Play interactive tour

Edit tour

Analysis Report Y5XyMnx8Ng.exe

Overview

General Information

Sample Name:	Y5XyMnx8Ng.exe
Analysis ID:	357424
MD5:	5bd6a6dbda26ada813c6f60fdfc7ba70
SHA1:	20d05385be36213404ca178bf15e39d0587dd73f
SHA256:	205f2ef71a4a099b8cac6b0df7be7d04f5ca0c65e31fb1c00158f656cf2785c3
Tags:	exeNanoCoreRAT
Infos:
Most interesting Screenshot:

Detection

Nanocore

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected Nanocore Rat

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: NanoCore

Sigma detected: Scheduled temp file as task from temp location

Yara detected AntiVM_3

Yara detected Nanocore RAT

.NET source code contains potential unpacker

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Connects to many ports of the same IP (likely port scanning)

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Protects its processes via BreakOnTermination flag

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses dynamic DNS services

Uses schtasks.exe or at.exe to add and modify task schedules

Writes to foreign memory regions

Antivirus or Machine Learning detection for unpacked file

Contains capabilities to detect virtual machines

Contains functionality to call native functions

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains long sleeps (>= 3 min)

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

IP address seen in connection with other malware

Installs a raw input device (often for capturing keystrokes)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Startup

System is w10x64

Y5XyMnx8Ng.exe (PID: 6372 cmdline: 'C:\Users\user\Desktop\Y5XyMnx8Ng.exe' MD5: 5BD6A6DBDA26ADA813C6F60FDFC7BA70)

schtasks.exe (PID: 5812 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\LbSNAHQmeXYAoG' /XML 'C:\Users\user\AppData\Local\Temp\tmp8EF2.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 3180 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

RegSvcs.exe (PID: 5464 cmdline: {path} MD5: 71369277D09DA0830C8C59F9E22BB23A)

schtasks.exe (PID: 6292 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp3911.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 6036 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

schtasks.exe (PID: 6352 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp3C8D.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 1968 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

RegSvcs.exe (PID: 6384 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe 0 MD5: 71369277D09DA0830C8C59F9E22BB23A)

conhost.exe (PID: 2172 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

dhcpmon.exe (PID: 6200 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0 MD5: 71369277D09DA0830C8C59F9E22BB23A)

conhost.exe (PID: 5828 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

dhcpmon.exe (PID: 6404 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: 71369277D09DA0830C8C59F9E22BB23A)

conhost.exe (PID: 5680 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "572eb7a9-aedf-4b39-8669-f7563dab8a38", "Group": "GREAT", "Domain1": "strongodss.ddns.net", "Domain2": "79.134.225.43", "Port": 58103, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Enable", "SetCriticalProcess": "Enable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Enable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8009, "BufferSize": "02000100", "MaxPacketSize": "", "GCThreshold": "", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n  <RegistrationInfo />\r\n  <Triggers />\r\n  <Principals>\r\n    <Principal id=\"Author\">\r\n      <LogonType>InteractiveToken</LogonType>\r\n      <RunLevel>HighestAvailable</RunLevel>\r\n    </Principal>\r\n  </Principals>\r\n  <Settings>\r\n    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n    <AllowHardTerminate>true</AllowHardTerminate>\r\n    <StartWhenAvailable>false</StartWhenAvailable>\r\n    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n    <IdleSettings>\r\n      <StopOnIdleEnd>false</StopOnIdleEnd>\r\n      <RestartOnIdle>false</RestartOnIdle>\r\n    </IdleSettings>\r\n    <AllowStartOnDemand>true</AllowStartOnDemand>\r\n    <Enabled>true</Enabled>\r\n    <Hidden>false</Hidden>\r\n    <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n    <WakeToRun>false</WakeToRun>\r\n    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n    <Priority>4</Priority>\r\n  </Settings>\r\n  <Actions Context=\"Author\">\r\n    <Exec>\r\n      <Command>\"#EXECUTABLEPATH\"</Command>\r\n      <Arguments>$(Arg0)</Arguments>\r\n    </Exec>\r\n  </Actions>\r\n</Task"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000008.00000002.494335612.0000000005710000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
00000008.00000002.494335612.0000000005710000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
00000008.00000002.494335612.0000000005710000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000008.00000002.483906093.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000008.00000002.483906093.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000008.00000002.483906093.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000000.00000002.273575013.0000000003C11000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x10072d:$x1: NanoCore.ClientPluginHost 0x10076a:$x2: IClientNetworkHost 0x10429d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.273575013.0000000003C11000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.273575013.0000000003C11000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x100495:$a: NanoCore 0x1004a5:$a: NanoCore 0x1006d9:$a: NanoCore 0x1006ed:$a: NanoCore 0x10072d:$a: NanoCore 0x1004f4:$b: ClientPlugin 0x1006f6:$b: ClientPlugin 0x100736:$b: ClientPlugin 0x10061b:$c: ProjectData 0x101022:$d: DESCrypto 0x1089ee:$e: KeepAlive 0x1069dc:$g: LogClientMessage 0x102bd7:$i: get_Connected 0x101358:$j: #=q 0x101388:$j: #=q 0x1013a4:$j: #=q 0x1013d4:$j: #=q 0x1013f0:$j: #=q 0x10140c:$j: #=q 0x10143c:$j: #=q 0x101458:$j: #=q
00000000.00000002.274362960.00000000040F1000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x44fed:$x1: NanoCore.ClientPluginHost 0x4502a:$x2: IClientNetworkHost 0x48b5d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.274362960.00000000040F1000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.274362960.00000000040F1000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x44d55:$a: NanoCore 0x44d65:$a: NanoCore 0x44f99:$a: NanoCore 0x44fad:$a: NanoCore 0x44fed:$a: NanoCore 0x44db4:$b: ClientPlugin 0x44fb6:$b: ClientPlugin 0x44ff6:$b: ClientPlugin 0x44edb:$c: ProjectData 0x458e2:$d: DESCrypto 0x4d2ae:$e: KeepAlive 0x4b29c:$g: LogClientMessage 0x47497:$i: get_Connected 0x45c18:$j: #=q 0x45c48:$j: #=q 0x45c64:$j: #=q 0x45c94:$j: #=q 0x45cb0:$j: #=q 0x45ccc:$j: #=q 0x45cfc:$j: #=q 0x45d18:$j: #=q
00000008.00000002.492975177.0000000003BBB000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000008.00000002.492975177.0000000003BBB000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x14a7d:$a: NanoCore 0x14ad6:$a: NanoCore 0x14b13:$a: NanoCore 0x14b8c:$a: NanoCore 0x1a121:$a: NanoCore 0x1a16b:$a: NanoCore 0x1a355:$a: NanoCore 0x2dc74:$a: NanoCore 0x2dc89:$a: NanoCore 0x2dcbe:$a: NanoCore 0x46c13:$a: NanoCore 0x46c28:$a: NanoCore 0x46c5d:$a: NanoCore 0x14adf:$b: ClientPlugin 0x14b1c:$b: ClientPlugin 0x1541a:$b: ClientPlugin 0x15427:$b: ClientPlugin 0x19eba:$b: ClientPlugin 0x1a12a:$b: ClientPlugin 0x1a174:$b: ClientPlugin 0x2da30:$b: ClientPlugin
00000008.00000002.494301167.0000000005700000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1646:$x1: NanoCore.ClientPluginHost
00000008.00000002.494301167.0000000005700000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1646:$x2: NanoCore.ClientPluginHost 0x1724:$s4: PipeCreated 0x1660:$s5: IClientLoggingHost
00000008.00000002.493799082.0000000004E80000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
00000008.00000002.493799082.0000000004E80000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
Process Memory Space: RegSvcs.exe PID: 5464	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x681d8:$x1: NanoCore.ClientPluginHost 0x6a874:$x1: NanoCore.ClientPluginHost 0xfbae6:$x1: NanoCore.ClientPluginHost 0x1a37bb:$x1: NanoCore.ClientPluginHost 0x261fb4:$x1: NanoCore.ClientPluginHost 0x26462f:$x1: NanoCore.ClientPluginHost 0x26a25c:$x1: NanoCore.ClientPluginHost 0x27b583:$x1: NanoCore.ClientPluginHost 0x29b06e:$x1: NanoCore.ClientPluginHost 0x2a9da0:$x1: NanoCore.ClientPluginHost 0x681fe:$x2: IClientNetworkHost 0xfbb2b:$x2: IClientNetworkHost 0x1a381c:$x2: IClientNetworkHost 0x261fda:$x2: IClientNetworkHost 0x26a2a1:$x2: IClientNetworkHost 0x27b5c8:$x2: IClientNetworkHost 0x2a9dc6:$x2: IClientNetworkHost 0x1a8c21:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x1b6b93:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: RegSvcs.exe PID: 5464	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: RegSvcs.exe PID: 5464	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x680ca:$a: NanoCore 0x6816b:$a: NanoCore 0x681d8:$a: NanoCore 0x68299:$a: NanoCore 0x6916a:$a: NanoCore 0x691bd:$a: NanoCore 0x691f6:$a: NanoCore 0x69269:$a: NanoCore 0x6a874:$a: NanoCore 0x6a8ee:$a: NanoCore 0x6ac5a:$a: NanoCore 0x6b718:$a: NanoCore 0x6b75e:$a: NanoCore 0x6b925:$a: NanoCore 0xfba60:$a: NanoCore 0xfba8d:$a: NanoCore 0xfbae6:$a: NanoCore 0x1032f5:$a: NanoCore 0x103308:$a: NanoCore 0x10333a:$a: NanoCore 0x15df38:$a: NanoCore
Process Memory Space: Y5XyMnx8Ng.exe PID: 6372	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x558109:$x1: NanoCore.ClientPluginHost 0x55816a:$x2: IClientNetworkHost 0x55d56f:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x56b4e1:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: Y5XyMnx8Ng.exe PID: 6372	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: Y5XyMnx8Ng.exe PID: 6372	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: Y5XyMnx8Ng.exe PID: 6372	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x557c0e:$a: NanoCore 0x557c2a:$a: NanoCore 0x557d85:$a: NanoCore 0x557d94:$a: NanoCore 0x55806d:$a: NanoCore 0x558099:$a: NanoCore 0x558109:$a: NanoCore 0x567b4b:$a: NanoCore 0x567b5d:$a: NanoCore 0x567b99:$a: NanoCore 0x557cb5:$b: ClientPlugin 0x557dde:$b: ClientPlugin 0x5580a2:$b: ClientPlugin 0x558112:$b: ClientPlugin 0x567b66:$b: ClientPlugin 0x567ba2:$b: ClientPlugin 0x3000c1:$c: ProjectData 0x301cad:$c: ProjectData 0x557f2b:$c: ProjectData 0x567a98:$c: ProjectData 0xbfd221:$c: ProjectData
Click to see the 20 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
8.2.RegSvcs.exe.3bcec9e.5.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x4083:$x1: NanoCore.ClientPluginHost
8.2.RegSvcs.exe.3bcec9e.5.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x4083:$x2: NanoCore.ClientPluginHost 0x4161:$s4: PipeCreated 0x409d:$s5: IClientLoggingHost
8.2.RegSvcs.exe.2b91488.3.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x40c2:$x1: NanoCore.ClientPluginHost
8.2.RegSvcs.exe.2b91488.3.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x40c2:$x2: NanoCore.ClientPluginHost 0x41a0:$s4: PipeCreated 0x40dc:$s5: IClientLoggingHost
8.2.RegSvcs.exe.5700000.9.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1646:$x1: NanoCore.ClientPluginHost
8.2.RegSvcs.exe.5700000.9.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1646:$x2: NanoCore.ClientPluginHost 0x1724:$s4: PipeCreated 0x1660:$s5: IClientLoggingHost
8.2.RegSvcs.exe.5710000.11.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
8.2.RegSvcs.exe.5710000.11.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
8.2.RegSvcs.exe.5710000.11.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
8.2.RegSvcs.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
8.2.RegSvcs.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
8.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
8.2.RegSvcs.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
8.2.RegSvcs.exe.4e80000.7.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
8.2.RegSvcs.exe.4e80000.7.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
8.2.RegSvcs.exe.5710000.11.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
8.2.RegSvcs.exe.5710000.11.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
8.2.RegSvcs.exe.5710000.11.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.Y5XyMnx8Ng.exe.4125e60.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.Y5XyMnx8Ng.exe.4125e60.2.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
0.2.Y5XyMnx8Ng.exe.4125e60.2.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.Y5XyMnx8Ng.exe.4125e60.2.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
8.2.RegSvcs.exe.2b96304.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1646:$x1: NanoCore.ClientPluginHost
8.2.RegSvcs.exe.2b96304.2.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1646:$x2: NanoCore.ClientPluginHost 0x1724:$s4: PipeCreated 0x1660:$s5: IClientLoggingHost
8.2.RegSvcs.exe.3bd9511.6.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
8.2.RegSvcs.exe.3bd9511.6.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
8.2.RegSvcs.exe.3bd9511.6.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
8.2.RegSvcs.exe.5714629.10.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost
8.2.RegSvcs.exe.5714629.10.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost
8.2.RegSvcs.exe.5714629.10.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
8.2.RegSvcs.exe.3bd9511.6.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0x2874c:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost 0x28779:$x2: IClientNetworkHost
8.2.RegSvcs.exe.3bd9511.6.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x2874c:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0x29827:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost 0x28766:$s5: IClientLoggingHost
8.2.RegSvcs.exe.3bd9511.6.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.Y5XyMnx8Ng.exe.4125e60.2.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.Y5XyMnx8Ng.exe.4125e60.2.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
0.2.Y5XyMnx8Ng.exe.4125e60.2.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.Y5XyMnx8Ng.exe.4125e60.2.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
8.2.RegSvcs.exe.3bcec9e.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0x6483:$x1: NanoCore.ClientPluginHost 0x1a020:$x1: NanoCore.ClientPluginHost 0x32fbf:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost 0x1a04d:$x2: IClientNetworkHost 0x32fec:$x2: IClientNetworkHost
8.2.RegSvcs.exe.3bcec9e.5.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x6483:$x2: NanoCore.ClientPluginHost 0x1a020:$x2: NanoCore.ClientPluginHost 0x32fbf:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0x6561:$s4: PipeCreated 0x1b0fb:$s4: PipeCreated 0x3409a:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost 0x649d:$s5: IClientLoggingHost 0x1a03a:$s5: IClientLoggingHost 0x32fd9:$s5: IClientLoggingHost
8.2.RegSvcs.exe.3bcec9e.5.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
8.2.RegSvcs.exe.3bcec9e.5.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xddf:$a: NanoCore 0xe38:$a: NanoCore 0xe75:$a: NanoCore 0xeee:$a: NanoCore 0x6483:$a: NanoCore 0x64cd:$a: NanoCore 0x66b7:$a: NanoCore 0x19fd6:$a: NanoCore 0x19feb:$a: NanoCore 0x1a020:$a: NanoCore 0x32f75:$a: NanoCore 0x32f8a:$a: NanoCore 0x32fbf:$a: NanoCore 0xe41:$b: ClientPlugin 0xe7e:$b: ClientPlugin 0x177c:$b: ClientPlugin 0x1789:$b: ClientPlugin 0x621c:$b: ClientPlugin 0x648c:$b: ClientPlugin 0x64d6:$b: ClientPlugin 0x19d92:$b: ClientPlugin
8.2.RegSvcs.exe.3bd3adb.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1646:$x1: NanoCore.ClientPluginHost 0x151e3:$x1: NanoCore.ClientPluginHost 0x2e182:$x1: NanoCore.ClientPluginHost 0x15210:$x2: IClientNetworkHost 0x2e1af:$x2: IClientNetworkHost
8.2.RegSvcs.exe.3bd3adb.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1646:$x2: NanoCore.ClientPluginHost 0x151e3:$x2: NanoCore.ClientPluginHost 0x2e182:$x2: NanoCore.ClientPluginHost 0x1724:$s4: PipeCreated 0x162be:$s4: PipeCreated 0x2f25d:$s4: PipeCreated 0x1660:$s5: IClientLoggingHost 0x151fd:$s5: IClientLoggingHost 0x2e19c:$s5: IClientLoggingHost
8.2.RegSvcs.exe.3bd3adb.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
8.2.RegSvcs.exe.3bd3adb.4.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1646:$a: NanoCore 0x1690:$a: NanoCore 0x187a:$a: NanoCore 0x15199:$a: NanoCore 0x151ae:$a: NanoCore 0x151e3:$a: NanoCore 0x2e138:$a: NanoCore 0x2e14d:$a: NanoCore 0x2e182:$a: NanoCore 0x13df:$b: ClientPlugin 0x164f:$b: ClientPlugin 0x1699:$b: ClientPlugin 0x14f55:$b: ClientPlugin 0x14f70:$b: ClientPlugin 0x14fa0:$b: ClientPlugin 0x151b7:$b: ClientPlugin 0x151ec:$b: ClientPlugin 0x2def4:$b: ClientPlugin 0x2df0f:$b: ClientPlugin 0x2df3f:$b: ClientPlugin 0x2e156:$b: ClientPlugin
8.2.RegSvcs.exe.2b91488.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0x64c2:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
8.2.RegSvcs.exe.2b91488.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x64c2:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0x65a0:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost 0x64dc:$s5: IClientLoggingHost
Click to see the 42 entries

Sigma Overview

System Summary:

Sigma detected: NanoCore

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, ProcessId: 5464, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Sigma detected: Scheduled temp file as task from temp location

Show sources

Source: Process started

Author: Joe Security: Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\LbSNAHQmeXYAoG' /XML 'C:\Users\user\AppData\Local\Temp\tmp8EF2.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\LbSNAHQmeXYAoG' /XML 'C:\Users\user\AppData\Local\Temp\tmp8EF2.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\Y5XyMnx8Ng.exe' , ParentImage: C:\Users\user\Desktop\Y5XyMnx8Ng.exe, ParentProcessId: 6372, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\LbSNAHQmeXYAoG' /XML 'C:\Users\user\AppData\Local\Temp\tmp8EF2.tmp', ProcessId: 5812

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 00000008.00000002.492975177.0000000003BBB000.00000004.00000001.sdmp

Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "572eb7a9-aedf-4b39-8669-f7563dab8a38", "Group": "GREAT", "Domain1": "strongodss.ddns.net", "Domain2": "79.134.225.43", "Port": 58103, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Enable", "SetCriticalProcess": "Enable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Enable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8009, "BufferSize": "02000100", "MaxPacketSize": "", "GCThreshold": "", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n <RegistrationInfo />\r\n <Triggers />\r\n <Principals>\r\n <Principal id=\"Author\">\r\n <LogonType>InteractiveToken</LogonType>\r\n <RunLevel>HighestAvailable</RunLevel>\r\n </Principal>\r\n </Principals>\r\n <Settings>\r\n <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n <AllowHardTerminate>true</AllowHardTerminate>\r\n <StartWhenAvailable>false</StartWhenAvailable>\r\n <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n <IdleSettings>\r\n <StopOnIdleEnd>false</StopOnIdleEnd>\r\n <RestartOnIdle>false</RestartOnIdle>\r\n </IdleSettings>\r\n <AllowStartOnDemand>true</AllowStartOnDemand>\r\n <Enabled>true</Enabled>\r\n <Hidden>false</Hidden>\r\n <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n <WakeToRun>false</WakeToRun>\r\n <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n <Priority>4</Priority>\r\n </Settings>\r\n <Actions Context=\"Author\">\r\n <Exec>\r\n <Command>\"#EXECUTABLEPATH\"</Command>\r\n <Arguments>$(Arg0)</Arguments>\r\n </Exec>\r\n </Actions>\r\n</Task"}

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\LbSNAHQmeXYAoG.exe

ReversingLabs: Detection: 38%

Multi AV Scanner detection for submitted file

Show sources

Source: Y5XyMnx8Ng.exe	Virustotal: Detection: 25%			Perma Link
Source: Y5XyMnx8Ng.exe	ReversingLabs: Detection: 38%

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000008.00000002.494335612.0000000005710000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.483906093.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.273575013.0000000003C11000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.274362960.00000000040F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.492975177.0000000003BBB000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 5464, type: MEMORY
Source: Yara match	File source: Process Memory Space: Y5XyMnx8Ng.exe PID: 6372, type: MEMORY
Source: Yara match	File source: 8.2.RegSvcs.exe.5710000.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RegSvcs.exe.5710000.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Y5XyMnx8Ng.exe.4125e60.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RegSvcs.exe.3bd9511.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RegSvcs.exe.5714629.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RegSvcs.exe.3bd9511.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Y5XyMnx8Ng.exe.4125e60.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RegSvcs.exe.3bcec9e.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RegSvcs.exe.3bd3adb.4.raw.unpack, type: UNPACKEDPE

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\LbSNAHQmeXYAoG.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Show sources

Source: Y5XyMnx8Ng.exe

Joe Sandbox ML: detected

Source: 8.2.RegSvcs.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 8.2.RegSvcs.exe.5710000.11.unpack	Avira: Label: TR/NanoCore.fadte

Compliance:

Uses 32bit PE files

Show sources

Source: Y5XyMnx8Ng.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Uses new MSVCR Dlls

Show sources

Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Jump to behavior

Contains modern PE file flags such as dynamic base (ASLR) or NX

Show sources

Source: Y5XyMnx8Ng.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Binary contains paths to debug symbols

Show sources

Source:	Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\NanoProtectPlugin\NanoProtectClient\obj\Debug\NanoProtectClient.pdb source: RegSvcs.exe, 00000008.00000002.490972657.0000000002B81000.00000004.00000001.sdmp
Source:	Binary string: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.pdb source: RegSvcs.exe, 00000008.00000002.487808964.0000000002665000.00000004.00000040.sdmp
Source:	Binary string: System.EnterpriseServices.Wrapper.pdb source: dhcpmon.exe, 00000019.00000002.302260092.0000000005140000.00000002.00000001.sdmp
Source:	Binary string: indows\mscorlib.pdbpdblib.pdb source: RegSvcs.exe, 00000008.00000002.487808964.0000000002665000.00000004.00000040.sdmp
Source:	Binary string: indows\RegSvcs.pdbpdbvcs.pdb source: RegSvcs.exe, 00000008.00000002.487808964.0000000002665000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\symbols\exe\RegSvcs.pdb source: RegSvcs.exe, 00000008.00000002.487808964.0000000002665000.00000004.00000040.sdmp
Source:	Binary string: RegSvcs.pdb source: dhcpmon.exe, dhcpmon.exe.8.dr
Source:	Binary string: mscorrc.pdb source: Y5XyMnx8Ng.exe, 00000000.00000002.278970967.0000000006DC0000.00000002.00000001.sdmp, RegSvcs.exe, 00000008.00000002.494053967.0000000005420000.00000002.00000001.sdmp, RegSvcs.exe, 0000000D.00000002.281231117.0000000005260000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.284297730.00000000051F0000.00000002.00000001.sdmp

Software Vulnerabilities:

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

Code function: 4x nop then mov esp, ebp

8_2_026C8917

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor	URLs: 79.134.225.43
Source: Malware configuration extractor	URLs: strongodss.ddns.net

Connects to many ports of the same IP (likely port scanning)

Show sources

Source: global traffic	TCP traffic: 79.134.225.43 ports 0,1,3,58103,5,8
Source: global traffic	TCP traffic: 87.237.165.78 ports 0,1,3,58103,5,8

Uses dynamic DNS services

Show sources

Source: unknown

DNS query: name: strongodss.ddns.net

Source: global traffic	TCP traffic: 192.168.2.3:49721 -> 87.237.165.78:58103
Source: global traffic	TCP traffic: 192.168.2.3:49726 -> 79.134.225.43:58103

Source: Joe Sandbox View

IP Address: 79.134.225.43 79.134.225.43

Source: Joe Sandbox View

ASN Name: FINK-TELECOM-SERVICESCH FINK-TELECOM-SERVICESCH

Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.43
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.43
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.43
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.43
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.43
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.43
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.43
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.43
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.43
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.43
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.43
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.43
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.43
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.43
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.43
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.43
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.43
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.43
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.43
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.43
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.43
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.43
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.43
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.43
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.43
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.43
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.43

Source: unknown

DNS traffic detected: queries for: strongodss.ddns.net

Source: Y5XyMnx8Ng.exe, 00000000.00000002.275100610.0000000005290000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: Y5XyMnx8Ng.exe, 00000000.00000002.275100610.0000000005290000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Y5XyMnx8Ng.exe, 00000000.00000002.275100610.0000000005290000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: Y5XyMnx8Ng.exe, 00000000.00000003.221812778.0000000004FD9000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.co
Source: Y5XyMnx8Ng.exe, 00000000.00000002.275100610.0000000005290000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: Y5XyMnx8Ng.exe, 00000000.00000003.222347558.0000000004FAF000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com.TTFt
Source: Y5XyMnx8Ng.exe, 00000000.00000002.275100610.0000000005290000.00000002.00000001.sdmp, Y5XyMnx8Ng.exe, 00000000.00000003.222322158.0000000004FD9000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: Y5XyMnx8Ng.exe, 00000000.00000003.221812778.0000000004FD9000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers$
Source: Y5XyMnx8Ng.exe, 00000000.00000003.220682724.0000000004FD9000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/
Source: Y5XyMnx8Ng.exe, 00000000.00000002.275100610.0000000005290000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Y5XyMnx8Ng.exe, 00000000.00000003.222028980.0000000004FAC000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.html
Source: Y5XyMnx8Ng.exe, 00000000.00000002.275100610.0000000005290000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Y5XyMnx8Ng.exe, 00000000.00000003.222028980.0000000004FAC000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlo
Source: Y5XyMnx8Ng.exe, 00000000.00000002.275100610.0000000005290000.00000002.00000001.sdmp, Y5XyMnx8Ng.exe, 00000000.00000003.221423345.0000000004FD9000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: Y5XyMnx8Ng.exe, 00000000.00000003.221561815.0000000004FAF000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html.
Source: Y5XyMnx8Ng.exe, 00000000.00000003.221121855.0000000004FD9000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers2
Source: Y5XyMnx8Ng.exe, 00000000.00000002.275100610.0000000005290000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: Y5XyMnx8Ng.exe, 00000000.00000003.230809390.0000000004FD9000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers9
Source: Y5XyMnx8Ng.exe, 00000000.00000002.275100610.0000000005290000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: Y5XyMnx8Ng.exe, 00000000.00000003.221121855.0000000004FD9000.00000004.00000001.sdmp, Y5XyMnx8Ng.exe, 00000000.00000002.275100610.0000000005290000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: Y5XyMnx8Ng.exe, 00000000.00000003.221047138.0000000004FD9000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersP
Source: Y5XyMnx8Ng.exe, 00000000.00000003.222477602.0000000004FD9000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersb
Source: Y5XyMnx8Ng.exe, 00000000.00000003.230715828.0000000004FD9000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersi
Source: Y5XyMnx8Ng.exe, 00000000.00000003.220778598.0000000004FD9000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersp
Source: Y5XyMnx8Ng.exe, 00000000.00000003.222028980.0000000004FAC000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comF
Source: Y5XyMnx8Ng.exe, 00000000.00000003.222347558.0000000004FAF000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comJVR
Source: Y5XyMnx8Ng.exe, 00000000.00000003.222528263.0000000004FAE000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comTTFd
Source: Y5XyMnx8Ng.exe, 00000000.00000002.274744752.0000000004FAA000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comafV
Source: Y5XyMnx8Ng.exe, 00000000.00000003.222347558.0000000004FAF000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comalsdpV
Source: Y5XyMnx8Ng.exe, 00000000.00000003.221561815.0000000004FAF000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comd
Source: Y5XyMnx8Ng.exe, 00000000.00000003.221561815.0000000004FAF000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comdaJVR
Source: Y5XyMnx8Ng.exe, 00000000.00000003.221561815.0000000004FAF000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comdoVu
Source: Y5XyMnx8Ng.exe, 00000000.00000003.222028980.0000000004FAC000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comdsed
Source: Y5XyMnx8Ng.exe, 00000000.00000003.222347558.0000000004FAF000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comm
Source: Y5XyMnx8Ng.exe, 00000000.00000003.222347558.0000000004FAF000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comoVu
Source: Y5XyMnx8Ng.exe, 00000000.00000003.222347558.0000000004FAF000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comoitu
Source: Y5XyMnx8Ng.exe, 00000000.00000003.222028980.0000000004FAC000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comtu9
Source: Y5XyMnx8Ng.exe, 00000000.00000002.275100610.0000000005290000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: Y5XyMnx8Ng.exe, 00000000.00000002.275100610.0000000005290000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: Y5XyMnx8Ng.exe, 00000000.00000003.217090225.0000000004FE0000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/
Source: Y5XyMnx8Ng.exe, 00000000.00000002.275100610.0000000005290000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Y5XyMnx8Ng.exe, 00000000.00000002.275100610.0000000005290000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Y5XyMnx8Ng.exe, 00000000.00000003.216885369.0000000004FDF000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/u9
Source: Y5XyMnx8Ng.exe, 00000000.00000003.216954032.0000000004FD9000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/u:
Source: Y5XyMnx8Ng.exe, 00000000.00000003.225264485.0000000004FD9000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/
Source: Y5XyMnx8Ng.exe, 00000000.00000002.275100610.0000000005290000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Y5XyMnx8Ng.exe, 00000000.00000002.275100610.0000000005290000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Y5XyMnx8Ng.exe, 00000000.00000003.226090976.0000000004FBA000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm:
Source: Y5XyMnx8Ng.exe, 00000000.00000003.225264485.0000000004FD9000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htmA
Source: Y5XyMnx8Ng.exe, 00000000.00000002.275100610.0000000005290000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: Y5XyMnx8Ng.exe, 00000000.00000002.275100610.0000000005290000.00000002.00000001.sdmp, Y5XyMnx8Ng.exe, 00000000.00000003.218060578.0000000004FAD000.00000004.00000001.sdmp, Y5XyMnx8Ng.exe, 00000000.00000003.218561435.0000000004FA3000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Y5XyMnx8Ng.exe, 00000000.00000003.218060578.0000000004FAD000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/)
Source: Y5XyMnx8Ng.exe, 00000000.00000003.218142700.0000000004FAD000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/3VY
Source: Y5XyMnx8Ng.exe, 00000000.00000003.218561435.0000000004FA3000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/8V
Source: Y5XyMnx8Ng.exe, 00000000.00000003.218171595.0000000004FA8000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/JVR
Source: Y5XyMnx8Ng.exe, 00000000.00000003.218561435.0000000004FA3000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0
Source: Y5XyMnx8Ng.exe, 00000000.00000003.218060578.0000000004FAD000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/ch
Source: Y5XyMnx8Ng.exe, 00000000.00000003.218561435.0000000004FA3000.00000004.00000001.sdmp, Y5XyMnx8Ng.exe, 00000000.00000003.218681710.0000000004FAC000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: Y5XyMnx8Ng.exe, 00000000.00000003.218060578.0000000004FAD000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/nly
Source: Y5XyMnx8Ng.exe, 00000000.00000003.218060578.0000000004FAD000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/nt
Source: Y5XyMnx8Ng.exe, 00000000.00000003.217807198.0000000004FA3000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/oVu
Source: Y5XyMnx8Ng.exe, 00000000.00000003.218171595.0000000004FA8000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/s
Source: Y5XyMnx8Ng.exe, 00000000.00000002.275100610.0000000005290000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: Y5XyMnx8Ng.exe, 00000000.00000002.275100610.0000000005290000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: Y5XyMnx8Ng.exe, 00000000.00000002.275100610.0000000005290000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: Y5XyMnx8Ng.exe, 00000000.00000002.275100610.0000000005290000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: Y5XyMnx8Ng.exe, 00000000.00000003.216954032.0000000004FD9000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiro.como
Source: Y5XyMnx8Ng.exe, 00000000.00000002.275100610.0000000005290000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: Y5XyMnx8Ng.exe, 00000000.00000003.222528263.0000000004FAE000.00000004.00000001.sdmp	String found in binary or memory: http://www.urwpp.de
Source: Y5XyMnx8Ng.exe, 00000000.00000003.222528263.0000000004FAE000.00000004.00000001.sdmp	String found in binary or memory: http://www.urwpp.de.h
Source: Y5XyMnx8Ng.exe, 00000000.00000002.275100610.0000000005290000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: Y5XyMnx8Ng.exe, 00000000.00000003.222528263.0000000004FAE000.00000004.00000001.sdmp	String found in binary or memory: http://www.urwpp.deF
Source: Y5XyMnx8Ng.exe, 00000000.00000003.222528263.0000000004FAE000.00000004.00000001.sdmp	String found in binary or memory: http://www.urwpp.delarKh
Source: Y5XyMnx8Ng.exe, 00000000.00000002.275100610.0000000005290000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Source: dhcpmon.exe, 0000000F.00000002.282991349.0000000000F08000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: RegSvcs.exe, 00000008.00000002.494335612.0000000005710000.00000004.00000001.sdmp

Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000008.00000002.494335612.0000000005710000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.483906093.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.273575013.0000000003C11000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.274362960.00000000040F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.492975177.0000000003BBB000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 5464, type: MEMORY
Source: Yara match	File source: Process Memory Space: Y5XyMnx8Ng.exe PID: 6372, type: MEMORY
Source: Yara match	File source: 8.2.RegSvcs.exe.5710000.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RegSvcs.exe.5710000.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Y5XyMnx8Ng.exe.4125e60.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RegSvcs.exe.3bd9511.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RegSvcs.exe.5714629.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RegSvcs.exe.3bd9511.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Y5XyMnx8Ng.exe.4125e60.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RegSvcs.exe.3bcec9e.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RegSvcs.exe.3bd3adb.4.raw.unpack, type: UNPACKEDPE

Operating System Destruction:

Protects its processes via BreakOnTermination flag

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

Process information set: 01 00 00 00

Jump to behavior

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000008.00000002.494335612.0000000005710000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000008.00000002.483906093.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000008.00000002.483906093.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.273575013.0000000003C11000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.273575013.0000000003C11000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.274362960.00000000040F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.274362960.00000000040F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000008.00000002.492975177.0000000003BBB000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000008.00000002.494301167.0000000005700000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000008.00000002.493799082.0000000004E80000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: RegSvcs.exe PID: 5464, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: RegSvcs.exe PID: 5464, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: Y5XyMnx8Ng.exe PID: 6372, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: Y5XyMnx8Ng.exe PID: 6372, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.2.RegSvcs.exe.3bcec9e.5.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.2.RegSvcs.exe.2b91488.3.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.2.RegSvcs.exe.5700000.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.2.RegSvcs.exe.5710000.11.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.2.RegSvcs.exe.4e80000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.2.RegSvcs.exe.5710000.11.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.Y5XyMnx8Ng.exe.4125e60.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.Y5XyMnx8Ng.exe.4125e60.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.2.RegSvcs.exe.2b96304.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.2.RegSvcs.exe.3bd9511.6.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.2.RegSvcs.exe.5714629.10.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.2.RegSvcs.exe.3bd9511.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.Y5XyMnx8Ng.exe.4125e60.2.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.Y5XyMnx8Ng.exe.4125e60.2.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.2.RegSvcs.exe.3bcec9e.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.2.RegSvcs.exe.3bcec9e.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.2.RegSvcs.exe.3bd3adb.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.2.RegSvcs.exe.3bd3adb.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.2.RegSvcs.exe.2b91488.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth

Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Code function: 0_2_070C2A9E NtQuerySystemInformation,	0_2_070C2A9E
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Code function: 0_2_070C2A6D NtQuerySystemInformation,	0_2_070C2A6D
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 8_2_02721836 NtQuerySystemInformation,	8_2_02721836
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 8_2_02721572 NtSetInformationProcess,	8_2_02721572
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 8_2_02721541 NtSetInformationProcess,	8_2_02721541
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 8_2_027217FB NtQuerySystemInformation,	8_2_027217FB

Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Code function: 0_2_04D98C28	0_2_04D98C28
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Code function: 0_2_04D92398	0_2_04D92398
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Code function: 0_2_04D930D1	0_2_04D930D1
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Code function: 0_2_04D98CCE	0_2_04D98CCE
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Code function: 0_2_04D930E0	0_2_04D930E0
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Code function: 0_2_04D98C17	0_2_04D98C17
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Code function: 0_2_04D94DDF	0_2_04D94DDF
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Code function: 0_2_04D92389	0_2_04D92389
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Code function: 0_2_04D9331B	0_2_04D9331B
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Code function: 0_2_067C54C9	0_2_067C54C9
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Code function: 0_2_067C3B27	0_2_067C3B27
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Code function: 0_2_04D90110	0_2_04D90110
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Code function: 0_2_04D90100	0_2_04D90100
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 8_2_00C37AC1	8_2_00C37AC1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 8_2_026C9A68	8_2_026C9A68
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 8_2_026C8E68	8_2_026C8E68
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 8_2_026C2FA8	8_2_026C2FA8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 8_2_026C23A0	8_2_026C23A0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 8_2_026C3970	8_2_026C3970
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 8_2_026C9B2F	8_2_026C9B2F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 8_2_026CB738	8_2_026CB738
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 8_2_026CA310	8_2_026CA310
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 8_2_026C306F	8_2_026C306F

Source: Y5XyMnx8Ng.exe, 00000000.00000002.279706744.00000000076E0000.00000002.00000001.sdmp	Binary or memory string: System.OriginalFileName vs Y5XyMnx8Ng.exe
Source: Y5XyMnx8Ng.exe, 00000000.00000002.268326275.00000000005F4000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamev, vs Y5XyMnx8Ng.exe
Source: Y5XyMnx8Ng.exe, 00000000.00000002.273755283.0000000003D55000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameAssemblyReferenceEntry.exeD vs Y5XyMnx8Ng.exe
Source: Y5XyMnx8Ng.exe, 00000000.00000002.279114179.0000000006EC0000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameBunifu.UI.dll4 vs Y5XyMnx8Ng.exe
Source: Y5XyMnx8Ng.exe, 00000000.00000002.279913440.00000000077D0000.00000002.00000001.sdmp	Binary or memory string: originalfilename vs Y5XyMnx8Ng.exe
Source: Y5XyMnx8Ng.exe, 00000000.00000002.279913440.00000000077D0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs Y5XyMnx8Ng.exe
Source: Y5XyMnx8Ng.exe, 00000000.00000002.278970967.0000000006DC0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs Y5XyMnx8Ng.exe
Source: Y5XyMnx8Ng.exe	Binary or memory string: OriginalFilenamev, vs Y5XyMnx8Ng.exe

Source: Y5XyMnx8Ng.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: 00000008.00000002.494335612.0000000005710000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000008.00000002.494335612.0000000005710000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000008.00000002.483906093.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000008.00000002.483906093.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.273575013.0000000003C11000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.273575013.0000000003C11000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.274362960.00000000040F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.274362960.00000000040F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000008.00000002.492975177.0000000003BBB000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000008.00000002.494301167.0000000005700000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000008.00000002.494301167.0000000005700000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000008.00000002.493799082.0000000004E80000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000008.00000002.493799082.0000000004E80000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: Process Memory Space: RegSvcs.exe PID: 5464, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: RegSvcs.exe PID: 5464, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: Y5XyMnx8Ng.exe PID: 6372, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: Y5XyMnx8Ng.exe PID: 6372, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 8.2.RegSvcs.exe.3bcec9e.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.2.RegSvcs.exe.3bcec9e.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.2.RegSvcs.exe.2b91488.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.2.RegSvcs.exe.2b91488.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.2.RegSvcs.exe.5700000.9.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.2.RegSvcs.exe.5700000.9.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.2.RegSvcs.exe.5710000.11.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.2.RegSvcs.exe.5710000.11.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 8.2.RegSvcs.exe.4e80000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.2.RegSvcs.exe.4e80000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.2.RegSvcs.exe.5710000.11.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.2.RegSvcs.exe.5710000.11.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Y5XyMnx8Ng.exe.4125e60.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.Y5XyMnx8Ng.exe.4125e60.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Y5XyMnx8Ng.exe.4125e60.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 8.2.RegSvcs.exe.2b96304.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.2.RegSvcs.exe.2b96304.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.2.RegSvcs.exe.3bd9511.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.2.RegSvcs.exe.3bd9511.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.2.RegSvcs.exe.5714629.10.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.2.RegSvcs.exe.5714629.10.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.2.RegSvcs.exe.3bd9511.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.2.RegSvcs.exe.3bd9511.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Y5XyMnx8Ng.exe.4125e60.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.Y5XyMnx8Ng.exe.4125e60.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Y5XyMnx8Ng.exe.4125e60.2.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 8.2.RegSvcs.exe.3bcec9e.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.2.RegSvcs.exe.3bcec9e.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.2.RegSvcs.exe.3bcec9e.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 8.2.RegSvcs.exe.3bd3adb.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.2.RegSvcs.exe.3bd3adb.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.2.RegSvcs.exe.3bd3adb.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 8.2.RegSvcs.exe.2b91488.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.2.RegSvcs.exe.2b91488.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/

Source: Y5XyMnx8Ng.exe	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: LbSNAHQmeXYAoG.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: 8.2.RegSvcs.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 8.2.RegSvcs.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 8.2.RegSvcs.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: classification engine

Classification label: mal100.troj.evad.winEXE@18/13@11/2

Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Code function: 0_2_070C2922 AdjustTokenPrivileges,	0_2_070C2922
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Code function: 0_2_070C28EB AdjustTokenPrivileges,	0_2_070C28EB
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 8_2_027213F6 AdjustTokenPrivileges,	8_2_027213F6
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 8_2_027213BF AdjustTokenPrivileges,	8_2_027213BF

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

File created: C:\Program Files (x86)\DHCP Monitor

Jump to behavior

Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe

File created: C:\Users\user\AppData\Roaming\LbSNAHQmeXYAoG.exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6036:120:WilError_01
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Mutant created: \Sessions\1\BaseNamedObjects\qAuJsXfdqbt
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1968:120:WilError_01
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3180:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5828:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2172:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5680:120:WilError_01
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{572eb7a9-aedf-4b39-8669-f7563dab8a38}

Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe

File created: C:\Users\user\AppData\Local\Temp\tmp8EF2.tmp

Jump to behavior

Source: Y5XyMnx8Ng.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior

Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: Y5XyMnx8Ng.exe	Virustotal: Detection: 25%
Source: Y5XyMnx8Ng.exe	ReversingLabs: Detection: 38%

Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe

File read: C:\Users\user\Desktop\Y5XyMnx8Ng.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Y5XyMnx8Ng.exe 'C:\Users\user\Desktop\Y5XyMnx8Ng.exe'
Source: unknown	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\LbSNAHQmeXYAoG' /XML 'C:\Users\user\AppData\Local\Temp\tmp8EF2.tmp'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe {path}
Source: unknown	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp3911.tmp'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp3C8D.tmp'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe 0
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\LbSNAHQmeXYAoG' /XML 'C:\Users\user\AppData\Local\Temp\tmp8EF2.tmp'	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe {path}	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp3911.tmp'	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp3C8D.tmp'	Jump to behavior

Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Jump to behavior

Source: Y5XyMnx8Ng.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Jump to behavior

Source: Y5XyMnx8Ng.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\NanoProtectPlugin\NanoProtectClient\obj\Debug\NanoProtectClient.pdb source: RegSvcs.exe, 00000008.00000002.490972657.0000000002B81000.00000004.00000001.sdmp
Source:	Binary string: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.pdb source: RegSvcs.exe, 00000008.00000002.487808964.0000000002665000.00000004.00000040.sdmp
Source:	Binary string: System.EnterpriseServices.Wrapper.pdb source: dhcpmon.exe, 00000019.00000002.302260092.0000000005140000.00000002.00000001.sdmp
Source:	Binary string: indows\mscorlib.pdbpdblib.pdb source: RegSvcs.exe, 00000008.00000002.487808964.0000000002665000.00000004.00000040.sdmp
Source:	Binary string: indows\RegSvcs.pdbpdbvcs.pdb source: RegSvcs.exe, 00000008.00000002.487808964.0000000002665000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\symbols\exe\RegSvcs.pdb source: RegSvcs.exe, 00000008.00000002.487808964.0000000002665000.00000004.00000040.sdmp
Source:	Binary string: RegSvcs.pdb source: dhcpmon.exe, dhcpmon.exe.8.dr
Source:	Binary string: mscorrc.pdb source: Y5XyMnx8Ng.exe, 00000000.00000002.278970967.0000000006DC0000.00000002.00000001.sdmp, RegSvcs.exe, 00000008.00000002.494053967.0000000005420000.00000002.00000001.sdmp, RegSvcs.exe, 0000000D.00000002.281231117.0000000005260000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.284297730.00000000051F0000.00000002.00000001.sdmp

Data Obfuscation:

.NET source code contains potential unpacker

Show sources

Source: Y5XyMnx8Ng.exe, Login.cs	.Net Code: set_Name System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: LbSNAHQmeXYAoG.exe.0.dr, Login.cs	.Net Code: set_Name System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.Y5XyMnx8Ng.exe.530000.0.unpack, Login.cs	.Net Code: set_Name System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.Y5XyMnx8Ng.exe.530000.0.unpack, Login.cs	.Net Code: set_Name System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 8.2.RegSvcs.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 8.2.RegSvcs.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Code function: 0_2_04D96A11 push ds; retf	0_2_04D96A12
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Code function: 0_2_067C31AB push es; ret	0_2_067C31AC
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 8_2_00C3CAC0 pushfd ; ret	8_2_00C3CB42
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 8_2_00C3CB68 pushfd ; ret	8_2_00C3CB72
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 8_2_00C3CB78 pushfd ; ret	8_2_00C3CBA2
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 8_2_00C3CB28 pushfd ; ret	8_2_00C3CB32
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 8_2_00C3ADA8 push cs; retf	8_2_00C3ADBF
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 8_2_00C39D74 push 7800C3CBh; retf	8_2_00C39D79
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 8_2_00C3AD34 push cs; retf	8_2_00C3AD4B
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 8_2_00C3AE1B push cs; retf	8_2_00C3AE33
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 8_2_00C39E18 push 9E4400F2h; ret	8_2_00C39E1E

Source: initial sample	Static PE information: section name: .text entropy: 7.94843846597
Source: initial sample	Static PE information: section name: .text entropy: 7.94843846597

Source: 8.2.RegSvcs.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 8.2.RegSvcs.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'

Persistence and Installation Behavior:

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe			Jump to dropped file
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	File created: C:\Users\user\AppData\Roaming\LbSNAHQmeXYAoG.exe			Jump to dropped file

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules

Show sources

Source: unknown

Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\LbSNAHQmeXYAoG' /XML 'C:\Users\user\AppData\Local\Temp\tmp8EF2.tmp'

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM_3

Show sources

Source: Yara match

File source: Process Memory Space: Y5XyMnx8Ng.exe PID: 6372, type: MEMORY

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Show sources

Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\cimv2 : SELECT * FROM Win32_VideoController

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: Y5XyMnx8Ng.exe, 00000000.00000002.270288505.0000000002C11000.00000004.00000001.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME<
Source: Y5XyMnx8Ng.exe, 00000000.00000002.270288505.0000000002C11000.00000004.00000001.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: Y5XyMnx8Ng.exe, 00000000.00000002.271289539.0000000003185000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 name: Identifier	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum name: 0	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

Window / User API: foregroundWindowGot 748

Jump to behavior

Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe TID: 6400	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6464	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 2344	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

Code function: 8_2_0272161A GetSystemInfo,

8_2_0272161A

Source: Y5XyMnx8Ng.exe, 00000000.00000002.270288505.0000000002C11000.00000004.00000001.sdmp	Binary or memory string: kr#"SOFTWARE\VMware, Inc.\VMware Tools<
Source: Y5XyMnx8Ng.exe, 00000000.00000002.271289539.0000000003185000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II<
Source: RegSvcs.exe, 00000008.00000002.494961160.0000000005FD0000.00000002.00000001.sdmp, RegSvcs.exe, 0000000D.00000002.281641062.00000000052C0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.284382168.0000000005250000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: Y5XyMnx8Ng.exe, 00000000.00000002.270288505.0000000002C11000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: Y5XyMnx8Ng.exe, 00000000.00000002.270288505.0000000002C11000.00000004.00000001.sdmp	Binary or memory string: kr&%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\<
Source: Y5XyMnx8Ng.exe, 00000000.00000002.270288505.0000000002C11000.00000004.00000001.sdmp	Binary or memory string: krA"SOFTWARE\VMware, Inc.\VMware Tools
Source: Y5XyMnx8Ng.exe, 00000000.00000002.270288505.0000000002C11000.00000004.00000001.sdmp	Binary or memory string: kr%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Y5XyMnx8Ng.exe, 00000000.00000002.271289539.0000000003185000.00000004.00000001.sdmp	Binary or memory string: VMWARE<
Source: Y5XyMnx8Ng.exe, 00000000.00000002.270288505.0000000002C11000.00000004.00000001.sdmp	Binary or memory string: kr87HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware Tools\.
Source: RegSvcs.exe, 00000008.00000002.485437819.0000000000928000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW
Source: Y5XyMnx8Ng.exe, 00000000.00000002.271289539.0000000003185000.00000004.00000001.sdmp	Binary or memory string: VMWARE
Source: Y5XyMnx8Ng.exe, 00000000.00000002.270288505.0000000002C11000.00000004.00000001.sdmp	Binary or memory string: kr"SOFTWARE\VMware, Inc.\VMware Tools
Source: RegSvcs.exe, 00000008.00000002.485704154.0000000000959000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll'
Source: Y5XyMnx8Ng.exe, 00000000.00000002.270288505.0000000002C11000.00000004.00000001.sdmp	Binary or memory string: QEMU<
Source: RegSvcs.exe, 00000008.00000002.494961160.0000000005FD0000.00000002.00000001.sdmp, RegSvcs.exe, 0000000D.00000002.281641062.00000000052C0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.284382168.0000000005250000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: RegSvcs.exe, 00000008.00000002.494961160.0000000005FD0000.00000002.00000001.sdmp, RegSvcs.exe, 0000000D.00000002.281641062.00000000052C0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.284382168.0000000005250000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: Y5XyMnx8Ng.exe, 00000000.00000002.271289539.0000000003185000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: Y5XyMnx8Ng.exe, 00000000.00000002.270288505.0000000002C11000.00000004.00000001.sdmp	Binary or memory string: kr#"SOFTWARE\VMware, Inc.\VMware ToolsH
Source: RegSvcs.exe, 00000008.00000002.494961160.0000000005FD0000.00000002.00000001.sdmp, RegSvcs.exe, 0000000D.00000002.281641062.00000000052C0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.284382168.0000000005250000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Anti Debugging:

Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Allocates memory in foreign processes

Show sources

Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 400000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 400000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Show sources

Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 402000	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 420000	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 422000	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 6FC008	Jump to behavior

Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\LbSNAHQmeXYAoG' /XML 'C:\Users\user\AppData\Local\Temp\tmp8EF2.tmp'	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe {path}	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp3911.tmp'	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp3C8D.tmp'	Jump to behavior

Source: RegSvcs.exe, 00000008.00000002.485437819.0000000000928000.00000004.00000020.sdmp	Binary or memory string: Program Manager (x86)\DHCP Monitor\dhcpmon.exegSvcs.exe
Source: RegSvcs.exe, 00000008.00000002.492739877.0000000002DDA000.00000004.00000001.sdmp	Binary or memory string: Program Manager
Source: RegSvcs.exe, 00000008.00000002.487561869.0000000001140000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: RegSvcs.exe, 00000008.00000002.487561869.0000000001140000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: RegSvcs.exe, 00000008.00000002.487561869.0000000001140000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Y5XyMnx8Ng.exe

Code function: 0_2_070C0FF2 GetUserNameA,

0_2_070C0FF2

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000008.00000002.494335612.0000000005710000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.483906093.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.273575013.0000000003C11000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.274362960.00000000040F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.492975177.0000000003BBB000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 5464, type: MEMORY
Source: Yara match	File source: Process Memory Space: Y5XyMnx8Ng.exe PID: 6372, type: MEMORY
Source: Yara match	File source: 8.2.RegSvcs.exe.5710000.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RegSvcs.exe.5710000.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Y5XyMnx8Ng.exe.4125e60.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RegSvcs.exe.3bd9511.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RegSvcs.exe.5714629.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RegSvcs.exe.3bd9511.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Y5XyMnx8Ng.exe.4125e60.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RegSvcs.exe.3bcec9e.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RegSvcs.exe.3bd3adb.4.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Detected Nanocore Rat

Show sources

Source: Y5XyMnx8Ng.exe, 00000000.00000002.274362960.00000000040F1000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: RegSvcs.exe, 00000008.00000002.490972657.0000000002B81000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: RegSvcs.exe, 00000008.00000002.490972657.0000000002B81000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: RegSvcs.exe, 00000008.00000002.490972657.0000000002B81000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoProtectClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoProtectClientClientPluginResourcesNanoProtectClient.My.ResourcesMySettingsMySettingsPropertyFunctionsNanoProtectClient.NanoProtectMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsGetProtectDirectoryGetProtectFileCreateProtectFileKillNanoCoreSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeLogClientMessageSystem.IOFileExistsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedEnvironmentSpecialFolderGetFolderPathPathCombineExceptionDirectoryDirectoryInfoCreateDirectoryFileStreamCreateProjectDataSetProjectErrorClearProjectErrorProcessGetCurrentProcessKillNanoProtectClient.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoProtectClient.dlla[NanoProtect]: Checking for NanoProtect module..

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000008.00000002.494335612.0000000005710000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.483906093.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.273575013.0000000003C11000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.274362960.00000000040F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.492975177.0000000003BBB000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 5464, type: MEMORY
Source: Yara match	File source: Process Memory Space: Y5XyMnx8Ng.exe PID: 6372, type: MEMORY
Source: Yara match	File source: 8.2.RegSvcs.exe.5710000.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RegSvcs.exe.5710000.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Y5XyMnx8Ng.exe.4125e60.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RegSvcs.exe.3bd9511.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RegSvcs.exe.5714629.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RegSvcs.exe.3bd9511.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Y5XyMnx8Ng.exe.4125e60.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RegSvcs.exe.3bcec9e.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RegSvcs.exe.3bd3adb.4.raw.unpack, type: UNPACKEDPE

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 8_2_02722B26 bind,		8_2_02722B26
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 8_2_02722AF6 bind,		8_2_02722AF6

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation1	Scheduled Task/Job1	Access Token Manipulation1	Disable or Modify Tools1	Input Capture21	Account Discovery1	Remote Services	Archive Collected Data11	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job1	Boot or Logon Initialization Scripts	Process Injection312	Deobfuscate/Decode Files or Information1	LSASS Memory	File and Directory Discovery1	Remote Desktop Protocol	Input Capture21	Exfiltration Over Bluetooth	Non-Standard Port1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Scheduled Task/Job1	Obfuscated Files or Information3	Security Account Manager	System Information Discovery13	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Remote Access Software1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Software Packing13	NTDS	Security Software Discovery311	Distributed Component Object Model	Input Capture	Scheduled Transfer	Non-Application Layer Protocol1	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Masquerading2	LSA Secrets	Virtualization/Sandbox Evasion13	SSH	Keylogging	Data Transfer Size Limits	Application Layer Protocol21	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Virtualization/Sandbox Evasion13	Cached Domain Credentials	Process Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Access Token Manipulation1	DCSync	Application Window Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Process Injection312	Proc Filesystem	System Owner/User Discovery1	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Hidden Files and Directories1	/etc/passwd and /etc/shadow	Remote System Discovery1	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Y5XyMnx8Ng.exe	25%	Virustotal		Browse
Y5XyMnx8Ng.exe	38%	ReversingLabs	Win32.Trojan.Wacatac
Y5XyMnx8Ng.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\LbSNAHQmeXYAoG.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	0%	Metadefender		Browse
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	0%	ReversingLabs
C:\Users\user\AppData\Roaming\LbSNAHQmeXYAoG.exe	38%	ReversingLabs	Win32.Trojan.Wacatac

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
8.2.RegSvcs.exe.400000.0.unpack	100%	Avira	TR/Dropper.MSIL.Gen7		Download File
8.2.RegSvcs.exe.5710000.11.unpack	100%	Avira	TR/NanoCore.fadte		Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://www.galapagosdesign.com/staff/dennis.htm:	0%	Avira URL Cloud	safe
79.134.225.43	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.urwpp.de.h	0%	Avira URL Cloud	safe
http://www.galapagosdesign.com/staff/dennis.htmA	0%	Avira URL Cloud	safe
http://www.fontbureau.comtu9	0%	Avira URL Cloud	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.fontbureau.comafV	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/8V	0%	Avira URL Cloud	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/ch	0%	Avira URL Cloud	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.fontbureau.com.TTFt	0%	Avira URL Cloud	safe
http://www.urwpp.delarKh	0%	Avira URL Cloud	safe
http://www.fontbureau.comdoVu	0%	Avira URL Cloud	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/)	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/Y0	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/Y0	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/Y0	0%	URL Reputation	safe
http://www.fontbureau.comalsdpV	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn/u:	0%	Avira URL Cloud	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.founder.com.cn/cn/u9	0%	Avira URL Cloud	safe
http://www.urwpp.de	0%	URL Reputation	safe
http://www.urwpp.de	0%	URL Reputation	safe
http://www.urwpp.de	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.galapagosdesign.com/	0%	URL Reputation	safe
http://www.galapagosdesign.com/	0%	URL Reputation	safe
http://www.galapagosdesign.com/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/nt	0%	Avira URL Cloud	safe
http://www.fontbureau.comF	0%	URL Reputation	safe
http://www.fontbureau.comF	0%	URL Reputation	safe
http://www.fontbureau.comF	0%	URL Reputation	safe
http://www.tiro.como	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/3VY	0%	Avira URL Cloud	safe
http://www.fontbureau.co	0%	Avira URL Cloud	safe
http://www.urwpp.deF	0%	Avira URL Cloud	safe
http://www.fontbureau.comJVR	0%	Avira URL Cloud	safe
http://www.fontbureau.comdaJVR	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/jp/	0%	URL Reputation	safe
http://www.fontbureau.comTTFd	0%	Avira URL Cloud	safe
http://www.fontbureau.comd	0%	URL Reputation	safe
http://www.fontbureau.comd	0%	URL Reputation	safe
http://www.fontbureau.comd	0%	URL Reputation	safe
strongodss.ddns.net	0%	Avira URL Cloud	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.fontbureau.comoVu	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn/	0%	URL Reputation	safe
http://www.founder.com.cn/cn/	0%	URL Reputation	safe
http://www.founder.com.cn/cn/	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.fontbureau.comoitu	0%	URL Reputation	safe
http://www.fontbureau.comoitu	0%	URL Reputation	safe
http://www.fontbureau.comoitu	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/oVu	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/s	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/s	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/s	0%	URL Reputation	safe
http://www.fontbureau.comm	0%	URL Reputation	safe
http://www.fontbureau.comm	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
strongodss.ddns.net	87.237.165.78	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
79.134.225.43	true	Avira URL Cloud: safe	unknown
strongodss.ddns.net	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.galapagosdesign.com/staff/dennis.htm:	Y5XyMnx8Ng.exe, 00000000.00000003.226090976.0000000004FBA000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designersG	Y5XyMnx8Ng.exe, 00000000.00000003.221121855.0000000004FD9000.00000004.00000001.sdmp, Y5XyMnx8Ng.exe, 00000000.00000002.275100610.0000000005290000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com/designers/?	Y5XyMnx8Ng.exe, 00000000.00000002.275100610.0000000005290000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn/bThe	Y5XyMnx8Ng.exe, 00000000.00000002.275100610.0000000005290000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.urwpp.de.h	Y5XyMnx8Ng.exe, 00000000.00000003.222528263.0000000004FAE000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htmA	Y5XyMnx8Ng.exe, 00000000.00000003.225264485.0000000004FD9000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers?	Y5XyMnx8Ng.exe, 00000000.00000002.275100610.0000000005290000.00000002.00000001.sdmp	false		high
http://www.fontbureau.comtu9	Y5XyMnx8Ng.exe, 00000000.00000003.222028980.0000000004FAC000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers/frere-jones.html.	Y5XyMnx8Ng.exe, 00000000.00000003.221561815.0000000004FAF000.00000004.00000001.sdmp	false		high
http://www.tiro.com	Y5XyMnx8Ng.exe, 00000000.00000002.275100610.0000000005290000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers	Y5XyMnx8Ng.exe, 00000000.00000002.275100610.0000000005290000.00000002.00000001.sdmp, Y5XyMnx8Ng.exe, 00000000.00000003.222322158.0000000004FD9000.00000004.00000001.sdmp	false		high
http://www.goodfont.co.kr	Y5XyMnx8Ng.exe, 00000000.00000002.275100610.0000000005290000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designersP	Y5XyMnx8Ng.exe, 00000000.00000003.221047138.0000000004FD9000.00000004.00000001.sdmp	false		high
http://www.fontbureau.comafV	Y5XyMnx8Ng.exe, 00000000.00000002.274744752.0000000004FAA000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/8V	Y5XyMnx8Ng.exe, 00000000.00000003.218561435.0000000004FA3000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.sajatypeworks.com	Y5XyMnx8Ng.exe, 00000000.00000002.275100610.0000000005290000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designersi	Y5XyMnx8Ng.exe, 00000000.00000003.230715828.0000000004FD9000.00000004.00000001.sdmp	false		high
http://www.typography.netD	Y5XyMnx8Ng.exe, 00000000.00000002.275100610.0000000005290000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cn/cThe	Y5XyMnx8Ng.exe, 00000000.00000002.275100610.0000000005290000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	Y5XyMnx8Ng.exe, 00000000.00000002.275100610.0000000005290000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/ch	Y5XyMnx8Ng.exe, 00000000.00000003.218060578.0000000004FAD000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://fontfabrik.com	Y5XyMnx8Ng.exe, 00000000.00000002.275100610.0000000005290000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com.TTFt	Y5XyMnx8Ng.exe, 00000000.00000003.222347558.0000000004FAF000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.urwpp.delarKh	Y5XyMnx8Ng.exe, 00000000.00000003.222528263.0000000004FAE000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designersb	Y5XyMnx8Ng.exe, 00000000.00000003.222477602.0000000004FD9000.00000004.00000001.sdmp	false		high
http://www.fontbureau.comdoVu	Y5XyMnx8Ng.exe, 00000000.00000003.221561815.0000000004FAF000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.galapagosdesign.com/DPlease	Y5XyMnx8Ng.exe, 00000000.00000002.275100610.0000000005290000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/)	Y5XyMnx8Ng.exe, 00000000.00000003.218060578.0000000004FAD000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/Y0	Y5XyMnx8Ng.exe, 00000000.00000003.218561435.0000000004FA3000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.comalsdpV	Y5XyMnx8Ng.exe, 00000000.00000003.222347558.0000000004FAF000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fonts.com	Y5XyMnx8Ng.exe, 00000000.00000002.275100610.0000000005290000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn/u:	Y5XyMnx8Ng.exe, 00000000.00000003.216954032.0000000004FD9000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.sandoll.co.kr	Y5XyMnx8Ng.exe, 00000000.00000002.275100610.0000000005290000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.urwpp.deDPlease	Y5XyMnx8Ng.exe, 00000000.00000002.275100610.0000000005290000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cn/u9	Y5XyMnx8Ng.exe, 00000000.00000003.216885369.0000000004FDF000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.urwpp.de	Y5XyMnx8Ng.exe, 00000000.00000003.222528263.0000000004FAE000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	Y5XyMnx8Ng.exe, 00000000.00000002.275100610.0000000005290000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designersp	Y5XyMnx8Ng.exe, 00000000.00000003.220778598.0000000004FD9000.00000004.00000001.sdmp	false		high
http://www.sakkal.com	Y5XyMnx8Ng.exe, 00000000.00000002.275100610.0000000005290000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0	Y5XyMnx8Ng.exe, 00000000.00000002.275100610.0000000005290000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com	Y5XyMnx8Ng.exe, 00000000.00000002.275100610.0000000005290000.00000002.00000001.sdmp	false		high
http://www.galapagosdesign.com/	Y5XyMnx8Ng.exe, 00000000.00000003.225264485.0000000004FD9000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/nt	Y5XyMnx8Ng.exe, 00000000.00000003.218060578.0000000004FAD000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.comF	Y5XyMnx8Ng.exe, 00000000.00000003.222028980.0000000004FAC000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlo	Y5XyMnx8Ng.exe, 00000000.00000003.222028980.0000000004FAC000.00000004.00000001.sdmp	false		high
http://www.tiro.como	Y5XyMnx8Ng.exe, 00000000.00000003.216954032.0000000004FD9000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/3VY	Y5XyMnx8Ng.exe, 00000000.00000003.218142700.0000000004FAD000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.co	Y5XyMnx8Ng.exe, 00000000.00000003.221812778.0000000004FD9000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.urwpp.deF	Y5XyMnx8Ng.exe, 00000000.00000003.222528263.0000000004FAE000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.comJVR	Y5XyMnx8Ng.exe, 00000000.00000003.222347558.0000000004FAF000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.comdaJVR	Y5XyMnx8Ng.exe, 00000000.00000003.221561815.0000000004FAF000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/jp/	Y5XyMnx8Ng.exe, 00000000.00000003.218561435.0000000004FA3000.00000004.00000001.sdmp, Y5XyMnx8Ng.exe, 00000000.00000003.218681710.0000000004FAC000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.comTTFd	Y5XyMnx8Ng.exe, 00000000.00000003.222528263.0000000004FAE000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.comd	Y5XyMnx8Ng.exe, 00000000.00000003.221561815.0000000004FAF000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.carterandcone.coml	Y5XyMnx8Ng.exe, 00000000.00000002.275100610.0000000005290000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.comoVu	Y5XyMnx8Ng.exe, 00000000.00000003.222347558.0000000004FAF000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.founder.com.cn/cn/	Y5XyMnx8Ng.exe, 00000000.00000003.217090225.0000000004FE0000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	Y5XyMnx8Ng.exe, 00000000.00000002.275100610.0000000005290000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn	Y5XyMnx8Ng.exe, 00000000.00000002.275100610.0000000005290000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-jones.html	Y5XyMnx8Ng.exe, 00000000.00000002.275100610.0000000005290000.00000002.00000001.sdmp, Y5XyMnx8Ng.exe, 00000000.00000003.221423345.0000000004FD9000.00000004.00000001.sdmp	false		high
http://www.fontbureau.comoitu	Y5XyMnx8Ng.exe, 00000000.00000003.222347558.0000000004FAF000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/oVu	Y5XyMnx8Ng.exe, 00000000.00000003.217807198.0000000004FA3000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/s	Y5XyMnx8Ng.exe, 00000000.00000003.218171595.0000000004FA8000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.html	Y5XyMnx8Ng.exe, 00000000.00000003.222028980.0000000004FAC000.00000004.00000001.sdmp	false		high
http://www.fontbureau.com/designers$	Y5XyMnx8Ng.exe, 00000000.00000003.221812778.0000000004FD9000.00000004.00000001.sdmp	false		high
http://www.fontbureau.comm	Y5XyMnx8Ng.exe, 00000000.00000003.222347558.0000000004FAF000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/	Y5XyMnx8Ng.exe, 00000000.00000002.275100610.0000000005290000.00000002.00000001.sdmp, Y5XyMnx8Ng.exe, 00000000.00000003.218060578.0000000004FAD000.00000004.00000001.sdmp, Y5XyMnx8Ng.exe, 00000000.00000003.218561435.0000000004FA3000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers9	Y5XyMnx8Ng.exe, 00000000.00000003.230809390.0000000004FD9000.00000004.00000001.sdmp	false		high
http://www.fontbureau.com/designers8	Y5XyMnx8Ng.exe, 00000000.00000002.275100610.0000000005290000.00000002.00000001.sdmp	false		high
http://www.fontbureau.comdsed	Y5XyMnx8Ng.exe, 00000000.00000003.222028980.0000000004FAC000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/nly	Y5XyMnx8Ng.exe, 00000000.00000003.218060578.0000000004FAD000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers/	Y5XyMnx8Ng.exe, 00000000.00000003.220682724.0000000004FD9000.00000004.00000001.sdmp	false		high
http://www.jiyu-kobo.co.jp/JVR	Y5XyMnx8Ng.exe, 00000000.00000003.218171595.0000000004FA8000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers2	Y5XyMnx8Ng.exe, 00000000.00000003.221121855.0000000004FD9000.00000004.00000001.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
87.237.165.78	unknown	Russian Federation		49967	MTVHGB	true
79.134.225.43	unknown	Switzerland		6775	FINK-TELECOM-SERVICESCH	true

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	357424
Start date:	24.02.2021
Start time:	16:08:49
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 9m 50s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	Y5XyMnx8Ng.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	40
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@18/13@11/2
EGA Information:	Failed
HDC Information:	Successful, ratio: 2.1% (good quality ratio 1.5%) Quality average: 51.1% Quality standard deviation: 38%
HCA Information:	Successful, ratio: 92% Number of executed functions: 417 Number of non-executed functions: 5
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information. Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, RuntimeBroker.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, UsoClient.exe Excluded IPs from analysis (whitelisted): 2.22.152.11, 52.147.198.201, 204.79.197.200, 13.107.21.200, 104.42.151.234, 13.88.21.125, 23.54.113.53, 23.54.113.104, 51.104.139.180, 23.0.174.187, 23.0.174.185, 51.11.168.160, 23.10.249.25, 23.10.249.26, 52.155.217.156, 20.54.26.129 Excluded domains from analysis (whitelisted): storeedgefd.dsx.mp.microsoft.com.edgekey.net.globalredir.akadns.net, au.download.windowsupdate.com.edgesuite.net, arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, storeedgefd.xbetservices.akadns.net, arc.msn.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, storeedgefd.dsx.mp.microsoft.com, www.bing.com, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, fs.microsoft.com, dual-a-0001.a-msedge.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, storeedgefd.dsx.mp.microsoft.com.edgekey.net, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, e16646.dscg.akamaiedge.net, skypedataprdcolwus16.cloudapp.net, skypedataprdcolwus15.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
16:09:50	API Interceptor	1x Sleep call for process: Y5XyMnx8Ng.exe modified
16:10:10	Task Scheduler	Run new task: DHCP Monitor path: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe" s>$(Arg0)
16:10:11	API Interceptor	811x Sleep call for process: RegSvcs.exe modified
16:10:13	Task Scheduler	Run new task: DHCP Monitor Task path: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" s>$(Arg0)
16:10:13	Autostart	Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
87.237.165.78	YoWPu2BQzA9FeDd.exe	Get hash	malicious	Browse
	M5QDAaK9yM.exe	Get hash	malicious	Browse
	TdX45jQWjj.exe	Get hash	malicious	Browse
79.134.225.43	YoWPu2BQzA9FeDd.exe	Get hash	malicious	Browse
	TdX45jQWjj.exe	Get hash	malicious	Browse
	JfRbEbUkpV39K4L.exe	Get hash	malicious	Browse
	Dachser Consulta de cliente saliente no. 000150849 - SKBMT03082020-0012-IMG0149.exe	Get hash	malicious	Browse
	290453721.xls	Get hash	malicious	Browse
	nUo0FukkVO.xls	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
strongodss.ddns.net	YoWPu2BQzA9FeDd.exe	Get hash	malicious	Browse	87.237.165.78
	M5QDAaK9yM.exe	Get hash	malicious	Browse	87.237.165.78
	TdX45jQWjj.exe	Get hash	malicious	Browse	87.237.165.78

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
MTVHGB	YoWPu2BQzA9FeDd.exe	Get hash	malicious	Browse	87.237.165.78
	M5QDAaK9yM.exe	Get hash	malicious	Browse	87.237.165.78
	TdX45jQWjj.exe	Get hash	malicious	Browse	87.237.165.78
	QUOTATION 19 01 2021.exe	Get hash	malicious	Browse	87.237.165.162
FINK-TELECOM-SERVICESCH	YoWPu2BQzA9FeDd.exe	Get hash	malicious	Browse	79.134.225.43
	xF7GogN7tM.exe	Get hash	malicious	Browse	79.134.225.120
	TZgGVyMJYF.exe	Get hash	malicious	Browse	79.134.225.74
	ilpbALnKbE.exe	Get hash	malicious	Browse	79.134.225.103
	Documents.exe	Get hash	malicious	Browse	79.134.225.87
	SWcNyi2YBj.exe	Get hash	malicious	Browse	79.134.225.103
	Confirmation Transfer Note Ref Number0002636.exe	Get hash	malicious	Browse	79.134.225.8
	TdX45jQWjj.exe	Get hash	malicious	Browse	79.134.225.43
	e92b274943f4a3a557881ee0dd57772d.exe	Get hash	malicious	Browse	79.134.225.105
	WxTm2cWLHF.exe	Get hash	malicious	Browse	79.134.225.71
	Payment Confirmation.exe	Get hash	malicious	Browse	79.134.225.30
	rjHlt1zz28.exe	Get hash	malicious	Browse	79.134.225.49
	Deadly Variants of Covid 19.doc	Get hash	malicious	Browse	79.134.225.49
	document.exe	Get hash	malicious	Browse	79.134.225.122
	5293ea9467ea45e928620a5ed74440f5.exe	Get hash	malicious	Browse	79.134.225.105
	f1a14e6352036833f1c109e1bb2934f2.exe	Get hash	malicious	Browse	79.134.225.105
	256ec8f8f67b59c5e085b0bb63afcd13.exe	Get hash	malicious	Browse	79.134.225.105
	JOIN.exe	Get hash	malicious	Browse	79.134.225.30
	Delivery pdf.exe	Get hash	malicious	Browse	79.134.225.25
	d88e07467ddcf9e3b19fa972b9f000d1.exe	Get hash	malicious	Browse	79.134.225.105

JA3 Fingerprints

No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	receipt.exe	Get hash	malicious	Browse
	YoWPu2BQzA9FeDd.exe	Get hash	malicious	Browse
	M5QDAaK9yM.exe	Get hash	malicious	Browse
	oMWv1Zof2y.exe	Get hash	malicious	Browse
	TdX45jQWjj.exe	Get hash	malicious	Browse
	QTxFuxF5NQ.exe	Get hash	malicious	Browse
	a34b93ef-dea2-45f8-a5bf-4f6b0b5291c7.exe	Get hash	malicious	Browse
	3fcd8c19-af88-4cd9-87e7-0bfea1de01a1.exe	Get hash	malicious	Browse
	Vietnam Order.exe	Get hash	malicious	Browse
	Dhl Shipping Document.exe	Get hash	malicious	Browse
	PO-WJO-001, pdf.exe	Get hash	malicious	Browse
	byWuWAR5FD.exe	Get hash	malicious	Browse
	parcel_images.exe	Get hash	malicious	Browse
	0712020.exe	Get hash	malicious	Browse
	JfRbEbUkpV39K4L.exe	Get hash	malicious	Browse
	DECEMBER QUOTATION REQUEST FOR FR12007POH0008_PO0000143_ETQ.exe	Get hash	malicious	Browse
	DECEMBER QUOTATION REQUEST FOR FR12007POH0008_PO0000143_ETQ.exe	Get hash	malicious	Browse
	zC3edqmNNt.exe	Get hash	malicious	Browse
	Shipping Document.pdf..exe	Get hash	malicious	Browse
	PPR & CPR_HEA_DECEMBER 4 2020.exe	Get hash	malicious	Browse

Created / dropped Files

C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	3.7515815714465193
Encrypted:	false
SSDEEP:	384:BOj9Y8/gS7SDriLGKq1MHR5U4Ag6ihJSxUCR1rgCPKabK2t0X5P7DZ+JgWSW72uw:B+gSAdN1MH3HAFRJngW2u
MD5:	71369277D09DA0830C8C59F9E22BB23A
SHA1:	37F9781314F0F6B7E9CB529A573F2B1C8DE9E93F
SHA-256:	D4527B7AD2FC4778CC5BE8709C95AEA44EAC0568B367EE14F7357D72898C3698
SHA-512:	2F470383E3C796C4CF212EC280854DBB9E7E8C8010CE6857E58F8E7066D7516B7CD7039BC5C0F547E1F5C7F9F2287869ADFFB2869800B08B2982A88BE96E9FB7
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: receipt.exe, Detection: malicious, Browse Filename: YoWPu2BQzA9FeDd.exe, Detection: malicious, Browse Filename: M5QDAaK9yM.exe, Detection: malicious, Browse Filename: oMWv1Zof2y.exe, Detection: malicious, Browse Filename: TdX45jQWjj.exe, Detection: malicious, Browse Filename: QTxFuxF5NQ.exe, Detection: malicious, Browse Filename: a34b93ef-dea2-45f8-a5bf-4f6b0b5291c7.exe, Detection: malicious, Browse Filename: 3fcd8c19-af88-4cd9-87e7-0bfea1de01a1.exe, Detection: malicious, Browse Filename: Vietnam Order.exe, Detection: malicious, Browse Filename: Dhl Shipping Document.exe, Detection: malicious, Browse Filename: PO-WJO-001, pdf.exe, Detection: malicious, Browse Filename: byWuWAR5FD.exe, Detection: malicious, Browse Filename: parcel_images.exe, Detection: malicious, Browse Filename: 0712020.exe, Detection: malicious, Browse Filename: JfRbEbUkpV39K4L.exe, Detection: malicious, Browse Filename: DECEMBER QUOTATION REQUEST FOR FR12007POH0008_PO0000143_ETQ.exe, Detection: malicious, Browse Filename: DECEMBER QUOTATION REQUEST FOR FR12007POH0008_PO0000143_ETQ.exe, Detection: malicious, Browse Filename: zC3edqmNNt.exe, Detection: malicious, Browse Filename: Shipping Document.pdf..exe, Detection: malicious, Browse Filename: PPR & CPR_HEA_DECEMBER 4 2020.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....{Z.................P... .......k... ........@.. ...............................[....@..................................k..K................................... k............................................... ............... ..H............text....K... ...P.................. ..`.rsrc................`..............@..@.reloc...............p..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\RegSvcs.exe.log Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	120
Entropy (8bit):	5.016405576253028
Encrypted:	false
SSDEEP:	3:QHXMKaoWglAFXMWA2yTMGfsbNXLVd49Am12MFuAvOAsDeieVyn:Q3LawlAFXMWTyAGCFLIP12MUAvvrs
MD5:	50DEC1858E13F033E6DCA3CBFAD5E8DE
SHA1:	79AE1E9131B0FAF215B499D2F7B4C595AA120925
SHA-256:	14A557E226E3BA8620BB3A70035E1E316F1E9FB5C9E8F74C07110EE90B8D8AE4
SHA-512:	1BD73338DF685A5B57B0546E102ECFDEE65800410D6F77845E50456AC70DE72929088AF19B59647F01CBA7A5ACFB399C52D9EF2402A9451366586862EF88E7BF
Malicious:	false
Preview:	1,"fusion","GAC",0..2,"System.EnterpriseServices, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\Y5XyMnx8Ng.exe.log Download File
Process:	C:\Users\user\Desktop\Y5XyMnx8Ng.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	655
Entropy (8bit):	5.273171405160065
Encrypted:	false
SSDEEP:	12:Q3LaJU20NaL10U29hJ5g1B0U2ukyrFk70Ug+9Yz9t0U2WUXBQav:MLF20NaL329hJ5g522rWz2p29XBT
MD5:	2703120C370FBB4A8BA08C6D1754039E
SHA1:	EC0DB47BF00A4A828F796147619386C0BBEA66A1
SHA-256:	F95566974BC44F3A757CAFB1456D185D8F333AC84775089DE18310B90C18B1BC
SHA-512:	BC05A2A1BE5B122FC6D3DEA66EF4258522F13351B9754378395AAD019631E312CFD3BC990F3E3D5C7BB0BDBA1EAD54A2B34A96DEE2FCCD703721E98F6192ED48
Malicious:	true
Preview:	1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Management\4de99804c29261edb63c93616550f034\System.Management.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\dhcpmon.exe.log Download File
Process:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	120
Entropy (8bit):	5.016405576253028
Encrypted:	false
SSDEEP:	3:QHXMKaoWglAFXMWA2yTMGfsbNXLVd49Am12MFuAvOAsDeieVyn:Q3LawlAFXMWTyAGCFLIP12MUAvvrs
MD5:	50DEC1858E13F033E6DCA3CBFAD5E8DE
SHA1:	79AE1E9131B0FAF215B499D2F7B4C595AA120925
SHA-256:	14A557E226E3BA8620BB3A70035E1E316F1E9FB5C9E8F74C07110EE90B8D8AE4
SHA-512:	1BD73338DF685A5B57B0546E102ECFDEE65800410D6F77845E50456AC70DE72929088AF19B59647F01CBA7A5ACFB399C52D9EF2402A9451366586862EF88E7BF
Malicious:	false
Preview:	1,"fusion","GAC",0..2,"System.EnterpriseServices, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..

C:\Users\user\AppData\Local\Temp\tmp3911.tmp Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	5.135021273392143
Encrypted:	false
SSDEEP:	24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0mn4xtn:cbk4oL600QydbQxIYODOLedq3Z4j
MD5:	40B11EF601FB28F9B2E69D36857BF2EC
SHA1:	B6454020AD2CEED193F4792B77001D0BD741B370
SHA-256:	C51E12D18CC664425F6711D8AE2507068884C7057092CFA11884100E1E9D49E1
SHA-512:	E3C5BCC714CBFCA4B8058DDCDDF231DCEFA69C15881CE3F8123E59ED45CFB5DA052B56E1945DCF8DC7F800D62F9A4EECB82BCA69A66A1530787AEFFEB15E2BD5
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak

C:\Users\user\AppData\Local\Temp\tmp3C8D.tmp Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1310
Entropy (8bit):	5.109425792877704
Encrypted:	false
SSDEEP:	24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0R3xtn:cbk4oL600QydbQxIYODOLedq3S3j
MD5:	5C2F41CFC6F988C859DA7D727AC2B62A
SHA1:	68999C85FC7E37BAB9216E0099836D40D4545C1C
SHA-256:	98B6E66B6C2173B9B91FC97FE51805340EFDE978B695453742EBAB631018398B
SHA-512:	B5DA5DA378D038AFBF8A7738E47921ED39F9B726E2CAA2993D915D9291A3322F94EFE8CCA6E7AD678A670DB19926B22B20E5028460FCC89CEA7F6635E7557334
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak

C:\Users\user\AppData\Local\Temp\tmp8EF2.tmp Download File
Process:	C:\Users\user\Desktop\Y5XyMnx8Ng.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1647
Entropy (8bit):	5.20290519634611
Encrypted:	false
SSDEEP:	24:2dH4+SEqC/Q7hxlNMFp1/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBwtn:cbh47TlNQ//rydbz9I3YODOLNdq3k
MD5:	E61FE83EB8C07A1076C95D63A2E9C7E8
SHA1:	C45541423ECB8762EE2F8DAAF34BABA2E9932BE0
SHA-256:	8B817FAE8E4FD7B9A5D2604048DC837FE26167B6E8C58EA18F7EF3F43BA638CF
SHA-512:	C405B90523CDCB4624D47DDEF092321756983C3FD14472E1F74509A1CCDB670925B1F8179021CCB6FCBF4FF0848E713347F7D58CE94C888F545D961E627F7777
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
File Type:	ISO-8859 text, with no line terminators
Category:	dropped
Size (bytes):	8
Entropy (8bit):	3.0
Encrypted:	false
SSDEEP:	3:TuXt:U
MD5:	CF402C854B880FB79472DA48A88A3E43
SHA1:	C8A90AC6594C04B69F33AF27F72CE9A150C3203D
SHA-256:	8221288A0BD2019F58D6583BADF7C0E3C921078EB6D9C7F5A35FD39A40FC0699
SHA-512:	D135A204BCD0303455CF17FA1CA13880E47011B793F80263164DABAC29F95537C409263AA2A1E57D8C2862F083CA52D4608852D3F2E08D9D2142A7EB2A7451A2
Malicious:	true
Preview:	..m.!..H

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\task.dat Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	57
Entropy (8bit):	4.795707286467131
Encrypted:	false
SSDEEP:	3:oMty8WbSX/MNn:oMLWus
MD5:	D685103573539B7E9FDBF5F1D7DD96CE
SHA1:	4B2FE6B5C0B37954B314FCAEE1F12237A9B02D07
SHA-256:	D78BC23B0CA3EDDF52D56AB85CDC30A71B3756569CB32AA2F6C28DBC23C76E8E
SHA-512:	17769A5944E8929323A34269ABEEF0861D5C6799B0A27F5545FBFADC80E5AB684A471AD6F6A7FC623002385154EA89DE94013051E09120AB94362E542AB0F1DD
Malicious:	false
Preview:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

C:\Users\user\AppData\Roaming\LbSNAHQmeXYAoG.exe Download File
Process:	C:\Users\user\Desktop\Y5XyMnx8Ng.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	790016
Entropy (8bit):	7.9432068049127045
Encrypted:	false
SSDEEP:	12288:wEd3LLUEMjhvUbJG16Kfd/b2ze6Mg5saYrwOnkG4WuCmcoevatwmWFoH8l/MM:3L0iG16KfdD6zsaykItmcoQatwmY8qr
MD5:	5BD6A6DBDA26ADA813C6F60FDFC7BA70
SHA1:	20D05385BE36213404CA178BF15E39D0587DD73F
SHA-256:	205F2EF71A4A099B8CAC6B0DF7BE7D04F5CA0C65E31FB1C00158F656CF2785C3
SHA-512:	DF3E138E62994C2E640EC4C2B4DDE795512D3D23ECFB49B932EED2DDC451A96447A9C9435E0C1E38D567B9523C02D906E20208DD49AC7D66C456701620362E28
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 38%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...4.5`..............0.............F"... ...@....@.. ....................................@..................................!..O....@.......................`....................................................... ............... ..H............text...L.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................("......H.......Ho...2......4...,...............................................&.(.........0..9........~.........,".r...p.....(....o....s............~.....+......0...........~.....+.."........0..!........(....r!..p~....o......t.....+......0..!........(....r1..p~....o......t.....+......0...........r5..p.+....0...........rA..p.+..".(.....^..}.....(.......(%.......(.......0..;........rQ..pr...p.(...........,..(......+..s......o......( .....*..0..I........r...pr...p.(.......

\Device\ConDrv Download File
Process:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1145
Entropy (8bit):	4.462201512373672
Encrypted:	false
SSDEEP:	24:zKLXkzPDObntKlglUEnfQtvNuNpKOK5aM9YJC:zKL0zPDQntKKH1MqJC
MD5:	46EBEB88876A00A52CC37B1F8E0D0438
SHA1:	5E5DB352F964E5F398301662FF558BD905798A65
SHA-256:	D65BD5A6CC112838AFE8FA70BF61FD13C1313BCE3EE3E76C50E454D7B581238B
SHA-512:	E713E6F304A469FB71235C598BC7E2C6F8458ABC61DAF3D1F364F66579CAFA4A7F3023E585BDA552FB400009E7805A8CA0311A50D5EDC9C2AD2D067772A071BE
Malicious:	false
Preview:	Microsoft (R) .NET Framework Services Installation Utility Version 2.0.50727.8922..Copyright (c) Microsoft Corporation. All rights reserved.....USAGE: regsvcs.exe [options] AssemblyName..Options:.. /? or /help Display this usage message... /fc Find or create target application (default)... /c Create target application, error if it already exists... /exapp Expect an existing application... /tlb:<tlbfile> Filename for the exported type library... /appname:<name> Use the specified name for the target application... /parname:<name> Use the specified name or id for the target partition... /extlb Use an existing type library... /reconfig Reconfigure existing target application (default)... /noreconfig Don't reconfigure existing target application... /u Uninstall target application... /nologo Suppress logo output... /quiet Suppress logo output and success output...

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.9432068049127045
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	Y5XyMnx8Ng.exe
File size:	790016
MD5:	5bd6a6dbda26ada813c6f60fdfc7ba70
SHA1:	20d05385be36213404ca178bf15e39d0587dd73f
SHA256:	205f2ef71a4a099b8cac6b0df7be7d04f5ca0c65e31fb1c00158f656cf2785c3
SHA512:	df3e138e62994c2e640ec4c2b4dde795512d3d23ecfb49b932eed2ddc451a96447a9c9435e0c1e38d567b9523c02d906e20208dd49ac7d66c456701620362e28
SSDEEP:	12288:wEd3LLUEMjhvUbJG16Kfd/b2ze6Mg5saYrwOnkG4WuCmcoevatwmWFoH8l/MM:3L0iG16KfdD6zsaykItmcoQatwmY8qr
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...4.5`..............0.............F"... ...@....@.. ....................................@................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General
Entrypoint:	0x4c2246
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x6035AE34 [Wed Feb 24 01:39:00 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:	v2.0.50727
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc21f4	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc4000	0x5b4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xc6000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xc024c	0xc0400	False	0.935183680104	data	7.94843846597	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0xc4000	0x5b4	0x600	False	0.431640625	data	4.21916130547	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xc6000	0xc	0x200	False	0.044921875	data	0.0980041756627	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0xc4090	0x324	data
RT_MANIFEST	0xc43c4	0x1ea	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright 2016
Assembly Version	4.0.0.0
InternalName	vSI.exe
FileVersion	4.0.0.0
CompanyName
LegalTrademarks
Comments
ProductName	ITP_RMSS
ProductVersion	4.0.0.0
FileDescription	ITP_RMSS
OriginalFilename	vSI.exe

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 24, 2021 16:10:12.533143997 CET	49721	58103	192.168.2.3	87.237.165.78
Feb 24, 2021 16:10:12.560343981 CET	58103	49721	87.237.165.78	192.168.2.3
Feb 24, 2021 16:10:13.123317957 CET	49721	58103	192.168.2.3	87.237.165.78
Feb 24, 2021 16:10:13.150600910 CET	58103	49721	87.237.165.78	192.168.2.3
Feb 24, 2021 16:10:13.757090092 CET	49721	58103	192.168.2.3	87.237.165.78
Feb 24, 2021 16:10:13.785631895 CET	58103	49721	87.237.165.78	192.168.2.3
Feb 24, 2021 16:10:19.076946020 CET	49724	58103	192.168.2.3	87.237.165.78
Feb 24, 2021 16:10:19.107546091 CET	58103	49724	87.237.165.78	192.168.2.3
Feb 24, 2021 16:10:19.651211023 CET	49724	58103	192.168.2.3	87.237.165.78
Feb 24, 2021 16:10:19.678690910 CET	58103	49724	87.237.165.78	192.168.2.3
Feb 24, 2021 16:10:20.257462025 CET	49724	58103	192.168.2.3	87.237.165.78
Feb 24, 2021 16:10:20.284785032 CET	58103	49724	87.237.165.78	192.168.2.3
Feb 24, 2021 16:10:24.380441904 CET	49725	58103	192.168.2.3	87.237.165.78
Feb 24, 2021 16:10:24.409280062 CET	58103	49725	87.237.165.78	192.168.2.3
Feb 24, 2021 16:10:25.047492027 CET	49725	58103	192.168.2.3	87.237.165.78
Feb 24, 2021 16:10:25.074667931 CET	58103	49725	87.237.165.78	192.168.2.3
Feb 24, 2021 16:10:25.656824112 CET	49725	58103	192.168.2.3	87.237.165.78
Feb 24, 2021 16:10:25.684272051 CET	58103	49725	87.237.165.78	192.168.2.3
Feb 24, 2021 16:10:29.727997065 CET	49726	58103	192.168.2.3	79.134.225.43
Feb 24, 2021 16:10:29.760649920 CET	58103	49726	79.134.225.43	192.168.2.3
Feb 24, 2021 16:10:30.268054962 CET	49726	58103	192.168.2.3	79.134.225.43
Feb 24, 2021 16:10:30.301914930 CET	58103	49726	79.134.225.43	192.168.2.3
Feb 24, 2021 16:10:30.813908100 CET	49726	58103	192.168.2.3	79.134.225.43
Feb 24, 2021 16:10:30.846590996 CET	58103	49726	79.134.225.43	192.168.2.3
Feb 24, 2021 16:10:34.955918074 CET	49728	58103	192.168.2.3	79.134.225.43
Feb 24, 2021 16:10:34.988707066 CET	58103	49728	79.134.225.43	192.168.2.3
Feb 24, 2021 16:10:35.579500914 CET	49728	58103	192.168.2.3	79.134.225.43
Feb 24, 2021 16:10:35.612328053 CET	58103	49728	79.134.225.43	192.168.2.3
Feb 24, 2021 16:10:36.282670975 CET	49728	58103	192.168.2.3	79.134.225.43
Feb 24, 2021 16:10:36.315766096 CET	58103	49728	79.134.225.43	192.168.2.3
Feb 24, 2021 16:10:40.331837893 CET	49729	58103	192.168.2.3	79.134.225.43
Feb 24, 2021 16:10:40.364761114 CET	58103	49729	79.134.225.43	192.168.2.3
Feb 24, 2021 16:10:40.876931906 CET	49729	58103	192.168.2.3	79.134.225.43
Feb 24, 2021 16:10:40.914079905 CET	58103	49729	79.134.225.43	192.168.2.3
Feb 24, 2021 16:10:41.423758984 CET	49729	58103	192.168.2.3	79.134.225.43
Feb 24, 2021 16:10:41.456362009 CET	58103	49729	79.134.225.43	192.168.2.3
Feb 24, 2021 16:10:45.681472063 CET	49730	58103	192.168.2.3	87.237.165.78
Feb 24, 2021 16:10:45.710315943 CET	58103	49730	87.237.165.78	192.168.2.3
Feb 24, 2021 16:10:46.221097946 CET	49730	58103	192.168.2.3	87.237.165.78
Feb 24, 2021 16:10:46.248971939 CET	58103	49730	87.237.165.78	192.168.2.3
Feb 24, 2021 16:10:46.752454042 CET	49730	58103	192.168.2.3	87.237.165.78
Feb 24, 2021 16:10:46.782939911 CET	58103	49730	87.237.165.78	192.168.2.3
Feb 24, 2021 16:10:50.995347977 CET	49731	58103	192.168.2.3	87.237.165.78
Feb 24, 2021 16:10:51.022494078 CET	58103	49731	87.237.165.78	192.168.2.3
Feb 24, 2021 16:10:51.533984900 CET	49731	58103	192.168.2.3	87.237.165.78
Feb 24, 2021 16:10:51.561500072 CET	58103	49731	87.237.165.78	192.168.2.3
Feb 24, 2021 16:10:52.065284967 CET	49731	58103	192.168.2.3	87.237.165.78
Feb 24, 2021 16:10:52.093585014 CET	58103	49731	87.237.165.78	192.168.2.3
Feb 24, 2021 16:10:56.166809082 CET	49732	58103	192.168.2.3	87.237.165.78
Feb 24, 2021 16:10:56.195791960 CET	58103	49732	87.237.165.78	192.168.2.3
Feb 24, 2021 16:10:56.706290960 CET	49732	58103	192.168.2.3	87.237.165.78
Feb 24, 2021 16:10:56.736602068 CET	58103	49732	87.237.165.78	192.168.2.3
Feb 24, 2021 16:10:57.237741947 CET	49732	58103	192.168.2.3	87.237.165.78
Feb 24, 2021 16:10:57.264682055 CET	58103	49732	87.237.165.78	192.168.2.3
Feb 24, 2021 16:11:01.270438910 CET	49739	58103	192.168.2.3	79.134.225.43
Feb 24, 2021 16:11:01.303239107 CET	58103	49739	79.134.225.43	192.168.2.3
Feb 24, 2021 16:11:01.816044092 CET	49739	58103	192.168.2.3	79.134.225.43
Feb 24, 2021 16:11:01.848630905 CET	58103	49739	79.134.225.43	192.168.2.3
Feb 24, 2021 16:11:02.362986088 CET	49739	58103	192.168.2.3	79.134.225.43
Feb 24, 2021 16:11:02.396814108 CET	58103	49739	79.134.225.43	192.168.2.3
Feb 24, 2021 16:11:06.429452896 CET	49740	58103	192.168.2.3	79.134.225.43
Feb 24, 2021 16:11:06.463603020 CET	58103	49740	79.134.225.43	192.168.2.3
Feb 24, 2021 16:11:06.972877026 CET	49740	58103	192.168.2.3	79.134.225.43
Feb 24, 2021 16:11:07.007544994 CET	58103	49740	79.134.225.43	192.168.2.3
Feb 24, 2021 16:11:07.519614935 CET	49740	58103	192.168.2.3	79.134.225.43
Feb 24, 2021 16:11:07.552390099 CET	58103	49740	79.134.225.43	192.168.2.3
Feb 24, 2021 16:11:11.568758011 CET	49746	58103	192.168.2.3	79.134.225.43
Feb 24, 2021 16:11:11.601488113 CET	58103	49746	79.134.225.43	192.168.2.3
Feb 24, 2021 16:11:12.114870071 CET	49746	58103	192.168.2.3	79.134.225.43
Feb 24, 2021 16:11:12.147849083 CET	58103	49746	79.134.225.43	192.168.2.3
Feb 24, 2021 16:11:12.662959099 CET	49746	58103	192.168.2.3	79.134.225.43
Feb 24, 2021 16:11:12.696906090 CET	58103	49746	79.134.225.43	192.168.2.3
Feb 24, 2021 16:11:16.757277012 CET	49747	58103	192.168.2.3	87.237.165.78
Feb 24, 2021 16:11:16.785811901 CET	58103	49747	87.237.165.78	192.168.2.3
Feb 24, 2021 16:11:17.302103043 CET	49747	58103	192.168.2.3	87.237.165.78
Feb 24, 2021 16:11:17.331185102 CET	58103	49747	87.237.165.78	192.168.2.3
Feb 24, 2021 16:11:17.833460093 CET	49747	58103	192.168.2.3	87.237.165.78
Feb 24, 2021 16:11:17.860521078 CET	58103	49747	87.237.165.78	192.168.2.3
Feb 24, 2021 16:11:21.924900055 CET	49748	58103	192.168.2.3	87.237.165.78
Feb 24, 2021 16:11:21.952218056 CET	58103	49748	87.237.165.78	192.168.2.3
Feb 24, 2021 16:11:22.458440065 CET	49748	58103	192.168.2.3	87.237.165.78
Feb 24, 2021 16:11:22.485619068 CET	58103	49748	87.237.165.78	192.168.2.3
Feb 24, 2021 16:11:22.989789009 CET	49748	58103	192.168.2.3	87.237.165.78
Feb 24, 2021 16:11:23.018168926 CET	58103	49748	87.237.165.78	192.168.2.3
Feb 24, 2021 16:11:27.147738934 CET	49756	58103	192.168.2.3	87.237.165.78
Feb 24, 2021 16:11:27.175889969 CET	58103	49756	87.237.165.78	192.168.2.3
Feb 24, 2021 16:11:27.677603006 CET	49756	58103	192.168.2.3	87.237.165.78
Feb 24, 2021 16:11:27.705015898 CET	58103	49756	87.237.165.78	192.168.2.3
Feb 24, 2021 16:11:28.208844900 CET	49756	58103	192.168.2.3	87.237.165.78
Feb 24, 2021 16:11:28.237665892 CET	58103	49756	87.237.165.78	192.168.2.3
Feb 24, 2021 16:11:32.268532038 CET	49761	58103	192.168.2.3	79.134.225.43
Feb 24, 2021 16:11:32.301124096 CET	58103	49761	79.134.225.43	192.168.2.3
Feb 24, 2021 16:11:32.803134918 CET	49761	58103	192.168.2.3	79.134.225.43
Feb 24, 2021 16:11:32.835714102 CET	58103	49761	79.134.225.43	192.168.2.3
Feb 24, 2021 16:11:33.350023985 CET	49761	58103	192.168.2.3	79.134.225.43
Feb 24, 2021 16:11:33.382822990 CET	58103	49761	79.134.225.43	192.168.2.3
Feb 24, 2021 16:11:37.758483887 CET	49762	58103	192.168.2.3	79.134.225.43
Feb 24, 2021 16:11:37.791282892 CET	58103	49762	79.134.225.43	192.168.2.3
Feb 24, 2021 16:11:38.303525925 CET	49762	58103	192.168.2.3	79.134.225.43
Feb 24, 2021 16:11:38.336097002 CET	58103	49762	79.134.225.43	192.168.2.3
Feb 24, 2021 16:11:38.850409985 CET	49762	58103	192.168.2.3	79.134.225.43
Feb 24, 2021 16:11:38.883090019 CET	58103	49762	79.134.225.43	192.168.2.3
Feb 24, 2021 16:11:42.900038004 CET	49763	58103	192.168.2.3	79.134.225.43
Feb 24, 2021 16:11:42.932969093 CET	58103	49763	79.134.225.43	192.168.2.3
Feb 24, 2021 16:11:43.444749117 CET	49763	58103	192.168.2.3	79.134.225.43
Feb 24, 2021 16:11:43.478876114 CET	58103	49763	79.134.225.43	192.168.2.3
Feb 24, 2021 16:11:43.991660118 CET	49763	58103	192.168.2.3	79.134.225.43
Feb 24, 2021 16:11:44.025800943 CET	58103	49763	79.134.225.43	192.168.2.3
Feb 24, 2021 16:11:48.099822998 CET	49764	58103	192.168.2.3	87.237.165.78
Feb 24, 2021 16:11:48.126844883 CET	58103	49764	87.237.165.78	192.168.2.3
Feb 24, 2021 16:11:48.632486105 CET	49764	58103	192.168.2.3	87.237.165.78
Feb 24, 2021 16:11:48.660392046 CET	58103	49764	87.237.165.78	192.168.2.3
Feb 24, 2021 16:11:49.163836002 CET	49764	58103	192.168.2.3	87.237.165.78
Feb 24, 2021 16:11:49.190886021 CET	58103	49764	87.237.165.78	192.168.2.3
Feb 24, 2021 16:11:53.213537931 CET	49765	58103	192.168.2.3	87.237.165.78
Feb 24, 2021 16:11:53.242130995 CET	58103	49765	87.237.165.78	192.168.2.3
Feb 24, 2021 16:11:53.757869959 CET	49765	58103	192.168.2.3	87.237.165.78
Feb 24, 2021 16:11:53.785444021 CET	58103	49765	87.237.165.78	192.168.2.3
Feb 24, 2021 16:11:54.289184093 CET	49765	58103	192.168.2.3	87.237.165.78
Feb 24, 2021 16:11:54.316253901 CET	58103	49765	87.237.165.78	192.168.2.3

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 24, 2021 16:09:34.962903023 CET	58643	53	192.168.2.3	8.8.8.8
Feb 24, 2021 16:09:35.001048088 CET	53	58643	8.8.8.8	192.168.2.3
Feb 24, 2021 16:09:35.563812017 CET	60985	53	192.168.2.3	8.8.8.8
Feb 24, 2021 16:09:35.576246977 CET	53	60985	8.8.8.8	192.168.2.3
Feb 24, 2021 16:09:35.645147085 CET	56777	53	192.168.2.3	8.8.8.8
Feb 24, 2021 16:09:35.657057047 CET	53	56777	8.8.8.8	192.168.2.3
Feb 24, 2021 16:09:36.236988068 CET	50200	53	192.168.2.3	8.8.8.8
Feb 24, 2021 16:09:36.249538898 CET	53	50200	8.8.8.8	192.168.2.3
Feb 24, 2021 16:09:37.237097979 CET	51281	53	192.168.2.3	8.8.8.8
Feb 24, 2021 16:09:37.249413013 CET	53	51281	8.8.8.8	192.168.2.3
Feb 24, 2021 16:09:38.251844883 CET	49199	53	192.168.2.3	8.8.8.8
Feb 24, 2021 16:09:38.264933109 CET	53	49199	8.8.8.8	192.168.2.3
Feb 24, 2021 16:09:38.662730932 CET	50620	53	192.168.2.3	8.8.8.8
Feb 24, 2021 16:09:38.680517912 CET	53	50620	8.8.8.8	192.168.2.3
Feb 24, 2021 16:09:39.442451954 CET	64938	53	192.168.2.3	8.8.8.8
Feb 24, 2021 16:09:39.455857038 CET	53	64938	8.8.8.8	192.168.2.3
Feb 24, 2021 16:09:40.795653105 CET	60152	53	192.168.2.3	8.8.8.8
Feb 24, 2021 16:09:40.808948040 CET	53	60152	8.8.8.8	192.168.2.3
Feb 24, 2021 16:09:41.904604912 CET	57544	53	192.168.2.3	8.8.8.8
Feb 24, 2021 16:09:41.919425964 CET	53	57544	8.8.8.8	192.168.2.3
Feb 24, 2021 16:09:43.047470093 CET	55984	53	192.168.2.3	8.8.8.8
Feb 24, 2021 16:09:43.059814930 CET	53	55984	8.8.8.8	192.168.2.3
Feb 24, 2021 16:09:44.306821108 CET	64185	53	192.168.2.3	8.8.8.8
Feb 24, 2021 16:09:44.319124937 CET	53	64185	8.8.8.8	192.168.2.3
Feb 24, 2021 16:09:45.135375977 CET	65110	53	192.168.2.3	8.8.8.8
Feb 24, 2021 16:09:45.148333073 CET	53	65110	8.8.8.8	192.168.2.3
Feb 24, 2021 16:09:48.856286049 CET	58361	53	192.168.2.3	8.8.8.8
Feb 24, 2021 16:09:48.868217945 CET	53	58361	8.8.8.8	192.168.2.3
Feb 24, 2021 16:09:53.001827002 CET	63492	53	192.168.2.3	8.8.8.8
Feb 24, 2021 16:09:53.044313908 CET	53	63492	8.8.8.8	192.168.2.3
Feb 24, 2021 16:09:54.032480955 CET	60831	53	192.168.2.3	8.8.8.8
Feb 24, 2021 16:09:54.046848059 CET	53	60831	8.8.8.8	192.168.2.3
Feb 24, 2021 16:09:54.677936077 CET	60100	53	192.168.2.3	8.8.8.8
Feb 24, 2021 16:09:54.690352917 CET	53	60100	8.8.8.8	192.168.2.3
Feb 24, 2021 16:09:55.502053022 CET	53195	53	192.168.2.3	8.8.8.8
Feb 24, 2021 16:09:55.514400005 CET	53	53195	8.8.8.8	192.168.2.3
Feb 24, 2021 16:09:56.381470919 CET	50141	53	192.168.2.3	8.8.8.8
Feb 24, 2021 16:09:56.393313885 CET	53	50141	8.8.8.8	192.168.2.3
Feb 24, 2021 16:10:02.328959942 CET	53023	53	192.168.2.3	8.8.8.8
Feb 24, 2021 16:10:02.341932058 CET	53	53023	8.8.8.8	192.168.2.3
Feb 24, 2021 16:10:04.517302036 CET	49563	53	192.168.2.3	8.8.8.8
Feb 24, 2021 16:10:04.529119968 CET	53	49563	8.8.8.8	192.168.2.3
Feb 24, 2021 16:10:06.100166082 CET	51352	53	192.168.2.3	8.8.8.8
Feb 24, 2021 16:10:06.112436056 CET	53	51352	8.8.8.8	192.168.2.3
Feb 24, 2021 16:10:06.430387020 CET	59349	53	192.168.2.3	8.8.8.8
Feb 24, 2021 16:10:06.448478937 CET	53	59349	8.8.8.8	192.168.2.3
Feb 24, 2021 16:10:12.494995117 CET	57084	53	192.168.2.3	8.8.8.8
Feb 24, 2021 16:10:12.515024900 CET	53	57084	8.8.8.8	192.168.2.3
Feb 24, 2021 16:10:17.301676989 CET	58823	53	192.168.2.3	8.8.8.8
Feb 24, 2021 16:10:17.313827038 CET	53	58823	8.8.8.8	192.168.2.3
Feb 24, 2021 16:10:19.046977043 CET	57568	53	192.168.2.3	8.8.8.8
Feb 24, 2021 16:10:19.069571018 CET	53	57568	8.8.8.8	192.168.2.3
Feb 24, 2021 16:10:24.355799913 CET	50540	53	192.168.2.3	8.8.8.8
Feb 24, 2021 16:10:24.378185987 CET	53	50540	8.8.8.8	192.168.2.3
Feb 24, 2021 16:10:31.779824018 CET	54366	53	192.168.2.3	8.8.8.8
Feb 24, 2021 16:10:31.798311949 CET	53	54366	8.8.8.8	192.168.2.3
Feb 24, 2021 16:10:45.665477037 CET	53034	53	192.168.2.3	8.8.8.8
Feb 24, 2021 16:10:45.679471970 CET	53	53034	8.8.8.8	192.168.2.3
Feb 24, 2021 16:10:50.969990969 CET	57762	53	192.168.2.3	8.8.8.8
Feb 24, 2021 16:10:50.982461929 CET	53	57762	8.8.8.8	192.168.2.3
Feb 24, 2021 16:10:56.150626898 CET	55435	53	192.168.2.3	8.8.8.8
Feb 24, 2021 16:10:56.164819956 CET	53	55435	8.8.8.8	192.168.2.3
Feb 24, 2021 16:11:00.175910950 CET	50713	53	192.168.2.3	8.8.8.8
Feb 24, 2021 16:11:00.188209057 CET	53	50713	8.8.8.8	192.168.2.3
Feb 24, 2021 16:11:10.023477077 CET	56132	53	192.168.2.3	8.8.8.8
Feb 24, 2021 16:11:10.036223888 CET	53	56132	8.8.8.8	192.168.2.3
Feb 24, 2021 16:11:16.742165089 CET	58987	53	192.168.2.3	8.8.8.8
Feb 24, 2021 16:11:16.755805969 CET	53	58987	8.8.8.8	192.168.2.3
Feb 24, 2021 16:11:21.909015894 CET	56579	53	192.168.2.3	8.8.8.8
Feb 24, 2021 16:11:21.921886921 CET	53	56579	8.8.8.8	192.168.2.3
Feb 24, 2021 16:11:24.093780994 CET	60633	53	192.168.2.3	8.8.8.8
Feb 24, 2021 16:11:24.106976032 CET	53	60633	8.8.8.8	192.168.2.3
Feb 24, 2021 16:11:24.641074896 CET	61292	53	192.168.2.3	8.8.8.8
Feb 24, 2021 16:11:24.653902054 CET	53	61292	8.8.8.8	192.168.2.3
Feb 24, 2021 16:11:25.124650955 CET	63619	53	192.168.2.3	8.8.8.8
Feb 24, 2021 16:11:25.137247086 CET	53	63619	8.8.8.8	192.168.2.3
Feb 24, 2021 16:11:25.476217985 CET	64938	53	192.168.2.3	8.8.8.8
Feb 24, 2021 16:11:25.488652945 CET	53	64938	8.8.8.8	192.168.2.3
Feb 24, 2021 16:11:25.934799910 CET	61946	53	192.168.2.3	8.8.8.8
Feb 24, 2021 16:11:25.942636967 CET	64910	53	192.168.2.3	8.8.8.8
Feb 24, 2021 16:11:25.955234051 CET	53	64910	8.8.8.8	192.168.2.3
Feb 24, 2021 16:11:25.967046022 CET	53	61946	8.8.8.8	192.168.2.3
Feb 24, 2021 16:11:26.422049999 CET	52123	53	192.168.2.3	8.8.8.8
Feb 24, 2021 16:11:26.435072899 CET	53	52123	8.8.8.8	192.168.2.3
Feb 24, 2021 16:11:27.133759022 CET	56130	53	192.168.2.3	8.8.8.8
Feb 24, 2021 16:11:27.143636942 CET	56338	53	192.168.2.3	8.8.8.8
Feb 24, 2021 16:11:27.146339893 CET	53	56130	8.8.8.8	192.168.2.3
Feb 24, 2021 16:11:27.158008099 CET	53	56338	8.8.8.8	192.168.2.3
Feb 24, 2021 16:11:27.831820011 CET	59420	53	192.168.2.3	8.8.8.8
Feb 24, 2021 16:11:27.844815969 CET	53	59420	8.8.8.8	192.168.2.3
Feb 24, 2021 16:11:28.594331026 CET	58784	53	192.168.2.3	8.8.8.8
Feb 24, 2021 16:11:28.609221935 CET	53	58784	8.8.8.8	192.168.2.3
Feb 24, 2021 16:11:29.027743101 CET	63978	53	192.168.2.3	8.8.8.8
Feb 24, 2021 16:11:29.042020082 CET	53	63978	8.8.8.8	192.168.2.3
Feb 24, 2021 16:11:48.078160048 CET	62938	53	192.168.2.3	8.8.8.8
Feb 24, 2021 16:11:48.098563910 CET	53	62938	8.8.8.8	192.168.2.3
Feb 24, 2021 16:11:53.198249102 CET	55708	53	192.168.2.3	8.8.8.8
Feb 24, 2021 16:11:53.212601900 CET	53	55708	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Feb 24, 2021 16:10:12.494995117 CET	192.168.2.3	8.8.8.8	0x827b	Standard query (0)	strongodss.ddns.net	A (IP address)	IN (0x0001)
Feb 24, 2021 16:10:19.046977043 CET	192.168.2.3	8.8.8.8	0xb011	Standard query (0)	strongodss.ddns.net	A (IP address)	IN (0x0001)
Feb 24, 2021 16:10:24.355799913 CET	192.168.2.3	8.8.8.8	0x7a43	Standard query (0)	strongodss.ddns.net	A (IP address)	IN (0x0001)
Feb 24, 2021 16:10:45.665477037 CET	192.168.2.3	8.8.8.8	0x4f9	Standard query (0)	strongodss.ddns.net	A (IP address)	IN (0x0001)
Feb 24, 2021 16:10:50.969990969 CET	192.168.2.3	8.8.8.8	0x2628	Standard query (0)	strongodss.ddns.net	A (IP address)	IN (0x0001)
Feb 24, 2021 16:10:56.150626898 CET	192.168.2.3	8.8.8.8	0xe64d	Standard query (0)	strongodss.ddns.net	A (IP address)	IN (0x0001)
Feb 24, 2021 16:11:16.742165089 CET	192.168.2.3	8.8.8.8	0x9cbe	Standard query (0)	strongodss.ddns.net	A (IP address)	IN (0x0001)
Feb 24, 2021 16:11:21.909015894 CET	192.168.2.3	8.8.8.8	0x9e7d	Standard query (0)	strongodss.ddns.net	A (IP address)	IN (0x0001)
Feb 24, 2021 16:11:27.133759022 CET	192.168.2.3	8.8.8.8	0xec71	Standard query (0)	strongodss.ddns.net	A (IP address)	IN (0x0001)
Feb 24, 2021 16:11:48.078160048 CET	192.168.2.3	8.8.8.8	0x427d	Standard query (0)	strongodss.ddns.net	A (IP address)	IN (0x0001)
Feb 24, 2021 16:11:53.198249102 CET	192.168.2.3	8.8.8.8	0x28a1	Standard query (0)	strongodss.ddns.net	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
Feb 24, 2021 16:10:12.515024900 CET	8.8.8.8	192.168.2.3	0x827b	No error (0)	strongodss.ddns.net	87.237.165.78	A (IP address)	IN (0x0001)
Feb 24, 2021 16:10:19.069571018 CET	8.8.8.8	192.168.2.3	0xb011	No error (0)	strongodss.ddns.net	87.237.165.78	A (IP address)	IN (0x0001)
Feb 24, 2021 16:10:24.378185987 CET	8.8.8.8	192.168.2.3	0x7a43	No error (0)	strongodss.ddns.net	87.237.165.78	A (IP address)	IN (0x0001)
Feb 24, 2021 16:10:45.679471970 CET	8.8.8.8	192.168.2.3	0x4f9	No error (0)	strongodss.ddns.net	87.237.165.78	A (IP address)	IN (0x0001)
Feb 24, 2021 16:10:50.982461929 CET	8.8.8.8	192.168.2.3	0x2628	No error (0)	strongodss.ddns.net	87.237.165.78	A (IP address)	IN (0x0001)
Feb 24, 2021 16:10:56.164819956 CET	8.8.8.8	192.168.2.3	0xe64d	No error (0)	strongodss.ddns.net	87.237.165.78	A (IP address)	IN (0x0001)
Feb 24, 2021 16:11:16.755805969 CET	8.8.8.8	192.168.2.3	0x9cbe	No error (0)	strongodss.ddns.net	87.237.165.78	A (IP address)	IN (0x0001)
Feb 24, 2021 16:11:21.921886921 CET	8.8.8.8	192.168.2.3	0x9e7d	No error (0)	strongodss.ddns.net	87.237.165.78	A (IP address)	IN (0x0001)
Feb 24, 2021 16:11:27.146339893 CET	8.8.8.8	192.168.2.3	0xec71	No error (0)	strongodss.ddns.net	87.237.165.78	A (IP address)	IN (0x0001)
Feb 24, 2021 16:11:48.098563910 CET	8.8.8.8	192.168.2.3	0x427d	No error (0)	strongodss.ddns.net	87.237.165.78	A (IP address)	IN (0x0001)
Feb 24, 2021 16:11:53.212601900 CET	8.8.8.8	192.168.2.3	0x28a1	No error (0)	strongodss.ddns.net	87.237.165.78	A (IP address)	IN (0x0001)

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: Y5XyMnx8Ng.exe PID: 6372 Parent PID: 5716

General

Start time:	16:09:42
Start date:	24/02/2021
Path:	C:\Users\user\Desktop\Y5XyMnx8Ng.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\Y5XyMnx8Ng.exe'
Imagebase:	0x530000
File size:	790016 bytes
MD5 hash:	5BD6A6DBDA26ADA813C6F60FDFC7BA70
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.273575013.0000000003C11000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.273575013.0000000003C11000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000000.00000002.273575013.0000000003C11000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.274362960.00000000040F1000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.274362960.00000000040F1000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000000.00000002.274362960.00000000040F1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Chronological Activities

Analysis Process: schtasks.exe PID: 5812 Parent PID: 6372

General

Start time:	16:10:06
Start date:	24/02/2021
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\LbSNAHQmeXYAoG' /XML 'C:\Users\user\AppData\Local\Temp\tmp8EF2.tmp'
Imagebase:	0x320000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 3180 Parent PID: 5812

General

Start time:	16:10:06
Start date:	24/02/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: RegSvcs.exe PID: 5464 Parent PID: 6372

General

Start time:	16:10:07
Start date:	24/02/2021
Path:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	{path}
Imagebase:	0x440000
File size:	32768 bytes
MD5 hash:	71369277D09DA0830C8C59F9E22BB23A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000008.00000002.494335612.0000000005710000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000008.00000002.494335612.0000000005710000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000008.00000002.494335612.0000000005710000.00000004.00000001.sdmp, Author: Joe Security Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000008.00000002.483906093.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000008.00000002.483906093.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000008.00000002.483906093.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000008.00000002.492975177.0000000003BBB000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000008.00000002.492975177.0000000003BBB000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000008.00000002.494301167.0000000005700000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000008.00000002.494301167.0000000005700000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000008.00000002.493799082.0000000004E80000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000008.00000002.493799082.0000000004E80000.00000004.00000001.sdmp, Author: Florian Roth
Reputation:	moderate

Chronological Activities

Analysis Process: schtasks.exe PID: 6292 Parent PID: 5464

General

Start time:	16:10:09
Start date:	24/02/2021
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp3911.tmp'
Imagebase:	0x320000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 6036 Parent PID: 6292

General

Start time:	16:10:09
Start date:	24/02/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: schtasks.exe PID: 6352 Parent PID: 5464

General

Start time:	16:10:10
Start date:	24/02/2021
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp3C8D.tmp'
Imagebase:	0x320000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 1968 Parent PID: 6352

General

Start time:	16:10:10
Start date:	24/02/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: RegSvcs.exe PID: 6384 Parent PID: 528

General

Start time:	16:10:10
Start date:	24/02/2021
Path:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe 0
Imagebase:	0x7d0000
File size:	32768 bytes
MD5 hash:	71369277D09DA0830C8C59F9E22BB23A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	moderate

Chronological Activities

Analysis Process: conhost.exe PID: 2172 Parent PID: 6384

General

Start time:	16:10:11
Start date:	24/02/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: dhcpmon.exe PID: 6200 Parent PID: 528

General

Start time:	16:10:13
Start date:	24/02/2021
Path:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
Imagebase:	0x8c0000
File size:	32768 bytes
MD5 hash:	71369277D09DA0830C8C59F9E22BB23A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Antivirus matches:	Detection: 0%, Metadefender, Browse Detection: 0%, ReversingLabs
Reputation:	moderate

Chronological Activities

Analysis Process: conhost.exe PID: 5828 Parent PID: 6200

General

Start time:	16:10:13
Start date:	24/02/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: dhcpmon.exe PID: 6404 Parent PID: 3388

General

Start time:	16:10:22
Start date:	24/02/2021
Path:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
Imagebase:	0x760000
File size:	32768 bytes
MD5 hash:	71369277D09DA0830C8C59F9E22BB23A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	moderate

Chronological Activities

Analysis Process: conhost.exe PID: 5680 Parent PID: 6404

General

Start time:	16:10:22
Start date:	24/02/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: Y5XyMnx8Ng.exe PID: 6372 Parent PID: 5716 Y5XyMnx8Ng.exeCOMMON

Executed Functions

Function 067C54C9, Relevance: 14.6, Strings: 11, Instructions: 897COMMON

Download Yara Rule

Strings

X1kr, xrefs: 067C5692
n, xrefs: 067C6365
i, xrefs: 067C5889
i, xrefs: 067C5CCE
r, xrefs: 067C5BF9
o, xrefs: 067C5A2C
w, xrefs: 067C5563
n, xrefs: 067C5E09
>_Ir, xrefs: 067C55ED
(, xrefs: 067C5F62
v, xrefs: 067C607D

Memory Dump Source

Source File: 00000000.00000002.278419169.00000000067C0000.00000040.00000001.sdmp, Offset: 067C0000, based on PE: false

Similarity

API ID:
String ID: ($>_Ir$X1kr$i$i$n$n$o$r$v$w
API String ID: 0-875549068
Opcode ID: e2c2d5d5aae78947e372127bc31fab87be193fdaaea4eae827dcf90284b4a6d2
Instruction ID: 3f5ad60557982cf1c9f7c7dbe7d9cec65553f32723e6261d102e8ef33edc2be4
Opcode Fuzzy Hash: e2c2d5d5aae78947e372127bc31fab87be193fdaaea4eae827dcf90284b4a6d2
Instruction Fuzzy Hash: 64821270D46229CFEBA4DF24C888BEDBBB1AB49324F1091ED800DA7291DB755AC4CF51

Uniqueness

Uniqueness Score: -1.00%

Function 070C28EB, Relevance: 1.6, APIs: 1, Instructions: 75COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 070C296B

Memory Dump Source

Source File: 00000000.00000002.279366717.00000000070C0000.00000040.00000001.sdmp, Offset: 070C0000, based on PE: false

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: 6295fda5fcd4a066ebda0f7bd55efad166d8931f66947a1aab59658e4eb51768
Instruction ID: 1f80a1bb32c6c12f3adc8376bebf674fcd60ed191bca904c8be86927838505cc
Opcode Fuzzy Hash: 6295fda5fcd4a066ebda0f7bd55efad166d8931f66947a1aab59658e4eb51768
Instruction Fuzzy Hash: 6A21BFB6509380AFDB22CF25DC40B56BFF4EF06310F0885EAE9858B563D2709908DB62

Uniqueness

Uniqueness Score: -1.00%

Function 070C0FF2, Relevance: 1.6, APIs: 1, Instructions: 71COMMON

Download Yara Rule

APIs

GetUserNameA.ADVAPI32(?,00000E2C), ref: 070C1059

Memory Dump Source

Source File: 00000000.00000002.279366717.00000000070C0000.00000040.00000001.sdmp, Offset: 070C0000, based on PE: false

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 1071b49458f7e856da90c8b16e2734a87b7e69b2aace5a681bcee6615d89f079
Instruction ID: 304d63a638800502820978cfdb47171080280e59ce7e036edf6fdc8143c004a8
Opcode Fuzzy Hash: 1071b49458f7e856da90c8b16e2734a87b7e69b2aace5a681bcee6615d89f079
Instruction Fuzzy Hash: 4911A2B2500248AFF720DB24DC45FAABB9CEF45310F24856AEE05DB241D6B4A5058B71

Uniqueness

Uniqueness Score: -1.00%

Function 04D90100, Relevance: 1.6, Instructions: 1566COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.274560268.0000000004D90000.00000040.00000001.sdmp, Offset: 04D90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7c2ead141e508fff9b2033c4d14077ec2d5ef5a02b10219cf2b8943c6379faa
Instruction ID: 963182f3f15770f54478a1790b857deefff1e50db0a653a1f928990fe079df04
Opcode Fuzzy Hash: b7c2ead141e508fff9b2033c4d14077ec2d5ef5a02b10219cf2b8943c6379faa
Instruction Fuzzy Hash: ABF2B734A41218DFDB65DB64C898FA9B7B2FF4A301F5540E8D509AB361CB32AE85DF40

Uniqueness

Uniqueness Score: -1.00%

Function 04D90110, Relevance: 1.6, Instructions: 1558COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.274560268.0000000004D90000.00000040.00000001.sdmp, Offset: 04D90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbce0d62b65cbd92ba440505d975d200c195ed9f8148e14124b6a65d1cb37e45
Instruction ID: 73413714f017fceb9dfcc65efdc5659b73b33e8534b7ca85840b6687f9b99c49
Opcode Fuzzy Hash: fbce0d62b65cbd92ba440505d975d200c195ed9f8148e14124b6a65d1cb37e45
Instruction Fuzzy Hash: 5FF2A734A41218DFDB65DB64C898FA9B7B2FF4A301F5540E8D509AB361CB32AE85DF40

Uniqueness

Uniqueness Score: -1.00%

Function 070C2A6D, Relevance: 1.6, APIs: 1, Instructions: 57nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL(?,?,?,?), ref: 070C2AD9

Memory Dump Source

Source File: 00000000.00000002.279366717.00000000070C0000.00000040.00000001.sdmp, Offset: 070C0000, based on PE: false

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: 90a80146dcc7b51180e215f04042a19bb511331b8846360cd247ec167adf2f2b
Instruction ID: ec8dbf3b77581f61feec997d85a7781ed809607f7710f914d61778b4cd0fd0c3
Opcode Fuzzy Hash: 90a80146dcc7b51180e215f04042a19bb511331b8846360cd247ec167adf2f2b
Instruction Fuzzy Hash: 321181714093C49FD7228F24DC45A52FFB4EF06314F0984DAE9844B663D275A918DB62

Uniqueness

Uniqueness Score: -1.00%

Function 070C2922, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 070C296B

Memory Dump Source

Source File: 00000000.00000002.279366717.00000000070C0000.00000040.00000001.sdmp, Offset: 070C0000, based on PE: false

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: 8b43d801d4599d748beabf798c1755c0f070f195b02b514bda47f39921e1866d
Instruction ID: 2e408e4fea9a947894201f88bae919bd4ab00a5a83b232cc1817489e2a160e8c
Opcode Fuzzy Hash: 8b43d801d4599d748beabf798c1755c0f070f195b02b514bda47f39921e1866d
Instruction Fuzzy Hash: FB118C755006009FDB60CF65D884B6AFBE4FF44220F0885AEEE498BA12D271E418DB61

Uniqueness

Uniqueness Score: -1.00%

Function 070C2A9E, Relevance: 1.5, APIs: 1, Instructions: 38nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL(?,?,?,?), ref: 070C2AD9

Memory Dump Source

Source File: 00000000.00000002.279366717.00000000070C0000.00000040.00000001.sdmp, Offset: 070C0000, based on PE: false

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: 9f9d0fba584fdb02e23de07f7eed39fe3db3fdad2b75f5e8fbacaf1f5557b319
Instruction ID: 4b34d604bbb9ffb2a5a18578fedd6f4e46e963ab14a86483c95229961d9b54df
Opcode Fuzzy Hash: 9f9d0fba584fdb02e23de07f7eed39fe3db3fdad2b75f5e8fbacaf1f5557b319
Instruction Fuzzy Hash: 31017C754006449FDB20CF55D984B2AFFA0FF08320F08859ADE494BA16D2B5A418DB62

Uniqueness

Uniqueness Score: -1.00%

Function 04D92398, Relevance: 1.4, Strings: 1, Instructions: 153COMMON

Download Yara Rule

Strings

X1kr, xrefs: 04D92417

Memory Dump Source

Source File: 00000000.00000002.274560268.0000000004D90000.00000040.00000001.sdmp, Offset: 04D90000, based on PE: false

Similarity

API ID:
String ID: X1kr
API String ID: 0-844551562
Opcode ID: 6cbb9e1b3d02374ba7bfcfe37941f737d89d9a530d896cb48f6268aee7a9f01b
Instruction ID: f4e45d7ba6bc71ac241f277b2dd09aae19c322a6239a5116d6df7f631aa3cb8d
Opcode Fuzzy Hash: 6cbb9e1b3d02374ba7bfcfe37941f737d89d9a530d896cb48f6268aee7a9f01b
Instruction Fuzzy Hash: 6C6170B4E00218DFDB54DFA9D994A9DBBF2BF88300F20956AD819E7354EB34A941CF50

Uniqueness

Uniqueness Score: -1.00%

Function 04D92389, Relevance: 1.4, Strings: 1, Instructions: 151COMMON

Download Yara Rule

Strings

X1kr, xrefs: 04D92417

Memory Dump Source

Source File: 00000000.00000002.274560268.0000000004D90000.00000040.00000001.sdmp, Offset: 04D90000, based on PE: false

Similarity

API ID:
String ID: X1kr
API String ID: 0-844551562
Opcode ID: 09f03cf0968aa41c8631e63aeb734e4ef8e99814a4c0a5aa2f1b2fdf57519768
Instruction ID: ffb3e7f52f8dbd440e9ec6578c273bce6ce6209ee1fcaea181abfe9bf035f776
Opcode Fuzzy Hash: 09f03cf0968aa41c8631e63aeb734e4ef8e99814a4c0a5aa2f1b2fdf57519768
Instruction Fuzzy Hash: 126180B4E00208DFDB54DFA9D994A9DBBF2BF89300F20956AE819E7354EB349945CF10

Uniqueness

Uniqueness Score: -1.00%

Function 067C3B27, Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.278419169.00000000067C0000.00000040.00000001.sdmp, Offset: 067C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 356ad848d6ec9ba7ef50a485ad6100d823d0b5655a44657b5528a572a5770cd9
Instruction ID: b260e12e18fb4b78eecbab36b926248f83f8ed3d02c1b896caef41c75a641567
Opcode Fuzzy Hash: 356ad848d6ec9ba7ef50a485ad6100d823d0b5655a44657b5528a572a5770cd9
Instruction Fuzzy Hash: 4F31EEB1D096088FEB58CF6BD8401AEFBF7AFC9310F14C16EC8186A265EB3009428A44

Uniqueness

Uniqueness Score: -1.00%

Function 04D98C17, Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.274560268.0000000004D90000.00000040.00000001.sdmp, Offset: 04D90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: acc00cd5f0245edc6de3e9330d328f680826aab1b9c0a69044a1a92f8d715e7f
Instruction ID: 9529aa2fbdae92b4d16ff6ef40c2d70b879d2201d7058fbb20109d5eb7bc064e
Opcode Fuzzy Hash: acc00cd5f0245edc6de3e9330d328f680826aab1b9c0a69044a1a92f8d715e7f
Instruction Fuzzy Hash: 6621DFB1E056499BDB18DF6BD84469DBBF3BFC9300F14C1BAD818A6264EB3015459F50

Uniqueness

Uniqueness Score: -1.00%

Function 04D98C28, Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.274560268.0000000004D90000.00000040.00000001.sdmp, Offset: 04D90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1c9d3618800dab532ef1b9b6a4d9909fb19ba086dc78f43ab0cee111e754901
Instruction ID: 1e47267181f5965f7b24bd06d9296318cb4ce186f27dabd398fc7771d50bbf0d
Opcode Fuzzy Hash: c1c9d3618800dab532ef1b9b6a4d9909fb19ba086dc78f43ab0cee111e754901
Instruction Fuzzy Hash: 3811C9B1E056099BEB1CDFABD84069EFAF7BFC9300F14C179D918A6268EB3015469F50

Uniqueness

Uniqueness Score: -1.00%

Function 04D98CCE, Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.274560268.0000000004D90000.00000040.00000001.sdmp, Offset: 04D90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e5734688d9be8b3ac3d2de75e5d7b0ff5e6bf1e7f7db395ba7e42d3fd875749
Instruction ID: 7a8908f73105552f4490a22cea5158be2a7eb3e973daf467ff5c9fa10737c5ce
Opcode Fuzzy Hash: 9e5734688d9be8b3ac3d2de75e5d7b0ff5e6bf1e7f7db395ba7e42d3fd875749
Instruction Fuzzy Hash: A911EAB0E056098BDB58CF6BC84029DBBF7BFC9200F14C1BAD919E6364EB3059459F00

Uniqueness

Uniqueness Score: -1.00%

Function 067C063F, Relevance: 2.9, Strings: 2, Instructions: 354COMMON

Download Yara Rule

Strings

C, xrefs: 067C0731
:@Dr, xrefs: 067C0BBA

Memory Dump Source

Source File: 00000000.00000002.278419169.00000000067C0000.00000040.00000001.sdmp, Offset: 067C0000, based on PE: false

Similarity

API ID:
String ID: :@Dr$C
API String ID: 0-300834809
Opcode ID: ae4cfc11662cd44838ac8c1a15a38d3f2ac9cf1d2632c1cd2f3ba816fbe00bd5
Instruction ID: cd17234f7789800892e18c49681e8bf76e3642ac9c32cdef4a3d2da24be289cc
Opcode Fuzzy Hash: ae4cfc11662cd44838ac8c1a15a38d3f2ac9cf1d2632c1cd2f3ba816fbe00bd5
Instruction Fuzzy Hash: 9CE1C274D49228CFEBA4CF68C8447EDB7B5AB4A324F1091EEC40AA7251D7365AC1CF94

Uniqueness

Uniqueness Score: -1.00%

Function 04D927A7, Relevance: 2.7, Strings: 2, Instructions: 199COMMON

Download Yara Rule

Strings

</kr, xrefs: 04D92A66
,:kr, xrefs: 04D92900

Memory Dump Source

Source File: 00000000.00000002.274560268.0000000004D90000.00000040.00000001.sdmp, Offset: 04D90000, based on PE: false

Similarity

API ID:
String ID: ,:kr$</kr
API String ID: 0-3694523141
Opcode ID: f11a421babde33f7cfd4d3570a2111234d0d80f65fbb58f89099853ddb3c9f08
Instruction ID: 668d48e4f662024b3dc9b6817a9a87a5d6bd6c47312f8bc5ca6c3c2fd19ff7ef
Opcode Fuzzy Hash: f11a421babde33f7cfd4d3570a2111234d0d80f65fbb58f89099853ddb3c9f08
Instruction Fuzzy Hash: 1791D074E01228DFDB20DFA4C884BADBBF2BF4A314F1485D9D508AB251DB30AA85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 067C6430, Relevance: 2.7, Strings: 2, Instructions: 176COMMON

Download Yara Rule

Strings

n, xrefs: 067C6365
v, xrefs: 067C607D

Memory Dump Source

Source File: 00000000.00000002.278419169.00000000067C0000.00000040.00000001.sdmp, Offset: 067C0000, based on PE: false

Similarity

API ID:
String ID: n$v
API String ID: 0-4119202455
Opcode ID: 4cb044ebd7cb291032d5d73e8981140b2813dca83b7a5f8219a8869948b76a97
Instruction ID: a7d1a0b6752891a11566eb2639a64b9209c2788ac994424aadd9ae4649c4eed7
Opcode Fuzzy Hash: 4cb044ebd7cb291032d5d73e8981140b2813dca83b7a5f8219a8869948b76a97
Instruction Fuzzy Hash: EC712270C49269CFEBA4DF28C9847ECB6B5AB45325F1091EE811EA7292DB344AC5CF50

Uniqueness

Uniqueness Score: -1.00%

Function 070C0F92, Relevance: 1.6, APIs: 1, Instructions: 116COMMON

Download Yara Rule

APIs

GetUserNameA.ADVAPI32(?,00000E2C), ref: 070C1059

Memory Dump Source

Source File: 00000000.00000002.279366717.00000000070C0000.00000040.00000001.sdmp, Offset: 070C0000, based on PE: false

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 7c99d2d4cb8bee7ece44e0c0565574ea47036927989e5e70f4dc7682b4f14777
Instruction ID: 82c1c60705239399bf82226e3a3c9a2d81073e61bc6678325e9dd53d715150ec
Opcode Fuzzy Hash: 7c99d2d4cb8bee7ece44e0c0565574ea47036927989e5e70f4dc7682b4f14777
Instruction Fuzzy Hash: 59316DB210A3C46FE7138B348C54BA6BFB89F03210F1985DBE984DB193D2659849C772

Uniqueness

Uniqueness Score: -1.00%

Function 070C1DFB, Relevance: 1.6, APIs: 1, Instructions: 102COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,00000E2C), ref: 070C1EAB

Memory Dump Source

Source File: 00000000.00000002.279366717.00000000070C0000.00000040.00000001.sdmp, Offset: 070C0000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 4dd61b6c6da4956a2c44e70c5025cc2d44ea907315c9a3225dda22cc9f27f8b2
Instruction ID: f492bf47d58968dafd60e09b5d21a0b24701bd323756c1bf7ba474479e846969
Opcode Fuzzy Hash: 4dd61b6c6da4956a2c44e70c5025cc2d44ea907315c9a3225dda22cc9f27f8b2
Instruction Fuzzy Hash: 6E31A3B1004384AFE7228B65DC45F6ABFACEF46310F0485ABE985DB252D224A909DB71

Uniqueness

Uniqueness Score: -1.00%

Function 070C16EA, Relevance: 1.6, APIs: 1, Instructions: 94COMMON

Download Yara Rule

APIs

GetTokenInformation.KERNELBASE(?,00000E2C,BB8FF849,00000000,00000000,00000000,00000000), ref: 070C1794

Memory Dump Source

Source File: 00000000.00000002.279366717.00000000070C0000.00000040.00000001.sdmp, Offset: 070C0000, based on PE: false

Similarity

API ID: InformationToken
String ID:
API String ID: 4114910276-0
Opcode ID: 8eeea3cb04162654e799599ed1309097f4dec79bee3b726c3c6155bfa0aa9a02
Instruction ID: 7040f744c05e37bf37c9b7d79fc851af551f04b3cc2333f186283b4b06e2991c
Opcode Fuzzy Hash: 8eeea3cb04162654e799599ed1309097f4dec79bee3b726c3c6155bfa0aa9a02
Instruction Fuzzy Hash: AE31B5B1409384AFEB22CF65DC45F97BFB8EF06310F08859BE9859B153D224A909C771

Uniqueness

Uniqueness Score: -1.00%

Function 00D8AC22, Relevance: 1.6, APIs: 1, Instructions: 92registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,00000E2C), ref: 00D8ACD1

Memory Dump Source

Source File: 00000000.00000002.268904357.0000000000D8A000.00000040.00000001.sdmp, Offset: 00D8A000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: d4c5b6f4f7614f5afde94eb248aaf1ed8541c0141efa110509a482df955ac8aa
Instruction ID: f5ff33101b11aa853cef7604cfb3857f7a0802e733643a6f3ef324efba7da7e6
Opcode Fuzzy Hash: d4c5b6f4f7614f5afde94eb248aaf1ed8541c0141efa110509a482df955ac8aa
Instruction Fuzzy Hash: FF31B472504384AFE7228B25CC45F67BFBCEF06710F0884ABED819B252D265A809CB71

Uniqueness

Uniqueness Score: -1.00%

Function 070C1278, Relevance: 1.6, APIs: 1, Instructions: 90fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 070C1319

Memory Dump Source

Source File: 00000000.00000002.279366717.00000000070C0000.00000040.00000001.sdmp, Offset: 070C0000, based on PE: false

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: fe473dc762d393c7a71fbd7eead2525efc292d5e6a73f9b7afffeaacc68b16c4
Instruction ID: 9e96f24c785b6300f486781baefb0704c0cfa493e1933a84398bd10e870f1b0e
Opcode Fuzzy Hash: fe473dc762d393c7a71fbd7eead2525efc292d5e6a73f9b7afffeaacc68b16c4
Instruction Fuzzy Hash: 89319CB1504384AFE722CF65CC44F66BFE8EF45610F0885AEE9848B252D365E809CB71

Uniqueness

Uniqueness Score: -1.00%

Function 00D8AD19, Relevance: 1.6, APIs: 1, Instructions: 89registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,BB8FF849,00000000,00000000,00000000,00000000), ref: 00D8ADD4

Memory Dump Source

Source File: 00000000.00000002.268904357.0000000000D8A000.00000040.00000001.sdmp, Offset: 00D8A000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 2e477e655dd4a0a88e37270af780ce9a70289aa02eb256545bb3d192f4039959
Instruction ID: 1a8955d98ee5234ff28ca0106f7abd1c8d442d1cc20276466295037874086e48
Opcode Fuzzy Hash: 2e477e655dd4a0a88e37270af780ce9a70289aa02eb256545bb3d192f4039959
Instruction Fuzzy Hash: 87319371509384AFE722CB25CC44FA2BFF8EF06310F18849BE985CB252D264E949CB71

Uniqueness

Uniqueness Score: -1.00%

Function 070C033A, Relevance: 1.6, APIs: 1, Instructions: 89synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNELBASE(?,?), ref: 070C03E1

Memory Dump Source

Source File: 00000000.00000002.279366717.00000000070C0000.00000040.00000001.sdmp, Offset: 070C0000, based on PE: false

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 208014bd9147ab5e00db3c3c7a65ca7250f709cfb9c905e95d9e2128ff7becae
Instruction ID: 628b9b28e59460272efdf0eac4ce93f6a47e5294cb85c865d85ea4a59a6ed29a
Opcode Fuzzy Hash: 208014bd9147ab5e00db3c3c7a65ca7250f709cfb9c905e95d9e2128ff7becae
Instruction Fuzzy Hash: 67318FB1509780AFE712CB25DC84F56FFE8EF06210F08859EE984DB292D365A909CB61

Uniqueness

Uniqueness Score: -1.00%

Function 070C0438, Relevance: 1.6, APIs: 1, Instructions: 86registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,?,?), ref: 070C04EE

Memory Dump Source

Source File: 00000000.00000002.279366717.00000000070C0000.00000040.00000001.sdmp, Offset: 070C0000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 5c762572f51c8d7102a773055151e6def4aa5ba44081ba5947f5c1b21477b9b8
Instruction ID: 18cce8e24d0a0a327ec6ccfe24ad7a8fc30c7f07042e65f10f1f9e5303f7ee95
Opcode Fuzzy Hash: 5c762572f51c8d7102a773055151e6def4aa5ba44081ba5947f5c1b21477b9b8
Instruction Fuzzy Hash: 9231D9B54097C05FD3138B259C51B62BF74EF47720F0A81DBD8848B663E2256916C771

Uniqueness

Uniqueness Score: -1.00%

Function 070C1A1B, Relevance: 1.6, APIs: 1, Instructions: 85COMMON

Download Yara Rule

APIs

LsaOpenPolicy.ADVAPI32(?,00000E2C), ref: 070C1AB7

Memory Dump Source

Source File: 00000000.00000002.279366717.00000000070C0000.00000040.00000001.sdmp, Offset: 070C0000, based on PE: false

Similarity

API ID: OpenPolicy
String ID:
API String ID: 2030686058-0
Opcode ID: d2ca6adff8cb50466070bae86fe9e75951b139989280cb12bc80518b9c6337a6
Instruction ID: df86eeb65c7b75749581c304e4680ad234ecc93e9286629003161fcc1612a8ee
Opcode Fuzzy Hash: d2ca6adff8cb50466070bae86fe9e75951b139989280cb12bc80518b9c6337a6
Instruction Fuzzy Hash: 5721A2B2504384AFE721CF65DC44F6AFFE8EF45310F08899AED849B252D324A809CB61

Uniqueness

Uniqueness Score: -1.00%

Function 070C10B7, Relevance: 1.6, APIs: 1, Instructions: 81COMMON

Download Yara Rule

APIs

FindWindowA.USER32(?,00000E2C), ref: 070C115A

Memory Dump Source

Source File: 00000000.00000002.279366717.00000000070C0000.00000040.00000001.sdmp, Offset: 070C0000, based on PE: false

Similarity

API ID: FindWindow
String ID:
API String ID: 134000473-0
Opcode ID: b673fb6ac90c5a05b692b01bcc4f78f4d62747b49b00f8d1018f5ef15454b50d
Instruction ID: d2d08604f45afd9ba682dbe90161581dad37fb6f90bcf4278ab1ed150428d274
Opcode Fuzzy Hash: b673fb6ac90c5a05b692b01bcc4f78f4d62747b49b00f8d1018f5ef15454b50d
Instruction Fuzzy Hash: B22196B1409384AFE722CF24DC41F96BFA8EF46310F18859AE9449F192D2786949C761

Uniqueness

Uniqueness Score: -1.00%

Function 070C1E2E, Relevance: 1.6, APIs: 1, Instructions: 80COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,00000E2C), ref: 070C1EAB

Memory Dump Source

Source File: 00000000.00000002.279366717.00000000070C0000.00000040.00000001.sdmp, Offset: 070C0000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 33c713648cb7a547acb87e5a967e4339696bfe16f7f28532591d56ac0b2764f6
Instruction ID: ea42dc0ad9cf81f78d39503004a85b884a3f8e29fa93a97e94a7431f84bbef7c
Opcode Fuzzy Hash: 33c713648cb7a547acb87e5a967e4339696bfe16f7f28532591d56ac0b2764f6
Instruction Fuzzy Hash: 2221B0B2500204AFEB21DF65DC44F6BBBECEF05310F14896AEE45DB251D670A4098B71

Uniqueness

Uniqueness Score: -1.00%

Function 070C1370, Relevance: 1.6, APIs: 1, Instructions: 80COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E2C,BB8FF849,00000000,00000000,00000000,00000000), ref: 070C1405

Memory Dump Source

Source File: 00000000.00000002.279366717.00000000070C0000.00000040.00000001.sdmp, Offset: 070C0000, based on PE: false

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: e4b2ce7d2583ce45d6899cfd74a7cf4f580be67451351b546606170d7c03ba3c
Instruction ID: c27859ddc5d04e508890c3bed27a69a40c0d9c9fe053f46512d9ae4980b7a0c4
Opcode Fuzzy Hash: e4b2ce7d2583ce45d6899cfd74a7cf4f580be67451351b546606170d7c03ba3c
Instruction Fuzzy Hash: 942106B54093806FE7128B25DC41FA6BFA8EF07720F1881DBED848B293D2646909C771

Uniqueness

Uniqueness Score: -1.00%

Function 00D8A2AC, Relevance: 1.6, APIs: 1, Instructions: 77COMMON

Download Yara Rule

APIs

SetConsoleCtrlHandler.KERNELBASE(?,00000E2C,?,?), ref: 00D8A346

Memory Dump Source

Source File: 00000000.00000002.268904357.0000000000D8A000.00000040.00000001.sdmp, Offset: 00D8A000, based on PE: false

Similarity

API ID: ConsoleCtrlHandler
String ID:
API String ID: 1513847179-0
Opcode ID: 830b7b5d13a9aa759fde006d5b4632d427021c5070bff6f226f6dfbbb6d1b8e4
Instruction ID: a5cf71045f4cd92bf67ddfa936e52ba5aef3b3575bee7cf272e8dab741893acc
Opcode Fuzzy Hash: 830b7b5d13a9aa759fde006d5b4632d427021c5070bff6f226f6dfbbb6d1b8e4
Instruction Fuzzy Hash: 8821B67544D3C06FD3138B259C51B22BFB4EF87620F0981DBE884CB653D225A919C7B2

Uniqueness

Uniqueness Score: -1.00%

Function 070C129A, Relevance: 1.6, APIs: 1, Instructions: 76fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 070C1319

Memory Dump Source

Source File: 00000000.00000002.279366717.00000000070C0000.00000040.00000001.sdmp, Offset: 070C0000, based on PE: false

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: d56e8eaccc6da3bc34362b12cecd7fe04febebf96edc704e3980b19929f3063b
Instruction ID: 693bd3f48876f1114aa455c03f78c4d80c6b4d44001817324fc750681a15b8e5
Opcode Fuzzy Hash: d56e8eaccc6da3bc34362b12cecd7fe04febebf96edc704e3980b19929f3063b
Instruction Fuzzy Hash: DA219AB5500604AFEB21CF65C884B6AFBE8EF08710F14856EEA858B652D371E405CB71

Uniqueness

Uniqueness Score: -1.00%

Function 070C1F09, Relevance: 1.6, APIs: 1, Instructions: 75fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(?), ref: 070C1F90

Memory Dump Source

Source File: 00000000.00000002.279366717.00000000070C0000.00000040.00000001.sdmp, Offset: 070C0000, based on PE: false

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: b7cd4b85703b14b0fa436ab77d276e58f23ff5f746ca60f82db23f756b5a2e92
Instruction ID: bdfce52b1098f452291e4ceb4ddb04c75d9e4c86a94c6cd5d4d3c32b249ff857
Opcode Fuzzy Hash: b7cd4b85703b14b0fa436ab77d276e58f23ff5f746ca60f82db23f756b5a2e92
Instruction Fuzzy Hash: 6F21B2B25093C49FDB12CF25DC51A92BFB8EF07210F0984DBDD848F263D2259909CB61

Uniqueness

Uniqueness Score: -1.00%

Function 070C2769, Relevance: 1.6, APIs: 1, Instructions: 75COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 070C27EA

Memory Dump Source

Source File: 00000000.00000002.279366717.00000000070C0000.00000040.00000001.sdmp, Offset: 070C0000, based on PE: false

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 767ba67e791e56ab9c19078037ae841ea0c39215c5639b92dc29df2aa3d957b0
Instruction ID: eac02902411114234589eb008b7dae0d8eb7e085dffc7fdd28381c278b97b7f3
Opcode Fuzzy Hash: 767ba67e791e56ab9c19078037ae841ea0c39215c5639b92dc29df2aa3d957b0
Instruction Fuzzy Hash: 7421A1B15093809FEB12CF25DC40B56BFE8EF06210F0885DEED85DB653D264E808CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00D8AC52, Relevance: 1.6, APIs: 1, Instructions: 74registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,00000E2C), ref: 00D8ACD1

Memory Dump Source

Source File: 00000000.00000002.268904357.0000000000D8A000.00000040.00000001.sdmp, Offset: 00D8A000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: ee241681a0b283ec035cad12e3b080a01f45b578530083f1fbdef80a481d367b
Instruction ID: 5285529bdbd35cddbb0bdfb889922bc24d5f65ad2a76c3946e0a6cc6c2ab2e84
Opcode Fuzzy Hash: ee241681a0b283ec035cad12e3b080a01f45b578530083f1fbdef80a481d367b
Instruction Fuzzy Hash: EB21AE72500604AFF721AF69DC84F6BFBECEF14710F14846BEE459B241D664E9098BB2

Uniqueness

Uniqueness Score: -1.00%

Function 070C1A46, Relevance: 1.6, APIs: 1, Instructions: 72COMMON

Download Yara Rule

APIs

LsaOpenPolicy.ADVAPI32(?,00000E2C), ref: 070C1AB7

Memory Dump Source

Source File: 00000000.00000002.279366717.00000000070C0000.00000040.00000001.sdmp, Offset: 070C0000, based on PE: false

Similarity

API ID: OpenPolicy
String ID:
API String ID: 2030686058-0
Opcode ID: 91bb3dd575dd749825a8ff49d0ea5cf00d73a1e2f5dcbc2eebbe79881291dc00
Instruction ID: cda01662af5c7c4976aa279bff7c24045735e65d588ce67d6df48528735f147c
Opcode Fuzzy Hash: 91bb3dd575dd749825a8ff49d0ea5cf00d73a1e2f5dcbc2eebbe79881291dc00
Instruction Fuzzy Hash: 3321C0B2500204AFE720DF69DC44F6BFBECEF44710F18896AEE449B242D670A4098B75

Uniqueness

Uniqueness Score: -1.00%

Function 070C036E, Relevance: 1.6, APIs: 1, Instructions: 72synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNELBASE(?,?), ref: 070C03E1

Memory Dump Source

Source File: 00000000.00000002.279366717.00000000070C0000.00000040.00000001.sdmp, Offset: 070C0000, based on PE: false

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: e9c65f733f6b2f32690168dd379751259bb96858a602d65c638df37cec457a30
Instruction ID: d0bc9d8721c2e63ad1e31fe7be66c970300b865e154ef40872424cad3c78e0f4
Opcode Fuzzy Hash: e9c65f733f6b2f32690168dd379751259bb96858a602d65c638df37cec457a30
Instruction Fuzzy Hash: 2621A9B1600200EFE720DF25CD84B6AFBE8EF04710F14856EEE489B242D6B5E804CB75

Uniqueness

Uniqueness Score: -1.00%

Function 070C1522, Relevance: 1.6, APIs: 1, Instructions: 70fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,00000E2C,BB8FF849,00000000,00000000,00000000,00000000), ref: 070C15A1

Memory Dump Source

Source File: 00000000.00000002.279366717.00000000070C0000.00000040.00000001.sdmp, Offset: 070C0000, based on PE: false

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: f232a9a9fceebd93b966ed5fcb9462b498c6796be62fbddcdd460735a639b6ef
Instruction ID: 20a3f487fea7dc9305a9be463dc67c341c88acacd5814892588378a5941b3a9c
Opcode Fuzzy Hash: f232a9a9fceebd93b966ed5fcb9462b498c6796be62fbddcdd460735a639b6ef
Instruction Fuzzy Hash: 04216272405384AFDB22CF65DC44F57FFB8EF46310F0885ABEA459B252C265A508CB71

Uniqueness

Uniqueness Score: -1.00%

Function 00D8AD5A, Relevance: 1.6, APIs: 1, Instructions: 69registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,BB8FF849,00000000,00000000,00000000,00000000), ref: 00D8ADD4

Memory Dump Source

Source File: 00000000.00000002.268904357.0000000000D8A000.00000040.00000001.sdmp, Offset: 00D8A000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 995dae74af70646c05248eaf6311295e1f0777f80a2da305f081bc9a6b92d336
Instruction ID: 465e0d37dc22ca0b64b841f008a84d208642aff7c33e92e991a141940f9c5fdd
Opcode Fuzzy Hash: 995dae74af70646c05248eaf6311295e1f0777f80a2da305f081bc9a6b92d336
Instruction Fuzzy Hash: 11216F75600604AEE721DE29CC80FA7BBE8EF04711F18846BE945DB651D660E805CB72

Uniqueness

Uniqueness Score: -1.00%

Function 070C172A, Relevance: 1.6, APIs: 1, Instructions: 69COMMON

Download Yara Rule

APIs

GetTokenInformation.KERNELBASE(?,00000E2C,BB8FF849,00000000,00000000,00000000,00000000), ref: 070C1794

Memory Dump Source

Source File: 00000000.00000002.279366717.00000000070C0000.00000040.00000001.sdmp, Offset: 070C0000, based on PE: false

Similarity

API ID: InformationToken
String ID:
API String ID: 4114910276-0
Opcode ID: 4167a43ac36cc5f1c85399719b76cf641561c3892035a5f76d4272b062cf48e1
Instruction ID: 3f8bc011e65046600dacc7aac10db2e2019bdfbd347131c125b2861012e37349
Opcode Fuzzy Hash: 4167a43ac36cc5f1c85399719b76cf641561c3892035a5f76d4272b062cf48e1
Instruction Fuzzy Hash: 301190B1500204AFEB21CF65DC45FABBBECEF05310F14856BEA459B251D674A8048B71

Uniqueness

Uniqueness Score: -1.00%

Function 070C21CC, Relevance: 1.6, APIs: 1, Instructions: 68injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 070C224C

Memory Dump Source

Source File: 00000000.00000002.279366717.00000000070C0000.00000040.00000001.sdmp, Offset: 070C0000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 2a1abad3f585ca4bf83743bfab269098bf8dcc9dbd9e584647d7f0b35180489b
Instruction ID: 29cc720c4090c5ef9bda08fbc9f8c1f2f2d1eb94bacd63f88bd099e722b5a6e7
Opcode Fuzzy Hash: 2a1abad3f585ca4bf83743bfab269098bf8dcc9dbd9e584647d7f0b35180489b
Instruction Fuzzy Hash: 0221CF760093C0AFDB12CB25DC44A96FFF4EF06220F0980DEE9858B663D224A848DB21

Uniqueness

Uniqueness Score: -1.00%

Function 070C0517, Relevance: 1.6, APIs: 1, Instructions: 67libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,00000E2C), ref: 070C05A3

Memory Dump Source

Source File: 00000000.00000002.279366717.00000000070C0000.00000040.00000001.sdmp, Offset: 070C0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 7f07f4c6369c13bceaeba018a16d54cd7a7464e4bd94527dd7a9ec94c00b053a
Instruction ID: 160afa778c8b820d18caed3ce39b5746b67756ddb3abe05df3b78998a6b809b7
Opcode Fuzzy Hash: 7f07f4c6369c13bceaeba018a16d54cd7a7464e4bd94527dd7a9ec94c00b053a
Instruction Fuzzy Hash: 5521E771105384AFE721CB14CC85F66FFA8DF46720F14809AFE445B292D264A948C762

Uniqueness

Uniqueness Score: -1.00%

Function 00D8B42D, Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

LoadLibraryShim.MSCOREE(?,?,?,?), ref: 00D8B4A9

Memory Dump Source

Source File: 00000000.00000002.268904357.0000000000D8A000.00000040.00000001.sdmp, Offset: 00D8A000, based on PE: false

Similarity

API ID: LibraryLoadShim
String ID:
API String ID: 1475914169-0
Opcode ID: 2df782a9ce9c4f7a82e96b362e4799788ea1e3a6fccdaac3c30e135bfe9053af
Instruction ID: ba4b46e003506bd4d232bfb677f4578a80ae491cb7000486ab03342cc2a3189d
Opcode Fuzzy Hash: 2df782a9ce9c4f7a82e96b362e4799788ea1e3a6fccdaac3c30e135bfe9053af
Instruction Fuzzy Hash: 962193755093846FD7228E25DC45B62BFE8EF16724F0C809AED848B253D375A908C771

Uniqueness

Uniqueness Score: -1.00%

Function 070C232D, Relevance: 1.6, APIs: 1, Instructions: 62windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 070C23A1

Memory Dump Source

Source File: 00000000.00000002.279366717.00000000070C0000.00000040.00000001.sdmp, Offset: 070C0000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 8c496be658dc62915a206b7f984a93dd989dbd3ff34d544574b4acd5808bdcde
Instruction ID: 7f8b1b7dce5261f2c6ca815cb893ef3e4b654dc827b5634d7a82380f718f5c37
Opcode Fuzzy Hash: 8c496be658dc62915a206b7f984a93dd989dbd3ff34d544574b4acd5808bdcde
Instruction Fuzzy Hash: B9218C7140A3C0AFDB238F25CC44A56FFB4EF07210F0985DBE9848F663D265A818DB62

Uniqueness

Uniqueness Score: -1.00%

Function 00D8A5FB, Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00D8A666

Memory Dump Source

Source File: 00000000.00000002.268904357.0000000000D8A000.00000040.00000001.sdmp, Offset: 00D8A000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: cdd6f23586d42d4c383db180c6500dd7c730bf2c18f3698ef6e1525d7a04a4db
Instruction ID: e5f7503c33daeddf140c9b1db4d2bd750a6a6890b1d402986b98f5d839e90f80
Opcode Fuzzy Hash: cdd6f23586d42d4c383db180c6500dd7c730bf2c18f3698ef6e1525d7a04a4db
Instruction Fuzzy Hash: D811B471409780AFDB228F54DC44A62FFF4EF4A310F0C84DAEE858B262D275A818DB71

Uniqueness

Uniqueness Score: -1.00%

Function 070C10EE, Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

FindWindowA.USER32(?,00000E2C), ref: 070C115A

Memory Dump Source

Source File: 00000000.00000002.279366717.00000000070C0000.00000040.00000001.sdmp, Offset: 070C0000, based on PE: false

Similarity

API ID: FindWindow
String ID:
API String ID: 134000473-0
Opcode ID: b45492d84d635b249d5d606cf349bf530ac1490c2009bc54da8525c9603e791b
Instruction ID: 39d3e6c16ee6af86fdcf42c93bf4a5715cad4a67c6f68cc760b0187b0627cf06
Opcode Fuzzy Hash: b45492d84d635b249d5d606cf349bf530ac1490c2009bc54da8525c9603e791b
Instruction Fuzzy Hash: 3C11E7B1500204AFFB20DF15DC41FAAFFA8DF45710F1485AAEE449B382D2B8A505CB71

Uniqueness

Uniqueness Score: -1.00%

Function 070C1542, Relevance: 1.6, APIs: 1, Instructions: 60fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,00000E2C,BB8FF849,00000000,00000000,00000000,00000000), ref: 070C15A1

Memory Dump Source

Source File: 00000000.00000002.279366717.00000000070C0000.00000040.00000001.sdmp, Offset: 070C0000, based on PE: false

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 9003e0e70888fd53c8e3e94c11503bb9700857d023909532009ee069cd5cff30
Instruction ID: 9b74e7cb39a9840e0b558cb513c275ff53e636a156e11615d6a29c074fe0a728
Opcode Fuzzy Hash: 9003e0e70888fd53c8e3e94c11503bb9700857d023909532009ee069cd5cff30
Instruction Fuzzy Hash: 0F11BFB1400204EFEB21CF69DC40FAAFFA8EF45320F14856BEE459B252C674A5098BB1

Uniqueness

Uniqueness Score: -1.00%

Function 070C212B, Relevance: 1.6, APIs: 1, Instructions: 58COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 070C2190

Memory Dump Source

Source File: 00000000.00000002.279366717.00000000070C0000.00000040.00000001.sdmp, Offset: 070C0000, based on PE: false

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: daffd608cd73f3ebf31549c2a9d28ad17d902020eaeec1f35dd6ecf5b211c034
Instruction ID: 21c53ec080f0935959f97c3524be593c035bad5986eb21eeb31c16d217a9bfba
Opcode Fuzzy Hash: daffd608cd73f3ebf31549c2a9d28ad17d902020eaeec1f35dd6ecf5b211c034
Instruction Fuzzy Hash: BC110476009780AFDB228F21DC40A56FFF4EF06320F0881DEEE858B663C275A458DB61

Uniqueness

Uniqueness Score: -1.00%

Function 070C053A, Relevance: 1.6, APIs: 1, Instructions: 56libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,00000E2C), ref: 070C05A3

Memory Dump Source

Source File: 00000000.00000002.279366717.00000000070C0000.00000040.00000001.sdmp, Offset: 070C0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 06f3b34b5922276a9461db197d56967264bcc8a496b99b9e01e2fd8b8a4e2cee
Instruction ID: 7a3f73d921d0c4078ed341300e329da1fd12c750f853fa2757fdb1c43f3c460a
Opcode Fuzzy Hash: 06f3b34b5922276a9461db197d56967264bcc8a496b99b9e01e2fd8b8a4e2cee
Instruction Fuzzy Hash: 3111CEB5500304EFE720DB15DC81BABFB98DF05720F1485AAEE455B281D6A4A549CAB1

Uniqueness

Uniqueness Score: -1.00%

Function 070C26BF, Relevance: 1.6, APIs: 1, Instructions: 56windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 070C2729

Memory Dump Source

Source File: 00000000.00000002.279366717.00000000070C0000.00000040.00000001.sdmp, Offset: 070C0000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: d8f31131587a6c7b7f0bba19b9394bb0f2b48265131579018a7bd49b20e7625f
Instruction ID: be6c7f3d16f2661fd8109ed17198e143a8904dcdd091b12185e2316ff3904149
Opcode Fuzzy Hash: d8f31131587a6c7b7f0bba19b9394bb0f2b48265131579018a7bd49b20e7625f
Instruction Fuzzy Hash: A611BE75409380AFDB22CF25DC45B56FFB4EF06224F0884AEED854B663C275A418CB61

Uniqueness

Uniqueness Score: -1.00%

Function 070C2084, Relevance: 1.6, APIs: 1, Instructions: 55threadinjectionCOMMON

Download Yara Rule

APIs

SetThreadContext.KERNELBASE(?,?), ref: 070C20E3

Memory Dump Source

Source File: 00000000.00000002.279366717.00000000070C0000.00000040.00000001.sdmp, Offset: 070C0000, based on PE: false

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: 01908989c29613ca7e98c130459a2f1241ca9763abe38993d1cae96d59a6fd6d
Instruction ID: 4324c5d5b1c83bb08af843619653f88bb93f81117800458322c88a7d42d2d83c
Opcode Fuzzy Hash: 01908989c29613ca7e98c130459a2f1241ca9763abe38993d1cae96d59a6fd6d
Instruction Fuzzy Hash: 6711C1B15053849FD711CF25DC85B56FFE8EF06220F0980AEED458B262D274E848CB72

Uniqueness

Uniqueness Score: -1.00%

Function 070C27A2, Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 070C27EA

Memory Dump Source

Source File: 00000000.00000002.279366717.00000000070C0000.00000040.00000001.sdmp, Offset: 070C0000, based on PE: false

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: e85bc11ac3c81f9d9f85aa9d245ccc843e267f5b1ed67ad48eb95f07408bb66e
Instruction ID: 5c1c29e5572c07983212401e8134ccd84bac5ef5cb2dcdc39fcb1655b11b17a0
Opcode Fuzzy Hash: e85bc11ac3c81f9d9f85aa9d245ccc843e267f5b1ed67ad48eb95f07408bb66e
Instruction Fuzzy Hash: DF115EB16012419FDB60CF29D88576AFBE8EF04620F1885AEDD49DBB42D674E408CA71

Uniqueness

Uniqueness Score: -1.00%

Function 070C13B2, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E2C,BB8FF849,00000000,00000000,00000000,00000000), ref: 070C1405

Memory Dump Source

Source File: 00000000.00000002.279366717.00000000070C0000.00000040.00000001.sdmp, Offset: 070C0000, based on PE: false

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: f42d278b90329e01ef2e3e7a00eacb5d23d14d9fd29f1e535d20b6d64480a0c5
Instruction ID: a0ed41429cfaf2f6cbe1f11106580c836e587e251f7d04d7099dcfb8c4cdfbc4
Opcode Fuzzy Hash: f42d278b90329e01ef2e3e7a00eacb5d23d14d9fd29f1e535d20b6d64480a0c5
Instruction Fuzzy Hash: CB01C0B1500604AEE720CB15DC85FAAFB9CDF05720F5881ABEE459B342D6A4A4498AB1

Uniqueness

Uniqueness Score: -1.00%

Function 00D8AEF0, Relevance: 1.6, APIs: 1, Instructions: 50memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 00D8AF50

Memory Dump Source

Source File: 00000000.00000002.268904357.0000000000D8A000.00000040.00000001.sdmp, Offset: 00D8A000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 41b1b8924cc64508b5686be6c2a7fb2bcdefba64a5c4e5ceb63b48dcbb807027
Instruction ID: 46f282c6182b9c114bf0cc84e0284bed0103efb6f5803edb036f12f490839fdf
Opcode Fuzzy Hash: 41b1b8924cc64508b5686be6c2a7fb2bcdefba64a5c4e5ceb63b48dcbb807027
Instruction Fuzzy Hash: 96119E72405784AFDB228F15DC44E56FFF4EF0A320F08849EEE854B662C375A818CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00D8A42A, Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 00D8A480

Memory Dump Source

Source File: 00000000.00000002.268904357.0000000000D8A000.00000040.00000001.sdmp, Offset: 00D8A000, based on PE: false

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 9f4e37d2b28b34bd8bed6169899d0e93a676ca6e12f89be322a1252bcd2733b2
Instruction ID: 998f7d5d594592900d18e797dcd3f0f4e10fbe7edf5e2b3c9ba5217bb5009660
Opcode Fuzzy Hash: 9f4e37d2b28b34bd8bed6169899d0e93a676ca6e12f89be322a1252bcd2733b2
Instruction Fuzzy Hash: 05113075409384AFDB128B15DC44B62BFA4DF46624F0880DAED854B252D265A908DB72

Uniqueness

Uniqueness Score: -1.00%

Function 070C2206, Relevance: 1.5, APIs: 1, Instructions: 47injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 070C224C

Memory Dump Source

Source File: 00000000.00000002.279366717.00000000070C0000.00000040.00000001.sdmp, Offset: 070C0000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: d8c13fa80f0afc7ba4c5b3960c457e9dd46b176040fb991ab7ed4de82d9032a1
Instruction ID: a336ec6a79415697e3d1fe75182475281b836bebfcf04b5dd053fe2a9db05cd0
Opcode Fuzzy Hash: d8c13fa80f0afc7ba4c5b3960c457e9dd46b176040fb991ab7ed4de82d9032a1
Instruction Fuzzy Hash: 5D018B75500600AFDB20CF19D884B6AFBE4FF08220F0881AEED498BA62D271E418DB61

Uniqueness

Uniqueness Score: -1.00%

Function 070C1F56, Relevance: 1.5, APIs: 1, Instructions: 47fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(?), ref: 070C1F90

Memory Dump Source

Source File: 00000000.00000002.279366717.00000000070C0000.00000040.00000001.sdmp, Offset: 070C0000, based on PE: false

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: ffdcab369de4607a2646cbed3ff811202d144b8ae211a35a5fd12e0879cf919f
Instruction ID: 755bf1b28dcd3171cd3e5883f0ab7e36139507aa0b9dfe44b4efa281fd173028
Opcode Fuzzy Hash: ffdcab369de4607a2646cbed3ff811202d144b8ae211a35a5fd12e0879cf919f
Instruction Fuzzy Hash: A4018CB19002499FEB50CF6AE88576ABFD8EF01220F0885AADE09CB746D674E404CA61

Uniqueness

Uniqueness Score: -1.00%

Function 00D8B45E, Relevance: 1.5, APIs: 1, Instructions: 46libraryCOMMON

Download Yara Rule

APIs

LoadLibraryShim.MSCOREE(?,?,?,?), ref: 00D8B4A9

Memory Dump Source

Source File: 00000000.00000002.268904357.0000000000D8A000.00000040.00000001.sdmp, Offset: 00D8A000, based on PE: false

Similarity

API ID: LibraryLoadShim
String ID:
API String ID: 1475914169-0
Opcode ID: 1ffc5a297d43cc06dc6fb17874e6e3f169713717db5fd79eecc3ed44ce5dc1ab
Instruction ID: b02be28a0d9bab1c7588c8b1fbb56b77a95e816387e0067d08464301091167df
Opcode Fuzzy Hash: 1ffc5a297d43cc06dc6fb17874e6e3f169713717db5fd79eecc3ed44ce5dc1ab
Instruction Fuzzy Hash: 44018C755006009FDB20EE19D886B22FFE8EF14724F1884AAED498B752D375E808CB72

Uniqueness

Uniqueness Score: -1.00%

Function 00D8A622, Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00D8A666

Memory Dump Source

Source File: 00000000.00000002.268904357.0000000000D8A000.00000040.00000001.sdmp, Offset: 00D8A000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 0cb378001daca67a9345a6e962434fae395a17bae04f0c9cd8ef8c1ef42a5027
Instruction ID: 288a8be4c9da0250664ae1f9e2d5bcdef13b9a732d280047f81acfce72b02fa5
Opcode Fuzzy Hash: 0cb378001daca67a9345a6e962434fae395a17bae04f0c9cd8ef8c1ef42a5027
Instruction Fuzzy Hash: 1D016D31400A40EFEB219F59D845B66FFE4EF48320F18C9AADE894B616D275E418DF72

Uniqueness

Uniqueness Score: -1.00%

Function 070C20A6, Relevance: 1.5, APIs: 1, Instructions: 44threadinjectionCOMMON

Download Yara Rule

APIs

SetThreadContext.KERNELBASE(?,?), ref: 070C20E3

Memory Dump Source

Source File: 00000000.00000002.279366717.00000000070C0000.00000040.00000001.sdmp, Offset: 070C0000, based on PE: false

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: 8b9cbce495f2276d5c1ebe845c0d071d45efaa2fcfa38aefe767bca683f0da59
Instruction ID: 7fe5b6d6cdd9e2e990ab6027abbd9e10ac88c07879ed8812a2d24eaa641c7611
Opcode Fuzzy Hash: 8b9cbce495f2276d5c1ebe845c0d071d45efaa2fcfa38aefe767bca683f0da59
Instruction Fuzzy Hash: F0019EB56002409FEB20CF15D88576AFBE4EF04320F18C1ABDE058B752D675E448CA62

Uniqueness

Uniqueness Score: -1.00%

Function 00D8A2F6, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

SetConsoleCtrlHandler.KERNELBASE(?,00000E2C,?,?), ref: 00D8A346

Memory Dump Source

Source File: 00000000.00000002.268904357.0000000000D8A000.00000040.00000001.sdmp, Offset: 00D8A000, based on PE: false

Similarity

API ID: ConsoleCtrlHandler
String ID:
API String ID: 1513847179-0
Opcode ID: c269e0c293137ffaad8a9f61930c711f1cf8ad4b6b819315934d73e868753388
Instruction ID: bb6f2e5eeed80786636b128daf2d3179b09e914a35c7aa6f8c7bbd73ad8b34a7
Opcode Fuzzy Hash: c269e0c293137ffaad8a9f61930c711f1cf8ad4b6b819315934d73e868753388
Instruction Fuzzy Hash: A101A275500600ABD210DF16DC82F36FBA8FB88B20F14815AED084B741E331F515CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 070C2152, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 070C2190

Memory Dump Source

Source File: 00000000.00000002.279366717.00000000070C0000.00000040.00000001.sdmp, Offset: 070C0000, based on PE: false

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 499825dd30f0d52a1dc0087a141e2c090fd29083fe618ce6c757a74969266a88
Instruction ID: 20c2587177ba075bab4e147cea31de95fbe7f6fae48da86ad1351465fcfaaaee
Opcode Fuzzy Hash: 499825dd30f0d52a1dc0087a141e2c090fd29083fe618ce6c757a74969266a88
Instruction Fuzzy Hash: 2C019E76500600EFDB208F55DC84B6AFFE0EF18320F0885AEDE464BB52C271A458DF62

Uniqueness

Uniqueness Score: -1.00%

Function 070C049E, Relevance: 1.5, APIs: 1, Instructions: 43registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,?,?), ref: 070C04EE

Memory Dump Source

Source File: 00000000.00000002.279366717.00000000070C0000.00000040.00000001.sdmp, Offset: 070C0000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: c1be9be63f0c8f366e98d7d5d1cabccba49d85e3a7c48d43fb53228ba6e7964b
Instruction ID: dab1b878badeb1d8aa9554d3b3cf730c6a0389aff4664f90812cb0f00e025a6f
Opcode Fuzzy Hash: c1be9be63f0c8f366e98d7d5d1cabccba49d85e3a7c48d43fb53228ba6e7964b
Instruction Fuzzy Hash: AC016276500604ABD254DF16DC86F36FBA8FB88B20F14815AED085B741E371F515CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 070C26EE, Relevance: 1.5, APIs: 1, Instructions: 42windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 070C2729

Memory Dump Source

Source File: 00000000.00000002.279366717.00000000070C0000.00000040.00000001.sdmp, Offset: 070C0000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: d14cec83183de667c439e672965e854ddb0e271d8c41ed65e64e26652fb2e53e
Instruction ID: c8f238def1789b2654f5930519167abc6fbabd1ace75969a06d3c76dad71456b
Opcode Fuzzy Hash: d14cec83183de667c439e672965e854ddb0e271d8c41ed65e64e26652fb2e53e
Instruction Fuzzy Hash: DC019A75500640DFDB20CF15D885B6AFFE4EF04320F0882AEDE4A4BA22C275A418DBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00D8AF12, Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 00D8AF50

Memory Dump Source

Source File: 00000000.00000002.268904357.0000000000D8A000.00000040.00000001.sdmp, Offset: 00D8A000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 2e07b0694d949ddac81b873037bae0b71991b4c29f4f55088e369a071670ed43
Instruction ID: 5103e5fc61fb7c74a7c7d806ac9a68a0135b0da493f359372fb6129bd82a10d4
Opcode Fuzzy Hash: 2e07b0694d949ddac81b873037bae0b71991b4c29f4f55088e369a071670ed43
Instruction Fuzzy Hash: 0D017C75400640DFEB209F59D844B66FFA0EF08320F18859AEE890B622D2B5E418DBB2

Uniqueness

Uniqueness Score: -1.00%

Function 070C2366, Relevance: 1.5, APIs: 1, Instructions: 38windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 070C23A1

Memory Dump Source

Source File: 00000000.00000002.279366717.00000000070C0000.00000040.00000001.sdmp, Offset: 070C0000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: f337fe3febab78deace248f52d15676f9cc6731ce793e766add4bc0df0c56d8a
Instruction ID: ffc7a3fa704607dd60e207e6985b40b904d0c7cdd46d6fca71797b5f4579c05d
Opcode Fuzzy Hash: f337fe3febab78deace248f52d15676f9cc6731ce793e766add4bc0df0c56d8a
Instruction Fuzzy Hash: A1017C75400644DFDB20CF15D844B2AFFA0FF05320F08859EDE490B612D2B5A458CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 00D8A44E, Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 00D8A480

Memory Dump Source

Source File: 00000000.00000002.268904357.0000000000D8A000.00000040.00000001.sdmp, Offset: 00D8A000, based on PE: false

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 8193801acd756f66b98d7ac783d24b445f636bc54c19f0066af333c95bdd7109
Instruction ID: 8b691551e702d1382d5bc5ef986f717e12741b8388892bcee228c42cf5ad989d
Opcode Fuzzy Hash: 8193801acd756f66b98d7ac783d24b445f636bc54c19f0066af333c95bdd7109
Instruction Fuzzy Hash: 92F081754046449FEB109F19D888765FF94DF04320F18C0ABDD494B316D2F5A408CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 067C23FC, Relevance: 1.4, Strings: 1, Instructions: 171COMMON

Download Yara Rule

Strings

:@Dr, xrefs: 067C24AA

Memory Dump Source

Source File: 00000000.00000002.278419169.00000000067C0000.00000040.00000001.sdmp, Offset: 067C0000, based on PE: false

Similarity

API ID:
String ID: :@Dr
API String ID: 0-3830894600
Opcode ID: 5210eff72132f840a02fce3d1f28c035239e70c598315850773750092eb8e2e3
Instruction ID: a87ef9e65d8779e25ec5812e105c1476e38ef03197ac92d944aebb7195b85497
Opcode Fuzzy Hash: 5210eff72132f840a02fce3d1f28c035239e70c598315850773750092eb8e2e3
Instruction Fuzzy Hash: B3711274A45219CFEB64DF64C950BEDBBB6EB4A300F1094E98909A7741DB709E80DF50

Uniqueness

Uniqueness Score: -1.00%

Function 067C261D, Relevance: 1.4, Strings: 1, Instructions: 170COMMON

Download Yara Rule

Strings

:@Dr, xrefs: 067C24AA

Memory Dump Source

Source File: 00000000.00000002.278419169.00000000067C0000.00000040.00000001.sdmp, Offset: 067C0000, based on PE: false

Similarity

API ID:
String ID: :@Dr
API String ID: 0-3830894600
Opcode ID: 1f066eb6c701b31b6399d5bd05b0b4caf683ce956a6449ab5f5edf06ed9289d2
Instruction ID: ff400df177fb81103488caef2f55453853b74f1fef9a4be08a76162361c00b3f
Opcode Fuzzy Hash: 1f066eb6c701b31b6399d5bd05b0b4caf683ce956a6449ab5f5edf06ed9289d2
Instruction Fuzzy Hash: 63711274A45219CFEB64DF64C950BEDBBB6EB4A300F1094E9890DA7741DB709E80DF60

Uniqueness

Uniqueness Score: -1.00%

Function 067C0A2A, Relevance: 1.4, Strings: 1, Instructions: 138COMMON

Download Yara Rule

Strings

C, xrefs: 067C0731

Memory Dump Source

Source File: 00000000.00000002.278419169.00000000067C0000.00000040.00000001.sdmp, Offset: 067C0000, based on PE: false

Similarity

API ID:
String ID: C
API String ID: 0-1037565863
Opcode ID: f25f46e31c16ed501494f1066b755e9d5851d83c77c6732325788c17338308b0
Instruction ID: 89694a2a809a886ac67a67e902ad4d6ca14fdb9a05aeabb309c0895c699df8e3
Opcode Fuzzy Hash: f25f46e31c16ed501494f1066b755e9d5851d83c77c6732325788c17338308b0
Instruction Fuzzy Hash: 3451C1B4D05228CFDBA4CF68C8447EDBBB5EB4A321F1091EDC419A7290D7365A81CF94

Uniqueness

Uniqueness Score: -1.00%

Function 04D92250, Relevance: 1.3, Strings: 1, Instructions: 95COMMON

Download Yara Rule

Strings

X1kr, xrefs: 04D9234E

Memory Dump Source

Source File: 00000000.00000002.274560268.0000000004D90000.00000040.00000001.sdmp, Offset: 04D90000, based on PE: false

Similarity

API ID:
String ID: X1kr
API String ID: 0-844551562
Opcode ID: db5ad571d358664d2b4e4bf6346e1d451258ba7ab1588655566d1f43c7d4a881
Instruction ID: 4797425d1be104af29fc63a775536c230de003928e048d7aac589c389b0e783c
Opcode Fuzzy Hash: db5ad571d358664d2b4e4bf6346e1d451258ba7ab1588655566d1f43c7d4a881
Instruction Fuzzy Hash: 0141AF74E01208EFDB05DFA9D980AEDBBF2BF89300F608569E805A7354DB35A941DB61

Uniqueness

Uniqueness Score: -1.00%

Function 067C2473, Relevance: 1.3, Strings: 1, Instructions: 79COMMON

Download Yara Rule

Strings

:@Dr, xrefs: 067C24AA

Memory Dump Source

Source File: 00000000.00000002.278419169.00000000067C0000.00000040.00000001.sdmp, Offset: 067C0000, based on PE: false

Similarity

API ID:
String ID: :@Dr
API String ID: 0-3830894600
Opcode ID: 996df5aa0bf5afd30f505483f2883e77ea9ddef090dae835b54cc1277e940609
Instruction ID: 6ee37fcff95047c4e3f4b9ea9c4b6b59d4b3ce6615f07da67419b2f01d3f389b
Opcode Fuzzy Hash: 996df5aa0bf5afd30f505483f2883e77ea9ddef090dae835b54cc1277e940609
Instruction Fuzzy Hash: 6B315974A4022ACFEB64DB24C850BE9BBB2FF85304F1080E9894967755EB745EC1DF11

Uniqueness

Uniqueness Score: -1.00%

Function 04D9B4DD, Relevance: 1.3, Strings: 1, Instructions: 55COMMON

Download Yara Rule

Strings

f, xrefs: 04D9B546

Memory Dump Source

Source File: 00000000.00000002.274560268.0000000004D90000.00000040.00000001.sdmp, Offset: 04D90000, based on PE: false

Similarity

API ID:
String ID: f
API String ID: 0-1993550816
Opcode ID: e2d399f2ab4640d51dc200e22e679397f7c832880cc3113afe64768c8dc1d4e2
Instruction ID: 5ec6f99af917ad83eda55472b53dae3ea4618bef72447da4a3cd0087d6fca447
Opcode Fuzzy Hash: e2d399f2ab4640d51dc200e22e679397f7c832880cc3113afe64768c8dc1d4e2
Instruction Fuzzy Hash: A6113A70A48119CBCFA0CF55E8887BDB3B9BB45310F029596D46EA2241E630FE819F50

Uniqueness

Uniqueness Score: -1.00%

Function 04D9B8DE, Relevance: 1.3, Strings: 1, Instructions: 14COMMON

Download Yara Rule

Strings

U, xrefs: 04D9B8DE

Memory Dump Source

Source File: 00000000.00000002.274560268.0000000004D90000.00000040.00000001.sdmp, Offset: 04D90000, based on PE: false

Similarity

API ID:
String ID: U
API String ID: 0-3372436214
Opcode ID: 1442cf1c0bfe7216234677f9b6dbdb58208e56b66096e34242dc650568165254
Instruction ID: 82e344915cd82ade337882d7b1204785172bf50fb2036bc8562661e26b5e4372
Opcode Fuzzy Hash: 1442cf1c0bfe7216234677f9b6dbdb58208e56b66096e34242dc650568165254
Instruction Fuzzy Hash: 60D06774E09348DBCF04CBE6E0845ACBBB5BB05300F012016945AEB201E2706D019B10

Uniqueness

Uniqueness Score: -1.00%

Function 04D92DA8, Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.274560268.0000000004D90000.00000040.00000001.sdmp, Offset: 04D90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01724dbaf783c910de64a10d21576533b652321d4af6913fcc26c8509eff9baf
Instruction ID: 6c69b5c8648c57e10f557ef61e9cbf59d6d1f1699a4b7f84903a3ad8fe8925a1
Opcode Fuzzy Hash: 01724dbaf783c910de64a10d21576533b652321d4af6913fcc26c8509eff9baf
Instruction Fuzzy Hash: 43310430B043559FDB04EBA8885466EBFB6BF86700F2444AAD505EB392DF30AD04CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 04D99AF8, Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.274560268.0000000004D90000.00000040.00000001.sdmp, Offset: 04D90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 924a50d913e88ab0e287011d7475b3d3c74bfe5f1860843a8240df0ce1f5ebc4
Instruction ID: 538d99b85c4e8f1a742dc0aec4aa21120f0c5580fa5d3ef57b68831d3603d35a
Opcode Fuzzy Hash: 924a50d913e88ab0e287011d7475b3d3c74bfe5f1860843a8240df0ce1f5ebc4
Instruction Fuzzy Hash: D93102B4E09208DFCB00DFA9C494AADBBF1FB49304F1091AAD845A7351DB38AD41DF64

Uniqueness

Uniqueness Score: -1.00%

Function 02700724, Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.269116232.0000000002700000.00000040.00000040.sdmp, Offset: 02700000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f26737358a61eb464c45e16c19799994080f15f53cde1a0c63b7f116868a96da
Instruction ID: e50b77c3fd1c79daa4fc731894316cc9b4faba195772f6f2ad5b2e94285bc8d3
Opcode Fuzzy Hash: f26737358a61eb464c45e16c19799994080f15f53cde1a0c63b7f116868a96da
Instruction Fuzzy Hash: B231523150D3C5CFC7138B64D890765BFA1AF47228F19C5EBD8858B693C33A980ACB52

Uniqueness

Uniqueness Score: -1.00%

Function 067C1A9D, Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.278419169.00000000067C0000.00000040.00000001.sdmp, Offset: 067C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8205b9984fefbff448c75b8fc850240e538d8430b0b6fa7e0fac7a82a4ed6cd2
Instruction ID: 333b8346251c40789bc2d23bc94644d58271a27a74e35f3e5a23b561cc3e74c2
Opcode Fuzzy Hash: 8205b9984fefbff448c75b8fc850240e538d8430b0b6fa7e0fac7a82a4ed6cd2
Instruction Fuzzy Hash: 9031E274D4A228CFEBA4DF24D8547ECB7B5AB49320F50A1EED009A3252EB305A90CF44

Uniqueness

Uniqueness Score: -1.00%

Function 04D90016, Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.274560268.0000000004D90000.00000040.00000001.sdmp, Offset: 04D90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 542e20f51bf31bbaa2a1e9497a909425f8d89e326b11f2e73f07e661cab1597b
Instruction ID: c58954f86c5be05d7135d0b4bbd840295b6f4a45c6dc1ac0db2130c400884123
Opcode Fuzzy Hash: 542e20f51bf31bbaa2a1e9497a909425f8d89e326b11f2e73f07e661cab1597b
Instruction Fuzzy Hash: 23111B6058F3C49FD707977098B25AA7FB0DE0321070A14DBC881DB0A3D5285D0ADB32

Uniqueness

Uniqueness Score: -1.00%

Function 04D91CF8, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.274560268.0000000004D90000.00000040.00000001.sdmp, Offset: 04D90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72a482849a7b464894204c50b7dc1299c84f7ad535f21ef58fa70e137b52f46b
Instruction ID: 82585b5b106dcfbcfb00a78c1db894bce20476686ac10368906e222a61ce2b89
Opcode Fuzzy Hash: 72a482849a7b464894204c50b7dc1299c84f7ad535f21ef58fa70e137b52f46b
Instruction Fuzzy Hash: FD21E4B4D002099FDB04DFA5D845AEEBFB2FF88304F20916AD805A3354EB345A56CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0270072C, Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.269116232.0000000002700000.00000040.00000040.sdmp, Offset: 02700000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24061e8571cb171b7cf25b1a4dd29e318e04bfd04de91a0aa5f4af9b6eab1fb3
Instruction ID: d946fcb2fc2447cfb89708047e92bdd506eff8e2472b5c8952b4c9bbfb9a614c
Opcode Fuzzy Hash: 24061e8571cb171b7cf25b1a4dd29e318e04bfd04de91a0aa5f4af9b6eab1fb3
Instruction Fuzzy Hash: DE215E3550D3C19FCB078B60D890B65BFB1AF47218F1985DAD4858B6A3C33A980ACB52

Uniqueness

Uniqueness Score: -1.00%

Function 06C61C60, Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.278635293.0000000006C60000.00000040.00000001.sdmp, Offset: 06C60000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4495f3ae0b9e83d60c42839a190c12d84129ef7a7ccfd0423f653ba504bf8b0
Instruction ID: 99137cc4d2c3ca79324c90377c1a920fb607c7a32f7d74c2e662dbecbe593543
Opcode Fuzzy Hash: a4495f3ae0b9e83d60c42839a190c12d84129ef7a7ccfd0423f653ba504bf8b0
Instruction Fuzzy Hash: D211EAB5608301AFD340CF19D880A5BFBE4FB88664F04896EF998D7311D331EA148FA2

Uniqueness

Uniqueness Score: -1.00%

Function 0270075C, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.269116232.0000000002700000.00000040.00000040.sdmp, Offset: 02700000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89167d039dace3e76dd264d88c442b48b6bde504c0995d305c778c7f59ebde8d
Instruction ID: bd37d53495e00c0eb5bfcca47bdf7bf3a0cce919ae2c0daa159542c1489aafc9
Opcode Fuzzy Hash: 89167d039dace3e76dd264d88c442b48b6bde504c0995d305c778c7f59ebde8d
Instruction Fuzzy Hash: 2511E434208285EFD705CB20C9C4B26BBE5AB88728F24C59DE9491B683C77BE807CE51

Uniqueness

Uniqueness Score: -1.00%

Function 04D91D08, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.274560268.0000000004D90000.00000040.00000001.sdmp, Offset: 04D90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da289b9818bae27bdd973f2e5b5d597a71fdb9f12d57e6dfbd224898a2cd06f4
Instruction ID: 7e2cebc7d455141bac51e24508edc1bc95ca31a5a01ee2988ed65f22010e95f4
Opcode Fuzzy Hash: da289b9818bae27bdd973f2e5b5d597a71fdb9f12d57e6dfbd224898a2cd06f4
Instruction Fuzzy Hash: C921B7B4D002099FDB04DFA5D945AAEBFB2FF88304F10912AD805B3354DB345955CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00D9ADBC, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.268922228.0000000000D92000.00000040.00000001.sdmp, Offset: 00D92000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d7e68eb82e6117bea91a8d21ebf9eaf77ac4a02444ea6145793b93cc9de111d
Instruction ID: 111d251a569ca26c1fc5851db6c18ce81d752e4f42ae2f9cda925d388a96b02b
Opcode Fuzzy Hash: 7d7e68eb82e6117bea91a8d21ebf9eaf77ac4a02444ea6145793b93cc9de111d
Instruction Fuzzy Hash: 4B11ECB5608301AFD350CF19DC40E5BFBE8EB88660F14892EFD9997311D271E9148BA2

Uniqueness

Uniqueness Score: -1.00%

Function 06C61B04, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.278635293.0000000006C60000.00000040.00000001.sdmp, Offset: 06C60000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a07b5671945e41cead0b9bcfd40d1c8e6d9a1a84b6e8f34befbcc11b1d6da315
Instruction ID: 642aae72e2224b2da00eaff61cad3fa9b39c7eee704c32780652a91c2a71c980
Opcode Fuzzy Hash: a07b5671945e41cead0b9bcfd40d1c8e6d9a1a84b6e8f34befbcc11b1d6da315
Instruction Fuzzy Hash: F911E8B5608301AFD350CF19DC80E5BFBE8EB88660F14892EFD9997311D271E9148BA2

Uniqueness

Uniqueness Score: -1.00%

Function 027005CF, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.269116232.0000000002700000.00000040.00000040.sdmp, Offset: 02700000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90aaa5add62a83dc80edda569002f7df81f6656e4bd6457c1342b454da02dd15
Instruction ID: ded0b06a267bde0cbef1f117b309ad01de0bce394ec2f8d4378eaec28310330b
Opcode Fuzzy Hash: 90aaa5add62a83dc80edda569002f7df81f6656e4bd6457c1342b454da02dd15
Instruction Fuzzy Hash: 1401D67550D7C06FD7128F16AC41862FFB8DF86220708C4EFED898B712D125A809CB72

Uniqueness

Uniqueness Score: -1.00%

Function 067C3AA0, Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.278419169.00000000067C0000.00000040.00000001.sdmp, Offset: 067C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2b4136a8097b21fe52041447ebf3b5d8ef51cc3b92109809a868aaa58605eaf
Instruction ID: 47f985d54d9fd15ff7ad031e008457c8a1e64fdb876490dcd7b3f4584c5c07c0
Opcode Fuzzy Hash: c2b4136a8097b21fe52041447ebf3b5d8ef51cc3b92109809a868aaa58605eaf
Instruction Fuzzy Hash: F6113C71829740DFD332DB60C80462ABFF9AF8A305B9644DEC882AB19AC2317946CB51

Uniqueness

Uniqueness Score: -1.00%

Function 04D98CDD, Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.274560268.0000000004D90000.00000040.00000001.sdmp, Offset: 04D90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be3ffa1c982acad84ec235cf9fe25fe725358ae789324d8c54dee45649ed7ad3
Instruction ID: eec0f1f66e347b424648dcad7ac6b498a027d0ae02e60094330ff3f30e993a8c
Opcode Fuzzy Hash: be3ffa1c982acad84ec235cf9fe25fe725358ae789324d8c54dee45649ed7ad3
Instruction Fuzzy Hash: 7C017CB0E05609CBDB18DF5BC8406EEBBF7BFC9300F24C169D419A6268EB3059499F00

Uniqueness

Uniqueness Score: -1.00%

Function 04D99A79, Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.274560268.0000000004D90000.00000040.00000001.sdmp, Offset: 04D90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a75a3efd7b84bc5fa20b4b6a28ef71426fa75751fc271c435ff1fa90c6ee3c52
Instruction ID: b9ef9cda6617d654918523509e1d34257b8b575fdd3e0055c5a2e386299452e7
Opcode Fuzzy Hash: a75a3efd7b84bc5fa20b4b6a28ef71426fa75751fc271c435ff1fa90c6ee3c52
Instruction Fuzzy Hash: D901A930A05288DFCB00EBB8D8A086DBF71FF42300B1501AAD805AB3A6CA325E01DB65

Uniqueness

Uniqueness Score: -1.00%

Function 067C2FEF, Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.278419169.00000000067C0000.00000040.00000001.sdmp, Offset: 067C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4769400e443b5c2d70cb61e42d011f1ee6f3249b3b2fd03c321321ed8bdbb69
Instruction ID: 7374f5c30ae59fb9cc7797650275924a8ac4e47893252f76ca91aeb70141b89e
Opcode Fuzzy Hash: c4769400e443b5c2d70cb61e42d011f1ee6f3249b3b2fd03c321321ed8bdbb69
Instruction Fuzzy Hash: B401EC78919218CFEB90DF54D844BA8B7BAFB0A325F1091DDD809A7361C7315E85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 04D99A88, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.274560268.0000000004D90000.00000040.00000001.sdmp, Offset: 04D90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ee6844e1e998ff9e2de833371de751dc21d8a9d33ae79d6de4d5db81f377e8b
Instruction ID: dc4ef2cbdced68be4af1cd162aef15621429423585918af3ec6ca17a0b53b1d3
Opcode Fuzzy Hash: 6ee6844e1e998ff9e2de833371de751dc21d8a9d33ae79d6de4d5db81f377e8b
Instruction Fuzzy Hash: 6BF0BE30A0020CDBCF00FBB8D891A6DBBB5FB45304F1006ADE805A7384CA716E05DBA5

Uniqueness

Uniqueness Score: -1.00%

Function 02700818, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.269116232.0000000002700000.00000040.00000040.sdmp, Offset: 02700000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 525cef522958239b2deb72ab7ac90410e2832b06fb356f1b7ca8807ee3c9392c
Instruction ID: 59cec5fe82a7b1dbfb17b8f74c9283351ea5b2f3d050efac662c1b9659dadb4e
Opcode Fuzzy Hash: 525cef522958239b2deb72ab7ac90410e2832b06fb356f1b7ca8807ee3c9392c
Instruction Fuzzy Hash: 05F0FB35108645DFC606CB40D980B15FBE2FB89718F24C6A9E9491B692C337A813DE81

Uniqueness

Uniqueness Score: -1.00%

Function 04D98CEC, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.274560268.0000000004D90000.00000040.00000001.sdmp, Offset: 04D90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62555ea68f78e9f670d27f94acce6fb5565044962248bd2a84c5d8f2b87f05f5
Instruction ID: 81f070daa56073603a6a229964c9a0e0fb997d42d93eceb70d7b88ec367de25c
Opcode Fuzzy Hash: 62555ea68f78e9f670d27f94acce6fb5565044962248bd2a84c5d8f2b87f05f5
Instruction Fuzzy Hash: 6EF0A4B0D09249CBCB14CF5AC8846EDBFB6BB85310F20C2A9D419A7354D7701945DF40

Uniqueness

Uniqueness Score: -1.00%

Function 067C547C, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.278419169.00000000067C0000.00000040.00000001.sdmp, Offset: 067C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ec5418d964558bf85b13acf73e448e52908a857bba55f29f8ac2cebb8e9d982
Instruction ID: 56aa430a027808d67737f34efedb69507b9fa1c6a68edd77898cd249a78fdce1
Opcode Fuzzy Hash: 7ec5418d964558bf85b13acf73e448e52908a857bba55f29f8ac2cebb8e9d982
Instruction Fuzzy Hash: 5CF03075948218AEEB60CA618C41BEDB7B8AB09710F10909DA219B52C1DB706794CF64

Uniqueness

Uniqueness Score: -1.00%

Function 027005F6, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.269116232.0000000002700000.00000040.00000040.sdmp, Offset: 02700000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 727d94e0f61cc20b2877ecfb3c18222ce535a55932cbb985c2626ee2aaeed7ee
Instruction ID: 7892ffa53e031ce09bc8ced161eafe6a1539a64d0e14d598aff75749598e2a46
Opcode Fuzzy Hash: 727d94e0f61cc20b2877ecfb3c18222ce535a55932cbb985c2626ee2aaeed7ee
Instruction Fuzzy Hash: 7EE092766016008BD650CF0BEC41456FBD8EB88630B18C47FDC0D8B701E135B504CEA5

Uniqueness

Uniqueness Score: -1.00%

Function 00D9AE0B, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.268922228.0000000000D92000.00000040.00000001.sdmp, Offset: 00D92000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0d9cd3acea14c71b703c57714a3336d6b075fdd69db72225eb97bf19f99bcdc
Instruction ID: 9fa60f55b23e9a1f371bcb806a6dd7bfdadb54d7776484de1ad0c9e16d5a5886
Opcode Fuzzy Hash: a0d9cd3acea14c71b703c57714a3336d6b075fdd69db72225eb97bf19f99bcdc
Instruction Fuzzy Hash: E6E0D872A5120467D2508F069C41B53FB58DB40A30F14C567EE0D1B702D171B5148AF5

Uniqueness

Uniqueness Score: -1.00%

Function 06C61CCB, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.278635293.0000000006C60000.00000040.00000001.sdmp, Offset: 06C60000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f1f4f8cc34443d992a04bbfc059abb1da85315adea14d7f8335093f5a4e67c5
Instruction ID: a5fa0b1575b2fbc7a882ffdb751517eac22fd1ee93f10ba0af2706edcd9d149a
Opcode Fuzzy Hash: 6f1f4f8cc34443d992a04bbfc059abb1da85315adea14d7f8335093f5a4e67c5
Instruction Fuzzy Hash: 98E0D8B255130067D2508E069C45B53FF98EB44A30F14C567ED081B702D171B5148AF5

Uniqueness

Uniqueness Score: -1.00%

Function 06C61B53, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.278635293.0000000006C60000.00000040.00000001.sdmp, Offset: 06C60000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3da23658b7ef1b26592e0d803edb3b307d5d1539180984d8f57369d7236aa5f5
Instruction ID: 158ce68d6a3a51e0b1ab88564f4e5779dad719cfd7cb885e5a5c707f357c5264
Opcode Fuzzy Hash: 3da23658b7ef1b26592e0d803edb3b307d5d1539180984d8f57369d7236aa5f5
Instruction Fuzzy Hash: 40E0D87250130467D2509E06DC85B53FF98DB44A30F14C567EE0D1B702D172B5148AF5

Uniqueness

Uniqueness Score: -1.00%

Function 06C61577, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.278635293.0000000006C60000.00000040.00000001.sdmp, Offset: 06C60000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85cc5d15c772ddd51cb244c2253b6e515ac9f68ec6610f010314e28322971fdb
Instruction ID: 891e0eed1d1802cfe1fd8187f421797d66fc5df0c69b6e5995159cef29da9c2f
Opcode Fuzzy Hash: 85cc5d15c772ddd51cb244c2253b6e515ac9f68ec6610f010314e28322971fdb
Instruction Fuzzy Hash: 86E0D87251120067D2509E069C45B53FF98DB40A30F14C567EE091B702D172B514CAF5

Uniqueness

Uniqueness Score: -1.00%

Function 04D92629, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.274560268.0000000004D90000.00000040.00000001.sdmp, Offset: 04D90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79a0d3f35c47c99c8e401d16f1776c6795e8c1a50af2b66e715e45ce3577eb37
Instruction ID: a32b05136fdeec343455be0ae2c43af7958c07199db73bda02968cbba0d63be8
Opcode Fuzzy Hash: 79a0d3f35c47c99c8e401d16f1776c6795e8c1a50af2b66e715e45ce3577eb37
Instruction Fuzzy Hash: 4FF03974909308AFCB00AFA4E95459DBBB4FB8A300F2484EAC844A3752D6359A05DF51

Uniqueness

Uniqueness Score: -1.00%

Function 04D900B8, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.274560268.0000000004D90000.00000040.00000001.sdmp, Offset: 04D90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 287e849e631914543a5d5eb13e47ccbc885264d479e19ede924a2aea6b824f72
Instruction ID: cae4d8e0012cb12c9035dd29c06aca6fb121ee4f9bca53cfe41917eff93ab097
Opcode Fuzzy Hash: 287e849e631914543a5d5eb13e47ccbc885264d479e19ede924a2aea6b824f72
Instruction Fuzzy Hash: 6EE06D70905208AFCB09DBA5C942BA9BBB4DF46300F1550EA9408A7262DA305E04CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 04D92E68, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.274560268.0000000004D90000.00000040.00000001.sdmp, Offset: 04D90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aac634e53d07ddf3f929f26a5b8940cede5eab61c9f52f0fbac96d8dff25cd39
Instruction ID: 7dc7f9171b6cdb456132b53dcf8495883cad8e8f50f2979b21ac26ca46e11a84
Opcode Fuzzy Hash: aac634e53d07ddf3f929f26a5b8940cede5eab61c9f52f0fbac96d8dff25cd39
Instruction Fuzzy Hash: 2AE09230804348DFC7009FA4D9445687FB8BF07300F1444DAC440D7262D7316900DF61

Uniqueness

Uniqueness Score: -1.00%

Function 04D90070, Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.274560268.0000000004D90000.00000040.00000001.sdmp, Offset: 04D90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffb0b1cf3d9bd6fbe0ccbc5ef920b552203047b94da1b0eff1fae7be468246a0
Instruction ID: 7eeac7e9b7f9958858ade665fad9d6a7c974a21925a21636e2a08d70a969baec
Opcode Fuzzy Hash: ffb0b1cf3d9bd6fbe0ccbc5ef920b552203047b94da1b0eff1fae7be468246a0
Instruction Fuzzy Hash: 24E08C70643208E7CB08FBB4991263FB3A8DB43300F0018AC850973251CE325E109A75

Uniqueness

Uniqueness Score: -1.00%

Function 067C3AE8, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.278419169.00000000067C0000.00000040.00000001.sdmp, Offset: 067C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c52d12df0f28faca58b800bb965b90ae045469b4c6f8cbfe58e53f91bef542ca
Instruction ID: 4b94bd6c540096addcbffe50765e72c40c5ddf311ff942178be5566047cb58e6
Opcode Fuzzy Hash: c52d12df0f28faca58b800bb965b90ae045469b4c6f8cbfe58e53f91bef542ca
Instruction Fuzzy Hash: 26E04F70915308DFD744EF60E945B6D7B34EB4A311F10409AD80567350DBB16D54CAA4

Uniqueness

Uniqueness Score: -1.00%

Function 04D900C8, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.274560268.0000000004D90000.00000040.00000001.sdmp, Offset: 04D90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fc6e34145089317071d30a2f2adb80a13761afb0930e1e7ed8b012e794dbf52
Instruction ID: b8f9295bf1fbfe922964a701e54455e1bc918f4470953264a4e108203eae94c4
Opcode Fuzzy Hash: 8fc6e34145089317071d30a2f2adb80a13761afb0930e1e7ed8b012e794dbf52
Instruction Fuzzy Hash: ACE0EC70D01208EBCB08DFA5D942BADB3B5EF46300F5051A99408B3261DA716E14DAA5

Uniqueness

Uniqueness Score: -1.00%

Function 04D98DD2, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.274560268.0000000004D90000.00000040.00000001.sdmp, Offset: 04D90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34c773f2bb36e78eed7012ea7f3747b4304e3ef7e4b32f459efc67b477742394
Instruction ID: 948a068064d82b59f602eba272284b0b6781dfade608a613c91e6f6b9cfb8980
Opcode Fuzzy Hash: 34c773f2bb36e78eed7012ea7f3747b4304e3ef7e4b32f459efc67b477742394
Instruction Fuzzy Hash: 4DE092B8E09318CFCF20DBB4D80449CBBF4BA1A714B54121AD099E7352E3349C029A12

Uniqueness

Uniqueness Score: -1.00%

Function 00D823F4, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.268894956.0000000000D82000.00000040.00000001.sdmp, Offset: 00D82000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8f0f3e0a7df101f7118a24b85678254d117b41a751278fca3b09b55c1bc261b
Instruction ID: 352826fdb154303cf3d9c0ade1566327806e6575aa38782e4a7e18b51f5976d8
Opcode Fuzzy Hash: e8f0f3e0a7df101f7118a24b85678254d117b41a751278fca3b09b55c1bc261b
Instruction Fuzzy Hash: 1BD05E79215A818FD3269A1CC1A9BA53B94AB61B04F4A44FEE8008B663C368D981D220

Uniqueness

Uniqueness Score: -1.00%

Function 00D823BC, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.268894956.0000000000D82000.00000040.00000001.sdmp, Offset: 00D82000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 980de396b325b1a834675272f32b0f4f8966249fdfc0492945af25b39b268083
Instruction ID: 85333fabf1a7ce0c3e536ed02d04a889d755e96eb2171f879129f7c090cff4fb
Opcode Fuzzy Hash: 980de396b325b1a834675272f32b0f4f8966249fdfc0492945af25b39b268083
Instruction Fuzzy Hash: 95D05E342002818BC716EB0CC5A4F6937D4AB41B00F0A44ECBC008BA62C3A9DD81C610

Uniqueness

Uniqueness Score: -1.00%

Function 04D95A20, Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.274560268.0000000004D90000.00000040.00000001.sdmp, Offset: 04D90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f1a865fe6b4457dcd0eb5e759b7b2e343785342eb8dfc76c3a3e9e1ff1b0232
Instruction ID: 69fbbac5fd4778255b75c74cffd9916d746445ea433a6ba76569944bd2eb4c79
Opcode Fuzzy Hash: 5f1a865fe6b4457dcd0eb5e759b7b2e343785342eb8dfc76c3a3e9e1ff1b0232
Instruction Fuzzy Hash: 44E00278A56269DFCB60DF14D898698B7B0BB09340F1485D79849E3304D370AE81DF19

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 04D930D1, Relevance: 5.2, Strings: 4, Instructions: 151COMMON

Download Yara Rule

Strings

f]Ir, xrefs: 04D93130
`5kr, xrefs: 04D932D5
>_Ir, xrefs: 04D93219
:@Dr, xrefs: 04D931FC

Memory Dump Source

Source File: 00000000.00000002.274560268.0000000004D90000.00000040.00000001.sdmp, Offset: 04D90000, based on PE: false

Similarity

API ID:
String ID: :@Dr$>_Ir$`5kr$f]Ir
API String ID: 0-3492759196
Opcode ID: 37a9776dfa1d72facd059f9bc538f0a1bf70395e892bb1c1ff0b6e524f7123a8
Instruction ID: 9c6be8df240860ad30dd20ffde796f1ce1f3e4eaec1bafdb3a0c9c5e8e2544bb
Opcode Fuzzy Hash: 37a9776dfa1d72facd059f9bc538f0a1bf70395e892bb1c1ff0b6e524f7123a8
Instruction Fuzzy Hash: 19512A70A00248CFD744EF69E98579DBBF2FF89304F24816AD515EB368DBB15C068B61

Uniqueness

Uniqueness Score: -1.00%

Function 04D930E0, Relevance: 5.1, Strings: 4, Instructions: 136COMMON

Download Yara Rule

Strings

f]Ir, xrefs: 04D93130
`5kr, xrefs: 04D932D5
>_Ir, xrefs: 04D93219
:@Dr, xrefs: 04D931FC

Memory Dump Source

Source File: 00000000.00000002.274560268.0000000004D90000.00000040.00000001.sdmp, Offset: 04D90000, based on PE: false

Similarity

API ID:
String ID: :@Dr$>_Ir$`5kr$f]Ir
API String ID: 0-3492759196
Opcode ID: 455e4c0a41725c9e20be5b1f78d5fc76a59f9d3708db15611c9aa61c1fd14e69
Instruction ID: a1b520fa987540424ec09e9beb6ffa9b09f49d26275853b579e0cc1ef7178d37
Opcode Fuzzy Hash: 455e4c0a41725c9e20be5b1f78d5fc76a59f9d3708db15611c9aa61c1fd14e69
Instruction Fuzzy Hash: 00510A70A00209CBD744EF6AD94579DBFF6FF89304F24912AD514EB368EBB158068BA1

Uniqueness

Uniqueness Score: -1.00%

Function 04D94DDF, Relevance: 1.4, Strings: 1, Instructions: 173COMMON

Download Yara Rule

Strings

9, xrefs: 04D95106

Memory Dump Source

Source File: 00000000.00000002.274560268.0000000004D90000.00000040.00000001.sdmp, Offset: 04D90000, based on PE: false

Similarity

API ID:
String ID: 9
API String ID: 0-2366072709
Opcode ID: b86b2c4809a1b78df0f685719ed43b5051b2c0dd9c9fbd54103038d2f4cd50c3
Instruction ID: ae8caaef546cabcc51dcf79bdc2b49acb320f43439190b65d1304db5e7d227cf
Opcode Fuzzy Hash: b86b2c4809a1b78df0f685719ed43b5051b2c0dd9c9fbd54103038d2f4cd50c3
Instruction Fuzzy Hash: 359181B0E006288BDBA4DF29C991789BBF1EF4A300F1181E9D14CE6255EB319ED5CF16

Uniqueness

Uniqueness Score: -1.00%

Function 04D9331B, Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.274560268.0000000004D90000.00000040.00000001.sdmp, Offset: 04D90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 840d83135a4dfd0ce46853366b01c680c02d01757dd8f170522b05ac548fde51
Instruction ID: a57d44860f740aa77bd8e89d32436d647862b72dad68d85b364afbfe668811f7
Opcode Fuzzy Hash: 840d83135a4dfd0ce46853366b01c680c02d01757dd8f170522b05ac548fde51
Instruction Fuzzy Hash: E5516DB1E056188BEB5CCF6B8D4079AFBF3AFC9200F14C1BAC51CA6215DB3059868F55

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: RegSvcs.exe PID: 5464 Parent PID: 6372 RegSvcs.exeCOMMON

Executed Functions

Function 026C3970, Relevance: 1.8, Strings: 1, Instructions: 579COMMON

Download Yara Rule

Strings

>_Ir, xrefs: 026C3F9D

Memory Dump Source

Source File: 00000008.00000002.487849920.00000000026C0000.00000040.00000001.sdmp, Offset: 026C0000, based on PE: false

Similarity

API ID:
String ID: >_Ir
API String ID: 0-3386957151
Opcode ID: 54347301004d60b3b34f6e9a57508ec12d43d54f00c427776cd5d16c94444511
Instruction ID: 9949f292bb8de52c3e868b1ac4351ba77317b24810c8c6bf6e481ceff3512d81
Opcode Fuzzy Hash: 54347301004d60b3b34f6e9a57508ec12d43d54f00c427776cd5d16c94444511
Instruction Fuzzy Hash: CE22AE71A04205CFCB05DF98C9849B9BBB2FF85310B29C5AAE9159F356D731EC62CB90

Uniqueness

Uniqueness Score: -1.00%

Function 02722AF6, Relevance: 1.6, APIs: 1, Instructions: 79networkCOMMON

Download Yara Rule

APIs

bind.WS2_32(?,00000E2C,CFC42305,00000000,00000000,00000000,00000000), ref: 02722B87

Memory Dump Source

Source File: 00000008.00000002.487970491.0000000002720000.00000040.00000001.sdmp, Offset: 02720000, based on PE: false

Similarity

API ID: bind
String ID:
API String ID: 1187836755-0
Opcode ID: 2087a5b762bdaf6e5cdb5d013e503459cd15c0f41ccacb7e9ed3e1822eecf0a0
Instruction ID: 5cfaba0a3de67d205e2e5f2b73000bf6f0558f62ab3475a884b61f5d4df9762d
Opcode Fuzzy Hash: 2087a5b762bdaf6e5cdb5d013e503459cd15c0f41ccacb7e9ed3e1822eecf0a0
Instruction Fuzzy Hash: FE217F71509384AFE7128B65DC44F96BFB8AF46310F08849BEA84DB152D264A909CB71

Uniqueness

Uniqueness Score: -1.00%

Function 027213BF, Relevance: 1.6, APIs: 1, Instructions: 75COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 0272143F

Memory Dump Source

Source File: 00000008.00000002.487970491.0000000002720000.00000040.00000001.sdmp, Offset: 02720000, based on PE: false

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: a5754e584f308d8527f726499016d409a1048e00330fb23873b4ef2b15b99e72
Instruction ID: ac060c27245f1757461495c62ea9d9126c19a1ea79e29d64241a3b3762a51440
Opcode Fuzzy Hash: a5754e584f308d8527f726499016d409a1048e00330fb23873b4ef2b15b99e72
Instruction Fuzzy Hash: DF21D175509784AFDB128F25DC40B52BFF4EF06310F0985DAE9888F163D3709908DB62

Uniqueness

Uniqueness Score: -1.00%

Function 027217FB, Relevance: 1.6, APIs: 1, Instructions: 64nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL(?,?,?,?), ref: 02721871

Memory Dump Source

Source File: 00000008.00000002.487970491.0000000002720000.00000040.00000001.sdmp, Offset: 02720000, based on PE: false

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: 3364f7ee6a03b5bc0f9df834741625741c084cf3023c265e5088afec704f9435
Instruction ID: 6d0eef8d48cfe3d7269894efdcbc9f08884fb84054d4e0c165e7d02c1a19ac96
Opcode Fuzzy Hash: 3364f7ee6a03b5bc0f9df834741625741c084cf3023c265e5088afec704f9435
Instruction Fuzzy Hash: 102181754097C0AFDB138B21DC45A51FFB4EF17224F0984DBE9844B163D265A50DDB62

Uniqueness

Uniqueness Score: -1.00%

Function 02722B26, Relevance: 1.6, APIs: 1, Instructions: 62networkCOMMON

Download Yara Rule

APIs

bind.WS2_32(?,00000E2C,CFC42305,00000000,00000000,00000000,00000000), ref: 02722B87

Memory Dump Source

Source File: 00000008.00000002.487970491.0000000002720000.00000040.00000001.sdmp, Offset: 02720000, based on PE: false

Similarity

API ID: bind
String ID:
API String ID: 1187836755-0
Opcode ID: c4cdf56c0e530f16757debfe31662f5746fc8076382528af80e397778425c575
Instruction ID: 1809f9bbe78adc66135c76dd03de14db129e6e0ab51dc065867fbda2e8003022
Opcode Fuzzy Hash: c4cdf56c0e530f16757debfe31662f5746fc8076382528af80e397778425c575
Instruction Fuzzy Hash: 2411B271500204AFE710CF65DC85FA6FBA8EF45320F1484ABEE49DB252E674E408CB71

Uniqueness

Uniqueness Score: -1.00%

Function 02721541, Relevance: 1.6, APIs: 1, Instructions: 57nativeCOMMON

Download Yara Rule

APIs

NtSetInformationProcess.NTDLL(?,?,?,?), ref: 027215AD

Memory Dump Source

Source File: 00000008.00000002.487970491.0000000002720000.00000040.00000001.sdmp, Offset: 02720000, based on PE: false

Similarity

API ID: InformationProcess
String ID:
API String ID: 1801817001-0
Opcode ID: 29955dfaf8ed140e5e860c80e41ff6221b4b2cb3902952e1823edd9a0ed8035e
Instruction ID: 94bd8c4e4e9187750ccc59461270fd8c7c65d781210f916b03c571368be64d7c
Opcode Fuzzy Hash: 29955dfaf8ed140e5e860c80e41ff6221b4b2cb3902952e1823edd9a0ed8035e
Instruction Fuzzy Hash: 9A118E72409784AFDB228F25DC45A52FFB4EF06314F0980DAE9858B163D275A918DB62

Uniqueness

Uniqueness Score: -1.00%

Function 027213F6, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 0272143F

Memory Dump Source

Source File: 00000008.00000002.487970491.0000000002720000.00000040.00000001.sdmp, Offset: 02720000, based on PE: false

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: c708b3b9d3120ed891c00a86d125a599be623daee519d9e3ed61e9f4fc37fe64
Instruction ID: 53cf34c2d1f9ef762cb94b5b1a989ab4ca9f027e76e120fe4152a61f6f62b79a
Opcode Fuzzy Hash: c708b3b9d3120ed891c00a86d125a599be623daee519d9e3ed61e9f4fc37fe64
Instruction Fuzzy Hash: 19115A715006049FDB20CF65D884B66FFE8FF08220F18C4AAEE498B622D375E418DB71

Uniqueness

Uniqueness Score: -1.00%

Function 0272161A, Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNELBASE(?), ref: 0272164C

Memory Dump Source

Source File: 00000008.00000002.487970491.0000000002720000.00000040.00000001.sdmp, Offset: 02720000, based on PE: false

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: 81df0281aa10a302093eb470ca817e8c543bfab9bd90a5d1dd4e76494a6b00dd
Instruction ID: ae01764a811dd62b026e3167e5b7253935bdb72e0b2083da2a4c4f348e268919
Opcode Fuzzy Hash: 81df0281aa10a302093eb470ca817e8c543bfab9bd90a5d1dd4e76494a6b00dd
Instruction Fuzzy Hash: 5601AD70804244DFDB10CF19D88576AFFA4EF44220F58C4AADD089F216D6B9A408CFB2

Uniqueness

Uniqueness Score: -1.00%

Function 02721572, Relevance: 1.5, APIs: 1, Instructions: 38nativeCOMMON

Download Yara Rule

APIs

NtSetInformationProcess.NTDLL(?,?,?,?), ref: 027215AD

Memory Dump Source

Source File: 00000008.00000002.487970491.0000000002720000.00000040.00000001.sdmp, Offset: 02720000, based on PE: false

Similarity

API ID: InformationProcess
String ID:
API String ID: 1801817001-0
Opcode ID: be3adbd9ad95bf6ffc75cb2f60bf3951e472d163797a8dd9082644efaf8726b8
Instruction ID: 48b22905df57b4cfc4259a2851e3e92998333bd0a20d1f606ddccce05df80c3f
Opcode Fuzzy Hash: be3adbd9ad95bf6ffc75cb2f60bf3951e472d163797a8dd9082644efaf8726b8
Instruction Fuzzy Hash: CF018B35404614DFDB208F16D884B66FFA8FF08320F18C09ADE8A5B216D3B6A418CF72

Uniqueness

Uniqueness Score: -1.00%

Function 02721836, Relevance: 1.5, APIs: 1, Instructions: 38nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL(?,?,?,?), ref: 02721871

Memory Dump Source

Source File: 00000008.00000002.487970491.0000000002720000.00000040.00000001.sdmp, Offset: 02720000, based on PE: false

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: be3adbd9ad95bf6ffc75cb2f60bf3951e472d163797a8dd9082644efaf8726b8
Instruction ID: 245d052e1b07a7aee58155e9069c76e4e6a3bf6307e4411398fcb213bb2d2c8a
Opcode Fuzzy Hash: be3adbd9ad95bf6ffc75cb2f60bf3951e472d163797a8dd9082644efaf8726b8
Instruction Fuzzy Hash: 5F018B31900A44DFDB208F15D985B62FFA0FF08320F18C59ADE495B616D3B6A418CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 026C8E68, Relevance: .5, Instructions: 505COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.487849920.00000000026C0000.00000040.00000001.sdmp, Offset: 026C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a011c12aeb809b9a949417735e08762d391ddfcfbfeae28b78aaf3fd7ccae6a8
Instruction ID: cb121fc87cdd74a1f9d34f30db9912df9200ad564ae7a746a4b8c50bc680c637
Opcode Fuzzy Hash: a011c12aeb809b9a949417735e08762d391ddfcfbfeae28b78aaf3fd7ccae6a8
Instruction Fuzzy Hash: 29129670A01215CBCB28EF69C58477DBBB2FB88315F64856ED4169B398CB78D942CF80

Uniqueness

Uniqueness Score: -1.00%

Function 026C23A0, Relevance: .5, Instructions: 505COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.487849920.00000000026C0000.00000040.00000001.sdmp, Offset: 026C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 289cff7a74fff3f0cc0808abdcdaab7e74297740de5af879b2ec83b5c0eb1aa0
Instruction ID: cb4de4defce98bd0f92ad45dd1bb452bd7aebf0a16431a99403ec4ac0daa20a2
Opcode Fuzzy Hash: 289cff7a74fff3f0cc0808abdcdaab7e74297740de5af879b2ec83b5c0eb1aa0
Instruction Fuzzy Hash: F0128830A14215CFDB28EF69C9A477EBBB2FB88304F24812EDC069B355DB759946CB50

Uniqueness

Uniqueness Score: -1.00%

Function 026C9A68, Relevance: .2, Instructions: 239COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.487849920.00000000026C0000.00000040.00000001.sdmp, Offset: 026C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c853427ccc14ec06dad21536e02ecf8e1785e1a08dd041cd27072761a7415de
Instruction ID: 6a9a70ab48faab4342d15c817a4ef386d99cc07adf1f4e946cb22dec332b97ef
Opcode Fuzzy Hash: 7c853427ccc14ec06dad21536e02ecf8e1785e1a08dd041cd27072761a7415de
Instruction Fuzzy Hash: 1A816E71F011159BD718EBA9D880A7EBBF3EFC4314B298169D416AB395DE31ED01CB90

Uniqueness

Uniqueness Score: -1.00%

Function 026C2FA8, Relevance: .2, Instructions: 239COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.487849920.00000000026C0000.00000040.00000001.sdmp, Offset: 026C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1f62e38bdb8e3b2ed0be18469813fd9e0217a902076a8434256cf1864a6b419
Instruction ID: 96da40cf70f162ce9103b321ba000a8f62ae5a438bfacc4f1c13b726984e38ff
Opcode Fuzzy Hash: b1f62e38bdb8e3b2ed0be18469813fd9e0217a902076a8434256cf1864a6b419
Instruction Fuzzy Hash: 8C817D72F011559BDB18EB69D990A6EBBE3EFC4310B29C0B9D4059B355DE319C01CB90

Uniqueness

Uniqueness Score: -1.00%

Function 026C9B2F, Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.487849920.00000000026C0000.00000040.00000001.sdmp, Offset: 026C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3491b6f438c4c367da7f15457919c744c1e45e48e33ace0a0f0d2c9b32be78b9
Instruction ID: 0722bd2b607452cf4ff12d045145670939bca4e1c1d829d56da729beab3247bd
Opcode Fuzzy Hash: 3491b6f438c4c367da7f15457919c744c1e45e48e33ace0a0f0d2c9b32be78b9
Instruction Fuzzy Hash: 3A514072F014159BD718EB6DC980A6EBBE3EFC4310F2A8165D415EB3A9DE30ED019B94

Uniqueness

Uniqueness Score: -1.00%

Function 026C8917, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.487849920.00000000026C0000.00000040.00000001.sdmp, Offset: 026C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1bcd6bbede21524296cd797e47ec2b152afe340c3e9c344d10ab09384f06bf00
Instruction ID: b0900670d3e1646c23c16af9d2eb0b87ce084f7e617bdf18d27638b6dde1c85e
Opcode Fuzzy Hash: 1bcd6bbede21524296cd797e47ec2b152afe340c3e9c344d10ab09384f06bf00
Instruction Fuzzy Hash: 9F019A34D05240CFC716FF60EA687AD7BB1EB0B306F20549ACA4667294C7349E44CF42

Uniqueness

Uniqueness Score: -1.00%

Function 026C09A5, Relevance: 5.2, Strings: 4, Instructions: 175COMMON

Download Yara Rule

Strings

X1kr, xrefs: 026C0A5A
X1kr, xrefs: 026C0A50
X1kr, xrefs: 026C0A98
X1kr, xrefs: 026C0AA2

Memory Dump Source

Source File: 00000008.00000002.487849920.00000000026C0000.00000040.00000001.sdmp, Offset: 026C0000, based on PE: false

Similarity

API ID:
String ID: X1kr$X1kr$X1kr$X1kr
API String ID: 0-2451847431
Opcode ID: d8211f2391390e180d76629bce4daa80159c7f1d31dfc4e08e93e5a8a8c6de6f
Instruction ID: 91341ccc4b07c09b3c4ecf5aabbfd98cf051ccabe4f1bc29420601a7eaade0c2
Opcode Fuzzy Hash: d8211f2391390e180d76629bce4daa80159c7f1d31dfc4e08e93e5a8a8c6de6f
Instruction Fuzzy Hash: 8D51A131B14255EFCB14EBA8D854B7EB7B2EF84304F318569E506DB6A0DB31AD02CB90

Uniqueness

Uniqueness Score: -1.00%

Function 026C9D7B, Relevance: 2.7, Strings: 2, Instructions: 188COMMON

Download Yara Rule

Strings

, xrefs: 026C9EBB
>_Ir, xrefs: 026C9DEF

Memory Dump Source

Source File: 00000008.00000002.487849920.00000000026C0000.00000040.00000001.sdmp, Offset: 026C0000, based on PE: false

Similarity

API ID:
String ID: $>_Ir
API String ID: 0-1787506450
Opcode ID: be4b40129876cd4476e2ab2b0f5eebff473fadd267efa9e2c3bfcf6ffc4d13c2
Instruction ID: 683f9bd63b05ad5c5148641fb323997e06612e88db16d8a742c848d63b448007
Opcode Fuzzy Hash: be4b40129876cd4476e2ab2b0f5eebff473fadd267efa9e2c3bfcf6ffc4d13c2
Instruction Fuzzy Hash: 3C51BFB1F051448FDB18EB6998445BEBBA2EFC9314B25847AD10ADB245DB31E802CB91

Uniqueness

Uniqueness Score: -1.00%

Function 026C02E8, Relevance: 2.7, Strings: 2, Instructions: 180COMMON

Download Yara Rule

Strings

:@Dr, xrefs: 026C0537
`5kr, xrefs: 026C03A5

Memory Dump Source

Source File: 00000008.00000002.487849920.00000000026C0000.00000040.00000001.sdmp, Offset: 026C0000, based on PE: false

Similarity

API ID:
String ID: :@Dr$`5kr
API String ID: 0-2548079215
Opcode ID: 8f36b7acd3ab43ba1afdca4848b436f8a6711c2155f74070e60aab7b66ded0d6
Instruction ID: 890313b174ccf5e09005263715a449e850c62bdd378b1dd54482ef32923ed600
Opcode Fuzzy Hash: 8f36b7acd3ab43ba1afdca4848b436f8a6711c2155f74070e60aab7b66ded0d6
Instruction Fuzzy Hash: 28616C34A05205DFDB08EB68D550B7E7BF2EF89700F2484ADD50AAB7A1DB719C06CB51

Uniqueness

Uniqueness Score: -1.00%

Function 026C43C0, Relevance: 2.6, Strings: 2, Instructions: 109COMMON

Download Yara Rule

Strings

X1kr, xrefs: 026C43A2
X1kr, xrefs: 026C43AC

Memory Dump Source

Source File: 00000008.00000002.487849920.00000000026C0000.00000040.00000001.sdmp, Offset: 026C0000, based on PE: false

Similarity

API ID:
String ID: X1kr$X1kr
API String ID: 0-2397868964
Opcode ID: 4e7944e3c3d1beaa619c46c55323ba46224b900f1cbdb4cb12175d8a3fa93998
Instruction ID: b333a2479e12748a999db41d5191af85303838c4448fbc9ed63099fb760ed15c
Opcode Fuzzy Hash: 4e7944e3c3d1beaa619c46c55323ba46224b900f1cbdb4cb12175d8a3fa93998
Instruction Fuzzy Hash: 5241BD31601150CFCB05FF68ED54AAE7BF2FF8431872481AAE5069B67ADB31A917DB40

Uniqueness

Uniqueness Score: -1.00%

Function 026C12A0, Relevance: 1.7, Strings: 1, Instructions: 460COMMON

Download Yara Rule

Strings

$ghr, xrefs: 026C1349

Memory Dump Source

Source File: 00000008.00000002.487849920.00000000026C0000.00000040.00000001.sdmp, Offset: 026C0000, based on PE: false

Similarity

API ID:
String ID: $ghr
API String ID: 0-1352911727
Opcode ID: b38579e8f3838bfb607854ec883fdfb9013ce38854af7f248bbf3de184d2c8cb
Instruction ID: ffd2f44f27bdc5d306dfbd712e27a0c4cfa52dbb6f62ce330fe47f4b32b1d4f3
Opcode Fuzzy Hash: b38579e8f3838bfb607854ec883fdfb9013ce38854af7f248bbf3de184d2c8cb
Instruction Fuzzy Hash: 2022E734A01615CFC724EF28C590A6ABBF2FF89304F20C599D85A9BB56DB34AD46CF41

Uniqueness

Uniqueness Score: -1.00%

Function 02722335, Relevance: 1.6, APIs: 1, Instructions: 135COMMON

Download Yara Rule

APIs

OpenFileMappingW.KERNELBASE(?,?), ref: 02722445

Memory Dump Source

Source File: 00000008.00000002.487970491.0000000002720000.00000040.00000001.sdmp, Offset: 02720000, based on PE: false

Similarity

API ID: FileMappingOpen
String ID:
API String ID: 1680863896-0
Opcode ID: b8076a21db60659e277774c0b6308a819157e2a73cb7296da58754af9bd33ccb
Instruction ID: 4604453dd36e296562b4efbe4718711f13b800c640585e3e0a808f140f9ed316
Opcode Fuzzy Hash: b8076a21db60659e277774c0b6308a819157e2a73cb7296da58754af9bd33ccb
Instruction Fuzzy Hash: 0441B2715093806FE7128B25DC45F92FFB8EF46620F1884DBEE849F293D265A908C772

Uniqueness

Uniqueness Score: -1.00%

Function 02722908, Relevance: 1.6, APIs: 1, Instructions: 111COMMON

Download Yara Rule

APIs

getaddrinfo.WS2_32(?,00000E2C), ref: 027229EB

Memory Dump Source

Source File: 00000008.00000002.487970491.0000000002720000.00000040.00000001.sdmp, Offset: 02720000, based on PE: false

Similarity

API ID: getaddrinfo
String ID:
API String ID: 300660673-0
Opcode ID: 5bb77f4e4eaec8989a8b6412f72a05fb70564efb578a7ecc6b7b768595cfea90
Instruction ID: 05842725722defe99cc5c90b66ea5e7bff5f9601c8252ea943e145c6f81a99e6
Opcode Fuzzy Hash: 5bb77f4e4eaec8989a8b6412f72a05fb70564efb578a7ecc6b7b768595cfea90
Instruction Fuzzy Hash: 1C31C6B2504340AFE7228B20DC45FA6FFACEF46710F14899AE9849A192D775A909CB71

Uniqueness

Uniqueness Score: -1.00%

Function 02721E9B, Relevance: 1.6, APIs: 1, Instructions: 104networkCOMMON

Download Yara Rule

APIs

WSASocketW.WS2_32 ref: 02721F56

Memory Dump Source

Source File: 00000008.00000002.487970491.0000000002720000.00000040.00000001.sdmp, Offset: 02720000, based on PE: false

Similarity

API ID: Socket
String ID:
API String ID: 38366605-0
Opcode ID: 7fb819bd1ca183c56a5e6864775a85f14cf3b0439095e5583d45ad1fc53fe397
Instruction ID: 4debd846c7f1bf115075075f2d8bb30fed5764a49395669d19b07231b40b514a
Opcode Fuzzy Hash: 7fb819bd1ca183c56a5e6864775a85f14cf3b0439095e5583d45ad1fc53fe397
Instruction Fuzzy Hash: 5A317C7150E7C0AFE7238B619C54B56BFB4EF07210F0985DBE9848F1A3C365A809CB62

Uniqueness

Uniqueness Score: -1.00%

Function 02721AAC, Relevance: 1.6, APIs: 1, Instructions: 101registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,?,?), ref: 02721B7E

Memory Dump Source

Source File: 00000008.00000002.487970491.0000000002720000.00000040.00000001.sdmp, Offset: 02720000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: bad3f806c84d34d5bcfe8a372f55f91ccb6dacf62858326d5997caaa5f460b10
Instruction ID: d41b48d8f5d4705260cc1e6812a224235d835cb97006067c0495c81622f8c0a3
Opcode Fuzzy Hash: bad3f806c84d34d5bcfe8a372f55f91ccb6dacf62858326d5997caaa5f460b10
Instruction Fuzzy Hash: E9316B6540E3C05FD3138B319C61A62BF74EF87614B0E80CBE884CF5A3D169691AC772

Uniqueness

Uniqueness Score: -1.00%

Function 02720EB8, Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,00000E2C), ref: 02720F5B

Memory Dump Source

Source File: 00000008.00000002.487970491.0000000002720000.00000040.00000001.sdmp, Offset: 02720000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: b3f88adbe85df80a0a8966164f5a2012be9888006edd9b3cd281706ccc99109a
Instruction ID: 15eac127322d11e7b963e5c935174676f51a942b76ff9ded461e1657f144691f
Opcode Fuzzy Hash: b3f88adbe85df80a0a8966164f5a2012be9888006edd9b3cd281706ccc99109a
Instruction Fuzzy Hash: D731B372104344AFEB228B65DC44F67BFBCEF46310F0488AAF985DB152D224A819CB71

Uniqueness

Uniqueness Score: -1.00%

Function 02720C58, Relevance: 1.6, APIs: 1, Instructions: 93COMMON

Download Yara Rule

APIs

GetTempFileNameW.KERNELBASE(?,00000E2C,?,?), ref: 02720D1A

Memory Dump Source

Source File: 00000008.00000002.487970491.0000000002720000.00000040.00000001.sdmp, Offset: 02720000, based on PE: false

Similarity

API ID: FileNameTemp
String ID:
API String ID: 745986568-0
Opcode ID: 2cd75f9f29a5bf62422b70ad15e90b4849d0bb79f544c78f135c44a963b53f2b
Instruction ID: 67d778af37d45dcd47380fb2018855d39c1d6e2e62a152b524ea4efae86b04b7
Opcode Fuzzy Hash: 2cd75f9f29a5bf62422b70ad15e90b4849d0bb79f544c78f135c44a963b53f2b
Instruction Fuzzy Hash: 4D317C6140D3C06FD7038B259C51B62BFB4EF87610F0E85DBE9848F5A3D225A81AC7B2

Uniqueness

Uniqueness Score: -1.00%

Function 02720390, Relevance: 1.6, APIs: 1, Instructions: 93registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.KERNELBASE(?,00000E2C), ref: 0272045E

Memory Dump Source

Source File: 00000008.00000002.487970491.0000000002720000.00000040.00000001.sdmp, Offset: 02720000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 5b6825f5e07085c33913299a397d183d05a2342d15bf739c871f1a2367f66b56
Instruction ID: 0b7ff668e60500dc86e09928a92a47956097f4cf57be237453ead4409c18dceb
Opcode Fuzzy Hash: 5b6825f5e07085c33913299a397d183d05a2342d15bf739c871f1a2367f66b56
Instruction Fuzzy Hash: EA31D572004344AFE7228F21DC41FA6FFB8EF06710F14859EEA859B192D3A5A949CB71

Uniqueness

Uniqueness Score: -1.00%

Function 027207F4, Relevance: 1.6, APIs: 1, Instructions: 92fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 02720899

Memory Dump Source

Source File: 00000008.00000002.487970491.0000000002720000.00000040.00000001.sdmp, Offset: 02720000, based on PE: false

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 25edf2fb1ef7dcd2d777f229b92f5cbe02647f2b6870508aa4dba9576ed75556
Instruction ID: 08ece9158de9660d0d9aae6af7fbba0979018f43475206364fa5dd6d3e0b0e54
Opcode Fuzzy Hash: 25edf2fb1ef7dcd2d777f229b92f5cbe02647f2b6870508aa4dba9576ed75556
Instruction Fuzzy Hash: 71316DB1504380AFE722CB65DC45F66BFE8EF45610F0884AEE9858B252D365E809DB71

Uniqueness

Uniqueness Score: -1.00%

Function 00C2AA02, Relevance: 1.6, APIs: 1, Instructions: 92registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,00000E2C), ref: 00C2AAB1

Memory Dump Source

Source File: 00000008.00000002.487090284.0000000000C2A000.00000040.00000001.sdmp, Offset: 00C2A000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: a5d0e7c92f133d1cc9afb19be5f2f60f72cc07acb312ec734dc7a8386042a843
Instruction ID: 393c25af66151767ee39d34591a26864c1ef40ccde9424298731ca7a3517157f
Opcode Fuzzy Hash: a5d0e7c92f133d1cc9afb19be5f2f60f72cc07acb312ec734dc7a8386042a843
Instruction Fuzzy Hash: FC31A072544384AFE7228B25DC45FA7FFBCEF06710F0884ABED819B152D264A909CB71

Uniqueness

Uniqueness Score: -1.00%

Function 0272307B, Relevance: 1.6, APIs: 1, Instructions: 90windowCOMMON

Download Yara Rule

APIs

FormatMessageW.KERNELBASE(?,00000E2C,?,?), ref: 02723136

Memory Dump Source

Source File: 00000008.00000002.487970491.0000000002720000.00000040.00000001.sdmp, Offset: 02720000, based on PE: false

Similarity

API ID: FormatMessage
String ID:
API String ID: 1306739567-0
Opcode ID: 790a86e99ae6f2323a5d4ed48fe91f39bb3dd4b1fbc40a81aba9fb0b79f86b20
Instruction ID: fce796b5119d3e4654fa545cb14e85c23f60103fe7d515d4f3a460548f0561b0
Opcode Fuzzy Hash: 790a86e99ae6f2323a5d4ed48fe91f39bb3dd4b1fbc40a81aba9fb0b79f86b20
Instruction Fuzzy Hash: 4D31817250D7C05FD7038B218C61A56BFB4EF87610F1A80CBD984CF1A3E6246909C7B2

Uniqueness

Uniqueness Score: -1.00%

Function 027200F6, Relevance: 1.6, APIs: 1, Instructions: 89synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNELBASE(?,?), ref: 0272019D

Memory Dump Source

Source File: 00000008.00000002.487970491.0000000002720000.00000040.00000001.sdmp, Offset: 02720000, based on PE: false

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: a7b5545a1990ec458c42b374be00fe8e52fc6ea639efb17cb74fddc20d689eaa
Instruction ID: 0ac65f529dce72d6f5386add4b7b50a13a11417da703874202d13f01336529dc
Opcode Fuzzy Hash: a7b5545a1990ec458c42b374be00fe8e52fc6ea639efb17cb74fddc20d689eaa
Instruction Fuzzy Hash: 943181715097806FE712CB25DC45F5AFFF8EF06210F08849AE984CB292D365A909C771

Uniqueness

Uniqueness Score: -1.00%

Function 00C2AAF9, Relevance: 1.6, APIs: 1, Instructions: 89registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,CFC42305,00000000,00000000,00000000,00000000), ref: 00C2ABB4

Memory Dump Source

Source File: 00000008.00000002.487090284.0000000000C2A000.00000040.00000001.sdmp, Offset: 00C2A000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: e6b936e0f15dc8b96d086afdf23ab79e5cb0a1be8c3f76bb4bd2b374bf4e3c33
Instruction ID: 03ab2111675158e20552e23bca7106a527ca91eb17017bfc062686f54280d694
Opcode Fuzzy Hash: e6b936e0f15dc8b96d086afdf23ab79e5cb0a1be8c3f76bb4bd2b374bf4e3c33
Instruction Fuzzy Hash: 7A319372109384AFE722CB25DC45F52BFB8EF06310F18849AE985CB152D264E949CB71

Uniqueness

Uniqueness Score: -1.00%

Function 027221FE, Relevance: 1.6, APIs: 1, Instructions: 87COMMON

Download Yara Rule

APIs

ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(?,00000E2C), ref: 0272229B

Memory Dump Source

Source File: 00000008.00000002.487970491.0000000002720000.00000040.00000001.sdmp, Offset: 02720000, based on PE: false

Similarity

API ID: DescriptorSecurity$ConvertString
String ID:
API String ID: 3907675253-0
Opcode ID: e57c91c2f087fae8cecb067395e4653b523ad3c656c636591b76bd9f1d6fd1f5
Instruction ID: 502c419e6118aef0b3a8d02613c8d6f8b3445816f8d15408f21d9ecab9b290f9
Opcode Fuzzy Hash: e57c91c2f087fae8cecb067395e4653b523ad3c656c636591b76bd9f1d6fd1f5
Instruction Fuzzy Hash: 4421BF72504344AFE7218B65DC45F6BBFECEB45310F0885AAED44DB242D764E808CB61

Uniqueness

Uniqueness Score: -1.00%

Function 02720FB9, Relevance: 1.6, APIs: 1, Instructions: 87COMMON

Download Yara Rule

APIs

GetExitCodeProcess.KERNELBASE(?,00000E2C,CFC42305,00000000,00000000,00000000,00000000), ref: 0272105C

Memory Dump Source

Source File: 00000008.00000002.487970491.0000000002720000.00000040.00000001.sdmp, Offset: 02720000, based on PE: false

Similarity

API ID: CodeExitProcess
String ID:
API String ID: 3861947596-0
Opcode ID: 49cd22dac6f0e95b22258c6f6c5af1585d8a78567577d9a57bf08d1866dc41e5
Instruction ID: ff29dd6b79ccc11e0489db59a537c94204d5fb3141d91c8f1593c8d6bb295383
Opcode Fuzzy Hash: 49cd22dac6f0e95b22258c6f6c5af1585d8a78567577d9a57bf08d1866dc41e5
Instruction Fuzzy Hash: 9F31F572509380AFEB128B25DC41F96BFB8EF46310F0884DBED849F193D624A909C771

Uniqueness

Uniqueness Score: -1.00%

Function 0272249C, Relevance: 1.6, APIs: 1, Instructions: 87fileCOMMON

Download Yara Rule

APIs

MapViewOfFile.KERNELBASE ref: 0272254E

Memory Dump Source

Source File: 00000008.00000002.487970491.0000000002720000.00000040.00000001.sdmp, Offset: 02720000, based on PE: false

Similarity

API ID: FileView
String ID:
API String ID: 3314676101-0
Opcode ID: a9246c2a4afbb67dbca9220aac85453d9077d8a1de775af24c433386f60b22d5
Instruction ID: 96378d74f5366b089e572d793de1851a3692f1fb4256e7dec7ae90cf6258b7c4
Opcode Fuzzy Hash: a9246c2a4afbb67dbca9220aac85453d9077d8a1de775af24c433386f60b22d5
Instruction Fuzzy Hash: AB31A472404780AFE722CB55DC45F96FFF8EF06320F04859AE9849B252D365A549CB61

Uniqueness

Uniqueness Score: -1.00%

Function 027204AB, Relevance: 1.6, APIs: 1, Instructions: 86registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,CFC42305,00000000,00000000,00000000,00000000), ref: 0272055C

Memory Dump Source

Source File: 00000008.00000002.487970491.0000000002720000.00000040.00000001.sdmp, Offset: 02720000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 3e046aa2454ceabeb74ca8ba4899772c1068bbee93780d2226334d421654252a
Instruction ID: 054cfc7bef9406359841245cdef5cfe0818b70475df5e8706e09236346f24b1f
Opcode Fuzzy Hash: 3e046aa2454ceabeb74ca8ba4899772c1068bbee93780d2226334d421654252a
Instruction Fuzzy Hash: 35318071109780AFD722CB65DC44F92BFF8AF07310F0885DAE9859B1A2D364E909CB71

Uniqueness

Uniqueness Score: -1.00%

Function 02722946, Relevance: 1.6, APIs: 1, Instructions: 84COMMON

Download Yara Rule

APIs

getaddrinfo.WS2_32(?,00000E2C), ref: 027229EB

Memory Dump Source

Source File: 00000008.00000002.487970491.0000000002720000.00000040.00000001.sdmp, Offset: 02720000, based on PE: false

Similarity

API ID: getaddrinfo
String ID:
API String ID: 300660673-0
Opcode ID: bc4cf7d4b8cbcb5afa1bdc560f0b5e3a70dd90992c9588a425ca47ebc722b08c
Instruction ID: 19589602b13dd153396fae8363ef9e36d7cda3ceaac7cf898e8a285b8cf1dbf2
Opcode Fuzzy Hash: bc4cf7d4b8cbcb5afa1bdc560f0b5e3a70dd90992c9588a425ca47ebc722b08c
Instruction Fuzzy Hash: 9521BF71100204AFFB219B24DC85FAAFBACEB44710F10895AFE449A181D6B5A5498B71

Uniqueness

Uniqueness Score: -1.00%

Function 00C2A120, Relevance: 1.6, APIs: 1, Instructions: 83networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(?,00000E2C,?,?), ref: 00C2A1C2

Memory Dump Source

Source File: 00000008.00000002.487090284.0000000000C2A000.00000040.00000001.sdmp, Offset: 00C2A000, based on PE: false

Similarity

API ID: Startup
String ID:
API String ID: 724789610-0
Opcode ID: 7fc6cab8c7262fc62a06603251b2800afe4259ee68e0bd337952423001ea1f4b
Instruction ID: 41f8329b68ded1dc1713f6d5f7a0e793fc4981e2dd48267b7639cb14e5b54434
Opcode Fuzzy Hash: 7fc6cab8c7262fc62a06603251b2800afe4259ee68e0bd337952423001ea1f4b
Instruction Fuzzy Hash: 9831D37140D3C06FD7028B358C55BA6BFB4EF87620F1985DBD984CF1A3D225A919CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 027208F0, Relevance: 1.6, APIs: 1, Instructions: 80COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E2C,CFC42305,00000000,00000000,00000000,00000000), ref: 02720985

Memory Dump Source

Source File: 00000008.00000002.487970491.0000000002720000.00000040.00000001.sdmp, Offset: 02720000, based on PE: false

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: fc7da5c14c72c088f087dd11e27bc651ae6c704cfe8bf99746f666d3b2eb6a9e
Instruction ID: 0dca274b08fbd890642d14d0f953a175f86f43ce99e1d46f6ff25181df14c9fb
Opcode Fuzzy Hash: fc7da5c14c72c088f087dd11e27bc651ae6c704cfe8bf99746f666d3b2eb6a9e
Instruction Fuzzy Hash: 8D21D6B54097806FE7128B25DC41BA2BFB8EF47720F1880D7EE849B293D2646909C771

Uniqueness

Uniqueness Score: -1.00%

Function 02720EDE, Relevance: 1.6, APIs: 1, Instructions: 80COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,00000E2C), ref: 02720F5B

Memory Dump Source

Source File: 00000008.00000002.487970491.0000000002720000.00000040.00000001.sdmp, Offset: 02720000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: d8bf9e929f84522d62cc31e9297c69303463128ca584f2f1a807e17aa20861a4
Instruction ID: ae7875308e289a355ce9efdf2e4a400eb70f56af58ca5ea4b4d582db547e73c2
Opcode Fuzzy Hash: d8bf9e929f84522d62cc31e9297c69303463128ca584f2f1a807e17aa20861a4
Instruction Fuzzy Hash: 2821BD72500704AFEB21CF65DC84FABFBACEF49320F04886AEE45DB251D670A4088B71

Uniqueness

Uniqueness Score: -1.00%

Function 027202AB, Relevance: 1.6, APIs: 1, Instructions: 79registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNELBASE(?,00000E2C), ref: 02720353

Memory Dump Source

Source File: 00000008.00000002.487970491.0000000002720000.00000040.00000001.sdmp, Offset: 02720000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 589868c7c3415ad4869f37d9791ef0fd1877b6644fe65a70d014b8d260ac7e67
Instruction ID: fcf776acfe8f0b7bf551f547150dd61aa2ccaf34f5752acafd476592fc9b7ff2
Opcode Fuzzy Hash: 589868c7c3415ad4869f37d9791ef0fd1877b6644fe65a70d014b8d260ac7e67
Instruction Fuzzy Hash: A921B575009780AFE7228F21DC45FA6FFB8EF06310F1884DAE9849B193D365A909CB71

Uniqueness

Uniqueness Score: -1.00%

Function 00C2AF50, Relevance: 1.6, APIs: 1, Instructions: 77COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,00000E2C,?,?), ref: 00C2AFEA

Memory Dump Source

Source File: 00000008.00000002.487090284.0000000000C2A000.00000040.00000001.sdmp, Offset: 00C2A000, based on PE: false

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 62e2f3356231a3a52b44182989f162117e8ef5d9355f9ee7310da88b09bd0ea7
Instruction ID: 8f4083744ec5cf8d24033fc60b4161add7b1466f4d0676cb0b642a2f01c554b3
Opcode Fuzzy Hash: 62e2f3356231a3a52b44182989f162117e8ef5d9355f9ee7310da88b09bd0ea7
Instruction Fuzzy Hash: B721867154D7C06FD3138B259C51B62BFB8EF87610F0A81DBE884CB553D225A919C7B2

Uniqueness

Uniqueness Score: -1.00%

Function 0272222A, Relevance: 1.6, APIs: 1, Instructions: 76COMMON

Download Yara Rule

APIs

ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(?,00000E2C), ref: 0272229B

Memory Dump Source

Source File: 00000008.00000002.487970491.0000000002720000.00000040.00000001.sdmp, Offset: 02720000, based on PE: false

Similarity

API ID: DescriptorSecurity$ConvertString
String ID:
API String ID: 3907675253-0
Opcode ID: 50aa69e78dfa2a3c49a5170312d5af3a6d70d46ef7dd5a18e68be006aa9ef832
Instruction ID: e00939bcc8cb4f81724b9b7ba1a1cdf8a9c8ab816fbabe28493f8220d1db2ba4
Opcode Fuzzy Hash: 50aa69e78dfa2a3c49a5170312d5af3a6d70d46ef7dd5a18e68be006aa9ef832
Instruction Fuzzy Hash: A021CF72600204AFEB209F29DC85FABFBECEF44710F14846AED44DB242D665E8098B71

Uniqueness

Uniqueness Score: -1.00%

Function 0272081A, Relevance: 1.6, APIs: 1, Instructions: 76fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 02720899

Memory Dump Source

Source File: 00000008.00000002.487970491.0000000002720000.00000040.00000001.sdmp, Offset: 02720000, based on PE: false

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 38794800004448e47ddeb36c8d0c00d048b0e45c66429e13979b7cc9acb4ca58
Instruction ID: a5aee9f3b843ad64d8d1635dfa714a51539181a5e3a9b9d2e4e65d67fba8018b
Opcode Fuzzy Hash: 38794800004448e47ddeb36c8d0c00d048b0e45c66429e13979b7cc9acb4ca58
Instruction Fuzzy Hash: 83219A75500640AFEB21DF65D885B67FBE8EF08210F14846AEA858B252D371E408CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 02720B79, Relevance: 1.6, APIs: 1, Instructions: 75registryCOMMON

Download Yara Rule

APIs

RegSetValueExW.KERNELBASE(?,00000E2C,CFC42305,00000000,00000000,00000000,00000000), ref: 02720C10

Memory Dump Source

Source File: 00000008.00000002.487970491.0000000002720000.00000040.00000001.sdmp, Offset: 02720000, based on PE: false

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: b70cc167e824e311278f387dc06b37625bababbe78abd1fa4df3e6a92f4e0e1d
Instruction ID: c53b9d0faf294af6e372d1957648b94fc9e0250348c2817561f4c7ab6ce8ba1c
Opcode Fuzzy Hash: b70cc167e824e311278f387dc06b37625bababbe78abd1fa4df3e6a92f4e0e1d
Instruction Fuzzy Hash: 7D219DB2504740AFE7218B15DC85FA7FFB8EF16310F08849AE9859B252D364E849CB71

Uniqueness

Uniqueness Score: -1.00%

Function 0272123E, Relevance: 1.6, APIs: 1, Instructions: 75COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 027212BE

Memory Dump Source

Source File: 00000008.00000002.487970491.0000000002720000.00000040.00000001.sdmp, Offset: 02720000, based on PE: false

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 521bfbe65991cab6b4131560dd697daad661c5a2c2b8ad4b316f989fda3b5040
Instruction ID: 9d59eb905f8c2a1b11da4af565cff145c2dbce7a0b1c208b0910047d81057cc0
Opcode Fuzzy Hash: 521bfbe65991cab6b4131560dd697daad661c5a2c2b8ad4b316f989fda3b5040
Instruction Fuzzy Hash: D72162725093805FD7128B25DC95B92BFF8EF46220F0984DBE989CB553D225D849CB61

Uniqueness

Uniqueness Score: -1.00%

Function 027209C0, Relevance: 1.6, APIs: 1, Instructions: 75COMMON

Download Yara Rule

APIs

setsockopt.WS2_32(?,00000E2C,CFC42305,00000000,00000000,00000000,00000000), ref: 02720A51

Memory Dump Source

Source File: 00000008.00000002.487970491.0000000002720000.00000040.00000001.sdmp, Offset: 02720000, based on PE: false

Similarity

API ID: setsockopt
String ID:
API String ID: 3981526788-0
Opcode ID: 449374e60e32cce5490d90baaabede7037ffa229e0b2987c0c2b5861523e94e2
Instruction ID: 4341bb23ba36e77d28fcddf624795de7342c9db9a8031ff84d9f40ed80d9be6a
Opcode Fuzzy Hash: 449374e60e32cce5490d90baaabede7037ffa229e0b2987c0c2b5861523e94e2
Instruction Fuzzy Hash: F121A172409380AFE7228F65DC44F56FFB8EF46314F0884DBEA849B153C265A909CB72

Uniqueness

Uniqueness Score: -1.00%

Function 027203CA, Relevance: 1.6, APIs: 1, Instructions: 75registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.KERNELBASE(?,00000E2C), ref: 0272045E

Memory Dump Source

Source File: 00000008.00000002.487970491.0000000002720000.00000040.00000001.sdmp, Offset: 02720000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 878eeea705596272d6b64b5abfaf25c80e97f244dcae09ab138eb12d3f38fc19
Instruction ID: 9823864d7f5228130c5586e62e30fdb16c95803cafa28d98a8979b3c7a0392eb
Opcode Fuzzy Hash: 878eeea705596272d6b64b5abfaf25c80e97f244dcae09ab138eb12d3f38fc19
Instruction Fuzzy Hash: 2021CF72100604AFFB219F15DC81FA7FBACEF05710F14895AEE469A281D6B1A549CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 00C2AA32, Relevance: 1.6, APIs: 1, Instructions: 74registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,00000E2C), ref: 00C2AAB1

Memory Dump Source

Source File: 00000008.00000002.487090284.0000000000C2A000.00000040.00000001.sdmp, Offset: 00C2A000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 906d351095469a33c7c70ee195314a728e5eff6725b881b11653530d84fef97f
Instruction ID: f5d608e3223f34d28abaabce252534efa3a416e564bfebf59900d35cb0e7babf
Opcode Fuzzy Hash: 906d351095469a33c7c70ee195314a728e5eff6725b881b11653530d84fef97f
Instruction Fuzzy Hash: B221CD72500604EFE7219B25DD85FABFBECEF08710F14845AEE419A641D660E908CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 0272012A, Relevance: 1.6, APIs: 1, Instructions: 72synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNELBASE(?,?), ref: 0272019D

Memory Dump Source

Source File: 00000008.00000002.487970491.0000000002720000.00000040.00000001.sdmp, Offset: 02720000, based on PE: false

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 7a128cb120c985eebce1ff7eecb04f791d4ffe8dcbeb798424ad9901e2879658
Instruction ID: 001c38cae116815f3153e3430769255031e9e4363c161fe62d9dad4df5bae1e0
Opcode Fuzzy Hash: 7a128cb120c985eebce1ff7eecb04f791d4ffe8dcbeb798424ad9901e2879658
Instruction Fuzzy Hash: FA21BB71600250AFE720DF25DC85BAAFBE8EF05210F1484AAED489B242E770E908CA71

Uniqueness

Uniqueness Score: -1.00%

Function 02720723, Relevance: 1.6, APIs: 1, Instructions: 71COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,?), ref: 0272079F

Memory Dump Source

Source File: 00000008.00000002.487970491.0000000002720000.00000040.00000001.sdmp, Offset: 02720000, based on PE: false

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: f0ee53617f53bcae566f0032618aff4d965d7688c7be713588849ecce47fe2b4
Instruction ID: 818422e10beb70544b13f18da9e6581c11665596f8d4833b6eee83423126039c
Opcode Fuzzy Hash: f0ee53617f53bcae566f0032618aff4d965d7688c7be713588849ecce47fe2b4
Instruction Fuzzy Hash: C621AFB25093809FDB12CB25DC84B56BFE8EF16214F0984EAE944CF262D324E908CB71

Uniqueness

Uniqueness Score: -1.00%

Function 027210BF, Relevance: 1.6, APIs: 1, Instructions: 71fileCOMMON

Download Yara Rule

APIs

DeleteFileA.KERNELBASE(?,00000E2C), ref: 0272114B

Memory Dump Source

Source File: 00000008.00000002.487970491.0000000002720000.00000040.00000001.sdmp, Offset: 02720000, based on PE: false

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: ee530eb55971c2d41049e87df0fcf84f1650968930402441eca6371b945c76ca
Instruction ID: e3cdeae5e63aa91c28c3481ee0511d7133aba0809a2e5d77dc1562e91a01f47c
Opcode Fuzzy Hash: ee530eb55971c2d41049e87df0fcf84f1650968930402441eca6371b945c76ca
Instruction Fuzzy Hash: 5E21D871504380AFE7218B25DC45FA6FFA8EF46710F14C09AFD459B192D374A948C762

Uniqueness

Uniqueness Score: -1.00%

Function 02720A9B, Relevance: 1.6, APIs: 1, Instructions: 71fileCOMMON

Download Yara Rule

APIs

CopyFileW.KERNELBASE(?,?,?), ref: 02720B1E

Memory Dump Source

Source File: 00000008.00000002.487970491.0000000002720000.00000040.00000001.sdmp, Offset: 02720000, based on PE: false

Similarity

API ID: CopyFile
String ID:
API String ID: 1304948518-0
Opcode ID: 2e69c0e1b4d5d9987a31114bd9408929827934caa201628ac68683a470be7324
Instruction ID: 1c848a907c54cbbcc350a9faa693cf953fa2b85005c50bbec2ec1a6e178e6267
Opcode Fuzzy Hash: 2e69c0e1b4d5d9987a31114bd9408929827934caa201628ac68683a470be7324
Instruction Fuzzy Hash: 282192B15093845FD722CF25DC55B62BFE8EF56214F0980EAED84DB253E225D808C771

Uniqueness

Uniqueness Score: -1.00%

Function 027201F4, Relevance: 1.6, APIs: 1, Instructions: 69COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 02720264

Memory Dump Source

Source File: 00000008.00000002.487970491.0000000002720000.00000040.00000001.sdmp, Offset: 02720000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: aef6568412dfb0e0edf5a27936c636ed443123c8ed6088a57a5bd6609c7c556b
Instruction ID: 578da7564dabb94c72bc110092ea1543488385d786e7f814dfe99a738eb41054
Opcode Fuzzy Hash: aef6568412dfb0e0edf5a27936c636ed443123c8ed6088a57a5bd6609c7c556b
Instruction Fuzzy Hash: C621D4B14097849FD7128B14DC45752BFA8EF52224F0980DBDD449F163E2349908CB71

Uniqueness

Uniqueness Score: -1.00%

Function 00C2AB3A, Relevance: 1.6, APIs: 1, Instructions: 69registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,CFC42305,00000000,00000000,00000000,00000000), ref: 00C2ABB4

Memory Dump Source

Source File: 00000008.00000002.487090284.0000000000C2A000.00000040.00000001.sdmp, Offset: 00C2A000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: e3f193b756513f9c8607cc9f4c367d06bb74c9c407ccd513d018704dd916ff0a
Instruction ID: cdf85849f647da97f01fc2cfde510ffc8b479e5a323f7206e29f6c1a9aa9ead3
Opcode Fuzzy Hash: e3f193b756513f9c8607cc9f4c367d06bb74c9c407ccd513d018704dd916ff0a
Instruction Fuzzy Hash: 7D218E75600604AFE720CF25DC84F67FBECEF05710F1484AAED459B651D660E908CA72

Uniqueness

Uniqueness Score: -1.00%

Function 027223DA, Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

OpenFileMappingW.KERNELBASE(?,?), ref: 02722445

Memory Dump Source

Source File: 00000008.00000002.487970491.0000000002720000.00000040.00000001.sdmp, Offset: 02720000, based on PE: false

Similarity

API ID: FileMappingOpen
String ID:
API String ID: 1680863896-0
Opcode ID: 96d22d8febdbbfc6ebf066f4c3883c70563065abb0b344106b4981b3e30449bd
Instruction ID: a2e6c2651d89b15fce1ef6e7470c36eba89ec318a81cbd4b92037f42fa50face
Opcode Fuzzy Hash: 96d22d8febdbbfc6ebf066f4c3883c70563065abb0b344106b4981b3e30449bd
Instruction Fuzzy Hash: 8E21AEB1504600AFE720DF25DC45B66FBE8EF44320F14846AEE899B242D771E908CA71

Uniqueness

Uniqueness Score: -1.00%

Function 0272148C, Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 027214F8

Memory Dump Source

Source File: 00000008.00000002.487970491.0000000002720000.00000040.00000001.sdmp, Offset: 02720000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 7fef62ee3fc6bc42633efac40b0522cdeaff0cea09addff55b46d115be8248f4
Instruction ID: a4dc4660d71a409b6f10e122b71702320b9c2b0859769ac77d9c8707adfcebd4
Opcode Fuzzy Hash: 7fef62ee3fc6bc42633efac40b0522cdeaff0cea09addff55b46d115be8248f4
Instruction Fuzzy Hash: 8F21C0725093C05FDB038B25DC54B92BFB8AF47224F0980DAED858F263D274A908CB72

Uniqueness

Uniqueness Score: -1.00%

Function 02721EEA, Relevance: 1.6, APIs: 1, Instructions: 67networkCOMMON

Download Yara Rule

APIs

WSASocketW.WS2_32 ref: 02721F56

Memory Dump Source

Source File: 00000008.00000002.487970491.0000000002720000.00000040.00000001.sdmp, Offset: 02720000, based on PE: false

Similarity

API ID: Socket
String ID:
API String ID: 38366605-0
Opcode ID: 60d831c2eec972c714eef57e752ce552abce51e3c7560c7837da57fbbe3e83f6
Instruction ID: 3f0018d4b08d8c29d00678a34dec1f7ca504fef88f08af4799f45e7878aad7de
Opcode Fuzzy Hash: 60d831c2eec972c714eef57e752ce552abce51e3c7560c7837da57fbbe3e83f6
Instruction Fuzzy Hash: 0821CD71500600AFEB21DF65DC44FA6FFE8EF09320F14886AEE899A252D371A408CB71

Uniqueness

Uniqueness Score: -1.00%

Function 027224DA, Relevance: 1.6, APIs: 1, Instructions: 67fileCOMMON

Download Yara Rule

APIs

MapViewOfFile.KERNELBASE ref: 0272254E

Memory Dump Source

Source File: 00000008.00000002.487970491.0000000002720000.00000040.00000001.sdmp, Offset: 02720000, based on PE: false

Similarity

API ID: FileView
String ID:
API String ID: 3314676101-0
Opcode ID: 7af42e056480c02ac197bc6b9bcc801da4b82ef9e515eabb6616c6cc7f1279b2
Instruction ID: 8f21c6176a0a3c7a9fbd6a4907b8b54663b53c1c16529b2747358fb0cdf1ce24
Opcode Fuzzy Hash: 7af42e056480c02ac197bc6b9bcc801da4b82ef9e515eabb6616c6cc7f1279b2
Instruction Fuzzy Hash: 1F219D71500600AFE721CF26DC85FA6FBE8EF08320F14849AEE849B252D775E509CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 027204EA, Relevance: 1.6, APIs: 1, Instructions: 65registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,CFC42305,00000000,00000000,00000000,00000000), ref: 0272055C

Memory Dump Source

Source File: 00000008.00000002.487970491.0000000002720000.00000040.00000001.sdmp, Offset: 02720000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 8fd980c936b3bae1a600ac506cbb654bdc67bb3d3273a3ea4442413cedfab67b
Instruction ID: 4052209bad33702445c0fdddafd03aab6dd7ca74e72f1535c085b4e9276172cd
Opcode Fuzzy Hash: 8fd980c936b3bae1a600ac506cbb654bdc67bb3d3273a3ea4442413cedfab67b
Instruction Fuzzy Hash: B511AC72500A14AFEB20CF16DC80F67FBECEF18720F04846AEA469B251D760E408CB71

Uniqueness

Uniqueness Score: -1.00%

Function 02720B9E, Relevance: 1.6, APIs: 1, Instructions: 65registryCOMMON

Download Yara Rule

APIs

RegSetValueExW.KERNELBASE(?,00000E2C,CFC42305,00000000,00000000,00000000,00000000), ref: 02720C10

Memory Dump Source

Source File: 00000008.00000002.487970491.0000000002720000.00000040.00000001.sdmp, Offset: 02720000, based on PE: false

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 37c027a010815c0a8224e0ff47cdde3253b0e0e80295cdfa570d1c5bc76144bd
Instruction ID: d7e1c63631fa51b2490ebf399f22bc09bd3b5b2d21312064f927b9a14f8e78b7
Opcode Fuzzy Hash: 37c027a010815c0a8224e0ff47cdde3253b0e0e80295cdfa570d1c5bc76144bd
Instruction Fuzzy Hash: 34119DB2600604AFEB209F15DC85FA7FBECEF15710F14846AEE459B241E770E449CA71

Uniqueness

Uniqueness Score: -1.00%

Function 0272118F, Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

SetKernelObjectSecurity.KERNELBASE(?,?,?), ref: 02721202

Memory Dump Source

Source File: 00000008.00000002.487970491.0000000002720000.00000040.00000001.sdmp, Offset: 02720000, based on PE: false

Similarity

API ID: KernelObjectSecurity
String ID:
API String ID: 3015937269-0
Opcode ID: e9ccdea1429e16ebbbbaa308695800c9aadfefae44a7cdea9bc1c54d7b3fc7b3
Instruction ID: 5a3be6ae95323474a4c4b31a55a22409607db121ed0c01cb3a401e304e6869ce
Opcode Fuzzy Hash: e9ccdea1429e16ebbbbaa308695800c9aadfefae44a7cdea9bc1c54d7b3fc7b3
Instruction Fuzzy Hash: 1D216D755093809FD7228B25DC45B62FFB4EF06214F0980DBED858B2A3D275A949CB62

Uniqueness

Uniqueness Score: -1.00%

Function 02721006, Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

GetExitCodeProcess.KERNELBASE(?,00000E2C,CFC42305,00000000,00000000,00000000,00000000), ref: 0272105C

Memory Dump Source

Source File: 00000008.00000002.487970491.0000000002720000.00000040.00000001.sdmp, Offset: 02720000, based on PE: false

Similarity

API ID: CodeExitProcess
String ID:
API String ID: 3861947596-0
Opcode ID: 30a1c64b5a48bd629d96bb217a6232891ee3bb0a26cfba8fb4bc67673a8f4db9
Instruction ID: 52242706d0357efb13562f3600d4be48efd338896f64b7ba304eee62328bb483
Opcode Fuzzy Hash: 30a1c64b5a48bd629d96bb217a6232891ee3bb0a26cfba8fb4bc67673a8f4db9
Instruction Fuzzy Hash: 4A11E771500244AFEB208F25DC45B67FFA8EF45320F14846BEE08DB241D674A408CB71

Uniqueness

Uniqueness Score: -1.00%

Function 00C2B7CA, Relevance: 1.6, APIs: 1, Instructions: 61windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,?,?), ref: 00C2B841

Memory Dump Source

Source File: 00000008.00000002.487090284.0000000000C2A000.00000040.00000001.sdmp, Offset: 00C2A000, based on PE: false

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 80fa17927ec3513f3d2342ad754660584628177f951191fb7301c907611e83ae
Instruction ID: 12d0f0443ac073aa02608fb7a95a7f226c1e38b043cc10aee64703531a283f8e
Opcode Fuzzy Hash: 80fa17927ec3513f3d2342ad754660584628177f951191fb7301c907611e83ae
Instruction Fuzzy Hash: CC218C724097C09FDB128B21DC54AA2BFB4EF1B320F0D84DAEDC44F163D265A958DB62

Uniqueness

Uniqueness Score: -1.00%

Function 00C2A51F, Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00C2A58A

Memory Dump Source

Source File: 00000008.00000002.487090284.0000000000C2A000.00000040.00000001.sdmp, Offset: 00C2A000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 92cb5256cb175a0329e15b767f922e9239b5427601e38bd2a32d2e68ee0e248e
Instruction ID: 46316aa2888a50b34791d6dc167f9e766ce87cc624b65389db9bffc49e9b0946
Opcode Fuzzy Hash: 92cb5256cb175a0329e15b767f922e9239b5427601e38bd2a32d2e68ee0e248e
Instruction Fuzzy Hash: 3611B471409780AFDB228F50DC44A62FFF4EF4A310F0884DAEE858B562D275A918DB71

Uniqueness

Uniqueness Score: -1.00%

Function 02721750, Relevance: 1.6, APIs: 1, Instructions: 60COMMON

Download Yara Rule

APIs

K32EnumProcesses.KERNEL32(?,?,?,CFC42305,00000000,?,?,?,?,?,?,?,?,72F43C38), ref: 027217B2

Memory Dump Source

Source File: 00000008.00000002.487970491.0000000002720000.00000040.00000001.sdmp, Offset: 02720000, based on PE: false

Similarity

API ID: EnumProcesses
String ID:
API String ID: 84517404-0
Opcode ID: d318cb9df7ee7f0c02ebc2bc65744b2d61845b5f088f19e4fe0ce010ea38f48e
Instruction ID: 787ff98faf9af371fb70a7d8892233d36ffe422cbe53f689a6e602c23a8ecaa3
Opcode Fuzzy Hash: d318cb9df7ee7f0c02ebc2bc65744b2d61845b5f088f19e4fe0ce010ea38f48e
Instruction Fuzzy Hash: 46117F715053849FD711CF65DC84B96FFE8EF46220F0884AAED49CB262D375A808CB61

Uniqueness

Uniqueness Score: -1.00%

Function 027209F2, Relevance: 1.6, APIs: 1, Instructions: 60COMMON

Download Yara Rule

APIs

setsockopt.WS2_32(?,00000E2C,CFC42305,00000000,00000000,00000000,00000000), ref: 02720A51

Memory Dump Source

Source File: 00000008.00000002.487970491.0000000002720000.00000040.00000001.sdmp, Offset: 02720000, based on PE: false

Similarity

API ID: setsockopt
String ID:
API String ID: 3981526788-0
Opcode ID: a5deb14371c0a380102fbee915932f07ed713049fd8e82a03e69689f72027ba6
Instruction ID: e621ab71d548518fea5cdcbf33a94a8f4b68743062b661e5cdace282e3c06649
Opcode Fuzzy Hash: a5deb14371c0a380102fbee915932f07ed713049fd8e82a03e69689f72027ba6
Instruction Fuzzy Hash: D411BF71500604AFEB21CF55DC45FA6FFB8EF55320F14846BEE499B251D274A508CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 027210E2, Relevance: 1.6, APIs: 1, Instructions: 60fileCOMMON

Download Yara Rule

APIs

DeleteFileA.KERNELBASE(?,00000E2C), ref: 0272114B

Memory Dump Source

Source File: 00000008.00000002.487970491.0000000002720000.00000040.00000001.sdmp, Offset: 02720000, based on PE: false

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: ff15ed3bc69d312cabc69899eed73277704b09e913bfd05cb23191720fcd6ca2
Instruction ID: f3bed663501ea7874cdde487314579a1a197de2111e22e560b7cc33ee0bf11e3
Opcode Fuzzy Hash: ff15ed3bc69d312cabc69899eed73277704b09e913bfd05cb23191720fcd6ca2
Instruction Fuzzy Hash: 1A112971600600BFF7209B25DC42FB6FB98EF05720F14C06AEE099B281D6B4A508CB71

Uniqueness

Uniqueness Score: -1.00%

Function 027202DE, Relevance: 1.6, APIs: 1, Instructions: 60registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNELBASE(?,00000E2C), ref: 02720353

Memory Dump Source

Source File: 00000008.00000002.487970491.0000000002720000.00000040.00000001.sdmp, Offset: 02720000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: bd54421105e8f30348042987aeaaa31644051c88797c5280053560db22dab547
Instruction ID: c498020ba38e513e696129b071815f293f733f995b60a19051d99993aef568dc
Opcode Fuzzy Hash: bd54421105e8f30348042987aeaaa31644051c88797c5280053560db22dab547
Instruction Fuzzy Hash: 1B110E31104700EFEB218F15DD81FAAFFA8EF05720F14849EEE455A292C2B1A508CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 00C2BB4F, Relevance: 1.6, APIs: 1, Instructions: 59windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 00C2BBB9

Memory Dump Source

Source File: 00000008.00000002.487090284.0000000000C2A000.00000040.00000001.sdmp, Offset: 00C2A000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: ed847ab05c02e774b8b2003983c6b0dc808872015a7097d69a5fe17b4c4f2e6a
Instruction ID: 262a724ca1e69f3a0d5b68f08a55b5e2bf07a0a9451e349eb3bb0acd82b94c80
Opcode Fuzzy Hash: ed847ab05c02e774b8b2003983c6b0dc808872015a7097d69a5fe17b4c4f2e6a
Instruction Fuzzy Hash: 1C1100350093C0AFDB228F21DC45B52FFB4EF06320F0884DEED858B563D265A808CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00C2BE05, Relevance: 1.6, APIs: 1, Instructions: 58windowCOMMON

Download Yara Rule

APIs

DispatchMessageW.USER32(?), ref: 00C2BE70

Memory Dump Source

Source File: 00000008.00000002.487090284.0000000000C2A000.00000040.00000001.sdmp, Offset: 00C2A000, based on PE: false

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: 49d2344c07c08ba0925f9d66ddbdb607adfc14cba75cab9ce458736fdb66a576
Instruction ID: 4e2a2b42134d7aa519211254420a80d9660f885205fdec1abcb600a0b0527b10
Opcode Fuzzy Hash: 49d2344c07c08ba0925f9d66ddbdb607adfc14cba75cab9ce458736fdb66a576
Instruction Fuzzy Hash: 40118E754097C0AFD7138B25DC44B61BFB4EF47624F0980DAED848F263D2656908CB72

Uniqueness

Uniqueness Score: -1.00%

Function 00C2B71E, Relevance: 1.6, APIs: 1, Instructions: 57windowCOMMON

Download Yara Rule

APIs

CreateIconFromResourceEx.USER32 ref: 00C2B78A

Memory Dump Source

Source File: 00000008.00000002.487090284.0000000000C2A000.00000040.00000001.sdmp, Offset: 00C2A000, based on PE: false

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: afc5d445d85f965ada8cb344459a6e8578b4bf6791709ceb525ef29c4c13e775
Instruction ID: 77ff9810d73541b9060e3077f2d363db55d5d2a58e534701effa772207319fa0
Opcode Fuzzy Hash: afc5d445d85f965ada8cb344459a6e8578b4bf6791709ceb525ef29c4c13e775
Instruction Fuzzy Hash: 5F11A231408380AFDB228F54DC44A52FFF4EF4A310F09859EEE858B522D375A818DB61

Uniqueness

Uniqueness Score: -1.00%

Function 00C2BEB4, Relevance: 1.6, APIs: 1, Instructions: 56fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(?), ref: 00C2BF0C

Memory Dump Source

Source File: 00000008.00000002.487090284.0000000000C2A000.00000040.00000001.sdmp, Offset: 00C2A000, based on PE: false

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: fd262d5eca0971f0a7277501b43b85f7b0a8d9e55103bb0406bd233fd5150e5c
Instruction ID: abd56242da15d32b18d1d7ad524b19587b3f89f2c74f4631d5f44141d2599f03
Opcode Fuzzy Hash: fd262d5eca0971f0a7277501b43b85f7b0a8d9e55103bb0406bd233fd5150e5c
Instruction Fuzzy Hash: A5118F715053809FD711CF65DC85B56FFE8EF46320F0884AAED45CB652D274E948CB61

Uniqueness

Uniqueness Score: -1.00%

Function 027215EB, Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNELBASE(?), ref: 0272164C

Memory Dump Source

Source File: 00000008.00000002.487970491.0000000002720000.00000040.00000001.sdmp, Offset: 02720000, based on PE: false

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: dbe668e8aed43b6780afbdb32283c8f5f987177450ea1586f3291a887bbe719e
Instruction ID: 9a861440b287662578a111b8f1184ec75b9bdfe4c68dfcdad2c3c6c33f42a486
Opcode Fuzzy Hash: dbe668e8aed43b6780afbdb32283c8f5f987177450ea1586f3291a887bbe719e
Instruction Fuzzy Hash: DE118B714093C4AFD7128B24D845B96BFF4EF46220F0D84EADD888F163C275A948CB61

Uniqueness

Uniqueness Score: -1.00%

Function 02721276, Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 027212BE

Memory Dump Source

Source File: 00000008.00000002.487970491.0000000002720000.00000040.00000001.sdmp, Offset: 02720000, based on PE: false

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 37bb59243ea852c8692e286024ca722161c7566822de0eecb1c76124dd9d8e52
Instruction ID: 9b433c3d99d29cc2a4f2bd800b4f410b9f74c2628b09dd704cd18a4a6770e26a
Opcode Fuzzy Hash: 37bb59243ea852c8692e286024ca722161c7566822de0eecb1c76124dd9d8e52
Instruction Fuzzy Hash: 30118E71A002009FEB10CF2AD885B57FBE8EF44220F08C4AAED09DB246D674E408CF71

Uniqueness

Uniqueness Score: -1.00%

Function 02720AD6, Relevance: 1.6, APIs: 1, Instructions: 53fileCOMMON

Download Yara Rule

APIs

CopyFileW.KERNELBASE(?,?,?), ref: 02720B1E

Memory Dump Source

Source File: 00000008.00000002.487970491.0000000002720000.00000040.00000001.sdmp, Offset: 02720000, based on PE: false

Similarity

API ID: CopyFile
String ID:
API String ID: 1304948518-0
Opcode ID: 37bb59243ea852c8692e286024ca722161c7566822de0eecb1c76124dd9d8e52
Instruction ID: a7ce18ca2f1329af165ff6ff32a597999fb44acdf9b81e961aec7d9035fcac1f
Opcode Fuzzy Hash: 37bb59243ea852c8692e286024ca722161c7566822de0eecb1c76124dd9d8e52
Instruction Fuzzy Hash: 09118EB16002049FDB20CF29DC85B66FFE8EF54224F18C4AADD09DB642E674E408CB71

Uniqueness

Uniqueness Score: -1.00%

Function 0272075A, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,?), ref: 0272079F

Memory Dump Source

Source File: 00000008.00000002.487970491.0000000002720000.00000040.00000001.sdmp, Offset: 02720000, based on PE: false

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: e5ddc64e43b6f09bf860b4cfdc1530d792bd0700edc4c777b4c4fcac459a90a6
Instruction ID: b5301f886d83ed615a876a5bec30f78f56d670e4ba22f3c2b5d86f8681e5dbaa
Opcode Fuzzy Hash: e5ddc64e43b6f09bf860b4cfdc1530d792bd0700edc4c777b4c4fcac459a90a6
Instruction Fuzzy Hash: 481179716002059FEB10CF29D884B6AFBE8AB14220F08C4AADD09DB742D774E808CF71

Uniqueness

Uniqueness Score: -1.00%

Function 02720932, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E2C,CFC42305,00000000,00000000,00000000,00000000), ref: 02720985

Memory Dump Source

Source File: 00000008.00000002.487970491.0000000002720000.00000040.00000001.sdmp, Offset: 02720000, based on PE: false

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 7591164c3b168dd89fac3f974ea435ab3b8d846d61b097b84545e6005243334f
Instruction ID: b4a1496fa435da25f87ee80457630e634a644400d29d4954a1a7f7669fdcdf4a
Opcode Fuzzy Hash: 7591164c3b168dd89fac3f974ea435ab3b8d846d61b097b84545e6005243334f
Instruction Fuzzy Hash: DC01D271500604AFE710CB19DC85FA6FFACEF55720F14C097EE85AB241D6B4A508CAB1

Uniqueness

Uniqueness Score: -1.00%

Function 00C2A75B, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

closesocket.WS2_32(?), ref: 00C2A7BC

Memory Dump Source

Source File: 00000008.00000002.487090284.0000000000C2A000.00000040.00000001.sdmp, Offset: 00C2A000, based on PE: false

Similarity

API ID: closesocket
String ID:
API String ID: 2781271927-0
Opcode ID: b695ae6f4de9508a8e4fbf397c88186444e188186542b76972d2e739e78dc8e0
Instruction ID: 21e590f41136224153d6538193ef9707692119fde4b0eb5055dc4938813e003f
Opcode Fuzzy Hash: b695ae6f4de9508a8e4fbf397c88186444e188186542b76972d2e739e78dc8e0
Instruction Fuzzy Hash: 08119E71449384AFD712CF15EC85B52BFB4EF46220F0884DAED489F253D275A948CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 02721772, Relevance: 1.5, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

K32EnumProcesses.KERNEL32(?,?,?,CFC42305,00000000,?,?,?,?,?,?,?,?,72F43C38), ref: 027217B2

Memory Dump Source

Source File: 00000008.00000002.487970491.0000000002720000.00000040.00000001.sdmp, Offset: 02720000, based on PE: false

Similarity

API ID: EnumProcesses
String ID:
API String ID: 84517404-0
Opcode ID: 8b3d0a8d005b6e988dec8720b0a4c75c4410d12698c89e2c7c36b633ebc175af
Instruction ID: 98155c9da9323debb76c720d7a162bfa38c5c31347da92b8bb5423e5c3498241
Opcode Fuzzy Hash: 8b3d0a8d005b6e988dec8720b0a4c75c4410d12698c89e2c7c36b633ebc175af
Instruction Fuzzy Hash: CF115B756006459FDB10CF69D884BA6FFE8FF44220F18C4AADD498B256D675E408CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00C2A8CC, Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 00C2A926

Memory Dump Source

Source File: 00000008.00000002.487090284.0000000000C2A000.00000040.00000001.sdmp, Offset: 00C2A000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 3b8d9e4661abea404fa3c092e446b3cea3fb1699e0e5a13ba6e50b20ad7dde98
Instruction ID: e5ed08928d7dd6057d4d56569a9790f71a42a743797e8f418c398314480cf161
Opcode Fuzzy Hash: 3b8d9e4661abea404fa3c092e446b3cea3fb1699e0e5a13ba6e50b20ad7dde98
Instruction Fuzzy Hash: C111CE31409784AFC7228F15DC85A52FFF4EF06320F09C4DAEE854B262D275A948CB62

Uniqueness

Uniqueness Score: -1.00%

Function 027230E6, Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

FormatMessageW.KERNELBASE(?,00000E2C,?,?), ref: 02723136

Memory Dump Source

Source File: 00000008.00000002.487970491.0000000002720000.00000040.00000001.sdmp, Offset: 02720000, based on PE: false

Similarity

API ID: FormatMessage
String ID:
API String ID: 1306739567-0
Opcode ID: 9eb4743a829276539c6557498e1b1f955276d11359073b04f25a9c9951c61162
Instruction ID: 86b9891f4881ac9b78c41f7663769d494c42d73bb7e930484d20bf44e47d5eed
Opcode Fuzzy Hash: 9eb4743a829276539c6557498e1b1f955276d11359073b04f25a9c9951c61162
Instruction Fuzzy Hash: 69015E72500600ABD710DF16DC86B66FBA8EB88A20F14856AED089B645E331B915CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 02720CCA, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetTempFileNameW.KERNELBASE(?,00000E2C,?,?), ref: 02720D1A

Memory Dump Source

Source File: 00000008.00000002.487970491.0000000002720000.00000040.00000001.sdmp, Offset: 02720000, based on PE: false

Similarity

API ID: FileNameTemp
String ID:
API String ID: 745986568-0
Opcode ID: cbac74d596aa464959c8836d22553e572d81ccebfd531ed20e7fa43df7dd8e31
Instruction ID: c6dcf7344609c5a1665406d9b75d8c64e5868596c807718715611deceee7ef9b
Opcode Fuzzy Hash: cbac74d596aa464959c8836d22553e572d81ccebfd531ed20e7fa43df7dd8e31
Instruction Fuzzy Hash: C4015E72500600ABD710DF16DC86B66FBA8FB88A20F14856AED089B645E231B915CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00C2BED2, Relevance: 1.5, APIs: 1, Instructions: 47fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(?), ref: 00C2BF0C

Memory Dump Source

Source File: 00000008.00000002.487090284.0000000000C2A000.00000040.00000001.sdmp, Offset: 00C2A000, based on PE: false

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: b7a945c33b280edeabe019fc9796e5dbe5a39a8c7b3ea6fc27ddb63c8776fa99
Instruction ID: 680f48180ffcfc708fa79b7cb559ce5d5a3f0781c735074da5578d38e5bf23f0
Opcode Fuzzy Hash: b7a945c33b280edeabe019fc9796e5dbe5a39a8c7b3ea6fc27ddb63c8776fa99
Instruction Fuzzy Hash: 5C0180756046009FD710CF6AE985766FBA8DF44320F18C4AADD09CB646D774E904CA61

Uniqueness

Uniqueness Score: -1.00%

Function 00C2A172, Relevance: 1.5, APIs: 1, Instructions: 47networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(?,00000E2C,?,?), ref: 00C2A1C2

Memory Dump Source

Source File: 00000008.00000002.487090284.0000000000C2A000.00000040.00000001.sdmp, Offset: 00C2A000, based on PE: false

Similarity

API ID: Startup
String ID:
API String ID: 724789610-0
Opcode ID: ff84907b77ec046125649f48865de3e36bf308b7c437193853ee26ed2cfc423c
Instruction ID: a50188b77c6e0b47b180b02c951b21c2ea6874e2b2c6ca4aec3515bad241f4a3
Opcode Fuzzy Hash: ff84907b77ec046125649f48865de3e36bf308b7c437193853ee26ed2cfc423c
Instruction Fuzzy Hash: 3F017171500600ABD710DF16DC86B76FBA8FBC8A20F14856AED089B745E335F915CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 027211C2, Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

SetKernelObjectSecurity.KERNELBASE(?,?,?), ref: 02721202

Memory Dump Source

Source File: 00000008.00000002.487970491.0000000002720000.00000040.00000001.sdmp, Offset: 02720000, based on PE: false

Similarity

API ID: KernelObjectSecurity
String ID:
API String ID: 3015937269-0
Opcode ID: e6c14541d60ae42ed51373f8be857863acf921ad95960298c7a2acb406b301d0
Instruction ID: 3ff45487a6464f47def4e7be1167ce96ecfa162d8f069681c926f7ff3f160169
Opcode Fuzzy Hash: e6c14541d60ae42ed51373f8be857863acf921ad95960298c7a2acb406b301d0
Instruction Fuzzy Hash: A0018C356006449FDB20CF65D885B66FBE4FF05220F48C0AAEE498B652D771E448CF71

Uniqueness

Uniqueness Score: -1.00%

Function 00C2A546, Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00C2A58A

Memory Dump Source

Source File: 00000008.00000002.487090284.0000000000C2A000.00000040.00000001.sdmp, Offset: 00C2A000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 98df4a5b4ea575f83e3ccd3553426f776835f55a368eb3cca07684e09706282d
Instruction ID: 3990b8c5e697682fa8a162d1cb976097e143ddae98b64a791a611e2a2e6fc797
Opcode Fuzzy Hash: 98df4a5b4ea575f83e3ccd3553426f776835f55a368eb3cca07684e09706282d
Instruction Fuzzy Hash: 69016D31400A00EFDB218F55E944B56FFE4EF48320F18C9AADE498AA16D275E418DF62

Uniqueness

Uniqueness Score: -1.00%

Function 00C2B746, Relevance: 1.5, APIs: 1, Instructions: 45windowCOMMON

Download Yara Rule

APIs

CreateIconFromResourceEx.USER32 ref: 00C2B78A

Memory Dump Source

Source File: 00000008.00000002.487090284.0000000000C2A000.00000040.00000001.sdmp, Offset: 00C2A000, based on PE: false

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: c98460960c0b39c7186d0852426b62ceca3b21be064ed9ba028cff6f89c44b7f
Instruction ID: 2ce327ff287285884617c2719c48197bdacd658ef5de5ef7d11e17060f5307ee
Opcode Fuzzy Hash: c98460960c0b39c7186d0852426b62ceca3b21be064ed9ba028cff6f89c44b7f
Instruction Fuzzy Hash: 2B016D31400600EFDB218F55E844B66FFE4EF48720F18C5AADE498AA26D375E818DF71

Uniqueness

Uniqueness Score: -1.00%

Function 02720232, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 02720264

Memory Dump Source

Source File: 00000008.00000002.487970491.0000000002720000.00000040.00000001.sdmp, Offset: 02720000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: ffb12451ecea70931bf3794319500a5d4750a7bbc60c36d14d69d1bca78bf20e
Instruction ID: ab67b65edfb4a8ec7dc6677fec08282ac12342c580158d394fcfe24bc88bf24d
Opcode Fuzzy Hash: ffb12451ecea70931bf3794319500a5d4750a7bbc60c36d14d69d1bca78bf20e
Instruction Fuzzy Hash: 4901DF719002009FDB108F29D884766FFE4EF44220F18C4ABDD098B206D675E408CB71

Uniqueness

Uniqueness Score: -1.00%

Function 02721B2E, Relevance: 1.5, APIs: 1, Instructions: 43registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,?,?), ref: 02721B7E

Memory Dump Source

Source File: 00000008.00000002.487970491.0000000002720000.00000040.00000001.sdmp, Offset: 02720000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 15e04aeaaf1676d3f1d9df4151d93c62a63c90e6df9b1422fa06945be0351d6c
Instruction ID: f83437bc63d77b38bfafab59f8e9238483b04231717aba0bb31ec902fa3ab650
Opcode Fuzzy Hash: 15e04aeaaf1676d3f1d9df4151d93c62a63c90e6df9b1422fa06945be0351d6c
Instruction Fuzzy Hash: B6014F76500604ABD210DF16DC86F26FBA8FB89B20F14815AED085B745E371F515CAA5

Uniqueness

Uniqueness Score: -1.00%

Function 027214C6, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 027214F8

Memory Dump Source

Source File: 00000008.00000002.487970491.0000000002720000.00000040.00000001.sdmp, Offset: 02720000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 60c6a1cef00238784e148b68d0c690d444abdea4e126452fe3522853e60cf2e3
Instruction ID: b93958e338eac2921d25c2ff21b8c23a9ea84d37e94defbb99d2357bce881f05
Opcode Fuzzy Hash: 60c6a1cef00238784e148b68d0c690d444abdea4e126452fe3522853e60cf2e3
Instruction Fuzzy Hash: 7E01DF715046009FDB10CF2AE885796FFE8EF44220F08C0ABDD0A8B206D2B4E408CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 00C2AF9A, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,00000E2C,?,?), ref: 00C2AFEA

Memory Dump Source

Source File: 00000008.00000002.487090284.0000000000C2A000.00000040.00000001.sdmp, Offset: 00C2A000, based on PE: false

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 798da99e8b6607d84fa507ccf4b2a273c5f7baddc19afacb070ec42b028b34d6
Instruction ID: ce6a149259d24e7bc17b44f3a8ab612887c903bee96b2adb0ba8ca8776e63f81
Opcode Fuzzy Hash: 798da99e8b6607d84fa507ccf4b2a273c5f7baddc19afacb070ec42b028b34d6
Instruction Fuzzy Hash: 22018F71500600ABD210DF16DC82B26FBA8FB88A20F14815AED084B741E331F515CAA5

Uniqueness

Uniqueness Score: -1.00%

Function 00C2BB7E, Relevance: 1.5, APIs: 1, Instructions: 42windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 00C2BBB9

Memory Dump Source

Source File: 00000008.00000002.487090284.0000000000C2A000.00000040.00000001.sdmp, Offset: 00C2A000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 606c4c19a68db2cce062198867b8f8dd923e7131065a6b857ef6f639fcf9d6ef
Instruction ID: 0ab79336befff42353bb25d818bc857d488466154844e0cdebac5b017d37119b
Opcode Fuzzy Hash: 606c4c19a68db2cce062198867b8f8dd923e7131065a6b857ef6f639fcf9d6ef
Instruction Fuzzy Hash: AE01B135504600DFDB208F16E845B66FFA4EF04320F18C09AEE458BA25D371E818DB61

Uniqueness

Uniqueness Score: -1.00%

Function 00C2A78A, Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

closesocket.WS2_32(?), ref: 00C2A7BC

Memory Dump Source

Source File: 00000008.00000002.487090284.0000000000C2A000.00000040.00000001.sdmp, Offset: 00C2A000, based on PE: false

Similarity

API ID: closesocket
String ID:
API String ID: 2781271927-0
Opcode ID: 1adda322f5bb3e51daf09cfae029170bb6551a002047b1ea3e5a5b7815ab5779
Instruction ID: 7fc7950a404fecb700b0d57d5a9e4862ef290b732e85eefd77859614849f440f
Opcode Fuzzy Hash: 1adda322f5bb3e51daf09cfae029170bb6551a002047b1ea3e5a5b7815ab5779
Instruction Fuzzy Hash: 5D01AD748046409FDB10CF15E984766FFE4EF44720F18C4AADE088F606D2B9A908CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 00C2B806, Relevance: 1.5, APIs: 1, Instructions: 38windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,?,?), ref: 00C2B841

Memory Dump Source

Source File: 00000008.00000002.487090284.0000000000C2A000.00000040.00000001.sdmp, Offset: 00C2A000, based on PE: false

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 0ef8bb467dd248ded8e37e1ea5469e72924a14df8b542890fec703d5c5b4a427
Instruction ID: f7d75ad1cd0850c838bb3903fb86243eb7ad540939c271137b8a59875b0c1797
Opcode Fuzzy Hash: 0ef8bb467dd248ded8e37e1ea5469e72924a14df8b542890fec703d5c5b4a427
Instruction Fuzzy Hash: 3A01A231400644DFDB208F16E984B66FFA4EF08320F18C09ADE494B666D375A918DF72

Uniqueness

Uniqueness Score: -1.00%

Function 00C2A8EE, Relevance: 1.5, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 00C2A926

Memory Dump Source

Source File: 00000008.00000002.487090284.0000000000C2A000.00000040.00000001.sdmp, Offset: 00C2A000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 6c860c965314ece121c65f638990a44bbec219fa0db1dd9572e63ac267c7f119
Instruction ID: 4e33f1c479cadc81b249f169a1ea5a0461816e611280608af107e57c528a5e46
Opcode Fuzzy Hash: 6c860c965314ece121c65f638990a44bbec219fa0db1dd9572e63ac267c7f119
Instruction Fuzzy Hash: E901D135400604DFDB209F06E885762FFA4EF09320F18C0AADE4A4B616D2B5A848DF72

Uniqueness

Uniqueness Score: -1.00%

Function 00C2A372, Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 00C2A3A4

Memory Dump Source

Source File: 00000008.00000002.487090284.0000000000C2A000.00000040.00000001.sdmp, Offset: 00C2A000, based on PE: false

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 0ac1eb4c8c5c0928339568b9ac4ce98ecfcd1c59c7f2d0a7bc7bb447355c0369
Instruction ID: 6b00133d8e66959bfe519266bcfd820f1f34f2722b460b34789a8845faf196a1
Opcode Fuzzy Hash: 0ac1eb4c8c5c0928339568b9ac4ce98ecfcd1c59c7f2d0a7bc7bb447355c0369
Instruction Fuzzy Hash: 48F08C34504744EFDB20CF16E985766FFA4EF04320F28C09ADD494BA26D6B9E508CE62

Uniqueness

Uniqueness Score: -1.00%

Function 00C2BE3E, Relevance: 1.5, APIs: 1, Instructions: 35windowCOMMON

Download Yara Rule

APIs

DispatchMessageW.USER32(?), ref: 00C2BE70

Memory Dump Source

Source File: 00000008.00000002.487090284.0000000000C2A000.00000040.00000001.sdmp, Offset: 00C2A000, based on PE: false

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: 0ac1eb4c8c5c0928339568b9ac4ce98ecfcd1c59c7f2d0a7bc7bb447355c0369
Instruction ID: ade067667b17c3e116ff41c6e277fc7a8a857f0205f2c78c55236d9df0c7a5ad
Opcode Fuzzy Hash: 0ac1eb4c8c5c0928339568b9ac4ce98ecfcd1c59c7f2d0a7bc7bb447355c0369
Instruction Fuzzy Hash: C8F0A435904A44DFD710CF15E8857A1FFA4EF04320F18C09ADE494B616D3B5A948DAB2

Uniqueness

Uniqueness Score: -1.00%

Function 026C0681, Relevance: 1.4, Strings: 1, Instructions: 135COMMON

Download Yara Rule

Strings

Z0r^, xrefs: 026C06A1, 026C06A6

Memory Dump Source

Source File: 00000008.00000002.487849920.00000000026C0000.00000040.00000001.sdmp, Offset: 026C0000, based on PE: false

Similarity

API ID:
String ID: Z0r^
API String ID: 0-2787802662
Opcode ID: dcdb533e89713450bfa52fee715125d4c47b5db18b29ae8b8a970063792d4484
Instruction ID: a12a7bec95d27484e2fa76b9a369d67f74dc15df1acd8771a8c6d11c7efe2f5c
Opcode Fuzzy Hash: dcdb533e89713450bfa52fee715125d4c47b5db18b29ae8b8a970063792d4484
Instruction Fuzzy Hash: 38413C71618210CBD7297B38ED1C76E3BA6EF80705B14467AE402C76B1DF614C02EBA5

Uniqueness

Uniqueness Score: -1.00%

Function 026C1458, Relevance: 1.4, Strings: 1, Instructions: 128COMMON

Download Yara Rule

Strings

$ghr, xrefs: 026C14C7

Memory Dump Source

Source File: 00000008.00000002.487849920.00000000026C0000.00000040.00000001.sdmp, Offset: 026C0000, based on PE: false

Similarity

API ID:
String ID: $ghr
API String ID: 0-1352911727
Opcode ID: 7dfe852be39d8a96bdfc9103820736c08c8b6a50915e6f323e8c9917df330b6b
Instruction ID: cc81b08c79b489502420544f730338a80a26ceebdf02844f9ea865f1af29a044
Opcode Fuzzy Hash: 7dfe852be39d8a96bdfc9103820736c08c8b6a50915e6f323e8c9917df330b6b
Instruction Fuzzy Hash: D151F734A01214CFDB14EF68D994BADBBB2BF49304F5040EAD40AAB766CB359D85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 026C8CC0, Relevance: 1.3, Strings: 1, Instructions: 98COMMON

Download Yara Rule

Strings

r*+, xrefs: 026C8DD7

Memory Dump Source

Source File: 00000008.00000002.487849920.00000000026C0000.00000040.00000001.sdmp, Offset: 026C0000, based on PE: false

Similarity

API ID:
String ID: r*+
API String ID: 0-3221063712
Opcode ID: ad8274855a8fa636cfb3aaf96e111414e61ca7635701157050996cb8f21ffb12
Instruction ID: c73ac4d3e15e398fc1c5de91f38d6d9fd3b5fb632f60bb59173abf131b0b851b
Opcode Fuzzy Hash: ad8274855a8fa636cfb3aaf96e111414e61ca7635701157050996cb8f21ffb12
Instruction Fuzzy Hash: 88412930E04209DFDB59EFA5C5856BEBBB1FF54304F2084AAD402A73A4D734AE42DB52

Uniqueness

Uniqueness Score: -1.00%

Function 026C21F8, Relevance: 1.3, Strings: 1, Instructions: 98COMMON

Download Yara Rule

Strings

r*+, xrefs: 026C230F

Memory Dump Source

Source File: 00000008.00000002.487849920.00000000026C0000.00000040.00000001.sdmp, Offset: 026C0000, based on PE: false

Similarity

API ID:
String ID: r*+
API String ID: 0-3221063712
Opcode ID: 855cd611d41c1ae0fc46efe56fc7d988cadf5090584cd752da9df293ea7142e6
Instruction ID: fed2ed003e45705f9c0e1d15fadafcbe3440f1fbbbbdd6957947b9e295754677
Opcode Fuzzy Hash: 855cd611d41c1ae0fc46efe56fc7d988cadf5090584cd752da9df293ea7142e6
Instruction Fuzzy Hash: 7B41FB70E04209DFCB48EBA5C5956BEBBB1FB44304F20806EDC0697265DB399A46CF51

Uniqueness

Uniqueness Score: -1.00%

Function 026C129F, Relevance: 1.3, Strings: 1, Instructions: 95COMMON

Download Yara Rule

Strings

$ghr, xrefs: 026C1349

Memory Dump Source

Source File: 00000008.00000002.487849920.00000000026C0000.00000040.00000001.sdmp, Offset: 026C0000, based on PE: false

Similarity

API ID:
String ID: $ghr
API String ID: 0-1352911727
Opcode ID: 461bb6dd9fa1a95394e1968efca5ddd0458114e3ad15b2aa61d2af0ca48cd1c3
Instruction ID: 64cea28c2abb630677e548c823632b1d046442da0f7348f95ff5e4e5b9068c1f
Opcode Fuzzy Hash: 461bb6dd9fa1a95394e1968efca5ddd0458114e3ad15b2aa61d2af0ca48cd1c3
Instruction Fuzzy Hash: 9B41D534A04218DFCB64EB68D894BADBBB1AF4A344F1040EAD40EAB756DB309D85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 026C8B08, Relevance: 1.3, Strings: 1, Instructions: 87COMMON

Download Yara Rule

Strings

B0r^, xrefs: 026C8B36, 026C8B3B

Memory Dump Source

Source File: 00000008.00000002.487849920.00000000026C0000.00000040.00000001.sdmp, Offset: 026C0000, based on PE: false

Similarity

API ID:
String ID: B0r^
API String ID: 0-2378324970
Opcode ID: 339adaf663303daf184778c2c8dff612e6a0577bfe96b3463b7bda93a082e0ae
Instruction ID: a6e8779684584015ba23d0862507aa9ee0497b228b13ff5e27378f65720193a2
Opcode Fuzzy Hash: 339adaf663303daf184778c2c8dff612e6a0577bfe96b3463b7bda93a082e0ae
Instruction Fuzzy Hash: 4B318C70B04200DFC759FB39E45866D3BA2EB84326725856EE107CB699EF34CC02CB91

Uniqueness

Uniqueness Score: -1.00%

Function 026CE2D9, Relevance: 1.3, Strings: 1, Instructions: 82COMMON

Download Yara Rule

Strings

lir, xrefs: 026CE393

Memory Dump Source

Source File: 00000008.00000002.487849920.00000000026C0000.00000040.00000001.sdmp, Offset: 026C0000, based on PE: false

Similarity

API ID:
String ID: lir
API String ID: 0-3872640509
Opcode ID: 9194be961987dbb1d480b221c0888d974e42776762912e42660c82186b08783a
Instruction ID: 84272631d38fb8a41d7c56e1ddceb9d78fcb0152b07059bd2776c7f7f2ad0edb
Opcode Fuzzy Hash: 9194be961987dbb1d480b221c0888d974e42776762912e42660c82186b08783a
Instruction Fuzzy Hash: 2C21B071A04A14CBCB18EB6990406BEBBF5EB88715F34447EE44ADB340DB76AC42CB91

Uniqueness

Uniqueness Score: -1.00%

Function 026CD879, Relevance: 1.3, Strings: 1, Instructions: 71COMMON

Download Yara Rule

Strings

m<0r^, xrefs: 026CD974

Memory Dump Source

Source File: 00000008.00000002.487849920.00000000026C0000.00000040.00000001.sdmp, Offset: 026C0000, based on PE: false

Similarity

API ID:
String ID: m<0r^
API String ID: 0-559260084
Opcode ID: f62759439776e9ba71b9b794f6f69bb3cd8d9f70bebea62ba79d76f9d5c74ad5
Instruction ID: c08167802896c1d3b25669796b1bfef3a5c924a21f35799cb0fc78b70b115dce
Opcode Fuzzy Hash: f62759439776e9ba71b9b794f6f69bb3cd8d9f70bebea62ba79d76f9d5c74ad5
Instruction Fuzzy Hash: BE212B707012118FDB49EF28D51505D7BA1EB8632D36489BCA5099F79AEF76DC07CB80

Uniqueness

Uniqueness Score: -1.00%

Function 026C61D4, Relevance: 1.3, Strings: 1, Instructions: 70COMMON

Download Yara Rule

Strings

X1kr, xrefs: 026C6251

Memory Dump Source

Source File: 00000008.00000002.487849920.00000000026C0000.00000040.00000001.sdmp, Offset: 026C0000, based on PE: false

Similarity

API ID:
String ID: X1kr
API String ID: 0-844551562
Opcode ID: 95d42c7b7e3c32564e1c14fc703cbab24102c32dc20319756d0ea50dfce7848d
Instruction ID: 4dd10855965a36779588547f7db6fda360bf68096db7c5fb0384f4d10fa3cfa0
Opcode Fuzzy Hash: 95d42c7b7e3c32564e1c14fc703cbab24102c32dc20319756d0ea50dfce7848d
Instruction Fuzzy Hash: E611A531B140549FCB14BBA8D4943BE3BA6DBC8320F64003ED506E7785DE298C02D76A

Uniqueness

Uniqueness Score: -1.00%

Function 026CCA80, Relevance: 1.3, Strings: 1, Instructions: 56COMMON

Download Yara Rule

Strings

=0r^, xrefs: 026CCB11, 026CCB16

Memory Dump Source

Source File: 00000008.00000002.487849920.00000000026C0000.00000040.00000001.sdmp, Offset: 026C0000, based on PE: false

Similarity

API ID:
String ID: =0r^
API String ID: 0-3198085920
Opcode ID: 8634692725d3f1d2285a43eab26b4fa2af6b4b3fdd6d9c0f19adae35d0f2c57e
Instruction ID: 76c804ff217684095dd3ac8be581782f39af1d7aa9eaa0dc445f3cab2976fc7d
Opcode Fuzzy Hash: 8634692725d3f1d2285a43eab26b4fa2af6b4b3fdd6d9c0f19adae35d0f2c57e
Instruction Fuzzy Hash: D8117C707042609FE305FB78E95872D3B9AEB89725F250469E50ADB389CA74EC42C794

Uniqueness

Uniqueness Score: -1.00%

Function 026CA6F0, Relevance: 1.3, Strings: 1, Instructions: 50COMMON

Download Yara Rule

Strings

Huir, xrefs: 026CA723

Memory Dump Source

Source File: 00000008.00000002.487849920.00000000026C0000.00000040.00000001.sdmp, Offset: 026C0000, based on PE: false

Similarity

API ID:
String ID: Huir
API String ID: 0-669697419
Opcode ID: 2515fe8678b109c04e9792aea6d7402770a71a449d4208fd7f19ebdd8003dd36
Instruction ID: 5b0a819171d68b7bc737a0682b6b9c7360d5b7861f08f6eb27f067f0d6465719
Opcode Fuzzy Hash: 2515fe8678b109c04e9792aea6d7402770a71a449d4208fd7f19ebdd8003dd36
Instruction Fuzzy Hash: A7F0283130825867C6587EAC7C60A7E7E6AFBC1620774423EF506CB3D5DE115C0293B6

Uniqueness

Uniqueness Score: -1.00%

Function 026C7811, Relevance: 1.3, Strings: 1, Instructions: 46COMMON

Download Yara Rule

Strings

Huir, xrefs: 026C7843

Memory Dump Source

Source File: 00000008.00000002.487849920.00000000026C0000.00000040.00000001.sdmp, Offset: 026C0000, based on PE: false

Similarity

API ID:
String ID: Huir
API String ID: 0-669697419
Opcode ID: f3e1792a8073b383d46654553207138b77efdc1c591c2eb3e69c9d1d2947d86d
Instruction ID: ac0922b7cd1305252bab69d9ef29732c519f8230a4345fa344c47976448bc5df
Opcode Fuzzy Hash: f3e1792a8073b383d46654553207138b77efdc1c591c2eb3e69c9d1d2947d86d
Instruction Fuzzy Hash: 59F0D13170D25057CB093A6C589097D7F5ADBC6270368427EA216CB2D6DD588C028366

Uniqueness

Uniqueness Score: -1.00%

Function 026C4710, Relevance: 1.3, Strings: 1, Instructions: 43COMMON

Download Yara Rule

Strings

X1kr, xrefs: 026C4747

Memory Dump Source

Source File: 00000008.00000002.487849920.00000000026C0000.00000040.00000001.sdmp, Offset: 026C0000, based on PE: false

Similarity

API ID:
String ID: X1kr
API String ID: 0-844551562
Opcode ID: 19202f4880d46a4ab04c5ce1a92c52cde762f6ee1b7ce2781c20df3ac8583331
Instruction ID: d792e370bad6ffbd5f028317f7a1efc2364c58923085edbb9cfb7336f375553b
Opcode Fuzzy Hash: 19202f4880d46a4ab04c5ce1a92c52cde762f6ee1b7ce2781c20df3ac8583331
Instruction Fuzzy Hash: 2FF0BB327012509BCA29B6FD94203BD32DADBC5765F64003FD60AC7780DD7AD8429761

Uniqueness

Uniqueness Score: -1.00%

Function 026C7820, Relevance: 1.3, Strings: 1, Instructions: 40COMMON

Download Yara Rule

Strings

Huir, xrefs: 026C7843

Memory Dump Source

Source File: 00000008.00000002.487849920.00000000026C0000.00000040.00000001.sdmp, Offset: 026C0000, based on PE: false

Similarity

API ID:
String ID: Huir
API String ID: 0-669697419
Opcode ID: f454c2ada7b56575208a590123391e61319045c219153c761670c43fd9ce736f
Instruction ID: c0c547dffde2f41741fb8dae9017cd93a658f4644880a9fa6c8a7018d5fcc6ac
Opcode Fuzzy Hash: f454c2ada7b56575208a590123391e61319045c219153c761670c43fd9ce736f
Instruction Fuzzy Hash: 1BF0B47170911053CA497A6DA880A3DBA8EEBC56707B4433EB216DB3D5DE509C0293A6

Uniqueness

Uniqueness Score: -1.00%

Function 026C63C8, Relevance: 1.3, Strings: 1, Instructions: 20COMMON

Download Yara Rule

Strings

lir, xrefs: 026C63D6

Memory Dump Source

Source File: 00000008.00000002.487849920.00000000026C0000.00000040.00000001.sdmp, Offset: 026C0000, based on PE: false

Similarity

API ID:
String ID: lir
API String ID: 0-3872640509
Opcode ID: 80090c14602e02cd73c10a5e4c1ea6c0adb81eba50af9c7ce94422e145a6b34e
Instruction ID: c5458d008d5d8624b781b00cdcf3e1849789cacc5b1d845f731f4ebfcb5b6830
Opcode Fuzzy Hash: 80090c14602e02cd73c10a5e4c1ea6c0adb81eba50af9c7ce94422e145a6b34e
Instruction Fuzzy Hash: 1CD0A735705224239A05BE7EAC0077F374D9BC0E50744446EF506D63C0DE019C0153DE

Uniqueness

Uniqueness Score: -1.00%

Function 026C63C7, Relevance: 1.3, Strings: 1, Instructions: 20COMMON

Download Yara Rule

Strings

lir, xrefs: 026C63D6

Memory Dump Source

Source File: 00000008.00000002.487849920.00000000026C0000.00000040.00000001.sdmp, Offset: 026C0000, based on PE: false

Similarity

API ID:
String ID: lir
API String ID: 0-3872640509
Opcode ID: 10febfa6f68f23122ba0bfa5b4adc864e61dec94a4cd313103ae58e2bb23763e
Instruction ID: 664f403aa0206e667f9c05e71ca5f2defbbbf493f44e0090cecfc40d9e24f514
Opcode Fuzzy Hash: 10febfa6f68f23122ba0bfa5b4adc864e61dec94a4cd313103ae58e2bb23763e
Instruction Fuzzy Hash: 99D05E357491642A9B15AA7968106BF3B4D9BC0A40704456EE407D63C1DE014806939E

Uniqueness

Uniqueness Score: -1.00%

Function 026C6468, Relevance: 1.3, Strings: 1, Instructions: 19COMMON

Download Yara Rule

Strings

%R0r^, xrefs: 026C6478, 026C647D

Memory Dump Source

Source File: 00000008.00000002.487849920.00000000026C0000.00000040.00000001.sdmp, Offset: 026C0000, based on PE: false

Similarity

API ID:
String ID: %R0r^
API String ID: 0-2452566540
Opcode ID: ea43cee6677fe19398b466b4c2d75c04f1c54eb4b67dc6f9392f2e415dbfe703
Instruction ID: 0bd3bc4766e3f57fc6018352e33475f03c9522c41b16e6e7fcb43b5706f442cc
Opcode Fuzzy Hash: ea43cee6677fe19398b466b4c2d75c04f1c54eb4b67dc6f9392f2e415dbfe703
Instruction Fuzzy Hash: 05D0A77131413467AE04E5ACD851C7AB78ECBC5714704846FA80AD7381CD72DC0243D0

Uniqueness

Uniqueness Score: -1.00%

Function 026C6467, Relevance: 1.3, Strings: 1, Instructions: 19COMMON

Download Yara Rule

Strings

%R0r^, xrefs: 026C6478, 026C647D

Memory Dump Source

Source File: 00000008.00000002.487849920.00000000026C0000.00000040.00000001.sdmp, Offset: 026C0000, based on PE: false

Similarity

API ID:
String ID: %R0r^
API String ID: 0-2452566540
Opcode ID: 729c1dde9ddbd585658e98f6dfb089246f6f2256d564f5f27c456507b275b372
Instruction ID: 43052b7c80f106180e4869704094409727e15fba4a86d9cb38fb9ac30ece69c4
Opcode Fuzzy Hash: 729c1dde9ddbd585658e98f6dfb089246f6f2256d564f5f27c456507b275b372
Instruction Fuzzy Hash: 0FD05B717580245B9F04D57C9851CBDA749CBC5714704446FE406D7781C9628C024780

Uniqueness

Uniqueness Score: -1.00%

Function 026CEBC8, Relevance: .4, Instructions: 378COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.487849920.00000000026C0000.00000040.00000001.sdmp, Offset: 026C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a76355a6d04914bac875548c71555eba41b4694a32cec64533cd484e001db08
Instruction ID: 98240bb6d5d2bf7a1c9a2e7a2c1de92f3739b5305a6daadb2e766e1891503ba4
Opcode Fuzzy Hash: 0a76355a6d04914bac875548c71555eba41b4694a32cec64533cd484e001db08
Instruction Fuzzy Hash: 4EE15C70A00245DFDB18EB69C494BBDBBF2EF48324F24855ED4169B791C736E882CB91

Uniqueness

Uniqueness Score: -1.00%

Function 026C85D8, Relevance: .2, Instructions: 249COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.487849920.00000000026C0000.00000040.00000001.sdmp, Offset: 026C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ff992111d75382149d572494afe41282abeeca3d5aa0333899e311db371094e
Instruction ID: d25bf24f0a179c4bc7af3df51b8c0b6d3e19d4386c4bfeb6ac5d1f21df23b296
Opcode Fuzzy Hash: 8ff992111d75382149d572494afe41282abeeca3d5aa0333899e311db371094e
Instruction Fuzzy Hash: F1A13875D04219CFCB29EFA8C584AADBBF1FF48314F20856AD416A7790E731A846CB91

Uniqueness

Uniqueness Score: -1.00%

Function 026CB190, Relevance: .2, Instructions: 243COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.487849920.00000000026C0000.00000040.00000001.sdmp, Offset: 026C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da177662ef92a764b995c38a88bc8f3c4d6d9f4c314004e70f76f41699487c47
Instruction ID: e81b994b490366db5f51a3fb0d8d2321c028cb3623bba084ab12246b07d69572
Opcode Fuzzy Hash: da177662ef92a764b995c38a88bc8f3c4d6d9f4c314004e70f76f41699487c47
Instruction Fuzzy Hash: F281D130B005159BD704EB68C891A6E7BA6FFC4314FA0867CE2059B699DF70AC129BD1

Uniqueness

Uniqueness Score: -1.00%

Function 026C64D0, Relevance: .2, Instructions: 241COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.487849920.00000000026C0000.00000040.00000001.sdmp, Offset: 026C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7decd5de5fb03628ec9f9c4d8858613631805b849faf41e668a6a15357d2cc4
Instruction ID: bd198ba3edf8e978b3cea58a8574093d427aa29b310690f070ddeb70811f55ed
Opcode Fuzzy Hash: b7decd5de5fb03628ec9f9c4d8858613631805b849faf41e668a6a15357d2cc4
Instruction Fuzzy Hash: 8681A031A00619CFCF15DF14C8906EAB7B6EF85304F65C4A9C90AAF205DB71EA86CF94

Uniqueness

Uniqueness Score: -1.00%

Function 026CA8B8, Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.487849920.00000000026C0000.00000040.00000001.sdmp, Offset: 026C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62d9b3b7a8cd09a6f6b5f0d3b5cd3340ab60571a0b6b8e6482ce4f619519beb2
Instruction ID: bb53ed5aebe9d72ca49cce0f9e69977f3c5fa73bfcac984e9c28d1389c8b408d
Opcode Fuzzy Hash: 62d9b3b7a8cd09a6f6b5f0d3b5cd3340ab60571a0b6b8e6482ce4f619519beb2
Instruction Fuzzy Hash: 7A51E270A04109CBD718EFE9C59467EBBA2EB84314F30896EC14B9B745DB75EC42CB91

Uniqueness

Uniqueness Score: -1.00%

Function 026C7988, Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.487849920.00000000026C0000.00000040.00000001.sdmp, Offset: 026C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: edd31f28311ba0226a60fe569c7e7dddbaec7b9d988db6a8c9d2117b238b6025
Instruction ID: c569284b79305c299bea8fe47ec19e73923d36b853539c4f45348cd9779f3529
Opcode Fuzzy Hash: edd31f28311ba0226a60fe569c7e7dddbaec7b9d988db6a8c9d2117b238b6025
Instruction Fuzzy Hash: 4631F831900619CBDF15DF54CC546DABBB6EF85305F518498D9097B215DBB06B8ACF80

Uniqueness

Uniqueness Score: -1.00%

Function 026C75D8, Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.487849920.00000000026C0000.00000040.00000001.sdmp, Offset: 026C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53bf5e190e9904242fa33d7cd1b1a77f27402dbce7ca11f78c7e55a86dd618c6
Instruction ID: 0ae80d18d52a308c328442b6d501c5fcf7506ae208f6c6131723ab20a8f13950
Opcode Fuzzy Hash: 53bf5e190e9904242fa33d7cd1b1a77f27402dbce7ca11f78c7e55a86dd618c6
Instruction Fuzzy Hash: 1E513031B002148BCB09EBB9C4506AEF7F7EFC4314B24856DC80AAB355DE35AC42CB94

Uniqueness

Uniqueness Score: -1.00%

Function 026C7F19, Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.487849920.00000000026C0000.00000040.00000001.sdmp, Offset: 026C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d09aa375936e817c30879a9dae193620775e1a665dad7c89b79755df192db9d8
Instruction ID: 5b890f136ae979c31f408cfa9eb95d090f87ffc72d9a4021f192fed7e84d6d46
Opcode Fuzzy Hash: d09aa375936e817c30879a9dae193620775e1a665dad7c89b79755df192db9d8
Instruction Fuzzy Hash: 25512730A00215CFDB25EB78C594AADBBF6FF85354F2092A9D40A9B395DB30A841CB61

Uniqueness

Uniqueness Score: -1.00%

Function 026C5920, Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.487849920.00000000026C0000.00000040.00000001.sdmp, Offset: 026C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de1bdcd903f4a5849b863b5df53be7a3760a27dd86e5c010691fc8b1f28d7d14
Instruction ID: 868d3b92675e3de5688f284fb8bd95b9ff4fc98a106668da2a316d76d1e8cbb9
Opcode Fuzzy Hash: de1bdcd903f4a5849b863b5df53be7a3760a27dd86e5c010691fc8b1f28d7d14
Instruction Fuzzy Hash: BD417C30B152418BDB187BB69C1433E36A6EFC4611BA485ADE807E7395EF35E802CB95

Uniqueness

Uniqueness Score: -1.00%

Function 026C7158, Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.487849920.00000000026C0000.00000040.00000001.sdmp, Offset: 026C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 016573159f18cfa530f299aae31503905381e002eab6d874f7d1ef7f49f90c74
Instruction ID: 01205fd4a0f22d047caef26c5682399ed276d79456a9fc4fcf0094181f40fc0c
Opcode Fuzzy Hash: 016573159f18cfa530f299aae31503905381e002eab6d874f7d1ef7f49f90c74
Instruction Fuzzy Hash: A7418B34602250CFCB05FB69A56016EBBF2BB8D311364006DDD0A9BB96DF3A9C46DB91

Uniqueness

Uniqueness Score: -1.00%

Function 026CB530, Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.487849920.00000000026C0000.00000040.00000001.sdmp, Offset: 026C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d92a7bbb4871e5808cefc4d16543244cf6e505243488d37ec1ac991019fd06d
Instruction ID: 5cce3fea120cc3cae17e49d66a5db33fd8320e9b6beadf281741193b5bf2aec8
Opcode Fuzzy Hash: 6d92a7bbb4871e5808cefc4d16543244cf6e505243488d37ec1ac991019fd06d
Instruction Fuzzy Hash: A141C371B006648BCB14EBAAD8916BEB7F2FF88318B60442DE45AD7754DB34EC41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 026C7168, Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.487849920.00000000026C0000.00000040.00000001.sdmp, Offset: 026C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 094be885b5dcb05bd8c6747f3017fb254d33df3c63c265aac52d5dffed4a208b
Instruction ID: cbab2fa218e105acd493310a2c8cccdae1969638584caf8992f30d4c6b99ba7a
Opcode Fuzzy Hash: 094be885b5dcb05bd8c6747f3017fb254d33df3c63c265aac52d5dffed4a208b
Instruction Fuzzy Hash: E7417C34602250CF8B05FB69E15016EB7E2FB8C215364006CDD0A97B8ADF3A9C42DB91

Uniqueness

Uniqueness Score: -1.00%

Function 026CE628, Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.487849920.00000000026C0000.00000040.00000001.sdmp, Offset: 026C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91174f670f0c3f0ab12febbee20a567d9b384f4e69c1717a6b9a357c58173401
Instruction ID: 102bf0041a7c40b15dc53cf6f8c54682f6b4236fce90d93ddfe91c7f7183703a
Opcode Fuzzy Hash: 91174f670f0c3f0ab12febbee20a567d9b384f4e69c1717a6b9a357c58173401
Instruction Fuzzy Hash: D7414C71A11205CFCB58FF6AC544ABEBBB1EB48214F34916DD40AA7342D7369D42CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 026C02D9, Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.487849920.00000000026C0000.00000040.00000001.sdmp, Offset: 026C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75fded25f23e13c43cc9ee77380a610ec065db531a3618aea9ac317f04d11427
Instruction ID: 0a54548d1cb11fa18a9382438f7870f2ee3e48394c80edff867c54e09ba02ca8
Opcode Fuzzy Hash: 75fded25f23e13c43cc9ee77380a610ec065db531a3618aea9ac317f04d11427
Instruction Fuzzy Hash: 1E417C30E05205CFDB18EB68C4A4BBEBBB2EF88710F24846DD506AB7A1DB719C01CB51

Uniqueness

Uniqueness Score: -1.00%

Function 026C20D0, Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.487849920.00000000026C0000.00000040.00000001.sdmp, Offset: 026C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e948446499a5484889d5f4a0450c4defb154d27966fde072ae30d3a24326857f
Instruction ID: d72f025f3873b7f953041df8e84c4b2cd29be056ef6a5b430dc720a48139bfcf
Opcode Fuzzy Hash: e948446499a5484889d5f4a0450c4defb154d27966fde072ae30d3a24326857f
Instruction Fuzzy Hash: E7317230B09286DFCB05EF68C8A067E7BB1EB85310B25806BCE559B795D7709C42C791

Uniqueness

Uniqueness Score: -1.00%

Function 026CE8A7, Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.487849920.00000000026C0000.00000040.00000001.sdmp, Offset: 026C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19f5c3ed8c81cdd502555cd959ff81edcf8c915bb9dcacff04d7aa1ba9168052
Instruction ID: 1f6aeb5d6114cb0740ab968cd21f63b9ef467bc25d9e3ec05113f88525d3e4a5
Opcode Fuzzy Hash: 19f5c3ed8c81cdd502555cd959ff81edcf8c915bb9dcacff04d7aa1ba9168052
Instruction Fuzzy Hash: B9316D30B01604DFCB68EB6984806AEBBF6FB88310B60443DD50697795EB76DC42CB91

Uniqueness

Uniqueness Score: -1.00%

Function 026C45C8, Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.487849920.00000000026C0000.00000040.00000001.sdmp, Offset: 026C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71af4e8f052e2a0c80de33ba6db12815eead2f8700befbb003f3beda26519ae5
Instruction ID: da0e13c0ff6ccec83d33879e92eed1904518d82cb0cf803bc1b250b03bd1b8ad
Opcode Fuzzy Hash: 71af4e8f052e2a0c80de33ba6db12815eead2f8700befbb003f3beda26519ae5
Instruction Fuzzy Hash: 08219571B041199BDB04FA9ADD91AFEB3B9EB84304F30412AE619D3245EF705905C761

Uniqueness

Uniqueness Score: -1.00%

Function 026CF120, Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.487849920.00000000026C0000.00000040.00000001.sdmp, Offset: 026C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e6ca54a9c581c08f0dd15688f3730bf908a019cf6f750f7db1c6f3a569fdd66
Instruction ID: bb0855d166294b33d56335619dd1dca9c3bba3a1f00beeacc454ca96f7bec336
Opcode Fuzzy Hash: 3e6ca54a9c581c08f0dd15688f3730bf908a019cf6f750f7db1c6f3a569fdd66
Instruction Fuzzy Hash: E7410870504B51CBD339EB6AC540776BBF2EF85309F24886EC09A86FA4CB79A446CB40

Uniqueness

Uniqueness Score: -1.00%

Function 026C50E0, Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.487849920.00000000026C0000.00000040.00000001.sdmp, Offset: 026C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33b0d7c7b7f51b5a8fdfb97f7a01eae18f90a9e787887c1bc146cc3472c66fbd
Instruction ID: 69ca13914a987d752a33129c63846f61d697edec3471a2d24ae899f201a7dfdb
Opcode Fuzzy Hash: 33b0d7c7b7f51b5a8fdfb97f7a01eae18f90a9e787887c1bc146cc3472c66fbd
Instruction Fuzzy Hash: 4D215171A003099FDF04EFA9C8186AEBBF6EF84300F644529D50ABB755DB746946CB80

Uniqueness

Uniqueness Score: -1.00%

Function 026CF238, Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.487849920.00000000026C0000.00000040.00000001.sdmp, Offset: 026C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd02d5079acbdaf91982144a300d9d6863d109c7cf861a3ee26bd7122b84583c
Instruction ID: 95327200a16280cfc261a9aa9fa4fd482508960a0164b1e4167dfb247399b3a0
Opcode Fuzzy Hash: dd02d5079acbdaf91982144a300d9d6863d109c7cf861a3ee26bd7122b84583c
Instruction Fuzzy Hash: E0311474A00248EFCB04DFA8C580AADBBF2FF48314F24846ED409AB715D736A942CF90

Uniqueness

Uniqueness Score: -1.00%

Function 026C5831, Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.487849920.00000000026C0000.00000040.00000001.sdmp, Offset: 026C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a8cc031712895cf331b60d4144db99b4c1844a54d0a4532f029ad6fb64317f7
Instruction ID: 8bd4a2d5fb82f1a5cafe4147a82871818c913e89c688ee10f413f4bf31518523
Opcode Fuzzy Hash: 0a8cc031712895cf331b60d4144db99b4c1844a54d0a4532f029ad6fb64317f7
Instruction Fuzzy Hash: CE21F3317090549BCB08B7B99C609BEBBA6EFC8214BA0417ED407AB691DD745C06C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 026C5B51, Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.487849920.00000000026C0000.00000040.00000001.sdmp, Offset: 026C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c13d1a381b424af4ee43914c61643cea2ea7f1354536affee43536582ba21f9
Instruction ID: d9f9b81193a40f1c3c978c35aa03cca682737f61e56dfb57bbb60bd02c4df38f
Opcode Fuzzy Hash: 7c13d1a381b424af4ee43914c61643cea2ea7f1354536affee43536582ba21f9
Instruction Fuzzy Hash: 7821AE71B051059FCB19AAB9C8605FEBAE2ABC9210BA4447ED407FB781DD35DC428BA1

Uniqueness

Uniqueness Score: -1.00%

Function 026CE43C, Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.487849920.00000000026C0000.00000040.00000001.sdmp, Offset: 026C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce97e3968a2871fd491d4815ab1c6d357256743a667fcc6d72faeefa0b0c8b25
Instruction ID: 3c57adcd092d5a20e70a77db1a95c8f796235226bc5308d71cdfc2d1686c7078
Opcode Fuzzy Hash: ce97e3968a2871fd491d4815ab1c6d357256743a667fcc6d72faeefa0b0c8b25
Instruction Fuzzy Hash: F8313A313003128FC759A778C45166E7BE3AFC17187A4892CD1469F798DEB6ED039B84

Uniqueness

Uniqueness Score: -1.00%

Function 026C75D7, Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.487849920.00000000026C0000.00000040.00000001.sdmp, Offset: 026C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7328848f961f3da54923f5287a9067d4b72c0d5576ce8e75d44883a08e65776d
Instruction ID: 9c27f9536b0d38ca8a8f82ceec23eccfada215cfe38275447de9b48c6856fcc0
Opcode Fuzzy Hash: 7328848f961f3da54923f5287a9067d4b72c0d5576ce8e75d44883a08e65776d
Instruction Fuzzy Hash: 37312F31E042188FCB09EBB9C4509AEFBF3EF84314B24856DC816AB355DA31AD46CB90

Uniqueness

Uniqueness Score: -1.00%

Function 026C43D0, Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.487849920.00000000026C0000.00000040.00000001.sdmp, Offset: 026C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b76db9e3096e50b792b80b93f12a58e533c3e8307d7cd206a7ade56ca0a1b2a
Instruction ID: 2f4564db63c43a6520a48aeb14f14580ca5aab0b931370919b12f436e12da116
Opcode Fuzzy Hash: 2b76db9e3096e50b792b80b93f12a58e533c3e8307d7cd206a7ade56ca0a1b2a
Instruction Fuzzy Hash: 9231DF31611115CFCB04FF68ED54AAE7BB2FF84318B2481A9E5069B27ACB31A957DF40

Uniqueness

Uniqueness Score: -1.00%

Function 026C55E8, Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.487849920.00000000026C0000.00000040.00000001.sdmp, Offset: 026C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cfc0bf4bf77a0ce6fa873903f9df707ee1ef27bdf97b1d977972ca48c788a3b
Instruction ID: 70494a87205f17ab31da969d61967f016f22efa4035b1dc4629ab0f4bab81b61
Opcode Fuzzy Hash: 3cfc0bf4bf77a0ce6fa873903f9df707ee1ef27bdf97b1d977972ca48c788a3b
Instruction Fuzzy Hash: E621F430B102058BDB18BF79C8507BE7AE2EB88710F68006EE502FB3E0DEB159458790

Uniqueness

Uniqueness Score: -1.00%

Function 026CAE18, Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.487849920.00000000026C0000.00000040.00000001.sdmp, Offset: 026C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0bd823a91acdf56793d7c517ddf3bffc87fa17e0bb7819bdf9db49921ea17e7
Instruction ID: 8abc94307bf403f58f189912ff09c16902fea2bdb1c2acbf19b41aa505a23ae1
Opcode Fuzzy Hash: e0bd823a91acdf56793d7c517ddf3bffc87fa17e0bb7819bdf9db49921ea17e7
Instruction Fuzzy Hash: 4B216570B00209DBCB18EFB9D8419AEB7B5FB88750F20496DE142AB744DB70AC41D7E4

Uniqueness

Uniqueness Score: -1.00%

Function 026C50D0, Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.487849920.00000000026C0000.00000040.00000001.sdmp, Offset: 026C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c455b691657f6ae4c65c9aec3a85ff0000227293ffd3cd4e4acab7d852475a86
Instruction ID: fc8418c63153f436d4f61aa4756a4a99731d74a827ac3ee037249ccffd6050c6
Opcode Fuzzy Hash: c455b691657f6ae4c65c9aec3a85ff0000227293ffd3cd4e4acab7d852475a86
Instruction Fuzzy Hash: 8121B0719053198FDF00DFA8D8186EEBFB1EF84314F604569C50ABB251D770664ACB81

Uniqueness

Uniqueness Score: -1.00%

Function 026C6F8C, Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.487849920.00000000026C0000.00000040.00000001.sdmp, Offset: 026C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 253698a6b7401985242e7c64d0c78aee8cedbf2da25d94519796974d6a4903a3
Instruction ID: 73c03086a6f9e0875cac6dbe0d2d761b2a831824fd26fa9e8f27aa60a9372a96
Opcode Fuzzy Hash: 253698a6b7401985242e7c64d0c78aee8cedbf2da25d94519796974d6a4903a3
Instruction Fuzzy Hash: A9318930610340CBC718EB38E5550ADBBA2EF853293548A7CE1079B749EF76AC07EB81

Uniqueness

Uniqueness Score: -1.00%

Function 026CB520, Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.487849920.00000000026C0000.00000040.00000001.sdmp, Offset: 026C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: edbfc9ee59e0e654e4daa88b8863559965264d2a9a7109327541a09d1b8f9443
Instruction ID: eeddab5a61941619ff87965df700d6085aba205f275a0c46f623883f68d9ae64
Opcode Fuzzy Hash: edbfc9ee59e0e654e4daa88b8863559965264d2a9a7109327541a09d1b8f9443
Instruction Fuzzy Hash: 8C21C1B2A002654BCB04DFA9D8455BEFBB2FB89314F24443EE459E7241D334AD11CB90

Uniqueness

Uniqueness Score: -1.00%

Function 026C90A6, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.487849920.00000000026C0000.00000040.00000001.sdmp, Offset: 026C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03f4c32389f7e87d344b17f6b9f8ea16383c0577e96757ad9abd8dbfea0dc2ee
Instruction ID: 558a257f96645b3ce0f1ce0f7d0463311bab239ffd1ad4a549882adb9357e30a
Opcode Fuzzy Hash: 03f4c32389f7e87d344b17f6b9f8ea16383c0577e96757ad9abd8dbfea0dc2ee
Instruction Fuzzy Hash: 9331AE30E01205CBDB50EFA5C48476DBBB1FF84325F20856DC4059B358DBB49885DF81

Uniqueness

Uniqueness Score: -1.00%

Function 026C25DE, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.487849920.00000000026C0000.00000040.00000001.sdmp, Offset: 026C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 325045471faee05c33afdb7f110e1662abae8b42c696cc41eb23b308a3ed3ec2
Instruction ID: c42fe8474850dd1a936adedde9743f3481a6b98182dd52e47e07ef8f49be4c6b
Opcode Fuzzy Hash: 325045471faee05c33afdb7f110e1662abae8b42c696cc41eb23b308a3ed3ec2
Instruction Fuzzy Hash: FC318D70A10286CFDB60EF69D95476EBBB2FF84314F20C52DC8059B265DBB49989CF81

Uniqueness

Uniqueness Score: -1.00%

Function 026CAE09, Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.487849920.00000000026C0000.00000040.00000001.sdmp, Offset: 026C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c449ec937aeaa1d680113524b8385f85736b90ab80e833fb81f2a52e0b7152a
Instruction ID: 4c236be9435e4a9ac56207c79d71c8bd4038f1f0538a1e7fc2456f8b6c3543bf
Opcode Fuzzy Hash: 7c449ec937aeaa1d680113524b8385f85736b90ab80e833fb81f2a52e0b7152a
Instruction Fuzzy Hash: A111A2B0B1421CABCB18AFA9E841A7E76B5EB8C744F20496DE542D7380DB709C01E7E1

Uniqueness

Uniqueness Score: -1.00%

Function 026C8CB0, Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.487849920.00000000026C0000.00000040.00000001.sdmp, Offset: 026C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e0c7f6dfea9b9c87132835a6ab2745492e3847ec8a24a0c756b39523cc40276
Instruction ID: 6ab6c7a041a7b722322895e23128c82a530f826fb5fd98f3e847dd169a0df727
Opcode Fuzzy Hash: 2e0c7f6dfea9b9c87132835a6ab2745492e3847ec8a24a0c756b39523cc40276
Instruction Fuzzy Hash: D4315930A04209DFCB6AEFA8D1556BDBBB1FF55304F2044AED402AB394D734AE42DB52

Uniqueness

Uniqueness Score: -1.00%

Function 026C5840, Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.487849920.00000000026C0000.00000040.00000001.sdmp, Offset: 026C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d8587fee1d7e50307ecaccd4a3a6049021f58f6e5c690e616da773c56db7701
Instruction ID: e94d9f57fcb26a05157cb8dfff4097e46e0982fe9f034c40b22e78a003b7037a
Opcode Fuzzy Hash: 9d8587fee1d7e50307ecaccd4a3a6049021f58f6e5c690e616da773c56db7701
Instruction Fuzzy Hash: 8311BE307111549BCB0CB7BA9C6093FBAEBEFC8314BA0453E9407AB795DD74AC0187A1

Uniqueness

Uniqueness Score: -1.00%

Function 026C21F7, Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.487849920.00000000026C0000.00000040.00000001.sdmp, Offset: 026C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: daa6fdc8986bd4102bb623e84af75d437cf130260819b3cb8258401a90db636f
Instruction ID: 831a63423d10b540dea0d35431e6caf442ad6fa9aac976e37ef656f3645fe344
Opcode Fuzzy Hash: daa6fdc8986bd4102bb623e84af75d437cf130260819b3cb8258401a90db636f
Instruction Fuzzy Hash: F921FD70D08209DFCB48EFA8C5A57BDBBB1FB44304F20416EDC0297669DB799A45CB52

Uniqueness

Uniqueness Score: -1.00%

Function 026CE740, Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.487849920.00000000026C0000.00000040.00000001.sdmp, Offset: 026C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c879b61447be3db786880ef9c5915af44f0ef509fb7c935e63cea219dcfc212f
Instruction ID: 19991603e269798284f013db022be48a98da0574a667c8c8bea727eab3de3bc7
Opcode Fuzzy Hash: c879b61447be3db786880ef9c5915af44f0ef509fb7c935e63cea219dcfc212f
Instruction Fuzzy Hash: 94215E71A05105DFCB68EA68C545ABAB7F5EB58714B34807ED606E3201E336AD03CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 026CE750, Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.487849920.00000000026C0000.00000040.00000001.sdmp, Offset: 026C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b57a7fab3f0378a2a4244ba43a58c2f0bf607f96d14c75c6afddd6db29c974bc
Instruction ID: 46610ade8ecd1f786959d732bf31f8b6ca9ba2e97579758e7ffecc2307caede9
Opcode Fuzzy Hash: b57a7fab3f0378a2a4244ba43a58c2f0bf607f96d14c75c6afddd6db29c974bc
Instruction Fuzzy Hash: 45214D31A04114DFCB58EFA8C551ABEB7F5EB88710B30806ED60AE7640D736AD12CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 026C5000, Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.487849920.00000000026C0000.00000040.00000001.sdmp, Offset: 026C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85b0f26f1fad0d880b74ce59bf24d610868784f05c24addfd5c1483a1ba34c2b
Instruction ID: fae46f1c8ff4b3abff0e76e983645ef733e8b16b242c391735d6fd9ccbfc5a65
Opcode Fuzzy Hash: 85b0f26f1fad0d880b74ce59bf24d610868784f05c24addfd5c1483a1ba34c2b
Instruction Fuzzy Hash: 65116031B05255CFCB48BBB8985037E7BA1EB84624BA5457DC906E7385EF30A902CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 026C48C7, Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.487849920.00000000026C0000.00000040.00000001.sdmp, Offset: 026C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 777844ddf0a1f84946c65a51f53b9e623aed3898aefc982a9eacd40559b58dc2
Instruction ID: 05fcb2f9147f5d8d76f503fecb8302709c86e3e1c84fb7fdd43cb71d09ef85d5
Opcode Fuzzy Hash: 777844ddf0a1f84946c65a51f53b9e623aed3898aefc982a9eacd40559b58dc2
Instruction Fuzzy Hash: CE119132A051299ACF1DEAA8D8609FEBBB7EFC4710F14542ED906B7281DE205A078791

Uniqueness

Uniqueness Score: -1.00%

Function 026CC9D8, Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.487849920.00000000026C0000.00000040.00000001.sdmp, Offset: 026C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 099477f6a8e7799bc40a894b40bc729703f483321eb77bb971b815b9439e2951
Instruction ID: 585c023e4256e4fc7aef9cf2ad5f89d5eb9e0f8db3105c1114a2f7a2f9d58e2f
Opcode Fuzzy Hash: 099477f6a8e7799bc40a894b40bc729703f483321eb77bb971b815b9439e2951
Instruction Fuzzy Hash: AB112E747046048FC718EB6CC494D7ABBE6EF89314725859EE45AC7361DB30EC418B50

Uniqueness

Uniqueness Score: -1.00%

Function 026CCD68, Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.487849920.00000000026C0000.00000040.00000001.sdmp, Offset: 026C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bc9031ed34e695fdcba7d2fb3058f70d3e7e6d03e809bc8b98b1804c2a94c4a
Instruction ID: 091f55c678fcfb633bfc1d76ed933c1cf0ce27438e3fc1d94ac8ac824ffbe3cb
Opcode Fuzzy Hash: 3bc9031ed34e695fdcba7d2fb3058f70d3e7e6d03e809bc8b98b1804c2a94c4a
Instruction Fuzzy Hash: 4A113D70700110ABC748BB69D450A7E7BE7DBC9754724806EE80A9B791CF31AC12DB95

Uniqueness

Uniqueness Score: -1.00%

Function 026C451F, Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.487849920.00000000026C0000.00000040.00000001.sdmp, Offset: 026C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0df929e5b85312d54e7d67af6fbf687d08860d95f0166b847f4404667dcb8592
Instruction ID: 9cd9fe377f14d7f27b7be282224a49aecbff322d4b703c085a18db89ce8f2cc6
Opcode Fuzzy Hash: 0df929e5b85312d54e7d67af6fbf687d08860d95f0166b847f4404667dcb8592
Instruction Fuzzy Hash: 1E01C472E085148BCF08EA59A4202FFB7A2DFC5311F64417EAD06EB380DE769906CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02730846, Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.487990211.0000000002730000.00000040.00000040.sdmp, Offset: 02730000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24b2e16f4df0942e62b4d4191c6ab40913fafb4d397f77cb08c8bbf59baed87d
Instruction ID: 0d23167d4e676e56463e60c47f079d639ce2cd2613b1a45690430f416a9edda9
Opcode Fuzzy Hash: 24b2e16f4df0942e62b4d4191c6ab40913fafb4d397f77cb08c8bbf59baed87d
Instruction Fuzzy Hash: 00214C7510A3C48FD707CB20D850B55BFB1AF57318F1A85DAD8898F6A3C33A8806CB52

Uniqueness

Uniqueness Score: -1.00%

Function 0273087C, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.487990211.0000000002730000.00000040.00000040.sdmp, Offset: 02730000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d78f9f58af8eb50fde39e65dc1e58648494abf32d24f4ebf1cc865bdd07ad78
Instruction ID: 0460a24c56be9b5949281e52f04e8839c28499bf7e50050ec1de149cdb8149c7
Opcode Fuzzy Hash: 6d78f9f58af8eb50fde39e65dc1e58648494abf32d24f4ebf1cc865bdd07ad78
Instruction Fuzzy Hash: 94112934204384DFE306CB24C540B66BBD1EB88708F24C99CE9491B643C77BD803CA91

Uniqueness

Uniqueness Score: -1.00%

Function 026CCE98, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.487849920.00000000026C0000.00000040.00000001.sdmp, Offset: 026C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 677861e8b0bcac8e000b4788574e284a59b1f5377c289d7296ada8b4b07cacd4
Instruction ID: 031edc97a4d52053ce4f01d6ab2d1e9218b621ff067bc3e31173d970e296497b
Opcode Fuzzy Hash: 677861e8b0bcac8e000b4788574e284a59b1f5377c289d7296ada8b4b07cacd4
Instruction Fuzzy Hash: 9311B270318200CBD31CB738911113ABB92DFC6718764886EA15F9B681DF72E803DB96

Uniqueness

Uniqueness Score: -1.00%

Function 026CD0E8, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.487849920.00000000026C0000.00000040.00000001.sdmp, Offset: 026C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90af7c16e5e9954ecde75248cde26969cbaba32623674aced0b1491e9f1fd6ce
Instruction ID: 6734278e90e38ef200029f212f38b386e9f9bd5eb023aea9204b74452ae4db6c
Opcode Fuzzy Hash: 90af7c16e5e9954ecde75248cde26969cbaba32623674aced0b1491e9f1fd6ce
Instruction Fuzzy Hash: 8611F634300601ABD628EA59C890A76F3E6FB88664B24C52DD95A87F91CB71FC52DB90

Uniqueness

Uniqueness Score: -1.00%

Function 026C6E88, Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.487849920.00000000026C0000.00000040.00000001.sdmp, Offset: 026C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3654562d27723df27bee26576b618438d1cd4d44f0aef5e1ce8275f92d65b743
Instruction ID: 42b8841caeff4612fcffa663c459842e4efca446d1546dd4b88da2e8764cf106
Opcode Fuzzy Hash: 3654562d27723df27bee26576b618438d1cd4d44f0aef5e1ce8275f92d65b743
Instruction Fuzzy Hash: 73119171E05158CFCB00FBB8D8607BEBBB5EB84614F20056ED50997681EB304906CBD6

Uniqueness

Uniqueness Score: -1.00%

Function 026CE149, Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.487849920.00000000026C0000.00000040.00000001.sdmp, Offset: 026C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2763983068b423888278fc4715a306d205a2a76733c57ca7c0432a3bbbf468dc
Instruction ID: 78f2f1b4eaf15df6b470330a034a36c724e8871f8021eab93c74dc0439e4f71a
Opcode Fuzzy Hash: 2763983068b423888278fc4715a306d205a2a76733c57ca7c0432a3bbbf468dc
Instruction Fuzzy Hash: 9701F5317152209FCB1837B9981463F7EAAEFC9224764453EE406C7B82DD368C02C3A5

Uniqueness

Uniqueness Score: -1.00%

Function 026C0C6F, Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.487849920.00000000026C0000.00000040.00000001.sdmp, Offset: 026C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a9be77be0ecbe499cd18890902079e4d2d610bae1f403806a2e9f24d21b0c26
Instruction ID: ea5c698d5bccf26f9d2941d37aba577d69d7c0cade1527b11d018f9736667fbb
Opcode Fuzzy Hash: 3a9be77be0ecbe499cd18890902079e4d2d610bae1f403806a2e9f24d21b0c26
Instruction Fuzzy Hash: 7C1127313050149FC748AB2DD454A7E7BE6EFC8350B24406AE507CB7A5CE729C0ADB92

Uniqueness

Uniqueness Score: -1.00%

Function 026C0C70, Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.487849920.00000000026C0000.00000040.00000001.sdmp, Offset: 026C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdeba73449f425267635fc05a6c5c6246b6c8cfe25b7017ee675927c9e03bbe8
Instruction ID: 59fc09e15707ae741cdb42a80d47b8640ab57a1e992fbec962df4b57048f5596
Opcode Fuzzy Hash: cdeba73449f425267635fc05a6c5c6246b6c8cfe25b7017ee675927c9e03bbe8
Instruction Fuzzy Hash: F6113931304014DBC748AB2DD454A6E7BDAEFC8350B24406AE507CB7A5DE729C0AD792

Uniqueness

Uniqueness Score: -1.00%

Function 026C11DF, Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.487849920.00000000026C0000.00000040.00000001.sdmp, Offset: 026C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 685aefb086bc6f0309b807526639b72723d85a902d470617448eacef9a9eb5c8
Instruction ID: ae15bbb089136a063fb2811d74010aec26e209d8f7d10f54438ee9027591165f
Opcode Fuzzy Hash: 685aefb086bc6f0309b807526639b72723d85a902d470617448eacef9a9eb5c8
Instruction Fuzzy Hash: 1411333430D1908FC706A72CD4A45797FE5AF9720072541EFD446CF6BBCA694C4ACB52

Uniqueness

Uniqueness Score: -1.00%

Function 026C4700, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.487849920.00000000026C0000.00000040.00000001.sdmp, Offset: 026C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed31237f473ba51c8deb7d73ed8f0ee10400bc94deef7d30bdcf69d4598ded65
Instruction ID: 787d46cef2b2c14c0603782b54ef96067b6ad6b29e1767ed430f164d91abea78
Opcode Fuzzy Hash: ed31237f473ba51c8deb7d73ed8f0ee10400bc94deef7d30bdcf69d4598ded65
Instruction Fuzzy Hash: F901A2317091509FCB25B6B9A4303FE3BA5DBC6664F3500BFE506CB796DE2A88028791

Uniqueness

Uniqueness Score: -1.00%

Function 00C3AEC0, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.487124856.0000000000C32000.00000040.00000001.sdmp, Offset: 00C32000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f5f8ec8ab190b77caa5bc0cbd085abd04776609e98a0babbbdf689841f4f527
Instruction ID: 58c83d91b5ff1f9c01742bc278395495481f053efaf29085e9a4c9dc3b746f26
Opcode Fuzzy Hash: 0f5f8ec8ab190b77caa5bc0cbd085abd04776609e98a0babbbdf689841f4f527
Instruction Fuzzy Hash: D811ECB5608301AFD350CF09DC41E57FBE8EB88660F14895EFD9897311D271E9048BA2

Uniqueness

Uniqueness Score: -1.00%

Function 026C4FF0, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.487849920.00000000026C0000.00000040.00000001.sdmp, Offset: 026C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eaa61068024107e0ec7d03deda547cb1819a44c3a5f1f03862f59ba62a193d88
Instruction ID: 90498a2642ab37d3c882c38f5d5ac53bcbd99e66e4b1d96727e42cc57ad9d1a8
Opcode Fuzzy Hash: eaa61068024107e0ec7d03deda547cb1819a44c3a5f1f03862f59ba62a193d88
Instruction Fuzzy Hash: AA01C431F152558FCB44FBB89C503FE7BE1EB44220BA4406EC80AE7681EB305542CBE6

Uniqueness

Uniqueness Score: -1.00%

Function 026C68CA, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.487849920.00000000026C0000.00000040.00000001.sdmp, Offset: 026C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1355097a4c32f8691f199092209016aaf008e736422aadc34de7090ef286b3ee
Instruction ID: 07ecc2c61313e3deb76832bd5054eb40e62f9a63a43bd79dd43492f419cbed30
Opcode Fuzzy Hash: 1355097a4c32f8691f199092209016aaf008e736422aadc34de7090ef286b3ee
Instruction Fuzzy Hash: E101F931B1D1558BD71C7274E8247BE7BE9D7C5254F14006FDD0AD3282EA254902C7D6

Uniqueness

Uniqueness Score: -1.00%

Function 026C4789, Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.487849920.00000000026C0000.00000040.00000001.sdmp, Offset: 026C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be0378ec22a94d2ad040e734e1d0ba8927465d0c76607193f6e78e78ab606a3a
Instruction ID: b75486ebcef315c7f55c4093f7d10ecd315422e7c55e072b4bf2aa7716ec9908
Opcode Fuzzy Hash: be0378ec22a94d2ad040e734e1d0ba8927465d0c76607193f6e78e78ab606a3a
Instruction Fuzzy Hash: 9F018031E051598FCB55EFBC98602EE7FE2DB85310F20447FC409E7281EA394986C791

Uniqueness

Uniqueness Score: -1.00%

Function 026C5740, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.487849920.00000000026C0000.00000040.00000001.sdmp, Offset: 026C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00c1890e4eb11ffdbfd0a5dfcc92de32bd0e300ab0ac59b3c7b80d75ff7e99fd
Instruction ID: 94fc7b9111534237a3af4626bf68b86779c580fdd0d1c0e21ccb72e18312c9e3
Opcode Fuzzy Hash: 00c1890e4eb11ffdbfd0a5dfcc92de32bd0e300ab0ac59b3c7b80d75ff7e99fd
Instruction Fuzzy Hash: 56115E30A05205CFD714EFB9E9406BE7BB6EF84344FA0413ED506A7285E732A942CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 026C573F, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.487849920.00000000026C0000.00000040.00000001.sdmp, Offset: 026C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 144d4b2d90aeedfe4c4bff28400a323a189ac26e249494e4828f129edaa83e1d
Instruction ID: 9759b59f1e3cd3b521e04a5b8f31d78d34fd3a5ce8995b0d6f3a691e0d79665d
Opcode Fuzzy Hash: 144d4b2d90aeedfe4c4bff28400a323a189ac26e249494e4828f129edaa83e1d
Instruction Fuzzy Hash: FD115230A05205CFD714EFB9E9406BE7BB1EF84344F60413ED406B7685E731A942CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 026C84F0, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.487849920.00000000026C0000.00000040.00000001.sdmp, Offset: 026C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcbbfb27acd6b8b9f6fa870b321325836b8cfc6251139ccfce58d2d977355e4e
Instruction ID: 1fab5625120d94f9806dd84606e4d4f909312187f2a289d1c4b695ac6838b32c
Opcode Fuzzy Hash: fcbbfb27acd6b8b9f6fa870b321325836b8cfc6251139ccfce58d2d977355e4e
Instruction Fuzzy Hash: F1019231A041049BD76AAA58D8506BFBBB2DB84354F60446EC107A7240CFB1AD03CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 026CE158, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.487849920.00000000026C0000.00000040.00000001.sdmp, Offset: 026C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8065bc5542f768170a6a84eefc8416a5e58abead403eb53b4ba59522ee7751ec
Instruction ID: 90f2191ac3ae7814dfe9f6fa573c3130e504b84400ce50e2421abeaaabd083e2
Opcode Fuzzy Hash: 8065bc5542f768170a6a84eefc8416a5e58abead403eb53b4ba59522ee7751ec
Instruction Fuzzy Hash: 6601D6317102209BCB183BB99818A3F7AEAEFC8724760453EE407D7781DD758C02C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 026CE157, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.487849920.00000000026C0000.00000040.00000001.sdmp, Offset: 026C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09dfd422754bd527a4aab4971b05bb0b6a5304f9524f1b74db528b0d3b0c7577
Instruction ID: a25c7be583223300d567d92045f8bb26308a62717ef5d7fa8e4b2f32f18e2b05
Opcode Fuzzy Hash: 09dfd422754bd527a4aab4971b05bb0b6a5304f9524f1b74db528b0d3b0c7577
Instruction Fuzzy Hash: 2401A2317102209FCB183BB9A818A7F7AAAEFC8324720453EE407D7B81DD758C02C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 026CF677, Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.487849920.00000000026C0000.00000040.00000001.sdmp, Offset: 026C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88aad05daab2904b7bf8ddd96766f11c98d2425a94d75ba484e55a0b7eafee1a
Instruction ID: 117f836fb7e699f1735a89bdf7e0eef6b4697f57e0f6e215a757148f383c2608
Opcode Fuzzy Hash: 88aad05daab2904b7bf8ddd96766f11c98d2425a94d75ba484e55a0b7eafee1a
Instruction Fuzzy Hash: 55014472B4D2242FDB1AF63DAC110FDBB5ECAC271471904AFE401DB792DA628C0283C2

Uniqueness

Uniqueness Score: -1.00%

Function 026C0070, Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.487849920.00000000026C0000.00000040.00000001.sdmp, Offset: 026C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ada311bca6ccf66b3c0b39268297b83221c9d41df1f37ef4fa7ce9650b7a2b07
Instruction ID: a777c338129ef9b0d2678fc661fb8880ffc69668c88e9de0fd4ec972ad3aedbc
Opcode Fuzzy Hash: ada311bca6ccf66b3c0b39268297b83221c9d41df1f37ef4fa7ce9650b7a2b07
Instruction Fuzzy Hash: 62113DB0615346EFCB08FB78D44562D7BE1FF80315B10992DE54687B14EB708802EB52

Uniqueness

Uniqueness Score: -1.00%

Function 026C5507, Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.487849920.00000000026C0000.00000040.00000001.sdmp, Offset: 026C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 408ed006dc87f489f18908d79b1b937128ea0489827aea4c0ee6998f4e74054e
Instruction ID: abf7f3d7ce67e01a651f6aa5ce70996ffcaf9d61be9cfc0a4c3e8baf6bd02560
Opcode Fuzzy Hash: 408ed006dc87f489f18908d79b1b937128ea0489827aea4c0ee6998f4e74054e
Instruction Fuzzy Hash: 35113C30A162048FCB14FFB8E941AAE7BA2EB88304F50452AD106D7695DB306942CB90

Uniqueness

Uniqueness Score: -1.00%

Function 026CCA71, Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.487849920.00000000026C0000.00000040.00000001.sdmp, Offset: 026C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77393e7afb4104d51e95adcf66699c2313044bf568d89153db52d6edb962133d
Instruction ID: e0f8b7d5e1e95767ab5ff3c2c523d243f9cbd73e2ffdc694134f3f99ba960d58
Opcode Fuzzy Hash: 77393e7afb4104d51e95adcf66699c2313044bf568d89153db52d6edb962133d
Instruction Fuzzy Hash: B711D2703042549FD701FB78E958B693BE6EF8A319F2504B5E506D739AC734AC42CB94

Uniqueness

Uniqueness Score: -1.00%

Function 026C84E1, Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.487849920.00000000026C0000.00000040.00000001.sdmp, Offset: 026C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a72b6c6fbd85a6ee279e79528668cf6c0771fdd090d060de7a4a90629f7cc1b8
Instruction ID: 5c5d15f5f6d39b7f165b7052b35abd54aa671fb2efb56499a9006591671e5be6
Opcode Fuzzy Hash: a72b6c6fbd85a6ee279e79528668cf6c0771fdd090d060de7a4a90629f7cc1b8
Instruction Fuzzy Hash: 53019E31A08205DFD76AAA28C954A7F7BF39B85300F64446EC007AB780DFB59D03CB82

Uniqueness

Uniqueness Score: -1.00%

Function 026CB0B0, Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.487849920.00000000026C0000.00000040.00000001.sdmp, Offset: 026C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f73ea4b6bb60cfb7207f551955371c74b6cec290b952cc7d020908b351af7479
Instruction ID: ff4af143ffc1bb4d4320fe655b8a1a35af487465980b9f7995d7f726e27f61b9
Opcode Fuzzy Hash: f73ea4b6bb60cfb7207f551955371c74b6cec290b952cc7d020908b351af7479
Instruction Fuzzy Hash: 2D01A231700241EFC704B738E81A5797BA6EB893697148579D60ACBB68DF75AC03CB92

Uniqueness

Uniqueness Score: -1.00%

Function 026CAF40, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.487849920.00000000026C0000.00000040.00000001.sdmp, Offset: 026C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58e4e4d94dc871c7259ecaadebdb17ef4c2534209f85ec1e91e538bdc524490d
Instruction ID: 0b3cede4ccd7327acb6b23d41135b76938ee05b6cc078a461100a6a4a7897146
Opcode Fuzzy Hash: 58e4e4d94dc871c7259ecaadebdb17ef4c2534209f85ec1e91e538bdc524490d
Instruction Fuzzy Hash: 52012CB2E002199FDB50EFB9E9057AEBBF4EB44215F20413AD618D3284EB319904CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 026C5E20, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.487849920.00000000026C0000.00000040.00000001.sdmp, Offset: 026C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 004776c744c34d397e19d18b3377ac8fed102e41cad4473bcd672ee906106cfc
Instruction ID: 4894d14820467a17f2e9519dbe0095c438cb725102993cf0ecdad5baf4334961
Opcode Fuzzy Hash: 004776c744c34d397e19d18b3377ac8fed102e41cad4473bcd672ee906106cfc
Instruction Fuzzy Hash: B9F0D171E252595F8F14FBB85C852FF7FF5AE98210BA0017FE40BE3281EA2185028BD1

Uniqueness

Uniqueness Score: -1.00%

Function 026C6E98, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.487849920.00000000026C0000.00000040.00000001.sdmp, Offset: 026C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50bd002832d488d664ef0badafaea1f758c1064268dea7af717cf8515bd6aeda
Instruction ID: 48a7030daf335b000f80ff23dd74a5f674b12f09b880de4abf1349d5fe7dcd47
Opcode Fuzzy Hash: 50bd002832d488d664ef0badafaea1f758c1064268dea7af717cf8515bd6aeda
Instruction Fuzzy Hash: 77014F71E01108DFDB50EBBDE9417AEBBF9EB84214F20453AD608D3685EB305945CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 026C239F, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.487849920.00000000026C0000.00000040.00000001.sdmp, Offset: 026C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cb6afe40c2fdfb525bd20dad82785fd179e105ac8df8915abf13b5c6dc1f240
Instruction ID: 27a603b7935f76659ffc7da0b929432f1b9a961d0f5f6c429d3cf1eaf41e4398
Opcode Fuzzy Hash: 8cb6afe40c2fdfb525bd20dad82785fd179e105ac8df8915abf13b5c6dc1f240
Instruction Fuzzy Hash: A2111B70D18259DFDB18AFA8D9606BEBFB1EB44344F20846EDD06A7744DB714842CF51

Uniqueness

Uniqueness Score: -1.00%

Function 026C05C8, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.487849920.00000000026C0000.00000040.00000001.sdmp, Offset: 026C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5b25b7d2b15632d1a01665f4dab911c2b7971091a05d63805a5575114fd0e54
Instruction ID: 61e68f7eac770c650a0df1ef0055a027c052c13f541bdb2f1cdf5f3fc1e1ca1f
Opcode Fuzzy Hash: a5b25b7d2b15632d1a01665f4dab911c2b7971091a05d63805a5575114fd0e54
Instruction Fuzzy Hash: EEF0B47170013057CA4C7A7DA41177F728B9BC4B50BA4412EE106DB384CEB08C0363D6

Uniqueness

Uniqueness Score: -1.00%

Function 026C05C7, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.487849920.00000000026C0000.00000040.00000001.sdmp, Offset: 026C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 363fbd3e95cd9c611342e0c895d6bf5b6f32523fc9468a9f5474eaa6be909b3a
Instruction ID: 64f120eca175f0b373f079db0e3df8a0bcc95d1dae85d5c3b5c7e77e08d5e26d
Opcode Fuzzy Hash: 363fbd3e95cd9c611342e0c895d6bf5b6f32523fc9468a9f5474eaa6be909b3a
Instruction Fuzzy Hash: 40F0BE717000305BCB4DBA7DA4217BF669B9BC8B50BA8412FE106EB385CEB08C0363D6

Uniqueness

Uniqueness Score: -1.00%

Function 027305CF, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.487990211.0000000002730000.00000040.00000040.sdmp, Offset: 02730000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4bcae3dfd031411376304d89f9c2ae990b955dabb4b79b445a6c5b2f66acbab
Instruction ID: a9da2cbd4fa6e38188af1d4caa35193d5ecf2374db77eac6a32df41701203422
Opcode Fuzzy Hash: a4bcae3dfd031411376304d89f9c2ae990b955dabb4b79b445a6c5b2f66acbab
Instruction Fuzzy Hash: 7D01DB7650D7805FD7028B16EC40862FFB8EE86230749C1DFED498B612D225A504CB72

Uniqueness

Uniqueness Score: -1.00%

Function 026C55D9, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.487849920.00000000026C0000.00000040.00000001.sdmp, Offset: 026C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c5ae158fe4ba09827f7eb86189ce22b6796fd808ce4bedb0d4f9b62d1f36858
Instruction ID: 2e7164d87bef3b6d20c7ac4de924a7e3b001cabfd163812e7bd85c7f9bfe2d40
Opcode Fuzzy Hash: 3c5ae158fe4ba09827f7eb86189ce22b6796fd808ce4bedb0d4f9b62d1f36858
Instruction Fuzzy Hash: 9BF04432A081808FCB05676CEC541FEBF62EE80224F5402AFD606D3161EB21152286D2

Uniqueness

Uniqueness Score: -1.00%

Function 026C1218, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.487849920.00000000026C0000.00000040.00000001.sdmp, Offset: 026C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 100c9f63cd0a3d6c15ef8043d3bf9519dd081317275d8dcf6767e91324577292
Instruction ID: b0c9e2c0e7f732f5d2a67ba77f7999245598f4b373ceac166231c9286dafd8b2
Opcode Fuzzy Hash: 100c9f63cd0a3d6c15ef8043d3bf9519dd081317275d8dcf6767e91324577292
Instruction Fuzzy Hash: 54011234304014CBC608A72CD09497977EAFFD671472441EEE50ACB76ACF759C4ACB81

Uniqueness

Uniqueness Score: -1.00%

Function 026CA681, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.487849920.00000000026C0000.00000040.00000001.sdmp, Offset: 026C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94c3abada7ebf4a6113a49561bc0c2d9cdbb181be03dc904cb4e6ec707d81072
Instruction ID: 97fd2de8aae9c3441ff7be8369248b777a9d68b01a55113d1a718d5608925f7f
Opcode Fuzzy Hash: 94c3abada7ebf4a6113a49561bc0c2d9cdbb181be03dc904cb4e6ec707d81072
Instruction Fuzzy Hash: 8BF0D1312092449FC716ABB9B8240A83F61DBC232D32944AEE006CB791DA619C06C392

Uniqueness

Uniqueness Score: -1.00%

Function 026CAF33, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.487849920.00000000026C0000.00000040.00000001.sdmp, Offset: 026C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d1e2d74b9082778ac75bb3e4970eb05e8a23396f592bd2abf5acdaa9f7eb254
Instruction ID: 400590eb0b9351e5e2d6d4f9b5f52294b257b9339250d3d2753956afa7a14edb
Opcode Fuzzy Hash: 8d1e2d74b9082778ac75bb3e4970eb05e8a23396f592bd2abf5acdaa9f7eb254
Instruction Fuzzy Hash: D1014FB1E002199FCB50EFB9D90576EBBF4EB44215F204129DA18D7284EB349944CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 026CD0D8, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.487849920.00000000026C0000.00000040.00000001.sdmp, Offset: 026C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2053c18420b58154b20c7b9031c1af9d273c5969db57b445f2a627a3505f451
Instruction ID: 8b71810553a397b485ef4866f8f9b7a460a46078eaaee3b7656e2d6355d26ce7
Opcode Fuzzy Hash: c2053c18420b58154b20c7b9031c1af9d273c5969db57b445f2a627a3505f451
Instruction Fuzzy Hash: 64F0C235304641AFC328AA19D850976B7E6EBC9324B24C43EE94A87F91CB71FC03DB91

Uniqueness

Uniqueness Score: -1.00%

Function 026C64C1, Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.487849920.00000000026C0000.00000040.00000001.sdmp, Offset: 026C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d551a3e76e4363401c0707c7b7919c50745d6b9aadee25101cb22c9b3314d35
Instruction ID: c891cc2f8076008c33240809125eb2b61e9a8e5bfb6b1849f61d44c3d171b992
Opcode Fuzzy Hash: 0d551a3e76e4363401c0707c7b7919c50745d6b9aadee25101cb22c9b3314d35
Instruction Fuzzy Hash: 13F04C31A0C1504BCB24A67888205FEBFD9C7C5224F6441AEC906E32C5E6288507C7C9

Uniqueness

Uniqueness Score: -1.00%

Function 026C8A28, Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.487849920.00000000026C0000.00000040.00000001.sdmp, Offset: 026C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30734676822536a9e4af1f453e54e9cac3c3ac5a72af75aa3f98324b79b4d39e
Instruction ID: 765d17171d0eb67715f0229a669ba2f3065eaee488d1b8a9f0daea2dfeb14f0f
Opcode Fuzzy Hash: 30734676822536a9e4af1f453e54e9cac3c3ac5a72af75aa3f98324b79b4d39e
Instruction Fuzzy Hash: 65010CB4E042099FDB14DFA9D490AADBFF1EF98304F2081AAD805A7345D7345A41DF51

Uniqueness

Uniqueness Score: -1.00%

Function 026CAEA9, Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.487849920.00000000026C0000.00000040.00000001.sdmp, Offset: 026C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 124ef6d146fcfd437c6a8a2c4890e646eb8d5a1f0de4706e5d2e11df80f55918
Instruction ID: 5cfa65ac202c4bb89c49f2404f195c3d6613934dfa042a4501ee8d0d20ba8aa6
Opcode Fuzzy Hash: 124ef6d146fcfd437c6a8a2c4890e646eb8d5a1f0de4706e5d2e11df80f55918
Instruction Fuzzy Hash: 26F08630B002199BCB05EBB8ED81AAE7775FB88704F204959E6059B385DF749D0197E5

Uniqueness

Uniqueness Score: -1.00%

Function 026CEB59, Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.487849920.00000000026C0000.00000040.00000001.sdmp, Offset: 026C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c283e7d081ecec7870792f6885b88f24ec919772bd4a95be205bce8953c9022e
Instruction ID: e81f6d159f925fdc3fc41c55e23d5abd2d83f1e1ac5ec600da04d617ab38a3cc
Opcode Fuzzy Hash: c283e7d081ecec7870792f6885b88f24ec919772bd4a95be205bce8953c9022e
Instruction Fuzzy Hash: 84F0E9329093945BDB39316469447B67FF8D785225F2901BED94BDB242E6574C02C371

Uniqueness

Uniqueness Score: -1.00%

Function 026C6878, Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.487849920.00000000026C0000.00000040.00000001.sdmp, Offset: 026C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f54fa08a81c9a93cd20b8228c4c8a5a0af054b6c668e8eb6597203383a2927b
Instruction ID: 27aa3ef3560a61babe06314040bb111fb3ed01a0671786603cc067b2e674ecd0
Opcode Fuzzy Hash: 8f54fa08a81c9a93cd20b8228c4c8a5a0af054b6c668e8eb6597203383a2927b
Instruction Fuzzy Hash: D0F0E932A0E5608BEB1437B5A8206FC7B6DDFC1654734016FEA0AD7292DF5508068B7B

Uniqueness

Uniqueness Score: -1.00%

Function 026CB0C0, Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.487849920.00000000026C0000.00000040.00000001.sdmp, Offset: 026C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d81bae893c799465beb5191dc11082a52b05a7a6978a84463a8e1d5e895e64a5
Instruction ID: bb439a058dcee2d413ead9cb3cac3a1c4ae6d3d5d4db807b7dc0cbbacf646ed7
Opcode Fuzzy Hash: d81bae893c799465beb5191dc11082a52b05a7a6978a84463a8e1d5e895e64a5
Instruction Fuzzy Hash: 7EF0AF30300210DBC704FB79E91A569BBA6EBC83693248579D60BCBB58DF719C02CB91

Uniqueness

Uniqueness Score: -1.00%

Function 026C85C8, Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.487849920.00000000026C0000.00000040.00000001.sdmp, Offset: 026C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7530e1656bfee071c6542a8891236bd937f4981d6386a076817b0d8cad789fbd
Instruction ID: 4e8ba77bfbf426864e1707555364be9c7b3fc73b8d3c935063d9b02bb949649b
Opcode Fuzzy Hash: 7530e1656bfee071c6542a8891236bd937f4981d6386a076817b0d8cad789fbd
Instruction Fuzzy Hash: 3EF0B475A0C284DFC766F6B998858FFBFF2EFA5200764417BE102D7251D2B0490ACB96

Uniqueness

Uniqueness Score: -1.00%

Function 026C68D8, Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.487849920.00000000026C0000.00000040.00000001.sdmp, Offset: 026C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a03ef5f4f698635bb1549f0f4848d3ac20b02e371e944537516eee2c6b870bc
Instruction ID: 138d3aff17ee14a652d32bfadaba22b205f7875e265ca83f0cc16503920e602a
Opcode Fuzzy Hash: 3a03ef5f4f698635bb1549f0f4848d3ac20b02e371e944537516eee2c6b870bc
Instruction Fuzzy Hash: 2FF0BE70B081169A8B1CB269D8206BF7BEED7C5690F20006FC90A93281EE245A03C2DA

Uniqueness

Uniqueness Score: -1.00%

Function 026C5CD0, Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.487849920.00000000026C0000.00000040.00000001.sdmp, Offset: 026C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65038160e137757835ad5dce9a4bc2a7bb80dc313abf6a7d632d46e6b9dda975
Instruction ID: ea22401d47a38486832fe6d728a39582cc4fa8c6ad592e7d4ac26a581afd7531
Opcode Fuzzy Hash: 65038160e137757835ad5dce9a4bc2a7bb80dc313abf6a7d632d46e6b9dda975
Instruction Fuzzy Hash: 5AF06272E041159F8F50EFBC545069EBBF5EF89214B55017AD908F3241EB34A902CBD9

Uniqueness

Uniqueness Score: -1.00%

Function 026C7439, Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.487849920.00000000026C0000.00000040.00000001.sdmp, Offset: 026C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 449b64a134d94d9a19d0bb88ff71a7ea12a8ce1a46774c68a8458fba97c9f2c1
Instruction ID: 4f8821e592d7d5d75a0652fce7fa46196e67dc0553b47baac6089704855bd588
Opcode Fuzzy Hash: 449b64a134d94d9a19d0bb88ff71a7ea12a8ce1a46774c68a8458fba97c9f2c1
Instruction Fuzzy Hash: 30F0F072E000588ECB11DBA8E844AEEFB64EB80224F10817FD50593641EB324417CB81

Uniqueness

Uniqueness Score: -1.00%

Function 026C0D34, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.487849920.00000000026C0000.00000040.00000001.sdmp, Offset: 026C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50aca1394fd3f6e6ec4bbd4387e6cf5cea382044312aac88c724b608410c86bc
Instruction ID: 059658e1db0ccb62756b649253903d1fcd2738aa1860db7e1dc04662762a41eb
Opcode Fuzzy Hash: 50aca1394fd3f6e6ec4bbd4387e6cf5cea382044312aac88c724b608410c86bc
Instruction Fuzzy Hash: 0DF09031310100DFC704AB28D898BA97BE6FBC5215B3484BDE44ACB766CB719C06CB41

Uniqueness

Uniqueness Score: -1.00%

Function 026CB670, Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.487849920.00000000026C0000.00000040.00000001.sdmp, Offset: 026C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64f91020fe08438b4a1bfd6ffa900c642706fc7ea8ed33f8f13cfe82fe6f7148
Instruction ID: c60d996ef80217a5c8560126061b68d62ec3fe42c391cc27b09c9941497ac4ce
Opcode Fuzzy Hash: 64f91020fe08438b4a1bfd6ffa900c642706fc7ea8ed33f8f13cfe82fe6f7148
Instruction Fuzzy Hash: 19F027719047505BC335AA2FE8414B3FBF9F9C56243288B3FD148C2A10DBB058064790

Uniqueness

Uniqueness Score: -1.00%

Function 026CEAD9, Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.487849920.00000000026C0000.00000040.00000001.sdmp, Offset: 026C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d934badf2aa2f09e82b3ad7e423bcf8dfc4f95353a031c1d4d6948f5e42c4d9
Instruction ID: 7dcbdcc9d161835ae9ed3dd57cfc770fe1bed30ad7923e8e8b92df12700bee08
Opcode Fuzzy Hash: 7d934badf2aa2f09e82b3ad7e423bcf8dfc4f95353a031c1d4d6948f5e42c4d9
Instruction Fuzzy Hash: FBF0E5722556605FC725B2AC99108BB7FB9DBC7714364447EE40ACB342EF63AC0287E1

Uniqueness

Uniqueness Score: -1.00%

Function 026CCD58, Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.487849920.00000000026C0000.00000040.00000001.sdmp, Offset: 026C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a979d2c7a85af4f36f900f08d7a4b050da7d56e694e238724f83fd06e794769
Instruction ID: 74f34393eeec3aed021382bd2dd3d863517fed93745402a7442103663e24e551
Opcode Fuzzy Hash: 6a979d2c7a85af4f36f900f08d7a4b050da7d56e694e238724f83fd06e794769
Instruction Fuzzy Hash: DAF0E5B27090202B8359329D582073F3B9BCBC5660379026FE90ED7781CE15EC1293EA

Uniqueness

Uniqueness Score: -1.00%

Function 026C8028, Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.487849920.00000000026C0000.00000040.00000001.sdmp, Offset: 026C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b84148c2f8af2fce059926a2d18fdb6616704a72783a85c748126fc0df465b9
Instruction ID: 026f45a6abf3eb119d79d1318f7b74bac9271328bb4cbb5cddc63c20dd8e8018
Opcode Fuzzy Hash: 7b84148c2f8af2fce059926a2d18fdb6616704a72783a85c748126fc0df465b9
Instruction Fuzzy Hash: D1F02439605214CBC712E778E5808ADBB76FF82254370449FD80517347E732E406CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 026C0918, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.487849920.00000000026C0000.00000040.00000001.sdmp, Offset: 026C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8af9b955d661a002034c486dcfe072eab30f058045cbb498afd138fd7a4e46ae
Instruction ID: 19159dd1826b827d537035815a63c2bd4852fd884ef5d2297e83372bbadc4053
Opcode Fuzzy Hash: 8af9b955d661a002034c486dcfe072eab30f058045cbb498afd138fd7a4e46ae
Instruction Fuzzy Hash: D6E0E532E19218EA9B587AF898006BFBBA9D7D5250F20452B9A17A3300D970481282D1

Uniqueness

Uniqueness Score: -1.00%

Function 026C45B9, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.487849920.00000000026C0000.00000040.00000001.sdmp, Offset: 026C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b03ce8df134907a277f73b9bf09d076bf1a6fba93565306a3d41c64c435dcd9
Instruction ID: 1a422767a87c785b3fd3321d75d600700198e5e60d7a234f3133e0a9da3368e1
Opcode Fuzzy Hash: 7b03ce8df134907a277f73b9bf09d076bf1a6fba93565306a3d41c64c435dcd9
Instruction Fuzzy Hash: 4DF0E231E4939A5FCB12DBB95C51AAEBFF89B86214F1500AFD148E7192E2600904C762

Uniqueness

Uniqueness Score: -1.00%

Function 026CE598, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.487849920.00000000026C0000.00000040.00000001.sdmp, Offset: 026C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2923aaef58217745450393e76cda4ea075aafc83db8590e534824890be8b4c1
Instruction ID: f83b3a0ff9b2032958d88dfb056ea390f8c02372b0d048db172dcc69a1e6bae4
Opcode Fuzzy Hash: b2923aaef58217745450393e76cda4ea075aafc83db8590e534824890be8b4c1
Instruction Fuzzy Hash: D6F082312096919F8715FB68942047A7F75CBC662479888AED046CB392EA63DC068391

Uniqueness

Uniqueness Score: -1.00%

Function 02730938, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.487990211.0000000002730000.00000040.00000040.sdmp, Offset: 02730000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 525cef522958239b2deb72ab7ac90410e2832b06fb356f1b7ca8807ee3c9392c
Instruction ID: 2d7deb8e445d9de7009dcc945f006456a99e866e2162bc8be2d49c55e2172a9a
Opcode Fuzzy Hash: 525cef522958239b2deb72ab7ac90410e2832b06fb356f1b7ca8807ee3c9392c
Instruction Fuzzy Hash: ABF01D35104644DFC306DF00D540B16FBA2FB89718F24C6ADE9491B752C337E813DA81

Uniqueness

Uniqueness Score: -1.00%

Function 026C46A9, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.487849920.00000000026C0000.00000040.00000001.sdmp, Offset: 026C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c83cc55012385cc6a188f3731541a1db4c3213b42a79152ec75c1f49904539b1
Instruction ID: 249a18791e97e049bfe9b6d504aa45e0b50fe3500fd455cf259750d099838c23
Opcode Fuzzy Hash: c83cc55012385cc6a188f3731541a1db4c3213b42a79152ec75c1f49904539b1
Instruction Fuzzy Hash: D8F0303160D1905FCB12B7B968B46FD3FA19F82210B3900DFE44BCB6A6D95988069382

Uniqueness

Uniqueness Score: -1.00%

Function 026C4F6F, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.487849920.00000000026C0000.00000040.00000001.sdmp, Offset: 026C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb67eea0bf3a049fece9a9fe5beb156d92c374142d76a5dc3b07880241b59e67
Instruction ID: da5117c14e293c5770a830157039bea92a82348bde9de7e29589e5ac07fbf69f
Opcode Fuzzy Hash: fb67eea0bf3a049fece9a9fe5beb156d92c374142d76a5dc3b07880241b59e67
Instruction Fuzzy Hash: AAF0BD3421A105CBC308F76DEAA09B93B26FBC4718770462ED51647A9EEFB41907CB85

Uniqueness

Uniqueness Score: -1.00%

Function 026C4F70, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.487849920.00000000026C0000.00000040.00000001.sdmp, Offset: 026C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99501b99e796ac89809f756ed9f21db8cd60cb2f45869cacbb579f29bf96f545
Instruction ID: 12c138baac9cda5f2dc47f683c1bdd5dec6f08ab67a77cc5eef30881fa7b41a1
Opcode Fuzzy Hash: 99501b99e796ac89809f756ed9f21db8cd60cb2f45869cacbb579f29bf96f545
Instruction Fuzzy Hash: B2F0D034216205C7C308F76DEAA09793B66FBC4718770462ED51207A9EEFB42D07C795

Uniqueness

Uniqueness Score: -1.00%

Function 026CA698, Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.487849920.00000000026C0000.00000040.00000001.sdmp, Offset: 026C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5eb89a5a45a1cd0583d532c693b5108b9f48e71b3b83d1585be6b650285f0dde
Instruction ID: 02a5aeb822b70f8e8c8471cc5690e2f281047754ddecf6cff7dbe34776ed882f
Opcode Fuzzy Hash: 5eb89a5a45a1cd0583d532c693b5108b9f48e71b3b83d1585be6b650285f0dde
Instruction Fuzzy Hash: B0F0A031300104DB8708EA6DB8145697BA6EBC5339328853EE10BCB780CE72EC03D791

Uniqueness

Uniqueness Score: -1.00%

Function 026C8C30, Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.487849920.00000000026C0000.00000040.00000001.sdmp, Offset: 026C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57a0de9f68fb5c488a30e6f00fb1564593453e4459b0558905ee2b4155f2a2a2
Instruction ID: 9f00545af78912b601533c9332a7377c1b18ee924bf92394263cd9ac718f75c8
Opcode Fuzzy Hash: 57a0de9f68fb5c488a30e6f00fb1564593453e4459b0558905ee2b4155f2a2a2
Instruction Fuzzy Hash: 39F0E535A072519FCB2327A8E9283343FB4EB0A2D232501AFDD42C7755DA344C01CBD2

Uniqueness

Uniqueness Score: -1.00%

Function 026C5D5F, Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.487849920.00000000026C0000.00000040.00000001.sdmp, Offset: 026C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 376dee0478ea9fdfe4cfc9c4cb2f64e3829a24c8585ccecf6e6bbae4c4274a23
Instruction ID: fbf4ab42ca4dfecec1b546b3bf931ceb806382b36072ae410b0e7d50de45adc5
Opcode Fuzzy Hash: 376dee0478ea9fdfe4cfc9c4cb2f64e3829a24c8585ccecf6e6bbae4c4274a23
Instruction Fuzzy Hash: C9E0E53560D7918FCB1577B52C652FD3F65CD420143A4029FD9079F0A2DE242406C75B

Uniqueness

Uniqueness Score: -1.00%

Function 026C6120, Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.487849920.00000000026C0000.00000040.00000001.sdmp, Offset: 026C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2695a20af6b895058546e77e444e48ed8be57430f75694d427fd45af324fc4f
Instruction ID: 21b772e06ce737b771d0d50b55186c65564c1a6b92227bb15fe787a9ab5d4fa1
Opcode Fuzzy Hash: c2695a20af6b895058546e77e444e48ed8be57430f75694d427fd45af324fc4f
Instruction Fuzzy Hash: C7E0E5307092911FC31A623C582172EBB6A4BCA301F1604AFE105C7BD3CC254C038365

Uniqueness

Uniqueness Score: -1.00%

Function 026C5FD0, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.487849920.00000000026C0000.00000040.00000001.sdmp, Offset: 026C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c91bd19a93b44e75e3275496f2e91eb7f3042bb309edc38ca995cbb9d8d8874
Instruction ID: 382ea9101c9c1851f5d76dc77c39937863c165edb64c22c01f1ceb1a8fd7a988
Opcode Fuzzy Hash: 5c91bd19a93b44e75e3275496f2e91eb7f3042bb309edc38ca995cbb9d8d8874
Instruction Fuzzy Hash: F3F03A71E1928A9FCF50DFB89849AEEBFF4EB89200F10046AD019E3242E2350511CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 026C77AF, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.487849920.00000000026C0000.00000040.00000001.sdmp, Offset: 026C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35f2a9f01a30dad04c54a4aaa6251bf58fc4f09ad3b2717cd829852fced9e250
Instruction ID: f62df511068717d822fc71481dfb5dc4dbc08abc319e10cdec4e2d5e63bfe06e
Opcode Fuzzy Hash: 35f2a9f01a30dad04c54a4aaa6251bf58fc4f09ad3b2717cd829852fced9e250
Instruction Fuzzy Hash: E0E03031B011548BCB04B3F998303AE76568F80A14BA0053CCA0ADB681EE6549018B96

Uniqueness

Uniqueness Score: -1.00%

Function 026C57A2, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.487849920.00000000026C0000.00000040.00000001.sdmp, Offset: 026C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 551bf3978b8dc44bf98b4059ba467225c3b2cf8254a8107aa697e73793fee791
Instruction ID: 9b308b0bd5bd3b470ef815b725147c47b35aaae2a4ecc70b2dc966b32c7f504c
Opcode Fuzzy Hash: 551bf3978b8dc44bf98b4059ba467225c3b2cf8254a8107aa697e73793fee791
Instruction Fuzzy Hash: DDF01C31A09114CBDB58BBB8ED143BD7761DB84214BB0857AD607A71D1EF206942C765

Uniqueness

Uniqueness Score: -1.00%

Function 026CD08E, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.487849920.00000000026C0000.00000040.00000001.sdmp, Offset: 026C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bcbb48e2341d58d41e2b63e160672255cf68904e61334bb3f368d35b180f95a0
Instruction ID: e0830db500d62a6b9dd38d15aa71c656f8c8db87346544c876d208a86333fea8
Opcode Fuzzy Hash: bcbb48e2341d58d41e2b63e160672255cf68904e61334bb3f368d35b180f95a0
Instruction Fuzzy Hash: 0AE0486271D1D49B87193A2D501047E77A7DAC657233940BFD50BCB362DD528C17D393

Uniqueness

Uniqueness Score: -1.00%

Function 026CE5E8, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.487849920.00000000026C0000.00000040.00000001.sdmp, Offset: 026C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71e8b2230b4dcd6007c0128fbef3654d2bbe048b05d6ef0090c4d82177b346e3
Instruction ID: 9bb1f2c0901594d8bcf34a14eb0e6cfc9258f3b1f5674d391be345245dd37f5f
Opcode Fuzzy Hash: 71e8b2230b4dcd6007c0128fbef3654d2bbe048b05d6ef0090c4d82177b346e3
Instruction Fuzzy Hash: F2E0203101D7B0CFC32D396264190B17774E709111734046FE486C6113F6179C43C7D2

Uniqueness

Uniqueness Score: -1.00%

Function 026C89D0, Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.487849920.00000000026C0000.00000040.00000001.sdmp, Offset: 026C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43e09147b8f6ca026232f674be86e3bb1c2b5dbbaa069650673240e16fa89e2b
Instruction ID: d5ce5e76be95ef12c52ef98c197ea09ba5c7032cf05f0c6d344f105ef81aa8ee
Opcode Fuzzy Hash: 43e09147b8f6ca026232f674be86e3bb1c2b5dbbaa069650673240e16fa89e2b
Instruction Fuzzy Hash: 49F05874D09248EFDB19EFA9D4946ADBBB4EF59304F1080EBC80497246E7345A44DF82

Uniqueness

Uniqueness Score: -1.00%

Function 027305F6, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.487990211.0000000002730000.00000040.00000040.sdmp, Offset: 02730000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33254eff6640db63caad9c2a21658b559b44e299907e9eded1c8fe1f74a16de3
Instruction ID: 5771c800218322f72a30c7a15ada7d40fb44c695a7178b564cea66814c929919
Opcode Fuzzy Hash: 33254eff6640db63caad9c2a21658b559b44e299907e9eded1c8fe1f74a16de3
Instruction Fuzzy Hash: A0E06D76604A008B9650CF0AEC41462FBA8EB88630B18C06FDC0D8B700E135B5048EA5

Uniqueness

Uniqueness Score: -1.00%

Function 026C88C9, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.487849920.00000000026C0000.00000040.00000001.sdmp, Offset: 026C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e3786283e8040f96d3956ec78087167c620ca44a3a5a7da5015ab759a4bd892
Instruction ID: 631ac1f0a362be2ae2488c22c2a73e873d102fa960a7dd1cfd13df7b43305234
Opcode Fuzzy Hash: 8e3786283e8040f96d3956ec78087167c620ca44a3a5a7da5015ab759a4bd892
Instruction Fuzzy Hash: 03E06D30C0A348CFC701EFB8E95A6ACBF30EF42205F1056DAD80467696DB745A49DF96

Uniqueness

Uniqueness Score: -1.00%

Function 00C3AF0F, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.487124856.0000000000C32000.00000040.00000001.sdmp, Offset: 00C32000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8aa7953e1246605ab25b1c6fe7bee772840c16697ed1dd6f5822f64e7b149814
Instruction ID: d30e90896daf9181ef386c60aa7fbe3afc1fcfe8acbf75e46f76775811662a4a
Opcode Fuzzy Hash: 8aa7953e1246605ab25b1c6fe7bee772840c16697ed1dd6f5822f64e7b149814
Instruction Fuzzy Hash: 7CE0D872A0060467D2108E06AC46B63FB5CEB44A30F14C557EE0C5B305E171B5048AF5

Uniqueness

Uniqueness Score: -1.00%

Function 026CEAE8, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.487849920.00000000026C0000.00000040.00000001.sdmp, Offset: 026C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fdfaec7cd0837708fcd14a93a38b28d645506109c136c010e0244204be9c2c26
Instruction ID: 70cba3d7f9d044292f2a3ad9ebb00637330858aabe5cae1c14a22a3281c02c9f
Opcode Fuzzy Hash: fdfaec7cd0837708fcd14a93a38b28d645506109c136c010e0244204be9c2c26
Instruction Fuzzy Hash: B1E0DF322201209B8628E69CD5108BA7BA9CBC2A20360842ED40A8B345EEB3EC028790

Uniqueness

Uniqueness Score: -1.00%

Function 026C8C40, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.487849920.00000000026C0000.00000040.00000001.sdmp, Offset: 026C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50632f74665eacd82b6a2c84122961ddde644576f64db3cd1e2b198b8101d959
Instruction ID: f051059eb6d20578b983bf2cb15be09ec81c801eaa75043b7a8cdb5f35401ca8
Opcode Fuzzy Hash: 50632f74665eacd82b6a2c84122961ddde644576f64db3cd1e2b198b8101d959
Instruction Fuzzy Hash: D7E06D35B1312197C7666BA8E5187287BE9EB88692334416FDE06D3748DE308C01CBD2

Uniqueness

Uniqueness Score: -1.00%

Function 026C6130, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.487849920.00000000026C0000.00000040.00000001.sdmp, Offset: 026C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4934b96b96a2414975294114d40eb8cc8ea3811aba4db7f787523111030226a
Instruction ID: 38c953832bdb1b5f32dc52bf6ea2a9855d64c3dac089f52f4423c42b3a7e9b1e
Opcode Fuzzy Hash: d4934b96b96a2414975294114d40eb8cc8ea3811aba4db7f787523111030226a
Instruction Fuzzy Hash: F8E0863170022567C219726D9411B2FF29E8BC9756F20043EA20697791CC62AC0353A9

Uniqueness

Uniqueness Score: -1.00%

Function 026C0917, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.487849920.00000000026C0000.00000040.00000001.sdmp, Offset: 026C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 964bf35e1dbd71165fda3d7766b50bfd1f482c75456b23c9f19588d87074325e
Instruction ID: 5a4ffafb493911307c44c39437115bf60de41c70dd5049f3addba1ccbe2e2c8f
Opcode Fuzzy Hash: 964bf35e1dbd71165fda3d7766b50bfd1f482c75456b23c9f19588d87074325e
Instruction Fuzzy Hash: 97E0D830E19254EAD76C7AF4881477F7EA9CBD6340F24552F9D07A3341D9B04C43C691

Uniqueness

Uniqueness Score: -1.00%

Function 026CE5A8, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.487849920.00000000026C0000.00000040.00000001.sdmp, Offset: 026C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abd9f69952ce96c795286cb4a946cd5c3304993c08ed75417eb22397dab0c9d5
Instruction ID: 0c7c4722d5c00b1ca34d2bdc38cb8329969a9441e306de6a71098cc422d526d5
Opcode Fuzzy Hash: abd9f69952ce96c795286cb4a946cd5c3304993c08ed75417eb22397dab0c9d5
Instruction Fuzzy Hash: BBE04831314511574614FA5DD51046E77A9CBC5A643A4842DD50ACB785EFB3EC0287D0

Uniqueness

Uniqueness Score: -1.00%

Function 026C8AB0, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.487849920.00000000026C0000.00000040.00000001.sdmp, Offset: 026C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d07f5d606a23e7a21789b0ee0e5a95dbad47217bb4f92b69a614441dee425a3
Instruction ID: d6eb8862283fabf8a0be6f557b6aa5fe5ac809f2119c868f01d8fd2f2d4a020a
Opcode Fuzzy Hash: 7d07f5d606a23e7a21789b0ee0e5a95dbad47217bb4f92b69a614441dee425a3
Instruction Fuzzy Hash: 8CF0E53020420DDBC715FB58D9C49793B59F754314770967AEA118B61CDBB1ED07C781

Uniqueness

Uniqueness Score: -1.00%

Function 026CAFF3, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.487849920.00000000026C0000.00000040.00000001.sdmp, Offset: 026C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ba2f6d48eeb870facde2455862a2cec959bd1157673a8ce14a493774deb51ce
Instruction ID: 7cc65dba2fd817ebfa31909bf3a248e5a373e4213f2bfde8c112aa364ba9d800
Opcode Fuzzy Hash: 9ba2f6d48eeb870facde2455862a2cec959bd1157673a8ce14a493774deb51ce
Instruction Fuzzy Hash: F1E020353042249BD785B778D0197397BD6DB8D362B10002EDA1AC73D4DE39CC01C791

Uniqueness

Uniqueness Score: -1.00%

Function 026CD0A0, Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.487849920.00000000026C0000.00000040.00000001.sdmp, Offset: 026C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 885f549b9e3eaba4d3842c3317b18bf306a1418c1d9ac40fae718ba93f4b4e69
Instruction ID: 7b310b3561a6b0fd49b06873a4e7357d63a90dbc962a0570a74ddf936c40a1f0
Opcode Fuzzy Hash: 885f549b9e3eaba4d3842c3317b18bf306a1418c1d9ac40fae718ba93f4b4e69
Instruction Fuzzy Hash: 02E01221718098A74518796E501087E728BDBC5672325407F910787360DD929C13D392

Uniqueness

Uniqueness Score: -1.00%

Function 026C8AB8, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.487849920.00000000026C0000.00000040.00000001.sdmp, Offset: 026C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d771b17c99876f5f9ede8995b8d285e43f24c5aead09ecf6fdac1140809afece
Instruction ID: f5757732ea49e1b25cbe487abb6970af0fb956b2361e82c190a9712bebd4879c
Opcode Fuzzy Hash: d771b17c99876f5f9ede8995b8d285e43f24c5aead09ecf6fdac1140809afece
Instruction Fuzzy Hash: 03E0123020420DCBC719FB98E9C49793B59FB50318760966AEA018BA1CDFB1ED07C781

Uniqueness

Uniqueness Score: -1.00%

Function 026C89E0, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.487849920.00000000026C0000.00000040.00000001.sdmp, Offset: 026C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc00575ab91d397cdbffa446a269f9e1fd3b8f88c734f8a0f6836aea36a8521e
Instruction ID: 647da4a11da67b4f804b887d5b006c32e8690c0d06db24adec1e0f4257f790e5
Opcode Fuzzy Hash: dc00575ab91d397cdbffa446a269f9e1fd3b8f88c734f8a0f6836aea36a8521e
Instruction Fuzzy Hash: 5EE0ED74D04208DFDB18EFA9D1846ADBBB5EF48305F2095AA980593345D7345A41DF41

Uniqueness

Uniqueness Score: -1.00%

Function 026C88D8, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.487849920.00000000026C0000.00000040.00000001.sdmp, Offset: 026C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f00ca605bbda30133676db608c55028de8c3f9477ae6794fbb8f69abf3bbca24
Instruction ID: 2da45214f605889a0c7b3badaca956ae65e5443f7085dce785fa6447252e7757
Opcode Fuzzy Hash: f00ca605bbda30133676db608c55028de8c3f9477ae6794fbb8f69abf3bbca24
Instruction Fuzzy Hash: 61E08C30C01208DBCB00EFB8E946A6DBB74FB42316F1055ADD90423244CB705A44CF9A

Uniqueness

Uniqueness Score: -1.00%

Function 026C5DE8, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.487849920.00000000026C0000.00000040.00000001.sdmp, Offset: 026C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 654e7305bb3675e8f235c188c87ea6df2be2deb7f15b7ace87b5ac61522ea549
Instruction ID: 03b98b95e9f45c55607fc84c58aa92d0e5791b2ad44a44c7d8425c136fa5b53b
Opcode Fuzzy Hash: 654e7305bb3675e8f235c188c87ea6df2be2deb7f15b7ace87b5ac61522ea549
Instruction Fuzzy Hash: F1E0122126F2D55FCB1A72B818F00BD3F6649C651139505EFA447DB297DC099C0693D1

Uniqueness

Uniqueness Score: -1.00%

Function 026CEB28, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.487849920.00000000026C0000.00000040.00000001.sdmp, Offset: 026C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60f2826f40394c2010000d19efeb3d86edc3613f7799e6ca6170310d05bc4f65
Instruction ID: 19ff516dbaaa54d697a1f1c896e2bebb9622013bf1719a194c3598754ae943cb
Opcode Fuzzy Hash: 60f2826f40394c2010000d19efeb3d86edc3613f7799e6ca6170310d05bc4f65
Instruction Fuzzy Hash: C2E0C23210B244CFC72CEA24EE502B1BBF6DB01216B28096ED05B43715D6639D02C7C0

Uniqueness

Uniqueness Score: -1.00%

Function 026C6888, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.487849920.00000000026C0000.00000040.00000001.sdmp, Offset: 026C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 461ef30cdf4c803e699ed5de0a6dad8100d145390b4e0f75d43b339ee49b2762
Instruction ID: 2e10824c66dbbad63c5bdbc4afff778aa9e6ad81b397836275c57af57d8019c6
Opcode Fuzzy Hash: 461ef30cdf4c803e699ed5de0a6dad8100d145390b4e0f75d43b339ee49b2762
Instruction Fuzzy Hash: D8D02B3061D515C7EA0433A4E81077D328CDBC0650F24002DEE06D2281CF858C4187BF

Uniqueness

Uniqueness Score: -1.00%

Function 026CF688, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.487849920.00000000026C0000.00000040.00000001.sdmp, Offset: 026C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80e8e902d60b5bf7750e0369a3f321df0d573f84ff79f49c4f38a638e27c5458
Instruction ID: 51fbde9c78c9e675f383cc05ac32462fa84e541e48aacf7835c3eb789edd92f3
Opcode Fuzzy Hash: 80e8e902d60b5bf7750e0369a3f321df0d573f84ff79f49c4f38a638e27c5458
Instruction Fuzzy Hash: 3AD0A771314134676A04E5ACDC119BAB78ECBC5710704886EA40AD7381CD729C0243D0

Uniqueness

Uniqueness Score: -1.00%

Function 026C57F6, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.487849920.00000000026C0000.00000040.00000001.sdmp, Offset: 026C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d1154b1b71f2ca5b3f7a40c62a3551db50ed93934a7d32a77a1ce3b773e31c6
Instruction ID: b75ce691f5b6191e3c28dfca771f42b5f2955c251fb0154c4ed265d17a071f88
Opcode Fuzzy Hash: 1d1154b1b71f2ca5b3f7a40c62a3551db50ed93934a7d32a77a1ce3b773e31c6
Instruction Fuzzy Hash: 1CD01231E0E024CBCF08B7E8ED552FC7B71DB84125760557EC60BA6151DE201907C791

Uniqueness

Uniqueness Score: -1.00%

Function 026C7948, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.487849920.00000000026C0000.00000040.00000001.sdmp, Offset: 026C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b464ef7dea05efbd55ebb909b8fd8de735617315e7ce5498fd3d538917eed07a
Instruction ID: d965c80a3b306fa8039d0774999cbd0f31d574e392cae1faa4d4d567bc7a4b3b
Opcode Fuzzy Hash: b464ef7dea05efbd55ebb909b8fd8de735617315e7ce5498fd3d538917eed07a
Instruction Fuzzy Hash: 8AD0C231008365CBC37F6AA5A404B72FAAEDB49A14F14065FC08745600C661E585CBD2

Uniqueness

Uniqueness Score: -1.00%

Function 026CE5F8, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.487849920.00000000026C0000.00000040.00000001.sdmp, Offset: 026C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4e952d0a7265e978a5132a82616029a0cbf7f58efca1fde893fdd2546bc984d
Instruction ID: f340ba4d7932ff45aa8716b1498a1b61968f1d24b94a7406099222e9e9241224
Opcode Fuzzy Hash: c4e952d0a7265e978a5132a82616029a0cbf7f58efca1fde893fdd2546bc984d
Instruction Fuzzy Hash: 4ED05E31128270DBC66D7A9790185B2B2B8EB08522B30482EE48B82103DA23E803C3A5

Uniqueness

Uniqueness Score: -1.00%

Function 00C223F4, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.487041378.0000000000C22000.00000040.00000001.sdmp, Offset: 00C22000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a05934b6273eb0ea517461c81ffbcc3e7df2bab8230f58f7e371f30ace4baf5
Instruction ID: fb1645c6cb68d03bf445e4b9534f97e1c2ff7a03afc0a6c20758e0cdf69594b2
Opcode Fuzzy Hash: 7a05934b6273eb0ea517461c81ffbcc3e7df2bab8230f58f7e371f30ace4baf5
Instruction Fuzzy Hash: 3ED05E79215A919FD3269A1CD1A8B953B94AB51B04F4644FEE8008BA63C368DA81E610

Uniqueness

Uniqueness Score: -1.00%

Function 026CF6C0, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.487849920.00000000026C0000.00000040.00000001.sdmp, Offset: 026C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 192542a16f1f75aaffe4b2941f59588daeb718f8938e0967e016406f383564c9
Instruction ID: f3b6660230481db548b6093f4ee8b773eb198cb7b4d8cadae75c76a18613f96d
Opcode Fuzzy Hash: 192542a16f1f75aaffe4b2941f59588daeb718f8938e0967e016406f383564c9
Instruction Fuzzy Hash: E5D0226121F7C80FDB22337020281383F3589434303B800ABD88D8F733FA95441B8722

Uniqueness

Uniqueness Score: -1.00%

Function 026CEB38, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.487849920.00000000026C0000.00000040.00000001.sdmp, Offset: 026C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e0e000815b569aa9462e28028580ce31243854022449028cc3dc4cf6eeab28a
Instruction ID: 379c01eba7c0d5d898ec848d56df5b4aa5ecd4b2b8593bd9947732a127a4f4e9
Opcode Fuzzy Hash: 9e0e000815b569aa9462e28028580ce31243854022449028cc3dc4cf6eeab28a
Instruction Fuzzy Hash: 51D0C93110A618DB832CAA55D6504B2B3F9EB45622324496ED01F476049B63AC42C791

Uniqueness

Uniqueness Score: -1.00%

Function 026C73F8, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.487849920.00000000026C0000.00000040.00000001.sdmp, Offset: 026C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a0939ec5680cffb9ecca245d0aafbbebb033a67d769e75d7ec85179cdc98f5e
Instruction ID: b97fbe0acbc0a28f327845f594b095715471142d3c2cbff637c8b020ad794e9c
Opcode Fuzzy Hash: 9a0939ec5680cffb9ecca245d0aafbbebb033a67d769e75d7ec85179cdc98f5e
Instruction Fuzzy Hash: D5D0423AA000048FC705DB88D5849D9F7F1EB88225F28C1AAD915A7251C732ED56CE50

Uniqueness

Uniqueness Score: -1.00%

Function 00C223BC, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.487041378.0000000000C22000.00000040.00000001.sdmp, Offset: 00C22000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb5762b1a6ad5d66945bfc2c98c89c62d4d1ad9aba39b051a7cce29e479cf3f6
Instruction ID: 78a7e1628279cab0c47191d0fee9cb6723ec98eeaace714fa0e4af5642243641
Opcode Fuzzy Hash: fb5762b1a6ad5d66945bfc2c98c89c62d4d1ad9aba39b051a7cce29e479cf3f6
Instruction Fuzzy Hash: 0ED05E382002818BC719DB0CD594F5937D8AF41B00F0644E8AC108BA72C3A8DD81C600

Uniqueness

Uniqueness Score: -1.00%

Function 026C7E96, Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.487849920.00000000026C0000.00000040.00000001.sdmp, Offset: 026C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 430451d0636912afba1a5b710a6cad845df414346d4d9713bc7f95bb25c493bb
Instruction ID: db5ab113ae23f8236bbed49e875c10533f82f4fab4ebd48c77ef8c7722d82247
Opcode Fuzzy Hash: 430451d0636912afba1a5b710a6cad845df414346d4d9713bc7f95bb25c493bb
Instruction Fuzzy Hash: EAD0A971A11209CFCB12EF79EA100EDBBF0EB48220720032AE8029B381E7341D02CF20

Uniqueness

Uniqueness Score: -1.00%

Function 026C5478, Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.487849920.00000000026C0000.00000040.00000001.sdmp, Offset: 026C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d069ebc4afe82479fabd059bff74eb666a7d2c43b615dd0fb8e3e1a727263f33
Instruction ID: 0aca7ad73ddf86843191fdc7f23fcd9b1f832d36c3aa97f931c342581243eefd
Opcode Fuzzy Hash: d069ebc4afe82479fabd059bff74eb666a7d2c43b615dd0fb8e3e1a727263f33
Instruction Fuzzy Hash: A3D0C9700182448BD72437A87D0D77E3A5CE74030AB948189E407B0522DB357154CA52

Uniqueness

Uniqueness Score: -1.00%

Function 026C017F, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.487849920.00000000026C0000.00000040.00000001.sdmp, Offset: 026C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0d65ac251d6fa71e2ff9c7d53f94b3fcf51921e60a2bb4a8ff3ba3753717a1b
Instruction ID: 5e372b13f68fea029484156759077afd29e3cbac25d36093783942146ba7a9f6
Opcode Fuzzy Hash: b0d65ac251d6fa71e2ff9c7d53f94b3fcf51921e60a2bb4a8ff3ba3753717a1b
Instruction Fuzzy Hash: 6ED01275245304DFCB196B74E419A6C3B71AF4524631049BDD807C7B60DB77C441CE00

Uniqueness

Uniqueness Score: -1.00%

Function 026C0180, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.487849920.00000000026C0000.00000040.00000001.sdmp, Offset: 026C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42644d7292c77efd572c34d19a7e0740995dab2aa8d208f6905ebd94d34e642b
Instruction ID: a578d05b8d1819edcd61f8ee16a2a5828c45f5b451ecf592585473c3c73e3194
Opcode Fuzzy Hash: 42644d7292c77efd572c34d19a7e0740995dab2aa8d208f6905ebd94d34e642b
Instruction Fuzzy Hash: 45D01271211304CFCB082B74E41962C3365AF45206300487CD80787750DF36D841CA04

Uniqueness

Uniqueness Score: -1.00%

Function 026C02B1, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.487849920.00000000026C0000.00000040.00000001.sdmp, Offset: 026C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ef50fce9302e85bc9d3185cb2b2ae90523ad113dabc61bfa0aac03d183ae187
Instruction ID: 16b023927c5206b3ab11af56be7ef20b3a437ca7bc8383228c859baf2f4788c4
Opcode Fuzzy Hash: 2ef50fce9302e85bc9d3185cb2b2ae90523ad113dabc61bfa0aac03d183ae187
Instruction Fuzzy Hash: 62C01231208600C7C258B708F5804B577A1FB84710310C91DE45757618CB70FC02C740

Uniqueness

Uniqueness Score: -1.00%

Function 026C5D70, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.487849920.00000000026C0000.00000040.00000001.sdmp, Offset: 026C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f180b3ae8a5b1badfc83ec450b8eab8b4a98bd40436fed4df4007eae246e219
Instruction ID: 42993e98038ead8827b4cae5d33e883f322b7c524fd76a8535346e2cd17eba11
Opcode Fuzzy Hash: 2f180b3ae8a5b1badfc83ec450b8eab8b4a98bd40436fed4df4007eae246e219
Instruction Fuzzy Hash: 07C04C30214B058F9E5837B57D1D73E77689A505453D00159F90B9A160EF65B400959A

Uniqueness

Uniqueness Score: -1.00%

Function 026CCE68, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.487849920.00000000026C0000.00000040.00000001.sdmp, Offset: 026C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9f4c2843c443cd87bc000eeeada63fab6a4503cfa7588daf375124b17d97e58
Instruction ID: 98c166a0b0a100802a59b42d0d0aaf87c0e1833c30c7bc037a11ae9a5c9c24d4
Opcode Fuzzy Hash: c9f4c2843c443cd87bc000eeeada63fab6a4503cfa7588daf375124b17d97e58
Instruction Fuzzy Hash: 82C08C3180A2908FCB45A770E2682083B20EB0A20AB310DB5D002C3199C338C880DF00

Uniqueness

Uniqueness Score: -1.00%

Function 026C0660, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.487849920.00000000026C0000.00000040.00000001.sdmp, Offset: 026C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a36d7d2eed4e3b01c126f9b0e2df3a4bfad7a6a7679ac5a648a638ff44760f77
Instruction ID: 18b0cc01616d6215d520780ab277f4295e187f4c7d9993b85ab97938e941119e
Opcode Fuzzy Hash: a36d7d2eed4e3b01c126f9b0e2df3a4bfad7a6a7679ac5a648a638ff44760f77
Instruction Fuzzy Hash: CDC09B71059664CEC25C7F766D0563D7259D7D1305770C4399505501318D729473D955

Uniqueness

Uniqueness Score: -1.00%

Function 026C065F, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.487849920.00000000026C0000.00000040.00000001.sdmp, Offset: 026C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4924741186c81875ace520f4a2b814d21c61fb5e22a1f00842732c3f5d91270
Instruction ID: b3d92ed23d16c6a68e524b78675d9074a84036e405dd3524db27bf146afc03d1
Opcode Fuzzy Hash: b4924741186c81875ace520f4a2b814d21c61fb5e22a1f00842732c3f5d91270
Instruction Fuzzy Hash: 3AC08C7108E1A0CDC3287B72280097D7B10DBA2301330853EC40250121C9724063CD01

Uniqueness

Uniqueness Score: -1.00%

Function 026C64A0, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.487849920.00000000026C0000.00000040.00000001.sdmp, Offset: 026C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32431c7cff6dbd16d315de0cf0624aaaece8317f19dcd31996fc345dbf903715
Instruction ID: 66548faa3ed8a2b98c4c652e9190c52b27d64b3ad8fece802977e3653ca9195c
Opcode Fuzzy Hash: 32431c7cff6dbd16d315de0cf0624aaaece8317f19dcd31996fc345dbf903715
Instruction Fuzzy Hash: 65C08CCEE084A8DDCB321960652A7946F68A7D1201FCE50FB885013B9AE59C98088110

Uniqueness

Uniqueness Score: -1.00%

Function 026C5F60, Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.487849920.00000000026C0000.00000040.00000001.sdmp, Offset: 026C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e50d74be3f5b3d18ca5dc42eecd6ba000dfc36a9db6ac3aaef6bacafa87f5dd5
Instruction ID: 85806e4e4bb7313ac4be998d4e32c69a40c85d7d3ed337c08b495004f4d51754
Opcode Fuzzy Hash: e50d74be3f5b3d18ca5dc42eecd6ba000dfc36a9db6ac3aaef6bacafa87f5dd5
Instruction Fuzzy Hash: D7B09230264B098B56583BB16D0C37A379CD9445457940019E56FD1111EF72A4018962

Uniqueness

Uniqueness Score: -1.00%

Function 026CF6D0, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.487849920.00000000026C0000.00000040.00000001.sdmp, Offset: 026C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b2d529a10344e411ca7058d883128ade73c0c85c6fedcdc1fb67b343d9c7d88
Instruction ID: 799ac552377b5bcc027ed9c7737f1cf582c5bd9c64b06da5d9532955e1b3c2c2
Opcode Fuzzy Hash: 3b2d529a10344e411ca7058d883128ade73c0c85c6fedcdc1fb67b343d9c7d88
Instruction Fuzzy Hash: 6EB0123054270C47DD8433F0640C32D739D59805107C00029A90D43700BE7AA4144859

Uniqueness

Uniqueness Score: -1.00%

Function 026C5F5F, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.487849920.00000000026C0000.00000040.00000001.sdmp, Offset: 026C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6ad16ff7656beb2dc36561236eecdb3bcd1fb507ddf2b1312fa5994fdbd9ccf
Instruction ID: 489dc77d773888055c5a05d46846993c016a7ce5083bb1042fd2bcc06e538140
Opcode Fuzzy Hash: b6ad16ff7656beb2dc36561236eecdb3bcd1fb507ddf2b1312fa5994fdbd9ccf
Instruction Fuzzy Hash: 57B0123425D3456A5F2927712C8477E3F68C840084364015EE81FE1522DE62A0068D01

Uniqueness

Uniqueness Score: -1.00%

Function 026C741C, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.487849920.00000000026C0000.00000040.00000001.sdmp, Offset: 026C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9331830965d72d12fcbefa973c87c0cf332396a92bd300e1243d284f656f33ac
Instruction ID: d4f12566ce13c8b6d4f1320551551fff899f974c4388c893ba28a1c44bc14b3e
Opcode Fuzzy Hash: 9331830965d72d12fcbefa973c87c0cf332396a92bd300e1243d284f656f33ac
Instruction Fuzzy Hash: A0B092B7E04008CADB00AA84B4413EDFB34E790225F208037C31092000C2320175DA91

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 026C0D93, Relevance: 5.2, Strings: 4, Instructions: 249COMMON

Download Yara Rule

Strings

0jr, xrefs: 026C0F8E
,:kr, xrefs: 026C0E38
:@Dr, xrefs: 026C10CB
X1kr, xrefs: 026C0F1C

Memory Dump Source

Source File: 00000008.00000002.487849920.00000000026C0000.00000040.00000001.sdmp, Offset: 026C0000, based on PE: false

Similarity

API ID:
String ID: ,:kr$0jr$:@Dr$X1kr
API String ID: 0-1245831938
Opcode ID: 17884a987bfab749a3c59a618d02aed43beb95ef70c1b63e3ad06734b678dbfb
Instruction ID: 557646d6bf377f5686cb3129c85d9f4d02cfba6eb8ec4308cf08130c86557eb1
Opcode Fuzzy Hash: 17884a987bfab749a3c59a618d02aed43beb95ef70c1b63e3ad06734b678dbfb
Instruction Fuzzy Hash: A2B1B770A05344CFD3A4DF7CD260B6ABBE2BB94704F50996EE5498B399DF719842CB02

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: RegSvcs.exe PID: 6384 Parent PID: 528 RegSvcs.exeCOMMON

Executed Functions

Function 02B811D0, Relevance: 4.0, Strings: 3, Instructions: 222COMMON

Download Yara Rule

Strings

:@Dr, xrefs: 02B81406
X1kr, xrefs: 02B8130B
X1kr, xrefs: 02B81253

Memory Dump Source

Source File: 0000000D.00000002.278839774.0000000002B80000.00000040.00000001.sdmp, Offset: 02B80000, based on PE: false

Similarity

API ID:
String ID: :@Dr$X1kr$X1kr
API String ID: 0-2930718046
Opcode ID: 7c89c2c639caa53423a9482e2bc7c4d3f7e7101d5b0027e117b64b3d04405d0e
Instruction ID: 9c39cba0d9903b3eeb798a82495f89eb5484488f5c7b6858cb0852c5f81994d3
Opcode Fuzzy Hash: 7c89c2c639caa53423a9482e2bc7c4d3f7e7101d5b0027e117b64b3d04405d0e
Instruction Fuzzy Hash: 6C813774B001059FDB04EBADC454B7EBAE7EFC4304F688469D90A9B7A4DE709D42CB61

Uniqueness

Uniqueness Score: -1.00%

Function 02B811C1, Relevance: 2.7, Strings: 2, Instructions: 180COMMON

Download Yara Rule

Strings

:@Dr, xrefs: 02B81406
X1kr, xrefs: 02B81253

Memory Dump Source

Source File: 0000000D.00000002.278839774.0000000002B80000.00000040.00000001.sdmp, Offset: 02B80000, based on PE: false

Similarity

API ID:
String ID: :@Dr$X1kr
API String ID: 0-2776031997
Opcode ID: e5ef764494c58a960054f3e87bf0a8d7b667a6fba1bed578837667ef33b2ad77
Instruction ID: 16c91f765c79bf55cdede9d6f063f6cf4717cc97a1d62ed0a30e4fe6eae29fda
Opcode Fuzzy Hash: e5ef764494c58a960054f3e87bf0a8d7b667a6fba1bed578837667ef33b2ad77
Instruction Fuzzy Hash: 04615A34B011059FDB04ABADC454B6EBBF7EF84304F6880A9D90A9B7A5DF709D42CB61

Uniqueness

Uniqueness Score: -1.00%

Function 02B80120, Relevance: 1.4, Strings: 1, Instructions: 186COMMON

Download Yara Rule

Strings

:@Dr, xrefs: 02B802C5

Memory Dump Source

Source File: 0000000D.00000002.278839774.0000000002B80000.00000040.00000001.sdmp, Offset: 02B80000, based on PE: false

Similarity

API ID:
String ID: :@Dr
API String ID: 0-3830894600
Opcode ID: 9572c896806dd646bcd3fcabc02d359e565a3d4f219a6cfb236d6a0f6f432207
Instruction ID: b57e344f765a2c018b5161f6b14f0795b3fd8e53594f1babe941bd0424ac9016
Opcode Fuzzy Hash: 9572c896806dd646bcd3fcabc02d359e565a3d4f219a6cfb236d6a0f6f432207
Instruction Fuzzy Hash: 43713D34B00205CFC718FB68D468B697BE7EF89344F1484A9E80AD73A4CBB59D84CB94

Uniqueness

Uniqueness Score: -1.00%

Function 02B8040C, Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.278839774.0000000002B80000.00000040.00000001.sdmp, Offset: 02B80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e89277598bf13d9037e12086b255b40a1c0ca60ecf749549c6042d7caca6291
Instruction ID: 2f1d676c20626f9da99ddc7a39c78cd5ebacf9aa6d89b1c10534e4c36fc30da7
Opcode Fuzzy Hash: 0e89277598bf13d9037e12086b255b40a1c0ca60ecf749549c6042d7caca6291
Instruction Fuzzy Hash: CA418130B40326CFEB14BF64C4A97AE7FB1AF85344F1408A8D5069B3A1CFB58949CB90

Uniqueness

Uniqueness Score: -1.00%

Function 02B806E8, Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.278839774.0000000002B80000.00000040.00000001.sdmp, Offset: 02B80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6eadc2b98a06fec80fab3c3803bbdee394a024e3eb9a5ff12d41570d9d19947
Instruction ID: 4d96f1a8da03eb5102b8b3a6acb22abcb2055d1f87ecf5e585bd43ffb9ff3156
Opcode Fuzzy Hash: f6eadc2b98a06fec80fab3c3803bbdee394a024e3eb9a5ff12d41570d9d19947
Instruction Fuzzy Hash: 72312A307012108FCB597B7CD12862E3AE2EF86309B2404BAE40ACF7A1EE36DC458795

Uniqueness

Uniqueness Score: -1.00%

Function 02B806F8, Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.278839774.0000000002B80000.00000040.00000001.sdmp, Offset: 02B80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07f96e90b027abc3838a38e60432c0092e4699b6f4ca7bc48a5e213754361682
Instruction ID: fa4ddf376f069cdf1c687a85d8d844536ba8b93643ca262ec4ffe3d72ff821d3
Opcode Fuzzy Hash: 07f96e90b027abc3838a38e60432c0092e4699b6f4ca7bc48a5e213754361682
Instruction Fuzzy Hash: 3F21FB307012108FCB597B7DD12862E3AD6EF85309B1404BAE50ACF7A1EE35DC458795

Uniqueness

Uniqueness Score: -1.00%

Function 02B8010F, Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.278839774.0000000002B80000.00000040.00000001.sdmp, Offset: 02B80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3660b3a077d04c93e24f2427c89ef90ab603aeff5d4ac72fab7aaf7180570a9
Instruction ID: be111cbf994c98c5fe8c2e2791dc319bd4d860b806484b89573e05e96a9a8656
Opcode Fuzzy Hash: b3660b3a077d04c93e24f2427c89ef90ab603aeff5d4ac72fab7aaf7180570a9
Instruction Fuzzy Hash: 9A216071E052489FDB20EF79C8557EEBFF2AB86240F1404AAE449E7360D7750A49CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02A605CF, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.278774735.0000000002A60000.00000040.00000040.sdmp, Offset: 02A60000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a1eb1c2aa5e0d7dbc32eabcb843caf8b879664d562da2b99d2821ed481b31c4
Instruction ID: 7bc679b0e644ad429cdb8ebab027b42269e8aa0202f66b2443d741b4209f05eb
Opcode Fuzzy Hash: 8a1eb1c2aa5e0d7dbc32eabcb843caf8b879664d562da2b99d2821ed481b31c4
Instruction Fuzzy Hash: 4101A7755097806FD7128B16EC40862FFB8DE86620708C4DFED898B612D225A909CB71

Uniqueness

Uniqueness Score: -1.00%

Function 02B81070, Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.278839774.0000000002B80000.00000040.00000001.sdmp, Offset: 02B80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90a7acb9ecb5f875081de3337d18b9a53e4a0e3ab0d4c75d3e3a17f557b94255
Instruction ID: 1ad5ce2b7988768d654b64eb8a7817c6fd2e787a85a0d68ec1d7fbe32ad383ef
Opcode Fuzzy Hash: 90a7acb9ecb5f875081de3337d18b9a53e4a0e3ab0d4c75d3e3a17f557b94255
Instruction Fuzzy Hash: 56F0B431310150ABD714AA7D9D11F6B77DADBC4761F1444AAF60DCB280DE61D80187A0

Uniqueness

Uniqueness Score: -1.00%

Function 02B81060, Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.278839774.0000000002B80000.00000040.00000001.sdmp, Offset: 02B80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05424bddcaed654f31942726bd6276d20c51d137dc32bbcede9c618a46260f46
Instruction ID: 9992e55ae3dbc080a143515a2486da1af1fd6ebe2bfbf3c77425b6e0c10e349d
Opcode Fuzzy Hash: 05424bddcaed654f31942726bd6276d20c51d137dc32bbcede9c618a46260f46
Instruction Fuzzy Hash: 13F0E9313143C0BFD7116A795C12F673EAADFC6660F1440AAE64CDB2C1DE65C8018374

Uniqueness

Uniqueness Score: -1.00%

Function 02B810D0, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.278839774.0000000002B80000.00000040.00000001.sdmp, Offset: 02B80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ce80cef5d2f771d97ec17b433755c0431bc8aa8203d173ac7208ef39acb1690
Instruction ID: 7c8bdacc8ed87498a0e4d3585ef287e4d0c04836403a2a36dbd393a20ae701ba
Opcode Fuzzy Hash: 7ce80cef5d2f771d97ec17b433755c0431bc8aa8203d173ac7208ef39acb1690
Instruction Fuzzy Hash: 73F01CB1E15609AFCF50EEAE98026DFBFF8EB56261F104066D159D7200E23545018BE1

Uniqueness

Uniqueness Score: -1.00%

Function 02B800C0, Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.278839774.0000000002B80000.00000040.00000001.sdmp, Offset: 02B80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ea753d676a1d0999f239b5ee1ab378bbbc59f34977ced7eb67585fcce4f7b82
Instruction ID: aac4ef59310d5d0f927f1cb57f49e437ceadf85b9db556c516b352091c51db36
Opcode Fuzzy Hash: 2ea753d676a1d0999f239b5ee1ab378bbbc59f34977ced7eb67585fcce4f7b82
Instruction Fuzzy Hash: 72F0A771E092498FCF10DFB898455DFBFF1EA5A250B2000AAD549E3311E2310605CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02B80F22, Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.278839774.0000000002B80000.00000040.00000001.sdmp, Offset: 02B80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82396366ec28a9d87ce236f809daf3ea889f461281b9eca2c66ba99d8f5c0f0e
Instruction ID: 9676c4b251ca0214e5268b74efb66c91ae3588af1106eef67b1daa781d24cb23
Opcode Fuzzy Hash: 82396366ec28a9d87ce236f809daf3ea889f461281b9eca2c66ba99d8f5c0f0e
Instruction Fuzzy Hash: CBF08C392042449FC745EB68D46899A3BEEEF8A21431A40EAE806CB376CA605C04CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02A605F6, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.278774735.0000000002A60000.00000040.00000040.sdmp, Offset: 02A60000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7d07700d183dfe928629293a78418f7a7bd5822e177461c4b4dbc842720e1c1
Instruction ID: d27021905aa704eccdce34c3f2492000cb5a9cbee08bab8019a9b4dabe54f682
Opcode Fuzzy Hash: b7d07700d183dfe928629293a78418f7a7bd5822e177461c4b4dbc842720e1c1
Instruction Fuzzy Hash: 83E06D766006008B9650CF0AEC41452FB98EB88630B18C06FDC0D8BB01E135B5058FA5

Uniqueness

Uniqueness Score: -1.00%

Function 02B80F30, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.278839774.0000000002B80000.00000040.00000001.sdmp, Offset: 02B80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c95fc4d7760cd4a57f7119ff9270d413d6d2279e62c82360507552eacca5d28
Instruction ID: c12d5bc2cb5da16f17e4a255ad32f8b36545c8a6e992f29e6b75ca3f780622d4
Opcode Fuzzy Hash: 5c95fc4d7760cd4a57f7119ff9270d413d6d2279e62c82360507552eacca5d28
Instruction Fuzzy Hash: 1EE012397001149FC754EB6CE46895A37EEEF892157154066E90AC7375DA706C44CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02B800D0, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.278839774.0000000002B80000.00000040.00000001.sdmp, Offset: 02B80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72d610899453b306e0567a3895ff63aedd682fba4a6f339d3928fab4cc7f83ac
Instruction ID: cbb2a3c692dc9bedbc7e9ba61f922968841be57d8f9c55b972a6b0665d6edda7
Opcode Fuzzy Hash: 72d610899453b306e0567a3895ff63aedd682fba4a6f339d3928fab4cc7f83ac
Instruction Fuzzy Hash: 33E09A71D0521D9F8F40EFB999455DEFFF8EB49250F100466E509E3200E3315615CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 02B810E0, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.278839774.0000000002B80000.00000040.00000001.sdmp, Offset: 02B80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d0eedaafcd44f40614753eabe145d3533ac6e06dc3f56820caa425b6d683eda
Instruction ID: 20cafb64283e989edada35b3486eb88a9b372f6dccb91d4ea4be700ec03e442d
Opcode Fuzzy Hash: 1d0eedaafcd44f40614753eabe145d3533ac6e06dc3f56820caa425b6d683eda
Instruction Fuzzy Hash: C2E0B6B1D112099FCB40EFBE98456EFBFF8EB48260F10407AD108E3200E6355251CBE1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: dhcpmon.exe PID: 6200 Parent PID: 528 dhcpmon.exeCOMMON

Executed Functions

Function 010B11D0, Relevance: 4.0, Strings: 3, Instructions: 222COMMON

Download Yara Rule

Strings

X1kr, xrefs: 010B130B
X1kr, xrefs: 010B1253
:@Dr, xrefs: 010B1406

Memory Dump Source

Source File: 0000000F.00000002.283192423.00000000010B0000.00000040.00000001.sdmp, Offset: 010B0000, based on PE: false

Similarity

API ID:
String ID: :@Dr$X1kr$X1kr
API String ID: 0-2930718046
Opcode ID: 253426e739a4925e70732a5bfc0c419b23bbff6236de4ece741f0071e86d7873
Instruction ID: c4f7501b5e2b96a09e3bbb350f5ca5080bc9c9967de495ab00cfb6265eebfdb6
Opcode Fuzzy Hash: 253426e739a4925e70732a5bfc0c419b23bbff6236de4ece741f0071e86d7873
Instruction Fuzzy Hash: 38814B74B001058FDB04EBBDD464A6EBBE7EFC4300F24846AD60AAB7A5DE749D41CB61

Uniqueness

Uniqueness Score: -1.00%

Function 010B0120, Relevance: 2.7, Strings: 2, Instructions: 186COMMON

Download Yara Rule

Strings

:@Dr, xrefs: 010B02C5
\,, xrefs: 010B0249

Memory Dump Source

Source File: 0000000F.00000002.283192423.00000000010B0000.00000040.00000001.sdmp, Offset: 010B0000, based on PE: false

Similarity

API ID:
String ID: :@Dr$\,
API String ID: 0-1809902370
Opcode ID: 4a2af8a1d2b6820e2192dd527cb039dde33db73b14ba18bd20fddd520f459bdf
Instruction ID: 1ae34ffb477d60826ad145222fc2e0928edba9c771adcc9fdce678419930e5f7
Opcode Fuzzy Hash: 4a2af8a1d2b6820e2192dd527cb039dde33db73b14ba18bd20fddd520f459bdf
Instruction Fuzzy Hash: AE7130347102058FD718EB79D598AAE7BF3BB88340F14846AE906D73A9CF759D45CB80

Uniqueness

Uniqueness Score: -1.00%

Function 010B040C, Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.283192423.00000000010B0000.00000040.00000001.sdmp, Offset: 010B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fff1357825f1b69f1f78f5a3e2ec96f4eaa93ef80441eb04ae8198b3f4e5adb
Instruction ID: 1288bab7f9e603d7058495b7f070ebb11cfc1b41007e20a64047cb40fd8c5525
Opcode Fuzzy Hash: 1fff1357825f1b69f1f78f5a3e2ec96f4eaa93ef80441eb04ae8198b3f4e5adb
Instruction Fuzzy Hash: 77417C70A00215CFEB149F79C4987EF7EF1AB88304F24406AE542AB2A4CFB58945CB90

Uniqueness

Uniqueness Score: -1.00%

Function 010B06F8, Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.283192423.00000000010B0000.00000040.00000001.sdmp, Offset: 010B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17c53d102c11c398d60f7fdb724b20c9fc319d75fe1e7885720650e0ac7b3adf
Instruction ID: 2f3673230912628f780d97d206c836f42655ae96f5b287149544553b493eb77f
Opcode Fuzzy Hash: 17c53d102c11c398d60f7fdb724b20c9fc319d75fe1e7885720650e0ac7b3adf
Instruction Fuzzy Hash: A521F8307012108FC759BB7DD128A2E3AE2AF85305B1404BEE50ACF7A5EE36DC458B95

Uniqueness

Uniqueness Score: -1.00%

Function 00EE05D1, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.282915847.0000000000EE0000.00000040.00000040.sdmp, Offset: 00EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ebed6b4c81263532ffbf5375c35feeff67c7324c97970274b8ac4ecc175f068
Instruction ID: 731bce5fdf75364a8867968ac65ac0ba6705c242aa3cb3a340a1eb2e8ce175ac
Opcode Fuzzy Hash: 2ebed6b4c81263532ffbf5375c35feeff67c7324c97970274b8ac4ecc175f068
Instruction Fuzzy Hash: E201D6725097806FD7128B06AC40863FFE8DE86620709C09FED898B612D125A808CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 010B1070, Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.283192423.00000000010B0000.00000040.00000001.sdmp, Offset: 010B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcd27d61c0de59f73794c4a6daa241c55d8c6031b9de19c47e83947814cfce3b
Instruction ID: eedfe48d9a7b3020c37321502dd1b171b72a3abcdfea348a0d49a76c94b42e87
Opcode Fuzzy Hash: fcd27d61c0de59f73794c4a6daa241c55d8c6031b9de19c47e83947814cfce3b
Instruction Fuzzy Hash: 21F0E931350150ABD714A6BDAD51FAB77DADBC4760F14456AF70DCB281DEB1DC008794

Uniqueness

Uniqueness Score: -1.00%

Function 00EE05F6, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.282915847.0000000000EE0000.00000040.00000040.sdmp, Offset: 00EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16f6f75dab768da083923df14080fae4258d7da6f8020c8a7921401f8de2b844
Instruction ID: 482accd199d5ede15634b359de9925f8c476967ea6868cd8abab9f5ed1d0a909
Opcode Fuzzy Hash: 16f6f75dab768da083923df14080fae4258d7da6f8020c8a7921401f8de2b844
Instruction Fuzzy Hash: BFE09276A006409BD650CF0BEC41462F7D8EB88630B18C07FDC0D8B700E136B504CEA6

Uniqueness

Uniqueness Score: -1.00%

Function 010B00D0, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.283192423.00000000010B0000.00000040.00000001.sdmp, Offset: 010B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0881a83710c8c2c9acdf23c4d5d0200200bd645b8ce7da948cd4fc747ae811b6
Instruction ID: d7c4a362ec17e04b21d77674afda9424690e5691054f82377247a58596972314
Opcode Fuzzy Hash: 0881a83710c8c2c9acdf23c4d5d0200200bd645b8ce7da948cd4fc747ae811b6
Instruction Fuzzy Hash: CEE07EB1E0521A9F8F40EFBA99455DEBFF8EA48250B20046AE608E3200E2315A158BE5

Uniqueness

Uniqueness Score: -1.00%

Function 010B0F30, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.283192423.00000000010B0000.00000040.00000001.sdmp, Offset: 010B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee8aef1568c06b5f928d682e40f6033f4342a3e1ff1b97c666ad2e76bb5700f7
Instruction ID: 63ec99112cfecf1845dc6477dfbc26a1b05b43beadc60ff6b5cbae9e4fae1eae
Opcode Fuzzy Hash: ee8aef1568c06b5f928d682e40f6033f4342a3e1ff1b97c666ad2e76bb5700f7
Instruction Fuzzy Hash: ACE092343501149FC704EB7CE56889A37EAEB892103104067E40AC7375CA706C04CBC1

Uniqueness

Uniqueness Score: -1.00%

Function 010B10E0, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.283192423.00000000010B0000.00000040.00000001.sdmp, Offset: 010B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42d298787620db4ee2ea969b3f74fb4eeab69d23a86bd71285cdc80f6447fcdb
Instruction ID: 4da96d4aa1a0e835917eb65661e80291b91c6b015515bceda677dd31e133394a
Opcode Fuzzy Hash: 42d298787620db4ee2ea969b3f74fb4eeab69d23a86bd71285cdc80f6447fcdb
Instruction Fuzzy Hash: 01E0B6B1D012099ECB40EFBEA8556DFBFF8EB48260F10443AD108E3200E23552518BE1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: dhcpmon.exe PID: 6404 Parent PID: 3388 dhcpmon.exeCOMMON

Executed Functions

Function 0293A4AA, Relevance: 1.6, APIs: 1, Instructions: 79fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,00000E2C,E0879605,00000000,00000000,00000000,00000000), ref: 0293A53D

Memory Dump Source

Source File: 00000019.00000002.301525835.000000000293A000.00000040.00000001.sdmp, Offset: 0293A000, based on PE: false

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: c89cf35c830d133c15c56e58405246471bfd39afedfdff471a2ee095a705f604
Instruction ID: e51d885d8cbb2658eaf116efc0bc433010fc3c87353a9a9a4151fb79aca61a2e
Opcode Fuzzy Hash: c89cf35c830d133c15c56e58405246471bfd39afedfdff471a2ee095a705f604
Instruction Fuzzy Hash: 0F218372409380AFD7128F65DC54F96BFB8EF46310F0885DBE9849F153D265A909C771

Uniqueness

Uniqueness Score: -1.00%

Function 0293A336, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 0293A39C

Memory Dump Source

Source File: 00000019.00000002.301525835.000000000293A000.00000040.00000001.sdmp, Offset: 0293A000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 0cfc166ca39084166d7f00e28c4d2d47974487e3fb592b590d674c7862f77d7e
Instruction ID: 90dfabf037a6d5945b5635a8defd6ee32d805ef3fbf403fc77109796f7b9f21f
Opcode Fuzzy Hash: 0cfc166ca39084166d7f00e28c4d2d47974487e3fb592b590d674c7862f77d7e
Instruction Fuzzy Hash: 0C215C715093C49FD7128B25DC45A56BFB4EF46220F0984EBDD85CF263D278A948CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0293A1F4, Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNELBASE ref: 0293A269

Memory Dump Source

Source File: 00000019.00000002.301525835.000000000293A000.00000040.00000001.sdmp, Offset: 0293A000, based on PE: false

Similarity

API ID: ConsoleOutput
String ID:
API String ID: 3985236979-0
Opcode ID: 73048ba566191215804d29259a92364bda8007d6439c5a8c72e5d209f2fb855f
Instruction ID: 428924d20cd4da9d73826a966fb75071e512b1463b34c1628ac67b9cf42f5356
Opcode Fuzzy Hash: 73048ba566191215804d29259a92364bda8007d6439c5a8c72e5d209f2fb855f
Instruction Fuzzy Hash: C4216D3540D7C49FD7138B258C95A52BFB4EF07220F0E81DBD9848F1A3D369A909CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0293A4DE, Relevance: 1.6, APIs: 1, Instructions: 60fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,00000E2C,E0879605,00000000,00000000,00000000,00000000), ref: 0293A53D

Memory Dump Source

Source File: 00000019.00000002.301525835.000000000293A000.00000040.00000001.sdmp, Offset: 0293A000, based on PE: false

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 24cbbd7ffb9d2562256f5f227c1f98082815dbd6c7cd9372e658e560eef5861f
Instruction ID: 8321e7b14ad853419035be94e8f36c982d80e9e682c8d8e8107bca1e9fad0d8a
Opcode Fuzzy Hash: 24cbbd7ffb9d2562256f5f227c1f98082815dbd6c7cd9372e658e560eef5861f
Instruction Fuzzy Hash: 9911BF72400200EFEB21CF55DC84F6AFBA8EF45320F14896BEE899B251D275A408CB71

Uniqueness

Uniqueness Score: -1.00%

Function 0293A36A, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 0293A39C

Memory Dump Source

Source File: 00000019.00000002.301525835.000000000293A000.00000040.00000001.sdmp, Offset: 0293A000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 29f8f58b0dacff715210a9edde69bf9674717e06029d3c57ede46e216b062463
Instruction ID: 15e6b2491a7bc338e3d317503429883670e2092075077a830510555005feedcf
Opcode Fuzzy Hash: 29f8f58b0dacff715210a9edde69bf9674717e06029d3c57ede46e216b062463
Instruction Fuzzy Hash: 08018F75504244DFDB119F29D884766FF94DF44320F18C4ABDD498F256D6B5A408CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0293A23A, Relevance: 1.5, APIs: 1, Instructions: 34COMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNELBASE ref: 0293A269

Memory Dump Source

Source File: 00000019.00000002.301525835.000000000293A000.00000040.00000001.sdmp, Offset: 0293A000, based on PE: false

Similarity

API ID: ConsoleOutput
String ID:
API String ID: 3985236979-0
Opcode ID: 60a477822c1ff337457f596c78a90b565ac47f5a37a6f123ce9422a09f668d9e
Instruction ID: 1bb756049883fe7677d11cf9fc03176763775de7a3afe73318e98f04a90529a3
Opcode Fuzzy Hash: 60a477822c1ff337457f596c78a90b565ac47f5a37a6f123ce9422a09f668d9e
Instruction Fuzzy Hash: E9F0C230804644DFDB11CF1AD884762FFD4EF04620F28C0AADD894F316D3BAA848CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 02932477, Relevance: .2, Instructions: 211COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.301517908.0000000002932000.00000040.00000001.sdmp, Offset: 02932000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2c830f376f484b43dd17361cf64ffe7098b261c6aa10de6ad210ebf9161d7cf
Instruction ID: 2455f6c5f1feb25e1c58af1026de84d8810249416cc7b91ebe8810be534143e1
Opcode Fuzzy Hash: e2c830f376f484b43dd17361cf64ffe7098b261c6aa10de6ad210ebf9161d7cf
Instruction Fuzzy Hash: 0F517FA2E0E3C35FC70747346879694BFB69E5316871A61DBDC84CF0E3D2088E4A9326

Uniqueness

Uniqueness Score: -1.00%

Function 010205D0, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.301452314.0000000001020000.00000040.00000040.sdmp, Offset: 01020000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05d94c9c3a89bd6611efcb9347938eb8f9a36ba1345ea1973b629ff167db7133
Instruction ID: 60890a4096ef6a5e97c7147c6c81b4d1b7ffa81add54854887db693f394b7f98
Opcode Fuzzy Hash: 05d94c9c3a89bd6611efcb9347938eb8f9a36ba1345ea1973b629ff167db7133
Instruction Fuzzy Hash: C201DB7150D7805FD7128B16DC40862FFF8DF86120709C4DFED49CB652E125A809CB72

Uniqueness

Uniqueness Score: -1.00%

Function 0102063B, Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.301452314.0000000001020000.00000040.00000040.sdmp, Offset: 01020000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4ee868208deea0ba6cd077ce8d5516a0d3934c20df601fc81c69b85b7b3ff34
Instruction ID: d876937af706a196998cdf631cffed95dd0192493f91d2f0a1d7bebf3fd5e4bb
Opcode Fuzzy Hash: a4ee868208deea0ba6cd077ce8d5516a0d3934c20df601fc81c69b85b7b3ff34
Instruction Fuzzy Hash: AAE092766446109BD650CF0BEC854A6F794EB88630B18C07FEC4D8B704F279A504CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 010205F6, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.301452314.0000000001020000.00000040.00000040.sdmp, Offset: 01020000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bec5d60df1b5e9ddbc7a4fcd272d568c82bdca26dac124906fe7a89204130bc
Instruction ID: b3fe82986f4c5c2406e3a242d5555a19957ba9ce36dfb1f91ebd8e10fce3d4b5
Opcode Fuzzy Hash: 6bec5d60df1b5e9ddbc7a4fcd272d568c82bdca26dac124906fe7a89204130bc
Instruction Fuzzy Hash: 78E092766046008BD650CF0BEC81452F7D8EB88630B18C07FDC0D8B700F135B504CEA5

Uniqueness

Uniqueness Score: -1.00%

Function 029323F4, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.301517908.0000000002932000.00000040.00000001.sdmp, Offset: 02932000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2927559e8d2ef08222ec12779e8c30ef37efa9c9752683b72511ce76e231a14
Instruction ID: 2bab34c1b48b6496b2f356204e9a539156f6ecdf55d2216a520c0e8736427363
Opcode Fuzzy Hash: c2927559e8d2ef08222ec12779e8c30ef37efa9c9752683b72511ce76e231a14
Instruction Fuzzy Hash: 50D05E79619A818FD3278B1CC1A8B953B98AB51B18F4644FDEC008B663C368E981D200

Uniqueness

Uniqueness Score: -1.00%

Function 029323BC, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.301517908.0000000002932000.00000040.00000001.sdmp, Offset: 02932000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc45ce7356cb88c301c136a842e485db780390384c9526a8592a64c041d47cf1
Instruction ID: 8782e2913e5e0497d26e5bc261d3c07dcfb41d385d1f325ff21b004e0348b364
Opcode Fuzzy Hash: bc45ce7356cb88c301c136a842e485db780390384c9526a8592a64c041d47cf1
Instruction Fuzzy Hash: 41D05E346402818BC716EB0CC594F5977D8AB41F04F0644E8AC008B662C3A4DC81C600

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior.
Tactics:	Discovery
Data Sources:	API monitoring, Azure activity logs, Office 365 account logs, Process command-line parameters, Process monitoring
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report Y5XyMnx8Ng.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: NanoCore

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

Operating System Destruction:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Network Port Distribution

TCP Packets

Description:	An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries.
Tactics:	Command and Control
Data Sources:	Network intrusion detection system, Network protocol analysis, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre