Play interactive tour

Edit tour

Analysis Report QTxFuxF5NQ.exe

Overview

General Information

Sample Name:	QTxFuxF5NQ.exe
Analysis ID:	356819
MD5:	06ab01b61a81d223e61fc64a11b50a39
SHA1:	6ea28b8ba49d332c9c937b1d2bf4a212bb50ab65
SHA256:	8a7d56c6c4f937173a0a45145765feb562b1fae368d9297a03dd4ea098d90d03
Tags:	exeNanoCoreRAT
Infos:
Most interesting Screenshot:

Detection

Nanocore

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected Nanocore Rat

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: NanoCore

Sigma detected: Scheduled temp file as task from temp location

Yara detected AntiVM_3

Yara detected Nanocore RAT

.NET source code contains potential unpacker

.NET source code contains very large strings

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses dynamic DNS services

Uses schtasks.exe or at.exe to add and modify task schedules

Writes to foreign memory regions

Antivirus or Machine Learning detection for unpacked file

Contains capabilities to detect virtual machines

Contains functionality to call native functions

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains long sleeps (>= 3 min)

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Installs a raw input device (often for capturing keystrokes)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Yara signature match

Classification

Startup

System is w10x64

QTxFuxF5NQ.exe (PID: 7084 cmdline: 'C:\Users\user\Desktop\QTxFuxF5NQ.exe' MD5: 06AB01B61A81D223E61FC64A11B50A39)

schtasks.exe (PID: 2848 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\CDaJolZUw' /XML 'C:\Users\user\AppData\Local\Temp\tmp1954.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 6532 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

RegSvcs.exe (PID: 6120 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe MD5: 71369277D09DA0830C8C59F9E22BB23A)

schtasks.exe (PID: 6700 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp22E3.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 5796 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

schtasks.exe (PID: 2220 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp2601.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 2188 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

RegSvcs.exe (PID: 4424 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe 0 MD5: 71369277D09DA0830C8C59F9E22BB23A)

conhost.exe (PID: 7016 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

dhcpmon.exe (PID: 6812 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0 MD5: 71369277D09DA0830C8C59F9E22BB23A)

conhost.exe (PID: 6852 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

dhcpmon.exe (PID: 6560 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: 71369277D09DA0830C8C59F9E22BB23A)

conhost.exe (PID: 6568 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000006.00000002.911962759.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000006.00000002.911962759.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000006.00000002.911962759.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000006.00000002.915278946.0000000006140000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
00000006.00000002.915278946.0000000006140000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
00000006.00000002.915278946.0000000006140000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000006.00000002.915159896.0000000005EB0000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
00000006.00000002.915159896.0000000005EB0000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
00000000.00000002.664714275.0000000004729000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1fc62d:$x1: NanoCore.ClientPluginHost 0x22f04d:$x1: NanoCore.ClientPluginHost 0x1fc66a:$x2: IClientNetworkHost 0x22f08a:$x2: IClientNetworkHost 0x20019d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x232bbd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.664714275.0000000004729000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.664714275.0000000004729000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1fc395:$a: NanoCore 0x1fc3a5:$a: NanoCore 0x1fc5d9:$a: NanoCore 0x1fc5ed:$a: NanoCore 0x1fc62d:$a: NanoCore 0x22edb5:$a: NanoCore 0x22edc5:$a: NanoCore 0x22eff9:$a: NanoCore 0x22f00d:$a: NanoCore 0x22f04d:$a: NanoCore 0x1fc3f4:$b: ClientPlugin 0x1fc5f6:$b: ClientPlugin 0x1fc636:$b: ClientPlugin 0x22ee14:$b: ClientPlugin 0x22f016:$b: ClientPlugin 0x22f056:$b: ClientPlugin 0xbd132:$c: ProjectData 0x117152:$c: ProjectData 0x1fc51b:$c: ProjectData 0x22ef3b:$c: ProjectData 0x1fcf22:$d: DESCrypto
00000006.00000002.914314431.000000000463D000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000006.00000002.914314431.000000000463D000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xda8d:$a: NanoCore 0xdae6:$a: NanoCore 0xdb23:$a: NanoCore 0xdb9c:$a: NanoCore 0x21247:$a: NanoCore 0x2125c:$a: NanoCore 0x21291:$a: NanoCore 0x3a233:$a: NanoCore 0x3a248:$a: NanoCore 0x3a27d:$a: NanoCore 0xdaef:$b: ClientPlugin 0xdb2c:$b: ClientPlugin 0xe42a:$b: ClientPlugin 0xe437:$b: ClientPlugin 0x21003:$b: ClientPlugin 0x2101e:$b: ClientPlugin 0x2104e:$b: ClientPlugin 0x21265:$b: ClientPlugin 0x2129a:$b: ClientPlugin 0x39fef:$b: ClientPlugin 0x3a00a:$b: ClientPlugin
00000000.00000002.663880375.00000000036D1000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000000.00000002.663609170.0000000003661000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: RegSvcs.exe PID: 6120	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x374d4:$x1: NanoCore.ClientPluginHost 0x9a0df:$x1: NanoCore.ClientPluginHost 0xc6345:$x1: NanoCore.ClientPluginHost 0x111906:$x1: NanoCore.ClientPluginHost 0x18c74f:$x1: NanoCore.ClientPluginHost 0x19230e:$x1: NanoCore.ClientPluginHost 0x1a36ce:$x1: NanoCore.ClientPluginHost 0x37535:$x2: IClientNetworkHost 0x9a124:$x2: IClientNetworkHost 0xc636b:$x2: IClientNetworkHost 0x11192c:$x2: IClientNetworkHost 0x18c775:$x2: IClientNetworkHost 0x192353:$x2: IClientNetworkHost 0x1a3713:$x2: IClientNetworkHost 0x3c93a:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x4a8ac:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: RegSvcs.exe PID: 6120	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: RegSvcs.exe PID: 6120	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x36fd9:$a: NanoCore 0x36ff5:$a: NanoCore 0x37150:$a: NanoCore 0x3715f:$a: NanoCore 0x37438:$a: NanoCore 0x37464:$a: NanoCore 0x374d4:$a: NanoCore 0x46f16:$a: NanoCore 0x46f28:$a: NanoCore 0x46f64:$a: NanoCore 0x9a059:$a: NanoCore 0x9a086:$a: NanoCore 0x9a0df:$a: NanoCore 0xa18ee:$a: NanoCore 0xa1901:$a: NanoCore 0xa1933:$a: NanoCore 0xc6237:$a: NanoCore 0xc62d8:$a: NanoCore 0xc6345:$a: NanoCore 0xc6406:$a: NanoCore 0xc72d7:$a: NanoCore
Process Memory Space: QTxFuxF5NQ.exe PID: 7084	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1387fd:$x1: NanoCore.ClientPluginHost 0x157249:$x1: NanoCore.ClientPluginHost 0x13885e:$x2: IClientNetworkHost 0x1572aa:$x2: IClientNetworkHost 0x13dc63:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x14bbd5:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x15c6af:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x16a621:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: QTxFuxF5NQ.exe PID: 7084	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: QTxFuxF5NQ.exe PID: 7084	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: QTxFuxF5NQ.exe PID: 7084	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x138302:$a: NanoCore 0x13831e:$a: NanoCore 0x138479:$a: NanoCore 0x138488:$a: NanoCore 0x138761:$a: NanoCore 0x13878d:$a: NanoCore 0x1387fd:$a: NanoCore 0x14823f:$a: NanoCore 0x148251:$a: NanoCore 0x14828d:$a: NanoCore 0x156d4e:$a: NanoCore 0x156d6a:$a: NanoCore 0x156ec5:$a: NanoCore 0x156ed4:$a: NanoCore 0x1571ad:$a: NanoCore 0x1571d9:$a: NanoCore 0x157249:$a: NanoCore 0x166c8b:$a: NanoCore 0x166c9d:$a: NanoCore 0x166cd9:$a: NanoCore 0x1383a9:$b: ClientPlugin
Click to see the 17 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
6.2.RegSvcs.exe.465310d.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0x24170:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost 0x2419d:$x2: IClientNetworkHost
6.2.RegSvcs.exe.465310d.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0x24170:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0x2524b:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost 0x2418a:$s5: IClientLoggingHost
6.2.RegSvcs.exe.465310d.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
6.2.RegSvcs.exe.6144629.9.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost
6.2.RegSvcs.exe.6144629.9.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost
6.2.RegSvcs.exe.6144629.9.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
6.2.RegSvcs.exe.6140000.8.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
6.2.RegSvcs.exe.6140000.8.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
6.2.RegSvcs.exe.6140000.8.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
6.2.RegSvcs.exe.464eae4.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0x28799:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost 0x287c6:$x2: IClientNetworkHost
6.2.RegSvcs.exe.464eae4.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x28799:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0x29874:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost 0x287b3:$s5: IClientLoggingHost
6.2.RegSvcs.exe.464eae4.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
6.2.RegSvcs.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
6.2.RegSvcs.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
6.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
6.2.RegSvcs.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
0.2.QTxFuxF5NQ.exe.49154a0.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x42bad:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x42bea:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x4671d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.QTxFuxF5NQ.exe.49154a0.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x42925:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x42bad:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x441e6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x441da:$s2: FileCommand 0x1266b:$s3: PipeExists 0x4508b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x4ae42:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost 0x42bd7:$s5: IClientLoggingHost
0.2.QTxFuxF5NQ.exe.49154a0.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.QTxFuxF5NQ.exe.49154a0.4.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0x42915:$a: NanoCore 0x42925:$a: NanoCore 0x42b59:$a: NanoCore 0x42b6d:$a: NanoCore 0x42bad:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x42974:$b: ClientPlugin 0x42b76:$b: ClientPlugin 0x42bb6:$b: ClientPlugin 0x1007b:$c: ProjectData 0x42a9b:$c: ProjectData 0x10a82:$d: DESCrypto 0x434a2:$d: DESCrypto 0x1844e:$e: KeepAlive
0.2.QTxFuxF5NQ.exe.367c884.1.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
6.2.RegSvcs.exe.4649cae.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0x145e3:$x1: NanoCore.ClientPluginHost 0x2d5cf:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost 0x14610:$x2: IClientNetworkHost 0x2d5fc:$x2: IClientNetworkHost
6.2.RegSvcs.exe.4649cae.5.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x145e3:$x2: NanoCore.ClientPluginHost 0x2d5cf:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0x156be:$s4: PipeCreated 0x2e6aa:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost 0x145fd:$s5: IClientLoggingHost 0x2d5e9:$s5: IClientLoggingHost
6.2.RegSvcs.exe.4649cae.5.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
6.2.RegSvcs.exe.4649cae.5.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xddf:$a: NanoCore 0xe38:$a: NanoCore 0xe75:$a: NanoCore 0xeee:$a: NanoCore 0x14599:$a: NanoCore 0x145ae:$a: NanoCore 0x145e3:$a: NanoCore 0x2d585:$a: NanoCore 0x2d59a:$a: NanoCore 0x2d5cf:$a: NanoCore 0xe41:$b: ClientPlugin 0xe7e:$b: ClientPlugin 0x177c:$b: ClientPlugin 0x1789:$b: ClientPlugin 0x14355:$b: ClientPlugin 0x14370:$b: ClientPlugin 0x143a0:$b: ClientPlugin 0x145b7:$b: ClientPlugin 0x145ec:$b: ClientPlugin 0x2d341:$b: ClientPlugin 0x2d35c:$b: ClientPlugin
0.2.QTxFuxF5NQ.exe.49154a0.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.QTxFuxF5NQ.exe.49154a0.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
0.2.QTxFuxF5NQ.exe.49154a0.4.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.QTxFuxF5NQ.exe.49154a0.4.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
6.2.RegSvcs.exe.5eb0000.7.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
6.2.RegSvcs.exe.5eb0000.7.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
6.2.RegSvcs.exe.464eae4.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
6.2.RegSvcs.exe.464eae4.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
6.2.RegSvcs.exe.464eae4.4.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
6.2.RegSvcs.exe.6140000.8.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
6.2.RegSvcs.exe.6140000.8.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
6.2.RegSvcs.exe.6140000.8.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.QTxFuxF5NQ.exe.47c8fd0.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x15c65d:$x1: NanoCore.ClientPluginHost 0x18f07d:$x1: NanoCore.ClientPluginHost 0x15c69a:$x2: IClientNetworkHost 0x18f0ba:$x2: IClientNetworkHost 0x1601cd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x192bed:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.QTxFuxF5NQ.exe.47c8fd0.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.QTxFuxF5NQ.exe.47c8fd0.3.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x15c3c5:$a: NanoCore 0x15c3d5:$a: NanoCore 0x15c609:$a: NanoCore 0x15c61d:$a: NanoCore 0x15c65d:$a: NanoCore 0x18ede5:$a: NanoCore 0x18edf5:$a: NanoCore 0x18f029:$a: NanoCore 0x18f03d:$a: NanoCore 0x18f07d:$a: NanoCore 0x15c424:$b: ClientPlugin 0x15c626:$b: ClientPlugin 0x15c666:$b: ClientPlugin 0x18ee44:$b: ClientPlugin 0x18f046:$b: ClientPlugin 0x18f086:$b: ClientPlugin 0x1d162:$c: ProjectData 0x77182:$c: ProjectData 0x15c54b:$c: ProjectData 0x18ef6b:$c: ProjectData 0x15cf52:$d: DESCrypto
6.2.RegSvcs.exe.36116e0.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
0.2.QTxFuxF5NQ.exe.4822ff0.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x10263d:$x1: NanoCore.ClientPluginHost 0x13505d:$x1: NanoCore.ClientPluginHost 0x10267a:$x2: IClientNetworkHost 0x13509a:$x2: IClientNetworkHost 0x1061ad:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x138bcd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.QTxFuxF5NQ.exe.4822ff0.2.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.QTxFuxF5NQ.exe.4822ff0.2.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1023a5:$a: NanoCore 0x1023b5:$a: NanoCore 0x1025e9:$a: NanoCore 0x1025fd:$a: NanoCore 0x10263d:$a: NanoCore 0x134dc5:$a: NanoCore 0x134dd5:$a: NanoCore 0x135009:$a: NanoCore 0x13501d:$a: NanoCore 0x13505d:$a: NanoCore 0x102404:$b: ClientPlugin 0x102606:$b: ClientPlugin 0x102646:$b: ClientPlugin 0x134e24:$b: ClientPlugin 0x135026:$b: ClientPlugin 0x135066:$b: ClientPlugin 0x1d162:$c: ProjectData 0x10252b:$c: ProjectData 0x134f4b:$c: ProjectData 0x102f32:$d: DESCrypto 0x135952:$d: DESCrypto
Click to see the 39 entries

Sigma Overview

System Summary:

Sigma detected: NanoCore

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, ProcessId: 6120, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Sigma detected: Scheduled temp file as task from temp location

Show sources

Source: Process started

Author: Joe Security: Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\CDaJolZUw' /XML 'C:\Users\user\AppData\Local\Temp\tmp1954.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\CDaJolZUw' /XML 'C:\Users\user\AppData\Local\Temp\tmp1954.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\QTxFuxF5NQ.exe' , ParentImage: C:\Users\user\Desktop\QTxFuxF5NQ.exe, ParentProcessId: 7084, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\CDaJolZUw' /XML 'C:\Users\user\AppData\Local\Temp\tmp1954.tmp', ProcessId: 2848

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\CDaJolZUw.exe

ReversingLabs: Detection: 33%

Multi AV Scanner detection for submitted file

Show sources

Source: QTxFuxF5NQ.exe

ReversingLabs: Detection: 33%

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000006.00000002.911962759.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.915278946.0000000006140000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.664714275.0000000004729000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.914314431.000000000463D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 6120, type: MEMORY
Source: Yara match	File source: Process Memory Space: QTxFuxF5NQ.exe PID: 7084, type: MEMORY
Source: Yara match	File source: 6.2.RegSvcs.exe.465310d.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.6144629.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.6140000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.464eae4.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.QTxFuxF5NQ.exe.49154a0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.4649cae.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.QTxFuxF5NQ.exe.49154a0.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.464eae4.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.6140000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.QTxFuxF5NQ.exe.47c8fd0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.QTxFuxF5NQ.exe.4822ff0.2.raw.unpack, type: UNPACKEDPE

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\CDaJolZUw.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Show sources

Source: QTxFuxF5NQ.exe

Joe Sandbox ML: detected

Source: 6.2.RegSvcs.exe.6140000.8.unpack	Avira: Label: TR/NanoCore.fadte
Source: 6.2.RegSvcs.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7

Compliance:

Uses 32bit PE files

Show sources

Source: QTxFuxF5NQ.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Uses new MSVCR Dlls

Show sources

Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Jump to behavior

Contains modern PE file flags such as dynamic base (ASLR) or NX

Show sources

Source: QTxFuxF5NQ.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Binary contains paths to debug symbols

Show sources

Source:	Binary string: .pdb_ source: QTxFuxF5NQ.exe, 00000000.00000002.661856455.00000000015CD000.00000004.00000020.sdmp
Source:	Binary string: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.pdb source: RegSvcs.exe, 00000006.00000002.913254707.0000000003145000.00000004.00000040.sdmp
Source:	Binary string: System.EnterpriseServices.Wrapper.pdb source: RegSvcs.exe, 0000000B.00000002.671984110.00000000051B0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000D.00000002.675513074.0000000005140000.00000002.00000001.sdmp, dhcpmon.exe, 00000010.00000002.688584110.0000000004E40000.00000002.00000001.sdmp
Source:	Binary string: indows\mscorlib.pdbpdblib.pdb source: RegSvcs.exe, 00000006.00000002.913254707.0000000003145000.00000004.00000040.sdmp
Source:	Binary string: indows\RegSvcs.pdbpdbvcs.pdb source: RegSvcs.exe, 00000006.00000002.913254707.0000000003145000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\symbols\exe\RegSvcs.pdb source: RegSvcs.exe, 00000006.00000002.913254707.0000000003145000.00000004.00000040.sdmp
Source:	Binary string: RegSvcs.pdb source: dhcpmon.exe, dhcpmon.exe.6.dr
Source:	Binary string: mscorrc.pdb source: QTxFuxF5NQ.exe, 00000000.00000002.669858463.0000000008A20000.00000002.00000001.sdmp, RegSvcs.exe, 00000006.00000002.915087376.0000000005E50000.00000002.00000001.sdmp, RegSvcs.exe, 0000000B.00000002.672928697.0000000005260000.00000002.00000001.sdmp, dhcpmon.exe, 0000000D.00000002.675714982.00000000051F0000.00000002.00000001.sdmp

Software Vulnerabilities:

Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h	0_2_08C795C8
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h	0_2_08C795B7
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h	0_2_08C79690
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h	0_2_08C7967F

Networking:

Uses dynamic DNS services

Show sources

Source: unknown

DNS query: name: jeksabide.duckdns.org

Source: global traffic

TCP traffic: 192.168.2.4:49745 -> 197.210.135.138:8989

Source: Joe Sandbox View

ASN Name: VCG-ASNG VCG-ASNG

Source: unknown

DNS traffic detected: queries for: jeksabide.duckdns.org

Source: QTxFuxF5NQ.exe, 00000000.00000002.665678742.0000000005A10000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: QTxFuxF5NQ.exe, 00000000.00000003.648543186.000000000592D000.00000004.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: QTxFuxF5NQ.exe, 00000000.00000003.649124659.000000000592A000.00000004.00000001.sdmp, QTxFuxF5NQ.exe, 00000000.00000003.648851674.0000000005936000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.com
Source: QTxFuxF5NQ.exe, 00000000.00000003.648851674.0000000005936000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comatn
Source: QTxFuxF5NQ.exe, 00000000.00000003.648851674.0000000005936000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comficU
Source: QTxFuxF5NQ.exe, 00000000.00000002.665678742.0000000005A10000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: QTxFuxF5NQ.exe, 00000000.00000003.648851674.0000000005936000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comles-
Source: QTxFuxF5NQ.exe, 00000000.00000003.648851674.0000000005936000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comy
Source: QTxFuxF5NQ.exe, 00000000.00000003.648851674.0000000005936000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comyrlO
Source: QTxFuxF5NQ.exe, 00000000.00000003.650201372.000000000592C000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: QTxFuxF5NQ.exe, 00000000.00000002.665678742.0000000005A10000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: QTxFuxF5NQ.exe, 00000000.00000003.650237541.000000000592C000.00000004.00000001.sdmp, QTxFuxF5NQ.exe, 00000000.00000003.650188936.0000000001A8B000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/
Source: QTxFuxF5NQ.exe, 00000000.00000002.665678742.0000000005A10000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: QTxFuxF5NQ.exe, 00000000.00000002.665678742.0000000005A10000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: QTxFuxF5NQ.exe, 00000000.00000002.665678742.0000000005A10000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: QTxFuxF5NQ.exe, 00000000.00000002.665678742.0000000005A10000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: QTxFuxF5NQ.exe, 00000000.00000002.665678742.0000000005A10000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: QTxFuxF5NQ.exe, 00000000.00000002.665678742.0000000005A10000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: QTxFuxF5NQ.exe, 00000000.00000003.650237541.000000000592C000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comF
Source: QTxFuxF5NQ.exe, 00000000.00000003.650201372.000000000592C000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comalic
Source: QTxFuxF5NQ.exe, 00000000.00000002.665566951.0000000005920000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comoitu
Source: QTxFuxF5NQ.exe, 00000000.00000002.665566951.0000000005920000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comtH
Source: QTxFuxF5NQ.exe, 00000000.00000002.665678742.0000000005A10000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: QTxFuxF5NQ.exe, 00000000.00000002.665678742.0000000005A10000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: QTxFuxF5NQ.exe, 00000000.00000002.665678742.0000000005A10000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: QTxFuxF5NQ.exe, 00000000.00000002.665678742.0000000005A10000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: QTxFuxF5NQ.exe, 00000000.00000003.647604832.0000000005930000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cnS
Source: QTxFuxF5NQ.exe, 00000000.00000003.647650814.0000000001A8B000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cnTF
Source: QTxFuxF5NQ.exe, 00000000.00000003.647604832.0000000005930000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cnate
Source: QTxFuxF5NQ.exe, 00000000.00000002.665678742.0000000005A10000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: QTxFuxF5NQ.exe, 00000000.00000002.665678742.0000000005A10000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: QTxFuxF5NQ.exe, 00000000.00000002.665678742.0000000005A10000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: QTxFuxF5NQ.exe, 00000000.00000003.649439715.000000000592C000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: QTxFuxF5NQ.exe, 00000000.00000003.649439715.000000000592C000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/$
Source: QTxFuxF5NQ.exe, 00000000.00000003.649439715.000000000592C000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/-
Source: QTxFuxF5NQ.exe, 00000000.00000003.649407889.000000000592A000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/6
Source: QTxFuxF5NQ.exe, 00000000.00000003.649407889.000000000592A000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/?
Source: QTxFuxF5NQ.exe, 00000000.00000003.649407889.000000000592A000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/H
Source: QTxFuxF5NQ.exe, 00000000.00000003.649439715.000000000592C000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/c
Source: QTxFuxF5NQ.exe, 00000000.00000003.649439715.000000000592C000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: QTxFuxF5NQ.exe, 00000000.00000003.649124659.000000000592A000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/H
Source: QTxFuxF5NQ.exe, 00000000.00000003.649439715.000000000592C000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/y
Source: QTxFuxF5NQ.exe, 00000000.00000002.665678742.0000000005A10000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: QTxFuxF5NQ.exe, 00000000.00000002.665678742.0000000005A10000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: QTxFuxF5NQ.exe, 00000000.00000002.665678742.0000000005A10000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: QTxFuxF5NQ.exe, 00000000.00000002.665678742.0000000005A10000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: QTxFuxF5NQ.exe, 00000000.00000002.665678742.0000000005A10000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: QTxFuxF5NQ.exe, 00000000.00000003.650237541.000000000592C000.00000004.00000001.sdmp	String found in binary or memory: http://www.urwpp.de9
Source: QTxFuxF5NQ.exe, 00000000.00000002.665678742.0000000005A10000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: QTxFuxF5NQ.exe, 00000000.00000003.650237541.000000000592C000.00000004.00000001.sdmp	String found in binary or memory: http://www.urwpp.deo
Source: QTxFuxF5NQ.exe, 00000000.00000002.665678742.0000000005A10000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: QTxFuxF5NQ.exe, 00000000.00000002.663880375.00000000036D1000.00000004.00000001.sdmp	String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Source: QTxFuxF5NQ.exe, 00000000.00000002.661741104.0000000001590000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: RegSvcs.exe, 00000006.00000002.915278946.0000000006140000.00000004.00000001.sdmp

Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000006.00000002.911962759.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.915278946.0000000006140000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.664714275.0000000004729000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.914314431.000000000463D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 6120, type: MEMORY
Source: Yara match	File source: Process Memory Space: QTxFuxF5NQ.exe PID: 7084, type: MEMORY
Source: Yara match	File source: 6.2.RegSvcs.exe.465310d.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.6144629.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.6140000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.464eae4.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.QTxFuxF5NQ.exe.49154a0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.4649cae.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.QTxFuxF5NQ.exe.49154a0.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.464eae4.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.6140000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.QTxFuxF5NQ.exe.47c8fd0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.QTxFuxF5NQ.exe.4822ff0.2.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000006.00000002.911962759.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000006.00000002.911962759.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000006.00000002.915278946.0000000006140000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000006.00000002.915159896.0000000005EB0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.664714275.0000000004729000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.664714275.0000000004729000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000006.00000002.914314431.000000000463D000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: RegSvcs.exe PID: 6120, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: RegSvcs.exe PID: 6120, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: QTxFuxF5NQ.exe PID: 7084, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: QTxFuxF5NQ.exe PID: 7084, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.2.RegSvcs.exe.465310d.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.RegSvcs.exe.6144629.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.RegSvcs.exe.6140000.8.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.RegSvcs.exe.464eae4.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.QTxFuxF5NQ.exe.49154a0.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.QTxFuxF5NQ.exe.49154a0.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.2.RegSvcs.exe.4649cae.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.RegSvcs.exe.4649cae.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.QTxFuxF5NQ.exe.49154a0.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.QTxFuxF5NQ.exe.49154a0.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.2.RegSvcs.exe.5eb0000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.RegSvcs.exe.464eae4.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.RegSvcs.exe.6140000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.QTxFuxF5NQ.exe.47c8fd0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.QTxFuxF5NQ.exe.47c8fd0.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.2.RegSvcs.exe.36116e0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.QTxFuxF5NQ.exe.4822ff0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.QTxFuxF5NQ.exe.4822ff0.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>

.NET source code contains very large strings

Show sources

Source: QTxFuxF5NQ.exe, LogIn.cs	Long String: Length: 13656
Source: CDaJolZUw.exe.0.dr, LogIn.cs	Long String: Length: 13656
Source: 0.0.QTxFuxF5NQ.exe.e90000.0.unpack, LogIn.cs	Long String: Length: 13656

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 6_2_0317180A NtQuerySystemInformation,		6_2_0317180A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 6_2_031717CF NtQuerySystemInformation,		6_2_031717CF

Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Code function: 0_2_0315FB90	0_2_0315FB90
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Code function: 0_2_0315FD98	0_2_0315FD98
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Code function: 0_2_03150B88	0_2_03150B88
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Code function: 0_2_0315D018	0_2_0315D018
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Code function: 0_2_03150B77	0_2_03150B77
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Code function: 0_2_0315FB81	0_2_0315FB81
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Code function: 0_2_0315D008	0_2_0315D008
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Code function: 0_2_0315E8F0	0_2_0315E8F0
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Code function: 0_2_0315E8EE	0_2_0315E8EE
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Code function: 0_2_08C763C0	0_2_08C763C0
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Code function: 0_2_08C708E1	0_2_08C708E1
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Code function: 0_2_08C708F0	0_2_08C708F0
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Code function: 0_2_08C781D8	0_2_08C781D8
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Code function: 0_2_08C781E8	0_2_08C781E8
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Code function: 0_2_08C70B38	0_2_08C70B38
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 6_2_031023A0	6_2_031023A0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 6_2_03102FA8	6_2_03102FA8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 6_2_0310B238	6_2_0310B238
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 6_2_031089D8	6_2_031089D8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 6_2_03103850	6_2_03103850
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 6_2_0310969F	6_2_0310969F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 6_2_031095D8	6_2_031095D8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 6_2_0310306F	6_2_0310306F

Source: QTxFuxF5NQ.exe	Binary or memory string: OriginalFilename vs QTxFuxF5NQ.exe
Source: QTxFuxF5NQ.exe, 00000000.00000002.667831770.0000000006B00000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamenlsbres.dllj% vs QTxFuxF5NQ.exe
Source: QTxFuxF5NQ.exe, 00000000.00000002.670105598.0000000008BE0000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameLegacyPathHandling.dllN vs QTxFuxF5NQ.exe
Source: QTxFuxF5NQ.exe, 00000000.00000002.669858463.0000000008A20000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs QTxFuxF5NQ.exe
Source: QTxFuxF5NQ.exe, 00000000.00000000.643920398.0000000000E92000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameAction.exe6 vs QTxFuxF5NQ.exe
Source: QTxFuxF5NQ.exe, 00000000.00000002.669525319.0000000007480000.00000002.00000001.sdmp	Binary or memory string: System.OriginalFileName vs QTxFuxF5NQ.exe
Source: QTxFuxF5NQ.exe, 00000000.00000002.669716790.00000000089A0000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameAsyncState.dllF vs QTxFuxF5NQ.exe
Source: QTxFuxF5NQ.exe, 00000000.00000002.661741104.0000000001590000.00000004.00000020.sdmp	Binary or memory string: OriginalFilenamemscorwks.dllT vs QTxFuxF5NQ.exe
Source: QTxFuxF5NQ.exe, 00000000.00000002.669676572.0000000007650000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamenlsbres.dll.muij% vs QTxFuxF5NQ.exe
Source: QTxFuxF5NQ.exe, 00000000.00000002.669628440.00000000074E0000.00000002.00000001.sdmp	Binary or memory string: originalfilename vs QTxFuxF5NQ.exe
Source: QTxFuxF5NQ.exe, 00000000.00000002.669628440.00000000074E0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs QTxFuxF5NQ.exe
Source: QTxFuxF5NQ.exe	Binary or memory string: OriginalFilenameAction.exe6 vs QTxFuxF5NQ.exe

Source: QTxFuxF5NQ.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: 00000006.00000002.911962759.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000006.00000002.911962759.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000006.00000002.915278946.0000000006140000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000006.00000002.915278946.0000000006140000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000006.00000002.915159896.0000000005EB0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000006.00000002.915159896.0000000005EB0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.664714275.0000000004729000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.664714275.0000000004729000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000006.00000002.914314431.000000000463D000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: RegSvcs.exe PID: 6120, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: RegSvcs.exe PID: 6120, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: QTxFuxF5NQ.exe PID: 7084, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: QTxFuxF5NQ.exe PID: 7084, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 6.2.RegSvcs.exe.465310d.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.RegSvcs.exe.465310d.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.RegSvcs.exe.6144629.9.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.RegSvcs.exe.6144629.9.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.RegSvcs.exe.6140000.8.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.RegSvcs.exe.6140000.8.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.RegSvcs.exe.464eae4.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.RegSvcs.exe.464eae4.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.QTxFuxF5NQ.exe.49154a0.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.QTxFuxF5NQ.exe.49154a0.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.QTxFuxF5NQ.exe.49154a0.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 6.2.RegSvcs.exe.4649cae.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.RegSvcs.exe.4649cae.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.RegSvcs.exe.4649cae.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.QTxFuxF5NQ.exe.49154a0.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.QTxFuxF5NQ.exe.49154a0.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.QTxFuxF5NQ.exe.49154a0.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 6.2.RegSvcs.exe.5eb0000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.RegSvcs.exe.5eb0000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.RegSvcs.exe.464eae4.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.RegSvcs.exe.464eae4.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.RegSvcs.exe.6140000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.RegSvcs.exe.6140000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.QTxFuxF5NQ.exe.47c8fd0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.QTxFuxF5NQ.exe.47c8fd0.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 6.2.RegSvcs.exe.36116e0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.QTxFuxF5NQ.exe.4822ff0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.QTxFuxF5NQ.exe.4822ff0.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore

Source: QTxFuxF5NQ.exe	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: CDaJolZUw.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: 6.2.RegSvcs.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 6.2.RegSvcs.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 6.2.RegSvcs.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: QTxFuxF5NQ.exe, LogIn.cs	Base64 encoded string: 'GIdDNNZNNNNRNNNN//8NNYtNNNNNNNNNDNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNtNNNNN4sht4NgNaAVotOGZ0uITucplOjpz9apzSgVTAuoz5iqPOvMFOlqJ4tnJ4tER9GVT1iMTHhQD0XWNNNNNNNNNODEDNNGNRQNViu868NNNNNNNNNNBNNNvRYNINNNPNNNNNTNNNNNNNNlw8NNNNtNNNNDNNNNNNNRDNtNNNNNtNNONNNNNNNNNNRNNNNNNNNNNPNNNNNNtNNNNNNNNZNDVHNNONNNONNNNNNRNNNRNNNNNNNNONNNNNNNNNNNNNNNUt/NNOCNNNNNRNNNBDQNNNNNNNNNNNNNNNNNNNNNNNNNTNNNNjNNNOpCjNNUNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNVNNNPNNNNNNNNNNNNNNNPPNNNRtNNNNNNNNNNNNNNP50MKu0NNNN0O8NNNNtNNNNVNNNNNVNNNNNNNNNNNNNNNNNNPNNNTNhpaAlLjNNNBDQNNNNDNNNNNDNNNNvNNNNNNNNNNNNNNNNNNONNNONYaWyoT9wNNNZNNNNNTNNNNNPNNNNWtNNNNNNNNNNNNNNNNNNDNNNDtNNNNNNNNNNNNNNNNNNNNPfCjNNNNNNNRtNNNNPNNHNhPHNNBjLNNNQNNNNNNNNNXD+NNP4NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNO4PXOLNNNbdWtNPXOpNNNbNXdMmTNNNPbNONNNRpkxNNNdNNtNNOUZnNNNXtNZNNNEmTjNNPbNRNNNRXuZjNDNDNNNNNDNNRDO+NDNNOT8pNNNXPvfNOvbGZNRNRNNNNNVNNORNstVNNNEiUDNNPtbeNNLdRmNONONNNNNQNNNENU4QNNNRok4NNNbXXjNTXuZjNDNDNNNNONNNRDO+ONNNOT8sNNNXPvfNOvbGZNVNCNNNNNHNNORNstHNNNDHXPNNNNbYOljuptRNNUQDODNNNvtuNNNXolVNNNcmVjNNPtjVtNHNNNDNNU4SNNNRPvfNOvbGZNRNPjNNNNLNNORNstLNNNDXXjNTXvVNNbNTNNNRXyMmQNNNOvtxNNNXqNLNNNXNOjNNOPbrNvtyNNNXXtNNRmNONNfNNNNUNNNENU4UNNNRPvfNOvbNRmNONNfNNNNUNNNENPtANNNTPvfNOvc+pwfNNUPNPNNNOUV7NNOjtNxNNNElBjNNpVNXNNNRXxbNNvtzNNNXNNZROFtENNNTNPbNNOZjONO0NNNNPNNNRDOmWjNNPtbTVYvPNDNtXWbONT8bNNNXXPxNNNbNNvtINNNTOPtHNNNTPjpbRjNNOtZbSDNNOvtFNNNTQNtbXtNNPt0WolfNNNbqzuZRRDEiYNNNPuhnRjHEOKV9NNOjTOvAStNNNFtgNNNXWuLbYtNNPtNdRmNSNWpNNNNWNNNENPtiNNNXN28jNNNXPjVPwzxK2cRspTRZNb5cS9LK2usJwF8NNNRANb5cS9bGOORRRjHJRjLeBtxEOtVEOcRVLDpEO5SugWjEOjAiZDNNPusn/tRGPORVRjxEPFjTSuZUNPfVNORUS9LGOjNEOusJRjLEOuRSZpNWNb5cTAbK1usnS9nAYjNNNFtlNNNXqNHNNOfXXjNTXtNGZNHNctNNNNbNNORNStfPomZNNNbGOkVUXQDNNNbZPNwLTgtAPEsnS9nAYjNNNEZRPOsnRjtJRjxeDjtK2uZXSuZYXl0PRDxEP281NNNXRjjFQPt2NNNXXQpNNNbJRDDUTvt4NNNXNNpn1tfEPksJRjfEPkRXZp0EPEsJRjxEPERVZopEOOLbBDNNPuZSRDHK2usJwF8NNNRGOuRRTuRTSuRTwzxbBNNNPtNEOtbeNNLdNNNGZNVNXNNNNNfNNORNN3WYNNOjXQbNNNbbBjNNPaZwNNNXPjpPomjNNNc0VtNNNDbeNNLdRmNRNRbNNNNZNNNENNWiZDNNPuuopm0NNNbYNz8kNNNXTAbZSt0eUjpPPEuiCtNNPu8DXQ8NNNbbDNNNPz9ONNNXWtxL1t0WPQUqO29PNNNXPvfNOvbNNOZjNDNUNNNNQDNNRDNHPvfNOvcTNNVJztVKztVLzvtENNNTNPbNNNNGZNZNVNNNNN4NNORNsttNNNE+PDNNOU4XNNNRXORNNNLNpwfNNUNXXjNTXuZjNtNFNNNNQjNNRDNPNluQNNNXXRDNNNbXXjNTXtNNRmNONNjNNNNDNNNENNVbEDNNPtbeNNLdRmNONONNNNNENNNENANWNNNPXPRNNNbXXjNTXuZjNDNZNNNNQtNNRDNPXRLNNNbXXjNTXuZjNtNqNNNNRtNNRDNPwNLNNOfH/tRYOljVXNRNNPfXXjHNNtbeNNLdWtNQ/uHTNNNoXvLNNvtzNNNXNPbNNNNGZNVNADNNNOZNNORNNagVNNNXo0xNNNbYO4jWNNNoSC4OQNtfSPtPNNNePjW7FNNNPtqiFtNNPtNNNNpXXjNTXyVNNvtzNNNXNNWmFjNNPa1VNNNXXv4bTNNNObNZNNNRXu4PXPLNNNbdNNOPH0cPNDNONNNNNNNZNNNNqwVhZP41ZQplAjNNNNNSNTjNNNPbPDNNV34NNODXNNOjPDNNV1A0pzyhM3ZNNNNNuOZNNTDNNNNwIIZN6OZNNONNNNNwE1IWENNNNCtGNNQ0ONNNV0Wfo2VNNNNNNNNNNtNNNIpIbtxWQjNNNCbOZjNJNNNONNNNBDNNNNfNNNNZNNNNVjNNNORNNNOYNNNNCjNNNOZNNNNTNNNNPtNNNNjNNNNWNNNNNDNNNNDNNNNONNNNNjNNNNZNNNNPNNNNNNNZODRNNNNNNNLNdtBJOjLNSjFJOjLNztYZOt8NQttNNNLN2jXzODLNwDBzODLN/tBzODLNltBzODLN4jBzODL
Source: CDaJolZUw.exe.0.dr, LogIn.cs	Base64 encoded string: 'GIdDNNZNNNNRNNNN//8NNYtNNNNNNNNNDNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNtNNNNN4sht4NgNaAVotOGZ0uITucplOjpz9apzSgVTAuoz5iqPOvMFOlqJ4tnJ4tER9GVT1iMTHhQD0XWNNNNNNNNNODEDNNGNRQNViu868NNNNNNNNNNBNNNvRYNINNNPNNNNNTNNNNNNNNlw8NNNNtNNNNDNNNNNNNRDNtNNNNNtNNONNNNNNNNNNRNNNNNNNNNNPNNNNNNtNNNNNNNNZNDVHNNONNNONNNNNNRNNNRNNNNNNNNONNNNNNNNNNNNNNNUt/NNOCNNNNNRNNNBDQNNNNNNNNNNNNNNNNNNNNNNNNNTNNNNjNNNOpCjNNUNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNVNNNPNNNNNNNNNNNNNNNPPNNNRtNNNNNNNNNNNNNNP50MKu0NNNN0O8NNNNtNNNNVNNNNNVNNNNNNNNNNNNNNNNNNPNNNTNhpaAlLjNNNBDQNNNNDNNNNNDNNNNvNNNNNNNNNNNNNNNNNNONNNONYaWyoT9wNNNZNNNNNTNNNNNPNNNNWtNNNNNNNNNNNNNNNNNNDNNNDtNNNNNNNNNNNNNNNNNNNNPfCjNNNNNNNRtNNNNPNNHNhPHNNBjLNNNQNNNNNNNNNXD+NNP4NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNO4PXOLNNNbdWtNPXOpNNNbNXdMmTNNNPbNONNNRpkxNNNdNNtNNOUZnNNNXtNZNNNEmTjNNPbNRNNNRXuZjNDNDNNNNNDNNRDO+NDNNOT8pNNNXPvfNOvbGZNRNRNNNNNVNNORNstVNNNEiUDNNPtbeNNLdRmNONONNNNNQNNNENU4QNNNRok4NNNbXXjNTXuZjNDNDNNNNONNNRDO+ONNNOT8sNNNXPvfNOvbGZNVNCNNNNNHNNORNstHNNNDHXPNNNNbYOljuptRNNUQDODNNNvtuNNNXolVNNNcmVjNNPtjVtNHNNNDNNU4SNNNRPvfNOvbGZNRNPjNNNNLNNORNstLNNNDXXjNTXvVNNbNTNNNRXyMmQNNNOvtxNNNXqNLNNNXNOjNNOPbrNvtyNNNXXtNNRmNONNfNNNNUNNNENU4UNNNRPvfNOvbNRmNONNfNNNNUNNNENPtANNNTPvfNOvc+pwfNNUPNPNNNOUV7NNOjtNxNNNElBjNNpVNXNNNRXxbNNvtzNNNXNNZROFtENNNTNPbNNOZjONO0NNNNPNNNRDOmWjNNPtbTVYvPNDNtXWbONT8bNNNXXPxNNNbNNvtINNNTOPtHNNNTPjpbRjNNOtZbSDNNOvtFNNNTQNtbXtNNPt0WolfNNNbqzuZRRDEiYNNNPuhnRjHEOKV9NNOjTOvAStNNNFtgNNNXWuLbYtNNPtNdRmNSNWpNNNNWNNNENPtiNNNXN28jNNNXPjVPwzxK2cRspTRZNb5cS9LK2usJwF8NNNRANb5cS9bGOORRRjHJRjLeBtxEOtVEOcRVLDpEO5SugWjEOjAiZDNNPusn/tRGPORVRjxEPFjTSuZUNPfVNORUS9LGOjNEOusJRjLEOuRSZpNWNb5cTAbK1usnS9nAYjNNNFtlNNNXqNHNNOfXXjNTXtNGZNHNctNNNNbNNORNStfPomZNNNbGOkVUXQDNNNbZPNwLTgtAPEsnS9nAYjNNNEZRPOsnRjtJRjxeDjtK2uZXSuZYXl0PRDxEP281NNNXRjjFQPt2NNNXXQpNNNbJRDDUTvt4NNNXNNpn1tfEPksJRjfEPkRXZp0EPEsJRjxEPERVZopEOOLbBDNNPuZSRDHK2usJwF8NNNRGOuRRTuRTSuRTwzxbBNNNPtNEOtbeNNLdNNNGZNVNXNNNNNfNNORNN3WYNNOjXQbNNNbbBjNNPaZwNNNXPjpPomjNNNc0VtNNNDbeNNLdRmNRNRbNNNNZNNNENNWiZDNNPuuopm0NNNbYNz8kNNNXTAbZSt0eUjpPPEuiCtNNPu8DXQ8NNNbbDNNNPz9ONNNXWtxL1t0WPQUqO29PNNNXPvfNOvbNNOZjNDNUNNNNQDNNRDNHPvfNOvcTNNVJztVKztVLzvtENNNTNPbNNNNGZNZNVNNNNN4NNORNsttNNNE+PDNNOU4XNNNRXORNNNLNpwfNNUNXXjNTXuZjNtNFNNNNQjNNRDNPNluQNNNXXRDNNNbXXjNTXtNNRmNONNjNNNNDNNNENNVbEDNNPtbeNNLdRmNONONNNNNENNNENANWNNNPXPRNNNbXXjNTXuZjNDNZNNNNQtNNRDNPXRLNNNbXXjNTXuZjNtNqNNNNRtNNRDNPwNLNNOfH/tRYOljVXNRNNPfXXjHNNtbeNNLdWtNQ/uHTNNNoXvLNNvtzNNNXNPbNNNNGZNVNADNNNOZNNORNNagVNNNXo0xNNNbYO4jWNNNoSC4OQNtfSPtPNNNePjW7FNNNPtqiFtNNPtNNNNpXXjNTXyVNNvtzNNNXNNWmFjNNPa1VNNNXXv4bTNNNObNZNNNRXu4PXPLNNNbdNNOPH0cPNDNONNNNNNNZNNNNqwVhZP41ZQplAjNNNNNSNTjNNNPbPDNNV34NNODXNNOjPDNNV1A0pzyhM3ZNNNNNuOZNNTDNNNNwIIZN6OZNNONNNNNwE1IWENNNNCtGNNQ0ONNNV0Wfo2VNNNNNNNNNNtNNNIpIbtxWQjNNNCbOZjNJNNNONNNNBDNNNNfNNNNZNNNNVjNNNORNNNOYNNNNCjNNNOZNNNNTNNNNPtNNNNjNNNNWNNNNNDNNNNDNNNNONNNNNjNNNNZNNNNPNNNNNNNZODRNNNNNNNLNdtBJOjLNSjFJOjLNztYZOt8NQttNNNLN2jXzODLNwDBzODLN/tBzODLNltBzODLN4jBzODL
Source: 0.0.QTxFuxF5NQ.exe.e90000.0.unpack, LogIn.cs	Base64 encoded string: 'GIdDNNZNNNNRNNNN//8NNYtNNNNNNNNNDNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNtNNNNN4sht4NgNaAVotOGZ0uITucplOjpz9apzSgVTAuoz5iqPOvMFOlqJ4tnJ4tER9GVT1iMTHhQD0XWNNNNNNNNNODEDNNGNRQNViu868NNNNNNNNNNBNNNvRYNINNNPNNNNNTNNNNNNNNlw8NNNNtNNNNDNNNNNNNRDNtNNNNNtNNONNNNNNNNNNRNNNNNNNNNNPNNNNNNtNNNNNNNNZNDVHNNONNNONNNNNNRNNNRNNNNNNNNONNNNNNNNNNNNNNNUt/NNOCNNNNNRNNNBDQNNNNNNNNNNNNNNNNNNNNNNNNNTNNNNjNNNOpCjNNUNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNVNNNPNNNNNNNNNNNNNNNPPNNNRtNNNNNNNNNNNNNNP50MKu0NNNN0O8NNNNtNNNNVNNNNNVNNNNNNNNNNNNNNNNNNPNNNTNhpaAlLjNNNBDQNNNNDNNNNNDNNNNvNNNNNNNNNNNNNNNNNNONNNONYaWyoT9wNNNZNNNNNTNNNNNPNNNNWtNNNNNNNNNNNNNNNNNNDNNNDtNNNNNNNNNNNNNNNNNNNNPfCjNNNNNNNRtNNNNPNNHNhPHNNBjLNNNQNNNNNNNNNXD+NNP4NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNO4PXOLNNNbdWtNPXOpNNNbNXdMmTNNNPbNONNNRpkxNNNdNNtNNOUZnNNNXtNZNNNEmTjNNPbNRNNNRXuZjNDNDNNNNNDNNRDO+NDNNOT8pNNNXPvfNOvbGZNRNRNNNNNVNNORNstVNNNEiUDNNPtbeNNLdRmNONONNNNNQNNNENU4QNNNRok4NNNbXXjNTXuZjNDNDNNNNONNNRDO+ONNNOT8sNNNXPvfNOvbGZNVNCNNNNNHNNORNstHNNNDHXPNNNNbYOljuptRNNUQDODNNNvtuNNNXolVNNNcmVjNNPtjVtNHNNNDNNU4SNNNRPvfNOvbGZNRNPjNNNNLNNORNstLNNNDXXjNTXvVNNbNTNNNRXyMmQNNNOvtxNNNXqNLNNNXNOjNNOPbrNvtyNNNXXtNNRmNONNfNNNNUNNNENU4UNNNRPvfNOvbNRmNONNfNNNNUNNNENPtANNNTPvfNOvc+pwfNNUPNPNNNOUV7NNOjtNxNNNElBjNNpVNXNNNRXxbNNvtzNNNXNNZROFtENNNTNPbNNOZjONO0NNNNPNNNRDOmWjNNPtbTVYvPNDNtXWbONT8bNNNXXPxNNNbNNvtINNNTOPtHNNNTPjpbRjNNOtZbSDNNOvtFNNNTQNtbXtNNPt0WolfNNNbqzuZRRDEiYNNNPuhnRjHEOKV9NNOjTOvAStNNNFtgNNNXWuLbYtNNPtNdRmNSNWpNNNNWNNNENPtiNNNXN28jNNNXPjVPwzxK2cRspTRZNb5cS9LK2usJwF8NNNRANb5cS9bGOORRRjHJRjLeBtxEOtVEOcRVLDpEO5SugWjEOjAiZDNNPusn/tRGPORVRjxEPFjTSuZUNPfVNORUS9LGOjNEOusJRjLEOuRSZpNWNb5cTAbK1usnS9nAYjNNNFtlNNNXqNHNNOfXXjNTXtNGZNHNctNNNNbNNORNStfPomZNNNbGOkVUXQDNNNbZPNwLTgtAPEsnS9nAYjNNNEZRPOsnRjtJRjxeDjtK2uZXSuZYXl0PRDxEP281NNNXRjjFQPt2NNNXXQpNNNbJRDDUTvt4NNNXNNpn1tfEPksJRjfEPkRXZp0EPEsJRjxEPERVZopEOOLbBDNNPuZSRDHK2usJwF8NNNRGOuRRTuRTSuRTwzxbBNNNPtNEOtbeNNLdNNNGZNVNXNNNNNfNNORNN3WYNNOjXQbNNNbbBjNNPaZwNNNXPjpPomjNNNc0VtNNNDbeNNLdRmNRNRbNNNNZNNNENNWiZDNNPuuopm0NNNbYNz8kNNNXTAbZSt0eUjpPPEuiCtNNPu8DXQ8NNNbbDNNNPz9ONNNXWtxL1t0WPQUqO29PNNNXPvfNOvbNNOZjNDNUNNNNQDNNRDNHPvfNOvcTNNVJztVKztVLzvtENNNTNPbNNNNGZNZNVNNNNN4NNORNsttNNNE+PDNNOU4XNNNRXORNNNLNpwfNNUNXXjNTXuZjNtNFNNNNQjNNRDNPNluQNNNXXRDNNNbXXjNTXtNNRmNONNjNNNNDNNNENNVbEDNNPtbeNNLdRmNONONNNNNENNNENANWNNNPXPRNNNbXXjNTXuZjNDNZNNNNQtNNRDNPXRLNNNbXXjNTXuZjNtNqNNNNRtNNRDNPwNLNNOfH/tRYOljVXNRNNPfXXjHNNtbeNNLdWtNQ/uHTNNNoXvLNNvtzNNNXNPbNNNNGZNVNADNNNOZNNORNNagVNNNXo0xNNNbYO4jWNNNoSC4OQNtfSPtPNNNePjW7FNNNPtqiFtNNPtNNNNpXXjNTXyVNNvtzNNNXNNWmFjNNPa1VNNNXXv4bTNNNObNZNNNRXu4PXPLNNNbdNNOPH0cPNDNONNNNNNNZNNNNqwVhZP41ZQplAjNNNNNSNTjNNNPbPDNNV34NNODXNNOjPDNNV1A0pzyhM3ZNNNNNuOZNNTDNNNNwIIZN6OZNNONNNNNwE1IWENNNNCtGNNQ0ONNNV0Wfo2VNNNNNNNNNNtNNNIpIbtxWQjNNNCbOZjNJNNNONNNNBDNNNNfNNNNZNNNNVjNNNORNNNOYNNNNCjNNNOZNNNNTNNNNPtNNNNjNNNNWNNNNNDNNNNDNNNNONNNNNjNNNNZNNNNPNNNNNNNZODRNNNNNNNLNdtBJOjLNSjFJOjLNztYZOt8NQttNNNLN2jXzODLNwDBzODLN/tBzODLNltBzODLN4jBzODL

Source: classification engine

Classification label: mal100.troj.evad.winEXE@18/14@6/2

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 6_2_0317149A AdjustTokenPrivileges,		6_2_0317149A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 6_2_03171463 AdjustTokenPrivileges,		6_2_03171463

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

File created: C:\Program Files (x86)\DHCP Monitor

Jump to behavior

Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe

File created: C:\Users\user\AppData\Roaming\CDaJolZUw.exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6568:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7016:120:WilError_01
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{d1eedee3-a368-42e8-8e32-51ef24536fc1}
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6532:120:WilError_01
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Mutant created: \Sessions\1\BaseNamedObjects\HCyoIwmRvdsUJa
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2188:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6852:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5796:120:WilError_01

Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe

File created: C:\Users\user\AppData\Local\Temp\tmp1954.tmp

Jump to behavior

Source: QTxFuxF5NQ.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior

Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: QTxFuxF5NQ.exe, 00000000.00000002.663880375.00000000036D1000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: QTxFuxF5NQ.exe, 00000000.00000002.663880375.00000000036D1000.00000004.00000001.sdmp	Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);

Source: QTxFuxF5NQ.exe

ReversingLabs: Detection: 33%

Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe

File read: C:\Users\user\Desktop\QTxFuxF5NQ.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\QTxFuxF5NQ.exe 'C:\Users\user\Desktop\QTxFuxF5NQ.exe'
Source: unknown	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\CDaJolZUw' /XML 'C:\Users\user\AppData\Local\Temp\tmp1954.tmp'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
Source: unknown	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp22E3.tmp'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp2601.tmp'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe 0
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\CDaJolZUw' /XML 'C:\Users\user\AppData\Local\Temp\tmp1954.tmp'	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp22E3.tmp'	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp2601.tmp'	Jump to behavior

Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Jump to behavior

Source: QTxFuxF5NQ.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Jump to behavior

Source: QTxFuxF5NQ.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: .pdb_ source: QTxFuxF5NQ.exe, 00000000.00000002.661856455.00000000015CD000.00000004.00000020.sdmp
Source:	Binary string: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.pdb source: RegSvcs.exe, 00000006.00000002.913254707.0000000003145000.00000004.00000040.sdmp
Source:	Binary string: System.EnterpriseServices.Wrapper.pdb source: RegSvcs.exe, 0000000B.00000002.671984110.00000000051B0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000D.00000002.675513074.0000000005140000.00000002.00000001.sdmp, dhcpmon.exe, 00000010.00000002.688584110.0000000004E40000.00000002.00000001.sdmp
Source:	Binary string: indows\mscorlib.pdbpdblib.pdb source: RegSvcs.exe, 00000006.00000002.913254707.0000000003145000.00000004.00000040.sdmp
Source:	Binary string: indows\RegSvcs.pdbpdbvcs.pdb source: RegSvcs.exe, 00000006.00000002.913254707.0000000003145000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\symbols\exe\RegSvcs.pdb source: RegSvcs.exe, 00000006.00000002.913254707.0000000003145000.00000004.00000040.sdmp
Source:	Binary string: RegSvcs.pdb source: dhcpmon.exe, dhcpmon.exe.6.dr
Source:	Binary string: mscorrc.pdb source: QTxFuxF5NQ.exe, 00000000.00000002.669858463.0000000008A20000.00000002.00000001.sdmp, RegSvcs.exe, 00000006.00000002.915087376.0000000005E50000.00000002.00000001.sdmp, RegSvcs.exe, 0000000B.00000002.672928697.0000000005260000.00000002.00000001.sdmp, dhcpmon.exe, 0000000D.00000002.675714982.00000000051F0000.00000002.00000001.sdmp

Data Obfuscation:

.NET source code contains potential unpacker

Show sources

Source: QTxFuxF5NQ.exe, BoundHandle.cs	.Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: CDaJolZUw.exe.0.dr, BoundHandle.cs	.Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.QTxFuxF5NQ.exe.e90000.0.unpack, BoundHandle.cs	.Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 6.2.RegSvcs.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 6.2.RegSvcs.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: initial sample	Static PE information: section name: .text entropy: 7.50649235458
Source: initial sample	Static PE information: section name: .text entropy: 7.50649235458

Source: 6.2.RegSvcs.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 6.2.RegSvcs.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'

Persistence and Installation Behavior:

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe			Jump to dropped file
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	File created: C:\Users\user\AppData\Roaming\CDaJolZUw.exe			Jump to dropped file

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules

Show sources

Source: unknown

Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\CDaJolZUw' /XML 'C:\Users\user\AppData\Local\Temp\tmp1954.tmp'

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM_3

Show sources

Source: Yara match	File source: 00000000.00000002.663880375.00000000036D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.663609170.0000000003661000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: QTxFuxF5NQ.exe PID: 7084, type: MEMORY
Source: Yara match	File source: 0.2.QTxFuxF5NQ.exe.367c884.1.raw.unpack, type: UNPACKEDPE

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: QTxFuxF5NQ.exe, 00000000.00000002.663880375.00000000036D1000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL
Source: QTxFuxF5NQ.exe, 00000000.00000002.663880375.00000000036D1000.00000004.00000001.sdmp	Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME

Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Jump to behavior

Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Window / User API: threadDelayed 799			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Window / User API: foregroundWindowGot 965			Jump to behavior

Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe TID: 7088	Thread sleep time: -101904s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe TID: 7088	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe TID: 7116	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6860	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 5032	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

Code function: 6_2_031711C2 GetSystemInfo,

6_2_031711C2

Source: QTxFuxF5NQ.exe, 00000000.00000002.663880375.00000000036D1000.00000004.00000001.sdmp	Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: RegSvcs.exe, 00000006.00000002.915841834.0000000006A00000.00000002.00000001.sdmp, RegSvcs.exe, 0000000B.00000002.673246588.00000000052C0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000D.00000002.675792517.0000000005250000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: QTxFuxF5NQ.exe, 00000000.00000002.663880375.00000000036D1000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: RegSvcs.exe, 00000006.00000002.915841834.0000000006A00000.00000002.00000001.sdmp, RegSvcs.exe, 0000000B.00000002.673246588.00000000052C0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000D.00000002.675792517.0000000005250000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: RegSvcs.exe, 00000006.00000002.915841834.0000000006A00000.00000002.00000001.sdmp, RegSvcs.exe, 0000000B.00000002.673246588.00000000052C0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000D.00000002.675792517.0000000005250000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: QTxFuxF5NQ.exe, 00000000.00000002.663880375.00000000036D1000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: QTxFuxF5NQ.exe, 00000000.00000002.663880375.00000000036D1000.00000004.00000001.sdmp	Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
Source: RegSvcs.exe, 00000006.00000002.915841834.0000000006A00000.00000002.00000001.sdmp, RegSvcs.exe, 0000000B.00000002.673246588.00000000052C0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000D.00000002.675792517.0000000005250000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging:

Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 400000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Show sources

Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 402000	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 420000	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 422000	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 10B8008	Jump to behavior

Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\CDaJolZUw' /XML 'C:\Users\user\AppData\Local\Temp\tmp1954.tmp'	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp22E3.tmp'	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp2601.tmp'	Jump to behavior

Source: RegSvcs.exe, 00000006.00000002.912752287.00000000015A5000.00000004.00000020.sdmp	Binary or memory string: Program Manager (x86)\DHCP Monitor\dhcpmon.exegSvcs.exe
Source: RegSvcs.exe, 00000006.00000002.913839229.00000000036BD000.00000004.00000001.sdmp	Binary or memory string: Program Manager
Source: RegSvcs.exe, 00000006.00000002.912971913.0000000001C50000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: RegSvcs.exe, 00000006.00000002.912971913.0000000001C50000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: RegSvcs.exe, 00000006.00000002.914200393.00000000038AA000.00000004.00000001.sdmp	Binary or memory string: Program ManagerP
Source: RegSvcs.exe, 00000006.00000002.912971913.0000000001C50000.00000002.00000001.sdmp	Binary or memory string: Progmanlock
Source: RegSvcs.exe, 00000006.00000003.667375681.00000000015AE000.00000004.00000001.sdmp	Binary or memory string: Program Managert$

Language, Device and Operating System Detection:

Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QTxFuxF5NQ.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000006.00000002.911962759.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.915278946.0000000006140000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.664714275.0000000004729000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.914314431.000000000463D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 6120, type: MEMORY
Source: Yara match	File source: Process Memory Space: QTxFuxF5NQ.exe PID: 7084, type: MEMORY
Source: Yara match	File source: 6.2.RegSvcs.exe.465310d.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.6144629.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.6140000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.464eae4.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.QTxFuxF5NQ.exe.49154a0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.4649cae.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.QTxFuxF5NQ.exe.49154a0.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.464eae4.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.6140000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.QTxFuxF5NQ.exe.47c8fd0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.QTxFuxF5NQ.exe.4822ff0.2.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Detected Nanocore Rat

Show sources

Source: QTxFuxF5NQ.exe, 00000000.00000002.664714275.0000000004729000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: RegSvcs.exe, 00000006.00000002.911962759.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: RegSvcs.exe, 00000006.00000002.913737384.0000000003601000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000006.00000002.911962759.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.915278946.0000000006140000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.664714275.0000000004729000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.914314431.000000000463D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 6120, type: MEMORY
Source: Yara match	File source: Process Memory Space: QTxFuxF5NQ.exe PID: 7084, type: MEMORY
Source: Yara match	File source: 6.2.RegSvcs.exe.465310d.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.6144629.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.6140000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.464eae4.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.QTxFuxF5NQ.exe.49154a0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.4649cae.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.QTxFuxF5NQ.exe.49154a0.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.464eae4.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.6140000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.QTxFuxF5NQ.exe.47c8fd0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.QTxFuxF5NQ.exe.4822ff0.2.raw.unpack, type: UNPACKEDPE

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 6_2_031729EA bind,		6_2_031729EA
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 6_2_03172998 bind,		6_2_03172998

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Scheduled Task/Job1	Scheduled Task/Job1	Access Token Manipulation1	Masquerading2	Input Capture21	Security Software Discovery211	Remote Services	Input Capture21	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Process Injection212	Virtualization/Sandbox Evasion3	LSASS Memory	Virtualization/Sandbox Evasion3	Remote Desktop Protocol	Archive Collected Data11	Exfiltration Over Bluetooth	Non-Standard Port1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Scheduled Task/Job1	Disable or Modify Tools1	Security Account Manager	Process Discovery2	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Remote Access Software1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Access Token Manipulation1	NTDS	Application Window Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Non-Application Layer Protocol1	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Process Injection212	LSA Secrets	File and Directory Discovery1	SSH	Keylogging	Data Transfer Size Limits	Application Layer Protocol11	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Deobfuscate/Decode Files or Information1	Cached Domain Credentials	System Information Discovery13	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Hidden Files and Directories1	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Obfuscated Files or Information21	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Software Packing13	/etc/passwd and /etc/shadow	System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
QTxFuxF5NQ.exe	33%	ReversingLabs	Win32.Trojan.AgentTesla
QTxFuxF5NQ.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\CDaJolZUw.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	0%	Metadefender		Browse
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	0%	ReversingLabs
C:\Users\user\AppData\Roaming\CDaJolZUw.exe	33%	ReversingLabs	Win32.Trojan.AgentTesla

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
6.2.RegSvcs.exe.6140000.8.unpack	100%	Avira	TR/NanoCore.fadte		Download File
6.2.RegSvcs.exe.400000.0.unpack	100%	Avira	TR/Dropper.MSIL.Gen7		Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/jp/H	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cnS	0%	Avira URL Cloud	safe
http://www.fontbureau.comtH	0%	Avira URL Cloud	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.carterandcone.com	0%	URL Reputation	safe
http://www.carterandcone.com	0%	URL Reputation	safe
http://www.carterandcone.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.urwpp.de9	0%	Avira URL Cloud	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/6	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/-	0%	Avira URL Cloud	safe
http://www.carterandcone.comficU	0%	Avira URL Cloud	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.carterandcone.comles-	0%	Avira URL Cloud	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.carterandcone.comyrlO	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/$	0%	Avira URL Cloud	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.carterandcone.comatn	0%	Avira URL Cloud	safe
http://www.fontbureau.comF	0%	URL Reputation	safe
http://www.fontbureau.comF	0%	URL Reputation	safe
http://www.fontbureau.comF	0%	URL Reputation	safe
http://www.founder.com.cn/cnTF	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/H	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/H	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/H	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/?	0%	Avira URL Cloud	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/y	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.fontbureau.comoitu	0%	URL Reputation	safe
http://www.fontbureau.comoitu	0%	URL Reputation	safe
http://www.fontbureau.comoitu	0%	URL Reputation	safe
http://www.carterandcone.comy	0%	Avira URL Cloud	safe
http://www.urwpp.deo	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.fontbureau.comalic	0%	URL Reputation	safe
http://www.fontbureau.comalic	0%	URL Reputation	safe
http://www.fontbureau.comalic	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/c	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cnate	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
jeksabide.duckdns.org	197.210.135.138	true	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.fontbureau.com/designersG	QTxFuxF5NQ.exe, 00000000.00000002.665678742.0000000005A10000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com/designers/?	QTxFuxF5NQ.exe, 00000000.00000002.665678742.0000000005A10000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn/bThe	QTxFuxF5NQ.exe, 00000000.00000002.665678742.0000000005A10000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers?	QTxFuxF5NQ.exe, 00000000.00000002.665678742.0000000005A10000.00000002.00000001.sdmp	false		high
http://www.jiyu-kobo.co.jp/jp/H	QTxFuxF5NQ.exe, 00000000.00000003.649124659.000000000592A000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.founder.com.cn/cnS	QTxFuxF5NQ.exe, 00000000.00000003.647604832.0000000005930000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.comtH	QTxFuxF5NQ.exe, 00000000.00000002.665566951.0000000005920000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.tiro.com	QTxFuxF5NQ.exe, 00000000.00000002.665678742.0000000005A10000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers	QTxFuxF5NQ.exe, 00000000.00000002.665678742.0000000005A10000.00000002.00000001.sdmp	false		high
http://www.goodfont.co.kr	QTxFuxF5NQ.exe, 00000000.00000002.665678742.0000000005A10000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.carterandcone.com	QTxFuxF5NQ.exe, 00000000.00000003.649124659.000000000592A000.00000004.00000001.sdmp, QTxFuxF5NQ.exe, 00000000.00000003.648851674.0000000005936000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css	QTxFuxF5NQ.exe, 00000000.00000002.663880375.00000000036D1000.00000004.00000001.sdmp	false		high
http://www.sajatypeworks.com	QTxFuxF5NQ.exe, 00000000.00000002.665678742.0000000005A10000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.typography.netD	QTxFuxF5NQ.exe, 00000000.00000002.665678742.0000000005A10000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cn/cThe	QTxFuxF5NQ.exe, 00000000.00000002.665678742.0000000005A10000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.urwpp.de9	QTxFuxF5NQ.exe, 00000000.00000003.650237541.000000000592C000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	QTxFuxF5NQ.exe, 00000000.00000002.665678742.0000000005A10000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://fontfabrik.com	QTxFuxF5NQ.exe, 00000000.00000002.665678742.0000000005A10000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/6	QTxFuxF5NQ.exe, 00000000.00000003.649407889.000000000592A000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/-	QTxFuxF5NQ.exe, 00000000.00000003.649439715.000000000592C000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.comficU	QTxFuxF5NQ.exe, 00000000.00000003.648851674.0000000005936000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.galapagosdesign.com/DPlease	QTxFuxF5NQ.exe, 00000000.00000002.665678742.0000000005A10000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.carterandcone.comles-	QTxFuxF5NQ.exe, 00000000.00000003.648851674.0000000005936000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://www.fonts.com	QTxFuxF5NQ.exe, 00000000.00000002.665678742.0000000005A10000.00000002.00000001.sdmp	false		high
http://www.sandoll.co.kr	QTxFuxF5NQ.exe, 00000000.00000002.665678742.0000000005A10000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.urwpp.deDPlease	QTxFuxF5NQ.exe, 00000000.00000002.665678742.0000000005A10000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.carterandcone.comyrlO	QTxFuxF5NQ.exe, 00000000.00000003.648851674.0000000005936000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/$	QTxFuxF5NQ.exe, 00000000.00000003.649439715.000000000592C000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.zhongyicts.com.cn	QTxFuxF5NQ.exe, 00000000.00000002.665678742.0000000005A10000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.sakkal.com	QTxFuxF5NQ.exe, 00000000.00000002.665678742.0000000005A10000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.carterandcone.comatn	QTxFuxF5NQ.exe, 00000000.00000003.648851674.0000000005936000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0	QTxFuxF5NQ.exe, 00000000.00000003.648543186.000000000592D000.00000004.00000001.sdmp	false		high
http://www.fontbureau.com	QTxFuxF5NQ.exe, 00000000.00000003.650201372.000000000592C000.00000004.00000001.sdmp	false		high
http://www.fontbureau.comF	QTxFuxF5NQ.exe, 00000000.00000003.650237541.000000000592C000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cnTF	QTxFuxF5NQ.exe, 00000000.00000003.647650814.0000000001A8B000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/H	QTxFuxF5NQ.exe, 00000000.00000003.649407889.000000000592A000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/jp/	QTxFuxF5NQ.exe, 00000000.00000003.649439715.000000000592C000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/?	QTxFuxF5NQ.exe, 00000000.00000003.649407889.000000000592A000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.coml	QTxFuxF5NQ.exe, 00000000.00000002.665678742.0000000005A10000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/y	QTxFuxF5NQ.exe, 00000000.00000003.649439715.000000000592C000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	QTxFuxF5NQ.exe, 00000000.00000002.665678742.0000000005A10000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn	QTxFuxF5NQ.exe, 00000000.00000002.665678742.0000000005A10000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-user.html	QTxFuxF5NQ.exe, 00000000.00000002.665678742.0000000005A10000.00000002.00000001.sdmp	false		high
http://www.fontbureau.comoitu	QTxFuxF5NQ.exe, 00000000.00000002.665566951.0000000005920000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.carterandcone.comy	QTxFuxF5NQ.exe, 00000000.00000003.648851674.0000000005936000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.urwpp.deo	QTxFuxF5NQ.exe, 00000000.00000003.650237541.000000000592C000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/	QTxFuxF5NQ.exe, 00000000.00000003.649439715.000000000592C000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	QTxFuxF5NQ.exe, 00000000.00000002.665678742.0000000005A10000.00000002.00000001.sdmp	false		high
http://www.fontbureau.comalic	QTxFuxF5NQ.exe, 00000000.00000003.650201372.000000000592C000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/c	QTxFuxF5NQ.exe, 00000000.00000003.649439715.000000000592C000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.founder.com.cn/cnate	QTxFuxF5NQ.exe, 00000000.00000003.647604832.0000000005930000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers/	QTxFuxF5NQ.exe, 00000000.00000003.650237541.000000000592C000.00000004.00000001.sdmp, QTxFuxF5NQ.exe, 00000000.00000003.650188936.0000000001A8B000.00000004.00000001.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
197.210.135.138	unknown	Nigeria		29465	VCG-ASNG	true

Private

IP
127.0.0.1

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	356819
Start date:	23.02.2021
Start time:	17:16:54
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 9m 33s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	QTxFuxF5NQ.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	28
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@18/14@6/2
EGA Information:	Failed
HDC Information:	Successful, ratio: 18.5% (good quality ratio 13%) Quality average: 43.6% Quality standard deviation: 35.8%
HCA Information:	Successful, ratio: 96% Number of executed functions: 394 Number of non-executed functions: 11
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information. Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 168.61.161.212, 52.255.188.83, 23.211.6.115, 104.43.193.48, 51.104.139.180, 52.155.217.156, 93.184.221.240, 20.54.26.129, 92.122.213.194, 92.122.213.247, 51.11.168.160 Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, a1449.dscg2.akamai.net, arc.msn.com, wu.azureedge.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, audownload.windowsupdate.nsatc.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, wu.wpc.apr-52dd2.edgecastdns.net, au-bg-shim.trafficmanager.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, wu.ec.azureedge.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, skypedataprdcolcus17.cloudapp.net, ctldl.windowsupdate.com, skypedataprdcolcus15.cloudapp.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found. VT rate limit hit for: /opt/package/joesandbox/database/analysis/356819/sample/QTxFuxF5NQ.exe

Simulations

Behavior and APIs

Time	Type	Description
17:17:44	API Interceptor	2x Sleep call for process: QTxFuxF5NQ.exe modified
17:17:49	Task Scheduler	Run new task: DHCP Monitor path: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe" s>$(Arg0)
17:17:50	API Interceptor	991x Sleep call for process: RegSvcs.exe modified
17:17:50	Autostart	Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
17:17:52	Task Scheduler	Run new task: DHCP Monitor Task path: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" s>$(Arg0)

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
VCG-ASNG	New Order 863127 PDF.exe	Get hash	malicious	Browse	197.210.84.206
	RFQ.exe	Get hash	malicious	Browse	197.210.84.140
	byWuWAR5FD.exe	Get hash	malicious	Browse	197.210.227.110
	SecuriteInfo.com.Trojan.Hosts.48193.21585.exe	Get hash	malicious	Browse	197.210.227.121
	GkNa5RLWZn.exe	Get hash	malicious	Browse	197.210.54.168
	UB49a85Up2.exe	Get hash	malicious	Browse	197.210.55.215
	821fAlqHyd.exe	Get hash	malicious	Browse	197.210.226.56
	gOSX6e0xbh.exe	Get hash	malicious	Browse	197.210.54.65
	Ave_Maria.exe	Get hash	malicious	Browse	102.89.0.155
	intelgraphics.exe	Get hash	malicious	Browse	197.210.44.160
	UNAUTHORIZED SIM SWAP.pdf.exe	Get hash	malicious	Browse	197.210.76.112
	BID PRICE.exe	Get hash	malicious	Browse	197.210.54.48
	0ChV2CB7Wd.exe	Get hash	malicious	Browse	197.210.65.39
	PcIaBdTsjR.exe	Get hash	malicious	Browse	197.210.65.39
	dTW87b9q0h.exe	Get hash	malicious	Browse	197.210.84.141
	bKVII0uuu5.xls	Get hash	malicious	Browse	197.210.85.232
	Partner Letter- DStv and GOtv Price Adjustment October 2020.pdf.exe	Get hash	malicious	Browse	197.210.45.204
	DHL AWB TRACKING DETAILS.exe	Get hash	malicious	Browse	197.210.227.36
	DHL AWB TRACKING DETAILS.exe	Get hash	malicious	Browse	197.210.85.85
	Invoice.exe	Get hash	malicious	Browse	197.210.76.69

JA3 Fingerprints

No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	a34b93ef-dea2-45f8-a5bf-4f6b0b5291c7.exe	Get hash	malicious	Browse
	3fcd8c19-af88-4cd9-87e7-0bfea1de01a1.exe	Get hash	malicious	Browse
	Vietnam Order.exe	Get hash	malicious	Browse
	Dhl Shipping Document.exe	Get hash	malicious	Browse
	PO-WJO-001, pdf.exe	Get hash	malicious	Browse
	byWuWAR5FD.exe	Get hash	malicious	Browse
	parcel_images.exe	Get hash	malicious	Browse
	0712020.exe	Get hash	malicious	Browse
	JfRbEbUkpV39K4L.exe	Get hash	malicious	Browse
	DECEMBER QUOTATION REQUEST FOR FR12007POH0008_PO0000143_ETQ.exe	Get hash	malicious	Browse
	DECEMBER QUOTATION REQUEST FOR FR12007POH0008_PO0000143_ETQ.exe	Get hash	malicious	Browse
	zC3edqmNNt.exe	Get hash	malicious	Browse
	Shipping Document.pdf..exe	Get hash	malicious	Browse
	PPR & CPR_HEA_DECEMBER 4 2020.exe	Get hash	malicious	Browse
	AdministratorDownloadsBL,.rar.exe	Get hash	malicious	Browse
	signed_19272.zip(#U007e18 KB) (2).exe	Get hash	malicious	Browse
	TT Swift Copy..,.exe	Get hash	malicious	Browse
	Invoice-.exe	Get hash	malicious	Browse
	Invoice..,.exe	Get hash	malicious	Browse
	Bank Update Info.exe	Get hash	malicious	Browse

Created / dropped Files

C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	3.7515815714465193
Encrypted:	false
SSDEEP:	384:BOj9Y8/gS7SDriLGKq1MHR5U4Ag6ihJSxUCR1rgCPKabK2t0X5P7DZ+JgWSW72uw:B+gSAdN1MH3HAFRJngW2u
MD5:	71369277D09DA0830C8C59F9E22BB23A
SHA1:	37F9781314F0F6B7E9CB529A573F2B1C8DE9E93F
SHA-256:	D4527B7AD2FC4778CC5BE8709C95AEA44EAC0568B367EE14F7357D72898C3698
SHA-512:	2F470383E3C796C4CF212EC280854DBB9E7E8C8010CE6857E58F8E7066D7516B7CD7039BC5C0F547E1F5C7F9F2287869ADFFB2869800B08B2982A88BE96E9FB7
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: a34b93ef-dea2-45f8-a5bf-4f6b0b5291c7.exe, Detection: malicious, Browse Filename: 3fcd8c19-af88-4cd9-87e7-0bfea1de01a1.exe, Detection: malicious, Browse Filename: Vietnam Order.exe, Detection: malicious, Browse Filename: Dhl Shipping Document.exe, Detection: malicious, Browse Filename: PO-WJO-001, pdf.exe, Detection: malicious, Browse Filename: byWuWAR5FD.exe, Detection: malicious, Browse Filename: parcel_images.exe, Detection: malicious, Browse Filename: 0712020.exe, Detection: malicious, Browse Filename: JfRbEbUkpV39K4L.exe, Detection: malicious, Browse Filename: DECEMBER QUOTATION REQUEST FOR FR12007POH0008_PO0000143_ETQ.exe, Detection: malicious, Browse Filename: DECEMBER QUOTATION REQUEST FOR FR12007POH0008_PO0000143_ETQ.exe, Detection: malicious, Browse Filename: zC3edqmNNt.exe, Detection: malicious, Browse Filename: Shipping Document.pdf..exe, Detection: malicious, Browse Filename: PPR & CPR_HEA_DECEMBER 4 2020.exe, Detection: malicious, Browse Filename: AdministratorDownloadsBL,.rar.exe, Detection: malicious, Browse Filename: signed_19272.zip(#U007e18 KB) (2).exe, Detection: malicious, Browse Filename: TT Swift Copy..,.exe, Detection: malicious, Browse Filename: Invoice-.exe, Detection: malicious, Browse Filename: Invoice..,.exe, Detection: malicious, Browse Filename: Bank Update Info.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....{Z.................P... .......k... ........@.. ...............................[....@..................................k..K................................... k............................................... ............... ..H............text....K... ...P.................. ..`.rsrc................`..............@..@.reloc...............p..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\QTxFuxF5NQ.exe.log Download File
Process:	C:\Users\user\Desktop\QTxFuxF5NQ.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	664
Entropy (8bit):	5.288448637977022
Encrypted:	false
SSDEEP:	12:Q3LaJU20NaL10Ug+9Yz9t0U29hJ5g1B0U2ukyrFk70U2xANlW3ANv:MLF20NaL3z2p29hJ5g522rW2xAi3A9
MD5:	B1DB55991C3DA14E35249AEA1BC357CA
SHA1:	0DD2D91198FDEF296441B12F1A906669B279700C
SHA-256:	34D3E48321D5010AD2BD1F3F0B728077E4F5A7F70D66FA36B57E5209580B6BDC
SHA-512:	BE38A31888C9C2F8047FA9C99672CB985179D325107514B7500DDA9523AE3E1D20B45EACC4E6C8A5D096360D0FBB98A120E63F38FFE324DF8A0559F6890CC801
Malicious:	true
Preview:	1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Remo#\35774dc3cd31b4550ab06c3354cf4ba5\System.Runtime.Remoting.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\RegSvcs.exe.log Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	120
Entropy (8bit):	5.016405576253028
Encrypted:	false
SSDEEP:	3:QHXMKaoWglAFXMWA2yTMGfsbNXLVd49Am12MFuAvOAsDeieVyn:Q3LawlAFXMWTyAGCFLIP12MUAvvrs
MD5:	50DEC1858E13F033E6DCA3CBFAD5E8DE
SHA1:	79AE1E9131B0FAF215B499D2F7B4C595AA120925
SHA-256:	14A557E226E3BA8620BB3A70035E1E316F1E9FB5C9E8F74C07110EE90B8D8AE4
SHA-512:	1BD73338DF685A5B57B0546E102ECFDEE65800410D6F77845E50456AC70DE72929088AF19B59647F01CBA7A5ACFB399C52D9EF2402A9451366586862EF88E7BF
Malicious:	false
Preview:	1,"fusion","GAC",0..2,"System.EnterpriseServices, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\dhcpmon.exe.log Download File
Process:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	120
Entropy (8bit):	5.016405576253028
Encrypted:	false
SSDEEP:	3:QHXMKaoWglAFXMWA2yTMGfsbNXLVd49Am12MFuAvOAsDeieVyn:Q3LawlAFXMWTyAGCFLIP12MUAvvrs
MD5:	50DEC1858E13F033E6DCA3CBFAD5E8DE
SHA1:	79AE1E9131B0FAF215B499D2F7B4C595AA120925
SHA-256:	14A557E226E3BA8620BB3A70035E1E316F1E9FB5C9E8F74C07110EE90B8D8AE4
SHA-512:	1BD73338DF685A5B57B0546E102ECFDEE65800410D6F77845E50456AC70DE72929088AF19B59647F01CBA7A5ACFB399C52D9EF2402A9451366586862EF88E7BF
Malicious:	false
Preview:	1,"fusion","GAC",0..2,"System.EnterpriseServices, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..

C:\Users\user\AppData\Local\Temp\tmp1954.tmp Download File
Process:	C:\Users\user\Desktop\QTxFuxF5NQ.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1642
Entropy (8bit):	5.181947585021207
Encrypted:	false
SSDEEP:	24:2dH4+SEqC/S7hblNMFp//rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBG+Ytn:cbhK79lNQR/rydbz9I3YODOLNdq3Be
MD5:	7EA3C0DCFA0736E599EAE357623E123E
SHA1:	C868BD43D2B9E7FC6D1FDC6031B34AD3D5F3C110
SHA-256:	886600D81211213FA3AEB10935B0D9418844D23FF667F4C91C08A5DF1B4A9AD9
SHA-512:	F9F37862F0196E363D0815A364D2236E72CF430690CDB641F85431FBAD3D4BD19B6802A1569CDC96BC8803FA62DB873DC411B1B65817E59D1E32613F2C41A219
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true

C:\Users\user\AppData\Local\Temp\tmp22E3.tmp Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	5.135021273392143
Encrypted:	false
SSDEEP:	24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0mn4xtn:cbk4oL600QydbQxIYODOLedq3Z4j
MD5:	40B11EF601FB28F9B2E69D36857BF2EC
SHA1:	B6454020AD2CEED193F4792B77001D0BD741B370
SHA-256:	C51E12D18CC664425F6711D8AE2507068884C7057092CFA11884100E1E9D49E1
SHA-512:	E3C5BCC714CBFCA4B8058DDCDDF231DCEFA69C15881CE3F8123E59ED45CFB5DA052B56E1945DCF8DC7F800D62F9A4EECB82BCA69A66A1530787AEFFEB15E2BD5
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak

C:\Users\user\AppData\Local\Temp\tmp2601.tmp Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1310
Entropy (8bit):	5.109425792877704
Encrypted:	false
SSDEEP:	24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0R3xtn:cbk4oL600QydbQxIYODOLedq3S3j
MD5:	5C2F41CFC6F988C859DA7D727AC2B62A
SHA1:	68999C85FC7E37BAB9216E0099836D40D4545C1C
SHA-256:	98B6E66B6C2173B9B91FC97FE51805340EFDE978B695453742EBAB631018398B
SHA-512:	B5DA5DA378D038AFBF8A7738E47921ED39F9B726E2CAA2993D915D9291A3322F94EFE8CCA6E7AD678A670DB19926B22B20E5028460FCC89CEA7F6635E7557334
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak

C:\Users\user\AppData\Roaming\CDaJolZUw.exe Download File
Process:	C:\Users\user\Desktop\QTxFuxF5NQ.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	535552
Entropy (8bit):	7.495164981186751
Encrypted:	false
SSDEEP:	12288:tYsEVi1E5M04vDTPGHKXSCCCP1uZuBG6v8eqDwx0:jCubGHJCCCPCd28y0
MD5:	06AB01B61A81D223E61FC64A11B50A39
SHA1:	6EA28B8BA49D332C9C937B1D2BF4A212BB50AB65
SHA-256:	8A7D56C6C4F937173A0A45145765FEB562B1FAE368D9297A03DD4EA098D90D03
SHA-512:	D5F8C74F975416FBE561891D0972C30823E4A97820474CA80E0E0F619E472CF5D24BB816A2474F8E4E75EF23C3537D4DEA35A892ED2C081BF2B1157805B113C4
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 33%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....H4`..............P.............R7... ...@....@.. ....................................@..................................7..O....@.......................`....................................................... ............... ..H............text...X.... ...................... ..`.rsrc........@......................@..@.reloc.......`.....................@..B................47......H........x...R..........0....k...........................................0............(....(..........(.....o..........................( ......(!......("......(#......($....N..(....o....(%....&..(&.....s'........s(........s)........s........s+............0...........~....o,....+...0...........~....o-....+...0...........~....o.....+...0...........~....o/....+...0...........~....o0....+...0..<........~.....(1.....,!r...p.....(2...o3...s4............~.....+..*.0......

C:\Users\user\AppData\Roaming\CDaJolZUw.exe:Zone.Identifier Download File
Process:	C:\Users\user\Desktop\QTxFuxF5NQ.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
File Type:	International EBCDIC text, with no line terminators, with overstriking
Category:	dropped
Size (bytes):	8
Entropy (8bit):	2.75
Encrypted:	false
SSDEEP:	3:9:9
MD5:	B1AC2045F509E6B5575DAA5961450BC4
SHA1:	230DC9351CD262D7EEBCC9EE349A16839A086A3F
SHA-256:	EEA82E0E44BE864935EA202E13EAE4B7516D90EF5CB77098998C78FF68E7CD38
SHA-512:	FB73FF2C3E3DAA16367469938316ADBFB192311F31985F0135C55089B5EB3C4B6E060FEC913A8F769CD14A7D6078E62DBCE87F8419DD2EEBC7CF3880164683CE
Malicious:	true
Preview:	.V.....H

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\task.dat Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	57
Entropy (8bit):	4.795707286467131
Encrypted:	false
SSDEEP:	3:oMty8WbSX/MNn:oMLWus
MD5:	D685103573539B7E9FDBF5F1D7DD96CE
SHA1:	4B2FE6B5C0B37954B314FCAEE1F12237A9B02D07
SHA-256:	D78BC23B0CA3EDDF52D56AB85CDC30A71B3756569CB32AA2F6C28DBC23C76E8E
SHA-512:	17769A5944E8929323A34269ABEEF0861D5C6799B0A27F5545FBFADC80E5AB684A471AD6F6A7FC623002385154EA89DE94013051E09120AB94362E542AB0F1DD
Malicious:	false
Preview:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

\Device\ConDrv Download File
Process:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1145
Entropy (8bit):	4.462201512373672
Encrypted:	false
SSDEEP:	24:zKLXkzPDObntKlglUEnfQtvNuNpKOK5aM9YJC:zKL0zPDQntKKH1MqJC
MD5:	46EBEB88876A00A52CC37B1F8E0D0438
SHA1:	5E5DB352F964E5F398301662FF558BD905798A65
SHA-256:	D65BD5A6CC112838AFE8FA70BF61FD13C1313BCE3EE3E76C50E454D7B581238B
SHA-512:	E713E6F304A469FB71235C598BC7E2C6F8458ABC61DAF3D1F364F66579CAFA4A7F3023E585BDA552FB400009E7805A8CA0311A50D5EDC9C2AD2D067772A071BE
Malicious:	false
Preview:	Microsoft (R) .NET Framework Services Installation Utility Version 2.0.50727.8922..Copyright (c) Microsoft Corporation. All rights reserved.....USAGE: regsvcs.exe [options] AssemblyName..Options:.. /? or /help Display this usage message... /fc Find or create target application (default)... /c Create target application, error if it already exists... /exapp Expect an existing application... /tlb:<tlbfile> Filename for the exported type library... /appname:<name> Use the specified name for the target application... /parname:<name> Use the specified name or id for the target partition... /extlb Use an existing type library... /reconfig Reconfigure existing target application (default)... /noreconfig Don't reconfigure existing target application... /u Uninstall target application... /nologo Suppress logo output... /quiet Suppress logo output and success output...

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.495164981186751
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	QTxFuxF5NQ.exe
File size:	535552
MD5:	06ab01b61a81d223e61fc64a11b50a39
SHA1:	6ea28b8ba49d332c9c937b1d2bf4a212bb50ab65
SHA256:	8a7d56c6c4f937173a0a45145765feb562b1fae368d9297a03dd4ea098d90d03
SHA512:	d5f8c74f975416fbe561891d0972c30823e4a97820474ca80e0e0f619e472cf5d24bb816a2474f8e4e75ef23c3537d4dea35a892ed2c081bf2b1157805b113c4
SSDEEP:	12288:tYsEVi1E5M04vDTPGHKXSCCCP1uZuBG6v8eqDwx0:jCubGHJCCCPCd28y0
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....H4`..............P.............R7... ...@....@.. ....................................@................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General
Entrypoint:	0x483752
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x6034480F [Tue Feb 23 00:10:55 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:	v2.0.50727
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x83700	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x84000	0xfd0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x86000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x81758	0x81800	False	0.776619811776	data	7.50649235458	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0x84000	0xfd0	0x1000	False	0.3974609375	data	4.98417791982	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x86000	0xc	0x200	False	0.044921875	data	0.101910425663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0x84090	0x31c	data
RT_MANIFEST	0x843bc	0xc0f	XML 1.0 document, UTF-8 Unicode (with BOM) text

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright 2018
Assembly Version	1.0.0.0
InternalName	Action.exe
FileVersion	1.0.0.0
CompanyName
LegalTrademarks
Comments
ProductName	RegisterVB
ProductVersion	1.0.0.0
FileDescription	RegisterVB
OriginalFilename	Action.exe

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 23, 2021 17:17:52.870034933 CET	49745	8989	192.168.2.4	197.210.135.138
Feb 23, 2021 17:17:56.010488033 CET	49745	8989	192.168.2.4	197.210.135.138
Feb 23, 2021 17:18:02.012639999 CET	49745	8989	192.168.2.4	197.210.135.138
Feb 23, 2021 17:18:11.898427963 CET	49750	8989	192.168.2.4	197.210.135.138
Feb 23, 2021 17:18:14.902717113 CET	49750	8989	192.168.2.4	197.210.135.138
Feb 23, 2021 17:18:20.903213978 CET	49750	8989	192.168.2.4	197.210.135.138
Feb 23, 2021 17:18:30.250741005 CET	49757	8989	192.168.2.4	197.210.135.138
Feb 23, 2021 17:18:33.263607979 CET	49757	8989	192.168.2.4	197.210.135.138
Feb 23, 2021 17:18:39.279761076 CET	49757	8989	192.168.2.4	197.210.135.138
Feb 23, 2021 17:19:04.357513905 CET	49772	8989	192.168.2.4	197.210.135.138
Feb 23, 2021 17:19:07.360349894 CET	49772	8989	192.168.2.4	197.210.135.138
Feb 23, 2021 17:19:13.376389027 CET	49772	8989	192.168.2.4	197.210.135.138
Feb 23, 2021 17:19:21.708725929 CET	49774	8989	192.168.2.4	197.210.135.138
Feb 23, 2021 17:19:24.721059084 CET	49774	8989	192.168.2.4	197.210.135.138
Feb 23, 2021 17:19:30.737267017 CET	49774	8989	192.168.2.4	197.210.135.138
Feb 23, 2021 17:19:38.780620098 CET	49776	8989	192.168.2.4	197.210.135.138
Feb 23, 2021 17:19:41.784950018 CET	49776	8989	192.168.2.4	197.210.135.138
Feb 23, 2021 17:19:47.785478115 CET	49776	8989	192.168.2.4	197.210.135.138

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 23, 2021 17:17:33.112857103 CET	53	58028	8.8.8.8	192.168.2.4
Feb 23, 2021 17:17:35.156117916 CET	53097	53	192.168.2.4	8.8.8.8
Feb 23, 2021 17:17:35.208527088 CET	53	53097	8.8.8.8	192.168.2.4
Feb 23, 2021 17:17:35.967366934 CET	49257	53	192.168.2.4	8.8.8.8
Feb 23, 2021 17:17:36.024481058 CET	53	49257	8.8.8.8	192.168.2.4
Feb 23, 2021 17:17:36.908479929 CET	62389	53	192.168.2.4	8.8.8.8
Feb 23, 2021 17:17:36.917710066 CET	49910	53	192.168.2.4	8.8.8.8
Feb 23, 2021 17:17:36.970102072 CET	53	62389	8.8.8.8	192.168.2.4
Feb 23, 2021 17:17:36.978503942 CET	53	49910	8.8.8.8	192.168.2.4
Feb 23, 2021 17:17:38.186949015 CET	55854	53	192.168.2.4	8.8.8.8
Feb 23, 2021 17:17:38.238738060 CET	53	55854	8.8.8.8	192.168.2.4
Feb 23, 2021 17:17:39.288774967 CET	64549	53	192.168.2.4	8.8.8.8
Feb 23, 2021 17:17:39.348469973 CET	53	64549	8.8.8.8	192.168.2.4
Feb 23, 2021 17:17:40.148591042 CET	63153	53	192.168.2.4	8.8.8.8
Feb 23, 2021 17:17:40.199114084 CET	53	63153	8.8.8.8	192.168.2.4
Feb 23, 2021 17:17:41.325800896 CET	52991	53	192.168.2.4	8.8.8.8
Feb 23, 2021 17:17:41.377269030 CET	53	52991	8.8.8.8	192.168.2.4
Feb 23, 2021 17:17:42.468820095 CET	53700	53	192.168.2.4	8.8.8.8
Feb 23, 2021 17:17:42.520406008 CET	53	53700	8.8.8.8	192.168.2.4
Feb 23, 2021 17:17:43.347155094 CET	51726	53	192.168.2.4	8.8.8.8
Feb 23, 2021 17:17:43.398762941 CET	53	51726	8.8.8.8	192.168.2.4
Feb 23, 2021 17:17:44.379580021 CET	56794	53	192.168.2.4	8.8.8.8
Feb 23, 2021 17:17:44.428309917 CET	53	56794	8.8.8.8	192.168.2.4
Feb 23, 2021 17:17:45.531502008 CET	56534	53	192.168.2.4	8.8.8.8
Feb 23, 2021 17:17:45.580095053 CET	53	56534	8.8.8.8	192.168.2.4
Feb 23, 2021 17:17:46.647998095 CET	56627	53	192.168.2.4	8.8.8.8
Feb 23, 2021 17:17:46.708534002 CET	53	56627	8.8.8.8	192.168.2.4
Feb 23, 2021 17:17:47.759473085 CET	56621	53	192.168.2.4	8.8.8.8
Feb 23, 2021 17:17:47.808342934 CET	53	56621	8.8.8.8	192.168.2.4
Feb 23, 2021 17:17:48.907426119 CET	63116	53	192.168.2.4	8.8.8.8
Feb 23, 2021 17:17:48.956129074 CET	53	63116	8.8.8.8	192.168.2.4
Feb 23, 2021 17:17:50.163281918 CET	64078	53	192.168.2.4	8.8.8.8
Feb 23, 2021 17:17:50.214752913 CET	53	64078	8.8.8.8	192.168.2.4
Feb 23, 2021 17:17:51.249070883 CET	64801	53	192.168.2.4	8.8.8.8
Feb 23, 2021 17:17:51.299072027 CET	53	64801	8.8.8.8	192.168.2.4
Feb 23, 2021 17:17:52.638619900 CET	61721	53	192.168.2.4	8.8.8.8
Feb 23, 2021 17:17:52.816646099 CET	51255	53	192.168.2.4	8.8.8.8
Feb 23, 2021 17:17:52.860063076 CET	53	61721	8.8.8.8	192.168.2.4
Feb 23, 2021 17:17:52.868854046 CET	53	51255	8.8.8.8	192.168.2.4
Feb 23, 2021 17:17:53.654639959 CET	61522	53	192.168.2.4	8.8.8.8
Feb 23, 2021 17:17:53.706198931 CET	53	61522	8.8.8.8	192.168.2.4
Feb 23, 2021 17:18:07.994263887 CET	52337	53	192.168.2.4	8.8.8.8
Feb 23, 2021 17:18:08.045980930 CET	53	52337	8.8.8.8	192.168.2.4
Feb 23, 2021 17:18:11.673760891 CET	55046	53	192.168.2.4	8.8.8.8
Feb 23, 2021 17:18:11.896399021 CET	53	55046	8.8.8.8	192.168.2.4
Feb 23, 2021 17:18:27.961555004 CET	49612	53	192.168.2.4	8.8.8.8
Feb 23, 2021 17:18:28.018769979 CET	53	49612	8.8.8.8	192.168.2.4
Feb 23, 2021 17:18:28.690170050 CET	49285	53	192.168.2.4	8.8.8.8
Feb 23, 2021 17:18:28.760432005 CET	53	49285	8.8.8.8	192.168.2.4
Feb 23, 2021 17:18:29.108568907 CET	50601	53	192.168.2.4	8.8.8.8
Feb 23, 2021 17:18:29.167959929 CET	53	50601	8.8.8.8	192.168.2.4
Feb 23, 2021 17:18:29.321527958 CET	60875	53	192.168.2.4	8.8.8.8
Feb 23, 2021 17:18:29.378681898 CET	53	60875	8.8.8.8	192.168.2.4
Feb 23, 2021 17:18:29.799036026 CET	56448	53	192.168.2.4	8.8.8.8
Feb 23, 2021 17:18:29.856096983 CET	59172	53	192.168.2.4	8.8.8.8
Feb 23, 2021 17:18:29.870553970 CET	53	56448	8.8.8.8	192.168.2.4
Feb 23, 2021 17:18:29.915478945 CET	53	59172	8.8.8.8	192.168.2.4
Feb 23, 2021 17:18:30.016415119 CET	62420	53	192.168.2.4	8.8.8.8
Feb 23, 2021 17:18:30.248186111 CET	53	62420	8.8.8.8	192.168.2.4
Feb 23, 2021 17:18:30.423396111 CET	60579	53	192.168.2.4	8.8.8.8
Feb 23, 2021 17:18:30.472065926 CET	53	60579	8.8.8.8	192.168.2.4
Feb 23, 2021 17:18:31.040520906 CET	50183	53	192.168.2.4	8.8.8.8
Feb 23, 2021 17:18:31.122072935 CET	53	50183	8.8.8.8	192.168.2.4
Feb 23, 2021 17:18:31.730104923 CET	61531	53	192.168.2.4	8.8.8.8
Feb 23, 2021 17:18:31.787012100 CET	53	61531	8.8.8.8	192.168.2.4
Feb 23, 2021 17:18:33.247946978 CET	49228	53	192.168.2.4	8.8.8.8
Feb 23, 2021 17:18:33.307434082 CET	53	49228	8.8.8.8	192.168.2.4
Feb 23, 2021 17:18:34.757982969 CET	59794	53	192.168.2.4	8.8.8.8
Feb 23, 2021 17:18:34.821521044 CET	53	59794	8.8.8.8	192.168.2.4
Feb 23, 2021 17:18:35.374767065 CET	55916	53	192.168.2.4	8.8.8.8
Feb 23, 2021 17:18:35.438473940 CET	53	55916	8.8.8.8	192.168.2.4
Feb 23, 2021 17:18:47.132163048 CET	52752	53	192.168.2.4	8.8.8.8
Feb 23, 2021 17:18:47.196331024 CET	53	52752	8.8.8.8	192.168.2.4
Feb 23, 2021 17:19:04.276197910 CET	60542	53	192.168.2.4	8.8.8.8
Feb 23, 2021 17:19:04.333688974 CET	53	60542	8.8.8.8	192.168.2.4
Feb 23, 2021 17:19:20.433358908 CET	60689	53	192.168.2.4	8.8.8.8
Feb 23, 2021 17:19:20.484214067 CET	53	60689	8.8.8.8	192.168.2.4
Feb 23, 2021 17:19:21.484606028 CET	64206	53	192.168.2.4	8.8.8.8
Feb 23, 2021 17:19:21.707307100 CET	53	64206	8.8.8.8	192.168.2.4
Feb 23, 2021 17:19:22.631076097 CET	50904	53	192.168.2.4	8.8.8.8
Feb 23, 2021 17:19:22.698132038 CET	53	50904	8.8.8.8	192.168.2.4
Feb 23, 2021 17:19:38.558481932 CET	57525	53	192.168.2.4	8.8.8.8
Feb 23, 2021 17:19:38.778891087 CET	53	57525	8.8.8.8	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Feb 23, 2021 17:17:52.638619900 CET	192.168.2.4	8.8.8.8	0x87db	Standard query (0)	jeksabide.duckdns.org	A (IP address)	IN (0x0001)
Feb 23, 2021 17:18:11.673760891 CET	192.168.2.4	8.8.8.8	0x4df5	Standard query (0)	jeksabide.duckdns.org	A (IP address)	IN (0x0001)
Feb 23, 2021 17:18:30.016415119 CET	192.168.2.4	8.8.8.8	0xee98	Standard query (0)	jeksabide.duckdns.org	A (IP address)	IN (0x0001)
Feb 23, 2021 17:19:04.276197910 CET	192.168.2.4	8.8.8.8	0x743b	Standard query (0)	jeksabide.duckdns.org	A (IP address)	IN (0x0001)
Feb 23, 2021 17:19:21.484606028 CET	192.168.2.4	8.8.8.8	0x2d2a	Standard query (0)	jeksabide.duckdns.org	A (IP address)	IN (0x0001)
Feb 23, 2021 17:19:38.558481932 CET	192.168.2.4	8.8.8.8	0xef8b	Standard query (0)	jeksabide.duckdns.org	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
Feb 23, 2021 17:17:52.860063076 CET	8.8.8.8	192.168.2.4	0x87db	No error (0)	jeksabide.duckdns.org	197.210.135.138	A (IP address)	IN (0x0001)
Feb 23, 2021 17:18:11.896399021 CET	8.8.8.8	192.168.2.4	0x4df5	No error (0)	jeksabide.duckdns.org	197.210.135.138	A (IP address)	IN (0x0001)
Feb 23, 2021 17:18:30.248186111 CET	8.8.8.8	192.168.2.4	0xee98	No error (0)	jeksabide.duckdns.org	197.210.135.138	A (IP address)	IN (0x0001)
Feb 23, 2021 17:19:04.333688974 CET	8.8.8.8	192.168.2.4	0x743b	No error (0)	jeksabide.duckdns.org	197.210.135.138	A (IP address)	IN (0x0001)
Feb 23, 2021 17:19:21.707307100 CET	8.8.8.8	192.168.2.4	0x2d2a	No error (0)	jeksabide.duckdns.org	197.210.135.138	A (IP address)	IN (0x0001)
Feb 23, 2021 17:19:38.778891087 CET	8.8.8.8	192.168.2.4	0xef8b	No error (0)	jeksabide.duckdns.org	197.210.135.138	A (IP address)	IN (0x0001)

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: QTxFuxF5NQ.exe PID: 7084 Parent PID: 5888

General

Start time:	17:17:39
Start date:	23/02/2021
Path:	C:\Users\user\Desktop\QTxFuxF5NQ.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\QTxFuxF5NQ.exe'
Imagebase:	0xe90000
File size:	535552 bytes
MD5 hash:	06AB01B61A81D223E61FC64A11B50A39
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.664714275.0000000004729000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.664714275.0000000004729000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000000.00000002.664714275.0000000004729000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.663880375.00000000036D1000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.663609170.0000000003661000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: schtasks.exe PID: 2848 Parent PID: 7084

General

Start time:	17:17:46
Start date:	23/02/2021
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\CDaJolZUw' /XML 'C:\Users\user\AppData\Local\Temp\tmp1954.tmp'
Imagebase:	0x1330000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 6532 Parent PID: 2848

General

Start time:	17:17:46
Start date:	23/02/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff724c50000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: RegSvcs.exe PID: 6120 Parent PID: 7084

General

Start time:	17:17:46
Start date:	23/02/2021
Path:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
Imagebase:	0xe80000
File size:	32768 bytes
MD5 hash:	71369277D09DA0830C8C59F9E22BB23A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000006.00000002.911962759.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000006.00000002.911962759.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000006.00000002.911962759.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000006.00000002.915278946.0000000006140000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000006.00000002.915278946.0000000006140000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000006.00000002.915278946.0000000006140000.00000004.00000001.sdmp, Author: Joe Security Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000006.00000002.915159896.0000000005EB0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000006.00000002.915159896.0000000005EB0000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000006.00000002.914314431.000000000463D000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000006.00000002.914314431.000000000463D000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	moderate

Chronological Activities

Analysis Process: schtasks.exe PID: 6700 Parent PID: 6120

General

Start time:	17:17:48
Start date:	23/02/2021
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp22E3.tmp'
Imagebase:	0x1330000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 5796 Parent PID: 6700

General

Start time:	17:17:48
Start date:	23/02/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff724c50000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: schtasks.exe PID: 2220 Parent PID: 6120

General

Start time:	17:17:49
Start date:	23/02/2021
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp2601.tmp'
Imagebase:	0x1330000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 2188 Parent PID: 2220

General

Start time:	17:17:49
Start date:	23/02/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff724c50000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: RegSvcs.exe PID: 4424 Parent PID: 968

General

Start time:	17:17:49
Start date:	23/02/2021
Path:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe 0
Imagebase:	0x7d0000
File size:	32768 bytes
MD5 hash:	71369277D09DA0830C8C59F9E22BB23A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	moderate

Chronological Activities

Analysis Process: conhost.exe PID: 7016 Parent PID: 4424

General

Start time:	17:17:50
Start date:	23/02/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff724c50000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: dhcpmon.exe PID: 6812 Parent PID: 968

General

Start time:	17:17:52
Start date:	23/02/2021
Path:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
Imagebase:	0x8c0000
File size:	32768 bytes
MD5 hash:	71369277D09DA0830C8C59F9E22BB23A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Antivirus matches:	Detection: 0%, Metadefender, Browse Detection: 0%, ReversingLabs
Reputation:	moderate

Chronological Activities

Analysis Process: conhost.exe PID: 6852 Parent PID: 6812

General

Start time:	17:17:52
Start date:	23/02/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff724c50000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: dhcpmon.exe PID: 6560 Parent PID: 3424

General

Start time:	17:17:59
Start date:	23/02/2021
Path:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
Imagebase:	0x5a0000
File size:	32768 bytes
MD5 hash:	71369277D09DA0830C8C59F9E22BB23A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	moderate

Chronological Activities

Analysis Process: conhost.exe PID: 6568 Parent PID: 6560

General

Start time:	17:17:59
Start date:	23/02/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff724c50000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: QTxFuxF5NQ.exe PID: 7084 Parent PID: 5888 QTxFuxF5NQ.exeCOMMON

Executed Functions

Function 0315D018, Relevance: 17.1, Strings: 13, Instructions: 888COMMON

Download Yara Rule

Strings

m, xrefs: 0315D9C1
&, xrefs: 0315DCBA
t, xrefs: 0315D4FB
\, xrefs: 0315D2E2
?, xrefs: 0315D670
U, xrefs: 0315D8A1
N, xrefs: 0315DE01
h, xrefs: 0315DA1C
F, xrefs: 0315DB4E
_, xrefs: 0315DD69
., xrefs: 0315D44E
-, xrefs: 0315D373
=, xrefs: 0315DA50

Memory Dump Source

Source File: 00000000.00000002.662415630.0000000003150000.00000040.00000001.sdmp, Offset: 03150000, based on PE: false

Similarity

API ID:
String ID: &$-$.$=$?$F$N$U$\$_$h$m$t
API String ID: 0-2137078230
Opcode ID: a59f6bac0ae5c9c413d271647673654345db2a8313c310a944fde38ab3987b64
Instruction ID: ca5d6420bb579de076dd44d432f2f820cdc86b57c239739006a233d632645dc0
Opcode Fuzzy Hash: a59f6bac0ae5c9c413d271647673654345db2a8313c310a944fde38ab3987b64
Instruction Fuzzy Hash: 5C82E3B1C05268CFEB28CFA2D9583EDFAB5BB49349F149099D519B7291C7780AC8CF14

Uniqueness

Uniqueness Score: -1.00%

Function 0315D008, Relevance: 15.5, Strings: 12, Instructions: 478COMMON

Download Yara Rule

Strings

K, xrefs: 0315D9E9
!, xrefs: 0315D991
,, xrefs: 0315DC65
X, xrefs: 0315DDC8
D, xrefs: 0315D64C
G, xrefs: 0315D405
[, xrefs: 0315D34F
o, xrefs: 0315D2AF
7, xrefs: 0315DD5B
F, xrefs: 0315DB4E
Y, xrefs: 0315D85A
=, xrefs: 0315DA50

Memory Dump Source

Source File: 00000000.00000002.662415630.0000000003150000.00000040.00000001.sdmp, Offset: 03150000, based on PE: false

Similarity

API ID:
String ID: !$,$7$=$D$F$G$K$X$Y$[$o
API String ID: 0-3673748993
Opcode ID: eef66df93a2176446b08bb55730279e062771b369f6d9f82b481c3a8c480468f
Instruction ID: 739fa6d7a58c142dcd776ee0f27ddf3eb3726c209d7f4ed9804c22bee0bdae4b
Opcode Fuzzy Hash: eef66df93a2176446b08bb55730279e062771b369f6d9f82b481c3a8c480468f
Instruction Fuzzy Hash: 5622E6B1C05268CFEB28CFA6D9583EDFAB5BB49349F1481D9D559B6291C7780AC8CF00

Uniqueness

Uniqueness Score: -1.00%

Function 03150B77, Relevance: 7.7, Strings: 1, Instructions: 6448COMMON

Download Yara Rule

Strings

<mQp, xrefs: 0315157B

Memory Dump Source

Source File: 00000000.00000002.662415630.0000000003150000.00000040.00000001.sdmp, Offset: 03150000, based on PE: false

Similarity

API ID:
String ID: <mQp
API String ID: 0-672390495
Opcode ID: d57e99cc80bf0a3847e6edbf3cbfb5bd49d0f7f0a46d761b33677263555cbfa9
Instruction ID: 1cedcd55ec25d5b5d7ea40f180941a7d6230175b4d193bbb3d1b7c1d1a88204d
Opcode Fuzzy Hash: d57e99cc80bf0a3847e6edbf3cbfb5bd49d0f7f0a46d761b33677263555cbfa9
Instruction Fuzzy Hash: 8BE3A474A41219CFDB64DB24C894EA9B7B2FF8A305F1541E9E809AB361CF356E85CF01

Uniqueness

Uniqueness Score: -1.00%

Function 03150B88, Relevance: 7.7, Strings: 1, Instructions: 6443COMMON

Download Yara Rule

Strings

<mQp, xrefs: 0315157B

Memory Dump Source

Source File: 00000000.00000002.662415630.0000000003150000.00000040.00000001.sdmp, Offset: 03150000, based on PE: false

Similarity

API ID:
String ID: <mQp
API String ID: 0-672390495
Opcode ID: ade4f2e4251f9fe7c656b52017e1b2d74f830a67e3348d8daf7a04df47c6162c
Instruction ID: 826812f4db8d5c5b6a7b92891966a2a2e985235509fe4b59cfc5024fd09a5872
Opcode Fuzzy Hash: ade4f2e4251f9fe7c656b52017e1b2d74f830a67e3348d8daf7a04df47c6162c
Instruction Fuzzy Hash: 32E3A474A41219CFDB64DB24C894EA9B7B2FF8A305F1541E9E809AB361CF356E85CF01

Uniqueness

Uniqueness Score: -1.00%

Function 08C763C0, Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.670205798.0000000008C70000.00000040.00000001.sdmp, Offset: 08C70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: edb2916a5baea004360ce3b6fed604e2b2bb5c2b5b92d5053c3d826f4ddcb0e1
Instruction ID: e63954c5cddea662daf2afe54488d150c98cc34323f78609c5993d303520edcd
Opcode Fuzzy Hash: edb2916a5baea004360ce3b6fed604e2b2bb5c2b5b92d5053c3d826f4ddcb0e1
Instruction Fuzzy Hash: 6F8122B4D04658CFCB44CFAAD884AADFBF2BF98316F648219E415AB358D7309942CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0315FD98, Relevance: .2, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.662415630.0000000003150000.00000040.00000001.sdmp, Offset: 03150000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86a2252e81184b8c8a4f2f60bea3243313c991f5a9fa93c7477e4c3cd0ac75a0
Instruction ID: 9610cbb80d6c9584b4f5320b74680f7544d2f20b05352bfa2f8284b370485201
Opcode Fuzzy Hash: 86a2252e81184b8c8a4f2f60bea3243313c991f5a9fa93c7477e4c3cd0ac75a0
Instruction Fuzzy Hash: 29611675D00109CFCB04DFAEC884AADFBF6BF89325B65C259E824A7395D73099428F60

Uniqueness

Uniqueness Score: -1.00%

Function 0315FB90, Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.662415630.0000000003150000.00000040.00000001.sdmp, Offset: 03150000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c48226a7e5bff0677537080b8f291f93c1bd880e31dd9060bd8a1d8f8e700210
Instruction ID: abba903363c615198488a76e35d35d10429fd35d09377fb93cb580122714a32e
Opcode Fuzzy Hash: c48226a7e5bff0677537080b8f291f93c1bd880e31dd9060bd8a1d8f8e700210
Instruction Fuzzy Hash: 4551E571D00219CBDF08CFAAC8409EDFBB6BF89315F64C529E924BB254DB7159028F50

Uniqueness

Uniqueness Score: -1.00%

Function 0315FB81, Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.662415630.0000000003150000.00000040.00000001.sdmp, Offset: 03150000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3dce2f1242d166bc3ae9bf86ad7e801cb9926e8896088265484b99f3df8bdf1d
Instruction ID: 94c3d2bc8a5811d2f46864e2433832be249482f5203b7f8cf55426393cd51e9b
Opcode Fuzzy Hash: 3dce2f1242d166bc3ae9bf86ad7e801cb9926e8896088265484b99f3df8bdf1d
Instruction Fuzzy Hash: 5351F771E00219CBDB08CFBAC8409DDFBF6AF89325F64C16AD914BB264DB7059428F51

Uniqueness

Uniqueness Score: -1.00%

Function 0315E0B8, Relevance: 10.5, Strings: 8, Instructions: 493COMMON

Download Yara Rule

Strings

m, xrefs: 0315E4BD
^, xrefs: 0315E7A6
>, xrefs: 0315E3FD
d, xrefs: 0315E6B1
), xrefs: 0315E318
&, xrefs: 0315E449
W, xrefs: 0315E5FB
[, xrefs: 0315E3A2

Memory Dump Source

Source File: 00000000.00000002.662415630.0000000003150000.00000040.00000001.sdmp, Offset: 03150000, based on PE: false

Similarity

API ID:
String ID: &$)$>$W$[$^$d$m
API String ID: 0-1240731744
Opcode ID: 9094739e781921f3402f1185e72646b827171315aa506e3242cf680844ffc000
Instruction ID: 7595f48dd3ae56326d3ac0cddb5a989867fdd2d60563ac59f34e02c3030460b1
Opcode Fuzzy Hash: 9094739e781921f3402f1185e72646b827171315aa506e3242cf680844ffc000
Instruction Fuzzy Hash: E722B2B5C06368CEEB28CFA2C5587EDFAB4BB49349F149099D41977291C3780B89CF64

Uniqueness

Uniqueness Score: -1.00%

Function 0315E0A8, Relevance: 7.8, Strings: 6, Instructions: 280COMMON

Download Yara Rule

Strings

m, xrefs: 0315E4BD
3, xrefs: 0315E68D
), xrefs: 0315E318
s, xrefs: 0315E384
Y, xrefs: 0315E5B1
u, xrefs: 0315E776

Memory Dump Source

Source File: 00000000.00000002.662415630.0000000003150000.00000040.00000001.sdmp, Offset: 03150000, based on PE: false

Similarity

API ID:
String ID: )$3$Y$m$s$u
API String ID: 0-1506992482
Opcode ID: 7b3935ac6547c505cf47eeee48c6edcbe58f227ebacc13551f0e8a4139a6b804
Instruction ID: 12c93d946d12e5dc1c3b1c79aac8bf17db8e5f49c3de6f10ea15abd23ac49b12
Opcode Fuzzy Hash: 7b3935ac6547c505cf47eeee48c6edcbe58f227ebacc13551f0e8a4139a6b804
Instruction Fuzzy Hash: B9D1C3B1C05368CFEB28CF91C9583EDFAB5BB49349F149199D4187A291C7B90A89CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0315A16F, Relevance: 1.9, Instructions: 1906COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.662415630.0000000003150000.00000040.00000001.sdmp, Offset: 03150000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e76f5afac74ca9c6531db7287fc82f7355a29b8fbe684fb6a7883050c7272909
Instruction ID: e8ade57f09a68b40fb4fdb906b284bd6c321195ab518be817b0fa31c03a5ae2c
Opcode Fuzzy Hash: e76f5afac74ca9c6531db7287fc82f7355a29b8fbe684fb6a7883050c7272909
Instruction Fuzzy Hash: C513B374A01218CFDB65DF24C998A99B7F6FF89305F1141E9E409AB360CB36AE85CF11

Uniqueness

Uniqueness Score: -1.00%

Function 0315A1B0, Relevance: 1.9, Instructions: 1897COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.662415630.0000000003150000.00000040.00000001.sdmp, Offset: 03150000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c50afc29a351600053e4142f1f1b75fc96957aac2ed5e4662a2f23aa31d83efb
Instruction ID: 4b0443d97f194888f94a8a4d63857e6570b4df2291a2b1f0f1c98df55727ff8b
Opcode Fuzzy Hash: c50afc29a351600053e4142f1f1b75fc96957aac2ed5e4662a2f23aa31d83efb
Instruction Fuzzy Hash: 4513B374A01218CFDB65DF24C998A99B7F6FF89305F1141E9E409AB360CB36AE85CF11

Uniqueness

Uniqueness Score: -1.00%

Function 0315A1C0, Relevance: 1.9, Instructions: 1892COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.662415630.0000000003150000.00000040.00000001.sdmp, Offset: 03150000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ece942983f82ba2da975957692fcb8b3bffd5cf67044c599434963bb16a12bb
Instruction ID: 0088bdd508fae488dc6891d3f8cfd29b6b9f626df647bc139c13ba5b5d0d10f3
Opcode Fuzzy Hash: 6ece942983f82ba2da975957692fcb8b3bffd5cf67044c599434963bb16a12bb
Instruction Fuzzy Hash: EA13A374A01218CFDB65DF24C998A99B7F6FF89305F1141E9E409AB360CB36AE85CF11

Uniqueness

Uniqueness Score: -1.00%

Function 031505B0, Relevance: 1.5, Strings: 1, Instructions: 201COMMON

Download Yara Rule

Strings

:@fq, xrefs: 031506DC

Memory Dump Source

Source File: 00000000.00000002.662415630.0000000003150000.00000040.00000001.sdmp, Offset: 03150000, based on PE: false

Similarity

API ID:
String ID: :@fq
API String ID: 0-3673016210
Opcode ID: 8a591c71f0bbf4c139f603e17cf5809d60329aca585fda980c229bbda7cf50e3
Instruction ID: 6dbd0e6c79cbeea157264fdc1c62d83eb28a74d6b46e199e249c3725cd5b6c81
Opcode Fuzzy Hash: 8a591c71f0bbf4c139f603e17cf5809d60329aca585fda980c229bbda7cf50e3
Instruction Fuzzy Hash: 4591C274E01218CFDB14CFA9C894BADBBF1BF49310F1481A9E919AB3A4DB719985CF50

Uniqueness

Uniqueness Score: -1.00%

Function 031505A0, Relevance: 1.4, Strings: 1, Instructions: 174COMMON

Download Yara Rule

Strings

:@fq, xrefs: 031506DC

Memory Dump Source

Source File: 00000000.00000002.662415630.0000000003150000.00000040.00000001.sdmp, Offset: 03150000, based on PE: false

Similarity

API ID:
String ID: :@fq
API String ID: 0-3673016210
Opcode ID: fea6c6abc5ee5f59e396279d8054b735585a1fa9153c4078b87917ffd40f0577
Instruction ID: 8a69f1f1188ca9f19b965207dd811c407d91dc4f32e4e95f21d55cb0b4c87a61
Opcode Fuzzy Hash: fea6c6abc5ee5f59e396279d8054b735585a1fa9153c4078b87917ffd40f0577
Instruction Fuzzy Hash: 8671D274D01218CFDB24CFA9C494BADBBF2BF49310F1481A9E919AB3A4DB719985CF50

Uniqueness

Uniqueness Score: -1.00%

Function 08C77938, Relevance: 1.4, Strings: 1, Instructions: 163COMMON

Download Yara Rule

Strings

:@fq, xrefs: 08C77A16

Memory Dump Source

Source File: 00000000.00000002.670205798.0000000008C70000.00000040.00000001.sdmp, Offset: 08C70000, based on PE: false

Similarity

API ID:
String ID: :@fq
API String ID: 0-3673016210
Opcode ID: 741acff2a44e8ca6f24c1059fd7d4c9f66c7151b69e437cb6b896ac4d5181802
Instruction ID: 25a6aa690f885cba7b56be58d553e218bf81eb08cc23c12abad5ed8acf2087dc
Opcode Fuzzy Hash: 741acff2a44e8ca6f24c1059fd7d4c9f66c7151b69e437cb6b896ac4d5181802
Instruction Fuzzy Hash: C261CD74E01208DFDB04DFA5D894AAEBBB2FF89305F20812AD915B73A4DB345A41CF55

Uniqueness

Uniqueness Score: -1.00%

Function 08C7792A, Relevance: 1.4, Strings: 1, Instructions: 162COMMON

Download Yara Rule

Strings

:@fq, xrefs: 08C77A16

Memory Dump Source

Source File: 00000000.00000002.670205798.0000000008C70000.00000040.00000001.sdmp, Offset: 08C70000, based on PE: false

Similarity

API ID:
String ID: :@fq
API String ID: 0-3673016210
Opcode ID: 5865bf1e152b8a5f1f1421b8fcdb971d51a3a0a8d74d3dca424b290a8bbfbfa6
Instruction ID: b0cbd22105f60ea97f3cccad0c05738d7e3b4f6b9c1de832bbf0daf670e72e95
Opcode Fuzzy Hash: 5865bf1e152b8a5f1f1421b8fcdb971d51a3a0a8d74d3dca424b290a8bbfbfa6
Instruction Fuzzy Hash: 6661BE74E01218DFDB04DFA9D894AADBBB2FF89301F20812AD915AB3A4DB345941CF55

Uniqueness

Uniqueness Score: -1.00%

Function 08C787CC, Relevance: 1.4, Strings: 1, Instructions: 137COMMON

Download Yara Rule

Strings

(, xrefs: 08C78407

Memory Dump Source

Source File: 00000000.00000002.670205798.0000000008C70000.00000040.00000001.sdmp, Offset: 08C70000, based on PE: false

Similarity

API ID:
String ID: (
API String ID: 0-3887548279
Opcode ID: 49b736d86e161011f671c7dd4a5ab8b075cc39691f323aa914ba9978935e8f90
Instruction ID: 862c3fa815ac93333834c26d3cd4b9f50d9c15e0c6e1a4d11ad24768cf9e52ea
Opcode Fuzzy Hash: 49b736d86e161011f671c7dd4a5ab8b075cc39691f323aa914ba9978935e8f90
Instruction Fuzzy Hash: A6619B74901229CFDB64DF68C888BEDBBB2FB49306F1081EAD509A7251DB349E85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 08C78333, Relevance: 1.4, Strings: 1, Instructions: 136COMMON

Download Yara Rule

Strings

(, xrefs: 08C78407

Memory Dump Source

Source File: 00000000.00000002.670205798.0000000008C70000.00000040.00000001.sdmp, Offset: 08C70000, based on PE: false

Similarity

API ID:
String ID: (
API String ID: 0-3887548279
Opcode ID: 618f7f7f80a836181b3a20b6a93b9febb3daf8144b6cfb12c9f3a554793bab0d
Instruction ID: 1cc3caa34760fcafc3f9d951d2ec5a4ffb03fbac0f44743d2b52275056737a3c
Opcode Fuzzy Hash: 618f7f7f80a836181b3a20b6a93b9febb3daf8144b6cfb12c9f3a554793bab0d
Instruction Fuzzy Hash: EA51BD34900268CFCB64DF65C988BECBBB1FB89316F1081EAD509A7291DB359A85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 08C78892, Relevance: 1.3, Strings: 1, Instructions: 42COMMON

Download Yara Rule

Strings

>_kq, xrefs: 08C78906

Memory Dump Source

Source File: 00000000.00000002.670205798.0000000008C70000.00000040.00000001.sdmp, Offset: 08C70000, based on PE: false

Similarity

API ID:
String ID: >_kq
API String ID: 0-4149988037
Opcode ID: f7dc7095063723b9b7a86a01eaf57f3a9edfc940cc37ef65959888117d24a092
Instruction ID: 3e5e38aeca8452999560ebc38357956debd5c4441a48883916ae243b8b9dad80
Opcode Fuzzy Hash: f7dc7095063723b9b7a86a01eaf57f3a9edfc940cc37ef65959888117d24a092
Instruction Fuzzy Hash: 2611AF74E01229CFDB64DF68C959BDCB7B1BB8A305F1040E9864DAB245D7349E81CF42

Uniqueness

Uniqueness Score: -1.00%

Function 08C77498, Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.670205798.0000000008C70000.00000040.00000001.sdmp, Offset: 08C70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df3355568ae5587cfa82e9dfdddd0cc77bd0771b22a53f6f0ac68e4a735d1d5f
Instruction ID: 1403904bda7c6745d52f78c046bbbb6291a3de8778197e96241f713653e68003
Opcode Fuzzy Hash: df3355568ae5587cfa82e9dfdddd0cc77bd0771b22a53f6f0ac68e4a735d1d5f
Instruction Fuzzy Hash: A4A14674E41308DBEB14DFA5D894BADBBB2BF89701F208029E6057B390DB71A842CF54

Uniqueness

Uniqueness Score: -1.00%

Function 08C70049, Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.670205798.0000000008C70000.00000040.00000001.sdmp, Offset: 08C70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87c48ff3874c48c8a4391be2d4a7d139b234a9e721790a12f4b9c3c32bc230b2
Instruction ID: fd4bebb0679e35090418ec19a85f415e12f0298566b8df095441528c7e0ed868
Opcode Fuzzy Hash: 87c48ff3874c48c8a4391be2d4a7d139b234a9e721790a12f4b9c3c32bc230b2
Instruction Fuzzy Hash: B3912670900389CFCB10DFA8E948B9CBBF1FB4931AF1485AAD40AAB355DB749985CF54

Uniqueness

Uniqueness Score: -1.00%

Function 08C70070, Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.670205798.0000000008C70000.00000040.00000001.sdmp, Offset: 08C70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 904a0386b2968137577c3e36f9e88d408257b2fcf6096ec4d3ad4379312421cd
Instruction ID: cab32ba0e22dd7f612d85dab32ec1d5cba2e20b9260f283fafef4973b46913de
Opcode Fuzzy Hash: 904a0386b2968137577c3e36f9e88d408257b2fcf6096ec4d3ad4379312421cd
Instruction Fuzzy Hash: 9A912370900389CFCB10DFA8E948B9CBBF1FB4931AF10856AD40AAB355EB749985CF54

Uniqueness

Uniqueness Score: -1.00%

Function 08C76AF8, Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.670205798.0000000008C70000.00000040.00000001.sdmp, Offset: 08C70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f25cd54efbdcca3ea3588b22a08606ff400c6e1ca6615a4d1f2be1086f43465b
Instruction ID: 9e21bf605d9e639e05dc1d1dc6feb8f279ccf66535e07fe715bd16434fe4e7f5
Opcode Fuzzy Hash: f25cd54efbdcca3ea3588b22a08606ff400c6e1ca6615a4d1f2be1086f43465b
Instruction Fuzzy Hash: 5B91D074D01629CFDB24CFA5D948BADBBB1FB09306F1085A9D409B7381DB785A89CF50

Uniqueness

Uniqueness Score: -1.00%

Function 08C79280, Relevance: .2, Instructions: 187COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.670205798.0000000008C70000.00000040.00000001.sdmp, Offset: 08C70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7974e3ea8b795b8c9a52bf94f532eaa5a358e41eda56f1072a3da05988bb5df5
Instruction ID: af6dd6b09805c406dcf47943bde5d4980068916b5b6a38175771e918dbc152eb
Opcode Fuzzy Hash: 7974e3ea8b795b8c9a52bf94f532eaa5a358e41eda56f1072a3da05988bb5df5
Instruction Fuzzy Hash: 6171EFB0D15218CBDB14DFAAD488BADBBF5BB49306F20952AD019B7285D778848ACF00

Uniqueness

Uniqueness Score: -1.00%

Function 08C70138, Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.670205798.0000000008C70000.00000040.00000001.sdmp, Offset: 08C70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2121e0aac7354df4c85466b533d8b043b5caec0f7a89e056a1a92f8463675e8
Instruction ID: 9c5799526e6aa43bdce1dba5a29fac50a04bd2a39b817cc6301cff6210ca17ad
Opcode Fuzzy Hash: c2121e0aac7354df4c85466b533d8b043b5caec0f7a89e056a1a92f8463675e8
Instruction Fuzzy Hash: 28710570900349CFDB14DFA8E448B9CBBB1FB4931AF10856AE409AB355EB749D85CF54

Uniqueness

Uniqueness Score: -1.00%

Function 08C763B1, Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.670205798.0000000008C70000.00000040.00000001.sdmp, Offset: 08C70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c520fd0a4982e0705bbb5dc9960fa1c6be95c1729115f7df214e710c5ca4a878
Instruction ID: 6452aec256b1fa0e1bedc58722e4731a50c56f317741b93674d490146b83733a
Opcode Fuzzy Hash: c520fd0a4982e0705bbb5dc9960fa1c6be95c1729115f7df214e710c5ca4a878
Instruction Fuzzy Hash: B4511470D04658CFCB04CFAAD844AADBBF2BF99316F14812AE415AB3A8D7349942CF11

Uniqueness

Uniqueness Score: -1.00%

Function 08C76E14, Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.670205798.0000000008C70000.00000040.00000001.sdmp, Offset: 08C70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39ea7c61d87abdc5f609b215d6d9320602e447d1c5730d02c004913d00310b0e
Instruction ID: 289b3ec71761863fa960aa472ee3429e554e326c07e5cf9f6c588fe953212c46
Opcode Fuzzy Hash: 39ea7c61d87abdc5f609b215d6d9320602e447d1c5730d02c004913d00310b0e
Instruction Fuzzy Hash: 8851CF74D01629CFDB24DFB5D988BADBBB1FB0A306F1085A9D449A3391DB349A85CF10

Uniqueness

Uniqueness Score: -1.00%

Function 08C76AE8, Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.670205798.0000000008C70000.00000040.00000001.sdmp, Offset: 08C70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b0df2f793ddfd751e7c505dcdf02a4a584b64ea91b7245f49211b12b9f18d92
Instruction ID: fa6c8f8520b7af0f0794dba39d954962a89c9a4e43f8db38d540ce69753a2ad7
Opcode Fuzzy Hash: 4b0df2f793ddfd751e7c505dcdf02a4a584b64ea91b7245f49211b12b9f18d92
Instruction Fuzzy Hash: FE51E1B0D01729CFDB24CFA5C958BEDBBB1BB09305F1085A9D409A7391DB784A89CF50

Uniqueness

Uniqueness Score: -1.00%

Function 08C70404, Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.670205798.0000000008C70000.00000040.00000001.sdmp, Offset: 08C70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80665dc99d9d6c5c3824c54ad0b0c18befe02d39b454cdd540194137c0556eff
Instruction ID: 5d680ad15333c9ff8529d406e84ce5e2452684c30b7f6a3f243d9def0441c821
Opcode Fuzzy Hash: 80665dc99d9d6c5c3824c54ad0b0c18befe02d39b454cdd540194137c0556eff
Instruction Fuzzy Hash: 2D615870900389CFDB10DFA8E948B9CBBB1FB4530AF1085AAD40AAB355EB749D85CF44

Uniqueness

Uniqueness Score: -1.00%

Function 08C76C53, Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.670205798.0000000008C70000.00000040.00000001.sdmp, Offset: 08C70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fe4516c874d3f97d26c7884c6a218f1a1f2b6e14b025ff7b2b9481db4d2132b
Instruction ID: 4ebe8959be1439c0bb522d3fe430b3b5b9d9652ecef9b391ab59f928e2bb59f9
Opcode Fuzzy Hash: 4fe4516c874d3f97d26c7884c6a218f1a1f2b6e14b025ff7b2b9481db4d2132b
Instruction Fuzzy Hash: FC510074C05629CFDB24CFA5D948BEDBAB0FB19306F1055AAD409A3391DB785A89CF10

Uniqueness

Uniqueness Score: -1.00%

Function 08C767B8, Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.670205798.0000000008C70000.00000040.00000001.sdmp, Offset: 08C70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 482b8b01e78e51121bf8864e3053b971173589ae837c9ba8c9e5bb99ba63bcb4
Instruction ID: d37f696e242828be7d42b4ff68ceba00003611434f1a5694cfc3b428f0e8dce3
Opcode Fuzzy Hash: 482b8b01e78e51121bf8864e3053b971173589ae837c9ba8c9e5bb99ba63bcb4
Instruction Fuzzy Hash: 25513470D05A09DFDB00DFAAC484AEDBBF2AF59326F24D559D424B7391E7309A418B60

Uniqueness

Uniqueness Score: -1.00%

Function 08C76EF2, Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.670205798.0000000008C70000.00000040.00000001.sdmp, Offset: 08C70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b67ad92dc89a0a65dbb3909f8dbeda172e0d5d9342f34a04837c02c2c3e056f7
Instruction ID: 5bf6c55eaaf44d8f952606264a7db556942ca390adf0cb4e8bc672c452332c1f
Opcode Fuzzy Hash: b67ad92dc89a0a65dbb3909f8dbeda172e0d5d9342f34a04837c02c2c3e056f7
Instruction Fuzzy Hash: 3551C274D05629CFDB24CFB5C548BEDBAB0FB19306F2085AAD409A3391D7749A85CF10

Uniqueness

Uniqueness Score: -1.00%

Function 08C79270, Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.670205798.0000000008C70000.00000040.00000001.sdmp, Offset: 08C70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3988f9561e51574b65a53a69e8cbb7680cb6f77077dd1e749b176fef2e3bbf3
Instruction ID: 0bb34c4ae6b749e50ef4a6a921973775649d845bacb261062bbb18cebf58ea07
Opcode Fuzzy Hash: b3988f9561e51574b65a53a69e8cbb7680cb6f77077dd1e749b176fef2e3bbf3
Instruction Fuzzy Hash: CE51FEB0D15218CBDB14DFBAD888BADBFF1BB49302F10952AD005B7294D778858ACF00

Uniqueness

Uniqueness Score: -1.00%

Function 08C70293, Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.670205798.0000000008C70000.00000040.00000001.sdmp, Offset: 08C70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b29ff7b9192855a834b79053e266b801b1bc11009820ea594479157f7d69afa3
Instruction ID: 41b2cffaa973e2f712ec5d5e0aa0fa0fe6b6832eaab487473fff3ade95a0cdd3
Opcode Fuzzy Hash: b29ff7b9192855a834b79053e266b801b1bc11009820ea594479157f7d69afa3
Instruction Fuzzy Hash: DD51E470D00349CFDB10DFA8E548B9CBBB1FB4931AF10856AE40AA7345EB749985CF50

Uniqueness

Uniqueness Score: -1.00%

Function 08C7010C, Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.670205798.0000000008C70000.00000040.00000001.sdmp, Offset: 08C70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6d2394cb823afbdc77dff93b3f044d29a8895b47f64dbc41ef76738e81bcd3b
Instruction ID: 61834c6cd5caa76f3f121960f9186c4cb81fe55ae368f9d0226f32b24ebad7e1
Opcode Fuzzy Hash: f6d2394cb823afbdc77dff93b3f044d29a8895b47f64dbc41ef76738e81bcd3b
Instruction Fuzzy Hash: EE51D470900389CFDB10DFA8E948B9CBBB1FB4531AF1085AAD40AA7359EB749D85CF54

Uniqueness

Uniqueness Score: -1.00%

Function 03150270, Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.662415630.0000000003150000.00000040.00000001.sdmp, Offset: 03150000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c65d5964c740263bfbeca3e229f64acd57ae21cbeae87050c526435ae1f2be17
Instruction ID: 319a3a64e75adac88d2e58bd91cff37eba0ad2daf05b261cb9f29ace9d313534
Opcode Fuzzy Hash: c65d5964c740263bfbeca3e229f64acd57ae21cbeae87050c526435ae1f2be17
Instruction Fuzzy Hash: 4151AE78A00208DFDB14CFA8C884AADBBF1FF4D310F14449AE912AB365D735A980DF60

Uniqueness

Uniqueness Score: -1.00%

Function 031591C1, Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.662415630.0000000003150000.00000040.00000001.sdmp, Offset: 03150000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1359e4709d88a4f2fff7b1c6c09a77e5a377eea64f639dd39542fea509e45692
Instruction ID: aebd4cb2e402e52eddcfd6d87042c068d655f221065e01070d5b911d07b4fd44
Opcode Fuzzy Hash: 1359e4709d88a4f2fff7b1c6c09a77e5a377eea64f639dd39542fea509e45692
Instruction Fuzzy Hash: BA419134945308DFCB64DFA8D5456ACBF75FF4A310F2082EAD8046B269CB709E55CB52

Uniqueness

Uniqueness Score: -1.00%

Function 08C76FC9, Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.670205798.0000000008C70000.00000040.00000001.sdmp, Offset: 08C70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d6301277bd85946f000c9b5f3a4ab39d9606abed37296dda6c86f0d8853f771
Instruction ID: e7f87bf3e6edad5d7137268d5fd2268942f77a33bc1953947fd65e23f09ad545
Opcode Fuzzy Hash: 7d6301277bd85946f000c9b5f3a4ab39d9606abed37296dda6c86f0d8853f771
Instruction Fuzzy Hash: 1251F074D0572ACFDB24CF75C948BADBBB0BB1A306F2045AAD449A3391DB349A85CF10

Uniqueness

Uniqueness Score: -1.00%

Function 0315FD88, Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.662415630.0000000003150000.00000040.00000001.sdmp, Offset: 03150000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c88b2e2457126f396e1310bf2af7c9c76cf347943022abcc041e661cf78dc633
Instruction ID: 5ee2134de8ebeb3e162440dc1424a2c1562dea0019de719763e95a5e2eec441d
Opcode Fuzzy Hash: c88b2e2457126f396e1310bf2af7c9c76cf347943022abcc041e661cf78dc633
Instruction Fuzzy Hash: 62411B71D01109DFCB04CFAED844A9DFBF6BF89325B55C65AE824AB3A5DB3099028F50

Uniqueness

Uniqueness Score: -1.00%

Function 03150280, Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.662415630.0000000003150000.00000040.00000001.sdmp, Offset: 03150000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2d758396a694710dbb88f158d6d6918000ad73859cd01cff4c1a2d772814869
Instruction ID: 45498943c4cfbdbb22d8bf546058589aacd2383d453f013520c5de8027f816cc
Opcode Fuzzy Hash: b2d758396a694710dbb88f158d6d6918000ad73859cd01cff4c1a2d772814869
Instruction Fuzzy Hash: 90418D78A00208DFDB14DFA8C984AADBBF1BF4D310F144499E911AB364D735A990DF60

Uniqueness

Uniqueness Score: -1.00%

Function 08C76BC6, Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.670205798.0000000008C70000.00000040.00000001.sdmp, Offset: 08C70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e293c4cf6b1a4827d22ce600fadf9b1f4b643880b4f80f309cd8fabc907d8c22
Instruction ID: 03840b4e369963d05d418ff063fd197f87fcf2b4d2230ff374b344ac729fc87a
Opcode Fuzzy Hash: e293c4cf6b1a4827d22ce600fadf9b1f4b643880b4f80f309cd8fabc907d8c22
Instruction Fuzzy Hash: 1951DD74D01629CFDB64CFA5C948BADBBB1BB0A306F2085AAD409A3381DB345A85CF11

Uniqueness

Uniqueness Score: -1.00%

Function 0315F858, Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.662415630.0000000003150000.00000040.00000001.sdmp, Offset: 03150000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27a8b90c46f1802fa68330f1d3629530ea5ef5ae2701b4831c350c766ede927f
Instruction ID: 25ebd58e62bc0301be21e409b3b2724d8c66c89c88aedf40ff318c82a011cd7d
Opcode Fuzzy Hash: 27a8b90c46f1802fa68330f1d3629530ea5ef5ae2701b4831c350c766ede927f
Instruction Fuzzy Hash: B451B1B4E01209DFCB48DFA9D5849ADBBF2FF89314F24816AE809AB364DB345945CF50

Uniqueness

Uniqueness Score: -1.00%

Function 08C76C1D, Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.670205798.0000000008C70000.00000040.00000001.sdmp, Offset: 08C70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df801e631e492fb0e26451066f38467d5adb9327d4b0c5d7e142b5f0e8fddfe4
Instruction ID: f241ed7b6872a6984f867b07ad51a72538d0c91f0412e2afe56e2a9d33e04ac9
Opcode Fuzzy Hash: df801e631e492fb0e26451066f38467d5adb9327d4b0c5d7e142b5f0e8fddfe4
Instruction Fuzzy Hash: 0B51DE74D01729CFDB64CF75C848BADBAB1FB09306F1085AAD409A3381DB345A85CF10

Uniqueness

Uniqueness Score: -1.00%

Function 08C76ECD, Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.670205798.0000000008C70000.00000040.00000001.sdmp, Offset: 08C70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fbbdb28011379451dc8a63108bf9c922791db98fbc06f946ea75fdf79c6dafc
Instruction ID: aba15c8299a6519574957bf9493918410345ede6f974a80e8c52f3a17023bbbc
Opcode Fuzzy Hash: 3fbbdb28011379451dc8a63108bf9c922791db98fbc06f946ea75fdf79c6dafc
Instruction Fuzzy Hash: 7B41E274D0572ACFDB24CFB5D548BADBAB1FB19306F2045AAD409A3381DB349A85CF10

Uniqueness

Uniqueness Score: -1.00%

Function 08C76B9F, Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.670205798.0000000008C70000.00000040.00000001.sdmp, Offset: 08C70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78a3ead3b63edcd8f024d70c64919a668ac9d0085141886fa2a9da8fd4100081
Instruction ID: 9a8c00e75a68e128d0e2dfce39c7d4b0a69308007b6fefd8a34aa09aa10020e6
Opcode Fuzzy Hash: 78a3ead3b63edcd8f024d70c64919a668ac9d0085141886fa2a9da8fd4100081
Instruction Fuzzy Hash: E7410274D0572ACFDB24CF75C948BADBBB0BB1A306F2045AAD449A3381DB345A86CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0315F868, Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.662415630.0000000003150000.00000040.00000001.sdmp, Offset: 03150000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af862974371e6b8e654ca86ab256eea77e375d45be0303dd27c01ecbf2174e1e
Instruction ID: b74f576949e9aef6c373b2edc892ff50eb2b6b2c2091c7c400f5b5880117204a
Opcode Fuzzy Hash: af862974371e6b8e654ca86ab256eea77e375d45be0303dd27c01ecbf2174e1e
Instruction Fuzzy Hash: D64190B4E01209DFCB48DFA9D58499DBBF2FF88304F148169E809AB364DB349945CF55

Uniqueness

Uniqueness Score: -1.00%

Function 08C767A8, Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.670205798.0000000008C70000.00000040.00000001.sdmp, Offset: 08C70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f02df7edf5f284bfd7caf8e5125bbd69e11c89dc4a8cf76ed5bb31b96ac4c257
Instruction ID: 6ea3b34e46f9dd5d40af4869ecc4f4e11f841ecfbdca57125bfa9679b6d6f71f
Opcode Fuzzy Hash: f02df7edf5f284bfd7caf8e5125bbd69e11c89dc4a8cf76ed5bb31b96ac4c257
Instruction Fuzzy Hash: 0B415270C05A08CFDB00DFBAC884FEDBBB2AF69326F549559D424B7391E7308A458B61

Uniqueness

Uniqueness Score: -1.00%

Function 08C76C10, Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.670205798.0000000008C70000.00000040.00000001.sdmp, Offset: 08C70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8efce95ddd9e6d3e55b8f72f5ba762019940badb26c3a8734904c6cdaae87e4
Instruction ID: 53fe2ca3a2ad83c95e80d8db2609eece73321c57cccf6fb536d6d69375108df8
Opcode Fuzzy Hash: a8efce95ddd9e6d3e55b8f72f5ba762019940badb26c3a8734904c6cdaae87e4
Instruction Fuzzy Hash: 8F41CF74D0162ACFDB64CFB5C948BADBAB1FB19306F2085AAD409A3381DB745A85CF10

Uniqueness

Uniqueness Score: -1.00%

Function 08C77289, Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.670205798.0000000008C70000.00000040.00000001.sdmp, Offset: 08C70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7418af69c0b169150c34dfe15919fb18b22279d197f6c129d20f7abfb8624f5
Instruction ID: a828fa10d66a23bc8586948a4a180bd7a426b33047236f04dd400964c632af61
Opcode Fuzzy Hash: a7418af69c0b169150c34dfe15919fb18b22279d197f6c129d20f7abfb8624f5
Instruction Fuzzy Hash: 67312B71E01218DFCB04DFA6E884AEDBBB6FB89311F209429E506B7394DB309945CB54

Uniqueness

Uniqueness Score: -1.00%

Function 08C77298, Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.670205798.0000000008C70000.00000040.00000001.sdmp, Offset: 08C70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc7312c503c5c065efbff3c1b6a34d922e38b57888370f3530f10aebe57f12d4
Instruction ID: e4ecabe5167210e9f6dda4b98d4d7a55bcb36093796509e78243ac02f283ad4c
Opcode Fuzzy Hash: cc7312c503c5c065efbff3c1b6a34d922e38b57888370f3530f10aebe57f12d4
Instruction Fuzzy Hash: D7314870E0521CDBDB04DFA6E984AEEBBB6FB89312F20E429E905B7344DB305845CB55

Uniqueness

Uniqueness Score: -1.00%

Function 03150AA9, Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.662415630.0000000003150000.00000040.00000001.sdmp, Offset: 03150000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 457f9438d357fe5ddef9d83831b40dac68ba0197331e2af8b5fe0b1214137aec
Instruction ID: d7704436e611629146df172565165f3f55daa9c53c0f97060f2d0d3be41aa088
Opcode Fuzzy Hash: 457f9438d357fe5ddef9d83831b40dac68ba0197331e2af8b5fe0b1214137aec
Instruction Fuzzy Hash: D9210731902904BFEB44DBFCD854A9DFBB2AF89314F2500BAD201E72A1C7346E95CB12

Uniqueness

Uniqueness Score: -1.00%

Function 08C78277, Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.670205798.0000000008C70000.00000040.00000001.sdmp, Offset: 08C70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 579369840174b8be872021db040846495519ace4681083a125128fb4eed2395c
Instruction ID: aed794c5519f613c97505d2ccb8bc32b4b7e5d9633434ae74f9e303545b70600
Opcode Fuzzy Hash: 579369840174b8be872021db040846495519ace4681083a125128fb4eed2395c
Instruction Fuzzy Hash: 4231E274E002189FDB64CF68CD45BDCBBF1FB89304F1084A9E618A7291D775AA82CF45

Uniqueness

Uniqueness Score: -1.00%

Function 03150AB8, Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.662415630.0000000003150000.00000040.00000001.sdmp, Offset: 03150000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 875bdd70e90c9cebe157b3230899448cf61721ce50799ffc8866e7fea797d993
Instruction ID: 94c27ea370c63bc63cb7e7e85a7514b32185095f32a037a7ab8d6e820a6be369
Opcode Fuzzy Hash: 875bdd70e90c9cebe157b3230899448cf61721ce50799ffc8866e7fea797d993
Instruction Fuzzy Hash: 35110D31902808BFEB44DBFCD844A9DF772AF8D314F2500B9D205A3660C7346E54CB52

Uniqueness

Uniqueness Score: -1.00%

Function 0315DEA0, Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.662415630.0000000003150000.00000040.00000001.sdmp, Offset: 03150000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1227d059411d8b4c52c27a00720dfa8f2a7e68ccc2914d8377ba309030519dd2
Instruction ID: 05f44da15bb344353b61aeb2533cf26a71a571019725eccdb5168c5579c0e059
Opcode Fuzzy Hash: 1227d059411d8b4c52c27a00720dfa8f2a7e68ccc2914d8377ba309030519dd2
Instruction Fuzzy Hash: 3021C474D00219DFCB08DFA9D5849AEFBF2BF48310F2585AAD814B7314D7749A82CB90

Uniqueness

Uniqueness Score: -1.00%

Function 03170724, Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.662449255.0000000003170000.00000040.00000040.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff63f8e9f1853244004c64dd4065f806d67f8a56ac7224f6ae161a8c1e695d07
Instruction ID: 75011147e2ec63ace5c27637175ebb34b18e21b25fa030995f3a096d44a7ebf4
Opcode Fuzzy Hash: ff63f8e9f1853244004c64dd4065f806d67f8a56ac7224f6ae161a8c1e695d07
Instruction Fuzzy Hash: A721393510D3C19FC717CB60C890B95BFB1AF4A204F2D86EED4849B6A3C72A9946CB52

Uniqueness

Uniqueness Score: -1.00%

Function 03150018, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.662415630.0000000003150000.00000040.00000001.sdmp, Offset: 03150000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74332857154d1b92ac643b977992e816755b98a2e83cc263a9bb737e62f208ea
Instruction ID: 6b09ea9c2cee7bcfcf2c4e06e0ace75c3cafb43bad142f9a5b7260670cde7fbf
Opcode Fuzzy Hash: 74332857154d1b92ac643b977992e816755b98a2e83cc263a9bb737e62f208ea
Instruction Fuzzy Hash: FF11C13185E3C58FC756CBB4C8657AABFB0AF0B310F1944AFC440E7292D6B81848CB92

Uniqueness

Uniqueness Score: -1.00%

Function 08C702C4, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.670205798.0000000008C70000.00000040.00000001.sdmp, Offset: 08C70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c4cf04c659b0cee2b286c53521134c718095c556ce71d30bbc0a5e13dc9b1a8
Instruction ID: 905c02e2343b051fc3cc8d1ee0e05906e23a74e6fa5dd0f384cf309f3496ce8d
Opcode Fuzzy Hash: 8c4cf04c659b0cee2b286c53521134c718095c556ce71d30bbc0a5e13dc9b1a8
Instruction Fuzzy Hash: 6431B274900309CFDB64DF68D898BACBBB1FB88305F1081A9E40AA7756EB749D81CF54

Uniqueness

Uniqueness Score: -1.00%

Function 031500F8, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.662415630.0000000003150000.00000040.00000001.sdmp, Offset: 03150000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b355d9326c676ceee1271affe1b25d3142d67af5d4421d85d74c836341545b7c
Instruction ID: e6a463eb848fd35804a32b2ea2b22e0a3d62478ac7162d3d60c06054af863663
Opcode Fuzzy Hash: b355d9326c676ceee1271affe1b25d3142d67af5d4421d85d74c836341545b7c
Instruction Fuzzy Hash: 58215E3090020ACFCB54EFA8E55899DBBB2FF81304B11826FD901A7368DFB59E44CB52

Uniqueness

Uniqueness Score: -1.00%

Function 08C76A30, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.670205798.0000000008C70000.00000040.00000001.sdmp, Offset: 08C70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8088aa1e55857c121e4f82b0dd081f823c1e18f449ab9ed8172ce89821c9ffac
Instruction ID: 212850bbd42056623ce13ce41d55451b25a6b4d67ae01861d52bdef2817ffc79
Opcode Fuzzy Hash: 8088aa1e55857c121e4f82b0dd081f823c1e18f449ab9ed8172ce89821c9ffac
Instruction Fuzzy Hash: 6121C274E0560ACFCB04DF99C495AAEBBB1FF58310F10C1AAD905AB364DB30AA41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0317075C, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.662449255.0000000003170000.00000040.00000040.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90e1270563a14174e281bdef72526804e1657120acece2d5d619abc686e66079
Instruction ID: 3aef8cc9336e2df1ce897decab37f7c1c4ac77f44df5ec47dcc3c5168015b5c3
Opcode Fuzzy Hash: 90e1270563a14174e281bdef72526804e1657120acece2d5d619abc686e66079
Instruction Fuzzy Hash: 0D11B435204344DFD315CB14C980B66BBA5EB4C708F2CC5ACE9890B652C77BD843CE51

Uniqueness

Uniqueness Score: -1.00%

Function 0315DE90, Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.662415630.0000000003150000.00000040.00000001.sdmp, Offset: 03150000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aeda077b4b931685ba650587cc082fed138955e0d9b4df8973b18c9cc19c1183
Instruction ID: 0ce77b514e253caccf6bfe3ce3fca48450a1e4e609172538742b885fe6a099f5
Opcode Fuzzy Hash: aeda077b4b931685ba650587cc082fed138955e0d9b4df8973b18c9cc19c1183
Instruction Fuzzy Hash: F711B670D45209CFCB18CFA9D4815EEBBF1AF49311F2495AAD404B7255D7389A86CB90

Uniqueness

Uniqueness Score: -1.00%

Function 03150108, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.662415630.0000000003150000.00000040.00000001.sdmp, Offset: 03150000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d83e22f3afb886298dee9dfe88c910466a8b48d22f93d2642b568e65af34770
Instruction ID: e0b513c345dd05b6b621d6b447d1619b3975583d8db8d0a0ecec91ddf389f857
Opcode Fuzzy Hash: 7d83e22f3afb886298dee9dfe88c910466a8b48d22f93d2642b568e65af34770
Instruction Fuzzy Hash: 45112E7090010ADFCB14EFA8E54C99DBBB2FB85305B11425EDA15A7368EFB19E04CB52

Uniqueness

Uniqueness Score: -1.00%

Function 08C762D8, Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.670205798.0000000008C70000.00000040.00000001.sdmp, Offset: 08C70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e23c3de0f53e9870bf1d4d5dab0db7563101ad8f04b813044146d565834ba635
Instruction ID: f40f3c7ba154174adf1e25190d1fd9b9d3d7528c7a9665640a2dd88e71424d7c
Opcode Fuzzy Hash: e23c3de0f53e9870bf1d4d5dab0db7563101ad8f04b813044146d565834ba635
Instruction Fuzzy Hash: 931139B4D04209DFCB05DFAAC4449AEBFB6FF99301F2481AAD814A7355DA304A41DF91

Uniqueness

Uniqueness Score: -1.00%

Function 08C78BCD, Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.670205798.0000000008C70000.00000040.00000001.sdmp, Offset: 08C70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef01c28bc3bce74af6e32a585ad9643521e91ef35f745da584637024ec5ea9ee
Instruction ID: 5c9149e2e4fa480c74ed165042f1582ba09741464bbec5c5e74afa6ef8778c7e
Opcode Fuzzy Hash: ef01c28bc3bce74af6e32a585ad9643521e91ef35f745da584637024ec5ea9ee
Instruction Fuzzy Hash: 2921CF70D41228CFDB64DF69C884BDCB7B5BB49305F4080EAD609A7280D7359E86CF52

Uniqueness

Uniqueness Score: -1.00%

Function 08C7860B, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.670205798.0000000008C70000.00000040.00000001.sdmp, Offset: 08C70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 853071c99f585db8473b964ea052442cf54484d6dfa9562d88af75f1e2b1f8ba
Instruction ID: aa8c63a92bfaf438a77e44a8ee726489827430c32b739025a43a7e28746f278b
Opcode Fuzzy Hash: 853071c99f585db8473b964ea052442cf54484d6dfa9562d88af75f1e2b1f8ba
Instruction Fuzzy Hash: 2311DF78900228CFDB24CF25C988BD9BBB1FB06316F0084E9E509A7251C3359BC6CF56

Uniqueness

Uniqueness Score: -1.00%

Function 031705CF, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.662449255.0000000003170000.00000040.00000040.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90d7c28f3496c214201285a9ec6d3ed46c6aa4de6f8e77b0ffb90294ba6f283d
Instruction ID: 6b8d005ecfd17ca7dcecef67751e2843d6ed40023e1aec73eabbbabe6c5c2fe4
Opcode Fuzzy Hash: 90d7c28f3496c214201285a9ec6d3ed46c6aa4de6f8e77b0ffb90294ba6f283d
Instruction Fuzzy Hash: 3E01DB7650D7805FD712CB06DC40862FFB8EF46630709C09FEC49CB612D125A904CB75

Uniqueness

Uniqueness Score: -1.00%

Function 08C7895A, Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.670205798.0000000008C70000.00000040.00000001.sdmp, Offset: 08C70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb7f32c81a5c76779528d9177ce42bd94ea92fb48a2291e4d24ac5614183e490
Instruction ID: 0f75f59e326aa1cf302b0a25cc61e8af01be7f557790528425d88173521da045
Opcode Fuzzy Hash: fb7f32c81a5c76779528d9177ce42bd94ea92fb48a2291e4d24ac5614183e490
Instruction Fuzzy Hash: D911CA38804228CFDB25CFA4C948BDDBBB1FB49306F1482EAD509A7241D7749AC9CF65

Uniqueness

Uniqueness Score: -1.00%

Function 08C78C8D, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.670205798.0000000008C70000.00000040.00000001.sdmp, Offset: 08C70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f4151a31aa912de1ea2ec8703bfed108b29a6495f96828f67ec5ce4878be0a1
Instruction ID: e8fb8692e65e4b2ef95ad38592b4abc73be2dd2848999c7d526dac5edb035ba7
Opcode Fuzzy Hash: 1f4151a31aa912de1ea2ec8703bfed108b29a6495f96828f67ec5ce4878be0a1
Instruction Fuzzy Hash: B811E574901228CFDB24CF25C989BD8BBB1FB45316F0084E9D509A3295C3399BC6CF55

Uniqueness

Uniqueness Score: -1.00%

Function 031503E8, Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.662415630.0000000003150000.00000040.00000001.sdmp, Offset: 03150000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 807819233d12d89c790b5714b383f23926d381b7fb36c4c3245f5a5be99b0bfb
Instruction ID: 4bd02617037ec2079ee29abb6220147b90b2eba768afa530736eacb9898c3328
Opcode Fuzzy Hash: 807819233d12d89c790b5714b383f23926d381b7fb36c4c3245f5a5be99b0bfb
Instruction Fuzzy Hash: 92F09034A8A204DFD70CCBB0D510BEF77B29FCA314F2158AAC40573795CAB94E81D665

Uniqueness

Uniqueness Score: -1.00%

Function 08C762E8, Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.670205798.0000000008C70000.00000040.00000001.sdmp, Offset: 08C70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7403d35a25d9b32e2aa9fb9332366a00666dcadef737d738ff0b31363f62128
Instruction ID: 1b35af6548924633dcf7455ccfd5df7221ba79dc8b3430c739418a8248ab1c29
Opcode Fuzzy Hash: a7403d35a25d9b32e2aa9fb9332366a00666dcadef737d738ff0b31363f62128
Instruction Fuzzy Hash: B201E5B4E0020ADBCB04DFAAC4849AEBBB6BB98301F2481A9D814A3354DB305A41CF91

Uniqueness

Uniqueness Score: -1.00%

Function 08C77BA8, Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.670205798.0000000008C70000.00000040.00000001.sdmp, Offset: 08C70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e155257b05094f5e275dabdea00b077f3ec155d0eec521d85b72582e976a99e
Instruction ID: efba4144e6aa078843ff7e31d48e48914816e0873f4336e858c358d92054e65f
Opcode Fuzzy Hash: 4e155257b05094f5e275dabdea00b077f3ec155d0eec521d85b72582e976a99e
Instruction Fuzzy Hash: 1001AD74809308EFCB05DFA8D8946BDBFB5FB4A302F1085DAE81193351DB305959CB51

Uniqueness

Uniqueness Score: -1.00%

Function 08C791B7, Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.670205798.0000000008C70000.00000040.00000001.sdmp, Offset: 08C70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bfc4b3743bc7bafc6816104928d11afdb2fd862cb118a97a453775a83266d2bb
Instruction ID: eaf0303574b09f071f9a2f42e15d4d68c551a28e9fa6f44f1540830b3ff5add9
Opcode Fuzzy Hash: bfc4b3743bc7bafc6816104928d11afdb2fd862cb118a97a453775a83266d2bb
Instruction Fuzzy Hash: 9B018670E05208AFDB04DFB6C455A6DBBB6FF86305F1084ADC805A7391DB348A44CB91

Uniqueness

Uniqueness Score: -1.00%

Function 03150006, Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.662415630.0000000003150000.00000040.00000001.sdmp, Offset: 03150000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6dc5f1cffb061f1323c32ce4eeb6bea033673b015ba0d1b9aa8add96f8a9aa98
Instruction ID: 158485516b943061e2bf2dccca6ed2e9eecfb46eda12879c50ca1c9160e6cbe2
Opcode Fuzzy Hash: 6dc5f1cffb061f1323c32ce4eeb6bea033673b015ba0d1b9aa8add96f8a9aa98
Instruction Fuzzy Hash: 70F06271C1A3848FD756CBB4C8253AEBFB0AB0E344F1508ABD450F7292C77849488BA5

Uniqueness

Uniqueness Score: -1.00%

Function 08C78718, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.670205798.0000000008C70000.00000040.00000001.sdmp, Offset: 08C70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf385a4beb4c136c89fee2843e0d86f0374bb6f515629d124a6e3aae6c893fb1
Instruction ID: 7bbff9001ac7a4aa3fdb83c3b16f699784614a972805a2f0bba9cd3a525112db
Opcode Fuzzy Hash: cf385a4beb4c136c89fee2843e0d86f0374bb6f515629d124a6e3aae6c893fb1
Instruction Fuzzy Hash: DC11FC74904228CFDB60CF29C888BD9BBB1EB48305F4480E9D50CA3240D7349AC6CF45

Uniqueness

Uniqueness Score: -1.00%

Function 03150070, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.662415630.0000000003150000.00000040.00000001.sdmp, Offset: 03150000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb48435290d5e2be9339ec7583752eb89e43d955888dc2faf1c61a0a626ee7e7
Instruction ID: ea9f20bf6544c1f9c5483870ea8d85ddfaed3968ddcadace7958529e9ca46d4c
Opcode Fuzzy Hash: cb48435290d5e2be9339ec7583752eb89e43d955888dc2faf1c61a0a626ee7e7
Instruction Fuzzy Hash: F0F05871D112099BDB68DFA8C855BAFFEF4AB0D340F10182AD420B3280DBB459448BE9

Uniqueness

Uniqueness Score: -1.00%

Function 03150538, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.662415630.0000000003150000.00000040.00000001.sdmp, Offset: 03150000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f64d6213df56526e9160dea8981447cdfbc6d7ee00ebf250480d60cb55962120
Instruction ID: 3d89533b23a5d71c2937c7d94393bcf99754acfab86a4ed687d0440a782b03ed
Opcode Fuzzy Hash: f64d6213df56526e9160dea8981447cdfbc6d7ee00ebf250480d60cb55962120
Instruction Fuzzy Hash: 86011FB4D45209DFCB04DFA8C48099DBBB0FB09310F2048AAE810AB366D378DE85CB91

Uniqueness

Uniqueness Score: -1.00%

Function 031503F8, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.662415630.0000000003150000.00000040.00000001.sdmp, Offset: 03150000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd686bb640122ab6725d60907c4236e75ae7ee1d0d179d3a0770f0d3fc22d8dd
Instruction ID: 655d5086f3cff77474defd5ea59e4c4fab5d189ea84c5abf4653be1399dd72ac
Opcode Fuzzy Hash: cd686bb640122ab6725d60907c4236e75ae7ee1d0d179d3a0770f0d3fc22d8dd
Instruction Fuzzy Hash: 1CF0C034A4A108DBD70CDBB0C650FAFB376DBC9304F215458D509337858EB59F41D6A9

Uniqueness

Uniqueness Score: -1.00%

Function 0315045A, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.662415630.0000000003150000.00000040.00000001.sdmp, Offset: 03150000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d5d094b3338fac1b8e48b299c08481f0a167d45ba0ec84728b11af00477c346
Instruction ID: 6e0ff343e1d31993808ae724aa8b7b60fec8c9ec9a413258fba4582581cd89ea
Opcode Fuzzy Hash: 4d5d094b3338fac1b8e48b299c08481f0a167d45ba0ec84728b11af00477c346
Instruction Fuzzy Hash: B9F0FF30C85309DFCB15DFB8C4086ADBBB0FF46215F6189AEC814A7361D7B88A52CB51

Uniqueness

Uniqueness Score: -1.00%

Function 03170818, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.662449255.0000000003170000.00000040.00000040.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8388fa57679453dc7b04d871bb3dcfd317d9f8cb342853e5fed44ee7779b5e3e
Instruction ID: 96b6b5c85758cabf51814936714a40c3cacd5fdf8f787a1f54e6e152b62fa6f6
Opcode Fuzzy Hash: 8388fa57679453dc7b04d871bb3dcfd317d9f8cb342853e5fed44ee7779b5e3e
Instruction Fuzzy Hash: 9FF0FB35104644DFC306CB40D940B25FBA6EB8D718F28C6A9E9890B752C337D813DA81

Uniqueness

Uniqueness Score: -1.00%

Function 031509E1, Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.662415630.0000000003150000.00000040.00000001.sdmp, Offset: 03150000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2040c66980f7536a5ee3a530b8f6028fccb867d42bb9b8a375908d4a97b044d1
Instruction ID: 866acaf79e07f873bed51e1db34de5d0427800e8effc20af0ff9bc46b90958b4
Opcode Fuzzy Hash: 2040c66980f7536a5ee3a530b8f6028fccb867d42bb9b8a375908d4a97b044d1
Instruction Fuzzy Hash: F5F03A30910248DBCB08EBA4C955A9DBB71EF92304F2052AEC4007B3A4DF309E54CB41

Uniqueness

Uniqueness Score: -1.00%

Function 08C78983, Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.670205798.0000000008C70000.00000040.00000001.sdmp, Offset: 08C70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1bd05909ce598b0e64622a3364192df2a989741d749eb78b9aaf3a4e455c783c
Instruction ID: 1fd2a3f5c1e2b1740b4b72f8598cabea862330ef4e630a0df5c7dc036bd153f4
Opcode Fuzzy Hash: 1bd05909ce598b0e64622a3364192df2a989741d749eb78b9aaf3a4e455c783c
Instruction Fuzzy Hash: FD011435D04228CFDF20CF61C848BECBBB5FB09305F1480EAD109A2291C3398A86CF56

Uniqueness

Uniqueness Score: -1.00%

Function 08C77EB8, Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.670205798.0000000008C70000.00000040.00000001.sdmp, Offset: 08C70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2bf5856f75a53e710c62e36d43dc8ea7c7bdacd90ecc8614902f21f7af8d5480
Instruction ID: d3e2f32b0f4caeb25617a5012b1431bed124ad49ab6fb3fc28382fa402a8ec92
Opcode Fuzzy Hash: 2bf5856f75a53e710c62e36d43dc8ea7c7bdacd90ecc8614902f21f7af8d5480
Instruction Fuzzy Hash: 87F05E31949208DFC704DFA4E454AA8BBB4FB4A205F1492EEC84563351C7305E59CB85

Uniqueness

Uniqueness Score: -1.00%

Function 0315F808, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.662415630.0000000003150000.00000040.00000001.sdmp, Offset: 03150000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a426699bebf30876698ef6f3f9baa20bfaa133dec55e873184fed56a804dc05
Instruction ID: eb3d24544ea3f8fce95878ee6335a224dc081db21fcff111826394d99478bacd
Opcode Fuzzy Hash: 4a426699bebf30876698ef6f3f9baa20bfaa133dec55e873184fed56a804dc05
Instruction Fuzzy Hash: D8F08C30840308DFCB15DFA8D854AADBF71FF46320F1084AEE8405B2A1C3784D92CB50

Uniqueness

Uniqueness Score: -1.00%

Function 08C784E5, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.670205798.0000000008C70000.00000040.00000001.sdmp, Offset: 08C70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d5194a539081a21d49599c850e990776e564aa370e94a6cb74784d9b51ab0fd
Instruction ID: 7786ecba66f8b7f7797d3b60d565860a5fd9e4975f35f064cddd32caadbead94
Opcode Fuzzy Hash: 8d5194a539081a21d49599c850e990776e564aa370e94a6cb74784d9b51ab0fd
Instruction Fuzzy Hash: 4701EF30900228CFCB64DFA4C884BECBBB2BB49305F2080AAD509B7251CB359E86CF41

Uniqueness

Uniqueness Score: -1.00%

Function 08C78A6B, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.670205798.0000000008C70000.00000040.00000001.sdmp, Offset: 08C70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ab655c6a891750b1de3662117caff994fb51019f75aaed17ae7a5be2f464da5
Instruction ID: 2b7c6c74363387ca279cb782170828aa49a18db78c7f53e14ca459109d68ebfb
Opcode Fuzzy Hash: 0ab655c6a891750b1de3662117caff994fb51019f75aaed17ae7a5be2f464da5
Instruction Fuzzy Hash: 3FF01434914268CFCB24DF65C8987E8B772FB49312F5081EAC1096B280CB349E82CF15

Uniqueness

Uniqueness Score: -1.00%

Function 08C77867, Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.670205798.0000000008C70000.00000040.00000001.sdmp, Offset: 08C70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b5a26e3a8e1fef39a66873885d0a4f05b1defab14ec0589b9ad875934081325
Instruction ID: e5d6a6860044756b99214407ec06024488bab8f327e8cc65cf8016b8071d065b
Opcode Fuzzy Hash: 7b5a26e3a8e1fef39a66873885d0a4f05b1defab14ec0589b9ad875934081325
Instruction Fuzzy Hash: 55E06D30809208DFC715DFB4D4589A87FB4EF02305F2045DDD4016B2A1CB311D5EDB91

Uniqueness

Uniqueness Score: -1.00%

Function 08C773D9, Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.670205798.0000000008C70000.00000040.00000001.sdmp, Offset: 08C70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9169c96ab0ae25c2b2c5d96fe3a0c6e7e1e9564d366275935a5068eb5c8ae6ee
Instruction ID: cb73655704132887e0e7096b3977b46165ff009907e53317bb50695079663423
Opcode Fuzzy Hash: 9169c96ab0ae25c2b2c5d96fe3a0c6e7e1e9564d366275935a5068eb5c8ae6ee
Instruction Fuzzy Hash: 5FF0A77140A2689FC306DFB4D8109A9BF74EF47301F1040DED4418B292C7304A59D761

Uniqueness

Uniqueness Score: -1.00%

Function 03150548, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.662415630.0000000003150000.00000040.00000001.sdmp, Offset: 03150000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05ee7bc28b862de79e8cd3f23e45463568672a1691265cfcaea0a9dc55191fa8
Instruction ID: b1a787a89ddfacec28d7cc50870726297d29f6f361840173fe7c6040743a1be1
Opcode Fuzzy Hash: 05ee7bc28b862de79e8cd3f23e45463568672a1691265cfcaea0a9dc55191fa8
Instruction Fuzzy Hash: E0F0DAB4D40209DFCB14DF98C54499DBBB4FB48300F1045A9EC10A7315D770EE55DB91

Uniqueness

Uniqueness Score: -1.00%

Function 08C79028, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.670205798.0000000008C70000.00000040.00000001.sdmp, Offset: 08C70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1f739195b627167a31d2b5fa25705569a4e06ed4610b158c6f7369c454df1c8
Instruction ID: 57d4e7d3019688d50e2a5f06dec9766055c3fb9dcce238343a2bd9c5aff8ec2c
Opcode Fuzzy Hash: e1f739195b627167a31d2b5fa25705569a4e06ed4610b158c6f7369c454df1c8
Instruction Fuzzy Hash: 97F08230909348AFCB11DFA8D450AA8BFB4AF49304F14C1EED84497392C7355A5ADB91

Uniqueness

Uniqueness Score: -1.00%

Function 08C77210, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.670205798.0000000008C70000.00000040.00000001.sdmp, Offset: 08C70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: caa1ab4e0700f8a0f5507f5a6182ba012838cfb87322ace270b6dbcdb6244eef
Instruction ID: ed3a6bced1d8064f9beb13138ccc4fcf8b7568877ba6c0229293ab347cdfb3af
Opcode Fuzzy Hash: caa1ab4e0700f8a0f5507f5a6182ba012838cfb87322ace270b6dbcdb6244eef
Instruction Fuzzy Hash: 03E09230809258DFC716EFA4D850AAC7FB4AB07201F1041EED4459B292EB345D1ED7D1

Uniqueness

Uniqueness Score: -1.00%

Function 031705F6, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.662449255.0000000003170000.00000040.00000040.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c4e6a84e19e2c5e9b18ada99bac6e94d4fe30141ad8a485abbf3afdf4037f6d
Instruction ID: 0b916af5a6d57686f7159bda7c42893290695604ea12371e01ab9cfa0ee9c563
Opcode Fuzzy Hash: 5c4e6a84e19e2c5e9b18ada99bac6e94d4fe30141ad8a485abbf3afdf4037f6d
Instruction Fuzzy Hash: A1E092766046045BD650CF0BEC41452FBD8EB84630718C07FDC0D8B700E535F504CEA5

Uniqueness

Uniqueness Score: -1.00%

Function 031509F0, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.662415630.0000000003150000.00000040.00000001.sdmp, Offset: 03150000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1ce310ddaf2496c89fea6f1df9fd3d4a195051d51da00d9ab76b9b0d4fdaa84
Instruction ID: c587c954258f423c126842d31fb084f4793326cddcb5d09caea40c0dd90a37ec
Opcode Fuzzy Hash: f1ce310ddaf2496c89fea6f1df9fd3d4a195051d51da00d9ab76b9b0d4fdaa84
Instruction Fuzzy Hash: 58F0393090020DEBCB08EBA4DA99AADBB71EF41304F2052AD9804273A4DF30AF54CB81

Uniqueness

Uniqueness Score: -1.00%

Function 03150220, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.662415630.0000000003150000.00000040.00000001.sdmp, Offset: 03150000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33db9df284a6e02a0b0cfd64b5afc9bb20960adaa016e5e08ab4699dba7ecbf8
Instruction ID: a951a7cb7e0b4b2863f036da9df250ba689e1fdffb8956135e5607d65603fe61
Opcode Fuzzy Hash: 33db9df284a6e02a0b0cfd64b5afc9bb20960adaa016e5e08ab4699dba7ecbf8
Instruction Fuzzy Hash: 7BF08C30809344DFCB55CFE8A4405DCBFB1EB4A310F2040AAD84593321D7314AA4CB41

Uniqueness

Uniqueness Score: -1.00%

Function 08C77DDF, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.670205798.0000000008C70000.00000040.00000001.sdmp, Offset: 08C70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c01eebd90cecd30627de8b421fc8be93e5f90386f265533de0752ed1363d49b
Instruction ID: 88cd1c32f02eb40e9f2ea3742850b6ea0694a026c2f0476756d4219930c1a471
Opcode Fuzzy Hash: 9c01eebd90cecd30627de8b421fc8be93e5f90386f265533de0752ed1363d49b
Instruction Fuzzy Hash: 73F08C70809248EFCB02CFA8D044ADCBFB0BB09310F2481EED84197361D3354A59DB91

Uniqueness

Uniqueness Score: -1.00%

Function 08C76038, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.670205798.0000000008C70000.00000040.00000001.sdmp, Offset: 08C70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c5eba88d6a49a1c1d7ca541f48e9fdd73af5a91f03eed5fca7582697b3b245a
Instruction ID: 0878dc5545326e361364e33cccfc9a46429f62414a20bf694b96baf963d65a35
Opcode Fuzzy Hash: 2c5eba88d6a49a1c1d7ca541f48e9fdd73af5a91f03eed5fca7582697b3b245a
Instruction Fuzzy Hash: 98F03034809208EFC705DFA8D194AA8BBF4FF4A304F1481EDD80897352D7305A19DB95

Uniqueness

Uniqueness Score: -1.00%

Function 08C76298, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.670205798.0000000008C70000.00000040.00000001.sdmp, Offset: 08C70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e75ab81d9f6a6930d95573d9ca978b7a89e36e9cc8446558a9c6e2c1093e6b5c
Instruction ID: 9793daf0fa2583a09b001f4f5807d46c1277d41f64de24a178fa0885af26f953
Opcode Fuzzy Hash: e75ab81d9f6a6930d95573d9ca978b7a89e36e9cc8446558a9c6e2c1093e6b5c
Instruction Fuzzy Hash: D9E06D708592449FCB11EBF4D454A997F70EB1B305F1441DED405D7262DB30091DDB21

Uniqueness

Uniqueness Score: -1.00%

Function 03150468, Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.662415630.0000000003150000.00000040.00000001.sdmp, Offset: 03150000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df51c6b54c79816069be980fb4ba7e8552ab6bf6bd831f297a093d4784358b2a
Instruction ID: d8da5e03fffa8a8da30203f48897d1dbe1b3d69c3dcb3784e8d12bda3245773a
Opcode Fuzzy Hash: df51c6b54c79816069be980fb4ba7e8552ab6bf6bd831f297a093d4784358b2a
Instruction Fuzzy Hash: 1CF0C274D41208EFCB14EFB8D5489AEBBB1FB49305F2089ADD814A3354DB709A62CB95

Uniqueness

Uniqueness Score: -1.00%

Function 08C778E9, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.670205798.0000000008C70000.00000040.00000001.sdmp, Offset: 08C70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a17b7744533a44918ebbe9d30e0ba873ad141e932b0508c68eccfbeccf63f498
Instruction ID: 126eea69e046a03b3c53c03a19c188cfc9b041ecbf3a4ec58995731a53c607b6
Opcode Fuzzy Hash: a17b7744533a44918ebbe9d30e0ba873ad141e932b0508c68eccfbeccf63f498
Instruction Fuzzy Hash: B2E0DF30906208DBDB14EFB8D458BAC7F74FB46306F2051ACC40427391CB700AAAEB90

Uniqueness

Uniqueness Score: -1.00%

Function 08C708A0, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.670205798.0000000008C70000.00000040.00000001.sdmp, Offset: 08C70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 768ab5cd38cb47b8c0b0b5f9137b6be6bbd2a0faf0bd71399490efd3392fe91a
Instruction ID: ac591d06d8a20a4f84225a77e8a23c1cefbf7452a7d6fb1691c7431a0538c1fb
Opcode Fuzzy Hash: 768ab5cd38cb47b8c0b0b5f9137b6be6bbd2a0faf0bd71399490efd3392fe91a
Instruction Fuzzy Hash: C6E09A3084B388DECB02DB78E048BAD7FB0AB06325F1441EDC848AB692DA300948CF91

Uniqueness

Uniqueness Score: -1.00%

Function 08C77461, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.670205798.0000000008C70000.00000040.00000001.sdmp, Offset: 08C70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 861fa9af3a7c7ff543904a038ee4fe2d08d48b17a7a76652619ba0e60eb8b0b0
Instruction ID: 500080679423bb0c8a7a000833046d0f07dae118cc0d9766332e716591e96038
Opcode Fuzzy Hash: 861fa9af3a7c7ff543904a038ee4fe2d08d48b17a7a76652619ba0e60eb8b0b0
Instruction Fuzzy Hash: A9E04F315492889FC7129FF49414ABA7F789B07201B1451DDC049A72A3C671091ADF21

Uniqueness

Uniqueness Score: -1.00%

Function 08C77250, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.670205798.0000000008C70000.00000040.00000001.sdmp, Offset: 08C70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b541dea62bedca1b84d20cc548fe502fbef1c1cae89151c95e0fd828a6a40bda
Instruction ID: 2caec7c374b5a76f74fed0964fd55b48d98de3c75db10b3a013f0fdd4175bba2
Opcode Fuzzy Hash: b541dea62bedca1b84d20cc548fe502fbef1c1cae89151c95e0fd828a6a40bda
Instruction Fuzzy Hash: A5E0863044A288DECB12DF74D554BFA7FB8AB17201F1451DCD54D57292CB710A0CCB61

Uniqueness

Uniqueness Score: -1.00%

Function 08C7923A, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.670205798.0000000008C70000.00000040.00000001.sdmp, Offset: 08C70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6da248365b9b28039fd42b57376467fd9793ff8eb3bf07837b85f24c569fa70
Instruction ID: 73db155b0149c57a7beee6273b4457e042311fff735e434f3caa9c754802b1e3
Opcode Fuzzy Hash: b6da248365b9b28039fd42b57376467fd9793ff8eb3bf07837b85f24c569fa70
Instruction Fuzzy Hash: 25E0463100E2849FC70AABA4C410AA47F79AB0B315B2805DDC8454B2A2CB36495DEBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0315F818, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.662415630.0000000003150000.00000040.00000001.sdmp, Offset: 03150000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 065ee3bad88d04b5ed1b7dd4f485ec2577664a7895fd9ab0bbc859be56a0ecc7
Instruction ID: 252d01941da7a0e6e215251f58ba45b07f069c7511147e3caa642340bee77bb8
Opcode Fuzzy Hash: 065ee3bad88d04b5ed1b7dd4f485ec2577664a7895fd9ab0bbc859be56a0ecc7
Instruction Fuzzy Hash: CCE08630800108EFCB14EFA8D84599EBF75FB45301F10D06DEC04233A4C7305A61DB55

Uniqueness

Uniqueness Score: -1.00%

Function 03150230, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.662415630.0000000003150000.00000040.00000001.sdmp, Offset: 03150000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da30539e6d29cb9c89fcc9cd94acd5fa4f926f1ed69f643e3bf2c2e988999ade
Instruction ID: 1e17e7d33470adc88475a241259ce4e4c8bb197ba2537a2e9be6add9caff358f
Opcode Fuzzy Hash: da30539e6d29cb9c89fcc9cd94acd5fa4f926f1ed69f643e3bf2c2e988999ade
Instruction Fuzzy Hash: 1AE04634909308DFCB18DFA8E50599CBBB6EB4D301F2090A9EC09A3350EB719E94CB81

Uniqueness

Uniqueness Score: -1.00%

Function 08C77830, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.670205798.0000000008C70000.00000040.00000001.sdmp, Offset: 08C70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c25573e09fb2bae041422e74cd5484ff51271adf421ed7423aa4e106e57b8667
Instruction ID: 64aac51bf8a9be823f97cfeb3a115454e76f5321cfeaa848a0b824f96761193f
Opcode Fuzzy Hash: c25573e09fb2bae041422e74cd5484ff51271adf421ed7423aa4e106e57b8667
Instruction Fuzzy Hash: 96E0866010A209DFD711EFA8C598AA87BB8AF07209F2405EDD44497152DB715D19D351

Uniqueness

Uniqueness Score: -1.00%

Function 08C79038, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.670205798.0000000008C70000.00000040.00000001.sdmp, Offset: 08C70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 911344069fa1b31b7294cd7c161daeefa837f2b06c7d35a4166d3b9158224e4c
Instruction ID: 9c02cd02ad68b3efccde72ab7a3c80352d427297c445b2bff052d719849b0925
Opcode Fuzzy Hash: 911344069fa1b31b7294cd7c161daeefa837f2b06c7d35a4166d3b9158224e4c
Instruction Fuzzy Hash: C7E0E574904208ABCB14DFA8D444AACBFB8AB48315F14C1AEE85893341D7359A56DB90

Uniqueness

Uniqueness Score: -1.00%

Function 08C77DF0, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.670205798.0000000008C70000.00000040.00000001.sdmp, Offset: 08C70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8d05e38a9a83463e459185c4ad8a3e7fb925b733a45bce1c834d0f8488d629b
Instruction ID: abee4aafcdcc96a388f758b43e54277040dd7111bd02898b26c4ffc98df0cf58
Opcode Fuzzy Hash: d8d05e38a9a83463e459185c4ad8a3e7fb925b733a45bce1c834d0f8488d629b
Instruction Fuzzy Hash: 0CE09274D0420CEFCB05DFA8D448AADBBB4FB48315F2081AAEC04A7351D731AA64DF95

Uniqueness

Uniqueness Score: -1.00%

Function 08C76768, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.670205798.0000000008C70000.00000040.00000001.sdmp, Offset: 08C70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f529d7a3935a0160016316d450090e1b88562ecbd343e97da2fb86d583e21151
Instruction ID: 7892035278470ee339a805020ce2b086fa43e1782392ae9a6c8cfb873ca74957
Opcode Fuzzy Hash: f529d7a3935a0160016316d450090e1b88562ecbd343e97da2fb86d583e21151
Instruction Fuzzy Hash: 63E0DFB082A2889ECB50EFF8D008BED7FB0AB06225F1441EDC84553352E7700684CB51

Uniqueness

Uniqueness Score: -1.00%

Function 08C76048, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.670205798.0000000008C70000.00000040.00000001.sdmp, Offset: 08C70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a551343f8a30c7c62298ea5092e214061518b14f2ec43847a9c0f18a452045c
Instruction ID: 5f7bd8a5f876b096578bbe9f61007a53b235fe4caf4c4bb15a114eeb11bad7ed
Opcode Fuzzy Hash: 5a551343f8a30c7c62298ea5092e214061518b14f2ec43847a9c0f18a452045c
Instruction Fuzzy Hash: 45E09274D04208EBCB04DFA8E148AADBBB8AB48305F1081A9D808A7351D6316A55CB95

Uniqueness

Uniqueness Score: -1.00%

Function 03159322, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.662415630.0000000003150000.00000040.00000001.sdmp, Offset: 03150000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85221e414be3c2234c5ad92e079892c57084001c7508cc7e5cbf60a281c80efd
Instruction ID: 5f4fe3c8e47db4d1018ee455172d2f54c3da34d1d61db2b2150ea5d4910dab19
Opcode Fuzzy Hash: 85221e414be3c2234c5ad92e079892c57084001c7508cc7e5cbf60a281c80efd
Instruction Fuzzy Hash: E3E0C234449344CFC341CFB084156987BB49F06210F1500DDD80887361D6B84D01C762

Uniqueness

Uniqueness Score: -1.00%

Function 08C79188, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.670205798.0000000008C70000.00000040.00000001.sdmp, Offset: 08C70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08e43cfbc553f43390ea5cad7e65d8fb8de16ed39aa2ce85ea607cc326cd151a
Instruction ID: 3be677a3b22ca933daa50233fcdccc8d8dcbde71bedb35723adf283c11039ff3
Opcode Fuzzy Hash: 08e43cfbc553f43390ea5cad7e65d8fb8de16ed39aa2ce85ea607cc326cd151a
Instruction Fuzzy Hash: 73D0C72100A3058FC311ABA4C8583A03BB8EB0320AF281889C0088B2A2877188AEC320

Uniqueness

Uniqueness Score: -1.00%

Function 031500ED, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.662415630.0000000003150000.00000040.00000001.sdmp, Offset: 03150000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fc426c1460f74b414b7837144b10e896c303703397e98d07d3114626426e1ad
Instruction ID: 5e4e8fe5485076f98cef56c82359ce2125293f163c4be0f0805edce5c7266816
Opcode Fuzzy Hash: 8fc426c1460f74b414b7837144b10e896c303703397e98d07d3114626426e1ad
Instruction Fuzzy Hash: BED01736D05208CFCB04CFA4E0842ECF770FB8D325F10842AC624A3310C33144558F50

Uniqueness

Uniqueness Score: -1.00%

Function 08C708B0, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.670205798.0000000008C70000.00000040.00000001.sdmp, Offset: 08C70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d064ad6fbfb7bee0de3d5e25f88e5740f02e42ca224d5e90cfce4515bccbf55
Instruction ID: 1ca6a737f6bf741b702a92207f5a71a84193bb5d8be3e3076eb92e5d1e6e0712
Opcode Fuzzy Hash: 6d064ad6fbfb7bee0de3d5e25f88e5740f02e42ca224d5e90cfce4515bccbf55
Instruction Fuzzy Hash: 92D05E70806608DBCB00EFB8E4497ADBFB8EB0531AF1001ECD80863741E7305A94CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 08C77470, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.670205798.0000000008C70000.00000040.00000001.sdmp, Offset: 08C70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8df39f4459e042670a8d07e2b1fc58a5700cff88330273aaa783aca22ac60b0b
Instruction ID: faa50851a5fe6ac82e8002c2e56fe3309fc2ecd406aefa59ef7365c4ae677048
Opcode Fuzzy Hash: 8df39f4459e042670a8d07e2b1fc58a5700cff88330273aaa783aca22ac60b0b
Instruction Fuzzy Hash: 2CD0A93040520CDBC700DFE6D408B6ABB7CE706206F0020ACD408632019BB05A10CAA0

Uniqueness

Uniqueness Score: -1.00%

Function 08C79248, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.670205798.0000000008C70000.00000040.00000001.sdmp, Offset: 08C70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2bf80d8e3743af62fdfbdee1d39656574f536df34d5d2d576ea32116d1cf12b
Instruction ID: 5798ae70a811895c480854f50a10a8f34360ceeedbbf2aa4ed1a0c7ccdd0ff1e
Opcode Fuzzy Hash: b2bf80d8e3743af62fdfbdee1d39656574f536df34d5d2d576ea32116d1cf12b
Instruction Fuzzy Hash: 5AD0A97044A208DBC714EAA9C400B6ABB7DEB0271AF6005ACC80803351DB369A04DB90

Uniqueness

Uniqueness Score: -1.00%

Function 08C77840, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.670205798.0000000008C70000.00000040.00000001.sdmp, Offset: 08C70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4869c8f358b6b9b1feae5f4cc94a7dc2b677e44238cf4d5bd04566626f47e25
Instruction ID: 185162c62fc2f8f75d9f61351daca272ff24b6e402a23db18d77ed4ec972af38
Opcode Fuzzy Hash: e4869c8f358b6b9b1feae5f4cc94a7dc2b677e44238cf4d5bd04566626f47e25
Instruction Fuzzy Hash: 73D0C96065610DDAD710EBA9D548B6DBBBCA70621AF10199CA808A3601EA715A14D691

Uniqueness

Uniqueness Score: -1.00%

Function 031500CD, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.662415630.0000000003150000.00000040.00000001.sdmp, Offset: 03150000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec04b1e3d1421514129a1c031ef9af7c4247dcd3500843ad4b77fe75d33b58fe
Instruction ID: a215ca9c992cbe012e1c7f7cf39d261f47d31d98b6b90aff42fb12f035cc8f59
Opcode Fuzzy Hash: ec04b1e3d1421514129a1c031ef9af7c4247dcd3500843ad4b77fe75d33b58fe
Instruction Fuzzy Hash: 49D09236E45108CF8B148AA8E4440DCF771EBC9225B10916AC624A2310C73198168F50

Uniqueness

Uniqueness Score: -1.00%

Function 03159330, Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.662415630.0000000003150000.00000040.00000001.sdmp, Offset: 03150000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c06d89e22de5fe5e8cb495902091ed5f2263130cf09f44c389fac7d12953328
Instruction ID: c5d047c40f12c409e62569314a7b47c18030cd7489cedc5126e9aa676eeb49fd
Opcode Fuzzy Hash: 8c06d89e22de5fe5e8cb495902091ed5f2263130cf09f44c389fac7d12953328
Instruction Fuzzy Hash: DCC0807084610CDFC754DFA8D516B6DBB6CD705714F1400ACAC0C13350DBB16E10C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 08C716B9, Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.670205798.0000000008C70000.00000040.00000001.sdmp, Offset: 08C70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4988253a26755716e2c7153b836e10bcd6475689a3ae028dfb265e4aa2413da6
Instruction ID: 7397021a653b7a53afcb0607fae36f46b0bf7df1a9f6d866dbd55d08412148ba
Opcode Fuzzy Hash: 4988253a26755716e2c7153b836e10bcd6475689a3ae028dfb265e4aa2413da6
Instruction Fuzzy Hash: CAE0F6B8908228DFDB61CF35C884AD9BBB0BB0A301F4042DAD84EA3300DB305E818F84

Uniqueness

Uniqueness Score: -1.00%

Function 08C79198, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.670205798.0000000008C70000.00000040.00000001.sdmp, Offset: 08C70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f348a4793a35c8817561db4918c65add48036e4f716ea230fb2a47c8ca61baf6
Instruction ID: 4c41235d513bfd9c118b432595523d50a3406697ee31ed8b84cc6534387b6813
Opcode Fuzzy Hash: f348a4793a35c8817561db4918c65add48036e4f716ea230fb2a47c8ca61baf6
Instruction Fuzzy Hash: E2C02B33045B0487D6202AA4A40C331BEBCF30331BF082C0C900C0131287F594F8C650

Uniqueness

Uniqueness Score: -1.00%

Function 08C74F79, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.670205798.0000000008C70000.00000040.00000001.sdmp, Offset: 08C70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f751ca5a27ae92b46885093d1368b720306ec0579e99d07e3b626898779d548f
Instruction ID: e9f11222148b46d52a45204cae25ea131d17f3283dbde131e2f7238dbdefc067
Opcode Fuzzy Hash: f751ca5a27ae92b46885093d1368b720306ec0579e99d07e3b626898779d548f
Instruction Fuzzy Hash: 08E076B4D152288FCB65CF25CD446DABBB1AB5A305F5492EA984DA2310D7325E85CF40

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0315E8F0, Relevance: 13.4, Strings: 10, Instructions: 907COMMON

Download Yara Rule

Strings

l, xrefs: 0315F175
J, xrefs: 0315F3F8
#, xrefs: 0315F579
', xrefs: 0315F2E7
=, xrefs: 0315F456
:, xrefs: 0315F0BC
+, xrefs: 0315F342
w, xrefs: 0315EB00
@, xrefs: 0315ECB2
p, xrefs: 0315ED74

Memory Dump Source

Source File: 00000000.00000002.662415630.0000000003150000.00000040.00000001.sdmp, Offset: 03150000, based on PE: false

Similarity

API ID:
String ID: #$'$+$:$=$@$J$l$p$w
API String ID: 0-44647363
Opcode ID: 217b1307f7283db4e990937c05e6798f2a5afcf02e33cc204f454d4cdcf514e6
Instruction ID: 23271e62abd211c30b63450991d255df92b26a5bdc900ee20716ddafd403b735
Opcode Fuzzy Hash: 217b1307f7283db4e990937c05e6798f2a5afcf02e33cc204f454d4cdcf514e6
Instruction Fuzzy Hash: 2A8214B1C05268CFEB28CFA2C9183EDFAB5AB49349F149099D519B7291C7784BC9CF14

Uniqueness

Uniqueness Score: -1.00%

Function 0315E8EE, Relevance: 11.7, Strings: 9, Instructions: 492COMMON

Download Yara Rule

Strings

s, xrefs: 0315F3C8
r, xrefs: 0315F070
M, xrefs: 0315EC8E
V, xrefs: 0315F2F6
*, xrefs: 0315F540
c, xrefs: 0315F297
,, xrefs: 0315ED44
d, xrefs: 0315F142
w, xrefs: 0315EB00

Memory Dump Source

Source File: 00000000.00000002.662415630.0000000003150000.00000040.00000001.sdmp, Offset: 03150000, based on PE: false

Similarity

API ID:
String ID: *$,$M$V$c$d$r$s$w
API String ID: 0-114772015
Opcode ID: cec9601a62b1adb0e69b9d8a00da813a27f81f98eb1c37edbeb5cb4ed7fc3d2b
Instruction ID: 0ec1829dc7551ee62ed74c483482333b377a7e2a147b012a3224567f68764ac4
Opcode Fuzzy Hash: cec9601a62b1adb0e69b9d8a00da813a27f81f98eb1c37edbeb5cb4ed7fc3d2b
Instruction Fuzzy Hash: 5822F7B1C05268CFEB28CFA6C9183EDFAB5BB49349F1480D9D519A7291C7784AC9CF50

Uniqueness

Uniqueness Score: -1.00%

Function 08C708E1, Relevance: 3.9, Strings: 3, Instructions: 142COMMON

Download Yara Rule

Strings

:@fq, xrefs: 08C70A0C
f]kq, xrefs: 08C70940
>_kq, xrefs: 08C70A29

Memory Dump Source

Source File: 00000000.00000002.670205798.0000000008C70000.00000040.00000001.sdmp, Offset: 08C70000, based on PE: false

Similarity

API ID:
String ID: :@fq$>_kq$f]kq
API String ID: 0-1744552541
Opcode ID: fe06ae894bf41e1997cd3bf958a2ea4283a7158a2a26475c03779375d5182867
Instruction ID: 2178b0c40e85a72d434cba3caee5d9022fb7d7cfe577399491d2bb90c1da6111
Opcode Fuzzy Hash: fe06ae894bf41e1997cd3bf958a2ea4283a7158a2a26475c03779375d5182867
Instruction Fuzzy Hash: AB512B70A0024ACBDB14DF6AE448B99BBF6FB84309F14812EE0049B36CEF745919CB91

Uniqueness

Uniqueness Score: -1.00%

Function 08C708F0, Relevance: 3.9, Strings: 3, Instructions: 136COMMON

Download Yara Rule

Strings

:@fq, xrefs: 08C70A0C
f]kq, xrefs: 08C70940
>_kq, xrefs: 08C70A29

Memory Dump Source

Source File: 00000000.00000002.670205798.0000000008C70000.00000040.00000001.sdmp, Offset: 08C70000, based on PE: false

Similarity

API ID:
String ID: :@fq$>_kq$f]kq
API String ID: 0-1744552541
Opcode ID: bc8dfa9dfdaf101dc4691d08a08eace86cbc44a404c648f348434959b2e29256
Instruction ID: ee4855e1c16a9bf72477588c9e70402208cc45700acccd78e7b7f00a38e4da71
Opcode Fuzzy Hash: bc8dfa9dfdaf101dc4691d08a08eace86cbc44a404c648f348434959b2e29256
Instruction Fuzzy Hash: 7C511A70E0064A8BDB14DF6AE448B99BBF6FB94309F14812EE0049736CEF7459598B91

Uniqueness

Uniqueness Score: -1.00%

Function 08C70B38, Relevance: 1.4, Strings: 1, Instructions: 106COMMON

Download Yara Rule

Strings

V, xrefs: 08C737D1

Memory Dump Source

Source File: 00000000.00000002.670205798.0000000008C70000.00000040.00000001.sdmp, Offset: 08C70000, based on PE: false

Similarity

API ID:
String ID: V
API String ID: 0-1342839628
Opcode ID: 6b8e5d15e063e5f35beb052b875f03cd4aeb367d2936eaea5d19ce3563bbcee1
Instruction ID: 352f584f0e1f2bebfe013e6dfe16471148a5aa7b33b3390253115002aa3fc8f3
Opcode Fuzzy Hash: 6b8e5d15e063e5f35beb052b875f03cd4aeb367d2936eaea5d19ce3563bbcee1
Instruction Fuzzy Hash: 544120B1D056588BEB6CCF6B8D4078AFAF7BFC8305F14C5BA850DA6215EB3005858F15

Uniqueness

Uniqueness Score: -1.00%

Function 08C781D8, Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.670205798.0000000008C70000.00000040.00000001.sdmp, Offset: 08C70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2cdb453f9e6171cbc247b5bce95fe9dd390cc298d501d3b4efbd14471ce1ae94
Instruction ID: 6f74d26d8635e8e5b088451f50f38628e2d69010f2d7bcf93cae19c2028839a1
Opcode Fuzzy Hash: 2cdb453f9e6171cbc247b5bce95fe9dd390cc298d501d3b4efbd14471ce1ae94
Instruction Fuzzy Hash: 7E21FA71D046298BDB28CF6BC8447EEBAF7ABC5301F15C0BAC528A7614DB300A85CF15

Uniqueness

Uniqueness Score: -1.00%

Function 08C795B7, Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.670205798.0000000008C70000.00000040.00000001.sdmp, Offset: 08C70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42de7f35f559908c6ffe61e220499d25210e71e48d1896cb3b609d5bf4cd98d4
Instruction ID: c277abd1c4cc6b4e06cb35f6e3ee0a54034623267724dd67d310ff2473fa43ad
Opcode Fuzzy Hash: 42de7f35f559908c6ffe61e220499d25210e71e48d1896cb3b609d5bf4cd98d4
Instruction Fuzzy Hash: 25219D70C452898ECB51CFA9C4887EEBFF1AF0A311F1441AED454B7292D7388649CF69

Uniqueness

Uniqueness Score: -1.00%

Function 08C781E8, Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.670205798.0000000008C70000.00000040.00000001.sdmp, Offset: 08C70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 930b4aece785ef8ae50a13d0fe4f39bbfda90d1de82cc3b6c3d5bb85d5ef09f2
Instruction ID: cb1ef8c03bf33913dac8a4c1b623df0a2a69f53b843f532a84bc04991197f45b
Opcode Fuzzy Hash: 930b4aece785ef8ae50a13d0fe4f39bbfda90d1de82cc3b6c3d5bb85d5ef09f2
Instruction Fuzzy Hash: 4721C9B1D046198BDB28CF6B88047EEBAF7ABD9301F15C0BAC518A6654EB340A85CF55

Uniqueness

Uniqueness Score: -1.00%

Function 08C7967F, Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.670205798.0000000008C70000.00000040.00000001.sdmp, Offset: 08C70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4e36b9f929551134582e1043f781ac374a44c315e071829da749d395eb79973
Instruction ID: 273ef109011a07fd9c2bd273b1a713be0644423466a32281f0877a272510511c
Opcode Fuzzy Hash: f4e36b9f929551134582e1043f781ac374a44c315e071829da749d395eb79973
Instruction Fuzzy Hash: D711F670D502599EDB54DFA9C458BFEBFF0AB0A301F249469E405F7280D7788A49CF64

Uniqueness

Uniqueness Score: -1.00%

Function 08C795C8, Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.670205798.0000000008C70000.00000040.00000001.sdmp, Offset: 08C70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d22f3e9ce0189134d668a1af5ea1d521ef9dfc6650983d7bb976c7ab2a548cfa
Instruction ID: 204f059f5e5c8e17a5dbca7429ebec3e1758bdcbbaa067b6c54a4ae5f4552a99
Opcode Fuzzy Hash: d22f3e9ce0189134d668a1af5ea1d521ef9dfc6650983d7bb976c7ab2a548cfa
Instruction Fuzzy Hash: 34110670D042199ECB54CFAAC854BEEBEF1AF0A301F149169E015B3280D7788A48CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 08C79690, Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.670205798.0000000008C70000.00000040.00000001.sdmp, Offset: 08C70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b92468127d4fd5621cb096fa0ca538f00b8cb5db5000b91b28448e2fca09ffc
Instruction ID: 87ecd17b1a109b4e556bfcb0844b00ce6c7d2e8a0728c15133defd16d600df74
Opcode Fuzzy Hash: 0b92468127d4fd5621cb096fa0ca538f00b8cb5db5000b91b28448e2fca09ffc
Instruction Fuzzy Hash: 93110670D142199ECB54DFAAC844BEEBEF4BF0A301F14946AE405B3280D7788A45CF68

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: RegSvcs.exe PID: 6120 Parent PID: 7084 RegSvcs.exeCOMMON

Executed Functions

Function 0310B238, Relevance: 2.2, Strings: 1, Instructions: 956COMMON

Download Yara Rule

Strings

r, xrefs: 0310BD5C

Memory Dump Source

Source File: 00000006.00000002.913178689.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID:
String ID: r
API String ID: 0-1812594589
Opcode ID: 7595cd3b7b8a125bf8632bba26113c9811899a606c6ae614999a04e7d89b7e6f
Instruction ID: 1e1133ddd7586449b92bb0fa7e4e9f0aefd6a72dd9ebcc5d08fa37515500f574
Opcode Fuzzy Hash: 7595cd3b7b8a125bf8632bba26113c9811899a606c6ae614999a04e7d89b7e6f
Instruction Fuzzy Hash: CF925674A046098FCB14CF69C490AADFBF2FF88310F25C5A9D45AAB695D770E981CF90

Uniqueness

Uniqueness Score: -1.00%

Function 03103850, Relevance: 2.0, Strings: 1, Instructions: 760COMMON

Download Yara Rule

Strings

>_kq, xrefs: 03103F9D

Memory Dump Source

Source File: 00000006.00000002.913178689.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID:
String ID: >_kq
API String ID: 0-4149988037
Opcode ID: eea1828c326a514d7c411b7add2367d4ed292e8e0babfcff160a3061bcd61209
Instruction ID: 8dbf999d10f22e8ba3159502e5636ecacb16f8e72c3d3ef706cbb78ec7294b85
Opcode Fuzzy Hash: eea1828c326a514d7c411b7add2367d4ed292e8e0babfcff160a3061bcd61209
Instruction Fuzzy Hash: 5252E775A00215CFCB15CF68C8849AAFBF6FF49300B19C9A6D4259F296C7B1EC45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 03172998, Relevance: 1.6, APIs: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

bind.WS2_32(?,00000E2C,B14A1E94,00000000,00000000,00000000,00000000), ref: 03172A4B

Memory Dump Source

Source File: 00000006.00000002.913279398.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID: bind
String ID:
API String ID: 1187836755-0
Opcode ID: 9fdc58f6ce90ab8ff209b81dff75d4302dfc9d04998f4fd9dc6a82feb6e12694
Instruction ID: b48cc82c7d3dc929a8718ef75c5dbd90c850a62156a9dff44a1d919a73e59c08
Opcode Fuzzy Hash: 9fdc58f6ce90ab8ff209b81dff75d4302dfc9d04998f4fd9dc6a82feb6e12694
Instruction Fuzzy Hash: 593149B150A3C05FD7238B359C55B92BFB89F07214F0D88DBE9849F1A3D2689849CB72

Uniqueness

Uniqueness Score: -1.00%

Function 03171463, Relevance: 1.6, APIs: 1, Instructions: 75COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 031714E3

Memory Dump Source

Source File: 00000006.00000002.913279398.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: b01cb4c9126f066c43019c05e9a6591629ed63151bd823178102688e5f2eadff
Instruction ID: 2c0258dd50d4cb0dfcb36550e91e50920719d30f4e6c21a6d2f563040286af98
Opcode Fuzzy Hash: b01cb4c9126f066c43019c05e9a6591629ed63151bd823178102688e5f2eadff
Instruction Fuzzy Hash: 21217E76509784AFDB228F25DC40B92BFB4AF06210F0D84EAE9858B562D3749908CB62

Uniqueness

Uniqueness Score: -1.00%

Function 031717CF, Relevance: 1.6, APIs: 1, Instructions: 64nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL(?,?,?,?), ref: 03171845

Memory Dump Source

Source File: 00000006.00000002.913279398.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: 504c033f26d7218241539aa9c22c04a8a5e4a16765fa0a298e2ee2cecd2e4950
Instruction ID: 323bb87a69db5b3bc5c4af535db02f7eb375e49fd4daa4aa59bcf059e4a9b777
Opcode Fuzzy Hash: 504c033f26d7218241539aa9c22c04a8a5e4a16765fa0a298e2ee2cecd2e4950
Instruction Fuzzy Hash: FE21AE764097C0AFDB238B21DC41A52FFB4EF16314F0D84DBE9848B563D269A909DB62

Uniqueness

Uniqueness Score: -1.00%

Function 031729EA, Relevance: 1.6, APIs: 1, Instructions: 62networkCOMMON

Download Yara Rule

APIs

bind.WS2_32(?,00000E2C,B14A1E94,00000000,00000000,00000000,00000000), ref: 03172A4B

Memory Dump Source

Source File: 00000006.00000002.913279398.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID: bind
String ID:
API String ID: 1187836755-0
Opcode ID: 3cd62d21ead1841eee67e392dbf91704353042061e8bb2a9e60ecfeae5a13c10
Instruction ID: 917e96f08c8f28b657d0e637ca8e84d53b48650f7c11a36d541dd4d275ce010b
Opcode Fuzzy Hash: 3cd62d21ead1841eee67e392dbf91704353042061e8bb2a9e60ecfeae5a13c10
Instruction Fuzzy Hash: A711D0B1500304AFE721CF15DC84FA6FBACEF08320F0888AAED049B641D374E405CAB1

Uniqueness

Uniqueness Score: -1.00%

Function 0317149A, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 031714E3

Memory Dump Source

Source File: 00000006.00000002.913279398.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: 963029b8796bfa6def90bb9eb3bd9f43fd09ed057ee7bbdfaaa60ca20a40ffb8
Instruction ID: 5fb36dc84dfcad2c792bc4457329b5d060ec38381181ca79806a86e03fadbffd
Opcode Fuzzy Hash: 963029b8796bfa6def90bb9eb3bd9f43fd09ed057ee7bbdfaaa60ca20a40ffb8
Instruction Fuzzy Hash: BF114C765003049FDB21CF56D844B66FBE8EF08320F0C84AAED4A8B655D375E454CB61

Uniqueness

Uniqueness Score: -1.00%

Function 031711C2, Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNELBASE(?), ref: 031711F4

Memory Dump Source

Source File: 00000006.00000002.913279398.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: 67d52ad4be65464c31d922b5c679d697eb07441859cc35c4fd4638a38a245147
Instruction ID: b18820f5334d967a88f7abfcc3a28185bf6e624e2cbf2b3e8d5ba1600ce9d827
Opcode Fuzzy Hash: 67d52ad4be65464c31d922b5c679d697eb07441859cc35c4fd4638a38a245147
Instruction Fuzzy Hash: 3001A2709043409FDB20CF56E8847A6FBA4EF08320F1CC4AADD488F646D378A548CAA2

Uniqueness

Uniqueness Score: -1.00%

Function 0317180A, Relevance: 1.5, APIs: 1, Instructions: 38nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL(?,?,?,?), ref: 03171845

Memory Dump Source

Source File: 00000006.00000002.913279398.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: 9353e69fd846d0bd6b8b50a61ed16c1282c736eb5ec465e9b7ffa33d6e179d0f
Instruction ID: 13e8b6f958631359199a4490de5070ee92cabfa3f68650b99383d64bf673d042
Opcode Fuzzy Hash: 9353e69fd846d0bd6b8b50a61ed16c1282c736eb5ec465e9b7ffa33d6e179d0f
Instruction Fuzzy Hash: A1017C355003409FDB20CF46D844B66FBA4EF08720F0CC4AADD490B616D379A458CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 031023A0, Relevance: .5, Instructions: 505COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.913178689.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6541d2abb34cb698090b055b301b90b4eeb5d4aa9f52c89617b271da4943fee3
Instruction ID: e06fdde094390d2ff05dfefaec0f76b6bfc75452f497348d25e3b63bdfc6c6f7
Opcode Fuzzy Hash: 6541d2abb34cb698090b055b301b90b4eeb5d4aa9f52c89617b271da4943fee3
Instruction Fuzzy Hash: 9112BF30A00215CFCB28CF69C4986AEB7F2FF89344F198969D415EB295DBB5DC86CB50

Uniqueness

Uniqueness Score: -1.00%

Function 031089D8, Relevance: .5, Instructions: 505COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.913178689.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88b43326465e41ae4eb8f9d6cc59756a0bd5778a34e518aa6fb1bf2f9879f805
Instruction ID: 2f2a1a3f8ca1afe33eb85b803c993f653bdb93b7f4bd54b875e725a8d806c2f1
Opcode Fuzzy Hash: 88b43326465e41ae4eb8f9d6cc59756a0bd5778a34e518aa6fb1bf2f9879f805
Instruction Fuzzy Hash: F712CE34E04215CFDB28CF75D49466EBBF2FF88304F1995A9E416AB291DBB48882CF40

Uniqueness

Uniqueness Score: -1.00%

Function 03102FA8, Relevance: .2, Instructions: 239COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.913178689.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4371e0c0b3cf60c26862985a609b357f3bb554344e916c24d8e9c052c65f5c7
Instruction ID: ba2ab2f795834075ff801c27642e730d62827a6d41be84a2f25db5ffb4433488
Opcode Fuzzy Hash: f4371e0c0b3cf60c26862985a609b357f3bb554344e916c24d8e9c052c65f5c7
Instruction Fuzzy Hash: A681CD36F011159BD718DB68C984A6EB7F3AFC8310F2AC465E415AB3A9DF70DC418B90

Uniqueness

Uniqueness Score: -1.00%

Function 031701F4, Relevance: 3.1, APIs: 2, Instructions: 100synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNELBASE(?,?), ref: 0317019D
FindCloseChangeNotification.KERNELBASE(?), ref: 03170264

Memory Dump Source

Source File: 00000006.00000002.913279398.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID: ChangeCloseCreateFindMutexNotification
String ID:
API String ID: 2967213129-0
Opcode ID: 007e34d1a3127a3e49d6a51e1b4b8c222b187149c56fd657e3dd0f01664b2755
Instruction ID: 70fdcc66887cce526d29ccef4005d98742eca8159246f7f22d8eaf2331148ada
Opcode Fuzzy Hash: 007e34d1a3127a3e49d6a51e1b4b8c222b187149c56fd657e3dd0f01664b2755
Instruction Fuzzy Hash: CF31D2B14053809FE711CF25E985796BFA8EF0A324F0C84EBED848F252D3759909CB61

Uniqueness

Uniqueness Score: -1.00%

Function 03102D58, Relevance: 2.6, Strings: 2, Instructions: 136COMMON

Download Yara Rule

Strings

, xrefs: 03102E76
>_kq, xrefs: 03102DA5

Memory Dump Source

Source File: 00000006.00000002.913178689.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID:
String ID: $>_kq
API String ID: 0-1412446344
Opcode ID: 173e70ffb12af13162c8dace01d3f4dd0aeabb2b3945124c35c7a7fa5155950a
Instruction ID: 1eba94389231d37cf8f4759856b78fa269b4589d8ba47472def4a5446c606e8e
Opcode Fuzzy Hash: 173e70ffb12af13162c8dace01d3f4dd0aeabb2b3945124c35c7a7fa5155950a
Instruction Fuzzy Hash: 6D41B430F442558FCB14CF69C8885BEBB72ABCD214B29CC76C415DB685C7B5E8538752

Uniqueness

Uniqueness Score: -1.00%

Function 03171950, Relevance: 1.6, APIs: 1, Instructions: 124networkCOMMON

Download Yara Rule

APIs

DnsQuery_A.DNSAPI(?,00000E2C,?,?), ref: 03171A46

Memory Dump Source

Source File: 00000006.00000002.913279398.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID: Query_
String ID:
API String ID: 428220571-0
Opcode ID: d99b271bbc2a81fc7684ac13c9b9b974e599ea2ae22ab30f942608b8e51d8729
Instruction ID: 064b679b1aebd44624e2349d8f7d02dd33d63cb2fb064c0eedcb4ebb49fd8a87
Opcode Fuzzy Hash: d99b271bbc2a81fc7684ac13c9b9b974e599ea2ae22ab30f942608b8e51d8729
Instruction Fuzzy Hash: F841126540E7C06FD3138B358C61A61BFB4EF47614B0E85CBD884CB5A3D159690AD7B2

Uniqueness

Uniqueness Score: -1.00%

Function 03170EB8, Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,00000E2C), ref: 03170F5B

Memory Dump Source

Source File: 00000006.00000002.913279398.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: c7528e2fd30a533fae604821f0f1924bb783bfa174e2c45f9fa245f53e751f5d
Instruction ID: d2e0cc05f210be02984986dbde40e1d5833fc8f8f90d6430287cec465c052324
Opcode Fuzzy Hash: c7528e2fd30a533fae604821f0f1924bb783bfa174e2c45f9fa245f53e751f5d
Instruction Fuzzy Hash: C13195715043446FEB228F65DC44FA7BFACEF09320F0888AAF985DB152D224E959CB61

Uniqueness

Uniqueness Score: -1.00%

Function 03170C58, Relevance: 1.6, APIs: 1, Instructions: 93COMMON

Download Yara Rule

APIs

GetTempFileNameW.KERNELBASE(?,00000E2C,?,?), ref: 03170D1A

Memory Dump Source

Source File: 00000006.00000002.913279398.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID: FileNameTemp
String ID:
API String ID: 745986568-0
Opcode ID: d6401ce7ef13b0c78ea669c016501b66350e56000388da69eec9915da14878ab
Instruction ID: eb57dc75976541066e60d3fc1c689fa42c93e9207dadb48ba415e1adb7611c84
Opcode Fuzzy Hash: d6401ce7ef13b0c78ea669c016501b66350e56000388da69eec9915da14878ab
Instruction Fuzzy Hash: 03315A6140E7C06FD7138B258C51B62BFB4EF47620F0E85DBD9848F5A3D225A91AC7A2

Uniqueness

Uniqueness Score: -1.00%

Function 03170390, Relevance: 1.6, APIs: 1, Instructions: 93registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.KERNELBASE(?,00000E2C), ref: 0317045E

Memory Dump Source

Source File: 00000006.00000002.913279398.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 50627245e237f81ab3773386a837c07cd55ff6fceac754ec5e338d6e5eb7547a
Instruction ID: 236123c278ee859584cd23c90a6cca2838fb27c4773dadc50b90ad22952c9ed4
Opcode Fuzzy Hash: 50627245e237f81ab3773386a837c07cd55ff6fceac754ec5e338d6e5eb7547a
Instruction Fuzzy Hash: 103192B2004344AFE7228F15CC41FA6FFB8EF06714F18899EE9859B192D365A949CB61

Uniqueness

Uniqueness Score: -1.00%

Function 03172B83, Relevance: 1.6, APIs: 1, Instructions: 92windowCOMMON

Download Yara Rule

APIs

FormatMessageW.KERNELBASE(?,00000E2C,?,?), ref: 03172C42

Memory Dump Source

Source File: 00000006.00000002.913279398.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID: FormatMessage
String ID:
API String ID: 1306739567-0
Opcode ID: 36dff471d63f3876f99771b27320a9fb27ec12463fac168eac23960a3807f555
Instruction ID: 6aaf3b084c98d0d3cfd71f8cbaeb12fef6e0cee59bacdd4369bfea39e0c2d212
Opcode Fuzzy Hash: 36dff471d63f3876f99771b27320a9fb27ec12463fac168eac23960a3807f555
Instruction Fuzzy Hash: 45317C7140E3C55FD7139B258C61A66BFB4EF47710F1A80CBD9848F2A3E624A909C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 031707F4, Relevance: 1.6, APIs: 1, Instructions: 92fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 03170899

Memory Dump Source

Source File: 00000006.00000002.913279398.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 489b212d9d9d08da8ec8c6711bf2d73275ec09bd6c9c14b771f739581936e9e3
Instruction ID: 91a6085b0d2d36e71f30bdf31837137a96de19fc1049869f5dd800de70cf9d5f
Opcode Fuzzy Hash: 489b212d9d9d08da8ec8c6711bf2d73275ec09bd6c9c14b771f739581936e9e3
Instruction Fuzzy Hash: 64316DB1505380AFE722CF65DC44B66BFE8EF09610F0884AEE9858B252D375E909DB61

Uniqueness

Uniqueness Score: -1.00%

Function 03172720, Relevance: 1.6, APIs: 1, Instructions: 89timeCOMMON

Download Yara Rule

APIs

GetProcessTimes.KERNELBASE(?,00000E2C,B14A1E94,00000000,00000000,00000000,00000000), ref: 031727BD

Memory Dump Source

Source File: 00000006.00000002.913279398.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID: ProcessTimes
String ID:
API String ID: 1995159646-0
Opcode ID: 9eed6d3cccd4de8312e4ba40e5559fa91bedd6ecff090ed33c7fb10632825354
Instruction ID: 1d6a98a679c387e5782cf6e458c47c36a0fbe45035570c5e7ffde963175941c2
Opcode Fuzzy Hash: 9eed6d3cccd4de8312e4ba40e5559fa91bedd6ecff090ed33c7fb10632825354
Instruction Fuzzy Hash: 2031A5B25093806FE7228F25DD45B96BFB8EF06320F0884EAE985DB153D335D905CB61

Uniqueness

Uniqueness Score: -1.00%

Function 03170FB9, Relevance: 1.6, APIs: 1, Instructions: 89COMMON

Download Yara Rule

APIs

GetExitCodeProcess.KERNELBASE(?,00000E2C,B14A1E94,00000000,00000000,00000000,00000000), ref: 0317105C

Memory Dump Source

Source File: 00000006.00000002.913279398.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID: CodeExitProcess
String ID:
API String ID: 3861947596-0
Opcode ID: 5c8f73fd5ab84c44ef8244924bf94b0f8fc3e10d440be29f4c8e0adb3208a1f7
Instruction ID: 3536066686c49e0d1e0e5e9f54b5dd446ae8f17e53067ce5a3a2822ffb9c0218
Opcode Fuzzy Hash: 5c8f73fd5ab84c44ef8244924bf94b0f8fc3e10d440be29f4c8e0adb3208a1f7
Instruction Fuzzy Hash: E031C8715093C06FE712CB25DC55FA6BFB8EF46710F0D44DAE9849F1A3D624A908C761

Uniqueness

Uniqueness Score: -1.00%

Function 031700F6, Relevance: 1.6, APIs: 1, Instructions: 89synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNELBASE(?,?), ref: 0317019D

Memory Dump Source

Source File: 00000006.00000002.913279398.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: e4c1f9ac0c0c689fb3af1c600eeeac4f9f0e334680a17db6be5a4f0263343eea
Instruction ID: d391783a5bc4ae6fcb2ebe8e673c77f9b198c80741994933c2e2731fee4ef3b5
Opcode Fuzzy Hash: e4c1f9ac0c0c689fb3af1c600eeeac4f9f0e334680a17db6be5a4f0263343eea
Instruction Fuzzy Hash: 633173B15097806FE722CB25DC85B56FFF8EF0A310F09849AE984CB292D375E909C761

Uniqueness

Uniqueness Score: -1.00%

Function 031722B4, Relevance: 1.6, APIs: 1, Instructions: 87fileCOMMON

Download Yara Rule

APIs

MapViewOfFile.KERNELBASE ref: 03172366

Memory Dump Source

Source File: 00000006.00000002.913279398.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID: FileView
String ID:
API String ID: 3314676101-0
Opcode ID: 0c4f252b3a432e3ac08c713a5c098901e128dc1423022192e21bb5fcf0f7459b
Instruction ID: 587d2baa1355e5ac7efe2a0782d1a51f25770d106fb23a58f4be30e23d27b5b2
Opcode Fuzzy Hash: 0c4f252b3a432e3ac08c713a5c098901e128dc1423022192e21bb5fcf0f7459b
Instruction Fuzzy Hash: D131B3B2404780AFE722CB15DC45F96FFF8EF0A320F08459AE9849B152D375A509CB61

Uniqueness

Uniqueness Score: -1.00%

Function 031704AB, Relevance: 1.6, APIs: 1, Instructions: 86registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,B14A1E94,00000000,00000000,00000000,00000000), ref: 0317055C

Memory Dump Source

Source File: 00000006.00000002.913279398.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: ef1ee7952922f3e84804e8e85ae83da33c4af3999354302562cf8079fbc97a18
Instruction ID: 19177226c720a76f82b315bf8a365822e893c15745a9b3c3b8db77cb3568c466
Opcode Fuzzy Hash: ef1ee7952922f3e84804e8e85ae83da33c4af3999354302562cf8079fbc97a18
Instruction Fuzzy Hash: EC316F711097806FD722CB25DC44B92FFB8AF0A610F0C85DAE9859B1A2D264E908CB71

Uniqueness

Uniqueness Score: -1.00%

Function 03170EDE, Relevance: 1.6, APIs: 1, Instructions: 80COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,00000E2C), ref: 03170F5B

Memory Dump Source

Source File: 00000006.00000002.913279398.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: cc11ced15ed4e863e32067b471ab66e890edc68328caa1dc97e4e523eba7094b
Instruction ID: fd2ba04a7d0f4d984a5b33f22d37f6a289e1caf83e27f6db2111cf3c69f1f3e5
Opcode Fuzzy Hash: cc11ced15ed4e863e32067b471ab66e890edc68328caa1dc97e4e523eba7094b
Instruction Fuzzy Hash: 01218171500704AFEB21CF65DC44FAAFBACEF08320F08886AE9459A551D634E5458B61

Uniqueness

Uniqueness Score: -1.00%

Function 031702AB, Relevance: 1.6, APIs: 1, Instructions: 79registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNELBASE(?,00000E2C), ref: 03170353

Memory Dump Source

Source File: 00000006.00000002.913279398.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: da24a2c1fb8867d2f84a8ddbb2a5e247715bec357f40445f36a42c908cd3fdf8
Instruction ID: d4a9eb38a05323f16c08afb6e11d3d3111e03ad61f8e1b278710d640ad58d7f8
Opcode Fuzzy Hash: da24a2c1fb8867d2f84a8ddbb2a5e247715bec357f40445f36a42c908cd3fdf8
Instruction Fuzzy Hash: 7721B571009380AFE7228F21DC45FA6FFB8EF06310F0884DAE9848B193D275A909CB71

Uniqueness

Uniqueness Score: -1.00%

Function 031721D2, Relevance: 1.6, APIs: 1, Instructions: 78COMMON

Download Yara Rule

APIs

OpenFileMappingW.KERNELBASE(?,?), ref: 0317225D

Memory Dump Source

Source File: 00000006.00000002.913279398.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID: FileMappingOpen
String ID:
API String ID: 1680863896-0
Opcode ID: 727f226087b168a942ab6ecb388d8562b2a62767a66da60b696b18e4b1373bd4
Instruction ID: e6faa884921a77d42f703049fa6424eacd8db6f98440fd39699502dd2a37e4ec
Opcode Fuzzy Hash: 727f226087b168a942ab6ecb388d8562b2a62767a66da60b696b18e4b1373bd4
Instruction Fuzzy Hash: BA2180B1505380AFE721CB25CC45F66FFB8EF09320F08849EE9848B252D375E909C765

Uniqueness

Uniqueness Score: -1.00%

Function 03171A72, Relevance: 1.6, APIs: 1, Instructions: 77networkCOMMON

Download Yara Rule

APIs

WSASocketW.WS2_32(?,?,?,?,?), ref: 03171AFE

Memory Dump Source

Source File: 00000006.00000002.913279398.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID: Socket
String ID:
API String ID: 38366605-0
Opcode ID: 4690c30cabfeec3a0c3b75ea4b62f469e39a524475a6f2dbcc91914fe4bb0a33
Instruction ID: 6a5925dad5db24a28736f40f889d0b84bc58c2f5ba99d6d2654b06dd5dbbe744
Opcode Fuzzy Hash: 4690c30cabfeec3a0c3b75ea4b62f469e39a524475a6f2dbcc91914fe4bb0a33
Instruction Fuzzy Hash: 03217E71505780AFE722CF65DD44F56FFB8EF09310F08859EE9858B652D375A408CB61

Uniqueness

Uniqueness Score: -1.00%

Function 031708F0, Relevance: 1.6, APIs: 1, Instructions: 77COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E2C,B14A1E94,00000000,00000000,00000000,00000000), ref: 03170985

Memory Dump Source

Source File: 00000006.00000002.913279398.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: a35eb6f3c3b00dd55cf9fb835dbc0a1f36a47c271201a3ca1390a874dca51b4c
Instruction ID: 909d111610e5fe232b9e7e9a68e5a3c64a14e68742346df68b4e49a98491af30
Opcode Fuzzy Hash: a35eb6f3c3b00dd55cf9fb835dbc0a1f36a47c271201a3ca1390a874dca51b4c
Instruction Fuzzy Hash: E421C2B64097846FE712CB25DC40BA3BFBCEF46720F1884DAE9849B153D224A909C7B1

Uniqueness

Uniqueness Score: -1.00%

Function 0317081A, Relevance: 1.6, APIs: 1, Instructions: 76fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 03170899

Memory Dump Source

Source File: 00000006.00000002.913279398.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: ef264827196bb8f56d079cbaaf8db515684887ce84a61c0feeb0149b22d17c9a
Instruction ID: 09aff70a0f0902724c535ce46b5f298b7186fe30f69bdd4fdb0bce0bc6577aef
Opcode Fuzzy Hash: ef264827196bb8f56d079cbaaf8db515684887ce84a61c0feeb0149b22d17c9a
Instruction Fuzzy Hash: CD218E71900700AFE721DF66DD44B66FBE8EF08710F08846EE9858B651D775E504CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 03170B79, Relevance: 1.6, APIs: 1, Instructions: 75registryCOMMON

Download Yara Rule

APIs

RegSetValueExW.KERNELBASE(?,00000E2C,B14A1E94,00000000,00000000,00000000,00000000), ref: 03170C10

Memory Dump Source

Source File: 00000006.00000002.913279398.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: f16201603aba2bd3caa4a0a60341b1c525d2181e66444c2a55d1f0c31240d943
Instruction ID: 408f6fdab63fac2727dbdd034cb400c9c72310fddce178317a1de97b3490b9ab
Opcode Fuzzy Hash: f16201603aba2bd3caa4a0a60341b1c525d2181e66444c2a55d1f0c31240d943
Instruction Fuzzy Hash: DD21ACB2504340AFE722CE15CC84F67FFBCEF09310F08849AE9859B252D324E908CB61

Uniqueness

Uniqueness Score: -1.00%

Function 031709C0, Relevance: 1.6, APIs: 1, Instructions: 75fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,00000E2C,B14A1E94,00000000,00000000,00000000,00000000), ref: 03170A51

Memory Dump Source

Source File: 00000006.00000002.913279398.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 77be1335dbdbbeb70e0e1557c98f4aff8a7b769f49005761a8577a7d6a8b55ad
Instruction ID: 87dbc659902209130489edf10b7ee1d6bfa0cd47d038d038569f1f0e77c0e2eb
Opcode Fuzzy Hash: 77be1335dbdbbeb70e0e1557c98f4aff8a7b769f49005761a8577a7d6a8b55ad
Instruction Fuzzy Hash: 94219071409380AFE722CF25DD44F56BFB8EF06314F0884DBE9849B153C274A909CB62

Uniqueness

Uniqueness Score: -1.00%

Function 031703CA, Relevance: 1.6, APIs: 1, Instructions: 75registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.KERNELBASE(?,00000E2C), ref: 0317045E

Memory Dump Source

Source File: 00000006.00000002.913279398.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: b008f98ef8cb4f8e93218a24380523bddcbb8c55f5c5396bbdbe4db8568ed6f6
Instruction ID: 8637fc4a1cace513f3ae30774d51bcc65421b6d44f1893d3f607de6303ad589c
Opcode Fuzzy Hash: b008f98ef8cb4f8e93218a24380523bddcbb8c55f5c5396bbdbe4db8568ed6f6
Instruction Fuzzy Hash: 6F21C272100304AFEB31DF15DC41FA6FBACEF08710F14895AEA869A581D7B5A949CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 0317012A, Relevance: 1.6, APIs: 1, Instructions: 72synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNELBASE(?,?), ref: 0317019D

Memory Dump Source

Source File: 00000006.00000002.913279398.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: a54550c5ec162637f5d8a6022453a3a248d3f981146ce29d4fbe880800b333fe
Instruction ID: 9bf0a7a92884dee59c8ed9e97cc2e64387d947b3f8ab0406694ca3bc184db2c2
Opcode Fuzzy Hash: a54550c5ec162637f5d8a6022453a3a248d3f981146ce29d4fbe880800b333fe
Instruction Fuzzy Hash: 22219271600340AFE720DF69DD85B6AFBE8EF08320F08846AED458B641D775E904CB71

Uniqueness

Uniqueness Score: -1.00%

Function 03170723, Relevance: 1.6, APIs: 1, Instructions: 71COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,?), ref: 0317079F

Memory Dump Source

Source File: 00000006.00000002.913279398.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: e881d7db37256e5c82738a1305f496de7bb1dec3c330607415b39f16537f282b
Instruction ID: 1ee63392e3e42bdaebe9f516a2c1c368d195d785b41e6fd33b6f76b7806c821b
Opcode Fuzzy Hash: e881d7db37256e5c82738a1305f496de7bb1dec3c330607415b39f16537f282b
Instruction Fuzzy Hash: 962160725093809FD751CB25DC44B96BFF8EF06214F0D84EAE985CF552D3249948CB61

Uniqueness

Uniqueness Score: -1.00%

Function 03170A9B, Relevance: 1.6, APIs: 1, Instructions: 71fileCOMMON

Download Yara Rule

APIs

CopyFileW.KERNELBASE(?,?,?), ref: 03170B1E

Memory Dump Source

Source File: 00000006.00000002.913279398.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID: CopyFile
String ID:
API String ID: 1304948518-0
Opcode ID: 120e988517c7307afeb7d759e3dd33cedc426776be88ec0e210b92114ea03981
Instruction ID: af480e60f9df9e1740265dbc4204e24f3e90c5e7429b03e048dd7f5d439beb24
Opcode Fuzzy Hash: 120e988517c7307afeb7d759e3dd33cedc426776be88ec0e210b92114ea03981
Instruction Fuzzy Hash: 0D2180B55093845FD722CB29DC55B92BFE8AF1A218F0D84EAED84CB253D225D908C761

Uniqueness

Uniqueness Score: -1.00%

Function 031710BF, Relevance: 1.6, APIs: 1, Instructions: 71fileCOMMON

Download Yara Rule

APIs

DeleteFileA.KERNELBASE(?,00000E2C), ref: 0317114B

Memory Dump Source

Source File: 00000006.00000002.913279398.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: bedd463ea670c14cb47e235dfa4de660d05da7ff81d65b31ff7b9f6daead04a0
Instruction ID: 6ea1e9f1d782cebfe59557d08ace4fcdfa5027338117b4218b68faf8bdbc9920
Opcode Fuzzy Hash: bedd463ea670c14cb47e235dfa4de660d05da7ff81d65b31ff7b9f6daead04a0
Instruction Fuzzy Hash: B721C3715453846FE721CB25DC45FA6BFA8EF05720F1880AAFD458F192D364A948CB62

Uniqueness

Uniqueness Score: -1.00%

Function 03171530, Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 0317159C

Memory Dump Source

Source File: 00000006.00000002.913279398.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: d4f6a536ecd01bc5d0efff9c784d8a62b46f7ea2a7e5987c5979fd5dc25b0671
Instruction ID: df37dc67c67c87cad26a64db6b6106f977b91c352ac8aff22f1062cc0ed3846f
Opcode Fuzzy Hash: d4f6a536ecd01bc5d0efff9c784d8a62b46f7ea2a7e5987c5979fd5dc25b0671
Instruction Fuzzy Hash: 0121A1725093C45FDB12CB25DC94692BFB4AF07224F0D84EAED858F663D2749908CB62

Uniqueness

Uniqueness Score: -1.00%

Function 031721F2, Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

OpenFileMappingW.KERNELBASE(?,?), ref: 0317225D

Memory Dump Source

Source File: 00000006.00000002.913279398.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID: FileMappingOpen
String ID:
API String ID: 1680863896-0
Opcode ID: 0041792f195b31e512e804ba10ec4ca5efaec0a4f644b90b4dddaf3c2826ad8f
Instruction ID: 8b079202775b205e0490f14cc8c9f75a1d65ceef2ba64b163d015a3921536dd3
Opcode Fuzzy Hash: 0041792f195b31e512e804ba10ec4ca5efaec0a4f644b90b4dddaf3c2826ad8f
Instruction Fuzzy Hash: 7F21F3B1500304AFE720DF25CC45B66FBE8EF08320F18886EED458B641D375E906CA71

Uniqueness

Uniqueness Score: -1.00%

Function 03171A92, Relevance: 1.6, APIs: 1, Instructions: 67networkCOMMON

Download Yara Rule

APIs

WSASocketW.WS2_32(?,?,?,?,?), ref: 03171AFE

Memory Dump Source

Source File: 00000006.00000002.913279398.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID: Socket
String ID:
API String ID: 38366605-0
Opcode ID: 2741f018a165989a56ef56c71ce82c8eb0ba25770c31594ffded7118032d4024
Instruction ID: 1159578bbede7af224e193222582375894038bb00b51b52c53ccc74574c90302
Opcode Fuzzy Hash: 2741f018a165989a56ef56c71ce82c8eb0ba25770c31594ffded7118032d4024
Instruction Fuzzy Hash: D5219D71500740AFEB21CF65DD45B66FBF8EF08320F08886AEE859B651D375A408CB61

Uniqueness

Uniqueness Score: -1.00%

Function 031722F2, Relevance: 1.6, APIs: 1, Instructions: 67fileCOMMON

Download Yara Rule

APIs

MapViewOfFile.KERNELBASE ref: 03172366

Memory Dump Source

Source File: 00000006.00000002.913279398.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID: FileView
String ID:
API String ID: 3314676101-0
Opcode ID: d2e86f872e139e098b8615ef16504f582f4ff7062a2497520b64693285b8858f
Instruction ID: 0f3d760dbe6df3bc58b559fb36123b69579f2757f6af8e012756098c4ae2e647
Opcode Fuzzy Hash: d2e86f872e139e098b8615ef16504f582f4ff7062a2497520b64693285b8858f
Instruction Fuzzy Hash: 4C219D71500244AFE721CF66CD85FA6FBE8EF08320F08895EE9859B641D775A509CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 03170B9E, Relevance: 1.6, APIs: 1, Instructions: 65registryCOMMON

Download Yara Rule

APIs

RegSetValueExW.KERNELBASE(?,00000E2C,B14A1E94,00000000,00000000,00000000,00000000), ref: 03170C10

Memory Dump Source

Source File: 00000006.00000002.913279398.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: d084113f0f8fbbef165e9226e81b8bc3141a6d7ea2728db92afb2ec94cf22034
Instruction ID: 093bdb8da9a099ab2218ce75d1abe066d43a9f85a16b080cd8cb64c4aab3e0c2
Opcode Fuzzy Hash: d084113f0f8fbbef165e9226e81b8bc3141a6d7ea2728db92afb2ec94cf22034
Instruction Fuzzy Hash: E0118EB6600304AFEB21CE15DC85B67FBACEF08720F08849AED459B646D774E544CA72

Uniqueness

Uniqueness Score: -1.00%

Function 031704EA, Relevance: 1.6, APIs: 1, Instructions: 65registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,B14A1E94,00000000,00000000,00000000,00000000), ref: 0317055C

Memory Dump Source

Source File: 00000006.00000002.913279398.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: ecf8e81c606cd27ddd637db4b8994c00486019dbf1e9f66d65c435b482f80d46
Instruction ID: 949616ac2e90f98b014ae2f40da32a3544027ecd19e3cdbee1f481bcb960ef23
Opcode Fuzzy Hash: ecf8e81c606cd27ddd637db4b8994c00486019dbf1e9f66d65c435b482f80d46
Instruction Fuzzy Hash: 41117FB1500704AFEB21CE15DC84F67FBECEF08720F08845AE9459B652D764E544CA71

Uniqueness

Uniqueness Score: -1.00%

Function 0317275E, Relevance: 1.6, APIs: 1, Instructions: 64timeCOMMON

Download Yara Rule

APIs

GetProcessTimes.KERNELBASE(?,00000E2C,B14A1E94,00000000,00000000,00000000,00000000), ref: 031727BD

Memory Dump Source

Source File: 00000006.00000002.913279398.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID: ProcessTimes
String ID:
API String ID: 1995159646-0
Opcode ID: bd65cce7ba028a1f99872aa41a4f97601ef255c1fcdbd94a31cfeaeedbd13588
Instruction ID: ab6b0e5ff7cf5b96293096b390f021087537d70b10a093015c4e37a37ce79e63
Opcode Fuzzy Hash: bd65cce7ba028a1f99872aa41a4f97601ef255c1fcdbd94a31cfeaeedbd13588
Instruction Fuzzy Hash: 0A11E272500300AFEB21CF69DD45BAAFBE8EF08720F08886AED458B645D374E445CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 031712F8, Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 03171362

Memory Dump Source

Source File: 00000006.00000002.913279398.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 7e9213298d192e27834dfb40351752ed242ed823645afb443384fa2678e96eb9
Instruction ID: fc97f71f7a263ce54493df8209ec2864e6cb98e9a7fc9b3055d0c1abbb204374
Opcode Fuzzy Hash: 7e9213298d192e27834dfb40351752ed242ed823645afb443384fa2678e96eb9
Instruction Fuzzy Hash: 26114D725053809FD721CF25DC85B96BFE8EF05220F0D84AAE945CB652D324E804CB61

Uniqueness

Uniqueness Score: -1.00%

Function 03171006, Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

GetExitCodeProcess.KERNELBASE(?,00000E2C,B14A1E94,00000000,00000000,00000000,00000000), ref: 0317105C

Memory Dump Source

Source File: 00000006.00000002.913279398.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID: CodeExitProcess
String ID:
API String ID: 3861947596-0
Opcode ID: 4c094bc111f8feb55f717a9bc2a55d8cc99f63f9a1fd1c859ddb94cf31d334b9
Instruction ID: a28c18e5c2570760a994d9e3162d251257b3a3cce16fa8ba6c06291383a380d6
Opcode Fuzzy Hash: 4c094bc111f8feb55f717a9bc2a55d8cc99f63f9a1fd1c859ddb94cf31d334b9
Instruction Fuzzy Hash: 46119171500344AFEB21CF2ADC85BAABBA8DF44720F1884AAED459B245D678E544CAB1

Uniqueness

Uniqueness Score: -1.00%

Function 03171724, Relevance: 1.6, APIs: 1, Instructions: 60COMMON

Download Yara Rule

APIs

K32EnumProcesses.KERNEL32(?,?,?,B14A1E94,00000000,?,?,?,?,?,?,?,?,72203C38), ref: 03171786

Memory Dump Source

Source File: 00000006.00000002.913279398.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID: EnumProcesses
String ID:
API String ID: 84517404-0
Opcode ID: ef20486d46676ee1ce75f1b9df6278740e39f95eb774bf7093995485f0387b53
Instruction ID: 775d0e96a2527d16bf8d28606319789b8dc0e0033510a05190beb1c887ab74ec
Opcode Fuzzy Hash: ef20486d46676ee1ce75f1b9df6278740e39f95eb774bf7093995485f0387b53
Instruction Fuzzy Hash: 57116D71505384AFD721CF65DC84B96FFF8EF05220F0D84AAED458B252D334A808CB61

Uniqueness

Uniqueness Score: -1.00%

Function 031702DE, Relevance: 1.6, APIs: 1, Instructions: 60registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNELBASE(?,00000E2C), ref: 03170353

Memory Dump Source

Source File: 00000006.00000002.913279398.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 4301f75893efb5a685fa3f398728d3f17c246346c1e785f5a385a7e6c1a11ce8
Instruction ID: f6f62f4e1976d7629206ebcaf3b92d9c5c9ff09a000ae80c6aa749fb8069c8a7
Opcode Fuzzy Hash: 4301f75893efb5a685fa3f398728d3f17c246346c1e785f5a385a7e6c1a11ce8
Instruction Fuzzy Hash: A811C171100304AFEB31CF15DC41FA6FBA8FF08720F18849AEE454A696D375A548CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 031709F2, Relevance: 1.6, APIs: 1, Instructions: 60fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,00000E2C,B14A1E94,00000000,00000000,00000000,00000000), ref: 03170A51

Memory Dump Source

Source File: 00000006.00000002.913279398.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 1d6a3ee7b2eeb2e40b60cbc1ebfebe02e4e5d3c44c85ff9bea125da9ecc302d4
Instruction ID: b954f65c31118e9c9ee26eb110d87feeb8926ef13c39295601419549daec80d7
Opcode Fuzzy Hash: 1d6a3ee7b2eeb2e40b60cbc1ebfebe02e4e5d3c44c85ff9bea125da9ecc302d4
Instruction Fuzzy Hash: 9311C171500304AFEB21CF55DC44FA6FBA8EF08720F0884AAED499B645D374E508CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 031710E2, Relevance: 1.6, APIs: 1, Instructions: 60fileCOMMON

Download Yara Rule

APIs

DeleteFileA.KERNELBASE(?,00000E2C), ref: 0317114B

Memory Dump Source

Source File: 00000006.00000002.913279398.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: d8c64c566431235c67a7f3f9970270262c31419580af7d7c3b9df5ac46bf9f4a
Instruction ID: ef12d50e0ed6ebfebeaa9853ae5a6a3497f20025b1a0e112192583cd4e27bb08
Opcode Fuzzy Hash: d8c64c566431235c67a7f3f9970270262c31419580af7d7c3b9df5ac46bf9f4a
Instruction Fuzzy Hash: CC11A371640304AFE720DA25DC45BA6FBA8DF04720F1880AAED458E685D6B4A944CAB1

Uniqueness

Uniqueness Score: -1.00%

Function 0317118F, Relevance: 1.6, APIs: 1, Instructions: 56COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNELBASE(?), ref: 031711F4

Memory Dump Source

Source File: 00000006.00000002.913279398.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: 88696a07b3d1f34cfc7c81f6cabdf7cbe0ebae8d067c1ce4fc9698abc52bdd48
Instruction ID: de056d68919f9c8aec5eeba9610594d58052a0d4813d23a442ec8c573a971f23
Opcode Fuzzy Hash: 88696a07b3d1f34cfc7c81f6cabdf7cbe0ebae8d067c1ce4fc9698abc52bdd48
Instruction Fuzzy Hash: FA114C714093C09FD7128B65DC44796BFB4EF46224F1D84EBED848F153C279A949CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0317131A, Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 03171362

Memory Dump Source

Source File: 00000006.00000002.913279398.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: fb6a952966524136e0d8d8482d85bb2a3cf6c575fafef84c7053c02f5eac7538
Instruction ID: c208e2641dc80e80665cc7c923535cf350e80c7119bd806977246a3f1ff90ff0
Opcode Fuzzy Hash: fb6a952966524136e0d8d8482d85bb2a3cf6c575fafef84c7053c02f5eac7538
Instruction Fuzzy Hash: 031125756003409FDB60CF6AD985766FBE8EF08620F1C84BADD49CBA45D774E444CA71

Uniqueness

Uniqueness Score: -1.00%

Function 03170AD6, Relevance: 1.6, APIs: 1, Instructions: 53fileCOMMON

Download Yara Rule

APIs

CopyFileW.KERNELBASE(?,?,?), ref: 03170B1E

Memory Dump Source

Source File: 00000006.00000002.913279398.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID: CopyFile
String ID:
API String ID: 1304948518-0
Opcode ID: fb6a952966524136e0d8d8482d85bb2a3cf6c575fafef84c7053c02f5eac7538
Instruction ID: d32ad63e8a34ac41e3ec4be86da20f670d5368ff4ed056f1d9513653b32aa64b
Opcode Fuzzy Hash: fb6a952966524136e0d8d8482d85bb2a3cf6c575fafef84c7053c02f5eac7538
Instruction Fuzzy Hash: 2F115EB56003048FDB60CF6AD889756FBE8EF08628F1C84AADD49CB646D774E544CA71

Uniqueness

Uniqueness Score: -1.00%

Function 03170932, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E2C,B14A1E94,00000000,00000000,00000000,00000000), ref: 03170985

Memory Dump Source

Source File: 00000006.00000002.913279398.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 90a150dba925c290a4daed4043fd4eba01db330cefa31b641da910a5ba4de3aa
Instruction ID: 0089f25fd90bc6ec3ebf6f39c3c5841c611a19b351a8679a7675a412aedac2ee
Opcode Fuzzy Hash: 90a150dba925c290a4daed4043fd4eba01db330cefa31b641da910a5ba4de3aa
Instruction Fuzzy Hash: 7201D671500744AFE721CF15DC45BA6FBACDF48720F588096ED489B246D378E544CAB1

Uniqueness

Uniqueness Score: -1.00%

Function 0317075A, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,?), ref: 0317079F

Memory Dump Source

Source File: 00000006.00000002.913279398.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: 6388476287ac6864e9d8203b7b1326442a7b238557bc62ee6561e2afb0f18882
Instruction ID: a3f47fbd6409834291b06c3053ae306cfe744dd3316790d403aa1c9e0a0ed49a
Opcode Fuzzy Hash: 6388476287ac6864e9d8203b7b1326442a7b238557bc62ee6561e2afb0f18882
Instruction Fuzzy Hash: 42115E756003448FDB60CF2AD884BA6FBE8EF08620F0C84AADD49CB645E774E544CF61

Uniqueness

Uniqueness Score: -1.00%

Function 03171746, Relevance: 1.5, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

K32EnumProcesses.KERNEL32(?,?,?,B14A1E94,00000000,?,?,?,?,?,?,?,?,72203C38), ref: 03171786

Memory Dump Source

Source File: 00000006.00000002.913279398.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID: EnumProcesses
String ID:
API String ID: 84517404-0
Opcode ID: 6d20c383504ffe3527ac9cd1c4abeb6888f0d15c76839f3f4a3495db6d35567c
Instruction ID: 822d12dd27e0a72899aa96626fad3b6b6c0f44799668c35fa84dff75114c27cc
Opcode Fuzzy Hash: 6d20c383504ffe3527ac9cd1c4abeb6888f0d15c76839f3f4a3495db6d35567c
Instruction Fuzzy Hash: 74116D756003449FDB60CF6AD884BA6FBE8EF08720F0C84BADD498B655D374E544CB61

Uniqueness

Uniqueness Score: -1.00%

Function 03170CCA, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetTempFileNameW.KERNELBASE(?,00000E2C,?,?), ref: 03170D1A

Memory Dump Source

Source File: 00000006.00000002.913279398.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID: FileNameTemp
String ID:
API String ID: 745986568-0
Opcode ID: fb016f706bfd52f0131bf33af4c01ff9d56768db33c179cf5e6b66fb5e1035d2
Instruction ID: 3a8e7dd8d3a5b66e7c1073023108c716261a8b55ff4a9f4a5dd294e3ee03ada3
Opcode Fuzzy Hash: fb016f706bfd52f0131bf33af4c01ff9d56768db33c179cf5e6b66fb5e1035d2
Instruction Fuzzy Hash: DE01B171500600ABD310DF1ADC81B76FBA8FB89B20F14812AED088B641D231B915CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 03172BF2, Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

FormatMessageW.KERNELBASE(?,00000E2C,?,?), ref: 03172C42

Memory Dump Source

Source File: 00000006.00000002.913279398.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID: FormatMessage
String ID:
API String ID: 1306739567-0
Opcode ID: d2dd210a8b9b4673d383346c71066f89ed500ac9eccb219db2ef90df005f2461
Instruction ID: 07ca4a88961454f569445b1dc6631b83f177ee4e6e29d1e91c399266407ea26c
Opcode Fuzzy Hash: d2dd210a8b9b4673d383346c71066f89ed500ac9eccb219db2ef90df005f2461
Instruction Fuzzy Hash: 4701B171500604ABD310DF1ADC81B76FBA8EB89B20F14812AED088B641D231B915CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 03170232, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 03170264

Memory Dump Source

Source File: 00000006.00000002.913279398.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: bf16587d41b4dbb35adb6b1651c11fddfa9f6a098004075ff897f96333858c9d
Instruction ID: c28e90a83d793088130b1800b047120b8b72faebd845ea2c4211446974f0b6b2
Opcode Fuzzy Hash: bf16587d41b4dbb35adb6b1651c11fddfa9f6a098004075ff897f96333858c9d
Instruction Fuzzy Hash: A8018F769003409FDB50CF6AD9847A6FBA4EF48320F0CC4ABDD498F646D779E544CAA2

Uniqueness

Uniqueness Score: -1.00%

Function 0317156A, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 0317159C

Memory Dump Source

Source File: 00000006.00000002.913279398.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 5d662403c5699486e73b55e543e04f9d662b45fc3abbeef88e4fd99872c76e0e
Instruction ID: dcd62371e2d4b04eba5cd974563b0354e8326a46d9d2a2fd938119fdc6742bed
Opcode Fuzzy Hash: 5d662403c5699486e73b55e543e04f9d662b45fc3abbeef88e4fd99872c76e0e
Instruction Fuzzy Hash: 91019E715003449BD724CF1AD884756FBA4EB05220F0880AADD4A8B645D674E448CB62

Uniqueness

Uniqueness Score: -1.00%

Function 031719F6, Relevance: 1.5, APIs: 1, Instructions: 43networkCOMMON

Download Yara Rule

APIs

DnsQuery_A.DNSAPI(?,00000E2C,?,?), ref: 03171A46

Memory Dump Source

Source File: 00000006.00000002.913279398.0000000003170000.00000040.00000001.sdmp, Offset: 03170000, based on PE: false

Similarity

API ID: Query_
String ID:
API String ID: 428220571-0
Opcode ID: a795e38061eb55b47c6eb25478b719163d858ce2b8db0edadeb531e26dec6404
Instruction ID: 3341af88581969baed26e3763016117e6bd497199e7441c372b518233c6ebd55
Opcode Fuzzy Hash: a795e38061eb55b47c6eb25478b719163d858ce2b8db0edadeb531e26dec6404
Instruction Fuzzy Hash: 7701A271500604ABD214DF1ADC82B36FBE8FB89B20F14811AED084B741D271F916CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 031002E8, Relevance: 1.5, Strings: 1, Instructions: 224COMMON

Download Yara Rule

Strings

:@fq, xrefs: 03100537

Memory Dump Source

Source File: 00000006.00000002.913178689.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID:
String ID: :@fq
API String ID: 0-3673016210
Opcode ID: 6c6aa5783272cb2c302130318e37ac2f5e562edfa1c2f22265d5c6b8d58e164d
Instruction ID: 210401fac5b1c2f96fad742a9e56cd99a1e79dbc97c9ae259a8f8d60f85c424c
Opcode Fuzzy Hash: 6c6aa5783272cb2c302130318e37ac2f5e562edfa1c2f22265d5c6b8d58e164d
Instruction Fuzzy Hash: 19719E30B042059FDB09DB68C45076E7BF3EF8D310F1984AEE506AB3A5DB75AC458B52

Uniqueness

Uniqueness Score: -1.00%

Function 031021F8, Relevance: 1.3, Strings: 1, Instructions: 98COMMON

Download Yara Rule

Strings

r*+, xrefs: 0310230F

Memory Dump Source

Source File: 00000006.00000002.913178689.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID:
String ID: r*+
API String ID: 0-3221063712
Opcode ID: b31e607af40de4d673866b7b7f662bf22d7693931ef3c5ae1702adaea52a547a
Instruction ID: f46bd4dcd80eee8f63d0c5bc747cd8e627dd56aefa99487901f3665988d5ab26
Opcode Fuzzy Hash: b31e607af40de4d673866b7b7f662bf22d7693931ef3c5ae1702adaea52a547a
Instruction Fuzzy Hash: 41411A30E09209DFCB58DFE5C1596BEBBB1FB4C300F5184AAD406A72A4DBB58A46CF51

Uniqueness

Uniqueness Score: -1.00%

Function 03108830, Relevance: 1.3, Strings: 1, Instructions: 98COMMON

Download Yara Rule

Strings

r*+, xrefs: 03108947

Memory Dump Source

Source File: 00000006.00000002.913178689.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID:
String ID: r*+
API String ID: 0-3221063712
Opcode ID: 63058297cde987d1f727501129719ea0047f894a3d9ea8fb9f5d9745479a628f
Instruction ID: adfc9c4872d1eca14e021059e794cc7e48db4f4b5bd441b9e7a4945093a10198
Opcode Fuzzy Hash: 63058297cde987d1f727501129719ea0047f894a3d9ea8fb9f5d9745479a628f
Instruction Fuzzy Hash: E7415E34E08209DFDB18DFA5C5856BEBBB1FF88304F14806AD446E72A4DB758A81CF52

Uniqueness

Uniqueness Score: -1.00%

Function 031050E0, Relevance: 1.3, Strings: 1, Instructions: 92COMMON

Download Yara Rule

Strings

d@q, xrefs: 031051BC

Memory Dump Source

Source File: 00000006.00000002.913178689.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID:
String ID: d@q
API String ID: 0-1277414842
Opcode ID: d81708de89b578aed80665e52266cc49249f5af9595ef663608ebf359ec4c6f0
Instruction ID: 9a4bd54821a4af0608debb6b460a810bd1f7c68a05afe3997301c1a6e91e7830
Opcode Fuzzy Hash: d81708de89b578aed80665e52266cc49249f5af9595ef663608ebf359ec4c6f0
Instruction Fuzzy Hash: 76215131E043099FDB04DFA5C41469EBBF7AF89300F554429D50AAF395DBB09986CB91

Uniqueness

Uniqueness Score: -1.00%

Function 031054F8, Relevance: 1.3, Strings: 1, Instructions: 69COMMON

Download Yara Rule

Strings

'un, xrefs: 0310554F

Memory Dump Source

Source File: 00000006.00000002.913178689.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID:
String ID: 'un
API String ID: 0-898863481
Opcode ID: 1ff4c326dbdbd32b11d64764f238f647b0e8e5d88e0a21a8738e8bd377d08b27
Instruction ID: a7a4bb23d4c32ef8c6951eec2a94651ef5791f08f0ff3a7c10d1329aaa52c2a2
Opcode Fuzzy Hash: 1ff4c326dbdbd32b11d64764f238f647b0e8e5d88e0a21a8738e8bd377d08b27
Instruction Fuzzy Hash: 1E21CD35A152059FCB04EFB8A8456EE7FB3EB8A304B405029D1028B295EB355D82CF82

Uniqueness

Uniqueness Score: -1.00%

Function 031050D0, Relevance: 1.3, Strings: 1, Instructions: 67COMMON

Download Yara Rule

Strings

d@q, xrefs: 031051BC

Memory Dump Source

Source File: 00000006.00000002.913178689.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID:
String ID: d@q
API String ID: 0-1277414842
Opcode ID: 1bfd3333fa19fde377a0836cb523d5751fb2723cef16954a0160ad7e7b0fad0f
Instruction ID: d43ca19ad0ade04a2969a134b746887ceeef4aab0374194fb8fd6b567828dc85
Opcode Fuzzy Hash: 1bfd3333fa19fde377a0836cb523d5751fb2723cef16954a0160ad7e7b0fad0f
Instruction Fuzzy Hash: 5D112B71D043499FDF04CFA4C4546DEBBF2AF8A300F158525C509AF255EBB0698ACF91

Uniqueness

Uniqueness Score: -1.00%

Function 031012A0, Relevance: .5, Instructions: 460COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.913178689.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14c36e8a105e36a6b1fd3f1fb478773b2a5fc7cc837c7ed340b8559c47d4eab5
Instruction ID: 7bd5d10ef24eb21197d6124a8fe35bed940487592051fd74d93c6c7a0d6c73fe
Opcode Fuzzy Hash: 14c36e8a105e36a6b1fd3f1fb478773b2a5fc7cc837c7ed340b8559c47d4eab5
Instruction Fuzzy Hash: 82220578A00605CFCB24DF28C480AAAB7F2FF49310F5585A9E85A9B755DB39ED85CF40

Uniqueness

Uniqueness Score: -1.00%

Function 0310AD10, Relevance: .3, Instructions: 269COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.913178689.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc9274205caaec5bcf56c05935b1f86938b650d43fd9187297efe05deb57a0e5
Instruction ID: ca1668a854f29fbd0aa31f71b446baa1092dfe62a3b7539fa4325d05aa9f00a1
Opcode Fuzzy Hash: cc9274205caaec5bcf56c05935b1f86938b650d43fd9187297efe05deb57a0e5
Instruction Fuzzy Hash: A291E2306006168BD704EF69D458B6EBBA3FFC5304F10862EE1168B6A8CFB1DC468BD1

Uniqueness

Uniqueness Score: -1.00%

Function 03106220, Relevance: .2, Instructions: 241COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.913178689.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 588b9641a09d071426398733f3b17b37fed4372d254a4f8b5ec537f7597a0f6b
Instruction ID: bd41696f3008118a7ab9fae9ae40097a7f9196b96533f928986dc81cc33ea978
Opcode Fuzzy Hash: 588b9641a09d071426398733f3b17b37fed4372d254a4f8b5ec537f7597a0f6b
Instruction Fuzzy Hash: FB817E31A00619CFCF15CF64C8909DAB7B2EF89304F05C595D80AAF255DBB5AE9ACF90

Uniqueness

Uniqueness Score: -1.00%

Function 03104DB8, Relevance: .2, Instructions: 241COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.913178689.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da505ed3ebb85d7a2525df5cba30eef28af32cc546439fb12a8ee9b9cf913d5b
Instruction ID: 596ef88ebfb80926da52db822b7dd9c55d816ea497c83424f182a30f178b2827
Opcode Fuzzy Hash: da505ed3ebb85d7a2525df5cba30eef28af32cc546439fb12a8ee9b9cf913d5b
Instruction Fuzzy Hash: 4081E334604241CFCB09DB79D5949BE7BE3EF8A300715C4A6D5068B2D9DFB5AC82CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0310BE89, Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.913178689.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe00a6b871fe5a1f02f7f03358b26a016154268921417a375b1874cf3c79a12d
Instruction ID: cf0672ce823d7c15aa23a11a239809131fc7a030af0513fba70ea593cd8447b4
Opcode Fuzzy Hash: fe00a6b871fe5a1f02f7f03358b26a016154268921417a375b1874cf3c79a12d
Instruction Fuzzy Hash: CC7114316083418FC319CF58C894A66BBF6FF89310B1AC5AAD55ACF692D7B0E845CF94

Uniqueness

Uniqueness Score: -1.00%

Function 0310B459, Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.913178689.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca8e95a281268ca1ad16819fdef9b998cc418e4d2b31abd360e7b2d18ab3981d
Instruction ID: a900ba5e6a980c64e005f19675b97f005e06fef0506f8cbbfe40db6157bc8602
Opcode Fuzzy Hash: ca8e95a281268ca1ad16819fdef9b998cc418e4d2b31abd360e7b2d18ab3981d
Instruction Fuzzy Hash: 23A12274A046099FCB18CF69C494AAEFBB2BF88310F14C5A9D45AA7794D770E981CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0310F090, Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.913178689.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3141c6b99232a6d17f506b4671964bea6ce2e54fc0053b684bfedbca7bd33576
Instruction ID: e31aa18c399b2121dede11a455c2fb9c16d961040d862e4c276f7c21cdbb9152
Opcode Fuzzy Hash: 3141c6b99232a6d17f506b4671964bea6ce2e54fc0053b684bfedbca7bd33576
Instruction Fuzzy Hash: 09713C34A00205CFDB28DF69C485BADBBF1BF4C324F198559D456AB6A1CBB1E882CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0310E330, Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.913178689.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5581cd400a88e28c4635b2763624587ef4d04428f381d39ec4bc59f48b1828f5
Instruction ID: 39850bf426126a5f5ff91f7c4fda2040227603c21a7714fb7c35c265d7abe0b0
Opcode Fuzzy Hash: 5581cd400a88e28c4635b2763624587ef4d04428f381d39ec4bc59f48b1828f5
Instruction Fuzzy Hash: 2751A431A00519DFCF18DFA5D4848ADB7B7FF88310B058869E906EF255DB71AD86CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 031076D8, Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.913178689.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f1d823b964178424730d4f69e4a0bc90877d36929680a6b14f6ee0ee17a33ed
Instruction ID: 7f51c3bd1c0fa91b97b2adc1baf9af12124090772e9a6de92decf3787daa164d
Opcode Fuzzy Hash: 0f1d823b964178424730d4f69e4a0bc90877d36929680a6b14f6ee0ee17a33ed
Instruction Fuzzy Hash: F1313931900619CFDF15CF54C8986DAB7B2AF89305F118495D509BB195DBB0BA8ACFC0

Uniqueness

Uniqueness Score: -1.00%

Function 03107328, Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.913178689.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a810464e66dec627ef4e8da4854b57d92da7682a98791a7f69b8e2b2af24627
Instruction ID: 18b86e0d56ba0d8c088a732f77b7b09e044b3c3dab761c0230df9972cdc5a236
Opcode Fuzzy Hash: 7a810464e66dec627ef4e8da4854b57d92da7682a98791a7f69b8e2b2af24627
Instruction Fuzzy Hash: 68512B35F002198BCB18DBB9C4506AEB7F3AF88310B258569D44AAB3D5DB71AD42CB91

Uniqueness

Uniqueness Score: -1.00%

Function 03107C18, Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.913178689.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ae1115e1ca36cd61b1a061151b9ee7085fbd441209015ab538674c9cbd175fd
Instruction ID: f5b27a63d84dbdf775c50594b06e92ad6f3eca1c50026300aae40316a7e9763b
Opcode Fuzzy Hash: 1ae1115e1ca36cd61b1a061151b9ee7085fbd441209015ab538674c9cbd175fd
Instruction Fuzzy Hash: 355102B4D00219CFCB28DFA8C98469DBBF1FF48310F25856AD45AA7294EB316D86CF50

Uniqueness

Uniqueness Score: -1.00%

Function 03107EF0, Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.913178689.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf5f29269574cb2e9532e1e7870272585965d09327c04ef0112bd5cb86d56194
Instruction ID: 2be113d12f065011a55c41a9202ccf4172546a57b4e686d950f19c7088f5208a
Opcode Fuzzy Hash: cf5f29269574cb2e9532e1e7870272585965d09327c04ef0112bd5cb86d56194
Instruction Fuzzy Hash: 79512A34A04215CFCB24DB78C588BAD77F2BF89300F6481A9D45ADB295DB70EC81CB51

Uniqueness

Uniqueness Score: -1.00%

Function 0310CDF8, Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.913178689.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ee56b67204cefa24d1182f742b2c549a062a49071e8dfaf75ec412e8a1cb11c
Instruction ID: 50efcca718812bf93cef335d3073b3edf42cb42ba9a83b6b39200cad84cbc40b
Opcode Fuzzy Hash: 3ee56b67204cefa24d1182f742b2c549a062a49071e8dfaf75ec412e8a1cb11c
Instruction Fuzzy Hash: F441A130A00705DFD728DF79C4845ABBFE2FB8C310B25C639D4569B695DBB5A8428F90

Uniqueness

Uniqueness Score: -1.00%

Function 03106C8A, Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.913178689.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bd25cc805e330d5cdd740ed4f4a89ef1fb45cb7a33bf945cc1354198c124fac
Instruction ID: dddf5ca12ed07edbe5dbf4e3584ae828bdb73bbda3adb3ed0c43bd0113c9f45b
Opcode Fuzzy Hash: 3bd25cc805e330d5cdd740ed4f4a89ef1fb45cb7a33bf945cc1354198c124fac
Instruction Fuzzy Hash: 0B5109306043418FCB29DB34E5586AE3BE2EF86394704556EE146CB295EFB68C87CF81

Uniqueness

Uniqueness Score: -1.00%

Function 03102BF8, Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.913178689.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f62f86fba16904af8ca550f48e5ac7513c72832d276c3c2e6a52ee6176952c1c
Instruction ID: 407622921a19b4b09f42a9d8162b42e8366b3a1f7406ac79b29145bfe176b148
Opcode Fuzzy Hash: f62f86fba16904af8ca550f48e5ac7513c72832d276c3c2e6a52ee6176952c1c
Instruction Fuzzy Hash: A941143050D3948FC719C724899C578BFB4EF4A200B1A89A7D496CB2A2C7B29C47C752

Uniqueness

Uniqueness Score: -1.00%

Function 03100BC0, Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.913178689.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66a8098b3ffd7846f56e6a889bb009b6d2be72c0928de08ad6a9ce46aa3d3e39
Instruction ID: 0e7f391c517fdee42540867a58fb5cdc640d05548841393fb91bb8168ade1bda
Opcode Fuzzy Hash: 66a8098b3ffd7846f56e6a889bb009b6d2be72c0928de08ad6a9ce46aa3d3e39
Instruction Fuzzy Hash: 2E419631B051088FC719DF68D4147AE77E7AF8D310F1680AAE906AF3A1CFB29D468791

Uniqueness

Uniqueness Score: -1.00%

Function 03100980, Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.913178689.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3241d03a081f156da0913de7efd0ff428b374c137ae20c27ccba59254266b268
Instruction ID: 164c6096f0f7d277cfe054e4940af0293d4f746311431371e7ee1d48deb50e8a
Opcode Fuzzy Hash: 3241d03a081f156da0913de7efd0ff428b374c137ae20c27ccba59254266b268
Instruction Fuzzy Hash: E7410435B002059FCB14DBA9D494BAEB7F2FF8D304F258159E4469B391CBB0AC4AC781

Uniqueness

Uniqueness Score: -1.00%

Function 03100682, Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.913178689.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf159a28a5642c2e867a5e40371f9142dd0ffe0cfd96cc69f26d739abdabb3c4
Instruction ID: 6f757e0a236b3427153b47f8d3de47efed6c15717e98971f08f874af7a18d15b
Opcode Fuzzy Hash: bf159a28a5642c2e867a5e40371f9142dd0ffe0cfd96cc69f26d739abdabb3c4
Instruction Fuzzy Hash: 33418B306003058FC724AB35E81C66D3BA7BF88797755857AF502CB2BADFB48C418B92

Uniqueness

Uniqueness Score: -1.00%

Function 03101458, Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.913178689.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2015cbc19f431a5afd6dc079bdf626b80c6d6b981e1081eb3cb8f9a15c42617
Instruction ID: 3e5f8254dd244d7c4bd7c3f48105da1a54dfcd6fdc81e021156c98f98dd9de5c
Opcode Fuzzy Hash: d2015cbc19f431a5afd6dc079bdf626b80c6d6b981e1081eb3cb8f9a15c42617
Instruction Fuzzy Hash: 4A51F074A00219CFDB14DF64C894B99BBF2BF49304F5140EAE40AAB3A5DB799D88CF51

Uniqueness

Uniqueness Score: -1.00%

Function 03105920, Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.913178689.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fada874fe467eeed223138f13a7087d79c99389dbf184bc1ad96b9f7cf30f9bc
Instruction ID: 1aa42db633ed7f83c2f678b26e162764f5291ac9155ba941c8c15755193da840
Opcode Fuzzy Hash: fada874fe467eeed223138f13a7087d79c99389dbf184bc1ad96b9f7cf30f9bc
Instruction Fuzzy Hash: 03418F30B083028BDB18A775941933E3697AF8E650B598879E407DB3D5EFB4DC428F91

Uniqueness

Uniqueness Score: -1.00%

Function 03106EA8, Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.913178689.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe20193a98d04b7fff2418b3410df26e5e9e87d74059b02230259361e9d6362b
Instruction ID: 5004f9e195cc9a9590b6fcb013a3fc5da5ba121ce65b4afa89d79245f7bcbc24
Opcode Fuzzy Hash: fe20193a98d04b7fff2418b3410df26e5e9e87d74059b02230259361e9d6362b
Instruction Fuzzy Hash: C2419038A01200CFCB09EF76D0545AE7BF2FB8E7013584069E946EB392DB369C86DB51

Uniqueness

Uniqueness Score: -1.00%

Function 03100690, Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.913178689.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e1e8ab030eedd4a129ee906fb832ef9031c9879e203928a54cc3b533aaa2a4a
Instruction ID: 670fb95f3ad44bcb8daa614242aac26faade89b24104466731169a912f68f20e
Opcode Fuzzy Hash: 2e1e8ab030eedd4a129ee906fb832ef9031c9879e203928a54cc3b533aaa2a4a
Instruction Fuzzy Hash: 45416D312003058BD724AB35E84D66E3BA7BF88797755853AF502CB2BADF75CC418B92

Uniqueness

Uniqueness Score: -1.00%

Function 03109228, Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.913178689.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43d4a3697a7d2e5f6f1fc9dcd961a58e351aced6a9022eb6e91c24f9662e89d7
Instruction ID: 281518c3655886642e3e7949f09fafc28260f52f45d0a19ce44e40aaf35e37b0
Opcode Fuzzy Hash: 43d4a3697a7d2e5f6f1fc9dcd961a58e351aced6a9022eb6e91c24f9662e89d7
Instruction Fuzzy Hash: 7F41C63060D2919FC74AD7A884B85757FE8AF4E304B0A85A7E495CB6F3C7B19C81C752

Uniqueness

Uniqueness Score: -1.00%

Function 0310B090, Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.913178689.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7160e02cfdddb6cf748556cd32b2202c3da72a6e7ef9dd57ce7d5cfd521536a4
Instruction ID: 79e6cd6787b3f4888427d719bfe1ef7ecfac1db2180f3fad9bb6da837b226332
Opcode Fuzzy Hash: 7160e02cfdddb6cf748556cd32b2202c3da72a6e7ef9dd57ce7d5cfd521536a4
Instruction Fuzzy Hash: 7C410371A086658BCB04DBA9D89456EBBF2FF8D310B14846EE446D7790DBB1EC02CB91

Uniqueness

Uniqueness Score: -1.00%

Function 03106EB8, Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.913178689.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9925fb624dedb56b3be8258621089a7e27d34f4a84253ab47e709f7d30d9d269
Instruction ID: 35850f0877cf86d8ff0fe2330e6e505c5e568a613bfdb748b2177fea381aaf44
Opcode Fuzzy Hash: 9925fb624dedb56b3be8258621089a7e27d34f4a84253ab47e709f7d30d9d269
Instruction Fuzzy Hash: 0B417138B01200CF8B09EF76E0545AE7BE2FB8E7153544468E906EB391DF769C86DB51

Uniqueness

Uniqueness Score: -1.00%

Function 03108678, Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.913178689.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc6c8f756314aa668535b20f41dbd366ce82ddc9a02968abcf07406d866097d3
Instruction ID: 8eff184a9afed37d5c7c3f0d22f1fc5f7a256416fb198442df96ff04586b1b4c
Opcode Fuzzy Hash: fc6c8f756314aa668535b20f41dbd366ce82ddc9a02968abcf07406d866097d3
Instruction Fuzzy Hash: 9731D334718254CFCB09EB39E44896D3BA3FF89384716856AE0428B2D8DFB49C82CB51

Uniqueness

Uniqueness Score: -1.00%

Function 03108510, Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.913178689.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 050bfeaea94d8ed0320fceca7cf70c948db4c798007113162fd18ddf2b551c77
Instruction ID: 55bdbed8c0dd00b4c87037693f558ed1335dfdfb4a8b40c3f53862c4caa31492
Opcode Fuzzy Hash: 050bfeaea94d8ed0320fceca7cf70c948db4c798007113162fd18ddf2b551c77
Instruction Fuzzy Hash: B541AC35A08106CFCB04DBA8C584AAEF7F1FF49320F29C6A6D516DB291D770D896CB91

Uniqueness

Uniqueness Score: -1.00%

Function 031002DA, Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.913178689.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1bb26e2e2d0ce5451edcc72db6a627d2cffd789757d473dcf62e5eede8a2038
Instruction ID: 0a2b684a360e9c413ebb47ce7107be2aeddfc8b5a27876812cc46457297c4ca1
Opcode Fuzzy Hash: b1bb26e2e2d0ce5451edcc72db6a627d2cffd789757d473dcf62e5eede8a2038
Instruction Fuzzy Hash: C2413B30A01205DFDB19CB68C454BAE7BB6FF8E710F2944A9D402AF3A5DBB19C81CB55

Uniqueness

Uniqueness Score: -1.00%

Function 03100170, Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.913178689.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76c269f6c6ff82e55ccdfa2db79da89501bdb62848f5d6d1fbc5aa69d78f7da0
Instruction ID: 106dcf86caccc230f115dbe17f92c8e91b14a4af31c01f9767e0533d391560fb
Opcode Fuzzy Hash: 76c269f6c6ff82e55ccdfa2db79da89501bdb62848f5d6d1fbc5aa69d78f7da0
Instruction Fuzzy Hash: AA31CE307053449FEB118B78D890B2A3BB9EF8E780F5404AAE445CB396EB75EC01CB61

Uniqueness

Uniqueness Score: -1.00%

Function 031009A9, Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.913178689.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c50891e6d25e45ae3b5162321d0993cdcc8c31744553a98802b56082d26748b8
Instruction ID: cee6266ce3df8dd6b58958f5f259031236f9a51f74ad6ceb9d9e726757d9154d
Opcode Fuzzy Hash: c50891e6d25e45ae3b5162321d0993cdcc8c31744553a98802b56082d26748b8
Instruction Fuzzy Hash: F9416D35B002059FCB14DFA9D498A6EB7F6FF88305F658169E5069B3A5CB71AC06CB80

Uniqueness

Uniqueness Score: -1.00%

Function 0310E321, Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.913178689.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4675fda68202e981b9734bc9646ea86bc07a7cedce3ea9b44202d04ae7f1f45
Instruction ID: af0efdc95a77622e0edab7303bde067ae1f843743dab79d76f73ab793dba734f
Opcode Fuzzy Hash: d4675fda68202e981b9734bc9646ea86bc07a7cedce3ea9b44202d04ae7f1f45
Instruction Fuzzy Hash: B331E431A04609DFCF08DFA5D8448AEBBB7FF48300F05446AE506AF2A1DB71AD45CB61

Uniqueness

Uniqueness Score: -1.00%

Function 03101290, Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.913178689.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dad41578df99aaf0292e28ea3f9e28b0db19845ffb4b561d0677454c127a1705
Instruction ID: 5e114744e55349e26fb5a9f0d977fa177ee1cf500a8cd189992c6e961adf045f
Opcode Fuzzy Hash: dad41578df99aaf0292e28ea3f9e28b0db19845ffb4b561d0677454c127a1705
Instruction Fuzzy Hash: 0C411774A04219DFDB14DF64D884BAEBBB2BF4A304F1140AAD40AAB394DB759D84CF51

Uniqueness

Uniqueness Score: -1.00%

Function 0310E208, Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.913178689.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36a3c81c5510fd87bff15929ffb8aa9e075d9a12d9d1b953083ccb67e08583e5
Instruction ID: 3e5c00bc5409ebe98ae80a6ca8841d726e61b6093513efff02e6c685a9ccefdd
Opcode Fuzzy Hash: 36a3c81c5510fd87bff15929ffb8aa9e075d9a12d9d1b953083ccb67e08583e5
Instruction Fuzzy Hash: 51315E75A04604DFCB58DFAAC544AAEFBF5BF8C210F198969D409E7680DB709C81CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 031020D0, Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.913178689.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efbd32991b8a64d5a3d6bc3d9c236e9e3583346c19b558065568986a4e4b5fb1
Instruction ID: 1daaa3ba8602cfc13502936e2e360d44a37d7ad767318745ae8701a75f3be739
Opcode Fuzzy Hash: efbd32991b8a64d5a3d6bc3d9c236e9e3583346c19b558065568986a4e4b5fb1
Instruction Fuzzy Hash: F9316430B04305DFCB15DF58C89567E77B6FF89300B268896D5059B295DBB0EC82C792

Uniqueness

Uniqueness Score: -1.00%

Function 0310ACFF, Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.913178689.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e3ef9f5bfb6468c67a355080b74989a04924a041c0ba53d70eaae0db62bc1d5
Instruction ID: 32b588112f108d64cad41f422c5ad2184c3eb69704c5cf5db2f2b720b4d8792d
Opcode Fuzzy Hash: 6e3ef9f5bfb6468c67a355080b74989a04924a041c0ba53d70eaae0db62bc1d5
Instruction Fuzzy Hash: A6314D30B102158FDB049BA9C859B7EBBF7AFC9705F254069E106DB2A5DF718C058B91

Uniqueness

Uniqueness Score: -1.00%

Function 03100007, Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.913178689.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b848fba415859cf2036b5ff02212b458e7f9fa8503cf135b6a2bf61e28cf8785
Instruction ID: d1d63d6e49326876159047647ab65f1c419528125db86aea031b2c6d97aa4d68
Opcode Fuzzy Hash: b848fba415859cf2036b5ff02212b458e7f9fa8503cf135b6a2bf61e28cf8785
Instruction Fuzzy Hash: 8A31263010E3C18FCB57DB7498A85593FB2AF4720470A85DFD485CB1ABDB799849CB22

Uniqueness

Uniqueness Score: -1.00%

Function 0310D381, Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.913178689.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38ec254d9292075daae66d8bfd237099ff255f415d96d573d2dc92d4b42ea7c0
Instruction ID: eac899759355a76b658c4f6e2ac3c772087083180a6ffbdec583ed57aba12719
Opcode Fuzzy Hash: 38ec254d9292075daae66d8bfd237099ff255f415d96d573d2dc92d4b42ea7c0
Instruction Fuzzy Hash: AE314B706053008FC7599B38A41959A7BB2EB4A30C32489AEA505DF3AADF76DD47CFC0

Uniqueness

Uniqueness Score: -1.00%

Function 031045C8, Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.913178689.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 616b27bd46dbe3418e9ca2515ccd741986ca4de0b2aa5538d7128550d50fe092
Instruction ID: cd68a9b3622d9827da0e42828000ef7212afbb0518db8d1be217676023f13a78
Opcode Fuzzy Hash: 616b27bd46dbe3418e9ca2515ccd741986ca4de0b2aa5538d7128550d50fe092
Instruction Fuzzy Hash: 3E214171B0011A9BDB44DAA6D9C1AFFB7BDFB88204F14412AE719D3180FFB15D458BA1

Uniqueness

Uniqueness Score: -1.00%

Function 0310E777, Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.913178689.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffef5920c10b8fd59a3d584fdcefa0aa78ff7349d63246a44ce4c0141ab50a39
Instruction ID: 926532364e68c6e31e117a106e4288fc45875ddcc7037d440d316daddd311605
Opcode Fuzzy Hash: ffef5920c10b8fd59a3d584fdcefa0aa78ff7349d63246a44ce4c0141ab50a39
Instruction Fuzzy Hash: 88316F74B00604CFCB14DF768485AAEBBF6AF8C600B50442EE506A7790DB75E842CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0310EA98, Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.913178689.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a446b6d016f5c07f6dee788754dfc1dd94618c4a14eeeb16c1c1a9e6877be9bb
Instruction ID: 2672f4a71017810f5e65a3ece802e76123b5a42dbcdf13b9f41797b6836cce2c
Opcode Fuzzy Hash: a446b6d016f5c07f6dee788754dfc1dd94618c4a14eeeb16c1c1a9e6877be9bb
Instruction Fuzzy Hash: 76410630905F50CFD739CB2AC544766FBE2BF89305F588C6EC19796AA0DBB5A481CB10

Uniqueness

Uniqueness Score: -1.00%

Function 03108800, Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.913178689.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5368050ab62dd7014532bb9006fa0fafc95662206e4e685e73f053ba4b00d867
Instruction ID: 14009ed86e216b3bb96467364d87cab7dc6488f4a2c03d2255591f1bd303d521
Opcode Fuzzy Hash: 5368050ab62dd7014532bb9006fa0fafc95662206e4e685e73f053ba4b00d867
Instruction Fuzzy Hash: 5431AE30D08209DFCB09DBB5C4956BDBFB0BF4A300F1584ABD542E7295D7B08981CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0310CE60, Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.913178689.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12bb5269c1bb0c54221c87ba74eb1979733d0fceffd5855e18b7fe0a2d28ad57
Instruction ID: ae5addca8225e5b4e162da9a2f9046a2560d9768aad42423ed5b3d206fc62b86
Opcode Fuzzy Hash: 12bb5269c1bb0c54221c87ba74eb1979733d0fceffd5855e18b7fe0a2d28ad57
Instruction Fuzzy Hash: 29315E30A00305DFD728DFB9C4546AFBBF2EB8D300F55863AD4069B295DBB5A8818F91

Uniqueness

Uniqueness Score: -1.00%

Function 0310731A, Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.913178689.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b81ae99a2951df3548a4813a8b36a1547065353725d5b22778b1afec664fd795
Instruction ID: 2dfa1cce5c2903c6be25c72b1c95c1f973257b56d10938459fe58b4b026978f4
Opcode Fuzzy Hash: b81ae99a2951df3548a4813a8b36a1547065353725d5b22778b1afec664fd795
Instruction Fuzzy Hash: 5B314F35E002098FDB08DBB9C4549EEF7F3AF89310B158569D81AAF395DB71AC46CB90

Uniqueness

Uniqueness Score: -1.00%

Function 031043CE, Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.913178689.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6806874c1e0d2b0694b8d7b782324c8dd4360dd5be4d29083429359d358d4388
Instruction ID: 14e05a8aeb4d342648f714b9967e23568875888a917b82da7a0d5bdeded14b41
Opcode Fuzzy Hash: 6806874c1e0d2b0694b8d7b782324c8dd4360dd5be4d29083429359d358d4388
Instruction Fuzzy Hash: 3431AB35600205CFCB14EF68D8888AE7BF2FF8934471484A9E5069B27ADF36AC95DF40

Uniqueness

Uniqueness Score: -1.00%

Function 03106CCE, Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.913178689.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14cc16ab1941c0933fcfbbf4607e7732a541eee355c3db7d9f077192ac1b9dfd
Instruction ID: 5364b5ae9f951442b63d737da3e011ffd4870677b11d611e9d5902fe05c8ceb0
Opcode Fuzzy Hash: 14cc16ab1941c0933fcfbbf4607e7732a541eee355c3db7d9f077192ac1b9dfd
Instruction Fuzzy Hash: 97319E342103018BCB18AF39E0595AE3BE2EF86358344956EE146DB354EF7A8C87CF81

Uniqueness

Uniqueness Score: -1.00%

Function 03105B51, Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.913178689.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31f5ca97627553975e00b1484442d546e7bc54b6ef97299758cca8672aa91552
Instruction ID: f2a0c534c32d35a2ea9a607eeb80e4d9c983bd6ffef77e71395dd8a880cd6253
Opcode Fuzzy Hash: 31f5ca97627553975e00b1484442d546e7bc54b6ef97299758cca8672aa91552
Instruction Fuzzy Hash: FF21C431B082049FCB08DBB985502BEB6E79FCE610B25847ED407EB381DEB5DC458BA5

Uniqueness

Uniqueness Score: -1.00%

Function 031043D0, Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.913178689.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd134b8eef8b907fec27bab526dea871e74ac3808d078964677aa252ac7ca411
Instruction ID: 911c0bd52e522e041a67a49952803ed303978556587547586fe3c50cdf9b9458
Opcode Fuzzy Hash: dd134b8eef8b907fec27bab526dea871e74ac3808d078964677aa252ac7ca411
Instruction Fuzzy Hash: FD31A935600205CFCB14EF68D8888AE7BF2FF4934470484A9E5069B2BADF36AC95DF40

Uniqueness

Uniqueness Score: -1.00%

Function 0310E021, Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.913178689.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76d1ae0dadd2c8935e6b23106576f85df1e3d70927d72648172d02f82350afd8
Instruction ID: 734c104bd9c1f7dd15abd2dd6764199a8aa3a35b34efac8a2891124b342923f4
Opcode Fuzzy Hash: 76d1ae0dadd2c8935e6b23106576f85df1e3d70927d72648172d02f82350afd8
Instruction Fuzzy Hash: 223138303017068BC7A5AB39D45066E77A3BFD86047A48A2DD1469F798DFB6E9038B80

Uniqueness

Uniqueness Score: -1.00%

Function 031055E8, Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.913178689.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c56d9ded047d056d89469b7a51923b5a861e8355c6a847b7dc071edd97a3988
Instruction ID: 37bd2804788f286b29775d021a146f4cfd4cde9b3f84f6cf3fbc1b224d12fc02
Opcode Fuzzy Hash: 4c56d9ded047d056d89469b7a51923b5a861e8355c6a847b7dc071edd97a3988
Instruction Fuzzy Hash: 9A210030B042058FDB18DB79C4557AEBAE7AB8C710F19006AE502EB3D1DFF58C858B91

Uniqueness

Uniqueness Score: -1.00%

Function 03108688, Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.913178689.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59a2e2cae5c6c49a961b4ae985d42b6ffbf8a57cbb46e05bfd1545d35711fb4b
Instruction ID: e8e801b4abc93b1dfb95568fb58d4dc19ee14cc4d1fd92a11f7596ddb91420d2
Opcode Fuzzy Hash: 59a2e2cae5c6c49a961b4ae985d42b6ffbf8a57cbb46e05bfd1545d35711fb4b
Instruction Fuzzy Hash: CA218D34B14210CFCB48EB39E45992E3BA3EB883557118469E142DB3D4EFB59C82CF41

Uniqueness

Uniqueness Score: -1.00%

Function 0310A988, Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.913178689.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c58a18d87f4e5c67c68fc5e6c1216d4729c34bac1b745200abb28adf3f35eba
Instruction ID: 740426b081f8d1ef02346cd002605f096cbad5a6f2bd3f8493c9281388059ca0
Opcode Fuzzy Hash: 6c58a18d87f4e5c67c68fc5e6c1216d4729c34bac1b745200abb28adf3f35eba
Instruction Fuzzy Hash: 95216230B04359DFCB18DB75D9409AEB7B6AF9C740F11496AE542AB294DFB0AD80CB90

Uniqueness

Uniqueness Score: -1.00%

Function 03105B60, Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.913178689.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d26eac616bba35524f059d9e39cda87a315c9df2f5af0dd0269af34a03072158
Instruction ID: 84fa3cfd71fb8e18661ba3e42833badf9c960efecc0ddd90710eb739bfa77854
Opcode Fuzzy Hash: d26eac616bba35524f059d9e39cda87a315c9df2f5af0dd0269af34a03072158
Instruction Fuzzy Hash: 7F21D431B042048FCB1CDA7985502BEB6EB9BCE610F15843ED407EB381DE74DD858BA5

Uniqueness

Uniqueness Score: -1.00%

Function 0310EA89, Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.913178689.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06a911f838b57375a550b93d6770377548232885816b5dd64a2e9ef94771c956
Instruction ID: 6d5f33fb7df0eceb617c4154c49f4a3d5a707d497fd8d017f5346d27a2a7319a
Opcode Fuzzy Hash: 06a911f838b57375a550b93d6770377548232885816b5dd64a2e9ef94771c956
Instruction Fuzzy Hash: 1131E470905F50CFD329CB2A8544766FBF2BF89305F588C6ED09786AA1DBB5A485CB20

Uniqueness

Uniqueness Score: -1.00%

Function 03105831, Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.913178689.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae0a0aa98427988071c9089867d3e58eb27d6c41ea39f60ed5deedbf7293effd
Instruction ID: bb4db906035c698b3b3a8b1d9d9993ef9414a443f79d502afafeb0d1c39ab0ff
Opcode Fuzzy Hash: ae0a0aa98427988071c9089867d3e58eb27d6c41ea39f60ed5deedbf7293effd
Instruction Fuzzy Hash: 2221D434B082149FDB08E7BA945067FBBABAFCF210755456AE4439F3D2DEB08C018B61

Uniqueness

Uniqueness Score: -1.00%

Function 03105DE8, Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.913178689.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d5fd6c1a0671294eb4077ce9e98bb3fb9678c265eb657b583a6bdbb3695708d
Instruction ID: d06e22796f8971b830416c3c08a97f0f24b92f39beda2b5b96c720c743a74b04
Opcode Fuzzy Hash: 9d5fd6c1a0671294eb4077ce9e98bb3fb9678c265eb657b583a6bdbb3695708d
Instruction Fuzzy Hash: 42216B316183458FCB29E7B454141BDBB979F8B61032846AFC0978B1D2CFB58816CB56

Uniqueness

Uniqueness Score: -1.00%

Function 031021E9, Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.913178689.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dcf42c9ec4d384ae0f6dd2b91e2f3d672af728fb9b35b5e0ec0b8fae155731fd
Instruction ID: 7288fddb288720932eb34437751c2c5f10d517e0dcbda9c63cb827957980d05b
Opcode Fuzzy Hash: dcf42c9ec4d384ae0f6dd2b91e2f3d672af728fb9b35b5e0ec0b8fae155731fd
Instruction Fuzzy Hash: 14312770D0820DDFCB58DFE4C0486BDBBB1FB4D300F11499AD402A72A4DBB59A86CB52

Uniqueness

Uniqueness Score: -1.00%

Function 031025DE, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.913178689.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 880b49c97207eb115d91338294e7c0124519876fbfbfd393a4631480811bfe87
Instruction ID: dd07ed5a4c831a0666d486e36744a5c69c4d8cbd5c2bc12ff62e5eede62fcaa2
Opcode Fuzzy Hash: 880b49c97207eb115d91338294e7c0124519876fbfbfd393a4631480811bfe87
Instruction Fuzzy Hash: 67316E30A00345CFDB60CF66D45865EBBF2BF88354F28D5A9D404AB2A9DBB4D48ACF41

Uniqueness

Uniqueness Score: -1.00%

Function 03108C16, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.913178689.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b65a3bbe46ba28782f925c9da18267607b9ee94beb33e3575fd7ec12bca2f0b9
Instruction ID: 41a1876d86890bf648326451719219c36a84317b7606d85ca602cc2eb63167c6
Opcode Fuzzy Hash: b65a3bbe46ba28782f925c9da18267607b9ee94beb33e3575fd7ec12bca2f0b9
Instruction Fuzzy Hash: 4B319A34E00249CFDB20DF66D44835ABBF2BF88318F18D56AE4149B295DBB498C6CF41

Uniqueness

Uniqueness Score: -1.00%

Function 031008AF, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.913178689.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b087df528afdb32899a2371c15fd9f8aad2975453aa45cfe5bf8e1ded86564be
Instruction ID: 14d9479a2da99b4715319701df073d1d285451f4efa5880bc08373096148b9dd
Opcode Fuzzy Hash: b087df528afdb32899a2371c15fd9f8aad2975453aa45cfe5bf8e1ded86564be
Instruction Fuzzy Hash: 74113631A043548FC719CFB89894B7FBBA5AF8E35070742ABD946DB291CBA09C45C790

Uniqueness

Uniqueness Score: -1.00%

Function 0310DEB8, Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.913178689.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e28750b53e38243bf898128763c4cd8b1e391547cbe5aedc55d2262ba78fd3d
Instruction ID: fdc45f07549f7142cc8b40f46d34586961c969465de1fa530c74f783edcdc488
Opcode Fuzzy Hash: 5e28750b53e38243bf898128763c4cd8b1e391547cbe5aedc55d2262ba78fd3d
Instruction Fuzzy Hash: E421F334A04218CBC718CBA5E4147EABBF5BB4C305F1185B9F546A7280DBB1DC82CB90

Uniqueness

Uniqueness Score: -1.00%

Function 031046A9, Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.913178689.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cc3e7b4dfd926b7bfa4bddfa717870aeec25d9393facd588d1eb853bf27e7bc
Instruction ID: 14e717f52c7fa86f9a5a8363109861a704eaf2c3d676376af027afd7b74a53f2
Opcode Fuzzy Hash: 8cc3e7b4dfd926b7bfa4bddfa717870aeec25d9393facd588d1eb853bf27e7bc
Instruction Fuzzy Hash: A011E7316093D05FCB1697B554603FA3FA48F8B251B0944FBD185CF292DB6588468761

Uniqueness

Uniqueness Score: -1.00%

Function 0310A978, Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.913178689.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e73eb5df3b5a703e6ce5a7136693d25bd62c9c8be9d79a456be94e5a47145eed
Instruction ID: a2e476250fa57612c847f6ae85d20977dd57d8dc9900e440b279a18137a29d0a
Opcode Fuzzy Hash: e73eb5df3b5a703e6ce5a7136693d25bd62c9c8be9d79a456be94e5a47145eed
Instruction Fuzzy Hash: 9311D630B04359DFCB18DB75D941AAE77B6AF9C700F16456AE582AB2C0DFB0DD408791

Uniqueness

Uniqueness Score: -1.00%

Function 03105840, Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.913178689.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b5abce6ce87a5731de70181b2119f339fba15e3bf4f42814981b1cf22c5ba6f
Instruction ID: 4b12fe13821aaa54160317009c0148f5ae0775c6c178859472e0d1c19afb9934
Opcode Fuzzy Hash: 1b5abce6ce87a5731de70181b2119f339fba15e3bf4f42814981b1cf22c5ba6f
Instruction Fuzzy Hash: BD11D3347042149BDB0CE7BA9450A7FB6EBAFCE610B51453AE4179F3D1DEB18C004BA0

Uniqueness

Uniqueness Score: -1.00%

Function 031048B9, Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.913178689.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c522baf78ed524e02421cc5c5a5070f1a562dd7c79d091387e66817384cf79e6
Instruction ID: dfdad33c87a01d7db4a5e044c61c8db930bcba21e5635d544690e88c13692137
Opcode Fuzzy Hash: c522baf78ed524e02421cc5c5a5070f1a562dd7c79d091387e66817384cf79e6
Instruction Fuzzy Hash: 1E110831F081559FCF09CAB5D4905FEB7B3AFCE310B054479DA82BB180DF606A068B51

Uniqueness

Uniqueness Score: -1.00%

Function 0310E620, Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.913178689.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3885f618a5a0248c1de855051a3231c326ecee9a5118155745260467749448c4
Instruction ID: fcdd4cc747612a9ddc95b378a3d97fca0265dc03f2d35812545987740adf519c
Opcode Fuzzy Hash: 3885f618a5a0248c1de855051a3231c326ecee9a5118155745260467749448c4
Instruction Fuzzy Hash: 18218171A00918CFCB58DFAAD5509BEBBF5EB8C310F11886ED506E7280D7B1AD51CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0310E611, Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.913178689.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bf5c82d3c845ecf32747d5387f3f4f8db25f2828b717860838df3e14332b1d0
Instruction ID: bbdd7a5ed8f641b619f5fba50e11eeacf82cf965ff96b852160a280624c0ccf2
Opcode Fuzzy Hash: 4bf5c82d3c845ecf32747d5387f3f4f8db25f2828b717860838df3e14332b1d0
Instruction Fuzzy Hash: C6114F71A05908DFCB58CF5AE5449BEBBF9EB8C310F11846AE506A3280D371AD52CFB1

Uniqueness

Uniqueness Score: -1.00%

Function 03107C08, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.913178689.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29f40ac20b08f5c880090afae02c9aebbe6c146138b9f696a390f2d5c7eeaf4f
Instruction ID: 140a37a32a48155f44ac3827cd9c4954002450a06fe3f37b10658de1cb6f75fd
Opcode Fuzzy Hash: 29f40ac20b08f5c880090afae02c9aebbe6c146138b9f696a390f2d5c7eeaf4f
Instruction Fuzzy Hash: 4E21A2319082859FCB15CF78C9446EEBFF1AF4A340F1940AAD441AB1E2D7716D49CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 03100B18, Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.913178689.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b75a96cd6a7b816df69e3cf412e1e13ceb216928fd520a3eea9f2b4cfb79fbc
Instruction ID: cca971c241456155c11a68b801706ccf4642661d004622eeaff143f5e040a666
Opcode Fuzzy Hash: 7b75a96cd6a7b816df69e3cf412e1e13ceb216928fd520a3eea9f2b4cfb79fbc
Instruction Fuzzy Hash: 5111E138B58226EBCB68D5358C4077E72995B5C68EF12846A8C03EB6C0DFF0C980C390

Uniqueness

Uniqueness Score: -1.00%

Function 03105730, Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.913178689.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2142a4e3d36358f5bf834f531ca3bef5e49f060e0cc9a1c601270af0a276989a
Instruction ID: ec56a733193a88c6bf50a1c909239159a5c5cdd37af225d644ae755d6300ffb4
Opcode Fuzzy Hash: 2142a4e3d36358f5bf834f531ca3bef5e49f060e0cc9a1c601270af0a276989a
Instruction Fuzzy Hash: 37117C31A04209CFDB14DBB4D5806EEBBB3EB4A344F60416AD4059B284E7769D42CB51

Uniqueness

Uniqueness Score: -1.00%

Function 03104520, Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.913178689.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 223bf872d36e7327c962ee4d76ae71f582c88109c8142f1eb94418f9a7cd368e
Instruction ID: 6ac862c2e9bb970e0fcfb305917c987b4f7fbecc00069c6b276df93cfcec688c
Opcode Fuzzy Hash: 223bf872d36e7327c962ee4d76ae71f582c88109c8142f1eb94418f9a7cd368e
Instruction Fuzzy Hash: 7801C436E0451487CF08D99AE4401EFB3A69FCD321F05403EAE069B380DFB29D458BD0

Uniqueness

Uniqueness Score: -1.00%

Function 0310C5E0, Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.913178689.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77a983db50a5731e43facaf6eabd03195ee1ef43cbd8f5d9b20fafd424a28d39
Instruction ID: 0bc7edea1208201d9a9b09aff7a6eaeb34d2d3475c648b5e2d02788c85607653
Opcode Fuzzy Hash: 77a983db50a5731e43facaf6eabd03195ee1ef43cbd8f5d9b20fafd424a28d39
Instruction Fuzzy Hash: 731100747003508FC3028738E45472E3BA7ABD9211F090899F542CB3A6DFB48C82CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0310C8D8, Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.913178689.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74920aa798b099e36cad610a6694f615c6c21f134f1b9ab810b8b58cdb20e8e9
Instruction ID: e86c1bf10609018dbbb4eb7b3d309ecb60d6886dc425246222f87213bc6e6e3d
Opcode Fuzzy Hash: 74920aa798b099e36cad610a6694f615c6c21f134f1b9ab810b8b58cdb20e8e9
Instruction Fuzzy Hash: DA119E34B001049BC708EB6AD450A6EB7EBAFDD7107198169E84ADF390CF72EC02CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0310CA08, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.913178689.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03491f154b79983eee2294fd669e83e79baad1761738915384d77a1405802daa
Instruction ID: 1d227b999693cd55179749cd454ca251e0dc00de0b51fbbddab77aa1dbea44cc
Opcode Fuzzy Hash: 03491f154b79983eee2294fd669e83e79baad1761738915384d77a1405802daa
Instruction Fuzzy Hash: 1911C830308641CBC318E769D14052DBB939FDA3547559A1E914B6F3D1EFB2DC828F92

Uniqueness

Uniqueness Score: -1.00%

Function 031B087C, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.913330534.00000000031B0000.00000040.00000040.sdmp, Offset: 031B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77138e8ae8d3eddbdf8cad0e219f3ce461181605e90ae552a3a379d81809483b
Instruction ID: 8635cf3038581862eff0e16fd15960e713e9367aa39651021f73060a4bf636a6
Opcode Fuzzy Hash: 77138e8ae8d3eddbdf8cad0e219f3ce461181605e90ae552a3a379d81809483b
Instruction Fuzzy Hash: 2D11D334604384DFD315CB14D980B6BFBA5EB8C718F28C9ADE9490B642C77BD853CA91

Uniqueness

Uniqueness Score: -1.00%

Function 0310DD28, Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.913178689.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1ed58d0734d7ff32fd5142347899ec9327532b4c118063edbbf1197ed11bb7c
Instruction ID: 9c88505dd0b1b92327eeebea02dd5aafddeee39c49fba70d889010dfe91ca237
Opcode Fuzzy Hash: f1ed58d0734d7ff32fd5142347899ec9327532b4c118063edbbf1197ed11bb7c
Instruction Fuzzy Hash: 2601D6347113159FCB141BB558145AF7BAAEF8A654721487EE407D7392CE71CC028760

Uniqueness

Uniqueness Score: -1.00%

Function 031048C8, Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.913178689.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: edb270388001073a7aa717af2d671920bc08a03ebf300758a2a8239c09317512
Instruction ID: 243e9426d561b1e301ef9981770b034c023b9c614d340dbbb2c17553ce85717a
Opcode Fuzzy Hash: edb270388001073a7aa717af2d671920bc08a03ebf300758a2a8239c09317512
Instruction Fuzzy Hash: E801DB31F0811A9BCF09DEA5D8805EFB3A7ABCC710B054439DA46B7280DF606D468BA1

Uniqueness

Uniqueness Score: -1.00%

Function 031B0846, Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.913330534.00000000031B0000.00000040.00000040.sdmp, Offset: 031B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51f8e274454fa3f581c2edf5e9d0975665f64f78a4ae4397aed12a068b851c9d
Instruction ID: aa8732abe9f22945a1514d539e946f6a9feebc27fd7186881dd081ee9141e333
Opcode Fuzzy Hash: 51f8e274454fa3f581c2edf5e9d0975665f64f78a4ae4397aed12a068b851c9d
Instruction Fuzzy Hash: B421493514D7C08FD707CB60C950B55BFB1AF4B618F2985EED4898B6A3C33A8816CB62

Uniqueness

Uniqueness Score: -1.00%

Function 031061A0, Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.913178689.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b7cc1c83937d4496ee5c6abd68b0032a3ef186d3371f9a933d77d4ad749176a
Instruction ID: 27c267619e22374e8b74e88faaa4f3898d6da2cdc0dcf1a893d1b7aa414bf87e
Opcode Fuzzy Hash: 0b7cc1c83937d4496ee5c6abd68b0032a3ef186d3371f9a933d77d4ad749176a
Instruction Fuzzy Hash: 46014530B042104FCB44D278A8604FE7BEADBCD250B0484AFD90AE72C1DB794C1293D1

Uniqueness

Uniqueness Score: -1.00%

Function 0310238F, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.913178689.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12eb0addfc212df6393fcfc079b7ee79f20aaa3ee260d9149017aad41f2c9f64
Instruction ID: e9a87a5e1673889fe92ddfab304a4828d17fcff67aaebbc51abffc697f239768
Opcode Fuzzy Hash: 12eb0addfc212df6393fcfc079b7ee79f20aaa3ee260d9149017aad41f2c9f64
Instruction Fuzzy Hash: 32116D70804295DFCB28CFA4C4996AEBFB1EB4E300F1049AED542AB784DBB55887DF50

Uniqueness

Uniqueness Score: -1.00%

Function 03104511, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.913178689.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 523f952a8f4cda9e0f66820564ec481ded975fea0ccf11e96feb20db0e4c1eaf
Instruction ID: ef6006e9b517a9eb2bdd729879345da1e69ba3313341066312b830211473e1df
Opcode Fuzzy Hash: 523f952a8f4cda9e0f66820564ec481ded975fea0ccf11e96feb20db0e4c1eaf
Instruction Fuzzy Hash: 8E01D635E042508BCF09CAA994501BF77A65FCF210B0945BEAA46DB282DFA58C058B91

Uniqueness

Uniqueness Score: -1.00%

Function 031011DF, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.913178689.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bc61fe8ad60c06cd156b9a1aad8001b5bd88e5a9028f102cf449f85a3fd1e44
Instruction ID: 435966d0f6198db4f9bb320470998c4747a60cfd236b01a1b0128872ad2777cd
Opcode Fuzzy Hash: 4bc61fe8ad60c06cd156b9a1aad8001b5bd88e5a9028f102cf449f85a3fd1e44
Instruction Fuzzy Hash: F31133343091909FC71AD728D4685697FF6AF9F30172A41FBE046CB2B6CBA94C498751

Uniqueness

Uniqueness Score: -1.00%

Function 0310A418, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.913178689.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d96fa8ad0062937568e76d41bd4fbd56570470544bb9dad7723275cfb40bc2d
Instruction ID: 45f409f2f8b2ea0e5200dd78f0c77b38f6145c901898e88a38c0e97490879d31
Opcode Fuzzy Hash: 7d96fa8ad0062937568e76d41bd4fbd56570470544bb9dad7723275cfb40bc2d
Instruction Fuzzy Hash: AE11E9346047409BCB19DB64C568B7E7FB16F8E310F1D455DC196EB2C5DBA1AC42C782

Uniqueness

Uniqueness Score: -1.00%

Function 0310C558, Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.913178689.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e03816bccc02637a93e0940b90ff19c72bbd470c7a6b81c5eb3580e3a441b8ec
Instruction ID: daa4957fdb15b154b609daded34d1409371ab6930ac2b1cbdb18048dd30840c8
Opcode Fuzzy Hash: e03816bccc02637a93e0940b90ff19c72bbd470c7a6b81c5eb3580e3a441b8ec
Instruction Fuzzy Hash: 86113C347006148FC714DB6DC58482EF7FAFF893203258699E46ACB7A0CB71EC018B90

Uniqueness

Uniqueness Score: -1.00%

Function 03104FF0, Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.913178689.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: afbb9cebcf94edf02c2b2d12a718568dc635703c182720950a4d6541b56e36ab
Instruction ID: d9cb5d9e34b05f15ee48b8c1d17e947135455c1d9820cdbb03c09ee7b3ed3e20
Opcode Fuzzy Hash: afbb9cebcf94edf02c2b2d12a718568dc635703c182720950a4d6541b56e36ab
Instruction Fuzzy Hash: 8F01D631E08205CFCB44DBB895507FE7BF2EB8E250B148466C509E7289EBB04941CFE6

Uniqueness

Uniqueness Score: -1.00%

Function 03104789, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.913178689.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f15673ae35159ccbfbb6e656f60df707442c1e857c724422245920766c2059b8
Instruction ID: 8626809eec5f1408770176a20a25c14afe7c170c6008a6482fe6b81987a3844f
Opcode Fuzzy Hash: f15673ae35159ccbfbb6e656f60df707442c1e857c724422245920766c2059b8
Instruction Fuzzy Hash: A5018431F042499FCB94EFB884542EE7BF2EF99310F10847EC149E7241EA354A06D7A1

Uniqueness

Uniqueness Score: -1.00%

Function 031005B9, Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.913178689.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d735142babaf484b112d0ee50f4c1eb53424528aa1bf0dfecebbf56876dd1f82
Instruction ID: baa783c976414d038a8cbb876ce435cae4afa65f3b48725fb6bda42e399f238a
Opcode Fuzzy Hash: d735142babaf484b112d0ee50f4c1eb53424528aa1bf0dfecebbf56876dd1f82
Instruction Fuzzy Hash: 940142313042640FCB09A63D94206AE3BCB9FCA648718405EE102DB394CEB8AC4693D6

Uniqueness

Uniqueness Score: -1.00%

Function 03107B1A, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.913178689.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e5e25d986e19f5e6d844cc56d786904d4b0a3bc89704d97aa29971e10f2ca57
Instruction ID: 6e3e80450a5a7eb90b683018bb3b8876397d4f838a1184128d6a8c40337fe23e
Opcode Fuzzy Hash: 4e5e25d986e19f5e6d844cc56d786904d4b0a3bc89704d97aa29971e10f2ca57
Instruction Fuzzy Hash: 20019230A081849FCB29DB64C5947BEBFB29B8D700F19459EC056AB7C5CBB5BD42C781

Uniqueness

Uniqueness Score: -1.00%

Function 03107B28, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.913178689.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb0c125e7325acb4841c762f9618cf7eae9ac010d8f0ad142f1c6c2847bfe96b
Instruction ID: e63c1344bb5bcb7b9cba923aa5c8ab97e0837d3144198f883be6c5f5b79cc92e
Opcode Fuzzy Hash: bb0c125e7325acb4841c762f9618cf7eae9ac010d8f0ad142f1c6c2847bfe96b
Instruction Fuzzy Hash: 7A017131A081089BCB28DA54C951BBFFBF2AB8C614F19456EC516A77C0CBB5BD41C7D1

Uniqueness

Uniqueness Score: -1.00%

Function 03105740, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.913178689.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6948345f121239caecc7c9d32527b64999404885da3534eb14d2677226e9039d
Instruction ID: 8d4f541ea14f19f9e5ba14a8d74edd43cee7c261fd3f3a443ad684c99131cfe6
Opcode Fuzzy Hash: 6948345f121239caecc7c9d32527b64999404885da3534eb14d2677226e9039d
Instruction Fuzzy Hash: D3118E30A04209CFD704DFB5D9816AE77F7FB4A380FA0412AE405A7284E7769D81CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0310DD38, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.913178689.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14bb45da5ee424a0ee629c29a56d9a2aa09d35ce75c9a93deba186c0424b69d9
Instruction ID: 328f44350649e165473bf526795229137b8ed55416dd5b7d29c73d9bd7ab832b
Opcode Fuzzy Hash: 14bb45da5ee424a0ee629c29a56d9a2aa09d35ce75c9a93deba186c0424b69d9
Instruction Fuzzy Hash: 2A01D4357103159BCB182BBAA80862F7A9BAF8D624710443EE407D7395DE71CC0183A0

Uniqueness

Uniqueness Score: -1.00%

Function 0310A428, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.913178689.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e077da37fa60b5773729f8724e32aa1368e785c9273c8750d37e7b5ea84e4dd
Instruction ID: 17b5959a0dabce997f5821b76971ae09f260ca0eda52e425bb3faa981518a7a4
Opcode Fuzzy Hash: 5e077da37fa60b5773729f8724e32aa1368e785c9273c8750d37e7b5ea84e4dd
Instruction Fuzzy Hash: C401F135A04304CBCB28DE54C858BBFBBB1AF8C610F19442EC116EB2C0CBB1AD4587D2

Uniqueness

Uniqueness Score: -1.00%

Function 03105508, Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.913178689.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b451dec91f94f2a26c96d326cecca17e431da82b80aa089c6f76942c8d4dc5fd
Instruction ID: cd1891aa10c56edfdcaf2bae8943f8cc9362e6db3223e2a3292179ee55eb92c6
Opcode Fuzzy Hash: b451dec91f94f2a26c96d326cecca17e431da82b80aa089c6f76942c8d4dc5fd
Instruction Fuzzy Hash: AE115B30A152058FCB44EFB8E945AEF7BF7EB8E304B504439D10687294EB365981CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0310AAA0, Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.913178689.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c7622a465f9cceafe48ce148783cb39ca108dc17fd42b03f7df0930c2995992
Instruction ID: dfbaf51e03cf1a434f8a280ea5134ad97d021084a7876cfa601900b82d54aba4
Opcode Fuzzy Hash: 5c7622a465f9cceafe48ce148783cb39ca108dc17fd42b03f7df0930c2995992
Instruction Fuzzy Hash: 76017C30A103098FCF50EBB998487AABFF6EB49310F1451AAD544E6285EB709941CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0310A260, Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.913178689.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98f83b509b4a9b0ff1505c3c1ff010beda09304ad451b62cfe5152b86ef6f830
Instruction ID: 65363d7d1d47a1f7d3fbfe258fe53043452aa4d8f01eee56826b72797d8ae921
Opcode Fuzzy Hash: 98f83b509b4a9b0ff1505c3c1ff010beda09304ad451b62cfe5152b86ef6f830
Instruction Fuzzy Hash: ADF0783170C35017C70866BD6C80AAD6F877FCE330361422AE1059F3C9CE624C0143A2

Uniqueness

Uniqueness Score: -1.00%

Function 031B05CF, Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.913330534.00000000031B0000.00000040.00000040.sdmp, Offset: 031B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08454aa2faf92f487b441a12cd10efa1ba7b3ba5c93f20fcfcd9b9f4957b02ca
Instruction ID: b5eca2da816ef4ab5c143e20838c8a0c5ab34c0735b13ea6d15d95dc4913724f
Opcode Fuzzy Hash: 08454aa2faf92f487b441a12cd10efa1ba7b3ba5c93f20fcfcd9b9f4957b02ca
Instruction Fuzzy Hash: 790162B65097856FD712CF06DC44863FFB8EB86630709C49BEC49CB652D225A908CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 0310AAB0, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.913178689.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60020d7bd727147bd20708f40f142cdee4102db4e7645cd2ede26fd3dfb8424f
Instruction ID: 134e51d6ac39d3ace4150f749ae07a033fddb3180e0910522b431f2bf0cf605b
Opcode Fuzzy Hash: 60020d7bd727147bd20708f40f142cdee4102db4e7645cd2ede26fd3dfb8424f
Instruction Fuzzy Hash: E5014F75E103099FCB54EBB9E90579FBBF5EB88210F10417AD608E3280FB7599508BD1

Uniqueness

Uniqueness Score: -1.00%

Function 03107562, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.913178689.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f67f94b935f14d85106f1d20b294ea6c5892cf9695e29f157c447f298473148b
Instruction ID: 314de99a5da86f0606d0075a09df546100d5db2be7058c9fca787a8521b4f813
Opcode Fuzzy Hash: f67f94b935f14d85106f1d20b294ea6c5892cf9695e29f157c447f298473148b
Instruction Fuzzy Hash: 83F0F93130C39417CB1466BD9C90BBD6F8B6FC7320B65425EE1559F2DDCE645C058362

Uniqueness

Uniqueness Score: -1.00%

Function 03105000, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.913178689.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44cb3c54cc46f204c03bee288a57e288c6a65881bf3efa0402bb53ffdd82906f
Instruction ID: 4f666e1a3c8a664b21ed8795e1e3053c32c9015d600c5aa0da5a75050bd67397
Opcode Fuzzy Hash: 44cb3c54cc46f204c03bee288a57e288c6a65881bf3efa0402bb53ffdd82906f
Instruction Fuzzy Hash: C0018431E08209CFCB44DBB999406AE7AE6EB8E240B558426C509E7284FBB159418BE1

Uniqueness

Uniqueness Score: -1.00%

Function 03104798, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.913178689.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0ac68e77bf1b62992f021693b3f6fcd153b5e8d0d76a96f86eac612b6e73278
Instruction ID: 4dd3a23f247c92999e6eece699d6095aa86708370ba65df9ce91e6a3c6865605
Opcode Fuzzy Hash: b0ac68e77bf1b62992f021693b3f6fcd153b5e8d0d76a96f86eac612b6e73278
Instruction Fuzzy Hash: 8E014F31F0010A8FCB54EFBD84446AEBBE7EB99350F10843AC109E7280EE354A4687D1

Uniqueness

Uniqueness Score: -1.00%

Function 03106BD8, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.913178689.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71040ed7771d7410c1d1a5a196147f7d34641f0cb1e3b13ca06fb736325908a6
Instruction ID: e5e029a11979c9aacf8b56cff39175979d166f2de3044b58127c44d0be7f20a3
Opcode Fuzzy Hash: 71040ed7771d7410c1d1a5a196147f7d34641f0cb1e3b13ca06fb736325908a6
Instruction Fuzzy Hash: 7C01BC70E002099FCB50DF78D9447EEBBF4EF49350F14416AC408E7281EB758981CB90

Uniqueness

Uniqueness Score: -1.00%

Function 03106BE8, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.913178689.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90c55599c943b7ec55af75727196bc0ee409b7902b575e8988fbdc3b71873599
Instruction ID: 1ad1489d1a47b3ccf51a10dd22f0da3179c194f3a59bb32c71e0cd258858d52d
Opcode Fuzzy Hash: 90c55599c943b7ec55af75727196bc0ee409b7902b575e8988fbdc3b71873599
Instruction Fuzzy Hash: 90018B71E002099FDB50DBB9E9447EFBBF4EB88360F10413AC508E7280EB7599908BD0

Uniqueness

Uniqueness Score: -1.00%

Function 03104710, Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.913178689.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e83577bd461169e599a96d813108a1cfd7d8d196c515495a2d43402840fb97d
Instruction ID: 4a2f859b88011721d87c6234ae9fe4a4f800a1eddff9ed4f4f10199df94cb57f
Opcode Fuzzy Hash: 1e83577bd461169e599a96d813108a1cfd7d8d196c515495a2d43402840fb97d
Instruction Fuzzy Hash: 29F02B363003104BCB2D96BA54043BE32DA8BCE652F44003EE306DB7C0DFB68C824350

Uniqueness

Uniqueness Score: -1.00%

Function 0310A1F1, Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.913178689.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5a0b489768305e92e193ccb3ccc85a809a1a4b5e35f6b21a9cf90869f5345f2
Instruction ID: 73545e5cfcaab33157d28d488dd46ca4eea7105242a87da80733dcbc25e744f4
Opcode Fuzzy Hash: b5a0b489768305e92e193ccb3ccc85a809a1a4b5e35f6b21a9cf90869f5345f2
Instruction Fuzzy Hash: 6301D6316083D14FC715A768A8145A87F739FCB21430D44AFE189CB2E5DE729C478B52

Uniqueness

Uniqueness Score: -1.00%

Function 0310AC20, Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.913178689.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 703d51983ef9597e2b124526c0e3b79801e578f1c9294e37b520f06b23692a74
Instruction ID: 1d95b9a7897986effcfeb6ac7dff02f9267d6fd27c4ef3a51f0df664b333fb56
Opcode Fuzzy Hash: 703d51983ef9597e2b124526c0e3b79801e578f1c9294e37b520f06b23692a74
Instruction Fuzzy Hash: 4701F7343043408FC705EB39E51956A7BA3EF8921430684BEE146D7394EF71CC428B91

Uniqueness

Uniqueness Score: -1.00%

Function 03101218, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.913178689.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b2e8cd05e6a61bc9cf0c901685736d452eab60a0fde51b632b4b32859c3455f
Instruction ID: 03c94e751e0f883a7964f5453466f4f3e6ff054845ceea8ebb2e170d9d239920
Opcode Fuzzy Hash: 5b2e8cd05e6a61bc9cf0c901685736d452eab60a0fde51b632b4b32859c3455f
Instruction Fuzzy Hash: 50013134304110DBC708DB29D05896AB7EAFFDD74172641BAE506CB7B4CFBA9C898781

Uniqueness

Uniqueness Score: -1.00%

Function 03108500, Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.913178689.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f28fdd0850c04ed4cf8cf30a9902d9c2911d4463f16596ff6187ffafb36eaf4
Instruction ID: ea5761e0e134ed596dec30912a516958a1660b97fcb846197c6291ff6a2dc292
Opcode Fuzzy Hash: 7f28fdd0850c04ed4cf8cf30a9902d9c2911d4463f16596ff6187ffafb36eaf4
Instruction Fuzzy Hash: 67F0F634A0C245EFCB05CBA4A8418AFBFF4EE4A250F0684A3E102D7292D7B1984587A2

Uniqueness

Uniqueness Score: -1.00%

Function 03106210, Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.913178689.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99a3c825f395e9fbd7a82a95f51a1821ec621f6535d509d0a3fa4d81e832839f
Instruction ID: a5b7ab1ef444533141040a7138181cb553424c861f6a5d8bc0aa1041db6e8dc6
Opcode Fuzzy Hash: 99a3c825f395e9fbd7a82a95f51a1821ec621f6535d509d0a3fa4d81e832839f
Instruction Fuzzy Hash: 59F04630B042408FCF14C27898546FE7BA5CBCE340F0444AAC946972C1DB781D5287C1

Uniqueness

Uniqueness Score: -1.00%

Function 0310A270, Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.913178689.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1761dd8b4176f178d972fcb0326633299d40abcfff602d0fdd4509b692b36fe
Instruction ID: 942cba90566fd43208828ca03fe8173ee36d6d6d15fa71d425f80b9fb44f5149
Opcode Fuzzy Hash: e1761dd8b4176f178d972fcb0326633299d40abcfff602d0fdd4509b692b36fe
Instruction Fuzzy Hash: D6F0E03170C31453C61865AD5840A7D658B7FCD3307A1433EA515DF3DCCE658C0543A1

Uniqueness

Uniqueness Score: -1.00%

Function 03107570, Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.913178689.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4740b55230fd8dfac685a1e2824c687389bd347493867bd2cd62c9b21dd8dcc3
Instruction ID: 65bec94c716de6be7905288432d96058aad85a5669be51c4e51bfd996cafaad1
Opcode Fuzzy Hash: 4740b55230fd8dfac685a1e2824c687389bd347493867bd2cd62c9b21dd8dcc3
Instruction Fuzzy Hash: EAF0E03130831417C61865AD5C80B7D658B7BC5370761431EB11ADF3DCCE65AC0543A1

Uniqueness

Uniqueness Score: -1.00%

Function 03106619, Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.913178689.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf5e8cac0898cc344ea430b74c76e6d07664fa173b5c50f8a4d60d5cbfa1f9a1
Instruction ID: 99c061eadbc09e3c80149a78c5fd01ca208b47508e05c30d5830b708d6331699
Opcode Fuzzy Hash: cf5e8cac0898cc344ea430b74c76e6d07664fa173b5c50f8a4d60d5cbfa1f9a1
Instruction Fuzzy Hash: 51F0F030F042198FDB58D2389850AFE77F5EB8A390F0146A6C906972C0EB652A668685

Uniqueness

Uniqueness Score: -1.00%

Function 0310EA28, Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.913178689.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 918faafb638254e05496cb9ba96ab60aa3c554fce5039f5bd51c807b788483a4
Instruction ID: 83b52d3b8aa3a7a68840fde01677caee39b48fd98ab8860fd2a66cf5a069efdc
Opcode Fuzzy Hash: 918faafb638254e05496cb9ba96ab60aa3c554fce5039f5bd51c807b788483a4
Instruction Fuzzy Hash: 41F050B2509790D7D73AC1665C443A55E447B8E220F0E19F7E98BFB1C3CAE448458371

Uniqueness

Uniqueness Score: -1.00%

Function 03106628, Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.913178689.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d472a1f345401fbc706d4b41d1891417ad46947d46657ebf1e95e0bfb86aa742
Instruction ID: d97b6dd4f89ce6c601a41b427516ae7f73fc025dc19bb210e795362edc7b64fa
Opcode Fuzzy Hash: d472a1f345401fbc706d4b41d1891417ad46947d46657ebf1e95e0bfb86aa742
Instruction Fuzzy Hash: A9F0E931B042159BCB08D27498105BF77EAD7CD790F014566C907972C0FFA95E6142D2

Uniqueness

Uniqueness Score: -1.00%

Function 03105CD0, Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.913178689.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff05eab2e631fe0bd1f9b130dc42d85df10dca7dc6f4b616b9ef40c93a97e04a
Instruction ID: e204f55a17b0e07dcacd4179b1b0dfa2007082ad6f509b8bc10b2a2ca54f92df
Opcode Fuzzy Hash: ff05eab2e631fe0bd1f9b130dc42d85df10dca7dc6f4b616b9ef40c93a97e04a
Instruction Fuzzy Hash: 71F0C271E041158F8F84DFBC984169EBBF6EF89354B05427AC408E7345EB309942CBE6

Uniqueness

Uniqueness Score: -1.00%

Function 0310EFB8, Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.913178689.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75881073c61f1823c32f37402b8f54c76e0a89c8529729edaa44e28115d8a6a9
Instruction ID: 32afc1660bb414719c35b3b906211ca5d6d13193f37b7f5444e6b884d597ebd6
Opcode Fuzzy Hash: 75881073c61f1823c32f37402b8f54c76e0a89c8529729edaa44e28115d8a6a9
Instruction Fuzzy Hash: E6F0E2316453645FD750E3B4A8114BD3B5A9AC5210308C89BE81DCB393CF618C024BE2

Uniqueness

Uniqueness Score: -1.00%

Function 031055D9, Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.913178689.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7f0d8b4a39fd16c33f7f9f0d89b9ef0f9163f4d8ab83057d8f58d5c1e384d02
Instruction ID: 0f6a968970fe9a3f44aa33a09a6b84256c219908fe186e7f438354ecf5c2cf70
Opcode Fuzzy Hash: b7f0d8b4a39fd16c33f7f9f0d89b9ef0f9163f4d8ab83057d8f58d5c1e384d02
Instruction Fuzzy Hash: 76F0E536B081981ECF0555BC68542EFBFAA9B87330F0844BAD644D7142EA5154128291

Uniqueness

Uniqueness Score: -1.00%

Function 031087A1, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.913178689.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 221edc3a3b61a1f1c438ef29c6d26f46d7a4c7c580f24b834c04d16c7a66afb7
Instruction ID: f5584946ff6114818da94d5ad58c0806ecab0ba8b5f9e03250a5a7d7141dbb71
Opcode Fuzzy Hash: 221edc3a3b61a1f1c438ef29c6d26f46d7a4c7c580f24b834c04d16c7a66afb7
Instruction Fuzzy Hash: 6CF0E235A093A04FC7264768A8245693FE6DB4E36032900D6E9C2D3399EE604C018BE2

Uniqueness

Uniqueness Score: -1.00%

Function 03100918, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.913178689.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 101c02111bb143cf42f19d427711a84bb528c8b6c0b09129671921ea4a38809e
Instruction ID: 37f99a157f5689eafc82b3183b6d4f7f53c1568725c6f3c561998ba4b70658b7
Opcode Fuzzy Hash: 101c02111bb143cf42f19d427711a84bb528c8b6c0b09129671921ea4a38809e
Instruction Fuzzy Hash: 09E05532E14218CB9B149AF598047AFB7A9978C260F034437990BA3284DFF0888982C1

Uniqueness

Uniqueness Score: -1.00%

Function 0310E178, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.913178689.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1894f5c317e525cf667be56fb4bf5e66ad5280285f28a03f9f7bb2e624d00e4a
Instruction ID: b8098b484acae143da13bb84d72c063752f4b27382ff9571eb54b185d1647d8c
Opcode Fuzzy Hash: 1894f5c317e525cf667be56fb4bf5e66ad5280285f28a03f9f7bb2e624d00e4a
Instruction Fuzzy Hash: 66F0A731305A918BC365D769C4209AABB97CBC962031D4C5FD44BCB7C2DB72D8068760

Uniqueness

Uniqueness Score: -1.00%

Function 031045B9, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.913178689.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8965bed262ab75907f05372a65153b75cf82930c9fed87161c38cf9024fc24e8
Instruction ID: 237a40c001d8ff479f0de9bc54b772ca212a31af938d5e19437d597840bccfde
Opcode Fuzzy Hash: 8965bed262ab75907f05372a65153b75cf82930c9fed87161c38cf9024fc24e8
Instruction Fuzzy Hash: 07F0BE30E043595FCB50CB689C41BAFBFF8AF8A300F0440AAD648D7192E2305914C761

Uniqueness

Uniqueness Score: -1.00%

Function 0310C8C8, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.913178689.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d1149542f8fad1dfb13c6fc902f9b462d25f2b3d76601a08fe61218695a1708
Instruction ID: d3f90f3e34f2f41a17e5d818c0e024f973eaedab101eed7da21edf4b071b0900
Opcode Fuzzy Hash: 5d1149542f8fad1dfb13c6fc902f9b462d25f2b3d76601a08fe61218695a1708
Instruction Fuzzy Hash: E5F05C72B042100FC369A279541523F379B8FCC62131D426EE485DF7C1DE615C0243EA

Uniqueness

Uniqueness Score: -1.00%

Function 03105CE0, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.913178689.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec4687afa07051f9e7fc5f51b45a2bbbec86f95b404a7235c7d98087ff1f1635
Instruction ID: cf104617a495ff7aa17e8e6d6e6c76740a87a79692f689dc0aa927c99bb97885
Opcode Fuzzy Hash: ec4687afa07051f9e7fc5f51b45a2bbbec86f95b404a7235c7d98087ff1f1635
Instruction Fuzzy Hash: C3F0A071E002198F8B80EFBD984469FBBFAEBCC620B11413AD408F3340EB3499418BE5

Uniqueness

Uniqueness Score: -1.00%

Function 0310DF2D, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.913178689.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e68f2134bdef61474375e8ae0fab42f59a1f69ef2fdee1bcd3f0866457d3a30e
Instruction ID: de248c498ff71196ff19f044c0b40c59c4eda2fb912237c42fba604299880eeb
Opcode Fuzzy Hash: e68f2134bdef61474375e8ae0fab42f59a1f69ef2fdee1bcd3f0866457d3a30e
Instruction Fuzzy Hash: C9F027757001148787589AA5E8102BDB3D6F7C8251B21802BE603D6294DF759C178B90

Uniqueness

Uniqueness Score: -1.00%

Function 031B0938, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.913330534.00000000031B0000.00000040.00000040.sdmp, Offset: 031B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8388fa57679453dc7b04d871bb3dcfd317d9f8cb342853e5fed44ee7779b5e3e
Instruction ID: 0cf0eef34db629e8008ed622f7fb42b63a338d85438c66361ae715e55900ad92
Opcode Fuzzy Hash: 8388fa57679453dc7b04d871bb3dcfd317d9f8cb342853e5fed44ee7779b5e3e
Instruction Fuzzy Hash: 9AF01D35104644DFC306CF00D540B66FBA6EB8D718F24C6ADE9490B752C337D813DA81

Uniqueness

Uniqueness Score: -1.00%

Function 0310E9A8, Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.913178689.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f070a2a609b9a1dc42f343646a5a28aa3f04cd959d5bec3c0aa327bffea1ae34
Instruction ID: 82ddd0aa397253a4e85b13e072a6362835f1a5e026439085407980b662a01cae
Opcode Fuzzy Hash: f070a2a609b9a1dc42f343646a5a28aa3f04cd959d5bec3c0aa327bffea1ae34
Instruction Fuzzy Hash: 01F0EC722057304BC365D66DC5205696769CFD5510305485FC9CADB352EF73C8054760

Uniqueness

Uniqueness Score: -1.00%

Function 0310E9F9, Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.913178689.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b771121ecf344a25035332a155142e4d5c63c462a137d75b5fbb9d4b72c53aab
Instruction ID: c4f907a82559b1acf9bb4203c66e6b3782cfb200c22a583fe2b890e8052b8cc9
Opcode Fuzzy Hash: b771121ecf344a25035332a155142e4d5c63c462a137d75b5fbb9d4b72c53aab
Instruction Fuzzy Hash: 04E0D83121E610DBC6298557A8044E2BB79FA8E1763121DEBE14EA61918B91A94587F0

Uniqueness

Uniqueness Score: -1.00%

Function 031057A2, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.913178689.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 795ca3f2a2c3fdb4cf112cc828eaaeb342df013be5db175ad1dc1feaa7819573
Instruction ID: 72db553d0ae0370354fea71a64e5759f0fe82c397fecdec95e1b933e617d0712
Opcode Fuzzy Hash: 795ca3f2a2c3fdb4cf112cc828eaaeb342df013be5db175ad1dc1feaa7819573
Instruction Fuzzy Hash: 59F0A031F0C104CBDB0CEBB8E8502AD77A39FC9244BA1817AD5069A1C0EFA55C818B52

Uniqueness

Uniqueness Score: -1.00%

Function 0310CBFE, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.913178689.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 621054379bbb10834a9f6578747d0fa2af3b138b17ce13c28fbfd44fdd43bf97
Instruction ID: 386cca81913838d0cc036177f01326495501294fe4499c062454c69224ff1f85
Opcode Fuzzy Hash: 621054379bbb10834a9f6578747d0fa2af3b138b17ce13c28fbfd44fdd43bf97
Instruction Fuzzy Hash: 53E068313080508B8A1DE26C92310BD268B0EDE96231B815BE107CF2A1DE918C8183E2

Uniqueness

Uniqueness Score: -1.00%

Function 031074FF, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.913178689.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3e3f346127623984618a485e28f38a69c24ae0264cb840a087cb8d03e168a16
Instruction ID: dc53b2f4ffccbc28e456eaa1b459d91c5b3c6b500c9825f3fbedaba1fe5873dd
Opcode Fuzzy Hash: f3e3f346127623984618a485e28f38a69c24ae0264cb840a087cb8d03e168a16
Instruction Fuzzy Hash: 88E06534B053144BCB1CF3B9945439D66525FC8A58F85043DC60ACFAC5EF608C028792

Uniqueness

Uniqueness Score: -1.00%

Function 0310B1E2, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.913178689.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ddaf45724330d89e1d97e294c1b50c64d82f59a28f5dcfe3fdcba0ea196800d
Instruction ID: 19359613385e8ddef2ce606735fcd1438d21e743ef1b19857050f4d50af9a989
Opcode Fuzzy Hash: 3ddaf45724330d89e1d97e294c1b50c64d82f59a28f5dcfe3fdcba0ea196800d
Instruction Fuzzy Hash: 89E06530904B104F8335DF2B9801853FFFDFED56107158A6FA45587565DB70A91987E1

Uniqueness

Uniqueness Score: -1.00%

Function 031B05F6, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.913330534.00000000031B0000.00000040.00000040.sdmp, Offset: 031B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 469ac4dd78ba7393abcf03d012c66290ef5c99a9fb16405225a4581e62a97401
Instruction ID: 7b2689cf18dd6f92e6d735fefa4b7b25184df12e18cb69b3045a685ffe85d6c4
Opcode Fuzzy Hash: 469ac4dd78ba7393abcf03d012c66290ef5c99a9fb16405225a4581e62a97401
Instruction Fuzzy Hash: 8DE06D766006049BD650CF0AEC414A2FBD8EB84630718C06BDC0D8B700E539B5048EA5

Uniqueness

Uniqueness Score: -1.00%

Function 031046B8, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.913178689.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2299dc1c51b6e37fab696dbf4b911dfc9bacbafe298f43290316a1f4a182f344
Instruction ID: e045cddfaba74fd66b30b9fabcecc7aab4253cbcee716cbc95a85a123267bf2a
Opcode Fuzzy Hash: 2299dc1c51b6e37fab696dbf4b911dfc9bacbafe298f43290316a1f4a182f344
Instruction Fuzzy Hash: 4FE0863130011587C72466FBB4546BE33CAAF45355B1440A6F20ACB6A1EE57CC0147C6

Uniqueness

Uniqueness Score: -1.00%

Function 03106101, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.913178689.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a418a19fd11d31a8dbb500f5391b236fc354076e596c710adf9c9985a153138b
Instruction ID: ffc403486fb3f5998895325f6a3e6672f032c66141f1a68553437de85b5b76a5
Opcode Fuzzy Hash: a418a19fd11d31a8dbb500f5391b236fc354076e596c710adf9c9985a153138b
Instruction Fuzzy Hash: 78E06F207043910FCB224B388C206BE7B6BAFC224030888ABE441CA243CF248C078395

Uniqueness

Uniqueness Score: -1.00%

Function 0310E188, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.913178689.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fff97f6c1a66bf163345f2c52dd75984d18c989cc12ca84572517d2cadc7c54
Instruction ID: c66db58c7380641ac8ef54dedd62321f4297e750da841b07e8991677b17d3ce5
Opcode Fuzzy Hash: 4fff97f6c1a66bf163345f2c52dd75984d18c989cc12ca84572517d2cadc7c54
Instruction Fuzzy Hash: 9AE02032300521978324D65EC42096AF7DEDBC56203058C2FD50ACB341DFB2DC0147E0

Uniqueness

Uniqueness Score: -1.00%

Function 0310E9B8, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.913178689.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be787e4d9457b0e61f0edc7cb68ea6f66b9128f23388c89d97425c8f5429c5f5
Instruction ID: 6844b849d87d53f00aec07ddb366aa37c4c896c47e8d7a1dd841fbbb03e9b67f
Opcode Fuzzy Hash: be787e4d9457b0e61f0edc7cb68ea6f66b9128f23388c89d97425c8f5429c5f5
Instruction Fuzzy Hash: 05E0D832204620878364E65EC41086A779EDBC5520300886FD9CA8B342DFB2DC0147A0

Uniqueness

Uniqueness Score: -1.00%

Function 0310AB60, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.913178689.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d1a85bd995405a702f67e0e2c82763ef1e10bb62ba466249576e5f9e38f1698
Instruction ID: e712718b10fd3cc488778bffa142f9ee2fd7797ebf9cd55ea21140ef5912c585
Opcode Fuzzy Hash: 5d1a85bd995405a702f67e0e2c82763ef1e10bb62ba466249576e5f9e38f1698
Instruction Fuzzy Hash: 1EE06835B4C3808FCB06A7B890292397FE65F9F20130500DEE086CB3D6DEA08C418703

Uniqueness

Uniqueness Score: -1.00%

Function 0310B198, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.913178689.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71df8864e9cc6042e0cbf2d240347c46a3cac29860875ab2459529b7c8f04710
Instruction ID: 87a266422bfca7dcbf0c7617503911992fe0053857a7a12a9931e016f5208c79
Opcode Fuzzy Hash: 71df8864e9cc6042e0cbf2d240347c46a3cac29860875ab2459529b7c8f04710
Instruction Fuzzy Hash: 1FE0ED30508A44CFC764DA5AE590652B7EAFF49361BA0986AE087C7E94D7F1F8C18B40

Uniqueness

Uniqueness Score: -1.00%

Function 031065C8, Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.913178689.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 818106f20e9c101d8dea7dc4f4b0fafdacb6b062a968f46318f17929c06ac8d4
Instruction ID: 668e8b76c1007632ec3e8a35320dbdb893edbabf0b4a494561b082e54454c824
Opcode Fuzzy Hash: 818106f20e9c101d8dea7dc4f4b0fafdacb6b062a968f46318f17929c06ac8d4
Instruction Fuzzy Hash: 40E068316082028BD3189798A4186B93B88DF45350F05007FD806821E2CBD988918315

Uniqueness

Uniqueness Score: -1.00%

Function 0310E1C9, Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.913178689.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b27ac62a435f6bce8b20dc9f5a8f6837bde6d3598d43831082bb2b1f8b009bc
Instruction ID: 26cafcb096bc26e833d38f3f55cb4833bed64b5f66b68f21cc5e3d9a7d46d2a3
Opcode Fuzzy Hash: 4b27ac62a435f6bce8b20dc9f5a8f6837bde6d3598d43831082bb2b1f8b009bc
Instruction Fuzzy Hash: E1E08631108B24DFC3189557C448AB6F769A76D751B120D6BF54BC62D0D7B2988187F1

Uniqueness

Uniqueness Score: -1.00%

Function 0310CC10, Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.913178689.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2825ee56a7283af628ff7b04c48e92216e42a337a038b7bfc17593c83b27e799
Instruction ID: 910605f536adcdc656292980c2d8c3c53077e35aaf58bc555c081848b85278a1
Opcode Fuzzy Hash: 2825ee56a7283af628ff7b04c48e92216e42a337a038b7bfc17593c83b27e799
Instruction Fuzzy Hash: 3EE0C2313040109B452CA61ED12187E72CB9EDDEA2316812FB1078F2A0CED29C8187E6

Uniqueness

Uniqueness Score: -1.00%

Function 031002A0, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.913178689.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85f37b94c70fdba27c732e0747f7c0a557b28f748ae963e7dd27079d1a724a6d
Instruction ID: 9dd1968286515e8a03d3ae7fafcd30ab404a9feba5db63b3d35adc22281e2b18
Opcode Fuzzy Hash: 85f37b94c70fdba27c732e0747f7c0a557b28f748ae963e7dd27079d1a724a6d
Instruction Fuzzy Hash: 93E08C3010D7888FCBA6976494699A57FB0AF4B3003069D8BD4C28A49ACBB0AC469721

Uniqueness

Uniqueness Score: -1.00%

Function 0310A3BE, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.913178689.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8eb0c353b39a5389abe67796d6381c3072f77a9a9e319fe0f1ae4b99b06f32c6
Instruction ID: 79b7421198d0587f33b30dbfe9d1af6e9bf280c365438024fd09e15ddd84baea
Opcode Fuzzy Hash: 8eb0c353b39a5389abe67796d6381c3072f77a9a9e319fe0f1ae4b99b06f32c6
Instruction Fuzzy Hash: 80E08C310083509BC329C635A4086A6B7A85F09704F06055AEA430E9C0C7E2E0C4C392

Uniqueness

Uniqueness Score: -1.00%

Function 03106110, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.913178689.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 915a935fa41895dd12637694cf287f045497adc3bbb8b6274399196e708e68c9
Instruction ID: 8769dbcddb79a2bda4dd7337caea4fb372c8528e6d2e006751f627c17196564f
Opcode Fuzzy Hash: 915a935fa41895dd12637694cf287f045497adc3bbb8b6274399196e708e68c9
Instruction Fuzzy Hash: 40D0A7257413261B9724AA7B9C00A7F368FABC4996304881DF505DB341DF64DC0243D5

Uniqueness

Uniqueness Score: -1.00%

Function 031065D8, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.913178689.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 306bf971c93d1b137ad15c5090ff43453ee9ce0af763958a7d01b173b6dad2b8
Instruction ID: 2022a0a748e6904eb091938c708749614b18ed6e874d75d02b23374cfb690660
Opcode Fuzzy Hash: 306bf971c93d1b137ad15c5090ff43453ee9ce0af763958a7d01b173b6dad2b8
Instruction Fuzzy Hash: C5D02B3120811687D31463DDA404669358CCB48291B450036E90AC22D6CFD5CCD083A6

Uniqueness

Uniqueness Score: -1.00%

Function 0310EFC8, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.913178689.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ceba6c6126bac50407a2b9f2226bacaa97becd1021831d649df3208e21be250b
Instruction ID: d95fd4bd102902e469a20873cd00bd16abd5bc67ad297d6a3e124b3ece3e9c69
Opcode Fuzzy Hash: ceba6c6126bac50407a2b9f2226bacaa97becd1021831d649df3208e21be250b
Instruction Fuzzy Hash: B8D0A7213401355BE644E5ADD8108BAB38FDBC9924304C85FE919DB352CF72DC0243D0

Uniqueness

Uniqueness Score: -1.00%

Function 031057F6, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.913178689.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85cf85d39b278d57114386df8a617fd6b1e43c5f1f102f82695d42b278b061ea
Instruction ID: efaa834ecbc8e095cb14ebdd2317df6cfc4034bbd202d48d19d1de5a23d9cddc
Opcode Fuzzy Hash: 85cf85d39b278d57114386df8a617fd6b1e43c5f1f102f82695d42b278b061ea
Instruction Fuzzy Hash: 46D0C235F0C108CBCB0CE7F5A9941ECBB729BCC125B011077C50796580EFB048854B92

Uniqueness

Uniqueness Score: -1.00%

Function 0310864D, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.913178689.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96653f49fa454df36e4c4e39c2e2aacd351a092c4dfcec1d1fb3cf6883bbf18b
Instruction ID: 6ddb026e4a42dced779f8b1b3ff1a2a269876d8c9f5d4351b078f6c8ed7c494f
Opcode Fuzzy Hash: 96653f49fa454df36e4c4e39c2e2aacd351a092c4dfcec1d1fb3cf6883bbf18b
Instruction Fuzzy Hash: BCE0463101828ECBCB04CB24E48898D3F25FB48388B128616F4014B29CEFB09DAA8B40

Uniqueness

Uniqueness Score: -1.00%

Function 0310064F, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.913178689.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ffef75dccb9f401e6860fc91a29d38df70f9c237a95a120a4612362fa6156a3
Instruction ID: e04f6dfc01be208fb3b494cde3ac4a6032a13f307c5ed2cd6bd018c57d70a2f8
Opcode Fuzzy Hash: 1ffef75dccb9f401e6860fc91a29d38df70f9c237a95a120a4612362fa6156a3
Instruction Fuzzy Hash: FED05BB28452508FC3589A705C1A5F83762EF9B2057158966D80143521C67669439A05

Uniqueness

Uniqueness Score: -1.00%

Function 03107698, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.913178689.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f351f1a07c28bd8fa67cdefa778ecb1cf7d1afdf0c27725f3fef542b1275cb7
Instruction ID: 10941bc810ab1ece6926987991e4e5c36ef99d48aae67a66d52f7a1cde75c290
Opcode Fuzzy Hash: 5f351f1a07c28bd8fa67cdefa778ecb1cf7d1afdf0c27725f3fef542b1275cb7
Instruction Fuzzy Hash: 88D0C231009310DBE339E67EA8046BAB7D95B4E304F0A045E80430A6D0C7E1B0C487A2

Uniqueness

Uniqueness Score: -1.00%

Function 03102D20, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.913178689.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fdecd99e63d4885abf99e9bfe0713ffe3d76eff910deaefdc713ae0ca33b6a17
Instruction ID: 9afd6db2f602c3a7e0899d12effc6395e3fe06980e7f5643550439ab2a0550ff
Opcode Fuzzy Hash: fdecd99e63d4885abf99e9bfe0713ffe3d76eff910deaefdc713ae0ca33b6a17
Instruction Fuzzy Hash: D0E0123014D3849FC75A8758AC197A47F709F1F301F094DD7D0AB990D7C6A159468716

Uniqueness

Uniqueness Score: -1.00%

Function 031061B0, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.913178689.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be814ba8b1f30cacb10974dfdc08d88c63e301cc9971842201ad9f1d7fac269e
Instruction ID: b956e42154bbb5d372f9b7637505e1cc07934bba71b09228e9302d74366741df
Opcode Fuzzy Hash: be814ba8b1f30cacb10974dfdc08d88c63e301cc9971842201ad9f1d7fac269e
Instruction Fuzzy Hash: 35D05E213402245BE644E5ADD8508BA738FDBC9524704885FA909DB352CF729C0253D0

Uniqueness

Uniqueness Score: -1.00%

Function 0310E1D8, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.913178689.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d05c25de2ba10e4965893e5737bba7c76a56270d5a694e843aab189a28c5efa
Instruction ID: f2c237e0c339f84d389c6d7756a3647fdf278787d78e9c4d024e45252d435aac
Opcode Fuzzy Hash: 4d05c25de2ba10e4965893e5737bba7c76a56270d5a694e843aab189a28c5efa
Instruction Fuzzy Hash: 56D05E31108E24DBC62CD657D404AB2F69DB71D7627124D2BF54B866D0CBF198C187F1

Uniqueness

Uniqueness Score: -1.00%

Function 03109350, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.913178689.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79f8a0ba6c5d905f766a28de3244192cffd104b222c50a967535b24a6029b5af
Instruction ID: de8d9fba6a06bed0d26e966df238895e1faad62659fa3fd3c63230bf94309026
Opcode Fuzzy Hash: 79f8a0ba6c5d905f766a28de3244192cffd104b222c50a967535b24a6029b5af
Instruction Fuzzy Hash: 4AD0123444D344DBC21597759C69B647B34AF4E304F568582A14B5E1F3D791A0509B46

Uniqueness

Uniqueness Score: -1.00%

Function 0310862F, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.913178689.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfe31d34911efd5f5b98a8b4076c85f752a39fb47c42015101777775b07f99a7
Instruction ID: 40fcd2c2ea31e30017052726bab09dedfbb97a0349c2bb6ded47deb5beda4e2d
Opcode Fuzzy Hash: dfe31d34911efd5f5b98a8b4076c85f752a39fb47c42015101777775b07f99a7
Instruction Fuzzy Hash: AEE0EC3111824ECBCB04DF14E48899D3B61FB48388B12C616F4014B198EFB09DA98B41

Uniqueness

Uniqueness Score: -1.00%

Function 03105DF8, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.913178689.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1e9b158be36913e6193f4d7fa8b9ea2768390c19ad200f13e4ca727a71c8c7f
Instruction ID: f2f4f35be91841b0fa53f0df987efb9bdcc088f440a5f763c4ba8e13f34bfc06
Opcode Fuzzy Hash: f1e9b158be36913e6193f4d7fa8b9ea2768390c19ad200f13e4ca727a71c8c7f
Instruction Fuzzy Hash: F9C01231729215574A1CB1BA181416E618F069E921381092F940A8B381ED914C5106D9

Uniqueness

Uniqueness Score: -1.00%

Function 0310EA08, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.913178689.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d063d81e405681b203ae1ac67a03aaedd5c50a65ce486abf8729f582aa0ff5e5
Instruction ID: 21e4b9ab5f5cca3abf5c80f142b5d5b542e54d4e7e4e14ce1e847f9e1b63b31d
Opcode Fuzzy Hash: d063d81e405681b203ae1ac67a03aaedd5c50a65ce486abf8729f582aa0ff5e5
Instruction Fuzzy Hash: 64D0A730418A10C7422CC607E0004617378B64D2613026CADD00B375808BE1F8C087B0

Uniqueness

Uniqueness Score: -1.00%

Function 03107148, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.913178689.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a0939ec5680cffb9ecca245d0aafbbebb033a67d769e75d7ec85179cdc98f5e
Instruction ID: 898961013fb0146758a9ae580655cdb25ecf6e9fa743d3edf24575158445035e
Opcode Fuzzy Hash: 9a0939ec5680cffb9ecca245d0aafbbebb033a67d769e75d7ec85179cdc98f5e
Instruction Fuzzy Hash: 27D0423AA00004CFC704CB88D5849D9F7F2FB88225F28C1A6D915A7291C732ED56CA50

Uniqueness

Uniqueness Score: -1.00%

Function 03105D5F, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.913178689.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0cc53e89879ed789cc00950af399f9fa0a663d519c059f4e7e025cce825e728
Instruction ID: ce10391054f3986dcb832614638cf2f7f78ae39338036deec62db87d526cff94
Opcode Fuzzy Hash: d0cc53e89879ed789cc00950af399f9fa0a663d519c059f4e7e025cce825e728
Instruction Fuzzy Hash: B3D0A93000DBC28FCB12CBA4D8A87203FA81E0710030801E3C0498F062DA90A880DB42

Uniqueness

Uniqueness Score: -1.00%

Function 03107E66, Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.913178689.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 895b103046d6a975d535e72068d14d73bae1fa2b3f91bd7e808fbb3ae1122233
Instruction ID: c2e3c4b05f996807e34426d9fa7d216ccddcc445927f636ea562374eed8754a6
Opcode Fuzzy Hash: 895b103046d6a975d535e72068d14d73bae1fa2b3f91bd7e808fbb3ae1122233
Instruction Fuzzy Hash: F4D05230A0120ADF8B56CF72DA100EE37F0EB0A320321032AD902AB3C5F735AC808B00

Uniqueness

Uniqueness Score: -1.00%

Function 0310F001, Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.913178689.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2977dbaf1c541447232d8a6057bad6f8cf5ce694628e2f0a4c870952f5a25de1
Instruction ID: 64a471f879d6213c3b46ca4e1f3d06d72765bb00a4ebddddd86a7300b1e9da20
Opcode Fuzzy Hash: 2977dbaf1c541447232d8a6057bad6f8cf5ce694628e2f0a4c870952f5a25de1
Instruction Fuzzy Hash: 6AD0122450E7C58FC743B3B098141253F290F47110B4985D6E49C8F2A3EE998915C773

Uniqueness

Uniqueness Score: -1.00%

Function 03105478, Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.913178689.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4c5c551c4a32fafb43f3fc94d2031890542427a4b667d991fe79761377bdb27
Instruction ID: 89d2e35f6cb22d9c7ae71ef297354ea698940d8f97f3168598b265a83821e287
Opcode Fuzzy Hash: f4c5c551c4a32fafb43f3fc94d2031890542427a4b667d991fe79761377bdb27
Instruction Fuzzy Hash: 34D0C93400C7049BD7349BAA640E3AD7E6EA70B64BB4900A1E006C08A7EBA0C090CF12

Uniqueness

Uniqueness Score: -1.00%

Function 03100180, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.913178689.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f564c285b3dc71e15d4281db7739d91862ac2621701f3590780e12cb04b3119d
Instruction ID: ce269f631530e96390ac1f98dc14c09d8d73b7277df98e44c37a0bd4e35fc68f
Opcode Fuzzy Hash: f564c285b3dc71e15d4281db7739d91862ac2621701f3590780e12cb04b3119d
Instruction Fuzzy Hash: 6ED01230251304CFCB197B70F01D41C3765AB45209341087CD80687755EF3BE890CB04

Uniqueness

Uniqueness Score: -1.00%

Function 03102D30, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.913178689.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c62a444ad8faa2ed57d92c4b8dc4d6b89bcf139b27b99070362ef65c44096e73
Instruction ID: 0c561c14df5ebb6568c7fb8d50617449560dfe3bfe0458aeab87399879f84ed0
Opcode Fuzzy Hash: c62a444ad8faa2ed57d92c4b8dc4d6b89bcf139b27b99070362ef65c44096e73
Instruction Fuzzy Hash: 8FC0923418C708E7EAAC9284BC1EFB87218970CB06F924C42B22F180E95BF1AD924357

Uniqueness

Uniqueness Score: -1.00%

Function 03105D70, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.913178689.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8fa80ca4620a0af71a10c798f7a44033a8a6c9375568b05f788487c01352374
Instruction ID: d2cbd1b1042c62e965adbab3be0de9bb5922720c3a57bdab936225a99ceaf1a0
Opcode Fuzzy Hash: a8fa80ca4620a0af71a10c798f7a44033a8a6c9375568b05f788487c01352374
Instruction Fuzzy Hash: 49C08C30218B098F8B2467B16C0F22D3B5D5B45045380016AB40ECA062EF64D4004B56

Uniqueness

Uniqueness Score: -1.00%

Function 03100660, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.913178689.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10a22d951dd61b5eb97796c7e3677f22f65da358794e9b8ce1cc663c8e535aef
Instruction ID: 11c5860f6d9ada72f316e379750b98390bb517bde0355076b5bc99aa632c4cb3
Opcode Fuzzy Hash: 10a22d951dd61b5eb97796c7e3677f22f65da358794e9b8ce1cc663c8e535aef
Instruction Fuzzy Hash: EBC02B30045314CFC36C96701C0953D721B67CC305340C435A402001218FB2B4D18911

Uniqueness

Uniqueness Score: -1.00%

Function 0310C9D9, Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.913178689.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a17a5ee45e5ec7ccb7019b4ae233f1bf7e300b9a0467cd00639e8652a23ffad
Instruction ID: 12667e1cdacceb3020a82d76cf091badd1bc129d55669112d72b64e93bd4d3c6
Opcode Fuzzy Hash: 4a17a5ee45e5ec7ccb7019b4ae233f1bf7e300b9a0467cd00639e8652a23ffad
Instruction Fuzzy Hash: CCC08C7411E3C04FDF2707304524A113F71AE8A20A30848CBF0C8862E3C424D012CB1A

Uniqueness

Uniqueness Score: -1.00%

Function 031061F1, Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.913178689.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2528300efe1e7f7a373eb51e609e1cc476ea887c4f989d02d60ad028db472278
Instruction ID: b949b83da6cfa2557ebe9ce0fbe47d290d8615c3642464d127c63490200cd501
Opcode Fuzzy Hash: 2528300efe1e7f7a373eb51e609e1cc476ea887c4f989d02d60ad028db472278
Instruction Fuzzy Hash: D2C0482930E3C00ECB9303280C688953F7129A31043CE24DA82D586B67E0684905E322

Uniqueness

Uniqueness Score: -1.00%

Function 0310D3B0, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.913178689.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3b8833eca5a2d17b8188ce0455c0223a7a7c48cf1025f2e5aabd1150fc71df2
Instruction ID: 76f55d641e4874882a7ba1336f8ec489b6c922e2166d70c10a5940bd06edaa5b
Opcode Fuzzy Hash: d3b8833eca5a2d17b8188ce0455c0223a7a7c48cf1025f2e5aabd1150fc71df2
Instruction Fuzzy Hash: 38B09B3000430CD78354D655E84A5597758F9062513811115E505450DD9FA56D8187A5

Uniqueness

Uniqueness Score: -1.00%

Function 03102EC0, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.913178689.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa1a10fb828c9ea5abdb63f024771f00b3c338d22aa88cdc8005e8694de99348
Instruction ID: 825f2506e61a20a8a5b008a896915515a88b8a379753581068e062547fb5e155
Opcode Fuzzy Hash: fa1a10fb828c9ea5abdb63f024771f00b3c338d22aa88cdc8005e8694de99348
Instruction Fuzzy Hash: E3B012302443084B6750A6B5680CA12338C464440974404A4980CC0001FA64D0A02240

Uniqueness

Uniqueness Score: -1.00%

Function 0310716C, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.913178689.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9331830965d72d12fcbefa973c87c0cf332396a92bd300e1243d284f656f33ac
Instruction ID: 4e90458a349840f6771323f318a635b9280aaf086cfd61cb0c4ba0741ad6b2b1
Opcode Fuzzy Hash: 9331830965d72d12fcbefa973c87c0cf332396a92bd300e1243d284f656f33ac
Instruction Fuzzy Hash: 85B092B7A04008CADB00CA84F4413EEF720F798225F104023C31052180C37211A48691

Uniqueness

Uniqueness Score: -1.00%

Function 0310F010, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.913178689.0000000003100000.00000040.00000001.sdmp, Offset: 03100000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7c54ef6d2bc0614aa1b2314294ef1ed7b2182feb01993c7abace11db9b702ce
Instruction ID: 7ed7c75e2956c13eca5fc381ff4f089f8a9c0dc9dc0b550644605c5fb30b98e9
Opcode Fuzzy Hash: d7c54ef6d2bc0614aa1b2314294ef1ed7b2182feb01993c7abace11db9b702ce
Instruction Fuzzy Hash: F5B0123454070C87CE9033F5F80801C7B4C0E441007C04411781D47283BEA8A4000A51

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: RegSvcs.exe PID: 4424 Parent PID: 968 RegSvcs.exeCOMMON

Executed Functions

Function 00FCA587, Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

SearchPathW.KERNELBASE(?,00000E2C,?,?), ref: 00FCA63A

Memory Dump Source

Source File: 0000000B.00000002.670099829.0000000000FCA000.00000040.00000001.sdmp, Offset: 00FCA000, based on PE: false

Similarity

API ID: PathSearch
String ID:
API String ID: 2203818243-0
Opcode ID: 8c6acd6d72aba163f6e8702972746c39a55c01341d7fc1b0975400e70908e028
Instruction ID: 5c51178a99c5a90864a7ba449c27cce833f589a33d3dedba05beb381a33aa519
Opcode Fuzzy Hash: 8c6acd6d72aba163f6e8702972746c39a55c01341d7fc1b0975400e70908e028
Instruction Fuzzy Hash: C231AC7240D3C56FD313CB258C61B62BFB4EF47614F0A81DBD8848F193E224A909C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 00FCA4AA, Relevance: 1.6, APIs: 1, Instructions: 79fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,00000E2C,A3F00174,00000000,00000000,00000000,00000000), ref: 00FCA53D

Memory Dump Source

Source File: 0000000B.00000002.670099829.0000000000FCA000.00000040.00000001.sdmp, Offset: 00FCA000, based on PE: false

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 928c6b9e358a953753333d4131a635c106550c312d8afee9c08c4b998778aab0
Instruction ID: b33d4b74c18e2b887aee51e815ba10cea6826324c996efba3c139a92aae73553
Opcode Fuzzy Hash: 928c6b9e358a953753333d4131a635c106550c312d8afee9c08c4b998778aab0
Instruction Fuzzy Hash: 6E219171409384AFD7228F659C45F96BFB8EF06310F0884DBE9849F153D224A408CB72

Uniqueness

Uniqueness Score: -1.00%

Function 00FCA5C6, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

SearchPathW.KERNELBASE(?,00000E2C,?,?), ref: 00FCA63A

Memory Dump Source

Source File: 0000000B.00000002.670099829.0000000000FCA000.00000040.00000001.sdmp, Offset: 00FCA000, based on PE: false

Similarity

API ID: PathSearch
String ID:
API String ID: 2203818243-0
Opcode ID: e1f74bc46446ccce52b68c6da89607c17f6152e7bf0e61c6aa0fbf9e8c0e4b51
Instruction ID: c6f614bf7800796cf19b2847180f6e1cc99629330a1b32853d3904c3db710eea
Opcode Fuzzy Hash: e1f74bc46446ccce52b68c6da89607c17f6152e7bf0e61c6aa0fbf9e8c0e4b51
Instruction Fuzzy Hash: C011E2714042406FD321CF19DC41F72FFF8EF8AA20F0485AAED488B642D230B915CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00FCA4DE, Relevance: 1.6, APIs: 1, Instructions: 60fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,00000E2C,A3F00174,00000000,00000000,00000000,00000000), ref: 00FCA53D

Memory Dump Source

Source File: 0000000B.00000002.670099829.0000000000FCA000.00000040.00000001.sdmp, Offset: 00FCA000, based on PE: false

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: fb66b19e3e67240b0e1a2755f5d4866cb682cd6fd026be9ddc229a8756a4c330
Instruction ID: 0b365c081776e4c5198504982d5d9bfa0952e6954b66ed453260fe5941349828
Opcode Fuzzy Hash: fb66b19e3e67240b0e1a2755f5d4866cb682cd6fd026be9ddc229a8756a4c330
Instruction Fuzzy Hash: ED11C4B2500304AFEB21CF55DD45F56FBA8EF44324F18C86AED459B156D274E404DB72

Uniqueness

Uniqueness Score: -1.00%

Function 00FCA1F4, Relevance: 1.6, APIs: 1, Instructions: 60COMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNELBASE ref: 00FCA269

Memory Dump Source

Source File: 0000000B.00000002.670099829.0000000000FCA000.00000040.00000001.sdmp, Offset: 00FCA000, based on PE: false

Similarity

API ID: ConsoleOutput
String ID:
API String ID: 3985236979-0
Opcode ID: 51366e5d563d50b5d3044b7a4cf551f1ed35e741dbf287a47be5d13afaf7ac05
Instruction ID: 41289b4d4bd29b99f0e2278615dc210bdaef98f5ff0eac29f619aea6cb0223f7
Opcode Fuzzy Hash: 51366e5d563d50b5d3044b7a4cf551f1ed35e741dbf287a47be5d13afaf7ac05
Instruction Fuzzy Hash: 1C21AC7540D3C45FD7138B658C95682BFB4EF07224F0E80DBD8848F1A3D268A909D762

Uniqueness

Uniqueness Score: -1.00%

Function 00FCA5EA, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

SearchPathW.KERNELBASE(?,00000E2C,?,?), ref: 00FCA63A

Memory Dump Source

Source File: 0000000B.00000002.670099829.0000000000FCA000.00000040.00000001.sdmp, Offset: 00FCA000, based on PE: false

Similarity

API ID: PathSearch
String ID:
API String ID: 2203818243-0
Opcode ID: 86e23b99fbfa5fca4c6728bcc59b9a9df2f1b1c19a8983c0fa288a842c8b5512
Instruction ID: ccc8fccb0501ee8a5144b1a1eaa49d9aaa8ce41145405936ed8dbadc5d3e0720
Opcode Fuzzy Hash: 86e23b99fbfa5fca4c6728bcc59b9a9df2f1b1c19a8983c0fa288a842c8b5512
Instruction Fuzzy Hash: C001B171500600AFD310DF1ADC81B36FBA8EB89B20F14852AED088B641E231B915CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00FCA23A, Relevance: 1.5, APIs: 1, Instructions: 34COMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNELBASE ref: 00FCA269

Memory Dump Source

Source File: 0000000B.00000002.670099829.0000000000FCA000.00000040.00000001.sdmp, Offset: 00FCA000, based on PE: false

Similarity

API ID: ConsoleOutput
String ID:
API String ID: 3985236979-0
Opcode ID: 129260566230d1b84a101789595ea86379b3680b4a795f89da68a35c5a759f1e
Instruction ID: a2ba284b776158884270dc6a12756d21e838b3d786fcfebaff7621d17c96b9e5
Opcode Fuzzy Hash: 129260566230d1b84a101789595ea86379b3680b4a795f89da68a35c5a759f1e
Instruction Fuzzy Hash: 1FF0AF319043458FDB20CF5AD985BA1FBA0EF05734F18C0AADD094F656D37AA948DAA2

Uniqueness

Uniqueness Score: -1.00%

Function 00FC23F4, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.670089477.0000000000FC2000.00000040.00000001.sdmp, Offset: 00FC2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c3530f687dbbbff14893a2f4aaea9eb8bad2e4d654e2a661aa095533f944509
Instruction ID: f0bef77982a57b89bcf38745ddc793fe66fc13bf28d426d0264c4c914d66e321
Opcode Fuzzy Hash: 2c3530f687dbbbff14893a2f4aaea9eb8bad2e4d654e2a661aa095533f944509
Instruction Fuzzy Hash: 60D05E79605A924FD32ACA1CC2A9F953BE4EB51B14F4644FDE8008B667C369DA81E200

Uniqueness

Uniqueness Score: -1.00%

Function 00FC23BC, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.670089477.0000000000FC2000.00000040.00000001.sdmp, Offset: 00FC2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f320cfb516dc4bfd6c2111a301cb2ad11783a99123730cb827fe1358392be4d2
Instruction ID: d9e1cad0f7fa838a00c1e89c41cd88b2d4295a2386e9e86d2364433548f67e69
Opcode Fuzzy Hash: f320cfb516dc4bfd6c2111a301cb2ad11783a99123730cb827fe1358392be4d2
Instruction Fuzzy Hash: 2CD05E347002824BC719DB0CC295F5937D4EB41B10F0644ECAC008B266C7A8DC81D600

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: dhcpmon.exe PID: 6812 Parent PID: 968 dhcpmon.exeCOMMON

Executed Functions

Function 0119A587, Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

SearchPathW.KERNELBASE(?,00000E2C,?,?), ref: 0119A63A

Memory Dump Source

Source File: 0000000D.00000002.674252989.000000000119A000.00000040.00000001.sdmp, Offset: 0119A000, based on PE: false

Similarity

API ID: PathSearch
String ID:
API String ID: 2203818243-0
Opcode ID: 7df0d9d1d76d9c4812b4fea12ec9100f587c363f55c6bd568f57b054fb3ad32e
Instruction ID: 80ce36458a918b9f40f7ef8f07357df87f306a69ada6cc3ad17be38fdc2b4033
Opcode Fuzzy Hash: 7df0d9d1d76d9c4812b4fea12ec9100f587c363f55c6bd568f57b054fb3ad32e
Instruction Fuzzy Hash: CB319C7290D3C56FD3138B259C51B62BFB4EF47624F0A81DBD8848F193D224A909C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 0119A4AA, Relevance: 1.6, APIs: 1, Instructions: 79fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,00000E2C,DFA5DB86,00000000,00000000,00000000,00000000), ref: 0119A53D

Memory Dump Source

Source File: 0000000D.00000002.674252989.000000000119A000.00000040.00000001.sdmp, Offset: 0119A000, based on PE: false

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: b7480491f26cf87ab97ef86d794901bea1a5dc4ba2fa9a50457d011cda87441b
Instruction ID: b3580924b7fcc4f7d8521b16ce1142c7a4798eb39d8a0f0c14374b1d15d5cd2a
Opcode Fuzzy Hash: b7480491f26cf87ab97ef86d794901bea1a5dc4ba2fa9a50457d011cda87441b
Instruction Fuzzy Hash: 64216D71409380AFEB228F659C44F96BFB8EF06310F0885DBE9849F153D264A509CB72

Uniqueness

Uniqueness Score: -1.00%

Function 0119A5C6, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

SearchPathW.KERNELBASE(?,00000E2C,?,?), ref: 0119A63A

Memory Dump Source

Source File: 0000000D.00000002.674252989.000000000119A000.00000040.00000001.sdmp, Offset: 0119A000, based on PE: false

Similarity

API ID: PathSearch
String ID:
API String ID: 2203818243-0
Opcode ID: de22c86084965f550fa24d8616fd644a8ae2fce3feec4e225c98706b7930d5df
Instruction ID: 13a87d8d514c9f96d78f4b594cd90f7a51ae7b309c4e3ecfb7edb5329d8deb1c
Opcode Fuzzy Hash: de22c86084965f550fa24d8616fd644a8ae2fce3feec4e225c98706b7930d5df
Instruction Fuzzy Hash: 6811E271404240AFD321CF15DC41F62BFB8EF8AA20F0585AAED489B642D234B915CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0119A4DE, Relevance: 1.6, APIs: 1, Instructions: 60fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,00000E2C,DFA5DB86,00000000,00000000,00000000,00000000), ref: 0119A53D

Memory Dump Source

Source File: 0000000D.00000002.674252989.000000000119A000.00000040.00000001.sdmp, Offset: 0119A000, based on PE: false

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 971cd57ba33f7165043d0c746d72256d43a1460102d4a69cae211a83eebba0b4
Instruction ID: b7f657bd22959d3a3de50328e21d1c7fa25eb988bff5111a3573dd6650edc398
Opcode Fuzzy Hash: 971cd57ba33f7165043d0c746d72256d43a1460102d4a69cae211a83eebba0b4
Instruction Fuzzy Hash: F7118F71500304AFEB22CF59EC84F6AFBA8EF44720F14846AED459B656D774E408CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 0119A1F4, Relevance: 1.6, APIs: 1, Instructions: 60COMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNELBASE ref: 0119A269

Memory Dump Source

Source File: 0000000D.00000002.674252989.000000000119A000.00000040.00000001.sdmp, Offset: 0119A000, based on PE: false

Similarity

API ID: ConsoleOutput
String ID:
API String ID: 3985236979-0
Opcode ID: 18fbdb304ccb2d0ac3b0e2fad3a10580e053e59a2d89eda9090fcd9425ef34b6
Instruction ID: 81d4ef8ebbf8bbab93c4cf9bf6323bebd0dba046660e4a4532f17ee36b7f2aa3
Opcode Fuzzy Hash: 18fbdb304ccb2d0ac3b0e2fad3a10580e053e59a2d89eda9090fcd9425ef34b6
Instruction Fuzzy Hash: 33216A7540E7C05FD7138B659C95692BFB4EF07220F0E80DBD9848F2A3D269A909C762

Uniqueness

Uniqueness Score: -1.00%

Function 0119A5EA, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

SearchPathW.KERNELBASE(?,00000E2C,?,?), ref: 0119A63A

Memory Dump Source

Source File: 0000000D.00000002.674252989.000000000119A000.00000040.00000001.sdmp, Offset: 0119A000, based on PE: false

Similarity

API ID: PathSearch
String ID:
API String ID: 2203818243-0
Opcode ID: ac606bef1c67ae3992acd476edb29c26d50e68b969cadbb7b0460a0aa551bca4
Instruction ID: 11045864b737041b5dd2f680cee31ee1082b62afab7e57059eb8ec762812d06a
Opcode Fuzzy Hash: ac606bef1c67ae3992acd476edb29c26d50e68b969cadbb7b0460a0aa551bca4
Instruction Fuzzy Hash: 6801B171900600AFD310DF1ADC85B26FBA8FB88B20F14852AED089B741D231B915CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0119A23A, Relevance: 1.5, APIs: 1, Instructions: 34COMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNELBASE ref: 0119A269

Memory Dump Source

Source File: 0000000D.00000002.674252989.000000000119A000.00000040.00000001.sdmp, Offset: 0119A000, based on PE: false

Similarity

API ID: ConsoleOutput
String ID:
API String ID: 3985236979-0
Opcode ID: 35752b6466f44c125260bd7ffff1d06de0cc77abfbc24e2ef15bb18ec53b26a1
Instruction ID: 79df66321ee1d90e5a93df732bd54736f679a2110e8bed0c75cf633358d37c24
Opcode Fuzzy Hash: 35752b6466f44c125260bd7ffff1d06de0cc77abfbc24e2ef15bb18ec53b26a1
Instruction Fuzzy Hash: 49F0A9309043448FDB248F0AE984761FBA0EF04620F18C0EADD094F646E37AA448CAA2

Uniqueness

Uniqueness Score: -1.00%

Function 02A2025D, Relevance: .5, Instructions: 458COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.674392045.0000000002A20000.00000040.00000040.sdmp, Offset: 02A20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb590fbc9181b5df0305a23415491d6a72362d425b18252f5fe20390e40a072d
Instruction ID: 945ec13a87e555791ef1f24e5de15becc938ad2660e5078eb4dc646bfc54f1a0
Opcode Fuzzy Hash: fb590fbc9181b5df0305a23415491d6a72362d425b18252f5fe20390e40a072d
Instruction Fuzzy Hash: E131046654E3C15FD7038B359C249A2BFB89F43220B0E81DBD885CF5A3D229980DC772

Uniqueness

Uniqueness Score: -1.00%

Function 02A205CF, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.674392045.0000000002A20000.00000040.00000040.sdmp, Offset: 02A20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37a54182fbe33bf2ec22a73e1c83de3db1b4e3e364567cb6e7e433252512c5ea
Instruction ID: 4914ee0af384d7d322fd548165c2631f950a76326e95bd925a30236525adc9bf
Opcode Fuzzy Hash: 37a54182fbe33bf2ec22a73e1c83de3db1b4e3e364567cb6e7e433252512c5ea
Instruction Fuzzy Hash: 8B018B765097806FD7118F16DC44C73FFB8EE46630719C19FEC89CB612D225A909CB61

Uniqueness

Uniqueness Score: -1.00%

Function 02A205AF, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.674392045.0000000002A20000.00000040.00000040.sdmp, Offset: 02A20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 247d3b5afb2fe70aed6fae0354191d38fdd68d607485f011e41bbb1c5dc3b4c1
Instruction ID: 6c444212b4ff6f17b18d94cbe99777b2cc505a3bff25a0cf862808f738b59148
Opcode Fuzzy Hash: 247d3b5afb2fe70aed6fae0354191d38fdd68d607485f011e41bbb1c5dc3b4c1
Instruction Fuzzy Hash: 73F0A9755086406FD711CF0AEC41CA6FFE8EB85630B14C46FEC499B611D236F504CB65

Uniqueness

Uniqueness Score: -1.00%

Function 02A205BF, Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.674392045.0000000002A20000.00000040.00000040.sdmp, Offset: 02A20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0a1cf94cddbf06bf5c0c919b9d9b44aa89d5e9631a9f76811968975ebf2a5df
Instruction ID: 1e00826e4583e31f648bf57ba3f9c0b2147b30bb9d31c71fb3c27704c44a1a6d
Opcode Fuzzy Hash: d0a1cf94cddbf06bf5c0c919b9d9b44aa89d5e9631a9f76811968975ebf2a5df
Instruction Fuzzy Hash: 71F0B4726046409BDB10CF0AEC419A2FBE4EB84630B14C46BDC4997701D236F505CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 02A205F6, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.674392045.0000000002A20000.00000040.00000040.sdmp, Offset: 02A20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad8b23df54b0a307dee771fd1693d2a165b2fe31e52ee31b417d07f012c439f5
Instruction ID: 353cdc80fd1b1ac81b7df742052a28d6b05eae89275d5423ed8e3c3541e609d8
Opcode Fuzzy Hash: ad8b23df54b0a307dee771fd1693d2a165b2fe31e52ee31b417d07f012c439f5
Instruction Fuzzy Hash: D9E09276A046005BD650CF0AEC81852FBD8EB84630718C07FDC0D8B700E539F504CEA5

Uniqueness

Uniqueness Score: -1.00%

Function 011923F4, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.674246285.0000000001192000.00000040.00000001.sdmp, Offset: 01192000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47908444b5c20e71b86537c30cd7bc42ab5ef6c0205c2dcad9fb3567df5ef716
Instruction ID: 4108e233b04c4a7914c51e500dfdd771935f62eff7ed5c3ad91e33cbed070d7e
Opcode Fuzzy Hash: 47908444b5c20e71b86537c30cd7bc42ab5ef6c0205c2dcad9fb3567df5ef716
Instruction Fuzzy Hash: F9D05E79305A915FE72A8A1CC1A8B953FE4BB61B04F5644F9E8008B667C369D681D200

Uniqueness

Uniqueness Score: -1.00%

Function 011923BC, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.674246285.0000000001192000.00000040.00000001.sdmp, Offset: 01192000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8dd4325d6e8757273d9b8654d2f96f397d253817d50f739e2456c93b4e0dd8c
Instruction ID: 77983b5756651ad9872752684db1ab9fb630c140f0162a4d397afd4045c0d9a5
Opcode Fuzzy Hash: f8dd4325d6e8757273d9b8654d2f96f397d253817d50f739e2456c93b4e0dd8c
Instruction Fuzzy Hash: 75D05E342042814BDB19DB0CC194F593BD4AB45B00F0644E8AD108B266C7B4E981C600

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: dhcpmon.exe PID: 6560 Parent PID: 3424 dhcpmon.exeCOMMON

Executed Functions

Function 00D7A4AA, Relevance: 1.6, APIs: 1, Instructions: 79fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,00000E2C,CB0906CC,00000000,00000000,00000000,00000000), ref: 00D7A53D

Memory Dump Source

Source File: 00000010.00000002.687777929.0000000000D7A000.00000040.00000001.sdmp, Offset: 00D7A000, based on PE: false

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 8e20589258101e8bbb67f1afe1ee5195d0ddbdcb79065b7482dea08249e18e23
Instruction ID: 5d6133c24073d730f8a86d81a0161bb29c58f49a8c34c861da8f6a918eeb0000
Opcode Fuzzy Hash: 8e20589258101e8bbb67f1afe1ee5195d0ddbdcb79065b7482dea08249e18e23
Instruction Fuzzy Hash: 24218371409380AFE7228F65DC44F96BFB8EF46310F0884DBE9849F153D265A509CB72

Uniqueness

Uniqueness Score: -1.00%

Function 00D7A336, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 00D7A39C

Memory Dump Source

Source File: 00000010.00000002.687777929.0000000000D7A000.00000040.00000001.sdmp, Offset: 00D7A000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 149634db06e13b7475bdf91d567dfea2ee629b041f29299d600d0ff94fbd8a4c
Instruction ID: 282da370901e141eb99128742df4ca1b3775b9d4e70a2056070df5295215d148
Opcode Fuzzy Hash: 149634db06e13b7475bdf91d567dfea2ee629b041f29299d600d0ff94fbd8a4c
Instruction Fuzzy Hash: 41216D715093C09FD7128F65DC45656BFB4EF46220F0984EBED89CF163D279A848CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00D7A1F4, Relevance: 1.6, APIs: 1, Instructions: 60COMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNELBASE ref: 00D7A269

Memory Dump Source

Source File: 00000010.00000002.687777929.0000000000D7A000.00000040.00000001.sdmp, Offset: 00D7A000, based on PE: false

Similarity

API ID: ConsoleOutput
String ID:
API String ID: 3985236979-0
Opcode ID: 26a7d6662d188b10d116bc0fba5095aae760de0e3f87a51d0c73af25e1bf25d0
Instruction ID: 08b24dae3783cc7c02b9e2180309aae302625eb5574e31820eab7fd4232bedfd
Opcode Fuzzy Hash: 26a7d6662d188b10d116bc0fba5095aae760de0e3f87a51d0c73af25e1bf25d0
Instruction Fuzzy Hash: 6D21A97540E3C05FD7138B259C94686BFB4EF43220F0E80DBD9848F2A3D269A909CB72

Uniqueness

Uniqueness Score: -1.00%

Function 00D7A4DE, Relevance: 1.6, APIs: 1, Instructions: 60fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,00000E2C,CB0906CC,00000000,00000000,00000000,00000000), ref: 00D7A53D

Memory Dump Source

Source File: 00000010.00000002.687777929.0000000000D7A000.00000040.00000001.sdmp, Offset: 00D7A000, based on PE: false

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 74165fe8c58f67f48696dfd639d70a055f3088ad04b4a3af9393cfa4d38495ca
Instruction ID: 68c3a04a73a7e99e38c1606f33fde19207dc9d4ff84f122e0e00bcc9643b9662
Opcode Fuzzy Hash: 74165fe8c58f67f48696dfd639d70a055f3088ad04b4a3af9393cfa4d38495ca
Instruction Fuzzy Hash: 7F11C471500300AFEB21CF59DC44F5AFBA8EF44320F14C46AED899B155D274E404CB72

Uniqueness

Uniqueness Score: -1.00%

Function 00D7A36A, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 00D7A39C

Memory Dump Source

Source File: 00000010.00000002.687777929.0000000000D7A000.00000040.00000001.sdmp, Offset: 00D7A000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: da5b15a98dab457295f66fbf0a7feb74b3c555e8bdddd47cb733f82c3355b662
Instruction ID: e77728e8dea63acdc16d549dfeeb1769d5a7632c91b2b1aa9888b158a3fec95f
Opcode Fuzzy Hash: da5b15a98dab457295f66fbf0a7feb74b3c555e8bdddd47cb733f82c3355b662
Instruction Fuzzy Hash: 37018475504340CFDB208F59D88475AFB94DF44321F18C4ABDD498F656E775D404DA72

Uniqueness

Uniqueness Score: -1.00%

Function 00D7A23A, Relevance: 1.5, APIs: 1, Instructions: 34COMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNELBASE ref: 00D7A269

Memory Dump Source

Source File: 00000010.00000002.687777929.0000000000D7A000.00000040.00000001.sdmp, Offset: 00D7A000, based on PE: false

Similarity

API ID: ConsoleOutput
String ID:
API String ID: 3985236979-0
Opcode ID: 153ca4aff53cbd379dd9c50630362d43e513e7c7956b8e08672fe3c49b4cc756
Instruction ID: da63705ce63f7395bb1a5a1198c32da3051b25e72f4135923b2b950deaf4fdb9
Opcode Fuzzy Hash: 153ca4aff53cbd379dd9c50630362d43e513e7c7956b8e08672fe3c49b4cc756
Instruction Fuzzy Hash: A3F0AF309043408FDB108F0AD884765FBA4EF44720F18D0AADD494F656E37AE844CAB6

Uniqueness

Uniqueness Score: -1.00%

Function 00D72477, Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.687772219.0000000000D72000.00000040.00000001.sdmp, Offset: 00D72000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb0cf599f49f4af70506ccaadfbbd4e6792407bde647ae7b0da61a10be805c66
Instruction ID: fbe4d410bd2e337c5d7ef96c440179ec011448c6ea0ba8862ecd10ed75ef7d59
Opcode Fuzzy Hash: eb0cf599f49f4af70506ccaadfbbd4e6792407bde647ae7b0da61a10be805c66
Instruction Fuzzy Hash: 1A515A6691E3C25FDB03463858366A4BFB19F63721B4E80CBD488CF1E3E1595989C372

Uniqueness

Uniqueness Score: -1.00%

Function 00DB05CF, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.687816987.0000000000DB0000.00000040.00000040.sdmp, Offset: 00DB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c6f5f53a19bf05c0eb6cbca0bd4881a6bc30b8f07ddb87fc87ddca2ae33120d
Instruction ID: 369c5a6f36149295a2b3dee75dd023fc5db37fda095920b87c0605f6a25a9e54
Opcode Fuzzy Hash: 6c6f5f53a19bf05c0eb6cbca0bd4881a6bc30b8f07ddb87fc87ddca2ae33120d
Instruction Fuzzy Hash: 9601DBB150D3806FD7118B15EC40862FFB8DA86620709C09FEC89CB652D125A904CB75

Uniqueness

Uniqueness Score: -1.00%

Function 00DB05F6, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.687816987.0000000000DB0000.00000040.00000040.sdmp, Offset: 00DB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 162931b253725957cd5793e18a20144ba2d8cc47d2cd295f837e51f5518899cb
Instruction ID: aca9888b4b2ada083261ad8a2b7bbc27530cf04d48eb6430207d9c697da73f99
Opcode Fuzzy Hash: 162931b253725957cd5793e18a20144ba2d8cc47d2cd295f837e51f5518899cb
Instruction Fuzzy Hash: 44E092B6A006005BD650DF0AFC41452FBE8EB84630718C07FDC4D8B711E636F504CEA5

Uniqueness

Uniqueness Score: -1.00%

Function 00D723F4, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.687772219.0000000000D72000.00000040.00000001.sdmp, Offset: 00D72000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 092bad21c1b312a9224dcc449329af1f6a863d229b64dae8b3db38b32fafcef2
Instruction ID: 36253d137d9d952d74320bf4a220f95f3241435a99690d838bde1c45469c2549
Opcode Fuzzy Hash: 092bad21c1b312a9224dcc449329af1f6a863d229b64dae8b3db38b32fafcef2
Instruction Fuzzy Hash: 8ED05E79205AD18FD3268A1CC1A9BA53BD4AB61B08F4A84F9E8008B667C369DA81D210

Uniqueness

Uniqueness Score: -1.00%

Function 00D723BC, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.687772219.0000000000D72000.00000040.00000001.sdmp, Offset: 00D72000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fef9c56ed9d249c09c8140cb85b45c7301d923456b19ab96e73234b2cdc2d935
Instruction ID: 6197d4eb61ff6fdd1316da38c0919f445c3aa51ac3f9b9c7bed08f3ba1142fee
Opcode Fuzzy Hash: fef9c56ed9d249c09c8140cb85b45c7301d923456b19ab96e73234b2cdc2d935
Instruction Fuzzy Hash: 92D05E342006814BC715DB0CC194F6937D4AB41B00F0A84ECAC008B666C7A9DC81C610

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries.
Tactics:	Command and Control
Data Sources:	Network intrusion detection system, Network protocol analysis, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report QTxFuxF5NQ.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre