Play interactive tour

Edit tour

Analysis Report cp573oYDUX.exe

Overview

General Information

Sample Name:	cp573oYDUX.exe
Analysis ID:	357426
MD5:	33cf3af09d2a1789a2bbad009a43edd5
SHA1:	ffe606addd5694451511dd347bbc85a404328c9d
SHA256:	8da32ea516feb3bc471ba01ed18cb0aca1a9f39966c86ca4624dd2cea2e226cd
Tags:	exeNanoCoreRAT
Infos:
Most interesting Screenshot:

Detection

Nanocore

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected Nanocore Rat

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: NanoCore

Sigma detected: Scheduled temp file as task from temp location

Yara detected AntiVM_3

Yara detected Nanocore RAT

.NET source code contains potential unpacker

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Connects to many ports of the same IP (likely port scanning)

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Protects its processes via BreakOnTermination flag

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses dynamic DNS services

Uses schtasks.exe or at.exe to add and modify task schedules

Writes to foreign memory regions

Antivirus or Machine Learning detection for unpacked file

Contains capabilities to detect virtual machines

Contains functionality to call native functions

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains long sleeps (>= 3 min)

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

IP address seen in connection with other malware

Installs a raw input device (often for capturing keystrokes)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Startup

System is w10x64

cp573oYDUX.exe (PID: 7012 cmdline: 'C:\Users\user\Desktop\cp573oYDUX.exe' MD5: 33CF3AF09D2A1789A2BBAD009A43EDD5)

schtasks.exe (PID: 3800 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\eVEWVTvFLGVU' /XML 'C:\Users\user\AppData\Local\Temp\tmp53F8.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 4112 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

RegSvcs.exe (PID: 2264 cmdline: {path} MD5: 71369277D09DA0830C8C59F9E22BB23A)

schtasks.exe (PID: 6632 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpFC43.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 6620 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

schtasks.exe (PID: 5996 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpFF61.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 5144 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

RegSvcs.exe (PID: 5692 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe 0 MD5: 71369277D09DA0830C8C59F9E22BB23A)

conhost.exe (PID: 5684 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

dhcpmon.exe (PID: 5680 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0 MD5: 71369277D09DA0830C8C59F9E22BB23A)

conhost.exe (PID: 6916 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

dhcpmon.exe (PID: 7144 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: 71369277D09DA0830C8C59F9E22BB23A)

conhost.exe (PID: 7116 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "572eb7a9-aedf-4b39-8669-f7563dab8a38", "Group": "GREAT", "Domain1": "strongodss.ddns.net", "Domain2": "79.134.225.43", "Port": 58103, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Enable", "SetCriticalProcess": "Enable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Enable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8009, "BufferSize": "02000100", "MaxPacketSize": "", "GCThreshold": "", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n  <RegistrationInfo />\r\n  <Triggers />\r\n  <Principals>\r\n    <Principal id=\"Author\">\r\n      <LogonType>InteractiveToken</LogonType>\r\n      <RunLevel>HighestAvailable</RunLevel>\r\n    </Principal>\r\n  </Principals>\r\n  <Settings>\r\n    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n    <AllowHardTerminate>true</AllowHardTerminate>\r\n    <StartWhenAvailable>false</StartWhenAvailable>\r\n    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n    <IdleSettings>\r\n      <StopOnIdleEnd>false</StopOnIdleEnd>\r\n      <RestartOnIdle>false</RestartOnIdle>\r\n    </IdleSettings>\r\n    <AllowStartOnDemand>true</AllowStartOnDemand>\r\n    <Enabled>true</Enabled>\r\n    <Hidden>false</Hidden>\r\n    <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n    <WakeToRun>false</WakeToRun>\r\n    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n    <Priority>4</Priority>\r\n  </Settings>\r\n  <Actions Context=\"Author\">\r\n    <Exec>\r\n      <Command>\"#EXECUTABLEPATH\"</Command>\r\n      <Arguments>$(Arg0)</Arguments>\r\n    </Exec>\r\n  </Actions>\r\n</Task"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000007.00000002.600652707.0000000005030000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
00000007.00000002.600652707.0000000005030000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
00000007.00000002.594405865.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000007.00000002.594405865.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000007.00000002.594405865.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000007.00000002.599620352.0000000003DA7000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000007.00000002.599620352.0000000003DA7000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x8a7d:$a: NanoCore 0x8ad6:$a: NanoCore 0x8b13:$a: NanoCore 0x8b8c:$a: NanoCore 0xe121:$a: NanoCore 0xe16b:$a: NanoCore 0xe355:$a: NanoCore 0x21c74:$a: NanoCore 0x21c89:$a: NanoCore 0x21cbe:$a: NanoCore 0x3ac13:$a: NanoCore 0x3ac28:$a: NanoCore 0x3ac5d:$a: NanoCore 0x8adf:$b: ClientPlugin 0x8b1c:$b: ClientPlugin 0x941a:$b: ClientPlugin 0x9427:$b: ClientPlugin 0xdeba:$b: ClientPlugin 0xe12a:$b: ClientPlugin 0xe174:$b: ClientPlugin 0x21a30:$b: ClientPlugin
00000007.00000002.601347713.0000000005990000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1646:$x1: NanoCore.ClientPluginHost
00000007.00000002.601347713.0000000005990000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1646:$x2: NanoCore.ClientPluginHost 0x1724:$s4: PipeCreated 0x1660:$s5: IClientLoggingHost
00000007.00000002.601373463.00000000059A0000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
00000007.00000002.601373463.00000000059A0000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
00000007.00000002.601373463.00000000059A0000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.373693780.00000000042F3000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x44d0d:$x1: NanoCore.ClientPluginHost 0x13af4d:$x1: NanoCore.ClientPluginHost 0x44d4a:$x2: IClientNetworkHost 0x13af8a:$x2: IClientNetworkHost 0x4887d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x13eabd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.373693780.00000000042F3000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.373693780.00000000042F3000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x44a75:$a: NanoCore 0x44a85:$a: NanoCore 0x44cb9:$a: NanoCore 0x44ccd:$a: NanoCore 0x44d0d:$a: NanoCore 0x13acb5:$a: NanoCore 0x13acc5:$a: NanoCore 0x13aef9:$a: NanoCore 0x13af0d:$a: NanoCore 0x13af4d:$a: NanoCore 0x44ad4:$b: ClientPlugin 0x44cd6:$b: ClientPlugin 0x44d16:$b: ClientPlugin 0x13ad14:$b: ClientPlugin 0x13af16:$b: ClientPlugin 0x13af56:$b: ClientPlugin 0x44bfb:$c: ProjectData 0x13ae3b:$c: ProjectData 0x45602:$d: DESCrypto 0x13b842:$d: DESCrypto 0x4cfce:$e: KeepAlive
Process Memory Space: RegSvcs.exe PID: 2264	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5042:$x1: NanoCore.ClientPluginHost 0x18d00:$x1: NanoCore.ClientPluginHost 0x735a1:$x1: NanoCore.ClientPluginHost 0x75c1c:$x1: NanoCore.ClientPluginHost 0x7b849:$x1: NanoCore.ClientPluginHost 0x8cb70:$x1: NanoCore.ClientPluginHost 0x2becb8:$x1: NanoCore.ClientPluginHost 0x2d2f38:$x1: NanoCore.ClientPluginHost 0x31209b:$x1: NanoCore.ClientPluginHost 0x314737:$x1: NanoCore.ClientPluginHost 0x5068:$x2: IClientNetworkHost 0x18d61:$x2: IClientNetworkHost 0x735c7:$x2: IClientNetworkHost 0x7b88e:$x2: IClientNetworkHost 0x8cbb5:$x2: IClientNetworkHost 0x2d2f7d:$x2: IClientNetworkHost 0x3120c1:$x2: IClientNetworkHost 0x1e166:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x2c0d8:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: RegSvcs.exe PID: 2264	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: RegSvcs.exe PID: 2264	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x4f34:$a: NanoCore 0x4fd5:$a: NanoCore 0x5042:$a: NanoCore 0x5103:$a: NanoCore 0x5fd4:$a: NanoCore 0x6027:$a: NanoCore 0x6060:$a: NanoCore 0x60d3:$a: NanoCore 0x18805:$a: NanoCore 0x18821:$a: NanoCore 0x1897c:$a: NanoCore 0x1898b:$a: NanoCore 0x18c64:$a: NanoCore 0x18c90:$a: NanoCore 0x18d00:$a: NanoCore 0x28742:$a: NanoCore 0x28754:$a: NanoCore 0x28790:$a: NanoCore 0x73493:$a: NanoCore 0x73534:$a: NanoCore 0x735a1:$a: NanoCore
Process Memory Space: cp573oYDUX.exe PID: 7012	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 14 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
7.2.RegSvcs.exe.5030000.7.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
7.2.RegSvcs.exe.5030000.7.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
7.2.RegSvcs.exe.3daec9e.5.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x4083:$x1: NanoCore.ClientPluginHost
7.2.RegSvcs.exe.3daec9e.5.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x4083:$x2: NanoCore.ClientPluginHost 0x4161:$s4: PipeCreated 0x409d:$s5: IClientLoggingHost
7.2.RegSvcs.exe.3db9511.3.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
7.2.RegSvcs.exe.3db9511.3.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
7.2.RegSvcs.exe.3db9511.3.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
7.2.RegSvcs.exe.2d716fc.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0x64c2:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
7.2.RegSvcs.exe.2d716fc.2.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x64c2:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0x65a0:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost 0x64dc:$s5: IClientLoggingHost
7.2.RegSvcs.exe.3daec9e.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0x6483:$x1: NanoCore.ClientPluginHost 0x1a020:$x1: NanoCore.ClientPluginHost 0x32fbf:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost 0x1a04d:$x2: IClientNetworkHost 0x32fec:$x2: IClientNetworkHost
7.2.RegSvcs.exe.3daec9e.5.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x6483:$x2: NanoCore.ClientPluginHost 0x1a020:$x2: NanoCore.ClientPluginHost 0x32fbf:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0x6561:$s4: PipeCreated 0x1b0fb:$s4: PipeCreated 0x3409a:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost 0x649d:$s5: IClientLoggingHost 0x1a03a:$s5: IClientLoggingHost 0x32fd9:$s5: IClientLoggingHost
7.2.RegSvcs.exe.3daec9e.5.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
7.2.RegSvcs.exe.3daec9e.5.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xddf:$a: NanoCore 0xe38:$a: NanoCore 0xe75:$a: NanoCore 0xeee:$a: NanoCore 0x6483:$a: NanoCore 0x64cd:$a: NanoCore 0x66b7:$a: NanoCore 0x19fd6:$a: NanoCore 0x19feb:$a: NanoCore 0x1a020:$a: NanoCore 0x32f75:$a: NanoCore 0x32f8a:$a: NanoCore 0x32fbf:$a: NanoCore 0xe41:$b: ClientPlugin 0xe7e:$b: ClientPlugin 0x177c:$b: ClientPlugin 0x1789:$b: ClientPlugin 0x621c:$b: ClientPlugin 0x648c:$b: ClientPlugin 0x64d6:$b: ClientPlugin 0x19d92:$b: ClientPlugin
0.2.cp573oYDUX.exe.4327b80.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x1063cd:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x10640a:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x109f3d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.cp573oYDUX.exe.4327b80.2.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.cp573oYDUX.exe.4327b80.2.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0x106135:$a: NanoCore 0x106145:$a: NanoCore 0x106379:$a: NanoCore 0x10638d:$a: NanoCore 0x1063cd:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x106194:$b: ClientPlugin 0x106396:$b: ClientPlugin 0x1063d6:$b: ClientPlugin 0x1007b:$c: ProjectData 0x1062bb:$c: ProjectData 0x10a82:$d: DESCrypto 0x106cc2:$d: DESCrypto 0x1844e:$e: KeepAlive
7.2.RegSvcs.exe.59a0000.11.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
7.2.RegSvcs.exe.59a0000.11.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
7.2.RegSvcs.exe.59a0000.11.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.cp573oYDUX.exe.4327b80.2.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.cp573oYDUX.exe.4327b80.2.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
0.2.cp573oYDUX.exe.4327b80.2.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.cp573oYDUX.exe.4327b80.2.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
7.2.RegSvcs.exe.59a0000.11.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
7.2.RegSvcs.exe.59a0000.11.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
7.2.RegSvcs.exe.59a0000.11.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
7.2.RegSvcs.exe.5990000.9.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1646:$x1: NanoCore.ClientPluginHost
7.2.RegSvcs.exe.5990000.9.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1646:$x2: NanoCore.ClientPluginHost 0x1724:$s4: PipeCreated 0x1660:$s5: IClientLoggingHost
7.2.RegSvcs.exe.3db9511.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0x2874c:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost 0x28779:$x2: IClientNetworkHost
7.2.RegSvcs.exe.3db9511.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x2874c:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0x29827:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost 0x28766:$s5: IClientLoggingHost
7.2.RegSvcs.exe.3db9511.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
7.2.RegSvcs.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
7.2.RegSvcs.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
7.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
7.2.RegSvcs.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
7.2.RegSvcs.exe.59a4629.10.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost
7.2.RegSvcs.exe.59a4629.10.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost
7.2.RegSvcs.exe.59a4629.10.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
7.2.RegSvcs.exe.2d76578.1.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1646:$x1: NanoCore.ClientPluginHost
7.2.RegSvcs.exe.2d76578.1.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1646:$x2: NanoCore.ClientPluginHost 0x1724:$s4: PipeCreated 0x1660:$s5: IClientLoggingHost
7.2.RegSvcs.exe.2d716fc.2.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x40c2:$x1: NanoCore.ClientPluginHost
7.2.RegSvcs.exe.2d716fc.2.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x40c2:$x2: NanoCore.ClientPluginHost 0x41a0:$s4: PipeCreated 0x40dc:$s5: IClientLoggingHost
7.2.RegSvcs.exe.3db3adb.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1646:$x1: NanoCore.ClientPluginHost 0x151e3:$x1: NanoCore.ClientPluginHost 0x2e182:$x1: NanoCore.ClientPluginHost 0x15210:$x2: IClientNetworkHost 0x2e1af:$x2: IClientNetworkHost
7.2.RegSvcs.exe.3db3adb.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1646:$x2: NanoCore.ClientPluginHost 0x151e3:$x2: NanoCore.ClientPluginHost 0x2e182:$x2: NanoCore.ClientPluginHost 0x1724:$s4: PipeCreated 0x162be:$s4: PipeCreated 0x2f25d:$s4: PipeCreated 0x1660:$s5: IClientLoggingHost 0x151fd:$s5: IClientLoggingHost 0x2e19c:$s5: IClientLoggingHost
7.2.RegSvcs.exe.3db3adb.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
7.2.RegSvcs.exe.3db3adb.4.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1646:$a: NanoCore 0x1690:$a: NanoCore 0x187a:$a: NanoCore 0x15199:$a: NanoCore 0x151ae:$a: NanoCore 0x151e3:$a: NanoCore 0x2e138:$a: NanoCore 0x2e14d:$a: NanoCore 0x2e182:$a: NanoCore 0x13df:$b: ClientPlugin 0x164f:$b: ClientPlugin 0x1699:$b: ClientPlugin 0x14f55:$b: ClientPlugin 0x14f70:$b: ClientPlugin 0x14fa0:$b: ClientPlugin 0x151b7:$b: ClientPlugin 0x151ec:$b: ClientPlugin 0x2def4:$b: ClientPlugin 0x2df0f:$b: ClientPlugin 0x2df3f:$b: ClientPlugin 0x2e156:$b: ClientPlugin
0.2.cp573oYDUX.exe.435c3a0.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd1bad:$x1: NanoCore.ClientPluginHost 0xd1bea:$x2: IClientNetworkHost 0xd571d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.cp573oYDUX.exe.435c3a0.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.cp573oYDUX.exe.435c3a0.3.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xd1915:$a: NanoCore 0xd1925:$a: NanoCore 0xd1b59:$a: NanoCore 0xd1b6d:$a: NanoCore 0xd1bad:$a: NanoCore 0xd1974:$b: ClientPlugin 0xd1b76:$b: ClientPlugin 0xd1bb6:$b: ClientPlugin 0xd1a9b:$c: ProjectData 0xd24a2:$d: DESCrypto 0xd9e6e:$e: KeepAlive 0xd7e5c:$g: LogClientMessage 0xd4057:$i: get_Connected 0xd27d8:$j: #=q 0xd2808:$j: #=q 0xd2824:$j: #=q 0xd2854:$j: #=q 0xd2870:$j: #=q 0xd288c:$j: #=q 0xd28bc:$j: #=q 0xd28d8:$j: #=q
Click to see the 44 entries

Sigma Overview

System Summary:

Sigma detected: NanoCore

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, ProcessId: 2264, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Sigma detected: Scheduled temp file as task from temp location

Show sources

Source: Process started

Author: Joe Security: Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\eVEWVTvFLGVU' /XML 'C:\Users\user\AppData\Local\Temp\tmp53F8.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\eVEWVTvFLGVU' /XML 'C:\Users\user\AppData\Local\Temp\tmp53F8.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\cp573oYDUX.exe' , ParentImage: C:\Users\user\Desktop\cp573oYDUX.exe, ParentProcessId: 7012, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\eVEWVTvFLGVU' /XML 'C:\Users\user\AppData\Local\Temp\tmp53F8.tmp', ProcessId: 3800

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 00000007.00000002.599620352.0000000003DA7000.00000004.00000001.sdmp

Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "572eb7a9-aedf-4b39-8669-f7563dab8a38", "Group": "GREAT", "Domain1": "strongodss.ddns.net", "Domain2": "79.134.225.43", "Port": 58103, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Enable", "SetCriticalProcess": "Enable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Enable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8009, "BufferSize": "02000100", "MaxPacketSize": "", "GCThreshold": "", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n <RegistrationInfo />\r\n <Triggers />\r\n <Principals>\r\n <Principal id=\"Author\">\r\n <LogonType>InteractiveToken</LogonType>\r\n <RunLevel>HighestAvailable</RunLevel>\r\n </Principal>\r\n </Principals>\r\n <Settings>\r\n <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n <AllowHardTerminate>true</AllowHardTerminate>\r\n <StartWhenAvailable>false</StartWhenAvailable>\r\n <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n <IdleSettings>\r\n <StopOnIdleEnd>false</StopOnIdleEnd>\r\n <RestartOnIdle>false</RestartOnIdle>\r\n </IdleSettings>\r\n <AllowStartOnDemand>true</AllowStartOnDemand>\r\n <Enabled>true</Enabled>\r\n <Hidden>false</Hidden>\r\n <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n <WakeToRun>false</WakeToRun>\r\n <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n <Priority>4</Priority>\r\n </Settings>\r\n <Actions Context=\"Author\">\r\n <Exec>\r\n <Command>\"#EXECUTABLEPATH\"</Command>\r\n <Arguments>$(Arg0)</Arguments>\r\n </Exec>\r\n </Actions>\r\n</Task"}

Multi AV Scanner detection for domain / URL

Show sources

Source: strongodss.ddns.net

Virustotal: Detection: 8%

Perma Link

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\eVEWVTvFLGVU.exe

ReversingLabs: Detection: 31%

Multi AV Scanner detection for submitted file

Show sources

Source: cp573oYDUX.exe	Virustotal: Detection: 32%			Perma Link
Source: cp573oYDUX.exe	ReversingLabs: Detection: 31%

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000007.00000002.594405865.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.599620352.0000000003DA7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.601373463.00000000059A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.373693780.00000000042F3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 2264, type: MEMORY
Source: Yara match	File source: 7.2.RegSvcs.exe.3db9511.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.3daec9e.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.cp573oYDUX.exe.4327b80.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.59a0000.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.cp573oYDUX.exe.4327b80.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.59a0000.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.3db9511.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.59a4629.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.3db3adb.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.cp573oYDUX.exe.435c3a0.3.raw.unpack, type: UNPACKEDPE

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\eVEWVTvFLGVU.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Show sources

Source: cp573oYDUX.exe

Joe Sandbox ML: detected

Source: 7.2.RegSvcs.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 7.2.RegSvcs.exe.59a0000.11.unpack	Avira: Label: TR/NanoCore.fadte

Compliance:

Uses 32bit PE files

Show sources

Source: cp573oYDUX.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Uses new MSVCR Dlls

Show sources

Source: C:\Users\user\Desktop\cp573oYDUX.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Jump to behavior

Contains modern PE file flags such as dynamic base (ASLR) or NX

Show sources

Source: cp573oYDUX.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Binary contains paths to debug symbols

Show sources

Source:	Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\NanoProtectPlugin\NanoProtectClient\obj\Debug\NanoProtectClient.pdb source: RegSvcs.exe, 00000007.00000002.599620352.0000000003DA7000.00000004.00000001.sdmp
Source:	Binary string: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.pdb source: RegSvcs.exe, 00000007.00000002.596359463.0000000002915000.00000004.00000040.sdmp
Source:	Binary string: System.EnterpriseServices.Wrapper.pdb source: dhcpmon.exe, 0000000E.00000002.381960692.00000000056A0000.00000002.00000001.sdmp, dhcpmon.exe, 00000012.00000002.402048380.00000000054C0000.00000002.00000001.sdmp
Source:	Binary string: indows\RegSvcs.pdbpdbvcs.pdb source: RegSvcs.exe, 00000007.00000002.596359463.0000000002915000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\symbols\exe\RegSvcs.pdb source: RegSvcs.exe, 00000007.00000002.596359463.0000000002915000.00000004.00000040.sdmp
Source:	Binary string: RegSvcs.pdb source: dhcpmon.exe, dhcpmon.exe.7.dr
Source:	Binary string: mscorrc.pdb source: cp573oYDUX.exe, 00000000.00000002.378302834.0000000006EF0000.00000002.00000001.sdmp, RegSvcs.exe, 00000007.00000002.601059671.00000000056A0000.00000002.00000001.sdmp, RegSvcs.exe, 0000000C.00000002.380452902.0000000005530000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.382213793.0000000005750000.00000002.00000001.sdmp

Software Vulnerabilities:

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

Code function: 4x nop then mov esp, ebp

7_2_02908917

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor	URLs: 79.134.225.43
Source: Malware configuration extractor	URLs: strongodss.ddns.net

Connects to many ports of the same IP (likely port scanning)

Show sources

Source: global traffic	TCP traffic: 79.134.225.43 ports 0,1,3,58103,5,8
Source: global traffic	TCP traffic: 87.237.165.78 ports 0,1,3,58103,5,8

Uses dynamic DNS services

Show sources

Source: unknown

DNS query: name: strongodss.ddns.net

Source: global traffic	TCP traffic: 192.168.2.6:49724 -> 87.237.165.78:58103
Source: global traffic	TCP traffic: 192.168.2.6:49729 -> 79.134.225.43:58103

Source: Joe Sandbox View

IP Address: 79.134.225.43 79.134.225.43

Source: Joe Sandbox View

ASN Name: FINK-TELECOM-SERVICESCH FINK-TELECOM-SERVICESCH

Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.43
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.43
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.43
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.43
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.43
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.43
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.43
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.43
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.43
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.43
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.43
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.43
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.43
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.43
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.43
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.43
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.43
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.43
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.43
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.43
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.43
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.43
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.43
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.43
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.43
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.43
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.43

Source: unknown

DNS traffic detected: queries for: strongodss.ddns.net

Source: cp573oYDUX.exe, 00000000.00000003.329395807.0000000005253000.00000004.00000001.sdmp	String found in binary or memory: http://en.w
Source: cp573oYDUX.exe, 00000000.00000002.374864091.00000000053C0000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: cp573oYDUX.exe, 00000000.00000003.337101264.0000000005281000.00000004.00000001.sdmp	String found in binary or memory: http://www.agfamonotype.
Source: cp573oYDUX.exe, 00000000.00000003.328781426.000000000527F000.00000004.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: cp573oYDUX.exe, 00000000.00000003.329047446.0000000005281000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.com
Source: cp573oYDUX.exe, 00000000.00000003.329047446.0000000005281000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.com(
Source: cp573oYDUX.exe, 00000000.00000003.329047446.0000000005281000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.com.
Source: cp573oYDUX.exe, 00000000.00000003.329047446.0000000005281000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comEac
Source: cp573oYDUX.exe, 00000000.00000003.329047446.0000000005281000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comTC
Source: cp573oYDUX.exe, 00000000.00000003.329047446.0000000005281000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comal
Source: cp573oYDUX.exe, 00000000.00000003.329047446.0000000005281000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comams
Source: cp573oYDUX.exe, 00000000.00000003.329047446.0000000005281000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comfacG5w
Source: cp573oYDUX.exe, 00000000.00000003.329047446.0000000005281000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comic
Source: cp573oYDUX.exe, 00000000.00000002.374864091.00000000053C0000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: cp573oYDUX.exe, 00000000.00000003.329047446.0000000005281000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comn-u
Source: cp573oYDUX.exe, 00000000.00000003.329047446.0000000005281000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comona
Source: cp573oYDUX.exe, 00000000.00000003.329047446.0000000005281000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comtig55E
Source: cp573oYDUX.exe, 00000000.00000003.329047446.0000000005281000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comuct
Source: cp573oYDUX.exe, 00000000.00000003.331677577.000000000525A000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: cp573oYDUX.exe, 00000000.00000003.332897804.000000000525A000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/_
Source: cp573oYDUX.exe, 00000000.00000002.374864091.00000000053C0000.00000002.00000001.sdmp, cp573oYDUX.exe, 00000000.00000003.333338294.000000000525A000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: cp573oYDUX.exe, 00000000.00000002.374864091.00000000053C0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: cp573oYDUX.exe, 00000000.00000003.332932000.0000000005281000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.html
Source: cp573oYDUX.exe, 00000000.00000002.374864091.00000000053C0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: cp573oYDUX.exe, 00000000.00000003.332869924.0000000005281000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlp
Source: cp573oYDUX.exe, 00000000.00000003.332131926.0000000005281000.00000004.00000001.sdmp, cp573oYDUX.exe, 00000000.00000002.374864091.00000000053C0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: cp573oYDUX.exe, 00000000.00000003.332131926.0000000005281000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html8p(
Source: cp573oYDUX.exe, 00000000.00000002.374864091.00000000053C0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: cp573oYDUX.exe, 00000000.00000002.374864091.00000000053C0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: cp573oYDUX.exe, 00000000.00000002.374864091.00000000053C0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: cp573oYDUX.exe, 00000000.00000003.332247018.000000000525A000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersa
Source: cp573oYDUX.exe, 00000000.00000003.333160694.000000000525A000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersr
Source: cp573oYDUX.exe, 00000000.00000003.333160694.000000000525A000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com=
Source: cp573oYDUX.exe, 00000000.00000002.374558524.0000000005250000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.coma
Source: cp573oYDUX.exe, 00000000.00000003.333507582.000000000525A000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comals
Source: cp573oYDUX.exe, 00000000.00000003.331677577.000000000525A000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comdi
Source: cp573oYDUX.exe, 00000000.00000003.331556678.000000000525A000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comgrito
Source: cp573oYDUX.exe, 00000000.00000003.331677577.000000000525A000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comiond
Source: cp573oYDUX.exe, 00000000.00000003.332598799.000000000525A000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comitudF
Source: cp573oYDUX.exe, 00000000.00000003.331677577.000000000525A000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comonyF
Source: cp573oYDUX.exe, 00000000.00000003.333160694.000000000525A000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comrsiv
Source: cp573oYDUX.exe, 00000000.00000003.333160694.000000000525A000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comt
Source: cp573oYDUX.exe, 00000000.00000003.332897804.000000000525A000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comueikM
Source: cp573oYDUX.exe, 00000000.00000003.327285488.0000000005285000.00000004.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: cp573oYDUX.exe, 00000000.00000003.326989499.000000000116C000.00000004.00000001.sdmp	String found in binary or memory: http://www.fonts.comont
Source: cp573oYDUX.exe, 00000000.00000002.374864091.00000000053C0000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: cp573oYDUX.exe, 00000000.00000003.328672332.000000000527F000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/
Source: cp573oYDUX.exe, 00000000.00000002.374864091.00000000053C0000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: cp573oYDUX.exe, 00000000.00000002.374864091.00000000053C0000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: cp573oYDUX.exe, 00000000.00000003.328391063.000000000527D000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cnhy/
Source: cp573oYDUX.exe, 00000000.00000002.374864091.00000000053C0000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: cp573oYDUX.exe, 00000000.00000002.374864091.00000000053C0000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: cp573oYDUX.exe, 00000000.00000002.374864091.00000000053C0000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: cp573oYDUX.exe, 00000000.00000003.328160873.000000000525E000.00000004.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr:
Source: cp573oYDUX.exe, 00000000.00000003.328160873.000000000525E000.00000004.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.krnyis
Source: cp573oYDUX.exe, 00000000.00000003.330299816.000000000525A000.00000004.00000001.sdmp, cp573oYDUX.exe, 00000000.00000003.330044302.000000000525A000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: cp573oYDUX.exe, 00000000.00000003.329818359.0000000005259000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp//typ
Source: cp573oYDUX.exe, 00000000.00000003.329395807.0000000005253000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/F
Source: cp573oYDUX.exe, 00000000.00000003.329818359.0000000005259000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/RJG
Source: cp573oYDUX.exe, 00000000.00000003.330163656.000000000525A000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0P
Source: cp573oYDUX.exe, 00000000.00000003.329818359.0000000005259000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/_
Source: cp573oYDUX.exe, 00000000.00000003.330044302.000000000525A000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/b
Source: cp573oYDUX.exe, 00000000.00000003.329939920.000000000525A000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/i
Source: cp573oYDUX.exe, 00000000.00000003.330299816.000000000525A000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: cp573oYDUX.exe, 00000000.00000003.330163656.000000000525A000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/F
Source: cp573oYDUX.exe, 00000000.00000003.330163656.000000000525A000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/_
Source: cp573oYDUX.exe, 00000000.00000003.329395807.0000000005253000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/s-c
Source: cp573oYDUX.exe, 00000000.00000002.374864091.00000000053C0000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: cp573oYDUX.exe, 00000000.00000002.374864091.00000000053C0000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: cp573oYDUX.exe, 00000000.00000002.374864091.00000000053C0000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: cp573oYDUX.exe, 00000000.00000003.328160873.000000000525E000.00000004.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr-h
Source: cp573oYDUX.exe, 00000000.00000003.328160873.000000000525E000.00000004.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.krlns
Source: cp573oYDUX.exe, 00000000.00000003.328160873.000000000525E000.00000004.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.krproductW
Source: cp573oYDUX.exe, 00000000.00000003.328160873.000000000525E000.00000004.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.krx
Source: cp573oYDUX.exe, 00000000.00000002.374864091.00000000053C0000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: cp573oYDUX.exe, 00000000.00000002.374864091.00000000053C0000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: cp573oYDUX.exe, 00000000.00000003.333449545.000000000525A000.00000004.00000001.sdmp	String found in binary or memory: http://www.urwpp.de
Source: cp573oYDUX.exe, 00000000.00000002.374864091.00000000053C0000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: cp573oYDUX.exe, 00000000.00000003.333507582.000000000525A000.00000004.00000001.sdmp	String found in binary or memory: http://www.urwpp.deX
Source: cp573oYDUX.exe, 00000000.00000003.333449545.000000000525A000.00000004.00000001.sdmp	String found in binary or memory: http://www.urwpp.deeg
Source: cp573oYDUX.exe, 00000000.00000003.328825494.0000000005280000.00000004.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Source: dhcpmon.exe, 0000000E.00000002.379814239.0000000001588000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: RegSvcs.exe, 00000007.00000002.599620352.0000000003DA7000.00000004.00000001.sdmp

Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000007.00000002.594405865.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.599620352.0000000003DA7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.601373463.00000000059A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.373693780.00000000042F3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 2264, type: MEMORY
Source: Yara match	File source: 7.2.RegSvcs.exe.3db9511.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.3daec9e.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.cp573oYDUX.exe.4327b80.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.59a0000.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.cp573oYDUX.exe.4327b80.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.59a0000.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.3db9511.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.59a4629.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.3db3adb.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.cp573oYDUX.exe.435c3a0.3.raw.unpack, type: UNPACKEDPE

Operating System Destruction:

Protects its processes via BreakOnTermination flag

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

Process information set: 01 00 00 00

Jump to behavior

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000007.00000002.600652707.0000000005030000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000007.00000002.594405865.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000007.00000002.594405865.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000002.599620352.0000000003DA7000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000002.601347713.0000000005990000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000007.00000002.601373463.00000000059A0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.373693780.00000000042F3000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.373693780.00000000042F3000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: RegSvcs.exe PID: 2264, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: RegSvcs.exe PID: 2264, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.RegSvcs.exe.5030000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.RegSvcs.exe.3daec9e.5.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.RegSvcs.exe.3db9511.3.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.RegSvcs.exe.2d716fc.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.RegSvcs.exe.3daec9e.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.RegSvcs.exe.3daec9e.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.cp573oYDUX.exe.4327b80.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.cp573oYDUX.exe.4327b80.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.RegSvcs.exe.59a0000.11.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.cp573oYDUX.exe.4327b80.2.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.cp573oYDUX.exe.4327b80.2.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.RegSvcs.exe.59a0000.11.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.RegSvcs.exe.5990000.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.RegSvcs.exe.3db9511.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.RegSvcs.exe.59a4629.10.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.RegSvcs.exe.2d76578.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.RegSvcs.exe.2d716fc.2.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.RegSvcs.exe.3db3adb.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.RegSvcs.exe.3db3adb.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.cp573oYDUX.exe.435c3a0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.cp573oYDUX.exe.435c3a0.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 7_2_04FB1836 NtQuerySystemInformation,	7_2_04FB1836
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 7_2_04FB1572 NtSetInformationProcess,	7_2_04FB1572
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 7_2_04FB1541 NtSetInformationProcess,	7_2_04FB1541
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 7_2_04FB17FB NtQuerySystemInformation,	7_2_04FB17FB

Source: C:\Users\user\Desktop\cp573oYDUX.exe	Code function: 0_2_007A77E7	0_2_007A77E7
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Code function: 0_2_05022398	0_2_05022398
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Code function: 0_2_05024DDF	0_2_05024DDF
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Code function: 0_2_050230D1	0_2_050230D1
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Code function: 0_2_050230E0	0_2_050230E0
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Code function: 0_2_0502331B	0_2_0502331B
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Code function: 0_2_05022389	0_2_05022389
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Code function: 0_2_06DB48E6	0_2_06DB48E6
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Code function: 0_2_06DB51FC	0_2_06DB51FC
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Code function: 0_2_05020100	0_2_05020100
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Code function: 0_2_05020110	0_2_05020110
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 7_2_02909A68	7_2_02909A68
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 7_2_02908E68	7_2_02908E68
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 7_2_029023A0	7_2_029023A0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 7_2_02902FA8	7_2_02902FA8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 7_2_0290B738	7_2_0290B738
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 7_2_02903850	7_2_02903850
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 7_2_02909B2F	7_2_02909B2F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 7_2_0290306F	7_2_0290306F

Source: cp573oYDUX.exe	Binary or memory string: OriginalFilename vs cp573oYDUX.exe
Source: cp573oYDUX.exe, 00000000.00000002.374476566.0000000005120000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameBunifu.UI.dll4 vs cp573oYDUX.exe
Source: cp573oYDUX.exe, 00000000.00000002.380228840.0000000007930000.00000002.00000001.sdmp	Binary or memory string: originalfilename vs cp573oYDUX.exe
Source: cp573oYDUX.exe, 00000000.00000002.380228840.0000000007930000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs cp573oYDUX.exe
Source: cp573oYDUX.exe, 00000000.00000002.372857838.0000000003E11000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameAssemblyReferenceEntry.exeD vs cp573oYDUX.exe
Source: cp573oYDUX.exe, 00000000.00000002.378302834.0000000006EF0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs cp573oYDUX.exe
Source: cp573oYDUX.exe, 00000000.00000002.380044787.0000000007840000.00000002.00000001.sdmp	Binary or memory string: System.OriginalFileName vs cp573oYDUX.exe
Source: cp573oYDUX.exe	Binary or memory string: OriginalFilenameCA vs cp573oYDUX.exe

Source: cp573oYDUX.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: 00000007.00000002.600652707.0000000005030000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000007.00000002.600652707.0000000005030000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000007.00000002.594405865.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000007.00000002.594405865.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000007.00000002.599620352.0000000003DA7000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000007.00000002.601347713.0000000005990000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000007.00000002.601347713.0000000005990000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000007.00000002.601373463.00000000059A0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000007.00000002.601373463.00000000059A0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.373693780.00000000042F3000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.373693780.00000000042F3000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: RegSvcs.exe PID: 2264, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: RegSvcs.exe PID: 2264, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.RegSvcs.exe.5030000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.RegSvcs.exe.5030000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.RegSvcs.exe.3daec9e.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.RegSvcs.exe.3daec9e.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.RegSvcs.exe.3db9511.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.RegSvcs.exe.3db9511.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.RegSvcs.exe.2d716fc.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.RegSvcs.exe.2d716fc.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.RegSvcs.exe.3daec9e.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.RegSvcs.exe.3daec9e.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.RegSvcs.exe.3daec9e.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.cp573oYDUX.exe.4327b80.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.cp573oYDUX.exe.4327b80.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.RegSvcs.exe.59a0000.11.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.RegSvcs.exe.59a0000.11.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.cp573oYDUX.exe.4327b80.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.cp573oYDUX.exe.4327b80.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.cp573oYDUX.exe.4327b80.2.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.RegSvcs.exe.59a0000.11.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.RegSvcs.exe.59a0000.11.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.RegSvcs.exe.5990000.9.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.RegSvcs.exe.5990000.9.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.RegSvcs.exe.3db9511.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.RegSvcs.exe.3db9511.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.RegSvcs.exe.59a4629.10.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.RegSvcs.exe.59a4629.10.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.RegSvcs.exe.2d76578.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.RegSvcs.exe.2d76578.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.RegSvcs.exe.2d716fc.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.RegSvcs.exe.2d716fc.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.RegSvcs.exe.3db3adb.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.RegSvcs.exe.3db3adb.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.RegSvcs.exe.3db3adb.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.cp573oYDUX.exe.435c3a0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.cp573oYDUX.exe.435c3a0.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore

Source: cp573oYDUX.exe	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: eVEWVTvFLGVU.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: 7.2.RegSvcs.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 7.2.RegSvcs.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 7.2.RegSvcs.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: classification engine

Classification label: mal100.troj.evad.winEXE@18/13@12/2

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 7_2_04FB13F6 AdjustTokenPrivileges,		7_2_04FB13F6
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 7_2_04FB13BF AdjustTokenPrivileges,		7_2_04FB13BF

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

File created: C:\Program Files (x86)\DHCP Monitor

Jump to behavior

Source: C:\Users\user\Desktop\cp573oYDUX.exe

File created: C:\Users\user\AppData\Roaming\eVEWVTvFLGVU.exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4112:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5684:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6916:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7116:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5144:120:WilError_01
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6620:120:WilError_01
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Mutant created: \Sessions\1\BaseNamedObjects\iUCkNaGJKDECbn
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{572eb7a9-aedf-4b39-8669-f7563dab8a38}

Source: C:\Users\user\Desktop\cp573oYDUX.exe

File created: C:\Users\user\AppData\Local\Temp\tmp53F8.tmp

Jump to behavior

Source: cp573oYDUX.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\cp573oYDUX.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior

Source: C:\Users\user\Desktop\cp573oYDUX.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\cp573oYDUX.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: cp573oYDUX.exe	Virustotal: Detection: 32%
Source: cp573oYDUX.exe	ReversingLabs: Detection: 31%

Source: C:\Users\user\Desktop\cp573oYDUX.exe

File read: C:\Users\user\Desktop\cp573oYDUX.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\cp573oYDUX.exe 'C:\Users\user\Desktop\cp573oYDUX.exe'
Source: unknown	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\eVEWVTvFLGVU' /XML 'C:\Users\user\AppData\Local\Temp\tmp53F8.tmp'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe {path}
Source: unknown	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpFC43.tmp'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpFF61.tmp'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe 0
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\eVEWVTvFLGVU' /XML 'C:\Users\user\AppData\Local\Temp\tmp53F8.tmp'	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe {path}	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpFC43.tmp'	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpFF61.tmp'	Jump to behavior

Source: C:\Users\user\Desktop\cp573oYDUX.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\cp573oYDUX.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Jump to behavior

Source: cp573oYDUX.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: C:\Users\user\Desktop\cp573oYDUX.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Jump to behavior

Source: cp573oYDUX.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\NanoProtectPlugin\NanoProtectClient\obj\Debug\NanoProtectClient.pdb source: RegSvcs.exe, 00000007.00000002.599620352.0000000003DA7000.00000004.00000001.sdmp
Source:	Binary string: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.pdb source: RegSvcs.exe, 00000007.00000002.596359463.0000000002915000.00000004.00000040.sdmp
Source:	Binary string: System.EnterpriseServices.Wrapper.pdb source: dhcpmon.exe, 0000000E.00000002.381960692.00000000056A0000.00000002.00000001.sdmp, dhcpmon.exe, 00000012.00000002.402048380.00000000054C0000.00000002.00000001.sdmp
Source:	Binary string: indows\RegSvcs.pdbpdbvcs.pdb source: RegSvcs.exe, 00000007.00000002.596359463.0000000002915000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\symbols\exe\RegSvcs.pdb source: RegSvcs.exe, 00000007.00000002.596359463.0000000002915000.00000004.00000040.sdmp
Source:	Binary string: RegSvcs.pdb source: dhcpmon.exe, dhcpmon.exe.7.dr
Source:	Binary string: mscorrc.pdb source: cp573oYDUX.exe, 00000000.00000002.378302834.0000000006EF0000.00000002.00000001.sdmp, RegSvcs.exe, 00000007.00000002.601059671.00000000056A0000.00000002.00000001.sdmp, RegSvcs.exe, 0000000C.00000002.380452902.0000000005530000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.382213793.0000000005750000.00000002.00000001.sdmp

Data Obfuscation:

.NET source code contains potential unpacker

Show sources

Source: cp573oYDUX.exe, Login.cs	.Net Code: set_Name System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: eVEWVTvFLGVU.exe.0.dr, Login.cs	.Net Code: set_Name System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.cp573oYDUX.exe.7a0000.0.unpack, Login.cs	.Net Code: set_Name System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.cp573oYDUX.exe.7a0000.0.unpack, Login.cs	.Net Code: set_Name System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.2.RegSvcs.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.2.RegSvcs.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: C:\Users\user\Desktop\cp573oYDUX.exe

Code function: 0_2_05026A11 push ds; retf

0_2_05026A12

Source: initial sample	Static PE information: section name: .text entropy: 7.94883955827
Source: initial sample	Static PE information: section name: .text entropy: 7.94883955827

Source: 7.2.RegSvcs.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 7.2.RegSvcs.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'

Persistence and Installation Behavior:

Source: C:\Users\user\Desktop\cp573oYDUX.exe	File created: C:\Users\user\AppData\Roaming\eVEWVTvFLGVU.exe			Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe			Jump to dropped file

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules

Show sources

Source: unknown

Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\eVEWVTvFLGVU' /XML 'C:\Users\user\AppData\Local\Temp\tmp53F8.tmp'

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Users\user\Desktop\cp573oYDUX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM_3

Show sources

Source: Yara match

File source: Process Memory Space: cp573oYDUX.exe PID: 7012, type: MEMORY

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Show sources

Source: C:\Users\user\Desktop\cp573oYDUX.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\cimv2 : SELECT * FROM Win32_VideoController

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: cp573oYDUX.exe, 00000000.00000002.371863417.000000000337E000.00000004.00000001.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME<
Source: cp573oYDUX.exe, 00000000.00000002.371863417.000000000337E000.00000004.00000001.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: cp573oYDUX.exe, 00000000.00000002.372804560.0000000003505000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\cp573oYDUX.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 name: Identifier	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum name: 0	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

Source: C:\Users\user\Desktop\cp573oYDUX.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

Window / User API: foregroundWindowGot 788

Jump to behavior

Source: C:\Users\user\Desktop\cp573oYDUX.exe TID: 7080	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6696	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 5700	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

Code function: 7_2_04FB161A GetSystemInfo,

7_2_04FB161A

Source: cp573oYDUX.exe, 00000000.00000002.371863417.000000000337E000.00000004.00000001.sdmp	Binary or memory string: kr#"SOFTWARE\VMware, Inc.\VMware Tools<
Source: cp573oYDUX.exe, 00000000.00000002.371863417.000000000337E000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II<
Source: RegSvcs.exe, 00000007.00000002.595640226.0000000000D76000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW.
Source: RegSvcs.exe, 00000007.00000002.601767423.0000000006390000.00000002.00000001.sdmp, RegSvcs.exe, 0000000C.00000002.380544790.0000000005590000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.382357491.00000000057B0000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: cp573oYDUX.exe, 00000000.00000002.371863417.000000000337E000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: cp573oYDUX.exe, 00000000.00000002.371863417.000000000337E000.00000004.00000001.sdmp	Binary or memory string: kr&%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\<
Source: cp573oYDUX.exe, 00000000.00000002.371863417.000000000337E000.00000004.00000001.sdmp	Binary or memory string: krA"SOFTWARE\VMware, Inc.\VMware Tools
Source: cp573oYDUX.exe, 00000000.00000002.371863417.000000000337E000.00000004.00000001.sdmp	Binary or memory string: kr%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: cp573oYDUX.exe, 00000000.00000002.372804560.0000000003505000.00000004.00000001.sdmp	Binary or memory string: VMWARE<
Source: cp573oYDUX.exe, 00000000.00000002.371863417.000000000337E000.00000004.00000001.sdmp	Binary or memory string: kr87HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware Tools\.
Source: cp573oYDUX.exe, 00000000.00000002.372804560.0000000003505000.00000004.00000001.sdmp	Binary or memory string: VMWARE
Source: cp573oYDUX.exe, 00000000.00000002.371863417.000000000337E000.00000004.00000001.sdmp	Binary or memory string: kr"SOFTWARE\VMware, Inc.\VMware Tools
Source: cp573oYDUX.exe, 00000000.00000002.371863417.000000000337E000.00000004.00000001.sdmp	Binary or memory string: QEMU<
Source: RegSvcs.exe, 00000007.00000002.601767423.0000000006390000.00000002.00000001.sdmp, RegSvcs.exe, 0000000C.00000002.380544790.0000000005590000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.382357491.00000000057B0000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: RegSvcs.exe, 00000007.00000002.601767423.0000000006390000.00000002.00000001.sdmp, RegSvcs.exe, 0000000C.00000002.380544790.0000000005590000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.382357491.00000000057B0000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: cp573oYDUX.exe, 00000000.00000002.371863417.000000000337E000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: cp573oYDUX.exe, 00000000.00000002.371863417.000000000337E000.00000004.00000001.sdmp	Binary or memory string: kr#"SOFTWARE\VMware, Inc.\VMware ToolsH
Source: RegSvcs.exe, 00000007.00000002.595725348.0000000000DB7000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllTokenRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"/>
Source: RegSvcs.exe, 00000007.00000002.601767423.0000000006390000.00000002.00000001.sdmp, RegSvcs.exe, 0000000C.00000002.380544790.0000000005590000.00000002.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.382357491.00000000057B0000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Anti Debugging:

Source: C:\Users\user\Desktop\cp573oYDUX.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Allocates memory in foreign processes

Show sources

Source: C:\Users\user\Desktop\cp573oYDUX.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 400000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\Desktop\cp573oYDUX.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 400000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Show sources

Source: C:\Users\user\Desktop\cp573oYDUX.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 402000	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 420000	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 422000	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 998008	Jump to behavior

Source: C:\Users\user\Desktop\cp573oYDUX.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\eVEWVTvFLGVU' /XML 'C:\Users\user\AppData\Local\Temp\tmp53F8.tmp'	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe {path}	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpFC43.tmp'	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpFF61.tmp'	Jump to behavior

Source: RegSvcs.exe, 00000007.00000002.597871588.0000000002E89000.00000004.00000001.sdmp	Binary or memory string: Program Manager
Source: RegSvcs.exe, 00000007.00000002.596088903.0000000001430000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: RegSvcs.exe, 00000007.00000002.596088903.0000000001430000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: RegSvcs.exe, 00000007.00000002.597664140.0000000002DF7000.00000004.00000001.sdmp	Binary or memory string: Program Managern could be made because the target machine actively refused it L
Source: RegSvcs.exe, 00000007.00000002.596088903.0000000001430000.00000002.00000001.sdmp	Binary or memory string: &Program Manager
Source: RegSvcs.exe, 00000007.00000002.596088903.0000000001430000.00000002.00000001.sdmp	Binary or memory string: Progmanlock
Source: RegSvcs.exe, 00000007.00000002.595725348.0000000000DB7000.00000004.00000020.sdmp	Binary or memory string: Program Manager (x86)\DHCP Monitor\dhcpmon.exe

Language, Device and Operating System Detection:

Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\cp573oYDUX.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\cp573oYDUX.exe

Code function: 0_2_07220FF2 GetUserNameA,

0_2_07220FF2

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000007.00000002.594405865.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.599620352.0000000003DA7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.601373463.00000000059A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.373693780.00000000042F3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 2264, type: MEMORY
Source: Yara match	File source: 7.2.RegSvcs.exe.3db9511.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.3daec9e.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.cp573oYDUX.exe.4327b80.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.59a0000.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.cp573oYDUX.exe.4327b80.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.59a0000.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.3db9511.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.59a4629.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.3db3adb.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.cp573oYDUX.exe.435c3a0.3.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Detected Nanocore Rat

Show sources

Source: RegSvcs.exe, 00000007.00000002.600652707.0000000005030000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: RegSvcs.exe, 00000007.00000002.600652707.0000000005030000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: RegSvcs.exe, 00000007.00000002.599620352.0000000003DA7000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoProtectClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoProtectClientClientPluginResourcesNanoProtectClient.My.ResourcesMySettingsMySettingsPropertyFunctionsNanoProtectClient.NanoProtectMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsGetProtectDirectoryGetProtectFileCreateProtectFileKillNanoCoreSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeLogClientMessageSystem.IOFileExistsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedEnvironmentSpecialFolderGetFolderPathPathCombineExceptionDirectoryDirectoryInfoCreateDirectoryFileStreamCreateProjectDataSetProjectErrorClearProjectErrorProcessGetCurrentProcessKillNanoProtectClient.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoProtectClient.dlla[NanoProtect]: Checking for NanoProtect module..

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000007.00000002.594405865.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.599620352.0000000003DA7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.601373463.00000000059A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.373693780.00000000042F3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 2264, type: MEMORY
Source: Yara match	File source: 7.2.RegSvcs.exe.3db9511.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.3daec9e.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.cp573oYDUX.exe.4327b80.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.59a0000.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.cp573oYDUX.exe.4327b80.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.59a0000.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.3db9511.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.59a4629.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.3db3adb.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.cp573oYDUX.exe.435c3a0.3.raw.unpack, type: UNPACKEDPE

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 7_2_04FB2B26 bind,		7_2_04FB2B26
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 7_2_04FB2AF6 bind,		7_2_04FB2AF6

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation1	Scheduled Task/Job1	Access Token Manipulation1	Disable or Modify Tools1	Input Capture21	Account Discovery1	Remote Services	Archive Collected Data11	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job1	Boot or Logon Initialization Scripts	Process Injection312	Deobfuscate/Decode Files or Information1	LSASS Memory	File and Directory Discovery1	Remote Desktop Protocol	Input Capture21	Exfiltration Over Bluetooth	Non-Standard Port1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Scheduled Task/Job1	Obfuscated Files or Information3	Security Account Manager	System Information Discovery13	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Remote Access Software1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Software Packing13	NTDS	Security Software Discovery311	Distributed Component Object Model	Input Capture	Scheduled Transfer	Non-Application Layer Protocol1	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Masquerading2	LSA Secrets	Virtualization/Sandbox Evasion13	SSH	Keylogging	Data Transfer Size Limits	Application Layer Protocol21	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Virtualization/Sandbox Evasion13	Cached Domain Credentials	Process Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Access Token Manipulation1	DCSync	Application Window Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Process Injection312	Proc Filesystem	System Owner/User Discovery1	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Hidden Files and Directories1	/etc/passwd and /etc/shadow	Remote System Discovery1	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
cp573oYDUX.exe	33%	Virustotal		Browse
cp573oYDUX.exe	31%	ReversingLabs	Win32.Trojan.AgentTesla
cp573oYDUX.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\eVEWVTvFLGVU.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	0%	Metadefender		Browse
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	0%	ReversingLabs
C:\Users\user\AppData\Roaming\eVEWVTvFLGVU.exe	31%	ReversingLabs	Win32.Trojan.AgentTesla

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
7.2.RegSvcs.exe.400000.0.unpack	100%	Avira	TR/Dropper.MSIL.Gen7		Download File
7.2.RegSvcs.exe.59a0000.11.unpack	100%	Avira	TR/NanoCore.fadte		Download File

Domains

Source	Detection	Scanner	Label	Link
strongodss.ddns.net	8%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
79.134.225.43	1%	Virustotal		Browse
79.134.225.43	0%	Avira URL Cloud	safe
http://www.carterandcone.comn-u	0%	URL Reputation	safe
http://www.carterandcone.comn-u	0%	URL Reputation	safe
http://www.carterandcone.comn-u	0%	URL Reputation	safe
http://www.carterandcone.comn-u	0%	URL Reputation	safe
http://www.fontbureau.comitudF	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/jp/F	0%	Avira URL Cloud	safe
http://www.carterandcone.comams	0%	Avira URL Cloud	safe
http://www.carterandcone.comal	0%	Avira URL Cloud	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.sandoll.co.kr-h	0%	Avira URL Cloud	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.carterandcone.com	0%	URL Reputation	safe
http://www.carterandcone.com	0%	URL Reputation	safe
http://www.carterandcone.com	0%	URL Reputation	safe
http://www.carterandcone.com(	0%	Avira URL Cloud	safe
http://www.carterandcone.com.	0%	URL Reputation	safe
http://www.carterandcone.com.	0%	URL Reputation	safe
http://www.carterandcone.com.	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/jp/_	0%	Avira URL Cloud	safe
http://www.fonts.comont	0%	Avira URL Cloud	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp//typ	0%	Avira URL Cloud	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.sandoll.co.krproductW	0%	Avira URL Cloud	safe
http://www.carterandcone.comEac	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cnhy/	0%	Avira URL Cloud	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.fontbureau.comgrito	0%	URL Reputation	safe
http://www.fontbureau.comgrito	0%	URL Reputation	safe
http://www.fontbureau.comgrito	0%	URL Reputation	safe
http://www.carterandcone.comuct	0%	Avira URL Cloud	safe
http://www.fontbureau.comrsiv	0%	Avira URL Cloud	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.de	0%	URL Reputation	safe
http://www.urwpp.de	0%	URL Reputation	safe
http://www.urwpp.de	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.fontbureau.com=	0%	Avira URL Cloud	safe
http://www.carterandcone.comic	0%	Avira URL Cloud	safe
http://www.goodfont.co.kr:	0%	Avira URL Cloud	safe
http://www.urwpp.deX	0%	Avira URL Cloud	safe
http://www.sandoll.co.krx	0%	Avira URL Cloud	safe
http://www.agfamonotype.	0%	URL Reputation	safe
http://www.agfamonotype.	0%	URL Reputation	safe
http://www.agfamonotype.	0%	URL Reputation	safe
http://www.carterandcone.comTC	0%	URL Reputation	safe
http://www.carterandcone.comTC	0%	URL Reputation	safe
http://www.carterandcone.comTC	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/Y0P	0%	Avira URL Cloud	safe
http://www.fontbureau.comonyF	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/F	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/F	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/F	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/jp/	0%	URL Reputation	safe
http://www.sandoll.co.krlns	0%	Avira URL Cloud	safe
http://www.carterandcone.comtig55E	0%	Avira URL Cloud	safe
http://www.fontbureau.coma	0%	URL Reputation	safe
http://www.fontbureau.coma	0%	URL Reputation	safe
http://www.fontbureau.coma	0%	URL Reputation	safe
http://en.w	0%	URL Reputation	safe
http://en.w	0%	URL Reputation	safe
http://en.w	0%	URL Reputation	safe
http://www.fontbureau.comdi	0%	Avira URL Cloud	safe
strongodss.ddns.net	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
strongodss.ddns.net	87.237.165.78	true	true	8%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
79.134.225.43	true	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
strongodss.ddns.net	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.fontbureau.com/designersG	cp573oYDUX.exe, 00000000.00000002.374864091.00000000053C0000.00000002.00000001.sdmp	false		high
http://www.carterandcone.comn-u	cp573oYDUX.exe, 00000000.00000003.329047446.0000000005281000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/?	cp573oYDUX.exe, 00000000.00000002.374864091.00000000053C0000.00000002.00000001.sdmp	false		high
http://www.fontbureau.comitudF	cp573oYDUX.exe, 00000000.00000003.332598799.000000000525A000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.founder.com.cn/cn/bThe	cp573oYDUX.exe, 00000000.00000002.374864091.00000000053C0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/jp/F	cp573oYDUX.exe, 00000000.00000003.330163656.000000000525A000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers?	cp573oYDUX.exe, 00000000.00000002.374864091.00000000053C0000.00000002.00000001.sdmp	false		high
http://www.carterandcone.comams	cp573oYDUX.exe, 00000000.00000003.329047446.0000000005281000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.comal	cp573oYDUX.exe, 00000000.00000003.329047446.0000000005281000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.tiro.com	cp573oYDUX.exe, 00000000.00000002.374864091.00000000053C0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers	cp573oYDUX.exe, 00000000.00000002.374864091.00000000053C0000.00000002.00000001.sdmp, cp573oYDUX.exe, 00000000.00000003.333338294.000000000525A000.00000004.00000001.sdmp	false		high
http://www.sandoll.co.kr-h	cp573oYDUX.exe, 00000000.00000003.328160873.000000000525E000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.goodfont.co.kr	cp573oYDUX.exe, 00000000.00000002.374864091.00000000053C0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.carterandcone.com	cp573oYDUX.exe, 00000000.00000003.329047446.0000000005281000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.carterandcone.com(	cp573oYDUX.exe, 00000000.00000003.329047446.0000000005281000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://www.carterandcone.com.	cp573oYDUX.exe, 00000000.00000003.329047446.0000000005281000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.sajatypeworks.com	cp573oYDUX.exe, 00000000.00000002.374864091.00000000053C0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.typography.netD	cp573oYDUX.exe, 00000000.00000002.374864091.00000000053C0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cn/cThe	cp573oYDUX.exe, 00000000.00000002.374864091.00000000053C0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/jp/_	cp573oYDUX.exe, 00000000.00000003.330163656.000000000525A000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fonts.comont	cp573oYDUX.exe, 00000000.00000003.326989499.000000000116C000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	cp573oYDUX.exe, 00000000.00000002.374864091.00000000053C0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp//typ	cp573oYDUX.exe, 00000000.00000003.329818359.0000000005259000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://fontfabrik.com	cp573oYDUX.exe, 00000000.00000002.374864091.00000000053C0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.sandoll.co.krproductW	cp573oYDUX.exe, 00000000.00000003.328160873.000000000525E000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designersa	cp573oYDUX.exe, 00000000.00000003.332247018.000000000525A000.00000004.00000001.sdmp	false		high
http://www.carterandcone.comEac	cp573oYDUX.exe, 00000000.00000003.329047446.0000000005281000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.founder.com.cn/cnhy/	cp573oYDUX.exe, 00000000.00000003.328391063.000000000527D000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.galapagosdesign.com/DPlease	cp573oYDUX.exe, 00000000.00000002.374864091.00000000053C0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.comgrito	cp573oYDUX.exe, 00000000.00000003.331556678.000000000525A000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.carterandcone.comuct	cp573oYDUX.exe, 00000000.00000003.329047446.0000000005281000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.comrsiv	cp573oYDUX.exe, 00000000.00000003.333160694.000000000525A000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fonts.com	cp573oYDUX.exe, 00000000.00000003.327285488.0000000005285000.00000004.00000001.sdmp	false		high
http://www.sandoll.co.kr	cp573oYDUX.exe, 00000000.00000002.374864091.00000000053C0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.urwpp.deDPlease	cp573oYDUX.exe, 00000000.00000002.374864091.00000000053C0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.urwpp.de	cp573oYDUX.exe, 00000000.00000003.333449545.000000000525A000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	cp573oYDUX.exe, 00000000.00000003.328825494.0000000005280000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.sakkal.com	cp573oYDUX.exe, 00000000.00000002.374864091.00000000053C0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com=	cp573oYDUX.exe, 00000000.00000003.333160694.000000000525A000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://www.carterandcone.comic	cp573oYDUX.exe, 00000000.00000003.329047446.0000000005281000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designersr	cp573oYDUX.exe, 00000000.00000003.333160694.000000000525A000.00000004.00000001.sdmp	false		high
http://www.goodfont.co.kr:	cp573oYDUX.exe, 00000000.00000003.328160873.000000000525E000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.urwpp.deX	cp573oYDUX.exe, 00000000.00000003.333507582.000000000525A000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0	cp573oYDUX.exe, 00000000.00000003.328781426.000000000527F000.00000004.00000001.sdmp	false		high
http://www.fontbureau.com	cp573oYDUX.exe, 00000000.00000003.331677577.000000000525A000.00000004.00000001.sdmp	false		high
http://www.fontbureau.com/_	cp573oYDUX.exe, 00000000.00000003.332897804.000000000525A000.00000004.00000001.sdmp	false		high
http://www.sandoll.co.krx	cp573oYDUX.exe, 00000000.00000003.328160873.000000000525E000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.agfamonotype.	cp573oYDUX.exe, 00000000.00000003.337101264.0000000005281000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlp	cp573oYDUX.exe, 00000000.00000003.332869924.0000000005281000.00000004.00000001.sdmp	false		high
http://www.carterandcone.comTC	cp573oYDUX.exe, 00000000.00000003.329047446.0000000005281000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/Y0P	cp573oYDUX.exe, 00000000.00000003.330163656.000000000525A000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.comonyF	cp573oYDUX.exe, 00000000.00000003.331677577.000000000525A000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/F	cp573oYDUX.exe, 00000000.00000003.329395807.0000000005253000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/jp/	cp573oYDUX.exe, 00000000.00000003.330299816.000000000525A000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.sandoll.co.krlns	cp573oYDUX.exe, 00000000.00000003.328160873.000000000525E000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.comtig55E	cp573oYDUX.exe, 00000000.00000003.329047446.0000000005281000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.coma	cp573oYDUX.exe, 00000000.00000002.374558524.0000000005250000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://en.w	cp573oYDUX.exe, 00000000.00000003.329395807.0000000005253000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.comdi	cp573oYDUX.exe, 00000000.00000003.331677577.000000000525A000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.coml	cp573oYDUX.exe, 00000000.00000002.374864091.00000000053C0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.goodfont.co.krnyis	cp573oYDUX.exe, 00000000.00000003.328160873.000000000525E000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers/frere-jones.html8p(	cp573oYDUX.exe, 00000000.00000003.332131926.0000000005281000.00000004.00000001.sdmp	false		high
http://www.urwpp.deeg	cp573oYDUX.exe, 00000000.00000003.333449545.000000000525A000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.founder.com.cn/cn/	cp573oYDUX.exe, 00000000.00000003.328672332.000000000527F000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	cp573oYDUX.exe, 00000000.00000002.374864091.00000000053C0000.00000002.00000001.sdmp	false		high
http://www.jiyu-kobo.co.jp/RJG	cp573oYDUX.exe, 00000000.00000003.329818359.0000000005259000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.comiond	cp573oYDUX.exe, 00000000.00000003.331677577.000000000525A000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.founder.com.cn/cn	cp573oYDUX.exe, 00000000.00000002.374864091.00000000053C0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-jones.html	cp573oYDUX.exe, 00000000.00000003.332131926.0000000005281000.00000004.00000001.sdmp, cp573oYDUX.exe, 00000000.00000002.374864091.00000000053C0000.00000002.00000001.sdmp	false		high
http://www.carterandcone.comfacG5w	cp573oYDUX.exe, 00000000.00000003.329047446.0000000005281000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers/cabarga.html	cp573oYDUX.exe, 00000000.00000003.332932000.0000000005281000.00000004.00000001.sdmp	false		high
http://www.fontbureau.comt	cp573oYDUX.exe, 00000000.00000003.333160694.000000000525A000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/	cp573oYDUX.exe, 00000000.00000003.330299816.000000000525A000.00000004.00000001.sdmp, cp573oYDUX.exe, 00000000.00000003.330044302.000000000525A000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.carterandcone.comona	cp573oYDUX.exe, 00000000.00000003.329047446.0000000005281000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/i	cp573oYDUX.exe, 00000000.00000003.329939920.000000000525A000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	cp573oYDUX.exe, 00000000.00000002.374864091.00000000053C0000.00000002.00000001.sdmp	false		high
http://www.fontbureau.comueikM	cp573oYDUX.exe, 00000000.00000003.332897804.000000000525A000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.comals	cp573oYDUX.exe, 00000000.00000003.333507582.000000000525A000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/s-c	cp573oYDUX.exe, 00000000.00000003.329395807.0000000005253000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/b	cp573oYDUX.exe, 00000000.00000003.330044302.000000000525A000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/_	cp573oYDUX.exe, 00000000.00000003.329818359.0000000005259000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
87.237.165.78	unknown	Russian Federation		49967	MTVHGB	true
79.134.225.43	unknown	Switzerland		6775	FINK-TELECOM-SERVICESCH	true

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	357426
Start date:	24.02.2021
Start time:	16:09:26
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 9m 39s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	cp573oYDUX.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	34
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@18/13@12/2
EGA Information:	Failed
HDC Information:	Successful, ratio: 2.9% (good quality ratio 2.1%) Quality average: 53.3% Quality standard deviation: 40%
HCA Information:	Successful, ratio: 92% Number of executed functions: 380 Number of non-executed functions: 5
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information. Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 52.147.198.201, 104.42.151.234, 23.54.113.53, 13.64.90.137, 52.255.188.83, 51.11.168.160, 52.155.217.156, 23.0.174.187, 23.0.174.185, 20.54.26.129, 51.103.5.159, 23.10.249.25, 23.10.249.26, 95.100.54.203 Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, a1449.dscg2.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, vip1-par02p.wns.notify.trafficmanager.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, wns.notify.trafficmanager.net, audownload.windowsupdate.nsatc.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, skypedataprdcolwus17.cloudapp.net, client.wns.windows.com, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, db3p-ris-pf-prod-atm.trafficmanager.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, ctldl.windowsupdate.com, e1723.g.akamaiedge.net, a767.dscg3.akamai.net, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus16.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
16:10:21	API Interceptor	1x Sleep call for process: cp573oYDUX.exe modified
16:10:37	API Interceptor	853x Sleep call for process: RegSvcs.exe modified
16:10:38	Task Scheduler	Run new task: DHCP Monitor path: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe" s>$(Arg0)
16:10:38	Task Scheduler	Run new task: DHCP Monitor Task path: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" s>$(Arg0)
16:10:40	Autostart	Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
87.237.165.78	YoWPu2BQzA9FeDd.exe	Get hash	malicious	Browse
	M5QDAaK9yM.exe	Get hash	malicious	Browse
	TdX45jQWjj.exe	Get hash	malicious	Browse
79.134.225.43	YoWPu2BQzA9FeDd.exe	Get hash	malicious	Browse
	TdX45jQWjj.exe	Get hash	malicious	Browse
	JfRbEbUkpV39K4L.exe	Get hash	malicious	Browse
	Dachser Consulta de cliente saliente no. 000150849 - SKBMT03082020-0012-IMG0149.exe	Get hash	malicious	Browse
	290453721.xls	Get hash	malicious	Browse
	nUo0FukkVO.xls	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
strongodss.ddns.net	YoWPu2BQzA9FeDd.exe	Get hash	malicious	Browse	87.237.165.78
	M5QDAaK9yM.exe	Get hash	malicious	Browse	87.237.165.78
	TdX45jQWjj.exe	Get hash	malicious	Browse	87.237.165.78

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
MTVHGB	YoWPu2BQzA9FeDd.exe	Get hash	malicious	Browse	87.237.165.78
	M5QDAaK9yM.exe	Get hash	malicious	Browse	87.237.165.78
	TdX45jQWjj.exe	Get hash	malicious	Browse	87.237.165.78
	QUOTATION 19 01 2021.exe	Get hash	malicious	Browse	87.237.165.162
FINK-TELECOM-SERVICESCH	YoWPu2BQzA9FeDd.exe	Get hash	malicious	Browse	79.134.225.43
	xF7GogN7tM.exe	Get hash	malicious	Browse	79.134.225.120
	TZgGVyMJYF.exe	Get hash	malicious	Browse	79.134.225.74
	ilpbALnKbE.exe	Get hash	malicious	Browse	79.134.225.103
	Documents.exe	Get hash	malicious	Browse	79.134.225.87
	SWcNyi2YBj.exe	Get hash	malicious	Browse	79.134.225.103
	Confirmation Transfer Note Ref Number0002636.exe	Get hash	malicious	Browse	79.134.225.8
	TdX45jQWjj.exe	Get hash	malicious	Browse	79.134.225.43
	e92b274943f4a3a557881ee0dd57772d.exe	Get hash	malicious	Browse	79.134.225.105
	WxTm2cWLHF.exe	Get hash	malicious	Browse	79.134.225.71
	Payment Confirmation.exe	Get hash	malicious	Browse	79.134.225.30
	rjHlt1zz28.exe	Get hash	malicious	Browse	79.134.225.49
	Deadly Variants of Covid 19.doc	Get hash	malicious	Browse	79.134.225.49
	document.exe	Get hash	malicious	Browse	79.134.225.122
	5293ea9467ea45e928620a5ed74440f5.exe	Get hash	malicious	Browse	79.134.225.105
	f1a14e6352036833f1c109e1bb2934f2.exe	Get hash	malicious	Browse	79.134.225.105
	256ec8f8f67b59c5e085b0bb63afcd13.exe	Get hash	malicious	Browse	79.134.225.105
	JOIN.exe	Get hash	malicious	Browse	79.134.225.30
	Delivery pdf.exe	Get hash	malicious	Browse	79.134.225.25
	d88e07467ddcf9e3b19fa972b9f000d1.exe	Get hash	malicious	Browse	79.134.225.105

JA3 Fingerprints

No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	receipt.exe	Get hash	malicious	Browse
	YoWPu2BQzA9FeDd.exe	Get hash	malicious	Browse
	M5QDAaK9yM.exe	Get hash	malicious	Browse
	oMWv1Zof2y.exe	Get hash	malicious	Browse
	TdX45jQWjj.exe	Get hash	malicious	Browse
	QTxFuxF5NQ.exe	Get hash	malicious	Browse
	a34b93ef-dea2-45f8-a5bf-4f6b0b5291c7.exe	Get hash	malicious	Browse
	3fcd8c19-af88-4cd9-87e7-0bfea1de01a1.exe	Get hash	malicious	Browse
	Vietnam Order.exe	Get hash	malicious	Browse
	Dhl Shipping Document.exe	Get hash	malicious	Browse
	PO-WJO-001, pdf.exe	Get hash	malicious	Browse
	byWuWAR5FD.exe	Get hash	malicious	Browse
	parcel_images.exe	Get hash	malicious	Browse
	0712020.exe	Get hash	malicious	Browse
	JfRbEbUkpV39K4L.exe	Get hash	malicious	Browse
	DECEMBER QUOTATION REQUEST FOR FR12007POH0008_PO0000143_ETQ.exe	Get hash	malicious	Browse
	DECEMBER QUOTATION REQUEST FOR FR12007POH0008_PO0000143_ETQ.exe	Get hash	malicious	Browse
	zC3edqmNNt.exe	Get hash	malicious	Browse
	Shipping Document.pdf..exe	Get hash	malicious	Browse
	PPR & CPR_HEA_DECEMBER 4 2020.exe	Get hash	malicious	Browse

Created / dropped Files

C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	3.7515815714465193
Encrypted:	false
SSDEEP:	384:BOj9Y8/gS7SDriLGKq1MHR5U4Ag6ihJSxUCR1rgCPKabK2t0X5P7DZ+JgWSW72uw:B+gSAdN1MH3HAFRJngW2u
MD5:	71369277D09DA0830C8C59F9E22BB23A
SHA1:	37F9781314F0F6B7E9CB529A573F2B1C8DE9E93F
SHA-256:	D4527B7AD2FC4778CC5BE8709C95AEA44EAC0568B367EE14F7357D72898C3698
SHA-512:	2F470383E3C796C4CF212EC280854DBB9E7E8C8010CE6857E58F8E7066D7516B7CD7039BC5C0F547E1F5C7F9F2287869ADFFB2869800B08B2982A88BE96E9FB7
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: receipt.exe, Detection: malicious, Browse Filename: YoWPu2BQzA9FeDd.exe, Detection: malicious, Browse Filename: M5QDAaK9yM.exe, Detection: malicious, Browse Filename: oMWv1Zof2y.exe, Detection: malicious, Browse Filename: TdX45jQWjj.exe, Detection: malicious, Browse Filename: QTxFuxF5NQ.exe, Detection: malicious, Browse Filename: a34b93ef-dea2-45f8-a5bf-4f6b0b5291c7.exe, Detection: malicious, Browse Filename: 3fcd8c19-af88-4cd9-87e7-0bfea1de01a1.exe, Detection: malicious, Browse Filename: Vietnam Order.exe, Detection: malicious, Browse Filename: Dhl Shipping Document.exe, Detection: malicious, Browse Filename: PO-WJO-001, pdf.exe, Detection: malicious, Browse Filename: byWuWAR5FD.exe, Detection: malicious, Browse Filename: parcel_images.exe, Detection: malicious, Browse Filename: 0712020.exe, Detection: malicious, Browse Filename: JfRbEbUkpV39K4L.exe, Detection: malicious, Browse Filename: DECEMBER QUOTATION REQUEST FOR FR12007POH0008_PO0000143_ETQ.exe, Detection: malicious, Browse Filename: DECEMBER QUOTATION REQUEST FOR FR12007POH0008_PO0000143_ETQ.exe, Detection: malicious, Browse Filename: zC3edqmNNt.exe, Detection: malicious, Browse Filename: Shipping Document.pdf..exe, Detection: malicious, Browse Filename: PPR & CPR_HEA_DECEMBER 4 2020.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....{Z.................P... .......k... ........@.. ...............................[....@..................................k..K................................... k............................................... ............... ..H............text....K... ...P.................. ..`.rsrc................`..............@..@.reloc...............p..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\RegSvcs.exe.log Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	120
Entropy (8bit):	5.016405576253028
Encrypted:	false
SSDEEP:	3:QHXMKaoWglAFXMWA2yTMGfsbNXLVd49Am12MFuAvOAsDeieVyn:Q3LawlAFXMWTyAGCFLIP12MUAvvrs
MD5:	50DEC1858E13F033E6DCA3CBFAD5E8DE
SHA1:	79AE1E9131B0FAF215B499D2F7B4C595AA120925
SHA-256:	14A557E226E3BA8620BB3A70035E1E316F1E9FB5C9E8F74C07110EE90B8D8AE4
SHA-512:	1BD73338DF685A5B57B0546E102ECFDEE65800410D6F77845E50456AC70DE72929088AF19B59647F01CBA7A5ACFB399C52D9EF2402A9451366586862EF88E7BF
Malicious:	false
Preview:	1,"fusion","GAC",0..2,"System.EnterpriseServices, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\cp573oYDUX.exe.log Download File
Process:	C:\Users\user\Desktop\cp573oYDUX.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	655
Entropy (8bit):	5.273171405160065
Encrypted:	false
SSDEEP:	12:Q3LaJU20NaL10U29hJ5g1B0U2ukyrFk70Ug+9Yz9t0U2WUXBQav:MLF20NaL329hJ5g522rWz2p29XBT
MD5:	2703120C370FBB4A8BA08C6D1754039E
SHA1:	EC0DB47BF00A4A828F796147619386C0BBEA66A1
SHA-256:	F95566974BC44F3A757CAFB1456D185D8F333AC84775089DE18310B90C18B1BC
SHA-512:	BC05A2A1BE5B122FC6D3DEA66EF4258522F13351B9754378395AAD019631E312CFD3BC990F3E3D5C7BB0BDBA1EAD54A2B34A96DEE2FCCD703721E98F6192ED48
Malicious:	true
Preview:	1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Management\4de99804c29261edb63c93616550f034\System.Management.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\dhcpmon.exe.log Download File
Process:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	120
Entropy (8bit):	5.016405576253028
Encrypted:	false
SSDEEP:	3:QHXMKaoWglAFXMWA2yTMGfsbNXLVd49Am12MFuAvOAsDeieVyn:Q3LawlAFXMWTyAGCFLIP12MUAvvrs
MD5:	50DEC1858E13F033E6DCA3CBFAD5E8DE
SHA1:	79AE1E9131B0FAF215B499D2F7B4C595AA120925
SHA-256:	14A557E226E3BA8620BB3A70035E1E316F1E9FB5C9E8F74C07110EE90B8D8AE4
SHA-512:	1BD73338DF685A5B57B0546E102ECFDEE65800410D6F77845E50456AC70DE72929088AF19B59647F01CBA7A5ACFB399C52D9EF2402A9451366586862EF88E7BF
Malicious:	false
Preview:	1,"fusion","GAC",0..2,"System.EnterpriseServices, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..

C:\Users\user\AppData\Local\Temp\tmp53F8.tmp Download File
Process:	C:\Users\user\Desktop\cp573oYDUX.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1657
Entropy (8bit):	5.169379230727161
Encrypted:	false
SSDEEP:	24:2dH4+SEqC/S7h2ulNMFp2O/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKB3yPtn:cbha7JlNQV/rydbz9I3YODOLNdq3a
MD5:	441C63E7DAD6297B2955622DAB7933C3
SHA1:	51158143E133CBCD60214C98416436E6E64344EA
SHA-256:	86B3D194F04436CA2A2AF48AD2670ED72F5CAC647A95323B9A8965E0172D7749
SHA-512:	D4A89A81B39D43A15F461978D59558C3D8367C9A518A312D0FE26417152F077B9CF3E53273968BDC97224EF2C518CD2CD8A9B6D235D29545149CC70BD186B847
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvail

C:\Users\user\AppData\Local\Temp\tmpFC43.tmp Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	5.135021273392143
Encrypted:	false
SSDEEP:	24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0mn4xtn:cbk4oL600QydbQxIYODOLedq3Z4j
MD5:	40B11EF601FB28F9B2E69D36857BF2EC
SHA1:	B6454020AD2CEED193F4792B77001D0BD741B370
SHA-256:	C51E12D18CC664425F6711D8AE2507068884C7057092CFA11884100E1E9D49E1
SHA-512:	E3C5BCC714CBFCA4B8058DDCDDF231DCEFA69C15881CE3F8123E59ED45CFB5DA052B56E1945DCF8DC7F800D62F9A4EECB82BCA69A66A1530787AEFFEB15E2BD5
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak

C:\Users\user\AppData\Local\Temp\tmpFF61.tmp Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1310
Entropy (8bit):	5.109425792877704
Encrypted:	false
SSDEEP:	24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0R3xtn:cbk4oL600QydbQxIYODOLedq3S3j
MD5:	5C2F41CFC6F988C859DA7D727AC2B62A
SHA1:	68999C85FC7E37BAB9216E0099836D40D4545C1C
SHA-256:	98B6E66B6C2173B9B91FC97FE51805340EFDE978B695453742EBAB631018398B
SHA-512:	B5DA5DA378D038AFBF8A7738E47921ED39F9B726E2CAA2993D915D9291A3322F94EFE8CCA6E7AD678A670DB19926B22B20E5028460FCC89CEA7F6635E7557334
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
File Type:	data
Category:	dropped
Size (bytes):	8
Entropy (8bit):	3.0
Encrypted:	false
SSDEEP:	3:PajVP:ijVP
MD5:	65075989286889C893451A913787CFA5
SHA1:	8FDFC75DD6A78C5D386915B78D732610065955FB
SHA-256:	59F0476D7901FADD5876D37ACFB8D8FA33FDB8279CA4F9B0FA44827C9FDE5B88
SHA-512:	C69DA3E0C0B01DF26EE2622B0683585FF4C3D318C718576351586571708AD5203D4825C8C84DB6137C3ACD5B94EA76F802B83A0B1956B88D9D14EA254A46AE02
Malicious:	true
Preview:	...!..H

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\task.dat Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	57
Entropy (8bit):	4.795707286467131
Encrypted:	false
SSDEEP:	3:oMty8WbSX/MNn:oMLWus
MD5:	D685103573539B7E9FDBF5F1D7DD96CE
SHA1:	4B2FE6B5C0B37954B314FCAEE1F12237A9B02D07
SHA-256:	D78BC23B0CA3EDDF52D56AB85CDC30A71B3756569CB32AA2F6C28DBC23C76E8E
SHA-512:	17769A5944E8929323A34269ABEEF0861D5C6799B0A27F5545FBFADC80E5AB684A471AD6F6A7FC623002385154EA89DE94013051E09120AB94362E542AB0F1DD
Malicious:	false
Preview:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

C:\Users\user\AppData\Roaming\eVEWVTvFLGVU.exe Download File
Process:	C:\Users\user\Desktop\cp573oYDUX.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	793600
Entropy (8bit):	7.943634916057093
Encrypted:	false
SSDEEP:	12288:ZEA3LLUEMjhvUbJG16KfU32GOK2F5WRPVba0G/JZgC498Fj31Q2QuUmz:bL0iG16KfYrOK26RPZaA2dFFT
MD5:	33CF3AF09D2A1789A2BBAD009A43EDD5
SHA1:	FFE606ADDD5694451511DD347BBC85A404328C9D
SHA-256:	8DA32EA516FEB3BC471BA01ED18CB0ACA1A9F39966C86CA4624DD2CEA2E226CD
SHA-512:	9534E6EC15F7D1C237E254A3DAC79C7E44CC4C7989F3DBB8A4F0B682A3F3CFBBD46E6DDDFFA0E2A7E6BBD3E2B74389492559A8AD89FED85309CB848D5A1F60CB
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 31%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...?.5`..............0..............0... ...@....@.. ....................................@..................................0..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................0......H.......Ho...2......4...(...X...........................................&.(.........0..9........~.........,".r...p.....(....o....s............~.....+......0...........~.....+.."........0..!........(....r!..p~....o......t.....+......0..!........(....r1..p~....o......t.....+......0...........r5..p.+....0...........rA..p.+..".(.....^..}.....(.......(%.......(.......0..;........rO..pr...p.(...........,..(......+..s......o......( .....*..0..I........r...pr...p.(.......

\Device\ConDrv Download File
Process:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1145
Entropy (8bit):	4.462201512373672
Encrypted:	false
SSDEEP:	24:zKLXkzPDObntKlglUEnfQtvNuNpKOK5aM9YJC:zKL0zPDQntKKH1MqJC
MD5:	46EBEB88876A00A52CC37B1F8E0D0438
SHA1:	5E5DB352F964E5F398301662FF558BD905798A65
SHA-256:	D65BD5A6CC112838AFE8FA70BF61FD13C1313BCE3EE3E76C50E454D7B581238B
SHA-512:	E713E6F304A469FB71235C598BC7E2C6F8458ABC61DAF3D1F364F66579CAFA4A7F3023E585BDA552FB400009E7805A8CA0311A50D5EDC9C2AD2D067772A071BE
Malicious:	false
Preview:	Microsoft (R) .NET Framework Services Installation Utility Version 2.0.50727.8922..Copyright (c) Microsoft Corporation. All rights reserved.....USAGE: regsvcs.exe [options] AssemblyName..Options:.. /? or /help Display this usage message... /fc Find or create target application (default)... /c Create target application, error if it already exists... /exapp Expect an existing application... /tlb:<tlbfile> Filename for the exported type library... /appname:<name> Use the specified name for the target application... /parname:<name> Use the specified name or id for the target partition... /extlb Use an existing type library... /reconfig Reconfigure existing target application (default)... /noreconfig Don't reconfigure existing target application... /u Uninstall target application... /nologo Suppress logo output... /quiet Suppress logo output and success output...

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.943634916057093
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	cp573oYDUX.exe
File size:	793600
MD5:	33cf3af09d2a1789a2bbad009a43edd5
SHA1:	ffe606addd5694451511dd347bbc85a404328c9d
SHA256:	8da32ea516feb3bc471ba01ed18cb0aca1a9f39966c86ca4624dd2cea2e226cd
SHA512:	9534e6ec15f7d1c237e254a3dac79c7e44cc4c7989f3dbb8a4f0b682a3f3cfbbd46e6dddffa0e2a7e6bbd3e2b74389492559a8ad89fed85309cb848d5a1f60cb
SSDEEP:	12288:ZEA3LLUEMjhvUbJG16KfU32GOK2F5WRPVba0G/JZgC498Fj31Q2QuUmz:bL0iG16KfYrOK26RPZaA2dFFT
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...?.5`..............0..............0... ...@....@.. ....................................@................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General
Entrypoint:	0x4c30d2
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x6035BA3F [Wed Feb 24 02:30:23 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:	v2.0.50727
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc3080	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc4000	0x5b4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xc6000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xc10d8	0xc1200	False	0.935377477751	data	7.94883955827	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0xc4000	0x5b4	0x600	False	0.430989583333	data	4.18690260245	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xc6000	0xc	0x200	False	0.044921875	data	0.0940979256627	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0xc4090	0x324	data
RT_MANIFEST	0xc43c4	0x1ea	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright 2016
Assembly Version	4.0.0.0
InternalName	Ck2rVn.exe
FileVersion	4.0.0.0
CompanyName
LegalTrademarks
Comments
ProductName	ITP_RMSS
ProductVersion	4.0.0.0
FileDescription	ITP_RMSS
OriginalFilename	Ck2rVn.exe

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 24, 2021 16:10:38.953803062 CET	49724	58103	192.168.2.6	87.237.165.78
Feb 24, 2021 16:10:38.982628107 CET	58103	49724	87.237.165.78	192.168.2.6
Feb 24, 2021 16:10:39.493839025 CET	49724	58103	192.168.2.6	87.237.165.78
Feb 24, 2021 16:10:39.523427963 CET	58103	49724	87.237.165.78	192.168.2.6
Feb 24, 2021 16:10:40.026274920 CET	49724	58103	192.168.2.6	87.237.165.78
Feb 24, 2021 16:10:40.055999041 CET	58103	49724	87.237.165.78	192.168.2.6
Feb 24, 2021 16:10:44.133502007 CET	49727	58103	192.168.2.6	87.237.165.78
Feb 24, 2021 16:10:44.162616014 CET	58103	49727	87.237.165.78	192.168.2.6
Feb 24, 2021 16:10:44.665113926 CET	49727	58103	192.168.2.6	87.237.165.78
Feb 24, 2021 16:10:44.692055941 CET	58103	49727	87.237.165.78	192.168.2.6
Feb 24, 2021 16:10:45.196480036 CET	49727	58103	192.168.2.6	87.237.165.78
Feb 24, 2021 16:10:45.223663092 CET	58103	49727	87.237.165.78	192.168.2.6
Feb 24, 2021 16:10:49.426067114 CET	49728	58103	192.168.2.6	87.237.165.78
Feb 24, 2021 16:10:49.453262091 CET	58103	49728	87.237.165.78	192.168.2.6
Feb 24, 2021 16:10:49.962439060 CET	49728	58103	192.168.2.6	87.237.165.78
Feb 24, 2021 16:10:49.989728928 CET	58103	49728	87.237.165.78	192.168.2.6
Feb 24, 2021 16:10:50.493711948 CET	49728	58103	192.168.2.6	87.237.165.78
Feb 24, 2021 16:10:50.523130894 CET	58103	49728	87.237.165.78	192.168.2.6
Feb 24, 2021 16:10:54.526827097 CET	49729	58103	192.168.2.6	79.134.225.43
Feb 24, 2021 16:10:54.562397957 CET	58103	49729	79.134.225.43	192.168.2.6
Feb 24, 2021 16:10:55.072269917 CET	49729	58103	192.168.2.6	79.134.225.43
Feb 24, 2021 16:10:55.104984045 CET	58103	49729	79.134.225.43	192.168.2.6
Feb 24, 2021 16:10:55.619213104 CET	49729	58103	192.168.2.6	79.134.225.43
Feb 24, 2021 16:10:55.651684046 CET	58103	49729	79.134.225.43	192.168.2.6
Feb 24, 2021 16:11:00.457012892 CET	49730	58103	192.168.2.6	79.134.225.43
Feb 24, 2021 16:11:00.491065025 CET	58103	49730	79.134.225.43	192.168.2.6
Feb 24, 2021 16:11:00.994596004 CET	49730	58103	192.168.2.6	79.134.225.43
Feb 24, 2021 16:11:01.029591084 CET	58103	49730	79.134.225.43	192.168.2.6
Feb 24, 2021 16:11:01.619633913 CET	49730	58103	192.168.2.6	79.134.225.43
Feb 24, 2021 16:11:01.652059078 CET	58103	49730	79.134.225.43	192.168.2.6
Feb 24, 2021 16:11:05.996933937 CET	49741	58103	192.168.2.6	79.134.225.43
Feb 24, 2021 16:11:06.029486895 CET	58103	49741	79.134.225.43	192.168.2.6
Feb 24, 2021 16:11:06.542004108 CET	49741	58103	192.168.2.6	79.134.225.43
Feb 24, 2021 16:11:06.574748039 CET	58103	49741	79.134.225.43	192.168.2.6
Feb 24, 2021 16:11:07.276410103 CET	49741	58103	192.168.2.6	79.134.225.43
Feb 24, 2021 16:11:07.309014082 CET	58103	49741	79.134.225.43	192.168.2.6
Feb 24, 2021 16:11:11.628916025 CET	49745	58103	192.168.2.6	87.237.165.78
Feb 24, 2021 16:11:11.656161070 CET	58103	49745	87.237.165.78	192.168.2.6
Feb 24, 2021 16:11:12.261209011 CET	49745	58103	192.168.2.6	87.237.165.78
Feb 24, 2021 16:11:12.288264990 CET	58103	49745	87.237.165.78	192.168.2.6
Feb 24, 2021 16:11:12.870593071 CET	49745	58103	192.168.2.6	87.237.165.78
Feb 24, 2021 16:11:12.898427010 CET	58103	49745	87.237.165.78	192.168.2.6
Feb 24, 2021 16:11:16.972337008 CET	49751	58103	192.168.2.6	87.237.165.78
Feb 24, 2021 16:11:17.000792980 CET	58103	49751	87.237.165.78	192.168.2.6
Feb 24, 2021 16:11:17.574356079 CET	49751	58103	192.168.2.6	87.237.165.78
Feb 24, 2021 16:11:17.601228952 CET	58103	49751	87.237.165.78	192.168.2.6
Feb 24, 2021 16:11:18.261704922 CET	49751	58103	192.168.2.6	87.237.165.78
Feb 24, 2021 16:11:18.291177988 CET	58103	49751	87.237.165.78	192.168.2.6
Feb 24, 2021 16:11:22.386017084 CET	49752	58103	192.168.2.6	87.237.165.78
Feb 24, 2021 16:11:22.413485050 CET	58103	49752	87.237.165.78	192.168.2.6
Feb 24, 2021 16:11:22.918452978 CET	49752	58103	192.168.2.6	87.237.165.78
Feb 24, 2021 16:11:22.946038961 CET	58103	49752	87.237.165.78	192.168.2.6
Feb 24, 2021 16:11:23.449760914 CET	49752	58103	192.168.2.6	87.237.165.78
Feb 24, 2021 16:11:23.476892948 CET	58103	49752	87.237.165.78	192.168.2.6
Feb 24, 2021 16:11:27.628334999 CET	49753	58103	192.168.2.6	79.134.225.43
Feb 24, 2021 16:11:27.662491083 CET	58103	49753	79.134.225.43	192.168.2.6
Feb 24, 2021 16:11:28.168908119 CET	49753	58103	192.168.2.6	79.134.225.43
Feb 24, 2021 16:11:28.202835083 CET	58103	49753	79.134.225.43	192.168.2.6
Feb 24, 2021 16:11:28.715854883 CET	49753	58103	192.168.2.6	79.134.225.43
Feb 24, 2021 16:11:28.750176907 CET	58103	49753	79.134.225.43	192.168.2.6
Feb 24, 2021 16:11:32.796241999 CET	49754	58103	192.168.2.6	79.134.225.43
Feb 24, 2021 16:11:32.829065084 CET	58103	49754	79.134.225.43	192.168.2.6
Feb 24, 2021 16:11:33.341175079 CET	49754	58103	192.168.2.6	79.134.225.43
Feb 24, 2021 16:11:33.373945951 CET	58103	49754	79.134.225.43	192.168.2.6
Feb 24, 2021 16:11:33.890563011 CET	49754	58103	192.168.2.6	79.134.225.43
Feb 24, 2021 16:11:33.924868107 CET	58103	49754	79.134.225.43	192.168.2.6
Feb 24, 2021 16:11:37.953883886 CET	49755	58103	192.168.2.6	79.134.225.43
Feb 24, 2021 16:11:37.986879110 CET	58103	49755	79.134.225.43	192.168.2.6
Feb 24, 2021 16:11:38.497858047 CET	49755	58103	192.168.2.6	79.134.225.43
Feb 24, 2021 16:11:38.531111002 CET	58103	49755	79.134.225.43	192.168.2.6
Feb 24, 2021 16:11:39.044795990 CET	49755	58103	192.168.2.6	79.134.225.43
Feb 24, 2021 16:11:39.077517033 CET	58103	49755	79.134.225.43	192.168.2.6
Feb 24, 2021 16:11:43.156795979 CET	49756	58103	192.168.2.6	87.237.165.78
Feb 24, 2021 16:11:43.186810017 CET	58103	49756	87.237.165.78	192.168.2.6
Feb 24, 2021 16:11:43.701292992 CET	49756	58103	192.168.2.6	87.237.165.78
Feb 24, 2021 16:11:43.728566885 CET	58103	49756	87.237.165.78	192.168.2.6
Feb 24, 2021 16:11:44.232594013 CET	49756	58103	192.168.2.6	87.237.165.78
Feb 24, 2021 16:11:44.260241985 CET	58103	49756	87.237.165.78	192.168.2.6
Feb 24, 2021 16:11:48.317481041 CET	49762	58103	192.168.2.6	87.237.165.78
Feb 24, 2021 16:11:48.344979048 CET	58103	49762	87.237.165.78	192.168.2.6
Feb 24, 2021 16:11:48.858040094 CET	49762	58103	192.168.2.6	87.237.165.78
Feb 24, 2021 16:11:48.885418892 CET	58103	49762	87.237.165.78	192.168.2.6
Feb 24, 2021 16:11:49.389276981 CET	49762	58103	192.168.2.6	87.237.165.78
Feb 24, 2021 16:11:49.416731119 CET	58103	49762	87.237.165.78	192.168.2.6
Feb 24, 2021 16:11:53.590868950 CET	49763	58103	192.168.2.6	87.237.165.78
Feb 24, 2021 16:11:53.618211031 CET	58103	49763	87.237.165.78	192.168.2.6
Feb 24, 2021 16:11:54.124125957 CET	49763	58103	192.168.2.6	87.237.165.78
Feb 24, 2021 16:11:54.152458906 CET	58103	49763	87.237.165.78	192.168.2.6
Feb 24, 2021 16:11:54.655369043 CET	49763	58103	192.168.2.6	87.237.165.78
Feb 24, 2021 16:11:56.654846907 CET	58103	49763	87.237.165.78	192.168.2.6
Feb 24, 2021 16:12:00.811273098 CET	49764	58103	192.168.2.6	79.134.225.43
Feb 24, 2021 16:12:00.844180107 CET	58103	49764	79.134.225.43	192.168.2.6
Feb 24, 2021 16:12:01.349611998 CET	49764	58103	192.168.2.6	79.134.225.43
Feb 24, 2021 16:12:01.386795998 CET	58103	49764	79.134.225.43	192.168.2.6
Feb 24, 2021 16:12:01.913440943 CET	49764	58103	192.168.2.6	79.134.225.43
Feb 24, 2021 16:12:01.947032928 CET	58103	49764	79.134.225.43	192.168.2.6
Feb 24, 2021 16:12:05.961186886 CET	49766	58103	192.168.2.6	79.134.225.43
Feb 24, 2021 16:12:05.993784904 CET	58103	49766	79.134.225.43	192.168.2.6
Feb 24, 2021 16:12:06.506625891 CET	49766	58103	192.168.2.6	79.134.225.43
Feb 24, 2021 16:12:06.539789915 CET	58103	49766	79.134.225.43	192.168.2.6
Feb 24, 2021 16:12:07.053597927 CET	49766	58103	192.168.2.6	79.134.225.43
Feb 24, 2021 16:12:07.086438894 CET	58103	49766	79.134.225.43	192.168.2.6
Feb 24, 2021 16:12:11.178606033 CET	49767	58103	192.168.2.6	79.134.225.43
Feb 24, 2021 16:12:11.212796926 CET	58103	49767	79.134.225.43	192.168.2.6
Feb 24, 2021 16:12:11.725977898 CET	49767	58103	192.168.2.6	79.134.225.43
Feb 24, 2021 16:12:11.759529114 CET	58103	49767	79.134.225.43	192.168.2.6
Feb 24, 2021 16:12:12.272780895 CET	49767	58103	192.168.2.6	79.134.225.43
Feb 24, 2021 16:12:12.305571079 CET	58103	49767	79.134.225.43	192.168.2.6
Feb 24, 2021 16:12:16.561340094 CET	49768	58103	192.168.2.6	87.237.165.78
Feb 24, 2021 16:12:16.589546919 CET	58103	49768	87.237.165.78	192.168.2.6
Feb 24, 2021 16:12:17.101301908 CET	49768	58103	192.168.2.6	87.237.165.78
Feb 24, 2021 16:12:17.129599094 CET	58103	49768	87.237.165.78	192.168.2.6
Feb 24, 2021 16:12:17.632742882 CET	49768	58103	192.168.2.6	87.237.165.78
Feb 24, 2021 16:12:17.661515951 CET	58103	49768	87.237.165.78	192.168.2.6
Feb 24, 2021 16:12:21.682888031 CET	49769	58103	192.168.2.6	87.237.165.78
Feb 24, 2021 16:12:21.714318991 CET	58103	49769	87.237.165.78	192.168.2.6
Feb 24, 2021 16:12:22.226788998 CET	49769	58103	192.168.2.6	87.237.165.78
Feb 24, 2021 16:12:22.253515959 CET	58103	49769	87.237.165.78	192.168.2.6
Feb 24, 2021 16:12:22.758187056 CET	49769	58103	192.168.2.6	87.237.165.78
Feb 24, 2021 16:12:22.785279989 CET	58103	49769	87.237.165.78	192.168.2.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 24, 2021 16:10:07.518027067 CET	63791	53	192.168.2.6	8.8.8.8
Feb 24, 2021 16:10:07.529794931 CET	53	63791	8.8.8.8	192.168.2.6
Feb 24, 2021 16:10:08.229974031 CET	64267	53	192.168.2.6	8.8.8.8
Feb 24, 2021 16:10:08.242146015 CET	53	64267	8.8.8.8	192.168.2.6
Feb 24, 2021 16:10:08.897500038 CET	49448	53	192.168.2.6	8.8.8.8
Feb 24, 2021 16:10:08.910022974 CET	53	49448	8.8.8.8	192.168.2.6
Feb 24, 2021 16:10:09.922713995 CET	60342	53	192.168.2.6	8.8.8.8
Feb 24, 2021 16:10:09.934758902 CET	53	60342	8.8.8.8	192.168.2.6
Feb 24, 2021 16:10:09.958610058 CET	61346	53	192.168.2.6	8.8.8.8
Feb 24, 2021 16:10:09.976557016 CET	53	61346	8.8.8.8	192.168.2.6
Feb 24, 2021 16:10:10.592065096 CET	51774	53	192.168.2.6	8.8.8.8
Feb 24, 2021 16:10:10.604959965 CET	53	51774	8.8.8.8	192.168.2.6
Feb 24, 2021 16:10:11.916075945 CET	56023	53	192.168.2.6	8.8.8.8
Feb 24, 2021 16:10:11.928503036 CET	53	56023	8.8.8.8	192.168.2.6
Feb 24, 2021 16:10:12.923096895 CET	58384	53	192.168.2.6	8.8.8.8
Feb 24, 2021 16:10:12.934818029 CET	53	58384	8.8.8.8	192.168.2.6
Feb 24, 2021 16:10:13.814424992 CET	60261	53	192.168.2.6	8.8.8.8
Feb 24, 2021 16:10:13.828752995 CET	53	60261	8.8.8.8	192.168.2.6
Feb 24, 2021 16:10:14.830136061 CET	56061	53	192.168.2.6	8.8.8.8
Feb 24, 2021 16:10:14.843961000 CET	53	56061	8.8.8.8	192.168.2.6
Feb 24, 2021 16:10:15.931255102 CET	58336	53	192.168.2.6	8.8.8.8
Feb 24, 2021 16:10:15.942899942 CET	53	58336	8.8.8.8	192.168.2.6
Feb 24, 2021 16:10:16.926970005 CET	53781	53	192.168.2.6	8.8.8.8
Feb 24, 2021 16:10:16.939821959 CET	53	53781	8.8.8.8	192.168.2.6
Feb 24, 2021 16:10:18.007355928 CET	54064	53	192.168.2.6	8.8.8.8
Feb 24, 2021 16:10:18.019748926 CET	53	54064	8.8.8.8	192.168.2.6
Feb 24, 2021 16:10:19.094878912 CET	52811	53	192.168.2.6	8.8.8.8
Feb 24, 2021 16:10:19.107601881 CET	53	52811	8.8.8.8	192.168.2.6
Feb 24, 2021 16:10:20.110537052 CET	55299	53	192.168.2.6	8.8.8.8
Feb 24, 2021 16:10:20.125304937 CET	53	55299	8.8.8.8	192.168.2.6
Feb 24, 2021 16:10:20.831885099 CET	63745	53	192.168.2.6	8.8.8.8
Feb 24, 2021 16:10:20.844845057 CET	53	63745	8.8.8.8	192.168.2.6
Feb 24, 2021 16:10:21.523874044 CET	50055	53	192.168.2.6	8.8.8.8
Feb 24, 2021 16:10:21.535721064 CET	53	50055	8.8.8.8	192.168.2.6
Feb 24, 2021 16:10:22.613850117 CET	61374	53	192.168.2.6	8.8.8.8
Feb 24, 2021 16:10:22.626470089 CET	53	61374	8.8.8.8	192.168.2.6
Feb 24, 2021 16:10:38.918437958 CET	50339	53	192.168.2.6	8.8.8.8
Feb 24, 2021 16:10:38.940557003 CET	53	50339	8.8.8.8	192.168.2.6
Feb 24, 2021 16:10:43.555535078 CET	63307	53	192.168.2.6	8.8.8.8
Feb 24, 2021 16:10:43.569211006 CET	53	63307	8.8.8.8	192.168.2.6
Feb 24, 2021 16:10:44.119376898 CET	49694	53	192.168.2.6	8.8.8.8
Feb 24, 2021 16:10:44.131638050 CET	53	49694	8.8.8.8	192.168.2.6
Feb 24, 2021 16:10:49.411509037 CET	54982	53	192.168.2.6	8.8.8.8
Feb 24, 2021 16:10:49.424482107 CET	53	54982	8.8.8.8	192.168.2.6
Feb 24, 2021 16:11:01.354537010 CET	50010	53	192.168.2.6	8.8.8.8
Feb 24, 2021 16:11:01.367275000 CET	53	50010	8.8.8.8	192.168.2.6
Feb 24, 2021 16:11:01.961107969 CET	63718	53	192.168.2.6	8.8.8.8
Feb 24, 2021 16:11:01.973623037 CET	53	63718	8.8.8.8	192.168.2.6
Feb 24, 2021 16:11:02.452449083 CET	62116	53	192.168.2.6	8.8.8.8
Feb 24, 2021 16:11:02.465662003 CET	53	62116	8.8.8.8	192.168.2.6
Feb 24, 2021 16:11:02.775964975 CET	63816	53	192.168.2.6	8.8.8.8
Feb 24, 2021 16:11:02.793160915 CET	55014	53	192.168.2.6	8.8.8.8
Feb 24, 2021 16:11:02.794636011 CET	53	63816	8.8.8.8	192.168.2.6
Feb 24, 2021 16:11:02.807427883 CET	53	55014	8.8.8.8	192.168.2.6
Feb 24, 2021 16:11:03.064794064 CET	62208	53	192.168.2.6	8.8.8.8
Feb 24, 2021 16:11:03.078361034 CET	53	62208	8.8.8.8	192.168.2.6
Feb 24, 2021 16:11:03.339365005 CET	57574	53	192.168.2.6	8.8.8.8
Feb 24, 2021 16:11:03.354017019 CET	53	57574	8.8.8.8	192.168.2.6
Feb 24, 2021 16:11:03.961036921 CET	51818	53	192.168.2.6	8.8.8.8
Feb 24, 2021 16:11:03.974280119 CET	53	51818	8.8.8.8	192.168.2.6
Feb 24, 2021 16:11:04.277424097 CET	56628	53	192.168.2.6	8.8.8.8
Feb 24, 2021 16:11:04.291400909 CET	53	56628	8.8.8.8	192.168.2.6
Feb 24, 2021 16:11:05.023027897 CET	60778	53	192.168.2.6	8.8.8.8
Feb 24, 2021 16:11:05.034997940 CET	53	60778	8.8.8.8	192.168.2.6
Feb 24, 2021 16:11:06.226900101 CET	53799	53	192.168.2.6	8.8.8.8
Feb 24, 2021 16:11:06.240196943 CET	53	53799	8.8.8.8	192.168.2.6
Feb 24, 2021 16:11:08.062889099 CET	54683	53	192.168.2.6	8.8.8.8
Feb 24, 2021 16:11:08.075159073 CET	53	54683	8.8.8.8	192.168.2.6
Feb 24, 2021 16:11:08.394944906 CET	59329	53	192.168.2.6	8.8.8.8
Feb 24, 2021 16:11:08.408041000 CET	53	59329	8.8.8.8	192.168.2.6
Feb 24, 2021 16:11:11.606597900 CET	64021	53	192.168.2.6	8.8.8.8
Feb 24, 2021 16:11:11.627228975 CET	53	64021	8.8.8.8	192.168.2.6
Feb 24, 2021 16:11:12.298700094 CET	56129	53	192.168.2.6	8.8.8.8
Feb 24, 2021 16:11:12.314606905 CET	53	56129	8.8.8.8	192.168.2.6
Feb 24, 2021 16:11:16.955619097 CET	58177	53	192.168.2.6	8.8.8.8
Feb 24, 2021 16:11:16.970276117 CET	53	58177	8.8.8.8	192.168.2.6
Feb 24, 2021 16:11:22.370347023 CET	50700	53	192.168.2.6	8.8.8.8
Feb 24, 2021 16:11:22.384215117 CET	53	50700	8.8.8.8	192.168.2.6
Feb 24, 2021 16:11:43.134542942 CET	54069	53	192.168.2.6	8.8.8.8
Feb 24, 2021 16:11:43.154480934 CET	53	54069	8.8.8.8	192.168.2.6
Feb 24, 2021 16:11:43.965912104 CET	61178	53	192.168.2.6	8.8.8.8
Feb 24, 2021 16:11:43.979415894 CET	53	61178	8.8.8.8	192.168.2.6
Feb 24, 2021 16:11:44.294032097 CET	57017	53	192.168.2.6	8.8.8.8
Feb 24, 2021 16:11:44.306591988 CET	53	57017	8.8.8.8	192.168.2.6
Feb 24, 2021 16:11:46.697841883 CET	56327	53	192.168.2.6	8.8.8.8
Feb 24, 2021 16:11:46.715770006 CET	53	56327	8.8.8.8	192.168.2.6
Feb 24, 2021 16:11:48.302930117 CET	50243	53	192.168.2.6	8.8.8.8
Feb 24, 2021 16:11:48.315598965 CET	53	50243	8.8.8.8	192.168.2.6
Feb 24, 2021 16:11:53.576647997 CET	62055	53	192.168.2.6	8.8.8.8
Feb 24, 2021 16:11:53.589582920 CET	53	62055	8.8.8.8	192.168.2.6
Feb 24, 2021 16:12:05.182383060 CET	61249	53	192.168.2.6	8.8.8.8
Feb 24, 2021 16:12:05.194192886 CET	53	61249	8.8.8.8	192.168.2.6
Feb 24, 2021 16:12:16.545772076 CET	65252	53	192.168.2.6	8.8.8.8
Feb 24, 2021 16:12:16.559621096 CET	53	65252	8.8.8.8	192.168.2.6
Feb 24, 2021 16:12:21.669437885 CET	64367	53	192.168.2.6	8.8.8.8
Feb 24, 2021 16:12:21.681693077 CET	53	64367	8.8.8.8	192.168.2.6
Feb 24, 2021 16:12:26.796633959 CET	55066	53	192.168.2.6	8.8.8.8

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Feb 24, 2021 16:10:38.918437958 CET	192.168.2.6	8.8.8.8	0xd1ea	Standard query (0)	strongodss.ddns.net	A (IP address)	IN (0x0001)
Feb 24, 2021 16:10:44.119376898 CET	192.168.2.6	8.8.8.8	0x448d	Standard query (0)	strongodss.ddns.net	A (IP address)	IN (0x0001)
Feb 24, 2021 16:10:49.411509037 CET	192.168.2.6	8.8.8.8	0x4f17	Standard query (0)	strongodss.ddns.net	A (IP address)	IN (0x0001)
Feb 24, 2021 16:11:11.606597900 CET	192.168.2.6	8.8.8.8	0xac0b	Standard query (0)	strongodss.ddns.net	A (IP address)	IN (0x0001)
Feb 24, 2021 16:11:16.955619097 CET	192.168.2.6	8.8.8.8	0xe707	Standard query (0)	strongodss.ddns.net	A (IP address)	IN (0x0001)
Feb 24, 2021 16:11:22.370347023 CET	192.168.2.6	8.8.8.8	0x9ae5	Standard query (0)	strongodss.ddns.net	A (IP address)	IN (0x0001)
Feb 24, 2021 16:11:43.134542942 CET	192.168.2.6	8.8.8.8	0xb17	Standard query (0)	strongodss.ddns.net	A (IP address)	IN (0x0001)
Feb 24, 2021 16:11:48.302930117 CET	192.168.2.6	8.8.8.8	0x6eec	Standard query (0)	strongodss.ddns.net	A (IP address)	IN (0x0001)
Feb 24, 2021 16:11:53.576647997 CET	192.168.2.6	8.8.8.8	0x2f73	Standard query (0)	strongodss.ddns.net	A (IP address)	IN (0x0001)
Feb 24, 2021 16:12:16.545772076 CET	192.168.2.6	8.8.8.8	0xadff	Standard query (0)	strongodss.ddns.net	A (IP address)	IN (0x0001)
Feb 24, 2021 16:12:21.669437885 CET	192.168.2.6	8.8.8.8	0x448	Standard query (0)	strongodss.ddns.net	A (IP address)	IN (0x0001)
Feb 24, 2021 16:12:26.796633959 CET	192.168.2.6	8.8.8.8	0xa791	Standard query (0)	strongodss.ddns.net	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
Feb 24, 2021 16:10:38.940557003 CET	8.8.8.8	192.168.2.6	0xd1ea	No error (0)	strongodss.ddns.net	87.237.165.78	A (IP address)	IN (0x0001)
Feb 24, 2021 16:10:44.131638050 CET	8.8.8.8	192.168.2.6	0x448d	No error (0)	strongodss.ddns.net	87.237.165.78	A (IP address)	IN (0x0001)
Feb 24, 2021 16:10:49.424482107 CET	8.8.8.8	192.168.2.6	0x4f17	No error (0)	strongodss.ddns.net	87.237.165.78	A (IP address)	IN (0x0001)
Feb 24, 2021 16:11:11.627228975 CET	8.8.8.8	192.168.2.6	0xac0b	No error (0)	strongodss.ddns.net	87.237.165.78	A (IP address)	IN (0x0001)
Feb 24, 2021 16:11:16.970276117 CET	8.8.8.8	192.168.2.6	0xe707	No error (0)	strongodss.ddns.net	87.237.165.78	A (IP address)	IN (0x0001)
Feb 24, 2021 16:11:22.384215117 CET	8.8.8.8	192.168.2.6	0x9ae5	No error (0)	strongodss.ddns.net	87.237.165.78	A (IP address)	IN (0x0001)
Feb 24, 2021 16:11:43.154480934 CET	8.8.8.8	192.168.2.6	0xb17	No error (0)	strongodss.ddns.net	87.237.165.78	A (IP address)	IN (0x0001)
Feb 24, 2021 16:11:48.315598965 CET	8.8.8.8	192.168.2.6	0x6eec	No error (0)	strongodss.ddns.net	87.237.165.78	A (IP address)	IN (0x0001)
Feb 24, 2021 16:11:53.589582920 CET	8.8.8.8	192.168.2.6	0x2f73	No error (0)	strongodss.ddns.net	87.237.165.78	A (IP address)	IN (0x0001)
Feb 24, 2021 16:12:16.559621096 CET	8.8.8.8	192.168.2.6	0xadff	No error (0)	strongodss.ddns.net	87.237.165.78	A (IP address)	IN (0x0001)
Feb 24, 2021 16:12:21.681693077 CET	8.8.8.8	192.168.2.6	0x448	No error (0)	strongodss.ddns.net	87.237.165.78	A (IP address)	IN (0x0001)

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: cp573oYDUX.exe PID: 7012 Parent PID: 5888

General

Start time:	16:10:14
Start date:	24/02/2021
Path:	C:\Users\user\Desktop\cp573oYDUX.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\cp573oYDUX.exe'
Imagebase:	0x7a0000
File size:	793600 bytes
MD5 hash:	33CF3AF09D2A1789A2BBAD009A43EDD5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.373693780.00000000042F3000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.373693780.00000000042F3000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000000.00000002.373693780.00000000042F3000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Chronological Activities

Analysis Process: schtasks.exe PID: 3800 Parent PID: 7012

General

Start time:	16:10:33
Start date:	24/02/2021
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\eVEWVTvFLGVU' /XML 'C:\Users\user\AppData\Local\Temp\tmp53F8.tmp'
Imagebase:	0x120000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 4112 Parent PID: 3800

General

Start time:	16:10:34
Start date:	24/02/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff61de10000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: RegSvcs.exe PID: 2264 Parent PID: 7012

General

Start time:	16:10:34
Start date:	24/02/2021
Path:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	{path}
Imagebase:	0x6c0000
File size:	32768 bytes
MD5 hash:	71369277D09DA0830C8C59F9E22BB23A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000007.00000002.600652707.0000000005030000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000007.00000002.600652707.0000000005030000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000007.00000002.594405865.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000007.00000002.594405865.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000007.00000002.594405865.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000007.00000002.599620352.0000000003DA7000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000007.00000002.599620352.0000000003DA7000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000007.00000002.601347713.0000000005990000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000007.00000002.601347713.0000000005990000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000007.00000002.601373463.00000000059A0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000007.00000002.601373463.00000000059A0000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000007.00000002.601373463.00000000059A0000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Analysis Process: schtasks.exe PID: 6632 Parent PID: 2264

General

Start time:	16:10:36
Start date:	24/02/2021
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpFC43.tmp'
Imagebase:	0x120000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 6620 Parent PID: 6632

General

Start time:	16:10:36
Start date:	24/02/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff61de10000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: schtasks.exe PID: 5996 Parent PID: 2264

General

Start time:	16:10:36
Start date:	24/02/2021
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpFF61.tmp'
Imagebase:	0x120000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 5144 Parent PID: 5996

General

Start time:	16:10:37
Start date:	24/02/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff61de10000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: RegSvcs.exe PID: 5692 Parent PID: 936

General

Start time:	16:10:38
Start date:	24/02/2021
Path:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe 0
Imagebase:	0xbe0000
File size:	32768 bytes
MD5 hash:	71369277D09DA0830C8C59F9E22BB23A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	moderate

Chronological Activities

Analysis Process: conhost.exe PID: 5684 Parent PID: 5692

General

Start time:	16:10:38
Start date:	24/02/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff61de10000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: dhcpmon.exe PID: 5680 Parent PID: 936

General

Start time:	16:10:38
Start date:	24/02/2021
Path:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
Imagebase:	0xe00000
File size:	32768 bytes
MD5 hash:	71369277D09DA0830C8C59F9E22BB23A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Antivirus matches:	Detection: 0%, Metadefender, Browse Detection: 0%, ReversingLabs
Reputation:	moderate

Chronological Activities

Analysis Process: conhost.exe PID: 6916 Parent PID: 5680

General

Start time:	16:10:39
Start date:	24/02/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff61de10000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: dhcpmon.exe PID: 7144 Parent PID: 3440

General

Start time:	16:10:48
Start date:	24/02/2021
Path:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
Imagebase:	0xc20000
File size:	32768 bytes
MD5 hash:	71369277D09DA0830C8C59F9E22BB23A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	moderate

Chronological Activities

Analysis Process: conhost.exe PID: 7116 Parent PID: 7144

General

Start time:	16:10:49
Start date:	24/02/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff61de10000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: cp573oYDUX.exe PID: 7012 Parent PID: 5888 cp573oYDUX.exeCOMMON

Executed Functions

Function 06DB48E6, Relevance: 14.6, Strings: 11, Instructions: 837COMMON

Download Yara Rule

Strings

>_Ir, xrefs: 06DB4B13
?, xrefs: 06DB5050
8, xrefs: 06DB4E5B
?, xrefs: 06DB4CA6
X1kr, xrefs: 06DB4A0E
A, xrefs: 06DB579A
(, xrefs: 06DB53BC
z, xrefs: 06DB5331
?, xrefs: 06DB54D7
x, xrefs: 06DB5227
=, xrefs: 06DB4980

Memory Dump Source

Source File: 00000000.00000002.377039037.0000000006DB0000.00000040.00000001.sdmp, Offset: 06DB0000, based on PE: false

Similarity

API ID:
String ID: ($8$=$>_Ir$?$?$?$A$X1kr$x$z
API String ID: 0-716965509
Opcode ID: 3004680bdcc4b652b4443c01949bc63140618f395f185b3453011018dafd401d
Instruction ID: 09d5ced077914be561e5bdd46aa1f4338f87bf8bb019166d7cf830f1d03bb64a
Opcode Fuzzy Hash: 3004680bdcc4b652b4443c01949bc63140618f395f185b3453011018dafd401d
Instruction Fuzzy Hash: 01820770D46229CFEBA4DF28D844BEDB7B5AB49310F10A1E9C15EA7299DB744AC4CF40

Uniqueness

Uniqueness Score: -1.00%

Function 06DB51FC, Relevance: 8.0, Strings: 6, Instructions: 475COMMON

Download Yara Rule

Strings

?, xrefs: 06DB5050
A, xrefs: 06DB579A
(, xrefs: 06DB53BC
z, xrefs: 06DB5331
?, xrefs: 06DB54D7
x, xrefs: 06DB5227

Memory Dump Source

Source File: 00000000.00000002.377039037.0000000006DB0000.00000040.00000001.sdmp, Offset: 06DB0000, based on PE: false

Similarity

API ID:
String ID: ($?$?$A$x$z
API String ID: 0-248874012
Opcode ID: d00b412989d8123653abe26aa9cf84795e79ced42d9f8df036edeadd92221268
Instruction ID: 1d8f6e40cc214ee2433e448e8620cd0190c51db54487538bd0d60a1709d3dfc6
Opcode Fuzzy Hash: d00b412989d8123653abe26aa9cf84795e79ced42d9f8df036edeadd92221268
Instruction Fuzzy Hash: C2220670D4A229CFEBA4DF25D844BECB7B5AB49305F10A1E9C05E66295DB748AC4CF80

Uniqueness

Uniqueness Score: -1.00%

Function 07220FF2, Relevance: 1.6, APIs: 1, Instructions: 71COMMON

Download Yara Rule

APIs

GetUserNameA.ADVAPI32(?,00000E2C), ref: 07221059

Memory Dump Source

Source File: 00000000.00000002.379533672.0000000007220000.00000040.00000001.sdmp, Offset: 07220000, based on PE: false

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 4ec0066f2b1ef24c93bb43c30dd6ef77249b16b9fd0f6e9fc62b3658e96313b1
Instruction ID: 658f95ba8fbca0579f8308501f552ed95ad209b0d5bad2bfbf5dc37d37f20f81
Opcode Fuzzy Hash: 4ec0066f2b1ef24c93bb43c30dd6ef77249b16b9fd0f6e9fc62b3658e96313b1
Instruction Fuzzy Hash: C811A2B2510249BFE710DB28DC85FABBB9CEF45310F14846AEE45DB281D6B4E505CB71

Uniqueness

Uniqueness Score: -1.00%

Function 05020100, Relevance: 1.6, Instructions: 1563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.374229378.0000000005020000.00000040.00000001.sdmp, Offset: 05020000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c9aea7187170bcf2b801ebb07fc50764ce434cd8a8a587d5f1ca9668b54c4a6
Instruction ID: 98a6b8f38a8c0408c44d53d56635bede935b678da249ae5204e4d7b29a720652
Opcode Fuzzy Hash: 4c9aea7187170bcf2b801ebb07fc50764ce434cd8a8a587d5f1ca9668b54c4a6
Instruction Fuzzy Hash: 38F2A834A41218DFDB65DB64C898FA9B7B2FF4A301F5540E8D509AB361CB32AE85DF40

Uniqueness

Uniqueness Score: -1.00%

Function 05020110, Relevance: 1.6, Instructions: 1558COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.374229378.0000000005020000.00000040.00000001.sdmp, Offset: 05020000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2452a5194bf7e9bd09235a2e932d130f45f0a4e7763cfee965c965453be1f3a
Instruction ID: 198505d59fba7a2655f5994e3a9d30d871bcd30ea96ef37ebe97b32cd8785deb
Opcode Fuzzy Hash: d2452a5194bf7e9bd09235a2e932d130f45f0a4e7763cfee965c965453be1f3a
Instruction Fuzzy Hash: DDF2A834A41218DFDB65DB64C898FA9B7B2FF4A301F5540E8D509AB361CB32AE85DF40

Uniqueness

Uniqueness Score: -1.00%

Function 05022398, Relevance: 1.4, Strings: 1, Instructions: 153COMMON

Download Yara Rule

Strings

X1kr, xrefs: 05022417

Memory Dump Source

Source File: 00000000.00000002.374229378.0000000005020000.00000040.00000001.sdmp, Offset: 05020000, based on PE: false

Similarity

API ID:
String ID: X1kr
API String ID: 0-844551562
Opcode ID: 96724fc7d8da95350ba31dbd1383f09ae6d75b5fa41b4c35ff82b77a0a657607
Instruction ID: 984bbde7b1fbef7590a79a0729377152c0c9403797ee4be5a7c189d65cba5df0
Opcode Fuzzy Hash: 96724fc7d8da95350ba31dbd1383f09ae6d75b5fa41b4c35ff82b77a0a657607
Instruction Fuzzy Hash: 3961A1B4E04218DFDB54DFE9E994AADBBF2BF88300F20952AE809A7354E7345945CF10

Uniqueness

Uniqueness Score: -1.00%

Function 05022389, Relevance: 1.4, Strings: 1, Instructions: 148COMMON

Download Yara Rule

Strings

X1kr, xrefs: 05022417

Memory Dump Source

Source File: 00000000.00000002.374229378.0000000005020000.00000040.00000001.sdmp, Offset: 05020000, based on PE: false

Similarity

API ID:
String ID: X1kr
API String ID: 0-844551562
Opcode ID: f592b8e2c19a0e4e1cac3a65dfd742169cce5eb8dcaef111c379b5cb62ccda47
Instruction ID: a880794e73aad6c9b47f6c56ca3501dabc7921f08c93658c320cdde28c2d52f7
Opcode Fuzzy Hash: f592b8e2c19a0e4e1cac3a65dfd742169cce5eb8dcaef111c379b5cb62ccda47
Instruction Fuzzy Hash: 6651B0B4E04218DFDB54DFE9E994AADBBF2BF88300F20952AE809A7354E7345945CF00

Uniqueness

Uniqueness Score: -1.00%

Function 050227A7, Relevance: 2.7, Strings: 2, Instructions: 199COMMON

Download Yara Rule

Strings

</kr, xrefs: 05022A66
,:kr, xrefs: 05022900

Memory Dump Source

Source File: 00000000.00000002.374229378.0000000005020000.00000040.00000001.sdmp, Offset: 05020000, based on PE: false

Similarity

API ID:
String ID: ,:kr$</kr
API String ID: 0-3694523141
Opcode ID: 7fe5e5bde14323df46c29bfdc6c989ccb3b70c4acd0ec0d5f0304c4e7a407eec
Instruction ID: 5c0912fd1282060b2093b9196016e2240659e18319a0ddd4f4d1c885e78badba
Opcode Fuzzy Hash: 7fe5e5bde14323df46c29bfdc6c989ccb3b70c4acd0ec0d5f0304c4e7a407eec
Instruction Fuzzy Hash: 30912478D01229CFDB24DFA4D884BEDBBB2BF49304F5481D9D508AB2A1DB709A85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 06DB5874, Relevance: 2.7, Strings: 2, Instructions: 174COMMON

Download Yara Rule

Strings

A, xrefs: 06DB579A
?, xrefs: 06DB54D7

Memory Dump Source

Source File: 00000000.00000002.377039037.0000000006DB0000.00000040.00000001.sdmp, Offset: 06DB0000, based on PE: false

Similarity

API ID:
String ID: ?$A
API String ID: 0-541453087
Opcode ID: c6dbecdd8b2cfd78d1dc3bdd1b616403394538dc8f464d6d783de2ae67e1c556
Instruction ID: ddf38d510577d7dc469a4955409538042b3625053e4591fea9655431121662c6
Opcode Fuzzy Hash: c6dbecdd8b2cfd78d1dc3bdd1b616403394538dc8f464d6d783de2ae67e1c556
Instruction Fuzzy Hash: A0714870D45229CFEBA4CF24E8847ECB7B5AB4A311F10A1EAC15E76294DB744AC5CF80

Uniqueness

Uniqueness Score: -1.00%

Function 07220F92, Relevance: 1.6, APIs: 1, Instructions: 117COMMON

Download Yara Rule

APIs

GetUserNameA.ADVAPI32(?,00000E2C), ref: 07221059

Memory Dump Source

Source File: 00000000.00000002.379533672.0000000007220000.00000040.00000001.sdmp, Offset: 07220000, based on PE: false

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: a7f6c79ebb198036f05c9d3156be9114e15b2bc5587fe31aaafda0119c392487
Instruction ID: 3875955cd0dc6383bd32cf15e1bde18f778b8f2664300b15d35141922fbe258e
Opcode Fuzzy Hash: a7f6c79ebb198036f05c9d3156be9114e15b2bc5587fe31aaafda0119c392487
Instruction Fuzzy Hash: 81318BB210A3C56FE7138B249C55BA6BFB89F03210F0985DBE984DB193D2689849C772

Uniqueness

Uniqueness Score: -1.00%

Function 07221DFB, Relevance: 1.6, APIs: 1, Instructions: 102COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,00000E2C), ref: 07221EAB

Memory Dump Source

Source File: 00000000.00000002.379533672.0000000007220000.00000040.00000001.sdmp, Offset: 07220000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 8a2d319411b95ac52715caa5072822cafcb5b2332fc908c7c28797d922d73fac
Instruction ID: 632a02e7170756524a047dd52f357994f292ba060d11e91e28d0b6effce2a9df
Opcode Fuzzy Hash: 8a2d319411b95ac52715caa5072822cafcb5b2332fc908c7c28797d922d73fac
Instruction Fuzzy Hash: E931A371004385BFE7228B65DC45F66BFACEF46310F04849BE985DB152D224A919DB71

Uniqueness

Uniqueness Score: -1.00%

Function 072216EA, Relevance: 1.6, APIs: 1, Instructions: 94COMMON

Download Yara Rule

APIs

GetTokenInformation.KERNELBASE(?,00000E2C,2F90C220,00000000,00000000,00000000,00000000), ref: 07221794

Memory Dump Source

Source File: 00000000.00000002.379533672.0000000007220000.00000040.00000001.sdmp, Offset: 07220000, based on PE: false

Similarity

API ID: InformationToken
String ID:
API String ID: 4114910276-0
Opcode ID: 3c37dbd648214210f9dbeb6a759f0b91c0bb3060a02d610091c70735e855d813
Instruction ID: 15679737efc258cf1721da91cad402aed79bbb9d5610c739d288da45d0ac2105
Opcode Fuzzy Hash: 3c37dbd648214210f9dbeb6a759f0b91c0bb3060a02d610091c70735e855d813
Instruction Fuzzy Hash: FA31D371409385AFEB228F65DC45F97BFB8EF46310F08849BE9849B152D220A909C771

Uniqueness

Uniqueness Score: -1.00%

Function 0291AC22, Relevance: 1.6, APIs: 1, Instructions: 92registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,00000E2C), ref: 0291ACD1

Memory Dump Source

Source File: 00000000.00000002.369451952.000000000291A000.00000040.00000001.sdmp, Offset: 0291A000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: a98613ad3cf161d6f873c4e37b923cc1d354950562e3f00784ae0029ce569389
Instruction ID: 397d2cea3952bda084599e24c6612459df5363cd4c3f23ea9ae959b068507549
Opcode Fuzzy Hash: a98613ad3cf161d6f873c4e37b923cc1d354950562e3f00784ae0029ce569389
Instruction Fuzzy Hash: 0231B472504384AFE7228B25DC85F67BFBCEF06710F0884ABED859B152D265E809CB71

Uniqueness

Uniqueness Score: -1.00%

Function 07221278, Relevance: 1.6, APIs: 1, Instructions: 90fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 07221319

Memory Dump Source

Source File: 00000000.00000002.379533672.0000000007220000.00000040.00000001.sdmp, Offset: 07220000, based on PE: false

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: b9b12feb04dafb27c79c817aa48f2fa23f259b30220992eaa33716a01cc996d4
Instruction ID: 4ec0a124bee1a9bd8829a68c20c4e3b75636b3d9b05b1beb61d0cf692b9a8517
Opcode Fuzzy Hash: b9b12feb04dafb27c79c817aa48f2fa23f259b30220992eaa33716a01cc996d4
Instruction Fuzzy Hash: 6C319CB1504384AFE722CF65CC84F66BFE8EF45610F0884AEE9848B252D375E819CB71

Uniqueness

Uniqueness Score: -1.00%

Function 0722033A, Relevance: 1.6, APIs: 1, Instructions: 89synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNELBASE(?,?), ref: 072203E1

Memory Dump Source

Source File: 00000000.00000002.379533672.0000000007220000.00000040.00000001.sdmp, Offset: 07220000, based on PE: false

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 7981ef60c52db703838e6d43cfd6bfca658289a6dc6b7699f287ac5bc309121a
Instruction ID: 226d7c229517472e715723a0a95f9c71f5eb7a5c3435d44ec1d14748ff762f4e
Opcode Fuzzy Hash: 7981ef60c52db703838e6d43cfd6bfca658289a6dc6b7699f287ac5bc309121a
Instruction Fuzzy Hash: 203193B15097806FE722CB25DC85F56FFE8EF06310F18849AE984DB292D375E909C761

Uniqueness

Uniqueness Score: -1.00%

Function 0291AD19, Relevance: 1.6, APIs: 1, Instructions: 89registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,2F90C220,00000000,00000000,00000000,00000000), ref: 0291ADD4

Memory Dump Source

Source File: 00000000.00000002.369451952.000000000291A000.00000040.00000001.sdmp, Offset: 0291A000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 2f7482314bf87f21df51d71db2da48281de993a48a38ef41b4a9e4d1c65a8d3f
Instruction ID: 78a7fe31d0bf4df1da753ab1aaaee53c29b7cd7017b7037a9471aa594bc52a2e
Opcode Fuzzy Hash: 2f7482314bf87f21df51d71db2da48281de993a48a38ef41b4a9e4d1c65a8d3f
Instruction Fuzzy Hash: CE31C7751057846FD722CB25CC44F92BFFCEF06310F08849AE985CB152D360E949CB61

Uniqueness

Uniqueness Score: -1.00%

Function 07220438, Relevance: 1.6, APIs: 1, Instructions: 86registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,?,?), ref: 072204EE

Memory Dump Source

Source File: 00000000.00000002.379533672.0000000007220000.00000040.00000001.sdmp, Offset: 07220000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 41e15836639a050704ff5be585cc4998233cc31b6fd6c1301a40b01169f2f105
Instruction ID: 26ac63f9e7f1bb2b859b414c515fe629e063a60ac90ecb070ab476ddb0d1f89c
Opcode Fuzzy Hash: 41e15836639a050704ff5be585cc4998233cc31b6fd6c1301a40b01169f2f105
Instruction Fuzzy Hash: EB31D7B54097C06FD3138B259C51B61BF78FF47720F0A81DBE9848B5A3E225691AC7B1

Uniqueness

Uniqueness Score: -1.00%

Function 07221A1B, Relevance: 1.6, APIs: 1, Instructions: 85COMMON

Download Yara Rule

APIs

LsaOpenPolicy.ADVAPI32(?,00000E2C), ref: 07221AB7

Memory Dump Source

Source File: 00000000.00000002.379533672.0000000007220000.00000040.00000001.sdmp, Offset: 07220000, based on PE: false

Similarity

API ID: OpenPolicy
String ID:
API String ID: 2030686058-0
Opcode ID: e45130f56ddc742d3d1393e5bcf29faae962be2b51f519a36014cc73489200b3
Instruction ID: 1e773359345e46fdaf6a4912a1d4cb7f8b3c567e1b259624978158905efbb671
Opcode Fuzzy Hash: e45130f56ddc742d3d1393e5bcf29faae962be2b51f519a36014cc73489200b3
Instruction Fuzzy Hash: 8521A272504344AFE721CF65DC84F66FFBCEF45310F18849AED849B252D265E409CB61

Uniqueness

Uniqueness Score: -1.00%

Function 072210B7, Relevance: 1.6, APIs: 1, Instructions: 81COMMON

Download Yara Rule

APIs

FindWindowA.USER32(?,00000E2C), ref: 0722115A

Memory Dump Source

Source File: 00000000.00000002.379533672.0000000007220000.00000040.00000001.sdmp, Offset: 07220000, based on PE: false

Similarity

API ID: FindWindow
String ID:
API String ID: 134000473-0
Opcode ID: 1686a08dd7cebb39b1d44949abcda3e46fd78f59352ed6a3b8f3aae038e1f19b
Instruction ID: af11a5543598d92ea4d14c1dddee19a51136d976643d55eecf37325430ab90f0
Opcode Fuzzy Hash: 1686a08dd7cebb39b1d44949abcda3e46fd78f59352ed6a3b8f3aae038e1f19b
Instruction Fuzzy Hash: B42196B1409385AFE7228F24DC45F96BFA8EF46310F18849AE9449F192D278A949C761

Uniqueness

Uniqueness Score: -1.00%

Function 07221E2E, Relevance: 1.6, APIs: 1, Instructions: 80COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,00000E2C), ref: 07221EAB

Memory Dump Source

Source File: 00000000.00000002.379533672.0000000007220000.00000040.00000001.sdmp, Offset: 07220000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: c9c8b92c554abd279ef2c7465ec28a339e752197a3d01944a55bce3f5fa837b9
Instruction ID: 932dcddfe53e65d43e44ba0fdcd884386d7ad517f3a060e682b3e9f89cd7f4f6
Opcode Fuzzy Hash: c9c8b92c554abd279ef2c7465ec28a339e752197a3d01944a55bce3f5fa837b9
Instruction Fuzzy Hash: A221C1B2500305BFEB219F64DC85F6BFBACEF05310F14886AEE459B251D670E4198B71

Uniqueness

Uniqueness Score: -1.00%

Function 07221370, Relevance: 1.6, APIs: 1, Instructions: 80COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E2C,2F90C220,00000000,00000000,00000000,00000000), ref: 07221405

Memory Dump Source

Source File: 00000000.00000002.379533672.0000000007220000.00000040.00000001.sdmp, Offset: 07220000, based on PE: false

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: f3b8c268c960d9a88513988c6d09d117b5903d392c462ffb8b9286e59774ba61
Instruction ID: 1cac7abf43d19e8191f275919cb5962b6786e188e889a4d7b86c54c9261c01ed
Opcode Fuzzy Hash: f3b8c268c960d9a88513988c6d09d117b5903d392c462ffb8b9286e59774ba61
Instruction Fuzzy Hash: C421D6B54493846FE7128B25DC41FA2BFA8EF47720F1880D7EE849B293D264A909C771

Uniqueness

Uniqueness Score: -1.00%

Function 0291A2AC, Relevance: 1.6, APIs: 1, Instructions: 77COMMON

Download Yara Rule

APIs

SetConsoleCtrlHandler.KERNELBASE(?,00000E2C,?,?), ref: 0291A346

Memory Dump Source

Source File: 00000000.00000002.369451952.000000000291A000.00000040.00000001.sdmp, Offset: 0291A000, based on PE: false

Similarity

API ID: ConsoleCtrlHandler
String ID:
API String ID: 1513847179-0
Opcode ID: b5a75e99e7310fe0589de87146c30db559e079d04d1d9fc16d9a2dc8da28723e
Instruction ID: 76fcbbc5cde3b3e0d7e14794babf23ea9463294a033602ae152da0213cd9cd20
Opcode Fuzzy Hash: b5a75e99e7310fe0589de87146c30db559e079d04d1d9fc16d9a2dc8da28723e
Instruction Fuzzy Hash: CB21A47144D3C06FD3138B259C51B22BFB8EF87620F0981DBE884CB653D225A919C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 0722129A, Relevance: 1.6, APIs: 1, Instructions: 76fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 07221319

Memory Dump Source

Source File: 00000000.00000002.379533672.0000000007220000.00000040.00000001.sdmp, Offset: 07220000, based on PE: false

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: e063ac487906adfd663e6c6ba6f3a389a402b99b1db62359fef70b439dec2b9c
Instruction ID: f82b2011c3969a529666f7faec9db1a21558ef2b5a2d46b04391399857fd5542
Opcode Fuzzy Hash: e063ac487906adfd663e6c6ba6f3a389a402b99b1db62359fef70b439dec2b9c
Instruction Fuzzy Hash: 4E219AB1504644AFEB21DF65CC84F66FBE8EF08710F04846AEE858B651D371E419CB71

Uniqueness

Uniqueness Score: -1.00%

Function 07221F09, Relevance: 1.6, APIs: 1, Instructions: 75fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(?), ref: 07221F90

Memory Dump Source

Source File: 00000000.00000002.379533672.0000000007220000.00000040.00000001.sdmp, Offset: 07220000, based on PE: false

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 777e6eda8322b94d5ecaf2b88b9be08d0aadf317ee781777d8413884ee05547a
Instruction ID: d4f747b909ee93b0529b7e84818131af4ab8283398cd90feec777d84e2eb2c5a
Opcode Fuzzy Hash: 777e6eda8322b94d5ecaf2b88b9be08d0aadf317ee781777d8413884ee05547a
Instruction Fuzzy Hash: 1021B2725093C5AFDB12CB25DC51B92BFB8EF07210F0984DBDD848F263D2259909CB61

Uniqueness

Uniqueness Score: -1.00%

Function 07222769, Relevance: 1.6, APIs: 1, Instructions: 75COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 072227EA

Memory Dump Source

Source File: 00000000.00000002.379533672.0000000007220000.00000040.00000001.sdmp, Offset: 07220000, based on PE: false

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: cc924561510abca63ab99365dbd03a82c77100cbb926c4909afb1c0a4f2a9fdc
Instruction ID: 92c9d18af0a7fc889ef314ab4632535c47c748d5d2c595adefbd431d7f54c6cc
Opcode Fuzzy Hash: cc924561510abca63ab99365dbd03a82c77100cbb926c4909afb1c0a4f2a9fdc
Instruction Fuzzy Hash: BF21B3B1509381AFEB128F25DC40B52BFE8EF06210F0984DAED85DF253D265E808CB71

Uniqueness

Uniqueness Score: -1.00%

Function 0291AC52, Relevance: 1.6, APIs: 1, Instructions: 74registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,00000E2C), ref: 0291ACD1

Memory Dump Source

Source File: 00000000.00000002.369451952.000000000291A000.00000040.00000001.sdmp, Offset: 0291A000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: eedf7581879d2f6494f4f33d03b11834cdea2f6314b2b78434c513f921018d74
Instruction ID: 97c54465da1248cc58221b139bb96b7f0d675881b2c8b8dc16d7b0f0e716613a
Opcode Fuzzy Hash: eedf7581879d2f6494f4f33d03b11834cdea2f6314b2b78434c513f921018d74
Instruction Fuzzy Hash: 28219D72500608AFE7219B69DC84F6BFBACEF14720F14885AEE459A241D664E808CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 0722036E, Relevance: 1.6, APIs: 1, Instructions: 72synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNELBASE(?,?), ref: 072203E1

Memory Dump Source

Source File: 00000000.00000002.379533672.0000000007220000.00000040.00000001.sdmp, Offset: 07220000, based on PE: false

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: b5d010f23813b6defe95e86aa373c0203638ff6698e43992fb4dbddacd1c7a8c
Instruction ID: d53671b4d76c9d90a12a9b117fbdc02754eaf63b3dd98fc72bf675313d285023
Opcode Fuzzy Hash: b5d010f23813b6defe95e86aa373c0203638ff6698e43992fb4dbddacd1c7a8c
Instruction Fuzzy Hash: 5A219FB1614201AFE720DF25DD85F66FBE8EF04710F14846AED449B241D7B5E405CB75

Uniqueness

Uniqueness Score: -1.00%

Function 07221A46, Relevance: 1.6, APIs: 1, Instructions: 72COMMON

Download Yara Rule

APIs

LsaOpenPolicy.ADVAPI32(?,00000E2C), ref: 07221AB7

Memory Dump Source

Source File: 00000000.00000002.379533672.0000000007220000.00000040.00000001.sdmp, Offset: 07220000, based on PE: false

Similarity

API ID: OpenPolicy
String ID:
API String ID: 2030686058-0
Opcode ID: 3e492721934ce870fe4a57da23df2dccc02a8ca5f364f3a461c31e8e3942fd3c
Instruction ID: 425bb6fd4bdb1055f9f72b98a4370c36c0e82e13d430564ac6393e07c361885f
Opcode Fuzzy Hash: 3e492721934ce870fe4a57da23df2dccc02a8ca5f364f3a461c31e8e3942fd3c
Instruction Fuzzy Hash: 9321AEB2500204BFE720DF69DC85F6BFBACEF44710F14846AEE449B241E664E419CB75

Uniqueness

Uniqueness Score: -1.00%

Function 07221522, Relevance: 1.6, APIs: 1, Instructions: 70fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,00000E2C,2F90C220,00000000,00000000,00000000,00000000), ref: 072215A1

Memory Dump Source

Source File: 00000000.00000002.379533672.0000000007220000.00000040.00000001.sdmp, Offset: 07220000, based on PE: false

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 73893c3cafe33d61f340c707394284eb0639d13569ead0a7426a6111443f20a5
Instruction ID: 315112ef5f0d550f7d469292c4090ea9886cba23dac1632a0db063009e3fc2b7
Opcode Fuzzy Hash: 73893c3cafe33d61f340c707394284eb0639d13569ead0a7426a6111443f20a5
Instruction Fuzzy Hash: 9F21CF72404384AFEB228F65DC84F97FFB8EF46310F08849BEA459B252C274A418CB71

Uniqueness

Uniqueness Score: -1.00%

Function 0722172A, Relevance: 1.6, APIs: 1, Instructions: 69COMMON

Download Yara Rule

APIs

GetTokenInformation.KERNELBASE(?,00000E2C,2F90C220,00000000,00000000,00000000,00000000), ref: 07221794

Memory Dump Source

Source File: 00000000.00000002.379533672.0000000007220000.00000040.00000001.sdmp, Offset: 07220000, based on PE: false

Similarity

API ID: InformationToken
String ID:
API String ID: 4114910276-0
Opcode ID: b637b8e74874aee8434003f76d8fa7ac28a10554d49c5275ff680d4bfd6554b5
Instruction ID: b73f2e318d4dc379bf54937047bdd488702c0e8a701a9b2ea4154d1cc45e418e
Opcode Fuzzy Hash: b637b8e74874aee8434003f76d8fa7ac28a10554d49c5275ff680d4bfd6554b5
Instruction Fuzzy Hash: 2811CDB1500209AEEB219F65DC85FABBBACEF45320F14846BEE459B241D770E819CB71

Uniqueness

Uniqueness Score: -1.00%

Function 0291AD5A, Relevance: 1.6, APIs: 1, Instructions: 69registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,2F90C220,00000000,00000000,00000000,00000000), ref: 0291ADD4

Memory Dump Source

Source File: 00000000.00000002.369451952.000000000291A000.00000040.00000001.sdmp, Offset: 0291A000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: fde3211afbc93e40f08d3efcdba5cb0bd7f0375b1f63a9a3ed7792e136176657
Instruction ID: c98b581348f90330cc1a4e019564977a98650edc8a13ff62844a25266f43a594
Opcode Fuzzy Hash: fde3211afbc93e40f08d3efcdba5cb0bd7f0375b1f63a9a3ed7792e136176657
Instruction Fuzzy Hash: E8218E75601608AFE720CF26DC80FA7BBECEF04711F04856AEE459B251DB60E808CA71

Uniqueness

Uniqueness Score: -1.00%

Function 072221CC, Relevance: 1.6, APIs: 1, Instructions: 68injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0722224C

Memory Dump Source

Source File: 00000000.00000002.379533672.0000000007220000.00000040.00000001.sdmp, Offset: 07220000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: aa5b38e270e61b79bf76fe031c34ff98a1bc10b0eb0577bb4a927abdf28addbd
Instruction ID: 7845cdd95664b9dac0009ebff06207a4d65cf4945e8c9073853ec09897201b26
Opcode Fuzzy Hash: aa5b38e270e61b79bf76fe031c34ff98a1bc10b0eb0577bb4a927abdf28addbd
Instruction Fuzzy Hash: CE21D0760093C1AFDB128B25DC84A96FFF4EF07220F0980DEED858B163D225E849DB21

Uniqueness

Uniqueness Score: -1.00%

Function 07220517, Relevance: 1.6, APIs: 1, Instructions: 67libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,00000E2C), ref: 072205A3

Memory Dump Source

Source File: 00000000.00000002.379533672.0000000007220000.00000040.00000001.sdmp, Offset: 07220000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: c3822055eecb41a8c707fad8f59cc3abde3201bb5131a52b09bf849e3d96a3f5
Instruction ID: 22eb98d4a6bc51b7766e2e6ab150848dd838d9d5f46fbc7c26aca04e452c4d3e
Opcode Fuzzy Hash: c3822055eecb41a8c707fad8f59cc3abde3201bb5131a52b09bf849e3d96a3f5
Instruction Fuzzy Hash: 6121B771504384BFE721CB15DC85F66FFA8EF46720F14809AFE445B292D264A949C762

Uniqueness

Uniqueness Score: -1.00%

Function 0291B42D, Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

LoadLibraryShim.MSCOREE(?,?,?,?), ref: 0291B4A9

Memory Dump Source

Source File: 00000000.00000002.369451952.000000000291A000.00000040.00000001.sdmp, Offset: 0291A000, based on PE: false

Similarity

API ID: LibraryLoadShim
String ID:
API String ID: 1475914169-0
Opcode ID: c4f7906c00a16e51b09aae04f21399c322f04ea75aa7ff0e93cbe9c6f41b0639
Instruction ID: a886112323e7d9597ff0b33a552ecb0936018640b96d6897f1a12f62e9d265ad
Opcode Fuzzy Hash: c4f7906c00a16e51b09aae04f21399c322f04ea75aa7ff0e93cbe9c6f41b0639
Instruction Fuzzy Hash: 23219371509384AFD7228F15DC45B62BFE8EF56614F08808AED888B293D365E908C771

Uniqueness

Uniqueness Score: -1.00%

Function 0722232D, Relevance: 1.6, APIs: 1, Instructions: 62windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 072223A1

Memory Dump Source

Source File: 00000000.00000002.379533672.0000000007220000.00000040.00000001.sdmp, Offset: 07220000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 508eb3b36c3aeb26ac15b4c7631ceffb44fbef24117805d90e771b871584a601
Instruction ID: 4c54b1499a29c8c897c6405aa5f02b15c1d24ecb8cc2745ad45eed60b0c8013d
Opcode Fuzzy Hash: 508eb3b36c3aeb26ac15b4c7631ceffb44fbef24117805d90e771b871584a601
Instruction Fuzzy Hash: 73218C714093C0AFDB138B25DC44A52FFB4EF07210F0984DBE9848F163D265A858DB62

Uniqueness

Uniqueness Score: -1.00%

Function 072210EE, Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

FindWindowA.USER32(?,00000E2C), ref: 0722115A

Memory Dump Source

Source File: 00000000.00000002.379533672.0000000007220000.00000040.00000001.sdmp, Offset: 07220000, based on PE: false

Similarity

API ID: FindWindow
String ID:
API String ID: 134000473-0
Opcode ID: 39f4be36f44e8d10e6503046862a00f432822cb5f35e5d080798f41c8f348bfc
Instruction ID: c366b9ce649e3398075844a2617a0e26f8558400d422b874ae7f96ac5d2a6c90
Opcode Fuzzy Hash: 39f4be36f44e8d10e6503046862a00f432822cb5f35e5d080798f41c8f348bfc
Instruction Fuzzy Hash: 6F110A71510205BFFB20DF14DD85FA6FBA8EF45710F1484AAEE449F285D2B4A509CB71

Uniqueness

Uniqueness Score: -1.00%

Function 0291A5FB, Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0291A666

Memory Dump Source

Source File: 00000000.00000002.369451952.000000000291A000.00000040.00000001.sdmp, Offset: 0291A000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 861200743fe65d846bfffbea43699335e0050ff9052835f3fb15ba0895610812
Instruction ID: 35a69eb48bb8df589c3184d7b10ad7153217fcce2bef7c9096beaf241e7915ca
Opcode Fuzzy Hash: 861200743fe65d846bfffbea43699335e0050ff9052835f3fb15ba0895610812
Instruction Fuzzy Hash: 9711A271409380AFDB228F55DC44B62FFF8EF4A210F0884DAEE858B252D275A418DB61

Uniqueness

Uniqueness Score: -1.00%

Function 07221542, Relevance: 1.6, APIs: 1, Instructions: 60fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,00000E2C,2F90C220,00000000,00000000,00000000,00000000), ref: 072215A1

Memory Dump Source

Source File: 00000000.00000002.379533672.0000000007220000.00000040.00000001.sdmp, Offset: 07220000, based on PE: false

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 8ab4e3a8d03ea6ca3b518287599d2b97379d66a1ea881afb0342777cc47399c2
Instruction ID: 1694c73dbde3d7a105d24a7ec48b4e2b356e939e472d8ecd6a59aa5b157b875a
Opcode Fuzzy Hash: 8ab4e3a8d03ea6ca3b518287599d2b97379d66a1ea881afb0342777cc47399c2
Instruction Fuzzy Hash: C611B271400604BFEB218F59DC84F6AFBA8EF45310F1484ABEE459B241D6B5E519CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 0722212B, Relevance: 1.6, APIs: 1, Instructions: 58COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07222190

Memory Dump Source

Source File: 00000000.00000002.379533672.0000000007220000.00000040.00000001.sdmp, Offset: 07220000, based on PE: false

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: ebdebcb579edbc3b2ed3471bc3c6f19b24b7902e7455dadfcfbe60e486403fb7
Instruction ID: f02141eb9ef204eb9d6911701dc6d71f9217784f9dc780dfdcf3bbfad38a5a8d
Opcode Fuzzy Hash: ebdebcb579edbc3b2ed3471bc3c6f19b24b7902e7455dadfcfbe60e486403fb7
Instruction Fuzzy Hash: 47119376509781AFDB228F25DC40A52FFB4EF06220F08809EEE858A663C275A559DB61

Uniqueness

Uniqueness Score: -1.00%

Function 0722053A, Relevance: 1.6, APIs: 1, Instructions: 56libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,00000E2C), ref: 072205A3

Memory Dump Source

Source File: 00000000.00000002.379533672.0000000007220000.00000040.00000001.sdmp, Offset: 07220000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: c43d93ef218a16ae210235465b57b9b7353d5435e8e9bea77b32876a9d50adc3
Instruction ID: a482bd45e4ce9fa077435694f43489d9863dd76e2b431485a36a9c6796bd5d23
Opcode Fuzzy Hash: c43d93ef218a16ae210235465b57b9b7353d5435e8e9bea77b32876a9d50adc3
Instruction Fuzzy Hash: BC11E1B1510204BFF7309B15DC81FAAFB98EF45720F14809AEE456A281D6B4E549CAB1

Uniqueness

Uniqueness Score: -1.00%

Function 072226BF, Relevance: 1.6, APIs: 1, Instructions: 56windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 07222729

Memory Dump Source

Source File: 00000000.00000002.379533672.0000000007220000.00000040.00000001.sdmp, Offset: 07220000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 7efbbe74b4b083be54c8d8b034380b24626e604c313ff0665105204fe426a993
Instruction ID: dcd27f862e2125dd72f7f4f76b0ce42ab4deabc7b2a0ff7ddab802c8660cd6d6
Opcode Fuzzy Hash: 7efbbe74b4b083be54c8d8b034380b24626e604c313ff0665105204fe426a993
Instruction Fuzzy Hash: A511E271409380AFDB228F15DC45B52FFB4EF06324F0880DEED854B663C276A419DB61

Uniqueness

Uniqueness Score: -1.00%

Function 07222084, Relevance: 1.6, APIs: 1, Instructions: 55threadinjectionCOMMON

Download Yara Rule

APIs

SetThreadContext.KERNELBASE(?,?), ref: 072220E3

Memory Dump Source

Source File: 00000000.00000002.379533672.0000000007220000.00000040.00000001.sdmp, Offset: 07220000, based on PE: false

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: 9b9c08d08d794af2abcbe199c9383fde5e6a3df603cfc7aa5cc67077d9934f72
Instruction ID: d60c7853033925484316d0bdb556f28da6b0803d3a88ffdc3385959993f3766c
Opcode Fuzzy Hash: 9b9c08d08d794af2abcbe199c9383fde5e6a3df603cfc7aa5cc67077d9934f72
Instruction Fuzzy Hash: 3111C1B1504385AFD711CF15DC85F52FFE8EF06220F0980AEED458B262D275E908DB62

Uniqueness

Uniqueness Score: -1.00%

Function 072227A2, Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 072227EA

Memory Dump Source

Source File: 00000000.00000002.379533672.0000000007220000.00000040.00000001.sdmp, Offset: 07220000, based on PE: false

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 87f46829859dcedb70d93657568aa10a2056db3f2a163cc88dd0ccd7da428dc9
Instruction ID: 67cb52eba4d0b906a6202b498cc8c2b3ad8d384b681a340c576a130605b2217a
Opcode Fuzzy Hash: 87f46829859dcedb70d93657568aa10a2056db3f2a163cc88dd0ccd7da428dc9
Instruction Fuzzy Hash: 021182B1614241EFE720DF29D885756FBD8EF04220F08806ADD09DB641D6B5E405DA71

Uniqueness

Uniqueness Score: -1.00%

Function 072213B2, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E2C,2F90C220,00000000,00000000,00000000,00000000), ref: 07221405

Memory Dump Source

Source File: 00000000.00000002.379533672.0000000007220000.00000040.00000001.sdmp, Offset: 07220000, based on PE: false

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: e1156b678db3923917bd0b7a4b78a9494166b3995d50640415381b0a1518b59d
Instruction ID: 465ad524a5a395307394938b27b9cbaf820663b1ea42ac977214961e8e7eab66
Opcode Fuzzy Hash: e1156b678db3923917bd0b7a4b78a9494166b3995d50640415381b0a1518b59d
Instruction Fuzzy Hash: 1801C071510604BEE7109B19DC85FA6FB9CDF45720F5880ABEE489B241D6B4E409CAB1

Uniqueness

Uniqueness Score: -1.00%

Function 0291A42A, Relevance: 1.6, APIs: 1, Instructions: 50threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE(?), ref: 0291A480

Memory Dump Source

Source File: 00000000.00000002.369451952.000000000291A000.00000040.00000001.sdmp, Offset: 0291A000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: ee82779c5a2b7894aa9f1e8a1bc5c9a1e5aaca3cf95ac32de7d42ae11ff80cdb
Instruction ID: e8ce7bf3063945fb9975f041b3382db790000b809549aba4962b0f201c597ffd
Opcode Fuzzy Hash: ee82779c5a2b7894aa9f1e8a1bc5c9a1e5aaca3cf95ac32de7d42ae11ff80cdb
Instruction Fuzzy Hash: 161161754093C4AFD7128B15DC84B62FFB8DF46624F0880DEED899B293D275A908DB72

Uniqueness

Uniqueness Score: -1.00%

Function 0291AEF0, Relevance: 1.6, APIs: 1, Instructions: 50memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0291AF50

Memory Dump Source

Source File: 00000000.00000002.369451952.000000000291A000.00000040.00000001.sdmp, Offset: 0291A000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: f2c9cfb3364e97ee7a58890042f1e0a5f4881801d26c5f5ce9324de814337a2f
Instruction ID: fc0496ba871e5401c1d161cbafd0a0c02908fd836bbc508a9df93d29e4df5a5b
Opcode Fuzzy Hash: f2c9cfb3364e97ee7a58890042f1e0a5f4881801d26c5f5ce9324de814337a2f
Instruction Fuzzy Hash: 94118C72405784AFDB228F55DC44B56FFF4EF4A220F08849EEE854B662C375A818CB61

Uniqueness

Uniqueness Score: -1.00%

Function 07222206, Relevance: 1.5, APIs: 1, Instructions: 47injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0722224C

Memory Dump Source

Source File: 00000000.00000002.379533672.0000000007220000.00000040.00000001.sdmp, Offset: 07220000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 8e924dcf1de2dccccb226b545957e2b82847bb5fb6b0cc9942c41833994176a0
Instruction ID: 105b0e3c6809c8ec54d1c9f8d11e08c1450d9eb3c183c2fd1e314300aed0751c
Opcode Fuzzy Hash: 8e924dcf1de2dccccb226b545957e2b82847bb5fb6b0cc9942c41833994176a0
Instruction Fuzzy Hash: D601A175510601EFDB20CF15D884B66FBE4FF08320F08C16ADD458B661D272E419DB61

Uniqueness

Uniqueness Score: -1.00%

Function 07221F56, Relevance: 1.5, APIs: 1, Instructions: 47fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(?), ref: 07221F90

Memory Dump Source

Source File: 00000000.00000002.379533672.0000000007220000.00000040.00000001.sdmp, Offset: 07220000, based on PE: false

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: cd8c0bc1d7e9ff6140150b39471266c0e25995861b757fb9ad4de2f520b0fe90
Instruction ID: ae11f4b38d5f5142e1b1338660ac31cefdb748c430f9cc48fbd1e6ccc792b647
Opcode Fuzzy Hash: cd8c0bc1d7e9ff6140150b39471266c0e25995861b757fb9ad4de2f520b0fe90
Instruction Fuzzy Hash: 350192B1510345AFD710CF69D885B66FBD8DF01220F1880AADE09CB645D7B4D415DB61

Uniqueness

Uniqueness Score: -1.00%

Function 0291B45E, Relevance: 1.5, APIs: 1, Instructions: 46libraryCOMMON

Download Yara Rule

APIs

LoadLibraryShim.MSCOREE(?,?,?,?), ref: 0291B4A9

Memory Dump Source

Source File: 00000000.00000002.369451952.000000000291A000.00000040.00000001.sdmp, Offset: 0291A000, based on PE: false

Similarity

API ID: LibraryLoadShim
String ID:
API String ID: 1475914169-0
Opcode ID: 2830306f4f193843b2793aa6ef320d06efc66311eb9727c267c86cc79fe15eab
Instruction ID: 029fbae76236c259f64fd49b011b0af21705a80e165af0d189d182fa9c8fbc5f
Opcode Fuzzy Hash: 2830306f4f193843b2793aa6ef320d06efc66311eb9727c267c86cc79fe15eab
Instruction Fuzzy Hash: 7F0180715006049FEB20DF1AD886B22FBE8EF14624F08C49ADD498B685D375E408CB71

Uniqueness

Uniqueness Score: -1.00%

Function 0291A622, Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0291A666

Memory Dump Source

Source File: 00000000.00000002.369451952.000000000291A000.00000040.00000001.sdmp, Offset: 0291A000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: f2135365fa085f974930e55f0c7f58a66564e1005650c58f3b81cb9866b8a9d3
Instruction ID: 4dab3b107675bae3f6caf112df9288d7cccc3b7a44b2df3ad9673528e6c6f225
Opcode Fuzzy Hash: f2135365fa085f974930e55f0c7f58a66564e1005650c58f3b81cb9866b8a9d3
Instruction Fuzzy Hash: 3B016D31401604EFDB218F56D944B56FFE4EF48320F08C9AADE494B611D375A418DF61

Uniqueness

Uniqueness Score: -1.00%

Function 072220A6, Relevance: 1.5, APIs: 1, Instructions: 44threadinjectionCOMMON

Download Yara Rule

APIs

SetThreadContext.KERNELBASE(?,?), ref: 072220E3

Memory Dump Source

Source File: 00000000.00000002.379533672.0000000007220000.00000040.00000001.sdmp, Offset: 07220000, based on PE: false

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: 2ed41e0f5499c45284a933dfd92e90f534e99efbfcfd51eb1eab6ca1ea82bb00
Instruction ID: 74631b00cc95b18a476a8bf1df8e19f48e47ad2dbb4929f790edac9a14697c2e
Opcode Fuzzy Hash: 2ed41e0f5499c45284a933dfd92e90f534e99efbfcfd51eb1eab6ca1ea82bb00
Instruction Fuzzy Hash: 0D01D4B5610201EFEB10CF19DC85B66FBE4FF05320F08C0AADE058B256D6B6E549DB62

Uniqueness

Uniqueness Score: -1.00%

Function 07222152, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07222190

Memory Dump Source

Source File: 00000000.00000002.379533672.0000000007220000.00000040.00000001.sdmp, Offset: 07220000, based on PE: false

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 8f298748773066d63527a611966e87e0f7609c6aef28319f8c585710baf5768e
Instruction ID: a1e3e4215fd05b24c34ed8dbdb3c6b5224bb7dc63e179059169bb6484b5918a6
Opcode Fuzzy Hash: 8f298748773066d63527a611966e87e0f7609c6aef28319f8c585710baf5768e
Instruction Fuzzy Hash: CC019275510601EFDB208F55DC84B56FFE0EF08320F08905EDE455A656C276E419DF62

Uniqueness

Uniqueness Score: -1.00%

Function 0722049E, Relevance: 1.5, APIs: 1, Instructions: 43registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,?,?), ref: 072204EE

Memory Dump Source

Source File: 00000000.00000002.379533672.0000000007220000.00000040.00000001.sdmp, Offset: 07220000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: cb2ac0b819a256fb17085ce4aa6498b6ddbaeffa2802caf03df8236cd140c83c
Instruction ID: 6fc4fc136e797f883b0b48d16a34e67951a23c1a74c0a55db873f107bd062725
Opcode Fuzzy Hash: cb2ac0b819a256fb17085ce4aa6498b6ddbaeffa2802caf03df8236cd140c83c
Instruction Fuzzy Hash: 5F016276500604ABD250DF16DC86F26FBA8FBC8B20F14815AED085B741E371F515CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 0291A2F6, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

SetConsoleCtrlHandler.KERNELBASE(?,00000E2C,?,?), ref: 0291A346

Memory Dump Source

Source File: 00000000.00000002.369451952.000000000291A000.00000040.00000001.sdmp, Offset: 0291A000, based on PE: false

Similarity

API ID: ConsoleCtrlHandler
String ID:
API String ID: 1513847179-0
Opcode ID: d89d0350a2cc040f7a54a3e73f163d76dbaab43a87700ce07b5e1b4432f73f1e
Instruction ID: 99482db9347882c45a5dd21342b3a54168e321dd7fba8572fe88332cea2a8e37
Opcode Fuzzy Hash: d89d0350a2cc040f7a54a3e73f163d76dbaab43a87700ce07b5e1b4432f73f1e
Instruction Fuzzy Hash: D7016275500600ABD650DF16DC86F26FBA8FBC8B20F14815AED085B741E375F515CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 072226EE, Relevance: 1.5, APIs: 1, Instructions: 42windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 07222729

Memory Dump Source

Source File: 00000000.00000002.379533672.0000000007220000.00000040.00000001.sdmp, Offset: 07220000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: d4abe32f98994a6455e5d1bce378d97ef8fba7558e8ccc64302d9df9476c56c1
Instruction ID: 9ad2b5080cccf99fc1671b7b6b277e764bfc07e6c98a20b5730240d5475fc5a8
Opcode Fuzzy Hash: d4abe32f98994a6455e5d1bce378d97ef8fba7558e8ccc64302d9df9476c56c1
Instruction Fuzzy Hash: A501BC75514601EFDB209F19D884B66FFE4EF08320F08C0AEDE494B652C2B2E419DB62

Uniqueness

Uniqueness Score: -1.00%

Function 0291AF12, Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0291AF50

Memory Dump Source

Source File: 00000000.00000002.369451952.000000000291A000.00000040.00000001.sdmp, Offset: 0291A000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: e4779d4f669dd53ed6e0c30d9946454b78d8146dc119bc55967b93dc585f77ec
Instruction ID: 033ef44135e08a235728fde3c3fb7977335163a7788e323620c4750e05f0234b
Opcode Fuzzy Hash: e4779d4f669dd53ed6e0c30d9946454b78d8146dc119bc55967b93dc585f77ec
Instruction Fuzzy Hash: 15018472400644DFDB218F56D844B66FFA4EF08320F08C4AADE490B722D375A818DF62

Uniqueness

Uniqueness Score: -1.00%

Function 07222366, Relevance: 1.5, APIs: 1, Instructions: 38windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 072223A1

Memory Dump Source

Source File: 00000000.00000002.379533672.0000000007220000.00000040.00000001.sdmp, Offset: 07220000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 7fbca6396601b6f75e18b8c66c2819f421ab70760b5c131c94e347297e2e50d2
Instruction ID: 847db9816c465191159a1f25e10a7211b83119bbbd3bca8f1174a517d4570b3f
Opcode Fuzzy Hash: 7fbca6396601b6f75e18b8c66c2819f421ab70760b5c131c94e347297e2e50d2
Instruction Fuzzy Hash: B3017875414604EFDB208F55D884B6AFFE0FF09320F08949AEE490A612D2B6E459DBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0291A44E, Relevance: 1.5, APIs: 1, Instructions: 35threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE(?), ref: 0291A480

Memory Dump Source

Source File: 00000000.00000002.369451952.000000000291A000.00000040.00000001.sdmp, Offset: 0291A000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: cb77a936b79d2ea6c0bb1853a79c246623af705df2a6228fb73314b00fc28f0a
Instruction ID: b4a8295b4d72723bc7b6ac68a4351a28d9a5f133d5cdeed800efbdca9cfbaad5
Opcode Fuzzy Hash: cb77a936b79d2ea6c0bb1853a79c246623af705df2a6228fb73314b00fc28f0a
Instruction Fuzzy Hash: 28F0A435405644DFD7108F56D889765FF94DF44320F18C0AADE494B356D2B5A808CE62

Uniqueness

Uniqueness Score: -1.00%

Function 06DB177E, Relevance: 1.4, Strings: 1, Instructions: 182COMMON

Download Yara Rule

Strings

:@Dr, xrefs: 06DB1913

Memory Dump Source

Source File: 00000000.00000002.377039037.0000000006DB0000.00000040.00000001.sdmp, Offset: 06DB0000, based on PE: false

Similarity

API ID:
String ID: :@Dr
API String ID: 0-3830894600
Opcode ID: 38998d90e06731cd9c4b68c4c5f6b5a25b70fcf6d063216fb5e670c2f8b6b71d
Instruction ID: 2407b2f907e1573e319983d405cd6f356b06d0ca4eb1bbaeabd565099fe46959
Opcode Fuzzy Hash: 38998d90e06731cd9c4b68c4c5f6b5a25b70fcf6d063216fb5e670c2f8b6b71d
Instruction Fuzzy Hash: 54812674E05228CFDB64DF25CC50BEDBBB6AB4A310F0096E9859A67394DB318E81CF40

Uniqueness

Uniqueness Score: -1.00%

Function 06DB189F, Relevance: 1.4, Strings: 1, Instructions: 177COMMON

Download Yara Rule

Strings

:@Dr, xrefs: 06DB1913

Memory Dump Source

Source File: 00000000.00000002.377039037.0000000006DB0000.00000040.00000001.sdmp, Offset: 06DB0000, based on PE: false

Similarity

API ID:
String ID: :@Dr
API String ID: 0-3830894600
Opcode ID: e5ace2315082ab24cbc5747c5fbf2067fdd608b133407b2390d580122cc41829
Instruction ID: b52c96f45783061aa6ba5c5d916ca56c8737570eb359b5d44dc8d5d2570c0fe5
Opcode Fuzzy Hash: e5ace2315082ab24cbc5747c5fbf2067fdd608b133407b2390d580122cc41829
Instruction Fuzzy Hash: 5E711574E05229CFDB64DF25CC50BEDBBB6AB59310F0096E9855A63394DB319E81CF40

Uniqueness

Uniqueness Score: -1.00%

Function 05022250, Relevance: 1.3, Strings: 1, Instructions: 91COMMON

Download Yara Rule

Strings

X1kr, xrefs: 0502234E

Memory Dump Source

Source File: 00000000.00000002.374229378.0000000005020000.00000040.00000001.sdmp, Offset: 05020000, based on PE: false

Similarity

API ID:
String ID: X1kr
API String ID: 0-844551562
Opcode ID: f74db6ca695e5bbd9da76f2224f2da1d76fa7732eb3a28b3baa98a49a8379a5a
Instruction ID: 36d82b40143a7d4176695ad4c919035588a330e977aa4a002269739de99d7112
Opcode Fuzzy Hash: f74db6ca695e5bbd9da76f2224f2da1d76fa7732eb3a28b3baa98a49a8379a5a
Instruction Fuzzy Hash: 6741A3B4E01218EFDB45DFA9E980AADBBF2BF88300F608169E905A7350DB359941CF50

Uniqueness

Uniqueness Score: -1.00%

Function 05022DA8, Relevance: .2, Instructions: 211COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.374229378.0000000005020000.00000040.00000001.sdmp, Offset: 05020000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a59cd1d964491591bfd57362e35f1957b9e47f5af34bdfd0eef345544a8ef2c
Instruction ID: 1a92dfd0fcafca46633fdc0e6af92fa240ad725995ae4fc72253d1a805c61787
Opcode Fuzzy Hash: 6a59cd1d964491591bfd57362e35f1957b9e47f5af34bdfd0eef345544a8ef2c
Instruction Fuzzy Hash: 7D715974E08229CBDB54DFE9D854BAEBBB6BF89300F20842AD905BB284DB305D45CF51

Uniqueness

Uniqueness Score: -1.00%

Function 06DB3F22, Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.377039037.0000000006DB0000.00000040.00000001.sdmp, Offset: 06DB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e86c0e40b47fde32970cd9a750159d874c72bb5393b4551fa2f7dbcca9201f3e
Instruction ID: 2d274e1cad411c09afe2c1f65bbaef091cea1b55e211362cb613c4803c35a7d2
Opcode Fuzzy Hash: e86c0e40b47fde32970cd9a750159d874c72bb5393b4551fa2f7dbcca9201f3e
Instruction Fuzzy Hash: 8D312774C4E218CEEBA0CB55D8847F8BAF8AB2A355F147196D49BA218EC7348594CB90

Uniqueness

Uniqueness Score: -1.00%

Function 06DB0DD0, Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.377039037.0000000006DB0000.00000040.00000001.sdmp, Offset: 06DB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ab544da4f77b284bf9c7e53dc0034ddc4d659d0bcf2d3ece3f1271adbb5c48c
Instruction ID: 3ec03302da9e4d0939a85dc5e7bc13bebd3f235eb3d01c7fb95e79ecd3db379d
Opcode Fuzzy Hash: 2ab544da4f77b284bf9c7e53dc0034ddc4d659d0bcf2d3ece3f1271adbb5c48c
Instruction Fuzzy Hash: 0431E570E09268CFDBA4DF25D8447EEB7B5AB49301F0065EAD44EA7254DB349AC4CF84

Uniqueness

Uniqueness Score: -1.00%

Function 05021CF8, Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.374229378.0000000005020000.00000040.00000001.sdmp, Offset: 05020000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bde9384b92968f8454098f9dedc11d69544ccfbc7df955a34bb7f1034930eb7
Instruction ID: 06e4f7bc7afe3176c13fd46d75d27c7f042f65d3b749f4402ab4803964a1bec3
Opcode Fuzzy Hash: 8bde9384b92968f8454098f9dedc11d69544ccfbc7df955a34bb7f1034930eb7
Instruction Fuzzy Hash: A821EEB4E042098BDB08DFA5E444ABEBFB6FF88300F619429D805A3250EA345A55CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 06D31C60, Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.376971676.0000000006D30000.00000040.00000001.sdmp, Offset: 06D30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11984417cfb08f7358f7440bdc3aba488ff394d24b1d44905c73a30b749fae90
Instruction ID: f459f845ea6f3a448c1c2daa99e7655cd0e7785203cc0d0d66f5f89bd1b22cfb
Opcode Fuzzy Hash: 11984417cfb08f7358f7440bdc3aba488ff394d24b1d44905c73a30b749fae90
Instruction Fuzzy Hash: B911B8B5608301AFD350CF19D880A5BFBE4FB88664F14896EF99897311D271EA148FA2

Uniqueness

Uniqueness Score: -1.00%

Function 02AC075C, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.369575548.0000000002AC0000.00000040.00000040.sdmp, Offset: 02AC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0aa41bc7f8bc4872265a9bd49c96fc1005f8bf85c401d351ab177bb86d53e3b3
Instruction ID: 53757e5315096570a44f419476b15b61f3f66cfc86f5b7da78669353a8bc8397
Opcode Fuzzy Hash: 0aa41bc7f8bc4872265a9bd49c96fc1005f8bf85c401d351ab177bb86d53e3b3
Instruction Fuzzy Hash: EF118435204744EFD719CB24C984B26BBA5AB89B08F34C5ADE9491B653CB7BD803CE51

Uniqueness

Uniqueness Score: -1.00%

Function 05020006, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.374229378.0000000005020000.00000040.00000001.sdmp, Offset: 05020000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a9ab36e2be7d01d628f9cc3ae7da25ec21af90f1831e2edc6d788895b28db0a
Instruction ID: 755dc87b28e45400fd86a51d566d7e98a8252d9bc0e3f7ac505860f1056a5e45
Opcode Fuzzy Hash: 1a9ab36e2be7d01d628f9cc3ae7da25ec21af90f1831e2edc6d788895b28db0a
Instruction Fuzzy Hash: BD11486084F3C59FE717AB74A8657297FB0AF43110F0A48DBC481DB1A3DA6C4C59DB26

Uniqueness

Uniqueness Score: -1.00%

Function 05021D08, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.374229378.0000000005020000.00000040.00000001.sdmp, Offset: 05020000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 764afc16403948a808fb23229ab2caafa034d25f8b9bd7498e346fdbe27d2862
Instruction ID: 07c670fa58745f1d47357db236b83f9180fd94ce57622e8c42b46cbcb6499f39
Opcode Fuzzy Hash: 764afc16403948a808fb23229ab2caafa034d25f8b9bd7498e346fdbe27d2862
Instruction Fuzzy Hash: BA21C2B4E042098FCB08EFA9D444AAEBFB6FF88300F509529D805B3354DB345A55CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 0292ADBC, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.369462752.0000000002922000.00000040.00000001.sdmp, Offset: 02922000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66ea576a6882324ff70bbad07368f279995366c7cdb88814dd3e58959cf91b86
Instruction ID: ded32ae9e1b7b306bc4c6891f8fa75555d366aff8294252779c2b2c39eebcb95
Opcode Fuzzy Hash: 66ea576a6882324ff70bbad07368f279995366c7cdb88814dd3e58959cf91b86
Instruction Fuzzy Hash: 3711ACB5608305AFD350CF59DC81E5BFBE8EB88660F14891EFD9997311D271E9048BA2

Uniqueness

Uniqueness Score: -1.00%

Function 06D31B04, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.376971676.0000000006D30000.00000040.00000001.sdmp, Offset: 06D30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd8f548a38d5ecfd21d1214b4d58d66a7c4f0b56637b1df821a111e429386c33
Instruction ID: af5364715e66b296e069e2c731ea4ddc2b0a95e4552e4d5cb1fd286575038191
Opcode Fuzzy Hash: bd8f548a38d5ecfd21d1214b4d58d66a7c4f0b56637b1df821a111e429386c33
Instruction Fuzzy Hash: 8D11ECB5608301AFD350CF09DC80E5BFBE8EB88660F14891EFD9897311D271E9048BA2

Uniqueness

Uniqueness Score: -1.00%

Function 02AC0732, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.369575548.0000000002AC0000.00000040.00000040.sdmp, Offset: 02AC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eff4820b157387f327d19f80be72a6903ace2ada8be2e2992584428e39a3c961
Instruction ID: c3083a67e5a8acbe452f164418c34d4e2335bd20bcad66cde0572ec96b02edfb
Opcode Fuzzy Hash: eff4820b157387f327d19f80be72a6903ace2ada8be2e2992584428e39a3c961
Instruction Fuzzy Hash: 70116A355093C0DFC716CB20C990B55BFB1AB46208F2885EED8895B6A3C33A9817DB42

Uniqueness

Uniqueness Score: -1.00%

Function 06DB60D2, Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.377039037.0000000006DB0000.00000040.00000001.sdmp, Offset: 06DB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c16aa1dec77cd5ac72374c91b115599441077c92e00b1c6c9ef2d5e6ce4f900
Instruction ID: fff053e59310f5d25d76f5d6f4fecdb37a6801ada68c1d20a57e5554a1d07ab1
Opcode Fuzzy Hash: 3c16aa1dec77cd5ac72374c91b115599441077c92e00b1c6c9ef2d5e6ce4f900
Instruction Fuzzy Hash: AF11FE70A49319CFDB50DF6898417E9777AAF4A210F2061D9845E673C5CB309E418F95

Uniqueness

Uniqueness Score: -1.00%

Function 02AC05CF, Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.369575548.0000000002AC0000.00000040.00000040.sdmp, Offset: 02AC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1cee964a7922e81d5f48508765948c8d48b2fc6014d6e66477b9e5feb26ea959
Instruction ID: 0c94d2b014d09307eb58dd23fce8eda13430e61be7bb4626bd763c62d212f648
Opcode Fuzzy Hash: 1cee964a7922e81d5f48508765948c8d48b2fc6014d6e66477b9e5feb26ea959
Instruction Fuzzy Hash: 7401DB765097806FD7128B16AC408A2FFF8DF86620708C0DFED898B612D125A509CB61

Uniqueness

Uniqueness Score: -1.00%

Function 02AC0724, Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.369575548.0000000002AC0000.00000040.00000040.sdmp, Offset: 02AC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb47dbf5dee8a2680fe8e51f5c536a656701fc6b0407fc1fed030798a88d1fc0
Instruction ID: fd78aa08c256ebf3ddde0028fa1414a0ae9ce699595a9d040bbb83f83d67e1d5
Opcode Fuzzy Hash: cb47dbf5dee8a2680fe8e51f5c536a656701fc6b0407fc1fed030798a88d1fc0
Instruction Fuzzy Hash: AD018035108684DFC706CB10C580B16BBA2EF4A318F28C6EDD8491B653C7379817DF41

Uniqueness

Uniqueness Score: -1.00%

Function 06DB2350, Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.377039037.0000000006DB0000.00000040.00000001.sdmp, Offset: 06DB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7a0218faae01d2d2411c3d05f5872d402ae1080fed15aee03fd06e5b7d14fff
Instruction ID: 4abd7ccf761154c6c13cdba85330c59a3646a90af6829bd0899dc491e961e2c6
Opcode Fuzzy Hash: c7a0218faae01d2d2411c3d05f5872d402ae1080fed15aee03fd06e5b7d14fff
Instruction Fuzzy Hash: C001E538E08258CFDB60DF24D8407E9B7B5AB4A310F1051E9C98AA3305C7308A858F42

Uniqueness

Uniqueness Score: -1.00%

Function 02AC0818, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.369575548.0000000002AC0000.00000040.00000040.sdmp, Offset: 02AC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 525cef522958239b2deb72ab7ac90410e2832b06fb356f1b7ca8807ee3c9392c
Instruction ID: ed1683e5c6ca644fbe62cbda4928666d80c06a8e7d4cac47236a51df35b78c64
Opcode Fuzzy Hash: 525cef522958239b2deb72ab7ac90410e2832b06fb356f1b7ca8807ee3c9392c
Instruction Fuzzy Hash: 33F0FB35108644DFC606CB40D980B15FBA2EB89718F24C6ADE9590B652C7379813DE81

Uniqueness

Uniqueness Score: -1.00%

Function 02AC05F6, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.369575548.0000000002AC0000.00000040.00000040.sdmp, Offset: 02AC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8aabd3d754089c81a73f095243f3a2513fdfaf878b540c6c3e3ea15a61efb7da
Instruction ID: a0f2a825fc9b9d80912b42c0b12108a3dd4a0e86cae99d2f72435ba9768e87b3
Opcode Fuzzy Hash: 8aabd3d754089c81a73f095243f3a2513fdfaf878b540c6c3e3ea15a61efb7da
Instruction Fuzzy Hash: 56E06D766006009B9650DF0AEC81456F798EB88630B18C06FDD0D8B700E135B508CEA5

Uniqueness

Uniqueness Score: -1.00%

Function 0292AE0B, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.369462752.0000000002922000.00000040.00000001.sdmp, Offset: 02922000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f652c7f83e8a2f821f69a4c16e2b570dd49d806b08986489251e38b4a79ed0f
Instruction ID: edb3b212f817467bcc2b1a345a8fcb8e09e6cab9c92c572c9a68d38dfbf654df
Opcode Fuzzy Hash: 7f652c7f83e8a2f821f69a4c16e2b570dd49d806b08986489251e38b4a79ed0f
Instruction Fuzzy Hash: A1E0D8B254020467D2109E0AEC81B57FB58DB84A30F14C55BEE081B701D171B5048AF5

Uniqueness

Uniqueness Score: -1.00%

Function 06D31B53, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.376971676.0000000006D30000.00000040.00000001.sdmp, Offset: 06D30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 885d8459827341f518ae28b7d7a4e0b89a7b5be2d96f4216fcf263fda2e0f693
Instruction ID: 75fa37720afaa7629dfa633723e91bca28f26c54b82bd9b91b4877ab99f9fcca
Opcode Fuzzy Hash: 885d8459827341f518ae28b7d7a4e0b89a7b5be2d96f4216fcf263fda2e0f693
Instruction Fuzzy Hash: 55E0D87250030467D2509E0AAC81B57FB98DB84A30F14C55BEE0C1B702D172B5148AF5

Uniqueness

Uniqueness Score: -1.00%

Function 06D31CCB, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.376971676.0000000006D30000.00000040.00000001.sdmp, Offset: 06D30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e842b6494a83d87e50f1e33b452f6bbc8a27b1d7ecbe1c726cfbf6b35ab46b4f
Instruction ID: 1d6b91892ac8df38d809b7a15f5e104ad9b6e8e477d270ce2b4f7f1b2c3368f1
Opcode Fuzzy Hash: e842b6494a83d87e50f1e33b452f6bbc8a27b1d7ecbe1c726cfbf6b35ab46b4f
Instruction Fuzzy Hash: 3FE0D8B254030067D2109E0AAC81B57FB98DB84A30F14C56BEE081B741D171B5148AE5

Uniqueness

Uniqueness Score: -1.00%

Function 06D31577, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.376971676.0000000006D30000.00000040.00000001.sdmp, Offset: 06D30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1925235f8a9dc89846dd579a3f608ee733a148983100d5d0eb132c5c7ec3aa05
Instruction ID: dea3c2f7e0165e0c31c50a3caabd445b55a4f12b2078a90953a8dcb67798443c
Opcode Fuzzy Hash: 1925235f8a9dc89846dd579a3f608ee733a148983100d5d0eb132c5c7ec3aa05
Instruction Fuzzy Hash: 79E0D87250020067D2109E0AAC81B57FB98DB84A30F14C56BEE081B701D176B514CAE5

Uniqueness

Uniqueness Score: -1.00%

Function 06DB2DF3, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.377039037.0000000006DB0000.00000040.00000001.sdmp, Offset: 06DB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df8414dd0d99b6e895cbacceafbf70fc50ef5b935e201733cab6328b90e3d044
Instruction ID: ef42b75313c9c3187d0891fc84c745b0aa2e36f345788edd5ea9223bad2c04df
Opcode Fuzzy Hash: df8414dd0d99b6e895cbacceafbf70fc50ef5b935e201733cab6328b90e3d044
Instruction Fuzzy Hash: 0BE03971C85204DBD7109FA0E8067F8B774EB05302F1014A8C80277250D7755D64CA60

Uniqueness

Uniqueness Score: -1.00%

Function 050200B8, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.374229378.0000000005020000.00000040.00000001.sdmp, Offset: 05020000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 587fe12fc0a7e9682278e2b0842cc4bff883e4b16ef35c6f51784202d6de4796
Instruction ID: bd043f91a29e81dca98feafe822174588bde2007693844fe44e1386b1d1911e5
Opcode Fuzzy Hash: 587fe12fc0a7e9682278e2b0842cc4bff883e4b16ef35c6f51784202d6de4796
Instruction Fuzzy Hash: 91E09270D892489FCB19CBB58991BFEBBB1DF82300F1541EAC404B7292DA714E09DF55

Uniqueness

Uniqueness Score: -1.00%

Function 05020070, Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.374229378.0000000005020000.00000040.00000001.sdmp, Offset: 05020000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2023a417a0bc4e68ac2f8f76c75b5f4b9478cc6cffd94b620ddec12d83e66c40
Instruction ID: c3e1d40980bd7a39bb281600021aebc320eb29a7fbb1dae45da0b89e7b7f373c
Opcode Fuzzy Hash: 2023a417a0bc4e68ac2f8f76c75b5f4b9478cc6cffd94b620ddec12d83e66c40
Instruction Fuzzy Hash: 7EE08C70987208A7CB58FBB4951673FB3A8DF83210F011CAC850223240DE315E28AA69

Uniqueness

Uniqueness Score: -1.00%

Function 06DB48A3, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.377039037.0000000006DB0000.00000040.00000001.sdmp, Offset: 06DB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69c932f52ab0417585cd8c5d99515c1bf243c15ab397571a43e2e8382f3843f4
Instruction ID: ff97e3f3fb0c49ea897668b11dfb5a41a308440bd85f0816ad136e0867f5392d
Opcode Fuzzy Hash: 69c932f52ab0417585cd8c5d99515c1bf243c15ab397571a43e2e8382f3843f4
Instruction Fuzzy Hash: C5F06575D48228DEEB50CF60CC44BECBBB95B09300F5050D6911DB6185D6705AC4CF50

Uniqueness

Uniqueness Score: -1.00%

Function 05029532, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.374229378.0000000005020000.00000040.00000001.sdmp, Offset: 05020000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0fdf5276c43185fca2f09035a35236870654ebc45b7158558b82c6cf9c92885
Instruction ID: 2452290525517832c63fca521dfe2ae7ff5c34657b0c2b6f3923c269e74e0317
Opcode Fuzzy Hash: e0fdf5276c43185fca2f09035a35236870654ebc45b7158558b82c6cf9c92885
Instruction Fuzzy Hash: 41F09274946269CFCB60DF64E9497ACBBB1BB48314F118AEAC80AB7255CB701A85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 05022629, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.374229378.0000000005020000.00000040.00000001.sdmp, Offset: 05020000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3b81aa4fbb6d6489626d4b84e4d34077df017e867edd253a5aca4d495f47753
Instruction ID: 1ee0d478bb62fbd34ba3230f58016381945229efb02c6ddf13be2efeb77e4be5
Opcode Fuzzy Hash: e3b81aa4fbb6d6489626d4b84e4d34077df017e867edd253a5aca4d495f47753
Instruction Fuzzy Hash: 4DE01A76D49208EFCB10DFA5E5497ACB7B8EB48304F1184B9D805A3740D7316A69EF80

Uniqueness

Uniqueness Score: -1.00%

Function 06DB2E00, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.377039037.0000000006DB0000.00000040.00000001.sdmp, Offset: 06DB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bf7649ccc82526fa15b9208b01fcec186312323e04d3880f398c1180d459e22
Instruction ID: 86b33131abc88adbebe6e626b588bdb72e5476c59dabf5d8dc7c73a016979405
Opcode Fuzzy Hash: 4bf7649ccc82526fa15b9208b01fcec186312323e04d3880f398c1180d459e22
Instruction Fuzzy Hash: 62E04F30D45208DFD710EFB0E546AFDBB34EB06702F1015A8CC0677254DB716E64CAA4

Uniqueness

Uniqueness Score: -1.00%

Function 05022E68, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.374229378.0000000005020000.00000040.00000001.sdmp, Offset: 05020000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f88720421649f4bd8f1fab29e3de230c4729b20755d89b78f90e68a6b7d617e
Instruction ID: 8cced70e7d0793f804a17008660a362f33f58386964d1496916265bdbdcc568c
Opcode Fuzzy Hash: 2f88720421649f4bd8f1fab29e3de230c4729b20755d89b78f90e68a6b7d617e
Instruction Fuzzy Hash: 51E0D634C8A309DFCB40EFE0E8003BC7BBCFB05200F1044A9C805A2600E7745994EF91

Uniqueness

Uniqueness Score: -1.00%

Function 050200C8, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.374229378.0000000005020000.00000040.00000001.sdmp, Offset: 05020000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f312364fa45a0afe80c990f096438cb2ee704ff304dc42e8c73db8d432f11b50
Instruction ID: 4d48b97fcbe9f94295a4d309cce5cd7061c13adb1a357c917560f677520fb75b
Opcode Fuzzy Hash: f312364fa45a0afe80c990f096438cb2ee704ff304dc42e8c73db8d432f11b50
Instruction Fuzzy Hash: ABE08C30D41208DBCB08DFA5C540BADB3B5EF86300F5151A9840873210EA305E14DE95

Uniqueness

Uniqueness Score: -1.00%

Function 029123F4, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.369446416.0000000002912000.00000040.00000001.sdmp, Offset: 02912000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 321ee9724353e43977d449e98feb0e2f43bb0ca6f4ab81d8ce0e741146287c30
Instruction ID: 57203a346be5daf404b35f9b0a5ac9e431acc5336de2d4aaff92d77a3c06897b
Opcode Fuzzy Hash: 321ee9724353e43977d449e98feb0e2f43bb0ca6f4ab81d8ce0e741146287c30
Instruction Fuzzy Hash: 71D05E79619A918FD3269B1CC1A9B953BD8AB51B08F4644FDEC008B6A3C368E981D200

Uniqueness

Uniqueness Score: -1.00%

Function 029123BC, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.369446416.0000000002912000.00000040.00000001.sdmp, Offset: 02912000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 431bb8ef88e765e947d55b75ebaa80d3966756317ea2896700b1260bdd27a52c
Instruction ID: ce9dd8afcc8d5ef58b8449c01e268d0d22d520372725c7ba25aaa688f6d5ed1f
Opcode Fuzzy Hash: 431bb8ef88e765e947d55b75ebaa80d3966756317ea2896700b1260bdd27a52c
Instruction Fuzzy Hash: C8D05E346002858FC715EB0DC694F5937D8AB41B04F0644E8AC008B662C3A4D882D600

Uniqueness

Uniqueness Score: -1.00%

Function 05025A20, Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.374229378.0000000005020000.00000040.00000001.sdmp, Offset: 05020000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ecefd554bf7f481858b9d6c8c50ccec59c5ef515306fc7264c1633a593bcd046
Instruction ID: e5c859053c11b5afa6ba06fc8fe455fac58253260fbbff7d1e3727bed39483ea
Opcode Fuzzy Hash: ecefd554bf7f481858b9d6c8c50ccec59c5ef515306fc7264c1633a593bcd046
Instruction Fuzzy Hash: AEE00274945269DFCB60DF15E88869CB7B1BB08340F1085D69909A7344D3705E85CF19

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 050230D1, Relevance: 5.1, Strings: 4, Instructions: 140COMMON

Download Yara Rule

Strings

f]Ir, xrefs: 05023130
>_Ir, xrefs: 05023219
:@Dr, xrefs: 050231FC
`5kr, xrefs: 050232D5

Memory Dump Source

Source File: 00000000.00000002.374229378.0000000005020000.00000040.00000001.sdmp, Offset: 05020000, based on PE: false

Similarity

API ID:
String ID: :@Dr$>_Ir$`5kr$f]Ir
API String ID: 0-3492759196
Opcode ID: 117125f5afc62b7914bae21b2089cc38bf05ede29e24aae4f388287d3cc7f26c
Instruction ID: 63574b1659f79822cec977a57ae103d17d07ccc72d61fe9ed6f29b009f68311f
Opcode Fuzzy Hash: 117125f5afc62b7914bae21b2089cc38bf05ede29e24aae4f388287d3cc7f26c
Instruction Fuzzy Hash: 77516970E04218CBDB54EF6BE84079DBFF6FFC4304F158A29C904AB658DBB1181A8B51

Uniqueness

Uniqueness Score: -1.00%

Function 050230E0, Relevance: 5.1, Strings: 4, Instructions: 136COMMON

Download Yara Rule

Strings

f]Ir, xrefs: 05023130
>_Ir, xrefs: 05023219
:@Dr, xrefs: 050231FC
`5kr, xrefs: 050232D5

Memory Dump Source

Source File: 00000000.00000002.374229378.0000000005020000.00000040.00000001.sdmp, Offset: 05020000, based on PE: false

Similarity

API ID:
String ID: :@Dr$>_Ir$`5kr$f]Ir
API String ID: 0-3492759196
Opcode ID: bb45e44c98e8b95597599dddbceb2c691e8a340cbd0fc4235ad584e27b816409
Instruction ID: 7c994ac3b0a83ea2c4ff1ce08283114bc762efccfc6acfc746344cd6d2b104cf
Opcode Fuzzy Hash: bb45e44c98e8b95597599dddbceb2c691e8a340cbd0fc4235ad584e27b816409
Instruction Fuzzy Hash: CC514670E04218CBDB54EF6BE94079EBFF6FFC4304F158A29C904AB658DBB0191A8B51

Uniqueness

Uniqueness Score: -1.00%

Function 05024DDF, Relevance: 1.4, Strings: 1, Instructions: 173COMMON

Download Yara Rule

Strings

9, xrefs: 05025106

Memory Dump Source

Source File: 00000000.00000002.374229378.0000000005020000.00000040.00000001.sdmp, Offset: 05020000, based on PE: false

Similarity

API ID:
String ID: 9
API String ID: 0-2366072709
Opcode ID: d570fa8839ace0b169ae8d0d9aad40263b9ec2389d59c1c8ee9208173aa49be4
Instruction ID: c1867a9874ec60c771ac09d99b39b640c9716ef5bbacf478f5c79d094a4a29d7
Opcode Fuzzy Hash: d570fa8839ace0b169ae8d0d9aad40263b9ec2389d59c1c8ee9208173aa49be4
Instruction Fuzzy Hash: 13918FB0E006288BDBA4DF29DD9178CBBF1AF4A300F1181E9D24CA6255EB315ED5CF16

Uniqueness

Uniqueness Score: -1.00%

Function 007A77E7, Relevance: 1.0, Instructions: 951COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.368991183.00000000007A2000.00000002.00020000.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000000.00000002.368982960.00000000007A0000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1d497de5647b56d393e6e8f671278b9f4b7bf3c1c75770274d2ff7aa0ab6260
Instruction ID: 1f69fa168357606b9b4dd86b06bca1115344e933dcae3d0f6d20748ae9ea1094
Opcode Fuzzy Hash: f1d497de5647b56d393e6e8f671278b9f4b7bf3c1c75770274d2ff7aa0ab6260
Instruction Fuzzy Hash: 5482D76144E3D19FC7878B348CB5592BFB0AE1322431E82DFD4C0CE4A7E61E595ADB62

Uniqueness

Uniqueness Score: -1.00%

Function 0502331B, Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.374229378.0000000005020000.00000040.00000001.sdmp, Offset: 05020000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72c773684318e6b39fc87662c222918dae212b44f050f91aaa11e265d80d9c93
Instruction ID: 0f78bc85dc110a61e9f353a2eca1e9f8cf248fd945eb6f1e6194959091a9a36a
Opcode Fuzzy Hash: 72c773684318e6b39fc87662c222918dae212b44f050f91aaa11e265d80d9c93
Instruction Fuzzy Hash: 284151B1E056188BEB6CCF6B9C4079EFAF7AFC9200F14C1BAC50CA6215DB3049868F55

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: RegSvcs.exe PID: 2264 Parent PID: 7012 RegSvcs.exeCOMMON

Executed Functions

Function 0290B738, Relevance: 2.2, Strings: 1, Instructions: 910COMMON

Download Yara Rule

Strings

r, xrefs: 0290C1EC

Memory Dump Source

Source File: 00000007.00000002.596310699.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID:
String ID: r
API String ID: 0-1812594589
Opcode ID: 6977b0c3ee874d7af1169bfead3f516fe1f15b2f27f72b3a717dd22890ba4439
Instruction ID: 753aa13639767eb2d929e41ef05dde1d74b4d55d21f8f98f33b2f03e8c04514d
Opcode Fuzzy Hash: 6977b0c3ee874d7af1169bfead3f516fe1f15b2f27f72b3a717dd22890ba4439
Instruction Fuzzy Hash: ED823971A0060ACFCB14CF58C594AAEFBF2FF88314F158669D51AAB691D734E941CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02903850, Relevance: 2.0, Strings: 1, Instructions: 755COMMON

Download Yara Rule

Strings

>_Ir, xrefs: 02903F9D

Memory Dump Source

Source File: 00000007.00000002.596310699.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID:
String ID: >_Ir
API String ID: 0-3386957151
Opcode ID: d50a8f9c588eff5c4f1e7bc732319688d4d43e0cb320e327928f56a0df87dcff
Instruction ID: 55be98c7a77fbf4a59ff16420563b5190703e483a4697c44f97b8840f3cbdc07
Opcode Fuzzy Hash: d50a8f9c588eff5c4f1e7bc732319688d4d43e0cb320e327928f56a0df87dcff
Instruction Fuzzy Hash: B452D471A04219CFCB04CF68C8C4AAEBBB6FF85300B15C5EAD9159B292C771ED41CB94

Uniqueness

Uniqueness Score: -1.00%

Function 04FB2AF6, Relevance: 1.6, APIs: 1, Instructions: 79networkCOMMON

Download Yara Rule

APIs

bind.WS2_32(?,00000E2C,30277B8A,00000000,00000000,00000000,00000000), ref: 04FB2B87

Memory Dump Source

Source File: 00000007.00000002.600439530.0000000004FB0000.00000040.00000001.sdmp, Offset: 04FB0000, based on PE: false

Similarity

API ID: bind
String ID:
API String ID: 1187836755-0
Opcode ID: c441e5193618af708e8e97f71bb7436b3db57e3666189f6468dbc564d8660f1b
Instruction ID: 62e1bb0a13a584f61939edc4775a00a2e0219a84ed8ddfabd46b10227434066a
Opcode Fuzzy Hash: c441e5193618af708e8e97f71bb7436b3db57e3666189f6468dbc564d8660f1b
Instruction Fuzzy Hash: 3B218171509384AFE712CF65DC45F96BFA8EF46310F0884DBEA84DB252D264A509CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 04FB13BF, Relevance: 1.6, APIs: 1, Instructions: 75COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 04FB143F

Memory Dump Source

Source File: 00000007.00000002.600439530.0000000004FB0000.00000040.00000001.sdmp, Offset: 04FB0000, based on PE: false

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: 32166186593bd7dc18bbc9f89ee69338be4543bcf1a58dde02a535969dadedb1
Instruction ID: 6d9b86e21e6fc2b80df9fe0ca39ac0364eaa7853ab3287cdcc464ad54ce3c3e3
Opcode Fuzzy Hash: 32166186593bd7dc18bbc9f89ee69338be4543bcf1a58dde02a535969dadedb1
Instruction Fuzzy Hash: DB21D175509784AFDB128F25DC50B92BFF4EF07310F0885DAE9858F163D271A908CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 04FB17FB, Relevance: 1.6, APIs: 1, Instructions: 64nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL ref: 04FB1871

Memory Dump Source

Source File: 00000007.00000002.600439530.0000000004FB0000.00000040.00000001.sdmp, Offset: 04FB0000, based on PE: false

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: 02c56b6c0fd8e29e8923b8cc36340102d7dae800fb4b0d1f562aac8c1b772c71
Instruction ID: d19ac8b9007316594b2b59083ef08d0ac4de184c859b8b1fd6dc5784668762de
Opcode Fuzzy Hash: 02c56b6c0fd8e29e8923b8cc36340102d7dae800fb4b0d1f562aac8c1b772c71
Instruction Fuzzy Hash: 0C219D764097C0AFDB238B21DC51A52FFB0EF17354F0980DBE9C48B1A3D265A519DBA2

Uniqueness

Uniqueness Score: -1.00%

Function 04FB2B26, Relevance: 1.6, APIs: 1, Instructions: 62networkCOMMON

Download Yara Rule

APIs

bind.WS2_32(?,00000E2C,30277B8A,00000000,00000000,00000000,00000000), ref: 04FB2B87

Memory Dump Source

Source File: 00000007.00000002.600439530.0000000004FB0000.00000040.00000001.sdmp, Offset: 04FB0000, based on PE: false

Similarity

API ID: bind
String ID:
API String ID: 1187836755-0
Opcode ID: 4e9f64db1e9afcc95638e1c93fac9ec4f15b5bd51e62cff39b27ce0c3049adce
Instruction ID: d06ebacf82c2cfb8d8e5fdb27fe1a3c774af4858f74cf90582bbd4b9cfeed185
Opcode Fuzzy Hash: 4e9f64db1e9afcc95638e1c93fac9ec4f15b5bd51e62cff39b27ce0c3049adce
Instruction Fuzzy Hash: 8311B272500204AEE710CF55DC85F97FBA8EF05720F14C4A7EE499B241DA74A405CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 04FB1541, Relevance: 1.6, APIs: 1, Instructions: 57nativeCOMMON

Download Yara Rule

APIs

NtSetInformationProcess.NTDLL(?,?,?,?), ref: 04FB15AD

Memory Dump Source

Source File: 00000007.00000002.600439530.0000000004FB0000.00000040.00000001.sdmp, Offset: 04FB0000, based on PE: false

Similarity

API ID: InformationProcess
String ID:
API String ID: 1801817001-0
Opcode ID: 75b255cc2c1c76484afb1cc4e34e007b2683754dd7a3621565d658176316ab7e
Instruction ID: c9ef88e389e3e39bd5ede49a74e12c257e96fac06d127d6cc70020ffc158849d
Opcode Fuzzy Hash: 75b255cc2c1c76484afb1cc4e34e007b2683754dd7a3621565d658176316ab7e
Instruction Fuzzy Hash: 1211BE72409384AFDB228F25DC41E92FFB4EF07324F09C0DAE9854B163D275A918CB62

Uniqueness

Uniqueness Score: -1.00%

Function 04FB13F6, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 04FB143F

Memory Dump Source

Source File: 00000007.00000002.600439530.0000000004FB0000.00000040.00000001.sdmp, Offset: 04FB0000, based on PE: false

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: 7f58e90389b6f19272d82604b9198b0ac9585c6c253c8ad131b00955df94c8ae
Instruction ID: d2914a3c0ee1d73013551543c352a13d7be330ba7fd903aa205ef40d7db3b01a
Opcode Fuzzy Hash: 7f58e90389b6f19272d82604b9198b0ac9585c6c253c8ad131b00955df94c8ae
Instruction Fuzzy Hash: DC119E31900604DFDB20CF56D944B96FBE4EF06320F08C4AAED858B612E371E419DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 04FB161A, Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNELBASE(?), ref: 04FB164C

Memory Dump Source

Source File: 00000007.00000002.600439530.0000000004FB0000.00000040.00000001.sdmp, Offset: 04FB0000, based on PE: false

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: 6b953353f7b82b44600e84239e5cfc7514d0b95db0ae4562fc76cd28e573a0be
Instruction ID: 0d757fa1bd959d0d0c5a83d225017583759c2d9c992da89745b7e877a13c7720
Opcode Fuzzy Hash: 6b953353f7b82b44600e84239e5cfc7514d0b95db0ae4562fc76cd28e573a0be
Instruction Fuzzy Hash: 5701AD759002409FDB10CF1AD9857A6FFA4EF05360F18C0ABDD498F202E2B5A808CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 04FB1572, Relevance: 1.5, APIs: 1, Instructions: 38nativeCOMMON

Download Yara Rule

APIs

NtSetInformationProcess.NTDLL(?,?,?,?), ref: 04FB15AD

Memory Dump Source

Source File: 00000007.00000002.600439530.0000000004FB0000.00000040.00000001.sdmp, Offset: 04FB0000, based on PE: false

Similarity

API ID: InformationProcess
String ID:
API String ID: 1801817001-0
Opcode ID: 38a3b209e7421647abee5cc05b2bf7143a80da99c0ac18ccd9bd79cf60228aed
Instruction ID: 9f75492fca23baeaa89235a77ed9a59cd40aa345abcb5db93767cf42f230258b
Opcode Fuzzy Hash: 38a3b209e7421647abee5cc05b2bf7143a80da99c0ac18ccd9bd79cf60228aed
Instruction Fuzzy Hash: F701A235900604DFDB208F16D944B66FFA4FF05720F18C19ADE8A0B212D376A419DFB2

Uniqueness

Uniqueness Score: -1.00%

Function 04FB1836, Relevance: 1.5, APIs: 1, Instructions: 38nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL ref: 04FB1871

Memory Dump Source

Source File: 00000007.00000002.600439530.0000000004FB0000.00000040.00000001.sdmp, Offset: 04FB0000, based on PE: false

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: 38a3b209e7421647abee5cc05b2bf7143a80da99c0ac18ccd9bd79cf60228aed
Instruction ID: 646878b5cd093444fabfb275cd0ea90d312ae87851ab615e2fb6a47124041bbb
Opcode Fuzzy Hash: 38a3b209e7421647abee5cc05b2bf7143a80da99c0ac18ccd9bd79cf60228aed
Instruction Fuzzy Hash: DC018F36900600DFDB208F56D944B62FFA0FF05761F18C59ADE894B212D275E419DFA2

Uniqueness

Uniqueness Score: -1.00%

Function 02908E68, Relevance: .5, Instructions: 505COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.596310699.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dcf6d2edc9cd8b770d2193ac066bcb7c5503369ab5c6fbc781bb6a84f71c2770
Instruction ID: 564ea04eeb6d0741fe46c50147b0e57890ef590f2b37de0bca8738ed5d047824
Opcode Fuzzy Hash: dcf6d2edc9cd8b770d2193ac066bcb7c5503369ab5c6fbc781bb6a84f71c2770
Instruction Fuzzy Hash: 9312C031E10219CFDB24DF79C4846ADBBF6BB88704F648969E4169B395CB78D842CF90

Uniqueness

Uniqueness Score: -1.00%

Function 029023A0, Relevance: .5, Instructions: 505COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.596310699.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4575be343c09d0a43520ef66349010e9a01c40437992d0d178c8cf72983330a5
Instruction ID: 1f2e909d925f2b702f3b191bfbdccab5c26c1ceadbfc6be1f26c6b47478ed864
Opcode Fuzzy Hash: 4575be343c09d0a43520ef66349010e9a01c40437992d0d178c8cf72983330a5
Instruction Fuzzy Hash: A712BB31E00219CFDB24DF69D8C87ADBBF6BF88304F24856AD8169B395DB749845CB50

Uniqueness

Uniqueness Score: -1.00%

Function 02909A68, Relevance: .2, Instructions: 239COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.596310699.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 493147675442bdec7b7365ae1d04e9c8987349ed1a78c48e0de187632e46cdd8
Instruction ID: eca71ede1d6015c4968cf5603183a22402b18b04678f2c8ec1205ec7b4f37e64
Opcode Fuzzy Hash: 493147675442bdec7b7365ae1d04e9c8987349ed1a78c48e0de187632e46cdd8
Instruction Fuzzy Hash: D0816E71F011199FD718DB69D880A6EBBF7AFC4710B2A8569E416DB396DE30DC01CB90

Uniqueness

Uniqueness Score: -1.00%

Function 02902FA8, Relevance: .2, Instructions: 239COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.596310699.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce23f08715d55bc27f737b558d036f4b43dfc65b1bdce1659aada93b7e5c413b
Instruction ID: cc1156b3f39eb40d02933e683bfebaa5b5d48456638cd554d992e44ff91f4bdb
Opcode Fuzzy Hash: ce23f08715d55bc27f737b558d036f4b43dfc65b1bdce1659aada93b7e5c413b
Instruction Fuzzy Hash: 74817B32F011199FD718DB69D884A6EBBF3AFC8310F2A85B5E415AB395DE319C01CB94

Uniqueness

Uniqueness Score: -1.00%

Function 02909B2F, Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.596310699.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c779a25559df2b9e71e80a197c5213304430fceebe7e3140924b897806f809b
Instruction ID: c5691cf2399517e4ff6fa62106b81944dac05e0d2e0faa8088354bc4b1f643d7
Opcode Fuzzy Hash: 4c779a25559df2b9e71e80a197c5213304430fceebe7e3140924b897806f809b
Instruction Fuzzy Hash: DD516E72F014159FD718DB6DC980A5EBBE3AFC4710F2A8165E419DB3A9DE30DD019B84

Uniqueness

Uniqueness Score: -1.00%

Function 02908917, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.596310699.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a9b5ac2fb49803fbf6b91c8c1cd9891084f49cf4a40f69fba361fbce72209df
Instruction ID: 668001c90a2ae7b1ec3205f62b7767940177e5b24db0ab9a5c3fde03cc1a7c1d
Opcode Fuzzy Hash: 5a9b5ac2fb49803fbf6b91c8c1cd9891084f49cf4a40f69fba361fbce72209df
Instruction Fuzzy Hash: 78018C35D05204DFC700EFB4E46876D7BB1FB4A301F205496C46663390DB389945CF51

Uniqueness

Uniqueness Score: -1.00%

Function 029009A0, Relevance: 5.1, Strings: 4, Instructions: 137COMMON

Download Yara Rule

Strings

X1kr, xrefs: 02900A50
X1kr, xrefs: 02900A5A
X1kr, xrefs: 02900A98
X1kr, xrefs: 02900AA2

Memory Dump Source

Source File: 00000007.00000002.596310699.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID:
String ID: X1kr$X1kr$X1kr$X1kr
API String ID: 0-2451847431
Opcode ID: a0855990594e126b311d6a2853a0954cd7eb78786b7fd7b5dd45293f432de3e0
Instruction ID: ac55019c4e2b359d773928d4ad2b70b5ae438a68dc603b5f28d60edd34319e87
Opcode Fuzzy Hash: a0855990594e126b311d6a2853a0954cd7eb78786b7fd7b5dd45293f432de3e0
Instruction Fuzzy Hash: 02419631B00205DFCF049BA8D894BAEB7F5FF85310F258569E5169B2A0DB71AD12CB90

Uniqueness

Uniqueness Score: -1.00%

Function 04FB01F4, Relevance: 3.1, APIs: 2, Instructions: 124COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 04FB0264

Memory Dump Source

Source File: 00000007.00000002.600439530.0000000004FB0000.00000040.00000001.sdmp, Offset: 04FB0000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 906345b958d12b176664b49dc9a6b764e6668f9b7594db00d215dfacb93dc47f
Instruction ID: 482a3deed959523c413d5cd805e266cd736c15e6fc3b3790848212dccefa6a48
Opcode Fuzzy Hash: 906345b958d12b176664b49dc9a6b764e6668f9b7594db00d215dfacb93dc47f
Instruction Fuzzy Hash: 0041E775404744AFEB218F15DC85F96FFA8EF06320F08C49AED859B252D375A909CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 02909D7B, Relevance: 2.7, Strings: 2, Instructions: 180COMMON

Download Yara Rule

Strings

, xrefs: 02909EBB
>_Ir, xrefs: 02909DEF

Memory Dump Source

Source File: 00000007.00000002.596310699.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID:
String ID: $>_Ir
API String ID: 0-1787506450
Opcode ID: 73b68f8791bdeb758fcba14ad08adf155c1fe55e3abed0de8ceb9338ed0867e7
Instruction ID: 9e91b551ea0891ce42c2edf4b5ee5bea1e0cd5f9a2c28c223e483c28bf77c685
Opcode Fuzzy Hash: 73b68f8791bdeb758fcba14ad08adf155c1fe55e3abed0de8ceb9338ed0867e7
Instruction Fuzzy Hash: B651D171F04108CFDB14DB68D9D06BEBBB2EBC5614B29887AD11ADB686DF359C02CB41

Uniqueness

Uniqueness Score: -1.00%

Function 029002E8, Relevance: 2.7, Strings: 2, Instructions: 175COMMON

Download Yara Rule

Strings

:@Dr, xrefs: 02900537
`5kr, xrefs: 029003A5

Memory Dump Source

Source File: 00000007.00000002.596310699.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID:
String ID: :@Dr$`5kr
API String ID: 0-2548079215
Opcode ID: 671621681416443e0c05d27fe3f9b65510933fef009423fa03f6065603b11260
Instruction ID: e69f220ba7df36ec508e979d17cd8029cd712e4ec36c8a4073286f040aaa38ea
Opcode Fuzzy Hash: 671621681416443e0c05d27fe3f9b65510933fef009423fa03f6065603b11260
Instruction Fuzzy Hash: 0A517F34A05205CFDB09DF68C590BAD7BF2EF89710F1484ADD50AAB3A1EB75AC41CB52

Uniqueness

Uniqueness Score: -1.00%

Function 029043C0, Relevance: 2.6, Strings: 2, Instructions: 107COMMON

Download Yara Rule

Strings

X1kr, xrefs: 029043AC
X1kr, xrefs: 029043A2

Memory Dump Source

Source File: 00000007.00000002.596310699.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID:
String ID: X1kr$X1kr
API String ID: 0-2397868964
Opcode ID: b1b13319898497706e919d3b6e0e1d202d86680126a76c506ad715d097e8941d
Instruction ID: 2daa46018b36d7841fac763699581ab4f9d437c7f2910a5db610239060d8d3ad
Opcode Fuzzy Hash: b1b13319898497706e919d3b6e0e1d202d86680126a76c506ad715d097e8941d
Instruction Fuzzy Hash: DE41C532600115CFCB00EF68EC849AE7BF6FF8431471485A9E5069B3B6DB31A915DF50

Uniqueness

Uniqueness Score: -1.00%

Function 029012A0, Relevance: 1.7, Strings: 1, Instructions: 460COMMON

Download Yara Rule

Strings

$ghr, xrefs: 02901349

Memory Dump Source

Source File: 00000007.00000002.596310699.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID:
String ID: $ghr
API String ID: 0-1352911727
Opcode ID: 5a42f47eab3ae6243f2f4edf56cf983d09c28513f7d09a8c52a49c3eb5991c36
Instruction ID: 8bb5b65dc0cd38482b54a4928462cd78d787d71ea37d6c7809bba4f59cb892f8
Opcode Fuzzy Hash: 5a42f47eab3ae6243f2f4edf56cf983d09c28513f7d09a8c52a49c3eb5991c36
Instruction Fuzzy Hash: 6422F635A00609CFCB24DF28C590A6ABBF6FF88300F5089A9D85A9B756DB34ED45CF51

Uniqueness

Uniqueness Score: -1.00%

Function 04FB2335, Relevance: 1.6, APIs: 1, Instructions: 135COMMON

Download Yara Rule

APIs

OpenFileMappingW.KERNELBASE(?,?), ref: 04FB2445

Memory Dump Source

Source File: 00000007.00000002.600439530.0000000004FB0000.00000040.00000001.sdmp, Offset: 04FB0000, based on PE: false

Similarity

API ID: FileMappingOpen
String ID:
API String ID: 1680863896-0
Opcode ID: ed718f3075359265214906188d42e04b13dee271c9c8af0f1a693d3a92a40abd
Instruction ID: 292b373c7aa6193c776adc50e11e175c2a2032a728a8fcdc1cc8152bf3e1ac31
Opcode Fuzzy Hash: ed718f3075359265214906188d42e04b13dee271c9c8af0f1a693d3a92a40abd
Instruction Fuzzy Hash: A441C371509380AFE7128B25DC45F92FFB8EF07620F1884DBE9849F293D265A509CB62

Uniqueness

Uniqueness Score: -1.00%

Function 04FB2908, Relevance: 1.6, APIs: 1, Instructions: 111COMMON

Download Yara Rule

APIs

getaddrinfo.WS2_32(?,00000E2C), ref: 04FB29EB

Memory Dump Source

Source File: 00000007.00000002.600439530.0000000004FB0000.00000040.00000001.sdmp, Offset: 04FB0000, based on PE: false

Similarity

API ID: getaddrinfo
String ID:
API String ID: 300660673-0
Opcode ID: 77c960b3d75fee9a8f226d39cb986da669f25bf51bd2ad7f667d5fab823bf962
Instruction ID: f58d3d0f57f63d9eebbb468627639294677e76a0a2ea0f74e281758aba2e4add
Opcode Fuzzy Hash: 77c960b3d75fee9a8f226d39cb986da669f25bf51bd2ad7f667d5fab823bf962
Instruction Fuzzy Hash: 5231F5B2404340AFE7228F21DC45FA6FFACEF46720F0489DAE9849F182D375A509CB61

Uniqueness

Uniqueness Score: -1.00%

Function 04FB1E9B, Relevance: 1.6, APIs: 1, Instructions: 103networkCOMMON

Download Yara Rule

APIs

WSASocketW.WS2_32 ref: 04FB1F56

Memory Dump Source

Source File: 00000007.00000002.600439530.0000000004FB0000.00000040.00000001.sdmp, Offset: 04FB0000, based on PE: false

Similarity

API ID: Socket
String ID:
API String ID: 38366605-0
Opcode ID: d26c270982c427ca40b8b6c3e83bda470689b53eb14563a2154da57633c0c124
Instruction ID: 93228dc00099789b5bb6a2f7653c741ccb7650c0cf872a75e03aabf2b0dd0407
Opcode Fuzzy Hash: d26c270982c427ca40b8b6c3e83bda470689b53eb14563a2154da57633c0c124
Instruction Fuzzy Hash: DE317C7150D7C0AFE7238B61DC54B96BFB4EF07210F0984DAE9C48F1A3C265A409CB62

Uniqueness

Uniqueness Score: -1.00%

Function 04FB1AAC, Relevance: 1.6, APIs: 1, Instructions: 101registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,?,?), ref: 04FB1B7E

Memory Dump Source

Source File: 00000007.00000002.600439530.0000000004FB0000.00000040.00000001.sdmp, Offset: 04FB0000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: f61d92aea659c18fc1267b533773d5bf2ab66de1f7f94f33bfad94c51cb72ba8
Instruction ID: 2e1acc4e2fadc18972e49fff743deed3318e5b1da423ac2f860e61fa3fcf5053
Opcode Fuzzy Hash: f61d92aea659c18fc1267b533773d5bf2ab66de1f7f94f33bfad94c51cb72ba8
Instruction Fuzzy Hash: B4313A6540E7C05FD3138B318C61A62BF74EF47614B0A85CBE884CF5A3D169691AC7B2

Uniqueness

Uniqueness Score: -1.00%

Function 04FB0EB8, Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,00000E2C), ref: 04FB0F5B

Memory Dump Source

Source File: 00000007.00000002.600439530.0000000004FB0000.00000040.00000001.sdmp, Offset: 04FB0000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 0b76e447020929c7db66b74478eab64cd2b1a2541fe868f96d1750ca560ef133
Instruction ID: 02f0bd6a1d9d8640bd7b19032f6a6542b49cd8fbea834f40cf2c5b7e75716c1c
Opcode Fuzzy Hash: 0b76e447020929c7db66b74478eab64cd2b1a2541fe868f96d1750ca560ef133
Instruction Fuzzy Hash: 8631B372504344AFEB228F65DC44FA7BFACEF46720F0488AAF985DB152D224A419CB71

Uniqueness

Uniqueness Score: -1.00%

Function 04FB0390, Relevance: 1.6, APIs: 1, Instructions: 93registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.KERNELBASE(?,00000E2C), ref: 04FB045E

Memory Dump Source

Source File: 00000007.00000002.600439530.0000000004FB0000.00000040.00000001.sdmp, Offset: 04FB0000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 47c4cb92f02dc7de11466f804b90e8605e2c83d89e43e2e588b2bccd50bcf6e3
Instruction ID: 2154d623349c76c2e9dbea19034c45e351a3d41f05848ace05ecaeb42f5c6a97
Opcode Fuzzy Hash: 47c4cb92f02dc7de11466f804b90e8605e2c83d89e43e2e588b2bccd50bcf6e3
Instruction Fuzzy Hash: 7731A672004744AFE7228F11CC41FA7FFA8EF06714F14859EE9859B152D3B5A949CB61

Uniqueness

Uniqueness Score: -1.00%

Function 04FB0C58, Relevance: 1.6, APIs: 1, Instructions: 93COMMON

Download Yara Rule

APIs

GetTempFileNameW.KERNELBASE(?,00000E2C,?,?), ref: 04FB0D1A

Memory Dump Source

Source File: 00000007.00000002.600439530.0000000004FB0000.00000040.00000001.sdmp, Offset: 04FB0000, based on PE: false

Similarity

API ID: FileNameTemp
String ID:
API String ID: 745986568-0
Opcode ID: 8421eb865be562a3a0e86b1e4f885a8e03d0deed41801d6648c28e551bf70ea1
Instruction ID: 90c9595ade048edf78de95d5f00bbb5f6a7cc191ce13509d2cd426ca9c031ef7
Opcode Fuzzy Hash: 8421eb865be562a3a0e86b1e4f885a8e03d0deed41801d6648c28e551bf70ea1
Instruction Fuzzy Hash: D7316D6140D3C06FD7038B258C51B62BFB4EF47620F0E85DBD9848F5A3D2256819C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 04FB07F4, Relevance: 1.6, APIs: 1, Instructions: 92fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 04FB0899

Memory Dump Source

Source File: 00000007.00000002.600439530.0000000004FB0000.00000040.00000001.sdmp, Offset: 04FB0000, based on PE: false

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 0f5cdf05e2b1843c5a4d7d4363a051b730a27575e360f74af2e4be4242975ca5
Instruction ID: 1b4b02f010011edc9a7a4808b967aa1460251f13783e5088ea611a1016f58409
Opcode Fuzzy Hash: 0f5cdf05e2b1843c5a4d7d4363a051b730a27575e360f74af2e4be4242975ca5
Instruction Fuzzy Hash: DE316F71504380AFE722CF65DC44FA6BFE8EF46610F0884AEE9858B252D375E505CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 04FB2DBB, Relevance: 1.6, APIs: 1, Instructions: 90windowCOMMON

Download Yara Rule

APIs

FormatMessageW.KERNELBASE(?,00000E2C,?,?), ref: 04FB2E76

Memory Dump Source

Source File: 00000007.00000002.600439530.0000000004FB0000.00000040.00000001.sdmp, Offset: 04FB0000, based on PE: false

Similarity

API ID: FormatMessage
String ID:
API String ID: 1306739567-0
Opcode ID: 734600b113b2a4add2dfa5ca7f94711be8c98493545b7b932069d99fe7087beb
Instruction ID: ec151dacb3fd390df84c3d9c174239e8778e8b8ad7810ad28e97beea1a07cd4e
Opcode Fuzzy Hash: 734600b113b2a4add2dfa5ca7f94711be8c98493545b7b932069d99fe7087beb
Instruction Fuzzy Hash: F3318F7640D7C06FD7038B218C61A52BFB4EF87710F1A80CBD9848F2A3E6246909C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 04FB00F6, Relevance: 1.6, APIs: 1, Instructions: 89synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNELBASE(?,?), ref: 04FB019D

Memory Dump Source

Source File: 00000007.00000002.600439530.0000000004FB0000.00000040.00000001.sdmp, Offset: 04FB0000, based on PE: false

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: fd7a8f8b1cf5b25542c0965fd3fd23ab00495ef86841c78a0970982171101b3d
Instruction ID: 0174047c143571165d748d421a15002d34df022ef5273274e064bbd58845366f
Opcode Fuzzy Hash: fd7a8f8b1cf5b25542c0965fd3fd23ab00495ef86841c78a0970982171101b3d
Instruction Fuzzy Hash: E53181715097806FE712CF25DC45F96FFE8EF06310F08849AE9848B292D375A909CB61

Uniqueness

Uniqueness Score: -1.00%

Function 04FB21FE, Relevance: 1.6, APIs: 1, Instructions: 87COMMON

Download Yara Rule

APIs

ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(?,00000E2C), ref: 04FB229B

Memory Dump Source

Source File: 00000007.00000002.600439530.0000000004FB0000.00000040.00000001.sdmp, Offset: 04FB0000, based on PE: false

Similarity

API ID: DescriptorSecurity$ConvertString
String ID:
API String ID: 3907675253-0
Opcode ID: 863ee1cb6324818846156e280f18070f8939eadbf994b7336987c618739098d8
Instruction ID: 10c6dceadab8162d4b7feca5bd03ea755d07bc3c2a915b797ff3a4b72c6275af
Opcode Fuzzy Hash: 863ee1cb6324818846156e280f18070f8939eadbf994b7336987c618739098d8
Instruction Fuzzy Hash: EC21C372504344AFE7218F65DC45FA7BFACEF46320F0885AAE984DB242D364A905CB61

Uniqueness

Uniqueness Score: -1.00%

Function 04FB0FB9, Relevance: 1.6, APIs: 1, Instructions: 87COMMON

Download Yara Rule

APIs

GetExitCodeProcess.KERNELBASE(?,00000E2C,30277B8A,00000000,00000000,00000000,00000000), ref: 04FB105C

Memory Dump Source

Source File: 00000007.00000002.600439530.0000000004FB0000.00000040.00000001.sdmp, Offset: 04FB0000, based on PE: false

Similarity

API ID: CodeExitProcess
String ID:
API String ID: 3861947596-0
Opcode ID: 403ba98581523cfaba211fdc28ad3aa8bb9b0b316795b24294f98b52f8fb8072
Instruction ID: 5634b902f71f0f75ba558be320b2cd1a0aae9f0411a201171a6f83447277ef21
Opcode Fuzzy Hash: 403ba98581523cfaba211fdc28ad3aa8bb9b0b316795b24294f98b52f8fb8072
Instruction Fuzzy Hash: A731E572509380AFEB128B25DC51F96BFB8EF47310F0884DBED849F193D664A509CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 04FB249C, Relevance: 1.6, APIs: 1, Instructions: 87fileCOMMON

Download Yara Rule

APIs

MapViewOfFile.KERNELBASE ref: 04FB254E

Memory Dump Source

Source File: 00000007.00000002.600439530.0000000004FB0000.00000040.00000001.sdmp, Offset: 04FB0000, based on PE: false

Similarity

API ID: FileView
String ID:
API String ID: 3314676101-0
Opcode ID: 66aa6bb8803980eeea69f9a9cbe070ed5bd594a0a37c34012359fc5d68dd092f
Instruction ID: 22c0fe9890a3afb09c206e1907bf97309350610068b94aacbc905a37d892ea6e
Opcode Fuzzy Hash: 66aa6bb8803980eeea69f9a9cbe070ed5bd594a0a37c34012359fc5d68dd092f
Instruction Fuzzy Hash: 9C31D4B2404780AFE722CF55DC45F96FFF8EF06320F04859AE9849B252D375A509CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 04FB04AB, Relevance: 1.6, APIs: 1, Instructions: 86registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,30277B8A,00000000,00000000,00000000,00000000), ref: 04FB055C

Memory Dump Source

Source File: 00000007.00000002.600439530.0000000004FB0000.00000040.00000001.sdmp, Offset: 04FB0000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 7acd544e48cb536f8d81b65792fdc12f479a680002f8d5aef64dc1f48011802a
Instruction ID: 7f40034dcfa0330c388ab2aeb4d69a1aefbf1dfe17cfb6bfd63eb319b594e9b3
Opcode Fuzzy Hash: 7acd544e48cb536f8d81b65792fdc12f479a680002f8d5aef64dc1f48011802a
Instruction Fuzzy Hash: 5E31A071509780AFD722CB25DC44F93BFF8AF07310F0885DAE9859B1A2D264A809CB71

Uniqueness

Uniqueness Score: -1.00%

Function 04FB2946, Relevance: 1.6, APIs: 1, Instructions: 84COMMON

Download Yara Rule

APIs

getaddrinfo.WS2_32(?,00000E2C), ref: 04FB29EB

Memory Dump Source

Source File: 00000007.00000002.600439530.0000000004FB0000.00000040.00000001.sdmp, Offset: 04FB0000, based on PE: false

Similarity

API ID: getaddrinfo
String ID:
API String ID: 300660673-0
Opcode ID: c413ab298b54d575da419d92b308094ebecda3f05d3b16ec918f3c41c9a80893
Instruction ID: da125b4c2a811ef3ddfc9a47307f8d9d1b010e65824145e59d5a94ca08d550c1
Opcode Fuzzy Hash: c413ab298b54d575da419d92b308094ebecda3f05d3b16ec918f3c41c9a80893
Instruction Fuzzy Hash: E321D171500304AFFB21DF25CC85FA7FBACEF45710F10899AFE849A281D6B5A5098BB1

Uniqueness

Uniqueness Score: -1.00%

Function 04FB08F0, Relevance: 1.6, APIs: 1, Instructions: 80COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E2C,30277B8A,00000000,00000000,00000000,00000000), ref: 04FB0985

Memory Dump Source

Source File: 00000007.00000002.600439530.0000000004FB0000.00000040.00000001.sdmp, Offset: 04FB0000, based on PE: false

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 14782966623dc4652d6792d2484949de62a037ebafc0934ba1e283343a2ff453
Instruction ID: f01a8050a917e730e9de16b0f34744b5cbc46fd951a8531d4a43c69235fe55c8
Opcode Fuzzy Hash: 14782966623dc4652d6792d2484949de62a037ebafc0934ba1e283343a2ff453
Instruction Fuzzy Hash: 3821FB754097846FE7128B25DC41FA2BFA8EF47720F1881D7EE848B293D2646909C7B1

Uniqueness

Uniqueness Score: -1.00%

Function 04FB0EDE, Relevance: 1.6, APIs: 1, Instructions: 80COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,00000E2C), ref: 04FB0F5B

Memory Dump Source

Source File: 00000007.00000002.600439530.0000000004FB0000.00000040.00000001.sdmp, Offset: 04FB0000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: afd014989c5a9cd81f07969dd226bf8d4dbb2a83c2f380f91361a2a35cb95d3a
Instruction ID: e2944327b5d5868ce051f6866612960b913c9595db999aa64a89835fbd3ec1c3
Opcode Fuzzy Hash: afd014989c5a9cd81f07969dd226bf8d4dbb2a83c2f380f91361a2a35cb95d3a
Instruction Fuzzy Hash: B621C172500704AFEB218F65DC45FABFBACEF05720F04886AEE85DB251D670A4098BB1

Uniqueness

Uniqueness Score: -1.00%

Function 04FB02AB, Relevance: 1.6, APIs: 1, Instructions: 79registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNELBASE(?,00000E2C), ref: 04FB0353

Memory Dump Source

Source File: 00000007.00000002.600439530.0000000004FB0000.00000040.00000001.sdmp, Offset: 04FB0000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 7628223ac6255088ca45d1abf75bdec90fdc426a0fef767809d48a4171638635
Instruction ID: 1d2c8d98935211c7942f407fde8ed83136e9e504619ff93d910eb6f85e58a4e3
Opcode Fuzzy Hash: 7628223ac6255088ca45d1abf75bdec90fdc426a0fef767809d48a4171638635
Instruction Fuzzy Hash: 6D21A675409780AFE7228F21DC45FA6FFB4EF07710F1884DAE9849B192D275A909CB71

Uniqueness

Uniqueness Score: -1.00%

Function 04FB222A, Relevance: 1.6, APIs: 1, Instructions: 76COMMON

Download Yara Rule

APIs

ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(?,00000E2C), ref: 04FB229B

Memory Dump Source

Source File: 00000007.00000002.600439530.0000000004FB0000.00000040.00000001.sdmp, Offset: 04FB0000, based on PE: false

Similarity

API ID: DescriptorSecurity$ConvertString
String ID:
API String ID: 3907675253-0
Opcode ID: 305a2a2ecc37070ffbe3f44a7bc104b0cb4fd63280efc13e6b8c28d14d6a76ff
Instruction ID: 060ce65b1ef7478c3e6385c03ee1f84d075820fe639da6adcc9c25e6b8c2c209
Opcode Fuzzy Hash: 305a2a2ecc37070ffbe3f44a7bc104b0cb4fd63280efc13e6b8c28d14d6a76ff
Instruction Fuzzy Hash: FB219572500204AFF7209F25DC49FABFB9CEF45710F14896AED45DB241D674E5058BB1

Uniqueness

Uniqueness Score: -1.00%

Function 04FB081A, Relevance: 1.6, APIs: 1, Instructions: 76fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 04FB0899

Memory Dump Source

Source File: 00000007.00000002.600439530.0000000004FB0000.00000040.00000001.sdmp, Offset: 04FB0000, based on PE: false

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 7c695829b2d80e04287fb6e7e1dc5e010fef54be8d5860139f56996638784c58
Instruction ID: 295f92285b23d2341812e3d2e8abd7b988398fde289e965076b8aafa797eb810
Opcode Fuzzy Hash: 7c695829b2d80e04287fb6e7e1dc5e010fef54be8d5860139f56996638784c58
Instruction Fuzzy Hash: 5D219C75500700AFE721DF66C845FA7FBE8EF09710F14846AE9858B242E771E505CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 04FB03CA, Relevance: 1.6, APIs: 1, Instructions: 75registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.KERNELBASE(?,00000E2C), ref: 04FB045E

Memory Dump Source

Source File: 00000007.00000002.600439530.0000000004FB0000.00000040.00000001.sdmp, Offset: 04FB0000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: e76e23eaa05bffd31d6fb935c5abbe207b1dd9ee726630dc062a9a3a4bb9be15
Instruction ID: 2e85f0e58d2d097e3eb84649855e1df4f3edc0d4b0a795803c351ca3969a80b7
Opcode Fuzzy Hash: e76e23eaa05bffd31d6fb935c5abbe207b1dd9ee726630dc062a9a3a4bb9be15
Instruction Fuzzy Hash: 4221F272100204AFFB218F15CC41FA7FBACEF05710F10896AFE859A281D6B1A509CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 04FB09C0, Relevance: 1.6, APIs: 1, Instructions: 75COMMON

Download Yara Rule

APIs

setsockopt.WS2_32(?,00000E2C,30277B8A,00000000,00000000,00000000,00000000), ref: 04FB0A51

Memory Dump Source

Source File: 00000007.00000002.600439530.0000000004FB0000.00000040.00000001.sdmp, Offset: 04FB0000, based on PE: false

Similarity

API ID: setsockopt
String ID:
API String ID: 3981526788-0
Opcode ID: ad846c44e70fe13260a414e2e9de8193d6c933d8ba8488da42a6e6f0755b97f9
Instruction ID: 238c2e13b9a25fb7c4d63dff9d2eaef747b68bc0f8846daf08ed892c417cba6a
Opcode Fuzzy Hash: ad846c44e70fe13260a414e2e9de8193d6c933d8ba8488da42a6e6f0755b97f9
Instruction Fuzzy Hash: 3021A172409380AFE7228F65DC44F56BFB8EF46314F0884DBEA849B153D275A409CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 04FB0B79, Relevance: 1.6, APIs: 1, Instructions: 75registryCOMMON

Download Yara Rule

APIs

RegSetValueExW.KERNELBASE(?,00000E2C,30277B8A,00000000,00000000,00000000,00000000), ref: 04FB0C10

Memory Dump Source

Source File: 00000007.00000002.600439530.0000000004FB0000.00000040.00000001.sdmp, Offset: 04FB0000, based on PE: false

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 48e703b7eb5e1881b76d5b60c0decefa3517504112027b0b65a84330cb44e419
Instruction ID: e5dda960005b7f1f716999e87b67a9f96250ca5b6a645e2e0ac090bdf573a663
Opcode Fuzzy Hash: 48e703b7eb5e1881b76d5b60c0decefa3517504112027b0b65a84330cb44e419
Instruction Fuzzy Hash: 9521AFB2504740AFE7228F15DC85F97FFB8EF06710F08859AE9859B252D764E809CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 04FB123E, Relevance: 1.6, APIs: 1, Instructions: 75COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 04FB12BE

Memory Dump Source

Source File: 00000007.00000002.600439530.0000000004FB0000.00000040.00000001.sdmp, Offset: 04FB0000, based on PE: false

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: a2aebf42801e940e62f5f4183fcfda937924cb424e5739b13588a7ae1ae9cb01
Instruction ID: 86e84b80dc5949ad2c05007ed4e815aa71904d5fd5083eed0d7b75bda51d32c2
Opcode Fuzzy Hash: a2aebf42801e940e62f5f4183fcfda937924cb424e5739b13588a7ae1ae9cb01
Instruction Fuzzy Hash: 042192725093805FD7128F25DC95B92BFE8EF07220F0980EBD985CB253D225E809CB61

Uniqueness

Uniqueness Score: -1.00%

Function 04FB012A, Relevance: 1.6, APIs: 1, Instructions: 72synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNELBASE(?,?), ref: 04FB019D

Memory Dump Source

Source File: 00000007.00000002.600439530.0000000004FB0000.00000040.00000001.sdmp, Offset: 04FB0000, based on PE: false

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 0d7f70a1b12475fd0b2ebcd8c0f9b8fefac26dd56be349981b5fc974e6e25402
Instruction ID: cb22449dbdb0d49892375c48a6944bf1d45cb70b572a71807126704e629f9be5
Opcode Fuzzy Hash: 0d7f70a1b12475fd0b2ebcd8c0f9b8fefac26dd56be349981b5fc974e6e25402
Instruction Fuzzy Hash: 9D217F71500200AFE724DF25D945BABFBE8EF05710F14846AED859B341E771E505CAB5

Uniqueness

Uniqueness Score: -1.00%

Function 04FB10BF, Relevance: 1.6, APIs: 1, Instructions: 71fileCOMMON

Download Yara Rule

APIs

DeleteFileA.KERNELBASE(?,00000E2C), ref: 04FB114B

Memory Dump Source

Source File: 00000007.00000002.600439530.0000000004FB0000.00000040.00000001.sdmp, Offset: 04FB0000, based on PE: false

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 31aaee88ddb27a62225de8629cb018bc0ca247874aa4c50a1244f9eb61abab38
Instruction ID: 7f59ee7dcd80ee931d5de7f7f319c1ef24f5c53dc398f4d3df3865082f36cc13
Opcode Fuzzy Hash: 31aaee88ddb27a62225de8629cb018bc0ca247874aa4c50a1244f9eb61abab38
Instruction Fuzzy Hash: 4821D871504380AFE7218B25DC45FA6FFA8DF46720F14C09AFD459B292D374A945CB61

Uniqueness

Uniqueness Score: -1.00%

Function 04FB0A9B, Relevance: 1.6, APIs: 1, Instructions: 71fileCOMMON

Download Yara Rule

APIs

CopyFileW.KERNELBASE(?,?,?), ref: 04FB0B1E

Memory Dump Source

Source File: 00000007.00000002.600439530.0000000004FB0000.00000040.00000001.sdmp, Offset: 04FB0000, based on PE: false

Similarity

API ID: CopyFile
String ID:
API String ID: 1304948518-0
Opcode ID: 5faa58e00c94037d831162044b5dd59664a9777cf1341e13ca77a552363d333d
Instruction ID: 65dce821f197b59658255e2aa521fd7e2af4b8772a04e565101b67b5b58152f2
Opcode Fuzzy Hash: 5faa58e00c94037d831162044b5dd59664a9777cf1341e13ca77a552363d333d
Instruction Fuzzy Hash: B4217FB15093845FDB22CF25DC55B93BFA8AF16214F0880EAE984DB253E665E808CB61

Uniqueness

Uniqueness Score: -1.00%

Function 04FB0723, Relevance: 1.6, APIs: 1, Instructions: 71COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,?), ref: 04FB079F

Memory Dump Source

Source File: 00000007.00000002.600439530.0000000004FB0000.00000040.00000001.sdmp, Offset: 04FB0000, based on PE: false

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: 8c3d27091909d31ea1bcfd9e0ce0471a077512bace839ae0165eff02b3677406
Instruction ID: 53f0e1f7a915f2085201e92337093ea72ed4aad4365f6cd5e34dd2bd5f598404
Opcode Fuzzy Hash: 8c3d27091909d31ea1bcfd9e0ce0471a077512bace839ae0165eff02b3677406
Instruction Fuzzy Hash: 0721A1B15053809FD711CF25DC45B92BFE8EF06210F1980EAED85CF152E274A909CB61

Uniqueness

Uniqueness Score: -1.00%

Function 04FB23DA, Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

OpenFileMappingW.KERNELBASE(?,?), ref: 04FB2445

Memory Dump Source

Source File: 00000007.00000002.600439530.0000000004FB0000.00000040.00000001.sdmp, Offset: 04FB0000, based on PE: false

Similarity

API ID: FileMappingOpen
String ID:
API String ID: 1680863896-0
Opcode ID: 56ded7c08d3712fee165123c6e30aaf9687148588d310ca68fc4d6c8a5a27ffa
Instruction ID: a6f8f972e572bafc4f5013cec6332392b49fb57afbaa1f8cc0b7aaa0a549d4bd
Opcode Fuzzy Hash: 56ded7c08d3712fee165123c6e30aaf9687148588d310ca68fc4d6c8a5a27ffa
Instruction Fuzzy Hash: D021A171500600AFE721DF25CC49BA6FBD8EF05720F1484AAED859B642E371F405CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 04FB148C, Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 04FB14F8

Memory Dump Source

Source File: 00000007.00000002.600439530.0000000004FB0000.00000040.00000001.sdmp, Offset: 04FB0000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: b3d5c056ebac40953797ab1dfe6633e6ca86a277894211b968a1773ba2b7fbec
Instruction ID: 20ff5d117531a2ec570f5fe2f12451cdfac7ab8b35caf4c02b358edcae1f0a7d
Opcode Fuzzy Hash: b3d5c056ebac40953797ab1dfe6633e6ca86a277894211b968a1773ba2b7fbec
Instruction Fuzzy Hash: 5021A1725093C05FDB028F25DC55A92BFB4AF07224F0980DAED858F263D275A908CB61

Uniqueness

Uniqueness Score: -1.00%

Function 04FB1EEA, Relevance: 1.6, APIs: 1, Instructions: 67networkCOMMON

Download Yara Rule

APIs

WSASocketW.WS2_32 ref: 04FB1F56

Memory Dump Source

Source File: 00000007.00000002.600439530.0000000004FB0000.00000040.00000001.sdmp, Offset: 04FB0000, based on PE: false

Similarity

API ID: Socket
String ID:
API String ID: 38366605-0
Opcode ID: 352ed914d423e33db40f9673313d23e6a373b5124763dca62c21e62faea48273
Instruction ID: ba2a9d1094688a41628dfe734625c8db927ea563e98718f02e5e36ceae068e16
Opcode Fuzzy Hash: 352ed914d423e33db40f9673313d23e6a373b5124763dca62c21e62faea48273
Instruction Fuzzy Hash: 0C21CD71500600AFEB21DF65DD45FA6FFE8EF09320F14846AEE858B242D3B1A409CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 04FB24DA, Relevance: 1.6, APIs: 1, Instructions: 67fileCOMMON

Download Yara Rule

APIs

MapViewOfFile.KERNELBASE ref: 04FB254E

Memory Dump Source

Source File: 00000007.00000002.600439530.0000000004FB0000.00000040.00000001.sdmp, Offset: 04FB0000, based on PE: false

Similarity

API ID: FileView
String ID:
API String ID: 3314676101-0
Opcode ID: 733b215816c0d984c174ad5a7e70d8e80a5cd3249b5d829ed077766208a5ea7d
Instruction ID: 32bb779602b571d2fc3b17473206d2b556c912e7b3632c02d70f135ffb5253a7
Opcode Fuzzy Hash: 733b215816c0d984c174ad5a7e70d8e80a5cd3249b5d829ed077766208a5ea7d
Instruction Fuzzy Hash: F521AE71500600AFE721CF15DC89FA6FBE8EF09720F14859AEA849B251D371B509CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 04FB04EA, Relevance: 1.6, APIs: 1, Instructions: 65registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,30277B8A,00000000,00000000,00000000,00000000), ref: 04FB055C

Memory Dump Source

Source File: 00000007.00000002.600439530.0000000004FB0000.00000040.00000001.sdmp, Offset: 04FB0000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: fb65b11f858fcab97a775985547b6ab993744850ecfb8766f3b1b2a6b5eaed76
Instruction ID: 028d5780621ed0261446d0024b38850b84500d9dee863b13037febe9bcad2f4b
Opcode Fuzzy Hash: fb65b11f858fcab97a775985547b6ab993744850ecfb8766f3b1b2a6b5eaed76
Instruction Fuzzy Hash: 91117F72500604AEEB20CF16DC81FA7FBE8EF06720F14C55AEA869B651D660F409CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 04FB0B9E, Relevance: 1.6, APIs: 1, Instructions: 65registryCOMMON

Download Yara Rule

APIs

RegSetValueExW.KERNELBASE(?,00000E2C,30277B8A,00000000,00000000,00000000,00000000), ref: 04FB0C10

Memory Dump Source

Source File: 00000007.00000002.600439530.0000000004FB0000.00000040.00000001.sdmp, Offset: 04FB0000, based on PE: false

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 9e097a2d851b861df8c715ede0910aa77edfb5b0b75a53a05e61a78d6a95539e
Instruction ID: b0fe2e8f618636265cf7827711dbc71d5798c07b31da662ddddd3902000a5e4e
Opcode Fuzzy Hash: 9e097a2d851b861df8c715ede0910aa77edfb5b0b75a53a05e61a78d6a95539e
Instruction Fuzzy Hash: C11181B2500604AFEB219E16DC41FA7FBA8EF05710F14855AEE859B251DB70E406CAB1

Uniqueness

Uniqueness Score: -1.00%

Function 04FB118F, Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

SetKernelObjectSecurity.KERNELBASE(?,?,?), ref: 04FB1202

Memory Dump Source

Source File: 00000007.00000002.600439530.0000000004FB0000.00000040.00000001.sdmp, Offset: 04FB0000, based on PE: false

Similarity

API ID: KernelObjectSecurity
String ID:
API String ID: 3015937269-0
Opcode ID: a0a4b427d95f0546fc2d8f45e79963f06b10796a04bc5b46a163a52f049a9e31
Instruction ID: 7e00b6ffb20800a381e85437eb3d11c40b136925f11d47fb096eaaa1fb465fd1
Opcode Fuzzy Hash: a0a4b427d95f0546fc2d8f45e79963f06b10796a04bc5b46a163a52f049a9e31
Instruction Fuzzy Hash: 8221AF755093809FD7128F25DC54A92FFB4EF07224F0980DFED848B2A3D275A949CB62

Uniqueness

Uniqueness Score: -1.00%

Function 04FB1006, Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

GetExitCodeProcess.KERNELBASE(?,00000E2C,30277B8A,00000000,00000000,00000000,00000000), ref: 04FB105C

Memory Dump Source

Source File: 00000007.00000002.600439530.0000000004FB0000.00000040.00000001.sdmp, Offset: 04FB0000, based on PE: false

Similarity

API ID: CodeExitProcess
String ID:
API String ID: 3861947596-0
Opcode ID: b6d998c8f821cb38d41fbf65a36c073e541cb16733aabf11b9ff43d17f0d2f1e
Instruction ID: 1b57f6f18945eb6ea174f8bb5a90c080b0c1e2c191694f9be7aa2f88be359629
Opcode Fuzzy Hash: b6d998c8f821cb38d41fbf65a36c073e541cb16733aabf11b9ff43d17f0d2f1e
Instruction Fuzzy Hash: D611E371500644AFEB108F29DD85FABBB98EF45360F1484ABEE45DB241E674A4058BB1

Uniqueness

Uniqueness Score: -1.00%

Function 04FB09F2, Relevance: 1.6, APIs: 1, Instructions: 60COMMON

Download Yara Rule

APIs

setsockopt.WS2_32(?,00000E2C,30277B8A,00000000,00000000,00000000,00000000), ref: 04FB0A51

Memory Dump Source

Source File: 00000007.00000002.600439530.0000000004FB0000.00000040.00000001.sdmp, Offset: 04FB0000, based on PE: false

Similarity

API ID: setsockopt
String ID:
API String ID: 3981526788-0
Opcode ID: f97ada77df1c4a06ac77b552be57bacdf35aed8b3fe6ae88eab5bc905b88ee9f
Instruction ID: 16d1d162c9ef4332ed5bda38804ca4563fc58a027b2e9f2f624ab88fc2d45627
Opcode Fuzzy Hash: f97ada77df1c4a06ac77b552be57bacdf35aed8b3fe6ae88eab5bc905b88ee9f
Instruction Fuzzy Hash: D111B272500600AEEB21CF55DC45F97FBECEF05720F14886BEE499B241D675A4058BB2

Uniqueness

Uniqueness Score: -1.00%

Function 04FB10E2, Relevance: 1.6, APIs: 1, Instructions: 60fileCOMMON

Download Yara Rule

APIs

DeleteFileA.KERNELBASE(?,00000E2C), ref: 04FB114B

Memory Dump Source

Source File: 00000007.00000002.600439530.0000000004FB0000.00000040.00000001.sdmp, Offset: 04FB0000, based on PE: false

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 25bd54419f035f8be4a1744f2e0a415dd19c46f671e5d4b1511a8637557c20bb
Instruction ID: 206a017f74ca32d58594d71a40b031d198ac0fcbc20919514a637372f9c64827
Opcode Fuzzy Hash: 25bd54419f035f8be4a1744f2e0a415dd19c46f671e5d4b1511a8637557c20bb
Instruction Fuzzy Hash: 93112971600600AFF7209B15DD42FA6FB9CDF06720F14C06AEE459B382D6B4B505CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 04FB02DE, Relevance: 1.6, APIs: 1, Instructions: 60registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNELBASE(?,00000E2C), ref: 04FB0353

Memory Dump Source

Source File: 00000007.00000002.600439530.0000000004FB0000.00000040.00000001.sdmp, Offset: 04FB0000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 67135ea39bd31f0f955ecac7f33b51ec32c950f1ba26344b241c1cab0c44f9aa
Instruction ID: 6f5ea1aa293ec652d9f7f4821aec8b99b36dcf23c1ba4a843faebc4775d01f6f
Opcode Fuzzy Hash: 67135ea39bd31f0f955ecac7f33b51ec32c950f1ba26344b241c1cab0c44f9aa
Instruction Fuzzy Hash: 5C110131500700EFEB218F15CC85FA7FFA8EF05720F18849AEE855A291D6B1B509CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 04FB1750, Relevance: 1.6, APIs: 1, Instructions: 60COMMON

Download Yara Rule

APIs

K32EnumProcesses.KERNEL32(?,?,?,30277B8A,00000000,?,?,?,?,?,?,?,?,72F43C38), ref: 04FB17B2

Memory Dump Source

Source File: 00000007.00000002.600439530.0000000004FB0000.00000040.00000001.sdmp, Offset: 04FB0000, based on PE: false

Similarity

API ID: EnumProcesses
String ID:
API String ID: 84517404-0
Opcode ID: 57e9f47e7e4c8b4c067b86f366a15e0c1c4d2017c5af5137bb57dc2d3f45688b
Instruction ID: ffd8cabefcfddfd4f4a9786e9c29fd732c0c226f24e0d9ad5f9f6c2e0d619027
Opcode Fuzzy Hash: 57e9f47e7e4c8b4c067b86f366a15e0c1c4d2017c5af5137bb57dc2d3f45688b
Instruction Fuzzy Hash: 81118175505384AFD711CF65DC85B97FFE8EF06220F1884AAED89CB252D275A808CB61

Uniqueness

Uniqueness Score: -1.00%

Function 04FB15EB, Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNELBASE(?), ref: 04FB164C

Memory Dump Source

Source File: 00000007.00000002.600439530.0000000004FB0000.00000040.00000001.sdmp, Offset: 04FB0000, based on PE: false

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: ee1a38a0401bcce6a671a0d21096d626865a16fe1f65f888ea57d23116719487
Instruction ID: aa09960e9b33c0aa61f980734c3f3026eec6b863094937306ef17b905b2da21a
Opcode Fuzzy Hash: ee1a38a0401bcce6a671a0d21096d626865a16fe1f65f888ea57d23116719487
Instruction Fuzzy Hash: 44119D714093C0AFD7128F25D855A92BFF4EF47220F0D84EADD888F263D275A949CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 04FB0AD6, Relevance: 1.6, APIs: 1, Instructions: 53fileCOMMON

Download Yara Rule

APIs

CopyFileW.KERNELBASE(?,?,?), ref: 04FB0B1E

Memory Dump Source

Source File: 00000007.00000002.600439530.0000000004FB0000.00000040.00000001.sdmp, Offset: 04FB0000, based on PE: false

Similarity

API ID: CopyFile
String ID:
API String ID: 1304948518-0
Opcode ID: 64469817c279650159b475c01c211e279a514a7245c7822616b2fbf5b0bf7b55
Instruction ID: 43f599bcb0d90760b5eb19c47df805352eade946ebc34b7b48140c90edd65e29
Opcode Fuzzy Hash: 64469817c279650159b475c01c211e279a514a7245c7822616b2fbf5b0bf7b55
Instruction Fuzzy Hash: 98115E72A006049FDB50CF2AD885B97FBD8EF05724F18C4AADD49DB242EA75E405CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 04FB1276, Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 04FB12BE

Memory Dump Source

Source File: 00000007.00000002.600439530.0000000004FB0000.00000040.00000001.sdmp, Offset: 04FB0000, based on PE: false

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 64469817c279650159b475c01c211e279a514a7245c7822616b2fbf5b0bf7b55
Instruction ID: bd8c0d895b9e18dddeaba5ca0bf1053006b80906a8afad308063af89bbac60cc
Opcode Fuzzy Hash: 64469817c279650159b475c01c211e279a514a7245c7822616b2fbf5b0bf7b55
Instruction Fuzzy Hash: F211A571A002009FEB10CF2AD985B96FBD8EF05360F08C1AADD49CB241E674E405CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 04FB075A, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,?), ref: 04FB079F

Memory Dump Source

Source File: 00000007.00000002.600439530.0000000004FB0000.00000040.00000001.sdmp, Offset: 04FB0000, based on PE: false

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: 95c47fbe83176385ebc0ec0ab45920f4feed63ea7c8b2e3af86279f924efa188
Instruction ID: 0e2338ef73de10b7b7c6dc571d1cf0a368153a8c427847c99458232a5e6c3038
Opcode Fuzzy Hash: 95c47fbe83176385ebc0ec0ab45920f4feed63ea7c8b2e3af86279f924efa188
Instruction Fuzzy Hash: 3211A175A002009FDB10CF2AD885BA7FBD8EF05220F18C0AADD49CB642EA74E405CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 04FB0932, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E2C,30277B8A,00000000,00000000,00000000,00000000), ref: 04FB0985

Memory Dump Source

Source File: 00000007.00000002.600439530.0000000004FB0000.00000040.00000001.sdmp, Offset: 04FB0000, based on PE: false

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 30310886d3d1c6c1ed6f7cb685efe80ccb90d5e33c35c9b63cf41678538673f5
Instruction ID: ae24a2962e6520e4483b93b7caed52bae754c895396b3e3801c97499742f20a9
Opcode Fuzzy Hash: 30310886d3d1c6c1ed6f7cb685efe80ccb90d5e33c35c9b63cf41678538673f5
Instruction Fuzzy Hash: EE01D276500604AEE710CF1ADC85FA7FBA8EF06720F14C097EF859B341DAB4A4098BB1

Uniqueness

Uniqueness Score: -1.00%

Function 04FB1772, Relevance: 1.5, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

K32EnumProcesses.KERNEL32(?,?,?,30277B8A,00000000,?,?,?,?,?,?,?,?,72F43C38), ref: 04FB17B2

Memory Dump Source

Source File: 00000007.00000002.600439530.0000000004FB0000.00000040.00000001.sdmp, Offset: 04FB0000, based on PE: false

Similarity

API ID: EnumProcesses
String ID:
API String ID: 84517404-0
Opcode ID: 697b2a4e224005a4da9f99a3967a6f85f10812c30d3d96195bf84aef6aecf0e4
Instruction ID: 03c0fab06139c4a1ef64c6482aca9d1c8539ffcb11fe7147d8fb2f4bc9997e0e
Opcode Fuzzy Hash: 697b2a4e224005a4da9f99a3967a6f85f10812c30d3d96195bf84aef6aecf0e4
Instruction Fuzzy Hash: 9F11A135A002049FDB10CF6AD984B96FBE8EF05320F28C0AADD49CB211E675E405CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 04FB0CCA, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetTempFileNameW.KERNELBASE(?,00000E2C,?,?), ref: 04FB0D1A

Memory Dump Source

Source File: 00000007.00000002.600439530.0000000004FB0000.00000040.00000001.sdmp, Offset: 04FB0000, based on PE: false

Similarity

API ID: FileNameTemp
String ID:
API String ID: 745986568-0
Opcode ID: acf7def10430209e56426d5a842b74ec53b7fb4a9b92653258eb3dbfd32e1c3b
Instruction ID: 43c513d8b61f9cfae369b69a9f743d932c92f1fea823dc1883e8738c5aa1616c
Opcode Fuzzy Hash: acf7def10430209e56426d5a842b74ec53b7fb4a9b92653258eb3dbfd32e1c3b
Instruction Fuzzy Hash: 5B017176500600ABD710DF16DC86F26FBA8FB88B20F14816AED089B741E371B515CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 04FB2E26, Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

FormatMessageW.KERNELBASE(?,00000E2C,?,?), ref: 04FB2E76

Memory Dump Source

Source File: 00000007.00000002.600439530.0000000004FB0000.00000040.00000001.sdmp, Offset: 04FB0000, based on PE: false

Similarity

API ID: FormatMessage
String ID:
API String ID: 1306739567-0
Opcode ID: bb96dc5f68c20c83490b705228400c0dbd5e53c65d7b26da489ed3add7b608be
Instruction ID: 1c114bbc28b1bf5a52cf18b9025ec9c6a713e3e98feff1a722cfa81b0c043af6
Opcode Fuzzy Hash: bb96dc5f68c20c83490b705228400c0dbd5e53c65d7b26da489ed3add7b608be
Instruction Fuzzy Hash: D8017176500600ABD710DF16DC86F26FBA8EB88B20F14816AED089B741E371B515CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 04FB11C2, Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

SetKernelObjectSecurity.KERNELBASE(?,?,?), ref: 04FB1202

Memory Dump Source

Source File: 00000007.00000002.600439530.0000000004FB0000.00000040.00000001.sdmp, Offset: 04FB0000, based on PE: false

Similarity

API ID: KernelObjectSecurity
String ID:
API String ID: 3015937269-0
Opcode ID: 507d883a7917b8d9cc479e640c3c9bd37f80c69233dfc43d80c280e7e867ca0f
Instruction ID: 11a4149556556b1acecb6c930c3ef76fca08dffa165268d204623c7927b77d50
Opcode Fuzzy Hash: 507d883a7917b8d9cc479e640c3c9bd37f80c69233dfc43d80c280e7e867ca0f
Instruction Fuzzy Hash: B30192356006009FDB10CF56D985BA6FBE4EF05360F08C0AADD458B652D271E459DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 04FB14C6, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 04FB14F8

Memory Dump Source

Source File: 00000007.00000002.600439530.0000000004FB0000.00000040.00000001.sdmp, Offset: 04FB0000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 619809075bb6a76ff3ec565b5925cb2221b2b2719795e78572c6411fbb961e87
Instruction ID: 93978d48fc712354edbabfb65be162314c2cadf3a8bb2d7400c4887e93d0a204
Opcode Fuzzy Hash: 619809075bb6a76ff3ec565b5925cb2221b2b2719795e78572c6411fbb961e87
Instruction Fuzzy Hash: 4701D4319006009FDB10CF1AE985796FFE4EF01220F08C0ABDD4A8B202D2B5E408CFB2

Uniqueness

Uniqueness Score: -1.00%

Function 04FB0232, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 04FB0264

Memory Dump Source

Source File: 00000007.00000002.600439530.0000000004FB0000.00000040.00000001.sdmp, Offset: 04FB0000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: c93f8162400b5b94f7877e6283cdf513d46c4c5f215bce4df974cf9d1e6ac67a
Instruction ID: 2bd0fb188617c4cb381cac21ff298119e282fec1081dc5ebef0a5c7624a8862d
Opcode Fuzzy Hash: c93f8162400b5b94f7877e6283cdf513d46c4c5f215bce4df974cf9d1e6ac67a
Instruction Fuzzy Hash: E8018F759006409FDB108F2AD8857A6FF94EF45320F18C4ABDD498B642EAB5E448DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 04FB1B2E, Relevance: 1.5, APIs: 1, Instructions: 43registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,?,?), ref: 04FB1B7E

Memory Dump Source

Source File: 00000007.00000002.600439530.0000000004FB0000.00000040.00000001.sdmp, Offset: 04FB0000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: c5560956583c958152f15f69c8d8b89ba9d59df8776f8f45f714f5f0e0bf830e
Instruction ID: 262a6683a279b821f60b30b2bcb452b33759bd3aeed0c7bc43e34cb4e5c6c6ee
Opcode Fuzzy Hash: c5560956583c958152f15f69c8d8b89ba9d59df8776f8f45f714f5f0e0bf830e
Instruction Fuzzy Hash: 18016D76500604ABD210DF16DC86F26FBA8FB89B20F14C15AED085B741E371F926CBE6

Uniqueness

Uniqueness Score: -1.00%

Function 029020D0, Relevance: 1.4, Strings: 1, Instructions: 200COMMON

Download Yara Rule

Strings

r*+, xrefs: 0290230F

Memory Dump Source

Source File: 00000007.00000002.596310699.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID:
String ID: r*+
API String ID: 0-3221063712
Opcode ID: f42f206c4844d76e5a1d0bd2c37d59f7d29dd4c52a98e89b821afce0c0398d15
Instruction ID: 36d9384bcd0a8ba97c301c12b2a50f49d3eb89226b152f082611c9d103bb105b
Opcode Fuzzy Hash: f42f206c4844d76e5a1d0bd2c37d59f7d29dd4c52a98e89b821afce0c0398d15
Instruction Fuzzy Hash: 98713030E0820ADFCB44DFA8C5C9ABEBBB5FF45300F1084AAD9169B295D7749D45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02901458, Relevance: 1.4, Strings: 1, Instructions: 128COMMON

Download Yara Rule

Strings

$ghr, xrefs: 029014C7

Memory Dump Source

Source File: 00000007.00000002.596310699.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID:
String ID: $ghr
API String ID: 0-1352911727
Opcode ID: 68592b13291176884675475652774a2bc1e23a5de1eaaa6674a4d23a04d3b4cc
Instruction ID: 2b8792dbbee5b15c0bd2902a66b784c5bd4d8d28dd9de28be719f52c92fa8074
Opcode Fuzzy Hash: 68592b13291176884675475652774a2bc1e23a5de1eaaa6674a4d23a04d3b4cc
Instruction Fuzzy Hash: 18510835A00218CFDB54EF64D894B9DBBB2BF88304F5040EAD50AAB3A5CB759D89CF51

Uniqueness

Uniqueness Score: -1.00%

Function 02901290, Relevance: 1.4, Strings: 1, Instructions: 101COMMON

Download Yara Rule

Strings

$ghr, xrefs: 02901349

Memory Dump Source

Source File: 00000007.00000002.596310699.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID:
String ID: $ghr
API String ID: 0-1352911727
Opcode ID: 677f2c8a5e406f8523750a94c1baae04119f12acd06d0860b933781b506bc559
Instruction ID: acc296ce1a4156d65ffc8670783018c6bbcef755087420b5f779ca7c61a6c613
Opcode Fuzzy Hash: 677f2c8a5e406f8523750a94c1baae04119f12acd06d0860b933781b506bc559
Instruction Fuzzy Hash: 56412634A04219CFCB64EF68D880BADBBB5BF49300F1044AAD40EAB395DB309D84CF61

Uniqueness

Uniqueness Score: -1.00%

Function 02908CC0, Relevance: 1.3, Strings: 1, Instructions: 98COMMON

Download Yara Rule

Strings

r*+, xrefs: 02908DD7

Memory Dump Source

Source File: 00000007.00000002.596310699.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID:
String ID: r*+
API String ID: 0-3221063712
Opcode ID: 899db32c1cadde8594c3436c7c3b3e1ed1de072d2e22c8c6fcea281761777551
Instruction ID: 71c5f7eb3449c262e090ee21ffa6f4b761cd5839c7e9bacc7ac1ee825ca1d51f
Opcode Fuzzy Hash: 899db32c1cadde8594c3436c7c3b3e1ed1de072d2e22c8c6fcea281761777551
Instruction Fuzzy Hash: EC411A30F04209DFCB48DFA4C5856AEBBB5FF54304F6089AAD406E72A0DB389A41DF51

Uniqueness

Uniqueness Score: -1.00%

Function 02906F7D, Relevance: 1.3, Strings: 1, Instructions: 84COMMON

Download Yara Rule

Strings

cpW, xrefs: 02906F92

Memory Dump Source

Source File: 00000007.00000002.596310699.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID:
String ID: cpW
API String ID: 0-571129977
Opcode ID: afcf9c3e8f774417ba9d75e35e49d6daac9e3b253092b928ad361adc4b750275
Instruction ID: 16d53a55b35c0ad0a1c30fb17fd92b97d176fd4357cc81eaf8ae46281e16e583
Opcode Fuzzy Hash: afcf9c3e8f774417ba9d75e35e49d6daac9e3b253092b928ad361adc4b750275
Instruction Fuzzy Hash: DA318F32614214CBC714BB38E49559C3FA6EB8135435486BCE11BCB349DFB69C07DB91

Uniqueness

Uniqueness Score: -1.00%

Function 0290E2D9, Relevance: 1.3, Strings: 1, Instructions: 80COMMON

Download Yara Rule

Strings

lir, xrefs: 0290E393

Memory Dump Source

Source File: 00000007.00000002.596310699.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID:
String ID: lir
API String ID: 0-3872640509
Opcode ID: 7f5723f7ef9374e0cf8066191f3807040a254d90dcff104d846f740406ee87de
Instruction ID: 863e8d6510c9ac6abac68cf7617756d953559a33b45ddd397374b0ea27c65e63
Opcode Fuzzy Hash: 7f5723f7ef9374e0cf8066191f3807040a254d90dcff104d846f740406ee87de
Instruction Fuzzy Hash: 1F21B071604218CFCB158B79D4807BEBFE6AB88701F148C6AF486D7780DB319C42D7A1

Uniqueness

Uniqueness Score: -1.00%

Function 0290E839, Relevance: 1.3, Strings: 1, Instructions: 77COMMON

Download Yara Rule

Strings

xk(, xrefs: 0290E824

Memory Dump Source

Source File: 00000007.00000002.596310699.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID:
String ID: xk(
API String ID: 0-2626811935
Opcode ID: ef796f6cd37f447b50028aa4f9bf155f806adb29b3b069039b87f8e65d32652f
Instruction ID: 35bf293422a24eb1a9e159c6dbaa43c1567db5f474eb3abeb190749eaf1df3a2
Opcode Fuzzy Hash: ef796f6cd37f447b50028aa4f9bf155f806adb29b3b069039b87f8e65d32652f
Instruction Fuzzy Hash: E7110A367000189FCB24D6A988D1ABFBBEADFC5714F54886EE946C77D1CD61AC02C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 029061E0, Relevance: 1.3, Strings: 1, Instructions: 69COMMON

Download Yara Rule

Strings

X1kr, xrefs: 02906251

Memory Dump Source

Source File: 00000007.00000002.596310699.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID:
String ID: X1kr
API String ID: 0-844551562
Opcode ID: 1392215fb5a78c47250eac2c16c4d90e270ca9c014ad6c019c2f0bdd2374cedb
Instruction ID: d1466b0a98b4f31e1ba57ad5bdb106c6e00ceebb28831ffce48971acad45a05f
Opcode Fuzzy Hash: 1392215fb5a78c47250eac2c16c4d90e270ca9c014ad6c019c2f0bdd2374cedb
Instruction Fuzzy Hash: B711BE31B0404C9FDB04ABAC94947BE76EA9BCC320F14043AD506E77C1DF209C608BA6

Uniqueness

Uniqueness Score: -1.00%

Function 0290A6F0, Relevance: 1.3, Strings: 1, Instructions: 47COMMON

Download Yara Rule

Strings

Huir, xrefs: 0290A723

Memory Dump Source

Source File: 00000007.00000002.596310699.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID:
String ID: Huir
API String ID: 0-669697419
Opcode ID: e1b15968a7baf0992b670e7007f1d81e74abd01b63a4fa105a144ebc2721f3be
Instruction ID: af07f6e543373d196ab5c20753e3e1df5060152230ce95839517572d02880a04
Opcode Fuzzy Hash: e1b15968a7baf0992b670e7007f1d81e74abd01b63a4fa105a144ebc2721f3be
Instruction Fuzzy Hash: E2F046317082146BC6403A7CECE2B7E3D5AABC0670B64832AB206CB3C4CE54AC0143F6

Uniqueness

Uniqueness Score: -1.00%

Function 02907811, Relevance: 1.3, Strings: 1, Instructions: 44COMMON

Download Yara Rule

Strings

Huir, xrefs: 02907843

Memory Dump Source

Source File: 00000007.00000002.596310699.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID:
String ID: Huir
API String ID: 0-669697419
Opcode ID: 308a42454ba45879acace3d01a3fc7f4575de64dfe367bc62d4fdef5929cbb76
Instruction ID: 663c7c2b4928d6ee17117d7d4ae7d9a368701db6415f929dfdc4db93e30800ee
Opcode Fuzzy Hash: 308a42454ba45879acace3d01a3fc7f4575de64dfe367bc62d4fdef5929cbb76
Instruction Fuzzy Hash: 80F0F4717082105BCB44AAEC98C1ABCBB96ABC1270768466EE506CB2D5EE58DC01C366

Uniqueness

Uniqueness Score: -1.00%

Function 02904710, Relevance: 1.3, Strings: 1, Instructions: 43COMMON

Download Yara Rule

Strings

X1kr, xrefs: 02904747

Memory Dump Source

Source File: 00000007.00000002.596310699.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID:
String ID: X1kr
API String ID: 0-844551562
Opcode ID: a0abf8af5a67e88afa18240254c60d7ef396c1956566c5e4229391f09a051eb8
Instruction ID: 2503f10f810cc8b5d79398b13e752d3478d63ce36a284fe81a63cd36ba077fd7
Opcode Fuzzy Hash: a0abf8af5a67e88afa18240254c60d7ef396c1956566c5e4229391f09a051eb8
Instruction Fuzzy Hash: 10F02B323002545FCA2927F9A4403BE32DA8BC5761F54043FE606C77C0DD26E8419791

Uniqueness

Uniqueness Score: -1.00%

Function 02907820, Relevance: 1.3, Strings: 1, Instructions: 40COMMON

Download Yara Rule

Strings

Huir, xrefs: 02907843

Memory Dump Source

Source File: 00000007.00000002.596310699.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID:
String ID: Huir
API String ID: 0-669697419
Opcode ID: 1553a5f16c0139bd72dd14b68c7116c21a32fb8139fb553640483536f9c56b12
Instruction ID: 2a351e7b1c4dc18cba511b35efa4248ce4dc35688cc3e6563cabeec2ff9aa53c
Opcode Fuzzy Hash: 1553a5f16c0139bd72dd14b68c7116c21a32fb8139fb553640483536f9c56b12
Instruction Fuzzy Hash: D0F0B43170811457CA447AADA8C0ABDBA8AABC5670764472EE51A8B3D5DE50AC01D3AA

Uniqueness

Uniqueness Score: -1.00%

Function 029063B8, Relevance: 1.3, Strings: 1, Instructions: 28COMMON

Download Yara Rule

Strings

lir, xrefs: 029063D6

Memory Dump Source

Source File: 00000007.00000002.596310699.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID:
String ID: lir
API String ID: 0-3872640509
Opcode ID: 2397509954ded76afe1e8848ab0147d2c73e984f5834e1445f9f0265773ab6b0
Instruction ID: 51e5efebd2918c7221e29c314c43341dd843fc3bc56b2869f9572e2463988ea5
Opcode Fuzzy Hash: 2397509954ded76afe1e8848ab0147d2c73e984f5834e1445f9f0265773ab6b0
Instruction Fuzzy Hash: 35E0DF3070A2542FCB166F79AC04ABF3B9C5E8175070505AAE402DA2D2CE194D1783E5

Uniqueness

Uniqueness Score: -1.00%

Function 029063C8, Relevance: 1.3, Strings: 1, Instructions: 20COMMON

Download Yara Rule

Strings

lir, xrefs: 029063D6

Memory Dump Source

Source File: 00000007.00000002.596310699.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID:
String ID: lir
API String ID: 0-3872640509
Opcode ID: d2bd1ebd26ff99f7f0cafce75282989bfe9baaaff1e48abf391397327eca7b93
Instruction ID: ac1bdbc42280fd7ccee97ca820157e3a09d25dcd1c21a3beeae32e18f87f9528
Opcode Fuzzy Hash: d2bd1ebd26ff99f7f0cafce75282989bfe9baaaff1e48abf391397327eca7b93
Instruction Fuzzy Hash: 0DD0A735705118278A047E7E9C04B7F374D9FC0A50705046EE506C63C0DE119C0253DD

Uniqueness

Uniqueness Score: -1.00%

Function 0290F4E0, Relevance: 1.2, Instructions: 1186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.596310699.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fda78dba343f7706072ea71d34422453ca2704f9553d0e383eb3f73ce9329b3
Instruction ID: 9490b2867bef5ceaed658ef00f4fe4d28431209d19f343e875d44dd5cb89bf36
Opcode Fuzzy Hash: 7fda78dba343f7706072ea71d34422453ca2704f9553d0e383eb3f73ce9329b3
Instruction Fuzzy Hash: 5B619D31A051099FCF34DFA8D4C0A7DB7F6AF84310F15856AE8059B6A1DB34EE81CB52

Uniqueness

Uniqueness Score: -1.00%

Function 02908102, Relevance: .3, Instructions: 280COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.596310699.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a9cfca382818f94f9407c3a630bf5824bfd7c1bdd687a1fe7485587831f0d78
Instruction ID: f9f38eb95615b52df5c546901070e866c082f416fefe38a5fedd3bb02551a23c
Opcode Fuzzy Hash: 2a9cfca382818f94f9407c3a630bf5824bfd7c1bdd687a1fe7485587831f0d78
Instruction Fuzzy Hash: BFB1E534700605CFC725DB29C594A6ABBF6FF84310B54CAA9D85ACB795DB30EC42CB51

Uniqueness

Uniqueness Score: -1.00%

Function 029064D0, Relevance: .2, Instructions: 241COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.596310699.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b79e04b75fd46cb3ae963901bce67d4c458a0e93238246c632fa1d331fa2fd9
Instruction ID: 918844906be5578f7d0cb25e9c24ee532bf7885ac9d7261bb8c2fbdf617adb3c
Opcode Fuzzy Hash: 1b79e04b75fd46cb3ae963901bce67d4c458a0e93238246c632fa1d331fa2fd9
Instruction Fuzzy Hash: 5B81AD31A00619CFDF15CF14C890ADEB7B6AF85304F0584A5D90AAF295DB71AE96CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0290B190, Relevance: .2, Instructions: 231COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.596310699.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9692e8c0dee19e2e935bce192bc73a7affdcadfe82bad8161e2554cc7158561
Instruction ID: 84941e6858f440f1f04a0c15f65d0f8fb30b1cefb5270dddca2c6ff8380c6c52
Opcode Fuzzy Hash: d9692e8c0dee19e2e935bce192bc73a7affdcadfe82bad8161e2554cc7158561
Instruction Fuzzy Hash: 4E81B1307006158BD704EB68C895BAEBBB7FFC4314FA0866CE2069B695DF749D0297D2

Uniqueness

Uniqueness Score: -1.00%

Function 02904DB8, Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.596310699.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b4c1a64493d2002263981f9ea801991c8c54846bd78de92868472e8d6ea4c64
Instruction ID: f5d4a91cc4d096216faad9cd38041235e308416fa0874aa82f63c1149cf2eb6c
Opcode Fuzzy Hash: 2b4c1a64493d2002263981f9ea801991c8c54846bd78de92868472e8d6ea4c64
Instruction Fuzzy Hash: DD61B331604249CFC705EB68D4D497E7BE6FBC43107149976E6068B7EADB30AC46CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0290EBC8, Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.596310699.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e12cd78e2c7db770dfe07c86bd1a0e69c25b678c1054d7d4a378754f39ca277e
Instruction ID: 8dd2a533c66e8c7495fb78b8e3aad055041063872ed0f92a89500e747a6a5cc8
Opcode Fuzzy Hash: e12cd78e2c7db770dfe07c86bd1a0e69c25b678c1054d7d4a378754f39ca277e
Instruction Fuzzy Hash: 98712A35A00609DFDB19CF68C4D4BAEBBF5FF88314F148869D496A76A1CB31E881CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0290EB57, Relevance: .2, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.596310699.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 276bec8540376622e372748038cc00e73bc0ca1d14492e7c81eb6e7e7127493d
Instruction ID: f7be365e74d2495c30b6c3f3e213f2434c6aa6547675ba886da3a107ceb69426
Opcode Fuzzy Hash: 276bec8540376622e372748038cc00e73bc0ca1d14492e7c81eb6e7e7127493d
Instruction Fuzzy Hash: 2D51B431A0460CDFDB25CB69C4C8BAABBF5EF88314F148D69D496976A1CB71E881CB50

Uniqueness

Uniqueness Score: -1.00%

Function 02907988, Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.596310699.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fb36411efea61cde8c6a8d5a58148d1ab08c69205c57bd84c942b936b1ca1cd
Instruction ID: e6dab55aa280827844c798a4c3eb1414d989294b09a36401a1fc941a43829bac
Opcode Fuzzy Hash: 2fb36411efea61cde8c6a8d5a58148d1ab08c69205c57bd84c942b936b1ca1cd
Instruction Fuzzy Hash: C1310631A0021DCFDF11CF55C8946DABBB6AF85314F5184A4D909BB245DBB07B8ACF90

Uniqueness

Uniqueness Score: -1.00%

Function 029075D8, Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.596310699.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 827ba7e140a51a2a5e7bec4c5fb793033382e3a42fafdc1c663ba0f47a02fc68
Instruction ID: e157aaced8f51ba030c6d124dc8879222d18a7a58ba235ff487c942ef11f90a7
Opcode Fuzzy Hash: 827ba7e140a51a2a5e7bec4c5fb793033382e3a42fafdc1c663ba0f47a02fc68
Instruction Fuzzy Hash: 17512F31B002188FCB18DBBDC4946AEB7F7AFC4714B258569C406AB395DF31AD41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02908588, Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.596310699.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5639b54a14dd614a8001f95419f180c8bb8e992ee115b393323de59de7481206
Instruction ID: 003ba5f2ed8e53be02b89b4c2d273eba3a71036706c5b421b7456b164d0299f6
Opcode Fuzzy Hash: 5639b54a14dd614a8001f95419f180c8bb8e992ee115b393323de59de7481206
Instruction Fuzzy Hash: F051E6B5E00618CFCB15DFA8C984A9DBBF1FF48314F20896AD85AA7394EB316945CF50

Uniqueness

Uniqueness Score: -1.00%

Function 02900682, Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.596310699.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e90f194c0fa746f82276b84ecd592005691c75963a2b7fd8f8ef06ba0b3cf705
Instruction ID: 4afe34ad79516c2b5b9dd2873c52947c369fb9f3ff2d214a006231ab4142791b
Opcode Fuzzy Hash: e90f194c0fa746f82276b84ecd592005691c75963a2b7fd8f8ef06ba0b3cf705
Instruction Fuzzy Hash: 56413631608254CFC7047B79ED5DBAE3BA6EF80712B184A6AF902C62B1DF754C419F92

Uniqueness

Uniqueness Score: -1.00%

Function 02907FC2, Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.596310699.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96a4d7c9f20220477e92484a3cf3837198fe172cace02eab3d30b9aa9982cbd6
Instruction ID: b8e8fa4e810d1dd4f2f721e48e1552c7b2cbaa49badf046c5483341961f90def
Opcode Fuzzy Hash: 96a4d7c9f20220477e92484a3cf3837198fe172cace02eab3d30b9aa9982cbd6
Instruction Fuzzy Hash: 31511930B00219CFDB14DB78C594BADBBF6BF85344F6046A9D80ADB795DB319841CB61

Uniqueness

Uniqueness Score: -1.00%

Function 02900BC0, Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.596310699.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 915d7ec64633766db9e91ede95153a3f1fa69d6a1427c3cc8a9910683b2f18f4
Instruction ID: c1cc328d8159b580cc321a248000877b6208438bd7a7d6ef316a5c830b21ea2c
Opcode Fuzzy Hash: 915d7ec64633766db9e91ede95153a3f1fa69d6a1427c3cc8a9910683b2f18f4
Instruction Fuzzy Hash: 47419331B041188FCB159F28C454BAE7BE6AFC5310F15846AE907EF2E1CEB29C0AC791

Uniqueness

Uniqueness Score: -1.00%

Function 02905920, Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.596310699.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8af229dc9a924bafa895fcec3331400953d4aae96905ff80f1b6eb511efac605
Instruction ID: d9e2ce1773be4dda9e4ccbd3e0b4b3d5b6ce8b2f3140b158ee16fa5d05d0a9ef
Opcode Fuzzy Hash: 8af229dc9a924bafa895fcec3331400953d4aae96905ff80f1b6eb511efac605
Instruction Fuzzy Hash: AA417F31F052098FEB046776D89873E26ABBFC4610BD68869E816D73D5EF34C8058FA1

Uniqueness

Uniqueness Score: -1.00%

Function 029087C0, Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.596310699.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ad824596e7df4a4738da5204264a5501e515ea6c8e38501fba6b58f088ef49c
Instruction ID: 0f5adcb27039c79d1dac6f8ec003c0686a862c8ce14aa38c70981afed08465a6
Opcode Fuzzy Hash: 2ad824596e7df4a4738da5204264a5501e515ea6c8e38501fba6b58f088ef49c
Instruction Fuzzy Hash: 0C41D075B0010ADFC700CFA8C588AAEFBB4FF48314F208676D9259B691D731E846CB95

Uniqueness

Uniqueness Score: -1.00%

Function 02900690, Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.596310699.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c5d9443b5538361b7b319aba976496420dc1efeb25a5baff5f4402ab4e8eda4
Instruction ID: 6190a6fd4406569330bd90b2299b435cd4f8c1fc9713677dd4a0624f2017339d
Opcode Fuzzy Hash: 0c5d9443b5538361b7b319aba976496420dc1efeb25a5baff5f4402ab4e8eda4
Instruction Fuzzy Hash: 3041F531608204CBC7047B39ED5DB6E3AAAEF80712B184A69F902C62B5DF745C419F96

Uniqueness

Uniqueness Score: -1.00%

Function 02907158, Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.596310699.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b4494955f73d629a7974d783980e13dadfc304a661007007936246b6706436a
Instruction ID: c80c25c0c93da7841051ab9402d28cb525a969e6f0b076dff0a4f44db30f80e2
Opcode Fuzzy Hash: 1b4494955f73d629a7974d783980e13dadfc304a661007007936246b6706436a
Instruction Fuzzy Hash: 5A41BF36A01200CFC719AB69E49456E7BB6BB8C7013644179E806DB386CB369C55CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 02907168, Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.596310699.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 667af3580d7c53236584c8c78a13789c8f87f2cf8f1906cb84c9591c51727b6f
Instruction ID: d538efbe84aeec24b5eaae29d569da4e507e93e15c36766142d8318cdfc78a73
Opcode Fuzzy Hash: 667af3580d7c53236584c8c78a13789c8f87f2cf8f1906cb84c9591c51727b6f
Instruction Fuzzy Hash: B5418D36B01200CF8B19BF69E09456E7BA6BB8CA113644178E90AD7386DB369C55CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0290A918, Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.596310699.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02819326782db5977035c6646303f2a7707cd728cc431489bc5218e31d7a808f
Instruction ID: 26a47f9f2b828e8f76d774c3c30b0aa08db58ec430ec20e6e61f038656efb44c
Opcode Fuzzy Hash: 02819326782db5977035c6646303f2a7707cd728cc431489bc5218e31d7a808f
Instruction Fuzzy Hash: C841DE70B002058FC7249B69C4D476EBBE2FF85300F618929D65A8F785DB78D882CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0290B530, Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.596310699.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de6b690853e49dbe459945e1ba6bc27bb43d7bc12abee198d9ccc7efeb53a99a
Instruction ID: 8f02c61c38b806035a02d3ae028103ac320481e15c8a4d633611f212fc6b7569
Opcode Fuzzy Hash: de6b690853e49dbe459945e1ba6bc27bb43d7bc12abee198d9ccc7efeb53a99a
Instruction Fuzzy Hash: 9D31F871A006698FCB14DBA9D5916AEBBF6FF88314F20442AE446E7780DB34EC41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0290A950, Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.596310699.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0931d24200db754785994e50e24fcd46540e133f6b98ce20e2fe6b95fbe75e2b
Instruction ID: 84d4cddab1ec74f47818a76b96f6634e3f10f84735bc65ef4d60c2358d20e7be
Opcode Fuzzy Hash: 0931d24200db754785994e50e24fcd46540e133f6b98ce20e2fe6b95fbe75e2b
Instruction Fuzzy Hash: FE418D70B002058FC7189B69C4D472EBBE6FF85310F618A69D25B8F785DB79D882CB91

Uniqueness

Uniqueness Score: -1.00%

Function 029002DA, Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.596310699.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc694a23a42d300ce5a864d8cd14e2a114ea2bd4c4c7ee01f82ea6f262603781
Instruction ID: d7ae44fc5125de0df4f431deb342d9c1e0325ffd2a25d232c87afd4f219ee992
Opcode Fuzzy Hash: dc694a23a42d300ce5a864d8cd14e2a114ea2bd4c4c7ee01f82ea6f262603781
Instruction Fuzzy Hash: 4F414630A05209CFDB59CF68C5A4BAEBBB6EF89710F14446DD506AB3E0EB71AC40CB51

Uniqueness

Uniqueness Score: -1.00%

Function 0290E628, Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.596310699.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e98e2a7d933b45969c95ce645dd38d6c65a699486f98af389e7b9f373bcd4ba3
Instruction ID: 06969d6734b8b6e3676bc678b45a201b72eac0c5f1a8dedfafb32599a6517192
Opcode Fuzzy Hash: e98e2a7d933b45969c95ce645dd38d6c65a699486f98af389e7b9f373bcd4ba3
Instruction Fuzzy Hash: 67317E71A01208DFCB14DFA8D584BAEFBF5BB88310F248969D449A7392DB35D842CB90

Uniqueness

Uniqueness Score: -1.00%

Function 02905B51, Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.596310699.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 353982edf88ba35f467c87582e85dbe2a4adc7c03834812cc5e0cab4e4ab5bc2
Instruction ID: d3642733f9d8b3636440c63cc0809f5840065fb2ce8549b594df2532e19e6577
Opcode Fuzzy Hash: 353982edf88ba35f467c87582e85dbe2a4adc7c03834812cc5e0cab4e4ab5bc2
Instruction Fuzzy Hash: 3D21D271B051185FCB08ABB988905FEBAEBABC9310B95453ED407E73C1EE358D018FA1

Uniqueness

Uniqueness Score: -1.00%

Function 029075C8, Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.596310699.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16a8cfa7cf0cb5ef7c55d69ee95621be97ebe0821417eee8183004e3b926c44e
Instruction ID: e6146547924a982c1b334e9e7fa74ed7999db6ab8bdf1f5c9f40231b4b7d9ab6
Opcode Fuzzy Hash: 16a8cfa7cf0cb5ef7c55d69ee95621be97ebe0821417eee8183004e3b926c44e
Instruction Fuzzy Hash: DE314F31E042488FCB04DBBDC4949EEFBF6AF88314B148569C856AB395DB31AD06CB91

Uniqueness

Uniqueness Score: -1.00%

Function 029045C8, Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.596310699.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5660454158210673142f79c19854b23e888551954e195ab5194d5ee1cc1d5e9e
Instruction ID: 055c870a7c00a62fd511f1dfe408ada7becc85db31e77fbc5cfc231edbb28c7e
Opcode Fuzzy Hash: 5660454158210673142f79c19854b23e888551954e195ab5194d5ee1cc1d5e9e
Instruction Fuzzy Hash: D7214D71B0011D9FDB04DAE9D9C1BFFB7BDAB88204F20552AE719D3284FB70991587A1

Uniqueness

Uniqueness Score: -1.00%

Function 0290EEB8, Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.596310699.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 362210c8a8a532aa582a32e94b250d80e99ec2fcf99aa560477d4bd520eaff1b
Instruction ID: 4b7e8097453e062b97b1d28364425fc37e20b705d9fd1bbb05e9ec371ce8a083
Opcode Fuzzy Hash: 362210c8a8a532aa582a32e94b250d80e99ec2fcf99aa560477d4bd520eaff1b
Instruction Fuzzy Hash: 53410730905B59CFD339CB2AC594766BBE2AF85309F14CC7ED1D686AE0DB76A441CB00

Uniqueness

Uniqueness Score: -1.00%

Function 0290E8A7, Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.596310699.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b72b428b3240a477141ff6753cf494a566d5903f95f7903d7a8acdf635a4bfbb
Instruction ID: e77e93d072ac4f2f1682b1ea3b59621dc7241cd628ed245326066bede3acba37
Opcode Fuzzy Hash: b72b428b3240a477141ff6753cf494a566d5903f95f7903d7a8acdf635a4bfbb
Instruction Fuzzy Hash: DA315C70B00708CFCB54DFA9C5816AEBBF6AF88300F608829E556A7790DA75DD42CB51

Uniqueness

Uniqueness Score: -1.00%

Function 029050E0, Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.596310699.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7340926cccf0be30bf0f92d6fa1630cdf0be5f2c095a728bfb25b78cdd258e7
Instruction ID: ebc155faf8104f6d1dda64abadecf979accb5e9eedc0f9489b5372e4742b9236
Opcode Fuzzy Hash: d7340926cccf0be30bf0f92d6fa1630cdf0be5f2c095a728bfb25b78cdd258e7
Instruction Fuzzy Hash: 29215E71A003099FEB44DFA9C4546AEBBF6BFC8300F554529D506AB395EB70AD46CF80

Uniqueness

Uniqueness Score: -1.00%

Function 02900007, Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.596310699.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f893832efa8bd82da367c0d92c825970b91bcf5e30cf2290ef6c2e5e696bdcef
Instruction ID: 840f40bd14e70aff56e3118218d14166602d7df66a85cacf3b28333f306979f6
Opcode Fuzzy Hash: f893832efa8bd82da367c0d92c825970b91bcf5e30cf2290ef6c2e5e696bdcef
Instruction Fuzzy Hash: 5731523064E3C5CFCB06AB74D8A5A597FB1AE42310B0549DEE481CB2A7D7744C45D713

Uniqueness

Uniqueness Score: -1.00%

Function 02905831, Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.596310699.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79033063e6b18c1f036072aee3e84911c5f5a5f779260a5ec986c0171857ae66
Instruction ID: 461204f90000a2cce96fa13b72f9d837caf0131488f8af3fb12bd79ae1e60670
Opcode Fuzzy Hash: 79033063e6b18c1f036072aee3e84911c5f5a5f779260a5ec986c0171857ae66
Instruction Fuzzy Hash: CB21E531B050089FDB08A7B9D8909BFBBABBFC8314B92457AD8179B291DD714D048BA1

Uniqueness

Uniqueness Score: -1.00%

Function 0290E43C, Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.596310699.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 525a2e3a9486b37e6fa41387dcea5d4d210d9bfba117c97f6c6e239e43785d25
Instruction ID: 602acdd49aa24166a7c6c8b7c4a8b4a54ba2e46b5660e0293a1fb5efe1e865dc
Opcode Fuzzy Hash: 525a2e3a9486b37e6fa41387dcea5d4d210d9bfba117c97f6c6e239e43785d25
Instruction Fuzzy Hash: 5E313A313003028FC759A778C45066E7BE3AFC13187A4892CE5469F758DEB6ED039B84

Uniqueness

Uniqueness Score: -1.00%

Function 029043D0, Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.596310699.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc517c15d3be46aae9bc9c5d5b56624010629550a15e73c6c6669516bdb3f69b
Instruction ID: f987b5c794fec2efde6c3d3018ba5fd728771ff20b6c0bda1795e67d24ec2a97
Opcode Fuzzy Hash: bc517c15d3be46aae9bc9c5d5b56624010629550a15e73c6c6669516bdb3f69b
Instruction Fuzzy Hash: 4F318F36600105CFCB00EF68EC849AE7BB6FF843147148569E5169B37ADB31A955DF50

Uniqueness

Uniqueness Score: -1.00%

Function 02908B08, Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.596310699.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbc5ed2d84faf63b607f3240e8bea6efed63076d001f1ff6a282161c0c8311b6
Instruction ID: f3ac686aa88affd94174863ac24075d7631e7d91b51c9395864e5ec3a86059cf
Opcode Fuzzy Hash: fbc5ed2d84faf63b607f3240e8bea6efed63076d001f1ff6a282161c0c8311b6
Instruction Fuzzy Hash: 33318E31B14204CFC758AB78E89956E3BB6BB84311764896EE007CB394DF388C42CB55

Uniqueness

Uniqueness Score: -1.00%

Function 02908C90, Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.596310699.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cab7ead8d467f2ed09b9e57aa8480fcfe27eb7589cedbdcea304159ef3c1017e
Instruction ID: ddec135720851d0cc21ce49d1daa8e7485de24220d8aea3795a52bb5ed88eba6
Opcode Fuzzy Hash: cab7ead8d467f2ed09b9e57aa8480fcfe27eb7589cedbdcea304159ef3c1017e
Instruction Fuzzy Hash: 7D316D30A08249DFCB44DFA4C5956FDBFB0FF55300F208AAAD402DB291D7388A45DB62

Uniqueness

Uniqueness Score: -1.00%

Function 029055E8, Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.596310699.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2d19f87f7f1cadff010887607bfae6149fa1e07fa02c87361a9273189e95b30
Instruction ID: 6e54c73637402028b86e6f15b3858112c52dfa4306fda601e88fec2b4f9568c8
Opcode Fuzzy Hash: a2d19f87f7f1cadff010887607bfae6149fa1e07fa02c87361a9273189e95b30
Instruction Fuzzy Hash: C2210330B00209CFDB14AFB8C4947BE7AE6BB88710F1A046AE502EB3D0DEB14D45CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0290AB00, Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.596310699.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66d8b022053cf0b2a20a678aca374e9336355dfeb4623cafa3f80775281fc3bd
Instruction ID: dc8ae550cc0fcbea4897901eb3c6b0e218cec17afd56d15afe289ca3021f408f
Opcode Fuzzy Hash: 66d8b022053cf0b2a20a678aca374e9336355dfeb4623cafa3f80775281fc3bd
Instruction Fuzzy Hash: 61212171B103099FCB14EF74D881AAEB7B7AB84750F10497DE517AB294EB70A805CBE4

Uniqueness

Uniqueness Score: -1.00%

Function 029050D0, Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.596310699.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 704cdd477c6a8d91644dcfd06d7ed024ee25630b27693145f9953d5f7db01e30
Instruction ID: 67346b1350343229ceb99f3840c561e01725e475a1580c311c6831ef508116df
Opcode Fuzzy Hash: 704cdd477c6a8d91644dcfd06d7ed024ee25630b27693145f9953d5f7db01e30
Instruction Fuzzy Hash: 7D218B71E043199FEF00CFA8C844AEEBBB2EF88310F514525D609AB290D7705A4ACF90

Uniqueness

Uniqueness Score: -1.00%

Function 02905B60, Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.596310699.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cabab86f528bea65104ec40be7e9ed7c27e84a7492673f682d41f51ec0211e5e
Instruction ID: 4d82b99f2d3337166148cbe03dd13b185a1882e9b16b7233decb7fa8daec49ba
Opcode Fuzzy Hash: cabab86f528bea65104ec40be7e9ed7c27e84a7492673f682d41f51ec0211e5e
Instruction Fuzzy Hash: 1D218471F041189FCB089B7984905BEBAEAABC8610F55483ED407E73C1ED35DD418FA5

Uniqueness

Uniqueness Score: -1.00%

Function 029021E9, Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.596310699.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01bcdd11aa7094fa5c3bbccbd7effc1b3e1cee7d3dc286e8b31483f311ee0f1b
Instruction ID: ff3d1e1ccc6b36d2c09a209bc1f059acce023ec9bf1cac65703327afa6b9057d
Opcode Fuzzy Hash: 01bcdd11aa7094fa5c3bbccbd7effc1b3e1cee7d3dc286e8b31483f311ee0f1b
Instruction Fuzzy Hash: 06311A70D0820DDFCB88DFE8C5897AE7BB1BB49304F1045AAD802972A5D7358A45CB52

Uniqueness

Uniqueness Score: -1.00%

Function 029090A6, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.596310699.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b02e34d06734f3f4a0e06608b3396034992ad25a62d2334a6a40575cbddcddac
Instruction ID: fbed3709df2d839bede070eec8d51b79df7633fa610d82fc5fd1ef49db9d2dc6
Opcode Fuzzy Hash: b02e34d06734f3f4a0e06608b3396034992ad25a62d2334a6a40575cbddcddac
Instruction Fuzzy Hash: AC315A30A10249CFEB60DF65C48979DBFB6BF84714F20C529D4059B395DBB89886CF81

Uniqueness

Uniqueness Score: -1.00%

Function 029025DE, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.596310699.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2bcfe8dc8187ae57f6866e5e1f5ce51ca77cd5283272c4519b66ef222fffc5a4
Instruction ID: 7b07710398bf228d412899eae28b146785f7a04bff460d71bf38290d0e163808
Opcode Fuzzy Hash: 2bcfe8dc8187ae57f6866e5e1f5ce51ca77cd5283272c4519b66ef222fffc5a4
Instruction Fuzzy Hash: E1318E70E0024ACFDB60DF65D88875EFBB6BF84318F14C629C4059B2A5DBB49989CF41

Uniqueness

Uniqueness Score: -1.00%

Function 0290D876, Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.596310699.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a9d26a30d2692a5f1599384c7f29aab562c441ff3b1b14f917d175fe215564a
Instruction ID: 214358891f0ce273b1e59edfca43ed39710aaaf0b4edeb261ccfad6d712a2c99
Opcode Fuzzy Hash: 0a9d26a30d2692a5f1599384c7f29aab562c441ff3b1b14f917d175fe215564a
Instruction Fuzzy Hash: 8F2106717003118BCB48AF28E41555DBFA1AB8631836488BDE5099F356DF76D80BDF90

Uniqueness

Uniqueness Score: -1.00%

Function 0290B520, Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.596310699.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a276033654bf9821819adc60f88eb40f9a5fd55badfa8d3d4c575626d7c58ac
Instruction ID: 1306afa3ff7fda6f74af8bbee381e51d2d655e888245dafb979e20a8ff91b3e9
Opcode Fuzzy Hash: 3a276033654bf9821819adc60f88eb40f9a5fd55badfa8d3d4c575626d7c58ac
Instruction Fuzzy Hash: DC21A1B6E106298FCB14CA99D8956AEFBB6FB89314F204529E856E3340D7349811CB90

Uniqueness

Uniqueness Score: -1.00%

Function 02905840, Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.596310699.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc9cf5edd6113e4a1b9a7037153947541be80321235d276181d8733bf1b64389
Instruction ID: e4608322b0ae3a98b0c2759382ec7702b19faf4e4512249a3dcd27ce1628d91e
Opcode Fuzzy Hash: cc9cf5edd6113e4a1b9a7037153947541be80321235d276181d8733bf1b64389
Instruction Fuzzy Hash: A2118E31B101089FDB08A7BEC89497FBAEBAFC8714BD1493998179B3D1DD719C008BA1

Uniqueness

Uniqueness Score: -1.00%

Function 0290AAF0, Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.596310699.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c57de8407839d6bd0f27988517ef458170a0eb6e1915c2d72e892e4b25231fa
Instruction ID: 3b42d465805fa75315ea5e835087d2499407a6c92c26720b0d7d0478e79a71ee
Opcode Fuzzy Hash: 9c57de8407839d6bd0f27988517ef458170a0eb6e1915c2d72e892e4b25231fa
Instruction Fuzzy Hash: D4116371B143189FCB14DA75DC81BAEB7B6AB84750F14496EE603EB2C4EB70980187E4

Uniqueness

Uniqueness Score: -1.00%

Function 029021F8, Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.596310699.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52344245c0524fba809a2954d1d1152b30d15e147ef720fbf54986fd7326efea
Instruction ID: 9c703dfb917fcd53226c52ce5d723aa68aedb51be7eb7171a153e50dc91dccfb
Opcode Fuzzy Hash: 52344245c0524fba809a2954d1d1152b30d15e147ef720fbf54986fd7326efea
Instruction Fuzzy Hash: 12210C70D0820EDFCB48DFE8C5897BEBBB5BB48304F50456AD802972A1DB319A44CB52

Uniqueness

Uniqueness Score: -1.00%

Function 0290E750, Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.596310699.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e15636716418037bce910e8789b0cd5307220c8108aae96b8b440520124a709
Instruction ID: 3e27fc8f8a3bb6cfbbf6ebd8d51f57888a3565cf3a78f0af5106524ea436b344
Opcode Fuzzy Hash: 9e15636716418037bce910e8789b0cd5307220c8108aae96b8b440520124a709
Instruction Fuzzy Hash: E8214275A0011CDFCB54DF68C591ABEB7F5AB88710B20885ED64697280D735BD01CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02905000, Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.596310699.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ccd0e1ecf5e9dcafb5167fd80ec302aec4fa19443771bb9185da9ef054827574
Instruction ID: 3bd365070d02d96ed789ae02d57034327a70684b95d984d27df58739b6eb3cad
Opcode Fuzzy Hash: ccd0e1ecf5e9dcafb5167fd80ec302aec4fa19443771bb9185da9ef054827574
Instruction Fuzzy Hash: EF117232A00119CFCB44EBB9989076E7BF5AB84610B958579C91A973C5EF309D02CFE5

Uniqueness

Uniqueness Score: -1.00%

Function 029048C8, Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.596310699.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b8f9f1c93703aa648c259430d0e4f3f35c7a961d058fdb40297ca98061c0917
Instruction ID: 91c71a80bb90e570c6df0895a44ca810be98d5d37247ce6f5fbd6168d09fb977
Opcode Fuzzy Hash: 6b8f9f1c93703aa648c259430d0e4f3f35c7a961d058fdb40297ca98061c0917
Instruction Fuzzy Hash: B111A732F0411D9FCB08DA68D8909FE7B77BFC4B10B045839DA16B7280DD211A068791

Uniqueness

Uniqueness Score: -1.00%

Function 029048B9, Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.596310699.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78022970e2da839c2a93155476388e90286dfd821abc36191dd0426a0870eae4
Instruction ID: 7c9b69c0a8c73b441f973591a6ba500ccb31ca007aa0f7b8684ee6ab098f6d5e
Opcode Fuzzy Hash: 78022970e2da839c2a93155476388e90286dfd821abc36191dd0426a0870eae4
Instruction Fuzzy Hash: 7111A731E05219AFCB08DA64D8909FF7B76BFC5710B05553AE61267291D9201E06C791

Uniqueness

Uniqueness Score: -1.00%

Function 029011DF, Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.596310699.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7165deb4f367ae79bf4b4357ea8f03cf61b92a04b088f83d624fc95a47f29e18
Instruction ID: efffc626fbd020952a8cce3ff77538d5ac78e3ae1a71d5805f3681af2da37fd0
Opcode Fuzzy Hash: 7165deb4f367ae79bf4b4357ea8f03cf61b92a04b088f83d624fc95a47f29e18
Instruction Fuzzy Hash: F51191343091848FC7499B3CD4949A97FEAAF8A300B1901EBE45ACB3F6CA654C09CB52

Uniqueness

Uniqueness Score: -1.00%

Function 02900B18, Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.596310699.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e8d717a2354f5fc685ee5a0f5f2e861852215201cb691e7891ff7792f2a3d53
Instruction ID: d45f6f3c27c5717b0a864fe2668ad8bd758c8168da89903102cf8a24aceab623
Opcode Fuzzy Hash: 7e8d717a2354f5fc685ee5a0f5f2e861852215201cb691e7891ff7792f2a3d53
Instruction Fuzzy Hash: 7A11AD31F5822DEECF20567488C1B6E62A99B44A89F208C6ED807EB2C0FF20C900D791

Uniqueness

Uniqueness Score: -1.00%

Function 0290E740, Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.596310699.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf215031df5299ec729c4e430c4e8f4b9f5424a7aec755d88b967cfcee6491a9
Instruction ID: ce74e6d3fb4704d717c31faa180b8ba98a2dc839519a4e3bd35746fafcdd4926
Opcode Fuzzy Hash: cf215031df5299ec729c4e430c4e8f4b9f5424a7aec755d88b967cfcee6491a9
Instruction Fuzzy Hash: 7911547590510CDFCB54DF58C9C1ABEBBF5EB48710B50885AE685E3281D335BD01CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02904520, Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.596310699.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b34d9beff7e14e8b7a003331d7ab87018ac598cb777cd5bbe3aa23ef247e47b
Instruction ID: a6a5ec3318c08859f3625e6a4739207b5dc66f33955f694ce9773292392b4ca2
Opcode Fuzzy Hash: 2b34d9beff7e14e8b7a003331d7ab87018ac598cb777cd5bbe3aa23ef247e47b
Instruction Fuzzy Hash: 1901CC32E045188FDF08DA59E4402EFB7AA9FC5721F04403EAE06AB3C0DA729D55CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 0290CD68, Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.596310699.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07fb463ef8ebcc62d3ee47a0a0fb85286afe1c806f92746717f2f2ecd9e5f5a8
Instruction ID: 1f171696400590f4e4f5b5ac56f1decd766c13a36d710db83031e7f68b31e960
Opcode Fuzzy Hash: 07fb463ef8ebcc62d3ee47a0a0fb85286afe1c806f92746717f2f2ecd9e5f5a8
Instruction Fuzzy Hash: 15117331B001149FC748EB69C494A6E7BEB9FC8750724816AE806DB391CF32AC12CB95

Uniqueness

Uniqueness Score: -1.00%

Function 02906E88, Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.596310699.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1c7531669a6b5ec013db979114549bbaead16cf9ac1c65d3bf59a88586415c1
Instruction ID: 8152a6522628626b3556dabe22ecf6a4ad0619f7f21700faaf5e229525cf3330
Opcode Fuzzy Hash: d1c7531669a6b5ec013db979114549bbaead16cf9ac1c65d3bf59a88586415c1
Instruction Fuzzy Hash: D4115E32E00218DFDB54EBB8D8917EEBBB9EB84310F50413AD514D6285EB309A158FE1

Uniqueness

Uniqueness Score: -1.00%

Function 02905730, Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.596310699.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45e4e57da857befd16cad3fba7a5a2909a2c0525d116058f44e521c0938d1a24
Instruction ID: 998094da818ba457d76dc307c3527e892cc4a0443bc4a33bd444a988490a2ee0
Opcode Fuzzy Hash: 45e4e57da857befd16cad3fba7a5a2909a2c0525d116058f44e521c0938d1a24
Instruction Fuzzy Hash: B1118F32A05208DFD714DFB5E880ABE7BB9FB84340F60466AD515E6289E7359A41CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0290CE98, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.596310699.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef05f8f604861b418db0e8893cf9fecaef11816dfdb4ed6eada27cb480041cc0
Instruction ID: 783a72ddfda0535486b963a001816a60b6422ef90cc02769492774cfbb255713
Opcode Fuzzy Hash: ef05f8f604861b418db0e8893cf9fecaef11816dfdb4ed6eada27cb480041cc0
Instruction Fuzzy Hash: FD115830308204CFC614A738D4D167E7BA69FC27147948D6EE14B8B681DF76EC42D796

Uniqueness

Uniqueness Score: -1.00%

Function 0290D0E8, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.596310699.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72d5afdee7f02535bda7681209528638b40bbd18ff31f46bb43281a4ae566cb1
Instruction ID: 5cb7f932a17581b02e91cd8ec2b3080b32fa96deabe58fc10bfcd7b790f2c015
Opcode Fuzzy Hash: 72d5afdee7f02535bda7681209528638b40bbd18ff31f46bb43281a4ae566cb1
Instruction Fuzzy Hash: F9111934300605EFC768DA99D890A66F3AAFF88714B14C91DD95A47B90CB71FC52CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0290CA80, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.596310699.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8eb91851b6779d33f21d124b9040f2135f4faa9db62ed405e08b92729ce0284a
Instruction ID: d904f4b5ebca67c144dae96cb63c80f3cd48ffbf93316b950f0eb62b30bd67ce
Opcode Fuzzy Hash: 8eb91851b6779d33f21d124b9040f2135f4faa9db62ed405e08b92729ce0284a
Instruction Fuzzy Hash: 7A11CE317082549FC305BB38E859B2D3BAFEBC9711F1508A9E506DB398CBB49C42C7A4

Uniqueness

Uniqueness Score: -1.00%

Function 0290E149, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.596310699.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca2e7f5e3f7867afbba65ac1f5ba5bfb0ff8a238006f034a583e5d19c088a5d6
Instruction ID: 23925ff7180e778cb415e23fc0acd3ce2cee1926ca3d955d2f900f1c6b71e532
Opcode Fuzzy Hash: ca2e7f5e3f7867afbba65ac1f5ba5bfb0ff8a238006f034a583e5d19c088a5d6
Instruction Fuzzy Hash: C101D4717002149FCB1827B9D859B2F7EDBEBC8764B14493AF406D7781DD758C0287A0

Uniqueness

Uniqueness Score: -1.00%

Function 02904FF0, Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.596310699.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2c70d53af4259010c33cbe4840131be56ded46a8ebd1bd2101b50fdd065f6ec
Instruction ID: 30fabc9ea9035376b0b73d56750ad6c55653556ccea5024b57a2892ad00f311d
Opcode Fuzzy Hash: b2c70d53af4259010c33cbe4840131be56ded46a8ebd1bd2101b50fdd065f6ec
Instruction Fuzzy Hash: 1F01A132E052189FCB40EBB99881BFF7BF5EB44610B85456AD519E3281EB314A01CFE6

Uniqueness

Uniqueness Score: -1.00%

Function 029054F8, Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.596310699.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d665f22d62b26024f808fd5750fa239f343aa76ae6db4f682e783e3b235cba9c
Instruction ID: 5cc8b30cfaa685662ef8ea8dbec538fdf3a6f586ce1ff2ec8bdcf6b1f3ce2895
Opcode Fuzzy Hash: d665f22d62b26024f808fd5750fa239f343aa76ae6db4f682e783e3b235cba9c
Instruction Fuzzy Hash: 7C115132A152048FC754EFB9E885AAF7FBAFB88300B50456AD115D7295DB315941CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 02904789, Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.596310699.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90b86d58e21640e2dc96c410a51bd8b89fe4bda7c0a8d82ebdf6713c45e2e3a9
Instruction ID: 42149adc1dc08c84c96484e02ab666b9fdf6ac91494369e52b924a78afbc3e73
Opcode Fuzzy Hash: 90b86d58e21640e2dc96c410a51bd8b89fe4bda7c0a8d82ebdf6713c45e2e3a9
Instruction Fuzzy Hash: AD016D31E012189FCB54DFB898506FF7BE2EB84310F20453AD509E7280EA344E469BE5

Uniqueness

Uniqueness Score: -1.00%

Function 02908581, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.596310699.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f13feecea13652c14481cde1d08533cf01dece9606b573f9a779e08ac9fb8c01
Instruction ID: ca607e059f31cec471798ea16c227a8d414c746075a24f66ae76d96012dbaa07
Opcode Fuzzy Hash: f13feecea13652c14481cde1d08533cf01dece9606b573f9a779e08ac9fb8c01
Instruction Fuzzy Hash: E311E532A05108DFDB15CBA8D884BEEBBF6FF88300F1045AAD502A72A4D7316E05CF91

Uniqueness

Uniqueness Score: -1.00%

Function 029005B9, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.596310699.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c9b87802de2cf3639c5491479ea7400ebffd0fc86884ecc737c3038179af6b7
Instruction ID: 54cd2315fc4657be7de50cd7c37943d97a69f45f335010619383c36435a996c7
Opcode Fuzzy Hash: 3c9b87802de2cf3639c5491479ea7400ebffd0fc86884ecc737c3038179af6b7
Instruction Fuzzy Hash: 5001D1727081240FCB0A667DA8617BF6B9B9FC6650B68456FE106DB3C1CDA44C0393E2

Uniqueness

Uniqueness Score: -1.00%

Function 02904511, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.596310699.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3baa69193b731c28ec748159adfc494b0536ef55e4e3a5952efa14d3d4439c36
Instruction ID: 95870d0713b79e5d9893908e75808b29c3a94a194a128c9dc01bf2c90d73de22
Opcode Fuzzy Hash: 3baa69193b731c28ec748159adfc494b0536ef55e4e3a5952efa14d3d4439c36
Instruction Fuzzy Hash: F4014132E082488FCB088A2894502BFBBA69FC6310F0441BEE902D73C0CA658C15CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0290238F, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.596310699.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 157f25c4528bd6041a7c760260d23c7b038927bd93dfd0f85331c6bbd645b82d
Instruction ID: d742ef8ee870c4cb17089d1634c870c25aa5891f32bb0b1f4acc3da51abfd3f6
Opcode Fuzzy Hash: 157f25c4528bd6041a7c760260d23c7b038927bd93dfd0f85331c6bbd645b82d
Instruction Fuzzy Hash: 41114C70D0825DCFDB248FA5D9D8AAEBFB1BB44700F10486ED906A7780DB700946CF50

Uniqueness

Uniqueness Score: -1.00%

Function 029068CA, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.596310699.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b17430d8a15be9eceb4d86793a407a9015b820c20aa4929afc6e241748bb4dd
Instruction ID: 3b72695e3631926231d43a928dd672221c96914b2da09800e424e2309ad4a2fa
Opcode Fuzzy Hash: 8b17430d8a15be9eceb4d86793a407a9015b820c20aa4929afc6e241748bb4dd
Instruction Fuzzy Hash: BF01B531E082198FDB145664A894AFE77ED9785760F00056BDD0AD32C1EB254A61CAD5

Uniqueness

Uniqueness Score: -1.00%

Function 02907E20, Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.596310699.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1424ac51c8df4aebe6542ab8b14e7e1e45fc2c14bb5515c23692237b03b3982e
Instruction ID: e36504e6bcf1e63a42a6c8c13cbfba9e97170cf736ca2412072fb1a0529d10f5
Opcode Fuzzy Hash: 1424ac51c8df4aebe6542ab8b14e7e1e45fc2c14bb5515c23692237b03b3982e
Instruction Fuzzy Hash: C301AD30606108AFD7158A94C8A4AFFFBA29B84324F24482DD006EF2E0CB61BD02CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02907E30, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.596310699.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b3cfc18198e142ac27ba9c850b1055ec260da824b4d3f204b89611d2be541fb
Instruction ID: d4510cb997e364cb0f8c5003bef4b6122c02f30c137a0c55794f226c3fc0d0c6
Opcode Fuzzy Hash: 2b3cfc18198e142ac27ba9c850b1055ec260da824b4d3f204b89611d2be541fb
Instruction Fuzzy Hash: CF018031A0510CAFD7249A94C8D46FEFBA59B84624F10486AC117AB6A0CB617D01C791

Uniqueness

Uniqueness Score: -1.00%

Function 02905740, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.596310699.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6b04f875b933a40c1e001e6d9a4377451ab71af3ed0a841479cd9e19dd3c392
Instruction ID: 66399134ddac502d0b190e47d40292e616f595f8afbbed565d0ecce73f9107c6
Opcode Fuzzy Hash: d6b04f875b933a40c1e001e6d9a4377451ab71af3ed0a841479cd9e19dd3c392
Instruction Fuzzy Hash: E1113032A00209CFD714EFB5D5806AE7BB9BB44340FA0456AD515E7285E731A941CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0290A890, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.596310699.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ada6f188c08892e00205a32b57a3fea02a9d95ea2910c3991096047dd2597e8b
Instruction ID: 6eddac41702c43dfed6735e262e1c7c5ef7badaaac4dec5a402c2e6421431a64
Opcode Fuzzy Hash: ada6f188c08892e00205a32b57a3fea02a9d95ea2910c3991096047dd2597e8b
Instruction Fuzzy Hash: D4018831A0420CDFDB188A58C894ABFBBB59B84314F10486ECA17A7680CB71A902DBD5

Uniqueness

Uniqueness Score: -1.00%

Function 0290E158, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.596310699.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db5e62817b4f8c1efe0107971e1d423a43d23f7c299a968c9c8eaffbb74cf975
Instruction ID: 34fdd90875d71e4c691c1a5d64d353e526797b1ba5264c5f77c1fc5d65a500fb
Opcode Fuzzy Hash: db5e62817b4f8c1efe0107971e1d423a43d23f7c299a968c9c8eaffbb74cf975
Instruction Fuzzy Hash: 2201A2317002249FCB182BB9D858A6F7ADAEFC9764B54493AF407C7381DD718C0187A0

Uniqueness

Uniqueness Score: -1.00%

Function 02905508, Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.596310699.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6fe0860c2576dbbe117bf51a08cb2016a099a3db4620a0ca8eaa642bd070252
Instruction ID: 71b5a3ddc227ca797af8927808f3e1c56d97b06933231e1302708513319059cc
Opcode Fuzzy Hash: c6fe0860c2576dbbe117bf51a08cb2016a099a3db4620a0ca8eaa642bd070252
Instruction Fuzzy Hash: 57116132A112088FCB44EFB9E841AAE7FBAFB88300F50456AD115D7395EB319941CFE0

Uniqueness

Uniqueness Score: -1.00%

Function 0290A881, Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.596310699.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e645c427d395d5126d9ca5300bfbfa5eddd25d2d1aff0afe3fe0b6b9abe0216a
Instruction ID: 1ff7326c8b269af8fbe0671fa14fdd29cadd6fd78fe9474726062b1ebba824b3
Opcode Fuzzy Hash: e645c427d395d5126d9ca5300bfbfa5eddd25d2d1aff0afe3fe0b6b9abe0216a
Instruction Fuzzy Hash: D8018C30A0430CDFDB188A64C8D9ABE7BB59B84304F15482ECA17A76C0CBA1A902DBD5

Uniqueness

Uniqueness Score: -1.00%

Function 0290CA71, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.596310699.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01d8cb41f6b81e1cbe560bdc06dbd06f2a83ce454cbef8bf0ced2e85eeaa70b3
Instruction ID: befabf2e5c631306ed9e995bf5f04fde8c0e548646df6adcc3fce41fa46185c3
Opcode Fuzzy Hash: 01d8cb41f6b81e1cbe560bdc06dbd06f2a83ce454cbef8bf0ced2e85eeaa70b3
Instruction Fuzzy Hash: 2B01D4313042549FC701AB3CE489B6D3BEEBB8A315F2544B9E506CB399CB749C42CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0290AF40, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.596310699.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca68ba9053b25fad4ac30c1d0c788cdc7083c82ad51908f82fb14825608f7546
Instruction ID: d545ac57c617f11cbc0ff62960dc336a7271882ef1439c48fb0fd01183d915a6
Opcode Fuzzy Hash: ca68ba9053b25fad4ac30c1d0c788cdc7083c82ad51908f82fb14825608f7546
Instruction Fuzzy Hash: 83014FB2F002099FCF50EBB9A84579EBBF8EB84614F10453AD718D3284EB319504CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 029064C1, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.596310699.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8eff93f0af6be231ee2ee3533020d484d3df3cbc7b3fb4bcd09a15ddf7cbe6c
Instruction ID: 94336543947f2ed63020fd11e50162fae583e9f3b50dfc0dbcec56f704bf275d
Opcode Fuzzy Hash: b8eff93f0af6be231ee2ee3533020d484d3df3cbc7b3fb4bcd09a15ddf7cbe6c
Instruction Fuzzy Hash: 6F01F731E093888FDB11863448609EE7FBA9B86710F4504EBD945DB2DAE7254924C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 029055D9, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.596310699.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a969065526c51270e0be25772172343e9418e71a933ffa442523f6b9eeb4f8dd
Instruction ID: 391b2f10af95969fabb3c87f0ff8a7328f26debc4ec696bcf80b99bfdab31a85
Opcode Fuzzy Hash: a969065526c51270e0be25772172343e9418e71a933ffa442523f6b9eeb4f8dd
Instruction Fuzzy Hash: 50F0C832A051189FCB109A69EC405FFBFB6EB84374F15017BE509D3150EB314E258AE1

Uniqueness

Uniqueness Score: -1.00%

Function 02906E98, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.596310699.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ff26128b4c82a29bf4e86a3546a80b739cdcb8f988d4a86a0282bd52f32af3f
Instruction ID: f434eda4f698172e3b70db0fa9ddf033e39961f41b39ae80df914fc827f9fe9c
Opcode Fuzzy Hash: 3ff26128b4c82a29bf4e86a3546a80b739cdcb8f988d4a86a0282bd52f32af3f
Instruction Fuzzy Hash: 22016272E00108DFDB50EBB9E8417AEBBF8EB84710F10413AD618D3285EB309955CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 02904798, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.596310699.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da3b91da6a85c59bd48a08cbe4d2314f4528ae5c6b5b527bc260b07d22fc4e37
Instruction ID: 9c710b0971393f5efc4aec2267fb58706c59b476dd49ced99df51e8ad91061cf
Opcode Fuzzy Hash: da3b91da6a85c59bd48a08cbe4d2314f4528ae5c6b5b527bc260b07d22fc4e37
Instruction Fuzzy Hash: AB014F31F001098FCB54EFBDC4506AFBBE6EB89350F10443AD509E7280FA354A4697D5

Uniqueness

Uniqueness Score: -1.00%

Function 0290B0B0, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.596310699.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6be975fa03881c2660da1dc5f170023a5363d9d0db0116a22c95f2a097908373
Instruction ID: a5df10429027bdd826149a5959962475935d1d8be2819f3c751dac3697607f24
Opcode Fuzzy Hash: 6be975fa03881c2660da1dc5f170023a5363d9d0db0116a22c95f2a097908373
Instruction Fuzzy Hash: 0B01A231300204DFC740B738E86656D7FB6EB882197588579E60BCB794EF759C038795

Uniqueness

Uniqueness Score: -1.00%

Function 029005C8, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.596310699.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c61f8b287ba259b4c402390b0a3a8291b24177f707ef4a11b84c59746a8cbfab
Instruction ID: 260f32499ced7d8e204aa8233057124548c0182c8ede47263e7736e388812d2b
Opcode Fuzzy Hash: c61f8b287ba259b4c402390b0a3a8291b24177f707ef4a11b84c59746a8cbfab
Instruction Fuzzy Hash: FEF0B4727001240BCA49767DA4517BF628F9BC4A50B98452EE20ADB3C4CEB08C0353E6

Uniqueness

Uniqueness Score: -1.00%

Function 02904700, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.596310699.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8e764c1d48e6f955ae0da38a886116d6d2496b32b13f4ed81c8fd2a8ce852f8
Instruction ID: f58657425e3b445c17196bfc9096e8b5326a876c7891f0f659aa562406142548
Opcode Fuzzy Hash: f8e764c1d48e6f955ae0da38a886116d6d2496b32b13f4ed81c8fd2a8ce852f8
Instruction Fuzzy Hash: 43F08B31309194DFC71246F8A4A07BE37A6DFC6721B1104BFD206CB7D2EA265C01CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0290AF30, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.596310699.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bfbe2c74fc6975bb6e7bfdda53b6e2239da7b8307dd00192b799e8b27ca4bdd9
Instruction ID: c667baa996c1f6082f04d21bad296597537773d757df1acbdc0ac239226cd2dc
Opcode Fuzzy Hash: bfbe2c74fc6975bb6e7bfdda53b6e2239da7b8307dd00192b799e8b27ca4bdd9
Instruction Fuzzy Hash: A5018FB2A003499FCF50EB78E84575EBFF8EB44604F104539DB54D6284EB309604CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 0290809F, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.596310699.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41d0e0b232f8c00f2a417116095c10b12bd9f7b9746574225bcf04db30e95eba
Instruction ID: cf166a0dbd97472ee05d20f77e5de763e647ac83b5e14ae6fc7772989a23c347
Opcode Fuzzy Hash: 41d0e0b232f8c00f2a417116095c10b12bd9f7b9746574225bcf04db30e95eba
Instruction Fuzzy Hash: B2018C74B05248CFCB15EBB4D4905AEBBB6BF85704B6444AAC861AB386DB309802CF91

Uniqueness

Uniqueness Score: -1.00%

Function 02905E20, Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.596310699.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bfe4ef77762b796b9d832b855b0f1c30d6e05d7f57edddd935b302be1047fbf2
Instruction ID: d2d0969d30ff033761a2cdf5a728f805608920ac4919beb1628cb2c20a7bf86a
Opcode Fuzzy Hash: bfe4ef77762b796b9d832b855b0f1c30d6e05d7f57edddd935b302be1047fbf2
Instruction Fuzzy Hash: CFF08171E052199FCB60EFB898896AFBBF9AA84650B91092FD449D3280F63445018BD1

Uniqueness

Uniqueness Score: -1.00%

Function 02901218, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.596310699.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b17e4e1306cbf30987ac1631c557112af3994456f891cd2b60b092dca9565071
Instruction ID: 4f1d6e0502cb3686a22456d2e998499f7890543d2f44203a53c61599fd9ce879
Opcode Fuzzy Hash: b17e4e1306cbf30987ac1631c557112af3994456f891cd2b60b092dca9565071
Instruction Fuzzy Hash: B4013131304014CFC604AB2CD09896D7BEABFC9711B2545AAE50ACB7B5CFB19C09CB81

Uniqueness

Uniqueness Score: -1.00%

Function 0290A681, Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.596310699.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cafabb64f882d13aeceb9e5074b8f629aa2e5921d5557df1e5d6c9e19959ea02
Instruction ID: 23fda381a5c9dcd7f7e0beb89a0b7fb6be81eb3baebf026eda7dab600e54854e
Opcode Fuzzy Hash: cafabb64f882d13aeceb9e5074b8f629aa2e5921d5557df1e5d6c9e19959ea02
Instruction Fuzzy Hash: AFF0C2322092049FCB1566B8F89569D3FB6DBC5329719847EF10BCB781CE669C0387D1

Uniqueness

Uniqueness Score: -1.00%

Function 02908A28, Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.596310699.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1cf876661f28582abca9e5d99b0b687ad86470aa196f499433a5507819e2bf8
Instruction ID: 763e93f12430803578fe1f734d11e7fe9d54e323e27b6f51be962ee0fc4c8681
Opcode Fuzzy Hash: a1cf876661f28582abca9e5d99b0b687ad86470aa196f499433a5507819e2bf8
Instruction Fuzzy Hash: 6101E5B5E05209AFDB44DFA9C480ADEBBF1EF88304F2080AAD814A3385E7345A41CF51

Uniqueness

Uniqueness Score: -1.00%

Function 02905CD0, Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.596310699.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 564f59485fa188b7e561b3a78db08a0b4771353779f68b818b4f14238208f0f1
Instruction ID: 9c3062484cf725ed9096a3f940fff244b1f9b5f378d65b4d0539c0dd912c3617
Opcode Fuzzy Hash: 564f59485fa188b7e561b3a78db08a0b4771353779f68b818b4f14238208f0f1
Instruction Fuzzy Hash: D1F06272E041149FCB54DF7DD88169FBBF5AF89320B55413AD408E3341EB348A118BE5

Uniqueness

Uniqueness Score: -1.00%

Function 0290B0C0, Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.596310699.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca661e8f9a412060a39a69e2aa75c6f00cebb1d11ae0a3a8ecf21f95a0f1749f
Instruction ID: 626e7df6a63d5e47bbe7df9fcb61f71ed89601f749d97e4aeb7957fd3ee0ef47
Opcode Fuzzy Hash: ca661e8f9a412060a39a69e2aa75c6f00cebb1d11ae0a3a8ecf21f95a0f1749f
Instruction Fuzzy Hash: BEF04F31300214CFC750BB79E86546D7BA6ABC83297548979E60BCB394DF719C02C795

Uniqueness

Uniqueness Score: -1.00%

Function 029068D8, Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.596310699.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 891d91f79f968ca7643d4bd39cc25445e5b74c25e72578e05b7d57d9c1a351e7
Instruction ID: 7a9af1a6a2a2a5cef1948e02b69f693fa9ca79a934b75dc5b672cb1fcc6d95f1
Opcode Fuzzy Hash: 891d91f79f968ca7643d4bd39cc25445e5b74c25e72578e05b7d57d9c1a351e7
Instruction Fuzzy Hash: B1F0E231F0421D9F8B1CA269D8A06BF7BEE97C5790F00086BC916D77C0EF205A21C2E6

Uniqueness

Uniqueness Score: -1.00%

Function 029087B0, Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.596310699.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68231e45c4ea73ed8c5b5bb97f56b0d8e22c6f788f64ebacfe9cef76f55f562f
Instruction ID: 91db3787290ec58667e87f6e20a39b4906f2aa309dacd06a736f7c5487dbc823
Opcode Fuzzy Hash: 68231e45c4ea73ed8c5b5bb97f56b0d8e22c6f788f64ebacfe9cef76f55f562f
Instruction Fuzzy Hash: 4BF02430B18249DFC700C77488C08EFBFF0FF98250B1409A7E102DB5A6D234A902CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 029045B9, Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.596310699.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb43e5fbd9f57eef3a37305e981b15e215b65382fa9cc49fd9322995448abb4d
Instruction ID: 394c24404f16c4da5b646d87fdd2975b8665609b97aa62fa228c277718d924fc
Opcode Fuzzy Hash: bb43e5fbd9f57eef3a37305e981b15e215b65382fa9cc49fd9322995448abb4d
Instruction Fuzzy Hash: A4F0BE31E453595FCB50CAA99C45EEBBBF8EB85220F10016EE518D7152E2244A1487A1

Uniqueness

Uniqueness Score: -1.00%

Function 0290CD58, Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.596310699.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7348f4012a966f352d0acae3cc4aae63ef31e2820519c828dca2a82435a71da
Instruction ID: 813191c005d673e36de2575e35790ef12d11c27d16062e25be5e3b33aa28f8d7
Opcode Fuzzy Hash: e7348f4012a966f352d0acae3cc4aae63ef31e2820519c828dca2a82435a71da
Instruction Fuzzy Hash: D8F02B73B450282F8359739E585472F3B9FCBC4A60359422BF805D73C1DD229C1293EA

Uniqueness

Uniqueness Score: -1.00%

Function 02900908, Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.596310699.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b4c80abb3a85cb10ce5a4c687da0dff529a890319f53b4807030d53a0e4e90d
Instruction ID: 9e0446a8cef1da583f0631130173e363639658c777ee54861f74563b753a9776
Opcode Fuzzy Hash: 5b4c80abb3a85cb10ce5a4c687da0dff529a890319f53b4807030d53a0e4e90d
Instruction Fuzzy Hash: 18F0BE30D19248CFD7509FB8C894B6B7BF59F92350B020C6BC98397280D6B44D06CA51

Uniqueness

Uniqueness Score: -1.00%

Function 0290EAD9, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.596310699.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f3bf17a7105e9cbb0f2882e5b94bac13abaa1cb2ea22068e2937e6853f885b8
Instruction ID: 6dde4b4822d4e605b99d6c125a37c3ba38032a9c80af63a2b1c5672ae6828aef
Opcode Fuzzy Hash: 0f3bf17a7105e9cbb0f2882e5b94bac13abaa1cb2ea22068e2937e6853f885b8
Instruction Fuzzy Hash: F4E02B322011146FC714969ED852B9B7F9ECBC27607048C2DE00AC7785DE72EC028391

Uniqueness

Uniqueness Score: -1.00%

Function 02905CE0, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.596310699.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64863f39818b9cfc88f9d8dd30512ff1f1d49343f684a5d0246549e1b9db3791
Instruction ID: 03de84fedd03122c3ed56fe682b26f025a3534b162f412c2ad21720524c0d9ce
Opcode Fuzzy Hash: 64863f39818b9cfc88f9d8dd30512ff1f1d49343f684a5d0246549e1b9db3791
Instruction Fuzzy Hash: C4F03771E001195F8B84EBBD545459FBFFAABC8720B51413BD509E3341EB3099018BE9

Uniqueness

Uniqueness Score: -1.00%

Function 02900918, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.596310699.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed27fc0ff7b16cdaf701384b4dd65c8fcb6bb61c94307f4105e6bc67ee19424d
Instruction ID: 531bee5a524bb448177e58299b57fa24627014274d011af0633d777f816721e3
Opcode Fuzzy Hash: ed27fc0ff7b16cdaf701384b4dd65c8fcb6bb61c94307f4105e6bc67ee19424d
Instruction Fuzzy Hash: 0BE0E532E1521CDF9B105AF9D884BAFBBA9DBD5760F004927DA17A3280D97049018291

Uniqueness

Uniqueness Score: -1.00%

Function 0290E598, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.596310699.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 498830187e85c0448be8dfb0976f887421948b0086dfb4f41e2c9e30c43202a1
Instruction ID: f2b5f3cf4ee3a6e2f2e2bb1b18a88ac797cc6365c65ff210050dbb6f3f942c22
Opcode Fuzzy Hash: 498830187e85c0448be8dfb0976f887421948b0086dfb4f41e2c9e30c43202a1
Instruction Fuzzy Hash: BEF05C312083505FCB11EA2CD86085F7FA6CBC37107048CAED085CB382EE65EC018390

Uniqueness

Uniqueness Score: -1.00%

Function 02906120, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.596310699.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6cdd85fe28049d902f0b034ae96c49985fb58da9cfe696e1e43c6543e75c8b9
Instruction ID: ea1d80082b787db44c377c7a58158aead312a85928f44660a54b6dccb2ccb55a
Opcode Fuzzy Hash: c6cdd85fe28049d902f0b034ae96c49985fb58da9cfe696e1e43c6543e75c8b9
Instruction Fuzzy Hash: 6AF0E531B053515FC356522CA850BAEB7AE4BCE310F01047BF105CB2E2CD654D128364

Uniqueness

Uniqueness Score: -1.00%

Function 02905FD0, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.596310699.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb3afa5f64391cdaf6d2d7d53f5f8ba218c65a53958a4d5b4305058d652bb8fa
Instruction ID: 63c732023f36a31c26262268c66ae86fb43e92969b6b24344560e9a9ee940c73
Opcode Fuzzy Hash: cb3afa5f64391cdaf6d2d7d53f5f8ba218c65a53958a4d5b4305058d652bb8fa
Instruction Fuzzy Hash: 7FF0DA71D462199FCF50DFB9D849AEFBFF4EB89350F10056AE405E3241E3354A118BA5

Uniqueness

Uniqueness Score: -1.00%

Function 0290A698, Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.596310699.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9bb7c1c8d1e2db6dc27ca629746c9f83d52f01a49f403e88616515fcfbc7c9b
Instruction ID: a30997797852bd3fb613b4cd5a9e39d3e070940b66c7784c4a628fe11389605a
Opcode Fuzzy Hash: b9bb7c1c8d1e2db6dc27ca629746c9f83d52f01a49f403e88616515fcfbc7c9b
Instruction Fuzzy Hash: 87F08C312042048F8B14A66CF4505AD7BA6ABC5325368893DE20BCB340CE729C03CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 0290D08E, Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.596310699.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a682b2ffe96d2bd78572bce2032b830f8b196c104fea293b71a199a79b25fa5
Instruction ID: 592d3ab23fe53162195697dcd4a3d738755ca349deeb5a8cd55005410e21af77
Opcode Fuzzy Hash: 1a682b2ffe96d2bd78572bce2032b830f8b196c104fea293b71a199a79b25fa5
Instruction Fuzzy Hash: C5E0D86270C15CAF861122BE9451CBE7BBBDAC6162319489BE10BC73A1DD528C17C3B3

Uniqueness

Uniqueness Score: -1.00%

Function 029057A2, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.596310699.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5e2ebef240bb4c541cd8fcf5605e7ddd1661a5f7081e6bb5c84e60774a72a15
Instruction ID: 7934f5b4b5029558065a499e638596790a20e8b66895bcd1e04940bc1c688282
Opcode Fuzzy Hash: b5e2ebef240bb4c541cd8fcf5605e7ddd1661a5f7081e6bb5c84e60774a72a15
Instruction Fuzzy Hash: AAF03031B08108CFDB58BB78E8903BD7766AF84215BA18566DA16D62C1EF205901DFA6

Uniqueness

Uniqueness Score: -1.00%

Function 029077AF, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.596310699.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f0da232c486c28c17b658de3eaf2ebe7493527ab3fc631d29ed734efee4d987
Instruction ID: 00c4d8a9b532e70bece28e983f257b37ba6b49cadc43ffc8408c934fbfaee379
Opcode Fuzzy Hash: 3f0da232c486c28c17b658de3eaf2ebe7493527ab3fc631d29ed734efee4d987
Instruction Fuzzy Hash: 85E06D30F051584FCA08B3F9A8A83EE66A79FC0A14F905938CA06CB7D1EE214D019B92

Uniqueness

Uniqueness Score: -1.00%

Function 02908C30, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.596310699.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e8a15acbc5329fa52f98e4548f6a6ad97e2994120797281da77687ae3e66c1a
Instruction ID: f0a6d8eb64d67c76ea94bfcf5a507fdcc768a11293aa92989a5cd3313405bfaa
Opcode Fuzzy Hash: 7e8a15acbc5329fa52f98e4548f6a6ad97e2994120797281da77687ae3e66c1a
Instruction Fuzzy Hash: 36F0EC327072648FC7521B64A85C3653FB5EB4415131901ABEC02C7350DA384C01C791

Uniqueness

Uniqueness Score: -1.00%

Function 0290C2C8, Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.596310699.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d12e016060d3d85396f318cd5725898074476333d24ee8693f69ae30c691d671
Instruction ID: 194eb6e38f06abeeb71d1357b819471527d019cae722609d4df9319dc7dcf2c5
Opcode Fuzzy Hash: d12e016060d3d85396f318cd5725898074476333d24ee8693f69ae30c691d671
Instruction Fuzzy Hash: 3DF03436200B408FC320CFAAD180A46BBF5EF896207148A6ED49A83A20D230F809CF55

Uniqueness

Uniqueness Score: -1.00%

Function 0290B670, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.596310699.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a944be9f3c3a81d2958c7ee9b74132a85387e1cdeff1bc2e36e41f01794c56fb
Instruction ID: 60e7ee30b3c1a46ec9b176a451b6aa1f65920d68f5a95adcae6d059cffaed0c9
Opcode Fuzzy Hash: a944be9f3c3a81d2958c7ee9b74132a85387e1cdeff1bc2e36e41f01794c56fb
Instruction Fuzzy Hash: 55E0D871500B105FC3249F6FD882643FBEAFBC4720F04CA3EE14992B00DB70A8074690

Uniqueness

Uniqueness Score: -1.00%

Function 029089D0, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.596310699.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 778085e6f9268122957e5de93bfad282f14fa4799b9121cbce885dbea5aa8736
Instruction ID: d7bc63fb78718bbfc639f55eb869190b2ee2c453f9f6c193223d5ddafbcf1f6d
Opcode Fuzzy Hash: 778085e6f9268122957e5de93bfad282f14fa4799b9121cbce885dbea5aa8736
Instruction Fuzzy Hash: 81F05875909288AFDB41DFA8D59049CBFB0EF0A210B1455DAC954EB243D2345E42CB41

Uniqueness

Uniqueness Score: -1.00%

Function 0290E5E8, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.596310699.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d4bda4d73818a1858fbe1eb9efac687c178cbde1bbc1e8fefbddd01c4613c3f
Instruction ID: df75e6dfd9685b944c44dffa7105a64f2729e1b137071a1e1b9376223f1f62ec
Opcode Fuzzy Hash: 9d4bda4d73818a1858fbe1eb9efac687c178cbde1bbc1e8fefbddd01c4613c3f
Instruction Fuzzy Hash: 13E08671005638EFC26516E1F49A7B7B659E705121F148C5BF4CA82A86C926AC51C7D2

Uniqueness

Uniqueness Score: -1.00%

Function 029046B8, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.596310699.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6961e4965280a06a0a995056fd7b4549584c4b089aa0719dbab9603d1147c86
Instruction ID: 6397614865fdb9598569b184fbae85875d06b1bf052d0758080e014a39e024f9
Opcode Fuzzy Hash: c6961e4965280a06a0a995056fd7b4549584c4b089aa0719dbab9603d1147c86
Instruction Fuzzy Hash: 90E046313400289BCA102AF9B4A46AE3689AB80751B141466F20BCB6A1EA1A880183C6

Uniqueness

Uniqueness Score: -1.00%

Function 0290EAE8, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.596310699.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30d3af7719a61d39993c5dcdbb606f970af234697ef2e1d6e74e94dd9d8f7195
Instruction ID: 8c9b928cfb2342f38647f45b2f893450b25b1f7c265647bf507db016d7d86a97
Opcode Fuzzy Hash: 30d3af7719a61d39993c5dcdbb606f970af234697ef2e1d6e74e94dd9d8f7195
Instruction Fuzzy Hash: B2E0DF312101248B8624E69EE45096A7B99CBC67203108C2ED44A8B384EE72EC028790

Uniqueness

Uniqueness Score: -1.00%

Function 0290AFF1, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.596310699.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 759cd3bc30f991d98ed7d7d1af187af17afed14f8cd2035489720209e6d33602
Instruction ID: 26d3b5b41faab75f306cb3a5ed7452923819130ac3af65672947891bab3288c5
Opcode Fuzzy Hash: 759cd3bc30f991d98ed7d7d1af187af17afed14f8cd2035489720209e6d33602
Instruction Fuzzy Hash: 19E020353043245FC7443378D05975D7EEAA7CD651B100475E516D7795DD258C124751

Uniqueness

Uniqueness Score: -1.00%

Function 02905FE0, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.596310699.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 925b6342c8518a4e5351ea74b1235a3b9a8227194bcda59ae39529ae4c7b0902
Instruction ID: 551e9dbf6e036688e45ccbcf5fa38523a78cb02effee8fb76872ac54af33521f
Opcode Fuzzy Hash: 925b6342c8518a4e5351ea74b1235a3b9a8227194bcda59ae39529ae4c7b0902
Instruction Fuzzy Hash: C5E0C971E0020A9FCF50EFB9D849AEEBFF8EB49350F100476D109E3240E3355A118BA4

Uniqueness

Uniqueness Score: -1.00%

Function 0290F407, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.596310699.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48398c5f5e1b85decd15ff79e3a5bbe83cbc7f1dd383b8f152e519cd3ae92c77
Instruction ID: adac861f848b9e0e924a9dfac035b803b9b23ef64c538679c5b2f697dc5c5ec2
Opcode Fuzzy Hash: 48398c5f5e1b85decd15ff79e3a5bbe83cbc7f1dd383b8f152e519cd3ae92c77
Instruction Fuzzy Hash: 57E08C723451242BDA04A6ADD853BF67B8ECB82360B0488AEF409D7B81C8269C0283C5

Uniqueness

Uniqueness Score: -1.00%

Function 02908C40, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.596310699.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aeace90c6b0135b1b7f76d3518981bb06da6473884c57a61b8bb617a579cb8df
Instruction ID: a0af3e10becb6c014870ee1ac71c338c2b469a59f721ced548b432fd6f3f397d
Opcode Fuzzy Hash: aeace90c6b0135b1b7f76d3518981bb06da6473884c57a61b8bb617a579cb8df
Instruction Fuzzy Hash: 4EE09232B131349BC7606FACA4587287BFDEB886A1724416BDD07D3384DE309C018BD1

Uniqueness

Uniqueness Score: -1.00%

Function 0290E5A8, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.596310699.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfe0802b09c509b94ef734e6044d86f99f257fbbef0bb0a305d60a4b8b7bd0d3
Instruction ID: 1515597b0658a8f07df83c71b56b452cb352303c88bfdcba2886db8628dbc408
Opcode Fuzzy Hash: cfe0802b09c509b94ef734e6044d86f99f257fbbef0bb0a305d60a4b8b7bd0d3
Instruction Fuzzy Hash: 0AE026313045148F8B24EA5CD46096E7B9ACBC2B603548C3EE44ACB380FF72EC0287D0

Uniqueness

Uniqueness Score: -1.00%

Function 02906130, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.596310699.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99e8a03ec5b0d90128745cb89adb7b7dfdce8299e9f399dab284a3b4b1acf678
Instruction ID: 3d5961871bc81a599bba20eba9e2a0a40c91fa497ce4801774038a0f931371b9
Opcode Fuzzy Hash: 99e8a03ec5b0d90128745cb89adb7b7dfdce8299e9f399dab284a3b4b1acf678
Instruction Fuzzy Hash: B8E0CD3170021967D615626DA411B1FF3EF8BCD755F10483EE209D73D1CD62AC4353A9

Uniqueness

Uniqueness Score: -1.00%

Function 0290D0A0, Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.596310699.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 419e5b90b8721be04b58b344dc7965bf62c572e8f2557387863fc9735cbd51ff
Instruction ID: 6108b3ee1afde843c69205aacd47a57f4bb7e0e1ba11517dadf3f672560482ec
Opcode Fuzzy Hash: 419e5b90b8721be04b58b344dc7965bf62c572e8f2557387863fc9735cbd51ff
Instruction Fuzzy Hash: 0DE0122171801C9F451461AE5050CBE72ABDAC5662315446BA10B873A0DE929C12D3B6

Uniqueness

Uniqueness Score: -1.00%

Function 0290D0D8, Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.596310699.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42788bc2a10feeafb4e146affaa46f26db1a7e3c5cfa0e0aeeaf41265daf7177
Instruction ID: 717f7c7548d78a35b10f4c513c03e338b5dab3df2f26ea020a4df811dd15dc06
Opcode Fuzzy Hash: 42788bc2a10feeafb4e146affaa46f26db1a7e3c5cfa0e0aeeaf41265daf7177
Instruction Fuzzy Hash: B1E086353045159FC3289694D891B75B7A6DFCC231F14C97AD90987B80CB75EC038794

Uniqueness

Uniqueness Score: -1.00%

Function 02908AB8, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.596310699.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6e8a6d21becf19400c5c17a5a3fe68ae1aeb905e5ed82da139d1d5bce4e9815
Instruction ID: 13b9aba91f3c51c0bf18b88269d30c758207b7cb8672446d9f4ac51492270e39
Opcode Fuzzy Hash: a6e8a6d21becf19400c5c17a5a3fe68ae1aeb905e5ed82da139d1d5bce4e9815
Instruction Fuzzy Hash: 38E0ED3130420DCFC600EB59E8C48693B5DF7503147509A66E9118AB59DFB0AD06C791

Uniqueness

Uniqueness Score: -1.00%

Function 02906882, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.596310699.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fcd117a70c2beebcc8f2db9d0c78ed37f6e4e01c95971d1a4247c213c526292
Instruction ID: 1a2c53017e5f163878cab0f409fce12391843b5722fa04071e6f21f0e3df29bd
Opcode Fuzzy Hash: 6fcd117a70c2beebcc8f2db9d0c78ed37f6e4e01c95971d1a4247c213c526292
Instruction Fuzzy Hash: 3BE0867065D119CFEB0017A4A494FBD279C9B81250B08056EEE06D21D1CB948C518B6A

Uniqueness

Uniqueness Score: -1.00%

Function 029089E0, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.596310699.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8781ae1767abfeb26d0db5c3babac4f5682549c61ef75305975b7c73cfae5d93
Instruction ID: c885fe550759791ea3505dd3eee406f701d9666357af3a239cf42c930a127462
Opcode Fuzzy Hash: 8781ae1767abfeb26d0db5c3babac4f5682549c61ef75305975b7c73cfae5d93
Instruction Fuzzy Hash: 91E06D78D04208DFCB14EFA9D0856ADBBB5EB48304F1081A6981493341DB345A41DF41

Uniqueness

Uniqueness Score: -1.00%

Function 0290AAC0, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.596310699.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 264623e3e47a70c3ea70d8416b66f0a1fda943e3dfe9eac18d20f58106eb90b3
Instruction ID: 684a5cab849bdcb8482beba2ef1e07e09e00900b17ea41278dc8bcde0fba44d0
Opcode Fuzzy Hash: 264623e3e47a70c3ea70d8416b66f0a1fda943e3dfe9eac18d20f58106eb90b3
Instruction Fuzzy Hash: 63E05B72B017299FCF10D59EDA84655B6CB8788268B19C470FA0EC73C0FA15DC0283D0

Uniqueness

Uniqueness Score: -1.00%

Function 02906459, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.596310699.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b6c7a1978f52289076182869cc139fda0e26d1130fe8a43bf78fb8078f8d5ba
Instruction ID: e505c3477fde80a9aaf4923581d949b0afefe6fdbeb8e32bc051765c1bb92d52
Opcode Fuzzy Hash: 6b6c7a1978f52289076182869cc139fda0e26d1130fe8a43bf78fb8078f8d5ba
Instruction Fuzzy Hash: 94E026717081140FCB04EABCD861EF96B999BC1304B1488EFD445D73D2C9738C038380

Uniqueness

Uniqueness Score: -1.00%

Function 02905DE8, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.596310699.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4132a145bf96beb0085ed2c798027bcb4dee079a3802e6515f11a1969ad22285
Instruction ID: 91b8b769cc36d8c66638a7933c0ba3c1d5ea20c866d245f7d143b6e8fdbd1b41
Opcode Fuzzy Hash: 4132a145bf96beb0085ed2c798027bcb4dee079a3802e6515f11a1969ad22285
Instruction Fuzzy Hash: ECE0CD306663556FC7156BB454D00BD37951AC162038109BFE045CB2C1D9194C42C7D0

Uniqueness

Uniqueness Score: -1.00%

Function 02900170, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.596310699.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e97819dccd81730f93808e8f70e87955ab625fc59752a16a95ce77aa80a6dd74
Instruction ID: 520c1788badfde03b5add5f507f005c21638cf49ff7bec2a1122ec352a7367fb
Opcode Fuzzy Hash: e97819dccd81730f93808e8f70e87955ab625fc59752a16a95ce77aa80a6dd74
Instruction Fuzzy Hash: 7AE0C23014E340CFC7069B70EC199AD3F75AF0621431406BEE406C7B72E77A8962CB51

Uniqueness

Uniqueness Score: -1.00%

Function 029002A0, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.596310699.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5810cbb65dbc506ab68a16d55cf3abd6d4366359ebdef137c536085513d525e
Instruction ID: 9690944a94822153424d0e832e3d957e4b3f3dfa5e3669329a03a340500b3a26
Opcode Fuzzy Hash: e5810cbb65dbc506ab68a16d55cf3abd6d4366359ebdef137c536085513d525e
Instruction Fuzzy Hash: D8E0C23120D744CFC352C764ED95DA6BFF1BB86200308CD5ED48386D90C724AD01C711

Uniqueness

Uniqueness Score: -1.00%

Function 0290EB28, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.596310699.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ccfac7e44ee6103f0b85c5a7012bce7dee4a32845ec117cc573061c8474e06ec
Instruction ID: 4e718078f6fd0a8bc21f697d33db92777596fc61f1eb5948a56673b07cab8e2d
Opcode Fuzzy Hash: ccfac7e44ee6103f0b85c5a7012bce7dee4a32845ec117cc573061c8474e06ec
Instruction Fuzzy Hash: BEE0C27200A308DFC7208662D8D5396B7E9DB01211B048C1DD08F93A40C666A901C780

Uniqueness

Uniqueness Score: -1.00%

Function 02906888, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.596310699.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c509ed09f179b82b158be9720fd32c524a56d30e7e1113107e0afe244f1e928
Instruction ID: 39a8c5bd988fc612c0daf6fa9b2b2411051656c41f54dacac19bd5ce284cf3cc
Opcode Fuzzy Hash: 6c509ed09f179b82b158be9720fd32c524a56d30e7e1113107e0afe244f1e928
Instruction Fuzzy Hash: 91D05B7160C519CFFA002795E494B6D36DDDB81651B080429EE0AD22D1DF95DC508BAF

Uniqueness

Uniqueness Score: -1.00%

Function 0290064F, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.596310699.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce534eec58fe842cf93e0a0c86598253f5b46dbc925aa98eb784e5cf81b6e8de
Instruction ID: 36aa543af5e3cf4c6fd0851ec34ac4c0d1306ddb7329ca6adab06a1042589304
Opcode Fuzzy Hash: ce534eec58fe842cf93e0a0c86598253f5b46dbc925aa98eb784e5cf81b6e8de
Instruction Fuzzy Hash: 78D02EB288D2948FC38A0AB01C1A6E83B20EAA3200B158ABAC40282821C4620663CA02

Uniqueness

Uniqueness Score: -1.00%

Function 029057F6, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.596310699.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b773d459c0f61fea6da613fb172d24bb68d5f4d01357fed827d78ff6265e9a6
Instruction ID: 5a5920256ebc5a76c832bbdafef8a327e3cad8c097e696bcd6b380cbbf8874e1
Opcode Fuzzy Hash: 3b773d459c0f61fea6da613fb172d24bb68d5f4d01357fed827d78ff6265e9a6
Instruction Fuzzy Hash: 3DD01235E08008CFCB44A7E8E9952ED7B71AB841257515976CE1796180DE210915CB96

Uniqueness

Uniqueness Score: -1.00%

Function 0290F418, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.596310699.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bb8f5016446bbdeaa399dde0a08424f4003eba57a7a4f48078661be1be59282
Instruction ID: 5557efe258fcc70b928ccc85a38be349ff9747da86a3d2602abf44b1a0361788
Opcode Fuzzy Hash: 0bb8f5016446bbdeaa399dde0a08424f4003eba57a7a4f48078661be1be59282
Instruction Fuzzy Hash: CDD0A731304124175A44F5ACD811EBAB38ECBC675070488BEE909D7391CD729C0293D0

Uniqueness

Uniqueness Score: -1.00%

Function 0290A850, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.596310699.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3455a775bdb6fe7d76eb1465e39e220390f87a3ead48273fe42b549945aee77
Instruction ID: 52bb4003aa78e408027dfea79ae61e49988520aad480ad9e38684321e65739f7
Opcode Fuzzy Hash: f3455a775bdb6fe7d76eb1465e39e220390f87a3ead48273fe42b549945aee77
Instruction Fuzzy Hash: 5CD0C2314083588FD3358A75D844776BAA96B41708F044D6ECA42059A08662E8C6C3DA

Uniqueness

Uniqueness Score: -1.00%

Function 02906468, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.596310699.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f83623544dfd7019757f525f87644c107bb6067310ef7bcf78202d8a99da5c38
Instruction ID: db9c9485052788e05198be972c96ab3037c8ab09f93cb15440fbeb70668b3380
Opcode Fuzzy Hash: f83623544dfd7019757f525f87644c107bb6067310ef7bcf78202d8a99da5c38
Instruction Fuzzy Hash: 64D0A771304124179E44F5ACD861DBA738ECBC575030488AFE809D7381CD72DC0283D4

Uniqueness

Uniqueness Score: -1.00%

Function 0290E5F8, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.596310699.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddc1b1aac4e9a729737e8d73438bae38eb46c5117a40b970f4a9bfc2bb7b8d15
Instruction ID: 38925728ea6d5dad2b3609dbe36c51a46055c004fc541f50fb3dd9406479370f
Opcode Fuzzy Hash: ddc1b1aac4e9a729737e8d73438bae38eb46c5117a40b970f4a9bfc2bb7b8d15
Instruction Fuzzy Hash: B2D05E7110863CDFC6651AD4B0A85BBB29CAB08512B144CAFE8CB82586CA22AC01C3A1

Uniqueness

Uniqueness Score: -1.00%

Function 02907948, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.596310699.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3455a775bdb6fe7d76eb1465e39e220390f87a3ead48273fe42b549945aee77
Instruction ID: 95ab060fba0dbd0ceb240b4595afc32036b048cd74347a46b0ffb5f2531bec01
Opcode Fuzzy Hash: f3455a775bdb6fe7d76eb1465e39e220390f87a3ead48273fe42b549945aee77
Instruction Fuzzy Hash: 14D0C23180836DCFC3354AE5E484BE2FAAA5B49F74F040E5FC0A645680C661F484C392

Uniqueness

Uniqueness Score: -1.00%

Function 0290EEA9, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.596310699.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81eb35e45fe5f190046227b0201cf3cddb8625236178f176906c32cd3961cb47
Instruction ID: 15db524edd62f98c9ca7780e86f100951ca8a789c65269feb858edf575b0286f
Opcode Fuzzy Hash: 81eb35e45fe5f190046227b0201cf3cddb8625236178f176906c32cd3961cb47
Instruction Fuzzy Hash: 68D0A7B7D000188BD71451A0A6833AA7760CF00211F9108BADD0496AC0F625DA224781

Uniqueness

Uniqueness Score: -1.00%

Function 029046A9, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.596310699.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c0c817309b6f92b15816341e41d3a50911e2a4e326ded5de63aa7a1406b390e
Instruction ID: 467306f576346055342f7e5b661d22f6c9a241290d261f77776b97940fde0587
Opcode Fuzzy Hash: 5c0c817309b6f92b15816341e41d3a50911e2a4e326ded5de63aa7a1406b390e
Instruction Fuzzy Hash: 8AD05E3054E3905FC7624BA098A0AFA3B649B02220B0542AAF802CA472D24E49428B61

Uniqueness

Uniqueness Score: -1.00%

Function 02905DF8, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.596310699.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b99900eb062f239bd4d70f5eb9b7cf5f86968fa59a1782103aea0153f1e7af5
Instruction ID: f6f2076723980b14831cc172901fc2516e0be95ac4ee2a9a8018d2408f06ef5e
Opcode Fuzzy Hash: 4b99900eb062f239bd4d70f5eb9b7cf5f86968fa59a1782103aea0153f1e7af5
Instruction Fuzzy Hash: 02C01231B2512C6B8A1872BA98E966E218F0AC4A213C20D2AE40A8B381EC428C014AD5

Uniqueness

Uniqueness Score: -1.00%

Function 029073F8, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.596310699.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a0939ec5680cffb9ecca245d0aafbbebb033a67d769e75d7ec85179cdc98f5e
Instruction ID: f711b831af40a516bdb1b1bdfdede435ced1eca6fec8a2c84b3c2bfe795b1f94
Opcode Fuzzy Hash: 9a0939ec5680cffb9ecca245d0aafbbebb033a67d769e75d7ec85179cdc98f5e
Instruction Fuzzy Hash: 1DD0423AA000088FC704DB88D5849D9F7F6FB88225F28C1A6D919A7251C732ED56CA50

Uniqueness

Uniqueness Score: -1.00%

Function 0290EB38, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.596310699.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22a74dae7cc00dcbdf7f2eb971425ea4dc5ea2707004adcf6710ac878646cda3
Instruction ID: ea4d79372438f1d7d566d8155d2b692606e3b8f50c314cfcbd1754341cf74224
Opcode Fuzzy Hash: 22a74dae7cc00dcbdf7f2eb971425ea4dc5ea2707004adcf6710ac878646cda3
Instruction Fuzzy Hash: 0AD0A93200A20CCF83345A02D0904A2B3E8AA012223008C2ED09F83A808B62A800CB80

Uniqueness

Uniqueness Score: -1.00%

Function 02905F51, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.596310699.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4dc77c5e0d5ed138ea46c7034baa3eec244e958ffc6ad9c30b440542296f5388
Instruction ID: dbc549db821f078d9d64ffc79c4f894223ad49e77f5c5ed863aceb6839f4185c
Opcode Fuzzy Hash: 4dc77c5e0d5ed138ea46c7034baa3eec244e958ffc6ad9c30b440542296f5388
Instruction Fuzzy Hash: 49D0133018E3895FC75207706C947673F7C9D4311474501F6D547C5472D55D4D55CF61

Uniqueness

Uniqueness Score: -1.00%

Function 029064A0, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.596310699.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4b74c22729f3180a11bbc1f9c28e72566fa221a828733e3ee6378986bbfe1d3
Instruction ID: e5b596be5d5653818242c1967fced81fa0dd8bdd6159e163429b8079947b2b0a
Opcode Fuzzy Hash: b4b74c22729f3180a11bbc1f9c28e72566fa221a828733e3ee6378986bbfe1d3
Instruction Fuzzy Hash: 47D022DF90C288CFCF03D9508C56A807A98E782302BDA04EFC0C0472AAE695C84AC241

Uniqueness

Uniqueness Score: -1.00%

Function 0290F450, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.596310699.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9764dfb2d645ed18b3c8c1d1e01bf0309c1549aa135306ca5a1d56dd874e4df6
Instruction ID: 8bb41ad24a79273791a04e9e520d70b02e9f7394eed07928ad24e31ea270478e
Opcode Fuzzy Hash: 9764dfb2d645ed18b3c8c1d1e01bf0309c1549aa135306ca5a1d56dd874e4df6
Instruction Fuzzy Hash: 6CC08CB344BA0C5FDE8423F0F88BB08370E9780A60F884020F608D2B42FE2CA412080A

Uniqueness

Uniqueness Score: -1.00%

Function 02907F2E, Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.596310699.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fbc4359368944cfa38760920e2f42a3287dbd1f4215ddd02cd4e36f9fcedb38
Instruction ID: 0371f6521c1a8c33b414172e70c2a61b329077f6e474b7cd1b8ac447e527664f
Opcode Fuzzy Hash: 6fbc4359368944cfa38760920e2f42a3287dbd1f4215ddd02cd4e36f9fcedb38
Instruction Fuzzy Hash: 76D05231A0060ECF8B41CFB1D9A09DE77F0BB082223200B2ADA129B3C1E7346C00CB20

Uniqueness

Uniqueness Score: -1.00%

Function 02905478, Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.596310699.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de6b5f9e82bd664cb21877064ceda3b799cee3d368b3986e7c00abb3b08e16cd
Instruction ID: 9241c2afac1dff44375a95b3b1f6d9f2d29a3b6acd282f6879ec1842972660d9
Opcode Fuzzy Hash: de6b5f9e82bd664cb21877064ceda3b799cee3d368b3986e7c00abb3b08e16cd
Instruction Fuzzy Hash: 5AD0C9310082488FDA2497AAFC8DBAD7A9CF74020AB864181D00E908A6DB208154CE12

Uniqueness

Uniqueness Score: -1.00%

Function 02900180, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.596310699.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62f59a64cbdaa1f93f42edfe9d939559bb2a189ec729bae0687ab07904b90e87
Instruction ID: 5be9979eaf9f349fae368d71beca8eec290f5431094df17ba930a0e56a1fc129
Opcode Fuzzy Hash: 62f59a64cbdaa1f93f42edfe9d939559bb2a189ec729bae0687ab07904b90e87
Instruction Fuzzy Hash: 00D08C31200304CFCB083BB0E41CA2C33AABF8860A310087CE81787761EF37E881CA04

Uniqueness

Uniqueness Score: -1.00%

Function 0290CE68, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.596310699.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3015c897212f5b54385ec7681bafce1bfdcc295a13f3ea3173fb4e96221c0738
Instruction ID: 4d9c2c4f7ded801f34a4a0900985fc151e71787398839081923d32087a783e29
Opcode Fuzzy Hash: 3015c897212f5b54385ec7681bafce1bfdcc295a13f3ea3173fb4e96221c0738
Instruction Fuzzy Hash: 47C02B3340D4A00FE701A1309CB21C82F20DA8F0143FB0CC2C0C0DB042E234D0468E11

Uniqueness

Uniqueness Score: -1.00%

Function 02905D70, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.596310699.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd55bbf2792e5521217b514120596f7b207b20d99748605e01cb8027cde7c9a1
Instruction ID: 71e99dd3f21745794e8d580ea22288dae4dd674e3012f645774c5e06461b6e85
Opcode Fuzzy Hash: bd55bbf2792e5521217b514120596f7b207b20d99748605e01cb8027cde7c9a1
Instruction Fuzzy Hash: 2FC04C31214A0D8F9E1427F5AD5DB3E776CAE405553C50556E50A8A170EF2494405965

Uniqueness

Uniqueness Score: -1.00%

Function 02900660, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.596310699.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 922a44256fd5110e7906196087297a8d5944722a9221d9325f4cfabcf5d048e8
Instruction ID: 15852f1de059fd830dc10ff3ac05649d218ce65ba4ea0444b494b5f550bf3a77
Opcode Fuzzy Hash: 922a44256fd5110e7906196087297a8d5944722a9221d9325f4cfabcf5d048e8
Instruction Fuzzy Hash: 9EC02B3004962CCEC20417F06C08B3D720AD6D1301300CD31C406000308D3294B1CC11

Uniqueness

Uniqueness Score: -1.00%

Function 02905F60, Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.596310699.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d3ab7084dea4480d6f8cfc418beaf29ce122577c05816320f4eab3908d2280c
Instruction ID: 6141a1a16dba2bd68f54e9a7d3e6ff119450bb509f2de0da154d836766e9ce37
Opcode Fuzzy Hash: 2d3ab7084dea4480d6f8cfc418beaf29ce122577c05816320f4eab3908d2280c
Instruction Fuzzy Hash: 4AB09230244A0D8F46502BB1B98CB6A379CE944A057850025E60FC14A0EF2994008962

Uniqueness

Uniqueness Score: -1.00%

Function 0290741C, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.596310699.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9331830965d72d12fcbefa973c87c0cf332396a92bd300e1243d284f656f33ac
Instruction ID: ab7e4e67b46797a97d2ca17fc5c4d1c95c42f17e8de37f414bf9e0b683b77699
Opcode Fuzzy Hash: 9331830965d72d12fcbefa973c87c0cf332396a92bd300e1243d284f656f33ac
Instruction Fuzzy Hash: 32B092B7E08008C9DB009AC4B4813EDFB24F790235F104433C31492040C2721164D691

Uniqueness

Uniqueness Score: -1.00%

Function 0290F460, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.596310699.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da5e1d2a8b8a7cb6f55cda0e4af7e4fc0d5e1a221210581bf3ca2ceb44d09aae
Instruction ID: 939fd026223930fa9226a60893bb4cd03d379d48237b6c1ed2d1f43d5ecaaaf5
Opcode Fuzzy Hash: da5e1d2a8b8a7cb6f55cda0e4af7e4fc0d5e1a221210581bf3ca2ceb44d09aae
Instruction Fuzzy Hash: 9BB0123254170C8BDDC833F0A40C71D734D19C05107C00421990D83340BE74A8044855

Uniqueness

Uniqueness Score: -1.00%

Function 02905D6C, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.596310699.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91a3accb7d7c25b079e7ab60ccfb36bb04fcac8666a82a231d9cdf7b8a326eb5
Instruction ID: b8078b2791483f8ceb4c8f11cad886847b6260e929ec57a5c27302644cfcccf8
Opcode Fuzzy Hash: 91a3accb7d7c25b079e7ab60ccfb36bb04fcac8666a82a231d9cdf7b8a326eb5
Instruction Fuzzy Hash: B1B01231208D0D8E051427A0EA8DB3E331C6E000493810213D50E8E0B1FF50C490C9D6

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: RegSvcs.exe PID: 5692 Parent PID: 936 RegSvcs.exeCOMMON

Executed Functions

Function 02DB11D0, Relevance: 4.0, Strings: 3, Instructions: 222COMMON

Download Yara Rule

Strings

X1kr, xrefs: 02DB130B
X1kr, xrefs: 02DB1253
:@Dr, xrefs: 02DB1406

Memory Dump Source

Source File: 0000000C.00000002.379279399.0000000002DB0000.00000040.00000001.sdmp, Offset: 02DB0000, based on PE: false

Similarity

API ID:
String ID: :@Dr$X1kr$X1kr
API String ID: 0-2930718046
Opcode ID: 236b92d42de6ebd8f37d60fb26f5df71d2a52a4e37f3a459f27bdbd086c1a337
Instruction ID: 5e38e9181495111ed00ab7d4a8443ec0346d090f06fb49cf0655d5a71ffe34ec
Opcode Fuzzy Hash: 236b92d42de6ebd8f37d60fb26f5df71d2a52a4e37f3a459f27bdbd086c1a337
Instruction Fuzzy Hash: D6813734B00101CFCB05ABADC464A6EBAE7EFD4304F248169E50AAB7A4EE75DD41CB61

Uniqueness

Uniqueness Score: -1.00%

Function 02DB11C1, Relevance: 2.7, Strings: 2, Instructions: 180COMMON

Download Yara Rule

Strings

X1kr, xrefs: 02DB1253
:@Dr, xrefs: 02DB1406

Memory Dump Source

Source File: 0000000C.00000002.379279399.0000000002DB0000.00000040.00000001.sdmp, Offset: 02DB0000, based on PE: false

Similarity

API ID:
String ID: :@Dr$X1kr
API String ID: 0-2776031997
Opcode ID: e95875f17f2ddd403ba53c42b99c38faf80e0140ddbec155b0a888a71b4fca31
Instruction ID: 268307fa1100c6189452c94b4b637883052c1cadd977f1a8b25664b9b00e52cd
Opcode Fuzzy Hash: e95875f17f2ddd403ba53c42b99c38faf80e0140ddbec155b0a888a71b4fca31
Instruction Fuzzy Hash: 23613A34B00105CFDB059BADC464BAEBBF6EF94304F248169D90AAB7A0DE75DD41CB61

Uniqueness

Uniqueness Score: -1.00%

Function 013BA587, Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

SearchPathW.KERNELBASE(?,00000E2C,?,?), ref: 013BA63A

Memory Dump Source

Source File: 0000000C.00000002.379084704.00000000013BA000.00000040.00000001.sdmp, Offset: 013BA000, based on PE: false

Similarity

API ID: PathSearch
String ID:
API String ID: 2203818243-0
Opcode ID: 6715e77599fb147fd8f425183fd9331dfdc5aa4bc556af2eadfa3b6fdf608ff4
Instruction ID: 89a3c8561bca4a552e967a737a62ac42654483f489e923f3845c0b340d36b19f
Opcode Fuzzy Hash: 6715e77599fb147fd8f425183fd9331dfdc5aa4bc556af2eadfa3b6fdf608ff4
Instruction Fuzzy Hash: 49319F7240D3C06FD3038B218C65B62BFB4EF43614F1A81CBD8848F193E624A909C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 013BA4AA, Relevance: 1.6, APIs: 1, Instructions: 79fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,00000E2C,934D5A57,00000000,00000000,00000000,00000000), ref: 013BA53D

Memory Dump Source

Source File: 0000000C.00000002.379084704.00000000013BA000.00000040.00000001.sdmp, Offset: 013BA000, based on PE: false

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 0a432950afdd95bb4982c7d214949f7862481b9b49ec3a5f3d2887ec9ccb21f7
Instruction ID: ee402baa79b624bfd64dad99e677ef3a409a92e42d03304f77c36f1061353225
Opcode Fuzzy Hash: 0a432950afdd95bb4982c7d214949f7862481b9b49ec3a5f3d2887ec9ccb21f7
Instruction Fuzzy Hash: B921A372409380AFD7128B65DC94F96BFB8EF06310F0884DBEA849F153D264A509CB71

Uniqueness

Uniqueness Score: -1.00%

Function 013BA5C6, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

SearchPathW.KERNELBASE(?,00000E2C,?,?), ref: 013BA63A

Memory Dump Source

Source File: 0000000C.00000002.379084704.00000000013BA000.00000040.00000001.sdmp, Offset: 013BA000, based on PE: false

Similarity

API ID: PathSearch
String ID:
API String ID: 2203818243-0
Opcode ID: 53e1e99a200ae07d6ee8e1ef7930ee8ca33dee70181329d9d0d36415c1376dcc
Instruction ID: 6285a53e3cd8f2b81930528e7a4e19f5cd7e948ee8f5250621f981e09a109ce9
Opcode Fuzzy Hash: 53e1e99a200ae07d6ee8e1ef7930ee8ca33dee70181329d9d0d36415c1376dcc
Instruction Fuzzy Hash: 7A11E2724043406FD311CB15DC46F72BFF8EB85A20F0585AAED489B642D270B915CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 013BA1F4, Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNELBASE ref: 013BA269

Memory Dump Source

Source File: 0000000C.00000002.379084704.00000000013BA000.00000040.00000001.sdmp, Offset: 013BA000, based on PE: false

Similarity

API ID: ConsoleOutput
String ID:
API String ID: 3985236979-0
Opcode ID: bdd8447f2f912d3ecd8a3ffbb0c8a618027ddee2d4ec6146407e14cc7bb52e28
Instruction ID: c3f06ac1f0c321e20a34d11d5bc34171151b5fa67b91c4520f2cb0333689205c
Opcode Fuzzy Hash: bdd8447f2f912d3ecd8a3ffbb0c8a618027ddee2d4ec6146407e14cc7bb52e28
Instruction Fuzzy Hash: D0216D3540D7C49FD7138B258C95A92BFB4EF03220F0E80DBD9848F1A3D269A909CB62

Uniqueness

Uniqueness Score: -1.00%

Function 013BA4DE, Relevance: 1.6, APIs: 1, Instructions: 60fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,00000E2C,934D5A57,00000000,00000000,00000000,00000000), ref: 013BA53D

Memory Dump Source

Source File: 0000000C.00000002.379084704.00000000013BA000.00000040.00000001.sdmp, Offset: 013BA000, based on PE: false

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 20b3904a12003261bc895d17639d5bd71653f626520f276d0d0c01cd228cffd7
Instruction ID: f11b1d224b00e9a2c49599cdacee4e14318bae5003c8aaf46bafcd5ab4f0f1f9
Opcode Fuzzy Hash: 20b3904a12003261bc895d17639d5bd71653f626520f276d0d0c01cd228cffd7
Instruction Fuzzy Hash: 0411BF72400604EEEB21CF59DC84FAAFBE8EF44320F1484ABEE859B651D774A5088B71

Uniqueness

Uniqueness Score: -1.00%

Function 013BA5EA, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

SearchPathW.KERNELBASE(?,00000E2C,?,?), ref: 013BA63A

Memory Dump Source

Source File: 0000000C.00000002.379084704.00000000013BA000.00000040.00000001.sdmp, Offset: 013BA000, based on PE: false

Similarity

API ID: PathSearch
String ID:
API String ID: 2203818243-0
Opcode ID: dea3e813837f5d8f50cd9bb8cb8b29bef3f251105e905cc9541f47eb0d774e09
Instruction ID: d2164eaba40746326e796d547ee18e3c3baf3025058172a4f38c5520d46ce049
Opcode Fuzzy Hash: dea3e813837f5d8f50cd9bb8cb8b29bef3f251105e905cc9541f47eb0d774e09
Instruction Fuzzy Hash: 1F017172500600AFD710DF16DC86F36FBE8EB88B20F14856AED089B741E771B915CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 013BA23A, Relevance: 1.5, APIs: 1, Instructions: 34COMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNELBASE ref: 013BA269

Memory Dump Source

Source File: 0000000C.00000002.379084704.00000000013BA000.00000040.00000001.sdmp, Offset: 013BA000, based on PE: false

Similarity

API ID: ConsoleOutput
String ID:
API String ID: 3985236979-0
Opcode ID: 00096cb4fea6f3ffaf0e706ee39a7da5e077fcf5f1304dde260cbebe8c6a4074
Instruction ID: 2f514a797ba0712093d8ddd7693b013dce03d5f57f8c17b66991bb5fa1c3216c
Opcode Fuzzy Hash: 00096cb4fea6f3ffaf0e706ee39a7da5e077fcf5f1304dde260cbebe8c6a4074
Instruction Fuzzy Hash: 2AF0A431804A44DFD7118F19D8C4761FFD4DF04624F18C0AADE094FB42D6B9A444CA62

Uniqueness

Uniqueness Score: -1.00%

Function 02DB010F, Relevance: 1.5, Strings: 1, Instructions: 226COMMON

Download Yara Rule

Strings

:@Dr, xrefs: 02DB02C5

Memory Dump Source

Source File: 0000000C.00000002.379279399.0000000002DB0000.00000040.00000001.sdmp, Offset: 02DB0000, based on PE: false

Similarity

API ID:
String ID: :@Dr
API String ID: 0-3830894600
Opcode ID: 7037c6ceb9e5983795a34d34e2e6ee6c5e8c21906442cc7e05b37153a01d23e4
Instruction ID: 276731e061fa981b563e2d3a75a5befc02c51010558d8b8a4a46add21b203e4f
Opcode Fuzzy Hash: 7037c6ceb9e5983795a34d34e2e6ee6c5e8c21906442cc7e05b37153a01d23e4
Instruction Fuzzy Hash: 67914874B01202CFCB16DF78E468AAA7BF2BF88741F148069D9069B7A4DF759D40CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02DB040C, Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.379279399.0000000002DB0000.00000040.00000001.sdmp, Offset: 02DB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3df9c970768543e4a3e50266fc0619167b7a4c3424ab683159c5334d6e3b3eca
Instruction ID: 8bbd64cd5d597040be4bf2c9b9c3f8a2b83ab4eb461a9e650c90093ed88bc5f9
Opcode Fuzzy Hash: 3df9c970768543e4a3e50266fc0619167b7a4c3424ab683159c5334d6e3b3eca
Instruction Fuzzy Hash: 6F414770B00265CBEB269F78D4A87EE7AB1AF84706F144429D503AB7A0DFB58D45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 02DB06E8, Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.379279399.0000000002DB0000.00000040.00000001.sdmp, Offset: 02DB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e44aa96b20731a623bbf8c29d3dd067f93774f4b3877fb248cffa832f4b7e496
Instruction ID: 06ad35d628b914cdde426f9487b26a0792eba6168117ecb278f548ca9b7405ee
Opcode Fuzzy Hash: e44aa96b20731a623bbf8c29d3dd067f93774f4b3877fb248cffa832f4b7e496
Instruction Fuzzy Hash: 91312B307012108FCB596B7CD02866E3BE2AF86309B2405BED506CF7A1EE35DD468B95

Uniqueness

Uniqueness Score: -1.00%

Function 02DB06F8, Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.379279399.0000000002DB0000.00000040.00000001.sdmp, Offset: 02DB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39aefd71340aab3fd69aab0b18e0040925e04347fe1179f281fb33e6ce29106c
Instruction ID: 95a2e69a89cea5a52e4d7ff45f38234c26a530c30c28c46cac8c134157b708ef
Opcode Fuzzy Hash: 39aefd71340aab3fd69aab0b18e0040925e04347fe1179f281fb33e6ce29106c
Instruction Fuzzy Hash: F221F8307012108FCB59AB7DD02866E3AE6AF85309B1405BEE50ACF7A1EE36DC418B95

Uniqueness

Uniqueness Score: -1.00%

Function 02DB0ED0, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.379279399.0000000002DB0000.00000040.00000001.sdmp, Offset: 02DB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4030e685300e197e590330f80de846c00315cd1a0e32d576403b92877a1b77dd
Instruction ID: 0b59a033b6916228460738c2a04935aa4683a6b96e28f6cb12737c33f99243cb
Opcode Fuzzy Hash: 4030e685300e197e590330f80de846c00315cd1a0e32d576403b92877a1b77dd
Instruction Fuzzy Hash: 0011AD38B00240CFC754DB6CE4889AA7BE6FF99314B1086BAE585C73A5DE746C04CB92

Uniqueness

Uniqueness Score: -1.00%

Function 02DB00A0, Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.379279399.0000000002DB0000.00000040.00000001.sdmp, Offset: 02DB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bd2590090617aa79150db95714c327cde994a7e00026c39c9661397fb9a7ec0
Instruction ID: b6d41ed5a6c6692f7bcf172086d27541b7e2cc0471c83fb8e90090769a055a54
Opcode Fuzzy Hash: 4bd2590090617aa79150db95714c327cde994a7e00026c39c9661397fb9a7ec0
Instruction Fuzzy Hash: 7101D170D0938A9FCB41DFB8DC086DEBFF4EF0A214B1400AAC484E7112E6300A15CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 02DB1070, Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.379279399.0000000002DB0000.00000040.00000001.sdmp, Offset: 02DB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee1acf8679284ce9aebfb362e272557ce7990044cb441a001ecccd4f9c1a2f9b
Instruction ID: e2545c43a8c43564da5005b6c4fdf72a517aedf516a6225cd446a3c5dc3652c0
Opcode Fuzzy Hash: ee1acf8679284ce9aebfb362e272557ce7990044cb441a001ecccd4f9c1a2f9b
Instruction Fuzzy Hash: 78F09031300150EBD71496BE9920FAB779ADBC8660F24456AE70ACB290DE61DC008790

Uniqueness

Uniqueness Score: -1.00%

Function 02DB1060, Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.379279399.0000000002DB0000.00000040.00000001.sdmp, Offset: 02DB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b737476b72a6d96dfb6cb507b52a65ece530d2ed95480d56dddcd53839e29727
Instruction ID: 8d2a090f89047c304108743f9b98f0109ad9d8a111a2875fd37f492d774c875a
Opcode Fuzzy Hash: b737476b72a6d96dfb6cb507b52a65ece530d2ed95480d56dddcd53839e29727
Instruction Fuzzy Hash: 67F0B4307143C0AFD765467D5C20FBB3BA69FC5664F24456AEA49DB2D0DE74DC008754

Uniqueness

Uniqueness Score: -1.00%

Function 02DB10D0, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.379279399.0000000002DB0000.00000040.00000001.sdmp, Offset: 02DB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63f468c113c34e99f5c0835e8f5b2de5221125ac7b80c9f95cbe20a87e6d0bc0
Instruction ID: 796e9e49302488d8e1d03aaaffa3fefd5418ca8ad9f02e9e9cd47e22d80b9aa1
Opcode Fuzzy Hash: 63f468c113c34e99f5c0835e8f5b2de5221125ac7b80c9f95cbe20a87e6d0bc0
Instruction Fuzzy Hash: E8F058B0D1420AAFCB80DFAA98156EFBBF4FF46361B00417AD009D6100E2344A40CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 02DB0F23, Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.379279399.0000000002DB0000.00000040.00000001.sdmp, Offset: 02DB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8aab052d544ef08b4dee807ab6ad1661e450f4393003ada98e2d71ab3a0858bb
Instruction ID: 378653c74d633f497eb37dad5ffaa5a4b24464d4bb5fd860e55ae3b21b6c394b
Opcode Fuzzy Hash: 8aab052d544ef08b4dee807ab6ad1661e450f4393003ada98e2d71ab3a0858bb
Instruction Fuzzy Hash: CAF058387142808FC7A5DBBCE4688A93BE6EF9A22431942EAE445DB271DE745C05CB91

Uniqueness

Uniqueness Score: -1.00%

Function 011805F6, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.378826298.0000000001180000.00000040.00000040.sdmp, Offset: 01180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e100e81b8735954f5fdc36ea2774c358f34094591ea1323b2ef143dab358f7c7
Instruction ID: f82f956fc8d2f48b72b379d92fc758066e645a8ef176419b374f402ccefa0049
Opcode Fuzzy Hash: e100e81b8735954f5fdc36ea2774c358f34094591ea1323b2ef143dab358f7c7
Instruction Fuzzy Hash: 1FE092766046008BD650CF0BEC81462F7D8EB88630B18C07FDD0D8B701E635B504CEA5

Uniqueness

Uniqueness Score: -1.00%

Function 02DB00D0, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.379279399.0000000002DB0000.00000040.00000001.sdmp, Offset: 02DB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9213531a398b0203633d15765e9ef1242ff1e5f910a87025de9e26c9bc0d6db
Instruction ID: a66b0e8e8b6c3c0d951c5e8e4b75e668424a98d63250980238de751184b136c5
Opcode Fuzzy Hash: d9213531a398b0203633d15765e9ef1242ff1e5f910a87025de9e26c9bc0d6db
Instruction Fuzzy Hash: 65E092B1E0521E9F8F50EFB999456DFBFF8FB48291F20446AD609E3200E3315A118BE5

Uniqueness

Uniqueness Score: -1.00%

Function 02DB0F30, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.379279399.0000000002DB0000.00000040.00000001.sdmp, Offset: 02DB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e7879acfa4e047757a2ac7fec831c2e46a0cde705de846529031c4071b9bd68
Instruction ID: 515573600902de43cb273d4f24ddf341f9f2961aa6b66fc6ad1eae69b82839f4
Opcode Fuzzy Hash: 0e7879acfa4e047757a2ac7fec831c2e46a0cde705de846529031c4071b9bd68
Instruction Fuzzy Hash: 00E09A38300010CFC724EBACF04C8AA37EAEB9922031541AAE909D7370EE30AC00CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 02DB10E0, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.379279399.0000000002DB0000.00000040.00000001.sdmp, Offset: 02DB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3881ee03225379b9d743b48649eb17ff87a77eb7d3aa10cafc1490e6461b342b
Instruction ID: 31a680f6cd2c6a5cf9e9279d6178884a7256da0664c7d7a7d5df720754263e8d
Opcode Fuzzy Hash: 3881ee03225379b9d743b48649eb17ff87a77eb7d3aa10cafc1490e6461b342b
Instruction Fuzzy Hash: 40E0B6B1D012099ECB40EFBE98556DFBFF8EB48260F10403AD108E3200E23596118BE1

Uniqueness

Uniqueness Score: -1.00%

Function 013B23F4, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.379078506.00000000013B2000.00000040.00000001.sdmp, Offset: 013B2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18c0833cc5c03de5492bf03f3e1d42b758504675b20f219ba8e9adeb9f96a517
Instruction ID: 51ab5267309eb9a266f6b56b1bfa43d39167efbd865067630c16934a71dc79ea
Opcode Fuzzy Hash: 18c0833cc5c03de5492bf03f3e1d42b758504675b20f219ba8e9adeb9f96a517
Instruction Fuzzy Hash: 02D05E79315A818FE3268A1CC1A8BD63FA4EF51B09F4644FDE9008BA63C368E981D200

Uniqueness

Uniqueness Score: -1.00%

Function 013B23BC, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.379078506.00000000013B2000.00000040.00000001.sdmp, Offset: 013B2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 568692c05d06560df626ac4e84ee4e14811475c911f7c34bd9cfd71e1fd25b08
Instruction ID: 88526e456dc2b4140fffee0baf65b8bf3b3951291424495650ba77d34784e426
Opcode Fuzzy Hash: 568692c05d06560df626ac4e84ee4e14811475c911f7c34bd9cfd71e1fd25b08
Instruction Fuzzy Hash: 84D05E342012818BD715DB0CC5D4F9A3BD4AB41B04F0645E8AE008BA62C3A4E8C1C600

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: dhcpmon.exe PID: 5680 Parent PID: 936 dhcpmon.exeCOMMON

Executed Functions

Function 013FA587, Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

SearchPathW.KERNELBASE(?,00000E2C,?,?), ref: 013FA63A

Memory Dump Source

Source File: 0000000E.00000002.379590647.00000000013FA000.00000040.00000001.sdmp, Offset: 013FA000, based on PE: false

Similarity

API ID: PathSearch
String ID:
API String ID: 2203818243-0
Opcode ID: 73d2f0df925408d1b7b2427ed830df9112481b2a9f7bf9266b154de7e8921d4a
Instruction ID: bc1ceba60a966ba475dbcdd564bb6051f71880bccef1d29ad901ec1cb6bc2898
Opcode Fuzzy Hash: 73d2f0df925408d1b7b2427ed830df9112481b2a9f7bf9266b154de7e8921d4a
Instruction Fuzzy Hash: 60317F7250D3C06FD7138B259C65B62BFB4AF47614F1A81DBD8848F193E225A909C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 013FA4AA, Relevance: 1.6, APIs: 1, Instructions: 79fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,00000E2C,796592DF,00000000,00000000,00000000,00000000), ref: 013FA53D

Memory Dump Source

Source File: 0000000E.00000002.379590647.00000000013FA000.00000040.00000001.sdmp, Offset: 013FA000, based on PE: false

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 73d2db71da4c0ce47235f46ed198f31df2cc8800a128de9098c04d30dba058dc
Instruction ID: 44339014c1799cb4c21f9a71b120d06bda2f23f679af573f149f8d7e397f6518
Opcode Fuzzy Hash: 73d2db71da4c0ce47235f46ed198f31df2cc8800a128de9098c04d30dba058dc
Instruction Fuzzy Hash: C221A371409384AFD7128F65DC44F96BFB8EF06310F0885DBEA849F193D265A509C771

Uniqueness

Uniqueness Score: -1.00%

Function 013FA5C6, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

SearchPathW.KERNELBASE(?,00000E2C,?,?), ref: 013FA63A

Memory Dump Source

Source File: 0000000E.00000002.379590647.00000000013FA000.00000040.00000001.sdmp, Offset: 013FA000, based on PE: false

Similarity

API ID: PathSearch
String ID:
API String ID: 2203818243-0
Opcode ID: 4022b7ec73830efe065c3c8ee0a5d420e787de5b2862aa3c032c7906d3e4adb1
Instruction ID: 04688e54decba18c0a5378ad096ad829e7f7dffb620c6aa24bdfe216290f1595
Opcode Fuzzy Hash: 4022b7ec73830efe065c3c8ee0a5d420e787de5b2862aa3c032c7906d3e4adb1
Instruction Fuzzy Hash: E511E2715043406FD311CF15DC42F62BFB8EF85A20F0485AAED488B642E271B915CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 013FA1F4, Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNELBASE ref: 013FA269

Memory Dump Source

Source File: 0000000E.00000002.379590647.00000000013FA000.00000040.00000001.sdmp, Offset: 013FA000, based on PE: false

Similarity

API ID: ConsoleOutput
String ID:
API String ID: 3985236979-0
Opcode ID: 98ec9b6a5991181afcb09e11bd3d27859ef6ddb7ec283972e2273c2fc32db91e
Instruction ID: 94b26caecaaca4423c2b3227b6a236e9dd6174b9b266cb46225e3bf95dea8019
Opcode Fuzzy Hash: 98ec9b6a5991181afcb09e11bd3d27859ef6ddb7ec283972e2273c2fc32db91e
Instruction Fuzzy Hash: 34216D3540D7C49FD7138B658C95A92BFB4EF07220F0E81DBDD848F1A3D269A909DB62

Uniqueness

Uniqueness Score: -1.00%

Function 013FA4DE, Relevance: 1.6, APIs: 1, Instructions: 60fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,00000E2C,796592DF,00000000,00000000,00000000,00000000), ref: 013FA53D

Memory Dump Source

Source File: 0000000E.00000002.379590647.00000000013FA000.00000040.00000001.sdmp, Offset: 013FA000, based on PE: false

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 6f5d2e245ca1d37bf8641fb18323f53b22ed496a47f1ae4693418ef1914cc60e
Instruction ID: 9828b018e3a5662cdf8efad1a4945c2d26960fe008fa8e828b2ead02fd0a2e88
Opcode Fuzzy Hash: 6f5d2e245ca1d37bf8641fb18323f53b22ed496a47f1ae4693418ef1914cc60e
Instruction Fuzzy Hash: B611C171400204EFEB21CF59DC44FAAFBA8EF44724F14856BEE899B651D375A409CB71

Uniqueness

Uniqueness Score: -1.00%

Function 013FA5EA, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

SearchPathW.KERNELBASE(?,00000E2C,?,?), ref: 013FA63A

Memory Dump Source

Source File: 0000000E.00000002.379590647.00000000013FA000.00000040.00000001.sdmp, Offset: 013FA000, based on PE: false

Similarity

API ID: PathSearch
String ID:
API String ID: 2203818243-0
Opcode ID: eb630ddd0308c96e593e64acd0a372b951129f71040271887a31cc4b01af7d1e
Instruction ID: 75bd051932504670a2ba7f14ecd1e2d936e9c389fcb6566a4db1574b6d88fe2a
Opcode Fuzzy Hash: eb630ddd0308c96e593e64acd0a372b951129f71040271887a31cc4b01af7d1e
Instruction Fuzzy Hash: ED017172500600ABD710DF16DC86F66FBA8EB88B20F14856AED099B741E371B915CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 013FA23A, Relevance: 1.5, APIs: 1, Instructions: 34COMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNELBASE ref: 013FA269

Memory Dump Source

Source File: 0000000E.00000002.379590647.00000000013FA000.00000040.00000001.sdmp, Offset: 013FA000, based on PE: false

Similarity

API ID: ConsoleOutput
String ID:
API String ID: 3985236979-0
Opcode ID: c54c2e35b0ac50e21a8b665567dbe2822c95d47435a3bf64ab7a78fe705da332
Instruction ID: 7265c49e195d9627d96e498d18c7b9e443b064a1c09cfcf16f3ac166e5797d0b
Opcode Fuzzy Hash: c54c2e35b0ac50e21a8b665567dbe2822c95d47435a3bf64ab7a78fe705da332
Instruction Fuzzy Hash: F1F0C234A04644EFDB10CF19D884762FFA4EF04624F18C0AADE494F742D2BAA448CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 014305D2, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.379652473.0000000001430000.00000040.00000040.sdmp, Offset: 01430000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45f04beea2551ce47de81f80c35b860ce6a801d9c4c48478a8e2388ef9e50df9
Instruction ID: 49f0877b1066d84111d4d128ccf4f8ac20747f222dda035fcb1ea165cee08ead
Opcode Fuzzy Hash: 45f04beea2551ce47de81f80c35b860ce6a801d9c4c48478a8e2388ef9e50df9
Instruction Fuzzy Hash: CCF0F9B65083806FD7128F06EC40862FFA8DE86630748C5AFED498B611D225A908CB72

Uniqueness

Uniqueness Score: -1.00%

Function 014305F6, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.379652473.0000000001430000.00000040.00000040.sdmp, Offset: 01430000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46602b4f2cb244bbbf1a41ba9e33d4bc2bf4f119e5fbe2b9640366b3fb4b96f5
Instruction ID: c67269130e0bd484235a7191fddfcb94bf1fd5b8e5ac1c9116041e271f606a65
Opcode Fuzzy Hash: 46602b4f2cb244bbbf1a41ba9e33d4bc2bf4f119e5fbe2b9640366b3fb4b96f5
Instruction Fuzzy Hash: 91E092766046008BD750CF0BEC41452F7D8EB88630B58C17FDC0D8BB00E236B505CEA5

Uniqueness

Uniqueness Score: -1.00%

Function 013F23F4, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.379581056.00000000013F2000.00000040.00000001.sdmp, Offset: 013F2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cbb527852a041cd3801330e6e83cb004b3eef087d668688869d384bf68475de
Instruction ID: 2dbfa26dde6c5158c9dcce4ce12aba27579794716ceae4634289a70ea6b9b51b
Opcode Fuzzy Hash: 6cbb527852a041cd3801330e6e83cb004b3eef087d668688869d384bf68475de
Instruction Fuzzy Hash: 13D05E79215A818FE3278A1CC1A8B963FA4AB51B08F4644FEE9008B663C3A8D981D210

Uniqueness

Uniqueness Score: -1.00%

Function 013F23BC, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.379581056.00000000013F2000.00000040.00000001.sdmp, Offset: 013F2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14ed32cae8ce899c7c9505e41ae04fcb01835bc96909dffb32d6ff5752d761f7
Instruction ID: 0f25d491dcf0822a3857ef97055b95e357a73f6d526103f4aacab7e49cc24822
Opcode Fuzzy Hash: 14ed32cae8ce899c7c9505e41ae04fcb01835bc96909dffb32d6ff5752d761f7
Instruction Fuzzy Hash: 1AD05E742006818BD715DB0CC594F5A3BD4EB41B04F0644EDAE008B662C3A8D881C600

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: dhcpmon.exe PID: 7144 Parent PID: 3440 dhcpmon.exeCOMMON

Executed Functions

Function 015805D7, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.401257756.0000000001580000.00000040.00000040.sdmp, Offset: 01580000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c2e3ac713685bfab367193cff8feb2f191963384d7cd2d009bcf3ca348e0dab
Instruction ID: 099307a90b91a45c61373bd50ce2151991fb866c0d0a3acbcc2bd34e5b987f45
Opcode Fuzzy Hash: 9c2e3ac713685bfab367193cff8feb2f191963384d7cd2d009bcf3ca348e0dab
Instruction Fuzzy Hash: 49F0A9B65097805FD7128B06EC44862FFA8DA86630709C09FED498B611D165A904CB71

Uniqueness

Uniqueness Score: -1.00%

Function 015805F6, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.401257756.0000000001580000.00000040.00000040.sdmp, Offset: 01580000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec1782625fe089e2ab687459132f47a3c9107cc8d39963a96434d170215d6ad4
Instruction ID: f22c7f2a4b5a69556ea281fe71e802f65c93e7f169125652492bc8b582109dba
Opcode Fuzzy Hash: ec1782625fe089e2ab687459132f47a3c9107cc8d39963a96434d170215d6ad4
Instruction Fuzzy Hash: 21E092B66407008BD650CF0BEC45852FBD8EB88630B18C07FDD0D8B700E176B504CEA5

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior.
Tactics:	Discovery
Data Sources:	API monitoring, Azure activity logs, Office 365 account logs, Process command-line parameters, Process monitoring
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report cp573oYDUX.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: NanoCore

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

Operating System Destruction:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Network Port Distribution

TCP Packets

Description:	An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries.
Tactics:	Command and Control
Data Sources:	Network intrusion detection system, Network protocol analysis, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre