE: false

Similarity

API ID:
String ID: (>6p
API String ID: 0-3006165022
Opcode ID: ed44b19932cfbec0a1b621e8bd53893d274204c039cce296f5f050867e52d28c
Instruction ID: fc11db38a5aef2a7fd247675f140eb667898115b9b706d6eb2019a6896f87905
Opcode Fuzzy Hash: ed44b19932cfbec0a1b621e8bd53893d274204c039cce296f5f050867e52d28c
Instruction Fuzzy Hash: F831F0B4D0122ACFCBA9EB24C8547EDB7B9AB4A300F1051E9D449A7240DB749FC1CF41

Uniqueness

Uniqueness Score: -1.00%

Function 06D4448B, Relevance: 1.3, Strings: 1, Instructions: 77COMMON

Download Yara Rule

Strings

:@Dr, xrefs: 06D444B4

Memory Dump Source

Source File: 00000000.00000002.405661474.0000000006D40000.00000040.00000001.sdmp, Offset: 06D40000, based on PE: false

Similarity

API ID:
String ID: :@Dr
API String ID: 0-3830894600
Opcode ID: 1c28d554efbbbe0faa227d5c9bc07f0879f367860c1aba2677832e77f58f9062
Instruction ID: 2adae79746c143eb7a1173fb85e2dd135bcccfed50392bc94bd7319fb3ca9b06
Opcode Fuzzy Hash: 1c28d554efbbbe0faa227d5c9bc07f0879f367860c1aba2677832e77f58f9062
Instruction Fuzzy Hash: 9631E134A01269CFEB64DB68CC50BA9BBB2FF85300F1081EAC54D2B395DA355E85CF21

Uniqueness

Uniqueness Score: -1.00%

Function 015DAEB0, Relevance: 1.3, Strings: 1, Instructions: 53COMMON

Download Yara Rule

Strings

eWq^, xrefs: 015DAEE3, 015DAEE8

Memory Dump Source

Source File: 00000000.00000002.389328762.00000000015D0000.00000040.00000001.sdmp, Offset: 015D0000, based on PE: false

Similarity

API ID:
String ID: eWq^
API String ID: 0-2947350136
Opcode ID: 0ed6b3aad8594129006f27c467f1ee36371eb94a328b3ef1c2bd926ce06f7003
Instruction ID: 32a0884238b570123b0bcc0eee639f20ea97127d18785b58151afdcc5eef9f10
Opcode Fuzzy Hash: 0ed6b3aad8594129006f27c467f1ee36371eb94a328b3ef1c2bd926ce06f7003
Instruction Fuzzy Hash: E0118C70E0030DDFCB19DFB8D5516ADBB72FB85204F1086A999096B381DBB59D41DF40

Uniqueness

Uniqueness Score: -1.00%

Function 06D48C0B, Relevance: 1.3, Strings: 1, Instructions: 53COMMON

Download Yara Rule

Strings

Uq^, xrefs: 06D48C92, 06D48C97

Memory Dump Source

Source File: 00000000.00000002.405661474.0000000006D40000.00000040.00000001.sdmp, Offset: 06D40000, based on PE: false

Similarity

API ID:
String ID: Uq^
API String ID: 0-2582887146
Opcode ID: 9cfdff277eeff4ce300f5644aef2783a0ae31bec7fe7ed4ca0b06bd6b161cbc7
Instruction ID: 5b1c5e2c3c8a77df25648dff502d2ab596e7fdfb058df5c3a362d520be6227c7
Opcode Fuzzy Hash: 9cfdff277eeff4ce300f5644aef2783a0ae31bec7fe7ed4ca0b06bd6b161cbc7
Instruction Fuzzy Hash: 3B118270D4A118CFEBA0DF78D9407E9B77AAB4A214F1055DAC45DA73C2CA308E429F84

Uniqueness

Uniqueness Score: -1.00%

Function 015DAEC0, Relevance: 1.3, Strings: 1, Instructions: 32COMMON

Download Yara Rule

Strings

eWq^, xrefs: 015DAEE3, 015DAEE8

Memory Dump Source

Source File: 00000000.00000002.389328762.00000000015D0000.00000040.00000001.sdmp, Offset: 015D0000, based on PE: false

Similarity

API ID:
String ID: eWq^
API String ID: 0-2947350136
Opcode ID: faf79d7e7b859dd7b94730ed3b3d67245e8b72460e9ec9c3266e19b782f07499
Instruction ID: 96fea8ed575f192ef171c9ec035c6197a43bef1075fe9fff66aa66899c1f589e
Opcode Fuzzy Hash: faf79d7e7b859dd7b94730ed3b3d67245e8b72460e9ec9c3266e19b782f07499
Instruction Fuzzy Hash: 55F0B430E0120DDFCB04EFB8D955A9E7B75FB80204F10466895096B385DFB46D41DB95

Uniqueness

Uniqueness Score: -1.00%

Function 015D7A47, Relevance: 1.3, Strings: 1, Instructions: 30COMMON

Download Yara Rule

Strings

|, xrefs: 015D840D

Memory Dump Source

Source File: 00000000.00000002.389328762.00000000015D0000.00000040.00000001.sdmp, Offset: 015D0000, based on PE: false

Similarity

API ID:
String ID: |
API String ID: 0-2343686810
Opcode ID: 54d79fce3a119bd73078a40c47aaff9150b087a325dd82de77e063770625c089
Instruction ID: 653e32f3606b6bde183825e4487115a3ebc5f4070fef1e5617c8ca8509a19d3a
Opcode Fuzzy Hash: 54d79fce3a119bd73078a40c47aaff9150b087a325dd82de77e063770625c089
Instruction Fuzzy Hash: 7D01B674A06268CFEB34CF58D884B9DB7B0BB0A308F4055E9D509AB241C7709E84CF15

Uniqueness

Uniqueness Score: -1.00%

Function 06D48437, Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.405661474.0000000006D40000.00000040.00000001.sdmp, Offset: 06D40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73d8c214d6d8bc9754f89d580b019754895abe4aea5aeec8bae3bf9e10847cc7
Instruction ID: be44f4b9d7cf9488de122c0f3f4f21503fff33c0e68ed4235028c90b974294f7
Opcode Fuzzy Hash: 73d8c214d6d8bc9754f89d580b019754895abe4aea5aeec8bae3bf9e10847cc7
Instruction Fuzzy Hash: 1A71F770C45229CFDBA4EF24C8447ECB6B5AB45345F1091EAC15EB6291DB748EC4DF80

Uniqueness

Uniqueness Score: -1.00%

Function 015D23F8, Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.389328762.00000000015D0000.00000040.00000001.sdmp, Offset: 015D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f68f6e48fa8ac282d32747fd115da0479c64faf3fd3fbda98f543e7f0d0ed076
Instruction ID: 42b9471890c7aa3deca89af72b3e0265d28d9f3803eaa0e1a00b1a64cc34794f
Opcode Fuzzy Hash: f68f6e48fa8ac282d32747fd115da0479c64faf3fd3fbda98f543e7f0d0ed076
Instruction Fuzzy Hash: BB51F374D00218DFDB18DFA9D8487EEBFB2BF88304F108029D9156B294DBB95A85CF90

Uniqueness

Uniqueness Score: -1.00%

Function 015D3681, Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.389328762.00000000015D0000.00000040.00000001.sdmp, Offset: 015D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b6e5e127ec798463cb6bf9bdf46bbbeea668f6066752ec6e38cfacf73a01374
Instruction ID: 1249cfcc425a2af042989320375856212fd988bd42fcd54048cb3a677281c92b
Opcode Fuzzy Hash: 6b6e5e127ec798463cb6bf9bdf46bbbeea668f6066752ec6e38cfacf73a01374
Instruction Fuzzy Hash: 8051C0B4E00268CFEB65DF2AC8497DCBAB5BB89304F0080EA894CA7251DB755EC5DF11

Uniqueness

Uniqueness Score: -1.00%

Function 015D23E9, Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.389328762.00000000015D0000.00000040.00000001.sdmp, Offset: 015D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5082bb13c2d11cd2b2bd199dac1f592f0e100ce76183bd066369331166cf30df
Instruction ID: bea1dc2549fc4f5c93f46403e2d0cb550fdeaf03fb74b64b589ef560f60f50e9
Opcode Fuzzy Hash: 5082bb13c2d11cd2b2bd199dac1f592f0e100ce76183bd066369331166cf30df
Instruction Fuzzy Hash: 1541E374D01208DFDB19DFA9D8486EEBFB2BF88304F108069D915A7294DB755A85CF90

Uniqueness

Uniqueness Score: -1.00%

Function 015D0142, Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.389328762.00000000015D0000.00000040.00000001.sdmp, Offset: 015D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e453eb79374fef8b974f46f52616d1c75a7572a035e3fc1bcf2805fb3a45f38a
Instruction ID: 190b1c28e88958a194568ba613bf1f9941d2f5462c81ba4bd95cebaab524836b
Opcode Fuzzy Hash: e453eb79374fef8b974f46f52616d1c75a7572a035e3fc1bcf2805fb3a45f38a
Instruction Fuzzy Hash: B631F571E01209CFCB49EFA8E994AEDBBF5FF8A210F105169E405A7290DB715D41CF90

Uniqueness

Uniqueness Score: -1.00%

Function 015D0150, Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.389328762.00000000015D0000.00000040.00000001.sdmp, Offset: 015D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe9de4786272823260944346afaadc15804c3e10c27d27c13ba0512b41cb7b23
Instruction ID: 5b6886c138a5efa03c4c8ef06b0db42205285a1b5b90895bb80cb29cf223fbe5
Opcode Fuzzy Hash: fe9de4786272823260944346afaadc15804c3e10c27d27c13ba0512b41cb7b23
Instruction Fuzzy Hash: 2A31E230E01209CFCB48EFA8E998AEDBBF5FF49210F205169E409A7290DBB05D41CF90

Uniqueness

Uniqueness Score: -1.00%

Function 06D438F3, Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.405661474.0000000006D40000.00000040.00000001.sdmp, Offset: 06D40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46ba2633b84fd3f4f4fd98fb9deb6d93573c759bdcaf32fe280956d31e5f9b8c
Instruction ID: 9ee05caf509bb376d8c4c208a83258b4eef18208233cc3b8f60be0ac2ef15f7d
Opcode Fuzzy Hash: 46ba2633b84fd3f4f4fd98fb9deb6d93573c759bdcaf32fe280956d31e5f9b8c
Instruction Fuzzy Hash: D231F274D49269CFDFA0EF6AC8047EDB7B5AB89301F0150EA8449A7290DB348E84CF80

Uniqueness

Uniqueness Score: -1.00%

Function 015D0006, Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.389328762.00000000015D0000.00000040.00000001.sdmp, Offset: 015D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b36fda5ae99ff40ccf23e12c97f0ef106f44f90f988daea62ef4177946fd0c4
Instruction ID: 1cfdebf15e66295d2d7699fbb07f63d9b51587c72801916dc181b680b448821b
Opcode Fuzzy Hash: 3b36fda5ae99ff40ccf23e12c97f0ef106f44f90f988daea62ef4177946fd0c4
Instruction Fuzzy Hash: 5F115B3048F3C49FC3579B7088755AA3FB0AF43210B1A49DBC480CB4A3C66A5E59D766

Uniqueness

Uniqueness Score: -1.00%

Function 07171C60, Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.405787763.0000000007170000.00000040.00000001.sdmp, Offset: 07170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2e00d70c45e5b0c64699b9856c9682a428f5ed5daaf00fb7089d263c42f1937
Instruction ID: 734895a010b11b36901550210bc0f0e2939981aee4eed64e1ea63202e1668805
Opcode Fuzzy Hash: c2e00d70c45e5b0c64699b9856c9682a428f5ed5daaf00fb7089d263c42f1937
Instruction Fuzzy Hash: 1811D8B5608301AFD340CF19D880A5BFBE4FB88664F04896EF998D7311D271EA048FA2

Uniqueness

Uniqueness Score: -1.00%

Function 015C075C, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.389320248.00000000015C0000.00000040.00000040.sdmp, Offset: 015C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2074b05d5350c44d5df4f296262dbbf1ef9978715fded69227c349b2b30c0a9
Instruction ID: d0b78203b9e5cd2e0bbd383124a31c920989065dc7aa4f39fe553de29a3a4423
Opcode Fuzzy Hash: d2074b05d5350c44d5df4f296262dbbf1ef9978715fded69227c349b2b30c0a9
Instruction Fuzzy Hash: 52119338204244DFD719CF54C984B2ABBD5BB48B18F24C99DE9491B693C77BD403CA51

Uniqueness

Uniqueness Score: -1.00%

Function 07171B04, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.405787763.0000000007170000.00000040.00000001.sdmp, Offset: 07170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e58be67158e218258494de046595c933ae5f987ae10edee3fcbe932e577f17ec
Instruction ID: 6aa49fa616e32e4a15d03c608f81df85468c40b27879fc60f873e0c7d2858af3
Opcode Fuzzy Hash: e58be67158e218258494de046595c933ae5f987ae10edee3fcbe932e577f17ec
Instruction Fuzzy Hash: 3911ECB5608301AFD350CF19DC81E5BFBE8EB88660F14891EFD9997311D271E9048FA2

Uniqueness

Uniqueness Score: -1.00%

Function 0110ADBC, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.388905483.0000000001102000.00000040.00000001.sdmp, Offset: 01102000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de06c082433a3fb7875445f9a6f44081f8ab9f1bfbb77903f10f54040d4dc881
Instruction ID: 854c777f7f68a3877b3e3e030f5c644eaa89de5b5ef1c7c8bfb15e9b4ebd0719
Opcode Fuzzy Hash: de06c082433a3fb7875445f9a6f44081f8ab9f1bfbb77903f10f54040d4dc881
Instruction Fuzzy Hash: D411ECB5608301AFD350CF19DC81E5BFBE8EB88660F14891EFD9997311D271E9048FA2

Uniqueness

Uniqueness Score: -1.00%

Function 015C05D0, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.389320248.00000000015C0000.00000040.00000040.sdmp, Offset: 015C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11f9eeb5c87f41af68c4382b59b4c27b69b854bf24048d38c554bc656deeca68
Instruction ID: eec57240a45decebad5a8d8cb1ca3d6c9ea69a85c0bbe9432cf4683ecc578f6f
Opcode Fuzzy Hash: 11f9eeb5c87f41af68c4382b59b4c27b69b854bf24048d38c554bc656deeca68
Instruction Fuzzy Hash: 3B01A7765097806FD7128F16DC44862FFB8DF86620719849FED898B612D2257909CB71

Uniqueness

Uniqueness Score: -1.00%

Function 015C074A, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.389320248.00000000015C0000.00000040.00000040.sdmp, Offset: 015C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94a02273c7415859ae14f11409b8e9f622163e8573413e701f7af9a810e6236a
Instruction ID: 623002d4b3c44c5aecfebc5913efd82f1ad1982d42f5875f1369698cca8d7ce4
Opcode Fuzzy Hash: 94a02273c7415859ae14f11409b8e9f622163e8573413e701f7af9a810e6236a
Instruction Fuzzy Hash: DD113D34109284DFC706CB60C990B15BBA1AB46608F2886EEE8895B693C33A9806CB41

Uniqueness

Uniqueness Score: -1.00%

Function 06D439C3, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.405661474.0000000006D40000.00000040.00000001.sdmp, Offset: 06D40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 149b458adbc002e88efe0d1f99af1c78f8f37381dd03e21617c2792dd7786cca
Instruction ID: 29444745d1dfca81ecfc8668e0c5ccbf0364ab15030c0ee5db232721f7ca2d88
Opcode Fuzzy Hash: 149b458adbc002e88efe0d1f99af1c78f8f37381dd03e21617c2792dd7786cca
Instruction Fuzzy Hash: DC01C274D451A8CFDFA0EF6AC805BECB7B4AF89305F0150EA8049A6250D7348E84CE80

Uniqueness

Uniqueness Score: -1.00%

Function 06D44DD6, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.405661474.0000000006D40000.00000040.00000001.sdmp, Offset: 06D40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12275ef70f4a2911719a527e52344f14aa7df15be194231f803a27915c91307d
Instruction ID: 2e172b9bce4eb0b736320f93ccb5ed8ed5da68b6ed1d8acd172b0694df9c46c7
Opcode Fuzzy Hash: 12275ef70f4a2911719a527e52344f14aa7df15be194231f803a27915c91307d
Instruction Fuzzy Hash: 39015A78A09358CFDB60DF18D4847A9BBB4FF4B210F1041D6989DAB282C7318E81CF82

Uniqueness

Uniqueness Score: -1.00%

Function 015C0818, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.389320248.00000000015C0000.00000040.00000040.sdmp, Offset: 015C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 525cef522958239b2deb72ab7ac90410e2832b06fb356f1b7ca8807ee3c9392c
Instruction ID: c0c5431736a6152274527a2fa03c48a4e1e1d935a4bdcb8bce011121bd4379d2
Opcode Fuzzy Hash: 525cef522958239b2deb72ab7ac90410e2832b06fb356f1b7ca8807ee3c9392c
Instruction Fuzzy Hash: FAF0FB39104644DFC606CF44D940B26FBE2FB89718F24CAADE9490B652C3379813DE81

Uniqueness

Uniqueness Score: -1.00%

Function 015DA7C0, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.389328762.00000000015D0000.00000040.00000001.sdmp, Offset: 015D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97045f6d6cd5ed6a8f9edda2e47a41b26e7dd57cdf47a726804fa8aa84cbbeb7
Instruction ID: 80bc7cfa8ae6f843d0961fb753e0f51e6e81cecdc417556cd2f6c2d7962bc1f8
Opcode Fuzzy Hash: 97045f6d6cd5ed6a8f9edda2e47a41b26e7dd57cdf47a726804fa8aa84cbbeb7
Instruction Fuzzy Hash: FAF01935D062588FDB25CF28ED58B99BBB0FB04204F0041E6C44DA7246CB741F84CF60

Uniqueness

Uniqueness Score: -1.00%

Function 015C05F6, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.389320248.00000000015C0000.00000040.00000040.sdmp, Offset: 015C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fddfa08521e1185d5644521fa13d9b9b272e56c4e7b652da081a67744202a97
Instruction ID: 885397a106b2f89d851b629e654185f9ea952f2490a41bac02a168f37345521f
Opcode Fuzzy Hash: 8fddfa08521e1185d5644521fa13d9b9b272e56c4e7b652da081a67744202a97
Instruction Fuzzy Hash: F2E092766406008BD650CF0BEC81452F7D8EB88630B18C07FDD0D8B700E179B508CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 06D45981, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.405661474.0000000006D40000.00000040.00000001.sdmp, Offset: 06D40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5c2808fd8cd692ad3a2b49f462cb1228fd6efce591639431aaeb19acc593fe8
Instruction ID: 7be4ab72bfb83a716c929e61f454274c309b8b8c0ae9956a24037d1d64390750
Opcode Fuzzy Hash: f5c2808fd8cd692ad3a2b49f462cb1228fd6efce591639431aaeb19acc593fe8
Instruction Fuzzy Hash: F5F0ED70D4A348DFD745EF60E4086A87BB4EB42305F1001E8D80863296EAB66E80CF92

Uniqueness

Uniqueness Score: -1.00%

Function 07171B53, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.405787763.0000000007170000.00000040.00000001.sdmp, Offset: 07170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ee8e51f29a3e516a3954c25a0ccf7189d24dc7bf4dc51fae5584275d2a2bc5c
Instruction ID: d976d80066e7affc1ed5a4d4c0de24abebc44415511faefd141698fe57ca2fae
Opcode Fuzzy Hash: 8ee8e51f29a3e516a3954c25a0ccf7189d24dc7bf4dc51fae5584275d2a2bc5c
Instruction Fuzzy Hash: 53E0D87264130467D2509E06DC86B53FB98DB44A30F14C55BEE0D5B302E1B6B5148AF5

Uniqueness

Uniqueness Score: -1.00%

Function 07171CCB, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.405787763.0000000007170000.00000040.00000001.sdmp, Offset: 07170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4067cf1980803c3ff42680af5ed5ff88b310437f9fabfa3e0fd68c23afed6f1b
Instruction ID: 749274d419a5baaa46d6a8771748063a8787b4bc02044a02a43482f6d9f6c61b
Opcode Fuzzy Hash: 4067cf1980803c3ff42680af5ed5ff88b310437f9fabfa3e0fd68c23afed6f1b
Instruction Fuzzy Hash: E0E0D8B264130067D2108E069C86B53FB98EB44A30F14C56BEE085B301E1B5B5188AE5

Uniqueness

Uniqueness Score: -1.00%

Function 07171577, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.405787763.0000000007170000.00000040.00000001.sdmp, Offset: 07170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa795e3fe609b5ff171ca2d4e0674796ec3577a36d9bad061d5bf1f7a8165946
Instruction ID: 5969c5a108ce5093a060569dd334fcc1ec84f0af9cdae3e8e80de621b16a5dfa
Opcode Fuzzy Hash: fa795e3fe609b5ff171ca2d4e0674796ec3577a36d9bad061d5bf1f7a8165946
Instruction Fuzzy Hash: 5CE0D87264130067D2109E069C86B53FB98DB40A30F14C55BEE095B301E1B6B514CEE5

Uniqueness

Uniqueness Score: -1.00%

Function 0110AE0B, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.388905483.0000000001102000.00000040.00000001.sdmp, Offset: 01102000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d34a911233d86e5005ea46c568b47c3ebea3f4414a310dae8be2b9810df3c723
Instruction ID: 348f145ff45c7f87ca0c80fd07c3a33f9751fe408b3ee64409c058157b172480
Opcode Fuzzy Hash: d34a911233d86e5005ea46c568b47c3ebea3f4414a310dae8be2b9810df3c723
Instruction Fuzzy Hash: CEE0D872A4130467D2108F069C86B53FB58DB40A30F14C55BEE0D5B301E1B5B5148AF5

Uniqueness

Uniqueness Score: -1.00%

Function 015D0070, Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.389328762.00000000015D0000.00000040.00000001.sdmp, Offset: 015D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b34fe0839b2e2585393c34421605e4a9db5f56f3c12e3e897081274602b59f9
Instruction ID: 231906d2ab7e5f208a25e2ca9b917ac2f013dc32891d0180763c8c3cb006368a
Opcode Fuzzy Hash: 9b34fe0839b2e2585393c34421605e4a9db5f56f3c12e3e897081274602b59f9
Instruction Fuzzy Hash: BBE08670983209D7C61CF7B8851677F7364DB42200F101CA8810123180CEB55E10DA95

Uniqueness

Uniqueness Score: -1.00%

Function 06D4743B, Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.405661474.0000000006D40000.00000040.00000001.sdmp, Offset: 06D40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a724b39ae1240f91382e4b5b1d4d6f953c7cdcc9cf89e5141cf418bf0b355d54
Instruction ID: b80087f8c99d7acffca008c6c9df91b2c91d837651a627cf074af8a64f62fac9
Opcode Fuzzy Hash: a724b39ae1240f91382e4b5b1d4d6f953c7cdcc9cf89e5141cf418bf0b355d54
Instruction Fuzzy Hash: 80F01C75D582189FEB51DF60CC48BECBBB8AB0D701F0040D5E14DA6181DB705B84DF54

Uniqueness

Uniqueness Score: -1.00%

Function 015D3B50, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.389328762.00000000015D0000.00000040.00000001.sdmp, Offset: 015D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31ed2e1f9ebc862b1538e49f4d3c0fc8594e5011ce4c28b310dccce50c8d9988
Instruction ID: 87ad50fed854882ea4316df33eabd5ebf708c265403c548751b1ad0b352e7e35
Opcode Fuzzy Hash: 31ed2e1f9ebc862b1538e49f4d3c0fc8594e5011ce4c28b310dccce50c8d9988
Instruction Fuzzy Hash: D4E065B0C09308EFDB96DFA8D8042ACBFB0FB49301F1081AAC854A3350E6711A80CF42

Uniqueness

Uniqueness Score: -1.00%

Function 06D45990, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.405661474.0000000006D40000.00000040.00000001.sdmp, Offset: 06D40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3c1d6de0e0ff5e3b69806f098134c2c1080a79806920b38da7b4edbd47e64a6
Instruction ID: 7cd764fa8ab64733336ed7260218ccd1eb024296214bdf902d224211d805f533
Opcode Fuzzy Hash: a3c1d6de0e0ff5e3b69806f098134c2c1080a79806920b38da7b4edbd47e64a6
Instruction Fuzzy Hash: DCE08670D0520CDFD714FF60F5096AD7BB4E745315F1041A8D80923245DBB26D80CF91

Uniqueness

Uniqueness Score: -1.00%

Function 010F23F4, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.388869069.00000000010F2000.00000040.00000001.sdmp, Offset: 010F2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b5dc74eef127de78a3b5ec0f6d1aee216d919340e10386f0b6e5931e18fc538
Instruction ID: c383f24b6b01f00b0a1ab2f76ea20155448d9ba5bccbe3444a263e68a152dbef
Opcode Fuzzy Hash: 5b5dc74eef127de78a3b5ec0f6d1aee216d919340e10386f0b6e5931e18fc538
Instruction Fuzzy Hash: 4ED05E79215A818FE3278A1CC1A9B953FE4AB51B04F4644FEE9408BA63C7A8E9D1D210

Uniqueness

Uniqueness Score: -1.00%

Function 010F23BC, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.388869069.00000000010F2000.00000040.00000001.sdmp, Offset: 010F2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3d8b73849cdfa5149bfcaf487f930743381bb877c111827e18a556e569d2098
Instruction ID: 3fbac819ac9b7994406913627bde33f87ab73282aa290fbd5eef8319f8b8b0ac
Opcode Fuzzy Hash: f3d8b73849cdfa5149bfcaf487f930743381bb877c111827e18a556e569d2098
Instruction Fuzzy Hash: 08D05E742006818BD715DB0CC595F593BD4EB41B00F0684ECAE408BA62C3A4D881C600

Uniqueness

Uniqueness Score: -1.00%

Function 06D42461, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.405661474.0000000006D40000.00000040.00000001.sdmp, Offset: 06D40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ee87d4866bc04438dddb282773d0747fba735dc198d2b3db1f28e3b305e83e2
Instruction ID: 4673ef726366564e98e87958419f6a235f9ae91a835360a2a682e4325a65f028
Opcode Fuzzy Hash: 9ee87d4866bc04438dddb282773d0747fba735dc198d2b3db1f28e3b305e83e2
Instruction Fuzzy Hash: 02D06C74D04228CFCB64CF78C8806E9B7B5AB4E310F6082AAD468A2290D7309E81CF80

Uniqueness

Uniqueness Score: -1.00%

Function 06D44352, Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.405661474.0000000006D40000.00000040.00000001.sdmp, Offset: 06D40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a58b69c97449c8798648d8024909c7388d3d3112ce7eb0e7a8ced11831ce051
Instruction ID: ff4ea65910d0afee1cbc5c6f20f04705daa9002ba9aa6798f1e133cd8c20b26f
Opcode Fuzzy Hash: 0a58b69c97449c8798648d8024909c7388d3d3112ce7eb0e7a8ced11831ce051
Instruction Fuzzy Hash: FFA0113008E220CBF380BA82A0083BC28BE830A200E08220880AE02003C2B88B088E80

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 015D45F8, Relevance: 5.1, Strings: 4, Instructions: 139COMMON

Download Yara Rule

Strings

f]Ir, xrefs: 015D4658
:@Dr, xrefs: 015D4724
>_Ir, xrefs: 015D4741
`5kr, xrefs: 015D47FD

Memory Dump Source

Source File: 00000000.00000002.389328762.00000000015D0000.00000040.00000001.sdmp, Offset: 015D0000, based on PE: false

Similarity

API ID:
String ID: :@Dr$>_Ir$`5kr$f]Ir
API String ID: 0-3492759196
Opcode ID: bced9314ca8317f0d31cd5e63498bb76502f45925264d94234880c1cf48fabfd
Instruction ID: a7dc99623d3beca56604a367980801b9d19efd65f733bf2ef46cda4f72f6eb0c
Opcode Fuzzy Hash: bced9314ca8317f0d31cd5e63498bb76502f45925264d94234880c1cf48fabfd
Instruction Fuzzy Hash: 4E518830E00609CFD749DF6EE85478DBBF6FB98304F648139D219AB258EBB05882CB50

Uniqueness

Uniqueness Score: -1.00%

Function 015D4608, Relevance: 5.1, Strings: 4, Instructions: 136COMMON

Download Yara Rule

Strings

f]Ir, xrefs: 015D4658
:@Dr, xrefs: 015D4724
>_Ir, xrefs: 015D4741
`5kr, xrefs: 015D47FD

Memory Dump Source

Source File: 00000000.00000002.389328762.00000000015D0000.00000040.00000001.sdmp, Offset: 015D0000, based on PE: false

Similarity

API ID:
String ID: :@Dr$>_Ir$`5kr$f]Ir
API String ID: 0-3492759196
Opcode ID: 790af884721528594635b4bd1d7876222298f5d822604c9f68870c9fb232d912
Instruction ID: 7fe1611f12b205a2417172278c7b14cd3ea59cf3997075919590021899d02a9a
Opcode Fuzzy Hash: 790af884721528594635b4bd1d7876222298f5d822604c9f68870c9fb232d912
Instruction Fuzzy Hash: 35516630E01609CFD749DF6EE89478DBBE6FB98304F24C139D219AB258DBB05882CB51

Uniqueness

Uniqueness Score: -1.00%

Function 015D6307, Relevance: 1.4, Strings: 1, Instructions: 173COMMON

Download Yara Rule

Strings

9, xrefs: 015D662E

Memory Dump Source

Source File: 00000000.00000002.389328762.00000000015D0000.00000040.00000001.sdmp, Offset: 015D0000, based on PE: false

Similarity

API ID:
String ID: 9
API String ID: 0-2366072709
Opcode ID: c899a527df4af6e9e6fddd2ae00f6d5d4fc978267fef551507ce8ec2af3ddf22
Instruction ID: 0bff7a5ee3ce558d693544038ede74e1ea1a262cd431a0c3a84c1bcdae8b8cd7
Opcode Fuzzy Hash: c899a527df4af6e9e6fddd2ae00f6d5d4fc978267fef551507ce8ec2af3ddf22
Instruction Fuzzy Hash: F8916FB1E006288BDBA4DF29C9917C8BBF1EF4A300F5181E9D14CA6255EB319ED5CF16

Uniqueness

Uniqueness Score: -1.00%

Function 01108340, Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.388905483.0000000001102000.00000040.00000001.sdmp, Offset: 01102000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 936800d56364f7b8ec01cbf2b99dd6dd2601b1994791cf23094da0a36fe6ad97
Instruction ID: 1d4db8e14385fb00212367c5c47aa9ba725040d69fc76275a474246f0a1a2044
Opcode Fuzzy Hash: 936800d56364f7b8ec01cbf2b99dd6dd2601b1994791cf23094da0a36fe6ad97
Instruction Fuzzy Hash: ED619A3988F7C06FD7438B749D654903FB1AE0725831E86DBC4C49E4B3D2AA191ADB62

Uniqueness

Uniqueness Score: -1.00%

Function 015D483F, Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.389328762.00000000015D0000.00000040.00000001.sdmp, Offset: 015D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9a298f2fcbdc28de0f75cf624360d117f0af9176ee8b71039fdd45fa3e31be9
Instruction ID: 642a2cf53f081ad23af65d2d67f636326524043d16cba2ee1dad4c5a367e9c49
Opcode Fuzzy Hash: c9a298f2fcbdc28de0f75cf624360d117f0af9176ee8b71039fdd45fa3e31be9
Instruction Fuzzy Hash: 7B414DB1D016188BEB6CCF6B8D4079EFAF7BFC9200F14C1BA851CAA215DB7049868F55

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: RegSvcs.exe PID: 3012 Parent PID: 6960 RegSvcs.exeCOMMON

Executed Functions

Function 050A3850, Relevance: 2.0, Strings: 1, Instructions: 760COMMON

Download Yara Rule

Strings

>_Ir, xrefs: 050A3F9D

Memory Dump Source

Source File: 00000008.00000002.601516704.00000000050A0000.00000040.00000001.sdmp, Offset: 050A0000, based on PE: false

Similarity

API ID:
String ID: >_Ir
API String ID: 0-3386957151
Opcode ID: c60ba3e72e446704c651c60ce812ae8a5bf4d899f14bd8ed59d46e7e3f542e96
Instruction ID: 894a873fd5f76990c73a64579d613dd26cda805f03c63236036c0980a113a638
Opcode Fuzzy Hash: c60ba3e72e446704c651c60ce812ae8a5bf4d899f14bd8ed59d46e7e3f542e96
Instruction Fuzzy Hash: E652C172A00215CFCB15CFA8E8849BEBBF2FF84300B2589A6D5159F256D771ED41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 051D2AF6, Relevance: 1.6, APIs: 1, Instructions: 79networkCOMMON

Download Yara Rule

APIs

bind.WS2_32(?,00000E2C,2A25310B,00000000,00000000,00000000,00000000), ref: 051D2B87

Memory Dump Source

Source File: 00000008.00000002.601704120.00000000051D0000.00000040.00000001.sdmp, Offset: 051D0000, based on PE: false

Similarity

API ID: bind
String ID:
API String ID: 1187836755-0
Opcode ID: d9e142258f58a45007018c8248795f1c3e791078e6191a3a0a03ce06c87b922b
Instruction ID: 0266ab8712a4846e35800040fcf0fa23118d08c321919cb1ae4fd4f55d0e94f4
Opcode Fuzzy Hash: d9e142258f58a45007018c8248795f1c3e791078e6191a3a0a03ce06c87b922b
Instruction Fuzzy Hash: 76219F76408384AFE712CB25CC84F96BFA8AF46310F0884DBEA849B252D374A508CB71

Uniqueness

Uniqueness Score: -1.00%

Function 051D13BF, Relevance: 1.6, APIs: 1, Instructions: 75COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 051D143F

Memory Dump Source

Source File: 00000008.00000002.601704120.00000000051D0000.00000040.00000001.sdmp, Offset: 051D0000, based on PE: false

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: 927cd18272e5db4c6c155a44876e5693ea9b9737289fb429a405a5ad23b658e3
Instruction ID: ce041d68cf1dbcb8a4b4351b036cbed1c0aee0a5ad76c63abf6413e2a831bfc4
Opcode Fuzzy Hash: 927cd18272e5db4c6c155a44876e5693ea9b9737289fb429a405a5ad23b658e3
Instruction Fuzzy Hash: E821BF75509384AFDB228F25DC40F62BFF4EF06210F0884DAE9858B163D3749908CB72

Uniqueness

Uniqueness Score: -1.00%

Function 051D17FB, Relevance: 1.6, APIs: 1, Instructions: 64nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL ref: 051D1871

Memory Dump Source

Source File: 00000008.00000002.601704120.00000000051D0000.00000040.00000001.sdmp, Offset: 051D0000, based on PE: false

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: 4689e4c03ddc4ce21c92b5b94ff1f0dfdc4a3541dfbaaded73d523428cc37041
Instruction ID: c1f50bfbb4b196c93480e0854d576532e0c0681022117e7cfb295953d4d9ad35
Opcode Fuzzy Hash: 4689e4c03ddc4ce21c92b5b94ff1f0dfdc4a3541dfbaaded73d523428cc37041
Instruction Fuzzy Hash: CF21AE724097C0AFDB238B20DC41A62FFB0EF17314F0984DBE9844B1A3D265A509DB62

Uniqueness

Uniqueness Score: -1.00%

Function 051D2B26, Relevance: 1.6, APIs: 1, Instructions: 62networkCOMMON

Download Yara Rule

APIs

bind.WS2_32(?,00000E2C,2A25310B,00000000,00000000,00000000,00000000), ref: 051D2B87

Memory Dump Source

Source File: 00000008.00000002.601704120.00000000051D0000.00000040.00000001.sdmp, Offset: 051D0000, based on PE: false

Similarity

API ID: bind
String ID:
API String ID: 1187836755-0
Opcode ID: f48e1de0792c80fe1e7a73260a771753157807a0ef9d82a5efc5df1505fdcd5e
Instruction ID: 2dd2e537d4bbe44cc06b29adbdbcd40ff71e880f010ddad55ea218df1e630735
Opcode Fuzzy Hash: f48e1de0792c80fe1e7a73260a771753157807a0ef9d82a5efc5df1505fdcd5e
Instruction Fuzzy Hash: 6E11BF76500204AFE720CF65DC85FA7FBA8EF44320F1484ABEE599B241D7B4A408CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 051D1541, Relevance: 1.6, APIs: 1, Instructions: 57nativeCOMMON

Download Yara Rule

APIs

NtSetInformationProcess.NTDLL(?,?,?,?), ref: 051D15AD

Memory Dump Source

Source File: 00000008.00000002.601704120.00000000051D0000.00000040.00000001.sdmp, Offset: 051D0000, based on PE: false

Similarity

API ID: InformationProcess
String ID:
API String ID: 1801817001-0
Opcode ID: 2e1b407517d33cf7e22bbc26a7673eb16efc90588150a79f00e2ee3d23a30422
Instruction ID: e1101753d572a79d79dfc12d1f298d60eeb2a6b313329ad7647e2b466d69d19c
Opcode Fuzzy Hash: 2e1b407517d33cf7e22bbc26a7673eb16efc90588150a79f00e2ee3d23a30422
Instruction Fuzzy Hash: 0D11BE72409380AFDB228B25DC40A62FFB4EF07310F0980DAE9854B163C275A908CB62

Uniqueness

Uniqueness Score: -1.00%

Function 051D13F6, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 051D143F

Memory Dump Source

Source File: 00000008.00000002.601704120.00000000051D0000.00000040.00000001.sdmp, Offset: 051D0000, based on PE: false

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: 30791d4404c37f4aeda233948fbd39c863b119a6d952edaadaa539fca7340d3b
Instruction ID: e119dca08d22c8b90178196db5fcdcaeeeb251313e24cf8f892ef4ee7f19fe9d
Opcode Fuzzy Hash: 30791d4404c37f4aeda233948fbd39c863b119a6d952edaadaa539fca7340d3b
Instruction Fuzzy Hash: D5115E71540604AFDB21CF65D984B66FFE4EF04320F08C4AAEE458B611D775E818DB71

Uniqueness

Uniqueness Score: -1.00%

Function 051D161A, Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNELBASE(?), ref: 051D164C

Memory Dump Source

Source File: 00000008.00000002.601704120.00000000051D0000.00000040.00000001.sdmp, Offset: 051D0000, based on PE: false

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: 0051a6a91aa7126098986c8a34e10bf8b0ff4336917cf788815a9911d1937a10
Instruction ID: c4478669f1d54ba98142584237ee9ab06d86f9d037c6ba21c993eb1b3922d988
Opcode Fuzzy Hash: 0051a6a91aa7126098986c8a34e10bf8b0ff4336917cf788815a9911d1937a10
Instruction Fuzzy Hash: 5C01A270844240AFDB20CF15D985766FF94EF04320F18C4AADE088F206D3B5A404CB71

Uniqueness

Uniqueness Score: -1.00%

Function 051D1836, Relevance: 1.5, APIs: 1, Instructions: 38nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL ref: 051D1871

Memory Dump Source

Source File: 00000008.00000002.601704120.00000000051D0000.00000040.00000001.sdmp, Offset: 051D0000, based on PE: false

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: 193232be53836a707e12ceecaa08828efa2556dfe27f83299c6a39a4b6248554
Instruction ID: e2faae87f601560b71cab8729257a36512549bb232ee1f5fb2a25aa7f08cd333
Opcode Fuzzy Hash: 193232be53836a707e12ceecaa08828efa2556dfe27f83299c6a39a4b6248554
Instruction Fuzzy Hash: 5F018B31800640EFDB20CF55D984B22FFA1FF08320F18C49ADE491B212D3B5A418CB72

Uniqueness

Uniqueness Score: -1.00%

Function 051D1572, Relevance: 1.5, APIs: 1, Instructions: 38nativeCOMMON

Download Yara Rule

APIs

NtSetInformationProcess.NTDLL(?,?,?,?), ref: 051D15AD

Memory Dump Source

Source File: 00000008.00000002.601704120.00000000051D0000.00000040.00000001.sdmp, Offset: 051D0000, based on PE: false

Similarity

API ID: InformationProcess
String ID:
API String ID: 1801817001-0
Opcode ID: 193232be53836a707e12ceecaa08828efa2556dfe27f83299c6a39a4b6248554
Instruction ID: 0a5f1e2c03660d358412dece459e2095277d1124062ea87872dd2d08f2662d32
Opcode Fuzzy Hash: 193232be53836a707e12ceecaa08828efa2556dfe27f83299c6a39a4b6248554
Instruction Fuzzy Hash: 70017C35400604AFDB20CF19D984B26FFA0FF09320F18C49ADE4A0A211C375A418CF72

Uniqueness

Uniqueness Score: -1.00%

Function 050AB748, Relevance: .9, Instructions: 897COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.601516704.00000000050A0000.00000040.00000001.sdmp, Offset: 050A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7808c1da0f515f674bc39a960b8374114c70be14514efb9bc71e9aa5e9c00008
Instruction ID: 41d3ad7295a490dccb1bbe7ca263963ef3b5c21012aa9ec47ea6dfd279912aeb
Opcode Fuzzy Hash: 7808c1da0f515f674bc39a960b8374114c70be14514efb9bc71e9aa5e9c00008
Instruction Fuzzy Hash: CC823671A00609DFDB14CFA8D984AAEFBF2FF88310F158569D41AAB655D730E981CF90

Uniqueness

Uniqueness Score: -1.00%

Function 050A23A0, Relevance: .5, Instructions: 505COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.601516704.00000000050A0000.00000040.00000001.sdmp, Offset: 050A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9168a7f0f4f6dc93af8e1a18f3b38d1f8cd0b391fd77470f6765e57636c9e6d9
Instruction ID: ff3d178ba17dc9267d9acfdae298a502b3eab18fdb6f856952636384f8070719
Opcode Fuzzy Hash: 9168a7f0f4f6dc93af8e1a18f3b38d1f8cd0b391fd77470f6765e57636c9e6d9
Instruction Fuzzy Hash: 79129C36A04226CFCB28DFB9E58066DBBF3BF84304F548179D426AF259DB749885CB50

Uniqueness

Uniqueness Score: -1.00%

Function 050A8E78, Relevance: .5, Instructions: 505COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.601516704.00000000050A0000.00000040.00000001.sdmp, Offset: 050A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f0305fc52e49f8e8e4c327b757df86af76d8cb78ff98ac5f30eb0a6c2170aed
Instruction ID: 2881fad43ce24aa608f568123bcba6d3f47b7a2ae6d83e75912979fb2f7cbd89
Opcode Fuzzy Hash: 9f0305fc52e49f8e8e4c327b757df86af76d8cb78ff98ac5f30eb0a6c2170aed
Instruction Fuzzy Hash: 3412AC32A04225CFCB14DFB9E485A6DBBF2BF88304F68896AE4169B355DB75D841CF40

Uniqueness

Uniqueness Score: -1.00%

Function 050A2FA8, Relevance: .2, Instructions: 239COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.601516704.00000000050A0000.00000040.00000001.sdmp, Offset: 050A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcb57029999b7008729f174e71132bcb681354d868f8b66782b244a4672b40f4
Instruction ID: 887bb64d872f471b65c1c40bf0d461abd5ee00e62d232e416bb92e5804091d4b
Opcode Fuzzy Hash: fcb57029999b7008729f174e71132bcb681354d868f8b66782b244a4672b40f4
Instruction Fuzzy Hash: F781A172F001159BDB18DBA9D854AAEBBF3AFC8310F2A8575E415EB355DE31DC018B90

Uniqueness

Uniqueness Score: -1.00%

Function 050A9A78, Relevance: .2, Instructions: 239COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.601516704.00000000050A0000.00000040.00000001.sdmp, Offset: 050A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49a00d0c789c8df04b89d896b1dc124960e42fde14af7b7574ece6356bde916b
Instruction ID: 928eb9c9a41f0c25dcf798e50782f2a24c1d7e1389672aafc1f677082cfdeaea
Opcode Fuzzy Hash: 49a00d0c789c8df04b89d896b1dc124960e42fde14af7b7574ece6356bde916b
Instruction Fuzzy Hash: 6C817E72F111159BDB18DBA9D980A6EBBE3AFC4350F298575E416EB369DE309C018B80

Uniqueness

Uniqueness Score: -1.00%

Function 050A9B3F, Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.601516704.00000000050A0000.00000040.00000001.sdmp, Offset: 050A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9097b561237cab69fdb42b4ef6600aae1f84b6287e3710e9c9654a792ac98fc
Instruction ID: e798e71948a9b337ae770ed2b748e43c9c9278b4ee8cdca975e190d089aba134
Opcode Fuzzy Hash: b9097b561237cab69fdb42b4ef6600aae1f84b6287e3710e9c9654a792ac98fc
Instruction Fuzzy Hash: 4C517E72F014159BD728DBADD980A6EBBE3AFC4310F2AC165D405EB3A9DE30DD418B80

Uniqueness

Uniqueness Score: -1.00%

Function 050A891F, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.601516704.00000000050A0000.00000040.00000001.sdmp, Offset: 050A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fc85f494d459ba89d061f3810c21e7a28c8049b46dd5310e7fc07d8413c4698
Instruction ID: 638972f7b3b026f0d2150f56f68b399eaa7ca51b59ea9feafee3de9228b72a37
Opcode Fuzzy Hash: 1fc85f494d459ba89d061f3810c21e7a28c8049b46dd5310e7fc07d8413c4698
Instruction Fuzzy Hash: 14018838805204EFCB40EFA1E4987AC7BB6FB0E301F1495A9E946A7259DB305E84CF51

Uniqueness

Uniqueness Score: -1.00%

Function 050A09A5, Relevance: 5.2, Strings: 4, Instructions: 175COMMON

Download Yara Rule

Strings

X1kr, xrefs: 050A0A5A
X1kr, xrefs: 050A0A98
X1kr, xrefs: 050A0AA2
X1kr, xrefs: 050A0A50

Memory Dump Source

Source File: 00000008.00000002.601516704.00000000050A0000.00000040.00000001.sdmp, Offset: 050A0000, based on PE: false

Similarity

API ID:
String ID: X1kr$X1kr$X1kr$X1kr
API String ID: 0-2451847431
Opcode ID: ef5c49a51325548b305bed77134539acc07de4f623fbc4cb8cc856047b8a9926
Instruction ID: 8360ebeb318d4ad8209b6f749cbcf358b113d27443a68f7f696f5016914b19ca
Opcode Fuzzy Hash: ef5c49a51325548b305bed77134539acc07de4f623fbc4cb8cc856047b8a9926
Instruction Fuzzy Hash: AC51B632B50215EFCB14DBE8E968A7EB7F2BF84304F218565E5169F254DB31AD02CB80

Uniqueness

Uniqueness Score: -1.00%

Function 050A02E8, Relevance: 2.7, Strings: 2, Instructions: 173COMMON

Download Yara Rule

Strings

`5kr, xrefs: 050A03A5
:@Dr, xrefs: 050A0537

Memory Dump Source

Source File: 00000008.00000002.601516704.00000000050A0000.00000040.00000001.sdmp, Offset: 050A0000, based on PE: false

Similarity

API ID:
String ID: :@Dr$`5kr
API String ID: 0-2548079215
Opcode ID: 1a22017d77412d2e48a3a606d5611233b8b16a5f1783cc106ae45c02ee57abc3
Instruction ID: 62152275282145dd7d90ced3cb82b6cb8700d3d29a654d11bb636049c33d6edc
Opcode Fuzzy Hash: 1a22017d77412d2e48a3a606d5611233b8b16a5f1783cc106ae45c02ee57abc3
Instruction Fuzzy Hash: 26517D32A05209CFDB58DFA8D468A6E7BF3FF89710F148469D506AB391DB71AC01CB52

Uniqueness

Uniqueness Score: -1.00%

Function 050A12A0, Relevance: 1.7, Strings: 1, Instructions: 460COMMON

Download Yara Rule

Strings

$ghr, xrefs: 050A1349

Memory Dump Source

Source File: 00000008.00000002.601516704.00000000050A0000.00000040.00000001.sdmp, Offset: 050A0000, based on PE: false

Similarity

API ID:
String ID: $ghr
API String ID: 0-1352911727
Opcode ID: 93b8c09d64ccdd95d020d683845bedd96e0e727e70c4cd3448e69e5afcb424cc
Instruction ID: 1565f1588cf1ba2da3b1dd6e044bc666a94693b9e6acd5e87a81825d3fa9e09c
Opcode Fuzzy Hash: 93b8c09d64ccdd95d020d683845bedd96e0e727e70c4cd3448e69e5afcb424cc
Instruction Fuzzy Hash: E822F334A00615CFCB24DF68D490A6EBBF2BF88340F148699D85AAB755DB34AD85CF81

Uniqueness

Uniqueness Score: -1.00%

Function 051D2335, Relevance: 1.6, APIs: 1, Instructions: 135COMMON

Download Yara Rule

APIs

OpenFileMappingW.KERNELBASE(?,?), ref: 051D2445

Memory Dump Source

Source File: 00000008.00000002.601704120.00000000051D0000.00000040.00000001.sdmp, Offset: 051D0000, based on PE: false

Similarity

API ID: FileMappingOpen
String ID:
API String ID: 1680863896-0
Opcode ID: 8d1317173f1f7d21cca316c44eae60204001312e39b26acf60c2e7335cc5be3d
Instruction ID: 7aff9ab5d25260f5301f8805da26a3e1ebc33a11a08e58adbc70f4b12d6e11ba
Opcode Fuzzy Hash: 8d1317173f1f7d21cca316c44eae60204001312e39b26acf60c2e7335cc5be3d
Instruction Fuzzy Hash: 4241B1755093806FE7128B25DC55FA2FFB8EF46220F1884DBEE849B293D365A908C771

Uniqueness

Uniqueness Score: -1.00%

Function 051D2908, Relevance: 1.6, APIs: 1, Instructions: 111COMMON

Download Yara Rule

APIs

getaddrinfo.WS2_32(?,00000E2C), ref: 051D29EB

Memory Dump Source

Source File: 00000008.00000002.601704120.00000000051D0000.00000040.00000001.sdmp, Offset: 051D0000, based on PE: false

Similarity

API ID: getaddrinfo
String ID:
API String ID: 300660673-0
Opcode ID: 24dde7ab206944dd509d9c1e56865b8c89c4297edacfbe3a8e9fa213eb5458fd
Instruction ID: fe0c4b4228bb6c5fcd15e0fc5c70867522f68bf7be1834465e749fd829494747
Opcode Fuzzy Hash: 24dde7ab206944dd509d9c1e56865b8c89c4297edacfbe3a8e9fa213eb5458fd
Instruction Fuzzy Hash: 4331E9B2504340AFE7228B60DC45FA6FFACEF46710F14859AE9849F192D3B5A509CB71

Uniqueness

Uniqueness Score: -1.00%

Function 051D1E9B, Relevance: 1.6, APIs: 1, Instructions: 103networkCOMMON

Download Yara Rule

APIs

WSASocketW.WS2_32 ref: 051D1F56

Memory Dump Source

Source File: 00000008.00000002.601704120.00000000051D0000.00000040.00000001.sdmp, Offset: 051D0000, based on PE: false

Similarity

API ID: Socket
String ID:
API String ID: 38366605-0
Opcode ID: 53a5d7866ea4a3286b1de36847761502183a11757877a912e754755a3f3b6670
Instruction ID: 4cee5320a0c94a410b170292e6ebc98ac9c6041716ca20b8ac5f17013ef162fd
Opcode Fuzzy Hash: 53a5d7866ea4a3286b1de36847761502183a11757877a912e754755a3f3b6670
Instruction Fuzzy Hash: F1316F7154D380AFE7238B65DC54B66FFB5EF06210F0984DAE9858B1A3C365A409CB72

Uniqueness

Uniqueness Score: -1.00%

Function 051D1AAC, Relevance: 1.6, APIs: 1, Instructions: 101registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,?,?), ref: 051D1B7E

Memory Dump Source

Source File: 00000008.00000002.601704120.00000000051D0000.00000040.00000001.sdmp, Offset: 051D0000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 2c875c44f920c76066f7fcf08e4215897199ceefa02a3107ac7fc3df25691956
Instruction ID: 69161949bfc80bad7fa9794f73597a694fb930bb62f316094b69e1a670ce54d9
Opcode Fuzzy Hash: 2c875c44f920c76066f7fcf08e4215897199ceefa02a3107ac7fc3df25691956
Instruction Fuzzy Hash: A8314B6540E3C06FD3138B318C61A62BF74EF47614B0E85CBE884CF5A3D269691AC772

Uniqueness

Uniqueness Score: -1.00%

Function 051D0EB8, Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,00000E2C), ref: 051D0F5B

Memory Dump Source

Source File: 00000008.00000002.601704120.00000000051D0000.00000040.00000001.sdmp, Offset: 051D0000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 039a7ce9e841c45af510abb370185031dfdc63f6c25c11c640c8919c857a5f33
Instruction ID: 7126fe45eebfca4c9aacf97d1167b05fb28b4ad5149c637fc397888e123f68e0
Opcode Fuzzy Hash: 039a7ce9e841c45af510abb370185031dfdc63f6c25c11c640c8919c857a5f33
Instruction Fuzzy Hash: F331A172404344AFEB228B65DC44F67FFACEF46310F0488AAF985DB152D224A919CB71

Uniqueness

Uniqueness Score: -1.00%

Function 051D0C58, Relevance: 1.6, APIs: 1, Instructions: 93COMMON

Download Yara Rule

APIs

GetTempFileNameW.KERNELBASE(?,00000E2C,?,?), ref: 051D0D1A

Memory Dump Source

Source File: 00000008.00000002.601704120.00000000051D0000.00000040.00000001.sdmp, Offset: 051D0000, based on PE: false

Similarity

API ID: FileNameTemp
String ID:
API String ID: 745986568-0
Opcode ID: c5a106481dd1b79f7e82a6a887f61a3a212e8ddfa5700fd726d313a46521e292
Instruction ID: 4d3f3da643b2445b0e94eb5fbadd9b422c6e542ad5e84dee716c4b5d85bae9e9
Opcode Fuzzy Hash: c5a106481dd1b79f7e82a6a887f61a3a212e8ddfa5700fd726d313a46521e292
Instruction Fuzzy Hash: EA314D6140D3C06FD7038B658C51B62BFB4EF47610F0E85DBD9849F5A3D225A919C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 051D0390, Relevance: 1.6, APIs: 1, Instructions: 93registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.KERNELBASE(?,00000E2C), ref: 051D045E

Memory Dump Source

Source File: 00000008.00000002.601704120.00000000051D0000.00000040.00000001.sdmp, Offset: 051D0000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: cf53f8fa1cd78b4708dc01384356c235f0e13253268a9cd876137a442977c32e
Instruction ID: 0bc55c8f0b60b6ab757e29b8e230a2bbef17fd6dc83155ef35222b693fa40a0b
Opcode Fuzzy Hash: cf53f8fa1cd78b4708dc01384356c235f0e13253268a9cd876137a442977c32e
Instruction Fuzzy Hash: 7031D572004344AFE7228F20CC41FA6FFB8EF06714F04859EEA859B192D3B5A949CB71

Uniqueness

Uniqueness Score: -1.00%

Function 011DAA02, Relevance: 1.6, APIs: 1, Instructions: 92registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,00000E2C), ref: 011DAAB1

Memory Dump Source

Source File: 00000008.00000002.596627246.00000000011DA000.00000040.00000001.sdmp, Offset: 011DA000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 469011a93102d8d44f4d9b6a55ed48607d651bad80547ca14de16f7d4d38bfb2
Instruction ID: cb252fb21741d0a80f8d51e62a1b1e61f167168b3ba2d140a0c54d57bb798a39
Opcode Fuzzy Hash: 469011a93102d8d44f4d9b6a55ed48607d651bad80547ca14de16f7d4d38bfb2
Instruction Fuzzy Hash: 7831A272544384AFE7228B25DC85F67BFACEF06710F08859BED819B152D264A909CB71

Uniqueness

Uniqueness Score: -1.00%

Function 051D07F4, Relevance: 1.6, APIs: 1, Instructions: 92fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 051D0899

Memory Dump Source

Source File: 00000008.00000002.601704120.00000000051D0000.00000040.00000001.sdmp, Offset: 051D0000, based on PE: false

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 5e1919b8a1bb5595926f5a238c283a83354ce3bbe8c817b35c500fd3fd090b38
Instruction ID: 43acece4dd4205515774ad9e46a2b5c5582625ed19e25bbe407cbf2d5ff1e082
Opcode Fuzzy Hash: 5e1919b8a1bb5595926f5a238c283a83354ce3bbe8c817b35c500fd3fd090b38
Instruction Fuzzy Hash: 0F316D71904380AFE722CB65DC44F66FFE8EF49610F0884AEE9858B252D375E909CB71

Uniqueness

Uniqueness Score: -1.00%

Function 051D2DBB, Relevance: 1.6, APIs: 1, Instructions: 90windowCOMMON

Download Yara Rule

APIs

FormatMessageW.KERNELBASE(?,00000E2C,?,?), ref: 051D2E76

Memory Dump Source

Source File: 00000008.00000002.601704120.00000000051D0000.00000040.00000001.sdmp, Offset: 051D0000, based on PE: false

Similarity

API ID: FormatMessage
String ID:
API String ID: 1306739567-0
Opcode ID: 082565411dabf86be6f14c5e5b4b12187a12cccf906275c2ad3fa3bead79db16
Instruction ID: 050444ed06f106be0790fe05e6c47c53db6fe70e3697f34b4af48d4e983fd34a
Opcode Fuzzy Hash: 082565411dabf86be6f14c5e5b4b12187a12cccf906275c2ad3fa3bead79db16
Instruction Fuzzy Hash: 7231817240D3C06FD7038B218C61A66BFB4EF47710F1A80CBD9848F2A3E6246909C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 011DAAF9, Relevance: 1.6, APIs: 1, Instructions: 89registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,2A25310B,00000000,00000000,00000000,00000000), ref: 011DABB4

Memory Dump Source

Source File: 00000008.00000002.596627246.00000000011DA000.00000040.00000001.sdmp, Offset: 011DA000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 71e831acb3def423f0164653b0ada02d185979bd52375fa692bf88027d8f6b86
Instruction ID: 05c8f72ef1401e71c90b4268e5a5f7c87159a2fc12716932ae1b63214af031bf
Opcode Fuzzy Hash: 71e831acb3def423f0164653b0ada02d185979bd52375fa692bf88027d8f6b86
Instruction Fuzzy Hash: A5319371509384AFE722CB25DC44F62BFB8EF06310F18889AE9859B153D364E549CB61

Uniqueness

Uniqueness Score: -1.00%

Function 051D00F6, Relevance: 1.6, APIs: 1, Instructions: 89synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNELBASE(?,?), ref: 051D019D

Memory Dump Source

Source File: 00000008.00000002.601704120.00000000051D0000.00000040.00000001.sdmp, Offset: 051D0000, based on PE: false

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 113a5898d9bee85635044e1c0bb3d3097c6f6d3ed272b1b283b285a7308605c7
Instruction ID: a42c0dc18db352aa03e1c7d237d92247ac521372283f586bafab876705c42c64
Opcode Fuzzy Hash: 113a5898d9bee85635044e1c0bb3d3097c6f6d3ed272b1b283b285a7308605c7
Instruction Fuzzy Hash: 8F318F71509780AFE712CB25DC85F56FFE8EF06210F08849AE9848B292E375E909CB71

Uniqueness

Uniqueness Score: -1.00%

Function 051D249C, Relevance: 1.6, APIs: 1, Instructions: 87fileCOMMON

Download Yara Rule

APIs

MapViewOfFile.KERNELBASE ref: 051D254E

Memory Dump Source

Source File: 00000008.00000002.601704120.00000000051D0000.00000040.00000001.sdmp, Offset: 051D0000, based on PE: false

Similarity

API ID: FileView
String ID:
API String ID: 3314676101-0
Opcode ID: 50980049c98e8cdb2ba5bdb48e359539857f40c43c7f7e69c621b5779bfb9b38
Instruction ID: a1a9edf15c52a5e7951ac0ed3addda4f33e344ca48466be111401615f5676269
Opcode Fuzzy Hash: 50980049c98e8cdb2ba5bdb48e359539857f40c43c7f7e69c621b5779bfb9b38
Instruction Fuzzy Hash: 0531A472404780AFE722CB55DC85F96FFF8EF0A320F04859AE9849B252D375A549CB71

Uniqueness

Uniqueness Score: -1.00%

Function 051D0FB9, Relevance: 1.6, APIs: 1, Instructions: 87COMMON

Download Yara Rule

APIs

GetExitCodeProcess.KERNELBASE(?,00000E2C,2A25310B,00000000,00000000,00000000,00000000), ref: 051D105C

Memory Dump Source

Source File: 00000008.00000002.601704120.00000000051D0000.00000040.00000001.sdmp, Offset: 051D0000, based on PE: false

Similarity

API ID: CodeExitProcess
String ID:
API String ID: 3861947596-0
Opcode ID: 4d3787767e538d5d01ce9587d28f08dd69e1f9c2e4df35e8b320af53ad593368
Instruction ID: c91e51d8ef0db826046b235460159812501122c8caad0206971a16e66f7a6dcf
Opcode Fuzzy Hash: 4d3787767e538d5d01ce9587d28f08dd69e1f9c2e4df35e8b320af53ad593368
Instruction Fuzzy Hash: 0431E372549380AFEB128B25DC51FA6BFB8EF46310F0884DBED849F193D664A909C771

Uniqueness

Uniqueness Score: -1.00%

Function 051D21FE, Relevance: 1.6, APIs: 1, Instructions: 87COMMON

Download Yara Rule

APIs

ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(?,00000E2C), ref: 051D229B

Memory Dump Source

Source File: 00000008.00000002.601704120.00000000051D0000.00000040.00000001.sdmp, Offset: 051D0000, based on PE: false

Similarity

API ID: DescriptorSecurity$ConvertString
String ID:
API String ID: 3907675253-0
Opcode ID: 5f289d8b35843bf025ef473f234e531114a45da339ce24f94654655db3f6d7ed
Instruction ID: 7db5188f6cfef4d8bd9aa3b2ed84c7838f5929474f40ec9ba4546bbffabe658b
Opcode Fuzzy Hash: 5f289d8b35843bf025ef473f234e531114a45da339ce24f94654655db3f6d7ed
Instruction Fuzzy Hash: 39218F72504344AFE7219B65DC85F6BFFACEB45310F0885AAF944DB242D774A908CB71

Uniqueness

Uniqueness Score: -1.00%

Function 051D04AB, Relevance: 1.6, APIs: 1, Instructions: 86registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,2A25310B,00000000,00000000,00000000,00000000), ref: 051D055C

Memory Dump Source

Source File: 00000008.00000002.601704120.00000000051D0000.00000040.00000001.sdmp, Offset: 051D0000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 6cf8adee4f023c909f20ce011c79b5071b0bf5309fe790a433e34e097c58f361
Instruction ID: 3e6a76f0e5d63f31aec63a7ac5ec21abefb4a23bcaedd0f09399e4b854027398
Opcode Fuzzy Hash: 6cf8adee4f023c909f20ce011c79b5071b0bf5309fe790a433e34e097c58f361
Instruction Fuzzy Hash: 0C317171509780AFD722CB65DC44F52FFB8AF0B310F0885DAE9859B162D365A909CB71

Uniqueness

Uniqueness Score: -1.00%

Function 051D2946, Relevance: 1.6, APIs: 1, Instructions: 84COMMON

Download Yara Rule

APIs

getaddrinfo.WS2_32(?,00000E2C), ref: 051D29EB

Memory Dump Source

Source File: 00000008.00000002.601704120.00000000051D0000.00000040.00000001.sdmp, Offset: 051D0000, based on PE: false

Similarity

API ID: getaddrinfo
String ID:
API String ID: 300660673-0
Opcode ID: d820c3607796b48abbad722f5479d47ef048e96ed55526111ab0dbfa5bc97ff2
Instruction ID: 6545b973b9cbb29e4ed6a67399db309b06fe135ab959b65a5e9a5b9b1e38fdcc
Opcode Fuzzy Hash: d820c3607796b48abbad722f5479d47ef048e96ed55526111ab0dbfa5bc97ff2
Instruction Fuzzy Hash: 2A21BF71100204AFFB31DB64CC85FAAFBACEB44710F10885AFA449A281D7B5A5098B71

Uniqueness

Uniqueness Score: -1.00%

Function 011DA120, Relevance: 1.6, APIs: 1, Instructions: 83networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(?,00000E2C,?,?), ref: 011DA1C2

Memory Dump Source

Source File: 00000008.00000002.596627246.00000000011DA000.00000040.00000001.sdmp, Offset: 011DA000, based on PE: false

Similarity

API ID: Startup
String ID:
API String ID: 724789610-0
Opcode ID: 8ed853e9eab6ca36405a982c3f03ffd312599bf126f3c4f1cfe52b8d14399424
Instruction ID: 7ed26094abc44c1f3d7ac3327bc4b9a813c117e197c2566e0594dbdb9cef9456
Opcode Fuzzy Hash: 8ed853e9eab6ca36405a982c3f03ffd312599bf126f3c4f1cfe52b8d14399424
Instruction Fuzzy Hash: 6B31D37140D3C06FD7128B358C55B66BFB4EF47620F1981DBD9848F293D225A919CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 051D0EDE, Relevance: 1.6, APIs: 1, Instructions: 80COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,00000E2C), ref: 051D0F5B

Memory Dump Source

Source File: 00000008.00000002.601704120.00000000051D0000.00000040.00000001.sdmp, Offset: 051D0000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: b29d3dc84154832ca776bd9f79e5aacdd88a62749b46cae551cabee084d32c8d
Instruction ID: d667f1b866b935df23fe52cd7d56d7e9f4519f40e22f8d3008cda8effc3a8b38
Opcode Fuzzy Hash: b29d3dc84154832ca776bd9f79e5aacdd88a62749b46cae551cabee084d32c8d
Instruction Fuzzy Hash: 7D21B072500704AFEB219F64DC88F6BFBACEF08310F14886AEE45DB251E774A5088B71

Uniqueness

Uniqueness Score: -1.00%

Function 051D08F0, Relevance: 1.6, APIs: 1, Instructions: 80COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E2C,2A25310B,00000000,00000000,00000000,00000000), ref: 051D0985

Memory Dump Source

Source File: 00000008.00000002.601704120.00000000051D0000.00000040.00000001.sdmp, Offset: 051D0000, based on PE: false

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 396131f4c5a6aaebe1554a4a8c0bbed800ccbe9273c117f16abc9084b0a35acf
Instruction ID: a60735706ad6e01172b7218aca1a5c2f0cc64dfe5f45afa6249f4b710b9dfe68
Opcode Fuzzy Hash: 396131f4c5a6aaebe1554a4a8c0bbed800ccbe9273c117f16abc9084b0a35acf
Instruction Fuzzy Hash: 2121F8B54097806FE7138B25DC81FA2BFA8EF47720F1884D7EE849B293D2646909C771

Uniqueness

Uniqueness Score: -1.00%

Function 051D02AB, Relevance: 1.6, APIs: 1, Instructions: 79registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNELBASE(?,00000E2C), ref: 051D0353

Memory Dump Source

Source File: 00000008.00000002.601704120.00000000051D0000.00000040.00000001.sdmp, Offset: 051D0000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 0b71661df401142d327affb5ea43dc2db8fb097dd9efa19eeb13b89f99061ca0
Instruction ID: e2d0b6bfc06436f205793b898f000471664f207b4544aeda373d2529075b12cb
Opcode Fuzzy Hash: 0b71661df401142d327affb5ea43dc2db8fb097dd9efa19eeb13b89f99061ca0
Instruction Fuzzy Hash: A121A375009380AFE7228B20DC45FA6FFB8EF06310F1884DAE9849B192D365A909CB71

Uniqueness

Uniqueness Score: -1.00%

Function 011DAF50, Relevance: 1.6, APIs: 1, Instructions: 77COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,00000E2C,?,?), ref: 011DAFEA

Memory Dump Source

Source File: 00000008.00000002.596627246.00000000011DA000.00000040.00000001.sdmp, Offset: 011DA000, based on PE: false

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: ed733f34c2ec2d9e8a102b06c1e8555447a850cbcfd6fabf6ae0090e04d69b12
Instruction ID: 23d00cdde06fcd2f775ca13fc053ea38a96c4ce6d360c00ee4b49462ed6989d5
Opcode Fuzzy Hash: ed733f34c2ec2d9e8a102b06c1e8555447a850cbcfd6fabf6ae0090e04d69b12
Instruction Fuzzy Hash: 1E21B67144D3C06FD3138B259C51B22BFB4EF87610F0A81DBE884CB553D225A919C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 051D081A, Relevance: 1.6, APIs: 1, Instructions: 76fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 051D0899

Memory Dump Source

Source File: 00000008.00000002.601704120.00000000051D0000.00000040.00000001.sdmp, Offset: 051D0000, based on PE: false

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: a339377ee83ba84695bad9b7fc3cf7582543af10c3370af5b2b992df7b0dc103
Instruction ID: 403c513340f046eba13c3c181265a460c7ee3a2fe70352e10d4ac00e553502ab
Opcode Fuzzy Hash: a339377ee83ba84695bad9b7fc3cf7582543af10c3370af5b2b992df7b0dc103
Instruction Fuzzy Hash: D0217C75900600AFEB21DF65DD89F66FBE8FF08710F14846AEA858B251E3B1E404CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 051D222A, Relevance: 1.6, APIs: 1, Instructions: 76COMMON

Download Yara Rule

APIs

ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(?,00000E2C), ref: 051D229B

Memory Dump Source

Source File: 00000008.00000002.601704120.00000000051D0000.00000040.00000001.sdmp, Offset: 051D0000, based on PE: false

Similarity

API ID: DescriptorSecurity$ConvertString
String ID:
API String ID: 3907675253-0
Opcode ID: c8d333b7eb08fc1db3d86e876541d4fe1628e6c3714d53480f8ab342f0098c5b
Instruction ID: 17c9244b683fa213d28c193d3eb64dc79d1b044def70d4dec3dcdb8a411ba228
Opcode Fuzzy Hash: c8d333b7eb08fc1db3d86e876541d4fe1628e6c3714d53480f8ab342f0098c5b
Instruction Fuzzy Hash: AB218B76600204AFEB20DA29DC85F6BFBACEB44720F14846AFE55DB241D774E8098B71

Uniqueness

Uniqueness Score: -1.00%

Function 051D123E, Relevance: 1.6, APIs: 1, Instructions: 75COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 051D12BE

Memory Dump Source

Source File: 00000008.00000002.601704120.00000000051D0000.00000040.00000001.sdmp, Offset: 051D0000, based on PE: false

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 7410e72b03041f0527abd797e0d57d376b527fb0fd45028adcb4251d40489cbf
Instruction ID: 0d2d7f9d0fe2e3eae74fd27fd0ddc48dcef329cbef2a5d9163948a7fd152be8c
Opcode Fuzzy Hash: 7410e72b03041f0527abd797e0d57d376b527fb0fd45028adcb4251d40489cbf
Instruction Fuzzy Hash: 06219072509380AFD7128B25DC95B92BFE8EF06220F1984EBE985CB653D225D808C771

Uniqueness

Uniqueness Score: -1.00%

Function 051D0B79, Relevance: 1.6, APIs: 1, Instructions: 75registryCOMMON

Download Yara Rule

APIs

RegSetValueExW.KERNELBASE(?,00000E2C,2A25310B,00000000,00000000,00000000,00000000), ref: 051D0C10

Memory Dump Source

Source File: 00000008.00000002.601704120.00000000051D0000.00000040.00000001.sdmp, Offset: 051D0000, based on PE: false

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 254458788df3b23f2425039cb7a721191592aac163a22ba5a3a947d7762ddef3
Instruction ID: 232dcfa6a421568d8d6506159f75cf92f1256c88cfc7308e00fefe24c689a8a1
Opcode Fuzzy Hash: 254458788df3b23f2425039cb7a721191592aac163a22ba5a3a947d7762ddef3
Instruction Fuzzy Hash: FB219DB6508744AFE7218B15DC85F67FFF8EF09310F08889AE9859B252D364E809CB71

Uniqueness

Uniqueness Score: -1.00%

Function 051D03CA, Relevance: 1.6, APIs: 1, Instructions: 75registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.KERNELBASE(?,00000E2C), ref: 051D045E

Memory Dump Source

Source File: 00000008.00000002.601704120.00000000051D0000.00000040.00000001.sdmp, Offset: 051D0000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 5e0ea56132a1891f4c538239f25d100f8d7f639ef083e04ded2c2173f658c1cd
Instruction ID: 667fe50facd7aaf4a67f66db2697907d04d81c9e2b848ab5e2d08a6ff92e0865
Opcode Fuzzy Hash: 5e0ea56132a1891f4c538239f25d100f8d7f639ef083e04ded2c2173f658c1cd
Instruction Fuzzy Hash: F621AF72500204AFEB319F15DC85FB6FBA8EB08710F14895AEA459A281D7B1A949CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 051D09C0, Relevance: 1.6, APIs: 1, Instructions: 75COMMON

Download Yara Rule

APIs

setsockopt.WS2_32(?,00000E2C,2A25310B,00000000,00000000,00000000,00000000), ref: 051D0A51

Memory Dump Source

Source File: 00000008.00000002.601704120.00000000051D0000.00000040.00000001.sdmp, Offset: 051D0000, based on PE: false

Similarity

API ID: setsockopt
String ID:
API String ID: 3981526788-0
Opcode ID: 3d6f7da12750229209f44728ce24bf41051de575755be359f1c30944fc741858
Instruction ID: d8385d6c52b7f751e5bb3dbf1be4bee73a34544a77add8a1b9e4bbc818112293
Opcode Fuzzy Hash: 3d6f7da12750229209f44728ce24bf41051de575755be359f1c30944fc741858
Instruction Fuzzy Hash: 96216072409380AFE7228F65DD44F66FFB8EF46314F0884DBEA849B153D265A509CB72

Uniqueness

Uniqueness Score: -1.00%

Function 011DAA32, Relevance: 1.6, APIs: 1, Instructions: 74registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,00000E2C), ref: 011DAAB1

Memory Dump Source

Source File: 00000008.00000002.596627246.00000000011DA000.00000040.00000001.sdmp, Offset: 011DA000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 150981e0a8f729d47a7113113b94128b3430000eeee148709e5fc498c4be81d5
Instruction ID: fb4051955d6212fa9db49e381dcddb1014861a062acce6515772934cf7857634
Opcode Fuzzy Hash: 150981e0a8f729d47a7113113b94128b3430000eeee148709e5fc498c4be81d5
Instruction Fuzzy Hash: 93219D72500604AFE721DB29DD84F6BFBECEF08710F14855BEE459B241D764E9088BB2

Uniqueness

Uniqueness Score: -1.00%

Function 051D012A, Relevance: 1.6, APIs: 1, Instructions: 72synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNELBASE(?,?), ref: 051D019D

Memory Dump Source

Source File: 00000008.00000002.601704120.00000000051D0000.00000040.00000001.sdmp, Offset: 051D0000, based on PE: false

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 4cc635c2e2e2a7c91e38a3b0531a1426553214003975e417f87faa98c83e31b3
Instruction ID: a83a8f272104e88f56c5e76087b3115f1a7348342b630d9d21abc007e4c645e1
Opcode Fuzzy Hash: 4cc635c2e2e2a7c91e38a3b0531a1426553214003975e417f87faa98c83e31b3
Instruction Fuzzy Hash: 94219D71504200AFE720DF25DD89F6AFBE8EF09710F1484AAEE499B241E775E904CB75

Uniqueness

Uniqueness Score: -1.00%

Function 051D0723, Relevance: 1.6, APIs: 1, Instructions: 71COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,?), ref: 051D079F

Memory Dump Source

Source File: 00000008.00000002.601704120.00000000051D0000.00000040.00000001.sdmp, Offset: 051D0000, based on PE: false

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: f4e600eceb8d734aab7e9ea9aef00280a913a5499a53e1e9b9235217a9b75836
Instruction ID: b279e1a5122a2f6d15a5ba350547720f1e8cd4d80ead45ec4e99cefbdd4b323a
Opcode Fuzzy Hash: f4e600eceb8d734aab7e9ea9aef00280a913a5499a53e1e9b9235217a9b75836
Instruction Fuzzy Hash: 4A2183725093809FD751CB25DC89B56BFE8EF06210F0984EAE985DF252E374D909CB71

Uniqueness

Uniqueness Score: -1.00%

Function 051D0A9B, Relevance: 1.6, APIs: 1, Instructions: 71fileCOMMON

Download Yara Rule

APIs

CopyFileW.KERNELBASE(?,?,?), ref: 051D0B1E

Memory Dump Source

Source File: 00000008.00000002.601704120.00000000051D0000.00000040.00000001.sdmp, Offset: 051D0000, based on PE: false

Similarity

API ID: CopyFile
String ID:
API String ID: 1304948518-0
Opcode ID: b732472a0386cc2231e7e72448ddce0a61dd42ee7d91cb0de7b9614b82cce167
Instruction ID: 5db9eca2b4f1e0965a3644e75ccf87bd33f43b7c088d16d5dd9c1462a7b35fce
Opcode Fuzzy Hash: b732472a0386cc2231e7e72448ddce0a61dd42ee7d91cb0de7b9614b82cce167
Instruction Fuzzy Hash: 9B2180B65093845FD722CB25DC95B62FFE8AF06314F0880EAED85DB253E265E808C771

Uniqueness

Uniqueness Score: -1.00%

Function 051D10BF, Relevance: 1.6, APIs: 1, Instructions: 71fileCOMMON

Download Yara Rule

APIs

DeleteFileA.KERNELBASE(?,00000E2C), ref: 051D114B

Memory Dump Source

Source File: 00000008.00000002.601704120.00000000051D0000.00000040.00000001.sdmp, Offset: 051D0000, based on PE: false

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: ffcf4a9415118ac6bc9caf8201cbbef27f659fe8b865479dceb48662e8a141d1
Instruction ID: a9015faecf6adc80d1706502685a84210d2688c6f9b0c1b26d229e5212a5f4ad
Opcode Fuzzy Hash: ffcf4a9415118ac6bc9caf8201cbbef27f659fe8b865479dceb48662e8a141d1
Instruction Fuzzy Hash: 7321D871504380BFE7218B25DC85F66FFA8EF46710F14C09AFD459B192D364A944C761

Uniqueness

Uniqueness Score: -1.00%

Function 011DAB3A, Relevance: 1.6, APIs: 1, Instructions: 69registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,2A25310B,00000000,00000000,00000000,00000000), ref: 011DABB4

Memory Dump Source

Source File: 00000008.00000002.596627246.00000000011DA000.00000040.00000001.sdmp, Offset: 011DA000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 814f33a1c3b1746be459562a796333a86030f62cd70966a0fecdd6a7e31e94c8
Instruction ID: 063a6b0609c982850791e1ce94125385270eb1e9c32c47f2a1dbf2fd7ca59fe1
Opcode Fuzzy Hash: 814f33a1c3b1746be459562a796333a86030f62cd70966a0fecdd6a7e31e94c8
Instruction Fuzzy Hash: D9216A71600604AFEB25CE29DC80F67FBECEF04710F1888AAEA459B251D7A4E509CB71

Uniqueness

Uniqueness Score: -1.00%

Function 051D148C, Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 051D14F8

Memory Dump Source

Source File: 00000008.00000002.601704120.00000000051D0000.00000040.00000001.sdmp, Offset: 051D0000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: d5f754600a90f9893148b761fa575b5cd6ea5d9391cc219dcf7e2c0d24f2b6d7
Instruction ID: f49ab78b93f15858df50e31ff39ae02e3f07dd8e573f633d936ee2bdb0eb4db5
Opcode Fuzzy Hash: d5f754600a90f9893148b761fa575b5cd6ea5d9391cc219dcf7e2c0d24f2b6d7
Instruction Fuzzy Hash: E521A1725093C06FDB138B25DC54A92BFB4AF07224F0980DAED858F263D2759908CB71

Uniqueness

Uniqueness Score: -1.00%

Function 051D23DA, Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

OpenFileMappingW.KERNELBASE(?,?), ref: 051D2445

Memory Dump Source

Source File: 00000008.00000002.601704120.00000000051D0000.00000040.00000001.sdmp, Offset: 051D0000, based on PE: false

Similarity

API ID: FileMappingOpen
String ID:
API String ID: 1680863896-0
Opcode ID: c896a573ecc85feda7d0680065a4321e04d6b2376ec00604cbc767cc879d86fc
Instruction ID: a9e40ec34013f5290c8817eb32b4e2586a6146e7bd7f01bede5eb03958bd0eb3
Opcode Fuzzy Hash: c896a573ecc85feda7d0680065a4321e04d6b2376ec00604cbc767cc879d86fc
Instruction Fuzzy Hash: DE21AE75500200AFE720DF25CC85F66FBE8EF04320F14846AEE999B241D375E804CA71

Uniqueness

Uniqueness Score: -1.00%

Function 051D01F4, Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 051D0264

Memory Dump Source

Source File: 00000008.00000002.601704120.00000000051D0000.00000040.00000001.sdmp, Offset: 051D0000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 554ffe7fcb809e6cc58dc92a7a24ccc7d3e61b04453766c628139657643fcc82
Instruction ID: 08b93e9a928fc7e2c9c427cf9a22eafb70e4f4f4af8d74e4fc8a4c7eb2b5326e
Opcode Fuzzy Hash: 554ffe7fcb809e6cc58dc92a7a24ccc7d3e61b04453766c628139657643fcc82
Instruction Fuzzy Hash: 5321A175809784AFD712CB24DD99B51BFA8FF46220F0884DAED849B653E374A908CB61

Uniqueness

Uniqueness Score: -1.00%

Function 051D24DA, Relevance: 1.6, APIs: 1, Instructions: 67fileCOMMON

Download Yara Rule

APIs

MapViewOfFile.KERNELBASE ref: 051D254E

Memory Dump Source

Source File: 00000008.00000002.601704120.00000000051D0000.00000040.00000001.sdmp, Offset: 051D0000, based on PE: false

Similarity

API ID: FileView
String ID:
API String ID: 3314676101-0
Opcode ID: 4fad89dc8043f29cf5899843b16815a9e2e4e394b4d8e5e56a5ec822fa10b308
Instruction ID: 78f264faeb062fcec46a03b6d1fc21b7bf2dbb36b4d930e96e06e69ed7114e5c
Opcode Fuzzy Hash: 4fad89dc8043f29cf5899843b16815a9e2e4e394b4d8e5e56a5ec822fa10b308
Instruction Fuzzy Hash: AA21AE71500600AFE721DF25DD85FA6FBE9EF08320F14845AEA849B251D3B5E509CB71

Uniqueness

Uniqueness Score: -1.00%

Function 051D1EEA, Relevance: 1.6, APIs: 1, Instructions: 67networkCOMMON

Download Yara Rule

APIs

WSASocketW.WS2_32 ref: 051D1F56

Memory Dump Source

Source File: 00000008.00000002.601704120.00000000051D0000.00000040.00000001.sdmp, Offset: 051D0000, based on PE: false

Similarity

API ID: Socket
String ID:
API String ID: 38366605-0
Opcode ID: b3ff3c4fdf60b97a1dfc3dcab91881c21a6805730211ba1c2337e67bc160719a
Instruction ID: d366fb8ce529a24c28e2956a86cacbb8b8d35cdfab078bbf6fbac741efac911f
Opcode Fuzzy Hash: b3ff3c4fdf60b97a1dfc3dcab91881c21a6805730211ba1c2337e67bc160719a
Instruction Fuzzy Hash: 7D219D71500600AFEB21DF65DD85F66FFE9EF08320F14846AEE859B251D3B5A408CB71

Uniqueness

Uniqueness Score: -1.00%

Function 051D0B9E, Relevance: 1.6, APIs: 1, Instructions: 65registryCOMMON

Download Yara Rule

APIs

RegSetValueExW.KERNELBASE(?,00000E2C,2A25310B,00000000,00000000,00000000,00000000), ref: 051D0C10

Memory Dump Source

Source File: 00000008.00000002.601704120.00000000051D0000.00000040.00000001.sdmp, Offset: 051D0000, based on PE: false

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 37c7b8e6196b6e99290ec92255a53b6a695906241eb041c8821f32142f521229
Instruction ID: 6c0cf5e63a31fcb586b892a37df5a8ad0c47d2af261f50ddaa0259e4ba340b51
Opcode Fuzzy Hash: 37c7b8e6196b6e99290ec92255a53b6a695906241eb041c8821f32142f521229
Instruction Fuzzy Hash: 7811BB72504604AFEB20DF25CC85F67FBE8EF08710F0488AAEE459B241E770E409CA72

Uniqueness

Uniqueness Score: -1.00%

Function 051D04EA, Relevance: 1.6, APIs: 1, Instructions: 65registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,2A25310B,00000000,00000000,00000000,00000000), ref: 051D055C

Memory Dump Source

Source File: 00000008.00000002.601704120.00000000051D0000.00000040.00000001.sdmp, Offset: 051D0000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 0bbf17673e2877d249859193f521802f853d94e5c68860998c537157ae1ef522
Instruction ID: 21676e0cbb7da853a907a79606011190b5b1353c03bc4da890075b44cdfd0533
Opcode Fuzzy Hash: 0bbf17673e2877d249859193f521802f853d94e5c68860998c537157ae1ef522
Instruction Fuzzy Hash: B0116A72500604EEEB21CE15DC84F67FBE8EF09720F14846AEE469B251E765E509CB71

Uniqueness

Uniqueness Score: -1.00%

Function 051D118F, Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

SetKernelObjectSecurity.KERNELBASE(?,?,?), ref: 051D1202

Memory Dump Source

Source File: 00000008.00000002.601704120.00000000051D0000.00000040.00000001.sdmp, Offset: 051D0000, based on PE: false

Similarity

API ID: KernelObjectSecurity
String ID:
API String ID: 3015937269-0
Opcode ID: 35fad0750e87c37eadb3a5208677d35b009a725b8ed58801ebde5822e63194d5
Instruction ID: 785e45c2aba2e86567d081282ee7a4cc366b1e99e190ce9cb73fc01486b66abd
Opcode Fuzzy Hash: 35fad0750e87c37eadb3a5208677d35b009a725b8ed58801ebde5822e63194d5
Instruction Fuzzy Hash: E0217275509380AFD7128B25DC84A62FFB4EF06214F1980DFED858B163D375E949CB61

Uniqueness

Uniqueness Score: -1.00%

Function 011DA51F, Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 011DA58A

Memory Dump Source

Source File: 00000008.00000002.596627246.00000000011DA000.00000040.00000001.sdmp, Offset: 011DA000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 73c63afe03606b9064829625124bba09e48e58f02153aa167082c69a227bd505
Instruction ID: 46fd61920b9de92aad2d1490b894e3d2ab22bbc853c95509ea633895a25f07fe
Opcode Fuzzy Hash: 73c63afe03606b9064829625124bba09e48e58f02153aa167082c69a227bd505
Instruction Fuzzy Hash: 25117271409380AFDB228F55DC44A62FFF4EF4A210F0885DAEE858B152D375A518DB61

Uniqueness

Uniqueness Score: -1.00%

Function 011DB7CA, Relevance: 1.6, APIs: 1, Instructions: 61windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,?,?), ref: 011DB841

Memory Dump Source

Source File: 00000008.00000002.596627246.00000000011DA000.00000040.00000001.sdmp, Offset: 011DA000, based on PE: false

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: b872efef843abf20f847e1198e4715a1378723419f372970f258736361ee9968
Instruction ID: bdca6f2644b812ff2b9157553df9bad0e0da30c425b37ebfb130fee9cb0a0bd9
Opcode Fuzzy Hash: b872efef843abf20f847e1198e4715a1378723419f372970f258736361ee9968
Instruction Fuzzy Hash: 49218E714097C09FDB138B25DC51AA2BFB0EF07210F0D84DAEDC54F163D265A958DB61

Uniqueness

Uniqueness Score: -1.00%

Function 051D1006, Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

GetExitCodeProcess.KERNELBASE(?,00000E2C,2A25310B,00000000,00000000,00000000,00000000), ref: 051D105C

Memory Dump Source

Source File: 00000008.00000002.601704120.00000000051D0000.00000040.00000001.sdmp, Offset: 051D0000, based on PE: false

Similarity

API ID: CodeExitProcess
String ID:
API String ID: 3861947596-0
Opcode ID: 1d54530dc060b18f8d288ff64656ec9b7e6cd22f4b4b70da44e9d2c37b404bd8
Instruction ID: d0aef543e231bdd68194344f1683644c9a1611943b9307cd5093355b4778121f
Opcode Fuzzy Hash: 1d54530dc060b18f8d288ff64656ec9b7e6cd22f4b4b70da44e9d2c37b404bd8
Instruction Fuzzy Hash: CB11A071500244AFEB21DF29DD85FABFBA8EF45320F1484ABEE05DB241D6B4A404CB71

Uniqueness

Uniqueness Score: -1.00%

Function 051D1750, Relevance: 1.6, APIs: 1, Instructions: 60COMMON

Download Yara Rule

APIs

K32EnumProcesses.KERNEL32(?,?,?,2A25310B,00000000,?,?,?,?,?,?,?,?,72F43C38), ref: 051D17B2

Memory Dump Source

Source File: 00000008.00000002.601704120.00000000051D0000.00000040.00000001.sdmp, Offset: 051D0000, based on PE: false

Similarity

API ID: EnumProcesses
String ID:
API String ID: 84517404-0
Opcode ID: 5d85af7ea1a8e68a7d0c6f0feac5233612d660f32c7afdc5f7d3933d1b79411c
Instruction ID: 720087a2939224a9c5a2e5deced7724c195076dc11a37ca54232804f6f55bb7e
Opcode Fuzzy Hash: 5d85af7ea1a8e68a7d0c6f0feac5233612d660f32c7afdc5f7d3933d1b79411c
Instruction Fuzzy Hash: BD118171505384AFD721CF65DC84BA6FFE8EF05220F0884AAED49CB262D374E808CB61

Uniqueness

Uniqueness Score: -1.00%

Function 051D02DE, Relevance: 1.6, APIs: 1, Instructions: 60registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNELBASE(?,00000E2C), ref: 051D0353

Memory Dump Source

Source File: 00000008.00000002.601704120.00000000051D0000.00000040.00000001.sdmp, Offset: 051D0000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 626ca6be866a6581d26aae5724845d22709d34a35c9f213fba900c2336afd3a7
Instruction ID: f0aae712d8a70e6958d3d066ca61fc3870931fc0ad265f603fa8697326582b6a
Opcode Fuzzy Hash: 626ca6be866a6581d26aae5724845d22709d34a35c9f213fba900c2336afd3a7
Instruction Fuzzy Hash: 8D119A71500600BFEB31DF15DC85F6AFFA8EF09720F14849AEE455A291D3B5A509CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 051D09F2, Relevance: 1.6, APIs: 1, Instructions: 60COMMON

Download Yara Rule

APIs

setsockopt.WS2_32(?,00000E2C,2A25310B,00000000,00000000,00000000,00000000), ref: 051D0A51

Memory Dump Source

Source File: 00000008.00000002.601704120.00000000051D0000.00000040.00000001.sdmp, Offset: 051D0000, based on PE: false

Similarity

API ID: setsockopt
String ID:
API String ID: 3981526788-0
Opcode ID: 9895880aaee6ec5dd95ed04fb2340dece54bbc118aaabf54a08ff9da013a4d96
Instruction ID: 3a56a5bfb9ef3284e7d3f27417e7328566b896cccbf60e4f17f9d79bca79038f
Opcode Fuzzy Hash: 9895880aaee6ec5dd95ed04fb2340dece54bbc118aaabf54a08ff9da013a4d96
Instruction Fuzzy Hash: 3E11BF71400600AFEB21CF65DD85F66FBA8EF48320F1484ABEE499B241D378A508CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 051D10E2, Relevance: 1.6, APIs: 1, Instructions: 60fileCOMMON

Download Yara Rule

APIs

DeleteFileA.KERNELBASE(?,00000E2C), ref: 051D114B

Memory Dump Source

Source File: 00000008.00000002.601704120.00000000051D0000.00000040.00000001.sdmp, Offset: 051D0000, based on PE: false

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 4d05e00bc39220e2d11e97bfc9e02afc484f0ff8cbd1b30ae3d89f1ddac3f488
Instruction ID: 9f20f5c277211a4f3a2213a807826d62e44d51c300aa7bc4fd0e98f7d8ecfb0a
Opcode Fuzzy Hash: 4d05e00bc39220e2d11e97bfc9e02afc484f0ff8cbd1b30ae3d89f1ddac3f488
Instruction Fuzzy Hash: 6E11C671640604BFF720DB25DC85F76FB98DF05720F14C06AEE459A281D7B4A549CA71

Uniqueness

Uniqueness Score: -1.00%

Function 011DBB4F, Relevance: 1.6, APIs: 1, Instructions: 59windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 011DBBB9

Memory Dump Source

Source File: 00000008.00000002.596627246.00000000011DA000.00000040.00000001.sdmp, Offset: 011DA000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 62a1c4ff23d82f1a19c02390556aa1342e477d16306a2fd763b3374b1bbd6713
Instruction ID: 98674046693a2b605e333fa084fe90632caca54fdd1509c807f0925e64cd8db7
Opcode Fuzzy Hash: 62a1c4ff23d82f1a19c02390556aa1342e477d16306a2fd763b3374b1bbd6713
Instruction Fuzzy Hash: 2911BE35409380AFDB228F25CC45A52FFB4EF06220F0884DEED858B563D275A458DB62

Uniqueness

Uniqueness Score: -1.00%

Function 011DBE05, Relevance: 1.6, APIs: 1, Instructions: 58windowCOMMON

Download Yara Rule

APIs

DispatchMessageW.USER32(?), ref: 011DBE70

Memory Dump Source

Source File: 00000008.00000002.596627246.00000000011DA000.00000040.00000001.sdmp, Offset: 011DA000, based on PE: false

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: 2d2f48fd8155c4f843a3fa8bd0cec61cd1a434bdfea96ad4336a298b3638a672
Instruction ID: 332ad1ca774289d669b8cc0f5b8cce1cfbce96f56f447aaa070928cad1f699f3
Opcode Fuzzy Hash: 2d2f48fd8155c4f843a3fa8bd0cec61cd1a434bdfea96ad4336a298b3638a672
Instruction Fuzzy Hash: E1117C754093C0AFDB138B259C44B61BFB4EF47624F0984DAED858F263D2756808CB62

Uniqueness

Uniqueness Score: -1.00%

Function 011DB71E, Relevance: 1.6, APIs: 1, Instructions: 57windowCOMMON

Download Yara Rule

APIs

CreateIconFromResourceEx.USER32 ref: 011DB78A

Memory Dump Source

Source File: 00000008.00000002.596627246.00000000011DA000.00000040.00000001.sdmp, Offset: 011DA000, based on PE: false

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: d39a275cf97d185d7fd16a9ac75abfe1a1938674913685bd3009202c32461278
Instruction ID: 7ff8b41653145979a8b32b9071143d55eaafd0c68e472cd0d5fb7f14689d7978
Opcode Fuzzy Hash: d39a275cf97d185d7fd16a9ac75abfe1a1938674913685bd3009202c32461278
Instruction Fuzzy Hash: B6119031408780AFDB228F64DC44A52FFF4EF4A310F09849EEE858B562D375A418CB61

Uniqueness

Uniqueness Score: -1.00%

Function 011DBEB4, Relevance: 1.6, APIs: 1, Instructions: 56fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(?), ref: 011DBF0C

Memory Dump Source

Source File: 00000008.00000002.596627246.00000000011DA000.00000040.00000001.sdmp, Offset: 011DA000, based on PE: false

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 1a88a2c8f202becec05b741dc1085328beaa9a8b5522ec4a30b800bdd8019534
Instruction ID: 2883ea49587e4599186fee4c4326c162e376dd8db020ec2f0f09c51e8e01da96
Opcode Fuzzy Hash: 1a88a2c8f202becec05b741dc1085328beaa9a8b5522ec4a30b800bdd8019534
Instruction Fuzzy Hash: 4D118F725093809FD715CF29DC85B56BFE8EF46220F0980EAEE45CB252D275E848CB61

Uniqueness

Uniqueness Score: -1.00%

Function 051D15EB, Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNELBASE(?), ref: 051D164C

Memory Dump Source

Source File: 00000008.00000002.601704120.00000000051D0000.00000040.00000001.sdmp, Offset: 051D0000, based on PE: false

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: 4030269fb292bdd8f4febb7d75f443f99124f2f870b99fe7cedd64d22ae25c50
Instruction ID: a0c7ebb73793cfb126d75361bcbe1714fcdfcf8c257e0d6e434d87486c94de03
Opcode Fuzzy Hash: 4030269fb292bdd8f4febb7d75f443f99124f2f870b99fe7cedd64d22ae25c50
Instruction Fuzzy Hash: 05116D714093C4AFDB128B65D855A62FFF4EF46220F0D84EADD888F263D279A548CB61

Uniqueness

Uniqueness Score: -1.00%

Function 051D1276, Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 051D12BE

Memory Dump Source

Source File: 00000008.00000002.601704120.00000000051D0000.00000040.00000001.sdmp, Offset: 051D0000, based on PE: false

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 1946585c35ed46735f638a8d64dad4d43bb56cd462fdeea66ca84a315d04af7d
Instruction ID: c05ef134467e6122dac9ef2a98d9f5233132ecfd9bab830e33c03f1dc6a09855
Opcode Fuzzy Hash: 1946585c35ed46735f638a8d64dad4d43bb56cd462fdeea66ca84a315d04af7d
Instruction Fuzzy Hash: 2011A572A44200AFDB20CF6AD985B66FBD8EF04220F18C4AADD09CB645D775D404CB71

Uniqueness

Uniqueness Score: -1.00%

Function 051D0AD6, Relevance: 1.6, APIs: 1, Instructions: 53fileCOMMON

Download Yara Rule

APIs

CopyFileW.KERNELBASE(?,?,?), ref: 051D0B1E

Memory Dump Source

Source File: 00000008.00000002.601704120.00000000051D0000.00000040.00000001.sdmp, Offset: 051D0000, based on PE: false

Similarity

API ID: CopyFile
String ID:
API String ID: 1304948518-0
Opcode ID: 1946585c35ed46735f638a8d64dad4d43bb56cd462fdeea66ca84a315d04af7d
Instruction ID: 387413975e151d6e08ee8216323d8feb18a8c983fb4e9ab4ba1566765c71cfef
Opcode Fuzzy Hash: 1946585c35ed46735f638a8d64dad4d43bb56cd462fdeea66ca84a315d04af7d
Instruction Fuzzy Hash: 691170766042049FDB20DF29D889B66FBD8EB08314F1884AADD49DB241E774E404CA71

Uniqueness

Uniqueness Score: -1.00%

Function 011DA75B, Relevance: 1.6, APIs: 1, Instructions: 52comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(?), ref: 011DA7BC

Memory Dump Source

Source File: 00000008.00000002.596627246.00000000011DA000.00000040.00000001.sdmp, Offset: 011DA000, based on PE: false

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 23ee0fda75a61becf233a971d2bdc62822d1556b88489cc8688f7352415b4eb4
Instruction ID: f77a3d690ecf86a71834fa2cd8debad14dbda017991516db02ab867462ebe8c6
Opcode Fuzzy Hash: 23ee0fda75a61becf233a971d2bdc62822d1556b88489cc8688f7352415b4eb4
Instruction Fuzzy Hash: 6711A071449384AFD712CF15DC85B52BFB8EF46220F0884DAEE499F253D376A548CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 051D0932, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E2C,2A25310B,00000000,00000000,00000000,00000000), ref: 051D0985

Memory Dump Source

Source File: 00000008.00000002.601704120.00000000051D0000.00000040.00000001.sdmp, Offset: 051D0000, based on PE: false

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 2d427a1e5c573f1e06e103fb20e71beddd39b55e1f03ac2cbe0d804dfb9aa6f7
Instruction ID: fd6ba353340aa157a1d57c6f06d50c0275f10f6ec2d763f70a17481b45ea63f0
Opcode Fuzzy Hash: 2d427a1e5c573f1e06e103fb20e71beddd39b55e1f03ac2cbe0d804dfb9aa6f7
Instruction Fuzzy Hash: 5401D271500604AEE720DB19DC85F76FFA8EF49720F14C097EE489B241D7B4A408CAB1

Uniqueness

Uniqueness Score: -1.00%

Function 051D075A, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,?), ref: 051D079F

Memory Dump Source

Source File: 00000008.00000002.601704120.00000000051D0000.00000040.00000001.sdmp, Offset: 051D0000, based on PE: false

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: 19f942b351253a363e51fd474d1664614a9116668505ab2431103130e3e7209a
Instruction ID: 216717c37300cae89c5d9e8c0d1ed83cad5cd7ebb61d47cc763d2b038c792ee8
Opcode Fuzzy Hash: 19f942b351253a363e51fd474d1664614a9116668505ab2431103130e3e7209a
Instruction Fuzzy Hash: DB117C716002009FDB60DF29D888B66FBD8EB08220F08C0AADD49DF641E774E504CF71

Uniqueness

Uniqueness Score: -1.00%

Function 051D1772, Relevance: 1.5, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

K32EnumProcesses.KERNEL32(?,?,?,2A25310B,00000000,?,?,?,?,?,?,?,?,72F43C38), ref: 051D17B2

Memory Dump Source

Source File: 00000008.00000002.601704120.00000000051D0000.00000040.00000001.sdmp, Offset: 051D0000, based on PE: false

Similarity

API ID: EnumProcesses
String ID:
API String ID: 84517404-0
Opcode ID: 065e260684dfe540e75ae31aff5628bfdca774990d789ff5a4275344d8149c52
Instruction ID: ac0494e0207c14bb70a04f43c715588debc0018c9a478ce955026c4806d3dd8a
Opcode Fuzzy Hash: 065e260684dfe540e75ae31aff5628bfdca774990d789ff5a4275344d8149c52
Instruction Fuzzy Hash: 21116175540204AFDB60DF69D884B66FFE4EF04220F18C4AADD498B251D775E444CB71

Uniqueness

Uniqueness Score: -1.00%

Function 011DA8CC, Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 011DA926

Memory Dump Source

Source File: 00000008.00000002.596627246.00000000011DA000.00000040.00000001.sdmp, Offset: 011DA000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 0e3095719beddf404d460451d074ca3c5a3ad49eed7b0a53608233ed836a2749
Instruction ID: 998f8cbcaf14325201dc1a388406c20a0c7af1c3fa12da65c44eebbef41ded26
Opcode Fuzzy Hash: 0e3095719beddf404d460451d074ca3c5a3ad49eed7b0a53608233ed836a2749
Instruction Fuzzy Hash: C1117C75409784AFD726CF15DC85A52FFB4EF06220F09C4DAEE854B262D375A818CB62

Uniqueness

Uniqueness Score: -1.00%

Function 011DA172, Relevance: 1.5, APIs: 1, Instructions: 47networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(?,00000E2C,?,?), ref: 011DA1C2

Memory Dump Source

Source File: 00000008.00000002.596627246.00000000011DA000.00000040.00000001.sdmp, Offset: 011DA000, based on PE: false

Similarity

API ID: Startup
String ID:
API String ID: 724789610-0
Opcode ID: 92752a79c16eebea4c4f34d73f44e38f17eb87c487948bf5d7e514470f041789
Instruction ID: 81463e721e8fb7d1d10a94af48a23d8462054b56f3314ef5efde2b0cca5ef3ab
Opcode Fuzzy Hash: 92752a79c16eebea4c4f34d73f44e38f17eb87c487948bf5d7e514470f041789
Instruction Fuzzy Hash: F1017171900600ABD710DF16DD86B36FBA8FB88B20F14816AED089B741E375F515CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 011DBED2, Relevance: 1.5, APIs: 1, Instructions: 47fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(?), ref: 011DBF0C

Memory Dump Source

Source File: 00000008.00000002.596627246.00000000011DA000.00000040.00000001.sdmp, Offset: 011DA000, based on PE: false

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 04022a40a9bd59b1f64c3972015d52955a2e76d16a96e6a20cbf6d6e1b47291f
Instruction ID: 4649c917d10ffa56518555267e8b2738444836d53f3c1ae2147d342c265b8f82
Opcode Fuzzy Hash: 04022a40a9bd59b1f64c3972015d52955a2e76d16a96e6a20cbf6d6e1b47291f
Instruction Fuzzy Hash: F9019E71A042009FDB14DF29D885766FF98EF05220F08C0EADE0ACB246D775E408CF62

Uniqueness

Uniqueness Score: -1.00%

Function 051D2E26, Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

FormatMessageW.KERNELBASE(?,00000E2C,?,?), ref: 051D2E76

Memory Dump Source

Source File: 00000008.00000002.601704120.00000000051D0000.00000040.00000001.sdmp, Offset: 051D0000, based on PE: false

Similarity

API ID: FormatMessage
String ID:
API String ID: 1306739567-0
Opcode ID: 63e70d75c68564056fdd249b42e95241aba9a5e503c479d6284992c807c146f5
Instruction ID: 343812671007b39a6dc07582cdf4a1a22aa8c15fdb2557ce74219f7a29330ee9
Opcode Fuzzy Hash: 63e70d75c68564056fdd249b42e95241aba9a5e503c479d6284992c807c146f5
Instruction Fuzzy Hash: 71015E72900600ABD610DF16DD86B36FBA8EB88B20F14816AED089B741E371B515CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 051D0CCA, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetTempFileNameW.KERNELBASE(?,00000E2C,?,?), ref: 051D0D1A

Memory Dump Source

Source File: 00000008.00000002.601704120.00000000051D0000.00000040.00000001.sdmp, Offset: 051D0000, based on PE: false

Similarity

API ID: FileNameTemp
String ID:
API String ID: 745986568-0
Opcode ID: 3cb0b3141b2fdab492e96ead0085a833b64a98c865a0270646ab71a18fdf60d0
Instruction ID: f5832aa4722cb029ce2da68480eb8244e2af1cb3d4d921f85f3373eb95fe1f56
Opcode Fuzzy Hash: 3cb0b3141b2fdab492e96ead0085a833b64a98c865a0270646ab71a18fdf60d0
Instruction Fuzzy Hash: E6015E72900600ABD610DF16DD86B36FBA8FB88B20F14816AED089B741E371B515CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 011DA546, Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 011DA58A

Memory Dump Source

Source File: 00000008.00000002.596627246.00000000011DA000.00000040.00000001.sdmp, Offset: 011DA000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 7f3439e42adb23a71c38f2cbc152163d1ee6a87400826ec045e43082e3723082
Instruction ID: f135d4a5a466f53180d983e512afe1a37c05babb1c8e7724fc4c2d4736ccd2c4
Opcode Fuzzy Hash: 7f3439e42adb23a71c38f2cbc152163d1ee6a87400826ec045e43082e3723082
Instruction Fuzzy Hash: 10015B31400600AFDB25CF55E944B66FFE4EF08320F08C59ADE494B616D375A018DF62

Uniqueness

Uniqueness Score: -1.00%

Function 011DB746, Relevance: 1.5, APIs: 1, Instructions: 45windowCOMMON

Download Yara Rule

APIs

CreateIconFromResourceEx.USER32 ref: 011DB78A

Memory Dump Source

Source File: 00000008.00000002.596627246.00000000011DA000.00000040.00000001.sdmp, Offset: 011DA000, based on PE: false

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: f36c56e2721cfec2c5471fe323ca3cf53964b84187c2ae1ccede835baa2cd5a2
Instruction ID: e253ade183378f22f5a3017f9ae4e9cfbe27bed1537182d0062fb0e6534957aa
Opcode Fuzzy Hash: f36c56e2721cfec2c5471fe323ca3cf53964b84187c2ae1ccede835baa2cd5a2
Instruction Fuzzy Hash: 11015B31404A00AFDB258F95D984B66FFE4EF09720F09C5AADE4A4A652D375A018DB62

Uniqueness

Uniqueness Score: -1.00%

Function 051D11C2, Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

SetKernelObjectSecurity.KERNELBASE(?,?,?), ref: 051D1202

Memory Dump Source

Source File: 00000008.00000002.601704120.00000000051D0000.00000040.00000001.sdmp, Offset: 051D0000, based on PE: false

Similarity

API ID: KernelObjectSecurity
String ID:
API String ID: 3015937269-0
Opcode ID: eb81116d5eab3b1217ff9309c5f9f5928e396c9e3f1e990257ff368194344d47
Instruction ID: 71f7ca6d1494ec826e6791a1b18e4a616f9d677282ae7a2875ce5fb65983d35f
Opcode Fuzzy Hash: eb81116d5eab3b1217ff9309c5f9f5928e396c9e3f1e990257ff368194344d47
Instruction Fuzzy Hash: 77019E75500600AFDB20CF65D885B66FBE4EF04320F18C0AADE498B651D371E448CB71

Uniqueness

Uniqueness Score: -1.00%

Function 011DAF9A, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,00000E2C,?,?), ref: 011DAFEA

Memory Dump Source

Source File: 00000008.00000002.596627246.00000000011DA000.00000040.00000001.sdmp, Offset: 011DA000, based on PE: false

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 2c59cb55d3c2d1135e5850315e8c33909d8e0d66ffefa70b7f160ff826f44429
Instruction ID: 7b45771b743578749708c4142b12dd60e902aaf0115de014e259319879a1cf47
Opcode Fuzzy Hash: 2c59cb55d3c2d1135e5850315e8c33909d8e0d66ffefa70b7f160ff826f44429
Instruction Fuzzy Hash: 3F018B72900600ABD210DF16DC82B36FBA8FB88B20F14815AED085B741E331F916CAA6

Uniqueness

Uniqueness Score: -1.00%

Function 051D0232, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 051D0264

Memory Dump Source

Source File: 00000008.00000002.601704120.00000000051D0000.00000040.00000001.sdmp, Offset: 051D0000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: f641f5bff24fa2fbc7a69267d1682a0fb35a8a52d42049f370b68c22ca1b5641
Instruction ID: 3a02ce3141900872606f1e5942579a6bdb4bdc649a5fe270ddeec7503acdd405
Opcode Fuzzy Hash: f641f5bff24fa2fbc7a69267d1682a0fb35a8a52d42049f370b68c22ca1b5641
Instruction Fuzzy Hash: 8001DF319012009FDB24CF29D988766FF94EF48320F08C4ABDD498B602E7B5E448CB71

Uniqueness

Uniqueness Score: -1.00%

Function 051D1B2E, Relevance: 1.5, APIs: 1, Instructions: 43registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,?,?), ref: 051D1B7E

Memory Dump Source

Source File: 00000008.00000002.601704120.00000000051D0000.00000040.00000001.sdmp, Offset: 051D0000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: e328499c194fa8472570333fa4e0c227aa28ea92282fab331e3f2bd46d83e0fa
Instruction ID: 74f7dc10c3577e450fc33dbba7e03faea94396529ec01d661c37025ad9e520fe
Opcode Fuzzy Hash: e328499c194fa8472570333fa4e0c227aa28ea92282fab331e3f2bd46d83e0fa
Instruction Fuzzy Hash: 3A014B76900604ABD214DF16DD86F36FBA8FB88B20F14C15AED085B741E371F916CAA6

Uniqueness

Uniqueness Score: -1.00%

Function 051D14C6, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 051D14F8

Memory Dump Source

Source File: 00000008.00000002.601704120.00000000051D0000.00000040.00000001.sdmp, Offset: 051D0000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 48c52ed0df4a748797d6a2ecc02346a8d2ea6226713eaed4f38e08bfed5a53d8
Instruction ID: f096b5dcb1369b52bc5b2b85530c4beea47405c498a6e947b5938de0553a124c
Opcode Fuzzy Hash: 48c52ed0df4a748797d6a2ecc02346a8d2ea6226713eaed4f38e08bfed5a53d8
Instruction Fuzzy Hash: B101D4315002009FDB10DF29E985766FFE4EF05220F08C0ABDD0A8B206D3B5E448CB72

Uniqueness

Uniqueness Score: -1.00%

Function 011DBB7E, Relevance: 1.5, APIs: 1, Instructions: 42windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 011DBBB9

Memory Dump Source

Source File: 00000008.00000002.596627246.00000000011DA000.00000040.00000001.sdmp, Offset: 011DA000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: ce5f987ad1ca61a26795c3e5770f7454feba8214b0daa668b927c27388daae99
Instruction ID: 3ded11bdbb760db341cea175118794c956e3e212e5e2edfd2de12f8aa68e7180
Opcode Fuzzy Hash: ce5f987ad1ca61a26795c3e5770f7454feba8214b0daa668b927c27388daae99
Instruction Fuzzy Hash: 1701B135504600DFDB258F19D884B66FFA0EF05320F08C09ADE464B626C371E418CB62

Uniqueness

Uniqueness Score: -1.00%

Function 011DA78A, Relevance: 1.5, APIs: 1, Instructions: 39comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(?), ref: 011DA7BC

Memory Dump Source

Source File: 00000008.00000002.596627246.00000000011DA000.00000040.00000001.sdmp, Offset: 011DA000, based on PE: false

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 02b901cd6a4aa6323b7344f508a282dc532be985ed19b40dc685a182d7ae5a6a
Instruction ID: fa4970f50fb5aac07a87b7f876f46cf8614c619129dac87bdf6c20b6364c7d43
Opcode Fuzzy Hash: 02b901cd6a4aa6323b7344f508a282dc532be985ed19b40dc685a182d7ae5a6a
Instruction Fuzzy Hash: D601AD75800640DFDB14DF19E984766FFE4EF04320F18C4AADE098F206D3BAA508CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 011DB806, Relevance: 1.5, APIs: 1, Instructions: 38windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,?,?), ref: 011DB841

Memory Dump Source

Source File: 00000008.00000002.596627246.00000000011DA000.00000040.00000001.sdmp, Offset: 011DA000, based on PE: false

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 75c51e31bfb476fea1ef386baac53e99f88556575e35c67b23451f36431917bc
Instruction ID: 9c9de5426ec884c83d1c540054928ba0100277afda40f2a463783f2ca5382257
Opcode Fuzzy Hash: 75c51e31bfb476fea1ef386baac53e99f88556575e35c67b23451f36431917bc
Instruction Fuzzy Hash: 9B018F31804644DFDB258F16D885B66FFA0EF09320F08C49ADE4A4B226D375A418CB62

Uniqueness

Uniqueness Score: -1.00%

Function 011DA8EE, Relevance: 1.5, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 011DA926

Memory Dump Source

Source File: 00000008.00000002.596627246.00000000011DA000.00000040.00000001.sdmp, Offset: 011DA000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: c52253e27e9da00c133ff38dabd0ba62127a9a526362ba723982b994f2ba1867
Instruction ID: d805e37a8893ad867a6b65dd03107d69967b090c38869203583f1da31ea1b03f
Opcode Fuzzy Hash: c52253e27e9da00c133ff38dabd0ba62127a9a526362ba723982b994f2ba1867
Instruction Fuzzy Hash: 8E01D635400604DFDB29CF15E885762FFA0EF05320F08C49ADE450B212D3B5A408CF72

Uniqueness

Uniqueness Score: -1.00%

Function 011DBE3E, Relevance: 1.5, APIs: 1, Instructions: 35windowCOMMON

Download Yara Rule

APIs

DispatchMessageW.USER32(?), ref: 011DBE70

Memory Dump Source

Source File: 00000008.00000002.596627246.00000000011DA000.00000040.00000001.sdmp, Offset: 011DA000, based on PE: false

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: 9f32e5db08b899601efc04360099729cca22b4f196abbfa1236b09a4073bc731
Instruction ID: fe235b7ff9632df48d07270ea146a962e1acf82e330aa8c4af5b3bb913f4b8a0
Opcode Fuzzy Hash: 9f32e5db08b899601efc04360099729cca22b4f196abbfa1236b09a4073bc731
Instruction Fuzzy Hash: E6F0C235808644DFDB24CF1AD884762FFA0EF05320F18D4AADE4A4B316D3B5A408CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 011DA372, Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 011DA3A4

Memory Dump Source

Source File: 00000008.00000002.596627246.00000000011DA000.00000040.00000001.sdmp, Offset: 011DA000, based on PE: false

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 9f32e5db08b899601efc04360099729cca22b4f196abbfa1236b09a4073bc731
Instruction ID: fec85842012da07421321af5560bfa0092d69adf07edf18e7054c7f487ec4ac0
Opcode Fuzzy Hash: 9f32e5db08b899601efc04360099729cca22b4f196abbfa1236b09a4073bc731
Instruction Fuzzy Hash: E2F0AF34804644EFDB25CF1AE984766FFA0EF04320F18D09ADE494B616DBB9A448CB62

Uniqueness

Uniqueness Score: -1.00%

Function 050A9D8B, Relevance: 1.4, Strings: 1, Instructions: 179COMMON

Download Yara Rule

Strings

>_Ir, xrefs: 050A9DFF

Memory Dump Source

Source File: 00000008.00000002.601516704.00000000050A0000.00000040.00000001.sdmp, Offset: 050A0000, based on PE: false

Similarity

API ID:
String ID: >_Ir
API String ID: 0-3386957151
Opcode ID: 42d1343510a13e86a90f16f1ce341186f32946e29cc59ce86f4c020662df052f
Instruction ID: 5bed78e3d8c638c4df63cdd70d3e3b56a53c68523349eaa176ff0c0b572a1da1
Opcode Fuzzy Hash: 42d1343510a13e86a90f16f1ce341186f32946e29cc59ce86f4c020662df052f
Instruction Fuzzy Hash: 6C511336F041048FCB44DFB9E8445BEBBF3FBC4214B29887AD51ADB256EB3198028B51

Uniqueness

Uniqueness Score: -1.00%

Function 050A1458, Relevance: 1.4, Strings: 1, Instructions: 128COMMON

Download Yara Rule

Strings

$ghr, xrefs: 050A14C7

Memory Dump Source

Source File: 00000008.00000002.601516704.00000000050A0000.00000040.00000001.sdmp, Offset: 050A0000, based on PE: false

Similarity

API ID:
String ID: $ghr
API String ID: 0-1352911727
Opcode ID: a3eeed31fcf105fbda569777d303c26077dde1add63b0734946ed1aeabeae8cb
Instruction ID: 04249cef04a1f52784e9a9263212ffc9693fb200278f5e6c3079861aae8f79dc
Opcode Fuzzy Hash: a3eeed31fcf105fbda569777d303c26077dde1add63b0734946ed1aeabeae8cb
Instruction Fuzzy Hash: 3A510834A00218CFDB54DFA4D894B9DBBB2BF48300F1441EAE40AAB365DB359D85CF91

Uniqueness

Uniqueness Score: -1.00%

Function 050A1290, Relevance: 1.3, Strings: 1, Instructions: 99COMMON

Download Yara Rule

Strings

$ghr, xrefs: 050A1349

Memory Dump Source

Source File: 00000008.00000002.601516704.00000000050A0000.00000040.00000001.sdmp, Offset: 050A0000, based on PE: false

Similarity

API ID:
String ID: $ghr
API String ID: 0-1352911727
Opcode ID: 22d849960e394d47e6948dc67e56326c58dc3be7062a7d8e75fbd0607f6db759
Instruction ID: bcaa22d9577cf2a86c019eaa79574714c20ae2a8013b406c35969072600c27de
Opcode Fuzzy Hash: 22d849960e394d47e6948dc67e56326c58dc3be7062a7d8e75fbd0607f6db759
Instruction Fuzzy Hash: 5E411B35E04219DFCB64DFA9E840B9DBBB2BF49344F1045A9D40AAB355DB309D84CF51

Uniqueness

Uniqueness Score: -1.00%

Function 050A21F8, Relevance: 1.3, Strings: 1, Instructions: 98COMMON

Download Yara Rule

Strings

r*+, xrefs: 050A230F

Memory Dump Source

Source File: 00000008.00000002.601516704.00000000050A0000.00000040.00000001.sdmp, Offset: 050A0000, based on PE: false

Similarity

API ID:
String ID: r*+
API String ID: 0-3221063712
Opcode ID: 293ce2e262ac84d8645ae47659bbc2b5274675b4c49abe1bc2fb369a1c55e143
Instruction ID: 30f563d6a69119bb913c4d4c6bdf50a397ef1c776fcb2f04b20c2a0a78ec8a69
Opcode Fuzzy Hash: 293ce2e262ac84d8645ae47659bbc2b5274675b4c49abe1bc2fb369a1c55e143
Instruction Fuzzy Hash: 74411935E0820ADFCB98DBE5D5456AEBBF2FB44300F10817AD412AB264E7358A45CF51

Uniqueness

Uniqueness Score: -1.00%

Function 050A8CD0, Relevance: 1.3, Strings: 1, Instructions: 98COMMON

Download Yara Rule

Strings

r*+, xrefs: 050A8DE7

Memory Dump Source

Source File: 00000008.00000002.601516704.00000000050A0000.00000040.00000001.sdmp, Offset: 050A0000, based on PE: false

Similarity

API ID:
String ID: r*+
API String ID: 0-3221063712
Opcode ID: d4dba7c9f19ae1bca82d12ac42a1fc62e1ca9116c951e43bcc974920dd6162e3
Instruction ID: 6ee85c23390e3cc87b844c5ee579bef97530e4f4ee8adfa40020f0f0d7b0324d
Opcode Fuzzy Hash: d4dba7c9f19ae1bca82d12ac42a1fc62e1ca9116c951e43bcc974920dd6162e3
Instruction Fuzzy Hash: 93413531E04649DFDB48DFE4D1456AEBBB2FF54304F2484AAD802EB260DB355A45CF52

Uniqueness

Uniqueness Score: -1.00%

Function 050A6F8F, Relevance: 1.3, Strings: 1, Instructions: 82COMMON

Download Yara Rule

Strings

mW, xrefs: 050A6F9A

Memory Dump Source

Source File: 00000008.00000002.601516704.00000000050A0000.00000040.00000001.sdmp, Offset: 050A0000, based on PE: false

Similarity

API ID:
String ID: mW
API String ID: 0-3395524699
Opcode ID: c4e82d583bb15d9117a42862f88c98c6d590ef54d048d7c9303a87cce53f4ed0
Instruction ID: 8a23399a19e3448b40de5ef06963c54014a7f5cf9e54acee700364f302bffb05
Opcode Fuzzy Hash: c4e82d583bb15d9117a42862f88c98c6d590ef54d048d7c9303a87cce53f4ed0
Instruction Fuzzy Hash: 78316C35620202CBC719AB79E45815C7FA2FF853583988A6CE516DF388DF72AC46CBC1

Uniqueness

Uniqueness Score: -1.00%

Function 050AE2E9, Relevance: 1.3, Strings: 1, Instructions: 76COMMON

Download Yara Rule

Strings

lir, xrefs: 050AE3A3

Memory Dump Source

Source File: 00000008.00000002.601516704.00000000050A0000.00000040.00000001.sdmp, Offset: 050A0000, based on PE: false

Similarity

API ID:
String ID: lir
API String ID: 0-3872640509
Opcode ID: 8af5b8142d60a227d23f5056922c1a71a840efb4ccb9c9a28af88b55dacaf4c5
Instruction ID: 1bf5499d82b9ba9f83800dc259e797e43b9032acc8e8fe34a784e9aa90917d2f
Opcode Fuzzy Hash: 8af5b8142d60a227d23f5056922c1a71a840efb4ccb9c9a28af88b55dacaf4c5
Instruction Fuzzy Hash: D321AF77A04614CBCB24CBE8E0082BEBBFABB88315F14447AE547EB340DB319C4187A1

Uniqueness

Uniqueness Score: -1.00%

Function 050A61D1, Relevance: 1.3, Strings: 1, Instructions: 74COMMON

Download Yara Rule

Strings

X1kr, xrefs: 050A6251

Memory Dump Source

Source File: 00000008.00000002.601516704.00000000050A0000.00000040.00000001.sdmp, Offset: 050A0000, based on PE: false

Similarity

API ID:
String ID: X1kr
API String ID: 0-844551562
Opcode ID: f2ebe46062af74927be6512a931f3117adb54d5f180e97864feaa4a644808198
Instruction ID: 9126f8a81b84235db3d23efd72507b1ec9c09e43b15843d2e39b98cef06f3bfc
Opcode Fuzzy Hash: f2ebe46062af74927be6512a931f3117adb54d5f180e97864feaa4a644808198
Instruction Fuzzy Hash: 3521C033F045459FCB54DAF8A4147FE7AF3ABC8220F28013AC552E7780EE269C408762

Uniqueness

Uniqueness Score: -1.00%

Function 050AA700, Relevance: 1.3, Strings: 1, Instructions: 45COMMON

Download Yara Rule

Strings

Huir, xrefs: 050AA733

Memory Dump Source

Source File: 00000008.00000002.601516704.00000000050A0000.00000040.00000001.sdmp, Offset: 050A0000, based on PE: false

Similarity

API ID:
String ID: Huir
API String ID: 0-669697419
Opcode ID: 8d91552cb1e120aba6b15586ccd08d4656fcbb85425f745a42a8f2ae07392250
Instruction ID: 0452a92e11e0e8e9b771f0d26c891917e4ff6879b458d87d4abb2e70246e87ac
Opcode Fuzzy Hash: 8d91552cb1e120aba6b15586ccd08d4656fcbb85425f745a42a8f2ae07392250
Instruction Fuzzy Hash: C4F04C3270821053CA5579ECAD80B3F7A9BABC1270B64032EA516CB3C4DE509C0183A6

Uniqueness

Uniqueness Score: -1.00%

Function 050A4710, Relevance: 1.3, Strings: 1, Instructions: 43COMMON

Download Yara Rule

Strings

X1kr, xrefs: 050A4747

Memory Dump Source

Source File: 00000008.00000002.601516704.00000000050A0000.00000040.00000001.sdmp, Offset: 050A0000, based on PE: false

Similarity

API ID:
String ID: X1kr
API String ID: 0-844551562
Opcode ID: 4801517ae6022c1f33b9df6beb226b5159838d5491e8eae315107b9eba880dc9
Instruction ID: fd82f43d97cd27189ea9e48ed4b86144e7abf4b715d1e8eeb41ea8fc996f99f7
Opcode Fuzzy Hash: 4801517ae6022c1f33b9df6beb226b5159838d5491e8eae315107b9eba880dc9
Instruction Fuzzy Hash: DCF0E03B3012909BCE666AF9B5107BD32CB9BC6665F54003FD105CFB80DD76D8825361

Uniqueness

Uniqueness Score: -1.00%

Function 050A7870, Relevance: 1.3, Strings: 1, Instructions: 41COMMON

Download Yara Rule

Strings

Huir, xrefs: 050A78A3

Memory Dump Source

Source File: 00000008.00000002.601516704.00000000050A0000.00000040.00000001.sdmp, Offset: 050A0000, based on PE: false

Similarity

API ID:
String ID: Huir
API String ID: 0-669697419
Opcode ID: 2b3dc6bd13684d48da5180f367393dda5beffffd2c6c68ef7007cf8f8baea35b
Instruction ID: 20e5176c0a6044fa9121031b9c24bb7a3e951519a46c2629009b5d0f77953547
Opcode Fuzzy Hash: 2b3dc6bd13684d48da5180f367393dda5beffffd2c6c68ef7007cf8f8baea35b
Instruction Fuzzy Hash: A9F0F67274825047C749AEECAC80A7D3E97EBC5260374836FD216CB2C5DE245C0183A6

Uniqueness

Uniqueness Score: -1.00%

Function 050A7880, Relevance: 1.3, Strings: 1, Instructions: 40COMMON

Download Yara Rule

Strings

Huir, xrefs: 050A78A3

Memory Dump Source

Source File: 00000008.00000002.601516704.00000000050A0000.00000040.00000001.sdmp, Offset: 050A0000, based on PE: false

Similarity

API ID:
String ID: Huir
API String ID: 0-669697419
Opcode ID: 649072a88d852936250336130861ebc1917b91b240625f028c1778aa57de2df5
Instruction ID: e60e4e355e3b3a577759e74882cf41f6de3117a9a11d8aa3555fa7a3c28bd63c
Opcode Fuzzy Hash: 649072a88d852936250336130861ebc1917b91b240625f028c1778aa57de2df5
Instruction Fuzzy Hash: E0F0E93274811053C6587AECAC80A3E7A8BEBC5670774832EA116DB3C5DF64AC0183B6

Uniqueness

Uniqueness Score: -1.00%

Function 050A63B8, Relevance: 1.3, Strings: 1, Instructions: 28COMMON

Download Yara Rule

Strings

lir, xrefs: 050A63D6

Memory Dump Source

Source File: 00000008.00000002.601516704.00000000050A0000.00000040.00000001.sdmp, Offset: 050A0000, based on PE: false

Similarity

API ID:
String ID: lir
API String ID: 0-3872640509
Opcode ID: 03444baeaf0f2cc506d6d4f17c422f10d4970906538d615c82b087aec68684a2
Instruction ID: b60e915a2d3298a3f1deace80f7c529c2d97163405c0817f6c9205e3ea0af78d
Opcode Fuzzy Hash: 03444baeaf0f2cc506d6d4f17c422f10d4970906538d615c82b087aec68684a2
Instruction Fuzzy Hash: 7BE02636B092501BCB1A5EB858146BE3F99ABC150030948ABE002DA2C1DA124E03839A

Uniqueness

Uniqueness Score: -1.00%

Function 050A63C8, Relevance: 1.3, Strings: 1, Instructions: 20COMMON

Download Yara Rule

Strings

lir, xrefs: 050A63D6

Memory Dump Source

Source File: 00000008.00000002.601516704.00000000050A0000.00000040.00000001.sdmp, Offset: 050A0000, based on PE: false

Similarity

API ID:
String ID: lir
API String ID: 0-3872640509
Opcode ID: b3741e7fc6e1c1930c97b45e32debba0c4de07a1a62ae44d85ecb5156a65e8ca
Instruction ID: 61872807870729f4f6418ab69450672fd428cded731b9bd17b4d2bdf56215403
Opcode Fuzzy Hash: b3741e7fc6e1c1930c97b45e32debba0c4de07a1a62ae44d85ecb5156a65e8ca
Instruction Fuzzy Hash: EBD0A726B0551423491C6EFE580463F378EABC0950308442EE517DA3C0EE119C0283EE

Uniqueness

Uniqueness Score: -1.00%

Function 050A7B90, Relevance: .3, Instructions: 284COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.601516704.00000000050A0000.00000040.00000001.sdmp, Offset: 050A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3dd3397bd61323553c27f45519758480e9e4f6d6f77e520c2eacb404f2396037
Instruction ID: d6f15d5322c908425419be3a99b13aab818aa51b1930c56bf3e44f9543fa6ad4
Opcode Fuzzy Hash: 3dd3397bd61323553c27f45519758480e9e4f6d6f77e520c2eacb404f2396037
Instruction Fuzzy Hash: BE91B531A04205DFCB05DFA8D880AAEBFB3FF85300F548569D909AF256DB70AD46CB91

Uniqueness

Uniqueness Score: -1.00%

Function 050A64B0, Relevance: .2, Instructions: 241COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.601516704.00000000050A0000.00000040.00000001.sdmp, Offset: 050A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c69d9e97ffa10931b9d4faa0d960b112728579544a22799745c0bf6fa830a376
Instruction ID: 93436e1d921e8b23d447b0301474e58660606283af78cfab93ac32e3fea8ad08
Opcode Fuzzy Hash: c69d9e97ffa10931b9d4faa0d960b112728579544a22799745c0bf6fa830a376
Instruction Fuzzy Hash: 28817232A00519CFCF15CF64D8909EEB7B3BF85304F1585A5D80AAF255DB72AA86CF90

Uniqueness

Uniqueness Score: -1.00%

Function 050AB1A0, Relevance: .2, Instructions: 227COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.601516704.00000000050A0000.00000040.00000001.sdmp, Offset: 050A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf881ed9703ac9f1b64381cbfcd7040f080b407d5b326775b42bc7a25eda9be5
Instruction ID: 1c771cb6ed5b3207123dc12356d5412206df4138509cf2019d8972817cf3df23
Opcode Fuzzy Hash: cf881ed9703ac9f1b64381cbfcd7040f080b407d5b326775b42bc7a25eda9be5
Instruction Fuzzy Hash: 1081D031B005068BD708EBB8C894B6EBBB7FFC4304FA48669D6159B694DF71AC0687D1

Uniqueness

Uniqueness Score: -1.00%

Function 050AEBD8, Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.601516704.00000000050A0000.00000040.00000001.sdmp, Offset: 050A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c58a897f2f5a268be5e1e159c746fb8d287215869847ca3a39b24a95eb16b041
Instruction ID: 226e104cd82908d4987d960fd9b1df9bad7de02d82782860faf3e1a69e7a2a41
Opcode Fuzzy Hash: c58a897f2f5a268be5e1e159c746fb8d287215869847ca3a39b24a95eb16b041
Instruction Fuzzy Hash: 8A715C36A04644CFDB54CFA8E494BADBBF6BF88314F188559D812A7761CB31E881CF90

Uniqueness

Uniqueness Score: -1.00%

Function 050A79E8, Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.601516704.00000000050A0000.00000040.00000001.sdmp, Offset: 050A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9cbb93216f0d2faf425b0a2af8e67f8b24c762a1b4f665c1906832ad6b86c5a
Instruction ID: c0392cf2a2e31541792757bc436bb9ef161f9aaca3763b20caec6a9cac25f599
Opcode Fuzzy Hash: b9cbb93216f0d2faf425b0a2af8e67f8b24c762a1b4f665c1906832ad6b86c5a
Instruction Fuzzy Hash: 5131083291021ACFCF15CF94D8546DEBBB2FF85304F5185A4D909BB255DB706A8ACF80

Uniqueness

Uniqueness Score: -1.00%

Function 050AEB67, Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.601516704.00000000050A0000.00000040.00000001.sdmp, Offset: 050A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d404149f96ebe74996ad47db2d635e26023213138be2a7aaee86bac88c00432c
Instruction ID: c56f03f19d20e2fc2f2173cc7f8c1adcd30dd8d143af2705b41469a74e17d82c
Opcode Fuzzy Hash: d404149f96ebe74996ad47db2d635e26023213138be2a7aaee86bac88c00432c
Instruction Fuzzy Hash: 2D51A232A04644CFEB24CFA8E488BAEBBFABF48314F148569D45397751D730E885CB50

Uniqueness

Uniqueness Score: -1.00%

Function 050A7638, Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.601516704.00000000050A0000.00000040.00000001.sdmp, Offset: 050A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08ff89b4043a125140791f7551849afbed8668a9f36e9e0068abf9672bc2f766
Instruction ID: 43011a15875138e048740f486f6863e0de0bb097c18bd835cb70110592ba4700
Opcode Fuzzy Hash: 08ff89b4043a125140791f7551849afbed8668a9f36e9e0068abf9672bc2f766
Instruction Fuzzy Hash: EF514C32B002158BCB59EBB9D554AAEB7F3BFC4310B258569C40AAB385DF31AD41CB94

Uniqueness

Uniqueness Score: -1.00%

Function 050A7ED0, Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.601516704.00000000050A0000.00000040.00000001.sdmp, Offset: 050A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09c269eba9cccb8e4377ee5b6de631d6a6d57426aa96e01eeec5327787b642cd
Instruction ID: 0d5a48b5371828cd08659e959a36117fc5a64563e757acc58facdb85f3edb42c
Opcode Fuzzy Hash: 09c269eba9cccb8e4377ee5b6de631d6a6d57426aa96e01eeec5327787b642cd
Instruction Fuzzy Hash: 3F512876D00618CFCB64DFA8D584A9DFBF1FF48300F20856AD55AA7295E7316986CF80

Uniqueness

Uniqueness Score: -1.00%

Function 050A81A1, Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.601516704.00000000050A0000.00000040.00000001.sdmp, Offset: 050A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75f22f0e564c5d232cca9be4fff9376326a55a18ed639fb0757038d930582929
Instruction ID: 408a47aafed491acde069d9874fc4047147db69851f06598ff274b254d12de7a
Opcode Fuzzy Hash: 75f22f0e564c5d232cca9be4fff9376326a55a18ed639fb0757038d930582929
Instruction Fuzzy Hash: BA514A35A00215CFDB54DBB4D588BAD7BF2BF85300F2482A9D90ADB795EB309C41CB61

Uniqueness

Uniqueness Score: -1.00%

Function 050A0BC0, Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.601516704.00000000050A0000.00000040.00000001.sdmp, Offset: 050A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 010d0d4a7ae47a24141fc27d99ac42d58bc1c8f6ec8c9eaba6f41e4b7e2ccbfe
Instruction ID: 892dbede3bbd54b7f0dc5500be83f06f5469a538dcddb81283ab9a847eb6d86d
Opcode Fuzzy Hash: 010d0d4a7ae47a24141fc27d99ac42d58bc1c8f6ec8c9eaba6f41e4b7e2ccbfe
Instruction Fuzzy Hash: 4D41B732B041188FD715DF68D4286AE7BE7AFC5310F15806AE907EF391CE729D058791

Uniqueness

Uniqueness Score: -1.00%

Function 050A0682, Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.601516704.00000000050A0000.00000040.00000001.sdmp, Offset: 050A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1889be31f3b2c5d67a224613b505b90eb11e705faeed6ac6f2b86a69e32a67fb
Instruction ID: 79a46a728ff34c487e45730f8b671b668b10c5326f38bab4cd24fd57896a581c
Opcode Fuzzy Hash: 1889be31f3b2c5d67a224613b505b90eb11e705faeed6ac6f2b86a69e32a67fb
Instruction Fuzzy Hash: AB415A31A042058BE72DABF8E91C56D3BE6BF80705714497AF512DE2E8DF704C818BD5

Uniqueness

Uniqueness Score: -1.00%

Function 050A5920, Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.601516704.00000000050A0000.00000040.00000001.sdmp, Offset: 050A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54e61b1b8fd154756f4a1507c14626fce01aca8c90f577f6395084d468ea9e78
Instruction ID: 2c1508254eee5b9877fbd6787442708a57665ac6abd0abaf447abd844aa3ee30
Opcode Fuzzy Hash: 54e61b1b8fd154756f4a1507c14626fce01aca8c90f577f6395084d468ea9e78
Instruction Fuzzy Hash: EF418F32B052018BEF59A7F5B81873E36E77F98650B158479E417DF288EE34CC418B91

Uniqueness

Uniqueness Score: -1.00%

Function 050A87C8, Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.601516704.00000000050A0000.00000040.00000001.sdmp, Offset: 050A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9337b7b6b31b1dd2b6306f5b2110dbf82c7a32b754fe576a3c9d2a21394e5117
Instruction ID: 901bf4cd33e0cfac46ad892506db600b71a243ddfd9389b3c56e72089c21027d
Opcode Fuzzy Hash: 9337b7b6b31b1dd2b6306f5b2110dbf82c7a32b754fe576a3c9d2a21394e5117
Instruction Fuzzy Hash: 6141AE76A04106CFCB04DFA8E5889AEFBF1FF84310F10C6AAD416A7291DB30E855CB91

Uniqueness

Uniqueness Score: -1.00%

Function 050A7160, Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.601516704.00000000050A0000.00000040.00000001.sdmp, Offset: 050A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70b06986b79f45aa9442f37382972fd9cc5edb96aaee0ae6f440b6f050e49739
Instruction ID: 5496645d05a2fc320c255edf7605e4bf87fc30956e478c043b5770f34887c8f6
Opcode Fuzzy Hash: 70b06986b79f45aa9442f37382972fd9cc5edb96aaee0ae6f440b6f050e49739
Instruction Fuzzy Hash: 43418039701211CF8B19FBB9E05416D7BF2BF8D2103584179E946EB786DB32AC85CB91

Uniqueness

Uniqueness Score: -1.00%

Function 050AB540, Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.601516704.00000000050A0000.00000040.00000001.sdmp, Offset: 050A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b994024adc4030365d413c2d211fbf3f5cbda34e3b373a30177b006b92f9666e
Instruction ID: e6e4fe035958353bed2dec1c649a728a364f3cefef7a3522bd752386eaa53936
Opcode Fuzzy Hash: b994024adc4030365d413c2d211fbf3f5cbda34e3b373a30177b006b92f9666e
Instruction Fuzzy Hash: 6341F372A006658BCB18CBA8D9806BEBBF2FFC8304B644529E456D7750DB35EC41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 050A7170, Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.601516704.00000000050A0000.00000040.00000001.sdmp, Offset: 050A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f87586853f047f545aa09d64c80de8d04486e9926a55bdbb259fd3f777c399a
Instruction ID: 91f926e5aaadd5fcb9434982a060965310a3a32832eb0908a1c15ea27928fa41
Opcode Fuzzy Hash: 0f87586853f047f545aa09d64c80de8d04486e9926a55bdbb259fd3f777c399a
Instruction Fuzzy Hash: 3D418239701111CF8B19FFAAE05415D77E2BF8D2103540178E906EB786DB32AC81CB91

Uniqueness

Uniqueness Score: -1.00%

Function 050A02DA, Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.601516704.00000000050A0000.00000040.00000001.sdmp, Offset: 050A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be2803e959c68c5062caa0a7fd3b5113e9bfed0f68d701e713cb07a865baa7c6
Instruction ID: 5213ade3f6813c103d53ad320901fd669b0e8c8b9265b53cc997eba91640a9a0
Opcode Fuzzy Hash: be2803e959c68c5062caa0a7fd3b5113e9bfed0f68d701e713cb07a865baa7c6
Instruction Fuzzy Hash: 44416032A01609CFDB58CBA8D068BAD7BF7FF89710F144469D502AB350DB719C41CB51

Uniqueness

Uniqueness Score: -1.00%

Function 050A0170, Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.601516704.00000000050A0000.00000040.00000001.sdmp, Offset: 050A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6a496a50ca1b44f5c59468c83aa76c739a4649a9da4849803049b534f6f6469
Instruction ID: 4e6a84a18f5e59ceb0ffb2d3487d37700c40c1b3f71be05e3e51a2aecc4da840
Opcode Fuzzy Hash: e6a496a50ca1b44f5c59468c83aa76c739a4649a9da4849803049b534f6f6469
Instruction Fuzzy Hash: 0531BE707013048FEB148FB8D894F2A7BEAFF8A740F944469E5469B380EA71BC00CB64

Uniqueness

Uniqueness Score: -1.00%

Function 050AB531, Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.601516704.00000000050A0000.00000040.00000001.sdmp, Offset: 050A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a189e367e05ace5932fdaa1efd2b3c75c9b436ed524f6e279dfaab8be1d284e
Instruction ID: 443a23ea84c720773e1f86f238147c7f2dc9daa92b1acc1e121cf23a940b67be
Opcode Fuzzy Hash: 5a189e367e05ace5932fdaa1efd2b3c75c9b436ed524f6e279dfaab8be1d284e
Instruction Fuzzy Hash: 2D31D0B6F002158BCB18DBA9D8506AEFBB2FFC8300F508539E95AD7300D771A9018BA0

Uniqueness

Uniqueness Score: -1.00%

Function 050AE638, Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.601516704.00000000050A0000.00000040.00000001.sdmp, Offset: 050A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a1476a75fc48e0c0f1e4b3112403b04587f1617bfe36ef3a71547b3a7cb2d46
Instruction ID: ee0591158d92da739bbc53c827132b7a7126695c21fa8d7b4622ec12e42aca08
Opcode Fuzzy Hash: 5a1476a75fc48e0c0f1e4b3112403b04587f1617bfe36ef3a71547b3a7cb2d46
Instruction Fuzzy Hash: F5316F72A00215CFCB54DFA8D544AAEFBFABF88354F248579D40AA7241DB31DC81CB90

Uniqueness

Uniqueness Score: -1.00%

Function 050A20D0, Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.601516704.00000000050A0000.00000040.00000001.sdmp, Offset: 050A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c05bda6b14728effbf2ec1add320beb7982cab1569f79f93e5705b765fcb434
Instruction ID: aa60cc37054573c61715f158ebe6accb7485ee0394be5b8ea35d3d2deeaeaed0
Opcode Fuzzy Hash: 3c05bda6b14728effbf2ec1add320beb7982cab1569f79f93e5705b765fcb434
Instruction Fuzzy Hash: 7631B435A08217DFCB04DFA8E890A7E7BF2FF84300B15857AD6069B255E730AC81CB91

Uniqueness

Uniqueness Score: -1.00%

Function 050A7628, Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.601516704.00000000050A0000.00000040.00000001.sdmp, Offset: 050A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ea281a20decb009a0aee7348e0842a68030a9949f6b16e7d125f518d3440244
Instruction ID: 4c2655fb1bff0dacccdd26e5a9ab1ec47831918abcfc6eb61ae0e32864d4d631
Opcode Fuzzy Hash: 3ea281a20decb009a0aee7348e0842a68030a9949f6b16e7d125f518d3440244
Instruction Fuzzy Hash: 77314E32E002198BCB14DBB9D5549EEBBF3FF94314B108569C416AB395DA31AD46CB90

Uniqueness

Uniqueness Score: -1.00%

Function 050A45C8, Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.601516704.00000000050A0000.00000040.00000001.sdmp, Offset: 050A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9e5d248286309e5d49117f1ffd883ac6f7a242f96e58b1833ca914832c4cb6c
Instruction ID: d4544bda33c973b539c688aae963ea8e54601eb4f563945c86d93c8b5a7cd010
Opcode Fuzzy Hash: d9e5d248286309e5d49117f1ffd883ac6f7a242f96e58b1833ca914832c4cb6c
Instruction Fuzzy Hash: 29214176B0011A9BDF44DAE9ED41AFEB7FAABC8204F104126E619D7240EBB0590587A2

Uniqueness

Uniqueness Score: -1.00%

Function 050AEEB9, Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.601516704.00000000050A0000.00000040.00000001.sdmp, Offset: 050A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a0e690d0b4c6bfcee2ba8222e2263324f74f57fd63a2d15c26e97b1a93ac908
Instruction ID: 97fb40289f10a88ffd16101fc77f3818e45399f2c1e611bf52674fbec47d3f6a
Opcode Fuzzy Hash: 5a0e690d0b4c6bfcee2ba8222e2263324f74f57fd63a2d15c26e97b1a93ac908
Instruction Fuzzy Hash: F0416872904B81CFE379CF6AD54176ABBF6FF84309F14886ED09786AA0DB35A441CB00

Uniqueness

Uniqueness Score: -1.00%

Function 050A0006, Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.601516704.00000000050A0000.00000040.00000001.sdmp, Offset: 050A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8317f6e442b19b3926c1a112d28b225004fbbc52653b728e7100daa64b41d366
Instruction ID: fa5e50fa440d4bd864991db801ea88ab99da1d090c7206fbc05a8759d4230ecb
Opcode Fuzzy Hash: 8317f6e442b19b3926c1a112d28b225004fbbc52653b728e7100daa64b41d366
Instruction Fuzzy Hash: 7E318030109386CFC706EBB4D86855C7FF1BF46210B4989AAE091CF166DB784C85CB12

Uniqueness

Uniqueness Score: -1.00%

Function 050A50E0, Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.601516704.00000000050A0000.00000040.00000001.sdmp, Offset: 050A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d0782e7ac5a3aa80780e4e70431564ef4ee6012237e702977130bb9a197cdbd
Instruction ID: 9bdd45fd12f0218f8201fac95514e4aab79c2e4547fc362536781cea56a9a699
Opcode Fuzzy Hash: 6d0782e7ac5a3aa80780e4e70431564ef4ee6012237e702977130bb9a197cdbd
Instruction Fuzzy Hash: 21216B32A003099FEF04DBE9D8146AEBBF7BF88300F554529D50AAF255EB70A945CB80

Uniqueness

Uniqueness Score: -1.00%

Function 050A8CA0, Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.601516704.00000000050A0000.00000040.00000001.sdmp, Offset: 050A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f5cadd347aad32f64bcf8ee79de8e05586c6b633a8053156cb37ab86b4815b3
Instruction ID: 51a1385416f137442406cfab013bfdc31457d8085d2f1e43dae2021361e53d41
Opcode Fuzzy Hash: 8f5cadd347aad32f64bcf8ee79de8e05586c6b633a8053156cb37ab86b4815b3
Instruction Fuzzy Hash: B931BC31D08688DFDB45CFB4E5546AE7FB2FF11304F1884AAD802EB291DA355A05CB52

Uniqueness

Uniqueness Score: -1.00%

Function 050AE8B7, Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.601516704.00000000050A0000.00000040.00000001.sdmp, Offset: 050A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b410244e01e1725b4d83e1f9dc08b92dbbad50f46ffa3280a9eefa477563084
Instruction ID: 8a96542e0f022d41d6218dd0fb3ac5a283a597046631145c8e38893aa8452035
Opcode Fuzzy Hash: 7b410244e01e1725b4d83e1f9dc08b92dbbad50f46ffa3280a9eefa477563084
Instruction Fuzzy Hash: C5315A71B00305CFCB54DBA9D4846AEBBF6BB88200B504429D506E7754EB75EC42CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 050AE44C, Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.601516704.00000000050A0000.00000040.00000001.sdmp, Offset: 050A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e26550021d2c7b3b45e1c959c4bc3bd35c872d1f9430e81fb7d8f8df5fce5ad
Instruction ID: e39e6e22d0196440e977a3ff8bef9c68e5d7eaac7dc2673f59b7bf5fec3c16dd
Opcode Fuzzy Hash: 5e26550021d2c7b3b45e1c959c4bc3bd35c872d1f9430e81fb7d8f8df5fce5ad
Instruction Fuzzy Hash: 3B3118317007028FC699AB78C49066A7BE3AFC53187A4892CD5469F758DFB6ED038B84

Uniqueness

Uniqueness Score: -1.00%

Function 050A8B10, Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.601516704.00000000050A0000.00000040.00000001.sdmp, Offset: 050A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd35752b5360e504a88eb99b1fbe097f486f576fb22ee7b646c0bfb76b076628
Instruction ID: 280b1a4a2c2cba93a7571cf49929b39910e0de3ca4c666b6f54eaf760b5dadfb
Opcode Fuzzy Hash: dd35752b5360e504a88eb99b1fbe097f486f576fb22ee7b646c0bfb76b076628
Instruction Fuzzy Hash: 7F318B71B24200CFCB49EFB8E45856E3BA3FF84215358866AE406DB294EF359D42CB95

Uniqueness

Uniqueness Score: -1.00%

Function 050A5B51, Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.601516704.00000000050A0000.00000040.00000001.sdmp, Offset: 050A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba01c4178c61e9ecf1542533035b07173b971734c30477dd73d4c14be244c278
Instruction ID: 911dd6085837a4127febb3d4f188353b8de00b4262a0733b93342a1711853014
Opcode Fuzzy Hash: ba01c4178c61e9ecf1542533035b07173b971734c30477dd73d4c14be244c278
Instruction Fuzzy Hash: 2C21CF32B012049FDF18DAF998505BEBAE7BBC9210F14843AD407EB386EE31DC4187A1

Uniqueness

Uniqueness Score: -1.00%

Function 050A43C0, Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.601516704.00000000050A0000.00000040.00000001.sdmp, Offset: 050A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f70356efa65fe9eccd98654d2ce3bfbac0b5e2e531ce5519eabb5264a23df9b
Instruction ID: 3803f7e9f51f0d55a8c5cf171d6c4b4862a507d94b359ad25ee91c81c96d8450
Opcode Fuzzy Hash: 4f70356efa65fe9eccd98654d2ce3bfbac0b5e2e531ce5519eabb5264a23df9b
Instruction Fuzzy Hash: 2B31B636504111CFCB18EFF8E8488AD7BF2FF8430471485B9E5169F2AADB319995CB91

Uniqueness

Uniqueness Score: -1.00%

Function 050A55E8, Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.601516704.00000000050A0000.00000040.00000001.sdmp, Offset: 050A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0b0ff81ca9f0651d9e095f0b095d2b6a6eb32fd46da48a339d0c958bde9eec1
Instruction ID: da02089c27080292172ffbfa02b6ab6bec32b46a97aefcb6adcb15c34b7fc9c7
Opcode Fuzzy Hash: c0b0ff81ca9f0651d9e095f0b095d2b6a6eb32fd46da48a339d0c958bde9eec1
Instruction Fuzzy Hash: 7521F131B002058BDF14AFB8E8507FE7AE2BBC8710F19006AE502EB3D0DEB149418B90

Uniqueness

Uniqueness Score: -1.00%

Function 050A6057, Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.601516704.00000000050A0000.00000040.00000001.sdmp, Offset: 050A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a32c4ce9c3e61deacc78621c98a3af318a19babc8c8900e208f25929ce86bd4
Instruction ID: ee85d34901a935ee879d6b5be520849d027c2de7b59dcce6c2f77f19560c5fed
Opcode Fuzzy Hash: 4a32c4ce9c3e61deacc78621c98a3af318a19babc8c8900e208f25929ce86bd4
Instruction Fuzzy Hash: 0321D131B006048BC715DBB9D854B6EBBF2AFC9214F28816ED256CB6A1CE329C058755

Uniqueness

Uniqueness Score: -1.00%

Function 050AAE28, Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.601516704.00000000050A0000.00000040.00000001.sdmp, Offset: 050A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2a00297498b3c8f1da3d60ec340f809242106eb538b8877f73b55cd8afe28aa
Instruction ID: 144f0daceeae1804bc3cadce99023e380347a59a699828d69f55a9eadf38a20a
Opcode Fuzzy Hash: a2a00297498b3c8f1da3d60ec340f809242106eb538b8877f73b55cd8afe28aa
Instruction Fuzzy Hash: BD216072B006459FCB28DFF4E8409AEB7F2BB88654F104969D002AB2D1DB71AC01CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 050A5831, Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.601516704.00000000050A0000.00000040.00000001.sdmp, Offset: 050A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a89261f0a842cbe41e23135cfb289bcb627ab8890cce4753f26fcc924ede8838
Instruction ID: 322a96d5a86dcd47e9bbc4c71a12c8a78bde4b1af5d5efe58828862a4f286815
Opcode Fuzzy Hash: a89261f0a842cbe41e23135cfb289bcb627ab8890cce4753f26fcc924ede8838
Instruction Fuzzy Hash: 5321C332B001019BCF08A6FAE8549BFBBEBBFE5214B51453AD402DF791ED714C0187A1

Uniqueness

Uniqueness Score: -1.00%

Function 050A4F10, Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.601516704.00000000050A0000.00000040.00000001.sdmp, Offset: 050A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d8984a4ffa6c26811e7dd06d9d1cd17dd56dd118d742cf2e0e3f7f3df114386
Instruction ID: 1b0a8bdd95b2771b9b6a07394e9c98235fa17ba2a25dddcc499a9bcbb4f5ab8a
Opcode Fuzzy Hash: 3d8984a4ffa6c26811e7dd06d9d1cd17dd56dd118d742cf2e0e3f7f3df114386
Instruction Fuzzy Hash: 8C21C63B2092148BCB04E6B6F8919BD3B57FFC0351750A627E5578F68ADBB06C42C792

Uniqueness

Uniqueness Score: -1.00%

Function 050A48B9, Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.601516704.00000000050A0000.00000040.00000001.sdmp, Offset: 050A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8007d9bf8e97d0366848b303b4065d636ba8ed1d3033b79bfdfbdaba52744605
Instruction ID: d0d097599547b1c512483130839fbd10427a9ca6e60f12fad2739a2758406d6f
Opcode Fuzzy Hash: 8007d9bf8e97d0366848b303b4065d636ba8ed1d3033b79bfdfbdaba52744605
Instruction Fuzzy Hash: D311D337B141199FCF09DAB8E8605FE7BB7AFC9710F04442AD502B7240DE612A068790

Uniqueness

Uniqueness Score: -1.00%

Function 050A43D0, Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.601516704.00000000050A0000.00000040.00000001.sdmp, Offset: 050A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fab705596c5c98ba12d3f2f721c980b50b51119fa4ad84cd377bcaad680d2e4
Instruction ID: ac5ed390239183d763acc0447b180f9131f014bc577049c7d758af343f0dcd1a
Opcode Fuzzy Hash: 6fab705596c5c98ba12d3f2f721c980b50b51119fa4ad84cd377bcaad680d2e4
Instruction Fuzzy Hash: B931B436600115CFCB18EFE9E8448AD7BF2FF8430470481B9E516AF3A9DB319895DB90

Uniqueness

Uniqueness Score: -1.00%

Function 050A21E8, Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.601516704.00000000050A0000.00000040.00000001.sdmp, Offset: 050A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf13a4292327f6e45dc7df5c85c43ec90d36038bf73d09eebbbc8be94c647567
Instruction ID: 360e5b8124e0f85d80aa2024857e5138abd6453e7f692af37570c6f72625f4af
Opcode Fuzzy Hash: bf13a4292327f6e45dc7df5c85c43ec90d36038bf73d09eebbbc8be94c647567
Instruction Fuzzy Hash: 9631043590820AEFCB98DFE4D1446BEBBF2FF45300F1041BAD412AB664E6358A45CB52

Uniqueness

Uniqueness Score: -1.00%

Function 050A25DE, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.601516704.00000000050A0000.00000040.00000001.sdmp, Offset: 050A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f010b15c0106d8eeb518ddea1fd4a3bb9ba3f4edc51b3e0901a131c74e1fe200
Instruction ID: 0daad1ca5b58d7e1efff5a1eeda2ca4285d295a9d3041aa31c9ca8e978409067
Opcode Fuzzy Hash: f010b15c0106d8eeb518ddea1fd4a3bb9ba3f4edc51b3e0901a131c74e1fe200
Instruction Fuzzy Hash: 4C316A35A10246CFDB68DFE5E54465EBBE2BF84314F20C279C025AF258DBB49489CF81

Uniqueness

Uniqueness Score: -1.00%

Function 050A90B6, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.601516704.00000000050A0000.00000040.00000001.sdmp, Offset: 050A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15ee98d73ee13af96d667b5f39f50c93d960a1740ae68b9187780593286dcdb2
Instruction ID: 93e56df68fddd63301feeaac6e8a322fc271eb352b171947bac0efcde02e6927
Opcode Fuzzy Hash: 15ee98d73ee13af96d667b5f39f50c93d960a1740ae68b9187780593286dcdb2
Instruction Fuzzy Hash: 05319A31E10249CBDB60DFA5D445A5EBFF2BF84314F18CA29D4149B254DFB4A889CF41

Uniqueness

Uniqueness Score: -1.00%

Function 050AD886, Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.601516704.00000000050A0000.00000040.00000001.sdmp, Offset: 050A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f8359a5a8e732758bc11ad6ddd474a5f8d3503dcc267415f96a83e0cd671c41
Instruction ID: 10b720073a38107625bebfa49bcfa0ca56c2349e025ddcb7e5281cd60d70e05e
Opcode Fuzzy Hash: 6f8359a5a8e732758bc11ad6ddd474a5f8d3503dcc267415f96a83e0cd671c41
Instruction Fuzzy Hash: 2F21CC70711211CBCB4D9F68D518059BFA2AF8631836889ACA509EF395DF72D98BCFC4

Uniqueness

Uniqueness Score: -1.00%

Function 050A4511, Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.601516704.00000000050A0000.00000040.00000001.sdmp, Offset: 050A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7916eb218033332094ef1573f573b182a273cdf7f09152de8d03266512dbc86a
Instruction ID: 70e8b21de347b328f7c8e6cf97a0f7b447fad861441a1c1e51e53e0a17a35dce
Opcode Fuzzy Hash: 7916eb218033332094ef1573f573b182a273cdf7f09152de8d03266512dbc86a
Instruction Fuzzy Hash: 99110137E041018BCF15CAB8A4101FFBBA39FC6220F04447EE9469B282DAA29805CB90

Uniqueness

Uniqueness Score: -1.00%

Function 050A5840, Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.601516704.00000000050A0000.00000040.00000001.sdmp, Offset: 050A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5418cf0d8b033216efb0760320a5c04d27b372903e720408b22c30a1afe3ade9
Instruction ID: 28a32cb12e1f7f194e6ec21da94f3cd2e26d3357f051c63dec5e7aa86b3d0435
Opcode Fuzzy Hash: 5418cf0d8b033216efb0760320a5c04d27b372903e720408b22c30a1afe3ade9
Instruction Fuzzy Hash: 0C11D0327000159BCF08E6FAE85497FBAEBBFD9214B90453A90139F791ED719C0087A1

Uniqueness

Uniqueness Score: -1.00%

Function 050A50D0, Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.601516704.00000000050A0000.00000040.00000001.sdmp, Offset: 050A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65888d90c05730e2c68fc7b019044c37356cdb24c12a1dd33f9c98aabe1e4ab6
Instruction ID: f3a6d4c362727cb7f5dd46c2d698c4d8248c2af6c3a2bbcd1768dd9d7cf52702
Opcode Fuzzy Hash: 65888d90c05730e2c68fc7b019044c37356cdb24c12a1dd33f9c98aabe1e4ab6
Instruction Fuzzy Hash: B4117C329003099FDF11CFE5D8046EEBBF2AF89310F544829C909BB250E770658ACF80

Uniqueness

Uniqueness Score: -1.00%

Function 050AE760, Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.601516704.00000000050A0000.00000040.00000001.sdmp, Offset: 050A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 652f9b3886984ee001af7db6e44cb2fed4faa52facd7b61b6269eb782c1640da
Instruction ID: 64261ac7e88e8f2f630c3c88dff9a7ca29464a98f8c383f5a8d31c0b02c9013e
Opcode Fuzzy Hash: 652f9b3886984ee001af7db6e44cb2fed4faa52facd7b61b6269eb782c1640da
Instruction Fuzzy Hash: 9921A572A00115DFCB95DFE8D6509BEBBFAFF88710B20806AD40AE7601D731AD01CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 050AAE19, Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.601516704.00000000050A0000.00000040.00000001.sdmp, Offset: 050A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3db745799679cc7eca80ccc572ce746d2531c379e05c97bfa78e227341c97ac
Instruction ID: 3b627ebee3bae49cfb9b0e1eb593ebc712bdd1359a3d595bd1df3cb2d7c7d9a6
Opcode Fuzzy Hash: f3db745799679cc7eca80ccc572ce746d2531c379e05c97bfa78e227341c97ac
Instruction Fuzzy Hash: 1F11D672B042059FCB18DEE4E840A6EB7F3BB84740F104969E502EB3C1EB719C00C7A5

Uniqueness

Uniqueness Score: -1.00%

Function 050A5000, Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.601516704.00000000050A0000.00000040.00000001.sdmp, Offset: 050A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 218641886c2b907cd61fab37effbaf3394cf4b03b289dddbd7b5f310b6f3396c
Instruction ID: 741f3237f2b840bd4d14070f92666cba60f4456ebc94abf6606937b6005cbdda
Opcode Fuzzy Hash: 218641886c2b907cd61fab37effbaf3394cf4b03b289dddbd7b5f310b6f3396c
Instruction Fuzzy Hash: DA116D32A00125CFCB54EBF9E8506AE7AE2BB84610B544575C516AB285EF309942CBE6

Uniqueness

Uniqueness Score: -1.00%

Function 050A5730, Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.601516704.00000000050A0000.00000040.00000001.sdmp, Offset: 050A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8278bb1e40fb9fcea8023a4aea9b2ccf8660968778c17616b383939da69be98c
Instruction ID: f2d07ec5ccc633c915cefcdf59e146c60b0fd75f0ee3550d9e05ece9cbf4a24c
Opcode Fuzzy Hash: 8278bb1e40fb9fcea8023a4aea9b2ccf8660968778c17616b383939da69be98c
Instruction Fuzzy Hash: C0116A72A15205CFDB55DFB9F980ABE77B2FF84340F20426AD405BB285E7319981CB94

Uniqueness

Uniqueness Score: -1.00%

Function 050A7EC0, Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.601516704.00000000050A0000.00000040.00000001.sdmp, Offset: 050A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e0e68e25f123a3b8709b57d8c80c685f705a3fcfe9e78fd91c1e9ad121272b5
Instruction ID: 6f43710764c9163efe4abf887d7a8cd2e7243b0a998b0151814f3055a484f0a0
Opcode Fuzzy Hash: 1e0e68e25f123a3b8709b57d8c80c685f705a3fcfe9e78fd91c1e9ad121272b5
Instruction Fuzzy Hash: 8011D632904144DFCB16CBB4E804AEEBBF2FF89300F1085A6D551AB1A2D3316E4ACBD1

Uniqueness

Uniqueness Score: -1.00%

Function 01260845, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.596948553.0000000001260000.00000040.00000040.sdmp, Offset: 01260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed9a1372ff8bd78337512c13baaeaf6daeb74200ab239a8edd41aa90e1ef952e
Instruction ID: afc3e25ac7b91b5bb8432210134bf6b09d2eea8914e6e4bb1730efbb3a7b022b
Opcode Fuzzy Hash: ed9a1372ff8bd78337512c13baaeaf6daeb74200ab239a8edd41aa90e1ef952e
Instruction Fuzzy Hash: BF219F3550E3C18FC707CB24C850B15BFB1AF47614F2986EED9858B6A3D73A8846DB52

Uniqueness

Uniqueness Score: -1.00%

Function 050A54F8, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.601516704.00000000050A0000.00000040.00000001.sdmp, Offset: 050A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 113ecc4e4a27cd15a248da1c1494fc3702a072f13849e574c22d835f90dcef5a
Instruction ID: 678a2e89f63bbe589a20ba65e5e3ac6ade886963b79d0aa49aadf25cdba7ae1a
Opcode Fuzzy Hash: 113ecc4e4a27cd15a248da1c1494fc3702a072f13849e574c22d835f90dcef5a
Instruction Fuzzy Hash: 3E115E31A112158FCF44EFF9E8556EE7BA2FF89300B50462AD1059B286E7319981CBC1

Uniqueness

Uniqueness Score: -1.00%

Function 050A46A9, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.601516704.00000000050A0000.00000040.00000001.sdmp, Offset: 050A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db48ad4163aa73f86df6bbe6d058a91df6de6de6d7f42892593e8ad3b168c007
Instruction ID: c173cb82ac3969408a99458d981e0f0239266e7633c96a5217c7e24cf17aa8bb
Opcode Fuzzy Hash: db48ad4163aa73f86df6bbe6d058a91df6de6de6d7f42892593e8ad3b168c007
Instruction Fuzzy Hash: 4E01B53B7142509FCF669AF8B4246FE37D6DBD6354F1004BBE006CB691D9A698024792

Uniqueness

Uniqueness Score: -1.00%

Function 050AB6C8, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.601516704.00000000050A0000.00000040.00000001.sdmp, Offset: 050A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b85e17c305f9eed8d99554056346d8667da88492e88793c45b6d9957412ee0d2
Instruction ID: 5301d2d1c33c82971e9001068381e38df335a23e4fe8b8e3474b29717646d2fb
Opcode Fuzzy Hash: b85e17c305f9eed8d99554056346d8667da88492e88793c45b6d9957412ee0d2
Instruction Fuzzy Hash: E6118C732047949BC71792A8BE50B6D7B56EFC2661F1A416BD504DBA81CE289C01C7E2

Uniqueness

Uniqueness Score: -1.00%

Function 050ACD78, Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.601516704.00000000050A0000.00000040.00000001.sdmp, Offset: 050A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 691b95cc0c21aac08296bb73c893367eb7c4d2c977364bcddcd1d226010e0165
Instruction ID: 7ddb0198c119c9aa5852c384724d0e06254212e7d2572f7412acd5bfc0e5a525
Opcode Fuzzy Hash: 691b95cc0c21aac08296bb73c893367eb7c4d2c977364bcddcd1d226010e0165
Instruction Fuzzy Hash: B211A3327001119FDB48EBA9E450AAE77E7AFC87507298179E406DB351CF32AC12C7D4

Uniqueness

Uniqueness Score: -1.00%

Function 0126087C, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.596948553.0000000001260000.00000040.00000040.sdmp, Offset: 01260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 180db8954c96d37ca6717733370b0452e2bf600c8b24c8f5729727fe16730fa2
Instruction ID: 930ec2de21af6061720739eae7c7e61a43ed8b1ca28d230cb147276bc02b6d02
Opcode Fuzzy Hash: 180db8954c96d37ca6717733370b0452e2bf600c8b24c8f5729727fe16730fa2
Instruction Fuzzy Hash: E9110634214384DFE305CB14C584F26BBD9AB88B08F24C99CFA490B683C777D843DA95

Uniqueness

Uniqueness Score: -1.00%

Function 050ACEA8, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.601516704.00000000050A0000.00000040.00000001.sdmp, Offset: 050A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d02b6d7f072123683e939ac8c9a0816104806b3abd64208020222b670fa3d3e1
Instruction ID: 304a94d531c0e5c422f0321bec3968fcf96416aebce593c0a0aa1d1924bb5f8b
Opcode Fuzzy Hash: d02b6d7f072123683e939ac8c9a0816104806b3abd64208020222b670fa3d3e1
Instruction Fuzzy Hash: 5C11C431308601CBD61CE7B8915013EBBE3BBC1604389886DE51BDB341DF72AC028791

Uniqueness

Uniqueness Score: -1.00%

Function 050AE750, Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.601516704.00000000050A0000.00000040.00000001.sdmp, Offset: 050A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 331105bbb37db869e78474875fa1309b96b1dcf4aaf547ccb6ad78f00f807ae0
Instruction ID: f2da13d733ad468ba7bc93f2c79016312ea710548533aa186d8f5bcf150c66a9
Opcode Fuzzy Hash: 331105bbb37db869e78474875fa1309b96b1dcf4aaf547ccb6ad78f00f807ae0
Instruction Fuzzy Hash: 2A118276901105DFCB94CFD8E6459BEBBFAFF48311B20806AD44AE7201D331AD01CB91

Uniqueness

Uniqueness Score: -1.00%

Function 050ACA90, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.601516704.00000000050A0000.00000040.00000001.sdmp, Offset: 050A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2be12a6caf5d99a32d722843bc4a5beb623038d7372c259839d2ce6efb8deb4
Instruction ID: 49c685de58dca9c62c2fbb263603eea4e6ed43ad5fc35a9b49f8d5ad893d069c
Opcode Fuzzy Hash: f2be12a6caf5d99a32d722843bc4a5beb623038d7372c259839d2ce6efb8deb4
Instruction Fuzzy Hash: 3D11C2317142609FD709AF79A41473D3BABFBC9214F094568F406EB388CE319C42C784

Uniqueness

Uniqueness Score: -1.00%

Function 050A4FF0, Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.601516704.00000000050A0000.00000040.00000001.sdmp, Offset: 050A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 930031a8be1c519f895c28317bb98ba92c644dc340438597238120ae4de3e3d6
Instruction ID: 62eb004916074c8a674ee064dd2347221a2564cf21679902f07dcad6970b237a
Opcode Fuzzy Hash: 930031a8be1c519f895c28317bb98ba92c644dc340438597238120ae4de3e3d6
Instruction Fuzzy Hash: 1D01C473E04215DFCF44EBF4BC10AAE7BE2BF84210B54456AC515E7681EB715901CBE6

Uniqueness

Uniqueness Score: -1.00%

Function 050AE159, Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.601516704.00000000050A0000.00000040.00000001.sdmp, Offset: 050A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75476b3a3bda748e604c4380723e15d4df9d710dfef0c639b83591316a0b6ffb
Instruction ID: 57c330a27945d76e8d75f98475721634475f8958ba737a86b82ed63ece6bde75
Opcode Fuzzy Hash: 75476b3a3bda748e604c4380723e15d4df9d710dfef0c639b83591316a0b6ffb
Instruction Fuzzy Hash: 5E01D8727042219FDB1827F9E81892F7ADAFFD9659B14443EE416DB381DE718C4283E0

Uniqueness

Uniqueness Score: -1.00%

Function 050A11DF, Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.601516704.00000000050A0000.00000040.00000001.sdmp, Offset: 050A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 313db0f7b3fe41f3744789a10724b3c20e1898332a5e6661b026584c4fd8315c
Instruction ID: cefa64910c07a0db76d30fad85983dbe4ae1194272d3b2a7547734680f5de544
Opcode Fuzzy Hash: 313db0f7b3fe41f3744789a10724b3c20e1898332a5e6661b026584c4fd8315c
Instruction Fuzzy Hash: 02113C31708190CFC706DB68E41886D7FB6AF96200B1902EBE052CF6A6DB658C19C792

Uniqueness

Uniqueness Score: -1.00%

Function 050A238F, Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.601516704.00000000050A0000.00000040.00000001.sdmp, Offset: 050A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 321834ed34b459154a73e6e6cc61caa8e3a9da3f8ceb21549470e4d0d8004a7d
Instruction ID: 237d3ba7c6951347883a6b16a71ac8a1a44cc83ef640817753b5cb7643105280
Opcode Fuzzy Hash: 321834ed34b459154a73e6e6cc61caa8e3a9da3f8ceb21549470e4d0d8004a7d
Instruction Fuzzy Hash: BB116A7680825ACFCB28CFB4E5546AEBBB2AB45304F00483ED502AB644DB711982CF90

Uniqueness

Uniqueness Score: -1.00%

Function 050A4789, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.601516704.00000000050A0000.00000040.00000001.sdmp, Offset: 050A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bece4e87c7b455ac5eb44c516141b8cda499605c2bbf7541547956ac7fd7d950
Instruction ID: c1e4332625918dc6df8dfc7e4ccf99839d89ccf7b53d5d24f6a03f50eb7f9112
Opcode Fuzzy Hash: bece4e87c7b455ac5eb44c516141b8cda499605c2bbf7541547956ac7fd7d950
Instruction Fuzzy Hash: 80014071E002098FCF94DFBC94546EE7BF2EB99310F20487FD509E7280EA355A469B95

Uniqueness

Uniqueness Score: -1.00%

Function 011EAEC0, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.596664481.00000000011E2000.00000040.00000001.sdmp, Offset: 011E2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb4c7519d4900ba5cff9220ae6d6f45a830e289f4c98a722d84dbba64f3af897
Instruction ID: 3a4b31948342e429d4db25ea9c154253b6b98587f8f7f37e6e1e41199629e264
Opcode Fuzzy Hash: eb4c7519d4900ba5cff9220ae6d6f45a830e289f4c98a722d84dbba64f3af897
Instruction Fuzzy Hash: 9411DAB5A08301AFD350CF19DC80A57FBE8EB88660F14895EFD9897311D271E9048BA2

Uniqueness

Uniqueness Score: -1.00%

Function 050A05B9, Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.601516704.00000000050A0000.00000040.00000001.sdmp, Offset: 050A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00c90dc2a07930f6b94f97bbc22319fc71ce15f360723e5425d5bd9c9514c18a
Instruction ID: 462b716cfe63e3f91a6d0ccb239212eb56aa04d2d289c214ff70bf415e08b415
Opcode Fuzzy Hash: 00c90dc2a07930f6b94f97bbc22319fc71ce15f360723e5425d5bd9c9514c18a
Instruction Fuzzy Hash: DE01F4217042210BCB4A777DA8203BF6A9B9FCA954798445FD106DF385CE719C0343E2

Uniqueness

Uniqueness Score: -1.00%

Function 050AE168, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.601516704.00000000050A0000.00000040.00000001.sdmp, Offset: 050A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a40888611e452dc441da3921b718f0764fefa8011c63d0df7f5124ff9acbe4e
Instruction ID: 705018782126317cbc4275d842c928bb51a010a5c0ba2c720b5d0b7e3aff2390
Opcode Fuzzy Hash: 0a40888611e452dc441da3921b718f0764fefa8011c63d0df7f5124ff9acbe4e
Instruction Fuzzy Hash: 7001A2327002219FCB182BF9E81896F7ADAFFD9664714453AE416DB380DE718C4183E0

Uniqueness

Uniqueness Score: -1.00%

Function 050AAD90, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.601516704.00000000050A0000.00000040.00000001.sdmp, Offset: 050A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f73941bd0c833f936ec00b2af5018b1ea8345322890411217bfd5a48f86574a2
Instruction ID: 1968bec679636a981684bfb7c636c179fb8e3fd19ed953d4886166f550bebe8e
Opcode Fuzzy Hash: f73941bd0c833f936ec00b2af5018b1ea8345322890411217bfd5a48f86574a2
Instruction Fuzzy Hash: E801B532B059448BCB14CA98E8506BFBBF29B84315F10446EC147A76C0CF716D01C7D1

Uniqueness

Uniqueness Score: -1.00%

Function 050A5740, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.601516704.00000000050A0000.00000040.00000001.sdmp, Offset: 050A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c48f15c7a6bf32de1c4e9992574ee6267ef1242e88fabd4482ecc3fae4a0370
Instruction ID: 154daebf10a5e5bab8825dbf5c9f6e20268bad79138323f855e7fab7d4cfb0f1
Opcode Fuzzy Hash: 7c48f15c7a6bf32de1c4e9992574ee6267ef1242e88fabd4482ecc3fae4a0370
Instruction Fuzzy Hash: 72113031A04205CFDB55EFB5F980ABE7BB6BF44340F60422AD505BA285E7319981CB91

Uniqueness

Uniqueness Score: -1.00%

Function 050A7E38, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.601516704.00000000050A0000.00000040.00000001.sdmp, Offset: 050A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82de405af13531b02ccbae31914437e02a05759d4b52443b5d4bb3b0ba6dc8d0
Instruction ID: 3be6d0fbbc798901890b729b87c823582f62f4a8c74bd3e142e511efb38f5d1c
Opcode Fuzzy Hash: 82de405af13531b02ccbae31914437e02a05759d4b52443b5d4bb3b0ba6dc8d0
Instruction Fuzzy Hash: BB015E32A081049BCB1CDF98E950ABEBBF6EB88654F14846EC516A7642CF71AD0187D1

Uniqueness

Uniqueness Score: -1.00%

Function 050A7E28, Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.601516704.00000000050A0000.00000040.00000001.sdmp, Offset: 050A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6edc71238aae359910af1659d205c3c9a429836b468e35ec23ae21b8f7aece46
Instruction ID: ec6b5e8cb79eec2466c4ce300ef7290685ff68a75eadd73faefaf013f5f2f6fe
Opcode Fuzzy Hash: 6edc71238aae359910af1659d205c3c9a429836b468e35ec23ae21b8f7aece46
Instruction Fuzzy Hash: C0015232A081448FC75DDFA8D9546BEBBF7DB88344F14886DC406AB692CB719D028791

Uniqueness

Uniqueness Score: -1.00%

Function 050AAD80, Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.601516704.00000000050A0000.00000040.00000001.sdmp, Offset: 050A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa746dd7fffa06ca6782148447e3bc9a7b271775a7b21f5b84359b0dfbe3727f
Instruction ID: 24d9fb53dc27548f8cbbad2481607f0049db6fc4dba36c69f9ce2c52ea519b6a
Opcode Fuzzy Hash: fa746dd7fffa06ca6782148447e3bc9a7b271775a7b21f5b84359b0dfbe3727f
Instruction Fuzzy Hash: FF01B132704A848BDB18CA94E851BBFBBF29B84316F14442EC547AB7C0DFA1AC01C7D1

Uniqueness

Uniqueness Score: -1.00%

Function 012605D0, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.596948553.0000000001260000.00000040.00000040.sdmp, Offset: 01260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96399c93bf9f57da6692436dc46d69f64c2d6116346eea395eef2f67faab34e8
Instruction ID: a552bd89c63d4ef08cee0071eed29c0934554371bfa235a02c6941ba746f405e
Opcode Fuzzy Hash: 96399c93bf9f57da6692436dc46d69f64c2d6116346eea395eef2f67faab34e8
Instruction Fuzzy Hash: B401D1765087409FC316CF16AC51896BFACEB85230B18C4AFE949CB252D225E848CBB9

Uniqueness

Uniqueness Score: -1.00%

Function 050AAF50, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.601516704.00000000050A0000.00000040.00000001.sdmp, Offset: 050A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 903f54d696f2e626fb62aee277534d549392c549311a006ecda63c7ef0300dd5
Instruction ID: 6d791bbf800cfe72a992a1164c7288c8413d38239d62495ffba5202ed7b4a664
Opcode Fuzzy Hash: 903f54d696f2e626fb62aee277534d549392c549311a006ecda63c7ef0300dd5
Instruction Fuzzy Hash: EA012C72F102199FCB90EFB9A8057AEBBF4EB44210F10423AE609E7284EB315504CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 050A6E90, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.601516704.00000000050A0000.00000040.00000001.sdmp, Offset: 050A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70483b1992dc45b342e67980db205c85260ee0cc9d49c46ae4797dc1ea9db99d
Instruction ID: b932ac56cfcbb2f3898db006656f6976be17f8af3d87f2f9df6683add979bef3
Opcode Fuzzy Hash: 70483b1992dc45b342e67980db205c85260ee0cc9d49c46ae4797dc1ea9db99d
Instruction Fuzzy Hash: 28017C71E102088FCF50EBB9E9607EEBBF5FB44200F54013AE544E6285E7315A82CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 050A05C8, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.601516704.00000000050A0000.00000040.00000001.sdmp, Offset: 050A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d5373cda1b150ead2e77726e2357d4d3ab18a4f016aa5c6a65b3e4ae36b41d7
Instruction ID: 6a45bbb62a27d37e9f27404d322a7d37b5563c5c4100f4218ad8369f644b9e64
Opcode Fuzzy Hash: 5d5373cda1b150ead2e77726e2357d4d3ab18a4f016aa5c6a65b3e4ae36b41d7
Instruction Fuzzy Hash: 9AF0B46270012547CA4C76BEA4217BF66CB9BC8955798412EE106EF384CEB18C0303D6

Uniqueness

Uniqueness Score: -1.00%

Function 050A6EA0, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.601516704.00000000050A0000.00000040.00000001.sdmp, Offset: 050A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d2d25c4a9ce81f57bfed2e9bf17460e72171254bf8f5471e561a90f9da9fc27
Instruction ID: 9948b80c5f33cf88bbc49d5d7d455119c2084f76639691469d4f92f3175580bf
Opcode Fuzzy Hash: 1d2d25c4a9ce81f57bfed2e9bf17460e72171254bf8f5471e561a90f9da9fc27
Instruction Fuzzy Hash: 85014F72F002189FDB50EBB9E8417EEBBF4EB44250F10413AD508E7285EB315985CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 012605C0, Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.596948553.0000000001260000.00000040.00000040.sdmp, Offset: 01260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6d6fde2cd3702cf89f164736c34abca2307d21b37850cca3c97837af4483403
Instruction ID: 30a0708cd62ab397f1f1a2194832786e8d05a78e2fa5b17d4f6844f4d0374dc5
Opcode Fuzzy Hash: a6d6fde2cd3702cf89f164736c34abca2307d21b37850cca3c97837af4483403
Instruction Fuzzy Hash: DAF0F4715087806FC3128B16EC40863FFE8EF86630708C4ABED888B212D135B908CB71

Uniqueness

Uniqueness Score: -1.00%

Function 050ACA81, Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.601516704.00000000050A0000.00000040.00000001.sdmp, Offset: 050A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7fa29df756bc4d4d6454f215ccde8112f1cff4f0bef663bafff55dbe6b41609
Instruction ID: 672b67f79da5ae42356555a5b6829a6acdc699a0303c16534a87b92db05e4ab2
Opcode Fuzzy Hash: e7fa29df756bc4d4d6454f215ccde8112f1cff4f0bef663bafff55dbe6b41609
Instruction Fuzzy Hash: D001B531714264DFD7069F28E55472C3BA7BB95205F0A0564F406EB299CA305C82CB84

Uniqueness

Uniqueness Score: -1.00%

Function 012605D7, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.596948553.0000000001260000.00000040.00000040.sdmp, Offset: 01260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bda367aee7f9f4ad9b558fe82b652281beab17b9da139e4615466c7b16480e29
Instruction ID: f4416b85927efb8dedb75b665e953f52398b42798e4d67b22972af9f0c85c0c0
Opcode Fuzzy Hash: bda367aee7f9f4ad9b558fe82b652281beab17b9da139e4615466c7b16480e29
Instruction Fuzzy Hash: B4F0A4B65097806FD7128B16EC40862FFA8EA86620709C49FED498B612D225A908CB72

Uniqueness

Uniqueness Score: -1.00%

Function 050AB0C0, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.601516704.00000000050A0000.00000040.00000001.sdmp, Offset: 050A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b290e469def947a4e8ceef1a5f06ce396c5e8a054a6b7e838d15133246ef98e0
Instruction ID: 093d8bdac9f3092b0f370df58ad93e84be7b309e834cc51da8744c5700b3c7c4
Opcode Fuzzy Hash: b290e469def947a4e8ceef1a5f06ce396c5e8a054a6b7e838d15133246ef98e0
Instruction Fuzzy Hash: 3C01A232700201CBC745FB78E91565C7BE3AF8821179C8679EA0ADB354EF31DC028791

Uniqueness

Uniqueness Score: -1.00%

Function 050A1218, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.601516704.00000000050A0000.00000040.00000001.sdmp, Offset: 050A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0156d5b573f7783ba4ae5dda84652ea074f1a8ba930145ca8b2c657ff3b9f14d
Instruction ID: 3f9723efe677b7f50e81c50334dffb08bdfa3a38ab5cb78ea94c15d028271330
Opcode Fuzzy Hash: 0156d5b573f7783ba4ae5dda84652ea074f1a8ba930145ca8b2c657ff3b9f14d
Instruction Fuzzy Hash: 33011D31304010CBC608EB6DE05896D7BEBBFC5610B2441AAE506CB7A5DFB5DC59C781

Uniqueness

Uniqueness Score: -1.00%

Function 050A5CD0, Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.601516704.00000000050A0000.00000040.00000001.sdmp, Offset: 050A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8d6cbaad33c3646aa8f34bd13cc542fd2620e698415de37c78a627f8842c525
Instruction ID: 5d01f99a8af91cb48ba16c9f801909528d03b5de5ad1d32d18d2ab6f28a41ba5
Opcode Fuzzy Hash: c8d6cbaad33c3646aa8f34bd13cc542fd2620e698415de37c78a627f8842c525
Instruction Fuzzy Hash: 27F06272E002158F8F94EBBC98156EFBBF5AF89354B15416AC409E3742EB308A06C7D5

Uniqueness

Uniqueness Score: -1.00%

Function 050AAF40, Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.601516704.00000000050A0000.00000040.00000001.sdmp, Offset: 050A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a751216ecbcce15b4a521490040f5cae199cdd513ae0d05a275123244abf99c8
Instruction ID: 37af1475413933fb2c7a21033d7afe4764ede715b2b65f9f371f8f8a9c2bfbe2
Opcode Fuzzy Hash: a751216ecbcce15b4a521490040f5cae199cdd513ae0d05a275123244abf99c8
Instruction Fuzzy Hash: 68014FB1F102198FCB90EFF8A9467ADBBE4EB54610F20462ADA44E7284EB305541CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 050A8A30, Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.601516704.00000000050A0000.00000040.00000001.sdmp, Offset: 050A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa6ef60f83163d4abab8766fdd3b78442b296e0b37bdc1325b5af19277d237a5
Instruction ID: 1c4f30644cb7e85e33f69b56dd6af28278176bcee2c5c39ff3456f66d00e1af7
Opcode Fuzzy Hash: aa6ef60f83163d4abab8766fdd3b78442b296e0b37bdc1325b5af19277d237a5
Instruction Fuzzy Hash: 4F01E2B5E00208EFDB48DFA9D480AEEBBF5EF98300F1085AAD805A3345E7305A80DF50

Uniqueness

Uniqueness Score: -1.00%

Function 050AAEB9, Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.601516704.00000000050A0000.00000040.00000001.sdmp, Offset: 050A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab023ab8922ee657272aba5026bcfda00aa8e15806df4621f5e96f752508df25
Instruction ID: e7e088507cb9fda2ca1b3ad429fac6ebd7d07acd0465b51cb90f6c4eb42d8ed2
Opcode Fuzzy Hash: ab023ab8922ee657272aba5026bcfda00aa8e15806df4621f5e96f752508df25
Instruction Fuzzy Hash: 74F0D130B002159BCF08EBF8E881AAE7776BB88214F204A65E5009B389DFB1990187A4

Uniqueness

Uniqueness Score: -1.00%

Function 050AB0D0, Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.601516704.00000000050A0000.00000040.00000001.sdmp, Offset: 050A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c4da03246d43c5ed107b59cf4549b382e7ee5619078627984b22e9629094dfe
Instruction ID: 2e5884429a6ae4f95373faabedccd3bba0cc8308d71e3f52afa29fdaaa9ce7c7
Opcode Fuzzy Hash: 3c4da03246d43c5ed107b59cf4549b382e7ee5619078627984b22e9629094dfe
Instruction Fuzzy Hash: A8F04F31300211CBC745FB79E81555D7BE7ABC82247988679EA0BCB354EF71AC028B91

Uniqueness

Uniqueness Score: -1.00%

Function 050A87B8, Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.601516704.00000000050A0000.00000040.00000001.sdmp, Offset: 050A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba775690f8e8456cfc17730f43767f789f02cbc393b3bb05d5aa5cede7fbd229
Instruction ID: 03ac2e87269644e197e2212727d3be461df708ce5ac4a834fa560d2ef23009bf
Opcode Fuzzy Hash: ba775690f8e8456cfc17730f43767f789f02cbc393b3bb05d5aa5cede7fbd229
Instruction Fuzzy Hash: 97F06D76E08245CFCB02CAB5AA448AFBBB6AFA5210B1084A7D102A7621D2359905CB61

Uniqueness

Uniqueness Score: -1.00%

Function 050A68D0, Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.601516704.00000000050A0000.00000040.00000001.sdmp, Offset: 050A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0276aa5c5d21f4411633412f564034bd1a1c4eb7a4a2f63b6f820981b5beced
Instruction ID: 82d08ad88f4049847decb150704deae95635aee3908e884a7ad1000da3f3b5f5
Opcode Fuzzy Hash: c0276aa5c5d21f4411633412f564034bd1a1c4eb7a4a2f63b6f820981b5beced
Instruction Fuzzy Hash: ADF0F633E08345AADB54D6B4B4146FF7BF78785254F04447AC94997285E6374A0186D1

Uniqueness

Uniqueness Score: -1.00%

Function 050A68E0, Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.601516704.00000000050A0000.00000040.00000001.sdmp, Offset: 050A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7bd15c46ab5af7a2f763487c572da5ccb9f1d160d6294e2d14a9a8b8902ed5b4
Instruction ID: 6645cfd4054d47e423fbe99d1b52745d06a228a72601f3b13ae11d58c7688c9d
Opcode Fuzzy Hash: 7bd15c46ab5af7a2f763487c572da5ccb9f1d160d6294e2d14a9a8b8902ed5b4
Instruction Fuzzy Hash: 6DF0BE33F08115AB8B54D2B9B8205BF7AFB9785694F084066C90ADB785EE325A0586D2

Uniqueness

Uniqueness Score: -1.00%

Function 050A64A0, Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.601516704.00000000050A0000.00000040.00000001.sdmp, Offset: 050A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72ee8a1410a7c3305e2c00164f7feecb5e434d26a0a0c7cae87deca6483a363c
Instruction ID: adf0e74e05903f00d5a74a88c1e4eeee1f4a424ee419e3fe0c0a09f97336555d
Opcode Fuzzy Hash: 72ee8a1410a7c3305e2c00164f7feecb5e434d26a0a0c7cae87deca6483a363c
Instruction Fuzzy Hash: 89F02432E042058FDB60D2B9A4106FF7BF6DB84754F44417BCD06A7281EA334A0286C1

Uniqueness

Uniqueness Score: -1.00%

Function 050AA691, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.601516704.00000000050A0000.00000040.00000001.sdmp, Offset: 050A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0f9792367067dffd8c502f9cd755f5d061217f87791606530409270dcd6332f
Instruction ID: 9de8ad1a7320eb3f82c5df176b1f2ed1a8c8d6b14497673d58f915ba80985a00
Opcode Fuzzy Hash: b0f9792367067dffd8c502f9cd755f5d061217f87791606530409270dcd6332f
Instruction Fuzzy Hash: A5F0F6727042408FCB0A97E8B81426D3FA2ABC521931D846ED50ADB691EE719C07CB91

Uniqueness

Uniqueness Score: -1.00%

Function 050ACD68, Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.601516704.00000000050A0000.00000040.00000001.sdmp, Offset: 050A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72823781b8064c2ea96a4c2e80acf52f675ccaef6f6d024c084ad939766c089a
Instruction ID: c11b95f6bd07e58285ea9f874c84544d3352c0b520aeac4a9b3d33cb307114ff
Opcode Fuzzy Hash: 72823781b8064c2ea96a4c2e80acf52f675ccaef6f6d024c084ad939766c089a
Instruction Fuzzy Hash: E6F055737040602B866962DC281066F3BEBCBD066036A013BF405D7380CE22AC0243FA

Uniqueness

Uniqueness Score: -1.00%

Function 050A55D9, Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.601516704.00000000050A0000.00000040.00000001.sdmp, Offset: 050A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4610df0e5acbd36753ca39cf7950087c44a51cc20fc5eafa8e6037ad93082a3
Instruction ID: b147fb61d6941fd3cdd76b4736831a8804f084b73b28daaabdfad8eab4386616
Opcode Fuzzy Hash: b4610df0e5acbd36753ca39cf7950087c44a51cc20fc5eafa8e6037ad93082a3
Instruction Fuzzy Hash: 32E02233B102482B8F115478A8681EFBBEBEBC4230F04483BDA09E3281F962651282E0

Uniqueness

Uniqueness Score: -1.00%

Function 050A0918, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.601516704.00000000050A0000.00000040.00000001.sdmp, Offset: 050A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfebd1c59500871db0173f6544c12872816a3288605a7a9c65e7d491ca7a3414
Instruction ID: 9d16a6e5ad1d03b617c52dbcb20df6d8ddf71500f4b2710763a253338118c701
Opcode Fuzzy Hash: cfebd1c59500871db0173f6544c12872816a3288605a7a9c65e7d491ca7a3414
Instruction Fuzzy Hash: ABE0E533E1521C9BAB5099F8F8285AFBBAA97C5350F004437DA07A7244D971484242D2

Uniqueness

Uniqueness Score: -1.00%

Function 050A45B9, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.601516704.00000000050A0000.00000040.00000001.sdmp, Offset: 050A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed6f5ba8aac324b1bb370b4d19cd2c2ad804388f112057b0572fc505e1ba11fd
Instruction ID: 6978eff221a50f51b97e59bb409c30f7d8de6f9c297eb74f0b27852d611e421c
Opcode Fuzzy Hash: ed6f5ba8aac324b1bb370b4d19cd2c2ad804388f112057b0572fc505e1ba11fd
Instruction Fuzzy Hash: A3F0E271E043695FCB90CBB99C05BAEBBF8EBC5210F0141BED508D7152E2305A04CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 050A6861, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.601516704.00000000050A0000.00000040.00000001.sdmp, Offset: 050A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e22fdb2b2050d54fc57a6644c48c5365647deda4131d186e0ad185c361dc9118
Instruction ID: 666fffc3350be5f64e2d4d182009000093df3f2704d55e00a9434388f7d27fe5
Opcode Fuzzy Hash: e22fdb2b2050d54fc57a6644c48c5365647deda4131d186e0ad185c361dc9118
Instruction Fuzzy Hash: 0AF0F672E0C3858FEB526BE474145AC3BE9AFA1258F4E01FBC4558B152E7A608408751

Uniqueness

Uniqueness Score: -1.00%

Function 050A4700, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.601516704.00000000050A0000.00000040.00000001.sdmp, Offset: 050A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e585bf693ff21eb3fef0356ceeb0b999c9d86838858334b7a90deb7dbf6011eb
Instruction ID: 225f8dae5deaa35131bfb6b8242ab3953339d55dd2920e172fdf3b7c5dda3262
Opcode Fuzzy Hash: e585bf693ff21eb3fef0356ceeb0b999c9d86838858334b7a90deb7dbf6011eb
Instruction Fuzzy Hash: 2BE0223B2093C0AFCF2386F4B9207FD27A6DBD3294F41007BE001CF641E4A268028310

Uniqueness

Uniqueness Score: -1.00%

Function 050A5FD0, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.601516704.00000000050A0000.00000040.00000001.sdmp, Offset: 050A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e0119d1107ee276b45a16a8addc4a93d1207eaf22f9593b75b37dbcb126c221
Instruction ID: 7bd0aa3f8e74ae5d488abcc7211474140cd3ad7b942cde0fee6b5bbe781450af
Opcode Fuzzy Hash: 4e0119d1107ee276b45a16a8addc4a93d1207eaf22f9593b75b37dbcb126c221
Instruction Fuzzy Hash: A2F01771E053499FCF64DFF8A849AEEBFF5EB89204F10447AD559E6200E63646018BA0

Uniqueness

Uniqueness Score: -1.00%

Function 01260938, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.596948553.0000000001260000.00000040.00000040.sdmp, Offset: 01260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 525cef522958239b2deb72ab7ac90410e2832b06fb356f1b7ca8807ee3c9392c
Instruction ID: 0051cfe9aa32a2ccddda3558afa79df4aa604f8d0726296bb6f0dcd11ab008bb
Opcode Fuzzy Hash: 525cef522958239b2deb72ab7ac90410e2832b06fb356f1b7ca8807ee3c9392c
Instruction Fuzzy Hash: E8F01D35114645DFC306DF04D540B15FBA6EB89718F24CAADE9490B752C337D813DA85

Uniqueness

Uniqueness Score: -1.00%

Function 050A6120, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.601516704.00000000050A0000.00000040.00000001.sdmp, Offset: 050A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5e1129be6d796a12d469756fec812db46de0c83c10608d5687e0e9f8338e65e
Instruction ID: ba3b2a230946d86acbde0fa58f09b313c63afca3120b986f79b404eb74c86872
Opcode Fuzzy Hash: e5e1129be6d796a12d469756fec812db46de0c83c10608d5687e0e9f8338e65e
Instruction Fuzzy Hash: 52F0E532B043525FC71AD6BC641066EABBB4BDA218F1E047FD115DB292DD225C028764

Uniqueness

Uniqueness Score: -1.00%

Function 050AA6A8, Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.601516704.00000000050A0000.00000040.00000001.sdmp, Offset: 050A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a655fef1698c3300f8a728a2c3ebfd58393714a33484638bac340fae67d1c7f7
Instruction ID: 1dde643185b2a5aec983a849c6a659e3562c8247efae5be21e510360845c01f4
Opcode Fuzzy Hash: a655fef1698c3300f8a728a2c3ebfd58393714a33484638bac340fae67d1c7f7
Instruction Fuzzy Hash: F5F01C323042008F8F08A6ACB41456D7BA7ABC5229368853DE60ADB650DF72AC478B91

Uniqueness

Uniqueness Score: -1.00%

Function 050AE5A8, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.601516704.00000000050A0000.00000040.00000001.sdmp, Offset: 050A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb585be4311dd143560cdd720c085bd41ba7aa84edede654e669b60f3cb65249
Instruction ID: 9e051b4be9f53e32522af9ed8977fc313e2a3eeeb021716fc5e33cbe1fc84368
Opcode Fuzzy Hash: cb585be4311dd143560cdd720c085bd41ba7aa84edede654e669b60f3cb65249
Instruction Fuzzy Hash: B8F0E5322056618BC716D7F8EA204AD3BAADFC252431988AEC54AEB342FF71DC054390

Uniqueness

Uniqueness Score: -1.00%

Function 050A780F, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.601516704.00000000050A0000.00000040.00000001.sdmp, Offset: 050A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a26904f2b3b81add859f2a54522cd032b5024c15cf0a0f8cd482872435da4c6
Instruction ID: a073641cd8d83c5c6b42aa002e44a3b9f8ab694197756d8b0b0eed992aee6453
Opcode Fuzzy Hash: 8a26904f2b3b81add859f2a54522cd032b5024c15cf0a0f8cd482872435da4c6
Instruction Fuzzy Hash: 1BE09B37B011114FDB54B3F9B8183EE66969FC0554F804438C516DFBC4EE114D45C792

Uniqueness

Uniqueness Score: -1.00%

Function 050A8C38, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.601516704.00000000050A0000.00000040.00000001.sdmp, Offset: 050A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02315eb0ba6e0519407f786276951971c1a260d5847e87d7fff6cdef8fe27525
Instruction ID: 8e650fd7adfef876a070eecc818b181e77066b2dba8df6bd73619cd639100f59
Opcode Fuzzy Hash: 02315eb0ba6e0519407f786276951971c1a260d5847e87d7fff6cdef8fe27525
Instruction Fuzzy Hash: D7F0E533B0A2604BCB621BB4B82C6597FFAEF49291B1541ABFD02D7742DA315C00CBD2

Uniqueness

Uniqueness Score: -1.00%

Function 050A57A2, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.601516704.00000000050A0000.00000040.00000001.sdmp, Offset: 050A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5ef4c81fb4e46ac4fc438cfafa3033c1651aac611e82dd96a386301a8277541
Instruction ID: ec4e489d0bc3202fa456efa58583006bbf289f594fb9353529b29093f57cd324
Opcode Fuzzy Hash: d5ef4c81fb4e46ac4fc438cfafa3033c1651aac611e82dd96a386301a8277541
Instruction Fuzzy Hash: 86F08C32B04004CBDF49EBF9FA502FD77A2AF80204B608136D216AB184EE3008418B91

Uniqueness

Uniqueness Score: -1.00%

Function 050AEAE9, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.601516704.00000000050A0000.00000040.00000001.sdmp, Offset: 050A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbcd0f00609706ec8d47f8a0ab5a5ed96f87689b44f3396430fae68f4d451a4f
Instruction ID: 50647092dbeabd191629eb12f223b29da35dfe71d19dd7a7ae7c07c4f69540cb
Opcode Fuzzy Hash: bbcd0f00609706ec8d47f8a0ab5a5ed96f87689b44f3396430fae68f4d451a4f
Instruction Fuzzy Hash: C7E02B733206118BC328D5DCE5255AF77CA9BC5A55705852DC51BDB344FF329C064790

Uniqueness

Uniqueness Score: -1.00%

Function 050AC2D8, Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.601516704.00000000050A0000.00000040.00000001.sdmp, Offset: 050A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5704756dc73da343de8544da8f5f3e1ccdbe9ba398cef9ed46acc9a03cb30df
Instruction ID: b1ec20523cceebacea5737b4dda3e81cca18d1d37af6ce9de6b60778e6e17070
Opcode Fuzzy Hash: e5704756dc73da343de8544da8f5f3e1ccdbe9ba398cef9ed46acc9a03cb30df
Instruction Fuzzy Hash: C3F03A37204B408FD330CFA9E140A1ABBF6FF882207158A6EE49AC3A10D370F9048B51

Uniqueness

Uniqueness Score: -1.00%

Function 012605F6, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.596948553.0000000001260000.00000040.00000040.sdmp, Offset: 01260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d73c2538d2f3fa199d0420eb2d96a9f2639ac2cbc62d5f996e8c43c1be8754b
Instruction ID: 553e730127a440e60c1019b072d85e058d1ed6755a992d26fbfb3667898a69e1
Opcode Fuzzy Hash: 1d73c2538d2f3fa199d0420eb2d96a9f2639ac2cbc62d5f996e8c43c1be8754b
Instruction Fuzzy Hash: 4AE09276A006008BD650DF0BEC81462FBD8EB88630B18C47FDD0D8B700E235F504CEA5

Uniqueness

Uniqueness Score: -1.00%

Function 050A0916, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.601516704.00000000050A0000.00000040.00000001.sdmp, Offset: 050A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a15f8ffbd97b1c610881fff7288a668a4d7a938a2dd7bb3967eaad8e3333e18f
Instruction ID: 4de045e0ca2c397fa40b4978fbb0010eee5edcb3fbf2715a8baedfde1f2d3cb7
Opcode Fuzzy Hash: a15f8ffbd97b1c610881fff7288a668a4d7a938a2dd7bb3967eaad8e3333e18f
Instruction Fuzzy Hash: B1E02232E2621C8BE7609AF4A82857F7AAB5BC5340F00442B8903A7344C9704C424281

Uniqueness

Uniqueness Score: -1.00%

Function 050A89D8, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.601516704.00000000050A0000.00000040.00000001.sdmp, Offset: 050A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aada147dfed5bc3d27f9f3155b1c923d819359f5214ddbace27d86609777927b
Instruction ID: 07993363ca8f4eb43ded5caf28fd36b3e819bbb3bcf2f24ef59f1da2e3443d62
Opcode Fuzzy Hash: aada147dfed5bc3d27f9f3155b1c923d819359f5214ddbace27d86609777927b
Instruction Fuzzy Hash: DCF058B9D09288AFCB41DFA8D58049DBBB4EF1B200B2455EBC946DB603E6345E46CB41

Uniqueness

Uniqueness Score: -1.00%

Function 050A6880, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.601516704.00000000050A0000.00000040.00000001.sdmp, Offset: 050A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 106792d722724aef8ad2c2167bb4af110c2e45318d84b6164ba79da541360e07
Instruction ID: baae062a9147371e658a488c79c1128c7d0d78b7ad1888e8fa6cd84cc7115575
Opcode Fuzzy Hash: 106792d722724aef8ad2c2167bb4af110c2e45318d84b6164ba79da541360e07
Instruction Fuzzy Hash: B1E02233D0C2458FEB1916E434006AC3BFDAB51294B0E02ABC912CA281D69A4C418BA6

Uniqueness

Uniqueness Score: -1.00%

Function 050AD09E, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.601516704.00000000050A0000.00000040.00000001.sdmp, Offset: 050A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14eb1b84b1a0b049ff58f87dd0de13f0de59b8a4295577acce1c18015ca9f4f3
Instruction ID: 9f4e8bb824d264a5cfc190b4640d00c21b3f493610dd54936e29a6c75372c039
Opcode Fuzzy Hash: 14eb1b84b1a0b049ff58f87dd0de13f0de59b8a4295577acce1c18015ca9f4f3
Instruction Fuzzy Hash: EBE0D8A77181409FC71692A86010A7D37A76AC105231A44978107CB761DD518C038362

Uniqueness

Uniqueness Score: -1.00%

Function 050A6130, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.601516704.00000000050A0000.00000040.00000001.sdmp, Offset: 050A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b7b29b314ca348be48d0b374e06ee38ac432083083f1d3ff9df0930ecb855cd
Instruction ID: 577ed63fca1f8a4d90855a0d70fe4130e871df5aa6d46e95a7e0568cbdf774f7
Opcode Fuzzy Hash: 5b7b29b314ca348be48d0b374e06ee38ac432083083f1d3ff9df0930ecb855cd
Instruction Fuzzy Hash: 2CE0863170021667C619A1ED641072EF6EF4BD9655F19443A921697380CD62AC4243A9

Uniqueness

Uniqueness Score: -1.00%

Function 050AE5B8, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.601516704.00000000050A0000.00000040.00000001.sdmp, Offset: 050A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 333fc1779c9ff163476b0740551df85a2c8f843a57beefbdd8c7c04bcf6fd0d9
Instruction ID: 564f0609c8e18a292e7987aaaa69e7978fdf6c53b14d164e619fd55d14968dd2
Opcode Fuzzy Hash: 333fc1779c9ff163476b0740551df85a2c8f843a57beefbdd8c7c04bcf6fd0d9
Instruction Fuzzy Hash: FCE04832300525974628D6ADE51086E77DEDBC5564354842DD51A9B344FF72DC0147D0

Uniqueness

Uniqueness Score: -1.00%

Function 050A8C48, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.601516704.00000000050A0000.00000040.00000001.sdmp, Offset: 050A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9418eff204fc9bcab6ef54c8f2dcc65c7164686d38d49443d52ba1c787bbae93
Instruction ID: 811e5fb28002db6eaf6ca40432e26170c26675daf9a9d24348a0bc040828e957
Opcode Fuzzy Hash: 9418eff204fc9bcab6ef54c8f2dcc65c7164686d38d49443d52ba1c787bbae93
Instruction Fuzzy Hash: 23E06D32B1612087C7A46EA9A4185297BEAEB886D1325817AE906D7344DE708C00CBD2

Uniqueness

Uniqueness Score: -1.00%

Function 050AEAF8, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.601516704.00000000050A0000.00000040.00000001.sdmp, Offset: 050A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a00e29ade61d7c0daf0f41422ee9f0e68cd4a3101d8269bb36c21da4298ad268
Instruction ID: 1849d6ed706e55e0543db97afcaba3b0d1128fd382e8fb697bab4c1e9adea4f1
Opcode Fuzzy Hash: a00e29ade61d7c0daf0f41422ee9f0e68cd4a3101d8269bb36c21da4298ad268
Instruction Fuzzy Hash: 8BE0DF323205218B8228D6DCE52886FBBDFEBC1664354852EC51B9B304EF72EC0687D0

Uniqueness

Uniqueness Score: -1.00%

Function 011EAF0F, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.596664481.00000000011E2000.00000040.00000001.sdmp, Offset: 011E2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ff3b1b80a853caf3b45c0e99591a8f04b4d37587be47d98b26fa8ec5a0c288a
Instruction ID: 456ccaac8073ef81a066d8a4d06ea9f465c0cafb9e75d8e92e4087241b0c75d6
Opcode Fuzzy Hash: 0ff3b1b80a853caf3b45c0e99591a8f04b4d37587be47d98b26fa8ec5a0c288a
Instruction Fuzzy Hash: 03E0D87290020467D2109E069C81B63FB5CEB44A30F14C557EF0C1B301D271B504CAF5

Uniqueness

Uniqueness Score: -1.00%

Function 050AF417, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.601516704.00000000050A0000.00000040.00000001.sdmp, Offset: 050A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43c37140ed6c7fbaceccc389414be08feeac7c0d02baa3d011702f68ac5e9792
Instruction ID: f25516a58920f76034150b396ab9ad10bbe5b4d8ecd6addfee8bd5f58ea55391
Opcode Fuzzy Hash: 43c37140ed6c7fbaceccc389414be08feeac7c0d02baa3d011702f68ac5e9792
Instruction Fuzzy Hash: 66E0CD727512241FD7489AEC98515FA77CBDBC9654B05842FD905D77C1DA225C0387D0

Uniqueness

Uniqueness Score: -1.00%

Function 050A5DE8, Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.601516704.00000000050A0000.00000040.00000001.sdmp, Offset: 050A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bb7e2d0473a0b053e9f0052107afc63fc9bc583f0898690e1bd0baffff760b8
Instruction ID: 1c089a73f9cb539ba54dcab87f9b2879ff02880a59b5b3ebd93c220290f4d7fc
Opcode Fuzzy Hash: 3bb7e2d0473a0b053e9f0052107afc63fc9bc583f0898690e1bd0baffff760b8
Instruction Fuzzy Hash: 75E08633A652515FCF6BA6E468210FD3B662BA221475105AFD006CB643E9150C018790

Uniqueness

Uniqueness Score: -1.00%

Function 050AE5F8, Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.601516704.00000000050A0000.00000040.00000001.sdmp, Offset: 050A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec50cf8205589d9d1a859992effc1523a0f5af28bdb529e930e75571aa98aaad
Instruction ID: 706daf3d216eea97040da82989b3dcf7f709f33f69084f3ee98e17548c97c93b
Opcode Fuzzy Hash: ec50cf8205589d9d1a859992effc1523a0f5af28bdb529e930e75571aa98aaad
Instruction Fuzzy Hash: 1EE02673408310C7C76199E4F8246BE73DEA7C9683F040D2EE94683140CA21BC0187E2

Uniqueness

Uniqueness Score: -1.00%

Function 050AD0B0, Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.601516704.00000000050A0000.00000040.00000001.sdmp, Offset: 050A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bf04a59f0a7b02bcd14c769270d8bda52d367a408d257e6d7621dc605279498
Instruction ID: 0a784423fd7f18012f1ec83ce3f697983f9510a576c169bcd60891a46d872997
Opcode Fuzzy Hash: 6bf04a59f0a7b02bcd14c769270d8bda52d367a408d257e6d7621dc605279498
Instruction Fuzzy Hash: A6E01223714015DB4615A1AE6010E7E739BBAC5566365416B9107C7B60DD929C12C3A2

Uniqueness

Uniqueness Score: -1.00%

Function 050A89E8, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.601516704.00000000050A0000.00000040.00000001.sdmp, Offset: 050A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e4d6674d62d716fe3c1b6a417eff2edd681418422588a37f8d3a9006828f0b4
Instruction ID: d5902ab555839c0543fe25ff3ca7af44bcdfa4aba8d9773760599850be50b3cc
Opcode Fuzzy Hash: 4e4d6674d62d716fe3c1b6a417eff2edd681418422588a37f8d3a9006828f0b4
Instruction Fuzzy Hash: 52E0ED78D14208EFDB54EFA9E14569DBBF5EF48304F14D5A69C0593345EB306A40DF41

Uniqueness

Uniqueness Score: -1.00%

Function 050AB001, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.601516704.00000000050A0000.00000040.00000001.sdmp, Offset: 050A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf45112e1f04c9f8c1a58a48b75a3551b6b10442451854287384ebc94efc15ec
Instruction ID: fc879dc1e298444b7e9f48a0d8b444c5f43818a31c2d2cce7910eb899d312f20
Opcode Fuzzy Hash: bf45112e1f04c9f8c1a58a48b75a3551b6b10442451854287384ebc94efc15ec
Instruction Fuzzy Hash: AFE0863A704220CBDB44BBF8A11D76D7AE7ABEC651F10016ADA26EB3A5DD358C114721

Uniqueness

Uniqueness Score: -1.00%

Function 050A8AC0, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.601516704.00000000050A0000.00000040.00000001.sdmp, Offset: 050A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2a8c58104a47bdd2c6b50f2b3ee4c306ebb9aba3399a1046f8901a9a66cd57f
Instruction ID: 66f7755300d0f2d77e29bea7c133c6c38028f46f7379cf28b7a675772ce67398
Opcode Fuzzy Hash: b2a8c58104a47bdd2c6b50f2b3ee4c306ebb9aba3399a1046f8901a9a66cd57f
Instruction Fuzzy Hash: 3CE05972214219CBD600EF99F88085D3B6AFF60314754D666E9069A61CDBB1AD06C781

Uniqueness

Uniqueness Score: -1.00%

Function 050A6459, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.601516704.00000000050A0000.00000040.00000001.sdmp, Offset: 050A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0748565d552ba2f39a69f3af1a2fba471bdde010f94047b41423fc459ac8ded7
Instruction ID: 2f8a6a231825e3191bb6b651c2be3b64c189b32e043c4a9468d4c216083bfdef
Opcode Fuzzy Hash: 0748565d552ba2f39a69f3af1a2fba471bdde010f94047b41423fc459ac8ded7
Instruction Fuzzy Hash: 5AE048317003145BD758D768D5117B977D99FC5218B15845FD807E7381D7729C028BD0

Uniqueness

Uniqueness Score: -1.00%

Function 050AB680, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.601516704.00000000050A0000.00000040.00000001.sdmp, Offset: 050A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93022cbf2cb0573c559178f67585d3307531b8b6177d2a2578709867c666bc80
Instruction ID: 05bf324a4dea6cb7e2ef2b58817d62b68cd95bea6aa96ba7d0b02120e93cb571
Opcode Fuzzy Hash: 93022cbf2cb0573c559178f67585d3307531b8b6177d2a2578709867c666bc80
Instruction Fuzzy Hash: 24E01276A04B104FD3349F6AA401152FBF6BBD42217159A3FC55987604DB7469098B90

Uniqueness

Uniqueness Score: -1.00%

Function 050A02A0, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.601516704.00000000050A0000.00000040.00000001.sdmp, Offset: 050A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a675525c25665def99d440d3af9323d6a772e22c6748043b65342284d3b4f77
Instruction ID: 9c2f3fcd2ecb6e6bda31e1cc7710d8f5e7267de5f423b911ed62149eaa1b5651
Opcode Fuzzy Hash: 1a675525c25665def99d440d3af9323d6a772e22c6748043b65342284d3b4f77
Instruction Fuzzy Hash: 1BE0C231409704CFC76686B4E42D8CD7BF1FB956007848C4AD0828B558D7217D41C710

Uniqueness

Uniqueness Score: -1.00%

Function 050A6890, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.601516704.00000000050A0000.00000040.00000001.sdmp, Offset: 050A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e63264c72f4a2a1c17fa09091a19b0cc6580ad28e93a248c182fd6c4572977ef
Instruction ID: 3da70eeb5d4376b6a3c9c9bbf78e8f28afba91743eea9fed5b8742372314ed86
Opcode Fuzzy Hash: e63264c72f4a2a1c17fa09091a19b0cc6580ad28e93a248c182fd6c4572977ef
Instruction Fuzzy Hash: B9D05B32E0C115C7FA1466D5740476D35DED7446D5B0D0136DE16C6240DAD78C8057DA

Uniqueness

Uniqueness Score: -1.00%

Function 050A79A8, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.601516704.00000000050A0000.00000040.00000001.sdmp, Offset: 050A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 607d3bef1b45902b201863b1d53d2827a45d6bbbb60b4909a72c1d42d3bbdc45
Instruction ID: 9d09b209f269c13a3189d15967a5cab853c08fbf33126a67d58c85eb49521d90
Opcode Fuzzy Hash: 607d3bef1b45902b201863b1d53d2827a45d6bbbb60b4909a72c1d42d3bbdc45
Instruction Fuzzy Hash: 9FD0C23300C310CEC736DAE5B400A6EBBEBEB85218F04885F8183055408561E084C3A2

Uniqueness

Uniqueness Score: -1.00%

Function 050AF428, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.601516704.00000000050A0000.00000040.00000001.sdmp, Offset: 050A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7577c65995f09e59cbd1308727709e7452066f900685cb73e980c078c4035a5
Instruction ID: 5451844e567f04b5b5782406611cb517df7cfcb021d9ae03533164105aea65f8
Opcode Fuzzy Hash: f7577c65995f09e59cbd1308727709e7452066f900685cb73e980c078c4035a5
Instruction Fuzzy Hash: E7D0A7313011381B550CEAEDC8108BA73CFDBC5514304C86EA50AEB3C0CE73AC0243D0

Uniqueness

Uniqueness Score: -1.00%

Function 050A6468, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.601516704.00000000050A0000.00000040.00000001.sdmp, Offset: 050A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 636c104ad0ec20f44b28e20f4c50c2aeab77f1757083e7bc8f9a8c27be9e118f
Instruction ID: 0149e53085b0889a766f21c524f39dd85ad4d37f816b0d479435281cec17e5e9
Opcode Fuzzy Hash: 636c104ad0ec20f44b28e20f4c50c2aeab77f1757083e7bc8f9a8c27be9e118f
Instruction Fuzzy Hash: 85D05E31700128179918A6ADD8109BA738EDBC5554304845EA90AE7380CE62AC0243D0

Uniqueness

Uniqueness Score: -1.00%

Function 050A57F6, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.601516704.00000000050A0000.00000040.00000001.sdmp, Offset: 050A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82f20f6402b69fd496b210b88d830b78d021225868c6b1b6aee45e49276fd422
Instruction ID: 5b02fadf0a2201f272d2ce4c75fbaa8522bd76332da8191341849ac491adb9e2
Opcode Fuzzy Hash: 82f20f6402b69fd496b210b88d830b78d021225868c6b1b6aee45e49276fd422
Instruction Fuzzy Hash: 54D0EC36A04004CB9E14A7E4BA552EC7BA2AA84124B105476C216A7140DE3104554792

Uniqueness

Uniqueness Score: -1.00%

Function 050AE608, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.601516704.00000000050A0000.00000040.00000001.sdmp, Offset: 050A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e5c302d6db057c0db27f29c26710b0b398a4281e1c4cb453d3ba48f517b04e0
Instruction ID: 957d449dff1125e95801479c53d7e5b2f071de1f95c9a963184fe28abade730a
Opcode Fuzzy Hash: 4e5c302d6db057c0db27f29c26710b0b398a4281e1c4cb453d3ba48f517b04e0
Instruction Fuzzy Hash: 51D05E73518220DBCA66DEE4F0205FEB29EA7C9592B004E2AE54B87140CA22B80183E1

Uniqueness

Uniqueness Score: -1.00%

Function 050A064F, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.601516704.00000000050A0000.00000040.00000001.sdmp, Offset: 050A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af5e3a63d309f87dbba6153e75ddc72eea2ebf70d6f7b8a8d927a720f9b92a91
Instruction ID: 85a9f5ce17ed64a2a0f8ffa7b9fadd961323b6b16cc6a41825a8f73eb009f300
Opcode Fuzzy Hash: af5e3a63d309f87dbba6153e75ddc72eea2ebf70d6f7b8a8d927a720f9b92a91
Instruction Fuzzy Hash: 58D02E328853009FC3498AF068290EC3BA1DAE3229B0084B6C40082820C1374AAB8B41

Uniqueness

Uniqueness Score: -1.00%

Function 050AEB38, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.601516704.00000000050A0000.00000040.00000001.sdmp, Offset: 050A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b03a471ea18ca6bc9813e6dd0e3f65b1d68999ef7b64c3287b7d9cf65900c77
Instruction ID: fddab590ec253569126c053ed499a51049150bf2b06e4902485143865a5ebedd
Opcode Fuzzy Hash: 6b03a471ea18ca6bc9813e6dd0e3f65b1d68999ef7b64c3287b7d9cf65900c77
Instruction Fuzzy Hash: 41D02EB382A200CBC720DAE0F5A82AF7B2A9B00A07F050C2DC40B47A80CA31A9088340

Uniqueness

Uniqueness Score: -1.00%

Function 011D23F4, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.596606961.00000000011D2000.00000040.00000001.sdmp, Offset: 011D2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0c24801ef60055af5577af03982e40d96ed58ac043bdb217fd25451911fa8c7
Instruction ID: 602d449556105374d5d6d2dbb7fa504d89c41fcb5900d222f709e9a7a8053e76
Opcode Fuzzy Hash: e0c24801ef60055af5577af03982e40d96ed58ac043bdb217fd25451911fa8c7
Instruction Fuzzy Hash: 83D05E79315A818FE32B8A1CC1A8B953FA4AB51B04F5644FDEC008B663C368D981D200

Uniqueness

Uniqueness Score: -1.00%

Function 050A7400, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.601516704.00000000050A0000.00000040.00000001.sdmp, Offset: 050A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a0939ec5680cffb9ecca245d0aafbbebb033a67d769e75d7ec85179cdc98f5e
Instruction ID: c8a893c37e0441b9c71b7f38dc513a8027bf23c9d1aa610c0837cb799da69981
Opcode Fuzzy Hash: 9a0939ec5680cffb9ecca245d0aafbbebb033a67d769e75d7ec85179cdc98f5e
Instruction Fuzzy Hash: 08D0423AA001048FCB04DB88E5949DDF7F1EB88225F28C1A6D915A7251C732ED56CA50

Uniqueness

Uniqueness Score: -1.00%

Function 050AEB48, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.601516704.00000000050A0000.00000040.00000001.sdmp, Offset: 050A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4069614fc7e06e52fa802dfe3cbff9e48f33fb68fefb2073643fdf57b9fb5a84
Instruction ID: d627d1483367556ced061370322330e1110c06dba90db20ca3a3d820701448bc
Opcode Fuzzy Hash: 4069614fc7e06e52fa802dfe3cbff9e48f33fb68fefb2073643fdf57b9fb5a84
Instruction Fuzzy Hash: A6D0123353A214DB8324EAD5F45C4AF776FEA45A267004D6EE40B47640DB72BC48C7E5

Uniqueness

Uniqueness Score: -1.00%

Function 050AEEC8, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.601516704.00000000050A0000.00000040.00000001.sdmp, Offset: 050A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef8995e02223a2b00473d6c37ef27e813075f6599115876efbdcc45491c0a55f
Instruction ID: 194a9c462dfa57b2d27d05498a22e7ca13f43775196d5dae7cfb303d4fac2ff7
Opcode Fuzzy Hash: ef8995e02223a2b00473d6c37ef27e813075f6599115876efbdcc45491c0a55f
Instruction Fuzzy Hash: C0C08033604214D34B14F5F5BD054EDF79DDD45155B40047ADD1857540E631991543D1

Uniqueness

Uniqueness Score: -1.00%

Function 011D23BC, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.596606961.00000000011D2000.00000040.00000001.sdmp, Offset: 011D2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6af05ff16e25079ee24dd6904520fa871d287b22c2f233f5131044831213347b
Instruction ID: d52bed099885cf08681b67f6e03aa17359e14a0aa18a4395676f2f2f717690b4
Opcode Fuzzy Hash: 6af05ff16e25079ee24dd6904520fa871d287b22c2f233f5131044831213347b
Instruction Fuzzy Hash: 9CD05E342042818BD719DB0CC594F593BD4AB85B00F0645E8AD108B662C7B4D881C600

Uniqueness

Uniqueness Score: -1.00%

Function 050A5D5F, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.601516704.00000000050A0000.00000040.00000001.sdmp, Offset: 050A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 277b9fa618e7ca8101ad4d4f993f21f35ce24f3a2737a17b507444f5f140001a
Instruction ID: 3a48fad3a9adb685656c3f557178ef6b57e6977715fd0c810760c167fc207914
Opcode Fuzzy Hash: 277b9fa618e7ca8101ad4d4f993f21f35ce24f3a2737a17b507444f5f140001a
Instruction Fuzzy Hash: EFD0123300EBC98ECB62A7F0796877C3BB56F031047040597C4558F423DA119552D7A2

Uniqueness

Uniqueness Score: -1.00%

Function 050A5F50, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.601516704.00000000050A0000.00000040.00000001.sdmp, Offset: 050A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60c4df53043817da440582db2d306206b9cf2b8eaabaf347a32ad4825f71ead3
Instruction ID: 3dee621f4440651bc93a50dd0b047cb64fab52c9060f5f2cc524bd48dea4f9a3
Opcode Fuzzy Hash: 60c4df53043817da440582db2d306206b9cf2b8eaabaf347a32ad4825f71ead3
Instruction Fuzzy Hash: A4D0C7315CD3C56BCB52DAF4780559D7FB6599311470444EFD489C9416D5364505C712

Uniqueness

Uniqueness Score: -1.00%

Function 050A811E, Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.601516704.00000000050A0000.00000040.00000001.sdmp, Offset: 050A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1761a9e34e6c53d1507437aa081a66e74e09cf86fc86eb311c63d750ecaeb633
Instruction ID: 4a013898967f654d25c4ecb76b4344bddee441bcdbdda10cafb878066f03bf56
Opcode Fuzzy Hash: 1761a9e34e6c53d1507437aa081a66e74e09cf86fc86eb311c63d750ecaeb633
Instruction Fuzzy Hash: 35D05270A00208CF8B51CFF2EA100EE3BF1BF09220320032AE802AB389E3340C80CB40

Uniqueness

Uniqueness Score: -1.00%

Function 050A5478, Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.601516704.00000000050A0000.00000040.00000001.sdmp, Offset: 050A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f00f2338bec4427c5c377bf3c05661a8427d2dab0b848897e99e72dc2e365409
Instruction ID: 7b41c3f44574f78d9f5d6b68475cce9777cc4b967bcf89d463160ce46ea88df5
Opcode Fuzzy Hash: f00f2338bec4427c5c377bf3c05661a8427d2dab0b848897e99e72dc2e365409
Instruction Fuzzy Hash: 05D0C932008205DBEE7857F87C0D72E3AD9B70020EB0400A1D82688455DB704090C752

Uniqueness

Uniqueness Score: -1.00%

Function 050A0180, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.601516704.00000000050A0000.00000040.00000001.sdmp, Offset: 050A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1d9b469cc18fb914eb34a3af57f61a5decec5f5c82102be1bf7056b2a11a574
Instruction ID: dd54f9ae72245fdff187c359d500dffbde9b137b00aec349b40b0ed4a0df0c9a
Opcode Fuzzy Hash: e1d9b469cc18fb914eb34a3af57f61a5decec5f5c82102be1bf7056b2a11a574
Instruction Fuzzy Hash: 3AD01230210304CFCB2C2BF1E01842C33AAAF88306780087CE8268B758EF36E8C0CB44

Uniqueness

Uniqueness Score: -1.00%

Function 050AF460, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.601516704.00000000050A0000.00000040.00000001.sdmp, Offset: 050A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2742aec033566d7fe796932438a5ee9f70847c0481a7d831e592da52c308dc6e
Instruction ID: 390698d2194527fa253c8fb6e1728bfb006ab9f32f8fa3062ad81be398ec9c2d
Opcode Fuzzy Hash: 2742aec033566d7fe796932438a5ee9f70847c0481a7d831e592da52c308dc6e
Instruction Fuzzy Hash: F1C0C0358463045BCF9023F0F4443DC3B584780310F0000329824462A1FB340816CB00

Uniqueness

Uniqueness Score: -1.00%

Function 050A5D70, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.601516704.00000000050A0000.00000040.00000001.sdmp, Offset: 050A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc629a4ea8572e331e989a6b6161cad1aeb5cf545e2657204147f4ac9024853f
Instruction ID: 7ebf0057e99e5e8d04d6592a5e6d0d9dc58535f65ba3c972b7c93aceb604c665
Opcode Fuzzy Hash: dc629a4ea8572e331e989a6b6161cad1aeb5cf545e2657204147f4ac9024853f
Instruction Fuzzy Hash: 8BC08C32204E068F9E7827F07C0D63E37E96A400013800024E40A8E000EE2080408295

Uniqueness

Uniqueness Score: -1.00%

Function 050ACE78, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.601516704.00000000050A0000.00000040.00000001.sdmp, Offset: 050A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b93f95db8ca25f2c06aa1ff33166f371c1224644cd3abbe3e582ff123b784063
Instruction ID: 3702c6a31b49155c3c8849956dbf51b61d60496208809d7ffc2ec6d641fb4f67
Opcode Fuzzy Hash: b93f95db8ca25f2c06aa1ff33166f371c1224644cd3abbe3e582ff123b784063
Instruction Fuzzy Hash: ACC08C6340D6100FEB085B6148602843B71AB871187FA2CCBC090E7282E325F0444B21

Uniqueness

Uniqueness Score: -1.00%

Function 050A0660, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.601516704.00000000050A0000.00000040.00000001.sdmp, Offset: 050A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4428ae8be513995a1e70d00681f6c0000499f1a17020f9476d8a333aba0fd839
Instruction ID: 0dab1d94f4f687a3682710613bd5a3a00140db896335eeffd841566bbd6837bd
Opcode Fuzzy Hash: 4428ae8be513995a1e70d00681f6c0000499f1a17020f9476d8a333aba0fd839
Instruction Fuzzy Hash: 62C02B3204530CCEC21CA7F2380C53D720B96C130E700C431C501000208D33D4B18A51

Uniqueness

Uniqueness Score: -1.00%

Function 050A5F60, Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.601516704.00000000050A0000.00000040.00000001.sdmp, Offset: 050A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 635403e01dd791b583571d3677cf00fee2973e19ca04d9662845525afea01f59
Instruction ID: fa1d6fd0459ef4c1ebe4382803fcb607ff99e75e006110c6271084e7fa1207f9
Opcode Fuzzy Hash: 635403e01dd791b583571d3677cf00fee2973e19ca04d9662845525afea01f59
Instruction Fuzzy Hash: 02B09232244A4ECB4AA42BF57A0EA6D37EEBA085093440025E52FC4508EA3194508762

Uniqueness

Uniqueness Score: -1.00%

Function 050A7424, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.601516704.00000000050A0000.00000040.00000001.sdmp, Offset: 050A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9331830965d72d12fcbefa973c87c0cf332396a92bd300e1243d284f656f33ac
Instruction ID: 4139faf8f3147676d13a341cd23481a6315fe9ea24966a082183da55dd3a30c4
Opcode Fuzzy Hash: 9331830965d72d12fcbefa973c87c0cf332396a92bd300e1243d284f656f33ac
Instruction Fuzzy Hash: A0B092B7A04108C9DF00DAC4B4413EEFB20E790225F108133C71052000D33201A48691

Uniqueness

Uniqueness Score: -1.00%

Function 050AF470, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.601516704.00000000050A0000.00000040.00000001.sdmp, Offset: 050A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f8841aec0031a77c3319130b454676080e5d254e624065794ceaaa667c0e304
Instruction ID: 0161a884bb5c5c33ea647930db33b13961c2e978c6a8420d1de2cce5b4619ec3
Opcode Fuzzy Hash: 4f8841aec0031a77c3319130b454676080e5d254e624065794ceaaa667c0e304
Instruction Fuzzy Hash: 97B0123164170C47DD9433F0B00C11DB38C59808107840021691D4B200BF74A440C655

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 050A0D93, Relevance: 5.2, Strings: 4, Instructions: 249COMMON

Download Yara Rule

Strings

0jr, xrefs: 050A0F8E
,:kr, xrefs: 050A0E38
:@Dr, xrefs: 050A10CB
X1kr, xrefs: 050A0F1C

Memory Dump Source

Source File: 00000008.00000002.601516704.00000000050A0000.00000040.00000001.sdmp, Offset: 050A0000, based on PE: false

Similarity

API ID:
String ID: ,:kr$0jr$:@Dr$X1kr
API String ID: 0-1245831938
Opcode ID: 750683897eac76b49a9b3d36935cfeb7ab1283d0685a75e656f139119cb7ee54
Instruction ID: c8846552a782adc8d14984a909fe4f801dc893acb52ed4e42a6d558b0a1fb264
Opcode Fuzzy Hash: 750683897eac76b49a9b3d36935cfeb7ab1283d0685a75e656f139119cb7ee54
Instruction Fuzzy Hash: D7B1A670A04344CFD3A4DF78D160B6ABBE2BF94704F60596EE5898B399EF719841CB42

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: RegSvcs.exe PID: 6716 Parent PID: 936 RegSvcs.exeCOMMON

Executed Functions

Function 0086A587, Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

SearchPathW.KERNELBASE(?,00000E2C,?,?), ref: 0086A63A

Memory Dump Source

Source File: 0000000E.00000002.404318068.000000000086A000.00000040.00000001.sdmp, Offset: 0086A000, based on PE: false

Similarity

API ID: PathSearch
String ID:
API String ID: 2203818243-0
Opcode ID: 91ac2a967e9e52b2cf8ebf11dfc0e2743c7bf8c00abf0df5a82dbacd03a686dc
Instruction ID: ccfebd2e53d5d3a8f7e1d62de74df60a5d4ac655f71da4ddcf764f449ee84be5
Opcode Fuzzy Hash: 91ac2a967e9e52b2cf8ebf11dfc0e2743c7bf8c00abf0df5a82dbacd03a686dc
Instruction Fuzzy Hash: 7B316D7250D3C06FD3138B259C55B62BFB4AF87614F1A81DBD8848F193E625A909C7B2

Uniqueness

Uniqueness Score: -1.00%

Function 0086A4AA, Relevance: 1.6, APIs: 1, Instructions: 79fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,00000E2C,8CA77033,00000000,00000000,00000000,00000000), ref: 0086A53D

Memory Dump Source

Source File: 0000000E.00000002.404318068.000000000086A000.00000040.00000001.sdmp, Offset: 0086A000, based on PE: false

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 37c54fcedd8179d6e923b18ae60038dc7f8388e549c8792f55ab7e1351b1bcf0
Instruction ID: 616937a817cbcf8220e023f5b185a34b57e393410f95e744520d26d61407de7a
Opcode Fuzzy Hash: 37c54fcedd8179d6e923b18ae60038dc7f8388e549c8792f55ab7e1351b1bcf0
Instruction Fuzzy Hash: 40219171409380AFD7228B65DC44F96BFB8EF46310F0884DBEA849F153D264A509CB72

Uniqueness

Uniqueness Score: -1.00%

Function 0086A5C6, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

SearchPathW.KERNELBASE(?,00000E2C,?,?), ref: 0086A63A

Memory Dump Source

Source File: 0000000E.00000002.404318068.000000000086A000.00000040.00000001.sdmp, Offset: 0086A000, based on PE: false

Similarity

API ID: PathSearch
String ID:
API String ID: 2203818243-0
Opcode ID: 32acb8c04b37996944f444f52aed9393dfeb550ea0cb8766a084b3e7ab8d1d45
Instruction ID: ca33be07daccd7ed64d13bccfc7ad7935937dff0e954c04512b823ee5ace4d08
Opcode Fuzzy Hash: 32acb8c04b37996944f444f52aed9393dfeb550ea0cb8766a084b3e7ab8d1d45
Instruction Fuzzy Hash: 0111E271404340AFD311CB15DC46F63FFB8EF85A20F0485AAED488B642D271B915CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0086A1F4, Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNELBASE ref: 0086A269

Memory Dump Source

Source File: 0000000E.00000002.404318068.000000000086A000.00000040.00000001.sdmp, Offset: 0086A000, based on PE: false

Similarity

API ID: ConsoleOutput
String ID:
API String ID: 3985236979-0
Opcode ID: b1f29d92325aeee878b15fb65dcb576bc7e846570e1b9004465a150c8b38ab0c
Instruction ID: 4f24a4fb22d0bb581448752ce79f4c58524a2f63d0de3448b6776ca4ee54f388
Opcode Fuzzy Hash: b1f29d92325aeee878b15fb65dcb576bc7e846570e1b9004465a150c8b38ab0c
Instruction Fuzzy Hash: 5B215C3540E7C49FD7138B258C95A52BFB4EF03220F0A81DBD9848F1A3D269A909CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0086A4DE, Relevance: 1.6, APIs: 1, Instructions: 60fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,00000E2C,8CA77033,00000000,00000000,00000000,00000000), ref: 0086A53D

Memory Dump Source

Source File: 0000000E.00000002.404318068.000000000086A000.00000040.00000001.sdmp, Offset: 0086A000, based on PE: false

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 383a59b75fd1473be752b4bf6530109062fab27f07764e2b875e51f1e75aa9e9
Instruction ID: 4bc9359d42df508fc730da94e029d9a01adf7606b53ee1588badbc0b81693634
Opcode Fuzzy Hash: 383a59b75fd1473be752b4bf6530109062fab27f07764e2b875e51f1e75aa9e9
Instruction Fuzzy Hash: A911BF71400604EEEB21CF95DC84F6AFBA8EF44320F14846BEE45AB251D675A509CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 0086A5EA, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

SearchPathW.KERNELBASE(?,00000E2C,?,?), ref: 0086A63A

Memory Dump Source

Source File: 0000000E.00000002.404318068.000000000086A000.00000040.00000001.sdmp, Offset: 0086A000, based on PE: false

Similarity

API ID: PathSearch
String ID:
API String ID: 2203818243-0
Opcode ID: b0f1040abd0171321af6b8f54d68bc5b3e419ebb55ebd99d09aa68de3833fccc
Instruction ID: bf3acda8f39a1771822b370edc3ce4053bbd061b2bc2cd0837006893791ff00e
Opcode Fuzzy Hash: b0f1040abd0171321af6b8f54d68bc5b3e419ebb55ebd99d09aa68de3833fccc
Instruction Fuzzy Hash: EB017176500600ABD710DF16DC86F26FBA8FB88B20F14856AED089B741E771B515CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 0086A23A, Relevance: 1.5, APIs: 1, Instructions: 34COMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNELBASE ref: 0086A269

Memory Dump Source

Source File: 0000000E.00000002.404318068.000000000086A000.00000040.00000001.sdmp, Offset: 0086A000, based on PE: false

Similarity

API ID: ConsoleOutput
String ID:
API String ID: 3985236979-0
Opcode ID: 916d9f7d1e0ef441af8d1b705bc81dd07e17d4b8e2dc168690426bf49a1945fa
Instruction ID: 02a0848ee6fa0dfb18da28ff3e73f449526c18124691d7ed0f137e3bb6101128
Opcode Fuzzy Hash: 916d9f7d1e0ef441af8d1b705bc81dd07e17d4b8e2dc168690426bf49a1945fa
Instruction Fuzzy Hash: 07F0AF30804644DFDB108F15D884762FFA4FF04720F18C0AADE499F302D2BAA948CEA2

Uniqueness

Uniqueness Score: -1.00%

Function 00862477, Relevance: .2, Instructions: 211COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.404308703.0000000000862000.00000040.00000001.sdmp, Offset: 00862000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5626dcc4dc771b710fc881ef366de5a5463e5769ca2d0aa097b405591b705b98
Instruction ID: 6b2815134bf90d9789472443db32a40141add60b7b29794d9cbfc28e4f7607fb
Opcode Fuzzy Hash: 5626dcc4dc771b710fc881ef366de5a5463e5769ca2d0aa097b405591b705b98
Instruction Fuzzy Hash: 60617BA290EBD94FDB679734683D695BF76FA63310B0B41CBD482CF0A3D5084849C72A

Uniqueness

Uniqueness Score: -1.00%

Function 008623F4, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.404308703.0000000000862000.00000040.00000001.sdmp, Offset: 00862000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e229c18594f5c3d7f244a031f7a77b2ece26f9298f93899a03ddbe26d4ae0d38
Instruction ID: 28cdde15b6d62567090436401776493b59066fdf853dd583350fe1655686a49e
Opcode Fuzzy Hash: e229c18594f5c3d7f244a031f7a77b2ece26f9298f93899a03ddbe26d4ae0d38
Instruction Fuzzy Hash: DCD05E79215A818FD326CA1CC1A8BA53B94FF52B04F4744FDE800CB663CB68D981D200

Uniqueness

Uniqueness Score: -1.00%

Function 008623BC, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.404308703.0000000000862000.00000040.00000001.sdmp, Offset: 00862000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bcc7525c8212a4edd26b84c2b8227b7fb92d1d67e07de746c4356b8986273e4f
Instruction ID: 53376d69cca34db19e221e069d83310f2795f56f9540058a5dd95e9660bad977
Opcode Fuzzy Hash: bcc7525c8212a4edd26b84c2b8227b7fb92d1d67e07de746c4356b8986273e4f
Instruction Fuzzy Hash: 2DD05E342006818BC715DB0CD694F5937D4FB41B00F0645E9AC00CB772C7A8DC81C600

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: dhcpmon.exe PID: 6808 Parent PID: 936 dhcpmon.exeCOMMON

Executed Functions

Function 050011D0, Relevance: 4.0, Strings: 3, Instructions: 222COMMON

Download Yara Rule

Strings

X1kr, xrefs: 05001253
X1kr, xrefs: 0500130B
:@Dr, xrefs: 05001406

Memory Dump Source

Source File: 00000010.00000002.406976589.0000000005000000.00000040.00000001.sdmp, Offset: 05000000, based on PE: false

Similarity

API ID:
String ID: :@Dr$X1kr$X1kr
API String ID: 0-2930718046
Opcode ID: 92112221737aacb556a0816c240eae44d8d8fd1ab50f22c55a8d844fbe6dbac2
Instruction ID: 55adbceedea4973bf683431b635e646d169e328a08420f248719288c8075242b
Opcode Fuzzy Hash: 92112221737aacb556a0816c240eae44d8d8fd1ab50f22c55a8d844fbe6dbac2
Instruction Fuzzy Hash: A9814634B001118FDB54EBADC854E6EBBE7AFC4304F249469DA0ADB7A4DE709D41CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 050011C1, Relevance: 2.7, Strings: 2, Instructions: 178COMMON

Download Yara Rule

Strings

X1kr, xrefs: 05001253
:@Dr, xrefs: 05001406

Memory Dump Source

Source File: 00000010.00000002.406976589.0000000005000000.00000040.00000001.sdmp, Offset: 05000000, based on PE: false

Similarity

API ID:
String ID: :@Dr$X1kr
API String ID: 0-2776031997
Opcode ID: 962a491c1c4480aee08491dac02c0b0d361914e08feb771c13360028724a93e5
Instruction ID: 367bb99ca4c9f1502086880d102ef9389b922c0bb0b6138de55d7f5e296d2594
Opcode Fuzzy Hash: 962a491c1c4480aee08491dac02c0b0d361914e08feb771c13360028724a93e5
Instruction Fuzzy Hash: 21615734B001018FDB54EBA9D854A7EBBF7AF84304F249069DA06DB7A5DE709D81CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0284A587, Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

SearchPathW.KERNELBASE(?,00000E2C,?,?), ref: 0284A63A

Memory Dump Source

Source File: 00000010.00000002.404526474.000000000284A000.00000040.00000001.sdmp, Offset: 0284A000, based on PE: false

Similarity

API ID: PathSearch
String ID:
API String ID: 2203818243-0
Opcode ID: b0e30277d8ed20e03c736d0981bfa01979c2b26818c17c498ddbdb6c00edbed4
Instruction ID: c1615984cc0866f7374bf7f8cddc2de7963dd68c43d3031ac491b78786efcd0b
Opcode Fuzzy Hash: b0e30277d8ed20e03c736d0981bfa01979c2b26818c17c498ddbdb6c00edbed4
Instruction Fuzzy Hash: 0B319F7240D3C06FD3038B218C65B62BFB4EF43614F1A81CBD8848F193E224A909C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 0284A4AA, Relevance: 1.6, APIs: 1, Instructions: 79fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,00000E2C,974FDA0A,00000000,00000000,00000000,00000000), ref: 0284A53D

Memory Dump Source

Source File: 00000010.00000002.404526474.000000000284A000.00000040.00000001.sdmp, Offset: 0284A000, based on PE: false

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 6f353028dc6fbe87faa8a253086c6bbcbec6311b2d5297d739d519c335bea098
Instruction ID: 810db1954f77683986fa153b8d6650dd8c9eca8649231e5c8d518b1b8e0a0243
Opcode Fuzzy Hash: 6f353028dc6fbe87faa8a253086c6bbcbec6311b2d5297d739d519c335bea098
Instruction Fuzzy Hash: C321A376409384AFE7128B65DC54F96BFB8EF06310F0884DBE9849F153D264A509CB71

Uniqueness

Uniqueness Score: -1.00%

Function 0284A5C6, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

SearchPathW.KERNELBASE(?,00000E2C,?,?), ref: 0284A63A

Memory Dump Source

Source File: 00000010.00000002.404526474.000000000284A000.00000040.00000001.sdmp, Offset: 0284A000, based on PE: false

Similarity

API ID: PathSearch
String ID:
API String ID: 2203818243-0
Opcode ID: a196525fa3adcd1bdc772c20c2e5397bce23d5f13bbbf0b41f8567d46bff83ea
Instruction ID: df2797bfff159fe86100b709c1f14fbcd76466076aa5dd4146cc6f81b0d96ae9
Opcode Fuzzy Hash: a196525fa3adcd1bdc772c20c2e5397bce23d5f13bbbf0b41f8567d46bff83ea
Instruction Fuzzy Hash: D111E2724043406FD311CB15DC46F77BFB8EB85A20F0485AAED488B642E270B915CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0284A1F4, Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNELBASE ref: 0284A269

Memory Dump Source

Source File: 00000010.00000002.404526474.000000000284A000.00000040.00000001.sdmp, Offset: 0284A000, based on PE: false

Similarity

API ID: ConsoleOutput
String ID:
API String ID: 3985236979-0
Opcode ID: c96a99ee41473dc75ec71ec22c64123c81ed2406f46fa9b8d4170d3b56861ab7
Instruction ID: 8237150e00f6134db3be31931e48ae926fb88c0f328b308eebecce13d5e8ba9d
Opcode Fuzzy Hash: c96a99ee41473dc75ec71ec22c64123c81ed2406f46fa9b8d4170d3b56861ab7
Instruction Fuzzy Hash: 55215E3540D7C45FD7138B258C95692BFB4EF03220F0A81DBDD848F163D269A909DB62

Uniqueness

Uniqueness Score: -1.00%

Function 0284A4DE, Relevance: 1.6, APIs: 1, Instructions: 60fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,00000E2C,974FDA0A,00000000,00000000,00000000,00000000), ref: 0284A53D

Memory Dump Source

Source File: 00000010.00000002.404526474.000000000284A000.00000040.00000001.sdmp, Offset: 0284A000, based on PE: false

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 8e1b5e10a324efe02ecf8f03c471260b9e51b8dcc10d4e2c682c8aa5621aa54d
Instruction ID: 8fd691badf59caf46dcc8ed645290b6e02c3780eae3de4aa88a40e93f966c38c
Opcode Fuzzy Hash: 8e1b5e10a324efe02ecf8f03c471260b9e51b8dcc10d4e2c682c8aa5621aa54d
Instruction Fuzzy Hash: 4E11C176400604EFEB21CF95DD84FAAFBA8EF44320F14846BEE499F251D675A408CB71

Uniqueness

Uniqueness Score: -1.00%

Function 0284A5EA, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

SearchPathW.KERNELBASE(?,00000E2C,?,?), ref: 0284A63A

Memory Dump Source

Source File: 00000010.00000002.404526474.000000000284A000.00000040.00000001.sdmp, Offset: 0284A000, based on PE: false

Similarity

API ID: PathSearch
String ID:
API String ID: 2203818243-0
Opcode ID: f05044948a2bb76ccf51ef7239792d4c9ef378aa0d99dd6a95bcba43764e206a
Instruction ID: 1fe9e769c8899647d4e49bd5f1ecabcba522cb43d562ae1b78122abce169683d
Opcode Fuzzy Hash: f05044948a2bb76ccf51ef7239792d4c9ef378aa0d99dd6a95bcba43764e206a
Instruction Fuzzy Hash: 75017172900600AFD710DF16DC86F76FBA8FB88B20F14856AED089B741E371B515CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0284A23A, Relevance: 1.5, APIs: 1, Instructions: 34COMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNELBASE ref: 0284A269

Memory Dump Source

Source File: 00000010.00000002.404526474.000000000284A000.00000040.00000001.sdmp, Offset: 0284A000, based on PE: false

Similarity

API ID: ConsoleOutput
String ID:
API String ID: 3985236979-0
Opcode ID: 664e7a84651b6a85cda27dc5ec2d723e77569c194c52f134726fea2305e93b7d
Instruction ID: 58f47e04151caeacf448c70c7164ef95248076fad54cef354d4915a3a685b72f
Opcode Fuzzy Hash: 664e7a84651b6a85cda27dc5ec2d723e77569c194c52f134726fea2305e93b7d
Instruction Fuzzy Hash: 0AF0AF399046489FDB108F15D884762FF94EF04624F28C0AADD098F216D6BAA448DAA2

Uniqueness

Uniqueness Score: -1.00%

Function 0500010F, Relevance: 1.4, Strings: 1, Instructions: 193COMMON

Download Yara Rule

Strings

:@Dr, xrefs: 050002C5

Memory Dump Source

Source File: 00000010.00000002.406976589.0000000005000000.00000040.00000001.sdmp, Offset: 05000000, based on PE: false

Similarity

API ID:
String ID: :@Dr
API String ID: 0-3830894600
Opcode ID: c0fe7f4ab8d8d4bb588d9e3377082988770483a699fb017d177b5b4d3ad9a4df
Instruction ID: 7bc63bc62d27ebe3bd1da7d2124d688b030c32dfe7bf0eebe74fe9850abcd6ba
Opcode Fuzzy Hash: c0fe7f4ab8d8d4bb588d9e3377082988770483a699fb017d177b5b4d3ad9a4df
Instruction Fuzzy Hash: 12718F38B00261CFD759EB29E468B6D7BE3BB98340F4885A9D806873D5CF759D81CB80

Uniqueness

Uniqueness Score: -1.00%

Function 02842477, Relevance: .2, Instructions: 211COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.404511290.0000000002842000.00000040.00000001.sdmp, Offset: 02842000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35a6c3a004e64abc54eaf6bb0955d8777c33ab7422df5c837821f03296ef18e7
Instruction ID: 832eb63be9bb7882ce312032dd97082040285154f5eefde6a10476743625b436
Opcode Fuzzy Hash: 35a6c3a004e64abc54eaf6bb0955d8777c33ab7422df5c837821f03296ef18e7
Instruction Fuzzy Hash: EF61A35D90E3CD4FC74797746839654BF729E5325874BA1CBFC84CB0ABD9084849C32A

Uniqueness

Uniqueness Score: -1.00%

Function 0500040C, Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.406976589.0000000005000000.00000040.00000001.sdmp, Offset: 05000000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ecaa49ca46b418b64c8ae9ac8a706b81460effd0ef51a8d42b2577fcd9f7cea8
Instruction ID: dd730bb8cdcf848c55ada5d0aeda3d571b0afc23e37e7050a8f4bcce356f8081
Opcode Fuzzy Hash: ecaa49ca46b418b64c8ae9ac8a706b81460effd0ef51a8d42b2577fcd9f7cea8
Instruction Fuzzy Hash: 4D417C70B40325CBEB14AF65E06CBAE7EF2AF84304F546429D502AB2D0DFB9C945CB90

Uniqueness

Uniqueness Score: -1.00%

Function 050006E8, Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.406976589.0000000005000000.00000040.00000001.sdmp, Offset: 05000000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 730a18e0c953ad4aa52d37ef34f457b6eaabbc35c4450006b9c01b10790071ae
Instruction ID: 9e7e941a7151e66990e10781b5a17271eabd82438843b04fb822c0b947fe9398
Opcode Fuzzy Hash: 730a18e0c953ad4aa52d37ef34f457b6eaabbc35c4450006b9c01b10790071ae
Instruction Fuzzy Hash: C3311E307052108FC7996B7DD02862E3BE2AF86305B1504BEE506CF7E5EE36DC468B95

Uniqueness

Uniqueness Score: -1.00%

Function 050006F8, Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.406976589.0000000005000000.00000040.00000001.sdmp, Offset: 05000000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0c2b7a31f0c547207c761785a899c95eeb270da4402a30211a14e6d8c34e0af
Instruction ID: 1d00232e836dc0ba13dc096bcc828c6be5b09681f261c68699031124e4d6fa0c
Opcode Fuzzy Hash: f0c2b7a31f0c547207c761785a899c95eeb270da4402a30211a14e6d8c34e0af
Instruction Fuzzy Hash: CE210A307012108FC799AB7DD02862E3AE2AFC5309B1404BAE506CF7E5EE36DC458B95

Uniqueness

Uniqueness Score: -1.00%

Function 029D05CF, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.404692476.00000000029D0000.00000040.00000040.sdmp, Offset: 029D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b37c1699ba75cb434b802ada094ad3976ed2ca98cfd7da8bc650cc7296cfc9a
Instruction ID: b6b52097243709dd65853142d1846a2a957c0fc13e5a981d1d25bb1040571899
Opcode Fuzzy Hash: 4b37c1699ba75cb434b802ada094ad3976ed2ca98cfd7da8bc650cc7296cfc9a
Instruction Fuzzy Hash: 7201AE765497805FC7528B16EC40897FFF8EF46230709C4ABED898B212D175B949CB71

Uniqueness

Uniqueness Score: -1.00%

Function 05001070, Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.406976589.0000000005000000.00000040.00000001.sdmp, Offset: 05000000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e7de36b443fb56cb8d8ed193c0b0bf727fd226f35e3e66d74519df31771b9ea
Instruction ID: 3472e437cdf1f4045fd48307dbdf59472d33236061f53a291925f3789679af17
Opcode Fuzzy Hash: 1e7de36b443fb56cb8d8ed193c0b0bf727fd226f35e3e66d74519df31771b9ea
Instruction Fuzzy Hash: 99F05435300150ABE714967EAD11F7B77DBEBC4760F14456AF609CB2C1DEA1D8018795

Uniqueness

Uniqueness Score: -1.00%

Function 05001060, Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.406976589.0000000005000000.00000040.00000001.sdmp, Offset: 05000000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 737abca4a8621ab2293f60e96530d40d8d30e5ef6358b171dc6f378124e5709e
Instruction ID: 1ae95a8a0442360289937c3408c69f9ff34fb1db9e0f7eb647ec896fb83de65d
Opcode Fuzzy Hash: 737abca4a8621ab2293f60e96530d40d8d30e5ef6358b171dc6f378124e5709e
Instruction Fuzzy Hash: 95F024343042C06EE36582B95C10F7B2FA79F81710F144096F644CB2C2DDA488028751

Uniqueness

Uniqueness Score: -1.00%

Function 05000F22, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.406976589.0000000005000000.00000040.00000001.sdmp, Offset: 05000000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33b6141f30e1b695364d5e01d4e6d53dd6c4227046093fa2aa26679ab17e429f
Instruction ID: 4247f27cc6ad58070ccf38e5bf609e437730c225aae87fde690a7c8d186acbeb
Opcode Fuzzy Hash: 33b6141f30e1b695364d5e01d4e6d53dd6c4227046093fa2aa26679ab17e429f
Instruction Fuzzy Hash: 95F0E2342052A08FC362EBBCD4649A53FEAEF4A21031841EAE905CB776CA215C42C781

Uniqueness

Uniqueness Score: -1.00%

Function 050000C0, Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.406976589.0000000005000000.00000040.00000001.sdmp, Offset: 05000000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e78ba8ab4f2e37bd8262b5d9c309132d306d4371c8529d630d0b8fb76825b152
Instruction ID: 37e97f75250deb38ccee15078c6220fad6574e12779208176d7a60ee15aca49d
Opcode Fuzzy Hash: e78ba8ab4f2e37bd8262b5d9c309132d306d4371c8529d630d0b8fb76825b152
Instruction Fuzzy Hash: AFF03771D451599FCF41DFF8D8955EFBFF4EE49250F1044A6E544E3601E2340611CB90

Uniqueness

Uniqueness Score: -1.00%

Function 050010D0, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.406976589.0000000005000000.00000040.00000001.sdmp, Offset: 05000000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60d818c4d9061eefb1222ee6e465f65775b677aedb936c80f43dc600dbf44c71
Instruction ID: 4a9d0903df0e86acd82f11aa641d839b0c275558ad6a3dd88cd9217a50731930
Opcode Fuzzy Hash: 60d818c4d9061eefb1222ee6e465f65775b677aedb936c80f43dc600dbf44c71
Instruction Fuzzy Hash: 04E039B1D062499ECB41DFF8A8556EFBFF5EF49220F0040A6D508E2A02E2340266CB91

Uniqueness

Uniqueness Score: -1.00%

Function 029D05F6, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.404692476.00000000029D0000.00000040.00000040.sdmp, Offset: 029D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c50de2eedb2edccd650fca0d1a821a87c98d194c26af345eab11396174d0767
Instruction ID: cd45ef289c3818caf5b95d4a23704c61562c98278bf28ee55b4966e86df54e8d
Opcode Fuzzy Hash: 7c50de2eedb2edccd650fca0d1a821a87c98d194c26af345eab11396174d0767
Instruction Fuzzy Hash: 73E09276A046008BD650CF0BEC81462F7D8EB88630B18C07FDC0D8B701E135B504CEA5

Uniqueness

Uniqueness Score: -1.00%

Function 05000F30, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.406976589.0000000005000000.00000040.00000001.sdmp, Offset: 05000000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ab3c7ef15f10713d65af5c4bb72f4128961d0bbbd1bdc023aa1843db23a669a
Instruction ID: 482617701e603ab44c8fcea398a3de879078c3295bf3ce4c20424c2e115bf478
Opcode Fuzzy Hash: 0ab3c7ef15f10713d65af5c4bb72f4128961d0bbbd1bdc023aa1843db23a669a
Instruction Fuzzy Hash: A9E0D8347001208FC364FB7DE458D9537EBEB892107144176E50AC7364CE315C40CBC1

Uniqueness

Uniqueness Score: -1.00%

Function 050000D0, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.406976589.0000000005000000.00000040.00000001.sdmp, Offset: 05000000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a18032ef5c56faf338ff10693a91e9c0d8d51a345f58c8684d6f823f3b85e0fb
Instruction ID: 51837a6705b41101adff28b6ed583e5d2288b6c6612dbed5e5d3f490ff903fba
Opcode Fuzzy Hash: a18032ef5c56faf338ff10693a91e9c0d8d51a345f58c8684d6f823f3b85e0fb
Instruction Fuzzy Hash: 5DE09A75D0521D9F8F40DFB999455DEBFF8FB48250F500466D518E3200E33556118BE1

Uniqueness

Uniqueness Score: -1.00%

Function 050010E0, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.406976589.0000000005000000.00000040.00000001.sdmp, Offset: 05000000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c62e797c120aa411211cadfee90bccd871114c4c95f57319ffb9d7527d14db1
Instruction ID: 7114142e2d0c3e5983aea2014193f94edbd4162131f9c280a35934401e54e18b
Opcode Fuzzy Hash: 1c62e797c120aa411211cadfee90bccd871114c4c95f57319ffb9d7527d14db1
Instruction Fuzzy Hash: 50E0B6B1D002099ECB40EFBEAC456DFBFF8EB48260F10403AD108E3240E23552518BE1

Uniqueness

Uniqueness Score: -1.00%

Function 028423F4, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.404511290.0000000002842000.00000040.00000001.sdmp, Offset: 02842000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a401ece94d479af09663e960b8e1a560c9042bbfc2079831bcf4e6119a6ef53
Instruction ID: 443c3fed3eaa480fe5f9b066c7e74272dddd13e2224d529e93256bd25a075db6
Opcode Fuzzy Hash: 8a401ece94d479af09663e960b8e1a560c9042bbfc2079831bcf4e6119a6ef53
Instruction Fuzzy Hash: 6CD05B7D2156814FD316CA1CC168B653B94FB51B04F4684FDFC00CB667C754D581D100

Uniqueness

Uniqueness Score: -1.00%

Function 028423BC, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.404511290.0000000002842000.00000040.00000001.sdmp, Offset: 02842000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a5b411c25ed21e008a5b6630b3560bd6c70226669a5b8e5e52e1e1f99f48a53
Instruction ID: 12a38c75e528ec709f138eba4084c634a20d5be59de8449e7d4aafdc8864a3d7
Opcode Fuzzy Hash: 3a5b411c25ed21e008a5b6630b3560bd6c70226669a5b8e5e52e1e1f99f48a53
Instruction Fuzzy Hash: 67D05E382042858BC715DB0CC594F5937E4AB41B08F0A45E8BC00CB676C7A8D881C600

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: dhcpmon.exe PID: 3028 Parent PID: 3440 dhcpmon.exeCOMMON

Executed Functions

Function 02B00818, Relevance: 4.1, Strings: 3, Instructions: 371COMMON

Download Yara Rule

Strings

\,, xrefs: 02B00D18
\,, xrefs: 02B00D50
\,, xrefs: 02B00CBC

Memory Dump Source

Source File: 00000012.00000002.414047452.0000000002B00000.00000040.00000001.sdmp, Offset: 02B00000, based on PE: false

Similarity

API ID:
String ID: \,$\,$\,
API String ID: 0-146963247
Opcode ID: d3662a76ea1dd5dd061837b09e3d444452d39cf931c93bfd358a3f35b4f73730
Instruction ID: 52253f358129d1a619b3e4e3c5f258091018c4728d0787d782d599fe2948a8cf
Opcode Fuzzy Hash: d3662a76ea1dd5dd061837b09e3d444452d39cf931c93bfd358a3f35b4f73730
Instruction Fuzzy Hash: 42F17130600651CFD719EF66D8C4B2A7BA3FBC4314B14C9ADC94A8B398DB71E846DB91

Uniqueness

Uniqueness Score: -1.00%

Function 02B0010F, Relevance: 2.7, Strings: 2, Instructions: 195COMMON

Download Yara Rule

Strings

:@Dr, xrefs: 02B002C5
\,, xrefs: 02B00249

Memory Dump Source

Source File: 00000012.00000002.414047452.0000000002B00000.00000040.00000001.sdmp, Offset: 02B00000, based on PE: false

Similarity

API ID:
String ID: :@Dr$\,
API String ID: 0-1809902370
Opcode ID: bd2d90a7ad9a091186a0e68aeaa25d67b814d0abac9447e0070435da70a29c0e
Instruction ID: 8385f6b31127a42b0b3420e7d09fa36243f7f6fe2fb6536e34e941b342034672
Opcode Fuzzy Hash: bd2d90a7ad9a091186a0e68aeaa25d67b814d0abac9447e0070435da70a29c0e
Instruction Fuzzy Hash: FE715B30B101518FC719EB79D898B697BE3BF88340F1485A9E80E9B3E5CB719D85CB90

Uniqueness

Uniqueness Score: -1.00%

Function 02B00DD0, Relevance: 2.6, Strings: 2, Instructions: 70COMMON

Download Yara Rule

Strings

\,, xrefs: 02B00E17
\,, xrefs: 02B00E05

Memory Dump Source

Source File: 00000012.00000002.414047452.0000000002B00000.00000040.00000001.sdmp, Offset: 02B00000, based on PE: false

Similarity

API ID:
String ID: \,$\,
API String ID: 0-414197431
Opcode ID: 1a3e6f02d9da766ee5160bf637845ccb289f83287d448afe4d8859ad28dce490
Instruction ID: 3156cdeee0f2ba5a108715eb02d298b086ed7cdbe00bd15a22cd0988a06d0bb2
Opcode Fuzzy Hash: 1a3e6f02d9da766ee5160bf637845ccb289f83287d448afe4d8859ad28dce490
Instruction Fuzzy Hash: 96210530B042849FC705E7BD88516AD7FA6AFC5210B1040EAC909AB6D6CE308D06C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 00D5A4AA, Relevance: 1.6, APIs: 1, Instructions: 79fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,00000E2C,8102AA85,00000000,00000000,00000000,00000000), ref: 00D5A53D

Memory Dump Source

Source File: 00000012.00000002.413606551.0000000000D5A000.00000040.00000001.sdmp, Offset: 00D5A000, based on PE: false

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: e4ed782f786e637d4db79e383840826ab5fef03270dfff8a2d8e5491069be868
Instruction ID: de4f3744ae99b6bdfd55dfdf990585b57e80680aa9e77e2fb54bfc012fb5179d
Opcode Fuzzy Hash: e4ed782f786e637d4db79e383840826ab5fef03270dfff8a2d8e5491069be868
Instruction Fuzzy Hash: BA21A371409380AFDB128B65DC44F96BFB8EF46310F0885DBE9849F153D264A509C772

Uniqueness

Uniqueness Score: -1.00%

Function 00D5A336, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 00D5A39C

Memory Dump Source

Source File: 00000012.00000002.413606551.0000000000D5A000.00000040.00000001.sdmp, Offset: 00D5A000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 2364188ddb948385142c1edd01b753df7f91c3f721c219b213c556958e7cd6d6
Instruction ID: c5488608d80d8445de18a8e42775c19f17e3b8997c561337d035a1d9adf0b1e3
Opcode Fuzzy Hash: 2364188ddb948385142c1edd01b753df7f91c3f721c219b213c556958e7cd6d6
Instruction Fuzzy Hash: 39219D714093C09FD7128B25DC45A56BFB4EF02220F0984EBDD85CF263D279A848CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00D5A1F4, Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNELBASE ref: 00D5A269

Memory Dump Source

Source File: 00000012.00000002.413606551.0000000000D5A000.00000040.00000001.sdmp, Offset: 00D5A000, based on PE: false

Similarity

API ID: ConsoleOutput
String ID:
API String ID: 3985236979-0
Opcode ID: aa2d2f560638245e845941593eccea3c2555b0a2ecdd863a25d16e6bb9ef4c4c
Instruction ID: c64a7cd8b28717fe5832beea7e0f073a7ed3875b66690d7111308fa35e055e9c
Opcode Fuzzy Hash: aa2d2f560638245e845941593eccea3c2555b0a2ecdd863a25d16e6bb9ef4c4c
Instruction Fuzzy Hash: 86214A3540D7C49FD7138B258C95A56BFB4EF03220F0E81DBDD848F1A3D269A949CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00D5A4DE, Relevance: 1.6, APIs: 1, Instructions: 60fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,00000E2C,8102AA85,00000000,00000000,00000000,00000000), ref: 00D5A53D

Memory Dump Source

Source File: 00000012.00000002.413606551.0000000000D5A000.00000040.00000001.sdmp, Offset: 00D5A000, based on PE: false

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: cd430e154cbbf4e67eab0a788411043a39fdebeda2986fb7ea4dbd496ba2c732
Instruction ID: 2361aa50a5d0338503576c370806e509cd8a33cbec675bf41e18c4b7516dffa9
Opcode Fuzzy Hash: cd430e154cbbf4e67eab0a788411043a39fdebeda2986fb7ea4dbd496ba2c732
Instruction Fuzzy Hash: 1A11C171400200EFEB21CF59DC44F6AFBA8EF44320F14856BEE459B251E674A408CB72

Uniqueness

Uniqueness Score: -1.00%

Function 00D5A36A, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 00D5A39C

Memory Dump Source

Source File: 00000012.00000002.413606551.0000000000D5A000.00000040.00000001.sdmp, Offset: 00D5A000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: a42fae3cb3f171b87d0f439ee1ebb49994cd5271a3d5fdd843d69e429ee9bbcf
Instruction ID: c00cd7f363c1c6d06681ecc7288861ecb4f0decd7303b5719e09dd531dba6db4
Opcode Fuzzy Hash: a42fae3cb3f171b87d0f439ee1ebb49994cd5271a3d5fdd843d69e429ee9bbcf
Instruction Fuzzy Hash: C701BC31504244DFEB108F69D88476AFF94DF00321F18C1ABDD498B202D6B5A408CA72

Uniqueness

Uniqueness Score: -1.00%

Function 00D5A23A, Relevance: 1.5, APIs: 1, Instructions: 34COMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNELBASE ref: 00D5A269

Memory Dump Source

Source File: 00000012.00000002.413606551.0000000000D5A000.00000040.00000001.sdmp, Offset: 00D5A000, based on PE: false

Similarity

API ID: ConsoleOutput
String ID:
API String ID: 3985236979-0
Opcode ID: b231755a863430e9733dd961d8dcd1fe160eb5225205b359f385f25f4ba50f27
Instruction ID: 7389b04a40a9c01d5ae41b14c456b61e1d47b786873b80cc4fdc45e1692bbd4a
Opcode Fuzzy Hash: b231755a863430e9733dd961d8dcd1fe160eb5225205b359f385f25f4ba50f27
Instruction Fuzzy Hash: EFF0C230804644DFDB10CF19D885766FF90EF04721F18D1AADD494F602D6BAE848CBB6

Uniqueness

Uniqueness Score: -1.00%

Function 02B006E8, Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.414047452.0000000002B00000.00000040.00000001.sdmp, Offset: 02B00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38d744bec9fae1e59d3a988c2b985599ee24a66564efa7b32d880d62feb228e9
Instruction ID: 4202c98ff2813fca031dac96529ad1c139f56c56bf703a8c4d955069c25a25e4
Opcode Fuzzy Hash: 38d744bec9fae1e59d3a988c2b985599ee24a66564efa7b32d880d62feb228e9
Instruction Fuzzy Hash: 9331FA307012108FC7596B7DD46862E3BE2EF86309B1404BAE506CF7E5DE3ADC468795

Uniqueness

Uniqueness Score: -1.00%

Function 02B006F8, Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.414047452.0000000002B00000.00000040.00000001.sdmp, Offset: 02B00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c18d01508295a1b9bf12cee7f343cc2ec78a8f99a30c56aafa6f4c2f62aafb3
Instruction ID: 51fbbd84d0dc4504f61970345ca7c887cca5ec557e6bc83bf43101f511b440c8
Opcode Fuzzy Hash: 8c18d01508295a1b9bf12cee7f343cc2ec78a8f99a30c56aafa6f4c2f62aafb3
Instruction Fuzzy Hash: 6421FB307012108FCB597B7DD15862E3AD2EF86309B1404BAE506CF7E1EE35DC458795

Uniqueness

Uniqueness Score: -1.00%

Function 029A05CF, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.413970595.00000000029A0000.00000040.00000040.sdmp, Offset: 029A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0295a032f9f4e0faa3d9640e69c6890620079d0be7214d0c661fa6500667fc2
Instruction ID: 90d1b0b74a3bf7e83577061ae08e0320c9b935b1cdc3c5ae44686835ef4b9a48
Opcode Fuzzy Hash: e0295a032f9f4e0faa3d9640e69c6890620079d0be7214d0c661fa6500667fc2
Instruction Fuzzy Hash: F9018B76509780AFD7128B16EC44866FFF8DF86620749C09FED498B611E2256914CB72

Uniqueness

Uniqueness Score: -1.00%

Function 02B00EF7, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.414047452.0000000002B00000.00000040.00000001.sdmp, Offset: 02B00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f76274627e35e9d3e48b3a6e843206cd2d980c99e7911bd604f871b67e44f19e
Instruction ID: 8a17f9d677d0a8dee35bfa54a34dbc1acc2bfb2329317b199ef2d828c00c0537
Opcode Fuzzy Hash: f76274627e35e9d3e48b3a6e843206cd2d980c99e7911bd604f871b67e44f19e
Instruction Fuzzy Hash: 76F08934B482904FC301F77DD4546693FE69F8A210B1445EBD449D7766D9225C05C791

Uniqueness

Uniqueness Score: -1.00%

Function 029A05F6, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.413970595.00000000029A0000.00000040.00000040.sdmp, Offset: 029A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fab09a04fd31f564feee5301a6f6ddc0f7a14d68d749771873de1ec517071f67
Instruction ID: 277cd56c4d1205dd7533720f87a4166384e3cd2c6b119b5e975dc79738c5f465
Opcode Fuzzy Hash: fab09a04fd31f564feee5301a6f6ddc0f7a14d68d749771873de1ec517071f67
Instruction Fuzzy Hash: 08E092766046008FD650CF0BEC41456F7D8EB88630B18C07FDC0D8B700E639B504CEA5

Uniqueness

Uniqueness Score: -1.00%

Function 02B000D0, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.414047452.0000000002B00000.00000040.00000001.sdmp, Offset: 02B00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f101fc13209b299a226f9856a37fb1b1322f6876d400a4fb819586cf5ab7b885
Instruction ID: 37c83bbcd44a1964079462cbf6b4ee671b32bbe7239aff0bf0321272292d8e61
Opcode Fuzzy Hash: f101fc13209b299a226f9856a37fb1b1322f6876d400a4fb819586cf5ab7b885
Instruction Fuzzy Hash: 75E09A71D0521D9F8F40EFB999456DEBFF8EB48250F500466D518F3200E3315A558BE1

Uniqueness

Uniqueness Score: -1.00%

Function 02B00DC0, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.414047452.0000000002B00000.00000040.00000001.sdmp, Offset: 02B00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f4cca0f2f210c1975ae34677febb3394be590e85ac9f9fe573b1869eaf81da5
Instruction ID: 1a572f17b39f16afd25f23f7af1a25a8aeda728615345f054ed96fb61d590a8f
Opcode Fuzzy Hash: 0f4cca0f2f210c1975ae34677febb3394be590e85ac9f9fe573b1869eaf81da5
Instruction Fuzzy Hash: 14E026306046806FC301A7B4DC596E87F70DF07110F1480E1DC889B6E2CB228807C7D1

Uniqueness

Uniqueness Score: -1.00%

Function 02B003C5, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.414047452.0000000002B00000.00000040.00000001.sdmp, Offset: 02B00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bee7e5c53d4e3f3385df57e6a4b75fb931a4f5233422b9d812c091816392c17c
Instruction ID: 0492ced3864d6e559b163692e7f77c537ece6cc228ef6c08958738f342eb9833
Opcode Fuzzy Hash: bee7e5c53d4e3f3385df57e6a4b75fb931a4f5233422b9d812c091816392c17c
Instruction Fuzzy Hash: 86F01C70A002258FEB15EBB4C5987AD7EF1AF89304F100899D406B62E0DF740A88CB44

Uniqueness

Uniqueness Score: -1.00%

Function 02B00F08, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.414047452.0000000002B00000.00000040.00000001.sdmp, Offset: 02B00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f9842c66c8f2d3b4964846aac4224abc039dec04cfa163947775cc176f99433
Instruction ID: 0fabecd3f5513ca4c20cc0d041b2e024411ffd23435977bd147d0d112d314c36
Opcode Fuzzy Hash: 0f9842c66c8f2d3b4964846aac4224abc039dec04cfa163947775cc176f99433
Instruction Fuzzy Hash: 5AE01A34B101208FC344FB6DE454A5A37EBAB89220B1446AAD90DD73A9DA71AC04CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00D523F4, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.413592322.0000000000D52000.00000040.00000001.sdmp, Offset: 00D52000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10ea3d76e5ec9b028e65c9491a386423d0bea03f602fa492c9107636a4ce4b7c
Instruction ID: 7d741a7952cf86447e2a76a43c5a37eb73c3a9f60b3e0950bfed53822f80ef8b
Opcode Fuzzy Hash: 10ea3d76e5ec9b028e65c9491a386423d0bea03f602fa492c9107636a4ce4b7c
Instruction Fuzzy Hash: 98D05E79215A818FD7268A1CC1A9BA53B94AB62B05F4A44FDEC008B663C368D989D210

Uniqueness

Uniqueness Score: -1.00%

Function 00D523BC, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.413592322.0000000000D52000.00000040.00000001.sdmp, Offset: 00D52000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8dc2457805214f96a83092b600fbaad54ea88e54b162fcb7c504ca5e20f52a0
Instruction ID: 49c873213a2416a7bc97d60b7d83eea6fec19d1a2d191a426a04506c6cc2fe20
Opcode Fuzzy Hash: c8dc2457805214f96a83092b600fbaad54ea88e54b162fcb7c504ca5e20f52a0
Instruction Fuzzy Hash: F7D05E342002818BDB15DB0CC594F6937D4AB42B01F0A44ECAC008B662C3A9DC89C610

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior.
Tactics:	Discovery
Data Sources:	API monitoring, Azure activity logs, Office 365 account logs, Process command-line parameters, Process monitoring
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report TdX45jQWjj.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

Operating System Destruction:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

Description:	An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries.
Tactics:	Command and Control
Data Sources:	Network intrusion detection system, Network protocol analysis, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre