Play interactive tour

Edit tour

Analysis Report bbbe7872ea466446da60c4da50020cbb.exe

Overview

General Information

Sample Name:	bbbe7872ea466446da60c4da50020cbb.exe
Analysis ID:	358272
MD5:	88ef84e623f21af8c30d3bba321a7448
SHA1:	701339b101c76fa1ba159c66b48ef2f9b6d73aa8
SHA256:	0095c39f2d6f62dea9fd6d066decab6f0a7acab87829f659efd01bc1d2564bd0
Tags:	exeNanoCorenVpnRAT
Infos:
Most interesting Screenshot:

Detection

Nanocore

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected Nanocore Rat

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: NanoCore

Sigma detected: Scheduled temp file as task from temp location

Yara detected AntiVM_3

Yara detected Nanocore RAT

.NET source code contains potential unpacker

.NET source code contains very large strings

C2 URLs / IPs found in malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses schtasks.exe or at.exe to add and modify task schedules

Antivirus or Machine Learning detection for unpacked file

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

IP address seen in connection with other malware

Installs a raw input device (often for capturing keystrokes)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Startup

System is w10x64

bbbe7872ea466446da60c4da50020cbb.exe (PID: 6780 cmdline: 'C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe' MD5: 88EF84E623F21AF8C30D3BBA321A7448)

bbbe7872ea466446da60c4da50020cbb.exe (PID: 6996 cmdline: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe MD5: 88EF84E623F21AF8C30D3BBA321A7448)

schtasks.exe (PID: 7072 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp7E95.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 7080 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

schtasks.exe (PID: 7124 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp81B3.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 7132 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

bbbe7872ea466446da60c4da50020cbb.exe (PID: 5620 cmdline: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe 0 MD5: 88EF84E623F21AF8C30D3BBA321A7448)

bbbe7872ea466446da60c4da50020cbb.exe (PID: 348 cmdline: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe MD5: 88EF84E623F21AF8C30D3BBA321A7448)

dhcpmon.exe (PID: 5656 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0 MD5: 88EF84E623F21AF8C30D3BBA321A7448)

dhcpmon.exe (PID: 6240 cmdline: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe MD5: 88EF84E623F21AF8C30D3BBA321A7448)

dhcpmon.exe (PID: 6332 cmdline: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe MD5: 88EF84E623F21AF8C30D3BBA321A7448)

dhcpmon.exe (PID: 6084 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: 88EF84E623F21AF8C30D3BBA321A7448)

dhcpmon.exe (PID: 6340 cmdline: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe MD5: 88EF84E623F21AF8C30D3BBA321A7448)

cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "94----", "Group": "V-HASH", "Domain1": "cloudhost.myfirewall.org", "Domain2": "cloudhost.myfirewall.org", "Port": 5654, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "cloudhost.myfirewall.org", "BackupDNSServer": "cloudhost.myfirewall.org", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n  <RegistrationInfo />\r\n  <Triggers />\r\n  <Principals>\r\n    <Principal id=\"Author\">\r\n      <LogonType>InteractiveToken</LogonType>\r\n      <RunLevel>HighestAvailable</RunLevel>\r\n    </Principal>\r\n  </Principals>\r\n  <Settings>\r\n    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n    <AllowHardTerminate>true</AllowHardTerminate>\r\n    <StartWhenAvailable>false</StartWhenAvailable>\r\n    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n    <IdleSettings>\r\n      <StopOnIdleEnd>false</StopOnIdleEnd>\r\n      <RestartOnIdle>false</RestartOnIdle>\r\n    </IdleSettings>\r\n    <AllowStartOnDemand>true</AllowStartOnDemand>\r\n    <Enabled>true</Enabled>\r\n    <Hidden>false</Hidden>\r\n    <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n    <WakeToRun>false</WakeToRun>\r\n    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n    <Priority>4</Priority>\r\n  </Settings>\r\n  <Actions Context=\"Author\">\r\n    <Exec>\r\n      <Command>\"#EXECUTABLEPATH\"</Command>\r\n      <Arguments>$(Arg0)</Arguments>\r\n    </Exec>\r\n  </Actions>\r\n</Task"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
0000000C.00000002.375004523.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000C.00000002.375004523.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000C.00000002.375004523.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
0000000E.00000002.381191346.0000000003D31000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000E.00000002.381191346.0000000003D31000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x49a5d:$a: NanoCore 0x49ab6:$a: NanoCore 0x49af3:$a: NanoCore 0x49b6c:$a: NanoCore 0x5d217:$a: NanoCore 0x5d22c:$a: NanoCore 0x5d261:$a: NanoCore 0x76233:$a: NanoCore 0x76248:$a: NanoCore 0x7627d:$a: NanoCore 0x49abf:$b: ClientPlugin 0x49afc:$b: ClientPlugin 0x4a3fa:$b: ClientPlugin 0x4a407:$b: ClientPlugin 0x5cfd3:$b: ClientPlugin 0x5cfee:$b: ClientPlugin 0x5d01e:$b: ClientPlugin 0x5d235:$b: ClientPlugin 0x5d26a:$b: ClientPlugin 0x75fef:$b: ClientPlugin 0x7600a:$b: ClientPlugin
0000000C.00000002.377624667.0000000002DA1000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000C.00000002.377624667.0000000002DA1000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x238ff:$a: NanoCore 0x23958:$a: NanoCore 0x23995:$a: NanoCore 0x23a0e:$a: NanoCore 0x23961:$b: ClientPlugin 0x2399e:$b: ClientPlugin 0x2429c:$b: ClientPlugin 0x242a9:$b: ClientPlugin 0x1b686:$e: KeepAlive 0x23de9:$g: LogClientMessage 0x23d69:$i: get_Connected 0x15931:$j: #=q 0x15961:$j: #=q 0x1599d:$j: #=q 0x159c5:$j: #=q 0x159f5:$j: #=q 0x15a25:$j: #=q 0x15a55:$j: #=q 0x15a85:$j: #=q 0x15aa1:$j: #=q 0x15ad1:$j: #=q
00000004.00000002.592467577.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000004.00000002.592467577.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000004.00000002.592467577.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
0000000A.00000002.365772164.0000000003DF1000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2ba2fd:$x1: NanoCore.ClientPluginHost 0x2ecd1d:$x1: NanoCore.ClientPluginHost 0x2ba33a:$x2: IClientNetworkHost 0x2ecd5a:$x2: IClientNetworkHost 0x2bde6d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x2f088d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000A.00000002.365772164.0000000003DF1000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000A.00000002.365772164.0000000003DF1000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2ba065:$a: NanoCore 0x2ba075:$a: NanoCore 0x2ba2a9:$a: NanoCore 0x2ba2bd:$a: NanoCore 0x2ba2fd:$a: NanoCore 0x2eca85:$a: NanoCore 0x2eca95:$a: NanoCore 0x2eccc9:$a: NanoCore 0x2eccdd:$a: NanoCore 0x2ecd1d:$a: NanoCore 0x2ba0c4:$b: ClientPlugin 0x2ba2c6:$b: ClientPlugin 0x2ba306:$b: ClientPlugin 0x2ecae4:$b: ClientPlugin 0x2ecce6:$b: ClientPlugin 0x2ecd26:$b: ClientPlugin 0x17dad0:$c: ProjectData 0x1d66f0:$c: ProjectData 0x2ba1eb:$c: ProjectData 0x2ecc0b:$c: ProjectData 0x2babf2:$d: DESCrypto
0000000A.00000002.364695909.0000000002DF1000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000004.00000002.597683140.0000000003D07000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000004.00000002.597683140.0000000003D07000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x3a5d:$a: NanoCore 0x3ab6:$a: NanoCore 0x3af3:$a: NanoCore 0x3b6c:$a: NanoCore 0x17217:$a: NanoCore 0x1722c:$a: NanoCore 0x17261:$a: NanoCore 0x30233:$a: NanoCore 0x30248:$a: NanoCore 0x3027d:$a: NanoCore 0x3abf:$b: ClientPlugin 0x3afc:$b: ClientPlugin 0x43fa:$b: ClientPlugin 0x4407:$b: ClientPlugin 0x16fd3:$b: ClientPlugin 0x16fee:$b: ClientPlugin 0x1701e:$b: ClientPlugin 0x17235:$b: ClientPlugin 0x1726a:$b: ClientPlugin 0x2ffef:$b: ClientPlugin 0x3000a:$b: ClientPlugin
0000000F.00000002.379503086.0000000002831000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
0000000E.00000002.381077094.0000000002D31000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000E.00000002.381077094.0000000002D31000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x238a7:$a: NanoCore 0x23900:$a: NanoCore 0x2393d:$a: NanoCore 0x239b6:$a: NanoCore 0x23909:$b: ClientPlugin 0x23946:$b: ClientPlugin 0x24244:$b: ClientPlugin 0x24251:$b: ClientPlugin 0x1b62e:$e: KeepAlive 0x23d91:$g: LogClientMessage 0x23d11:$i: get_Connected 0x158d9:$j: #=q 0x15909:$j: #=q 0x15945:$j: #=q 0x1596d:$j: #=q 0x1599d:$j: #=q 0x159cd:$j: #=q 0x159fd:$j: #=q 0x15a2d:$j: #=q 0x15a49:$j: #=q 0x15a79:$j: #=q
0000000B.00000002.367529312.0000000003F61000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2ba2fd:$x1: NanoCore.ClientPluginHost 0x2ecd1d:$x1: NanoCore.ClientPluginHost 0x2ba33a:$x2: IClientNetworkHost 0x2ecd5a:$x2: IClientNetworkHost 0x2bde6d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x2f088d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000B.00000002.367529312.0000000003F61000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000B.00000002.367529312.0000000003F61000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2ba065:$a: NanoCore 0x2ba075:$a: NanoCore 0x2ba2a9:$a: NanoCore 0x2ba2bd:$a: NanoCore 0x2ba2fd:$a: NanoCore 0x2eca85:$a: NanoCore 0x2eca95:$a: NanoCore 0x2eccc9:$a: NanoCore 0x2eccdd:$a: NanoCore 0x2ecd1d:$a: NanoCore 0x2ba0c4:$b: ClientPlugin 0x2ba2c6:$b: ClientPlugin 0x2ba306:$b: ClientPlugin 0x2ecae4:$b: ClientPlugin 0x2ecce6:$b: ClientPlugin 0x2ecd26:$b: ClientPlugin 0x17dad0:$c: ProjectData 0x1d66f0:$c: ProjectData 0x2ba1eb:$c: ProjectData 0x2ecc0b:$c: ProjectData 0x2babf2:$d: DESCrypto
00000010.00000002.391674013.0000000004001000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000010.00000002.391674013.0000000004001000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x49a5d:$a: NanoCore 0x49ab6:$a: NanoCore 0x49af3:$a: NanoCore 0x49b6c:$a: NanoCore 0x5d217:$a: NanoCore 0x5d22c:$a: NanoCore 0x5d261:$a: NanoCore 0x76233:$a: NanoCore 0x76248:$a: NanoCore 0x7627d:$a: NanoCore 0x49abf:$b: ClientPlugin 0x49afc:$b: ClientPlugin 0x4a3fa:$b: ClientPlugin 0x4a407:$b: ClientPlugin 0x5cfd3:$b: ClientPlugin 0x5cfee:$b: ClientPlugin 0x5d01e:$b: ClientPlugin 0x5d235:$b: ClientPlugin 0x5d26a:$b: ClientPlugin 0x75fef:$b: ClientPlugin 0x7600a:$b: ClientPlugin
0000000E.00000002.378479336.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000E.00000002.378479336.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000E.00000002.378479336.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000000.00000002.343834467.0000000002D51000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
0000000F.00000002.380529240.0000000003831000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2ba2fd:$x1: NanoCore.ClientPluginHost 0x2ecd1d:$x1: NanoCore.ClientPluginHost 0x2ba33a:$x2: IClientNetworkHost 0x2ecd5a:$x2: IClientNetworkHost 0x2bde6d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x2f088d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000F.00000002.380529240.0000000003831000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000F.00000002.380529240.0000000003831000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2ba065:$a: NanoCore 0x2ba075:$a: NanoCore 0x2ba2a9:$a: NanoCore 0x2ba2bd:$a: NanoCore 0x2ba2fd:$a: NanoCore 0x2eca85:$a: NanoCore 0x2eca95:$a: NanoCore 0x2eccc9:$a: NanoCore 0x2eccdd:$a: NanoCore 0x2ecd1d:$a: NanoCore 0x2ba0c4:$b: ClientPlugin 0x2ba2c6:$b: ClientPlugin 0x2ba306:$b: ClientPlugin 0x2ecae4:$b: ClientPlugin 0x2ecce6:$b: ClientPlugin 0x2ecd26:$b: ClientPlugin 0x17dad0:$c: ProjectData 0x1d66f0:$c: ProjectData 0x2ba1eb:$c: ProjectData 0x2ecc0b:$c: ProjectData 0x2babf2:$d: DESCrypto
00000010.00000002.390499078.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000010.00000002.390499078.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000010.00000002.390499078.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
0000000C.00000002.377737091.0000000003DA1000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000C.00000002.377737091.0000000003DA1000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x49a5d:$a: NanoCore 0x49ab6:$a: NanoCore 0x49af3:$a: NanoCore 0x49b6c:$a: NanoCore 0x5d217:$a: NanoCore 0x5d22c:$a: NanoCore 0x5d261:$a: NanoCore 0x76233:$a: NanoCore 0x76248:$a: NanoCore 0x7627d:$a: NanoCore 0x49abf:$b: ClientPlugin 0x49afc:$b: ClientPlugin 0x4a3fa:$b: ClientPlugin 0x4a407:$b: ClientPlugin 0x5cfd3:$b: ClientPlugin 0x5cfee:$b: ClientPlugin 0x5d01e:$b: ClientPlugin 0x5d235:$b: ClientPlugin 0x5d26a:$b: ClientPlugin 0x75fef:$b: ClientPlugin 0x7600a:$b: ClientPlugin
00000010.00000002.391635582.0000000003001000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000010.00000002.391635582.0000000003001000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x238a7:$a: NanoCore 0x23900:$a: NanoCore 0x2393d:$a: NanoCore 0x239b6:$a: NanoCore 0x23909:$b: ClientPlugin 0x23946:$b: ClientPlugin 0x24244:$b: ClientPlugin 0x24251:$b: ClientPlugin 0x1b62e:$e: KeepAlive 0x23d91:$g: LogClientMessage 0x23d11:$i: get_Connected 0x158d9:$j: #=q 0x15909:$j: #=q 0x15945:$j: #=q 0x1596d:$j: #=q 0x1599d:$j: #=q 0x159cd:$j: #=q 0x159fd:$j: #=q 0x15a2d:$j: #=q 0x15a49:$j: #=q 0x15a79:$j: #=q
00000000.00000002.344108345.0000000003D51000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2ba2fd:$x1: NanoCore.ClientPluginHost 0x2ecd1d:$x1: NanoCore.ClientPluginHost 0x2ba33a:$x2: IClientNetworkHost 0x2ecd5a:$x2: IClientNetworkHost 0x2bde6d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x2f088d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.344108345.0000000003D51000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.344108345.0000000003D51000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2ba065:$a: NanoCore 0x2ba075:$a: NanoCore 0x2ba2a9:$a: NanoCore 0x2ba2bd:$a: NanoCore 0x2ba2fd:$a: NanoCore 0x2eca85:$a: NanoCore 0x2eca95:$a: NanoCore 0x2eccc9:$a: NanoCore 0x2eccdd:$a: NanoCore 0x2ecd1d:$a: NanoCore 0x2ba0c4:$b: ClientPlugin 0x2ba2c6:$b: ClientPlugin 0x2ba306:$b: ClientPlugin 0x2ecae4:$b: ClientPlugin 0x2ecce6:$b: ClientPlugin 0x2ecd26:$b: ClientPlugin 0x17dad0:$c: ProjectData 0x1d66f0:$c: ProjectData 0x2ba1eb:$c: ProjectData 0x2ecc0b:$c: ProjectData 0x2babf2:$d: DESCrypto
0000000B.00000002.367072310.0000000002F61000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: bbbe7872ea466446da60c4da50020cbb.exe PID: 348	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xdb0d:$x1: NanoCore.ClientPluginHost 0x3689b:$x1: NanoCore.ClientPluginHost 0x6b627:$x1: NanoCore.ClientPluginHost 0x711e6:$x1: NanoCore.ClientPluginHost 0x825bf:$x1: NanoCore.ClientPluginHost 0xdb6e:$x2: IClientNetworkHost 0x368c1:$x2: IClientNetworkHost 0x6b64d:$x2: IClientNetworkHost 0x7122b:$x2: IClientNetworkHost 0x82604:$x2: IClientNetworkHost 0x12f73:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x20ee5:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: bbbe7872ea466446da60c4da50020cbb.exe PID: 348	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: bbbe7872ea466446da60c4da50020cbb.exe PID: 348	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xd612:$a: NanoCore 0xd62e:$a: NanoCore 0xd789:$a: NanoCore 0xd798:$a: NanoCore 0xda71:$a: NanoCore 0xda9d:$a: NanoCore 0xdb0d:$a: NanoCore 0x1d54f:$a: NanoCore 0x1d561:$a: NanoCore 0x1d59d:$a: NanoCore 0x29912:$a: NanoCore 0x29998:$a: NanoCore 0x29ae9:$a: NanoCore 0x3678d:$a: NanoCore 0x3682e:$a: NanoCore 0x3689b:$a: NanoCore 0x3695c:$a: NanoCore 0x3782d:$a: NanoCore 0x37880:$a: NanoCore 0x378b9:$a: NanoCore 0x3792c:$a: NanoCore
Process Memory Space: dhcpmon.exe PID: 5656	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: dhcpmon.exe PID: 6340	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x29cf0:$x1: NanoCore.ClientPluginHost 0x2f8af:$x1: NanoCore.ClientPluginHost 0x40c88:$x1: NanoCore.ClientPluginHost 0x570c9:$x1: NanoCore.ClientPluginHost 0x8160b:$x1: NanoCore.ClientPluginHost 0x29d16:$x2: IClientNetworkHost 0x2f8f4:$x2: IClientNetworkHost 0x40ccd:$x2: IClientNetworkHost 0x5712a:$x2: IClientNetworkHost 0x81631:$x2: IClientNetworkHost 0x5c52f:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x6a4a1:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: dhcpmon.exe PID: 6340	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: dhcpmon.exe PID: 6340	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x29be2:$a: NanoCore 0x29c83:$a: NanoCore 0x29cf0:$a: NanoCore 0x29db1:$a: NanoCore 0x2ac82:$a: NanoCore 0x2acd5:$a: NanoCore 0x2ad0e:$a: NanoCore 0x2ad81:$a: NanoCore 0x2f829:$a: NanoCore 0x2f856:$a: NanoCore 0x2f8af:$a: NanoCore 0x370be:$a: NanoCore 0x370d1:$a: NanoCore 0x37103:$a: NanoCore 0x40c02:$a: NanoCore 0x40c2f:$a: NanoCore 0x40c88:$a: NanoCore 0x48497:$a: NanoCore 0x484aa:$a: NanoCore 0x484dc:$a: NanoCore 0x56bce:$a: NanoCore
Process Memory Space: dhcpmon.exe PID: 6084	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: bbbe7872ea466446da60c4da50020cbb.exe PID: 5620	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: dhcpmon.exe PID: 6332	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x102db:$x1: NanoCore.ClientPluginHost 0x15e9a:$x1: NanoCore.ClientPluginHost 0x27273:$x1: NanoCore.ClientPluginHost 0x6dbc9:$x1: NanoCore.ClientPluginHost 0x78531:$x1: NanoCore.ClientPluginHost 0x10301:$x2: IClientNetworkHost 0x15edf:$x2: IClientNetworkHost 0x272b8:$x2: IClientNetworkHost 0x6dbef:$x2: IClientNetworkHost 0x78592:$x2: IClientNetworkHost 0x7d997:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x8b909:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: dhcpmon.exe PID: 6332	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: dhcpmon.exe PID: 6332	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x101cd:$a: NanoCore 0x1026e:$a: NanoCore 0x102db:$a: NanoCore 0x1039c:$a: NanoCore 0x1126d:$a: NanoCore 0x112c0:$a: NanoCore 0x112f9:$a: NanoCore 0x1136c:$a: NanoCore 0x15e14:$a: NanoCore 0x15e41:$a: NanoCore 0x15e9a:$a: NanoCore 0x1d6a9:$a: NanoCore 0x1d6bc:$a: NanoCore 0x1d6ee:$a: NanoCore 0x271ed:$a: NanoCore 0x2721a:$a: NanoCore 0x27273:$a: NanoCore 0x2ea82:$a: NanoCore 0x2ea95:$a: NanoCore 0x2eac7:$a: NanoCore 0x373d3:$a: NanoCore
Process Memory Space: bbbe7872ea466446da60c4da50020cbb.exe PID: 6780	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: bbbe7872ea466446da60c4da50020cbb.exe PID: 6996	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xae55e:$x1: NanoCore.ClientPluginHost 0x13a25a:$x1: NanoCore.ClientPluginHost 0x13fe19:$x1: NanoCore.ClientPluginHost 0x151218:$x1: NanoCore.ClientPluginHost 0x1ad370:$x1: NanoCore.ClientPluginHost 0xae5bf:$x2: IClientNetworkHost 0x13a280:$x2: IClientNetworkHost 0x13fe5e:$x2: IClientNetworkHost 0x15125d:$x2: IClientNetworkHost 0x1ad396:$x2: IClientNetworkHost 0xb39c4:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xc1936:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: bbbe7872ea466446da60c4da50020cbb.exe PID: 6996	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: bbbe7872ea466446da60c4da50020cbb.exe PID: 6996	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x424b6:$a: NanoCore 0xae063:$a: NanoCore 0xae07f:$a: NanoCore 0xae1da:$a: NanoCore 0xae1e9:$a: NanoCore 0xae4c2:$a: NanoCore 0xae4ee:$a: NanoCore 0xae55e:$a: NanoCore 0xbdfa0:$a: NanoCore 0xbdfb2:$a: NanoCore 0xbdfee:$a: NanoCore 0x13a14c:$a: NanoCore 0x13a1ed:$a: NanoCore 0x13a25a:$a: NanoCore 0x13a31b:$a: NanoCore 0x13b1ec:$a: NanoCore 0x13b23f:$a: NanoCore 0x13b278:$a: NanoCore 0x13b2eb:$a: NanoCore 0x13fd93:$a: NanoCore 0x13fdc0:$a: NanoCore
Click to see the 53 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
16.2.dhcpmon.exe.40530dd.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0x241a0:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost 0x241cd:$x2: IClientNetworkHost
16.2.dhcpmon.exe.40530dd.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0x241a0:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0x2527b:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost 0x241ba:$s5: IClientLoggingHost
16.2.dhcpmon.exe.40530dd.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
14.2.dhcpmon.exe.2d53ac8.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
14.2.dhcpmon.exe.2d53ac8.2.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
15.2.dhcpmon.exe.3adb170.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x42bad:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x42bea:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x4671d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
15.2.dhcpmon.exe.3adb170.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x42925:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x42bad:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x441e6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x441da:$s2: FileCommand 0x1266b:$s3: PipeExists 0x4508b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x4ae42:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost 0x42bd7:$s5: IClientLoggingHost
15.2.dhcpmon.exe.3adb170.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
15.2.dhcpmon.exe.3adb170.3.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0x42915:$a: NanoCore 0x42925:$a: NanoCore 0x42b59:$a: NanoCore 0x42b6d:$a: NanoCore 0x42bad:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x42974:$b: ClientPlugin 0x42b76:$b: ClientPlugin 0x42bb6:$b: ClientPlugin 0x1007b:$c: ProjectData 0x42a9b:$c: ProjectData 0x10a82:$d: DESCrypto 0x434a2:$d: DESCrypto 0x1844e:$e: KeepAlive
14.2.dhcpmon.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
14.2.dhcpmon.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
14.2.dhcpmon.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
14.2.dhcpmon.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
12.2.bbbe7872ea466446da60c4da50020cbb.exe.3deeab4.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
12.2.bbbe7872ea466446da60c4da50020cbb.exe.3deeab4.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
12.2.bbbe7872ea466446da60c4da50020cbb.exe.3deeab4.4.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
12.2.bbbe7872ea466446da60c4da50020cbb.exe.3de9c7e.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0x145e3:$x1: NanoCore.ClientPluginHost 0x2d5ff:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost 0x14610:$x2: IClientNetworkHost 0x2d62c:$x2: IClientNetworkHost
12.2.bbbe7872ea466446da60c4da50020cbb.exe.3de9c7e.5.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x145e3:$x2: NanoCore.ClientPluginHost 0x2d5ff:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0x156be:$s4: PipeCreated 0x2e6da:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost 0x145fd:$s5: IClientLoggingHost 0x2d619:$s5: IClientLoggingHost
12.2.bbbe7872ea466446da60c4da50020cbb.exe.3de9c7e.5.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
12.2.bbbe7872ea466446da60c4da50020cbb.exe.3de9c7e.5.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xddf:$a: NanoCore 0xe38:$a: NanoCore 0xe75:$a: NanoCore 0xeee:$a: NanoCore 0x14599:$a: NanoCore 0x145ae:$a: NanoCore 0x145e3:$a: NanoCore 0x2d5b5:$a: NanoCore 0x2d5ca:$a: NanoCore 0x2d5ff:$a: NanoCore 0xe41:$b: ClientPlugin 0xe7e:$b: ClientPlugin 0x177c:$b: ClientPlugin 0x1789:$b: ClientPlugin 0x14355:$b: ClientPlugin 0x14370:$b: ClientPlugin 0x143a0:$b: ClientPlugin 0x145b7:$b: ClientPlugin 0x145ec:$b: ClientPlugin 0x2d371:$b: ClientPlugin 0x2d38c:$b: ClientPlugin
14.2.dhcpmon.exe.3d79c7e.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0x145e3:$x1: NanoCore.ClientPluginHost 0x2d5ff:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost 0x14610:$x2: IClientNetworkHost 0x2d62c:$x2: IClientNetworkHost
14.2.dhcpmon.exe.3d79c7e.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x145e3:$x2: NanoCore.ClientPluginHost 0x2d5ff:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0x156be:$s4: PipeCreated 0x2e6da:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost 0x145fd:$s5: IClientLoggingHost 0x2d619:$s5: IClientLoggingHost
14.2.dhcpmon.exe.3d79c7e.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
14.2.dhcpmon.exe.3d79c7e.4.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xddf:$a: NanoCore 0xe38:$a: NanoCore 0xe75:$a: NanoCore 0xeee:$a: NanoCore 0x14599:$a: NanoCore 0x145ae:$a: NanoCore 0x145e3:$a: NanoCore 0x2d5b5:$a: NanoCore 0x2d5ca:$a: NanoCore 0x2d5ff:$a: NanoCore 0xe41:$b: ClientPlugin 0xe7e:$b: ClientPlugin 0x177c:$b: ClientPlugin 0x1789:$b: ClientPlugin 0x14355:$b: ClientPlugin 0x14370:$b: ClientPlugin 0x143a0:$b: ClientPlugin 0x145b7:$b: ClientPlugin 0x145ec:$b: ClientPlugin 0x2d371:$b: ClientPlugin 0x2d38c:$b: ClientPlugin
14.2.dhcpmon.exe.3d7eab4.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0x287c9:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost 0x287f6:$x2: IClientNetworkHost
14.2.dhcpmon.exe.3d7eab4.5.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x287c9:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0x298a4:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost 0x287e3:$s5: IClientLoggingHost
14.2.dhcpmon.exe.3d7eab4.5.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
12.2.bbbe7872ea466446da60c4da50020cbb.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
12.2.bbbe7872ea466446da60c4da50020cbb.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
12.2.bbbe7872ea466446da60c4da50020cbb.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
12.2.bbbe7872ea466446da60c4da50020cbb.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
15.2.dhcpmon.exe.28588ac.1.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
11.2.dhcpmon.exe.40c14a0.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x159e5d:$x1: NanoCore.ClientPluginHost 0x18c87d:$x1: NanoCore.ClientPluginHost 0x159e9a:$x2: IClientNetworkHost 0x18c8ba:$x2: IClientNetworkHost 0x15d9cd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x1903ed:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
11.2.dhcpmon.exe.40c14a0.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
11.2.dhcpmon.exe.40c14a0.3.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x159bc5:$a: NanoCore 0x159bd5:$a: NanoCore 0x159e09:$a: NanoCore 0x159e1d:$a: NanoCore 0x159e5d:$a: NanoCore 0x18c5e5:$a: NanoCore 0x18c5f5:$a: NanoCore 0x18c829:$a: NanoCore 0x18c83d:$a: NanoCore 0x18c87d:$a: NanoCore 0x159c24:$b: ClientPlugin 0x159e26:$b: ClientPlugin 0x159e66:$b: ClientPlugin 0x18c644:$b: ClientPlugin 0x18c846:$b: ClientPlugin 0x18c886:$b: ClientPlugin 0x1d630:$c: ProjectData 0x76250:$c: ProjectData 0x159d4b:$c: ProjectData 0x18c76b:$c: ProjectData 0x15a752:$d: DESCrypto
4.2.bbbe7872ea466446da60c4da50020cbb.exe.3d0eab4.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
4.2.bbbe7872ea466446da60c4da50020cbb.exe.3d0eab4.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
4.2.bbbe7872ea466446da60c4da50020cbb.exe.3d0eab4.4.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
12.2.bbbe7872ea466446da60c4da50020cbb.exe.2dc3b20.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
12.2.bbbe7872ea466446da60c4da50020cbb.exe.2dc3b20.2.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
10.2.bbbe7872ea466446da60c4da50020cbb.exe.409b170.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x42bad:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x42bea:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x4671d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
10.2.bbbe7872ea466446da60c4da50020cbb.exe.409b170.2.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x42925:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x42bad:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x441e6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x441da:$s2: FileCommand 0x1266b:$s3: PipeExists 0x4508b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x4ae42:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost 0x42bd7:$s5: IClientLoggingHost
10.2.bbbe7872ea466446da60c4da50020cbb.exe.409b170.2.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
10.2.bbbe7872ea466446da60c4da50020cbb.exe.409b170.2.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0x42915:$a: NanoCore 0x42925:$a: NanoCore 0x42b59:$a: NanoCore 0x42b6d:$a: NanoCore 0x42bad:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x42974:$b: ClientPlugin 0x42b76:$b: ClientPlugin 0x42bb6:$b: ClientPlugin 0x1007b:$c: ProjectData 0x42a9b:$c: ProjectData 0x10a82:$d: DESCrypto 0x434a2:$d: DESCrypto 0x1844e:$e: KeepAlive
15.2.dhcpmon.exe.3adb170.3.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
15.2.dhcpmon.exe.3adb170.3.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
15.2.dhcpmon.exe.3adb170.3.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
15.2.dhcpmon.exe.3adb170.3.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
4.2.bbbe7872ea466446da60c4da50020cbb.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
4.2.bbbe7872ea466446da60c4da50020cbb.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
4.2.bbbe7872ea466446da60c4da50020cbb.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
4.2.bbbe7872ea466446da60c4da50020cbb.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
16.2.dhcpmon.exe.4049c7e.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0x145e3:$x1: NanoCore.ClientPluginHost 0x2d5ff:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost 0x14610:$x2: IClientNetworkHost 0x2d62c:$x2: IClientNetworkHost
16.2.dhcpmon.exe.4049c7e.5.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x145e3:$x2: NanoCore.ClientPluginHost 0x2d5ff:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0x156be:$s4: PipeCreated 0x2e6da:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost 0x145fd:$s5: IClientLoggingHost 0x2d619:$s5: IClientLoggingHost
16.2.dhcpmon.exe.4049c7e.5.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
16.2.dhcpmon.exe.4049c7e.5.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xddf:$a: NanoCore 0xe38:$a: NanoCore 0xe75:$a: NanoCore 0xeee:$a: NanoCore 0x14599:$a: NanoCore 0x145ae:$a: NanoCore 0x145e3:$a: NanoCore 0x2d5b5:$a: NanoCore 0x2d5ca:$a: NanoCore 0x2d5ff:$a: NanoCore 0xe41:$b: ClientPlugin 0xe7e:$b: ClientPlugin 0x177c:$b: ClientPlugin 0x1789:$b: ClientPlugin 0x14355:$b: ClientPlugin 0x14370:$b: ClientPlugin 0x143a0:$b: ClientPlugin 0x145b7:$b: ClientPlugin 0x145ec:$b: ClientPlugin 0x2d371:$b: ClientPlugin 0x2d38c:$b: ClientPlugin
12.2.bbbe7872ea466446da60c4da50020cbb.exe.3df30dd.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0x241a0:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost 0x241cd:$x2: IClientNetworkHost
12.2.bbbe7872ea466446da60c4da50020cbb.exe.3df30dd.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0x241a0:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0x2527b:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost 0x241ba:$s5: IClientLoggingHost
12.2.bbbe7872ea466446da60c4da50020cbb.exe.3df30dd.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
4.2.bbbe7872ea466446da60c4da50020cbb.exe.2cd1690.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
4.2.bbbe7872ea466446da60c4da50020cbb.exe.2cd1690.2.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
11.2.dhcpmon.exe.420b170.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x42bad:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x42bea:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x4671d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
11.2.dhcpmon.exe.420b170.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x42925:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x42bad:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x441e6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x441da:$s2: FileCommand 0x1266b:$s3: PipeExists 0x4508b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x4ae42:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost 0x42bd7:$s5: IClientLoggingHost
11.2.dhcpmon.exe.420b170.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
11.2.dhcpmon.exe.420b170.4.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0x42915:$a: NanoCore 0x42925:$a: NanoCore 0x42b59:$a: NanoCore 0x42b6d:$a: NanoCore 0x42bad:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x42974:$b: ClientPlugin 0x42b76:$b: ClientPlugin 0x42bb6:$b: ClientPlugin 0x1007b:$c: ProjectData 0x42a9b:$c: ProjectData 0x10a82:$d: DESCrypto 0x434a2:$d: DESCrypto 0x1844e:$e: KeepAlive
11.2.dhcpmon.exe.420b170.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
11.2.dhcpmon.exe.420b170.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
11.2.dhcpmon.exe.420b170.4.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
11.2.dhcpmon.exe.420b170.4.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
14.2.dhcpmon.exe.3d830dd.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0x241a0:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost 0x241cd:$x2: IClientNetworkHost
14.2.dhcpmon.exe.3d830dd.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0x241a0:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0x2527b:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost 0x241ba:$s5: IClientLoggingHost
14.2.dhcpmon.exe.3d830dd.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
4.2.bbbe7872ea466446da60c4da50020cbb.exe.3d0eab4.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0x287c9:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost 0x287f6:$x2: IClientNetworkHost
4.2.bbbe7872ea466446da60c4da50020cbb.exe.3d0eab4.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x287c9:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0x298a4:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost 0x287e3:$s5: IClientLoggingHost
4.2.bbbe7872ea466446da60c4da50020cbb.exe.3d0eab4.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
16.2.dhcpmon.exe.404eab4.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0x287c9:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost 0x287f6:$x2: IClientNetworkHost
16.2.dhcpmon.exe.404eab4.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x287c9:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0x298a4:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost 0x287e3:$s5: IClientLoggingHost
16.2.dhcpmon.exe.404eab4.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.bbbe7872ea466446da60c4da50020cbb.exe.3f0a0c0.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x10123d:$x1: NanoCore.ClientPluginHost 0x133c5d:$x1: NanoCore.ClientPluginHost 0x10127a:$x2: IClientNetworkHost 0x133c9a:$x2: IClientNetworkHost 0x104dad:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x1377cd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.bbbe7872ea466446da60c4da50020cbb.exe.3f0a0c0.2.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.bbbe7872ea466446da60c4da50020cbb.exe.3f0a0c0.2.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x100fa5:$a: NanoCore 0x100fb5:$a: NanoCore 0x1011e9:$a: NanoCore 0x1011fd:$a: NanoCore 0x10123d:$a: NanoCore 0x1339c5:$a: NanoCore 0x1339d5:$a: NanoCore 0x133c09:$a: NanoCore 0x133c1d:$a: NanoCore 0x133c5d:$a: NanoCore 0x101004:$b: ClientPlugin 0x101206:$b: ClientPlugin 0x101246:$b: ClientPlugin 0x133a24:$b: ClientPlugin 0x133c26:$b: ClientPlugin 0x133c66:$b: ClientPlugin 0x1d630:$c: ProjectData 0x10112b:$c: ProjectData 0x133b4b:$c: ProjectData 0x101b32:$d: DESCrypto 0x134552:$d: DESCrypto
11.2.dhcpmon.exe.411a0c0.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x10123d:$x1: NanoCore.ClientPluginHost 0x133c5d:$x1: NanoCore.ClientPluginHost 0x10127a:$x2: IClientNetworkHost 0x133c9a:$x2: IClientNetworkHost 0x104dad:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x1377cd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
11.2.dhcpmon.exe.411a0c0.2.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
11.2.dhcpmon.exe.411a0c0.2.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x100fa5:$a: NanoCore 0x100fb5:$a: NanoCore 0x1011e9:$a: NanoCore 0x1011fd:$a: NanoCore 0x10123d:$a: NanoCore 0x1339c5:$a: NanoCore 0x1339d5:$a: NanoCore 0x133c09:$a: NanoCore 0x133c1d:$a: NanoCore 0x133c5d:$a: NanoCore 0x101004:$b: ClientPlugin 0x101206:$b: ClientPlugin 0x101246:$b: ClientPlugin 0x133a24:$b: ClientPlugin 0x133c26:$b: ClientPlugin 0x133c66:$b: ClientPlugin 0x1d630:$c: ProjectData 0x10112b:$c: ProjectData 0x133b4b:$c: ProjectData 0x101b32:$d: DESCrypto 0x134552:$d: DESCrypto
12.2.bbbe7872ea466446da60c4da50020cbb.exe.3deeab4.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0x287c9:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost 0x287f6:$x2: IClientNetworkHost
12.2.bbbe7872ea466446da60c4da50020cbb.exe.3deeab4.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x287c9:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0x298a4:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost 0x287e3:$s5: IClientLoggingHost
12.2.bbbe7872ea466446da60c4da50020cbb.exe.3deeab4.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
15.2.dhcpmon.exe.39914a0.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x159e5d:$x1: NanoCore.ClientPluginHost 0x18c87d:$x1: NanoCore.ClientPluginHost 0x159e9a:$x2: IClientNetworkHost 0x18c8ba:$x2: IClientNetworkHost 0x15d9cd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x1903ed:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
15.2.dhcpmon.exe.39914a0.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
15.2.dhcpmon.exe.39914a0.4.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x159bc5:$a: NanoCore 0x159bd5:$a: NanoCore 0x159e09:$a: NanoCore 0x159e1d:$a: NanoCore 0x159e5d:$a: NanoCore 0x18c5e5:$a: NanoCore 0x18c5f5:$a: NanoCore 0x18c829:$a: NanoCore 0x18c83d:$a: NanoCore 0x18c87d:$a: NanoCore 0x159c24:$b: ClientPlugin 0x159e26:$b: ClientPlugin 0x159e66:$b: ClientPlugin 0x18c644:$b: ClientPlugin 0x18c846:$b: ClientPlugin 0x18c886:$b: ClientPlugin 0x1d630:$c: ProjectData 0x76250:$c: ProjectData 0x159d4b:$c: ProjectData 0x18c76b:$c: ProjectData 0x15a752:$d: DESCrypto
16.2.dhcpmon.exe.404eab4.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
16.2.dhcpmon.exe.404eab4.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
16.2.dhcpmon.exe.404eab4.4.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.bbbe7872ea466446da60c4da50020cbb.exe.3ffb170.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.bbbe7872ea466446da60c4da50020cbb.exe.3ffb170.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
0.2.bbbe7872ea466446da60c4da50020cbb.exe.3ffb170.4.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.bbbe7872ea466446da60c4da50020cbb.exe.3ffb170.4.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
4.2.bbbe7872ea466446da60c4da50020cbb.exe.3d130dd.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0x241a0:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost 0x241cd:$x2: IClientNetworkHost
4.2.bbbe7872ea466446da60c4da50020cbb.exe.3d130dd.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0x241a0:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0x2527b:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost 0x241ba:$s5: IClientLoggingHost
4.2.bbbe7872ea466446da60c4da50020cbb.exe.3d130dd.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
16.2.dhcpmon.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
16.2.dhcpmon.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
16.2.dhcpmon.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
16.2.dhcpmon.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
14.2.dhcpmon.exe.3d7eab4.5.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
14.2.dhcpmon.exe.3d7eab4.5.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
14.2.dhcpmon.exe.3d7eab4.5.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.bbbe7872ea466446da60c4da50020cbb.exe.3eb14a0.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x159e5d:$x1: NanoCore.ClientPluginHost 0x18c87d:$x1: NanoCore.ClientPluginHost 0x159e9a:$x2: IClientNetworkHost 0x18c8ba:$x2: IClientNetworkHost 0x15d9cd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x1903ed:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.bbbe7872ea466446da60c4da50020cbb.exe.3eb14a0.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.bbbe7872ea466446da60c4da50020cbb.exe.3eb14a0.3.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x159bc5:$a: NanoCore 0x159bd5:$a: NanoCore 0x159e09:$a: NanoCore 0x159e1d:$a: NanoCore 0x159e5d:$a: NanoCore 0x18c5e5:$a: NanoCore 0x18c5f5:$a: NanoCore 0x18c829:$a: NanoCore 0x18c83d:$a: NanoCore 0x18c87d:$a: NanoCore 0x159c24:$b: ClientPlugin 0x159e26:$b: ClientPlugin 0x159e66:$b: ClientPlugin 0x18c644:$b: ClientPlugin 0x18c846:$b: ClientPlugin 0x18c886:$b: ClientPlugin 0x1d630:$c: ProjectData 0x76250:$c: ProjectData 0x159d4b:$c: ProjectData 0x18c76b:$c: ProjectData 0x15a752:$d: DESCrypto
16.2.dhcpmon.exe.3023ac8.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
16.2.dhcpmon.exe.3023ac8.2.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
10.2.bbbe7872ea466446da60c4da50020cbb.exe.3f514a0.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x159e5d:$x1: NanoCore.ClientPluginHost 0x18c87d:$x1: NanoCore.ClientPluginHost 0x159e9a:$x2: IClientNetworkHost 0x18c8ba:$x2: IClientNetworkHost 0x15d9cd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x1903ed:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
10.2.bbbe7872ea466446da60c4da50020cbb.exe.3f514a0.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
10.2.bbbe7872ea466446da60c4da50020cbb.exe.3f514a0.3.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x159bc5:$a: NanoCore 0x159bd5:$a: NanoCore 0x159e09:$a: NanoCore 0x159e1d:$a: NanoCore 0x159e5d:$a: NanoCore 0x18c5e5:$a: NanoCore 0x18c5f5:$a: NanoCore 0x18c829:$a: NanoCore 0x18c83d:$a: NanoCore 0x18c87d:$a: NanoCore 0x159c24:$b: ClientPlugin 0x159e26:$b: ClientPlugin 0x159e66:$b: ClientPlugin 0x18c644:$b: ClientPlugin 0x18c846:$b: ClientPlugin 0x18c886:$b: ClientPlugin 0x1d630:$c: ProjectData 0x76250:$c: ProjectData 0x159d4b:$c: ProjectData 0x18c76b:$c: ProjectData 0x15a752:$d: DESCrypto
0.2.bbbe7872ea466446da60c4da50020cbb.exe.2d78900.1.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
4.2.bbbe7872ea466446da60c4da50020cbb.exe.3d09c7e.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0x145e3:$x1: NanoCore.ClientPluginHost 0x2d5ff:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost 0x14610:$x2: IClientNetworkHost 0x2d62c:$x2: IClientNetworkHost
4.2.bbbe7872ea466446da60c4da50020cbb.exe.3d09c7e.5.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x145e3:$x2: NanoCore.ClientPluginHost 0x2d5ff:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0x156be:$s4: PipeCreated 0x2e6da:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost 0x145fd:$s5: IClientLoggingHost 0x2d619:$s5: IClientLoggingHost
4.2.bbbe7872ea466446da60c4da50020cbb.exe.3d09c7e.5.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
4.2.bbbe7872ea466446da60c4da50020cbb.exe.3d09c7e.5.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xddf:$a: NanoCore 0xe38:$a: NanoCore 0xe75:$a: NanoCore 0xeee:$a: NanoCore 0x14599:$a: NanoCore 0x145ae:$a: NanoCore 0x145e3:$a: NanoCore 0x2d5b5:$a: NanoCore 0x2d5ca:$a: NanoCore 0x2d5ff:$a: NanoCore 0xe41:$b: ClientPlugin 0xe7e:$b: ClientPlugin 0x177c:$b: ClientPlugin 0x1789:$b: ClientPlugin 0x14355:$b: ClientPlugin 0x14370:$b: ClientPlugin 0x143a0:$b: ClientPlugin 0x145b7:$b: ClientPlugin 0x145ec:$b: ClientPlugin 0x2d371:$b: ClientPlugin 0x2d38c:$b: ClientPlugin
15.2.dhcpmon.exe.39ea0c0.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x10123d:$x1: NanoCore.ClientPluginHost 0x133c5d:$x1: NanoCore.ClientPluginHost 0x10127a:$x2: IClientNetworkHost 0x133c9a:$x2: IClientNetworkHost 0x104dad:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x1377cd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
15.2.dhcpmon.exe.39ea0c0.2.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
15.2.dhcpmon.exe.39ea0c0.2.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x100fa5:$a: NanoCore 0x100fb5:$a: NanoCore 0x1011e9:$a: NanoCore 0x1011fd:$a: NanoCore 0x10123d:$a: NanoCore 0x1339c5:$a: NanoCore 0x1339d5:$a: NanoCore 0x133c09:$a: NanoCore 0x133c1d:$a: NanoCore 0x133c5d:$a: NanoCore 0x101004:$b: ClientPlugin 0x101206:$b: ClientPlugin 0x101246:$b: ClientPlugin 0x133a24:$b: ClientPlugin 0x133c26:$b: ClientPlugin 0x133c66:$b: ClientPlugin 0x1d630:$c: ProjectData 0x10112b:$c: ProjectData 0x133b4b:$c: ProjectData 0x101b32:$d: DESCrypto 0x134552:$d: DESCrypto
10.2.bbbe7872ea466446da60c4da50020cbb.exe.409b170.2.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
10.2.bbbe7872ea466446da60c4da50020cbb.exe.409b170.2.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
10.2.bbbe7872ea466446da60c4da50020cbb.exe.409b170.2.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
10.2.bbbe7872ea466446da60c4da50020cbb.exe.409b170.2.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
0.2.bbbe7872ea466446da60c4da50020cbb.exe.3ffb170.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x42bad:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x42bea:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x4671d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.bbbe7872ea466446da60c4da50020cbb.exe.3ffb170.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x42925:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x42bad:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x441e6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x441da:$s2: FileCommand 0x1266b:$s3: PipeExists 0x4508b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x4ae42:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost 0x42bd7:$s5: IClientLoggingHost
10.2.bbbe7872ea466446da60c4da50020cbb.exe.3faa0c0.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x10123d:$x1: NanoCore.ClientPluginHost 0x133c5d:$x1: NanoCore.ClientPluginHost 0x10127a:$x2: IClientNetworkHost 0x133c9a:$x2: IClientNetworkHost 0x104dad:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x1377cd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
10.2.bbbe7872ea466446da60c4da50020cbb.exe.3faa0c0.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
10.2.bbbe7872ea466446da60c4da50020cbb.exe.3faa0c0.4.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x100fa5:$a: NanoCore 0x100fb5:$a: NanoCore 0x1011e9:$a: NanoCore 0x1011fd:$a: NanoCore 0x10123d:$a: NanoCore 0x1339c5:$a: NanoCore 0x1339d5:$a: NanoCore 0x133c09:$a: NanoCore 0x133c1d:$a: NanoCore 0x133c5d:$a: NanoCore 0x101004:$b: ClientPlugin 0x101206:$b: ClientPlugin 0x101246:$b: ClientPlugin 0x133a24:$b: ClientPlugin 0x133c26:$b: ClientPlugin 0x133c66:$b: ClientPlugin 0x1d630:$c: ProjectData 0x10112b:$c: ProjectData 0x133b4b:$c: ProjectData 0x101b32:$d: DESCrypto 0x134552:$d: DESCrypto
0.2.bbbe7872ea466446da60c4da50020cbb.exe.3ffb170.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.bbbe7872ea466446da60c4da50020cbb.exe.3ffb170.4.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0x42915:$a: NanoCore 0x42925:$a: NanoCore 0x42b59:$a: NanoCore 0x42b6d:$a: NanoCore 0x42bad:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x42974:$b: ClientPlugin 0x42b76:$b: ClientPlugin 0x42bb6:$b: ClientPlugin 0x1007b:$c: ProjectData 0x42a9b:$c: ProjectData 0x10a82:$d: DESCrypto 0x434a2:$d: DESCrypto 0x1844e:$e: KeepAlive
10.2.bbbe7872ea466446da60c4da50020cbb.exe.2e18918.1.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
11.2.dhcpmon.exe.2f888c4.1.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 131 entries

Sigma Overview

System Summary:

Sigma detected: NanoCore

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe, ProcessId: 6996, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Sigma detected: Scheduled temp file as task from temp location

Show sources

Source: Process started

Author: Joe Security: Data: Command: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp7E95.tmp', CommandLine: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp7E95.tmp', CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe, ParentImage: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe, ParentProcessId: 6996, ProcessCommandLine: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp7E95.tmp', ProcessId: 7072

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 0000000E.00000002.381191346.0000000003D31000.00000004.00000001.sdmp

Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "94----", "Group": "V-HASH", "Domain1": "cloudhost.myfirewall.org", "Domain2": "cloudhost.myfirewall.org", "Port": 5654, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "cloudhost.myfirewall.org", "BackupDNSServer": "cloudhost.myfirewall.org", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n <RegistrationInfo />\r\n <Triggers />\r\n <Principals>\r\n <Principal id=\"Author\">\r\n <LogonType>InteractiveToken</LogonType>\r\n <RunLevel>HighestAvailable</RunLevel>\r\n </Principal>\r\n </Principals>\r\n <Settings>\r\n <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n <AllowHardTerminate>true</AllowHardTerminate>\r\n <StartWhenAvailable>false</StartWhenAvailable>\r\n <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n <IdleSettings>\r\n <StopOnIdleEnd>false</StopOnIdleEnd>\r\n <RestartOnIdle>false</RestartOnIdle>\r\n </IdleSettings>\r\n <AllowStartOnDemand>true</AllowStartOnDemand>\r\n <Enabled>true</Enabled>\r\n <Hidden>false</Hidden>\r\n <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n <WakeToRun>false</WakeToRun>\r\n <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n <Priority>4</Priority>\r\n </Settings>\r\n <Actions Context=\"Author\">\r\n <Exec>\r\n <Command>\"#EXECUTABLEPATH\"</Command>\r\n <Arguments>$(Arg0)</Arguments>\r\n </Exec>\r\n </Actions>\r\n</Task"}

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

ReversingLabs: Detection: 34%

Multi AV Scanner detection for submitted file

Show sources

Source: bbbe7872ea466446da60c4da50020cbb.exe

ReversingLabs: Detection: 34%

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 0000000C.00000002.375004523.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.381191346.0000000003D31000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.377624667.0000000002DA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.592467577.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.365772164.0000000003DF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.597683140.0000000003D07000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.381077094.0000000002D31000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.367529312.0000000003F61000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.391674013.0000000004001000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.378479336.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.380529240.0000000003831000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.390499078.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.377737091.0000000003DA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.391635582.0000000003001000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.344108345.0000000003D51000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: bbbe7872ea466446da60c4da50020cbb.exe PID: 348, type: MEMORY
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 6340, type: MEMORY
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 6332, type: MEMORY
Source: Yara match	File source: Process Memory Space: bbbe7872ea466446da60c4da50020cbb.exe PID: 6996, type: MEMORY
Source: Yara match	File source: 16.2.dhcpmon.exe.40530dd.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.dhcpmon.exe.3adb170.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.bbbe7872ea466446da60c4da50020cbb.exe.3deeab4.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.bbbe7872ea466446da60c4da50020cbb.exe.3de9c7e.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.dhcpmon.exe.3d79c7e.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.dhcpmon.exe.3d7eab4.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.bbbe7872ea466446da60c4da50020cbb.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.dhcpmon.exe.40c14a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.bbbe7872ea466446da60c4da50020cbb.exe.3d0eab4.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.bbbe7872ea466446da60c4da50020cbb.exe.409b170.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.dhcpmon.exe.3adb170.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.bbbe7872ea466446da60c4da50020cbb.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.dhcpmon.exe.4049c7e.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.bbbe7872ea466446da60c4da50020cbb.exe.3df30dd.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.dhcpmon.exe.420b170.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.dhcpmon.exe.420b170.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.dhcpmon.exe.3d830dd.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.bbbe7872ea466446da60c4da50020cbb.exe.3d0eab4.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.dhcpmon.exe.404eab4.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.bbbe7872ea466446da60c4da50020cbb.exe.3f0a0c0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.dhcpmon.exe.411a0c0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.bbbe7872ea466446da60c4da50020cbb.exe.3deeab4.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.dhcpmon.exe.39914a0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.dhcpmon.exe.404eab4.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.bbbe7872ea466446da60c4da50020cbb.exe.3ffb170.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.bbbe7872ea466446da60c4da50020cbb.exe.3d130dd.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.dhcpmon.exe.3d7eab4.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.bbbe7872ea466446da60c4da50020cbb.exe.3eb14a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.bbbe7872ea466446da60c4da50020cbb.exe.3f514a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.bbbe7872ea466446da60c4da50020cbb.exe.3d09c7e.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.dhcpmon.exe.39ea0c0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.bbbe7872ea466446da60c4da50020cbb.exe.409b170.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.bbbe7872ea466446da60c4da50020cbb.exe.3faa0c0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.bbbe7872ea466446da60c4da50020cbb.exe.3ffb170.4.raw.unpack, type: UNPACKEDPE

Machine Learning detection for dropped file

Show sources

Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Show sources

Source: bbbe7872ea466446da60c4da50020cbb.exe

Joe Sandbox ML: detected

Source: 14.2.dhcpmon.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 12.2.bbbe7872ea466446da60c4da50020cbb.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 4.2.bbbe7872ea466446da60c4da50020cbb.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 16.2.dhcpmon.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7

Compliance:

Uses 32bit PE files

Show sources

Source: bbbe7872ea466446da60c4da50020cbb.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Uses new MSVCR Dlls

Show sources

Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Jump to behavior

Contains modern PE file flags such as dynamic base (ASLR) or NX

Show sources

Source: bbbe7872ea466446da60c4da50020cbb.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Binary contains paths to debug symbols

Show sources

Source:

Binary string: mscorrc.pdb source: bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000002.348914863.0000000008030000.00000002.00000001.sdmp, bbbe7872ea466446da60c4da50020cbb.exe, 0000000A.00000002.369455397.0000000007BC0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.372863219.0000000007CF0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.386840376.0000000007650000.00000002.00000001.sdmp

Software Vulnerabilities:

Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h	0_2_04F0D098
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h	10_2_0296D098
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h	11_2_02B0D0D8

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: cloudhost.myfirewall.org

Source: global traffic

TCP traffic: 192.168.2.6:49712 -> 79.134.225.105:5654

Source: Joe Sandbox View

IP Address: 79.134.225.105 79.134.225.105

Source: Joe Sandbox View

ASN Name: FINK-TELECOM-SERVICESCH FINK-TELECOM-SERVICESCH

Source: unknown

DNS traffic detected: queries for: cloudhost.myfirewall.org

Source: bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000003.325630674.00000000051A9000.00000004.00000001.sdmp	String found in binary or memory: http://en.w
Source: bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000002.348097971.00000000063B2000.00000004.00000001.sdmp, bbbe7872ea466446da60c4da50020cbb.exe, 0000000A.00000002.367125363.0000000005320000.00000002.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.370057992.0000000005450000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.382568285.0000000004EB0000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: dhcpmon.exe, dhcpmon.exe, 0000000E.00000002.378594437.0000000000502000.00000002.00020000.sdmp, dhcpmon.exe, 0000000F.00000000.371490717.0000000000042000.00000002.00020000.sdmp, dhcpmon.exe, 00000010.00000002.390560823.00000000008F2000.00000002.00020000.sdmp, bbbe7872ea466446da60c4da50020cbb.exe	String found in binary or memory: http://inchat.kro.kr
Source: dhcpmon.exe, dhcpmon.exe, 0000000E.00000002.378594437.0000000000502000.00000002.00020000.sdmp, dhcpmon.exe, 0000000F.00000000.371490717.0000000000042000.00000002.00020000.sdmp, dhcpmon.exe, 00000010.00000002.390560823.00000000008F2000.00000002.00020000.sdmp, bbbe7872ea466446da60c4da50020cbb.exe	String found in binary or memory: http://schooldb.inchat.kro.kr/
Source: bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000002.348097971.00000000063B2000.00000004.00000001.sdmp, bbbe7872ea466446da60c4da50020cbb.exe, 0000000A.00000002.367125363.0000000005320000.00000002.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.370057992.0000000005450000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.382568285.0000000004EB0000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000003.330244134.00000000051DD000.00000004.00000001.sdmp	String found in binary or memory: http://www.ascendercorp.com/typedesigners.html
Source: bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000003.329135863.00000000051A7000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.com
Source: bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000003.329135863.00000000051A7000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.com&
Source: bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000003.328197714.00000000051A6000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.com.
Source: bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000003.328197714.00000000051A6000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comTC
Source: bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000003.328197714.00000000051A6000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comTCw
Source: bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000002.348097971.00000000063B2000.00000004.00000001.sdmp, bbbe7872ea466446da60c4da50020cbb.exe, 0000000A.00000002.367125363.0000000005320000.00000002.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.370057992.0000000005450000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.382568285.0000000004EB0000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000003.328197714.00000000051A6000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.como.
Source: bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000003.328197714.00000000051A6000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comormD
Source: bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000002.348097971.00000000063B2000.00000004.00000001.sdmp, bbbe7872ea466446da60c4da50020cbb.exe, 0000000A.00000002.367125363.0000000005320000.00000002.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.370057992.0000000005450000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.382568285.0000000004EB0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: dhcpmon.exe, 0000000F.00000002.382568285.0000000004EB0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000002.348097971.00000000063B2000.00000004.00000001.sdmp, bbbe7872ea466446da60c4da50020cbb.exe, 0000000A.00000002.367125363.0000000005320000.00000002.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.370057992.0000000005450000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.382568285.0000000004EB0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000003.333166545.00000000051D5000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.html
Source: bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000002.348097971.00000000063B2000.00000004.00000001.sdmp, bbbe7872ea466446da60c4da50020cbb.exe, 0000000A.00000002.367125363.0000000005320000.00000002.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.370057992.0000000005450000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.382568285.0000000004EB0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000003.333166545.00000000051D5000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlo
Source: bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000003.332711004.00000000051D5000.00000004.00000001.sdmp, bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000002.348097971.00000000063B2000.00000004.00000001.sdmp, bbbe7872ea466446da60c4da50020cbb.exe, 0000000A.00000002.367125363.0000000005320000.00000002.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.370057992.0000000005450000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.382568285.0000000004EB0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000002.348097971.00000000063B2000.00000004.00000001.sdmp, bbbe7872ea466446da60c4da50020cbb.exe, 0000000A.00000002.367125363.0000000005320000.00000002.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.370057992.0000000005450000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.382568285.0000000004EB0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000002.348097971.00000000063B2000.00000004.00000001.sdmp, bbbe7872ea466446da60c4da50020cbb.exe, 0000000A.00000002.367125363.0000000005320000.00000002.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.370057992.0000000005450000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.382568285.0000000004EB0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000002.348097971.00000000063B2000.00000004.00000001.sdmp, bbbe7872ea466446da60c4da50020cbb.exe, 0000000A.00000002.367125363.0000000005320000.00000002.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.370057992.0000000005450000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.382568285.0000000004EB0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000002.348097971.00000000063B2000.00000004.00000001.sdmp, bbbe7872ea466446da60c4da50020cbb.exe, 0000000A.00000002.367125363.0000000005320000.00000002.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.370057992.0000000005450000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.382568285.0000000004EB0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000002.348097971.00000000063B2000.00000004.00000001.sdmp, bbbe7872ea466446da60c4da50020cbb.exe, 0000000A.00000002.367125363.0000000005320000.00000002.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.370057992.0000000005450000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.382568285.0000000004EB0000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000003.327774459.00000000051AB000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/
Source: bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000002.348097971.00000000063B2000.00000004.00000001.sdmp, bbbe7872ea466446da60c4da50020cbb.exe, 0000000A.00000002.367125363.0000000005320000.00000002.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.370057992.0000000005450000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.382568285.0000000004EB0000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000002.348097971.00000000063B2000.00000004.00000001.sdmp, bbbe7872ea466446da60c4da50020cbb.exe, 0000000A.00000002.367125363.0000000005320000.00000002.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.370057992.0000000005450000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.382568285.0000000004EB0000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: dhcpmon.exe, dhcpmon.exe, 0000000E.00000002.378594437.0000000000502000.00000002.00020000.sdmp, dhcpmon.exe, 0000000F.00000000.371490717.0000000000042000.00000002.00020000.sdmp, dhcpmon.exe, 00000010.00000002.390560823.00000000008F2000.00000002.00020000.sdmp, bbbe7872ea466446da60c4da50020cbb.exe	String found in binary or memory: http://www.gagalive.kr/livechat1.swf?chatroom=inchat-
Source: bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000003.334789389.00000000051D5000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/
Source: bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000002.348097971.00000000063B2000.00000004.00000001.sdmp, bbbe7872ea466446da60c4da50020cbb.exe, 0000000A.00000002.367125363.0000000005320000.00000002.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.370057992.0000000005450000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.382568285.0000000004EB0000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000002.348097971.00000000063B2000.00000004.00000001.sdmp, bbbe7872ea466446da60c4da50020cbb.exe, 0000000A.00000002.367125363.0000000005320000.00000002.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.370057992.0000000005450000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.382568285.0000000004EB0000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000002.348097971.00000000063B2000.00000004.00000001.sdmp, bbbe7872ea466446da60c4da50020cbb.exe, 0000000A.00000002.367125363.0000000005320000.00000002.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.370057992.0000000005450000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.382568285.0000000004EB0000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000002.348097971.00000000063B2000.00000004.00000001.sdmp, bbbe7872ea466446da60c4da50020cbb.exe, 0000000A.00000002.367125363.0000000005320000.00000002.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.370057992.0000000005450000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.382568285.0000000004EB0000.00000002.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000003.329603375.00000000051A8000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/(
Source: bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000003.329603375.00000000051A8000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp//
Source: bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000003.329603375.00000000051A8000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/D
Source: bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000003.329603375.00000000051A8000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/vvT
Source: bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000002.348097971.00000000063B2000.00000004.00000001.sdmp, bbbe7872ea466446da60c4da50020cbb.exe, 0000000A.00000002.367125363.0000000005320000.00000002.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.370057992.0000000005450000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.382568285.0000000004EB0000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000002.348097971.00000000063B2000.00000004.00000001.sdmp, bbbe7872ea466446da60c4da50020cbb.exe, 0000000A.00000002.367125363.0000000005320000.00000002.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.370057992.0000000005450000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.382568285.0000000004EB0000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000002.348097971.00000000063B2000.00000004.00000001.sdmp, bbbe7872ea466446da60c4da50020cbb.exe, 0000000A.00000002.367125363.0000000005320000.00000002.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.370057992.0000000005450000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.382568285.0000000004EB0000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: dhcpmon.exe, 0000000F.00000002.382568285.0000000004EB0000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000002.348097971.00000000063B2000.00000004.00000001.sdmp, bbbe7872ea466446da60c4da50020cbb.exe, 0000000A.00000002.367125363.0000000005320000.00000002.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.370057992.0000000005450000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.382568285.0000000004EB0000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000002.348097971.00000000063B2000.00000004.00000001.sdmp, bbbe7872ea466446da60c4da50020cbb.exe, 0000000A.00000002.367125363.0000000005320000.00000002.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.370057992.0000000005450000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.382568285.0000000004EB0000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000002.348097971.00000000063B2000.00000004.00000001.sdmp, bbbe7872ea466446da60c4da50020cbb.exe, 0000000A.00000002.367125363.0000000005320000.00000002.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.370057992.0000000005450000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.382568285.0000000004EB0000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000003.328197714.00000000051A6000.00000004.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cnp
Source: bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000002.343834467.0000000002D51000.00000004.00000001.sdmp, bbbe7872ea466446da60c4da50020cbb.exe, 0000000A.00000002.364695909.0000000002DF1000.00000004.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.367072310.0000000002F61000.00000004.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.379503086.0000000002831000.00000004.00000001.sdmp	String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Source: bbbe7872ea466446da60c4da50020cbb.exe, 00000004.00000002.597683140.0000000003D07000.00000004.00000001.sdmp

Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 0000000C.00000002.375004523.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.381191346.0000000003D31000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.377624667.0000000002DA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.592467577.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.365772164.0000000003DF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.597683140.0000000003D07000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.381077094.0000000002D31000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.367529312.0000000003F61000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.391674013.0000000004001000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.378479336.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.380529240.0000000003831000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.390499078.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.377737091.0000000003DA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.391635582.0000000003001000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.344108345.0000000003D51000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: bbbe7872ea466446da60c4da50020cbb.exe PID: 348, type: MEMORY
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 6340, type: MEMORY
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 6332, type: MEMORY
Source: Yara match	File source: Process Memory Space: bbbe7872ea466446da60c4da50020cbb.exe PID: 6996, type: MEMORY
Source: Yara match	File source: 16.2.dhcpmon.exe.40530dd.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.dhcpmon.exe.3adb170.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.bbbe7872ea466446da60c4da50020cbb.exe.3deeab4.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.bbbe7872ea466446da60c4da50020cbb.exe.3de9c7e.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.dhcpmon.exe.3d79c7e.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.dhcpmon.exe.3d7eab4.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.bbbe7872ea466446da60c4da50020cbb.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.dhcpmon.exe.40c14a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.bbbe7872ea466446da60c4da50020cbb.exe.3d0eab4.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.bbbe7872ea466446da60c4da50020cbb.exe.409b170.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.dhcpmon.exe.3adb170.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.bbbe7872ea466446da60c4da50020cbb.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.dhcpmon.exe.4049c7e.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.bbbe7872ea466446da60c4da50020cbb.exe.3df30dd.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.dhcpmon.exe.420b170.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.dhcpmon.exe.420b170.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.dhcpmon.exe.3d830dd.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.bbbe7872ea466446da60c4da50020cbb.exe.3d0eab4.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.dhcpmon.exe.404eab4.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.bbbe7872ea466446da60c4da50020cbb.exe.3f0a0c0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.dhcpmon.exe.411a0c0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.bbbe7872ea466446da60c4da50020cbb.exe.3deeab4.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.dhcpmon.exe.39914a0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.dhcpmon.exe.404eab4.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.bbbe7872ea466446da60c4da50020cbb.exe.3ffb170.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.bbbe7872ea466446da60c4da50020cbb.exe.3d130dd.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.dhcpmon.exe.3d7eab4.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.bbbe7872ea466446da60c4da50020cbb.exe.3eb14a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.bbbe7872ea466446da60c4da50020cbb.exe.3f514a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.bbbe7872ea466446da60c4da50020cbb.exe.3d09c7e.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.dhcpmon.exe.39ea0c0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.bbbe7872ea466446da60c4da50020cbb.exe.409b170.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.bbbe7872ea466446da60c4da50020cbb.exe.3faa0c0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.bbbe7872ea466446da60c4da50020cbb.exe.3ffb170.4.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 0000000C.00000002.375004523.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000002.375004523.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000E.00000002.381191346.0000000003D31000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000002.377624667.0000000002DA1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000002.592467577.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000004.00000002.592467577.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000A.00000002.365772164.0000000003DF1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000A.00000002.365772164.0000000003DF1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000002.597683140.0000000003D07000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000E.00000002.381077094.0000000002D31000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000B.00000002.367529312.0000000003F61000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000B.00000002.367529312.0000000003F61000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000010.00000002.391674013.0000000004001000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000E.00000002.378479336.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000E.00000002.378479336.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000F.00000002.380529240.0000000003831000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000F.00000002.380529240.0000000003831000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000010.00000002.390499078.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000010.00000002.390499078.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000002.377737091.0000000003DA1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000010.00000002.391635582.0000000003001000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.344108345.0000000003D51000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.344108345.0000000003D51000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: bbbe7872ea466446da60c4da50020cbb.exe PID: 348, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: bbbe7872ea466446da60c4da50020cbb.exe PID: 348, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: dhcpmon.exe PID: 6340, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: dhcpmon.exe PID: 6340, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: dhcpmon.exe PID: 6332, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: dhcpmon.exe PID: 6332, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: bbbe7872ea466446da60c4da50020cbb.exe PID: 6996, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: bbbe7872ea466446da60c4da50020cbb.exe PID: 6996, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.2.dhcpmon.exe.40530dd.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.2.dhcpmon.exe.2d53ac8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 15.2.dhcpmon.exe.3adb170.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 15.2.dhcpmon.exe.3adb170.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.2.bbbe7872ea466446da60c4da50020cbb.exe.3deeab4.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.bbbe7872ea466446da60c4da50020cbb.exe.3de9c7e.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.bbbe7872ea466446da60c4da50020cbb.exe.3de9c7e.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.2.dhcpmon.exe.3d79c7e.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.2.dhcpmon.exe.3d79c7e.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.2.dhcpmon.exe.3d7eab4.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.bbbe7872ea466446da60c4da50020cbb.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.bbbe7872ea466446da60c4da50020cbb.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.2.dhcpmon.exe.40c14a0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.2.dhcpmon.exe.40c14a0.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.bbbe7872ea466446da60c4da50020cbb.exe.3d0eab4.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.bbbe7872ea466446da60c4da50020cbb.exe.2dc3b20.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 10.2.bbbe7872ea466446da60c4da50020cbb.exe.409b170.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 10.2.bbbe7872ea466446da60c4da50020cbb.exe.409b170.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 15.2.dhcpmon.exe.3adb170.3.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 15.2.dhcpmon.exe.3adb170.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.bbbe7872ea466446da60c4da50020cbb.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.bbbe7872ea466446da60c4da50020cbb.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.2.dhcpmon.exe.4049c7e.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 16.2.dhcpmon.exe.4049c7e.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.2.bbbe7872ea466446da60c4da50020cbb.exe.3df30dd.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.bbbe7872ea466446da60c4da50020cbb.exe.2cd1690.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.2.dhcpmon.exe.420b170.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.2.dhcpmon.exe.420b170.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.2.dhcpmon.exe.420b170.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.2.dhcpmon.exe.420b170.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.2.dhcpmon.exe.3d830dd.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.bbbe7872ea466446da60c4da50020cbb.exe.3d0eab4.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 16.2.dhcpmon.exe.404eab4.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.bbbe7872ea466446da60c4da50020cbb.exe.3f0a0c0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.bbbe7872ea466446da60c4da50020cbb.exe.3f0a0c0.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.2.dhcpmon.exe.411a0c0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.2.dhcpmon.exe.411a0c0.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.2.bbbe7872ea466446da60c4da50020cbb.exe.3deeab4.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 15.2.dhcpmon.exe.39914a0.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 15.2.dhcpmon.exe.39914a0.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.2.dhcpmon.exe.404eab4.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.bbbe7872ea466446da60c4da50020cbb.exe.3ffb170.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.bbbe7872ea466446da60c4da50020cbb.exe.3ffb170.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.bbbe7872ea466446da60c4da50020cbb.exe.3d130dd.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 16.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 16.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.2.dhcpmon.exe.3d7eab4.5.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.bbbe7872ea466446da60c4da50020cbb.exe.3eb14a0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.bbbe7872ea466446da60c4da50020cbb.exe.3eb14a0.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.2.dhcpmon.exe.3023ac8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 10.2.bbbe7872ea466446da60c4da50020cbb.exe.3f514a0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 10.2.bbbe7872ea466446da60c4da50020cbb.exe.3f514a0.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.bbbe7872ea466446da60c4da50020cbb.exe.3d09c7e.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.bbbe7872ea466446da60c4da50020cbb.exe.3d09c7e.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 15.2.dhcpmon.exe.39ea0c0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 15.2.dhcpmon.exe.39ea0c0.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 10.2.bbbe7872ea466446da60c4da50020cbb.exe.409b170.2.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 10.2.bbbe7872ea466446da60c4da50020cbb.exe.409b170.2.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.bbbe7872ea466446da60c4da50020cbb.exe.3ffb170.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 10.2.bbbe7872ea466446da60c4da50020cbb.exe.3faa0c0.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 10.2.bbbe7872ea466446da60c4da50020cbb.exe.3faa0c0.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.bbbe7872ea466446da60c4da50020cbb.exe.3ffb170.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>

.NET source code contains very large strings

Show sources

Source: bbbe7872ea466446da60c4da50020cbb.exe, frmLogin.cs	Long String: Length: 13656
Source: 0.2.bbbe7872ea466446da60c4da50020cbb.exe.590000.0.unpack, frmLogin.cs	Long String: Length: 13656
Source: 0.0.bbbe7872ea466446da60c4da50020cbb.exe.590000.0.unpack, frmLogin.cs	Long String: Length: 13656
Source: dhcpmon.exe.4.dr, frmLogin.cs	Long String: Length: 13656
Source: 4.0.bbbe7872ea466446da60c4da50020cbb.exe.620000.0.unpack, frmLogin.cs	Long String: Length: 13656
Source: 4.2.bbbe7872ea466446da60c4da50020cbb.exe.620000.1.unpack, frmLogin.cs	Long String: Length: 13656
Source: 10.0.bbbe7872ea466446da60c4da50020cbb.exe.720000.0.unpack, frmLogin.cs	Long String: Length: 13656
Source: 10.2.bbbe7872ea466446da60c4da50020cbb.exe.720000.0.unpack, frmLogin.cs	Long String: Length: 13656
Source: 11.2.dhcpmon.exe.720000.0.unpack, frmLogin.cs	Long String: Length: 13656

Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Code function: 0_2_0059AC81	0_2_0059AC81
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Code function: 0_2_04F052D8	0_2_04F052D8
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Code function: 0_2_04F04890	0_2_04F04890
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Code function: 0_2_04F04688	0_2_04F04688
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Code function: 0_2_04F052C8	0_2_04F052C8
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Code function: 0_2_04F04678	0_2_04F04678
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Code function: 0_2_04F0C198	0_2_04F0C198
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Code function: 0_2_0059AF8E	0_2_0059AF8E
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Code function: 4_2_0062AC81	4_2_0062AC81
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Code function: 4_2_01117AC1	4_2_01117AC1
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Code function: 4_2_0062AF8E	4_2_0062AF8E
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Code function: 10_2_0072AC81	10_2_0072AC81
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Code function: 10_2_01072E09	10_2_01072E09
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Code function: 10_2_02964890	10_2_02964890
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Code function: 10_2_02964688	10_2_02964688
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Code function: 10_2_029652D8	10_2_029652D8
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Code function: 10_2_02964880	10_2_02964880
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Code function: 10_2_029652C8	10_2_029652C8
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Code function: 10_2_02964678	10_2_02964678
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Code function: 10_2_0296C198	10_2_0296C198
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Code function: 10_2_0072AF8E	10_2_0072AF8E
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 11_2_00EC2E09	11_2_00EC2E09
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 11_2_02B04890	11_2_02B04890
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 11_2_02B04688	11_2_02B04688
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 11_2_02B052D8	11_2_02B052D8
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 11_2_02B052C8	11_2_02B052C8
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 11_2_02B04678	11_2_02B04678
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 11_2_02B0C198	11_2_02B0C198
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Code function: 12_2_0079AC81	12_2_0079AC81
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Code function: 12_2_04FD2FA8	12_2_04FD2FA8
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Code function: 12_2_04FD23A0	12_2_04FD23A0
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Code function: 12_2_04FD3850	12_2_04FD3850
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Code function: 12_2_04FD306F	12_2_04FD306F
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Code function: 12_2_0079AF8E	12_2_0079AF8E
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 13_2_001FAC81	13_2_001FAC81
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 13_2_001FAF8E	13_2_001FAF8E
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 14_2_0050AC81	14_2_0050AC81
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 14_2_04D423A0	14_2_04D423A0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 14_2_04D42FA8	14_2_04D42FA8
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 14_2_04D43850	14_2_04D43850
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 14_2_04D4306F	14_2_04D4306F
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 14_2_0050AF8E	14_2_0050AF8E

Source: bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000002.342613471.000000000060A000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameSystemLazyDebugView.exe. vs bbbe7872ea466446da60c4da50020cbb.exe
Source: bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000002.343834467.0000000002D51000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameAsyncState.dllF vs bbbe7872ea466446da60c4da50020cbb.exe
Source: bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000002.348914863.0000000008030000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs bbbe7872ea466446da60c4da50020cbb.exe
Source: bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000002.349527090.00000000081F0000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameLegacyPathHandling.dllN vs bbbe7872ea466446da60c4da50020cbb.exe
Source: bbbe7872ea466446da60c4da50020cbb.exe, 00000004.00000002.597683140.0000000003D07000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameClientPlugin.dll4 vs bbbe7872ea466446da60c4da50020cbb.exe
Source: bbbe7872ea466446da60c4da50020cbb.exe, 00000004.00000002.597683140.0000000003D07000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameLzma#.dll4 vs bbbe7872ea466446da60c4da50020cbb.exe
Source: bbbe7872ea466446da60c4da50020cbb.exe, 00000004.00000002.597683140.0000000003D07000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs bbbe7872ea466446da60c4da50020cbb.exe
Source: bbbe7872ea466446da60c4da50020cbb.exe, 00000004.00000000.340812552.000000000069A000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameSystemLazyDebugView.exe. vs bbbe7872ea466446da60c4da50020cbb.exe
Source: bbbe7872ea466446da60c4da50020cbb.exe, 0000000A.00000000.350174572.000000000079A000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameSystemLazyDebugView.exe. vs bbbe7872ea466446da60c4da50020cbb.exe
Source: bbbe7872ea466446da60c4da50020cbb.exe, 0000000A.00000002.370141196.0000000007D70000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameLegacyPathHandling.dllN vs bbbe7872ea466446da60c4da50020cbb.exe
Source: bbbe7872ea466446da60c4da50020cbb.exe, 0000000A.00000002.364695909.0000000002DF1000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameAsyncState.dllF vs bbbe7872ea466446da60c4da50020cbb.exe
Source: bbbe7872ea466446da60c4da50020cbb.exe, 0000000A.00000002.369455397.0000000007BC0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs bbbe7872ea466446da60c4da50020cbb.exe
Source: bbbe7872ea466446da60c4da50020cbb.exe, 0000000C.00000000.353961165.000000000080A000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameSystemLazyDebugView.exe. vs bbbe7872ea466446da60c4da50020cbb.exe
Source: bbbe7872ea466446da60c4da50020cbb.exe, 0000000C.00000002.377624667.0000000002DA1000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs bbbe7872ea466446da60c4da50020cbb.exe
Source: bbbe7872ea466446da60c4da50020cbb.exe, 0000000C.00000002.377624667.0000000002DA1000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameClientPlugin.dll4 vs bbbe7872ea466446da60c4da50020cbb.exe
Source: bbbe7872ea466446da60c4da50020cbb.exe, 0000000C.00000002.378738155.00000000050F0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameuser32j% vs bbbe7872ea466446da60c4da50020cbb.exe
Source: bbbe7872ea466446da60c4da50020cbb.exe, 0000000C.00000002.377737091.0000000003DA1000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameLzma#.dll4 vs bbbe7872ea466446da60c4da50020cbb.exe
Source: bbbe7872ea466446da60c4da50020cbb.exe	Binary or memory string: OriginalFilenameSystemLazyDebugView.exe. vs bbbe7872ea466446da60c4da50020cbb.exe

Source: bbbe7872ea466446da60c4da50020cbb.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: 0000000C.00000002.375004523.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000C.00000002.375004523.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000E.00000002.381191346.0000000003D31000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000C.00000002.377624667.0000000002DA1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000004.00000002.592467577.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000004.00000002.592467577.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000A.00000002.365772164.0000000003DF1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000A.00000002.365772164.0000000003DF1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000004.00000002.597683140.0000000003D07000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000E.00000002.381077094.0000000002D31000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000B.00000002.367529312.0000000003F61000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000B.00000002.367529312.0000000003F61000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000010.00000002.391674013.0000000004001000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000E.00000002.378479336.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000E.00000002.378479336.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000F.00000002.380529240.0000000003831000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000F.00000002.380529240.0000000003831000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000010.00000002.390499078.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000010.00000002.390499078.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000C.00000002.377737091.0000000003DA1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000010.00000002.391635582.0000000003001000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.344108345.0000000003D51000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.344108345.0000000003D51000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: bbbe7872ea466446da60c4da50020cbb.exe PID: 348, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: bbbe7872ea466446da60c4da50020cbb.exe PID: 348, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: dhcpmon.exe PID: 6340, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: dhcpmon.exe PID: 6340, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: dhcpmon.exe PID: 6332, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: dhcpmon.exe PID: 6332, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: bbbe7872ea466446da60c4da50020cbb.exe PID: 6996, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: bbbe7872ea466446da60c4da50020cbb.exe PID: 6996, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 16.2.dhcpmon.exe.40530dd.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 16.2.dhcpmon.exe.40530dd.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 14.2.dhcpmon.exe.2d53ac8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.dhcpmon.exe.2d53ac8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 15.2.dhcpmon.exe.3adb170.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 15.2.dhcpmon.exe.3adb170.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 15.2.dhcpmon.exe.3adb170.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 14.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 14.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 12.2.bbbe7872ea466446da60c4da50020cbb.exe.3deeab4.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.bbbe7872ea466446da60c4da50020cbb.exe.3deeab4.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.bbbe7872ea466446da60c4da50020cbb.exe.3de9c7e.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.bbbe7872ea466446da60c4da50020cbb.exe.3de9c7e.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.bbbe7872ea466446da60c4da50020cbb.exe.3de9c7e.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 14.2.dhcpmon.exe.3d79c7e.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.dhcpmon.exe.3d79c7e.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 14.2.dhcpmon.exe.3d79c7e.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 14.2.dhcpmon.exe.3d7eab4.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.dhcpmon.exe.3d7eab4.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.bbbe7872ea466446da60c4da50020cbb.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.bbbe7872ea466446da60c4da50020cbb.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.bbbe7872ea466446da60c4da50020cbb.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 11.2.dhcpmon.exe.40c14a0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.dhcpmon.exe.40c14a0.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.2.bbbe7872ea466446da60c4da50020cbb.exe.3d0eab4.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.bbbe7872ea466446da60c4da50020cbb.exe.3d0eab4.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.bbbe7872ea466446da60c4da50020cbb.exe.2dc3b20.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.bbbe7872ea466446da60c4da50020cbb.exe.2dc3b20.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.2.bbbe7872ea466446da60c4da50020cbb.exe.409b170.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 10.2.bbbe7872ea466446da60c4da50020cbb.exe.409b170.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.2.bbbe7872ea466446da60c4da50020cbb.exe.409b170.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 15.2.dhcpmon.exe.3adb170.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 15.2.dhcpmon.exe.3adb170.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 15.2.dhcpmon.exe.3adb170.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.2.bbbe7872ea466446da60c4da50020cbb.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.bbbe7872ea466446da60c4da50020cbb.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.bbbe7872ea466446da60c4da50020cbb.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 16.2.dhcpmon.exe.4049c7e.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 16.2.dhcpmon.exe.4049c7e.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 16.2.dhcpmon.exe.4049c7e.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 12.2.bbbe7872ea466446da60c4da50020cbb.exe.3df30dd.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.bbbe7872ea466446da60c4da50020cbb.exe.3df30dd.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.bbbe7872ea466446da60c4da50020cbb.exe.2cd1690.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.bbbe7872ea466446da60c4da50020cbb.exe.2cd1690.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.2.dhcpmon.exe.420b170.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.dhcpmon.exe.420b170.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.2.dhcpmon.exe.420b170.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 11.2.dhcpmon.exe.420b170.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.dhcpmon.exe.420b170.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.2.dhcpmon.exe.420b170.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 14.2.dhcpmon.exe.3d830dd.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.dhcpmon.exe.3d830dd.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.bbbe7872ea466446da60c4da50020cbb.exe.3d0eab4.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.bbbe7872ea466446da60c4da50020cbb.exe.3d0eab4.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 16.2.dhcpmon.exe.404eab4.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 16.2.dhcpmon.exe.404eab4.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.bbbe7872ea466446da60c4da50020cbb.exe.3f0a0c0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.bbbe7872ea466446da60c4da50020cbb.exe.3f0a0c0.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 11.2.dhcpmon.exe.411a0c0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.dhcpmon.exe.411a0c0.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 12.2.bbbe7872ea466446da60c4da50020cbb.exe.3deeab4.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.bbbe7872ea466446da60c4da50020cbb.exe.3deeab4.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 15.2.dhcpmon.exe.39914a0.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 15.2.dhcpmon.exe.39914a0.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 16.2.dhcpmon.exe.404eab4.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 16.2.dhcpmon.exe.404eab4.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.bbbe7872ea466446da60c4da50020cbb.exe.3ffb170.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.bbbe7872ea466446da60c4da50020cbb.exe.3ffb170.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.bbbe7872ea466446da60c4da50020cbb.exe.3ffb170.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.2.bbbe7872ea466446da60c4da50020cbb.exe.3d130dd.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.bbbe7872ea466446da60c4da50020cbb.exe.3d130dd.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 16.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 16.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 16.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 14.2.dhcpmon.exe.3d7eab4.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.dhcpmon.exe.3d7eab4.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.bbbe7872ea466446da60c4da50020cbb.exe.3eb14a0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.bbbe7872ea466446da60c4da50020cbb.exe.3eb14a0.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 16.2.dhcpmon.exe.3023ac8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 16.2.dhcpmon.exe.3023ac8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.2.bbbe7872ea466446da60c4da50020cbb.exe.3f514a0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 10.2.bbbe7872ea466446da60c4da50020cbb.exe.3f514a0.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.2.bbbe7872ea466446da60c4da50020cbb.exe.3d09c7e.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.bbbe7872ea466446da60c4da50020cbb.exe.3d09c7e.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.bbbe7872ea466446da60c4da50020cbb.exe.3d09c7e.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 15.2.dhcpmon.exe.39ea0c0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 15.2.dhcpmon.exe.39ea0c0.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 10.2.bbbe7872ea466446da60c4da50020cbb.exe.409b170.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 10.2.bbbe7872ea466446da60c4da50020cbb.exe.409b170.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.2.bbbe7872ea466446da60c4da50020cbb.exe.409b170.2.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.bbbe7872ea466446da60c4da50020cbb.exe.3ffb170.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.bbbe7872ea466446da60c4da50020cbb.exe.3ffb170.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.2.bbbe7872ea466446da60c4da50020cbb.exe.3faa0c0.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 10.2.bbbe7872ea466446da60c4da50020cbb.exe.3faa0c0.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.bbbe7872ea466446da60c4da50020cbb.exe.3ffb170.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore

Source: bbbe7872ea466446da60c4da50020cbb.exe	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: dhcpmon.exe.4.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: 4.2.bbbe7872ea466446da60c4da50020cbb.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 4.2.bbbe7872ea466446da60c4da50020cbb.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 4.2.bbbe7872ea466446da60c4da50020cbb.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: bbbe7872ea466446da60c4da50020cbb.exe, frmLogin.cs	Base64 encoded string: 'GIdDNNZNNNNRNNNN//8NNYtNNNNNNNNNDNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNtNNNNN4sht4NgNaAVotOGZ0uITucplOjpz9apzSgVTAuoz5iqPOvMFOlqJ4tnJ4tER9GVT1iMTHhQD0XWNNNNNNNNNODEDNNGNRQNViu868NNNNNNNNNNBNNNvRYNINNNPNNNNNTNNNNNNNNlw8NNNNtNNNNDNNNNNNNRDNtNNNNNtNNONNNNNNNNNNRNNNNNNNNNNPNNNNNNtNNNNNNNNZNDVHNNONNNONNNNNNRNNNRNNNNNNNNONNNNNNNNNNNNNNNUt/NNOCNNNNNRNNNBDQNNNNNNNNNNNNNNNNNNNNNNNNNTNNNNjNNNOpCjNNUNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNVNNNPNNNNNNNNNNNNNNNPPNNNRtNNNNNNNNNNNNNNP50MKu0NNNN0O8NNNNtNNNNVNNNNNVNNNNNNNNNNNNNNNNNNPNNNTNhpaAlLjNNNBDQNNNNDNNNNNDNNNNvNNNNNNNNNNNNNNNNNNONNNONYaWyoT9wNNNZNNNNNTNNNNNPNNNNWtNNNNNNNNNNNNNNNNNNDNNNDtNNNNNNNNNNNNNNNNNNNNPfCjNNNNNNNRtNNNNPNNHNhPHNNBjLNNNQNNNNNNNNNXD+NNP4NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNO4PXOLNNNbdWtNPXOpNNNbNXdMmTNNNPbNONNNRpkxNNNdNNtNNOUZnNNNXtNZNNNEmTjNNPbNRNNNRXuZjNDNDNNNNNDNNRDO+NDNNOT8pNNNXPvfNOvbGZNRNRNNNNNVNNORNstVNNNEiUDNNPtbeNNLdRmNONONNNNNQNNNENU4QNNNRok4NNNbXXjNTXuZjNDNDNNNNONNNRDO+ONNNOT8sNNNXPvfNOvbGZNVNCNNNNNHNNORNstHNNNDHXPNNNNbYOljuptRNNUQDODNNNvtuNNNXolVNNNcmVjNNPtjVtNHNNNDNNU4SNNNRPvfNOvbGZNRNPjNNNNLNNORNstLNNNDXXjNTXvVNNbNTNNNRXyMmQNNNOvtxNNNXqNLNNNXNOjNNOPbrNvtyNNNXXtNNRmNONNfNNNNUNNNENU4UNNNRPvfNOvbNRmNONNfNNNNUNNNENPtANNNTPvfNOvc+pwfNNUPNPNNNOUV7NNOjtNxNNNElBjNNpVNXNNNRXxbNNvtzNNNXNNZROFtENNNTNPbNNOZjONO0NNNNPNNNRDOmWjNNPtbTVYvPNDNtXWbONT8bNNNXXPxNNNbNNvtINNNTOPtHNNNTPjpbRjNNOtZbSDNNOvtFNNNTQNtbXtNNPt0WolfNNNbqzuZRRDEiYNNNPuhnRjHEOKV9NNOjTOvAStNNNFtgNNNXWuLbYtNNPtNdRmNSNWpNNNNWNNNENPtiNNNXN28jNNNXPjVPwzxK2cRspTRZNb5cS9LK2usJwF8NNNRANb5cS9bGOORRRjHJRjLeBtxEOtVEOcRVLDpEO5SugWjEOjAiZDNNPusn/tRGPORVRjxEPFjTSuZUNPfVNORUS9LGOjNEOusJRjLEOuRSZpNWNb5cTAbK1usnS9nAYjNNNFtlNNNXqNHNNOfXXjNTXtNGZNHNctNNNNbNNORNStfPomZNNNbGOkVUXQDNNNbZPNwLTgtAPEsnS9nAYjNNNEZRPOsnRjtJRjxeDjtK2uZXSuZYXl0PRDxEP281NNNXRjjFQPt2NNNXXQpNNNbJRDDUTvt4NNNXNNpn1tfEPksJRjfEPkRXZp0EPEsJRjxEPERVZopEOOLbBDNNPuZSRDHK2usJwF8NNNRGOuRRTuRTSuRTwzxbBNNNPtNEOtbeNNLdNNNGZNVNXNNNNNfNNORNN3WYNNOjXQbNNNbbBjNNPaZwNNNXPjpPomjNNNc0VtNNNDbeNNLdRmNRNRbNNNNZNNNENNWiZDNNPuuopm0NNNbYNz8kNNNXTAbZSt0eUjpPPEuiCtNNPu8DXQ8NNNbbDNNNPz9ONNNXWtxL1t0WPQUqO29PNNNXPvfNOvbNNOZjNDNUNNNNQDNNRDNHPvfNOvcTNNVJztVKztVLzvtENNNTNPbNNNNGZNZNVNNNNN4NNORNsttNNNE+PDNNOU4XNNNRXORNNNLNpwfNNUNXXjNTXuZjNtNFNNNNQjNNRDNPNluQNNNXXRDNNNbXXjNTXtNNRmNONNjNNNNDNNNENNVbEDNNPtbeNNLdRmNONONNNNNENNNENANWNNNPXPRNNNbXXjNTXuZjNDNZNNNNQtNNRDNPXRLNNNbXXjNTXuZjNtNqNNNNRtNNRDNPwNLNNOfH/tRYOljVXNRNNPfXXjHNNtbeNNLdWtNQ/uHTNNNoXvLNNvtzNNNXNPbNNNNGZNVNADNNNOZNNORNNagVNNNXo0xNNNbYO4jWNNNoSC4OQNtfSPtPNNNePjW7FNNNPtqiFtNNPtNNNNpXXjNTXyVNNvtzNNNXNNWmFjNNPa1VNNNXXv4bTNNNObNZNNNRXu4PXPLNNNbdNNOPH0cPNDNONNNNNNNZNNNNqwVhZP41ZQplAjNNNNNSNTjNNNPbPDNNV34NNODXNNOjPDNNV1A0pzyhM3ZNNNNNuOZNNTDNNNNwIIZN6OZNNONNNNNwE1IWENNNNCtGNNQ0ONNNV0Wfo2VNNNNNNNNNNtNNNIpIbtxWQjNNNCbOZjNJNNNONNNNBDNNNNfNNNNZNNNNVjNNNORNNNOYNNNNCjNNNOZNNNNTNNNNPtNNNNjNNNNWNNNNNDNNNNDNNNNONNNNNjNNNNZNNNNPNNNNNNNZODRNNNNNNNLNdtBJOjLNSjFJOjLNztYZOt8NQttNNNLN2jXzODLNwDBzODLN/tBzODLNltBzODLN4jBzODL
Source: 0.2.bbbe7872ea466446da60c4da50020cbb.exe.590000.0.unpack, frmLogin.cs	Base64 encoded string: 'GIdDNNZNNNNRNNNN//8NNYtNNNNNNNNNDNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNtNNNNN4sht4NgNaAVotOGZ0uITucplOjpz9apzSgVTAuoz5iqPOvMFOlqJ4tnJ4tER9GVT1iMTHhQD0XWNNNNNNNNNODEDNNGNRQNViu868NNNNNNNNNNBNNNvRYNINNNPNNNNNTNNNNNNNNlw8NNNNtNNNNDNNNNNNNRDNtNNNNNtNNONNNNNNNNNNRNNNNNNNNNNPNNNNNNtNNNNNNNNZNDVHNNONNNONNNNNNRNNNRNNNNNNNNONNNNNNNNNNNNNNNUt/NNOCNNNNNRNNNBDQNNNNNNNNNNNNNNNNNNNNNNNNNTNNNNjNNNOpCjNNUNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNVNNNPNNNNNNNNNNNNNNNPPNNNRtNNNNNNNNNNNNNNP50MKu0NNNN0O8NNNNtNNNNVNNNNNVNNNNNNNNNNNNNNNNNNPNNNTNhpaAlLjNNNBDQNNNNDNNNNNDNNNNvNNNNNNNNNNNNNNNNNNONNNONYaWyoT9wNNNZNNNNNTNNNNNPNNNNWtNNNNNNNNNNNNNNNNNNDNNNDtNNNNNNNNNNNNNNNNNNNNPfCjNNNNNNNRtNNNNPNNHNhPHNNBjLNNNQNNNNNNNNNXD+NNP4NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNO4PXOLNNNbdWtNPXOpNNNbNXdMmTNNNPbNONNNRpkxNNNdNNtNNOUZnNNNXtNZNNNEmTjNNPbNRNNNRXuZjNDNDNNNNNDNNRDO+NDNNOT8pNNNXPvfNOvbGZNRNRNNNNNVNNORNstVNNNEiUDNNPtbeNNLdRmNONONNNNNQNNNENU4QNNNRok4NNNbXXjNTXuZjNDNDNNNNONNNRDO+ONNNOT8sNNNXPvfNOvbGZNVNCNNNNNHNNORNstHNNNDHXPNNNNbYOljuptRNNUQDODNNNvtuNNNXolVNNNcmVjNNPtjVtNHNNNDNNU4SNNNRPvfNOvbGZNRNPjNNNNLNNORNstLNNNDXXjNTXvVNNbNTNNNRXyMmQNNNOvtxNNNXqNLNNNXNOjNNOPbrNvtyNNNXXtNNRmNONNfNNNNUNNNENU4UNNNRPvfNOvbNRmNONNfNNNNUNNNENPtANNNTPvfNOvc+pwfNNUPNPNNNOUV7NNOjtNxNNNElBjNNpVNXNNNRXxbNNvtzNNNXNNZROFtENNNTNPbNNOZjONO0NNNNPNNNRDOmWjNNPtbTVYvPNDNtXWbONT8bNNNXXPxNNNbNNvtINNNTOPtHNNNTPjpbRjNNOtZbSDNNOvtFNNNTQNtbXtNNPt0WolfNNNbqzuZRRDEiYNNNPuhnRjHEOKV9NNOjTOvAStNNNFtgNNNXWuLbYtNNPtNdRmNSNWpNNNNWNNNENPtiNNNXN28jNNNXPjVPwzxK2cRspTRZNb5cS9LK2usJwF8NNNRANb5cS9bGOORRRjHJRjLeBtxEOtVEOcRVLDpEO5SugWjEOjAiZDNNPusn/tRGPORVRjxEPFjTSuZUNPfVNORUS9LGOjNEOusJRjLEOuRSZpNWNb5cTAbK1usnS9nAYjNNNFtlNNNXqNHNNOfXXjNTXtNGZNHNctNNNNbNNORNStfPomZNNNbGOkVUXQDNNNbZPNwLTgtAPEsnS9nAYjNNNEZRPOsnRjtJRjxeDjtK2uZXSuZYXl0PRDxEP281NNNXRjjFQPt2NNNXXQpNNNbJRDDUTvt4NNNXNNpn1tfEPksJRjfEPkRXZp0EPEsJRjxEPERVZopEOOLbBDNNPuZSRDHK2usJwF8NNNRGOuRRTuRTSuRTwzxbBNNNPtNEOtbeNNLdNNNGZNVNXNNNNNfNNORNN3WYNNOjXQbNNNbbBjNNPaZwNNNXPjpPomjNNNc0VtNNNDbeNNLdRmNRNRbNNNNZNNNENNWiZDNNPuuopm0NNNbYNz8kNNNXTAbZSt0eUjpPPEuiCtNNPu8DXQ8NNNbbDNNNPz9ONNNXWtxL1t0WPQUqO29PNNNXPvfNOvbNNOZjNDNUNNNNQDNNRDNHPvfNOvcTNNVJztVKztVLzvtENNNTNPbNNNNGZNZNVNNNNN4NNORNsttNNNE+PDNNOU4XNNNRXORNNNLNpwfNNUNXXjNTXuZjNtNFNNNNQjNNRDNPNluQNNNXXRDNNNbXXjNTXtNNRmNONNjNNNNDNNNENNVbEDNNPtbeNNLdRmNONONNNNNENNNENANWNNNPXPRNNNbXXjNTXuZjNDNZNNNNQtNNRDNPXRLNNNbXXjNTXuZjNtNqNNNNRtNNRDNPwNLNNOfH/tRYOljVXNRNNPfXXjHNNtbeNNLdWtNQ/uHTNNNoXvLNNvtzNNNXNPbNNNNGZNVNADNNNOZNNORNNagVNNNXo0xNNNbYO4jWNNNoSC4OQNtfSPtPNNNePjW7FNNNPtqiFtNNPtNNNNpXXjNTXyVNNvtzNNNXNNWmFjNNPa1VNNNXXv4bTNNNObNZNNNRXu4PXPLNNNbdNNOPH0cPNDNONNNNNNNZNNNNqwVhZP41ZQplAjNNNNNSNTjNNNPbPDNNV34NNODXNNOjPDNNV1A0pzyhM3ZNNNNNuOZNNTDNNNNwIIZN6OZNNONNNNNwE1IWENNNNCtGNNQ0ONNNV0Wfo2VNNNNNNNNNNtNNNIpIbtxWQjNNNCbOZjNJNNNONNNNBDNNNNfNNNNZNNNNVjNNNORNNNOYNNNNCjNNNOZNNNNTNNNNPtNNNNjNNNNWNNNNNDNNNNDNNNNONNNNNjNNNNZNNNNPNNNNNNNZODRNNNNNNNLNdtBJOjLNSjFJOjLNztYZOt8NQttNNNLN2jXzODLNwDBzODLN/tBzODLNltBzODLN4jBzODL
Source: 0.0.bbbe7872ea466446da60c4da50020cbb.exe.590000.0.unpack, frmLogin.cs	Base64 encoded string: 'GIdDNNZNNNNRNNNN//8NNYtNNNNNNNNNDNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNtNNNNN4sht4NgNaAVotOGZ0uITucplOjpz9apzSgVTAuoz5iqPOvMFOlqJ4tnJ4tER9GVT1iMTHhQD0XWNNNNNNNNNODEDNNGNRQNViu868NNNNNNNNNNBNNNvRYNINNNPNNNNNTNNNNNNNNlw8NNNNtNNNNDNNNNNNNRDNtNNNNNtNNONNNNNNNNNNRNNNNNNNNNNPNNNNNNtNNNNNNNNZNDVHNNONNNONNNNNNRNNNRNNNNNNNNONNNNNNNNNNNNNNNUt/NNOCNNNNNRNNNBDQNNNNNNNNNNNNNNNNNNNNNNNNNTNNNNjNNNOpCjNNUNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNVNNNPNNNNNNNNNNNNNNNPPNNNRtNNNNNNNNNNNNNNP50MKu0NNNN0O8NNNNtNNNNVNNNNNVNNNNNNNNNNNNNNNNNNPNNNTNhpaAlLjNNNBDQNNNNDNNNNNDNNNNvNNNNNNNNNNNNNNNNNNONNNONYaWyoT9wNNNZNNNNNTNNNNNPNNNNWtNNNNNNNNNNNNNNNNNNDNNNDtNNNNNNNNNNNNNNNNNNNNPfCjNNNNNNNRtNNNNPNNHNhPHNNBjLNNNQNNNNNNNNNXD+NNP4NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNO4PXOLNNNbdWtNPXOpNNNbNXdMmTNNNPbNONNNRpkxNNNdNNtNNOUZnNNNXtNZNNNEmTjNNPbNRNNNRXuZjNDNDNNNNNDNNRDO+NDNNOT8pNNNXPvfNOvbGZNRNRNNNNNVNNORNstVNNNEiUDNNPtbeNNLdRmNONONNNNNQNNNENU4QNNNRok4NNNbXXjNTXuZjNDNDNNNNONNNRDO+ONNNOT8sNNNXPvfNOvbGZNVNCNNNNNHNNORNstHNNNDHXPNNNNbYOljuptRNNUQDODNNNvtuNNNXolVNNNcmVjNNPtjVtNHNNNDNNU4SNNNRPvfNOvbGZNRNPjNNNNLNNORNstLNNNDXXjNTXvVNNbNTNNNRXyMmQNNNOvtxNNNXqNLNNNXNOjNNOPbrNvtyNNNXXtNNRmNONNfNNNNUNNNENU4UNNNRPvfNOvbNRmNONNfNNNNUNNNENPtANNNTPvfNOvc+pwfNNUPNPNNNOUV7NNOjtNxNNNElBjNNpVNXNNNRXxbNNvtzNNNXNNZROFtENNNTNPbNNOZjONO0NNNNPNNNRDOmWjNNPtbTVYvPNDNtXWbONT8bNNNXXPxNNNbNNvtINNNTOPtHNNNTPjpbRjNNOtZbSDNNOvtFNNNTQNtbXtNNPt0WolfNNNbqzuZRRDEiYNNNPuhnRjHEOKV9NNOjTOvAStNNNFtgNNNXWuLbYtNNPtNdRmNSNWpNNNNWNNNENPtiNNNXN28jNNNXPjVPwzxK2cRspTRZNb5cS9LK2usJwF8NNNRANb5cS9bGOORRRjHJRjLeBtxEOtVEOcRVLDpEO5SugWjEOjAiZDNNPusn/tRGPORVRjxEPFjTSuZUNPfVNORUS9LGOjNEOusJRjLEOuRSZpNWNb5cTAbK1usnS9nAYjNNNFtlNNNXqNHNNOfXXjNTXtNGZNHNctNNNNbNNORNStfPomZNNNbGOkVUXQDNNNbZPNwLTgtAPEsnS9nAYjNNNEZRPOsnRjtJRjxeDjtK2uZXSuZYXl0PRDxEP281NNNXRjjFQPt2NNNXXQpNNNbJRDDUTvt4NNNXNNpn1tfEPksJRjfEPkRXZp0EPEsJRjxEPERVZopEOOLbBDNNPuZSRDHK2usJwF8NNNRGOuRRTuRTSuRTwzxbBNNNPtNEOtbeNNLdNNNGZNVNXNNNNNfNNORNN3WYNNOjXQbNNNbbBjNNPaZwNNNXPjpPomjNNNc0VtNNNDbeNNLdRmNRNRbNNNNZNNNENNWiZDNNPuuopm0NNNbYNz8kNNNXTAbZSt0eUjpPPEuiCtNNPu8DXQ8NNNbbDNNNPz9ONNNXWtxL1t0WPQUqO29PNNNXPvfNOvbNNOZjNDNUNNNNQDNNRDNHPvfNOvcTNNVJztVKztVLzvtENNNTNPbNNNNGZNZNVNNNNN4NNORNsttNNNE+PDNNOU4XNNNRXORNNNLNpwfNNUNXXjNTXuZjNtNFNNNNQjNNRDNPNluQNNNXXRDNNNbXXjNTXtNNRmNONNjNNNNDNNNENNVbEDNNPtbeNNLdRmNONONNNNNENNNENANWNNNPXPRNNNbXXjNTXuZjNDNZNNNNQtNNRDNPXRLNNNbXXjNTXuZjNtNqNNNNRtNNRDNPwNLNNOfH/tRYOljVXNRNNPfXXjHNNtbeNNLdWtNQ/uHTNNNoXvLNNvtzNNNXNPbNNNNGZNVNADNNNOZNNORNNagVNNNXo0xNNNbYO4jWNNNoSC4OQNtfSPtPNNNePjW7FNNNPtqiFtNNPtNNNNpXXjNTXyVNNvtzNNNXNNWmFjNNPa1VNNNXXv4bTNNNObNZNNNRXu4PXPLNNNbdNNOPH0cPNDNONNNNNNNZNNNNqwVhZP41ZQplAjNNNNNSNTjNNNPbPDNNV34NNODXNNOjPDNNV1A0pzyhM3ZNNNNNuOZNNTDNNNNwIIZN6OZNNONNNNNwE1IWENNNNCtGNNQ0ONNNV0Wfo2VNNNNNNNNNNtNNNIpIbtxWQjNNNCbOZjNJNNNONNNNBDNNNNfNNNNZNNNNVjNNNORNNNOYNNNNCjNNNOZNNNNTNNNNPtNNNNjNNNNWNNNNNDNNNNDNNNNONNNNNjNNNNZNNNNPNNNNNNNZODRNNNNNNNLNdtBJOjLNSjFJOjLNztYZOt8NQttNNNLN2jXzODLNwDBzODLN/tBzODLNltBzODLN4jBzODL
Source: dhcpmon.exe.4.dr, frmLogin.cs	Base64 encoded string: 'GIdDNNZNNNNRNNNN//8NNYtNNNNNNNNNDNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNtNNNNN4sht4NgNaAVotOGZ0uITucplOjpz9apzSgVTAuoz5iqPOvMFOlqJ4tnJ4tER9GVT1iMTHhQD0XWNNNNNNNNNODEDNNGNRQNViu868NNNNNNNNNNBNNNvRYNINNNPNNNNNTNNNNNNNNlw8NNNNtNNNNDNNNNNNNRDNtNNNNNtNNONNNNNNNNNNRNNNNNNNNNNPNNNNNNtNNNNNNNNZNDVHNNONNNONNNNNNRNNNRNNNNNNNNONNNNNNNNNNNNNNNUt/NNOCNNNNNRNNNBDQNNNNNNNNNNNNNNNNNNNNNNNNNTNNNNjNNNOpCjNNUNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNVNNNPNNNNNNNNNNNNNNNPPNNNRtNNNNNNNNNNNNNNP50MKu0NNNN0O8NNNNtNNNNVNNNNNVNNNNNNNNNNNNNNNNNNPNNNTNhpaAlLjNNNBDQNNNNDNNNNNDNNNNvNNNNNNNNNNNNNNNNNNONNNONYaWyoT9wNNNZNNNNNTNNNNNPNNNNWtNNNNNNNNNNNNNNNNNNDNNNDtNNNNNNNNNNNNNNNNNNNNPfCjNNNNNNNRtNNNNPNNHNhPHNNBjLNNNQNNNNNNNNNXD+NNP4NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNO4PXOLNNNbdWtNPXOpNNNbNXdMmTNNNPbNONNNRpkxNNNdNNtNNOUZnNNNXtNZNNNEmTjNNPbNRNNNRXuZjNDNDNNNNNDNNRDO+NDNNOT8pNNNXPvfNOvbGZNRNRNNNNNVNNORNstVNNNEiUDNNPtbeNNLdRmNONONNNNNQNNNENU4QNNNRok4NNNbXXjNTXuZjNDNDNNNNONNNRDO+ONNNOT8sNNNXPvfNOvbGZNVNCNNNNNHNNORNstHNNNDHXPNNNNbYOljuptRNNUQDODNNNvtuNNNXolVNNNcmVjNNPtjVtNHNNNDNNU4SNNNRPvfNOvbGZNRNPjNNNNLNNORNstLNNNDXXjNTXvVNNbNTNNNRXyMmQNNNOvtxNNNXqNLNNNXNOjNNOPbrNvtyNNNXXtNNRmNONNfNNNNUNNNENU4UNNNRPvfNOvbNRmNONNfNNNNUNNNENPtANNNTPvfNOvc+pwfNNUPNPNNNOUV7NNOjtNxNNNElBjNNpVNXNNNRXxbNNvtzNNNXNNZROFtENNNTNPbNNOZjONO0NNNNPNNNRDOmWjNNPtbTVYvPNDNtXWbONT8bNNNXXPxNNNbNNvtINNNTOPtHNNNTPjpbRjNNOtZbSDNNOvtFNNNTQNtbXtNNPt0WolfNNNbqzuZRRDEiYNNNPuhnRjHEOKV9NNOjTOvAStNNNFtgNNNXWuLbYtNNPtNdRmNSNWpNNNNWNNNENPtiNNNXN28jNNNXPjVPwzxK2cRspTRZNb5cS9LK2usJwF8NNNRANb5cS9bGOORRRjHJRjLeBtxEOtVEOcRVLDpEO5SugWjEOjAiZDNNPusn/tRGPORVRjxEPFjTSuZUNPfVNORUS9LGOjNEOusJRjLEOuRSZpNWNb5cTAbK1usnS9nAYjNNNFtlNNNXqNHNNOfXXjNTXtNGZNHNctNNNNbNNORNStfPomZNNNbGOkVUXQDNNNbZPNwLTgtAPEsnS9nAYjNNNEZRPOsnRjtJRjxeDjtK2uZXSuZYXl0PRDxEP281NNNXRjjFQPt2NNNXXQpNNNbJRDDUTvt4NNNXNNpn1tfEPksJRjfEPkRXZp0EPEsJRjxEPERVZopEOOLbBDNNPuZSRDHK2usJwF8NNNRGOuRRTuRTSuRTwzxbBNNNPtNEOtbeNNLdNNNGZNVNXNNNNNfNNORNN3WYNNOjXQbNNNbbBjNNPaZwNNNXPjpPomjNNNc0VtNNNDbeNNLdRmNRNRbNNNNZNNNENNWiZDNNPuuopm0NNNbYNz8kNNNXTAbZSt0eUjpPPEuiCtNNPu8DXQ8NNNbbDNNNPz9ONNNXWtxL1t0WPQUqO29PNNNXPvfNOvbNNOZjNDNUNNNNQDNNRDNHPvfNOvcTNNVJztVKztVLzvtENNNTNPbNNNNGZNZNVNNNNN4NNORNsttNNNE+PDNNOU4XNNNRXORNNNLNpwfNNUNXXjNTXuZjNtNFNNNNQjNNRDNPNluQNNNXXRDNNNbXXjNTXtNNRmNONNjNNNNDNNNENNVbEDNNPtbeNNLdRmNONONNNNNENNNENANWNNNPXPRNNNbXXjNTXuZjNDNZNNNNQtNNRDNPXRLNNNbXXjNTXuZjNtNqNNNNRtNNRDNPwNLNNOfH/tRYOljVXNRNNPfXXjHNNtbeNNLdWtNQ/uHTNNNoXvLNNvtzNNNXNPbNNNNGZNVNADNNNOZNNORNNagVNNNXo0xNNNbYO4jWNNNoSC4OQNtfSPtPNNNePjW7FNNNPtqiFtNNPtNNNNpXXjNTXyVNNvtzNNNXNNWmFjNNPa1VNNNXXv4bTNNNObNZNNNRXu4PXPLNNNbdNNOPH0cPNDNONNNNNNNZNNNNqwVhZP41ZQplAjNNNNNSNTjNNNPbPDNNV34NNODXNNOjPDNNV1A0pzyhM3ZNNNNNuOZNNTDNNNNwIIZN6OZNNONNNNNwE1IWENNNNCtGNNQ0ONNNV0Wfo2VNNNNNNNNNNtNNNIpIbtxWQjNNNCbOZjNJNNNONNNNBDNNNNfNNNNZNNNNVjNNNORNNNOYNNNNCjNNNOZNNNNTNNNNPtNNNNjNNNNWNNNNNDNNNNDNNNNONNNNNjNNNNZNNNNPNNNNNNNZODRNNNNNNNLNdtBJOjLNSjFJOjLNztYZOt8NQttNNNLN2jXzODLNwDBzODLN/tBzODLNltBzODLN4jBzODL
Source: 4.0.bbbe7872ea466446da60c4da50020cbb.exe.620000.0.unpack, frmLogin.cs	Base64 encoded string: 'GIdDNNZNNNNRNNNN//8NNYtNNNNNNNNNDNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNtNNNNN4sht4NgNaAVotOGZ0uITucplOjpz9apzSgVTAuoz5iqPOvMFOlqJ4tnJ4tER9GVT1iMTHhQD0XWNNNNNNNNNODEDNNGNRQNViu868NNNNNNNNNNBNNNvRYNINNNPNNNNNTNNNNNNNNlw8NNNNtNNNNDNNNNNNNRDNtNNNNNtNNONNNNNNNNNNRNNNNNNNNNNPNNNNNNtNNNNNNNNZNDVHNNONNNONNNNNNRNNNRNNNNNNNNONNNNNNNNNNNNNNNUt/NNOCNNNNNRNNNBDQNNNNNNNNNNNNNNNNNNNNNNNNNTNNNNjNNNOpCjNNUNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNVNNNPNNNNNNNNNNNNNNNPPNNNRtNNNNNNNNNNNNNNP50MKu0NNNN0O8NNNNtNNNNVNNNNNVNNNNNNNNNNNNNNNNNNPNNNTNhpaAlLjNNNBDQNNNNDNNNNNDNNNNvNNNNNNNNNNNNNNNNNNONNNONYaWyoT9wNNNZNNNNNTNNNNNPNNNNWtNNNNNNNNNNNNNNNNNNDNNNDtNNNNNNNNNNNNNNNNNNNNPfCjNNNNNNNRtNNNNPNNHNhPHNNBjLNNNQNNNNNNNNNXD+NNP4NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNO4PXOLNNNbdWtNPXOpNNNbNXdMmTNNNPbNONNNRpkxNNNdNNtNNOUZnNNNXtNZNNNEmTjNNPbNRNNNRXuZjNDNDNNNNNDNNRDO+NDNNOT8pNNNXPvfNOvbGZNRNRNNNNNVNNORNstVNNNEiUDNNPtbeNNLdRmNONONNNNNQNNNENU4QNNNRok4NNNbXXjNTXuZjNDNDNNNNONNNRDO+ONNNOT8sNNNXPvfNOvbGZNVNCNNNNNHNNORNstHNNNDHXPNNNNbYOljuptRNNUQDODNNNvtuNNNXolVNNNcmVjNNPtjVtNHNNNDNNU4SNNNRPvfNOvbGZNRNPjNNNNLNNORNstLNNNDXXjNTXvVNNbNTNNNRXyMmQNNNOvtxNNNXqNLNNNXNOjNNOPbrNvtyNNNXXtNNRmNONNfNNNNUNNNENU4UNNNRPvfNOvbNRmNONNfNNNNUNNNENPtANNNTPvfNOvc+pwfNNUPNPNNNOUV7NNOjtNxNNNElBjNNpVNXNNNRXxbNNvtzNNNXNNZROFtENNNTNPbNNOZjONO0NNNNPNNNRDOmWjNNPtbTVYvPNDNtXWbONT8bNNNXXPxNNNbNNvtINNNTOPtHNNNTPjpbRjNNOtZbSDNNOvtFNNNTQNtbXtNNPt0WolfNNNbqzuZRRDEiYNNNPuhnRjHEOKV9NNOjTOvAStNNNFtgNNNXWuLbYtNNPtNdRmNSNWpNNNNWNNNENPtiNNNXN28jNNNXPjVPwzxK2cRspTRZNb5cS9LK2usJwF8NNNRANb5cS9bGOORRRjHJRjLeBtxEOtVEOcRVLDpEO5SugWjEOjAiZDNNPusn/tRGPORVRjxEPFjTSuZUNPfVNORUS9LGOjNEOusJRjLEOuRSZpNWNb5cTAbK1usnS9nAYjNNNFtlNNNXqNHNNOfXXjNTXtNGZNHNctNNNNbNNORNStfPomZNNNbGOkVUXQDNNNbZPNwLTgtAPEsnS9nAYjNNNEZRPOsnRjtJRjxeDjtK2uZXSuZYXl0PRDxEP281NNNXRjjFQPt2NNNXXQpNNNbJRDDUTvt4NNNXNNpn1tfEPksJRjfEPkRXZp0EPEsJRjxEPERVZopEOOLbBDNNPuZSRDHK2usJwF8NNNRGOuRRTuRTSuRTwzxbBNNNPtNEOtbeNNLdNNNGZNVNXNNNNNfNNORNN3WYNNOjXQbNNNbbBjNNPaZwNNNXPjpPomjNNNc0VtNNNDbeNNLdRmNRNRbNNNNZNNNENNWiZDNNPuuopm0NNNbYNz8kNNNXTAbZSt0eUjpPPEuiCtNNPu8DXQ8NNNbbDNNNPz9ONNNXWtxL1t0WPQUqO29PNNNXPvfNOvbNNOZjNDNUNNNNQDNNRDNHPvfNOvcTNNVJztVKztVLzvtENNNTNPbNNNNGZNZNVNNNNN4NNORNsttNNNE+PDNNOU4XNNNRXORNNNLNpwfNNUNXXjNTXuZjNtNFNNNNQjNNRDNPNluQNNNXXRDNNNbXXjNTXtNNRmNONNjNNNNDNNNENNVbEDNNPtbeNNLdRmNONONNNNNENNNENANWNNNPXPRNNNbXXjNTXuZjNDNZNNNNQtNNRDNPXRLNNNbXXjNTXuZjNtNqNNNNRtNNRDNPwNLNNOfH/tRYOljVXNRNNPfXXjHNNtbeNNLdWtNQ/uHTNNNoXvLNNvtzNNNXNPbNNNNGZNVNADNNNOZNNORNNagVNNNXo0xNNNbYO4jWNNNoSC4OQNtfSPtPNNNePjW7FNNNPtqiFtNNPtNNNNpXXjNTXyVNNvtzNNNXNNWmFjNNPa1VNNNXXv4bTNNNObNZNNNRXu4PXPLNNNbdNNOPH0cPNDNONNNNNNNZNNNNqwVhZP41ZQplAjNNNNNSNTjNNNPbPDNNV34NNODXNNOjPDNNV1A0pzyhM3ZNNNNNuOZNNTDNNNNwIIZN6OZNNONNNNNwE1IWENNNNCtGNNQ0ONNNV0Wfo2VNNNNNNNNNNtNNNIpIbtxWQjNNNCbOZjNJNNNONNNNBDNNNNfNNNNZNNNNVjNNNORNNNOYNNNNCjNNNOZNNNNTNNNNPtNNNNjNNNNWNNNNNDNNNNDNNNNONNNNNjNNNNZNNNNPNNNNNNNZODRNNNNNNNLNdtBJOjLNSjFJOjLNztYZOt8NQttNNNLN2jXzODLNwDBzODLN/tBzODLNltBzODLN4jBzODL
Source: 4.2.bbbe7872ea466446da60c4da50020cbb.exe.620000.1.unpack, frmLogin.cs	Base64 encoded string: 'GIdDNNZNNNNRNNNN//8NNYtNNNNNNNNNDNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNtNNNNN4sht4NgNaAVotOGZ0uITucplOjpz9apzSgVTAuoz5iqPOvMFOlqJ4tnJ4tER9GVT1iMTHhQD0XWNNNNNNNNNODEDNNGNRQNViu868NNNNNNNNNNBNNNvRYNINNNPNNNNNTNNNNNNNNlw8NNNNtNNNNDNNNNNNNRDNtNNNNNtNNONNNNNNNNNNRNNNNNNNNNNPNNNNNNtNNNNNNNNZNDVHNNONNNONNNNNNRNNNRNNNNNNNNONNNNNNNNNNNNNNNUt/NNOCNNNNNRNNNBDQNNNNNNNNNNNNNNNNNNNNNNNNNTNNNNjNNNOpCjNNUNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNVNNNPNNNNNNNNNNNNNNNPPNNNRtNNNNNNNNNNNNNNP50MKu0NNNN0O8NNNNtNNNNVNNNNNVNNNNNNNNNNNNNNNNNNPNNNTNhpaAlLjNNNBDQNNNNDNNNNNDNNNNvNNNNNNNNNNNNNNNNNNONNNONYaWyoT9wNNNZNNNNNTNNNNNPNNNNWtNNNNNNNNNNNNNNNNNNDNNNDtNNNNNNNNNNNNNNNNNNNNPfCjNNNNNNNRtNNNNPNNHNhPHNNBjLNNNQNNNNNNNNNXD+NNP4NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNO4PXOLNNNbdWtNPXOpNNNbNXdMmTNNNPbNONNNRpkxNNNdNNtNNOUZnNNNXtNZNNNEmTjNNPbNRNNNRXuZjNDNDNNNNNDNNRDO+NDNNOT8pNNNXPvfNOvbGZNRNRNNNNNVNNORNstVNNNEiUDNNPtbeNNLdRmNONONNNNNQNNNENU4QNNNRok4NNNbXXjNTXuZjNDNDNNNNONNNRDO+ONNNOT8sNNNXPvfNOvbGZNVNCNNNNNHNNORNstHNNNDHXPNNNNbYOljuptRNNUQDODNNNvtuNNNXolVNNNcmVjNNPtjVtNHNNNDNNU4SNNNRPvfNOvbGZNRNPjNNNNLNNORNstLNNNDXXjNTXvVNNbNTNNNRXyMmQNNNOvtxNNNXqNLNNNXNOjNNOPbrNvtyNNNXXtNNRmNONNfNNNNUNNNENU4UNNNRPvfNOvbNRmNONNfNNNNUNNNENPtANNNTPvfNOvc+pwfNNUPNPNNNOUV7NNOjtNxNNNElBjNNpVNXNNNRXxbNNvtzNNNXNNZROFtENNNTNPbNNOZjONO0NNNNPNNNRDOmWjNNPtbTVYvPNDNtXWbONT8bNNNXXPxNNNbNNvtINNNTOPtHNNNTPjpbRjNNOtZbSDNNOvtFNNNTQNtbXtNNPt0WolfNNNbqzuZRRDEiYNNNPuhnRjHEOKV9NNOjTOvAStNNNFtgNNNXWuLbYtNNPtNdRmNSNWpNNNNWNNNENPtiNNNXN28jNNNXPjVPwzxK2cRspTRZNb5cS9LK2usJwF8NNNRANb5cS9bGOORRRjHJRjLeBtxEOtVEOcRVLDpEO5SugWjEOjAiZDNNPusn/tRGPORVRjxEPFjTSuZUNPfVNORUS9LGOjNEOusJRjLEOuRSZpNWNb5cTAbK1usnS9nAYjNNNFtlNNNXqNHNNOfXXjNTXtNGZNHNctNNNNbNNORNStfPomZNNNbGOkVUXQDNNNbZPNwLTgtAPEsnS9nAYjNNNEZRPOsnRjtJRjxeDjtK2uZXSuZYXl0PRDxEP281NNNXRjjFQPt2NNNXXQpNNNbJRDDUTvt4NNNXNNpn1tfEPksJRjfEPkRXZp0EPEsJRjxEPERVZopEOOLbBDNNPuZSRDHK2usJwF8NNNRGOuRRTuRTSuRTwzxbBNNNPtNEOtbeNNLdNNNGZNVNXNNNNNfNNORNN3WYNNOjXQbNNNbbBjNNPaZwNNNXPjpPomjNNNc0VtNNNDbeNNLdRmNRNRbNNNNZNNNENNWiZDNNPuuopm0NNNbYNz8kNNNXTAbZSt0eUjpPPEuiCtNNPu8DXQ8NNNbbDNNNPz9ONNNXWtxL1t0WPQUqO29PNNNXPvfNOvbNNOZjNDNUNNNNQDNNRDNHPvfNOvcTNNVJztVKztVLzvtENNNTNPbNNNNGZNZNVNNNNN4NNORNsttNNNE+PDNNOU4XNNNRXORNNNLNpwfNNUNXXjNTXuZjNtNFNNNNQjNNRDNPNluQNNNXXRDNNNbXXjNTXtNNRmNONNjNNNNDNNNENNVbEDNNPtbeNNLdRmNONONNNNNENNNENANWNNNPXPRNNNbXXjNTXuZjNDNZNNNNQtNNRDNPXRLNNNbXXjNTXuZjNtNqNNNNRtNNRDNPwNLNNOfH/tRYOljVXNRNNPfXXjHNNtbeNNLdWtNQ/uHTNNNoXvLNNvtzNNNXNPbNNNNGZNVNADNNNOZNNORNNagVNNNXo0xNNNbYO4jWNNNoSC4OQNtfSPtPNNNePjW7FNNNPtqiFtNNPtNNNNpXXjNTXyVNNvtzNNNXNNWmFjNNPa1VNNNXXv4bTNNNObNZNNNRXu4PXPLNNNbdNNOPH0cPNDNONNNNNNNZNNNNqwVhZP41ZQplAjNNNNNSNTjNNNPbPDNNV34NNODXNNOjPDNNV1A0pzyhM3ZNNNNNuOZNNTDNNNNwIIZN6OZNNONNNNNwE1IWENNNNCtGNNQ0ONNNV0Wfo2VNNNNNNNNNNtNNNIpIbtxWQjNNNCbOZjNJNNNONNNNBDNNNNfNNNNZNNNNVjNNNORNNNOYNNNNCjNNNOZNNNNTNNNNPtNNNNjNNNNWNNNNNDNNNNDNNNNONNNNNjNNNNZNNNNPNNNNNNNZODRNNNNNNNLNdtBJOjLNSjFJOjLNztYZOt8NQttNNNLN2jXzODLNwDBzODLN/tBzODLNltBzODLN4jBzODL
Source: 10.0.bbbe7872ea466446da60c4da50020cbb.exe.720000.0.unpack, frmLogin.cs	Base64 encoded string: 'GIdDNNZNNNNRNNNN//8NNYtNNNNNNNNNDNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNtNNNNN4sht4NgNaAVotOGZ0uITucplOjpz9apzSgVTAuoz5iqPOvMFOlqJ4tnJ4tER9GVT1iMTHhQD0XWNNNNNNNNNODEDNNGNRQNViu868NNNNNNNNNNBNNNvRYNINNNPNNNNNTNNNNNNNNlw8NNNNtNNNNDNNNNNNNRDNtNNNNNtNNONNNNNNNNNNRNNNNNNNNNNPNNNNNNtNNNNNNNNZNDVHNNONNNONNNNNNRNNNRNNNNNNNNONNNNNNNNNNNNNNNUt/NNOCNNNNNRNNNBDQNNNNNNNNNNNNNNNNNNNNNNNNNTNNNNjNNNOpCjNNUNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNVNNNPNNNNNNNNNNNNNNNPPNNNRtNNNNNNNNNNNNNNP50MKu0NNNN0O8NNNNtNNNNVNNNNNVNNNNNNNNNNNNNNNNNNPNNNTNhpaAlLjNNNBDQNNNNDNNNNNDNNNNvNNNNNNNNNNNNNNNNNNONNNONYaWyoT9wNNNZNNNNNTNNNNNPNNNNWtNNNNNNNNNNNNNNNNNNDNNNDtNNNNNNNNNNNNNNNNNNNNPfCjNNNNNNNRtNNNNPNNHNhPHNNBjLNNNQNNNNNNNNNXD+NNP4NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNO4PXOLNNNbdWtNPXOpNNNbNXdMmTNNNPbNONNNRpkxNNNdNNtNNOUZnNNNXtNZNNNEmTjNNPbNRNNNRXuZjNDNDNNNNNDNNRDO+NDNNOT8pNNNXPvfNOvbGZNRNRNNNNNVNNORNstVNNNEiUDNNPtbeNNLdRmNONONNNNNQNNNENU4QNNNRok4NNNbXXjNTXuZjNDNDNNNNONNNRDO+ONNNOT8sNNNXPvfNOvbGZNVNCNNNNNHNNORNstHNNNDHXPNNNNbYOljuptRNNUQDODNNNvtuNNNXolVNNNcmVjNNPtjVtNHNNNDNNU4SNNNRPvfNOvbGZNRNPjNNNNLNNORNstLNNNDXXjNTXvVNNbNTNNNRXyMmQNNNOvtxNNNXqNLNNNXNOjNNOPbrNvtyNNNXXtNNRmNONNfNNNNUNNNENU4UNNNRPvfNOvbNRmNONNfNNNNUNNNENPtANNNTPvfNOvc+pwfNNUPNPNNNOUV7NNOjtNxNNNElBjNNpVNXNNNRXxbNNvtzNNNXNNZROFtENNNTNPbNNOZjONO0NNNNPNNNRDOmWjNNPtbTVYvPNDNtXWbONT8bNNNXXPxNNNbNNvtINNNTOPtHNNNTPjpbRjNNOtZbSDNNOvtFNNNTQNtbXtNNPt0WolfNNNbqzuZRRDEiYNNNPuhnRjHEOKV9NNOjTOvAStNNNFtgNNNXWuLbYtNNPtNdRmNSNWpNNNNWNNNENPtiNNNXN28jNNNXPjVPwzxK2cRspTRZNb5cS9LK2usJwF8NNNRANb5cS9bGOORRRjHJRjLeBtxEOtVEOcRVLDpEO5SugWjEOjAiZDNNPusn/tRGPORVRjxEPFjTSuZUNPfVNORUS9LGOjNEOusJRjLEOuRSZpNWNb5cTAbK1usnS9nAYjNNNFtlNNNXqNHNNOfXXjNTXtNGZNHNctNNNNbNNORNStfPomZNNNbGOkVUXQDNNNbZPNwLTgtAPEsnS9nAYjNNNEZRPOsnRjtJRjxeDjtK2uZXSuZYXl0PRDxEP281NNNXRjjFQPt2NNNXXQpNNNbJRDDUTvt4NNNXNNpn1tfEPksJRjfEPkRXZp0EPEsJRjxEPERVZopEOOLbBDNNPuZSRDHK2usJwF8NNNRGOuRRTuRTSuRTwzxbBNNNPtNEOtbeNNLdNNNGZNVNXNNNNNfNNORNN3WYNNOjXQbNNNbbBjNNPaZwNNNXPjpPomjNNNc0VtNNNDbeNNLdRmNRNRbNNNNZNNNENNWiZDNNPuuopm0NNNbYNz8kNNNXTAbZSt0eUjpPPEuiCtNNPu8DXQ8NNNbbDNNNPz9ONNNXWtxL1t0WPQUqO29PNNNXPvfNOvbNNOZjNDNUNNNNQDNNRDNHPvfNOvcTNNVJztVKztVLzvtENNNTNPbNNNNGZNZNVNNNNN4NNORNsttNNNE+PDNNOU4XNNNRXORNNNLNpwfNNUNXXjNTXuZjNtNFNNNNQjNNRDNPNluQNNNXXRDNNNbXXjNTXtNNRmNONNjNNNNDNNNENNVbEDNNPtbeNNLdRmNONONNNNNENNNENANWNNNPXPRNNNbXXjNTXuZjNDNZNNNNQtNNRDNPXRLNNNbXXjNTXuZjNtNqNNNNRtNNRDNPwNLNNOfH/tRYOljVXNRNNPfXXjHNNtbeNNLdWtNQ/uHTNNNoXvLNNvtzNNNXNPbNNNNGZNVNADNNNOZNNORNNagVNNNXo0xNNNbYO4jWNNNoSC4OQNtfSPtPNNNePjW7FNNNPtqiFtNNPtNNNNpXXjNTXyVNNvtzNNNXNNWmFjNNPa1VNNNXXv4bTNNNObNZNNNRXu4PXPLNNNbdNNOPH0cPNDNONNNNNNNZNNNNqwVhZP41ZQplAjNNNNNSNTjNNNPbPDNNV34NNODXNNOjPDNNV1A0pzyhM3ZNNNNNuOZNNTDNNNNwIIZN6OZNNONNNNNwE1IWENNNNCtGNNQ0ONNNV0Wfo2VNNNNNNNNNNtNNNIpIbtxWQjNNNCbOZjNJNNNONNNNBDNNNNfNNNNZNNNNVjNNNORNNNOYNNNNCjNNNOZNNNNTNNNNPtNNNNjNNNNWNNNNNDNNNNDNNNNONNNNNjNNNNZNNNNPNNNNNNNZODRNNNNNNNLNdtBJOjLNSjFJOjLNztYZOt8NQttNNNLN2jXzODLNwDBzODLN/tBzODLNltBzODLN4jBzODL
Source: 10.2.bbbe7872ea466446da60c4da50020cbb.exe.720000.0.unpack, frmLogin.cs	Base64 encoded string: 'GIdDNNZNNNNRNNNN//8NNYtNNNNNNNNNDNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNtNNNNN4sht4NgNaAVotOGZ0uITucplOjpz9apzSgVTAuoz5iqPOvMFOlqJ4tnJ4tER9GVT1iMTHhQD0XWNNNNNNNNNODEDNNGNRQNViu868NNNNNNNNNNBNNNvRYNINNNPNNNNNTNNNNNNNNlw8NNNNtNNNNDNNNNNNNRDNtNNNNNtNNONNNNNNNNNNRNNNNNNNNNNPNNNNNNtNNNNNNNNZNDVHNNONNNONNNNNNRNNNRNNNNNNNNONNNNNNNNNNNNNNNUt/NNOCNNNNNRNNNBDQNNNNNNNNNNNNNNNNNNNNNNNNNTNNNNjNNNOpCjNNUNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNVNNNPNNNNNNNNNNNNNNNPPNNNRtNNNNNNNNNNNNNNP50MKu0NNNN0O8NNNNtNNNNVNNNNNVNNNNNNNNNNNNNNNNNNPNNNTNhpaAlLjNNNBDQNNNNDNNNNNDNNNNvNNNNNNNNNNNNNNNNNNONNNONYaWyoT9wNNNZNNNNNTNNNNNPNNNNWtNNNNNNNNNNNNNNNNNNDNNNDtNNNNNNNNNNNNNNNNNNNNPfCjNNNNNNNRtNNNNPNNHNhPHNNBjLNNNQNNNNNNNNNXD+NNP4NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNO4PXOLNNNbdWtNPXOpNNNbNXdMmTNNNPbNONNNRpkxNNNdNNtNNOUZnNNNXtNZNNNEmTjNNPbNRNNNRXuZjNDNDNNNNNDNNRDO+NDNNOT8pNNNXPvfNOvbGZNRNRNNNNNVNNORNstVNNNEiUDNNPtbeNNLdRmNONONNNNNQNNNENU4QNNNRok4NNNbXXjNTXuZjNDNDNNNNONNNRDO+ONNNOT8sNNNXPvfNOvbGZNVNCNNNNNHNNORNstHNNNDHXPNNNNbYOljuptRNNUQDODNNNvtuNNNXolVNNNcmVjNNPtjVtNHNNNDNNU4SNNNRPvfNOvbGZNRNPjNNNNLNNORNstLNNNDXXjNTXvVNNbNTNNNRXyMmQNNNOvtxNNNXqNLNNNXNOjNNOPbrNvtyNNNXXtNNRmNONNfNNNNUNNNENU4UNNNRPvfNOvbNRmNONNfNNNNUNNNENPtANNNTPvfNOvc+pwfNNUPNPNNNOUV7NNOjtNxNNNElBjNNpVNXNNNRXxbNNvtzNNNXNNZROFtENNNTNPbNNOZjONO0NNNNPNNNRDOmWjNNPtbTVYvPNDNtXWbONT8bNNNXXPxNNNbNNvtINNNTOPtHNNNTPjpbRjNNOtZbSDNNOvtFNNNTQNtbXtNNPt0WolfNNNbqzuZRRDEiYNNNPuhnRjHEOKV9NNOjTOvAStNNNFtgNNNXWuLbYtNNPtNdRmNSNWpNNNNWNNNENPtiNNNXN28jNNNXPjVPwzxK2cRspTRZNb5cS9LK2usJwF8NNNRANb5cS9bGOORRRjHJRjLeBtxEOtVEOcRVLDpEO5SugWjEOjAiZDNNPusn/tRGPORVRjxEPFjTSuZUNPfVNORUS9LGOjNEOusJRjLEOuRSZpNWNb5cTAbK1usnS9nAYjNNNFtlNNNXqNHNNOfXXjNTXtNGZNHNctNNNNbNNORNStfPomZNNNbGOkVUXQDNNNbZPNwLTgtAPEsnS9nAYjNNNEZRPOsnRjtJRjxeDjtK2uZXSuZYXl0PRDxEP281NNNXRjjFQPt2NNNXXQpNNNbJRDDUTvt4NNNXNNpn1tfEPksJRjfEPkRXZp0EPEsJRjxEPERVZopEOOLbBDNNPuZSRDHK2usJwF8NNNRGOuRRTuRTSuRTwzxbBNNNPtNEOtbeNNLdNNNGZNVNXNNNNNfNNORNN3WYNNOjXQbNNNbbBjNNPaZwNNNXPjpPomjNNNc0VtNNNDbeNNLdRmNRNRbNNNNZNNNENNWiZDNNPuuopm0NNNbYNz8kNNNXTAbZSt0eUjpPPEuiCtNNPu8DXQ8NNNbbDNNNPz9ONNNXWtxL1t0WPQUqO29PNNNXPvfNOvbNNOZjNDNUNNNNQDNNRDNHPvfNOvcTNNVJztVKztVLzvtENNNTNPbNNNNGZNZNVNNNNN4NNORNsttNNNE+PDNNOU4XNNNRXORNNNLNpwfNNUNXXjNTXuZjNtNFNNNNQjNNRDNPNluQNNNXXRDNNNbXXjNTXtNNRmNONNjNNNNDNNNENNVbEDNNPtbeNNLdRmNONONNNNNENNNENANWNNNPXPRNNNbXXjNTXuZjNDNZNNNNQtNNRDNPXRLNNNbXXjNTXuZjNtNqNNNNRtNNRDNPwNLNNOfH/tRYOljVXNRNNPfXXjHNNtbeNNLdWtNQ/uHTNNNoXvLNNvtzNNNXNPbNNNNGZNVNADNNNOZNNORNNagVNNNXo0xNNNbYO4jWNNNoSC4OQNtfSPtPNNNePjW7FNNNPtqiFtNNPtNNNNpXXjNTXyVNNvtzNNNXNNWmFjNNPa1VNNNXXv4bTNNNObNZNNNRXu4PXPLNNNbdNNOPH0cPNDNONNNNNNNZNNNNqwVhZP41ZQplAjNNNNNSNTjNNNPbPDNNV34NNODXNNOjPDNNV1A0pzyhM3ZNNNNNuOZNNTDNNNNwIIZN6OZNNONNNNNwE1IWENNNNCtGNNQ0ONNNV0Wfo2VNNNNNNNNNNtNNNIpIbtxWQjNNNCbOZjNJNNNONNNNBDNNNNfNNNNZNNNNVjNNNORNNNOYNNNNCjNNNOZNNNNTNNNNPtNNNNjNNNNWNNNNNDNNNNDNNNNONNNNNjNNNNZNNNNPNNNNNNNZODRNNNNNNNLNdtBJOjLNSjFJOjLNztYZOt8NQttNNNLN2jXzODLNwDBzODLN/tBzODLNltBzODLN4jBzODL
Source: 11.2.dhcpmon.exe.720000.0.unpack, frmLogin.cs	Base64 encoded string: 'GIdDNNZNNNNRNNNN//8NNYtNNNNNNNNNDNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNtNNNNN4sht4NgNaAVotOGZ0uITucplOjpz9apzSgVTAuoz5iqPOvMFOlqJ4tnJ4tER9GVT1iMTHhQD0XWNNNNNNNNNODEDNNGNRQNViu868NNNNNNNNNNBNNNvRYNINNNPNNNNNTNNNNNNNNlw8NNNNtNNNNDNNNNNNNRDNtNNNNNtNNONNNNNNNNNNRNNNNNNNNNNPNNNNNNtNNNNNNNNZNDVHNNONNNONNNNNNRNNNRNNNNNNNNONNNNNNNNNNNNNNNUt/NNOCNNNNNRNNNBDQNNNNNNNNNNNNNNNNNNNNNNNNNTNNNNjNNNOpCjNNUNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNVNNNPNNNNNNNNNNNNNNNPPNNNRtNNNNNNNNNNNNNNP50MKu0NNNN0O8NNNNtNNNNVNNNNNVNNNNNNNNNNNNNNNNNNPNNNTNhpaAlLjNNNBDQNNNNDNNNNNDNNNNvNNNNNNNNNNNNNNNNNNONNNONYaWyoT9wNNNZNNNNNTNNNNNPNNNNWtNNNNNNNNNNNNNNNNNNDNNNDtNNNNNNNNNNNNNNNNNNNNPfCjNNNNNNNRtNNNNPNNHNhPHNNBjLNNNQNNNNNNNNNXD+NNP4NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNO4PXOLNNNbdWtNPXOpNNNbNXdMmTNNNPbNONNNRpkxNNNdNNtNNOUZnNNNXtNZNNNEmTjNNPbNRNNNRXuZjNDNDNNNNNDNNRDO+NDNNOT8pNNNXPvfNOvbGZNRNRNNNNNVNNORNstVNNNEiUDNNPtbeNNLdRmNONONNNNNQNNNENU4QNNNRok4NNNbXXjNTXuZjNDNDNNNNONNNRDO+ONNNOT8sNNNXPvfNOvbGZNVNCNNNNNHNNORNstHNNNDHXPNNNNbYOljuptRNNUQDODNNNvtuNNNXolVNNNcmVjNNPtjVtNHNNNDNNU4SNNNRPvfNOvbGZNRNPjNNNNLNNORNstLNNNDXXjNTXvVNNbNTNNNRXyMmQNNNOvtxNNNXqNLNNNXNOjNNOPbrNvtyNNNXXtNNRmNONNfNNNNUNNNENU4UNNNRPvfNOvbNRmNONNfNNNNUNNNENPtANNNTPvfNOvc+pwfNNUPNPNNNOUV7NNOjtNxNNNElBjNNpVNXNNNRXxbNNvtzNNNXNNZROFtENNNTNPbNNOZjONO0NNNNPNNNRDOmWjNNPtbTVYvPNDNtXWbONT8bNNNXXPxNNNbNNvtINNNTOPtHNNNTPjpbRjNNOtZbSDNNOvtFNNNTQNtbXtNNPt0WolfNNNbqzuZRRDEiYNNNPuhnRjHEOKV9NNOjTOvAStNNNFtgNNNXWuLbYtNNPtNdRmNSNWpNNNNWNNNENPtiNNNXN28jNNNXPjVPwzxK2cRspTRZNb5cS9LK2usJwF8NNNRANb5cS9bGOORRRjHJRjLeBtxEOtVEOcRVLDpEO5SugWjEOjAiZDNNPusn/tRGPORVRjxEPFjTSuZUNPfVNORUS9LGOjNEOusJRjLEOuRSZpNWNb5cTAbK1usnS9nAYjNNNFtlNNNXqNHNNOfXXjNTXtNGZNHNctNNNNbNNORNStfPomZNNNbGOkVUXQDNNNbZPNwLTgtAPEsnS9nAYjNNNEZRPOsnRjtJRjxeDjtK2uZXSuZYXl0PRDxEP281NNNXRjjFQPt2NNNXXQpNNNbJRDDUTvt4NNNXNNpn1tfEPksJRjfEPkRXZp0EPEsJRjxEPERVZopEOOLbBDNNPuZSRDHK2usJwF8NNNRGOuRRTuRTSuRTwzxbBNNNPtNEOtbeNNLdNNNGZNVNXNNNNNfNNORNN3WYNNOjXQbNNNbbBjNNPaZwNNNXPjpPomjNNNc0VtNNNDbeNNLdRmNRNRbNNNNZNNNENNWiZDNNPuuopm0NNNbYNz8kNNNXTAbZSt0eUjpPPEuiCtNNPu8DXQ8NNNbbDNNNPz9ONNNXWtxL1t0WPQUqO29PNNNXPvfNOvbNNOZjNDNUNNNNQDNNRDNHPvfNOvcTNNVJztVKztVLzvtENNNTNPbNNNNGZNZNVNNNNN4NNORNsttNNNE+PDNNOU4XNNNRXORNNNLNpwfNNUNXXjNTXuZjNtNFNNNNQjNNRDNPNluQNNNXXRDNNNbXXjNTXtNNRmNONNjNNNNDNNNENNVbEDNNPtbeNNLdRmNONONNNNNENNNENANWNNNPXPRNNNbXXjNTXuZjNDNZNNNNQtNNRDNPXRLNNNbXXjNTXuZjNtNqNNNNRtNNRDNPwNLNNOfH/tRYOljVXNRNNPfXXjHNNtbeNNLdWtNQ/uHTNNNoXvLNNvtzNNNXNPbNNNNGZNVNADNNNOZNNORNNagVNNNXo0xNNNbYO4jWNNNoSC4OQNtfSPtPNNNePjW7FNNNPtqiFtNNPtNNNNpXXjNTXyVNNvtzNNNXNNWmFjNNPa1VNNNXXv4bTNNNObNZNNNRXu4PXPLNNNbdNNOPH0cPNDNONNNNNNNZNNNNqwVhZP41ZQplAjNNNNNSNTjNNNPbPDNNV34NNODXNNOjPDNNV1A0pzyhM3ZNNNNNuOZNNTDNNNNwIIZN6OZNNONNNNNwE1IWENNNNCtGNNQ0ONNNV0Wfo2VNNNNNNNNNNtNNNIpIbtxWQjNNNCbOZjNJNNNONNNNBDNNNNfNNNNZNNNNVjNNNORNNNOYNNNNCjNNNOZNNNNTNNNNPtNNNNjNNNNWNNNNNDNNNNDNNNNONNNNNjNNNNZNNNNPNNNNNNNZODRNNNNNNNLNdtBJOjLNSjFJOjLNztYZOt8NQttNNNLN2jXzODLNwDBzODLN/tBzODLNltBzODLN4jBzODL

Source: classification engine

Classification label: mal100.troj.evad.winEXE@20/8@20/1

Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 11_2_051706DA AdjustTokenPrivileges,		11_2_051706DA
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 11_2_051706A3 AdjustTokenPrivileges,		11_2_051706A3

Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe

File created: C:\Program Files (x86)\DHCP Monitor

Jump to behavior

Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\bbbe7872ea466446da60c4da50020cbb.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7080:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7132:120:WilError_01
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{d1470c94-c693-4be3-b7c3-884d57fb2b86}

Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe

File created: C:\Users\user\AppData\Local\Temp\tmp7E95.tmp

Jump to behavior

Source: bbbe7872ea466446da60c4da50020cbb.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll

Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000002.343834467.0000000002D51000.00000004.00000001.sdmp, bbbe7872ea466446da60c4da50020cbb.exe, 0000000A.00000002.364695909.0000000002DF1000.00000004.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.367072310.0000000002F61000.00000004.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.379503086.0000000002831000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000002.343834467.0000000002D51000.00000004.00000001.sdmp, bbbe7872ea466446da60c4da50020cbb.exe, 0000000A.00000002.364695909.0000000002DF1000.00000004.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.367072310.0000000002F61000.00000004.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.379503086.0000000002831000.00000004.00000001.sdmp	Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);

Source: bbbe7872ea466446da60c4da50020cbb.exe

ReversingLabs: Detection: 34%

Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe

File read: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe 'C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe'
Source: unknown	Process created: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe
Source: unknown	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp7E95.tmp'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp81B3.tmp'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe 0
Source: unknown	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
Source: unknown	Process created: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe
Source: unknown	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Source: unknown	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Source: unknown	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
Source: unknown	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process created: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp7E95.tmp'	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp81B3.tmp'	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process created: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Jump to behavior

Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Jump to behavior

Source: bbbe7872ea466446da60c4da50020cbb.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Jump to behavior

Source: bbbe7872ea466446da60c4da50020cbb.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:

Data Obfuscation:

.NET source code contains potential unpacker

Show sources

Source: 4.2.bbbe7872ea466446da60c4da50020cbb.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.2.bbbe7872ea466446da60c4da50020cbb.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Code function: 0_2_04F08420 pushad ; iretd	0_2_04F08421
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Code function: 4_2_0111AD35 push cs; retf	4_2_0111AD4B
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Code function: 4_2_01119D74 push eax; retf	4_2_01119D75
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Code function: 4_2_01119D78 pushad ; retf	4_2_01119D79
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Code function: 4_2_0111ADA9 push cs; retf	4_2_0111ADBF
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Code function: 4_2_011174B8 push ebp; ret	4_2_011174B9
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Code function: 4_2_011174AC push ecx; ret	4_2_011174AD
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Code function: 4_2_0111ACC1 push cs; retf	4_2_0111ACD7
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Code function: 10_2_02968420 pushad ; iretd	10_2_02968421
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 11_2_02B08420 pushad ; iretd	11_2_02B08421

Source: initial sample	Static PE information: section name: .text entropy: 7.59845021391
Source: initial sample	Static PE information: section name: .text entropy: 7.59845021391

Source: 4.2.bbbe7872ea466446da60c4da50020cbb.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 4.2.bbbe7872ea466446da60c4da50020cbb.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='

Persistence and Installation Behavior:

Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe

File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

Jump to dropped file

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules

Show sources

Source: unknown

Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp7E95.tmp'

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe

File opened: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM_3

Show sources

Source: Yara match	File source: 0000000A.00000002.364695909.0000000002DF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.379503086.0000000002831000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.343834467.0000000002D51000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.367072310.0000000002F61000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 5656, type: MEMORY
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 6084, type: MEMORY
Source: Yara match	File source: Process Memory Space: bbbe7872ea466446da60c4da50020cbb.exe PID: 5620, type: MEMORY
Source: Yara match	File source: Process Memory Space: bbbe7872ea466446da60c4da50020cbb.exe PID: 6780, type: MEMORY
Source: Yara match	File source: 15.2.dhcpmon.exe.28588ac.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.bbbe7872ea466446da60c4da50020cbb.exe.2d78900.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.bbbe7872ea466446da60c4da50020cbb.exe.2e18918.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.dhcpmon.exe.2f888c4.1.raw.unpack, type: UNPACKEDPE

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000002.343834467.0000000002D51000.00000004.00000001.sdmp, bbbe7872ea466446da60c4da50020cbb.exe, 0000000A.00000002.364695909.0000000002DF1000.00000004.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.367072310.0000000002F61000.00000004.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.379503086.0000000002831000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL
Source: bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000002.343834467.0000000002D51000.00000004.00000001.sdmp, bbbe7872ea466446da60c4da50020cbb.exe, 0000000A.00000002.364695909.0000000002DF1000.00000004.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.367072310.0000000002F61000.00000004.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.379503086.0000000002831000.00000004.00000001.sdmp	Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME

Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe

Window / User API: foregroundWindowGot 894

Jump to behavior

Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe TID: 6784	Thread sleep time: -103297s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe TID: 6808	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe TID: 3912	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe TID: 3912	Thread sleep count: 174 > 30	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe TID: 3912	Thread sleep count: 271 > 30	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe TID: 4876	Thread sleep count: 296 > 30	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe TID: 492	Thread sleep time: -220000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe TID: 4828	Thread sleep time: -99751s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe TID: 4064	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4704	Thread sleep time: -100504s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4532	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe TID: 6328	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6024	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 5960	Thread sleep time: -103946s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 5720	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4744	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: dhcpmon.exe, 0000000F.00000002.379503086.0000000002831000.00000004.00000001.sdmp	Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: dhcpmon.exe, 0000000F.00000002.379503086.0000000002831000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: dhcpmon.exe, 0000000F.00000002.379503086.0000000002831000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: dhcpmon.exe, 0000000F.00000002.379503086.0000000002831000.00000004.00000001.sdmp	Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging:

Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Memory written: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Memory written: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Memory written: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Memory written: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe base: 400000 value starts with: 4D5A	Jump to behavior

Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process created: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp7E95.tmp'	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp81B3.tmp'	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Process created: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Jump to behavior

Source: bbbe7872ea466446da60c4da50020cbb.exe, 00000004.00000002.597421773.0000000002F4B000.00000004.00000001.sdmp	Binary or memory string: Program Manager
Source: bbbe7872ea466446da60c4da50020cbb.exe, 00000004.00000002.594434140.0000000001360000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: bbbe7872ea466446da60c4da50020cbb.exe, 00000004.00000002.594434140.0000000001360000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: bbbe7872ea466446da60c4da50020cbb.exe, 00000004.00000002.594434140.0000000001360000.00000002.00000001.sdmp	Binary or memory string: &Program Manager
Source: bbbe7872ea466446da60c4da50020cbb.exe, 00000004.00000002.597421773.0000000002F4B000.00000004.00000001.sdmp	Binary or memory string: Program Managerv
Source: bbbe7872ea466446da60c4da50020cbb.exe, 00000004.00000002.594434140.0000000001360000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe

Code function: 4_2_0110AF9A GetUserNameW,

4_2_0110AF9A

Source: C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 0000000C.00000002.375004523.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.381191346.0000000003D31000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.377624667.0000000002DA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.592467577.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.365772164.0000000003DF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.597683140.0000000003D07000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.381077094.0000000002D31000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.367529312.0000000003F61000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.391674013.0000000004001000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.378479336.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.380529240.0000000003831000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.390499078.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.377737091.0000000003DA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.391635582.0000000003001000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.344108345.0000000003D51000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: bbbe7872ea466446da60c4da50020cbb.exe PID: 348, type: MEMORY
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 6340, type: MEMORY
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 6332, type: MEMORY
Source: Yara match	File source: Process Memory Space: bbbe7872ea466446da60c4da50020cbb.exe PID: 6996, type: MEMORY
Source: Yara match	File source: 16.2.dhcpmon.exe.40530dd.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.dhcpmon.exe.3adb170.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.bbbe7872ea466446da60c4da50020cbb.exe.3deeab4.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.bbbe7872ea466446da60c4da50020cbb.exe.3de9c7e.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.dhcpmon.exe.3d79c7e.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.dhcpmon.exe.3d7eab4.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.bbbe7872ea466446da60c4da50020cbb.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.dhcpmon.exe.40c14a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.bbbe7872ea466446da60c4da50020cbb.exe.3d0eab4.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.bbbe7872ea466446da60c4da50020cbb.exe.409b170.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.dhcpmon.exe.3adb170.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.bbbe7872ea466446da60c4da50020cbb.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.dhcpmon.exe.4049c7e.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.bbbe7872ea466446da60c4da50020cbb.exe.3df30dd.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.dhcpmon.exe.420b170.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.dhcpmon.exe.420b170.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.dhcpmon.exe.3d830dd.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.bbbe7872ea466446da60c4da50020cbb.exe.3d0eab4.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.dhcpmon.exe.404eab4.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.bbbe7872ea466446da60c4da50020cbb.exe.3f0a0c0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.dhcpmon.exe.411a0c0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.bbbe7872ea466446da60c4da50020cbb.exe.3deeab4.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.dhcpmon.exe.39914a0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.dhcpmon.exe.404eab4.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.bbbe7872ea466446da60c4da50020cbb.exe.3ffb170.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.bbbe7872ea466446da60c4da50020cbb.exe.3d130dd.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.dhcpmon.exe.3d7eab4.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.bbbe7872ea466446da60c4da50020cbb.exe.3eb14a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.bbbe7872ea466446da60c4da50020cbb.exe.3f514a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.bbbe7872ea466446da60c4da50020cbb.exe.3d09c7e.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.dhcpmon.exe.39ea0c0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.bbbe7872ea466446da60c4da50020cbb.exe.409b170.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.bbbe7872ea466446da60c4da50020cbb.exe.3faa0c0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.bbbe7872ea466446da60c4da50020cbb.exe.3ffb170.4.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Detected Nanocore Rat

Show sources

Source: bbbe7872ea466446da60c4da50020cbb.exe, 00000004.00000002.592467577.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: bbbe7872ea466446da60c4da50020cbb.exe, 00000004.00000002.597683140.0000000003D07000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: bbbe7872ea466446da60c4da50020cbb.exe, 0000000C.00000002.375004523.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: bbbe7872ea466446da60c4da50020cbb.exe, 0000000C.00000002.377624667.0000000002DA1000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: dhcpmon.exe, 0000000E.00000002.381191346.0000000003D31000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: dhcpmon.exe, 0000000E.00000002.381191346.0000000003D31000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: dhcpmon.exe, 00000010.00000002.391674013.0000000004001000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: dhcpmon.exe, 00000010.00000002.391674013.0000000004001000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 0000000C.00000002.375004523.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.381191346.0000000003D31000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.377624667.0000000002DA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.592467577.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.365772164.0000000003DF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.597683140.0000000003D07000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.381077094.0000000002D31000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.367529312.0000000003F61000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.391674013.0000000004001000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.378479336.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.380529240.0000000003831000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.390499078.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.377737091.0000000003DA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.391635582.0000000003001000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.344108345.0000000003D51000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: bbbe7872ea466446da60c4da50020cbb.exe PID: 348, type: MEMORY
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 6340, type: MEMORY
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 6332, type: MEMORY
Source: Yara match	File source: Process Memory Space: bbbe7872ea466446da60c4da50020cbb.exe PID: 6996, type: MEMORY
Source: Yara match	File source: 16.2.dhcpmon.exe.40530dd.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.dhcpmon.exe.3adb170.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.bbbe7872ea466446da60c4da50020cbb.exe.3deeab4.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.bbbe7872ea466446da60c4da50020cbb.exe.3de9c7e.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.dhcpmon.exe.3d79c7e.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.dhcpmon.exe.3d7eab4.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.bbbe7872ea466446da60c4da50020cbb.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.dhcpmon.exe.40c14a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.bbbe7872ea466446da60c4da50020cbb.exe.3d0eab4.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.bbbe7872ea466446da60c4da50020cbb.exe.409b170.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.dhcpmon.exe.3adb170.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.bbbe7872ea466446da60c4da50020cbb.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.dhcpmon.exe.4049c7e.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.bbbe7872ea466446da60c4da50020cbb.exe.3df30dd.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.dhcpmon.exe.420b170.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.dhcpmon.exe.420b170.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.dhcpmon.exe.3d830dd.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.bbbe7872ea466446da60c4da50020cbb.exe.3d0eab4.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.dhcpmon.exe.404eab4.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.bbbe7872ea466446da60c4da50020cbb.exe.3f0a0c0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.dhcpmon.exe.411a0c0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.bbbe7872ea466446da60c4da50020cbb.exe.3deeab4.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.dhcpmon.exe.39914a0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.dhcpmon.exe.404eab4.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.bbbe7872ea466446da60c4da50020cbb.exe.3ffb170.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.bbbe7872ea466446da60c4da50020cbb.exe.3d130dd.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.dhcpmon.exe.3d7eab4.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.bbbe7872ea466446da60c4da50020cbb.exe.3eb14a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.bbbe7872ea466446da60c4da50020cbb.exe.3f514a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.bbbe7872ea466446da60c4da50020cbb.exe.3d09c7e.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.dhcpmon.exe.39ea0c0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.bbbe7872ea466446da60c4da50020cbb.exe.409b170.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.bbbe7872ea466446da60c4da50020cbb.exe.3faa0c0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.bbbe7872ea466446da60c4da50020cbb.exe.3ffb170.4.raw.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Scheduled Task/Job1	Scheduled Task/Job1	Access Token Manipulation1	Masquerading2	Input Capture11	Security Software Discovery21	Remote Services	Input Capture11	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Process Injection112	Virtualization/Sandbox Evasion2	LSASS Memory	Virtualization/Sandbox Evasion2	Remote Desktop Protocol	Archive Collected Data11	Exfiltration Over Bluetooth	Non-Standard Port1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Scheduled Task/Job1	Disable or Modify Tools1	Security Account Manager	Process Discovery2	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Remote Access Software1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Access Token Manipulation1	NTDS	Application Window Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Non-Application Layer Protocol1	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Process Injection112	LSA Secrets	Account Discovery1	SSH	Keylogging	Data Transfer Size Limits	Application Layer Protocol11	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Deobfuscate/Decode Files or Information1	Cached Domain Credentials	System Owner/User Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Hidden Files and Directories1	DCSync	System Information Discovery12	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Obfuscated Files or Information31	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Software Packing13	/etc/passwd and /etc/shadow	System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
bbbe7872ea466446da60c4da50020cbb.exe	35%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla
bbbe7872ea466446da60c4da50020cbb.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	35%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla

Unpacked PE Files

Source	Detection	Scanner	Label	Download
14.2.dhcpmon.exe.400000.0.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
12.2.bbbe7872ea466446da60c4da50020cbb.exe.400000.0.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
4.2.bbbe7872ea466446da60c4da50020cbb.exe.400000.0.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
16.2.dhcpmon.exe.400000.0.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File

Domains

Source	Detection	Scanner	Label	Link
cloudhost.myfirewall.org	1%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
cloudhost.myfirewall.org	0%	Avira URL Cloud	safe
http://www.carterandcone.com&	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.carterandcone.comormD	0%	Avira URL Cloud	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.carterandcone.com	0%	URL Reputation	safe
http://www.carterandcone.com	0%	URL Reputation	safe
http://www.carterandcone.com	0%	URL Reputation	safe
http://www.carterandcone.com.	0%	URL Reputation	safe
http://www.carterandcone.com.	0%	URL Reputation	safe
http://www.carterandcone.com.	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp//	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp//	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp//	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.ascendercorp.com/typedesigners.html	0%	URL Reputation	safe
http://www.ascendercorp.com/typedesigners.html	0%	URL Reputation	safe
http://www.ascendercorp.com/typedesigners.html	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/(	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/(	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/(	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.carterandcone.como.	0%	URL Reputation	safe
http://www.carterandcone.como.	0%	URL Reputation	safe
http://www.carterandcone.como.	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.galapagosdesign.com/	0%	URL Reputation	safe
http://www.galapagosdesign.com/	0%	URL Reputation	safe
http://www.galapagosdesign.com/	0%	URL Reputation	safe
http://www.carterandcone.comTC	0%	URL Reputation	safe
http://www.carterandcone.comTC	0%	URL Reputation	safe
http://www.carterandcone.comTC	0%	URL Reputation	safe
http://www.zhongyicts.com.cnp	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/D	0%	Avira URL Cloud	safe
http://www.gagalive.kr/livechat1.swf?chatroom=inchat-	0%	Avira URL Cloud	safe
http://en.w	0%	URL Reputation	safe
http://en.w	0%	URL Reputation	safe
http://en.w	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.founder.com.cn/cn/	0%	URL Reputation	safe
http://www.founder.com.cn/cn/	0%	URL Reputation	safe
http://www.founder.com.cn/cn/	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.carterandcone.comTCw	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/vvT	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
cloudhost.myfirewall.org	79.134.225.105	true	true	1%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
cloudhost.myfirewall.org	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.fontbureau.com/designersG	bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000002.348097971.00000000063B2000.00000004.00000001.sdmp, bbbe7872ea466446da60c4da50020cbb.exe, 0000000A.00000002.367125363.0000000005320000.00000002.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.370057992.0000000005450000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.382568285.0000000004EB0000.00000002.00000001.sdmp	false		high
http://www.carterandcone.com&	bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000003.329135863.00000000051A7000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://www.fontbureau.com/designers/?	bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000002.348097971.00000000063B2000.00000004.00000001.sdmp, bbbe7872ea466446da60c4da50020cbb.exe, 0000000A.00000002.367125363.0000000005320000.00000002.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.370057992.0000000005450000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.382568285.0000000004EB0000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn/bThe	bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000002.348097971.00000000063B2000.00000004.00000001.sdmp, bbbe7872ea466446da60c4da50020cbb.exe, 0000000A.00000002.367125363.0000000005320000.00000002.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.370057992.0000000005450000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.382568285.0000000004EB0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers?	bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000002.348097971.00000000063B2000.00000004.00000001.sdmp, bbbe7872ea466446da60c4da50020cbb.exe, 0000000A.00000002.367125363.0000000005320000.00000002.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.370057992.0000000005450000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.382568285.0000000004EB0000.00000002.00000001.sdmp	false		high
http://www.carterandcone.comormD	bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000003.328197714.00000000051A6000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.tiro.com	dhcpmon.exe, 0000000F.00000002.382568285.0000000004EB0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers	dhcpmon.exe, 0000000F.00000002.382568285.0000000004EB0000.00000002.00000001.sdmp	false		high
http://www.goodfont.co.kr	bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000002.348097971.00000000063B2000.00000004.00000001.sdmp, bbbe7872ea466446da60c4da50020cbb.exe, 0000000A.00000002.367125363.0000000005320000.00000002.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.370057992.0000000005450000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.382568285.0000000004EB0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.carterandcone.com	bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000003.329135863.00000000051A7000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css	bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000002.343834467.0000000002D51000.00000004.00000001.sdmp, bbbe7872ea466446da60c4da50020cbb.exe, 0000000A.00000002.364695909.0000000002DF1000.00000004.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.367072310.0000000002F61000.00000004.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.379503086.0000000002831000.00000004.00000001.sdmp	false		high
http://www.carterandcone.com.	bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000003.328197714.00000000051A6000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.sajatypeworks.com	bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000002.348097971.00000000063B2000.00000004.00000001.sdmp, bbbe7872ea466446da60c4da50020cbb.exe, 0000000A.00000002.367125363.0000000005320000.00000002.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.370057992.0000000005450000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.382568285.0000000004EB0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.typography.netD	bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000002.348097971.00000000063B2000.00000004.00000001.sdmp, bbbe7872ea466446da60c4da50020cbb.exe, 0000000A.00000002.367125363.0000000005320000.00000002.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.370057992.0000000005450000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.382568285.0000000004EB0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cn/cThe	bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000002.348097971.00000000063B2000.00000004.00000001.sdmp, bbbe7872ea466446da60c4da50020cbb.exe, 0000000A.00000002.367125363.0000000005320000.00000002.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.370057992.0000000005450000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.382568285.0000000004EB0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000002.348097971.00000000063B2000.00000004.00000001.sdmp, bbbe7872ea466446da60c4da50020cbb.exe, 0000000A.00000002.367125363.0000000005320000.00000002.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.370057992.0000000005450000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.382568285.0000000004EB0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://fontfabrik.com	bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000002.348097971.00000000063B2000.00000004.00000001.sdmp, bbbe7872ea466446da60c4da50020cbb.exe, 0000000A.00000002.367125363.0000000005320000.00000002.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.370057992.0000000005450000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.382568285.0000000004EB0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp//	bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000003.329603375.00000000051A8000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/DPlease	bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000002.348097971.00000000063B2000.00000004.00000001.sdmp, bbbe7872ea466446da60c4da50020cbb.exe, 0000000A.00000002.367125363.0000000005320000.00000002.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.370057992.0000000005450000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.382568285.0000000004EB0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.ascendercorp.com/typedesigners.html	bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000003.330244134.00000000051DD000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/(	bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000003.329603375.00000000051A8000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fonts.com	bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000002.348097971.00000000063B2000.00000004.00000001.sdmp, bbbe7872ea466446da60c4da50020cbb.exe, 0000000A.00000002.367125363.0000000005320000.00000002.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.370057992.0000000005450000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.382568285.0000000004EB0000.00000002.00000001.sdmp	false		high
http://www.sandoll.co.kr	bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000002.348097971.00000000063B2000.00000004.00000001.sdmp, bbbe7872ea466446da60c4da50020cbb.exe, 0000000A.00000002.367125363.0000000005320000.00000002.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.370057992.0000000005450000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.382568285.0000000004EB0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.urwpp.deDPlease	bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000002.348097971.00000000063B2000.00000004.00000001.sdmp, bbbe7872ea466446da60c4da50020cbb.exe, 0000000A.00000002.367125363.0000000005320000.00000002.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.370057992.0000000005450000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.382568285.0000000004EB0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000002.348097971.00000000063B2000.00000004.00000001.sdmp, bbbe7872ea466446da60c4da50020cbb.exe, 0000000A.00000002.367125363.0000000005320000.00000002.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.370057992.0000000005450000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.382568285.0000000004EB0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.carterandcone.como.	bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000003.328197714.00000000051A6000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.sakkal.com	bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000002.348097971.00000000063B2000.00000004.00000001.sdmp, bbbe7872ea466446da60c4da50020cbb.exe, 0000000A.00000002.367125363.0000000005320000.00000002.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.370057992.0000000005450000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.382568285.0000000004EB0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://schooldb.inchat.kro.kr/	dhcpmon.exe, dhcpmon.exe, 0000000E.00000002.378594437.0000000000502000.00000002.00020000.sdmp, dhcpmon.exe, 0000000F.00000000.371490717.0000000000042000.00000002.00020000.sdmp, dhcpmon.exe, 00000010.00000002.390560823.00000000008F2000.00000002.00020000.sdmp, bbbe7872ea466446da60c4da50020cbb.exe	false		high
http://www.apache.org/licenses/LICENSE-2.0	bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000002.348097971.00000000063B2000.00000004.00000001.sdmp, bbbe7872ea466446da60c4da50020cbb.exe, 0000000A.00000002.367125363.0000000005320000.00000002.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.370057992.0000000005450000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.382568285.0000000004EB0000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com	bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000002.348097971.00000000063B2000.00000004.00000001.sdmp, bbbe7872ea466446da60c4da50020cbb.exe, 0000000A.00000002.367125363.0000000005320000.00000002.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.370057992.0000000005450000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.382568285.0000000004EB0000.00000002.00000001.sdmp	false		high
http://www.galapagosdesign.com/	bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000003.334789389.00000000051D5000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://inchat.kro.kr	dhcpmon.exe, dhcpmon.exe, 0000000E.00000002.378594437.0000000000502000.00000002.00020000.sdmp, dhcpmon.exe, 0000000F.00000000.371490717.0000000000042000.00000002.00020000.sdmp, dhcpmon.exe, 00000010.00000002.390560823.00000000008F2000.00000002.00020000.sdmp, bbbe7872ea466446da60c4da50020cbb.exe	false		high
http://www.fontbureau.com/designers/cabarga.htmlo	bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000003.333166545.00000000051D5000.00000004.00000001.sdmp	false		high
http://www.carterandcone.comTC	bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000003.328197714.00000000051A6000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.zhongyicts.com.cnp	bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000003.328197714.00000000051A6000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/D	bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000003.329603375.00000000051A8000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.gagalive.kr/livechat1.swf?chatroom=inchat-	dhcpmon.exe, dhcpmon.exe, 0000000E.00000002.378594437.0000000000502000.00000002.00020000.sdmp, dhcpmon.exe, 0000000F.00000000.371490717.0000000000042000.00000002.00020000.sdmp, dhcpmon.exe, 00000010.00000002.390560823.00000000008F2000.00000002.00020000.sdmp, bbbe7872ea466446da60c4da50020cbb.exe	false	Avira URL Cloud: safe	unknown
http://en.w	bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000003.325630674.00000000051A9000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.carterandcone.coml	bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000002.348097971.00000000063B2000.00000004.00000001.sdmp, bbbe7872ea466446da60c4da50020cbb.exe, 0000000A.00000002.367125363.0000000005320000.00000002.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.370057992.0000000005450000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.382568285.0000000004EB0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cn/	bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000003.327774459.00000000051AB000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000002.348097971.00000000063B2000.00000004.00000001.sdmp, bbbe7872ea466446da60c4da50020cbb.exe, 0000000A.00000002.367125363.0000000005320000.00000002.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.370057992.0000000005450000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.382568285.0000000004EB0000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn	bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000002.348097971.00000000063B2000.00000004.00000001.sdmp, bbbe7872ea466446da60c4da50020cbb.exe, 0000000A.00000002.367125363.0000000005320000.00000002.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.370057992.0000000005450000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.382568285.0000000004EB0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-jones.html	bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000003.332711004.00000000051D5000.00000004.00000001.sdmp, bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000002.348097971.00000000063B2000.00000004.00000001.sdmp, bbbe7872ea466446da60c4da50020cbb.exe, 0000000A.00000002.367125363.0000000005320000.00000002.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.370057992.0000000005450000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.382568285.0000000004EB0000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com/designers/cabarga.html	bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000003.333166545.00000000051D5000.00000004.00000001.sdmp	false		high
http://www.carterandcone.comTCw	bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000003.328197714.00000000051A6000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/	bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000002.348097971.00000000063B2000.00000004.00000001.sdmp, bbbe7872ea466446da60c4da50020cbb.exe, 0000000A.00000002.367125363.0000000005320000.00000002.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.370057992.0000000005450000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.382568285.0000000004EB0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/vvT	bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000003.329603375.00000000051A8000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers8	bbbe7872ea466446da60c4da50020cbb.exe, 00000000.00000002.348097971.00000000063B2000.00000004.00000001.sdmp, bbbe7872ea466446da60c4da50020cbb.exe, 0000000A.00000002.367125363.0000000005320000.00000002.00000001.sdmp, dhcpmon.exe, 0000000B.00000002.370057992.0000000005450000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.382568285.0000000004EB0000.00000002.00000001.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
79.134.225.105	unknown	Switzerland		6775	FINK-TELECOM-SERVICESCH	true

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	358272
Start date:	25.02.2021
Start time:	11:23:48
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 13m 35s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	bbbe7872ea466446da60c4da50020cbb.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	37
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@20/8@20/1
EGA Information:	Failed
HDC Information:	Successful, ratio: 0.7% (good quality ratio 0.6%) Quality average: 61.9% Quality standard deviation: 18.7%
HCA Information:	Successful, ratio: 86% Number of executed functions: 451 Number of non-executed functions: 5
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information. Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 51.103.5.186, 104.43.139.144, 204.79.197.200, 13.107.21.200, 23.218.209.198, 104.42.151.234, 92.122.145.220, 52.255.188.83, 51.104.144.132, 67.26.75.254, 8.253.207.120, 8.248.147.254, 67.27.158.254, 8.248.137.254, 52.155.217.156, 51.103.5.159, 20.54.26.129, 92.122.213.247, 92.122.213.194, 104.43.193.48, 51.104.139.180, 184.30.20.56 Excluded domains from analysis (whitelisted): storeedgefd.dsx.mp.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, a1449.dscg2.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, storeedgefd.xbetservices.akadns.net, arc.msn.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, wns.notify.trafficmanager.net, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, auto.au.download.windowsupdate.com.c.footprint.net, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, storeedgefd.dsx.mp.microsoft.com, www.bing.com, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, client.wns.windows.com, fs.microsoft.com, dual-a-0001.a-msedge.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, ctldl.windowsupdate.com, e1723.g.akamaiedge.net, skypedataprdcolcus16.cloudapp.net, storeedgefd.dsx.mp.microsoft.com.edgekey.net, skypedataprdcolcus15.cloudapp.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, e16646.dscg.akamaiedge.net, skypedataprdcolwus16.cloudapp.net, vip2-par02p.wns.notify.trafficmanager.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net Report creation exceeded maximum time and may have missing disassembly code information. Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
11:24:42	API Interceptor	911x Sleep call for process: bbbe7872ea466446da60c4da50020cbb.exe modified
11:24:47	Task Scheduler	Run new task: DHCP Monitor path: "C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe" s>$(Arg0)
11:24:48	Task Scheduler	Run new task: DHCP Monitor Task path: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" s>$(Arg0)
11:24:49	API Interceptor	2x Sleep call for process: dhcpmon.exe modified
11:24:49	Autostart	Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
79.134.225.105	e92b274943f4a3a557881ee0dd57772d.exe	Get hash	malicious	Browse
	5293ea9467ea45e928620a5ed74440f5.exe	Get hash	malicious	Browse
	f1a14e6352036833f1c109e1bb2934f2.exe	Get hash	malicious	Browse
	256ec8f8f67b59c5e085b0bb63afcd13.exe	Get hash	malicious	Browse
	d88e07467ddcf9e3b19fa972b9f000d1.exe	Get hash	malicious	Browse
	73a4f40d0affe5eea89174f8917bba73.exe	Get hash	malicious	Browse
	9a08c8a2b49d6348f2ef35f85a1c6351.exe	Get hash	malicious	Browse
	7eec14e7cec4dc93fbf53e08998b2340.exe	Get hash	malicious	Browse
	f2a22415c1b108ce91fd76e3320431d0.exe	Get hash	malicious	Browse
	1d8eff2bc76e46dc186fa501e24f5cb1.exe	Get hash	malicious	Browse
	1464bbe24dac1f403f15b3c3860f37ca.exe	Get hash	malicious	Browse
	1d78424ce6944359d546dbcbc030f19e.exe	Get hash	malicious	Browse
	84ab43f7eda35ae038b199d3a3586b77.exe	Get hash	malicious	Browse
	Require_Quote_20200128 SSG.pdf ind.exe	Get hash	malicious	Browse
	DHL FILE 987634732.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	NKF20205 LIST.exe	Get hash	malicious	Browse
	URGENT PO.exe	Get hash	malicious	Browse
	scan002947779488.exe	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
cloudhost.myfirewall.org	e92b274943f4a3a557881ee0dd57772d.exe	Get hash	malicious	Browse	79.134.225.105
	256ec8f8f67b59c5e085b0bb63afcd13.exe	Get hash	malicious	Browse	79.134.225.105
	9a08c8a2b49d6348f2ef35f85a1c6351.exe	Get hash	malicious	Browse	79.134.225.105
	zSDBuG8gDl.exe	Get hash	malicious	Browse	185.229.243.67
	65d1beae1fc7eb126cd4a9b277afb942.exe	Get hash	malicious	Browse	79.134.225.96
	f2a22415c1b108ce91fd76e3320431d0.exe	Get hash	malicious	Browse	79.134.225.105
	1d8eff2bc76e46dc186fa501e24f5cb1.exe	Get hash	malicious	Browse	79.134.225.105
	5134b758f8eb77424254ce67f4697ffe.exe	Get hash	malicious	Browse	79.134.225.96
	1d8eff2bc76e46dc186fa501e24f5cb1.exe	Get hash	malicious	Browse	79.134.225.96
	460f7e6048ed3ca91f1573a7410fedd6.exe	Get hash	malicious	Browse	79.134.225.96
	1d78424ce6944359d546dbcbc030f19e.exe	Get hash	malicious	Browse	79.134.225.105

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
FINK-TELECOM-SERVICESCH	cp573oYDUX.exe	Get hash	malicious	Browse	79.134.225.43
	Y5XyMnx8Ng.exe	Get hash	malicious	Browse	79.134.225.43
	YoWPu2BQzA9FeDd.exe	Get hash	malicious	Browse	79.134.225.43
	xF7GogN7tM.exe	Get hash	malicious	Browse	79.134.225.120
	TZgGVyMJYF.exe	Get hash	malicious	Browse	79.134.225.74
	ilpbALnKbE.exe	Get hash	malicious	Browse	79.134.225.103
	Documents.exe	Get hash	malicious	Browse	79.134.225.87
	SWcNyi2YBj.exe	Get hash	malicious	Browse	79.134.225.103
	Confirmation Transfer Note Ref Number0002636.exe	Get hash	malicious	Browse	79.134.225.8
	TdX45jQWjj.exe	Get hash	malicious	Browse	79.134.225.43
	e92b274943f4a3a557881ee0dd57772d.exe	Get hash	malicious	Browse	79.134.225.105
	WxTm2cWLHF.exe	Get hash	malicious	Browse	79.134.225.71
	Payment Confirmation.exe	Get hash	malicious	Browse	79.134.225.30
	rjHlt1zz28.exe	Get hash	malicious	Browse	79.134.225.49
	Deadly Variants of Covid 19.doc	Get hash	malicious	Browse	79.134.225.49
	document.exe	Get hash	malicious	Browse	79.134.225.122
	5293ea9467ea45e928620a5ed74440f5.exe	Get hash	malicious	Browse	79.134.225.105
	f1a14e6352036833f1c109e1bb2934f2.exe	Get hash	malicious	Browse	79.134.225.105
	256ec8f8f67b59c5e085b0bb63afcd13.exe	Get hash	malicious	Browse	79.134.225.105
	JOIN.exe	Get hash	malicious	Browse	79.134.225.30

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Download File
Process:	C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	487424
Entropy (8bit):	7.585377119878555
Encrypted:	false
SSDEEP:	12288:13Wp0pFZhvpNkMtT4vH2PEe4nU7YTRwiQSBuDG9RDQ1Ln:1ZFZDWocvHwt4bqDMDQF
MD5:	88EF84E623F21AF8C30D3BBA321A7448
SHA1:	701339B101C76FA1BA159C66B48EF2F9B6D73AA8
SHA-256:	0095C39F2D6F62DEA9FD6D066DECAB6F0A7ACAB87829F659EFD01BC1D2564BD0
SHA-512:	2441191F7FE76BFEF584960ED21EC576DD36D0FD37882F77A91A0FC05921A7B459E030FCBC4E3A3207F55BA9D8992CDD69F20A87C1837FF2EAC13C1F89D16035
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 35%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....6`..............P..f............... ........@.. ....................................@....................................O.................................................................................... ............... ..H............text...4d... ...f.................. ..`.rsrc................h..............@..@.reloc...............n..............@..B........................H...........lE...........:...I...........................................0............(....(..........(.....o..........................(.......( ......(!......("......(#....N..(....o....($....&..(%.....s&........s'........s(........s)........s............0...........~....o+....+...0...........~....o,....+...0...........~....o-....+...0...........~....o.....+...0...........~....o/....+...0..<........~.....(0.....,!r...p.....(1...o2...s3............~.....+...0......

C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe:Zone.Identifier Download File
Process:	C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\bbbe7872ea466446da60c4da50020cbb.exe.log Download File
Process:	C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	664
Entropy (8bit):	5.288448637977022
Encrypted:	false
SSDEEP:	12:Q3LaJU20NaL10Ug+9Yz9t0U29hJ5g1B0U2ukyrFk70U2xANlW3ANv:MLF20NaL3z2p29hJ5g522rW2xAi3A9
MD5:	B1DB55991C3DA14E35249AEA1BC357CA
SHA1:	0DD2D91198FDEF296441B12F1A906669B279700C
SHA-256:	34D3E48321D5010AD2BD1F3F0B728077E4F5A7F70D66FA36B57E5209580B6BDC
SHA-512:	BE38A31888C9C2F8047FA9C99672CB985179D325107514B7500DDA9523AE3E1D20B45EACC4E6C8A5D096360D0FBB98A120E63F38FFE324DF8A0559F6890CC801
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Remo#\35774dc3cd31b4550ab06c3354cf4ba5\System.Runtime.Remoting.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\dhcpmon.exe.log Download File
Process:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	664
Entropy (8bit):	5.288448637977022
Encrypted:	false
SSDEEP:	12:Q3LaJU20NaL10Ug+9Yz9t0U29hJ5g1B0U2ukyrFk70U2xANlW3ANv:MLF20NaL3z2p29hJ5g522rW2xAi3A9
MD5:	B1DB55991C3DA14E35249AEA1BC357CA
SHA1:	0DD2D91198FDEF296441B12F1A906669B279700C
SHA-256:	34D3E48321D5010AD2BD1F3F0B728077E4F5A7F70D66FA36B57E5209580B6BDC
SHA-512:	BE38A31888C9C2F8047FA9C99672CB985179D325107514B7500DDA9523AE3E1D20B45EACC4E6C8A5D096360D0FBB98A120E63F38FFE324DF8A0559F6890CC801
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Remo#\35774dc3cd31b4550ab06c3354cf4ba5\System.Runtime.Remoting.ni.dll",0..

C:\Users\user\AppData\Local\Temp\tmp7E95.tmp Download File
Process:	C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1325
Entropy (8bit):	5.142681781286418
Encrypted:	false
SSDEEP:	24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0VxuDxtn:cbk4oL600QydbQxIYODOLedq3iij
MD5:	84A099124F6C7EE51E18E71DC7BC3A9B
SHA1:	1711144C438CBDF89365DB7FA6321956BC973CF7
SHA-256:	8239178C04A3BA7C0A51E29EA046C53C7DFD6434CA19F053730578CEB231B4F9
SHA-512:	E3653310916ADF9C0A96AAC010900B7E2A7B7156651A06B53E75110A212A1C9A6489CE58E9D856B8A4DD473612D91C760D5855B9E3200496B3D4204DF4AA91AF
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak

C:\Users\user\AppData\Local\Temp\tmp81B3.tmp Download File
Process:	C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	1310
Entropy (8bit):	5.109425792877704
Encrypted:	false
SSDEEP:	24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0R3xtn:cbk4oL600QydbQxIYODOLedq3S3j
MD5:	5C2F41CFC6F988C859DA7D727AC2B62A
SHA1:	68999C85FC7E37BAB9216E0099836D40D4545C1C
SHA-256:	98B6E66B6C2173B9B91FC97FE51805340EFDE978B695453742EBAB631018398B
SHA-512:	B5DA5DA378D038AFBF8A7738E47921ED39F9B726E2CAA2993D915D9291A3322F94EFE8CCA6E7AD678A670DB19926B22B20E5028460FCC89CEA7F6635E7557334
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat Download File
Process:	C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe
File Type:	data
Category:	dropped
Size (bytes):	8
Entropy (8bit):	3.0
Encrypted:	false
SSDEEP:	3:hn:h
MD5:	D31129909503FD8FFBD27BEC609FAEFB
SHA1:	31E23DEAE7A4A3318FEDE87058CD39880371C5A6
SHA-256:	A8BD14E933B3B91C59B72BBE9F0CE37D00BFD53DC4E41A838E4488F8B1C4FDC4
SHA-512:	C3CC657202070CF423E811054FBB0C4DC48BC2545DD7DC0DD2FD4D392F17985C71D920E918FD145F2DEE0C85691CD4F43F664B13A0E07B279DC1A63E7D57AE38
Malicious:	true
Preview:	..E....H

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\task.dat Download File
Process:	C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	62
Entropy (8bit):	4.443732754068415
Encrypted:	false
SSDEEP:	3:oNN2+WHAuK1T95RbXVQHLNn:oNN2RguuhbXVQrNn
MD5:	1305CC0074A93B66ED5F48F9F5525B0A
SHA1:	FF47387DBEDCF1D78859AE5E69D68087E9D001B8
SHA-256:	2683F197FE07E73150EFC619A6D18BD2D459B37B243B109A350F697E50033E38
SHA-512:	54CAD3A91F06B1651FEF9F3B34ED4DCC4445D36D4E77E8F61A8C74049ADD13CBFDB8F246CFDE78CB634170234D04C30726B5E4956955FDCEE7AC5760E1A8881C
Malicious:	false
Preview:	C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.585377119878555
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	bbbe7872ea466446da60c4da50020cbb.exe
File size:	487424
MD5:	88ef84e623f21af8c30d3bba321a7448
SHA1:	701339b101c76fa1ba159c66b48ef2f9b6d73aa8
SHA256:	0095c39f2d6f62dea9fd6d066decab6f0a7acab87829f659efd01bc1d2564bd0
SHA512:	2441191f7fe76bfef584960ed21ec576dd36d0fd37882f77a91a0fc05921a7b459e030fcbc4e3a3207f55ba9d8992cdd69f20a87c1837ff2eac13c1f89d16035
SSDEEP:	12288:13Wp0pFZhvpNkMtT4vH2PEe4nU7YTRwiQSBuDG9RDQ1Ln:1ZFZDWocvHwt4bqDMDQF
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....6`..............P..f............... ........@.. ....................................@................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General
Entrypoint:	0x47842e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x6036DFEC [Wed Feb 24 23:23:24 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:	v2.0.50727
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x783dc	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x7a000	0x5dc	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x7c000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x76434	0x76600	False	0.81248968783	data	7.59845021391	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0x7a000	0x5dc	0x600	False	0.43359375	data	4.18581494296	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x7c000	0xc	0x200	False	0.044921875	data	0.101910425663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0x7a090	0x34c	data
RT_MANIFEST	0x7a3ec	0x1ea	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright 2016 - 2021
Assembly Version	1.0.0.0
InternalName	SystemLazyDebugView.exe
FileVersion	1.0.0.0
CompanyName
LegalTrademarks
Comments
ProductName	ASM PS
ProductVersion	1.0.0.0
FileDescription	ASM PS
OriginalFilename	SystemLazyDebugView.exe

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 25, 2021 11:24:48.626800060 CET	49712	5654	192.168.2.6	79.134.225.105
Feb 25, 2021 11:24:48.709671974 CET	5654	49712	79.134.225.105	192.168.2.6
Feb 25, 2021 11:24:49.325844049 CET	49712	5654	192.168.2.6	79.134.225.105
Feb 25, 2021 11:24:49.410424948 CET	5654	49712	79.134.225.105	192.168.2.6
Feb 25, 2021 11:24:50.025794983 CET	49712	5654	192.168.2.6	79.134.225.105
Feb 25, 2021 11:24:50.109920979 CET	5654	49712	79.134.225.105	192.168.2.6
Feb 25, 2021 11:24:54.695738077 CET	49713	5654	192.168.2.6	79.134.225.105
Feb 25, 2021 11:24:54.783087969 CET	5654	49713	79.134.225.105	192.168.2.6
Feb 25, 2021 11:24:55.354371071 CET	49713	5654	192.168.2.6	79.134.225.105
Feb 25, 2021 11:24:55.439676046 CET	5654	49713	79.134.225.105	192.168.2.6
Feb 25, 2021 11:24:56.058144093 CET	49713	5654	192.168.2.6	79.134.225.105
Feb 25, 2021 11:24:56.145593882 CET	5654	49713	79.134.225.105	192.168.2.6
Feb 25, 2021 11:25:00.273941040 CET	49714	5654	192.168.2.6	79.134.225.105
Feb 25, 2021 11:25:00.358505964 CET	5654	49714	79.134.225.105	192.168.2.6
Feb 25, 2021 11:25:00.870687962 CET	49714	5654	192.168.2.6	79.134.225.105
Feb 25, 2021 11:25:00.955174923 CET	5654	49714	79.134.225.105	192.168.2.6
Feb 25, 2021 11:25:01.464282036 CET	49714	5654	192.168.2.6	79.134.225.105
Feb 25, 2021 11:25:01.547135115 CET	5654	49714	79.134.225.105	192.168.2.6
Feb 25, 2021 11:25:05.998193979 CET	49721	5654	192.168.2.6	79.134.225.105
Feb 25, 2021 11:25:06.080715895 CET	5654	49721	79.134.225.105	192.168.2.6
Feb 25, 2021 11:25:06.589694977 CET	49721	5654	192.168.2.6	79.134.225.105
Feb 25, 2021 11:25:06.673861980 CET	5654	49721	79.134.225.105	192.168.2.6
Feb 25, 2021 11:25:07.183506966 CET	49721	5654	192.168.2.6	79.134.225.105
Feb 25, 2021 11:25:07.266280890 CET	5654	49721	79.134.225.105	192.168.2.6
Feb 25, 2021 11:25:11.364681959 CET	49727	5654	192.168.2.6	79.134.225.105
Feb 25, 2021 11:25:11.450200081 CET	5654	49727	79.134.225.105	192.168.2.6
Feb 25, 2021 11:25:12.121423006 CET	49727	5654	192.168.2.6	79.134.225.105
Feb 25, 2021 11:25:12.209835052 CET	5654	49727	79.134.225.105	192.168.2.6
Feb 25, 2021 11:25:12.824589014 CET	49727	5654	192.168.2.6	79.134.225.105
Feb 25, 2021 11:25:12.910170078 CET	5654	49727	79.134.225.105	192.168.2.6
Feb 25, 2021 11:25:17.076725006 CET	49730	5654	192.168.2.6	79.134.225.105
Feb 25, 2021 11:25:17.161436081 CET	5654	49730	79.134.225.105	192.168.2.6
Feb 25, 2021 11:25:17.668745041 CET	49730	5654	192.168.2.6	79.134.225.105
Feb 25, 2021 11:25:17.751597881 CET	5654	49730	79.134.225.105	192.168.2.6
Feb 25, 2021 11:25:18.262532949 CET	49730	5654	192.168.2.6	79.134.225.105
Feb 25, 2021 11:25:18.347594023 CET	5654	49730	79.134.225.105	192.168.2.6
Feb 25, 2021 11:25:22.442135096 CET	49731	5654	192.168.2.6	79.134.225.105
Feb 25, 2021 11:25:22.529938936 CET	5654	49731	79.134.225.105	192.168.2.6
Feb 25, 2021 11:25:23.044122934 CET	49731	5654	192.168.2.6	79.134.225.105
Feb 25, 2021 11:25:23.132652044 CET	5654	49731	79.134.225.105	192.168.2.6
Feb 25, 2021 11:25:23.637950897 CET	49731	5654	192.168.2.6	79.134.225.105
Feb 25, 2021 11:25:23.730770111 CET	5654	49731	79.134.225.105	192.168.2.6
Feb 25, 2021 11:25:27.997536898 CET	49738	5654	192.168.2.6	79.134.225.105
Feb 25, 2021 11:25:28.080324888 CET	5654	49738	79.134.225.105	192.168.2.6
Feb 25, 2021 11:25:28.591954947 CET	49738	5654	192.168.2.6	79.134.225.105
Feb 25, 2021 11:25:28.677618027 CET	5654	49738	79.134.225.105	192.168.2.6
Feb 25, 2021 11:25:29.202150106 CET	49738	5654	192.168.2.6	79.134.225.105
Feb 25, 2021 11:25:29.284926891 CET	5654	49738	79.134.225.105	192.168.2.6
Feb 25, 2021 11:25:33.562685013 CET	49745	5654	192.168.2.6	79.134.225.105
Feb 25, 2021 11:25:33.648861885 CET	5654	49745	79.134.225.105	192.168.2.6
Feb 25, 2021 11:25:34.201298952 CET	49745	5654	192.168.2.6	79.134.225.105
Feb 25, 2021 11:25:34.294214010 CET	5654	49745	79.134.225.105	192.168.2.6
Feb 25, 2021 11:25:34.904462099 CET	49745	5654	192.168.2.6	79.134.225.105
Feb 25, 2021 11:25:34.989918947 CET	5654	49745	79.134.225.105	192.168.2.6
Feb 25, 2021 11:25:39.131872892 CET	49752	5654	192.168.2.6	79.134.225.105
Feb 25, 2021 11:25:39.214664936 CET	5654	49752	79.134.225.105	192.168.2.6
Feb 25, 2021 11:25:39.717439890 CET	49752	5654	192.168.2.6	79.134.225.105
Feb 25, 2021 11:25:39.800367117 CET	5654	49752	79.134.225.105	192.168.2.6
Feb 25, 2021 11:25:40.311438084 CET	49752	5654	192.168.2.6	79.134.225.105
Feb 25, 2021 11:25:40.394157887 CET	5654	49752	79.134.225.105	192.168.2.6
Feb 25, 2021 11:25:44.567759037 CET	49753	5654	192.168.2.6	79.134.225.105
Feb 25, 2021 11:25:44.653165102 CET	5654	49753	79.134.225.105	192.168.2.6
Feb 25, 2021 11:25:45.155433893 CET	49753	5654	192.168.2.6	79.134.225.105
Feb 25, 2021 11:25:45.240783930 CET	5654	49753	79.134.225.105	192.168.2.6
Feb 25, 2021 11:25:45.749188900 CET	49753	5654	192.168.2.6	79.134.225.105
Feb 25, 2021 11:25:45.835782051 CET	5654	49753	79.134.225.105	192.168.2.6
Feb 25, 2021 11:25:49.973664045 CET	49757	5654	192.168.2.6	79.134.225.105
Feb 25, 2021 11:25:50.060617924 CET	5654	49757	79.134.225.105	192.168.2.6
Feb 25, 2021 11:25:50.562046051 CET	49757	5654	192.168.2.6	79.134.225.105
Feb 25, 2021 11:25:50.651330948 CET	5654	49757	79.134.225.105	192.168.2.6
Feb 25, 2021 11:25:51.155955076 CET	49757	5654	192.168.2.6	79.134.225.105
Feb 25, 2021 11:26:07.282320023 CET	49761	5654	192.168.2.6	79.134.225.105
Feb 25, 2021 11:26:07.372164011 CET	5654	49761	79.134.225.105	192.168.2.6
Feb 25, 2021 11:26:07.876277924 CET	49761	5654	192.168.2.6	79.134.225.105
Feb 25, 2021 11:26:07.958929062 CET	5654	49761	79.134.225.105	192.168.2.6
Feb 25, 2021 11:26:08.469770908 CET	49761	5654	192.168.2.6	79.134.225.105
Feb 25, 2021 11:26:08.552668095 CET	5654	49761	79.134.225.105	192.168.2.6
Feb 25, 2021 11:26:12.692601919 CET	49764	5654	192.168.2.6	79.134.225.105
Feb 25, 2021 11:26:12.779438972 CET	5654	49764	79.134.225.105	192.168.2.6
Feb 25, 2021 11:26:13.282622099 CET	49764	5654	192.168.2.6	79.134.225.105
Feb 25, 2021 11:26:13.368633032 CET	5654	49764	79.134.225.105	192.168.2.6
Feb 25, 2021 11:26:13.876403093 CET	49764	5654	192.168.2.6	79.134.225.105
Feb 25, 2021 11:26:13.963768005 CET	5654	49764	79.134.225.105	192.168.2.6
Feb 25, 2021 11:26:18.590110064 CET	49765	5654	192.168.2.6	79.134.225.105
Feb 25, 2021 11:26:18.677874088 CET	5654	49765	79.134.225.105	192.168.2.6
Feb 25, 2021 11:26:19.189440966 CET	49765	5654	192.168.2.6	79.134.225.105
Feb 25, 2021 11:26:19.277095079 CET	5654	49765	79.134.225.105	192.168.2.6
Feb 25, 2021 11:26:19.783225060 CET	49765	5654	192.168.2.6	79.134.225.105
Feb 25, 2021 11:26:19.868992090 CET	5654	49765	79.134.225.105	192.168.2.6
Feb 25, 2021 11:26:24.321764946 CET	49766	5654	192.168.2.6	79.134.225.105
Feb 25, 2021 11:26:24.409323931 CET	5654	49766	79.134.225.105	192.168.2.6
Feb 25, 2021 11:26:24.928036928 CET	49766	5654	192.168.2.6	79.134.225.105
Feb 25, 2021 11:26:25.013566017 CET	5654	49766	79.134.225.105	192.168.2.6
Feb 25, 2021 11:26:25.518033028 CET	49766	5654	192.168.2.6	79.134.225.105
Feb 25, 2021 11:26:25.603816032 CET	5654	49766	79.134.225.105	192.168.2.6
Feb 25, 2021 11:26:29.753073931 CET	49768	5654	192.168.2.6	79.134.225.105
Feb 25, 2021 11:26:29.837347031 CET	5654	49768	79.134.225.105	192.168.2.6
Feb 25, 2021 11:26:30.354100943 CET	49768	5654	192.168.2.6	79.134.225.105
Feb 25, 2021 11:26:30.436645985 CET	5654	49768	79.134.225.105	192.168.2.6
Feb 25, 2021 11:26:30.947804928 CET	49768	5654	192.168.2.6	79.134.225.105
Feb 25, 2021 11:26:31.032757044 CET	5654	49768	79.134.225.105	192.168.2.6
Feb 25, 2021 11:26:35.211364031 CET	49769	5654	192.168.2.6	79.134.225.105
Feb 25, 2021 11:26:35.296966076 CET	5654	49769	79.134.225.105	192.168.2.6
Feb 25, 2021 11:26:35.807610989 CET	49769	5654	192.168.2.6	79.134.225.105
Feb 25, 2021 11:26:35.895150900 CET	5654	49769	79.134.225.105	192.168.2.6
Feb 25, 2021 11:26:36.401412964 CET	49769	5654	192.168.2.6	79.134.225.105
Feb 25, 2021 11:26:36.494445086 CET	5654	49769	79.134.225.105	192.168.2.6
Feb 25, 2021 11:26:40.640090942 CET	49770	5654	192.168.2.6	79.134.225.105
Feb 25, 2021 11:26:40.726814032 CET	5654	49770	79.134.225.105	192.168.2.6
Feb 25, 2021 11:26:41.230178118 CET	49770	5654	192.168.2.6	79.134.225.105
Feb 25, 2021 11:26:41.315733910 CET	5654	49770	79.134.225.105	192.168.2.6
Feb 25, 2021 11:26:41.823728085 CET	49770	5654	192.168.2.6	79.134.225.105
Feb 25, 2021 11:26:41.916594028 CET	5654	49770	79.134.225.105	192.168.2.6
Feb 25, 2021 11:26:45.977226973 CET	49771	5654	192.168.2.6	79.134.225.105
Feb 25, 2021 11:26:46.059777021 CET	5654	49771	79.134.225.105	192.168.2.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 25, 2021 11:24:27.117582083 CET	57725	53	192.168.2.6	8.8.8.8
Feb 25, 2021 11:24:27.166593075 CET	53	57725	8.8.8.8	192.168.2.6
Feb 25, 2021 11:24:28.176310062 CET	49283	53	192.168.2.6	8.8.8.8
Feb 25, 2021 11:24:28.217499971 CET	58377	53	192.168.2.6	8.8.8.8
Feb 25, 2021 11:24:28.225069046 CET	53	49283	8.8.8.8	192.168.2.6
Feb 25, 2021 11:24:28.269035101 CET	53	58377	8.8.8.8	192.168.2.6
Feb 25, 2021 11:24:29.046103001 CET	55074	53	192.168.2.6	8.8.8.8
Feb 25, 2021 11:24:29.118208885 CET	53	55074	8.8.8.8	192.168.2.6
Feb 25, 2021 11:24:29.214934111 CET	54513	53	192.168.2.6	8.8.8.8
Feb 25, 2021 11:24:29.264540911 CET	53	54513	8.8.8.8	192.168.2.6
Feb 25, 2021 11:24:30.449815035 CET	62044	53	192.168.2.6	8.8.8.8
Feb 25, 2021 11:24:30.501537085 CET	53	62044	8.8.8.8	192.168.2.6
Feb 25, 2021 11:24:32.090500116 CET	63791	53	192.168.2.6	8.8.8.8
Feb 25, 2021 11:24:32.160540104 CET	53	63791	8.8.8.8	192.168.2.6
Feb 25, 2021 11:24:33.270864010 CET	64267	53	192.168.2.6	8.8.8.8
Feb 25, 2021 11:24:33.319513083 CET	53	64267	8.8.8.8	192.168.2.6
Feb 25, 2021 11:24:34.359849930 CET	49448	53	192.168.2.6	8.8.8.8
Feb 25, 2021 11:24:34.411431074 CET	53	49448	8.8.8.8	192.168.2.6
Feb 25, 2021 11:24:48.212694883 CET	60342	53	192.168.2.6	8.8.8.8
Feb 25, 2021 11:24:48.389832020 CET	53	60342	8.8.8.8	192.168.2.6
Feb 25, 2021 11:24:54.637378931 CET	61346	53	192.168.2.6	8.8.8.8
Feb 25, 2021 11:24:54.694610119 CET	53	61346	8.8.8.8	192.168.2.6
Feb 25, 2021 11:25:00.210314035 CET	51774	53	192.168.2.6	8.8.8.8
Feb 25, 2021 11:25:00.270603895 CET	53	51774	8.8.8.8	192.168.2.6
Feb 25, 2021 11:25:03.047249079 CET	56023	53	192.168.2.6	8.8.8.8
Feb 25, 2021 11:25:03.095995903 CET	53	56023	8.8.8.8	192.168.2.6
Feb 25, 2021 11:25:04.005820990 CET	58384	53	192.168.2.6	8.8.8.8
Feb 25, 2021 11:25:04.054773092 CET	53	58384	8.8.8.8	192.168.2.6
Feb 25, 2021 11:25:04.948786020 CET	60261	53	192.168.2.6	8.8.8.8
Feb 25, 2021 11:25:04.997585058 CET	53	60261	8.8.8.8	192.168.2.6
Feb 25, 2021 11:25:05.491166115 CET	56061	53	192.168.2.6	8.8.8.8
Feb 25, 2021 11:25:05.542964935 CET	53	56061	8.8.8.8	192.168.2.6
Feb 25, 2021 11:25:05.925417900 CET	58336	53	192.168.2.6	8.8.8.8
Feb 25, 2021 11:25:05.988379002 CET	53	58336	8.8.8.8	192.168.2.6
Feb 25, 2021 11:25:06.118753910 CET	53781	53	192.168.2.6	8.8.8.8
Feb 25, 2021 11:25:06.167573929 CET	53	53781	8.8.8.8	192.168.2.6
Feb 25, 2021 11:25:07.061675072 CET	54064	53	192.168.2.6	8.8.8.8
Feb 25, 2021 11:25:07.110531092 CET	53	54064	8.8.8.8	192.168.2.6
Feb 25, 2021 11:25:08.066205025 CET	52811	53	192.168.2.6	8.8.8.8
Feb 25, 2021 11:25:08.115267038 CET	53	52811	8.8.8.8	192.168.2.6
Feb 25, 2021 11:25:08.901803970 CET	55299	53	192.168.2.6	8.8.8.8
Feb 25, 2021 11:25:08.962486029 CET	53	55299	8.8.8.8	192.168.2.6
Feb 25, 2021 11:25:10.411164999 CET	63745	53	192.168.2.6	8.8.8.8
Feb 25, 2021 11:25:10.468545914 CET	53	63745	8.8.8.8	192.168.2.6
Feb 25, 2021 11:25:11.305735111 CET	50055	53	192.168.2.6	8.8.8.8
Feb 25, 2021 11:25:11.363370895 CET	53	50055	8.8.8.8	192.168.2.6
Feb 25, 2021 11:25:13.473772049 CET	61374	53	192.168.2.6	8.8.8.8
Feb 25, 2021 11:25:13.523927927 CET	53	61374	8.8.8.8	192.168.2.6
Feb 25, 2021 11:25:14.458923101 CET	50339	53	192.168.2.6	8.8.8.8
Feb 25, 2021 11:25:14.508641005 CET	53	50339	8.8.8.8	192.168.2.6
Feb 25, 2021 11:25:17.018151045 CET	63307	53	192.168.2.6	8.8.8.8
Feb 25, 2021 11:25:17.075424910 CET	53	63307	8.8.8.8	192.168.2.6
Feb 25, 2021 11:25:22.383959055 CET	49694	53	192.168.2.6	8.8.8.8
Feb 25, 2021 11:25:22.440958977 CET	53	49694	8.8.8.8	192.168.2.6
Feb 25, 2021 11:25:22.454272032 CET	54982	53	192.168.2.6	8.8.8.8
Feb 25, 2021 11:25:22.506934881 CET	53	54982	8.8.8.8	192.168.2.6
Feb 25, 2021 11:25:25.711648941 CET	50010	53	192.168.2.6	8.8.8.8
Feb 25, 2021 11:25:25.768949032 CET	53	50010	8.8.8.8	192.168.2.6
Feb 25, 2021 11:25:26.315239906 CET	63718	53	192.168.2.6	8.8.8.8
Feb 25, 2021 11:25:26.366815090 CET	53	63718	8.8.8.8	192.168.2.6
Feb 25, 2021 11:25:27.118741989 CET	62116	53	192.168.2.6	8.8.8.8
Feb 25, 2021 11:25:27.126820087 CET	63816	53	192.168.2.6	8.8.8.8
Feb 25, 2021 11:25:27.175472021 CET	53	63816	8.8.8.8	192.168.2.6
Feb 25, 2021 11:25:27.175956011 CET	53	62116	8.8.8.8	192.168.2.6
Feb 25, 2021 11:25:27.606359005 CET	55014	53	192.168.2.6	8.8.8.8
Feb 25, 2021 11:25:27.663378954 CET	53	55014	8.8.8.8	192.168.2.6
Feb 25, 2021 11:25:27.907069921 CET	62208	53	192.168.2.6	8.8.8.8
Feb 25, 2021 11:25:27.952208042 CET	57574	53	192.168.2.6	8.8.8.8
Feb 25, 2021 11:25:27.964279890 CET	53	62208	8.8.8.8	192.168.2.6
Feb 25, 2021 11:25:28.019773006 CET	53	57574	8.8.8.8	192.168.2.6
Feb 25, 2021 11:25:28.168005943 CET	51818	53	192.168.2.6	8.8.8.8
Feb 25, 2021 11:25:28.225503922 CET	53	51818	8.8.8.8	192.168.2.6
Feb 25, 2021 11:25:28.942802906 CET	56628	53	192.168.2.6	8.8.8.8
Feb 25, 2021 11:25:29.002837896 CET	53	56628	8.8.8.8	192.168.2.6
Feb 25, 2021 11:25:30.171575069 CET	60778	53	192.168.2.6	8.8.8.8
Feb 25, 2021 11:25:30.232163906 CET	53	60778	8.8.8.8	192.168.2.6
Feb 25, 2021 11:25:31.825973988 CET	53799	53	192.168.2.6	8.8.8.8
Feb 25, 2021 11:25:31.874722958 CET	53	53799	8.8.8.8	192.168.2.6
Feb 25, 2021 11:25:33.121190071 CET	54683	53	192.168.2.6	8.8.8.8
Feb 25, 2021 11:25:33.173006058 CET	53	54683	8.8.8.8	192.168.2.6
Feb 25, 2021 11:25:33.444616079 CET	59329	53	192.168.2.6	8.8.8.8
Feb 25, 2021 11:25:33.494067907 CET	53	59329	8.8.8.8	192.168.2.6
Feb 25, 2021 11:25:33.657452106 CET	64021	53	192.168.2.6	8.8.8.8
Feb 25, 2021 11:25:33.707140923 CET	53	64021	8.8.8.8	192.168.2.6
Feb 25, 2021 11:25:36.012670040 CET	56129	53	192.168.2.6	8.8.8.8
Feb 25, 2021 11:25:36.075216055 CET	53	56129	8.8.8.8	192.168.2.6
Feb 25, 2021 11:25:39.068284988 CET	58177	53	192.168.2.6	8.8.8.8
Feb 25, 2021 11:25:39.117019892 CET	53	58177	8.8.8.8	192.168.2.6
Feb 25, 2021 11:25:44.506081104 CET	50700	53	192.168.2.6	8.8.8.8
Feb 25, 2021 11:25:44.566046000 CET	53	50700	8.8.8.8	192.168.2.6
Feb 25, 2021 11:25:45.987143993 CET	54069	53	192.168.2.6	8.8.8.8
Feb 25, 2021 11:25:46.037607908 CET	53	54069	8.8.8.8	192.168.2.6
Feb 25, 2021 11:25:47.105782032 CET	61178	53	192.168.2.6	8.8.8.8
Feb 25, 2021 11:25:47.158185005 CET	53	61178	8.8.8.8	192.168.2.6
Feb 25, 2021 11:25:48.100619078 CET	57017	53	192.168.2.6	8.8.8.8
Feb 25, 2021 11:25:48.150759935 CET	53	57017	8.8.8.8	192.168.2.6
Feb 25, 2021 11:25:49.913017988 CET	56327	53	192.168.2.6	8.8.8.8
Feb 25, 2021 11:25:49.971278906 CET	53	56327	8.8.8.8	192.168.2.6
Feb 25, 2021 11:26:04.542124987 CET	50243	53	192.168.2.6	8.8.8.8
Feb 25, 2021 11:26:04.593692064 CET	53	50243	8.8.8.8	192.168.2.6
Feb 25, 2021 11:26:04.987422943 CET	62055	53	192.168.2.6	8.8.8.8
Feb 25, 2021 11:26:05.052566051 CET	53	62055	8.8.8.8	192.168.2.6
Feb 25, 2021 11:26:07.228221893 CET	61249	53	192.168.2.6	8.8.8.8
Feb 25, 2021 11:26:07.280585051 CET	53	61249	8.8.8.8	192.168.2.6
Feb 25, 2021 11:26:08.916820049 CET	65252	53	192.168.2.6	8.8.8.8
Feb 25, 2021 11:26:08.977189064 CET	53	65252	8.8.8.8	192.168.2.6
Feb 25, 2021 11:26:12.625998974 CET	64367	53	192.168.2.6	8.8.8.8
Feb 25, 2021 11:26:12.690673113 CET	53	64367	8.8.8.8	192.168.2.6
Feb 25, 2021 11:26:18.522969007 CET	55066	53	192.168.2.6	8.8.8.8
Feb 25, 2021 11:26:18.585977077 CET	53	55066	8.8.8.8	192.168.2.6
Feb 25, 2021 11:26:24.260216951 CET	60211	53	192.168.2.6	8.8.8.8
Feb 25, 2021 11:26:24.320557117 CET	53	60211	8.8.8.8	192.168.2.6
Feb 25, 2021 11:26:28.934892893 CET	56570	53	192.168.2.6	8.8.8.8
Feb 25, 2021 11:26:28.983767033 CET	53	56570	8.8.8.8	192.168.2.6
Feb 25, 2021 11:26:29.690567017 CET	58454	53	192.168.2.6	8.8.8.8
Feb 25, 2021 11:26:29.752105951 CET	53	58454	8.8.8.8	192.168.2.6
Feb 25, 2021 11:26:35.151140928 CET	55180	53	192.168.2.6	8.8.8.8
Feb 25, 2021 11:26:35.208693981 CET	53	55180	8.8.8.8	192.168.2.6
Feb 25, 2021 11:26:40.576133966 CET	58721	53	192.168.2.6	8.8.8.8
Feb 25, 2021 11:26:40.637666941 CET	53	58721	8.8.8.8	192.168.2.6
Feb 25, 2021 11:26:45.918656111 CET	57691	53	192.168.2.6	8.8.8.8
Feb 25, 2021 11:26:45.976176023 CET	53	57691	8.8.8.8	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Feb 25, 2021 11:24:48.212694883 CET	192.168.2.6	8.8.8.8	0xeff6	Standard query (0)	cloudhost.myfirewall.org	A (IP address)	IN (0x0001)
Feb 25, 2021 11:24:54.637378931 CET	192.168.2.6	8.8.8.8	0x104c	Standard query (0)	cloudhost.myfirewall.org	A (IP address)	IN (0x0001)
Feb 25, 2021 11:25:00.210314035 CET	192.168.2.6	8.8.8.8	0xc159	Standard query (0)	cloudhost.myfirewall.org	A (IP address)	IN (0x0001)
Feb 25, 2021 11:25:05.925417900 CET	192.168.2.6	8.8.8.8	0x556a	Standard query (0)	cloudhost.myfirewall.org	A (IP address)	IN (0x0001)
Feb 25, 2021 11:25:11.305735111 CET	192.168.2.6	8.8.8.8	0xeb5	Standard query (0)	cloudhost.myfirewall.org	A (IP address)	IN (0x0001)
Feb 25, 2021 11:25:17.018151045 CET	192.168.2.6	8.8.8.8	0x3637	Standard query (0)	cloudhost.myfirewall.org	A (IP address)	IN (0x0001)
Feb 25, 2021 11:25:22.383959055 CET	192.168.2.6	8.8.8.8	0x15a1	Standard query (0)	cloudhost.myfirewall.org	A (IP address)	IN (0x0001)
Feb 25, 2021 11:25:27.907069921 CET	192.168.2.6	8.8.8.8	0x8fb3	Standard query (0)	cloudhost.myfirewall.org	A (IP address)	IN (0x0001)
Feb 25, 2021 11:25:33.444616079 CET	192.168.2.6	8.8.8.8	0x9128	Standard query (0)	cloudhost.myfirewall.org	A (IP address)	IN (0x0001)
Feb 25, 2021 11:25:39.068284988 CET	192.168.2.6	8.8.8.8	0xc65d	Standard query (0)	cloudhost.myfirewall.org	A (IP address)	IN (0x0001)
Feb 25, 2021 11:25:44.506081104 CET	192.168.2.6	8.8.8.8	0xbda7	Standard query (0)	cloudhost.myfirewall.org	A (IP address)	IN (0x0001)
Feb 25, 2021 11:25:49.913017988 CET	192.168.2.6	8.8.8.8	0x1d2f	Standard query (0)	cloudhost.myfirewall.org	A (IP address)	IN (0x0001)
Feb 25, 2021 11:26:07.228221893 CET	192.168.2.6	8.8.8.8	0xafc0	Standard query (0)	cloudhost.myfirewall.org	A (IP address)	IN (0x0001)
Feb 25, 2021 11:26:12.625998974 CET	192.168.2.6	8.8.8.8	0xb43d	Standard query (0)	cloudhost.myfirewall.org	A (IP address)	IN (0x0001)
Feb 25, 2021 11:26:18.522969007 CET	192.168.2.6	8.8.8.8	0xd2af	Standard query (0)	cloudhost.myfirewall.org	A (IP address)	IN (0x0001)
Feb 25, 2021 11:26:24.260216951 CET	192.168.2.6	8.8.8.8	0xd4ec	Standard query (0)	cloudhost.myfirewall.org	A (IP address)	IN (0x0001)
Feb 25, 2021 11:26:29.690567017 CET	192.168.2.6	8.8.8.8	0xd408	Standard query (0)	cloudhost.myfirewall.org	A (IP address)	IN (0x0001)
Feb 25, 2021 11:26:35.151140928 CET	192.168.2.6	8.8.8.8	0x1c71	Standard query (0)	cloudhost.myfirewall.org	A (IP address)	IN (0x0001)
Feb 25, 2021 11:26:40.576133966 CET	192.168.2.6	8.8.8.8	0x1429	Standard query (0)	cloudhost.myfirewall.org	A (IP address)	IN (0x0001)
Feb 25, 2021 11:26:45.918656111 CET	192.168.2.6	8.8.8.8	0x7f8d	Standard query (0)	cloudhost.myfirewall.org	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
Feb 25, 2021 11:24:48.389832020 CET	8.8.8.8	192.168.2.6	0xeff6	No error (0)	cloudhost.myfirewall.org	79.134.225.105	A (IP address)	IN (0x0001)
Feb 25, 2021 11:24:54.694610119 CET	8.8.8.8	192.168.2.6	0x104c	No error (0)	cloudhost.myfirewall.org	79.134.225.105	A (IP address)	IN (0x0001)
Feb 25, 2021 11:25:00.270603895 CET	8.8.8.8	192.168.2.6	0xc159	No error (0)	cloudhost.myfirewall.org	79.134.225.105	A (IP address)	IN (0x0001)
Feb 25, 2021 11:25:05.988379002 CET	8.8.8.8	192.168.2.6	0x556a	No error (0)	cloudhost.myfirewall.org	79.134.225.105	A (IP address)	IN (0x0001)
Feb 25, 2021 11:25:11.363370895 CET	8.8.8.8	192.168.2.6	0xeb5	No error (0)	cloudhost.myfirewall.org	79.134.225.105	A (IP address)	IN (0x0001)
Feb 25, 2021 11:25:17.075424910 CET	8.8.8.8	192.168.2.6	0x3637	No error (0)	cloudhost.myfirewall.org	79.134.225.105	A (IP address)	IN (0x0001)
Feb 25, 2021 11:25:22.440958977 CET	8.8.8.8	192.168.2.6	0x15a1	No error (0)	cloudhost.myfirewall.org	79.134.225.105	A (IP address)	IN (0x0001)
Feb 25, 2021 11:25:27.964279890 CET	8.8.8.8	192.168.2.6	0x8fb3	No error (0)	cloudhost.myfirewall.org	79.134.225.105	A (IP address)	IN (0x0001)
Feb 25, 2021 11:25:33.494067907 CET	8.8.8.8	192.168.2.6	0x9128	No error (0)	cloudhost.myfirewall.org	79.134.225.105	A (IP address)	IN (0x0001)
Feb 25, 2021 11:25:39.117019892 CET	8.8.8.8	192.168.2.6	0xc65d	No error (0)	cloudhost.myfirewall.org	79.134.225.105	A (IP address)	IN (0x0001)
Feb 25, 2021 11:25:44.566046000 CET	8.8.8.8	192.168.2.6	0xbda7	No error (0)	cloudhost.myfirewall.org	79.134.225.105	A (IP address)	IN (0x0001)
Feb 25, 2021 11:25:49.971278906 CET	8.8.8.8	192.168.2.6	0x1d2f	No error (0)	cloudhost.myfirewall.org	79.134.225.105	A (IP address)	IN (0x0001)
Feb 25, 2021 11:26:07.280585051 CET	8.8.8.8	192.168.2.6	0xafc0	No error (0)	cloudhost.myfirewall.org	79.134.225.105	A (IP address)	IN (0x0001)
Feb 25, 2021 11:26:12.690673113 CET	8.8.8.8	192.168.2.6	0xb43d	No error (0)	cloudhost.myfirewall.org	79.134.225.105	A (IP address)	IN (0x0001)
Feb 25, 2021 11:26:18.585977077 CET	8.8.8.8	192.168.2.6	0xd2af	No error (0)	cloudhost.myfirewall.org	79.134.225.105	A (IP address)	IN (0x0001)
Feb 25, 2021 11:26:24.320557117 CET	8.8.8.8	192.168.2.6	0xd4ec	No error (0)	cloudhost.myfirewall.org	79.134.225.105	A (IP address)	IN (0x0001)
Feb 25, 2021 11:26:29.752105951 CET	8.8.8.8	192.168.2.6	0xd408	No error (0)	cloudhost.myfirewall.org	79.134.225.105	A (IP address)	IN (0x0001)
Feb 25, 2021 11:26:35.208693981 CET	8.8.8.8	192.168.2.6	0x1c71	No error (0)	cloudhost.myfirewall.org	79.134.225.105	A (IP address)	IN (0x0001)
Feb 25, 2021 11:26:40.637666941 CET	8.8.8.8	192.168.2.6	0x1429	No error (0)	cloudhost.myfirewall.org	79.134.225.105	A (IP address)	IN (0x0001)
Feb 25, 2021 11:26:45.976176023 CET	8.8.8.8	192.168.2.6	0x7f8d	No error (0)	cloudhost.myfirewall.org	79.134.225.105	A (IP address)	IN (0x0001)

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: bbbe7872ea466446da60c4da50020cbb.exe PID: 6780 Parent PID: 5892

General

Start time:	11:24:36
Start date:	25/02/2021
Path:	C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe'
Imagebase:	0x590000
File size:	487424 bytes
MD5 hash:	88EF84E623F21AF8C30D3BBA321A7448
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.343834467.0000000002D51000.00000004.00000001.sdmp, Author: Joe Security Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.344108345.0000000003D51000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.344108345.0000000003D51000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000000.00000002.344108345.0000000003D51000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Chronological Activities

Analysis Process: bbbe7872ea466446da60c4da50020cbb.exe PID: 6996 Parent PID: 6780

General

Start time:	11:24:43
Start date:	25/02/2021
Path:	C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe
Imagebase:	0x620000
File size:	487424 bytes
MD5 hash:	88EF84E623F21AF8C30D3BBA321A7448
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000002.592467577.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000002.592467577.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000004.00000002.592467577.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000002.597683140.0000000003D07000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000004.00000002.597683140.0000000003D07000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Chronological Activities

Analysis Process: schtasks.exe PID: 7072 Parent PID: 6996

General

Start time:	11:24:45
Start date:	25/02/2021
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp7E95.tmp'
Imagebase:	0x340000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 7080 Parent PID: 7072

General

Start time:	11:24:45
Start date:	25/02/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff61de10000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: schtasks.exe PID: 7124 Parent PID: 6996

General

Start time:	11:24:46
Start date:	25/02/2021
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp81B3.tmp'
Imagebase:	0x340000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 7132 Parent PID: 7124

General

Start time:	11:24:46
Start date:	25/02/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff61de10000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: bbbe7872ea466446da60c4da50020cbb.exe PID: 5620 Parent PID: 936

General

Start time:	11:24:48
Start date:	25/02/2021
Path:	C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe 0
Imagebase:	0x720000
File size:	487424 bytes
MD5 hash:	88EF84E623F21AF8C30D3BBA321A7448
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000A.00000002.365772164.0000000003DF1000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000A.00000002.365772164.0000000003DF1000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000A.00000002.365772164.0000000003DF1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 0000000A.00000002.364695909.0000000002DF1000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: dhcpmon.exe PID: 5656 Parent PID: 936

General

Start time:	11:24:48
Start date:	25/02/2021
Path:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
Imagebase:	0x720000
File size:	487424 bytes
MD5 hash:	88EF84E623F21AF8C30D3BBA321A7448
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000B.00000002.367529312.0000000003F61000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000002.367529312.0000000003F61000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000B.00000002.367529312.0000000003F61000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 0000000B.00000002.367072310.0000000002F61000.00000004.00000001.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 35%, ReversingLabs
Reputation:	low

Chronological Activities

Analysis Process: bbbe7872ea466446da60c4da50020cbb.exe PID: 348 Parent PID: 5620

General

Start time:	11:24:49
Start date:	25/02/2021
Path:	C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\bbbe7872ea466446da60c4da50020cbb.exe
Imagebase:	0x790000
File size:	487424 bytes
MD5 hash:	88EF84E623F21AF8C30D3BBA321A7448
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000002.375004523.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000002.375004523.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000C.00000002.375004523.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000002.377624667.0000000002DA1000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000C.00000002.377624667.0000000002DA1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000002.377737091.0000000003DA1000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000C.00000002.377737091.0000000003DA1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Chronological Activities

Analysis Process: dhcpmon.exe PID: 6240 Parent PID: 5656

General

Start time:	11:24:52
Start date:	25/02/2021
Path:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Wow64 process (32bit):	false
Commandline:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Imagebase:	0x1f0000
File size:	487424 bytes
MD5 hash:	88EF84E623F21AF8C30D3BBA321A7448
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: dhcpmon.exe PID: 6332 Parent PID: 5656

General

Start time:	11:24:54
Start date:	25/02/2021
Path:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Wow64 process (32bit):	true
Commandline:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Imagebase:	0x500000
File size:	487424 bytes
MD5 hash:	88EF84E623F21AF8C30D3BBA321A7448
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000E.00000002.381191346.0000000003D31000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000E.00000002.381191346.0000000003D31000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000E.00000002.381077094.0000000002D31000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000E.00000002.381077094.0000000002D31000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000E.00000002.378479336.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000E.00000002.378479336.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000E.00000002.378479336.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Chronological Activities

Analysis Process: dhcpmon.exe PID: 6084 Parent PID: 3440

General

Start time:	11:24:58
Start date:	25/02/2021
Path:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
Imagebase:	0x40000
File size:	487424 bytes
MD5 hash:	88EF84E623F21AF8C30D3BBA321A7448
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 0000000F.00000002.379503086.0000000002831000.00000004.00000001.sdmp, Author: Joe Security Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000F.00000002.380529240.0000000003831000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000F.00000002.380529240.0000000003831000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000F.00000002.380529240.0000000003831000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Chronological Activities

Analysis Process: dhcpmon.exe PID: 6340 Parent PID: 6084

General

Start time:	11:24:59
Start date:	25/02/2021
Path:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Wow64 process (32bit):	true
Commandline:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Imagebase:	0x8f0000
File size:	487424 bytes
MD5 hash:	88EF84E623F21AF8C30D3BBA321A7448
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000010.00000002.391674013.0000000004001000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000010.00000002.391674013.0000000004001000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000010.00000002.390499078.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000010.00000002.390499078.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000010.00000002.390499078.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000010.00000002.391635582.0000000003001000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000010.00000002.391635582.0000000003001000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: bbbe7872ea466446da60c4da50020cbb.exe PID: 6780 Parent PID: 5892 bbbe7872ea466446da60c4da50020cbb.exeCOMMON

Executed Functions

Function 04F052C8, Relevance: 5.1, Strings: 4, Instructions: 140COMMON

Download Yara Rule

Strings

:@Dr, xrefs: 04F053F4
f]Ir, xrefs: 04F05328
>_Ir, xrefs: 04F05411
`5kr, xrefs: 04F054CD

Memory Dump Source

Source File: 00000000.00000002.344657910.0000000004F00000.00000040.00000001.sdmp, Offset: 04F00000, based on PE: false

Similarity

API ID:
String ID: :@Dr$>_Ir$`5kr$f]Ir
API String ID: 0-3492759196
Opcode ID: fda90e7643eb1f821dd3e7acd1221142cb445016fb72e5e009e1955f41e0757c
Instruction ID: 8455917756fee057be2e4b49509af28606b3c7abf587cace1bfe63b7d5b10a22
Opcode Fuzzy Hash: fda90e7643eb1f821dd3e7acd1221142cb445016fb72e5e009e1955f41e0757c
Instruction Fuzzy Hash: 76515B71E00209CFD788EF69E94579DBBF2FF85314F24D529E208AB398DBB019068B51

Uniqueness

Uniqueness Score: -1.00%

Function 04F052D8, Relevance: 5.1, Strings: 4, Instructions: 136COMMON

Download Yara Rule

Strings

:@Dr, xrefs: 04F053F4
f]Ir, xrefs: 04F05328
>_Ir, xrefs: 04F05411
`5kr, xrefs: 04F054CD

Memory Dump Source

Source File: 00000000.00000002.344657910.0000000004F00000.00000040.00000001.sdmp, Offset: 04F00000, based on PE: false

Similarity

API ID:
String ID: :@Dr$>_Ir$`5kr$f]Ir
API String ID: 0-3492759196
Opcode ID: b9472b7f6c2c7d9948c3d5041633209a49350a6ddb72ae09b8a5e6f058509d2c
Instruction ID: ddd49ec04f991d5ea2326234c063beaea79ad5a4bd76094bb0426e8aa313e8cc
Opcode Fuzzy Hash: b9472b7f6c2c7d9948c3d5041633209a49350a6ddb72ae09b8a5e6f058509d2c
Instruction Fuzzy Hash: C7513A70E04209CBD788EB6AE94579DBBF2FF85314F24D529E208AB358DBB019068B51

Uniqueness

Uniqueness Score: -1.00%

Function 04F04890, Relevance: .2, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.344657910.0000000004F00000.00000040.00000001.sdmp, Offset: 04F00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f29d1d3d86d7d8d7511d352339241957d57775071850904ef84f17cdb22eb9a
Instruction ID: dcca1336ed955fe31a0016cc0bb831acbfb6cc90d48e5dfeb965c02d68254c37
Opcode Fuzzy Hash: 2f29d1d3d86d7d8d7511d352339241957d57775071850904ef84f17cdb22eb9a
Instruction Fuzzy Hash: 916127B0D002488FDB04DFAAD5946ADFBF2BF88324F64C265E524A7395D730A942DF61

Uniqueness

Uniqueness Score: -1.00%

Function 04F04688, Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.344657910.0000000004F00000.00000040.00000001.sdmp, Offset: 04F00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bfa1ea38d451765b7a8ff7a3a3e60b167d595349b6b9cadf634b3e2f2964bc16
Instruction ID: ad3f174002cfdb8a102031d20d1f7c7f8166a6a2922dfbec5186133425dceb14
Opcode Fuzzy Hash: bfa1ea38d451765b7a8ff7a3a3e60b167d595349b6b9cadf634b3e2f2964bc16
Instruction Fuzzy Hash: D751C371E002188BDF09DFEAC9509EDFBB2EF89325F54C129D514BB291EB3169029F50

Uniqueness

Uniqueness Score: -1.00%

Function 04F04678, Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.344657910.0000000004F00000.00000040.00000001.sdmp, Offset: 04F00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88cbcf4d5ab1664e41afbb66024012d101dd19530ed67ee317c17ea3fbef2079
Instruction ID: 4fecb6904882a19bc2e3a985167ffcd0610639b5835878460454454823fea3c7
Opcode Fuzzy Hash: 88cbcf4d5ab1664e41afbb66024012d101dd19530ed67ee317c17ea3fbef2079
Instruction Fuzzy Hash: ED410571E002588BDB09DFAAC9406EDFBF2AFC9315F64C129D514AB295EA306902CF50

Uniqueness

Uniqueness Score: -1.00%

Function 04F005A8, Relevance: 2.7, Strings: 2, Instructions: 201COMMON

Download Yara Rule

Strings

`5kr, xrefs: 04F0072D
:@Dr, xrefs: 04F006D4

Memory Dump Source

Source File: 00000000.00000002.344657910.0000000004F00000.00000040.00000001.sdmp, Offset: 04F00000, based on PE: false

Similarity

API ID:
String ID: :@Dr$`5kr
API String ID: 0-2548079215
Opcode ID: f2b7ae62a865e68f58bbcbe18b7b015dca9b06fce24de1e24aa41c0bcff6459a
Instruction ID: 07a8c52d70d345a7c39b4a9e18fc4347c0ffbaeef80fe6af330f2c3e8474af84
Opcode Fuzzy Hash: f2b7ae62a865e68f58bbcbe18b7b015dca9b06fce24de1e24aa41c0bcff6459a
Instruction Fuzzy Hash: 75910374E01218CFDB54CFA9D894BADBBF2BF89310F109069D509AB3A0DB71A945DF50

Uniqueness

Uniqueness Score: -1.00%

Function 04F02816, Relevance: 2.6, Strings: 2, Instructions: 58COMMON

Download Yara Rule

Strings

N, xrefs: 04F028BD
7, xrefs: 04F02817

Memory Dump Source

Source File: 00000000.00000002.344657910.0000000004F00000.00000040.00000001.sdmp, Offset: 04F00000, based on PE: false

Similarity

API ID:
String ID: 7$N
API String ID: 0-3202983734
Opcode ID: b386a8e2588e0465f2f4d13b154cbe71f50061bcad1af9a4900a4c88f5ddfc8a
Instruction ID: 2c51335eb58965c9cc9154178da345d9fe9d792c0991219e6c3425509006a9f6
Opcode Fuzzy Hash: b386a8e2588e0465f2f4d13b154cbe71f50061bcad1af9a4900a4c88f5ddfc8a
Instruction Fuzzy Hash: 1021CF79E42228CFEB658F24C8597E8BBB0BB4A301F0080EAD64DA2281D7345E85DF11

Uniqueness

Uniqueness Score: -1.00%

Function 00F3AB26, Relevance: 1.6, APIs: 1, Instructions: 92registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,00000E2C), ref: 00F3ABD5

Memory Dump Source

Source File: 00000000.00000002.343106373.0000000000F3A000.00000040.00000001.sdmp, Offset: 00F3A000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: f8615cc986ca848914f9b5a8c0d32bde35ece6701122125678e13ccbc03696ed
Instruction ID: 0b1ce04dc005b70d5265c1f12bff8092e5a5c54dbfd581e93923f70d6d8ca92a
Opcode Fuzzy Hash: f8615cc986ca848914f9b5a8c0d32bde35ece6701122125678e13ccbc03696ed
Instruction Fuzzy Hash: E731A272504384AFE7228B25CC45F67BFACEF46720F08849BED849B152D264E849CB71

Uniqueness

Uniqueness Score: -1.00%

Function 00F3AC1D, Relevance: 1.6, APIs: 1, Instructions: 89registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,8CD492CC,00000000,00000000,00000000,00000000), ref: 00F3ACD8

Memory Dump Source

Source File: 00000000.00000002.343106373.0000000000F3A000.00000040.00000001.sdmp, Offset: 00F3A000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 83f892c2880d5bf07d0f3b6d106eee2a1d42d1299d3f08d57fa3c474c1964721
Instruction ID: 709ebca7cff345186a874877c4092757f840293381bb12944f1f41eee0304649
Opcode Fuzzy Hash: 83f892c2880d5bf07d0f3b6d106eee2a1d42d1299d3f08d57fa3c474c1964721
Instruction Fuzzy Hash: 44319371505384AFE722CB25DC44F62BFB8EF06320F18849AE9859B152D264E949CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00F3B074, Relevance: 1.6, APIs: 1, Instructions: 77COMMON

Download Yara Rule

APIs

SetConsoleCtrlHandler.KERNELBASE(?,00000E2C,?,?), ref: 00F3B10E

Memory Dump Source

Source File: 00000000.00000002.343106373.0000000000F3A000.00000040.00000001.sdmp, Offset: 00F3A000, based on PE: false

Similarity

API ID: ConsoleCtrlHandler
String ID:
API String ID: 1513847179-0
Opcode ID: 538344e08050fe790b266357c11ace089e6b6fff4eee956f70f055192d0816cc
Instruction ID: 99eca74e5c3cf0c2e1876e6dd0ad95848706b758cbd2f862f2c2a47f47ebd8d6
Opcode Fuzzy Hash: 538344e08050fe790b266357c11ace089e6b6fff4eee956f70f055192d0816cc
Instruction Fuzzy Hash: B921B87144D7C06FD3138B259C51B22BFB4EF87620F0941DBE884CB553D225A919C762

Uniqueness

Uniqueness Score: -1.00%

Function 00F3AB56, Relevance: 1.6, APIs: 1, Instructions: 74registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,00000E2C), ref: 00F3ABD5

Memory Dump Source

Source File: 00000000.00000002.343106373.0000000000F3A000.00000040.00000001.sdmp, Offset: 00F3A000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: bad367c2f1d1481606ef2b94bd426cef91d2d7927addc59fe2e9298bcf2a3889
Instruction ID: 17c030c977b13d2ab35886282efa267f71fe5a2f3f1180385d408de6abfa04d0
Opcode Fuzzy Hash: bad367c2f1d1481606ef2b94bd426cef91d2d7927addc59fe2e9298bcf2a3889
Instruction Fuzzy Hash: 0721AE72500704AFEB21DB65DC84F6BFBECEF54720F14845BEE859B241D664E8089BB2

Uniqueness

Uniqueness Score: -1.00%

Function 00F3BE1D, Relevance: 1.6, APIs: 1, Instructions: 70COMMON

Download Yara Rule

APIs

DrawTextExW.USER32(?,?,?,?,?,?), ref: 00F3BE9F

Memory Dump Source

Source File: 00000000.00000002.343106373.0000000000F3A000.00000040.00000001.sdmp, Offset: 00F3A000, based on PE: false

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: 0fc66da95decb6c8d7ad0e125f6ec9c278218862d0631fedec05e450a328a211
Instruction ID: 2e1b3c61dd0aa1b685fac9ef9ef4d636db12a1fe6238a806ff5fd30d074d14c9
Opcode Fuzzy Hash: 0fc66da95decb6c8d7ad0e125f6ec9c278218862d0631fedec05e450a328a211
Instruction Fuzzy Hash: F7219271509384AFDB22CF25D844B92BFF4EF06320F0984DAEA848B163D375E808DB61

Uniqueness

Uniqueness Score: -1.00%

Function 00F3AC5E, Relevance: 1.6, APIs: 1, Instructions: 69registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,8CD492CC,00000000,00000000,00000000,00000000), ref: 00F3ACD8

Memory Dump Source

Source File: 00000000.00000002.343106373.0000000000F3A000.00000040.00000001.sdmp, Offset: 00F3A000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 43f0b3b4b077e5f578ee74e0193da36fadc2e3907e608b621842b36f6fc55c81
Instruction ID: 3853cf9e60c65cb98f5c45e34850a02463ac21042a61d0702a4c6e72ce41bc69
Opcode Fuzzy Hash: 43f0b3b4b077e5f578ee74e0193da36fadc2e3907e608b621842b36f6fc55c81
Instruction Fuzzy Hash: 4C218C72600604AFEB20CF16DC80F67FBECEF05720F14846AEE859B251D660E809DA72

Uniqueness

Uniqueness Score: -1.00%

Function 00F3B46D, Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

LoadLibraryShim.MSCOREE(?,?,?,?), ref: 00F3B4E9

Memory Dump Source

Source File: 00000000.00000002.343106373.0000000000F3A000.00000040.00000001.sdmp, Offset: 00F3A000, based on PE: false

Similarity

API ID: LibraryLoadShim
String ID:
API String ID: 1475914169-0
Opcode ID: 13c2ae59cc1448e315a14bd4c299544810c4a199a442760d050973cb2b304587
Instruction ID: 9265a5d06bcbe8a047355da5cfd0384da188e9e72ae4bad94d61178b29f6988b
Opcode Fuzzy Hash: 13c2ae59cc1448e315a14bd4c299544810c4a199a442760d050973cb2b304587
Instruction Fuzzy Hash: 9C218171509384AFDB22CE15DC45B62BFE8EF56724F08808AED848B253D365E908DB71

Uniqueness

Uniqueness Score: -1.00%

Function 050605C5, Relevance: 1.6, APIs: 1, Instructions: 62windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 05060639

Memory Dump Source

Source File: 00000000.00000002.345504158.0000000005060000.00000040.00000001.sdmp, Offset: 05060000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: fc1d0c7fc6791bd7308b5646c8705a9c17cddff005ee55962ce5dd34cf717973
Instruction ID: 3962b4a31f0405c231f66c73e7f86858fbb8908e5f4edbb2739eed581cc42389
Opcode Fuzzy Hash: fc1d0c7fc6791bd7308b5646c8705a9c17cddff005ee55962ce5dd34cf717973
Instruction Fuzzy Hash: 2E218C714093C0AFDB238B25DC54A52FFB4EF07220F0984DAE9848F163D265A858DB62

Uniqueness

Uniqueness Score: -1.00%

Function 00F3A5AF, Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00F3A61A

Memory Dump Source

Source File: 00000000.00000002.343106373.0000000000F3A000.00000040.00000001.sdmp, Offset: 00F3A000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: ebd49d77e0d919c4a377450757eab723cf3480564a4bfaf57cfdf0a6e7505b10
Instruction ID: d92cce0c611a5864e3e0bd4cb163a4fa4777740c78b608f1f7c72cd6f78a53e9
Opcode Fuzzy Hash: ebd49d77e0d919c4a377450757eab723cf3480564a4bfaf57cfdf0a6e7505b10
Instruction Fuzzy Hash: 05118471409380AFDB228F55DC44A62FFF8EF4A320F0884DAEE858B162D275A518DB61

Uniqueness

Uniqueness Score: -1.00%

Function 00F3A65A, Relevance: 1.6, APIs: 1, Instructions: 59COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 00F3A6CC

Memory Dump Source

Source File: 00000000.00000002.343106373.0000000000F3A000.00000040.00000001.sdmp, Offset: 00F3A000, based on PE: false

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 3b8532654ad8e6c0c6bb082e6311781312fd1e73ddaf842fa60e372f731f9f83
Instruction ID: 3096e81f7555d25869302d9a261460034dbb1d559d45fba5eae989083186ed92
Opcode Fuzzy Hash: 3b8532654ad8e6c0c6bb082e6311781312fd1e73ddaf842fa60e372f731f9f83
Instruction Fuzzy Hash: 4F1159758093C49FDB128B25CC95A52BFB4DF07220F0E80DBD9859F2A3D2696948DB72

Uniqueness

Uniqueness Score: -1.00%

Function 05060957, Relevance: 1.6, APIs: 1, Instructions: 56windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 050609C1

Memory Dump Source

Source File: 00000000.00000002.345504158.0000000005060000.00000040.00000001.sdmp, Offset: 05060000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: c53562f8f0c6b07ca5faa8aeab5679871aff2211a8e2a1c20d6fc9b2d23cb127
Instruction ID: 9f095562825524e097596b944a9f48ec2ebb29a499c16441056d44c508c92bd8
Opcode Fuzzy Hash: c53562f8f0c6b07ca5faa8aeab5679871aff2211a8e2a1c20d6fc9b2d23cb127
Instruction Fuzzy Hash: 8C119072449384AFDB228F15DC45B56FFB4EF06224F08849EED858B163D275A418DB61

Uniqueness

Uniqueness Score: -1.00%

Function 00F3BE4E, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

DrawTextExW.USER32(?,?,?,?,?,?), ref: 00F3BE9F

Memory Dump Source

Source File: 00000000.00000002.343106373.0000000000F3A000.00000040.00000001.sdmp, Offset: 00F3A000, based on PE: false

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: ef0a7c5d18cc7d00b5d6ff0596df068b0ba139869ffe6fff2dfb999a229cec01
Instruction ID: 88e89bebee07821aeb42cd348e288d76b6ec9b6838aa37f3b033bc4f36f5b1cf
Opcode Fuzzy Hash: ef0a7c5d18cc7d00b5d6ff0596df068b0ba139869ffe6fff2dfb999a229cec01
Instruction Fuzzy Hash: D1112E75900604DFEB20CF69D885BA6FBE8EF04720F1884AADF458B612D375E458DB71

Uniqueness

Uniqueness Score: -1.00%

Function 00F3A9F0, Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32 ref: 00F3AA4A

Memory Dump Source

Source File: 00000000.00000002.343106373.0000000000F3A000.00000040.00000001.sdmp, Offset: 00F3A000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: a72d3f3fe963f54c3e2a533633eed0ef7a0a7950a001574fb68947c1847a247d
Instruction ID: 42536c4489fb1d5ea0338aae5f2a33df4af573c62dc189aa6b953b32753442ea
Opcode Fuzzy Hash: a72d3f3fe963f54c3e2a533633eed0ef7a0a7950a001574fb68947c1847a247d
Instruction Fuzzy Hash: F711A032404384AFDB21CF55DC84B52FFF4EF06320F08C49AED854B262C275A818DB62

Uniqueness

Uniqueness Score: -1.00%

Function 00F3B49E, Relevance: 1.5, APIs: 1, Instructions: 46libraryCOMMON

Download Yara Rule

APIs

LoadLibraryShim.MSCOREE(?,?,?,?), ref: 00F3B4E9

Memory Dump Source

Source File: 00000000.00000002.343106373.0000000000F3A000.00000040.00000001.sdmp, Offset: 00F3A000, based on PE: false

Similarity

API ID: LibraryLoadShim
String ID:
API String ID: 1475914169-0
Opcode ID: 913e6051596ff7ef5be77f2944242577d75ff5a9be48b2239ce65df8382861f9
Instruction ID: ff90fbfeab5dbbb8a60187f4c97b63a314372bf842df2ad380b32206f03bd2d2
Opcode Fuzzy Hash: 913e6051596ff7ef5be77f2944242577d75ff5a9be48b2239ce65df8382861f9
Instruction Fuzzy Hash: FD0180719006049FDB20DE1AD885B22FFE8EF14730F18849ADE498B356D371E408DB71

Uniqueness

Uniqueness Score: -1.00%

Function 00F3A5D6, Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00F3A61A

Memory Dump Source

Source File: 00000000.00000002.343106373.0000000000F3A000.00000040.00000001.sdmp, Offset: 00F3A000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: afa22d047d673a1e4631856076861b17d9b1f2c2e09ce6f1f924c3f8566db2dd
Instruction ID: 9bdad65acffef376d2f899bea9931b45b6e428b7171b546001d538ef76ae0169
Opcode Fuzzy Hash: afa22d047d673a1e4631856076861b17d9b1f2c2e09ce6f1f924c3f8566db2dd
Instruction Fuzzy Hash: AC018032800600EFDB21CF56D845B56FFE4EF48720F18C5AADE894B612D275A418EF62

Uniqueness

Uniqueness Score: -1.00%

Function 00F3B0BE, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

SetConsoleCtrlHandler.KERNELBASE(?,00000E2C,?,?), ref: 00F3B10E

Memory Dump Source

Source File: 00000000.00000002.343106373.0000000000F3A000.00000040.00000001.sdmp, Offset: 00F3A000, based on PE: false

Similarity

API ID: ConsoleCtrlHandler
String ID:
API String ID: 1513847179-0
Opcode ID: 5317c02a48bb89a19aefbfd468a22f143f782239618e9e64c60f7b277da24cd7
Instruction ID: 7a04c5ab0c3f0f95c3f1331f733c19a8a9d5fb693106b9d00484ed5c746e14a7
Opcode Fuzzy Hash: 5317c02a48bb89a19aefbfd468a22f143f782239618e9e64c60f7b277da24cd7
Instruction Fuzzy Hash: 5B01AD72500600ABD610DF16DC82F26FBA8FBC8B20F14815AED089B741E331F916CBE6

Uniqueness

Uniqueness Score: -1.00%

Function 05060986, Relevance: 1.5, APIs: 1, Instructions: 42windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 050609C1

Memory Dump Source

Source File: 00000000.00000002.345504158.0000000005060000.00000040.00000001.sdmp, Offset: 05060000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: fb9df98947e24a1a9d210c3bf24c1c4924dc20cfa161d20e47b9b9d60475ba83
Instruction ID: 1b933224dd1cc3eb126e401a547b5deee60dc950b16e5812f703c1cb41c3da12
Opcode Fuzzy Hash: fb9df98947e24a1a9d210c3bf24c1c4924dc20cfa161d20e47b9b9d60475ba83
Instruction Fuzzy Hash: B3019E31540600DFEB208F15E884B6AFFA5EF04220F08809ADE454B652D271A418CB71

Uniqueness

Uniqueness Score: -1.00%

Function 050605FE, Relevance: 1.5, APIs: 1, Instructions: 38windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 05060639

Memory Dump Source

Source File: 00000000.00000002.345504158.0000000005060000.00000040.00000001.sdmp, Offset: 05060000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 2e98e4ad8e334f834e734b3890a145a86f86eeccb616b4aa024bcd6c454d11f9
Instruction ID: 98d2dfd029b7204448c255247b429aaf893994599099928c8d474194f3a3b826
Opcode Fuzzy Hash: 2e98e4ad8e334f834e734b3890a145a86f86eeccb616b4aa024bcd6c454d11f9
Instruction Fuzzy Hash: F601A731400604DFDB20CF56D844B2AFFE0EF44320F08C49AEE490B216D275A458CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 00F3AA12, Relevance: 1.5, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32 ref: 00F3AA4A

Memory Dump Source

Source File: 00000000.00000002.343106373.0000000000F3A000.00000040.00000001.sdmp, Offset: 00F3A000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: fd840b0feebe2df83d1849f67570b323d65c6b18b3dbc09bd31e523bbea5695f
Instruction ID: cbff9e8edb56b8ccd6f1df80952598662b7f569a9da745ed4cbe0104addf9332
Opcode Fuzzy Hash: fd840b0feebe2df83d1849f67570b323d65c6b18b3dbc09bd31e523bbea5695f
Instruction Fuzzy Hash: 8E01D132800604DFDB20DF46D984716FFA0EF04730F18C09ADE890B212C2B9A418EFB2

Uniqueness

Uniqueness Score: -1.00%

Function 00F3A69A, Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 00F3A6CC

Memory Dump Source

Source File: 00000000.00000002.343106373.0000000000F3A000.00000040.00000001.sdmp, Offset: 00F3A000, based on PE: false

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 0ceb46770a7ff7c8c2fc7c81b784075b0620da14ec817472873a11ef2af01b5a
Instruction ID: c7b5fcaf9a3628ae0774d023c117ed36dd572ec4a7c07b3a1d2bd32ea57259b4
Opcode Fuzzy Hash: 0ceb46770a7ff7c8c2fc7c81b784075b0620da14ec817472873a11ef2af01b5a
Instruction Fuzzy Hash: 8DF08C35800644DFDB109F16D885762FFA4EF04330F18C0AADE894B216D2B9A448EEA2

Uniqueness

Uniqueness Score: -1.00%

Function 04F00599, Relevance: 1.4, Strings: 1, Instructions: 173COMMON

Download Yara Rule

Strings

:@Dr, xrefs: 04F006D4

Memory Dump Source

Source File: 00000000.00000002.344657910.0000000004F00000.00000040.00000001.sdmp, Offset: 04F00000, based on PE: false

Similarity

API ID:
String ID: :@Dr
API String ID: 0-3830894600
Opcode ID: c74ef161c8a9334f00fb85315a687575077ec2a3525dc331593c416276be821c
Instruction ID: ad896af2073f0b0da8df70ba0d59f0e0473022e20699f57d6b1d12b2fad22801
Opcode Fuzzy Hash: c74ef161c8a9334f00fb85315a687575077ec2a3525dc331593c416276be821c
Instruction Fuzzy Hash: 81712974E01218CFDB54CFA9D494BADBBF2BF89310F1080A9D509AB391DB70A985DF50

Uniqueness

Uniqueness Score: -1.00%

Function 04F02838, Relevance: 1.3, Strings: 1, Instructions: 49COMMON

Download Yara Rule

Strings

X, xrefs: 04F02884

Memory Dump Source

Source File: 00000000.00000002.344657910.0000000004F00000.00000040.00000001.sdmp, Offset: 04F00000, based on PE: false

Similarity

API ID:
String ID: X
API String ID: 0-3081909835
Opcode ID: 5c704a70088ab1735d8aafda525faba8947dc511a6db7115be19fa6e2cf5de60
Instruction ID: 85ad0af21d8b06ca714d1ed87269b6aa8632b90a9ca756d463701c001b05a902
Opcode Fuzzy Hash: 5c704a70088ab1735d8aafda525faba8947dc511a6db7115be19fa6e2cf5de60
Instruction Fuzzy Hash: 9221B274E42228CFEB64CF24C8597D9BBB1BF8A301F0080EA958DA7281DB745E85DF51

Uniqueness

Uniqueness Score: -1.00%

Function 04F00A41, Relevance: .7, Instructions: 737COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.344657910.0000000004F00000.00000040.00000001.sdmp, Offset: 04F00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1259be8e4bc25d854a829d4a1b825bd85fd40aa77ca45a7a69a4bf7d709213c8
Instruction ID: a3159e1caa2e88d7f8aa00a8495d0055d37fa35a218f02413df0ae768e0362a2
Opcode Fuzzy Hash: 1259be8e4bc25d854a829d4a1b825bd85fd40aa77ca45a7a69a4bf7d709213c8
Instruction Fuzzy Hash: 8872A434A01218CFDB64DB64C894BADB7B2FF8A311F5180E9D549AB361DB316E99CF01

Uniqueness

Uniqueness Score: -1.00%

Function 04F00A50, Relevance: .7, Instructions: 729COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.344657910.0000000004F00000.00000040.00000001.sdmp, Offset: 04F00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbf4340cf1fc9dc6b3f70246f6c1fcd3f3a6320e80bdf3c11a586d28363ccafb
Instruction ID: 4e450fa00f140f78df1a385c5ef2ba32047346aa5615ffc063029ce65e3062fc
Opcode Fuzzy Hash: dbf4340cf1fc9dc6b3f70246f6c1fcd3f3a6320e80bdf3c11a586d28363ccafb
Instruction Fuzzy Hash: 48729334A01218CFDB64DB64C994BADB7B2FF8A311F5180E9D509AB361DB316E99CF01

Uniqueness

Uniqueness Score: -1.00%

Function 04F0B8A8, Relevance: .3, Instructions: 313COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.344657910.0000000004F00000.00000040.00000001.sdmp, Offset: 04F00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 387ccba49dec13426c480f1d4cf58791fd4e0ca5bebe6ced7d29e6e32843a9c1
Instruction ID: 5f89af015da304e9ebe79cf937d19ba8439840116b16bfc20dc1a722908655ca
Opcode Fuzzy Hash: 387ccba49dec13426c480f1d4cf58791fd4e0ca5bebe6ced7d29e6e32843a9c1
Instruction Fuzzy Hash: EAD11170D05218CFDB24DFA5D5587EDBBB0FB4A305F1094AAC419B3281DB786A8AEF14

Uniqueness

Uniqueness Score: -1.00%

Function 04F04AE7, Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.344657910.0000000004F00000.00000040.00000001.sdmp, Offset: 04F00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea0c7df9444d35437478bc9d7d86467e0cb2303a654988f721445df7f42fceca
Instruction ID: 15b804b30103c1f0ece127568be6601acd9e99e1301f45770fa828f9470142e9
Opcode Fuzzy Hash: ea0c7df9444d35437478bc9d7d86467e0cb2303a654988f721445df7f42fceca
Instruction Fuzzy Hash: F3C12770A00348DFDB54DF68E988A9CBBF1FB49305F2095A9D909AB395DB70A985CF40

Uniqueness

Uniqueness Score: -1.00%

Function 04F04C54, Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.344657910.0000000004F00000.00000040.00000001.sdmp, Offset: 04F00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 251e30359d89a15a33c92ec6cd9ef35a4ce7fd25d4e8deda23ee08848b159c1b
Instruction ID: b084052c76402f2ec02a3a039502ac8678c81425d6ccabc24f9be4813845de1f
Opcode Fuzzy Hash: 251e30359d89a15a33c92ec6cd9ef35a4ce7fd25d4e8deda23ee08848b159c1b
Instruction Fuzzy Hash: 96C115B4A40318CFDB50EF64E948B9CBBB1FB89305F1095A9D90AA7385DB706E81CF11

Uniqueness

Uniqueness Score: -1.00%

Function 04F02FF8, Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.344657910.0000000004F00000.00000040.00000001.sdmp, Offset: 04F00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8fb91efc056a006745b831f825546eb6ac9d5da9956d13514d47faff4955e56
Instruction ID: 457692931973875b9d62c660b182ee4c56100e17325ac4a7519ab6d5afe40f01
Opcode Fuzzy Hash: c8fb91efc056a006745b831f825546eb6ac9d5da9956d13514d47faff4955e56
Instruction Fuzzy Hash: B7913776D06368CEDF288FA1C9587ECFAB4BB86349F04909AD409B3191D7741AC9DF14

Uniqueness

Uniqueness Score: -1.00%

Function 04F04E24, Relevance: .2, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.344657910.0000000004F00000.00000040.00000001.sdmp, Offset: 04F00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba3163fe5bb58ad722a5c6bc64beeb74dfc2f4a233c3e193bd81389eced1b68e
Instruction ID: e35356bdac1e61f6053d319cf81e4b1259e5bae72c8f159395da5ea9bd5a2791
Opcode Fuzzy Hash: ba3163fe5bb58ad722a5c6bc64beeb74dfc2f4a233c3e193bd81389eced1b68e
Instruction Fuzzy Hash: CDA115B1E40349CFDB50DFA4E988B9CBBB0FB49305F1095AAD509AB395DB70A985CF10

Uniqueness

Uniqueness Score: -1.00%

Function 04F051DC, Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.344657910.0000000004F00000.00000040.00000001.sdmp, Offset: 04F00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f01e99da934f2a9b48e1b2169d46950a5a8c31f4c04cc404e7acbd4dde0a89e1
Instruction ID: 94a2a3bbe0744b8cc785b6a8ebe79bcf7814a4d5af87b1b8d99ca4ce50ce7790
Opcode Fuzzy Hash: f01e99da934f2a9b48e1b2169d46950a5a8c31f4c04cc404e7acbd4dde0a89e1
Instruction Fuzzy Hash: B29115B4E40349CFDB50DFA4E948B9CBBB0FB49305F1095AAD909AB385DB70A985CF11

Uniqueness

Uniqueness Score: -1.00%

Function 04F04AB8, Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.344657910.0000000004F00000.00000040.00000001.sdmp, Offset: 04F00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d29fa04d99bd569d487c7114ea2291a0821797dd5a7b55d2eea1c49e4d8d1e64
Instruction ID: 2e0fc651f05de7ee24dd20e92e9c16a59f308284a71f9eec01f563cb108a769a
Opcode Fuzzy Hash: d29fa04d99bd569d487c7114ea2291a0821797dd5a7b55d2eea1c49e4d8d1e64
Instruction Fuzzy Hash: 189124B0E40349CFDB50DFA4E948B9CBBB0FB49305F1095AAD90AA7381DB70A985DF11

Uniqueness

Uniqueness Score: -1.00%

Function 04F04ECD, Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.344657910.0000000004F00000.00000040.00000001.sdmp, Offset: 04F00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6d0fd591cdc996058bd812f57a20ba4ab7b700d383a1a3698e27e3d9589b181
Instruction ID: ee3fa8fa0fd9d9a9c8b8f0b48aeca951a64fdac8cb2e889f4f49d1d49191c621
Opcode Fuzzy Hash: e6d0fd591cdc996058bd812f57a20ba4ab7b700d383a1a3698e27e3d9589b181
Instruction Fuzzy Hash: 829114B0E40349CFDB50DFA4E948B9CBBB1FB49305F1095AAD909AB385DB70A985CF50

Uniqueness

Uniqueness Score: -1.00%

Function 04F04AA8, Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.344657910.0000000004F00000.00000040.00000001.sdmp, Offset: 04F00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9263c042ab274147d7aa91d6a34328095a714402348cb8807e3de4ad6c1e25af
Instruction ID: 2342024966f5457f8a698694c25050dde1f2737ad45ae7a84d2d3f384d4c5c62
Opcode Fuzzy Hash: 9263c042ab274147d7aa91d6a34328095a714402348cb8807e3de4ad6c1e25af
Instruction Fuzzy Hash: FF9146B0A40349CFDB50DFA4E948B9CBBF0FB49305F1095AAD50AAB391DB70A985DF11

Uniqueness

Uniqueness Score: -1.00%

Function 04F04880, Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.344657910.0000000004F00000.00000040.00000001.sdmp, Offset: 04F00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37491b1f9110aa03d3c040c89d86b41c35e2b85bfaa3688628b816a07c5d285b
Instruction ID: cd4e3a80fb620090e2dcef7f3d1d8adee13b3adad8d9be16b27fbb2a3546a826
Opcode Fuzzy Hash: 37491b1f9110aa03d3c040c89d86b41c35e2b85bfaa3688628b816a07c5d285b
Instruction Fuzzy Hash: 06416CB0D002448FDB04DFAAD5446ADFBF2AF89324F14C269E524AB3A5E630A9029F51

Uniqueness

Uniqueness Score: -1.00%

Function 04F00280, Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.344657910.0000000004F00000.00000040.00000001.sdmp, Offset: 04F00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 501a67d631a6eadaaf2390319aceb2faa74268d55191f283c3eaa9838dc22e93
Instruction ID: c3b43114655c4b81f014a4ad2cba9320a0dfd2772663c98824f252da9a8c8ce0
Opcode Fuzzy Hash: 501a67d631a6eadaaf2390319aceb2faa74268d55191f283c3eaa9838dc22e93
Instruction Fuzzy Hash: 7641A278E00218DFDB10CFA8D480B9DBBF1EB8D310F1054A5E915AB3A0D775A941EF60

Uniqueness

Uniqueness Score: -1.00%

Function 04F0301E, Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.344657910.0000000004F00000.00000040.00000001.sdmp, Offset: 04F00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7050dc6cd4fb9c88fd6c932e6e6af27a9b3905617dcc4d7dc6398fa80b77c6cc
Instruction ID: 0ad8fc5906e21703a716f0faf24f3a13e8197ca2e5b01e9bf95c61bec76231c1
Opcode Fuzzy Hash: 7050dc6cd4fb9c88fd6c932e6e6af27a9b3905617dcc4d7dc6398fa80b77c6cc
Instruction Fuzzy Hash: 15410571D05268CEDB28CFA1C9587ECFAB8BB89349F1091DAD809B3291D7741AC9DF14

Uniqueness

Uniqueness Score: -1.00%

Function 04F04351, Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.344657910.0000000004F00000.00000040.00000001.sdmp, Offset: 04F00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 664a68e6e83ccca4f02109cc265c0c090d25dc1cfd893596de3b7cef280c1657
Instruction ID: 4502af9438ccb21954d506aa10b92842d145656fd9c2a1c48dd2d6e3ac658601
Opcode Fuzzy Hash: 664a68e6e83ccca4f02109cc265c0c090d25dc1cfd893596de3b7cef280c1657
Instruction Fuzzy Hash: 4441A4B4D01208DFCB48DFA9D5959ADBBF2FF88300F208069E405AB364DB346945CF54

Uniqueness

Uniqueness Score: -1.00%

Function 027FA944, Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.343171792.00000000027F2000.00000040.00000001.sdmp, Offset: 027F2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95ffcc2c4efaccb09d6f1e277cdebd640fb122ce34994e59dbcffad3e888361f
Instruction ID: a5a5533abba09ccd64a8499984bdeac17bc55100f99f7a411153cccc92bee32d
Opcode Fuzzy Hash: 95ffcc2c4efaccb09d6f1e277cdebd640fb122ce34994e59dbcffad3e888361f
Instruction Fuzzy Hash: BC31ADB6508340AFD350CF09EC41A57FFE8EB85630F08C96EFD499B211D275A9048FA2

Uniqueness

Uniqueness Score: -1.00%

Function 027FA6EC, Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.343171792.00000000027F2000.00000040.00000001.sdmp, Offset: 027F2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8135659aa34475a51db20be302141b5fe4aef883facbd0da13e287902a9af16f
Instruction ID: 5f78200d56ad6f91d4740c7a4c4ca8cec9d8f92cca240578ed141edca69c5c22
Opcode Fuzzy Hash: 8135659aa34475a51db20be302141b5fe4aef883facbd0da13e287902a9af16f
Instruction Fuzzy Hash: 19316D76509341AFD310DF19EC41957FFE8EB89630F08C85EF9499B311D275A908CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 027FA5C0, Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.343171792.00000000027F2000.00000040.00000001.sdmp, Offset: 027F2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc722da1196ccd92e52b15085e8fff5fa5a461eec3a14b5e3936b8d7e275545f
Instruction ID: 06d22a8a80f32eba1943aeaba8bdbe609cc3871107461185f46511209e76a4b2
Opcode Fuzzy Hash: cc722da1196ccd92e52b15085e8fff5fa5a461eec3a14b5e3936b8d7e275545f
Instruction Fuzzy Hash: 7821C476504704AFD710CF49EC41E57FFE8EB85A30F18C95AFE099B211D275B9148BA2

Uniqueness

Uniqueness Score: -1.00%

Function 027FA81B, Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.343171792.00000000027F2000.00000040.00000001.sdmp, Offset: 027F2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6940ca73f197458a9e73f412575f658a4ece3a8f4f49e044bb6cc3719611f4e7
Instruction ID: 85b8919e67b232a961468667e153e48fa93a27741ec203691dab0941702bc2e5
Opcode Fuzzy Hash: 6940ca73f197458a9e73f412575f658a4ece3a8f4f49e044bb6cc3719611f4e7
Instruction Fuzzy Hash: E7216BB6508340AFD700CF09EC41E57FFE8EB89620F18C96EF94997211D275A918CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 027FAAC8, Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.343171792.00000000027F2000.00000040.00000001.sdmp, Offset: 027F2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f86b969957ab86d8ba4887b7485aa04d2a357a0970dcef7ebf0e59a3bb51fc0
Instruction ID: 5bf738f85716bebeeeaf47d3b479555f9c1eafc2b0a35092c432d477dc5d6a5c
Opcode Fuzzy Hash: 3f86b969957ab86d8ba4887b7485aa04d2a357a0970dcef7ebf0e59a3bb51fc0
Instruction Fuzzy Hash: C3312BB650D3C15FD302CF25C850A56BFF4EB8A214F0888DEF9C8DB252D2759908CB62

Uniqueness

Uniqueness Score: -1.00%

Function 027FA3AB, Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.343171792.00000000027F2000.00000040.00000001.sdmp, Offset: 027F2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a08c1b8a9abad575a6513eb8fd9390e9f590777e103b0b3bd755733819214ebb
Instruction ID: fb0a9a8a0a1532e705cda941d08a8433249b39f5b83f188db4945c2ea983c532
Opcode Fuzzy Hash: a08c1b8a9abad575a6513eb8fd9390e9f590777e103b0b3bd755733819214ebb
Instruction Fuzzy Hash: A521B276508340AFD7108F46AC41A57FFA8EF85630F08C99BFE499B211D275A9148BA2

Uniqueness

Uniqueness Score: -1.00%

Function 027FA191, Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.343171792.00000000027F2000.00000040.00000001.sdmp, Offset: 027F2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15a1ba6aff1a4996015f9bdccfe7a532b95971a311af5d6dd0c9408cf2452274
Instruction ID: 5f5238f0202170e90195ca1437c78590dad7b008094d89275608c9aa8d56f454
Opcode Fuzzy Hash: 15a1ba6aff1a4996015f9bdccfe7a532b95971a311af5d6dd0c9408cf2452274
Instruction Fuzzy Hash: EA21F676504340AFD7108F46AC41E63FFA8EB85630F09C99FFE099B212D275B914CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 04F00006, Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.344657910.0000000004F00000.00000040.00000001.sdmp, Offset: 04F00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76a82a5e20b5dc47c21eabf67d30ad4850dd9b8b1baa756c989818309c33aadd
Instruction ID: c82b03f0d471528ca74a817d6bf96a1dae588d07fcf737a5c0613c87c5f18c42
Opcode Fuzzy Hash: 76a82a5e20b5dc47c21eabf67d30ad4850dd9b8b1baa756c989818309c33aadd
Instruction Fuzzy Hash: B6216AA180E3C44FDB53473458A56EA7F709F13204F1A44DBC081EB1E3EA6C490BC762

Uniqueness

Uniqueness Score: -1.00%

Function 027FA96E, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.343171792.00000000027F2000.00000040.00000001.sdmp, Offset: 027F2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4ac406005ad13ca8dc52e37189bf765d77a74c5ac58cbff5a2242be60a297bb
Instruction ID: e2ae44f9b0281d9e40af3e54ff759aba03a5b0792ba778204731ccd54da43be4
Opcode Fuzzy Hash: b4ac406005ad13ca8dc52e37189bf765d77a74c5ac58cbff5a2242be60a297bb
Instruction Fuzzy Hash: 7C213AB6604300AFE350DF4AEC41A57FBE8EB88630F14C92EFD4897311D275A9148BA2

Uniqueness

Uniqueness Score: -1.00%

Function 027FA842, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.343171792.00000000027F2000.00000040.00000001.sdmp, Offset: 027F2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c95f7308535c5c7ba498e27a07c927c94e9d95ff4cbf5422a278c37f3d37de69
Instruction ID: 9036d5622a59aa7fc68dfdff0ffc210c0cda9c1a760264af15da4a9cc9bebe03
Opcode Fuzzy Hash: c95f7308535c5c7ba498e27a07c927c94e9d95ff4cbf5422a278c37f3d37de69
Instruction Fuzzy Hash: D7214CB6644300AFD310DF4AEC41E57FBE8EB88630F14C92EFD4897311D275A9148BA2

Uniqueness

Uniqueness Score: -1.00%

Function 027FA716, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.343171792.00000000027F2000.00000040.00000001.sdmp, Offset: 027F2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa0a6edcd6d98c71edbdbb840e7b1bad640306ff6ced4493220396b1e7731ecf
Instruction ID: 4953598027c7b2e34a3891094ad806efc458c28f2215815096a215c884d726fc
Opcode Fuzzy Hash: aa0a6edcd6d98c71edbdbb840e7b1bad640306ff6ced4493220396b1e7731ecf
Instruction Fuzzy Hash: 00214FB6504300AFD310DF4AEC41E57FBE8EB88630F14C92EFD4897311D275A9148BA2

Uniqueness

Uniqueness Score: -1.00%

Function 027FA5EA, Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.343171792.00000000027F2000.00000040.00000001.sdmp, Offset: 027F2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9447ff28d3a251e08bf642fff829465d95642c7695f91157883c699cb0016ee
Instruction ID: 8c3808f13d49ae54c9e57e86e0068796fc21800a16482dd99dcf7d1bb374239c
Opcode Fuzzy Hash: b9447ff28d3a251e08bf642fff829465d95642c7695f91157883c699cb0016ee
Instruction Fuzzy Hash: 12119376544304BFE6109F4AEC41E67FBA8EB84630F14C96AFE0D9B311D276B5148AA2

Uniqueness

Uniqueness Score: -1.00%

Function 027FA3D2, Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.343171792.00000000027F2000.00000040.00000001.sdmp, Offset: 027F2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 019977de08fadced8f6f24376df318426d37940679a43ff4df4633f9fd63d466
Instruction ID: 7fd0c0910c93fc03d11bf6aee69773c8bbaebcbd2819f0c9105af6c73b0b0615
Opcode Fuzzy Hash: 019977de08fadced8f6f24376df318426d37940679a43ff4df4633f9fd63d466
Instruction Fuzzy Hash: CC119376544304BFE610DF4AEC41E67FBA8EB84630F14C96AFE0D9B311D276B5148BA2

Uniqueness

Uniqueness Score: -1.00%

Function 04F02988, Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.344657910.0000000004F00000.00000040.00000001.sdmp, Offset: 04F00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be1a8b932854751d4c37e5298921f48ccfae81e0980c8ef936a12a3cabfe1544
Instruction ID: dd9c29b801bfb2dc06cdbac534a5333aa167e7cd20dfc98c5c047cfabff8fc22
Opcode Fuzzy Hash: be1a8b932854751d4c37e5298921f48ccfae81e0980c8ef936a12a3cabfe1544
Instruction Fuzzy Hash: 1B21B7B4D01209DFCB04DFA9C5846AEFBF2BF88310F21D5A9C414B7245D734AA81DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 027FA640, Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.343171792.00000000027F2000.00000040.00000001.sdmp, Offset: 027F2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d8fbdfa980881e2528664a35a9f5d6e4c27c4ec680b181a190984bb64ca36ba
Instruction ID: ed0c1f8e0712a328d08087ba8ea9526fcdd3afc5f1b03800ec4c9a81f9b2cc51
Opcode Fuzzy Hash: 5d8fbdfa980881e2528664a35a9f5d6e4c27c4ec680b181a190984bb64ca36ba
Instruction Fuzzy Hash: DF214DB5509380AFE702CF15DC51957BFE4EF86620F09899AF9889B253D235A908CB62

Uniqueness

Uniqueness Score: -1.00%

Function 027FA1BA, Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.343171792.00000000027F2000.00000040.00000001.sdmp, Offset: 027F2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 673db95dd0735de662d97f291e7646d9544b809fe6d9923b5a144d6bf7fa38b3
Instruction ID: 6d783e8fc056be002ae555d32d6602e6ad4b98db5c23e1c8afee38513bca15bc
Opcode Fuzzy Hash: 673db95dd0735de662d97f291e7646d9544b809fe6d9923b5a144d6bf7fa38b3
Instruction Fuzzy Hash: B411A776644204BFE6109E4AEC41E63FBACEB84630F18C46AFE095B211D276B5148AA1

Uniqueness

Uniqueness Score: -1.00%

Function 04F000F9, Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.344657910.0000000004F00000.00000040.00000001.sdmp, Offset: 04F00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e03f8aa6d4a1f90409ade1d6b32d6619a8438b738bc18ff1d8cc96cd26f77e75
Instruction ID: a2827b87dd7dd6f22e7f8d0f5aa3f83b07ddd1c21b989a09efac90ee99e0b47a
Opcode Fuzzy Hash: e03f8aa6d4a1f90409ade1d6b32d6619a8438b738bc18ff1d8cc96cd26f77e75
Instruction Fuzzy Hash: 6921DC70E0824ACFCB44EFA8D8419AD7FB9FF41300F1045A8EA11A735AEB702E05DB52

Uniqueness

Uniqueness Score: -1.00%

Function 028A075C, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.343332848.00000000028A0000.00000040.00000040.sdmp, Offset: 028A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43282ddf215bdaced30e5bee206bfb1017384874a0fb4f06977b2a92c755bd59
Instruction ID: 3af9e4d0a86479673da76926f1262542fedc7a3707a08394380e18cbdab9384b
Opcode Fuzzy Hash: 43282ddf215bdaced30e5bee206bfb1017384874a0fb4f06977b2a92c755bd59
Instruction Fuzzy Hash: 5111B43C204244EFE715CB24C994B26BBA5EB88708F24C59DE9495B653CB7BD803CE51

Uniqueness

Uniqueness Score: -1.00%

Function 027FAB09, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.343171792.00000000027F2000.00000040.00000001.sdmp, Offset: 027F2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45dbcbc47931c344ecac7649cb2e12e254cede778c3a4b93b36e6eb0cf5eaeca
Instruction ID: 59588458c2db05962e51900d3281f70b007654cff43f5115c6cac811fc2a0409
Opcode Fuzzy Hash: 45dbcbc47931c344ecac7649cb2e12e254cede778c3a4b93b36e6eb0cf5eaeca
Instruction Fuzzy Hash: D911C6B5908301AFD340CF19D881A5BFBE4FB88664F04892EF998E7311D275E9048FA2

Uniqueness

Uniqueness Score: -1.00%

Function 04F02978, Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.344657910.0000000004F00000.00000040.00000001.sdmp, Offset: 04F00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bb1c85277fe98c167bc3b948f508a0c67c6e115f046c940f17bfa5ee7bd6d23
Instruction ID: 33837bddf2ede3abc35b5b537b0b1655efe108de8d0f0ce26a119d3c48d01cc8
Opcode Fuzzy Hash: 6bb1c85277fe98c167bc3b948f508a0c67c6e115f046c940f17bfa5ee7bd6d23
Instruction Fuzzy Hash: 5B11FB75D05349CFCB04CFA9C4446EEFFB2AF89310F14D1AAC404A7355D6349A86DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 027FA118, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.343171792.00000000027F2000.00000040.00000001.sdmp, Offset: 027F2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f835a290c35e0e9223a51b03f720c6d200f6984c64ba40eaa45b1bfc7d34597
Instruction ID: 90e880e49cae2b62ba6f58b833cd65042891e7538ecf2a8b4bba6ece5982bb20
Opcode Fuzzy Hash: 3f835a290c35e0e9223a51b03f720c6d200f6984c64ba40eaa45b1bfc7d34597
Instruction Fuzzy Hash: A101247100D3C06FE31247269C51A93BF78DF43620F0C84CBEE889F163D2166909C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 04F00108, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.344657910.0000000004F00000.00000040.00000001.sdmp, Offset: 04F00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0405d1cbf920f43b4a8c3d78a8e3a5a993e32dbbdc02d855dc7be0be91a43a0f
Instruction ID: 72f1830e40bbefd1abb89ac78cf7451742a64933d50e98a1b9dd890a7852efeb
Opcode Fuzzy Hash: 0405d1cbf920f43b4a8c3d78a8e3a5a993e32dbbdc02d855dc7be0be91a43a0f
Instruction Fuzzy Hash: 68115B74E4420ACFCB84EFA8D9459AE7BB9FB40304F108568EA11A7349EF706E15DF91

Uniqueness

Uniqueness Score: -1.00%

Function 028A05CF, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.343332848.00000000028A0000.00000040.00000040.sdmp, Offset: 028A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9beb33554482e58befd2b8c85e97f07d4ee1c310be86a41cf75bb5a9351885e
Instruction ID: f2aa078f002ea29e18ff60bb42ec115e82bb0ec6838218919bbefafa74b26f52
Opcode Fuzzy Hash: a9beb33554482e58befd2b8c85e97f07d4ee1c310be86a41cf75bb5a9351885e
Instruction Fuzzy Hash: 5B01DB715097806FD7128B16DC40863FFB8DE86630709C49FED898B612D1257909CB72

Uniqueness

Uniqueness Score: -1.00%

Function 028A074A, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.343332848.00000000028A0000.00000040.00000040.sdmp, Offset: 028A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44bad7d6514f7c4b03c7daadf37d5bc14d8c70745ffadc20f15a00762f092bfc
Instruction ID: 088f0c784b9aa685c0ae1b321e7c8a44da1a69eaebaadd2bc11224bc642a3a5c
Opcode Fuzzy Hash: 44bad7d6514f7c4b03c7daadf37d5bc14d8c70745ffadc20f15a00762f092bfc
Instruction Fuzzy Hash: 6D112E395092849FD716CB10C990B15BFB1AB46718F28C6EED8899B6A3C73BD806CF41

Uniqueness

Uniqueness Score: -1.00%

Function 04F003E9, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.344657910.0000000004F00000.00000040.00000001.sdmp, Offset: 04F00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb907b6345e31749f2270d2cba2d8c2685ab5a065beabc09f0ded6925ba31337
Instruction ID: f49b3b263229bb174428c4dbc204185fc6a21896e65e85808183dbc127b81aed
Opcode Fuzzy Hash: bb907b6345e31749f2270d2cba2d8c2685ab5a065beabc09f0ded6925ba31337
Instruction Fuzzy Hash: A5F0F038A463889FD705DBB08800FEFB7769F9B300F2498D4840563382CE745E02EA66

Uniqueness

Uniqueness Score: -1.00%

Function 04F009D8, Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.344657910.0000000004F00000.00000040.00000001.sdmp, Offset: 04F00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ef930a2ce328bb078dd1ef6ccce24c5952f39ccce049f9ac4f40d0e08dda45b
Instruction ID: 13ef868e85781524f258cfe8362317bb99421ee9571799f045ebdd5cdd0ff3c5
Opcode Fuzzy Hash: 8ef930a2ce328bb078dd1ef6ccce24c5952f39ccce049f9ac4f40d0e08dda45b
Instruction Fuzzy Hash: BEF0F671A48088AFCF05DBB8CA914AD7F31EF96100FA546DAC5419B392DE306E06C781

Uniqueness

Uniqueness Score: -1.00%

Function 04F00070, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.344657910.0000000004F00000.00000040.00000001.sdmp, Offset: 04F00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9325f74a98b2074760f7e419bf76981833a2b7952aa3f07836e01eef62b44e3
Instruction ID: 5eb6123c48303611b26e257d01f3149c839ebe68beb750fe0aa5755caf148e9b
Opcode Fuzzy Hash: d9325f74a98b2074760f7e419bf76981833a2b7952aa3f07836e01eef62b44e3
Instruction Fuzzy Hash: E8F0B830D002099BDB949BA4C809BAFBAF4AB49304F10882AC400B3280DA7069048BE4

Uniqueness

Uniqueness Score: -1.00%

Function 04F003F8, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.344657910.0000000004F00000.00000040.00000001.sdmp, Offset: 04F00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d545e484827fcebe21380f9d3c06de5f5ca148db084ed1491ba8f0349aceb44
Instruction ID: 77253e4324063d5907ddddf0ce678c382716ef6b9c7e05455915505de287000a
Opcode Fuzzy Hash: 4d545e484827fcebe21380f9d3c06de5f5ca148db084ed1491ba8f0349aceb44
Instruction Fuzzy Hash: 3EF0AC34A4220C9BD708EBF1D550FAF737B9B85204F649C94940523385CEB55E51A999

Uniqueness

Uniqueness Score: -1.00%

Function 04F00530, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.344657910.0000000004F00000.00000040.00000001.sdmp, Offset: 04F00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51a8cc17abac4f9947f61daa32f2ca350caeb417bf89a2cafa21dd367955bb6c
Instruction ID: d2a67567f51a3c3bcac8308a6e975f9c262c7ab8c52ff55c42ce7307358eaf68
Opcode Fuzzy Hash: 51a8cc17abac4f9947f61daa32f2ca350caeb417bf89a2cafa21dd367955bb6c
Instruction Fuzzy Hash: 33011978E44209DFDB44DFA8D545AADBBB0FB49314F2085A9DC04A7342D770EA429B91

Uniqueness

Uniqueness Score: -1.00%

Function 04F00221, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.344657910.0000000004F00000.00000040.00000001.sdmp, Offset: 04F00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e29b471cd679a33fbf1c1c2584d3933c7f77bdff569228a1602b014c12a0e55a
Instruction ID: 2c6823d21efc836205a27d2d25d0e35500697205044b6b72e2637310b4e72756
Opcode Fuzzy Hash: e29b471cd679a33fbf1c1c2584d3933c7f77bdff569228a1602b014c12a0e55a
Instruction Fuzzy Hash: EAF0A035D4E388DFCB02EFA8A8016A8BFB5EF5B301F1480E6D84493352D6326D49DB52

Uniqueness

Uniqueness Score: -1.00%

Function 028A0818, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.343332848.00000000028A0000.00000040.00000040.sdmp, Offset: 028A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 525cef522958239b2deb72ab7ac90410e2832b06fb356f1b7ca8807ee3c9392c
Instruction ID: 8edb7ca4dcb4154860ed7cd6a66708fe339ee11265e934a42b12eef309e9c032
Opcode Fuzzy Hash: 525cef522958239b2deb72ab7ac90410e2832b06fb356f1b7ca8807ee3c9392c
Instruction Fuzzy Hash: 9CF01D39104644DFC305CF40D980B15FBA2EB89718F24C6ADE9490B752C737D813DE81

Uniqueness

Uniqueness Score: -1.00%

Function 04F00453, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.344657910.0000000004F00000.00000040.00000001.sdmp, Offset: 04F00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a7ebbab929f8471116d937c71a1bb6d4762dfe15e9da600dd22611900dcab50
Instruction ID: 7902eb5ccf87bf5ad4532520d25f2a2668dc7e7ca5a9892edf96c873170c3161
Opcode Fuzzy Hash: 1a7ebbab929f8471116d937c71a1bb6d4762dfe15e9da600dd22611900dcab50
Instruction Fuzzy Hash: E7F03A34C4A248EFCB00EFB8D4585AEBFB0EF06204F5489E9C810A3352DB719A52DB41

Uniqueness

Uniqueness Score: -1.00%

Function 04F042FF, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.344657910.0000000004F00000.00000040.00000001.sdmp, Offset: 04F00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 566bcc1eaa53806935b6bbd24f620e25a4d1fae8bbac634c7cec208f4fe6dd5e
Instruction ID: ec4afe2dac1782ea62b5f821bed02ad91f6ebc14fc4d16c2ba15967248c51f52
Opcode Fuzzy Hash: 566bcc1eaa53806935b6bbd24f620e25a4d1fae8bbac634c7cec208f4fe6dd5e
Instruction Fuzzy Hash: 0CF0A030808248EFCB09EF68D84A9A9BF70AF42301F10919AD8402B2E2C7302965EB64

Uniqueness

Uniqueness Score: -1.00%

Function 028A05F6, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.343332848.00000000028A0000.00000040.00000040.sdmp, Offset: 028A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09e685537e335c4caa908462ba69455c464372ac52443682c9d3e2aedbfc4324
Instruction ID: 3371fbd9c792a1ab6a9f9f745a6d2de35232458daa3d967aaaea2b2eb4697fb1
Opcode Fuzzy Hash: 09e685537e335c4caa908462ba69455c464372ac52443682c9d3e2aedbfc4324
Instruction Fuzzy Hash: 17E092766006008BD650DF0BEC81453FBD8EB88630B18C47FDD0D8B711E135B509CEA5

Uniqueness

Uniqueness Score: -1.00%

Function 027FA57B, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.343171792.00000000027F2000.00000040.00000001.sdmp, Offset: 027F2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50b26c6afee78c1a4770bd0ed7187e22380e9389af74ce1f490e630f339e8590
Instruction ID: ba44b55819e46ff7dcac3ba7022a3d252c0ddd8cc6802d8eb046ceb95ab80c6a
Opcode Fuzzy Hash: 50b26c6afee78c1a4770bd0ed7187e22380e9389af74ce1f490e630f339e8590
Instruction Fuzzy Hash: 06E0D87554030467E2109E06DC82B53FB5CDB80A30F54C457EE085B301D1B5B5048AE5

Uniqueness

Uniqueness Score: -1.00%

Function 027FA8FB, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.343171792.00000000027F2000.00000040.00000001.sdmp, Offset: 027F2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca834a64e17e5d3858458886f01b39f04ecb8b95a77029947e78d20d331458ee
Instruction ID: beb0def8a71647b8bb1df4ec9c0c388b7f403294acbb97338c29f01c94d74470
Opcode Fuzzy Hash: ca834a64e17e5d3858458886f01b39f04ecb8b95a77029947e78d20d331458ee
Instruction Fuzzy Hash: E2E0D876540300ABE2509F06DC82F53FB5CDB80A30F14C45BEE085B302E1B5B5148EE1

Uniqueness

Uniqueness Score: -1.00%

Function 027FAB6B, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.343171792.00000000027F2000.00000040.00000001.sdmp, Offset: 027F2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fce1a762426291815ff22f41e32aeba8859e75a8d3956d868c1c4c6fba7182c1
Instruction ID: e626819d0390095650019c492dc3d8e35601ef67d6d18ff7c38b510fc29cd310
Opcode Fuzzy Hash: fce1a762426291815ff22f41e32aeba8859e75a8d3956d868c1c4c6fba7182c1
Instruction Fuzzy Hash: 09E0D8769403006BE210AE06DC82B53FF5CDB80A30F14C45BEE086B302E1B5B5148AE1

Uniqueness

Uniqueness Score: -1.00%

Function 027FA363, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.343171792.00000000027F2000.00000040.00000001.sdmp, Offset: 027F2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfa9ad9e1f8dab2d21352f776488455134cdd3a7562120b98520382c26e7cf40
Instruction ID: d0bc5fb8995617daa3277f141a348ab0d30d7e137203c6e7466ae77386d42538
Opcode Fuzzy Hash: cfa9ad9e1f8dab2d21352f776488455134cdd3a7562120b98520382c26e7cf40
Instruction Fuzzy Hash: 22E0D87594130067E2109E06DC82B53FB5CDB80930F54C457EE085B302D1B5B5148AE1

Uniqueness

Uniqueness Score: -1.00%

Function 027FA7CF, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.343171792.00000000027F2000.00000040.00000001.sdmp, Offset: 027F2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8c605f36d854393f4cd15ead921525b7c08aba73fb8509bbb302a42cc2eb0ed
Instruction ID: beb009a7b23245ef7fdc68d6e67346fa6223292dc308916070b82233e2e40212
Opcode Fuzzy Hash: d8c605f36d854393f4cd15ead921525b7c08aba73fb8509bbb302a42cc2eb0ed
Instruction Fuzzy Hash: D2E0D876540300A7E210DF06DC82F53FB5CDB90A30F14C45BEE085B302E1B6B5148AF1

Uniqueness

Uniqueness Score: -1.00%

Function 027FA14C, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.343171792.00000000027F2000.00000040.00000001.sdmp, Offset: 027F2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c59d836dddf1799490dec7ab61aef22e20e1b32b6c8e93b6273f4dc146eafd4f
Instruction ID: 301528bf5c16fb6ecefb5524a360aa1497f512c4ecac3b0141b1001d70105165
Opcode Fuzzy Hash: c59d836dddf1799490dec7ab61aef22e20e1b32b6c8e93b6273f4dc146eafd4f
Instruction Fuzzy Hash: ADE0D87554030467E2109E07DC82B53FB5CDB80930F58C457EE085B702E1B5B5048AE5

Uniqueness

Uniqueness Score: -1.00%

Function 027FA6A3, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.343171792.00000000027F2000.00000040.00000001.sdmp, Offset: 027F2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6a821699ce72e842366a2316163381dac8dcfe78145963e31ba354de61c21a4
Instruction ID: f76e2eb3bcd2853fa6d8a9ba478ed5888752e7b66deab134dab2ac7229af226f
Opcode Fuzzy Hash: b6a821699ce72e842366a2316163381dac8dcfe78145963e31ba354de61c21a4
Instruction Fuzzy Hash: E7E0D876540300A7E210AF06DC82F53FF5CDB80A30F14C55BEE085B302D1B5B5148AE1

Uniqueness

Uniqueness Score: -1.00%

Function 04F009E8, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.344657910.0000000004F00000.00000040.00000001.sdmp, Offset: 04F00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df6a7b539d7392555b5adfb0950b6c58cafc8b2fe168b90a7c0d7c3bc8b6f5bf
Instruction ID: 087606b7fba608db3c351dfb2437cbe6b0cf058f7db43d0e7cf8a3c8ad63a6ea
Opcode Fuzzy Hash: df6a7b539d7392555b5adfb0950b6c58cafc8b2fe168b90a7c0d7c3bc8b6f5bf
Instruction Fuzzy Hash: 6FF03070E4010CEBCB44EFA8D9516AEB775EF80301F6042A9850167390DF306E44DB91

Uniqueness

Uniqueness Score: -1.00%

Function 04F00460, Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.344657910.0000000004F00000.00000040.00000001.sdmp, Offset: 04F00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4f64fd6c621009aa9c2f5125cfffcd8578b0ae2fe5f9e4d2f00b2fd739d5c0b
Instruction ID: 47d6350032e7099c58058c18653fd80d041fa1beb76d470ed65670d6a8de7f6c
Opcode Fuzzy Hash: f4f64fd6c621009aa9c2f5125cfffcd8578b0ae2fe5f9e4d2f00b2fd739d5c0b
Instruction Fuzzy Hash: 3CF03974D4520CEFCB04EFB4D0486AEBBB4FB04304F6089A9C81463340DB709A50CF80

Uniqueness

Uniqueness Score: -1.00%

Function 04F0D048, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.344657910.0000000004F00000.00000040.00000001.sdmp, Offset: 04F00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a13cb011ef09b482ac34546e32b4d590e1435d9d68920c903b48ef81d628090b
Instruction ID: 413511e9c3a5416b069d17ad8a42f39827a9a833c89afae7919d3c18ca37d5dd
Opcode Fuzzy Hash: a13cb011ef09b482ac34546e32b4d590e1435d9d68920c903b48ef81d628090b
Instruction Fuzzy Hash: 05E04F74D04208EFCB04DFE4D8446ACFBB5EB89300F10C0AADC4867385D636AA52EF94

Uniqueness

Uniqueness Score: -1.00%

Function 04F00230, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.344657910.0000000004F00000.00000040.00000001.sdmp, Offset: 04F00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cc1065113595b1c176fc04e8bcf93eb341a18013ba7a04400c297d49919be43
Instruction ID: 0360c4cb7e731f4d06bb6b5274f81cfccf5f74abd094de165fab72569c9b931a
Opcode Fuzzy Hash: 0cc1065113595b1c176fc04e8bcf93eb341a18013ba7a04400c297d49919be43
Instruction Fuzzy Hash: 6EE04634E09308DFCB04EFA9E10569CBBB9EB85301F2080A9D80993380EB316A55EB81

Uniqueness

Uniqueness Score: -1.00%

Function 04F04310, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.344657910.0000000004F00000.00000040.00000001.sdmp, Offset: 04F00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c33ce689e8d7a1ac56f7e49c84abfdd4960ef9728bc8802e32791d416db56e3
Instruction ID: 30cc5838c8aee7b9238e7f1afb85767d0dc44a04abea0b191b82b49735e10dd1
Opcode Fuzzy Hash: 9c33ce689e8d7a1ac56f7e49c84abfdd4960ef9728bc8802e32791d416db56e3
Instruction Fuzzy Hash: D2E04630C44208EBCB48EFA8D8459ADBB71AB82301F109469EC0423280CB316AA4EAA4

Uniqueness

Uniqueness Score: -1.00%

Function 04F0BEC0, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.344657910.0000000004F00000.00000040.00000001.sdmp, Offset: 04F00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: adb1ae8251b463bebe850040fa4b0d2cdfb8b682463b8a9d0c970dd0263834d8
Instruction ID: 412e8c9d0f6b4bac1df25806866c2e29f7db78ea51d198f43c7d8865656e0161
Opcode Fuzzy Hash: adb1ae8251b463bebe850040fa4b0d2cdfb8b682463b8a9d0c970dd0263834d8
Instruction Fuzzy Hash: E8E0EC74D45208EFCB04DFE4E5496ADBBB4EB85300F10C5A9D90563381D7706A51EF95

Uniqueness

Uniqueness Score: -1.00%

Function 04F000ED, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.344657910.0000000004F00000.00000040.00000001.sdmp, Offset: 04F00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49c9fedb32f64f5cb2801016f773be8543d69d5edfdcd7ba0de7fd19d6ce3cd2
Instruction ID: a8e14a379623b2bb7cefbd4e66c3baa1306da4ae69187bcf8ee4234c368d4543
Opcode Fuzzy Hash: 49c9fedb32f64f5cb2801016f773be8543d69d5edfdcd7ba0de7fd19d6ce3cd2
Instruction Fuzzy Hash: F1D01736E01208CFCB009FA9E0846ECB7B1EB89329F248966C218A3200C73154558F90

Uniqueness

Uniqueness Score: -1.00%

Function 00F323F4, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.343100088.0000000000F32000.00000040.00000001.sdmp, Offset: 00F32000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59dad786009bd0ea32db707f5140c35ba007fdf3823df93fdf380fb1b5368537
Instruction ID: df00fc8ef47726f22b8d486abac9390c6cd189b7c6d08165a2ed821663b75766
Opcode Fuzzy Hash: 59dad786009bd0ea32db707f5140c35ba007fdf3823df93fdf380fb1b5368537
Instruction Fuzzy Hash: 45D05E79615A818FD326CA1CC1A8B953B94AB51B24F4644FDE8008B663C368E981E200

Uniqueness

Uniqueness Score: -1.00%

Function 00F323BC, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.343100088.0000000000F32000.00000040.00000001.sdmp, Offset: 00F32000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7459bcdb91f37b2b5aafb180a0693860739894c3c4412c52c057cc616f251f4c
Instruction ID: 4ec4cedb83dfb80ecb4acbf8a518b054513d1463d46984197fa2db519f5a59a3
Opcode Fuzzy Hash: 7459bcdb91f37b2b5aafb180a0693860739894c3c4412c52c057cc616f251f4c
Instruction Fuzzy Hash: 01D05E346402818BC715DB0CC594F5977D4AB41B20F0644E8AC008B762C7A8DC81D600

Uniqueness

Uniqueness Score: -1.00%

Function 04F000CD, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.344657910.0000000004F00000.00000040.00000001.sdmp, Offset: 04F00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16ac66c927932eecccb882b834d08be33776cd39a33e4297502a55cb36a1ec7a
Instruction ID: e812cd2a9b8a4ec3ea7f44502338db8f96aa7ac60e79ba9893450838e09f4c26
Opcode Fuzzy Hash: 16ac66c927932eecccb882b834d08be33776cd39a33e4297502a55cb36a1ec7a
Instruction Fuzzy Hash: 49D0C93AE41208CF8B109FE9E0840DCF775EB8A325B249566C614B3300C7319455CF50

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0059AC81, Relevance: 1.9, Instructions: 1917
COMMONCrypto

Download Yara Rule

C-Code - Quality: 70%

			E0059AC81(signed int __eax, signed int* __ebx, void* __ecx, signed int __edx, void* __edi, signed int* __esi, void* __fp0) {
				signed char _t695;
				signed char _t697;
				signed char _t698;
				signed char _t699;
				intOrPtr* _t700;
				signed char _t701;
				signed int _t702;
				signed char _t705;
				void* _t1167;
				signed int _t1168;
				signed char _t1169;
				signed char _t1170;
				signed int* _t1172;
				signed char _t1197;
				signed int _t1484;
				signed char _t1485;
				void* _t1509;
				signed int* _t1545;
				void* _t1561;
				void* _t1562;
				void* _t1563;
				intOrPtr* _t1576;
				void* _t1587;
				signed int _t1591;
				intOrPtr _t1592;

				_t1545 = __esi;
				_t1509 = __edi;
				_t1484 = __edx;
				_t1172 = __ebx;
				_t695 = __eax |  *__esi;
				 *_t695 =  *_t695 + __ebx;
				asm("in eax, 0x1");
				 *_t695 =  *_t695 + _t695;
				_t1197 = __ecx +  *((intOrPtr*)(__edi + 0x5c));
				 *_t695 =  *_t695 + _t695;
				_push(es);
				asm("outsd");
				_t1562 = _t1561 + 1;
				 *0x720a0000 =  *0x720a0000 | 0x720a0000;
				if( *0x720a0000 < 0) {
					L4:
					_t1197 = _t1197 +  *[es:edi+0x5c];
					 *0x720a0000 =  *0x720a0000 + 0x720a0000;
					asm("outsd");
					asm("iretd");
					 *0x720a0000 =  *0x720a0000 + 0x720a0000;
					_t697 = 0x720a0000 |  *_t1545;
					 *_t697 =  *_t697 + _t1172;
					asm("stosd");
					 *_t697 =  *_t697 + _t697;
					 *_t1484 =  *_t1484 + _t697;
					asm("outsd");
					_t1485 = es;
					 *_t697 =  *_t697 + _t697;
					_push(es);
					asm("outsd");
					_t698 = 0x720a0000;
					_t1562 = _t1562 + 1;
					 *0x720a0000 =  *0x720a0000 | 0x720a0000;
					if( *0x720a0000 >= 0) {
						goto L5;
					}
					goto L6;
				} else {
					_t1170 = 0x720a0000 - __edx;
					 *0x720a0000 =  *0x720a0000 + _t1170;
					_t1485 = __edx |  *__esi;
					 *_t1197 =  *_t1197 + 1;
					_t700 = (_t1170 | 0x00000008) - 0x1d;
					_t1576 = _t700;
					if(_t1576 >= 0) {
						 *0x720a0000 = 0x720a0000;
						if(_t1576 < 0) {
							L5:
							_t1168 = _t698 - _t1485;
							 *_t1168 =  *_t1168 + _t1168;
							_t1485 = _t1485 |  *_t1545;
							 *_t1197 =  *_t1197 + 1;
							_t1169 = _t1168 | 0x721d2c09;
							_t2 = _t1197 - 0x2ed79000;
							_t3 = _t1197;
							_t1197 =  *_t2;
							 *_t2 = _t3;
							 *_t1169 =  *_t1169 + _t1169;
							_t698 = _t1169 |  *_t1545;
						} else {
							asm("rol dword [eax], 1");
							 *_t1485 =  *_t1485 + _t1197;
							goto L4;
						}
						L6:
						_t1197 = _t1197 +  *[es:edi+0x5a];
						 *_t698 =  *_t698 + _t698;
						_push(es);
						asm("outsd");
						asm("iretd");
						 *_t698 =  *_t698 + _t698;
						_t699 = _t698 |  *_t1545;
						 *_t699 =  *_t699 + _t1172;
						if( *_t699 < 0) {
							 *_t699 =  *_t699 + _t699;
						}
						 *_t1485 =  *_t1485 + _t699;
						asm("outsd");
						_pop(_t700);
					}
				}
				 *_t700 =  *_t700 + _t700;
				_push(es);
				asm("outsd");
				_t701 = 0x720a0000;
				_t1563 = _t1562 + 1;
				 *0x720a0000 =  *0x720a0000 | 0x720a0000;
				if( *0x720a0000 < 0) {
					L13:
					 *_t1485 =  *_t1485 + _t1197;
					_t1197 = _t1197 +  *[es:edi+0x58];
					 *_t701 =  *_t701 + _t701;
					_push(es);
					asm("outsd");
					goto L14;
				} else {
					_t1167 = 0x720a0000 - _t1485;
					 *0x720a0000 =  *0x720a0000 + _t1167;
					_t1485 = _t1485 |  *_t1545;
					 *_t1197 =  *_t1197 + 1;
					asm("adc eax, [ecx+edx]");
					_t704 = _t1167 + 0x2c;
					asm("sbb eax, 0x89ac72");
					if(_t704 < 0) {
						L15:
						_t701 = _t704 - _t1485;
						 *_t701 =  *_t701 + _t701;
						_t1485 = _t1485 |  *_t1545;
						 *_t1197 =  *_t1197 + 1;
						_t1587 =  *_t1197;
						asm("adc eax, [0x1d2c0511]");
						if(_t1587 < 0) {
							L14:
							asm("iretd");
							 *_t701 =  *_t701 + _t701;
							_t702 = _t701 |  *_t1545;
							 *_t702 =  *_t702 + _t1172;
							asm("outsd");
							 *[fs:eax] =  *[fs:eax] + (_t702 ^ 0x02000001);
							_push(es);
							asm("outsd");
							_t704 = 0x720a0000;
							_t1563 = _t1563 + 1;
							 *0x720a0000 =  *0x720a0000 | 0x720a0000;
							if( *0x720a0000 < 0) {
								goto L18;
							} else {
								goto L15;
							}
						} else {
							 *_t704 = _t704;
							if(_t1587 >= 0) {
								asm("rol dword [eax], 1");
								L18:
								 *_t1485 =  *_t1485 + _t1197;
								L19:
								_t1197 = _t1197 +  *[es:edi+0x64];
								 *_t704 =  *_t704 + _t704;
								_push(es);
								asm("outsd");
								asm("iretd");
								 *_t704 =  *_t704 + _t704;
								_t705 = _t704 |  *_t1545;
								 *_t705 =  *_t705 + _t1172;
								asm("stc");
								 *_t705 =  *_t705 + _t705;
								 *_t705 =  *_t705 + _t705;
								_t1172 = _t1172 +  *((intOrPtr*)(_t1172 - 0x64));
								 *_t705 =  *_t705 + _t705;
								_t704 = _t705 + 0x73;
								_t1591 = _t704 & 0x00000000;
								 *_t1485 =  *_t1485 + _t1197;
								asm("adc eax, [esi]");
								do {
								} while (_t1591 < 0);
								 *_t704 = _t704;
							}
						}
					} else {
						asm("rol dword [eax], 1");
						goto L13;
					}
				}
				_t7 = _t704 + 0x13;
				 *_t7 =  *((intOrPtr*)(_t704 + 0x13)) + _t1485;
				_t1592 =  *_t7;
				goto L25;
				_pop(es);
				asm("adc [edi], eax");
				asm("adc [esi], eax");
				if(_t1592 >= 0) {
					goto L19;
				} else {
					 *_t704 =  *_t704 + _t704;
					_t1485 = _t1485 |  *_t1172;
					 *_t1197 =  *_t1197 | _t1485;
					_push(es);
					asm("outsd");
					asm("stosd");
					 *_t704 =  *_t704 + _t704;
					_t704 = _t704 |  *_t704;
				}
				 *_t1197 =  *_t1197 + _t1485;
				 *(_t1509 - 0x2d) =  *(_t1509 - 0x2d) | _t1197;
				 *_t704 =  *_t704 + _t704;
				_t1485 = _t1485 |  *(_t1485 - 0x1f);
			}

0x0059ac81
0x0059ac81
0x0059ac81
0x0059ac81
0x0059ac81
0x0059ac83
0x0059ac85
0x0059ac87
0x0059ac89
0x0059ac8c
0x0059ac8e
0x0059ac8f
0x0059ac95
0x0059ac96
0x0059ac98
0x0059acb0
0x0059acb0
0x0059acb4
0x0059acb7
0x0059acb8
0x0059acb9
0x0059acbb
0x0059acbd
0x0059acbf
0x0059acc0
0x0059acc2
0x0059acc4
0x0059acc5
0x0059acc6
0x0059acc8
0x0059acc9
0x0059acca
0x0059accf
0x0059acd0
0x0059acd2
0x00000000
0x00000000
0x00000000
0x0059ac9a
0x0059ac9a
0x0059ac9c
0x0059ac9e
0x0059aca0
0x0059aca4
0x0059aca4
0x0059aca6
0x0059aca8
0x0059acaa
0x0059acd4
0x0059acd4
0x0059acd6
0x0059acd8
0x0059acda
0x0059acdc
0x0059ace1
0x0059ace1
0x0059ace1
0x0059ace1
0x0059ace7
0x0059ace9
0x0059acac
0x0059acac
0x0059acae
0x00000000
0x0059acae
0x0059acea
0x0059acea
0x0059acee
0x0059acf0
0x0059acf1
0x0059acf2
0x0059acf3
0x0059acf5
0x0059acf7
0x0059acf9
0x0059acfb
0x0059acfb
0x0059acfc
0x0059acfe
0x0059acff
0x0059acff
0x0059aca6
0x0059ad00
0x0059ad02
0x0059ad03
0x0059ad04
0x0059ad09
0x0059ad0a
0x0059ad0c
0x0059ad24
0x0059ad24
0x0059ad26
0x0059ad2a
0x0059ad2c
0x0059ad2d
0x00000000
0x0059ad0e
0x0059ad0e
0x0059ad10
0x0059ad12
0x0059ad14
0x0059ad16
0x0059ad19
0x0059ad1b
0x0059ad20
0x0059ad4a
0x0059ad4a
0x0059ad4c
0x0059ad4e
0x0059ad50
0x0059ad50
0x0059ad52
0x0059ad58
0x0059ad2e
0x0059ad2e
0x0059ad2f
0x0059ad31
0x0059ad33
0x0059ad3a
0x0059ad3b
0x0059ad3e
0x0059ad3f
0x0059ad40
0x0059ad45
0x0059ad46
0x0059ad48
0x00000000
0x00000000
0x00000000
0x00000000
0x0059ad5a
0x0059ad5a
0x0059ad5c
0x0059ad5e
0x0059ad60
0x0059ad60
0x0059ad62
0x0059ad62
0x0059ad66
0x0059ad68
0x0059ad69
0x0059ad6a
0x0059ad6b
0x0059ad6d
0x0059ad6f
0x0059ad71
0x0059ad72
0x0059ad74
0x0059ad76
0x0059ad79
0x0059ad7b
0x0059ad7d
0x0059ad7f
0x0059ad81
0x0059ad83
0x0059ad83
0x0059ad85
0x0059ad85
0x0059ad5c
0x0059ad22
0x0059ad22
0x00000000
0x0059ad22
0x0059ad20
0x0059ad86
0x0059ad86
0x0059ad86
0x0059ad86
0x0059ad89
0x0059ad8a
0x0059ad8c
0x0059ad8e
0x00000000
0x0059ad90
0x0059ad90
0x0059ad92
0x0059ad94
0x0059ad96
0x0059ad97
0x0059ad98
0x0059ad99
0x0059ad9b
0x0059ad9b
0x0059ad9c
0x0059ad9e
0x0059ada1
0x0059ada3

Memory Dump Source

Source File: 00000000.00000002.342481358.0000000000592000.00000002.00020000.sdmp, Offset: 00590000, based on PE: true

Associated: 00000000.00000002.342440349.0000000000590000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.342613471.000000000060A000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68adfbea7a52206f0ce5efa2377ae8cce8321fcbbb264cc01cd65247afc314aa
Instruction ID: ebad27a936236b8fda6a32e1db92bfd5d53350fd9bc70e3a96934b48aed9a3c3
Opcode Fuzzy Hash: 68adfbea7a52206f0ce5efa2377ae8cce8321fcbbb264cc01cd65247afc314aa
Instruction Fuzzy Hash: FDE2496100EBC29FEB134BB869711E1BFB5AE5322431E08D7D4C08F5B3E215196ADB76

Uniqueness

Uniqueness Score: -1.00%

Function 04F0C198, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.344657910.0000000004F00000.00000040.00000001.sdmp, Offset: 04F00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 324152f240d580382e222674b47f03445abe1f708a05fec626c955ba99c5631f
Instruction ID: e5f3b6f76874e303fd14ea784c285436e6d0d5f4fb4703cb6f624f2c9e571ef9
Opcode Fuzzy Hash: 324152f240d580382e222674b47f03445abe1f708a05fec626c955ba99c5631f
Instruction Fuzzy Hash: 8F219A71D016598BEB2CCF6BCD0479AFAF7AFC9300F14C5BA990CA7254EB3419859E40

Uniqueness

Uniqueness Score: -1.00%

Function 04F0D098, Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.344657910.0000000004F00000.00000040.00000001.sdmp, Offset: 04F00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e8a6f490f5d75ea699eaba805396e9c800519f94e8adcb6da40e72cb9897fe7
Instruction ID: 5c187258a48f9fe0cb64000fde2eefb1670920d2da4123a762c98cc6a21676ed
Opcode Fuzzy Hash: 6e8a6f490f5d75ea699eaba805396e9c800519f94e8adcb6da40e72cb9897fe7
Instruction Fuzzy Hash: 3C11E370D442199FDB54DFAAD844BEEBFF4AF4A300F149469D404B3280D7349645EFA8

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: bbbe7872ea466446da60c4da50020cbb.exe PID: 6996 Parent PID: 6780 bbbe7872ea466446da60c4da50020cbb.exeCOMMON

Executed Functions

Function 0110AF9A, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,00000E2C,?,?), ref: 0110AFEA

Memory Dump Source

Source File: 00000004.00000002.594149633.000000000110A000.00000040.00000001.sdmp, Offset: 0110A000, based on PE: false

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 32a614ad9441b2843ebdbb48ec8d1d464f2fb58661dcdfd426e69511f5a0774f
Instruction ID: 2bf861bb879f9f5aedd71b6293a24e93961905f463a8ef1941c7f9081477fb92
Opcode Fuzzy Hash: 32a614ad9441b2843ebdbb48ec8d1d464f2fb58661dcdfd426e69511f5a0774f
Instruction Fuzzy Hash: 3201AD72600600ABD610DF16DC82F26FBA8FB88B20F14815AED084B741E371F916CBE6

Uniqueness

Uniqueness Score: -1.00%

Function 0110AA02, Relevance: 1.6, APIs: 1, Instructions: 92registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,00000E2C), ref: 0110AAB1

Memory Dump Source

Source File: 00000004.00000002.594149633.000000000110A000.00000040.00000001.sdmp, Offset: 0110A000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 8b90c14cd1f58e88814bca8e8b479f88e96a8a6a4539c4c7210edd62051af7f4
Instruction ID: 777f16aae7db899e11708b3b082c5b2666264f2e1b2767bf92bc5c5e1609cbed
Opcode Fuzzy Hash: 8b90c14cd1f58e88814bca8e8b479f88e96a8a6a4539c4c7210edd62051af7f4
Instruction Fuzzy Hash: AE31B472544384AFE7228B25DC45FA7BFACEF06710F08849BED819B192D364A849CB71

Uniqueness

Uniqueness Score: -1.00%

Function 0110AAF9, Relevance: 1.6, APIs: 1, Instructions: 89registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,0333D791,00000000,00000000,00000000,00000000), ref: 0110ABB4

Memory Dump Source

Source File: 00000004.00000002.594149633.000000000110A000.00000040.00000001.sdmp, Offset: 0110A000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 7f9e4d1cc4ca370f717060c0752cddef91e0a18774e88512e9993eb03a48bd5d
Instruction ID: c5541c1037eb8e18ecbda16f1abb66c6dd1aed0ee4abe69fb30a14f0d32eb35f
Opcode Fuzzy Hash: 7f9e4d1cc4ca370f717060c0752cddef91e0a18774e88512e9993eb03a48bd5d
Instruction Fuzzy Hash: FE31B372508784AFE722CB25DC84F52BFF8EF06310F18849AE9858B193D3A0E448CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0110AF50, Relevance: 1.6, APIs: 1, Instructions: 77COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,00000E2C,?,?), ref: 0110AFEA

Memory Dump Source

Source File: 00000004.00000002.594149633.000000000110A000.00000040.00000001.sdmp, Offset: 0110A000, based on PE: false

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 40478777d406365036036c5b405c45d86d63348e09c34ffd0fa394ae0436b705
Instruction ID: 739aa39974154d74fc3e6974d76eee4314ab095781eda70c4aa88646912f6444
Opcode Fuzzy Hash: 40478777d406365036036c5b405c45d86d63348e09c34ffd0fa394ae0436b705
Instruction Fuzzy Hash: 7521B67154D3C06FD3138B259C51B22BFB4EF87A10F0A81DBEC84CB593D225A919C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 0110AA32, Relevance: 1.6, APIs: 1, Instructions: 74registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,00000E2C), ref: 0110AAB1

Memory Dump Source

Source File: 00000004.00000002.594149633.000000000110A000.00000040.00000001.sdmp, Offset: 0110A000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 896b9cb6bcbfd660e854a489b39bfe79ff0bf2dc0cfc206d33bbb5cc963adcdc
Instruction ID: 7af0526e6581192e2a876fd9fe15334bbfe4ffa912c45022608aa710170bf7c1
Opcode Fuzzy Hash: 896b9cb6bcbfd660e854a489b39bfe79ff0bf2dc0cfc206d33bbb5cc963adcdc
Instruction Fuzzy Hash: 2F21CF72500304EEE722DB19DC84FABFBECEF04710F14845AEE419B281D7A0E8488B71

Uniqueness

Uniqueness Score: -1.00%

Function 0110AB3A, Relevance: 1.6, APIs: 1, Instructions: 69registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,0333D791,00000000,00000000,00000000,00000000), ref: 0110ABB4

Memory Dump Source

Source File: 00000004.00000002.594149633.000000000110A000.00000040.00000001.sdmp, Offset: 0110A000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 7aea7f1a000489f227843b6ffbbbd6cd715d2f5f00dfa84bffa22e7df467f9b3
Instruction ID: 666307113e8a19326d46c48f9b6e6db804b5336ff01b52e549057243e5393f9d
Opcode Fuzzy Hash: 7aea7f1a000489f227843b6ffbbbd6cd715d2f5f00dfa84bffa22e7df467f9b3
Instruction Fuzzy Hash: B8214D75A00704AFE726CE29DC85F66FBECEF05710F14896AEE459B291D7A0E408CA71

Uniqueness

Uniqueness Score: -1.00%

Function 0110A51F, Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0110A58A

Memory Dump Source

Source File: 00000004.00000002.594149633.000000000110A000.00000040.00000001.sdmp, Offset: 0110A000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 652686d2b94300b80f78ef02f9ba53d8acc8f525bbb2036ab08bbec15995004b
Instruction ID: bb073105c0dd37ed26804b00f0356d572fcf28dbf13d74675e0f4ea855fb94c0
Opcode Fuzzy Hash: 652686d2b94300b80f78ef02f9ba53d8acc8f525bbb2036ab08bbec15995004b
Instruction Fuzzy Hash: D9118472409384AFDB238F55DC44A62FFF4EF4A210F0885DAEE858B153D375A518DB61

Uniqueness

Uniqueness Score: -1.00%

Function 0110B7CA, Relevance: 1.6, APIs: 1, Instructions: 61windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,?,?), ref: 0110B841

Memory Dump Source

Source File: 00000004.00000002.594149633.000000000110A000.00000040.00000001.sdmp, Offset: 0110A000, based on PE: false

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 749c149768368d0989bb2f10b5fc9aa8e36893d8ac4d594df71db2c9150c0165
Instruction ID: 4f9ded8f76e9006c67e222df874582c6041d17a975d8c09f514f292b7fc91d39
Opcode Fuzzy Hash: 749c149768368d0989bb2f10b5fc9aa8e36893d8ac4d594df71db2c9150c0165
Instruction Fuzzy Hash: 88219D764097C09FDB138B25DC50AA2BFB0EF0B220F0D84DAEDC44F163D265A958DB62

Uniqueness

Uniqueness Score: -1.00%

Function 0110BB4F, Relevance: 1.6, APIs: 1, Instructions: 59windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 0110BBB9

Memory Dump Source

Source File: 00000004.00000002.594149633.000000000110A000.00000040.00000001.sdmp, Offset: 0110A000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 1eb4733a48a99613834f5aa3a99e301f9754975cea2a57c87db56954c650ca86
Instruction ID: 5c8c9d4fb3fac652e2374c0af9a467133fd165c40c91e43177ee3edb3edc33b6
Opcode Fuzzy Hash: 1eb4733a48a99613834f5aa3a99e301f9754975cea2a57c87db56954c650ca86
Instruction Fuzzy Hash: 9A11B135509780AFDB228F25CC85A52FFB4EF06220F0884DEED858B563D275A458DB61

Uniqueness

Uniqueness Score: -1.00%

Function 0110BE05, Relevance: 1.6, APIs: 1, Instructions: 58windowCOMMON

Download Yara Rule

APIs

DispatchMessageW.USER32(?), ref: 0110BE70

Memory Dump Source

Source File: 00000004.00000002.594149633.000000000110A000.00000040.00000001.sdmp, Offset: 0110A000, based on PE: false

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: 119c6c39b28423beb8902eb11b455240ddf73ab8b09d2a7e0ccae70259a4102c
Instruction ID: b9ecb7b42a36e9f7a0f44af4234383739412c4e609e59a9c7f1d610019316f38
Opcode Fuzzy Hash: 119c6c39b28423beb8902eb11b455240ddf73ab8b09d2a7e0ccae70259a4102c
Instruction Fuzzy Hash: E4117C758093C0AFDB138B259C84B61BFB4DF47624F0980DAED858F263D2B56808CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0110B71E, Relevance: 1.6, APIs: 1, Instructions: 57windowCOMMON

Download Yara Rule

APIs

CreateIconFromResourceEx.USER32 ref: 0110B78A

Memory Dump Source

Source File: 00000004.00000002.594149633.000000000110A000.00000040.00000001.sdmp, Offset: 0110A000, based on PE: false

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: a485cab0a5df44ea6217a597d4043e6277044810b27f8b4edba96e8c38904660
Instruction ID: 19d941a99407087a8c428a9b7099d1b30f1857de42039dd39f719283c387e591
Opcode Fuzzy Hash: a485cab0a5df44ea6217a597d4043e6277044810b27f8b4edba96e8c38904660
Instruction Fuzzy Hash: E0119036408784AFDB228F54DC84A52FFF4EF4A210F08849EEE858B562D375A418CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0110BEB4, Relevance: 1.6, APIs: 1, Instructions: 56fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(?), ref: 0110BF0C

Memory Dump Source

Source File: 00000004.00000002.594149633.000000000110A000.00000040.00000001.sdmp, Offset: 0110A000, based on PE: false

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 467abd822da5b2039b69931f46da85d8bf74b952e5007f23c95272bc0ff16e1e
Instruction ID: 09544e300a83bb55357daa03679fd68328cc603b34e7b134e38928289e95f3eb
Opcode Fuzzy Hash: 467abd822da5b2039b69931f46da85d8bf74b952e5007f23c95272bc0ff16e1e
Instruction Fuzzy Hash: 841191769093809FD716CF29DC85B56BFE8EF46220F0884AAED45CF252D375E848CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0110A75B, Relevance: 1.6, APIs: 1, Instructions: 52comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(?), ref: 0110A7BC

Memory Dump Source

Source File: 00000004.00000002.594149633.000000000110A000.00000040.00000001.sdmp, Offset: 0110A000, based on PE: false

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 87e6bec6cb54db5b3e5a6e954852f037361b3a84bf4b0bd84661e0397916e78f
Instruction ID: ee792119e167832f752606925585702f966ed02a2752a3898cec448f469c2e6f
Opcode Fuzzy Hash: 87e6bec6cb54db5b3e5a6e954852f037361b3a84bf4b0bd84661e0397916e78f
Instruction Fuzzy Hash: 3F11C171448384AFD712CF14DC85B52BFB4EF06220F0880DAED498F243D3B5A508CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0110A8CC, Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 0110A926

Memory Dump Source

Source File: 00000004.00000002.594149633.000000000110A000.00000040.00000001.sdmp, Offset: 0110A000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 30c370a63de129314a4189984dfe07c3a469117d07e7e09872c2702e805577bc
Instruction ID: ac6f7c278c195d1f912d2a0c9d7afba2a4857b1e59e98de94ff2cd73cc87fa75
Opcode Fuzzy Hash: 30c370a63de129314a4189984dfe07c3a469117d07e7e09872c2702e805577bc
Instruction Fuzzy Hash: 89118235509784AFD7228F15DC85A52FFF4EF06220F09C4DAED854B263D375A418CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0110BED2, Relevance: 1.5, APIs: 1, Instructions: 47fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(?), ref: 0110BF0C

Memory Dump Source

Source File: 00000004.00000002.594149633.000000000110A000.00000040.00000001.sdmp, Offset: 0110A000, based on PE: false

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: fbab70b6f6bf0545af74f04c2aa7066ddc08cd864bf6f6e88bc222072011befe
Instruction ID: c8dd5df53db879538b15f5012f78ab5e1fb6bedc271a1cd97ed874e4862979a3
Opcode Fuzzy Hash: fbab70b6f6bf0545af74f04c2aa7066ddc08cd864bf6f6e88bc222072011befe
Instruction Fuzzy Hash: 0601B175A042009FDB15CF29D885766FFD8DF00220F18C0AAED49CB282D7B5E408CF62

Uniqueness

Uniqueness Score: -1.00%

Function 0110A546, Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0110A58A

Memory Dump Source

Source File: 00000004.00000002.594149633.000000000110A000.00000040.00000001.sdmp, Offset: 0110A000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 95d2c92f045530cca88a9c0e0e3749d68c87330280a1583e8f243c5baae0016f
Instruction ID: a8dffdf47d13a809dadff08a02df8eec5135001629eca539b0595fdd91a4f552
Opcode Fuzzy Hash: 95d2c92f045530cca88a9c0e0e3749d68c87330280a1583e8f243c5baae0016f
Instruction Fuzzy Hash: DA015E318007049FDB228F55D884B56FFE4EF08720F18C59ADE494B652D3B6A018DF62

Uniqueness

Uniqueness Score: -1.00%

Function 0110B746, Relevance: 1.5, APIs: 1, Instructions: 45windowCOMMON

Download Yara Rule

APIs

CreateIconFromResourceEx.USER32 ref: 0110B78A

Memory Dump Source

Source File: 00000004.00000002.594149633.000000000110A000.00000040.00000001.sdmp, Offset: 0110A000, based on PE: false

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: f18be0172eaca31b281e37c32412802de5295d3401a22aca75cab25957f91c06
Instruction ID: 0cc91abe0239cd0d8817128131dcc91bbd6d2969a9e61d63c08aa03848e65ac2
Opcode Fuzzy Hash: f18be0172eaca31b281e37c32412802de5295d3401a22aca75cab25957f91c06
Instruction Fuzzy Hash: 73016135804604DFDB228F55D884B56FFE4EF08710F18C59EDE494B652D3B5A018DF62

Uniqueness

Uniqueness Score: -1.00%

Function 0110BB7E, Relevance: 1.5, APIs: 1, Instructions: 42windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 0110BBB9

Memory Dump Source

Source File: 00000004.00000002.594149633.000000000110A000.00000040.00000001.sdmp, Offset: 0110A000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 06023458bd5b3855a2d6159d095aec58e9665c1913bc04c5b51e9317819f7170
Instruction ID: 2d029d489e5f9def9672c0afdd9fed2b4da0c0e86fafdb606298c22cea42b8a3
Opcode Fuzzy Hash: 06023458bd5b3855a2d6159d095aec58e9665c1913bc04c5b51e9317819f7170
Instruction Fuzzy Hash: 0D01B139904B00DFDB258F19D885B66FFA0EF04320F18C09ADD4A4B666C3B1E418CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0110A78A, Relevance: 1.5, APIs: 1, Instructions: 39comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(?), ref: 0110A7BC

Memory Dump Source

Source File: 00000004.00000002.594149633.000000000110A000.00000040.00000001.sdmp, Offset: 0110A000, based on PE: false

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 853d4f12635ba0630a230192555685c6166e2f0f662c576ed6d952fc2cc02dd9
Instruction ID: 62905ff58bc87b3fd994ac22051a29c1b32faee3759a3fc3792aff8bc17f5dae
Opcode Fuzzy Hash: 853d4f12635ba0630a230192555685c6166e2f0f662c576ed6d952fc2cc02dd9
Instruction Fuzzy Hash: 2401AD758007409FDB15DF19E885766FFE4EF04320F18C0AADE4A8F242D3B6A408CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0110B806, Relevance: 1.5, APIs: 1, Instructions: 38windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,?,?), ref: 0110B841

Memory Dump Source

Source File: 00000004.00000002.594149633.000000000110A000.00000040.00000001.sdmp, Offset: 0110A000, based on PE: false

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: a82ea2329b73ca964917f24a3436d5dc94ba481b65b9d6173bc5c9cda1e37fb4
Instruction ID: bba0304052783d84f1e424e2e1e8e53cc2e1184a19384250eab19b346444e728
Opcode Fuzzy Hash: a82ea2329b73ca964917f24a3436d5dc94ba481b65b9d6173bc5c9cda1e37fb4
Instruction Fuzzy Hash: 3C018F35904744DFDB258F15D884B66FFA0EF08720F18C09BDE490B262D3B5A518CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0110A8EE, Relevance: 1.5, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 0110A926

Memory Dump Source

Source File: 00000004.00000002.594149633.000000000110A000.00000040.00000001.sdmp, Offset: 0110A000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: ed733991f4ddb3c84d7fbb275f8bf775e6a34f48984d4fc7e14b71c9e5fcd097
Instruction ID: 0b409ecc7be1d8f178cbada37a016ccbd61c1e429fcfee17e19c60ed6c718e6c
Opcode Fuzzy Hash: ed733991f4ddb3c84d7fbb275f8bf775e6a34f48984d4fc7e14b71c9e5fcd097
Instruction Fuzzy Hash: 5001AD35900704DFDB258F19E885B52FFA0EF05720F18C0AADE8A0B252D3B5A418CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0110BE3E, Relevance: 1.5, APIs: 1, Instructions: 35windowCOMMON

Download Yara Rule

APIs

DispatchMessageW.USER32(?), ref: 0110BE70

Memory Dump Source

Source File: 00000004.00000002.594149633.000000000110A000.00000040.00000001.sdmp, Offset: 0110A000, based on PE: false

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: d3c97151b243661ddc31b2b5c58fae311c81fc14414fbec3a814246e45eae2f2
Instruction ID: bce42844c32708dfb3efc6fe1fcc055c5da54b469e59969eb9938b8e540f4d00
Opcode Fuzzy Hash: d3c97151b243661ddc31b2b5c58fae311c81fc14414fbec3a814246e45eae2f2
Instruction Fuzzy Hash: 0EF0AF39908644DFDB25CF19D885766FFA0EF04720F18C0AADE494B252D3F5A808CAA6

Uniqueness

Uniqueness Score: -1.00%

Function 0110A372, Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 0110A3A4

Memory Dump Source

Source File: 00000004.00000002.594149633.000000000110A000.00000040.00000001.sdmp, Offset: 0110A000, based on PE: false

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: d3c97151b243661ddc31b2b5c58fae311c81fc14414fbec3a814246e45eae2f2
Instruction ID: d1b4ac926114c019e16e589b8087c416a2b8742f09986f44b89c455ed09273fb
Opcode Fuzzy Hash: d3c97151b243661ddc31b2b5c58fae311c81fc14414fbec3a814246e45eae2f2
Instruction Fuzzy Hash: 4CF08C35904744DFDB25CF1AE885766FFA0EF04620F18C09ADE494F652D7F9A408CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0111AEC0, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.594183406.0000000001112000.00000040.00000001.sdmp, Offset: 01112000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84f6042fb25a2e2b6bbaf38e2d941fb5275f56388d0f80d75dc6ba57d7dd311f
Instruction ID: 5648cf07cc04736e9b35a742439b9da65b87f4b4291a1fc8b2543d909225e06f
Opcode Fuzzy Hash: 84f6042fb25a2e2b6bbaf38e2d941fb5275f56388d0f80d75dc6ba57d7dd311f
Instruction Fuzzy Hash: F111ECB5608301AFD350CF09DC81E5BFBE8EB88660F14891EFD9997311D371E9088BA2

Uniqueness

Uniqueness Score: -1.00%

Function 0111AF0F, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.594183406.0000000001112000.00000040.00000001.sdmp, Offset: 01112000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e65adc440bcd46c38f9e1aeea665fd1ac3bc7d44fe8f4c1bd6df09dd8de12131
Instruction ID: 6b0b8fecb9a8fdec2036ed4d6b1d63e36a4d69f724c4dcaff4ecca1e0d0a3a0f
Opcode Fuzzy Hash: e65adc440bcd46c38f9e1aeea665fd1ac3bc7d44fe8f4c1bd6df09dd8de12131
Instruction Fuzzy Hash: 38E0D872A403046BD2508E069C82B63FB5CEB40A30F14C557EE0D1B302D2B1B5148AF5

Uniqueness

Uniqueness Score: -1.00%

Function 011023F4, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.594128730.0000000001102000.00000040.00000001.sdmp, Offset: 01102000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a2066a80782e45db9936a9ce42c039e78bcf80a38bd1470e1431348fc63bb57
Instruction ID: 130d890733e8cab8c2e2ba8538182e77ef09defabf0c2eadf791be90af3ad72d
Opcode Fuzzy Hash: 2a2066a80782e45db9936a9ce42c039e78bcf80a38bd1470e1431348fc63bb57
Instruction Fuzzy Hash: 33D05E79715A818FE32B8A1CC1A8B953FA4AB51B04F5744FDE800CB6A3C3A8D981D200

Uniqueness

Uniqueness Score: -1.00%

Function 011023BC, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.594128730.0000000001102000.00000040.00000001.sdmp, Offset: 01102000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 041596532e5df71f4e7b48a6143e88135f8c908061a2a4942599bdf3b0ea837b
Instruction ID: f4b4984bceb942d1d6ffe263a800be4fdc3b37abed351c067394bf94007474d7
Opcode Fuzzy Hash: 041596532e5df71f4e7b48a6143e88135f8c908061a2a4942599bdf3b0ea837b
Instruction Fuzzy Hash: 93D05E346042818BDB1ADB0CD598F593BD4AB45B00F0644E8AD008F6A2C3B4D881C600

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: bbbe7872ea466446da60c4da50020cbb.exe PID: 5620 Parent PID: 936 bbbe7872ea466446da60c4da50020cbb.exeCOMMON

Executed Functions

Function 029652C8, Relevance: 5.1, Strings: 4, Instructions: 139COMMON

Download Yara Rule

Strings

f]Ir, xrefs: 02965328
:@Dr, xrefs: 029653F4
>_Ir, xrefs: 02965411
`5kr, xrefs: 029654CD

Memory Dump Source

Source File: 0000000A.00000002.363301512.0000000002960000.00000040.00000001.sdmp, Offset: 02960000, based on PE: false

Similarity

API ID:
String ID: :@Dr$>_Ir$`5kr$f]Ir
API String ID: 0-3492759196
Opcode ID: 04105b2eb6c4f08a0f8779028a8a6bc885803dd2cde8ece53bb7eff2f2b166b0
Instruction ID: 733be2f584e00d2d85f1f09d31d2ece54762f9815d767e71d0f27cf46086e715
Opcode Fuzzy Hash: 04105b2eb6c4f08a0f8779028a8a6bc885803dd2cde8ece53bb7eff2f2b166b0
Instruction Fuzzy Hash: 25518770E00209CFE744EF6EEA8879DBBE6FB98344F148129D148AB358EB755946CB50

Uniqueness

Uniqueness Score: -1.00%

Function 029652D8, Relevance: 5.1, Strings: 4, Instructions: 136COMMON

Download Yara Rule

Strings

f]Ir, xrefs: 02965328
:@Dr, xrefs: 029653F4
>_Ir, xrefs: 02965411
`5kr, xrefs: 029654CD

Memory Dump Source

Source File: 0000000A.00000002.363301512.0000000002960000.00000040.00000001.sdmp, Offset: 02960000, based on PE: false

Similarity

API ID:
String ID: :@Dr$>_Ir$`5kr$f]Ir
API String ID: 0-3492759196
Opcode ID: af831d9919a6dc590a3d25ed3ad4f49eb48fab493bd766db0ba3c7a75c3a3fc9
Instruction ID: a08574fccde1ae184b769ee450d39495d8a0e3f6e492c501e81914e297e77ed6
Opcode Fuzzy Hash: af831d9919a6dc590a3d25ed3ad4f49eb48fab493bd766db0ba3c7a75c3a3fc9
Instruction Fuzzy Hash: 2E516770E00209CFE744EF6EE98879DBBF6FB88344F148129D148AB358DB755946CB51

Uniqueness

Uniqueness Score: -1.00%

Function 02964880, Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.363301512.0000000002960000.00000040.00000001.sdmp, Offset: 02960000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91cbcea4d973f41ba3a1a2f56d986759962f3fd9b59fb0424444c154614a5a3f
Instruction ID: 4a2f821279dae32526a47fc8310f8fee46530e5a5a1624c3a4445947d78642ca
Opcode Fuzzy Hash: 91cbcea4d973f41ba3a1a2f56d986759962f3fd9b59fb0424444c154614a5a3f
Instruction Fuzzy Hash: CB7139B0D002489FDB14CFEAD9946EDBBF2FF99325F64D229D414AB395D63099028F50

Uniqueness

Uniqueness Score: -1.00%

Function 02964890, Relevance: .2, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.363301512.0000000002960000.00000040.00000001.sdmp, Offset: 02960000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82e94125157250f2e93bdc08abd3c2ecb74a734b5e49bd40a2706c1892afc316
Instruction ID: 45018e9d82e5ff6b547535f8bd266dda34a9d27d7125c65062cb4151dd8dc68b
Opcode Fuzzy Hash: 82e94125157250f2e93bdc08abd3c2ecb74a734b5e49bd40a2706c1892afc316
Instruction Fuzzy Hash: EB6145B0D002499FDB14CFEAC5946ADFBF2BF98324B64D259D424AB399D7309942CF60

Uniqueness

Uniqueness Score: -1.00%

Function 02964688, Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.363301512.0000000002960000.00000040.00000001.sdmp, Offset: 02960000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd47f70ec76cf86c2edae00c5c6d12b796e2f01601c849acee9efd64a886a238
Instruction ID: b0c7b3f74ea9405dadf0416570e6929ad1d78318014cec39e07bc2e93be195f9
Opcode Fuzzy Hash: fd47f70ec76cf86c2edae00c5c6d12b796e2f01601c849acee9efd64a886a238
Instruction Fuzzy Hash: 30510271D002188BDF19CFEAC854AEEBBF6EF99325F509129D514BB265EB309902CF50

Uniqueness

Uniqueness Score: -1.00%

Function 02964678, Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.363301512.0000000002960000.00000040.00000001.sdmp, Offset: 02960000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 858e431bc7d16d2a8e3157786a4e0bb570a740f4f258c30ae9994575ae7c9cce
Instruction ID: e4651f20807641022c020af0498c62f9403eefbe5052c1203d571a555977cc56
Opcode Fuzzy Hash: 858e431bc7d16d2a8e3157786a4e0bb570a740f4f258c30ae9994575ae7c9cce
Instruction Fuzzy Hash: 63510371E002198FDB18CFEAC9546EEBBF6EF89314F249129D514AB295DB305902CF51

Uniqueness

Uniqueness Score: -1.00%

Function 029605A8, Relevance: 2.7, Strings: 2, Instructions: 201COMMON

Download Yara Rule

Strings

`5kr, xrefs: 0296072D
:@Dr, xrefs: 029606D4

Memory Dump Source

Source File: 0000000A.00000002.363301512.0000000002960000.00000040.00000001.sdmp, Offset: 02960000, based on PE: false

Similarity

API ID:
String ID: :@Dr$`5kr
API String ID: 0-2548079215
Opcode ID: 0a10e707a83e4931a73c0c6094b4b0cfecaf80a83a9870e9f58484c214cec2c4
Instruction ID: 4ef67eb4b87847174b53cb8250ee536cefe5b63c3764f1e9bc6f5fecac35b8dc
Opcode Fuzzy Hash: 0a10e707a83e4931a73c0c6094b4b0cfecaf80a83a9870e9f58484c214cec2c4
Instruction Fuzzy Hash: 8C91E374E01218CFEB54DFA9C898BADBBF2BF89314F109469D409AB3A0DB719945CF50

Uniqueness

Uniqueness Score: -1.00%

Function 02962816, Relevance: 2.6, Strings: 2, Instructions: 58COMMON

Download Yara Rule

Strings

N, xrefs: 029628BD
7, xrefs: 02962817

Memory Dump Source

Source File: 0000000A.00000002.363301512.0000000002960000.00000040.00000001.sdmp, Offset: 02960000, based on PE: false

Similarity

API ID:
String ID: 7$N
API String ID: 0-3202983734
Opcode ID: 3d2018bd2532de82c3c83e9917365ecfb93752e8f976e3a8909cb4dc7a56e287
Instruction ID: d78e160112a867a82347cf92e17b5127ab3b630f6a147de7c8d803fcc2357ddd
Opcode Fuzzy Hash: 3d2018bd2532de82c3c83e9917365ecfb93752e8f976e3a8909cb4dc7a56e287
Instruction Fuzzy Hash: 7E21BF74E02228CFEB25CF24C859BE8BBB5BB4A345F0040EAD58DA7281C7754A85CF45

Uniqueness

Uniqueness Score: -1.00%

Function 0106AB26, Relevance: 1.6, APIs: 1, Instructions: 92registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,00000E2C), ref: 0106ABD5

Memory Dump Source

Source File: 0000000A.00000002.362995855.000000000106A000.00000040.00000001.sdmp, Offset: 0106A000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: c20ecff07b4da1323dd4971a5fc80fc254a013a7641517b2df34678c7b515d90
Instruction ID: 5fdbdb860859b0573c656de8fcf395fa914b44c3575767cbe2434c59236e976c
Opcode Fuzzy Hash: c20ecff07b4da1323dd4971a5fc80fc254a013a7641517b2df34678c7b515d90
Instruction Fuzzy Hash: 4931B472504384AFE7228B25CC45F67BFFCEF06720F08849BED809B152D265A849CB71

Uniqueness

Uniqueness Score: -1.00%

Function 0106AC1D, Relevance: 1.6, APIs: 1, Instructions: 89registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,356BE201,00000000,00000000,00000000,00000000), ref: 0106ACD8

Memory Dump Source

Source File: 0000000A.00000002.362995855.000000000106A000.00000040.00000001.sdmp, Offset: 0106A000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 11dc2ec0cee8744842315bb073738ca65d0b525c8790d0ea0c580f835325f88a
Instruction ID: 35260c6379850715185725c6de93bc543a6d8863d4a9c5a7d43efb00663df3e0
Opcode Fuzzy Hash: 11dc2ec0cee8744842315bb073738ca65d0b525c8790d0ea0c580f835325f88a
Instruction Fuzzy Hash: 5C317071105384AFEB22CB25CC45F62BFECEF06320F18849AE9859B152D264E549CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0106B074, Relevance: 1.6, APIs: 1, Instructions: 77COMMON

Download Yara Rule

APIs

SetConsoleCtrlHandler.KERNELBASE(?,00000E2C,?,?), ref: 0106B10E

Memory Dump Source

Source File: 0000000A.00000002.362995855.000000000106A000.00000040.00000001.sdmp, Offset: 0106A000, based on PE: false

Similarity

API ID: ConsoleCtrlHandler
String ID:
API String ID: 1513847179-0
Opcode ID: b41de51e94e1f2a4b01ac4cfd9ea3cbebb7d65dd06a58b8e2f821475fb06e337
Instruction ID: 98c9c129f073554b6a995d2b389080af1204ddf7edf1e186d48162166fd15823
Opcode Fuzzy Hash: b41de51e94e1f2a4b01ac4cfd9ea3cbebb7d65dd06a58b8e2f821475fb06e337
Instruction Fuzzy Hash: 4721B67154D7C06FD7138B259C51B22BFB8EF87610F0A81DBE884CB653D225A919C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 0106AB56, Relevance: 1.6, APIs: 1, Instructions: 74registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,00000E2C), ref: 0106ABD5

Memory Dump Source

Source File: 0000000A.00000002.362995855.000000000106A000.00000040.00000001.sdmp, Offset: 0106A000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 7295e188121842f20da87ebae56755a5259c02f510a77508c22fa49991ce56a1
Instruction ID: 0cb59ebd5ba2e9f6307ef041b845821645725455ea3143a4103a52af5da3d652
Opcode Fuzzy Hash: 7295e188121842f20da87ebae56755a5259c02f510a77508c22fa49991ce56a1
Instruction Fuzzy Hash: B6219F72500604EFEB21AB19CC44F6BFBECEF04720F14885BEE85AB242D665E4088B71

Uniqueness

Uniqueness Score: -1.00%

Function 0106BE1D, Relevance: 1.6, APIs: 1, Instructions: 70COMMON

Download Yara Rule

APIs

DrawTextExW.USER32(?,?,?,?,?,?), ref: 0106BE9F

Memory Dump Source

Source File: 0000000A.00000002.362995855.000000000106A000.00000040.00000001.sdmp, Offset: 0106A000, based on PE: false

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: c1ed52a9148d6195335a50a3b6e9d808e857c5c64f27bc9c1b2fc013cf19fdb1
Instruction ID: a9e2e5986002d377fd91a5abf7c18b3ba2dde0db8eb98d8fe66ba250c865f8f7
Opcode Fuzzy Hash: c1ed52a9148d6195335a50a3b6e9d808e857c5c64f27bc9c1b2fc013cf19fdb1
Instruction Fuzzy Hash: C1215171509784AFDB22CF65DC44B52BFE8EF06310F0984DAEA848B553D275E508CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0106AC5E, Relevance: 1.6, APIs: 1, Instructions: 69registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,356BE201,00000000,00000000,00000000,00000000), ref: 0106ACD8

Memory Dump Source

Source File: 0000000A.00000002.362995855.000000000106A000.00000040.00000001.sdmp, Offset: 0106A000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 46a274b1e1b380dc800e2ef2f07891c1d99517bd3597faa55f204f02ed37a951
Instruction ID: 8569f119d0970dd7dcaa6061df599500a593b2b0c9000b546f6d26008ef407c2
Opcode Fuzzy Hash: 46a274b1e1b380dc800e2ef2f07891c1d99517bd3597faa55f204f02ed37a951
Instruction Fuzzy Hash: 8D218171600604EFEB20DF19CC84F67BBECEF05720F0484AAEA85AB251D660E408CB71

Uniqueness

Uniqueness Score: -1.00%

Function 0106B46D, Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

LoadLibraryShim.MSCOREE(?,?,?,?), ref: 0106B4E9

Memory Dump Source

Source File: 0000000A.00000002.362995855.000000000106A000.00000040.00000001.sdmp, Offset: 0106A000, based on PE: false

Similarity

API ID: LibraryLoadShim
String ID:
API String ID: 1475914169-0
Opcode ID: 9077bfa43d624659b3613ea7cfac0c3cfe41ceaa1088803cae891b88f061077c
Instruction ID: 43d7ad7bda3069f4410230502249eb48ec50bd08f700c1ba0660e1bbb7c19e8a
Opcode Fuzzy Hash: 9077bfa43d624659b3613ea7cfac0c3cfe41ceaa1088803cae891b88f061077c
Instruction Fuzzy Hash: 482193B15093846FDB228A15DC45B62BFE8EF46710F0880CAED84CB253D275E908CB71

Uniqueness

Uniqueness Score: -1.00%

Function 0502015D, Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 050201C8

Memory Dump Source

Source File: 0000000A.00000002.366829602.0000000005020000.00000040.00000001.sdmp, Offset: 05020000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: ebda5dfed71b0a869583021e9276e391471c734be30ee9de293ff54384c2c5bf
Instruction ID: 382cb4c8422ddff6341cd880a93c9b60f8bc540771fa70543d2fac9e2a9c983b
Opcode Fuzzy Hash: ebda5dfed71b0a869583021e9276e391471c734be30ee9de293ff54384c2c5bf
Instruction Fuzzy Hash: 0B21C0714093C0AFDB128B25DD94B52BFB8EF02220F0980DBED848F663D274A908CB71

Uniqueness

Uniqueness Score: -1.00%

Function 050205C5, Relevance: 1.6, APIs: 1, Instructions: 62windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 05020639

Memory Dump Source

Source File: 0000000A.00000002.366829602.0000000005020000.00000040.00000001.sdmp, Offset: 05020000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 275798c43b16ccb249bc4a03b537537cd475bd384660f34b8e76eadda11a49ea
Instruction ID: 597f9e400577495ef6bd5f9346eebdbd0adc844271106509db9acb814ba5a0dc
Opcode Fuzzy Hash: 275798c43b16ccb249bc4a03b537537cd475bd384660f34b8e76eadda11a49ea
Instruction Fuzzy Hash: 80215C714093C0AFDB238B25DC54A52BFB4EF17220F0985DAE9848F163D266A958DB62

Uniqueness

Uniqueness Score: -1.00%

Function 0106A5AF, Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0106A61A

Memory Dump Source

Source File: 0000000A.00000002.362995855.000000000106A000.00000040.00000001.sdmp, Offset: 0106A000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 8c53fbea5e886106fe746e718a807b369b777004ccc940cfe2eb8697b7331af5
Instruction ID: 891ae5ae3136a9909d901a58929785f71c8e02aeb0b5209ec899a5a103b9b717
Opcode Fuzzy Hash: 8c53fbea5e886106fe746e718a807b369b777004ccc940cfe2eb8697b7331af5
Instruction Fuzzy Hash: 25118471409380AFDB238F55DC44A62FFF8EF4A210F0884DAEE859B153D275A518DB61

Uniqueness

Uniqueness Score: -1.00%

Function 05020957, Relevance: 1.6, APIs: 1, Instructions: 56windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 050209C1

Memory Dump Source

Source File: 0000000A.00000002.366829602.0000000005020000.00000040.00000001.sdmp, Offset: 05020000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 90cc745a2463321c416f034e14fbe340355d1b6004485b5950cf6ed52b74f88e
Instruction ID: f5b4e1f45b342ffbed7a277b3ce71d05b4b7fa40f7808f8e355d5cbbcec1d289
Opcode Fuzzy Hash: 90cc745a2463321c416f034e14fbe340355d1b6004485b5950cf6ed52b74f88e
Instruction Fuzzy Hash: 25119072409384AFDB228F15DC45F56FFB4EF06224F0884DEED858B563D275A818DB61

Uniqueness

Uniqueness Score: -1.00%

Function 0106BE4E, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

DrawTextExW.USER32(?,?,?,?,?,?), ref: 0106BE9F

Memory Dump Source

Source File: 0000000A.00000002.362995855.000000000106A000.00000040.00000001.sdmp, Offset: 0106A000, based on PE: false

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: 2383ac1ea8f35b1cc88adc71789bcecdadc77b73857175550d3b8386a3004d99
Instruction ID: ea7600afbee7788db1da875ae1394bf4b0965c05dbb447d886b801fcfce592c6
Opcode Fuzzy Hash: 2383ac1ea8f35b1cc88adc71789bcecdadc77b73857175550d3b8386a3004d99
Instruction Fuzzy Hash: 65112E756006049FEB21CF69DD84B66FFE8EF04710F0884AADE85CB652D775E408CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0106A9F0, Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32 ref: 0106AA4A

Memory Dump Source

Source File: 0000000A.00000002.362995855.000000000106A000.00000040.00000001.sdmp, Offset: 0106A000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 4c863537af7355ab095ab8f735207b93674b4a5af4000b39460b30de8c27c4b2
Instruction ID: df70edc1704a876a468b0697fe9bccc274acd313a4487ba513c2e1a734e6c50b
Opcode Fuzzy Hash: 4c863537af7355ab095ab8f735207b93674b4a5af4000b39460b30de8c27c4b2
Instruction Fuzzy Hash: B011AC32408384AFCB228F15DC84B56FFF4EF06220F08C0DAED855B262C375A808CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0106B49E, Relevance: 1.5, APIs: 1, Instructions: 46libraryCOMMON

Download Yara Rule

APIs

LoadLibraryShim.MSCOREE(?,?,?,?), ref: 0106B4E9

Memory Dump Source

Source File: 0000000A.00000002.362995855.000000000106A000.00000040.00000001.sdmp, Offset: 0106A000, based on PE: false

Similarity

API ID: LibraryLoadShim
String ID:
API String ID: 1475914169-0
Opcode ID: ac73e8b56681b2591b58606f55a1354ddc02b86cc76147e4859c93012336fba4
Instruction ID: 1325ef14b708b34c888b0e9f7eb1be08e37e532e698014c0c87be179b7ba02a5
Opcode Fuzzy Hash: ac73e8b56681b2591b58606f55a1354ddc02b86cc76147e4859c93012336fba4
Instruction Fuzzy Hash: 4D0192B16006009FEB60DF1AD885B66FFE8EF04720F08809ADD89CB252D671E408CB71

Uniqueness

Uniqueness Score: -1.00%

Function 0106A5D6, Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0106A61A

Memory Dump Source

Source File: 0000000A.00000002.362995855.000000000106A000.00000040.00000001.sdmp, Offset: 0106A000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 4fe52f792f8c1561d8a8a2e5e4612b6fa5e0c1828d9288c0007732a526491509
Instruction ID: 6bce87879063beac7c541742e03aa9c7862e48e28e7e874dcb3ec49c1c63fafd
Opcode Fuzzy Hash: 4fe52f792f8c1561d8a8a2e5e4612b6fa5e0c1828d9288c0007732a526491509
Instruction Fuzzy Hash: 36018031500600EFDF219F55D844B56FFE4EF48720F08C5AAEE895B612D2B6A418DF61

Uniqueness

Uniqueness Score: -1.00%

Function 0106B0BE, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

SetConsoleCtrlHandler.KERNELBASE(?,00000E2C,?,?), ref: 0106B10E

Memory Dump Source

Source File: 0000000A.00000002.362995855.000000000106A000.00000040.00000001.sdmp, Offset: 0106A000, based on PE: false

Similarity

API ID: ConsoleCtrlHandler
String ID:
API String ID: 1513847179-0
Opcode ID: 0845f6eee2378b29fbad8988eff6f5b7769e86f07532f40917ed50d3216475dc
Instruction ID: 9780aeddef7aa416287b7531c108f3670fc110535d2a70ee05f87dc476fc248b
Opcode Fuzzy Hash: 0845f6eee2378b29fbad8988eff6f5b7769e86f07532f40917ed50d3216475dc
Instruction Fuzzy Hash: 6501AD72500600ABD610DF16DC86F26FBA8FB88B20F14815AED085B741E371F916CBE6

Uniqueness

Uniqueness Score: -1.00%

Function 05020196, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 050201C8

Memory Dump Source

Source File: 0000000A.00000002.366829602.0000000005020000.00000040.00000001.sdmp, Offset: 05020000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 5b03bcb56c367917634556d4a7242393175ce13067f4ea6b1689e624e9b9fe9e
Instruction ID: 28e22db5f4b0bc4f417ff1c4c2d6145a668d59a3db7df99c4114ae259fd667dd
Opcode Fuzzy Hash: 5b03bcb56c367917634556d4a7242393175ce13067f4ea6b1689e624e9b9fe9e
Instruction Fuzzy Hash: F101B1315047009FDB10CF1AE88975AFBD4EF04220F08C0ABDD098B642D2B5A408CF72

Uniqueness

Uniqueness Score: -1.00%

Function 05020986, Relevance: 1.5, APIs: 1, Instructions: 42windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 050209C1

Memory Dump Source

Source File: 0000000A.00000002.366829602.0000000005020000.00000040.00000001.sdmp, Offset: 05020000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: f632d938dda99eb2038c5bfedc17d11052b3084d2870e482e978101197654c25
Instruction ID: 693b2ecdc6d2a2d4c28592d045a786e354b85655647c9e9fa071a013c61b122a
Opcode Fuzzy Hash: f632d938dda99eb2038c5bfedc17d11052b3084d2870e482e978101197654c25
Instruction Fuzzy Hash: E1017135504700DFEB20CF15E889B6AFFE5EF04320F08C09ADD464B652D2B5A458DF61

Uniqueness

Uniqueness Score: -1.00%

Function 050205FE, Relevance: 1.5, APIs: 1, Instructions: 38windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 05020639

Memory Dump Source

Source File: 0000000A.00000002.366829602.0000000005020000.00000040.00000001.sdmp, Offset: 05020000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: bed7c03d2827671d091155351825eba3091631c67ef32450b00bb5a2753f0f7c
Instruction ID: ba0ee2979edee20b699e2d0dcd47583eb6543bca92fc1c95d91d83e5ad2cc725
Opcode Fuzzy Hash: bed7c03d2827671d091155351825eba3091631c67ef32450b00bb5a2753f0f7c
Instruction Fuzzy Hash: C801A231400744DFDB20CF56D888B2AFFE1EF44320F08C09ADE490B616C2B6A458CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 0106AA12, Relevance: 1.5, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32 ref: 0106AA4A

Memory Dump Source

Source File: 0000000A.00000002.362995855.000000000106A000.00000040.00000001.sdmp, Offset: 0106A000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: a957442a5bdc41c3a11d53853a7eee472a44e943fb0a0c86ef7b9bb63b3e1dfa
Instruction ID: e93a69318c3a162fa803c0a5e59b3f49edb08a9293a015e449e659e1c6df6d12
Opcode Fuzzy Hash: a957442a5bdc41c3a11d53853a7eee472a44e943fb0a0c86ef7b9bb63b3e1dfa
Instruction Fuzzy Hash: 1B01AD35500604DFDB209F09D984B1AFFE4EF04720F08C09BDE891B252C3B5A408CF62

Uniqueness

Uniqueness Score: -1.00%

Function 02960599, Relevance: 1.4, Strings: 1, Instructions: 174COMMON

Download Yara Rule

Strings

:@Dr, xrefs: 029606D4

Memory Dump Source

Source File: 0000000A.00000002.363301512.0000000002960000.00000040.00000001.sdmp, Offset: 02960000, based on PE: false

Similarity

API ID:
String ID: :@Dr
API String ID: 0-3830894600
Opcode ID: f05dcfff494eb1a4d953d52ae11e3ccbd2e309de3fabede929087884bccae811
Instruction ID: 149daa2084545b6f321aeff024548811b091829e2f471d86adb7647c53af521d
Opcode Fuzzy Hash: f05dcfff494eb1a4d953d52ae11e3ccbd2e309de3fabede929087884bccae811
Instruction Fuzzy Hash: 75710774D01218CFEB54DFA9C898BADBBF2BF89314F1091A9D409AB390DB719985CF50

Uniqueness

Uniqueness Score: -1.00%

Function 02962838, Relevance: 1.3, Strings: 1, Instructions: 49COMMON

Download Yara Rule

Strings

X, xrefs: 02962884

Memory Dump Source

Source File: 0000000A.00000002.363301512.0000000002960000.00000040.00000001.sdmp, Offset: 02960000, based on PE: false

Similarity

API ID:
String ID: X
API String ID: 0-3081909835
Opcode ID: 902d01b5c7c2e415330b9691b31f162ee412f3831aaf1370768a531246230f5b
Instruction ID: 590d76d4c708767a88c8a22ca45882c204bd799f268c333c7129eb0045ecd2c7
Opcode Fuzzy Hash: 902d01b5c7c2e415330b9691b31f162ee412f3831aaf1370768a531246230f5b
Instruction Fuzzy Hash: 7121BF74E02228CFEB21CF24C8597E8BBB5BF4A305F0080E9998DA7295CB755A85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 02960A61, Relevance: .7, Instructions: 743COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.363301512.0000000002960000.00000040.00000001.sdmp, Offset: 02960000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e35b354b7be94d7aa0d59392bc5c36f3a68c1bbeaa98ef68aafd8052cef3314
Instruction ID: 4fadab8719c7984bec204012080a3f226d1933eb0f5804c47563681be8cbf1d5
Opcode Fuzzy Hash: 7e35b354b7be94d7aa0d59392bc5c36f3a68c1bbeaa98ef68aafd8052cef3314
Instruction Fuzzy Hash: DD72A234A01218CFDB64DB64C994BADB7B2FF8A301F5180E9D549AB361DB31AE95CF01

Uniqueness

Uniqueness Score: -1.00%

Function 0296B8A8, Relevance: .3, Instructions: 313COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.363301512.0000000002960000.00000040.00000001.sdmp, Offset: 02960000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1391cd1db270ba6e2b0b78125af42a4db0bda7e3daa27b9e3ecdb7107eea51b4
Instruction ID: 5eda9e24e3f5fd660632cf7045d4ced264eab66e3144ea925d714d448c1e7fa5
Opcode Fuzzy Hash: 1391cd1db270ba6e2b0b78125af42a4db0bda7e3daa27b9e3ecdb7107eea51b4
Instruction Fuzzy Hash: 6CD1CF74C05218CFDB24DFA9D5687ADBBF1FB0A309F10946AD049B3280EB795A89CF14

Uniqueness

Uniqueness Score: -1.00%

Function 02964AE7, Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.363301512.0000000002960000.00000040.00000001.sdmp, Offset: 02960000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 181f8d54daa06e20845ddd3bd1c872e634386c5869c7c3f73669dc878f7ed3b6
Instruction ID: 1df29e50ddf93dfc88a281c3126f797150eca667cfb6921ec8d7e7635d28e4d1
Opcode Fuzzy Hash: 181f8d54daa06e20845ddd3bd1c872e634386c5869c7c3f73669dc878f7ed3b6
Instruction Fuzzy Hash: 3CC11074A00249CFDB64EFA4D988BACBBF1FF48345F1095A9E809AB354DB709985CF50

Uniqueness

Uniqueness Score: -1.00%

Function 02964C54, Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.363301512.0000000002960000.00000040.00000001.sdmp, Offset: 02960000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18a6c9589728be68e12522aba76bc9478237fe202ac4a3f2f84466ce6e7a3d6d
Instruction ID: 7bf3759f4be3da72d2267a921d8b01b07aed18285f294cc3ce308c97bdd8070c
Opcode Fuzzy Hash: 18a6c9589728be68e12522aba76bc9478237fe202ac4a3f2f84466ce6e7a3d6d
Instruction Fuzzy Hash: 71C10E74A10259CFEB60EFA4D988BACBBB2FB44305F1095A9E809A7384DF705D85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 02962FF8, Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.363301512.0000000002960000.00000040.00000001.sdmp, Offset: 02960000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 071b8c6ebb40197647e43bb39e3753bf9fe5d3e02c0c08f2adeac2b73127fdb0
Instruction ID: 843a0bd24965170446948eb275a20a0915cd146337c27ae650c6de8b18fb636d
Opcode Fuzzy Hash: 071b8c6ebb40197647e43bb39e3753bf9fe5d3e02c0c08f2adeac2b73127fdb0
Instruction Fuzzy Hash: 01910475C05268CEDB288FA1C95C7FDFAF8BB46B49F0465DAD109B2191C7740A88CF18

Uniqueness

Uniqueness Score: -1.00%

Function 02964E57, Relevance: .2, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.363301512.0000000002960000.00000040.00000001.sdmp, Offset: 02960000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a27b800d6bab11fe7fe89e39fe2bd894d3598b9bb3dd04bf43353d185d2c5c39
Instruction ID: 3dab4bd7c1a024fab33c1595313bfe99eef29dd1cd6f400a6e14485c38247ab4
Opcode Fuzzy Hash: a27b800d6bab11fe7fe89e39fe2bd894d3598b9bb3dd04bf43353d185d2c5c39
Instruction Fuzzy Hash: 63A14F74900259CFEB20EFA4D988BACBBF1FF44344F1495AAE809A7394DB709985CF51

Uniqueness

Uniqueness Score: -1.00%

Function 02964AB8, Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.363301512.0000000002960000.00000040.00000001.sdmp, Offset: 02960000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 930cf5b2150d6161b7cf5e1d0195a3734528451f19b4aad7cfb6cdd0f59fb3c4
Instruction ID: 1c3a59adeb4e80238502986f994a276305dff8c38f0c39d6aae132f23faeb4cf
Opcode Fuzzy Hash: 930cf5b2150d6161b7cf5e1d0195a3734528451f19b4aad7cfb6cdd0f59fb3c4
Instruction Fuzzy Hash: E9914C74D00259CFEB20EFA4D988BADBBF1FB48345F1095AAD809A7384DB709985CF11

Uniqueness

Uniqueness Score: -1.00%

Function 029651DC, Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.363301512.0000000002960000.00000040.00000001.sdmp, Offset: 02960000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc51bcb2d866eca5b77fb7d219533a0493a052f4939aefd4042818565f533db5
Instruction ID: 244871fcc98cb3568bc73a1f1eeb76700d0fa521c3fe106a73fe7f75ddfe32e0
Opcode Fuzzy Hash: dc51bcb2d866eca5b77fb7d219533a0493a052f4939aefd4042818565f533db5
Instruction Fuzzy Hash: 30911F74D00259CFEB20EFA4D988BACBBF1FB48345F1095A9E809A7384DB709985CF51

Uniqueness

Uniqueness Score: -1.00%

Function 02964AA8, Relevance: .2, Instructions: 181COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.363301512.0000000002960000.00000040.00000001.sdmp, Offset: 02960000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ff02f5100b8a4bf16809888798f7c3242fa92ef0e0d7ab4ccbeb761940b1e62
Instruction ID: 833a6887c5c6663a17e0c351cadfd98fd695b667f939ffe40742512951233f96
Opcode Fuzzy Hash: 8ff02f5100b8a4bf16809888798f7c3242fa92ef0e0d7ab4ccbeb761940b1e62
Instruction Fuzzy Hash: A5914D70900259CFEB20EFA4D988BACBBF1FF08345F1095AAD809A7394DB749985CF11

Uniqueness

Uniqueness Score: -1.00%

Function 02964ECD, Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.363301512.0000000002960000.00000040.00000001.sdmp, Offset: 02960000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5c23b315a0bc3b584f3f6eeb1a69258c19f3cb98810003c9b5085b65dbbb43d
Instruction ID: d050fc6616c67118d149c037eadb2f8b14380b800315a7f4358cac5f4ee7331e
Opcode Fuzzy Hash: e5c23b315a0bc3b584f3f6eeb1a69258c19f3cb98810003c9b5085b65dbbb43d
Instruction Fuzzy Hash: 22912E74D00259CFEB60EFA4D988BADBBF1FB48345F1095AAE809A7344DB709985CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0107AA4B, Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.363013218.0000000001072000.00000040.00000001.sdmp, Offset: 01072000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea27ce1fb6f9e85110bc154a68409e3f9cd4ed7fea29924b6cbd212b170ac326
Instruction ID: 57def838aa1f7c43d7850727c60c213bae9b129d9d7fb253889e078ef81fc59e
Opcode Fuzzy Hash: ea27ce1fb6f9e85110bc154a68409e3f9cd4ed7fea29924b6cbd212b170ac326
Instruction Fuzzy Hash: 7751847650D380AFD712CF259C51A57BFF4EF46620F08889FE9889B253D275A908CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0107A5C0, Relevance: .2, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.363013218.0000000001072000.00000040.00000001.sdmp, Offset: 01072000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5153856a60cd53264e931a20bfb468bdc8beb1e5b9bd10179c0b7dc33ee35e66
Instruction ID: acb4905f7e661c7568a5e36ae29f3b9ea03e438a1f6c1e8ddc4844f6054cfe10
Opcode Fuzzy Hash: 5153856a60cd53264e931a20bfb468bdc8beb1e5b9bd10179c0b7dc33ee35e66
Instruction Fuzzy Hash: 1A51A372509380AFD702CF15DC50957FFF4EF86620F09899FF9889B252D275A904CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 02960270, Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.363301512.0000000002960000.00000040.00000001.sdmp, Offset: 02960000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5e9c22410aec964475c9c09f682da7a9f7efa21801d1c3daedabb16a055e757
Instruction ID: 16cd5c13e55928218acf1893931fb199d71fe52e8d9fa9ce2f24b99d8533a1c1
Opcode Fuzzy Hash: e5e9c22410aec964475c9c09f682da7a9f7efa21801d1c3daedabb16a055e757
Instruction Fuzzy Hash: 7E518B78E04618DFDB15CFA8C884AEDBBF1BB4D310F1454A5E902AB3A0D735AA50DF64

Uniqueness

Uniqueness Score: -1.00%

Function 0296301E, Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.363301512.0000000002960000.00000040.00000001.sdmp, Offset: 02960000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a83cf4b9a85ca5f6e941c48a2f7a2484c4ca658b6e78411d1e3a77611007091
Instruction ID: 5e788f3326051175f8a55a653b01982278399baeac6c5540bc16cc912733de8d
Opcode Fuzzy Hash: 1a83cf4b9a85ca5f6e941c48a2f7a2484c4ca658b6e78411d1e3a77611007091
Instruction Fuzzy Hash: 9041D271C05268CEDB288FA1C85C7FCBAF8BB45B49F1455DAD409B2291C7744AC8CF18

Uniqueness

Uniqueness Score: -1.00%

Function 02960280, Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.363301512.0000000002960000.00000040.00000001.sdmp, Offset: 02960000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e55b65a4e33ecbc91c9bb2317f4662a72fe4a21d44c77435cf4eb8f55096e868
Instruction ID: e133804710f1924f309d6577960ed55a523759683ca0e2a2003687eaf2a98df3
Opcode Fuzzy Hash: e55b65a4e33ecbc91c9bb2317f4662a72fe4a21d44c77435cf4eb8f55096e868
Instruction Fuzzy Hash: 17419C78E00618DFDB14DFA8C884BADBBF1BB4D311F0454A5E502AB3A0D775A980DF64

Uniqueness

Uniqueness Score: -1.00%

Function 02964351, Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.363301512.0000000002960000.00000040.00000001.sdmp, Offset: 02960000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d9087a61a27fc26ee42f7d2ad6fba6ead5d0f9b4c49bc2f65c28a9c6cc10b77
Instruction ID: 10bc1d287639c21ef7aab76da6bc32617c8fea98b3d051be75346ceca651b753
Opcode Fuzzy Hash: 5d9087a61a27fc26ee42f7d2ad6fba6ead5d0f9b4c49bc2f65c28a9c6cc10b77
Instruction Fuzzy Hash: B4419EB4E012089FCB48DFA9D5859ADBBF2BF88300F24816AE409AB364DB359945CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0107A81A, Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.363013218.0000000001072000.00000040.00000001.sdmp, Offset: 01072000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5deafd9006f4d517452b153a40b4753e11d3beb48a9b2bc86414b4e70789d9b
Instruction ID: 493819f546c2ab8a8dc526fa2265356862195e6079f4bdec5f4fac5b497e9768
Opcode Fuzzy Hash: e5deafd9006f4d517452b153a40b4753e11d3beb48a9b2bc86414b4e70789d9b
Instruction Fuzzy Hash: 81214BB6508340AFD710CF09EC45E5BFFE8EB85620F18C96EF95997211D275A904CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0107A700, Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.363013218.0000000001072000.00000040.00000001.sdmp, Offset: 01072000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9daa6787a7173758f7cdb116bc4646240d46208514861562e37b60d7ccabcffd
Instruction ID: 38d236a71abe030a56196c171f2d7f3b80fd7728e308bc8441b3d9f9df23ed80
Opcode Fuzzy Hash: 9daa6787a7173758f7cdb116bc4646240d46208514861562e37b60d7ccabcffd
Instruction Fuzzy Hash: D52130B6544304BFD710CF0AEC41D5BFBE8EB88670F14C91EFD5997211D271A9148BA2

Uniqueness

Uniqueness Score: -1.00%

Function 0107A958, Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.363013218.0000000001072000.00000040.00000001.sdmp, Offset: 01072000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2713806091623bd26069069ddc4674e586c45c49480fbb362a336d7a86468bbc
Instruction ID: 1409899746004f8b0773e31523ad8782148bfeca50a48a84c5290f343bd020d1
Opcode Fuzzy Hash: 2713806091623bd26069069ddc4674e586c45c49480fbb362a336d7a86468bbc
Instruction Fuzzy Hash: 832130B6544304BFD710CF0AEC41E6BFBE8EB88670F14C91EFD5997211D271A9148BA2

Uniqueness

Uniqueness Score: -1.00%

Function 0107A3BC, Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.363013218.0000000001072000.00000040.00000001.sdmp, Offset: 01072000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e34d09d65717d3894386e77e24216b45cfea7fd336edfc483a40589f2ca26522
Instruction ID: 3ada193432fde3cc123334211da50fbc0a4a84dfed34969dad9add46b2ae27aa
Opcode Fuzzy Hash: e34d09d65717d3894386e77e24216b45cfea7fd336edfc483a40589f2ca26522
Instruction Fuzzy Hash: 2E219376644304BFE6108E4AEC41E67FFECEB84A70F14C95EFE4957211D272B9148BA1

Uniqueness

Uniqueness Score: -1.00%

Function 0107A716, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.363013218.0000000001072000.00000040.00000001.sdmp, Offset: 01072000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a3581fd5e093efa96d85dc355a51e25cb0c1f24477a8f1072867761dc9ac13b
Instruction ID: 264c8e9c5fb8dfd88edb10017157dbce5c92a145899e3edaca688e9f955e0015
Opcode Fuzzy Hash: 2a3581fd5e093efa96d85dc355a51e25cb0c1f24477a8f1072867761dc9ac13b
Instruction Fuzzy Hash: 7D212FB6644304AFD710CF0AEC41E5BFBE8EB88630F14C96EFD5997311D275A9148BA2

Uniqueness

Uniqueness Score: -1.00%

Function 0107A842, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.363013218.0000000001072000.00000040.00000001.sdmp, Offset: 01072000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 291e7a9b0d37301e7ab7525fcdbb741164640ea31048efaf19e8c977f3925bda
Instruction ID: 895018f6fc1ff8b4946322beb8759915c8e1e7c35a76c9728410f7b66c998335
Opcode Fuzzy Hash: 291e7a9b0d37301e7ab7525fcdbb741164640ea31048efaf19e8c977f3925bda
Instruction Fuzzy Hash: 362121B6544304AFD710CF0AEC41E5BFBE8EB88630F14C96EFD5997311D275A9148BA2

Uniqueness

Uniqueness Score: -1.00%

Function 0107A96E, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.363013218.0000000001072000.00000040.00000001.sdmp, Offset: 01072000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 187e6504491bebd1f21c5fbdd2f81dbf42582affef44dd61ca8d679e08915ed7
Instruction ID: f2bc86bd3118659c7976a5689657fcfe0362b95032d8ab6350793309123a1e54
Opcode Fuzzy Hash: 187e6504491bebd1f21c5fbdd2f81dbf42582affef44dd61ca8d679e08915ed7
Instruction Fuzzy Hash: 9C213DB6604304AFD750CF0AEC41E5BFBE8EB88630F14C96EFD4897311D271A9148BA2

Uniqueness

Uniqueness Score: -1.00%

Function 0107A1A4, Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.363013218.0000000001072000.00000040.00000001.sdmp, Offset: 01072000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 590c81c6d3a4e1ea9b2a2e62f56bff46a79501ba50cea2e70a6cd62946b94e24
Instruction ID: 65d10e67e87963e8a18befb5b9756d548578f72fc9507f12849f2fe154ce095c
Opcode Fuzzy Hash: 590c81c6d3a4e1ea9b2a2e62f56bff46a79501ba50cea2e70a6cd62946b94e24
Instruction Fuzzy Hash: 5B119676640204BFE6108E0AEC45E67FFACEB85A70F14C56EFE095B601D272B9148BB5

Uniqueness

Uniqueness Score: -1.00%

Function 0107A3D2, Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.363013218.0000000001072000.00000040.00000001.sdmp, Offset: 01072000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17ad8a9cd355705e0a48d6f61d7e0e05e6418e06816a5ea4c303679184e57a31
Instruction ID: 62875292a988c5faa7a548e70554494d0f6f899a2e8e61e8e9358804219671a6
Opcode Fuzzy Hash: 17ad8a9cd355705e0a48d6f61d7e0e05e6418e06816a5ea4c303679184e57a31
Instruction Fuzzy Hash: 7911B676644304BFD6108F4AEC41E67FBE8EB84630F18C56AFD0D5B311D276B9148BA2

Uniqueness

Uniqueness Score: -1.00%

Function 0107A5EA, Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.363013218.0000000001072000.00000040.00000001.sdmp, Offset: 01072000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a40e05689291323d95d155f2e6c53edee8716627861037ae239ba94fed72a11f
Instruction ID: 74fc17f5c6ad7e0b530029a484f0eb317af5bbae0ac06b36f73d6338398a25aa
Opcode Fuzzy Hash: a40e05689291323d95d155f2e6c53edee8716627861037ae239ba94fed72a11f
Instruction Fuzzy Hash: A011B676644304BFD6108F0AEC41E67FBE9EB84630F18C56AFD0D5B311D276B9148BA2

Uniqueness

Uniqueness Score: -1.00%

Function 02962988, Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.363301512.0000000002960000.00000040.00000001.sdmp, Offset: 02960000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd6615b3ee112ebd062b75c93c1b800bcf102db408119014b57b9a156ec224fb
Instruction ID: 4aeca0e092a4116182ea5f7ea269ed086bbdb4d0719911e22593fb11b86820b8
Opcode Fuzzy Hash: cd6615b3ee112ebd062b75c93c1b800bcf102db408119014b57b9a156ec224fb
Instruction Fuzzy Hash: F521C4B4D01209DFDB14DFAAC6846AEFBF2BF48314F249569D814B7344D7359A81CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0107A1BA, Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.363013218.0000000001072000.00000040.00000001.sdmp, Offset: 01072000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb53654b2eba5be78bc7a78e6648baaa278a004ca6b47dbabdd84d4189418a6e
Instruction ID: 935a21bcf5a870c1c18c47ccc3257ab73d06158439f654bff5fe6c7098476770
Opcode Fuzzy Hash: bb53654b2eba5be78bc7a78e6648baaa278a004ca6b47dbabdd84d4189418a6e
Instruction Fuzzy Hash: 8811C672640204BFE6108E0AEC41E67FBA8EB84A70F18C46BFD095B201D276B9148BB5

Uniqueness

Uniqueness Score: -1.00%

Function 0296001B, Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.363301512.0000000002960000.00000040.00000001.sdmp, Offset: 02960000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5be285bcc3f4ae8b63c7cf762ac4f53c6f24d555f0085a471f926fd98f4c5173
Instruction ID: 60f2f55fe759887f789af215874dede8b73d7edfe58fa1de6787133c479a3d4b
Opcode Fuzzy Hash: 5be285bcc3f4ae8b63c7cf762ac4f53c6f24d555f0085a471f926fd98f4c5173
Instruction Fuzzy Hash: 22118F6084E3C58FDB568B7488A5AFABFF0AF47204F0944DFC0C1A7193D669081AC751

Uniqueness

Uniqueness Score: -1.00%

Function 029A075C, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.363373748.00000000029A0000.00000040.00000040.sdmp, Offset: 029A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b729c755a2d9b9c199c1494e64724f8970ba382005659ac3b0c9b23e0fe52ac
Instruction ID: a2a542252dce3a0636d2989ba3bf28bc1ac9fd003b76c30e01c8a9cd52b7337f
Opcode Fuzzy Hash: 9b729c755a2d9b9c199c1494e64724f8970ba382005659ac3b0c9b23e0fe52ac
Instruction Fuzzy Hash: 4511B134204384EFD715CB24C994B26BBE5EB88B08F24C9ADE9491B653C77BD803CE91

Uniqueness

Uniqueness Score: -1.00%

Function 029600F9, Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.363301512.0000000002960000.00000040.00000001.sdmp, Offset: 02960000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17d0a952c35310beb479b81f4907fe4b2a62b15c5cb316848d9feadceb34e70a
Instruction ID: 593c573a6833eab214572f1727e933a8514817ffecb52a644a7b75fbb555a381
Opcode Fuzzy Hash: 17d0a952c35310beb479b81f4907fe4b2a62b15c5cb316848d9feadceb34e70a
Instruction Fuzzy Hash: 63215B30E0018ACFDB04EBA4E8988ED7FB5FF40304B1445B9D982A7399DB765A05CB81

Uniqueness

Uniqueness Score: -1.00%

Function 0107AB09, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.363013218.0000000001072000.00000040.00000001.sdmp, Offset: 01072000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 021f3a4892808d9972f22b825e8e7bc87012302fb7d99e8972793ab387289d96
Instruction ID: 8cfdfaea5f21ae1da15e4f87daa7fc85fd7633f587cf65aa29a889acc1ed16bd
Opcode Fuzzy Hash: 021f3a4892808d9972f22b825e8e7bc87012302fb7d99e8972793ab387289d96
Instruction Fuzzy Hash: 9011D7B5908301AFD350CF19D881A5BFBE4FB88660F04896EF998A7311D371E9048FA2

Uniqueness

Uniqueness Score: -1.00%

Function 029A0724, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.363373748.00000000029A0000.00000040.00000040.sdmp, Offset: 029A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52fd871876a13b90332b062a7d25b198816642af7ae905ec43c1b5a59defa41e
Instruction ID: 717265cf15326c70b251e55b97d592f7aacc3fa18b24561148329eb11374ddf4
Opcode Fuzzy Hash: 52fd871876a13b90332b062a7d25b198816642af7ae905ec43c1b5a59defa41e
Instruction Fuzzy Hash: 0021A2355093C4DFC707CB20C964755BFB5AB8A704F29C6DED8985B693C33A9806CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02962978, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.363301512.0000000002960000.00000040.00000001.sdmp, Offset: 02960000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c884c7d00865beccadf077214dd4f27b5971678a4425046e017573cfee2f366c
Instruction ID: 51a01c0940a77da44dafe34d0ebc02848cc681de3cf9a678c204ce01c09ea549
Opcode Fuzzy Hash: c884c7d00865beccadf077214dd4f27b5971678a4425046e017573cfee2f366c
Instruction Fuzzy Hash: A0111C74D05209CFDB08CFA9C5856EEFBF2AF89310F24946AC804B7254D7389A82CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02960108, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.363301512.0000000002960000.00000040.00000001.sdmp, Offset: 02960000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2a2c6b41e8eb52edfa1044323f77009bd16810b27cc4bee664ecd3491a43a58
Instruction ID: 3a4283a98b577a4de53560532f957efe71fe3fd8545fcedc205b36121da1e98e
Opcode Fuzzy Hash: e2a2c6b41e8eb52edfa1044323f77009bd16810b27cc4bee664ecd3491a43a58
Instruction Fuzzy Hash: D6111C30E0054ACFDB04EBA4E9885AD7BB6FB40308B144578D94267359DF725E05CF95

Uniqueness

Uniqueness Score: -1.00%

Function 0107A118, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.363013218.0000000001072000.00000040.00000001.sdmp, Offset: 01072000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21563af60cde70f18cb4c1353bd0bce0986a1db9fefb0e3b3e989d0e0859345e
Instruction ID: 6b2d27acda5c1b6918ed7b71df799ae4c6aa55a41d657756c1f96c3a1b565af6
Opcode Fuzzy Hash: 21563af60cde70f18cb4c1353bd0bce0986a1db9fefb0e3b3e989d0e0859345e
Instruction Fuzzy Hash: 0401247150D3C46FE71247269C65A92BF78DF43620F0C84CBE9849F193D2666909C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 029A05CF, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.363373748.00000000029A0000.00000040.00000040.sdmp, Offset: 029A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 706f427b403de1e694a89913f4e0960127ded9fdceba6b5b7eb3351266fee15b
Instruction ID: 6254af5215522ebc24a38ea200c923aacfadc543cf533d23672b112ab90f1699
Opcode Fuzzy Hash: 706f427b403de1e694a89913f4e0960127ded9fdceba6b5b7eb3351266fee15b
Instruction Fuzzy Hash: BD0186755097C05FD7128B16EC51853FFF8DF8623070984AFED898B712D165B909CB62

Uniqueness

Uniqueness Score: -1.00%

Function 029603E9, Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.363301512.0000000002960000.00000040.00000001.sdmp, Offset: 02960000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6383b0a8fef1f3fa7ad56a0d9d428f45d7e2b0a9eae9a98e9596dafa33050ba8
Instruction ID: e9477ce0a4adf4dcea1ffe1a3f06223da4f7e0399d863e0eb1e59d98784aedda
Opcode Fuzzy Hash: 6383b0a8fef1f3fa7ad56a0d9d428f45d7e2b0a9eae9a98e9596dafa33050ba8
Instruction Fuzzy Hash: B0F09034A462488FDB19D7B08890BFF77B79F86204F249CA8808167385CA795E52E650

Uniqueness

Uniqueness Score: -1.00%

Function 02960070, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.363301512.0000000002960000.00000040.00000001.sdmp, Offset: 02960000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc3834ffb7d003491ff70493cf2272c463806c61138f7f10a7ea52e5b5ae16b1
Instruction ID: 22393843c402454aeec50affe7bafd59070d6e3b9184bf0c249ef3429f40f7d0
Opcode Fuzzy Hash: cc3834ffb7d003491ff70493cf2272c463806c61138f7f10a7ea52e5b5ae16b1
Instruction Fuzzy Hash: 49F08C70D412099BEB649FB4C899BFFBBF8AB49700F10182AC001B3380DAB55914CBE4

Uniqueness

Uniqueness Score: -1.00%

Function 029603F8, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.363301512.0000000002960000.00000040.00000001.sdmp, Offset: 02960000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a3a1d37cda28e4584b0ca56b3979e3f4d69c24e2b82a129886222adf568aa25
Instruction ID: cc8b543fdc8784222edc2a74f10224a391b6adca4898d0c73b2242a5740bb69e
Opcode Fuzzy Hash: 7a3a1d37cda28e4584b0ca56b3979e3f4d69c24e2b82a129886222adf568aa25
Instruction Fuzzy Hash: 3DF0AC34A4220C9BD718EBF1C550FAF73BB9B85204F649C94940523384DEB55E51AA95

Uniqueness

Uniqueness Score: -1.00%

Function 02960530, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.363301512.0000000002960000.00000040.00000001.sdmp, Offset: 02960000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1d83e0d4263b52637ecfe82ad7c367d233eef6cea38d303c7b000157dc729c2
Instruction ID: 866139317b12e0eb08f88fd9bef0cb1638007133f671344e31bd6c0dc0f58722
Opcode Fuzzy Hash: d1d83e0d4263b52637ecfe82ad7c367d233eef6cea38d303c7b000157dc729c2
Instruction Fuzzy Hash: B7011474E40209DFCB04DFA8C589AADBBB0FB08314F2085AAD844AB345D3759A42CF91

Uniqueness

Uniqueness Score: -1.00%

Function 029A0818, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.363373748.00000000029A0000.00000040.00000040.sdmp, Offset: 029A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 525cef522958239b2deb72ab7ac90410e2832b06fb356f1b7ca8807ee3c9392c
Instruction ID: 3b8b9dc9ebbea594fcdf000b70a4d691664ad7fde3a3c29a85518c79f5319b3a
Opcode Fuzzy Hash: 525cef522958239b2deb72ab7ac90410e2832b06fb356f1b7ca8807ee3c9392c
Instruction Fuzzy Hash: ACF01D35104644DFC305CF40D980B15FBA6EB89718F24CAADE9490B752C337D813DE81

Uniqueness

Uniqueness Score: -1.00%

Function 029609D8, Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.363301512.0000000002960000.00000040.00000001.sdmp, Offset: 02960000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0327d313e8c8756e8410c76ddb59b0679d8def9521c8711dc908dc8b5521d066
Instruction ID: 5c4957afdbbe5ac7ca606f607ab176c3e0a56b253cb9d3266682449b047925c0
Opcode Fuzzy Hash: 0327d313e8c8756e8410c76ddb59b0679d8def9521c8711dc908dc8b5521d066
Instruction Fuzzy Hash: 16F0BE70D01149EFCB04EBB4CA606ADBB76EF91201F6402DAC4806B3A1EF302F41DB81

Uniqueness

Uniqueness Score: -1.00%

Function 029A0716, Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.363373748.00000000029A0000.00000040.00000040.sdmp, Offset: 029A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc3902d42ffc2432b440c3461076ffead90a835e427d9a401347b51b60c70cf3
Instruction ID: 373a5901a3ef73cbe4b98507ec879e531366e3a7b8ac07a6a7977430858e6939
Opcode Fuzzy Hash: dc3902d42ffc2432b440c3461076ffead90a835e427d9a401347b51b60c70cf3
Instruction Fuzzy Hash: 18F0C935244644DFC716CF44D990B25FBA2FB89718F24CAADE9491B662C3379813DE81

Uniqueness

Uniqueness Score: -1.00%

Function 02960221, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.363301512.0000000002960000.00000040.00000001.sdmp, Offset: 02960000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf70c2f6bd0cfe93aba195c28f8206b4477a7e37505edd7c47bcc25f1d43f90b
Instruction ID: 35a7dcdb13241cb4cb31a2cab81efb0435a3afcf1a05573beec9d6608ef9a77f
Opcode Fuzzy Hash: cf70c2f6bd0cfe93aba195c28f8206b4477a7e37505edd7c47bcc25f1d43f90b
Instruction Fuzzy Hash: A7F08C3094A388DFCB16CFA4E4465EC7FB1EF06300F1444AAC885A3362C33A4912DB40

Uniqueness

Uniqueness Score: -1.00%

Function 02960452, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.363301512.0000000002960000.00000040.00000001.sdmp, Offset: 02960000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6283714de05c85ff0d72dc83425c213b5352a3633dbc378d9ee11868da03b07
Instruction ID: 83125dbed91aef22c6bdc58e24f9e46f9abfe32d3d681b5ffe80b89971017412
Opcode Fuzzy Hash: a6283714de05c85ff0d72dc83425c213b5352a3633dbc378d9ee11868da03b07
Instruction Fuzzy Hash: E4F01230C86258DFCB15EFB4C4585AEBBB1EF0A214F244AAAC841A3251D77A8A52CF40

Uniqueness

Uniqueness Score: -1.00%

Function 029642FF, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.363301512.0000000002960000.00000040.00000001.sdmp, Offset: 02960000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c017082434d65384f9143ac193b1886bd64f9df22a6f9bfb782e7a71ba1c8cd
Instruction ID: 2f315136db16e345fd29328c2926ac0039c9e909ade3f8d9979ebdb323ed83dd
Opcode Fuzzy Hash: 8c017082434d65384f9143ac193b1886bd64f9df22a6f9bfb782e7a71ba1c8cd
Instruction Fuzzy Hash: FAF0E530C08348EFC715EF68D889CADBF75EF43300F1491AAE880272A2D7322956DB90

Uniqueness

Uniqueness Score: -1.00%

Function 029A05F6, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.363373748.00000000029A0000.00000040.00000040.sdmp, Offset: 029A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff576db7b554265a59fdc64ac931a644f105cc520db2cd1b17a6cb9fd74d5a90
Instruction ID: 10df94538a9d25c1444e0741d52c073f2b47220fce4c470208375f407218d000
Opcode Fuzzy Hash: ff576db7b554265a59fdc64ac931a644f105cc520db2cd1b17a6cb9fd74d5a90
Instruction Fuzzy Hash: 8AE092766006008BDA50CF0BEC81456F7D8EB88630B18C07FDC0D8B701E176B504CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 029609E8, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.363301512.0000000002960000.00000040.00000001.sdmp, Offset: 02960000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b052d8b9b1cbb61e289bf3f62bb7f38af8f116c2947ba1e3190b552f75e2e9c4
Instruction ID: 9795ac9e7cd9e04f47abfdb992756b4d95b610574f6e279e6b9b4f9649273aaf
Opcode Fuzzy Hash: b052d8b9b1cbb61e289bf3f62bb7f38af8f116c2947ba1e3190b552f75e2e9c4
Instruction Fuzzy Hash: 3AF03970E4010DEBDB04EFA8DA51AADB776AF90201F6002A9844577380DF306E41DB91

Uniqueness

Uniqueness Score: -1.00%

Function 0107A6A3, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.363013218.0000000001072000.00000040.00000001.sdmp, Offset: 01072000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ccdc69e440e0c0af36085ee1eec69126f5d05504de15604088e7a9d35cd48b02
Instruction ID: f0d0f0b9790741039822a4cd5d2e4ca4d81ed0c51aabf0071b81296188398fff
Opcode Fuzzy Hash: ccdc69e440e0c0af36085ee1eec69126f5d05504de15604088e7a9d35cd48b02
Instruction Fuzzy Hash: B8E0D87254030467D6109F0B9C86F53FB58DB40A30F14C55BED081B342D1B2B5048AE1

Uniqueness

Uniqueness Score: -1.00%

Function 0107A7CF, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.363013218.0000000001072000.00000040.00000001.sdmp, Offset: 01072000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b47733bf725f1323ae7469bbe81da276e0d757578109c6dab8332da95895fe8b
Instruction ID: 13ddc88371fea35e39e83089cdcff31e1141111d36fdd2d55579cf2a547e87bf
Opcode Fuzzy Hash: b47733bf725f1323ae7469bbe81da276e0d757578109c6dab8332da95895fe8b
Instruction Fuzzy Hash: 05E0D8B254030467D6108F079C86F53FB58DF50A30F14C45BED0D1B342D1B2B5048AF1

Uniqueness

Uniqueness Score: -1.00%

Function 0107A14C, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.363013218.0000000001072000.00000040.00000001.sdmp, Offset: 01072000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ede1c0f0c78b73373038c6759bafcbe2cccf9e91e4e77bd9aa451bfb7e794a54
Instruction ID: 8649fb247a78405d0032f6a9571d999cac8bc0c5f0b66f86a6956518227195d6
Opcode Fuzzy Hash: ede1c0f0c78b73373038c6759bafcbe2cccf9e91e4e77bd9aa451bfb7e794a54
Instruction Fuzzy Hash: A7E0D87154030467D6108E07DC86B53FB58DB44930F14C457ED081B741D1B6B5048AE5

Uniqueness

Uniqueness Score: -1.00%

Function 0107A363, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.363013218.0000000001072000.00000040.00000001.sdmp, Offset: 01072000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c000d5734b880e821e56c0595206424c5bd5f83ccbd0734b3acdae2703647bb3
Instruction ID: ea2d683cbdd43dd22e7834c85d2d9270ea801735e615caf2d1b23649b7935a24
Opcode Fuzzy Hash: c000d5734b880e821e56c0595206424c5bd5f83ccbd0734b3acdae2703647bb3
Instruction Fuzzy Hash: CFE0D87194030467D6108E079C86B53FB98DB40930F14C457ED081B341D1B6B5048AE1

Uniqueness

Uniqueness Score: -1.00%

Function 0107AB6B, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.363013218.0000000001072000.00000040.00000001.sdmp, Offset: 01072000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2206926e3e938fa4fc79ece222654216f0a83a6e31b1efb3fd55978d92ae70eb
Instruction ID: b2c3148e6248bfb75ddd06da071021a7a9f07a20148973edd3ea48bbd9eaa8fc
Opcode Fuzzy Hash: 2206926e3e938fa4fc79ece222654216f0a83a6e31b1efb3fd55978d92ae70eb
Instruction Fuzzy Hash: 22E0D87294030467D6109E079C86F53FB58DB80A30F14C45BEE081B342E1B2B5148AE1

Uniqueness

Uniqueness Score: -1.00%

Function 0107A8FB, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.363013218.0000000001072000.00000040.00000001.sdmp, Offset: 01072000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77b4f9fe664252369f9dcb361a04a73ed270f16c04a21609348a6b2fd6cf9833
Instruction ID: 94a7400f7ade9c3d1aa264396a15b64a6c94785fd5c658818822f1fe7ddb45d5
Opcode Fuzzy Hash: 77b4f9fe664252369f9dcb361a04a73ed270f16c04a21609348a6b2fd6cf9833
Instruction Fuzzy Hash: 9FE092B25402046BD6508A06DC86F53FB58DB40A30F14C45BED081A241D1B2A5048AA1

Uniqueness

Uniqueness Score: -1.00%

Function 0107A57B, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.363013218.0000000001072000.00000040.00000001.sdmp, Offset: 01072000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84c0413bc100c5e22a070dfcbd33d614f61d8ed93ef78698a2a01b9e1e5cddd0
Instruction ID: 4505d53ce78aabe4c658d5b97277d8084b8ec032ec7d55525ad3cab020a29568
Opcode Fuzzy Hash: 84c0413bc100c5e22a070dfcbd33d614f61d8ed93ef78698a2a01b9e1e5cddd0
Instruction Fuzzy Hash: 5EE0D87154030467D6108E0B9C86B53FB58DB44930F14C457ED081B341D1B6B5048AE5

Uniqueness

Uniqueness Score: -1.00%

Function 02960460, Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.363301512.0000000002960000.00000040.00000001.sdmp, Offset: 02960000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 862632d321b5e841600098290758c5bf6c6290c5cca463d4258578886559b6d9
Instruction ID: 6ec0d94bd578f130ec1890516dd4262e0f33415afb91d48478c9487e9d697234
Opcode Fuzzy Hash: 862632d321b5e841600098290758c5bf6c6290c5cca463d4258578886559b6d9
Instruction Fuzzy Hash: 8BF01574C4120CEFCB14EFB4C4485AEBBB5FB04304F1049A9C85463300EB769A50CF80

Uniqueness

Uniqueness Score: -1.00%

Function 02964310, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.363301512.0000000002960000.00000040.00000001.sdmp, Offset: 02960000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9e284a2ce28e867df3b27bfe6649d227a942c77536ca0125272fd9884176d58
Instruction ID: ae0dbc1f61219c8730b3c0b41258259d5382f2dd7cb75fcbbfeaa7b43b256869
Opcode Fuzzy Hash: f9e284a2ce28e867df3b27bfe6649d227a942c77536ca0125272fd9884176d58
Instruction Fuzzy Hash: 19E08670C00208EFC714EFA4D4499ADBB75FB41301F109069DC4423350C7315A54DB94

Uniqueness

Uniqueness Score: -1.00%

Function 02960230, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.363301512.0000000002960000.00000040.00000001.sdmp, Offset: 02960000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ee84036d66e17a7f575db857e37ee2a7277479911a9bba8b4fde4d914d9d6aa
Instruction ID: 0ddc60b78f7803484c50da06a4ea261703c25e2a4b7875552eb8c3ff79917ad0
Opcode Fuzzy Hash: 5ee84036d66e17a7f575db857e37ee2a7277479911a9bba8b4fde4d914d9d6aa
Instruction Fuzzy Hash: 15E04634D09308DFCB14EFA9E1896ACBBF9FB45305F1080A9D889A3344EB365A50DB81

Uniqueness

Uniqueness Score: -1.00%

Function 0296D048, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.363301512.0000000002960000.00000040.00000001.sdmp, Offset: 02960000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f42d00f36b001b65255ce31932fbd02b8e17db5d07df433273da3062fd5b1ae2
Instruction ID: 37ee56c5804d64448ec3ba79d49866fece7ab4eb6dff239916066b2d297d7740
Opcode Fuzzy Hash: f42d00f36b001b65255ce31932fbd02b8e17db5d07df433273da3062fd5b1ae2
Instruction Fuzzy Hash: BEE01A74D04248EFCB14DFA4D5486BCFBB9EB48300F10C0AADC5467341D6369A52DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0296BEC0, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.363301512.0000000002960000.00000040.00000001.sdmp, Offset: 02960000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70f57cad0ff00177a007c1f61e6471e3e6819ad975bcb00271754d19cbb8280f
Instruction ID: 12d73e318be6cf1397d12f0357914f67787373a588a2f2aab019f696adeeec8c
Opcode Fuzzy Hash: 70f57cad0ff00177a007c1f61e6471e3e6819ad975bcb00271754d19cbb8280f
Instruction Fuzzy Hash: 7CE04634C44208EBCB04DFA4D4096ACBBB8AB44204F1080A99904B3340D7701A40CF90

Uniqueness

Uniqueness Score: -1.00%

Function 029600ED, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.363301512.0000000002960000.00000040.00000001.sdmp, Offset: 02960000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75099be626180d492a465e02372821947b94e45aaad41162781e5877243e5b7c
Instruction ID: e5e463868e45092fe19cdb4e84938e901a51113e5b0db39bde8805aef63f73d2
Opcode Fuzzy Hash: 75099be626180d492a465e02372821947b94e45aaad41162781e5877243e5b7c
Instruction Fuzzy Hash: 84D06735D01209CBCB109FA9E4886EDB7B5FB89325F249966C515B3200C7355555CF90

Uniqueness

Uniqueness Score: -1.00%

Function 010623F4, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.362988702.0000000001062000.00000040.00000001.sdmp, Offset: 01062000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39e386e760a9f8838e7601cabba4b6fe5dec489e83b29b75e18e0f8233326824
Instruction ID: be96c4e87d203138391e3400d498ee8fba840d3ce79ae1393ff72684138f9993
Opcode Fuzzy Hash: 39e386e760a9f8838e7601cabba4b6fe5dec489e83b29b75e18e0f8233326824
Instruction Fuzzy Hash: EFD05E79215A818FE3268A1CC1A8BA53FE8AF52B04F4644FDE8408B663CB68D9D1D200

Uniqueness

Uniqueness Score: -1.00%

Function 029600CD, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.363301512.0000000002960000.00000040.00000001.sdmp, Offset: 02960000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ed15ad77209917e75cd07cca4164c6cb4e7e47ff506e4b7b566361834b3735a
Instruction ID: 8e95be2e328a12fd88ef7531501dc138e967f40702cf9877bbf86ec755ecd2b0
Opcode Fuzzy Hash: 2ed15ad77209917e75cd07cca4164c6cb4e7e47ff506e4b7b566361834b3735a
Instruction Fuzzy Hash: 65D0C93AE01208CF8B209FE9E4440DCF775EB8A225B249566C514B3300C7329856CF50

Uniqueness

Uniqueness Score: -1.00%

Function 010623BC, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.362988702.0000000001062000.00000040.00000001.sdmp, Offset: 01062000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77c76a464bb71746ffc591236c00dc75fe62aec73e6bfdd62fbda3f39f405036
Instruction ID: 0e9b976d78db54db71b6ad6ad476276c750d66ebb634bd23e5a2daf42421f7cd
Opcode Fuzzy Hash: 77c76a464bb71746ffc591236c00dc75fe62aec73e6bfdd62fbda3f39f405036
Instruction Fuzzy Hash: CBD05E342002818BD715DB0CC594F593BD8AF41B00F0684E9AD408B662C3A4D881C600

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: dhcpmon.exe PID: 5656 Parent PID: 936 dhcpmon.exeCOMMON

Executed Functions

Function 02B052C8, Relevance: 5.1, Strings: 4, Instructions: 143COMMON

Download Yara Rule

Strings

`5kr, xrefs: 02B054CD
f]Ir, xrefs: 02B05328
>_Ir, xrefs: 02B05411
:@Dr, xrefs: 02B053F4

Memory Dump Source

Source File: 0000000B.00000002.366151852.0000000002B00000.00000040.00000001.sdmp, Offset: 02B00000, based on PE: false

Similarity

API ID:
String ID: :@Dr$>_Ir$`5kr$f]Ir
API String ID: 0-3492759196
Opcode ID: ea96d2b93b0da7222daa133e0389257affcd2d50c2cb5b443bcbef6d932ad4b9
Instruction ID: d83038a1dec54a36c82f992e43c36c87f42a4bb444170e190114f8f4ab69e5fb
Opcode Fuzzy Hash: ea96d2b93b0da7222daa133e0389257affcd2d50c2cb5b443bcbef6d932ad4b9
Instruction Fuzzy Hash: 55516870A042498FD744EF6ED895B9EBFE6FF88304F149139E149A7268DB71180ACF51

Uniqueness

Uniqueness Score: -1.00%

Function 02B052D8, Relevance: 5.1, Strings: 4, Instructions: 136COMMON

Download Yara Rule

Strings

`5kr, xrefs: 02B054CD
f]Ir, xrefs: 02B05328
>_Ir, xrefs: 02B05411
:@Dr, xrefs: 02B053F4

Memory Dump Source

Source File: 0000000B.00000002.366151852.0000000002B00000.00000040.00000001.sdmp, Offset: 02B00000, based on PE: false

Similarity

API ID:
String ID: :@Dr$>_Ir$`5kr$f]Ir
API String ID: 0-3492759196
Opcode ID: 3faeb72cd5d5a6f8cbfcf3565a4599af60adb94c56417fd635a58b688b35c8cf
Instruction ID: c2ec7a24da0e0eaf72d0b4520e47634d00d91f1c59a432c27c3177c5d216fd54
Opcode Fuzzy Hash: 3faeb72cd5d5a6f8cbfcf3565a4599af60adb94c56417fd635a58b688b35c8cf
Instruction Fuzzy Hash: C1515870A042498FE744EF6ED891B9EBBE2FF88304F149179E149A7268DB71180ACF50

Uniqueness

Uniqueness Score: -1.00%

Function 051706A3, Relevance: 1.6, APIs: 1, Instructions: 75COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 05170723

Memory Dump Source

Source File: 0000000B.00000002.369545823.0000000005170000.00000040.00000001.sdmp, Offset: 05170000, based on PE: false

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: 16b3bc33bc1a89f8e6dd98909bf914c679c7ac639535aa583a477c1a1742fa40
Instruction ID: 8a40e36105f3079b572f7b43445ae22f741ce23223f14a2684a493d24a4b6747
Opcode Fuzzy Hash: 16b3bc33bc1a89f8e6dd98909bf914c679c7ac639535aa583a477c1a1742fa40
Instruction Fuzzy Hash: 1621A176509784AFEB228F25DC44B52BFF4EF06310F0885DAE9858F163D3759908DB61

Uniqueness

Uniqueness Score: -1.00%

Function 051706DA, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 05170723

Memory Dump Source

Source File: 0000000B.00000002.369545823.0000000005170000.00000040.00000001.sdmp, Offset: 05170000, based on PE: false

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: 0dd9639a3245513592e140c60cdb2b424d68e6016b4b626ac7d10317168e5fea
Instruction ID: 9f92d952699110dbc7cded5b0a7ea1fb516db98b6f9a9f285647be41374cf7d9
Opcode Fuzzy Hash: 0dd9639a3245513592e140c60cdb2b424d68e6016b4b626ac7d10317168e5fea
Instruction Fuzzy Hash: 6F11A0355007049FDB20DF59D888B66FBE4FF08320F0884AADD8A8B651D775E408CF61

Uniqueness

Uniqueness Score: -1.00%

Function 02B04890, Relevance: .2, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.366151852.0000000002B00000.00000040.00000001.sdmp, Offset: 02B00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c143794b44b9ea47d8b3786773d432dbbf4d844e1113d4ce9d894084e939408
Instruction ID: 1faca744e52a71586ecf1a1d05c7c6d89de5244d13c9d88f7e2b3bca8a3a65b7
Opcode Fuzzy Hash: 5c143794b44b9ea47d8b3786773d432dbbf4d844e1113d4ce9d894084e939408
Instruction Fuzzy Hash: 9E6116B0D002488FDB05DFAAC5906ADFBF2FF88324F64D2A5E524A7295D7309942CF60

Uniqueness

Uniqueness Score: -1.00%

Function 02B04688, Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.366151852.0000000002B00000.00000040.00000001.sdmp, Offset: 02B00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88cd9cae51eb07d123d53265455bd26cf5c6c14a2af22e37581ea1a339facf4a
Instruction ID: a1d64e67a6ec1fa3bb9526d7390119d26545f45d1de7136233a6de291c700a3d
Opcode Fuzzy Hash: 88cd9cae51eb07d123d53265455bd26cf5c6c14a2af22e37581ea1a339facf4a
Instruction Fuzzy Hash: FE51F671D002188BDF05DFAAC890AEDFBB2FF89325F548269D514BB295EB316902CF51

Uniqueness

Uniqueness Score: -1.00%

Function 02B04678, Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.366151852.0000000002B00000.00000040.00000001.sdmp, Offset: 02B00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 957e7f0c59d9e757c14bca2fc71dcb399b71ae58d272ed06f61c0769c42fcfaa
Instruction ID: fc022c63ece578e029b97ab225e51028294e46d2d989bded45634a1fd39265ae
Opcode Fuzzy Hash: 957e7f0c59d9e757c14bca2fc71dcb399b71ae58d272ed06f61c0769c42fcfaa
Instruction Fuzzy Hash: 0B510971D002588FDB05CFBAC8906EDBBF2EF89215F54C16AD514BB2A5EB306902CF51

Uniqueness

Uniqueness Score: -1.00%

Function 02B005A8, Relevance: 5.2, Strings: 4, Instructions: 201COMMON

Download Yara Rule

Strings

`5kr, xrefs: 02B0072D
|e, xrefs: 02B00640, 02B0066B, 02B00742, 02B00762, 02B0096B
:@Dr, xrefs: 02B006D4
\,, xrefs: 02B006BD

Memory Dump Source

Source File: 0000000B.00000002.366151852.0000000002B00000.00000040.00000001.sdmp, Offset: 02B00000, based on PE: false

Similarity

API ID:
String ID: :@Dr$\,$`5kr$|e
API String ID: 0-1617226537
Opcode ID: da2263cfab8666b2494c15cbf2f20e6415619756c5bed56337bf99e8452879d7
Instruction ID: 26835a02bcd23db09f0a68d13a0116ca2c4acf66041b743c75f4db810be0fb5c
Opcode Fuzzy Hash: da2263cfab8666b2494c15cbf2f20e6415619756c5bed56337bf99e8452879d7
Instruction Fuzzy Hash: 6E91E274E01218CFDB54DFA9C994BADBBB2BF89310F1054A9D509AB3A0DB71A941CF50

Uniqueness

Uniqueness Score: -1.00%

Function 02B02816, Relevance: 2.6, Strings: 2, Instructions: 58COMMON

Download Yara Rule

Strings

N, xrefs: 02B028BD
7, xrefs: 02B02817

Memory Dump Source

Source File: 0000000B.00000002.366151852.0000000002B00000.00000040.00000001.sdmp, Offset: 02B00000, based on PE: false

Similarity

API ID:
String ID: 7$N
API String ID: 0-3202983734
Opcode ID: 05a8320433dcda27ea46833009841a27eca7b10bfe35068cfae4c2ef691bc18c
Instruction ID: c3db36e52b9d783b79008281f830d897b3f61f81caba3aa2d811082481412b83
Opcode Fuzzy Hash: 05a8320433dcda27ea46833009841a27eca7b10bfe35068cfae4c2ef691bc18c
Instruction Fuzzy Hash: C921A374E02228CFEB259F24C859BE9BBB0FF4A305F0051E9D58DA3291D7745A85CF45

Uniqueness

Uniqueness Score: -1.00%

Function 051704DD, Relevance: 1.6, APIs: 1, Instructions: 108COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 051705A2

Memory Dump Source

Source File: 0000000B.00000002.369545823.0000000005170000.00000040.00000001.sdmp, Offset: 05170000, based on PE: false

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 792b5cb7356fc3dfae77d248990f7d0797d774e0f2ae38cfd00dca266c25bd73
Instruction ID: 2bf49dd952719334f4ec52a5c58cd00506ea386579eab0878e4d8b00d6b04573
Opcode Fuzzy Hash: 792b5cb7356fc3dfae77d248990f7d0797d774e0f2ae38cfd00dca266c25bd73
Instruction Fuzzy Hash: 5D412C7250E3C49FD7138B358C55A92BFB4AF07210F0E84DBD984CF1A3D2699949DB62

Uniqueness

Uniqueness Score: -1.00%

Function 00EBAB26, Relevance: 1.6, APIs: 1, Instructions: 92registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,00000E2C), ref: 00EBABD5

Memory Dump Source

Source File: 0000000B.00000002.365747315.0000000000EBA000.00000040.00000001.sdmp, Offset: 00EBA000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: ead77777d3d9c27b84b5b03099637f2bb867cf73def1adf275541e92338c428e
Instruction ID: 8d426f65816ba1e70d9ae20aa3ceb45e90505e394547eeba028837ad2d328340
Opcode Fuzzy Hash: ead77777d3d9c27b84b5b03099637f2bb867cf73def1adf275541e92338c428e
Instruction Fuzzy Hash: 9631C572504384AFE7228B25CC45FA7FFBCEF06710F0884ABED819B152D264A849CB71

Uniqueness

Uniqueness Score: -1.00%

Function 00EBAC1D, Relevance: 1.6, APIs: 1, Instructions: 89registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,6FA31D46,00000000,00000000,00000000,00000000), ref: 00EBACD8

Memory Dump Source

Source File: 0000000B.00000002.365747315.0000000000EBA000.00000040.00000001.sdmp, Offset: 00EBA000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 31b8df24f83ced67af093b28d26c4463704000addedfe3480a8c9beb991113cc
Instruction ID: 57e202dda1f43d3390ad189b769da962fb3f3c8e8f8b207b844e82fb2e5fe71e
Opcode Fuzzy Hash: 31b8df24f83ced67af093b28d26c4463704000addedfe3480a8c9beb991113cc
Instruction Fuzzy Hash: E031B371504384AFEB22CF21CC44FA3BFB8EF06314F18849AE985DB152D264E849CB61

Uniqueness

Uniqueness Score: -1.00%

Function 05170928, Relevance: 1.6, APIs: 1, Instructions: 87COMMON

Download Yara Rule

APIs

TerminateProcess.KERNELBASE(?,00000E2C,6FA31D46,00000000,00000000,00000000,00000000), ref: 051709BC

Memory Dump Source

Source File: 0000000B.00000002.369545823.0000000005170000.00000040.00000001.sdmp, Offset: 05170000, based on PE: false

Similarity

API ID: ProcessTerminate
String ID:
API String ID: 560597551-0
Opcode ID: 632b40bf96c89a595f7240b2bcea45ce03a2856e0ea52695adab886a9b69121a
Instruction ID: 0a760ad8d0b4dcfb483ebe5857947540d04c001e0f924cc7691254803b2d5bdd
Opcode Fuzzy Hash: 632b40bf96c89a595f7240b2bcea45ce03a2856e0ea52695adab886a9b69121a
Instruction Fuzzy Hash: 6321B4725093846FE7128B25DC45F96BFB8EF47320F0880DBE984DF192D264A549CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00EBB074, Relevance: 1.6, APIs: 1, Instructions: 77COMMON

Download Yara Rule

APIs

SetConsoleCtrlHandler.KERNELBASE(?,00000E2C,?,?), ref: 00EBB10E

Memory Dump Source

Source File: 0000000B.00000002.365747315.0000000000EBA000.00000040.00000001.sdmp, Offset: 00EBA000, based on PE: false

Similarity

API ID: ConsoleCtrlHandler
String ID:
API String ID: 1513847179-0
Opcode ID: edf2f1fbffe2296ed7c3ded1b761a8a7097cf6a4d5f54948602f8490b0723da4
Instruction ID: 412bd0ac7cf198ddd178765ad48855f05cedcd9bcbe81a5ff3010e72daab1a6d
Opcode Fuzzy Hash: edf2f1fbffe2296ed7c3ded1b761a8a7097cf6a4d5f54948602f8490b0723da4
Instruction Fuzzy Hash: 4921B67154D7C06FD3138B259C51B62BFB4EF87610F0A81DBE884CB653D225A919C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 00EBAB56, Relevance: 1.6, APIs: 1, Instructions: 74registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,00000E2C), ref: 00EBABD5

Memory Dump Source

Source File: 0000000B.00000002.365747315.0000000000EBA000.00000040.00000001.sdmp, Offset: 00EBA000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 1db0e41a3afe1dfaeaf7226950a3486ca8cfb8d04446369dd083ec71eeb7e57e
Instruction ID: 9e62a583b87d514df6fd508f4c794287b58438917e0324ffa0d0c9b212401077
Opcode Fuzzy Hash: 1db0e41a3afe1dfaeaf7226950a3486ca8cfb8d04446369dd083ec71eeb7e57e
Instruction Fuzzy Hash: 35219F72500604AFEB219B15DC85FABFBACEF04710F18846BEE459A241D674E8488B72

Uniqueness

Uniqueness Score: -1.00%

Function 05170770, Relevance: 1.6, APIs: 1, Instructions: 72COMMON

Download Yara Rule

APIs

K32EnumProcesses.KERNEL32(?,?,?,6FA31D46,00000000,?,?,?,?,?,?,?,?,72F43C38), ref: 051707EA

Memory Dump Source

Source File: 0000000B.00000002.369545823.0000000005170000.00000040.00000001.sdmp, Offset: 05170000, based on PE: false

Similarity

API ID: EnumProcesses
String ID:
API String ID: 84517404-0
Opcode ID: e4b57c233a0f7d91561930da19721b03e1b8c5106ec4becf2c9653eb029caa18
Instruction ID: cfdb0fb5a92193b64626be127588bf2d2d508c07bdaed42826a9a08c41fe9490
Opcode Fuzzy Hash: e4b57c233a0f7d91561930da19721b03e1b8c5106ec4becf2c9653eb029caa18
Instruction Fuzzy Hash: EF21A1725093849FDB12CF25DC45AA2BFF4AF07310F0984DAE9858F263D2749908CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00EBBE1D, Relevance: 1.6, APIs: 1, Instructions: 70COMMON

Download Yara Rule

APIs

DrawTextExW.USER32(?,?,?,?,?,?), ref: 00EBBE9F

Memory Dump Source

Source File: 0000000B.00000002.365747315.0000000000EBA000.00000040.00000001.sdmp, Offset: 00EBA000, based on PE: false

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: f655bafe5d488454a1ff2aaf1d3290d763f221360ae72611e6fc938ab865ec76
Instruction ID: 47c9670c155108576dc39068fdf9f5bc29afa77a35a29e6ac5ce3aa5ef18efbd
Opcode Fuzzy Hash: f655bafe5d488454a1ff2aaf1d3290d763f221360ae72611e6fc938ab865ec76
Instruction Fuzzy Hash: E3218171509384AFD722CF25D844B92BFE4EF06214F09849AE9849B163D375E808CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00EBAC5E, Relevance: 1.6, APIs: 1, Instructions: 69registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,6FA31D46,00000000,00000000,00000000,00000000), ref: 00EBACD8

Memory Dump Source

Source File: 0000000B.00000002.365747315.0000000000EBA000.00000040.00000001.sdmp, Offset: 00EBA000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 627aceb8ad59caaae3ec81f07fb11a70a59c8d0e9558c76b3a2e16ee963affe4
Instruction ID: 42c7b05564453b0e38ddaa078e4bc580c8263baa6e6e7905ae776b30f99585f7
Opcode Fuzzy Hash: 627aceb8ad59caaae3ec81f07fb11a70a59c8d0e9558c76b3a2e16ee963affe4
Instruction Fuzzy Hash: 16218C71600604AFEB20CF15DC80FA7FBECEF05714F18846AEA45AB251D764E808CB72

Uniqueness

Uniqueness Score: -1.00%

Function 00EBB46D, Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

LoadLibraryShim.MSCOREE(?,?,?,?), ref: 00EBB4E9

Memory Dump Source

Source File: 0000000B.00000002.365747315.0000000000EBA000.00000040.00000001.sdmp, Offset: 00EBA000, based on PE: false

Similarity

API ID: LibraryLoadShim
String ID:
API String ID: 1475914169-0
Opcode ID: 2651aec08562794501bf37be58e613d0d64af2293606d1b0d792a978db62087f
Instruction ID: 2b9811234cf193a53925ed4670afad144fdef45743850d87df475592697698c4
Opcode Fuzzy Hash: 2651aec08562794501bf37be58e613d0d64af2293606d1b0d792a978db62087f
Instruction Fuzzy Hash: 1521C3715093806FD7228E15DC41B63BFE8EF06314F08808AED84DB253D365E808C772

Uniqueness

Uniqueness Score: -1.00%

Function 0517015D, Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 051701C8

Memory Dump Source

Source File: 0000000B.00000002.369545823.0000000005170000.00000040.00000001.sdmp, Offset: 05170000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 3188d2d223a9d8cfc0ee9c55c22c4ed4d432c5d67040f94b7ebba24c3da932fb
Instruction ID: 619c74de8bc1bb3b6539adcc478e19e4d6512973755de2ca2764f8166d01dd07
Opcode Fuzzy Hash: 3188d2d223a9d8cfc0ee9c55c22c4ed4d432c5d67040f94b7ebba24c3da932fb
Instruction Fuzzy Hash: DC2181724093846FD7128B25DD45B92BFB8AF07210F0984DBE9858F653D264A948CB61

Uniqueness

Uniqueness Score: -1.00%

Function 05170AAD, Relevance: 1.6, APIs: 1, Instructions: 62windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 05170B21

Memory Dump Source

Source File: 0000000B.00000002.369545823.0000000005170000.00000040.00000001.sdmp, Offset: 05170000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 12b929ceffcce89dfe72d398bbdf146a32ac7b90bfcae4aba1cd396801e89167
Instruction ID: 320e357f8605658963884cde42744ed0ed1af8e56b2e073c1b373a02b1b54873
Opcode Fuzzy Hash: 12b929ceffcce89dfe72d398bbdf146a32ac7b90bfcae4aba1cd396801e89167
Instruction Fuzzy Hash: DD218E714093C49FDB138F25CC44A52FFB4EF07210F0984DBE9848F163D265A958DB62

Uniqueness

Uniqueness Score: -1.00%

Function 00EBA5AF, Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00EBA61A

Memory Dump Source

Source File: 0000000B.00000002.365747315.0000000000EBA000.00000040.00000001.sdmp, Offset: 00EBA000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 086d1d2307f78bf81a0ed229cf81b6a20e1ccb1c7fe2e5457e302fc29a8e0444
Instruction ID: 8fdf659703bbbf33df9296a8bf345a366bb72a5f6778e060ab3da3be2d921062
Opcode Fuzzy Hash: 086d1d2307f78bf81a0ed229cf81b6a20e1ccb1c7fe2e5457e302fc29a8e0444
Instruction Fuzzy Hash: 53118472409380AFDB228F55DC44A62FFF4EF4A310F0884DAEE858B162D275A518DB61

Uniqueness

Uniqueness Score: -1.00%

Function 05170966, Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

TerminateProcess.KERNELBASE(?,00000E2C,6FA31D46,00000000,00000000,00000000,00000000), ref: 051709BC

Memory Dump Source

Source File: 0000000B.00000002.369545823.0000000005170000.00000040.00000001.sdmp, Offset: 05170000, based on PE: false

Similarity

API ID: ProcessTerminate
String ID:
API String ID: 560597551-0
Opcode ID: 92f6e3c77ba8016fe0835da6475a4f81da4485c1266575171800977718a03d3b
Instruction ID: 8ea8078a73664de9461750617c42b8043e5c62689f112c1da5a3214c282cf604
Opcode Fuzzy Hash: 92f6e3c77ba8016fe0835da6475a4f81da4485c1266575171800977718a03d3b
Instruction Fuzzy Hash: 8011A371504704AFEB20DF29DC89F6BFBA8EF45320F1484ABEE49DB241D674A4448B71

Uniqueness

Uniqueness Score: -1.00%

Function 05170E3F, Relevance: 1.6, APIs: 1, Instructions: 56windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 05170EA9

Memory Dump Source

Source File: 0000000B.00000002.369545823.0000000005170000.00000040.00000001.sdmp, Offset: 05170000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 4d488dcbb9b3f62998e2f08f105dca40e874433617883d294105c3e71e5ffc40
Instruction ID: 860bfa4db4bf5aef6f77dc08f62dfd64c277189bf1b52333f61a0a5d782d62c5
Opcode Fuzzy Hash: 4d488dcbb9b3f62998e2f08f105dca40e874433617883d294105c3e71e5ffc40
Instruction Fuzzy Hash: DE11D072409384AFDB228F15DC45F62FFB4EF06224F08809EED858B263C275A458CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0517055A, Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 051705A2

Memory Dump Source

Source File: 0000000B.00000002.369545823.0000000005170000.00000040.00000001.sdmp, Offset: 05170000, based on PE: false

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: bbb1920abcb80a80860b131876877738dc4b8740f6ac86429a145c61106fd320
Instruction ID: 7af847ccc4ceca484c61600e288728bf4eef26ba4ccfbb8b7047270f23237655
Opcode Fuzzy Hash: bbb1920abcb80a80860b131876877738dc4b8740f6ac86429a145c61106fd320
Instruction Fuzzy Hash: CA115E72A04744DFDB20CF29D889B66FBE8EF09220F0884AADD49DB241E774E444CE71

Uniqueness

Uniqueness Score: -1.00%

Function 00EBBE4E, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

DrawTextExW.USER32(?,?,?,?,?,?), ref: 00EBBE9F

Memory Dump Source

Source File: 0000000B.00000002.365747315.0000000000EBA000.00000040.00000001.sdmp, Offset: 00EBA000, based on PE: false

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: 2ab9b70724e111cad856c4368e96a0ed647e951c312d9c1a7c58ecdcf5778660
Instruction ID: 4d67ac2c438cefb9c6e87066f2644aacc38689bd28e46c13eb8b9c9f21cf7585
Opcode Fuzzy Hash: 2ab9b70724e111cad856c4368e96a0ed647e951c312d9c1a7c58ecdcf5778660
Instruction Fuzzy Hash: 671170755006089FDB20CF65D984BE7FBE8EF04310F1894AADE459B222D7B5E408CB71

Uniqueness

Uniqueness Score: -1.00%

Function 051707AA, Relevance: 1.5, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

K32EnumProcesses.KERNEL32(?,?,?,6FA31D46,00000000,?,?,?,?,?,?,?,?,72F43C38), ref: 051707EA

Memory Dump Source

Source File: 0000000B.00000002.369545823.0000000005170000.00000040.00000001.sdmp, Offset: 05170000, based on PE: false

Similarity

API ID: EnumProcesses
String ID:
API String ID: 84517404-0
Opcode ID: d00a0a4cd66db776693ac35e95aebed6f57d30d259044ac7c2c66297d574660f
Instruction ID: ad2e0dbfa17f60ef6d85ff7f176e0cf866f099d45e54d15cbcd7b69ed8be1a1a
Opcode Fuzzy Hash: d00a0a4cd66db776693ac35e95aebed6f57d30d259044ac7c2c66297d574660f
Instruction Fuzzy Hash: E1116171A043049FDB20CF69D889B66FBE4EF08320F0884AADD49DB651D775E448CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00EBA9F0, Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32 ref: 00EBAA4A

Memory Dump Source

Source File: 0000000B.00000002.365747315.0000000000EBA000.00000040.00000001.sdmp, Offset: 00EBA000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 6f5212a467ee6c42cabe03220db374633aab5a4f64da3b35cd605e061ae79c57
Instruction ID: d07731f4b24bad453b705a05e1ea0f1a0303d10071ab4924e6bb6fb088167039
Opcode Fuzzy Hash: 6f5212a467ee6c42cabe03220db374633aab5a4f64da3b35cd605e061ae79c57
Instruction Fuzzy Hash: 4E11A032404384AFC7218F15DC85B52FFF4EF06320F08C09AED854B262D275A808CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00EBB49E, Relevance: 1.5, APIs: 1, Instructions: 46libraryCOMMON

Download Yara Rule

APIs

LoadLibraryShim.MSCOREE(?,?,?,?), ref: 00EBB4E9

Memory Dump Source

Source File: 0000000B.00000002.365747315.0000000000EBA000.00000040.00000001.sdmp, Offset: 00EBA000, based on PE: false

Similarity

API ID: LibraryLoadShim
String ID:
API String ID: 1475914169-0
Opcode ID: d04519ed93ffc80d4e0592c4c524ce9a37ca27e201ded213c9b0624fbaa234bd
Instruction ID: c120a0f3625a41823186cb263ecf77f1a5d1b2b368756e18984942305e7e23c9
Opcode Fuzzy Hash: d04519ed93ffc80d4e0592c4c524ce9a37ca27e201ded213c9b0624fbaa234bd
Instruction Fuzzy Hash: BD0180719006009FDB20CE19D885BA3FBE4FF14720F18909ADD499B242E7B5E808CB72

Uniqueness

Uniqueness Score: -1.00%

Function 00EBA5D6, Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00EBA61A

Memory Dump Source

Source File: 0000000B.00000002.365747315.0000000000EBA000.00000040.00000001.sdmp, Offset: 00EBA000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: c4670479905adfa245deb129c565f3239b85fc6b26c88af4e39e5880c9c52a9c
Instruction ID: 588fd65b95991dd9f4490b4f90cfcc5715b2b840dea98f002cd346165ef46a16
Opcode Fuzzy Hash: c4670479905adfa245deb129c565f3239b85fc6b26c88af4e39e5880c9c52a9c
Instruction Fuzzy Hash: 1C01C072800600EFDF218F55D844B92FFE0EF08320F1CC4AADE495B615D275A418DF62

Uniqueness

Uniqueness Score: -1.00%

Function 00EBB0BE, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

SetConsoleCtrlHandler.KERNELBASE(?,00000E2C,?,?), ref: 00EBB10E

Memory Dump Source

Source File: 0000000B.00000002.365747315.0000000000EBA000.00000040.00000001.sdmp, Offset: 00EBA000, based on PE: false

Similarity

API ID: ConsoleCtrlHandler
String ID:
API String ID: 1513847179-0
Opcode ID: 40d6c5888558848987f9d1f62a891af82907bc3d7839072bc032fd513c785fdc
Instruction ID: 4799f3e71dcb3d75c09aa3f5e53113de9c0793357f17e0c5cf070479d8a34600
Opcode Fuzzy Hash: 40d6c5888558848987f9d1f62a891af82907bc3d7839072bc032fd513c785fdc
Instruction Fuzzy Hash: 5401A276900600ABD210DF16DC86F36FBA8FB89B20F14815AED084B741E735F515CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 05170196, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 051701C8

Memory Dump Source

Source File: 0000000B.00000002.369545823.0000000005170000.00000040.00000001.sdmp, Offset: 05170000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 6a045ca3d5fdea24e1c5caaaf2822631c28ed27594f6ee24be860ec8d52c211a
Instruction ID: bd7b5e3bf08bea55cc904f918f5e596b6c37faf6042c2ad1f7fb5c872ce31800
Opcode Fuzzy Hash: 6a045ca3d5fdea24e1c5caaaf2822631c28ed27594f6ee24be860ec8d52c211a
Instruction Fuzzy Hash: C201B1319047049FD710CF29D889766FBA4EF08220F08C0ABDD098B602D6B4E408CF72

Uniqueness

Uniqueness Score: -1.00%

Function 05170E6E, Relevance: 1.5, APIs: 1, Instructions: 42windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 05170EA9

Memory Dump Source

Source File: 0000000B.00000002.369545823.0000000005170000.00000040.00000001.sdmp, Offset: 05170000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 799571a526ec95b43317cdb0fcabca0425e1174e60b68c401c2f5626f2b40521
Instruction ID: 10c5cadfff70ca9077a2d858027ea537ed33577d18cbc4ee640fc844c00823f5
Opcode Fuzzy Hash: 799571a526ec95b43317cdb0fcabca0425e1174e60b68c401c2f5626f2b40521
Instruction Fuzzy Hash: 2F01B132900744DFDB208F19D888B66FFA0EF08320F18C0AEEE454B611DB75A498CF62

Uniqueness

Uniqueness Score: -1.00%

Function 05170AE6, Relevance: 1.5, APIs: 1, Instructions: 38windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 05170B21

Memory Dump Source

Source File: 0000000B.00000002.369545823.0000000005170000.00000040.00000001.sdmp, Offset: 05170000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: b50362c7e28c0ec027106af2e7d84e94c5bc7e454038c66cb4abfd845a796be1
Instruction ID: aa36619786e522614dd67ca651c54cb6f04bd115750e2b37e7b25b56eaf68128
Opcode Fuzzy Hash: b50362c7e28c0ec027106af2e7d84e94c5bc7e454038c66cb4abfd845a796be1
Instruction Fuzzy Hash: 0C018F35900748DFDB20CF19D888B26FFA1EF08324F18C09ADE494B212D375A558CF62

Uniqueness

Uniqueness Score: -1.00%

Function 00EBAA12, Relevance: 1.5, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32 ref: 00EBAA4A

Memory Dump Source

Source File: 0000000B.00000002.365747315.0000000000EBA000.00000040.00000001.sdmp, Offset: 00EBA000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: c701357f7123312549b55fc4dc8775ff6c73b69506bb32e916738607cf7c0f74
Instruction ID: 10865ad80a317ee71d92c6f9a35fbbf3371ab3fce70b6abad22c7e602894879f
Opcode Fuzzy Hash: c701357f7123312549b55fc4dc8775ff6c73b69506bb32e916738607cf7c0f74
Instruction Fuzzy Hash: 2F01D131800604DFDB208F45D9857A6FFA0EF04720F18D0AADE495B212D6B5A408DF72

Uniqueness

Uniqueness Score: -1.00%

Function 02B00108, Relevance: 1.3, Strings: 1, Instructions: 50COMMON

Download Yara Rule

Strings

pa, xrefs: 02B0011C

Memory Dump Source

Source File: 0000000B.00000002.366151852.0000000002B00000.00000040.00000001.sdmp, Offset: 02B00000, based on PE: false

Similarity

API ID:
String ID: pa
API String ID: 0-3361303919
Opcode ID: 5f6ae826f3eb085d81fa6d494c5086f1505048eac4465f866610da041c68a873
Instruction ID: a6aced71c06dc2a1d00a92b9d7c5c675cef1ebbbc6613c2faf216a5abc5e7ccd
Opcode Fuzzy Hash: 5f6ae826f3eb085d81fa6d494c5086f1505048eac4465f866610da041c68a873
Instruction Fuzzy Hash: D1113D30A0010ECFCB04FBA5D9559AE7BB1FF80305B14557CEA0577255DB726E06DB51

Uniqueness

Uniqueness Score: -1.00%

Function 02B02838, Relevance: 1.3, Strings: 1, Instructions: 49COMMON

Download Yara Rule

Strings

X, xrefs: 02B02884

Memory Dump Source

Source File: 0000000B.00000002.366151852.0000000002B00000.00000040.00000001.sdmp, Offset: 02B00000, based on PE: false

Similarity

API ID:
String ID: X
API String ID: 0-3081909835
Opcode ID: c19f3dbd043c100d8f96c4473d8960a88536bbb5ed19f73deb726b5a6150e8c1
Instruction ID: 426cd61ebacb60eb72a34126d9dae3a90fabcbdbff7f5ac93cd887f8620749b4
Opcode Fuzzy Hash: c19f3dbd043c100d8f96c4473d8960a88536bbb5ed19f73deb726b5a6150e8c1
Instruction Fuzzy Hash: A621E274E02228CFEB21CF24C8597D9BBB1BF4A305F0080E9958DA3290CB745A89CF45

Uniqueness

Uniqueness Score: -1.00%

Function 02B00530, Relevance: 1.3, Strings: 1, Instructions: 33COMMON

Download Yara Rule

Strings

pr, xrefs: 02B00563

Memory Dump Source

Source File: 0000000B.00000002.366151852.0000000002B00000.00000040.00000001.sdmp, Offset: 02B00000, based on PE: false

Similarity

API ID:
String ID: pr
API String ID: 0-2331350302
Opcode ID: d52dbf9cca9d458a098938566930670136dee27f27d6d43ecbd17fc33408c144
Instruction ID: fc426aeaf07001d9215c37b4039342798513689be542800ddb4af1cbf1d26788
Opcode Fuzzy Hash: d52dbf9cca9d458a098938566930670136dee27f27d6d43ecbd17fc33408c144
Instruction Fuzzy Hash: E5011974A49209DFCB05DFA8C58499DBFB0FF09314B2045E9D841A73A2D3759E46CF91

Uniqueness

Uniqueness Score: -1.00%

Function 02B00A61, Relevance: .7, Instructions: 743COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.366151852.0000000002B00000.00000040.00000001.sdmp, Offset: 02B00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc880c7d478fa365996177afb7d7fe960028ee8368c645fe42f401f25296c67f
Instruction ID: 70c7245801dff8ac1eadd02a3cd67fc34e60afa7ead5b2390f20aaed06640944
Opcode Fuzzy Hash: cc880c7d478fa365996177afb7d7fe960028ee8368c645fe42f401f25296c67f
Instruction Fuzzy Hash: 0D72A334A01218DFDB64DB64C994BADB7B2FF8A301F5180E9D509AB361DB31AE95CF01

Uniqueness

Uniqueness Score: -1.00%

Function 02B0B8A8, Relevance: .3, Instructions: 313COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.366151852.0000000002B00000.00000040.00000001.sdmp, Offset: 02B00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6a0d63a100e9f3ac6ce21c4ed88a535a9ddd985983705d33529e5b12630e6de
Instruction ID: a1540de2d13a2e6d13244284b03cb69f1b6280b4c398f4b08ef5add668a7f647
Opcode Fuzzy Hash: b6a0d63a100e9f3ac6ce21c4ed88a535a9ddd985983705d33529e5b12630e6de
Instruction Fuzzy Hash: D1D11F70D05218CFDB25DFA6C5987ADBFB1FB0A309F1094AAC059B3291CB785A89DF14

Uniqueness

Uniqueness Score: -1.00%

Function 02B04AE7, Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.366151852.0000000002B00000.00000040.00000001.sdmp, Offset: 02B00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d58ea569a0f47e2870d2c1ab6d092e35ac7989af784fd80d292849dacf53eee
Instruction ID: 0294874a283662e78213188e7cd380a32dafbd3487a550bef1aaae515464b55f
Opcode Fuzzy Hash: 7d58ea569a0f47e2870d2c1ab6d092e35ac7989af784fd80d292849dacf53eee
Instruction Fuzzy Hash: E4C11C74A00348CFDB54EF64D9A8B9CBBF1FB48305F1086AAD909A7394DB709989CF50

Uniqueness

Uniqueness Score: -1.00%

Function 02B04C54, Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.366151852.0000000002B00000.00000040.00000001.sdmp, Offset: 02B00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: afd33a269a7a3b8a000fb7606b787f7e943ab3776fb95dbf14dcae1ea6dcf010
Instruction ID: c49cf2a8b448da1e8f925e2f6ded46cb42c8cd8ffbf0367bb45376de4b15ef3a
Opcode Fuzzy Hash: afd33a269a7a3b8a000fb7606b787f7e943ab3776fb95dbf14dcae1ea6dcf010
Instruction Fuzzy Hash: B4C11B74A00358CFDB54DF64D9A8B9DBBB2FB44304F1081AAD90AA7394EB705D89CF11

Uniqueness

Uniqueness Score: -1.00%

Function 02B02FF8, Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.366151852.0000000002B00000.00000040.00000001.sdmp, Offset: 02B00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8344c4b9e0e264413c43089ea8df56327964fdc5a926712b459fec199e5caa75
Instruction ID: 0bfe08a54af285ea609138f369a5f4c6a437538ebaad845c6d89a6261508b98a
Opcode Fuzzy Hash: 8344c4b9e0e264413c43089ea8df56327964fdc5a926712b459fec199e5caa75
Instruction Fuzzy Hash: CD91F475C06268CFDB298FA2C998BECFAF4BB4A749F0450DAD149B2191C7744AC8CF14

Uniqueness

Uniqueness Score: -1.00%

Function 02B04E20, Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.366151852.0000000002B00000.00000040.00000001.sdmp, Offset: 02B00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ca9cf1d670f2dbecd4bbc624c02557424a76c7c9d40d498ffc85ec610f42413
Instruction ID: 729aad5b5791208b191f294e946a0ada697410d6dc9ee4c8e3ba5ecaa944c3eb
Opcode Fuzzy Hash: 0ca9cf1d670f2dbecd4bbc624c02557424a76c7c9d40d498ffc85ec610f42413
Instruction Fuzzy Hash: 5AA11AB0A01249CFDB54EF64D998B9DBBF1FB44304F1086AAD909A7294DB709989CF50

Uniqueness

Uniqueness Score: -1.00%

Function 02B04AB8, Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.366151852.0000000002B00000.00000040.00000001.sdmp, Offset: 02B00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45af1aa4d3f7508ca46596a24ce7069200d269bc1a96001471f58a86dc51c184
Instruction ID: a3d703aff48fb1e95d6272f354988ca17de9bbb9044e017c856b43a41b99a1cb
Opcode Fuzzy Hash: 45af1aa4d3f7508ca46596a24ce7069200d269bc1a96001471f58a86dc51c184
Instruction Fuzzy Hash: C19129B4900349CFDB54EFA5D998B9DBFF1FB48304F1085AAD90AA7294DB709988CF11

Uniqueness

Uniqueness Score: -1.00%

Function 02B051DC, Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.366151852.0000000002B00000.00000040.00000001.sdmp, Offset: 02B00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 574f78a4a067b5f213f7ecebb09a2872be6f29f01e2671bd83ba3a46fb3faef5
Instruction ID: 0e752a0572fa2e5e8cd947dcf7550f8807eac0354da498ecdfd665f1d8ac3be1
Opcode Fuzzy Hash: 574f78a4a067b5f213f7ecebb09a2872be6f29f01e2671bd83ba3a46fb3faef5
Instruction Fuzzy Hash: DA910A74A00348CFDB54DFA4D9A8B9CBBF1FB48305F1085AAD909A7394DB709989CF11

Uniqueness

Uniqueness Score: -1.00%

Function 02B04ECD, Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.366151852.0000000002B00000.00000040.00000001.sdmp, Offset: 02B00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cef2fcfb2ca36522f2b6d74cc734d7febd6ccdafbf952c35414bd2bf466db560
Instruction ID: 470a9a855ffcc3d8c1d4907ecc470b76bc51ca95c0b3e160b8f3fe2146468863
Opcode Fuzzy Hash: cef2fcfb2ca36522f2b6d74cc734d7febd6ccdafbf952c35414bd2bf466db560
Instruction Fuzzy Hash: EF912A74A00349CFDB54DFA4D9A8B9DBBF1FB48305F1085AAD90AA7354DB709989CF10

Uniqueness

Uniqueness Score: -1.00%

Function 02B04AA8, Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.366151852.0000000002B00000.00000040.00000001.sdmp, Offset: 02B00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 812a5810e4fa942d87da26dac21f5ca18a4a16e31889f354cf0177654cf118e1
Instruction ID: b2c1d990d3bb11af8e2410ff91d469bb7696b5ab8f8ba864990a311192cbc6e1
Opcode Fuzzy Hash: 812a5810e4fa942d87da26dac21f5ca18a4a16e31889f354cf0177654cf118e1
Instruction Fuzzy Hash: 44811B70904349CFDB54DFA4D998B9DBFF1FB48304F1085AAD50AA7294DB709989CF11

Uniqueness

Uniqueness Score: -1.00%

Function 02B00270, Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.366151852.0000000002B00000.00000040.00000001.sdmp, Offset: 02B00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93ee3f4fda8eb5dc708cba78d2864483b076e09d4012a1413d07305a11a2f736
Instruction ID: 0f07604e37055f7cf3391b3ae282a86c870f80b58b19ed5e37d8214f454de064
Opcode Fuzzy Hash: 93ee3f4fda8eb5dc708cba78d2864483b076e09d4012a1413d07305a11a2f736
Instruction Fuzzy Hash: 2F519D78A04218DFDB11DFA8C881BADBBF1EB4D310F1054A9E502BB3A0D775A941DF61

Uniqueness

Uniqueness Score: -1.00%

Function 02B04880, Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.366151852.0000000002B00000.00000040.00000001.sdmp, Offset: 02B00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dec201b2cceea45bfa67477c114ac82a7d60f4051e3f071507da7346533a77a7
Instruction ID: 7a2698b5607ed47206135cd5e4a0761681cf7b098fe7c1c1359a0725c2916f35
Opcode Fuzzy Hash: dec201b2cceea45bfa67477c114ac82a7d60f4051e3f071507da7346533a77a7
Instruction Fuzzy Hash: 4E414FB0D012448FDB05DFAAD4906ADFBF2FF89324F54C6A9E524AB3A5D73099028F50

Uniqueness

Uniqueness Score: -1.00%

Function 02B0301E, Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.366151852.0000000002B00000.00000040.00000001.sdmp, Offset: 02B00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 583c67454741387a66e325fb92991992ada19d5866b0b4c8fd3a1b899a49c542
Instruction ID: d076569b318ea11c4fc56e42b5c69cee99ee03f6b721aa2172c21e9de1eaf17b
Opcode Fuzzy Hash: 583c67454741387a66e325fb92991992ada19d5866b0b4c8fd3a1b899a49c542
Instruction Fuzzy Hash: E341D271C05268CFDB298FA1C8987ECBAF8BB49349F1491DAD009B2291C7744AC8CF14

Uniqueness

Uniqueness Score: -1.00%

Function 02B00280, Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.366151852.0000000002B00000.00000040.00000001.sdmp, Offset: 02B00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43639ccc1005b02a5715f04deaa09424d9452564c02f466c46b9dc2ae49cbbe0
Instruction ID: ab15998218b916aa20051fe926ef13560a12a3c587b83d7e88060954a696ff28
Opcode Fuzzy Hash: 43639ccc1005b02a5715f04deaa09424d9452564c02f466c46b9dc2ae49cbbe0
Instruction Fuzzy Hash: 9C418D78A00618DFDB15DFA8C881BADBBF1EB4D310F0058A5E506BB3A0D775A940DF61

Uniqueness

Uniqueness Score: -1.00%

Function 02B04351, Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.366151852.0000000002B00000.00000040.00000001.sdmp, Offset: 02B00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e459280207cc4437106a5bafbe0fbef5871812ff077358c4834bd9658b21dd57
Instruction ID: 0c9f171e8dcb281f97d323a146db5b479076b4f063453bb6afbbf2e1cae5a9a6
Opcode Fuzzy Hash: e459280207cc4437106a5bafbe0fbef5871812ff077358c4834bd9658b21dd57
Instruction Fuzzy Hash: 8351B0B4D012589FCB08DFAAD99499DBBF2FF88300F24816AE805BB360DB315945CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00ECA6EC, Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.365776958.0000000000EC2000.00000040.00000001.sdmp, Offset: 00EC2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d4fd1792ae44018702f2a768c3eebe7929baba56ff116fecb9e22176656e79c
Instruction ID: e11f43239cd3fb7dddf4dbf0cefc366eef046fdd9a06cf6412a3635af5ee425f
Opcode Fuzzy Hash: 8d4fd1792ae44018702f2a768c3eebe7929baba56ff116fecb9e22176656e79c
Instruction Fuzzy Hash: 2B319FB6909340AFD310CF09EC41E57FFE8EB85660F18C95EFD499B211D275A9048BA2

Uniqueness

Uniqueness Score: -1.00%

Function 00ECA944, Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.365776958.0000000000EC2000.00000040.00000001.sdmp, Offset: 00EC2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9c2ed280daf18a6eb61947cd7df03406f4fc41dfc283e12c7b63c7a2fbf3440
Instruction ID: 958130df3d185f9ecabd49d184e77e88c1f17c7f147e50c68024b575d9df79cf
Opcode Fuzzy Hash: e9c2ed280daf18a6eb61947cd7df03406f4fc41dfc283e12c7b63c7a2fbf3440
Instruction Fuzzy Hash: E62182B6908304AFD310CF0AEC41E57FFE8EB85660F14C95EFD499B211D275A8048BB2

Uniqueness

Uniqueness Score: -1.00%

Function 00ECA5C0, Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.365776958.0000000000EC2000.00000040.00000001.sdmp, Offset: 00EC2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0758f5f93e97c581bdb4a1a751a818dc7cbccf508a0e89fc84d5f52ec219c37b
Instruction ID: 2cb68b052c9a82f2e694c937384b912b993cf37ad8c9450c91c3fb93a981883e
Opcode Fuzzy Hash: 0758f5f93e97c581bdb4a1a751a818dc7cbccf508a0e89fc84d5f52ec219c37b
Instruction Fuzzy Hash: 7021BF72908344AFD7118F09DC41E67FFB8EB86660F18C55EFD499A211D276A9048BA2

Uniqueness

Uniqueness Score: -1.00%

Function 00ECA81A, Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.365776958.0000000000EC2000.00000040.00000001.sdmp, Offset: 00EC2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a4ac78921c186e71dc2469e9c5abc9072a0b5a6a7807344358ee037cc860852
Instruction ID: b33f664e6831dd1418485622e55ed2cf0db12551807c52f31f24d06461544343
Opcode Fuzzy Hash: 0a4ac78921c186e71dc2469e9c5abc9072a0b5a6a7807344358ee037cc860852
Instruction Fuzzy Hash: FF217C76908340AFD710CF09EC45E57FFE8EB89620F18C96FFD499B211D276A5048BA2

Uniqueness

Uniqueness Score: -1.00%

Function 00ECA3AA, Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.365776958.0000000000EC2000.00000040.00000001.sdmp, Offset: 00EC2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5994142d87245cbfccb8adfeaa64628b8c06e165d8a6d78f28d864190862f7bd
Instruction ID: 815e6e24fe41dd3829d25685ef29c043b9ae7892f042bbb5c7cafd896141c8ae
Opcode Fuzzy Hash: 5994142d87245cbfccb8adfeaa64628b8c06e165d8a6d78f28d864190862f7bd
Instruction Fuzzy Hash: D221F372908340BFD7118F099C41E67FFA8EB86670F18C55EFD499B211C236A4048BA2

Uniqueness

Uniqueness Score: -1.00%

Function 00ECAAC8, Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.365776958.0000000000EC2000.00000040.00000001.sdmp, Offset: 00EC2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dcb272b03ae0e6dd6cbd3bb946f077444e48a1d3776aadb2d194f5b7a876ce26
Instruction ID: c89855765aa4f02a3d41c01c1d03c39e7d241b7dbf6353700b38fa49cf332afb
Opcode Fuzzy Hash: dcb272b03ae0e6dd6cbd3bb946f077444e48a1d3776aadb2d194f5b7a876ce26
Instruction Fuzzy Hash: D5314AB550E3C19FD302CF258850A56BFF4EF8A214F0988DFE8C8DB252D2759909CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00ECA191, Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.365776958.0000000000EC2000.00000040.00000001.sdmp, Offset: 00EC2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d90f2cbb1c4917f56e9cf5f2dbff4078b2002883cdeeefe45e25bb75036971e4
Instruction ID: 578ed0c92572094163e8b86f5c9e05323cba80e4d6a00d882fe0abda4abe3205
Opcode Fuzzy Hash: d90f2cbb1c4917f56e9cf5f2dbff4078b2002883cdeeefe45e25bb75036971e4
Instruction Fuzzy Hash: C421D072609344BFD7118F0AAC41E66FFACEB86670F18C55FFD099A211C676A9048BA1

Uniqueness

Uniqueness Score: -1.00%

Function 02B042FF, Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.366151852.0000000002B00000.00000040.00000001.sdmp, Offset: 02B00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1239f89fe8f2e58cd2fea6c47ceddcea505d10bf1876c2f788eca9e270209773
Instruction ID: 353a904e1dd34e6cf0d9f018726da275ca7bb9198af6a410f35e02555035f84a
Opcode Fuzzy Hash: 1239f89fe8f2e58cd2fea6c47ceddcea505d10bf1876c2f788eca9e270209773
Instruction Fuzzy Hash: D111BC30909388EFCB06EB64E8959987F70EB06304F1046EAD880672E6D776585ACFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02B00007, Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.366151852.0000000002B00000.00000040.00000001.sdmp, Offset: 02B00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b57032753f385d7c4d5dffe6628bb1438a430b9a2ac27296504d55cd2021f146
Instruction ID: f36c815e5ebcfe38f78c5a7b4dbda4ddb67af650e685b36b350e216d8c8926c7
Opcode Fuzzy Hash: b57032753f385d7c4d5dffe6628bb1438a430b9a2ac27296504d55cd2021f146
Instruction Fuzzy Hash: 6B21726180E3C45FC7135F704CA5AEA7FB09F13200F0A54DBD480EB2E3D6284909DB62

Uniqueness

Uniqueness Score: -1.00%

Function 00ECA96E, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.365776958.0000000000EC2000.00000040.00000001.sdmp, Offset: 00EC2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 538affd50665c592194030602a589d6d19090247ffd2de23594b43f22b6e9a43
Instruction ID: 500424484d6e69ee06b6b5f52902f1464dd0ccab3b7a6752dda09c5f4817a708
Opcode Fuzzy Hash: 538affd50665c592194030602a589d6d19090247ffd2de23594b43f22b6e9a43
Instruction Fuzzy Hash: C82153B6A04304AFD310CF09EC41E57FBE8EB88670F14C92EFD4997301D675A5148BA2

Uniqueness

Uniqueness Score: -1.00%

Function 00ECA842, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.365776958.0000000000EC2000.00000040.00000001.sdmp, Offset: 00EC2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 848d38a43eb8fd0dc931d924aaab2cd6b3772f8bb673b726c8a1c9160ca0b344
Instruction ID: 05c49089f277d0746176d504f9fe525150ad0ff5ff80c12fc488739264b847ee
Opcode Fuzzy Hash: 848d38a43eb8fd0dc931d924aaab2cd6b3772f8bb673b726c8a1c9160ca0b344
Instruction Fuzzy Hash: E3213376A44304AFD310CF09EC41E57FBE8EB88670F14C92EFD4997311D675A5148BA2

Uniqueness

Uniqueness Score: -1.00%

Function 00ECA716, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.365776958.0000000000EC2000.00000040.00000001.sdmp, Offset: 00EC2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ccf0c4f4d47db5c0e8f072f6aea913313af4a44c0bde8ec9fc4f65067afd895b
Instruction ID: 66b1cfb9479bce0fcd1c5af9725a6569cd7e0340889d8e0d7d0b0160c41c7870
Opcode Fuzzy Hash: ccf0c4f4d47db5c0e8f072f6aea913313af4a44c0bde8ec9fc4f65067afd895b
Instruction Fuzzy Hash: EB2130B6A44304AFD310CF0AEC41E57FBE8EB88670F14C92EFD4997311D675A9148BA2

Uniqueness

Uniqueness Score: -1.00%

Function 00ECA5EA, Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.365776958.0000000000EC2000.00000040.00000001.sdmp, Offset: 00EC2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bff521fe72434764d8fe8c22b97b3a41bec8ab0985da397e384a1ccfdd2d90d
Instruction ID: b94ce00206db3d9e8f631c38dbd5ee00520104d49b50b2401fe7c36c51b1f47c
Opcode Fuzzy Hash: 4bff521fe72434764d8fe8c22b97b3a41bec8ab0985da397e384a1ccfdd2d90d
Instruction Fuzzy Hash: 03119376A44304BFD2108F0AEC41E67FBA8EB84670F18C56EFD099B211D676B5148BA2

Uniqueness

Uniqueness Score: -1.00%

Function 00ECA3D2, Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.365776958.0000000000EC2000.00000040.00000001.sdmp, Offset: 00EC2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23c6634a4acea123b5e4d1d0df1ad23433abc21dced47d4a8547da2969fd846f
Instruction ID: 3a7c3ecd1569883f436dbc7d95dd23a0a27d1a15a20cd05f0cce2c0ff170c5a7
Opcode Fuzzy Hash: 23c6634a4acea123b5e4d1d0df1ad23433abc21dced47d4a8547da2969fd846f
Instruction Fuzzy Hash: E9119676A44304BFD2108F0AEC41E67FBA8EB84670F14C56EFD095B311D676A5148BA2

Uniqueness

Uniqueness Score: -1.00%

Function 02B02988, Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.366151852.0000000002B00000.00000040.00000001.sdmp, Offset: 02B00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2fd61c7bc60c605ec7effadaf8e838bf3023445d5e6a2544d9e3d8344edfce1
Instruction ID: f734d5660924e2fa4ae48eb4dffe4b355e3567e5849cca3295c5f155e022b2d7
Opcode Fuzzy Hash: b2fd61c7bc60c605ec7effadaf8e838bf3023445d5e6a2544d9e3d8344edfce1
Instruction Fuzzy Hash: 6E21E4B0D00209DFDB08DFAAC584AAEFBF2FF48314F2091A9C814B7254D7349A85CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00ECA640, Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.365776958.0000000000EC2000.00000040.00000001.sdmp, Offset: 00EC2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b55d8c5f77a4785376b803e217ee5860d82737ae0463ee55193e7c4fa524d7ad
Instruction ID: cf4efb314aefc89cf986f0d824a3229d2f0814b0eb5515ba22df516eb49aff67
Opcode Fuzzy Hash: b55d8c5f77a4785376b803e217ee5860d82737ae0463ee55193e7c4fa524d7ad
Instruction Fuzzy Hash: 1B214DB5509380AFD702CF159C51957BFE4EF86620F09899AF9889B252D235A908CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00ECA1BA, Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.365776958.0000000000EC2000.00000040.00000001.sdmp, Offset: 00EC2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d9202874b981e0cba6a6c31a741b483f7344a8aad961aa3d3c0ff256a3bb36d
Instruction ID: d530b6355c2dce70f6d25cfd3583498cc86cac8866a61fb14b3f479ec939fae1
Opcode Fuzzy Hash: 2d9202874b981e0cba6a6c31a741b483f7344a8aad961aa3d3c0ff256a3bb36d
Instruction Fuzzy Hash: 5711C672A41204BFD7108E0AEC42E63FBACEB85A70F18C46FFD095B201D676B5148BB1

Uniqueness

Uniqueness Score: -1.00%

Function 0128075C, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.366047534.0000000001280000.00000040.00000040.sdmp, Offset: 01280000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 906df300d809bc1a261cc789d09ebb36980aec59e1033aeb63e0b0cef1dc0cb6
Instruction ID: 9555a77d40cd049cc88da5c09e7f0796831e97bc98b45a70913188116091f840
Opcode Fuzzy Hash: 906df300d809bc1a261cc789d09ebb36980aec59e1033aeb63e0b0cef1dc0cb6
Instruction Fuzzy Hash: 5611E434215284EFE309EB24C980B26BB91AB88B08F24C59CFA491B683C777D807CE55

Uniqueness

Uniqueness Score: -1.00%

Function 01280726, Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.366047534.0000000001280000.00000040.00000040.sdmp, Offset: 01280000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 449ca3c4004c75fb7fc75b9317c28048fe288674c6eea1099d1afed9f36e12d1
Instruction ID: 8614e4ae79d846829daf952b7392736b14bb7810028d8b93734953cbe774977c
Opcode Fuzzy Hash: 449ca3c4004c75fb7fc75b9317c28048fe288674c6eea1099d1afed9f36e12d1
Instruction Fuzzy Hash: 92214F3550A3C19FD7179B20C850B15BFB1AB47314F1985EED5855B6A3C73A880ACB51

Uniqueness

Uniqueness Score: -1.00%

Function 00ECAB09, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.365776958.0000000000EC2000.00000040.00000001.sdmp, Offset: 00EC2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24cac8ea67e4cd1b27dbd109266fc9c6ce3463a54bf1168ab1d4be0ab88d3d8a
Instruction ID: be04029be7b7cb4e481d62fce6c5a9b479d7752a12bd2ab52e32ae5eb97ba48b
Opcode Fuzzy Hash: 24cac8ea67e4cd1b27dbd109266fc9c6ce3463a54bf1168ab1d4be0ab88d3d8a
Instruction Fuzzy Hash: 0011A7B5A08301AFD350CF19D881A5BFBE4FB88660F14896EF998D7311D375E9448FA2

Uniqueness

Uniqueness Score: -1.00%

Function 00ECA118, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.365776958.0000000000EC2000.00000040.00000001.sdmp, Offset: 00EC2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c769be53c7bc5ecba04854ca0f7e6567ec9142a38821e41878222d3cecf18fa
Instruction ID: 9f0b4fc56fd690923da17a65021700bc8a99b1c7139b447f372eb0233a3213b5
Opcode Fuzzy Hash: 0c769be53c7bc5ecba04854ca0f7e6567ec9142a38821e41878222d3cecf18fa
Instruction Fuzzy Hash: 4F01D4B250E3C46FD3124B265C55AA2BF78DF43660F0C84CBED849F193D25A6909D7B2

Uniqueness

Uniqueness Score: -1.00%

Function 012805D1, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.366047534.0000000001280000.00000040.00000040.sdmp, Offset: 01280000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc4ef9fe2f1648264ed27e7ac493d973356adba0164d70215a295f63f8d00131
Instruction ID: e371569af2a1fbb573beb1595787dbfa562fc7f45d7e73bb035e1313f7f7d3fa
Opcode Fuzzy Hash: bc4ef9fe2f1648264ed27e7ac493d973356adba0164d70215a295f63f8d00131
Instruction Fuzzy Hash: EBF0A9B65097806FD7128F06EC41862FFB8EF86670719C09FFD49CB611D525A948CB71

Uniqueness

Uniqueness Score: -1.00%

Function 02B003E9, Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.366151852.0000000002B00000.00000040.00000001.sdmp, Offset: 02B00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9209679f99d4a421610a7c927bb4285878b56bcfef57765911668cea11997527
Instruction ID: a15a8fb0261244798aa62310324e942526f7714748244f0b89691012788620e9
Opcode Fuzzy Hash: 9209679f99d4a421610a7c927bb4285878b56bcfef57765911668cea11997527
Instruction Fuzzy Hash: D4F03034A42208DFDB09DBB0D550FEF7376DF86204F2499A8904127385CA795F51EA55

Uniqueness

Uniqueness Score: -1.00%

Function 02B00070, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.366151852.0000000002B00000.00000040.00000001.sdmp, Offset: 02B00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca4893a568656118906fd3f867f5499339bde4a0d981e378466690864088620a
Instruction ID: 50d902928726b0f7c837b58b7bf38d41d8166dcfc8d444219db568803e925b41
Opcode Fuzzy Hash: ca4893a568656118906fd3f867f5499339bde4a0d981e378466690864088620a
Instruction Fuzzy Hash: 2EF05870D0120D9BEB55ABA5C895BAFBEF4AB09700F10582AD101B3280EAB559048BE5

Uniqueness

Uniqueness Score: -1.00%

Function 02B003F8, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.366151852.0000000002B00000.00000040.00000001.sdmp, Offset: 02B00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67d9b6900412e645c0e3efe03e0d469f0dbd31498a4202d9218693f033aba835
Instruction ID: f0131f9971b104753039863105d9f37872234c39ba05d2a2d4b88649ee21446b
Opcode Fuzzy Hash: 67d9b6900412e645c0e3efe03e0d469f0dbd31498a4202d9218693f033aba835
Instruction Fuzzy Hash: B7F0AC34A4220C9BD708EBF1C550FAF737BDB85204F649CA8940533385CEB59E51A995

Uniqueness

Uniqueness Score: -1.00%

Function 01280818, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.366047534.0000000001280000.00000040.00000040.sdmp, Offset: 01280000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 525cef522958239b2deb72ab7ac90410e2832b06fb356f1b7ca8807ee3c9392c
Instruction ID: eab0f8d3e3d6082c9010479e1b413318f02482f9ca87d85ea9670a701b66321a
Opcode Fuzzy Hash: 525cef522958239b2deb72ab7ac90410e2832b06fb356f1b7ca8807ee3c9392c
Instruction Fuzzy Hash: 69F01D35214645DFC306DF44D940B15FBA2EB89718F24C6ADE9490B752C337E813DE85

Uniqueness

Uniqueness Score: -1.00%

Function 02B009D8, Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.366151852.0000000002B00000.00000040.00000001.sdmp, Offset: 02B00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ddad486e646728c6b32ef60282860403d8525d2262e21942f1146bbd518ef45
Instruction ID: 55c46534a66372cd2d0e7e9748c6d91ee1db40d0514a82b6157ff7dd08215c39
Opcode Fuzzy Hash: 1ddad486e646728c6b32ef60282860403d8525d2262e21942f1146bbd518ef45
Instruction Fuzzy Hash: F7F09070901208EFCB09EBF4CA526AD7B75DF81301F6411AAD400773A0EB301E45CB92

Uniqueness

Uniqueness Score: -1.00%

Function 012805F6, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.366047534.0000000001280000.00000040.00000040.sdmp, Offset: 01280000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d52d2b393a142dd5b3776f54feca4adf90eadb60d17140603468459d4c684a73
Instruction ID: a2c0971e26900344d5affeac6bd3d1716590a353817d418ff702d10c4951c24e
Opcode Fuzzy Hash: d52d2b393a142dd5b3776f54feca4adf90eadb60d17140603468459d4c684a73
Instruction Fuzzy Hash: 15E09276A006008BD650CF0BEC81462F7D8EB88630B18C07FDC0D8B700E539B504CEA5

Uniqueness

Uniqueness Score: -1.00%

Function 00ECAB6B, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.365776958.0000000000EC2000.00000040.00000001.sdmp, Offset: 00EC2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 581a99c3d9b5d596c3bb91dcb693cbd96e4851d1597561627f11ebc47faffc15
Instruction ID: 57d4d79d1aec405ae417e75fe4632c50ebf7b0b3b5877830611aaaf8dc57214b
Opcode Fuzzy Hash: 581a99c3d9b5d596c3bb91dcb693cbd96e4851d1597561627f11ebc47faffc15
Instruction Fuzzy Hash: 02E0D872E403006BD2109E069C82B63FB9CEB40A70F14C45BEE085B342E5B5B5148AE1

Uniqueness

Uniqueness Score: -1.00%

Function 00ECA363, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.365776958.0000000000EC2000.00000040.00000001.sdmp, Offset: 00EC2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af7432a3f36f1d7793a74cfab031e172a267c3b335768a71ed5ca79feef143a5
Instruction ID: 67783bb3b75234061785c1045a906dd089cf38fa74cb3e7c64ff08d7aabb0c4e
Opcode Fuzzy Hash: af7432a3f36f1d7793a74cfab031e172a267c3b335768a71ed5ca79feef143a5
Instruction Fuzzy Hash: 0FE0D872E403006BD2108E069C82B63FB5CEB40970F14C45BED085B301D5B5B5048AE1

Uniqueness

Uniqueness Score: -1.00%

Function 00ECA8FB, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.365776958.0000000000EC2000.00000040.00000001.sdmp, Offset: 00EC2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64df7eb70d9c762c86b7c1e8c1021fe28be3ba3c10b62e56b555aa65f0bf0f59
Instruction ID: d69ce0c65df3aab95fa366629f3f32874fedcfa0642cd43d79c9c3652fa71729
Opcode Fuzzy Hash: 64df7eb70d9c762c86b7c1e8c1021fe28be3ba3c10b62e56b555aa65f0bf0f59
Instruction Fuzzy Hash: 8DE0D872A403006BD2508F06DC82F63FB5CEB51A70F14C45BED085F301D5B5B5048AE1

Uniqueness

Uniqueness Score: -1.00%

Function 00ECA57B, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.365776958.0000000000EC2000.00000040.00000001.sdmp, Offset: 00EC2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38b3ebdb0cf7c455d775fcd43bd72ae025f3f689ec6a08bb50c18f1095198ad3
Instruction ID: e60fe62b2188696979a57208eaf084b3cccd8fd3e2a3860c29c0d21d1e16ea92
Opcode Fuzzy Hash: 38b3ebdb0cf7c455d775fcd43bd72ae025f3f689ec6a08bb50c18f1095198ad3
Instruction Fuzzy Hash: BEE0D872A403046BD2108E069C82B63FB5CEB40970F14C45BED085B301D5B6B5048AE5

Uniqueness

Uniqueness Score: -1.00%

Function 00ECA14C, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.365776958.0000000000EC2000.00000040.00000001.sdmp, Offset: 00EC2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c4528a40bce206c0f56795759f40e68c82cdc598dfe32954263fa5c3b97ea56
Instruction ID: 01a52959999768b14bacaef8f58cae3c57f0719678601357576362de78f44137
Opcode Fuzzy Hash: 7c4528a40bce206c0f56795759f40e68c82cdc598dfe32954263fa5c3b97ea56
Instruction Fuzzy Hash: 1CE0D872A417046BD2108E079C82B63FB5CEB40970F14C45BED085B741D5B5B5048AE5

Uniqueness

Uniqueness Score: -1.00%

Function 00ECA7CF, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.365776958.0000000000EC2000.00000040.00000001.sdmp, Offset: 00EC2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7bab2551b4bff035ced47f2f972dc6a5fbaa58ddf815e32fe7afc826ccab37cb
Instruction ID: 74b04db18c170cae27cf54e1797da40749ec82a9685830955d69738ed3018801
Opcode Fuzzy Hash: 7bab2551b4bff035ced47f2f972dc6a5fbaa58ddf815e32fe7afc826ccab37cb
Instruction Fuzzy Hash: 5EE0D872A403006BD2108F069C82F63FB5CEB54A70F14C45BED085F301D5B6B5048AF1

Uniqueness

Uniqueness Score: -1.00%

Function 00ECA6A3, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.365776958.0000000000EC2000.00000040.00000001.sdmp, Offset: 00EC2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47bf51e0947442582fd1cee88b8dbfd2431f32640f67b0137cbca2cfe5e71873
Instruction ID: 8631f7b9d3a4287333c1dece01cf2dec6448c043cff1d5f7515a3ddff98cdd71
Opcode Fuzzy Hash: 47bf51e0947442582fd1cee88b8dbfd2431f32640f67b0137cbca2cfe5e71873
Instruction Fuzzy Hash: ECE0D872A403006BD2109F069C82F63FF5CEB40A70F14C55BED085B301D5B5B5048AE1

Uniqueness

Uniqueness Score: -1.00%

Function 02B009E8, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.366151852.0000000002B00000.00000040.00000001.sdmp, Offset: 02B00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c433fd7c5552c67aa8ecd256a77dedb029ccefad1d07a6959578d6a365dd86ba
Instruction ID: c55e4e85555f8bec8285f157d291f34255a8615469fe85cbcfd655ede1e02156
Opcode Fuzzy Hash: c433fd7c5552c67aa8ecd256a77dedb029ccefad1d07a6959578d6a365dd86ba
Instruction Fuzzy Hash: 32F01C30900108EBCB08EBE8DA52AADB775EF80301F6016A9D40577390DF315E41DB91

Uniqueness

Uniqueness Score: -1.00%

Function 02B00458, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.366151852.0000000002B00000.00000040.00000001.sdmp, Offset: 02B00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d85f883b3adcde28d04eb81e6be82c95dda8ee25ff99a43cb5065c1f1bf3d9a2
Instruction ID: ab6ae83c2420c061afa0557d93f27aac0701f0afca0e1c9ebbbb876324dc8b95
Opcode Fuzzy Hash: d85f883b3adcde28d04eb81e6be82c95dda8ee25ff99a43cb5065c1f1bf3d9a2
Instruction Fuzzy Hash: 7FF03F70C01208DFCB04EFB4D408AAEBBB0FB4A205F204AAEC851A3210D7329A51CF80

Uniqueness

Uniqueness Score: -1.00%

Function 02B00460, Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.366151852.0000000002B00000.00000040.00000001.sdmp, Offset: 02B00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b91dcd9b26ba5386b848a9c863920704bb5d2450e7c213ac40b0749c27a16d1a
Instruction ID: 2ec93688fbf46a7f6fbf905677aa09607736efbe77190e10793f0e785f9ead72
Opcode Fuzzy Hash: b91dcd9b26ba5386b848a9c863920704bb5d2450e7c213ac40b0749c27a16d1a
Instruction Fuzzy Hash: 07F01574C01208EFCB04EFB5D448AAEBBB0FB04205F1049A9C81563350D7719A51CF81

Uniqueness

Uniqueness Score: -1.00%

Function 02B0D088, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.366151852.0000000002B00000.00000040.00000001.sdmp, Offset: 02B00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f088204d46fe9e319c1aa7bf06b0ecc2130849be94cb31261827aee6edfa81c0
Instruction ID: 93dd19cad94e72cdf43fe0bc1a198b98bd1d2fe1ebcfc5312c2e30b676f24778
Opcode Fuzzy Hash: f088204d46fe9e319c1aa7bf06b0ecc2130849be94cb31261827aee6edfa81c0
Instruction Fuzzy Hash: 24E0ED74904208AFC705DF99D8549ACBBB5EB48300F10C0EA984853381D6369A52DF94

Uniqueness

Uniqueness Score: -1.00%

Function 02B00230, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.366151852.0000000002B00000.00000040.00000001.sdmp, Offset: 02B00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 729bd4dccce5da326d435efa85156e049c3c3cfac1b27370454060fbdd4b3a66
Instruction ID: 17a81f7ed89c1bccf468db6193644d95e4406006ba4fd95081a19f23ee8f74c4
Opcode Fuzzy Hash: 729bd4dccce5da326d435efa85156e049c3c3cfac1b27370454060fbdd4b3a66
Instruction Fuzzy Hash: BEE04F34905308DFCB05EFA5D545A6DBBB5EB49301F1040B9D849A3350D7725A45DB81

Uniqueness

Uniqueness Score: -1.00%

Function 02B04310, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.366151852.0000000002B00000.00000040.00000001.sdmp, Offset: 02B00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44ad19b6354b6e10d774fdb3e84a1943b269ec73ac6ddd1db29e4b2f471393fb
Instruction ID: bb9a43a7402123fb2d7ef8e8a791f3325c5b788d1769db3683233bbf1f673296
Opcode Fuzzy Hash: 44ad19b6354b6e10d774fdb3e84a1943b269ec73ac6ddd1db29e4b2f471393fb
Instruction Fuzzy Hash: 55E08630804208EFC704EF64D8459ADBF71FB41301F109069DC4423390C7315A55DF94

Uniqueness

Uniqueness Score: -1.00%

Function 02B0BEC0, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.366151852.0000000002B00000.00000040.00000001.sdmp, Offset: 02B00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7af0ff20013a9e70b394e5cf9809e81ba7e1d05e7852fc648bfabeeb75928541
Instruction ID: e370fd9e1bcc0ac4671b45b2986765ace87ff70c364e34d93fca8e796e075fb5
Opcode Fuzzy Hash: 7af0ff20013a9e70b394e5cf9809e81ba7e1d05e7852fc648bfabeeb75928541
Instruction Fuzzy Hash: 58E08C70C04208EFCB04DFA4D8446ACFBB5EB44304F1084F9C90863380C7702A04DF80

Uniqueness

Uniqueness Score: -1.00%

Function 02B000ED, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.366151852.0000000002B00000.00000040.00000001.sdmp, Offset: 02B00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f38c837bf1afebc30607af16d5b0ca096a7b6cde5399a4f0c422552f8d73401
Instruction ID: 7ad50b16eefeb4a79683d4a3c007023797b886cf7147386011f48320aa9f16ae
Opcode Fuzzy Hash: 1f38c837bf1afebc30607af16d5b0ca096a7b6cde5399a4f0c422552f8d73401
Instruction Fuzzy Hash: 9CD01736D01208CFCB009FA9E084AEDBBB1EB89325F248866C119B3200C7315485CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00EB23F4, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.365736443.0000000000EB2000.00000040.00000001.sdmp, Offset: 00EB2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 807c6fd0ba4f4652afdb0ee0a7025d22a6e074ee9d468eef74af5cb4e2d7b4be
Instruction ID: 94d2986d20c1b081aad2edea8b91b8f7be856e3406aa6edfd5a08932bd3f93a3
Opcode Fuzzy Hash: 807c6fd0ba4f4652afdb0ee0a7025d22a6e074ee9d468eef74af5cb4e2d7b4be
Instruction Fuzzy Hash: E6D05E79215A818FD3268A1CC1A8BD63F94EF51B09F4644FDE8008BA63C368D981E200

Uniqueness

Uniqueness Score: -1.00%

Function 00EB23BC, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.365736443.0000000000EB2000.00000040.00000001.sdmp, Offset: 00EB2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77efd5ad540f9ab4f0846bacd61a4ea53ea1083379b215518dbe6028a0178471
Instruction ID: 214c528f1878eeb9f9ea9eccaddfa072eb13153af82b6f30d5aa30ddaeef3dbd
Opcode Fuzzy Hash: 77efd5ad540f9ab4f0846bacd61a4ea53ea1083379b215518dbe6028a0178471
Instruction Fuzzy Hash: 52D05E342002828BC715DB0CD594F9A37D4AF41B04F0654ECAD009B662C3A8DCC1C600

Uniqueness

Uniqueness Score: -1.00%

Function 02B000CD, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.366151852.0000000002B00000.00000040.00000001.sdmp, Offset: 02B00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b77cb130c8090936fa0c09834fc5df27ad43cd6bea2dd373f89873c57f5587ec
Instruction ID: abd570f72237e322795e773813870dee91a7a47c498ff247d148d74656dfde1a
Opcode Fuzzy Hash: b77cb130c8090936fa0c09834fc5df27ad43cd6bea2dd373f89873c57f5587ec
Instruction Fuzzy Hash: F4D0C93AE01208CF8B109FE9E4444DCF775EB8A226B249566C515B3310C7329456CF50

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: bbbe7872ea466446da60c4da50020cbb.exe PID: 348 Parent PID: 5620 bbbe7872ea466446da60c4da50020cbb.exeCOMMON

Executed Functions

Function 04FD3850, Relevance: 2.0, Strings: 1, Instructions: 760COMMON

Download Yara Rule

Strings

>_Ir, xrefs: 04FD3F9D

Memory Dump Source

Source File: 0000000C.00000002.378308772.0000000004FD0000.00000040.00000001.sdmp, Offset: 04FD0000, based on PE: false

Similarity

API ID:
String ID: >_Ir
API String ID: 0-3386957151
Opcode ID: c9d4c7d804c956133220c70fe653aa343dac9f3f4b75d37b25fc10b0f445a995
Instruction ID: aa7ae32c687fc28028077f004bda6c9b65a97698a2fc4bcbaf4256e6e640676f
Opcode Fuzzy Hash: c9d4c7d804c956133220c70fe653aa343dac9f3f4b75d37b25fc10b0f445a995
Instruction Fuzzy Hash: 5E52B376A00219CFCB15CF68C9849A9BBB3FF85300B1985A6DA159F256D731FC42CB92

Uniqueness

Uniqueness Score: -1.00%

Function 04FD23A0, Relevance: .5, Instructions: 505COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.378308772.0000000004FD0000.00000040.00000001.sdmp, Offset: 04FD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79d707c631bbab57813eba4107e83655a5e6b8a79d51da0b36e54d9d8ce87149
Instruction ID: 6e47f06c3301ef12d3e27a2cd8b353ffdc300e1686f736db31c347169ec722ce
Opcode Fuzzy Hash: 79d707c631bbab57813eba4107e83655a5e6b8a79d51da0b36e54d9d8ce87149
Instruction Fuzzy Hash: 6512BC36E00255CFD724DF28C5806AEBBF3FF84305F1A85A9D4169B385EB75A846DB80

Uniqueness

Uniqueness Score: -1.00%

Function 04FD2FA8, Relevance: .2, Instructions: 239COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.378308772.0000000004FD0000.00000040.00000001.sdmp, Offset: 04FD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62081c09c1c4ed642ec6cff4885e75e1c80e1f37a40502c10c2777307d5e8708
Instruction ID: b94c49f8a125cf89e1024f5e0c03eb9db341a1bf2d4bd2a01dd92f2af55b7d31
Opcode Fuzzy Hash: 62081c09c1c4ed642ec6cff4885e75e1c80e1f37a40502c10c2777307d5e8708
Instruction Fuzzy Hash: 4F818F32F001159BD718DB69C944A6EBBF3AFC8310F2A8175D915DB359DE31EC029B91

Uniqueness

Uniqueness Score: -1.00%

Function 04FD09A0, Relevance: 5.2, Strings: 4, Instructions: 180COMMON

Download Yara Rule

Strings

X1kr, xrefs: 04FD0A50
X1kr, xrefs: 04FD0A5A
X1kr, xrefs: 04FD0AA2
X1kr, xrefs: 04FD0A98

Memory Dump Source

Source File: 0000000C.00000002.378308772.0000000004FD0000.00000040.00000001.sdmp, Offset: 04FD0000, based on PE: false

Similarity

API ID:
String ID: X1kr$X1kr$X1kr$X1kr
API String ID: 0-2451847431
Opcode ID: d84d794ff4979089fa6f089def7bc12a83aa9d3b5a7da759e7c83ade1f318c30
Instruction ID: 33fe18b7cefbee322676a5e40c7b85b037fb67d5c8a52711b007efd54171538c
Opcode Fuzzy Hash: d84d794ff4979089fa6f089def7bc12a83aa9d3b5a7da759e7c83ade1f318c30
Instruction Fuzzy Hash: 4351D136B04255EFDB009BA8D854AAEB7A3EF84308F258465E506DB290DF30AD03DB81

Uniqueness

Uniqueness Score: -1.00%

Function 04FD02E8, Relevance: 2.7, Strings: 2, Instructions: 177COMMON

Download Yara Rule

Strings

`5kr, xrefs: 04FD03A5
:@Dr, xrefs: 04FD0537

Memory Dump Source

Source File: 0000000C.00000002.378308772.0000000004FD0000.00000040.00000001.sdmp, Offset: 04FD0000, based on PE: false

Similarity

API ID:
String ID: :@Dr$`5kr
API String ID: 0-2548079215
Opcode ID: d236d78b0c6f51367e143c219ee5bd558d14d24522d774b9b2bafd8e291a1952
Instruction ID: e4eeb763f82579c3341ba2836e3ec00e0d120d79923ea64386a60b58ddf16d91
Opcode Fuzzy Hash: d236d78b0c6f51367e143c219ee5bd558d14d24522d774b9b2bafd8e291a1952
Instruction Fuzzy Hash: 35517D35B05201CFDB08DF68C4A0A6E7BF3AF89714F188069D9069B395EF75AC06DB52

Uniqueness

Uniqueness Score: -1.00%

Function 04FD0681, Relevance: 2.6, Strings: 2, Instructions: 145COMMON

Download Yara Rule

Strings

Zip^, xrefs: 04FD06A1, 04FD06A6
Yip^, xrefs: 04FD0702, 04FD0707

Memory Dump Source

Source File: 0000000C.00000002.378308772.0000000004FD0000.00000040.00000001.sdmp, Offset: 04FD0000, based on PE: false

Similarity

API ID:
String ID: Zip^$Yip^
API String ID: 0-4053552665
Opcode ID: 3ed511c98109009a140419f3f2df04632a1bb0bc6b59bcc96390a7b5b7248b44
Instruction ID: 3b83cbcd0f765fc3f1d9cc4ec91236dae57098c9e560bf1cda7589fff132a322
Opcode Fuzzy Hash: 3ed511c98109009a140419f3f2df04632a1bb0bc6b59bcc96390a7b5b7248b44
Instruction Fuzzy Hash: 3941703AB40140CFE7047B78E91866E7B67BFC0705B59497AE503CA2D8DFB05C12AB96

Uniqueness

Uniqueness Score: -1.00%

Function 04FD2D58, Relevance: 2.6, Strings: 2, Instructions: 126COMMON

Download Yara Rule

Strings

, xrefs: 04FD2E76
>_Ir, xrefs: 04FD2DA5

Memory Dump Source

Source File: 0000000C.00000002.378308772.0000000004FD0000.00000040.00000001.sdmp, Offset: 04FD0000, based on PE: false

Similarity

API ID:
String ID: $>_Ir
API String ID: 0-1787506450
Opcode ID: b5fc7941c7968bc8fd9432ee24f204e4864f6506ced0655ce83670dfc5688844
Instruction ID: 28c8eb13758efa94c00649d6bfff4cf2403c087a564f2945df70f7aa0d98c5c3
Opcode Fuzzy Hash: b5fc7941c7968bc8fd9432ee24f204e4864f6506ced0655ce83670dfc5688844
Instruction Fuzzy Hash: 7D41A171F081558BDB10DF69C8805AEBB63ABC5214B2EC9A6C416DB645D631F8038BD2

Uniqueness

Uniqueness Score: -1.00%

Function 04FD12A0, Relevance: 1.7, Strings: 1, Instructions: 460COMMON

Download Yara Rule

Strings

$ghr, xrefs: 04FD1349

Memory Dump Source

Source File: 0000000C.00000002.378308772.0000000004FD0000.00000040.00000001.sdmp, Offset: 04FD0000, based on PE: false

Similarity

API ID:
String ID: $ghr
API String ID: 0-1352911727
Opcode ID: 0a42a7ae93d3b9fb63b4ee4e8531cbaa8a844c51f9f6cbea25e0dab7e11554e7
Instruction ID: 1aa6f34fcc8fd2daf4f164c10b8a19fd6f85522fb4de442c6f8c80c4b173a8a8
Opcode Fuzzy Hash: 0a42a7ae93d3b9fb63b4ee4e8531cbaa8a844c51f9f6cbea25e0dab7e11554e7
Instruction Fuzzy Hash: 6322E639A00A45CFC724DF28C690A6ABBF2FF88300F148599D85A9B759DB35BD46CF41

Uniqueness

Uniqueness Score: -1.00%

Function 0288AA02, Relevance: 1.6, APIs: 1, Instructions: 92registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,00000E2C), ref: 0288AAB1

Memory Dump Source

Source File: 0000000C.00000002.375812165.000000000288A000.00000040.00000001.sdmp, Offset: 0288A000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 7cb9412f2f7785ee9d2fb93b26bdc47a18cee8f89f97f1dcd1424199e5251367
Instruction ID: 6fabc0b4793c4a691dac67f9748edd7d18e0a39fdcd985415a9a061ee81a2a32
Opcode Fuzzy Hash: 7cb9412f2f7785ee9d2fb93b26bdc47a18cee8f89f97f1dcd1424199e5251367
Instruction Fuzzy Hash: 7131B476544384AFE7228B25CC45F67BFECEF06710F08849BED859B152D264E819CB71

Uniqueness

Uniqueness Score: -1.00%

Function 0288AAF9, Relevance: 1.6, APIs: 1, Instructions: 89registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,A5FBC8D9,00000000,00000000,00000000,00000000), ref: 0288ABB4

Memory Dump Source

Source File: 0000000C.00000002.375812165.000000000288A000.00000040.00000001.sdmp, Offset: 0288A000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 9d658f0fb97f9be9f2222e9b8648f94768280b6b362e66829e37c7e01a6b0d2d
Instruction ID: 361430e7b96206d52f7a8e7e5a2713e20d7210ed0bc0eb0370944bca33fd4af9
Opcode Fuzzy Hash: 9d658f0fb97f9be9f2222e9b8648f94768280b6b362e66829e37c7e01a6b0d2d
Instruction Fuzzy Hash: 94319375509384AFD722CB65CC44F62BFF8EF06310F18849BE985DB192D364E549CB61

Uniqueness

Uniqueness Score: -1.00%

Function 051000F6, Relevance: 1.6, APIs: 1, Instructions: 89synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNELBASE(?,?), ref: 0510019D

Memory Dump Source

Source File: 0000000C.00000002.378757164.0000000005100000.00000040.00000001.sdmp, Offset: 05100000, based on PE: false

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 2b5109090b9d434555fca1d811f995d224dbfaabfcb403ac18338beb2816322d
Instruction ID: 5e64c7f50061e6a367ae955337cb5e9dde733c03baf497f97391e59cf59efe89
Opcode Fuzzy Hash: 2b5109090b9d434555fca1d811f995d224dbfaabfcb403ac18338beb2816322d
Instruction Fuzzy Hash: C1318F71509780AFE712CB65DC85F56FFE8EF06210F08849AE9858B292D375E909CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0288AF50, Relevance: 1.6, APIs: 1, Instructions: 77COMMON

Download Yara Rule

APIs

SetConsoleCtrlHandler.KERNELBASE(?,00000E2C,?,?), ref: 0288AFEA

Memory Dump Source

Source File: 0000000C.00000002.375812165.000000000288A000.00000040.00000001.sdmp, Offset: 0288A000, based on PE: false

Similarity

API ID: ConsoleCtrlHandler
String ID:
API String ID: 1513847179-0
Opcode ID: 6b87f1a3b4b01a0bc18a37eeae325a1937e44b0a9fbd52eb27d546ec96c542bb
Instruction ID: bebca262fcb1f6df6d614e1761003f055af7471cca72cf96f72aedf75495c71e
Opcode Fuzzy Hash: 6b87f1a3b4b01a0bc18a37eeae325a1937e44b0a9fbd52eb27d546ec96c542bb
Instruction Fuzzy Hash: 4421D67554D3C06FD3138B258C51B22BFB4EF87610F0A81DBE884CB553D225A919C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 0288AA32, Relevance: 1.6, APIs: 1, Instructions: 74registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,00000E2C), ref: 0288AAB1

Memory Dump Source

Source File: 0000000C.00000002.375812165.000000000288A000.00000040.00000001.sdmp, Offset: 0288A000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: f64af01778b5df602f9517dee57f2b953fb70f645d7446c5d3d9c34aca46425d
Instruction ID: 0ee3d29f223506eaca616569acfebac2c7047ff21a8d4f9b22f8c437ea67efa7
Opcode Fuzzy Hash: f64af01778b5df602f9517dee57f2b953fb70f645d7446c5d3d9c34aca46425d
Instruction Fuzzy Hash: 8521CD76500204AFE7219B25CD84F6BFBECEF08720F14845BEE45DA681D674E8188BB1

Uniqueness

Uniqueness Score: -1.00%

Function 0510012A, Relevance: 1.6, APIs: 1, Instructions: 72synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNELBASE(?,?), ref: 0510019D

Memory Dump Source

Source File: 0000000C.00000002.378757164.0000000005100000.00000040.00000001.sdmp, Offset: 05100000, based on PE: false

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 8ec778171f15dc7b20c1b99114159f535ef891a004d455086acabc3d7c7c5b05
Instruction ID: 4ef877e772494fdffece2491dae2ed53d92be73100a9b79fa39082061bc3843a
Opcode Fuzzy Hash: 8ec778171f15dc7b20c1b99114159f535ef891a004d455086acabc3d7c7c5b05
Instruction Fuzzy Hash: E821D471504240AFE720DF25DC49F6AFBE8EF08310F14846AED458B281E7B0E504CB71

Uniqueness

Uniqueness Score: -1.00%

Function 0288AB3A, Relevance: 1.6, APIs: 1, Instructions: 69registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,A5FBC8D9,00000000,00000000,00000000,00000000), ref: 0288ABB4

Memory Dump Source

Source File: 0000000C.00000002.375812165.000000000288A000.00000040.00000001.sdmp, Offset: 0288A000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 9303e6b6c167b29f4c6f13c14c195baff7359b5fc4f34fdb5b5ca42c2353afb4
Instruction ID: 291d1059a0ddb092ebd3305909fd6a26bbadbeb010dec7577cd9bd7e9c50cad1
Opcode Fuzzy Hash: 9303e6b6c167b29f4c6f13c14c195baff7359b5fc4f34fdb5b5ca42c2353afb4
Instruction Fuzzy Hash: B8213B79600604AFE720DE25DC84F67BBE8EF05710F14856BEA49DB291D760E408CAB1

Uniqueness

Uniqueness Score: -1.00%

Function 0288B7CA, Relevance: 1.6, APIs: 1, Instructions: 61windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 0288B841

Memory Dump Source

Source File: 0000000C.00000002.375812165.000000000288A000.00000040.00000001.sdmp, Offset: 0288A000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 5af2f79c99145fe8afe2fc38d52dfc960a1ea133a2d20b0a4df8a28b5182079a
Instruction ID: 77bbfe357b483a0ccfe122b6e846d2fc71bbefcb6ce80b52af4f7ac7f211f291
Opcode Fuzzy Hash: 5af2f79c99145fe8afe2fc38d52dfc960a1ea133a2d20b0a4df8a28b5182079a
Instruction Fuzzy Hash: 8821AE754093C09FDB128B21DC54A92BFB0EF17324F0D84DAEDC58F163D265A958DB62

Uniqueness

Uniqueness Score: -1.00%

Function 0288A51F, Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0288A58A

Memory Dump Source

Source File: 0000000C.00000002.375812165.000000000288A000.00000040.00000001.sdmp, Offset: 0288A000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 8a089209d6e1f7575a3535f58fe228910e17dbc5aa74519f67b3b31e6cd18e3b
Instruction ID: 18a6715f183690f2e0f59785312bba5cdc62206a8c77bf67d279322369e289a7
Opcode Fuzzy Hash: 8a089209d6e1f7575a3535f58fe228910e17dbc5aa74519f67b3b31e6cd18e3b
Instruction Fuzzy Hash: 7F118475409380AFDB228F55DC44B62FFF4EF4A220F0884DEEE898B552D375A518DB61

Uniqueness

Uniqueness Score: -1.00%

Function 0288BB4F, Relevance: 1.6, APIs: 1, Instructions: 59windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 0288BBB9

Memory Dump Source

Source File: 0000000C.00000002.375812165.000000000288A000.00000040.00000001.sdmp, Offset: 0288A000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 85a141666c4b6203795332f2b3cbc8c74a0d8aed4f954e8461458e29a5225d92
Instruction ID: c1a5de19f49c97fd0211729e5066621e6a795028be4e44a6139499539b14ceab
Opcode Fuzzy Hash: 85a141666c4b6203795332f2b3cbc8c74a0d8aed4f954e8461458e29a5225d92
Instruction Fuzzy Hash: C911D0355093C0AFDB228F25CC45B52FFB4EF06220F0884EEED858B563D275A418DBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0288BE05, Relevance: 1.6, APIs: 1, Instructions: 58windowCOMMON

Download Yara Rule

APIs

DispatchMessageW.USER32(?), ref: 0288BE70

Memory Dump Source

Source File: 0000000C.00000002.375812165.000000000288A000.00000040.00000001.sdmp, Offset: 0288A000, based on PE: false

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: deab1ae478b352afe668dacfd98c103fd27d5d6f5f896b823df3821beee271c2
Instruction ID: 814b570f17399c11343a27b797fb48cc57389a5dc5fc21fb320cb9ce3234ee72
Opcode Fuzzy Hash: deab1ae478b352afe668dacfd98c103fd27d5d6f5f896b823df3821beee271c2
Instruction Fuzzy Hash: 56117C754093C0AFD7128B259C44B62BFB4DF47624F0980DAED858F263D2656808CB62

Uniqueness

Uniqueness Score: -1.00%

Function 051004EF, Relevance: 1.6, APIs: 1, Instructions: 58COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 05100550

Memory Dump Source

Source File: 0000000C.00000002.378757164.0000000005100000.00000040.00000001.sdmp, Offset: 05100000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 1cade70a78bd63e18efcf27ff9075dd190361a116f0f5b101200c541fa9c07bb
Instruction ID: fea46a8a401fb274815a35c6fc24ed0074ae3b5d79686b0ef81f322ca6284514
Opcode Fuzzy Hash: 1cade70a78bd63e18efcf27ff9075dd190361a116f0f5b101200c541fa9c07bb
Instruction Fuzzy Hash: C611E271509380AFD712CF25DC85B52BFB8EF06220F0880EBED468F693D275A408CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0288B71E, Relevance: 1.6, APIs: 1, Instructions: 57windowCOMMON

Download Yara Rule

APIs

CreateIconFromResourceEx.USER32 ref: 0288B78A

Memory Dump Source

Source File: 0000000C.00000002.375812165.000000000288A000.00000040.00000001.sdmp, Offset: 0288A000, based on PE: false

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: c21e8104cff22607a6e54c14d553a10f938ab69aafaf76df330261c46956353c
Instruction ID: ba8ed9aa4bd4ec98fe7b1eb07a86831386dbc7dfcda2c05dafcffcd5ab32ab43
Opcode Fuzzy Hash: c21e8104cff22607a6e54c14d553a10f938ab69aafaf76df330261c46956353c
Instruction Fuzzy Hash: FA11A235404380AFDB228F55DC44B52FFF4EF49320F08849EEE898B522D375A418DB61

Uniqueness

Uniqueness Score: -1.00%

Function 0288BEB4, Relevance: 1.6, APIs: 1, Instructions: 56COMMON

Download Yara Rule

APIs

SetCurrentDirectoryW.KERNELBASE(?), ref: 0288BF0C

Memory Dump Source

Source File: 0000000C.00000002.375812165.000000000288A000.00000040.00000001.sdmp, Offset: 0288A000, based on PE: false

Similarity

API ID: CurrentDirectory
String ID:
API String ID: 1611563598-0
Opcode ID: c7f4cd6ddc8cfbef648fa19b5e46f141da3f3b54d4d547734c1c5b73f7ca5935
Instruction ID: f1313787995a043fa86de5d7b3acba2f80c64ec330736e21c3b065e1c445e9f7
Opcode Fuzzy Hash: c7f4cd6ddc8cfbef648fa19b5e46f141da3f3b54d4d547734c1c5b73f7ca5935
Instruction Fuzzy Hash: D4119175505384AFD711CF66DC85B56BFE8DF46220F0880EAED49DF252D274E848CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0288A75B, Relevance: 1.6, APIs: 1, Instructions: 52comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(?), ref: 0288A7BC

Memory Dump Source

Source File: 0000000C.00000002.375812165.000000000288A000.00000040.00000001.sdmp, Offset: 0288A000, based on PE: false

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: d305c7181bce46983aa538fb177b935cd48e5ef0dc3f73b0c463b8ea0356cf9d
Instruction ID: ee70398fc0b3b5600996c090a265797bdb0c3a67c5d068006b19234ace755650
Opcode Fuzzy Hash: d305c7181bce46983aa538fb177b935cd48e5ef0dc3f73b0c463b8ea0356cf9d
Instruction Fuzzy Hash: 9111C175449384AFD712CF25DC44B52BFB4EF42220F0980EBED898F253D279A448CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0288A8CC, Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32 ref: 0288A926

Memory Dump Source

Source File: 0000000C.00000002.375812165.000000000288A000.00000040.00000001.sdmp, Offset: 0288A000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: d55ffc87be014508201c7d3a6cddde638c0e91536b591047ebcea1d1f26390ee
Instruction ID: 0fe0768ebdce59157f015ba304a6a08bfd56c33088ab81675ee4402c0bf1a973
Opcode Fuzzy Hash: d55ffc87be014508201c7d3a6cddde638c0e91536b591047ebcea1d1f26390ee
Instruction Fuzzy Hash: 05118235409784AFD721CF55DC85B52FFF4EF46220F09C49AED898B262C375A418CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0288BED2, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

SetCurrentDirectoryW.KERNELBASE(?), ref: 0288BF0C

Memory Dump Source

Source File: 0000000C.00000002.375812165.000000000288A000.00000040.00000001.sdmp, Offset: 0288A000, based on PE: false

Similarity

API ID: CurrentDirectory
String ID:
API String ID: 1611563598-0
Opcode ID: 1244fb40e3e8238c6651849e53a806117555ffff3ecc92ed588ff74d88af1abc
Instruction ID: 7d9bf3cb7a6ceabf315d86f0e0db4069f7abbb86c949b12e93951af7d73ba137
Opcode Fuzzy Hash: 1244fb40e3e8238c6651849e53a806117555ffff3ecc92ed588ff74d88af1abc
Instruction Fuzzy Hash: 6901B179A002449FDB10DF6AD88576AFBD8DF44224F08C0AADD09CB742D7B4E408CF61

Uniqueness

Uniqueness Score: -1.00%

Function 0288A546, Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0288A58A

Memory Dump Source

Source File: 0000000C.00000002.375812165.000000000288A000.00000040.00000001.sdmp, Offset: 0288A000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: c3eec8d5af1532abe39c3593dc9c0a96d8db272b6d7dc5ba755e846cf40eea6e
Instruction ID: 8eed0f99cd404ef566703dad00c6e5396a6ce1070e0df2cd826102e37ae2c55b
Opcode Fuzzy Hash: c3eec8d5af1532abe39c3593dc9c0a96d8db272b6d7dc5ba755e846cf40eea6e
Instruction Fuzzy Hash: DD01AD39400604EFDB219F95D844B16FFE0EF08320F08C4AADE498B652D375E058DF61

Uniqueness

Uniqueness Score: -1.00%

Function 0288B746, Relevance: 1.5, APIs: 1, Instructions: 45windowCOMMON

Download Yara Rule

APIs

CreateIconFromResourceEx.USER32 ref: 0288B78A

Memory Dump Source

Source File: 0000000C.00000002.375812165.000000000288A000.00000040.00000001.sdmp, Offset: 0288A000, based on PE: false

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: fc5446bfc0946fe14f0870dbbfbf6c0f5ddbb219b7098760490f6d4583a06508
Instruction ID: b016fa1f1303ad87c38a272aa123d6eee5aa808deb486ea18db6d1e0e744198a
Opcode Fuzzy Hash: fc5446bfc0946fe14f0870dbbfbf6c0f5ddbb219b7098760490f6d4583a06508
Instruction Fuzzy Hash: 94015B39400704EFDB219F95D844B66FFE4EF48324F0885AADE4A8A612D3B5E418DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0288AF9A, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

SetConsoleCtrlHandler.KERNELBASE(?,00000E2C,?,?), ref: 0288AFEA

Memory Dump Source

Source File: 0000000C.00000002.375812165.000000000288A000.00000040.00000001.sdmp, Offset: 0288A000, based on PE: false

Similarity

API ID: ConsoleCtrlHandler
String ID:
API String ID: 1513847179-0
Opcode ID: 9cadbb60441408206054b180c2b072ad4f40e6f6e5fde54f2d1b04b018e3b856
Instruction ID: 24b8c5b8dae98574010e77792f3c19dd53be1200b04a35bfbf880b738f8605f0
Opcode Fuzzy Hash: 9cadbb60441408206054b180c2b072ad4f40e6f6e5fde54f2d1b04b018e3b856
Instruction Fuzzy Hash: A3018F76600600ABD210DF16DC82B26FBA8EB88A20F14815AED084B741E371F515CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 0510051E, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 05100550

Memory Dump Source

Source File: 0000000C.00000002.378757164.0000000005100000.00000040.00000001.sdmp, Offset: 05100000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: bb6155c5c748b0a5bbd2437adf803d92d0530521c1ff2c987d571eb79463ce8a
Instruction ID: 384494e0543710c3f033836d035ddccc168fb3ea3b3f124ffd175f55bf0db26f
Opcode Fuzzy Hash: bb6155c5c748b0a5bbd2437adf803d92d0530521c1ff2c987d571eb79463ce8a
Instruction Fuzzy Hash: 5B017175500640DFD710CF59D889766FF94EF48220F18D0AADD4A8B642D7B5E408CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 0288BB7E, Relevance: 1.5, APIs: 1, Instructions: 42windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 0288BBB9

Memory Dump Source

Source File: 0000000C.00000002.375812165.000000000288A000.00000040.00000001.sdmp, Offset: 0288A000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 8e16a9d2d99955445b794d06ede920b7ba969727c6a183bdbd22aa4eba43b050
Instruction ID: 3d096b4b72b6d6e5ee79a48dfb35ebda7ed11d04336105fc1d11920f44fba040
Opcode Fuzzy Hash: 8e16a9d2d99955445b794d06ede920b7ba969727c6a183bdbd22aa4eba43b050
Instruction Fuzzy Hash: B401B139500604DFDB209F16D844B66FFA0EF44324F08C0AEDD4A8B626C275E418CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0288A78A, Relevance: 1.5, APIs: 1, Instructions: 39comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(?), ref: 0288A7BC

Memory Dump Source

Source File: 0000000C.00000002.375812165.000000000288A000.00000040.00000001.sdmp, Offset: 0288A000, based on PE: false

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 6f4ff41e008804950c6d808f7a9029cba32e625f7496cb1c5525b9d65d596af3
Instruction ID: 5e7ab244a6371bf8760b0af092724fc4dd42595694fafbb7ddeb06a7891377f6
Opcode Fuzzy Hash: 6f4ff41e008804950c6d808f7a9029cba32e625f7496cb1c5525b9d65d596af3
Instruction Fuzzy Hash: BE01AD78900244DFDB10EF15D884766FFE4EF44220F18C0ABDE498F646D6B5A408DBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0288B806, Relevance: 1.5, APIs: 1, Instructions: 38windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 0288B841

Memory Dump Source

Source File: 0000000C.00000002.375812165.000000000288A000.00000040.00000001.sdmp, Offset: 0288A000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 5a58a4a176e6edb0ba482ab8405249281eb25ea2bdb52440bcf4211932ecc643
Instruction ID: 8da592290e0874804f70dd71bae5c3cd24c2401cf197c33d46332a65ef604e1a
Opcode Fuzzy Hash: 5a58a4a176e6edb0ba482ab8405249281eb25ea2bdb52440bcf4211932ecc643
Instruction Fuzzy Hash: B901A739500644DFDB209F55D844B56FFE0EF48324F08C09EDD498B622D375A418CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0288A8EE, Relevance: 1.5, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32 ref: 0288A926

Memory Dump Source

Source File: 0000000C.00000002.375812165.000000000288A000.00000040.00000001.sdmp, Offset: 0288A000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 3880f54b462ed654adde0bc2a5c18d940a32b0737e3174bb6993e81cc86292dc
Instruction ID: 838a400efd8046f96cd18e392f087dba7deef04152709233aa131a6075384f27
Opcode Fuzzy Hash: 3880f54b462ed654adde0bc2a5c18d940a32b0737e3174bb6993e81cc86292dc
Instruction Fuzzy Hash: AE01AD39904604DFDB209F15DC85752FFA0EF09721F08C0ABDE4A4B652C3B5A408CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0288BE3E, Relevance: 1.5, APIs: 1, Instructions: 35windowCOMMON

Download Yara Rule

APIs

DispatchMessageW.USER32(?), ref: 0288BE70

Memory Dump Source

Source File: 0000000C.00000002.375812165.000000000288A000.00000040.00000001.sdmp, Offset: 0288A000, based on PE: false

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: 2235c383b54f8a64d633d6ed0670e4a3b78d97f56bdd0c750c01ac761f05356e
Instruction ID: 4b433c73462d2341bd8ca44951d3a83355a47fc28590247c7d03d671c2aad411
Opcode Fuzzy Hash: 2235c383b54f8a64d633d6ed0670e4a3b78d97f56bdd0c750c01ac761f05356e
Instruction Fuzzy Hash: 52F0AF3A904644DFDB209F15D884762FFA0EF44324F18C0AADE498B212D3B5A408CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 04FD1458, Relevance: 1.4, Strings: 1, Instructions: 128COMMON

Download Yara Rule

Strings

$ghr, xrefs: 04FD14C7

Memory Dump Source

Source File: 0000000C.00000002.378308772.0000000004FD0000.00000040.00000001.sdmp, Offset: 04FD0000, based on PE: false

Similarity

API ID:
String ID: $ghr
API String ID: 0-1352911727
Opcode ID: 9d5ee2ef3aee99cbd92d5f12f6f89d5630ddd2eb5d261255d5062b70cbdcb3cc
Instruction ID: c387ccacfffdb07b475661d56a30526e4f9f563dcf898de8e0ebf963b87f2adc
Opcode Fuzzy Hash: 9d5ee2ef3aee99cbd92d5f12f6f89d5630ddd2eb5d261255d5062b70cbdcb3cc
Instruction Fuzzy Hash: 66511935A00254CFDB14EF64C994B9DBBB2BF89300F1440EAD40AAB365DB35AD89CF51

Uniqueness

Uniqueness Score: -1.00%

Function 04FD1290, Relevance: 1.4, Strings: 1, Instructions: 101COMMON

Download Yara Rule

Strings

$ghr, xrefs: 04FD1349

Memory Dump Source

Source File: 0000000C.00000002.378308772.0000000004FD0000.00000040.00000001.sdmp, Offset: 04FD0000, based on PE: false

Similarity

API ID:
String ID: $ghr
API String ID: 0-1352911727
Opcode ID: 14fd47e58f21e60d1d3ceae7aa0b8f11fa0b235e7dbc653e09a479765d546cf9
Instruction ID: f6a8e7f7110833ee9b096fa25b355670f2b659b7f225faff2be7c329568974d7
Opcode Fuzzy Hash: 14fd47e58f21e60d1d3ceae7aa0b8f11fa0b235e7dbc653e09a479765d546cf9
Instruction Fuzzy Hash: 44413835B04259CFCB24DF68C980B9EBBB2BF49300F1444AAD44AAB755EB30AD85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 04FD21F8, Relevance: 1.3, Strings: 1, Instructions: 98COMMON

Download Yara Rule

Strings

r*+, xrefs: 04FD230F

Memory Dump Source

Source File: 0000000C.00000002.378308772.0000000004FD0000.00000040.00000001.sdmp, Offset: 04FD0000, based on PE: false

Similarity

API ID:
String ID: r*+
API String ID: 0-3221063712
Opcode ID: e699d2e91723016168b08bdde7f5ecc30bf30d0338b7106b991b6921d19a3219
Instruction ID: 9866739b854c096361239485b3080d206c62cf1047788faeb20a4f272f605ed1
Opcode Fuzzy Hash: e699d2e91723016168b08bdde7f5ecc30bf30d0338b7106b991b6921d19a3219
Instruction Fuzzy Hash: 73415F35E04209DFEB44DFA4C5456BEBBB2FF44301F1584AAD402D72A4EB35AA06DF92

Uniqueness

Uniqueness Score: -1.00%

Function 02890846, Relevance: 1.3, Strings: 1, Instructions: 58COMMON

Download Yara Rule

Strings

-X]Y, xrefs: 02890868

Memory Dump Source

Source File: 0000000C.00000002.375822136.0000000002890000.00000040.00000040.sdmp, Offset: 02890000, based on PE: false

Similarity

API ID:
String ID: -X]Y
API String ID: 0-202448318
Opcode ID: d3d50557d1ccb5eaef64b85feb342fe3a32fb00739e6035c1c9130d13332a6c2
Instruction ID: a34bc99d8b9465f440f33f5da03cfe6bdb5381739c34001a039460c9b3fd17b2
Opcode Fuzzy Hash: d3d50557d1ccb5eaef64b85feb342fe3a32fb00739e6035c1c9130d13332a6c2
Instruction Fuzzy Hash: F9216D3910D3C49FD7138B24C860B55BFB1AF47214F2986DAD8899F6A3C33A8817CB52

Uniqueness

Uniqueness Score: -1.00%

Function 02882477, Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.375795146.0000000002882000.00000040.00000001.sdmp, Offset: 02882000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51481620fb138bb4bceac5f5db77e953e4eb133896d500997e37572d22ebbbbe
Instruction ID: 50dded23671642123e70801de3da3b00d67f0aa1f6ffa39cd0c63b7689d01e35
Opcode Fuzzy Hash: 51481620fb138bb4bceac5f5db77e953e4eb133896d500997e37572d22ebbbbe
Instruction Fuzzy Hash: 816191BE99E7C24FC747B7346839654BFB29E1721870A61CBDC81CB0AFD11445498336

Uniqueness

Uniqueness Score: -1.00%

Function 04FD0BC0, Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.378308772.0000000004FD0000.00000040.00000001.sdmp, Offset: 04FD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ecc93c4643dad423367fae04a6b8167c32161e65299b02b60b4b2ff54597c7c
Instruction ID: 09cfe5f4d5139b140bde865c937eaeda4da5059b29c9fd241e88fb57372cc313
Opcode Fuzzy Hash: 1ecc93c4643dad423367fae04a6b8167c32161e65299b02b60b4b2ff54597c7c
Instruction Fuzzy Hash: 4341E532B05104CFC7159F2CC414AAE7BE7AFC5314F19806AE906EF395DEB1AC069792

Uniqueness

Uniqueness Score: -1.00%

Function 04FD02D9, Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.378308772.0000000004FD0000.00000040.00000001.sdmp, Offset: 04FD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0dd85750e2d967401128a9861231873d4b749395d763c255bd9e5d4105b3c50
Instruction ID: a5eeb33ba3a9d06c6112052471e0facf11e17edda8b31014a74cf453bfe542f5
Opcode Fuzzy Hash: f0dd85750e2d967401128a9861231873d4b749395d763c255bd9e5d4105b3c50
Instruction Fuzzy Hash: BC414735F01205CFDB08CB68C0A4BAE7BB3EF89714F184469D502AB395EF71AC429B51

Uniqueness

Uniqueness Score: -1.00%

Function 04FD0006, Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.378308772.0000000004FD0000.00000040.00000001.sdmp, Offset: 04FD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8220ee50093d79b206d147a91eecaafd57d1a81ee957511080d3f1efe6e8129a
Instruction ID: 95ef710b8e508993a36eba53a7239d314984e35571b29b88df7f9139fb84eaac
Opcode Fuzzy Hash: 8220ee50093d79b206d147a91eecaafd57d1a81ee957511080d3f1efe6e8129a
Instruction Fuzzy Hash: 39316479A0E3C1CFDB02AB7488650553FB5FE52204B0D449AD982CB69BFE745D0AD723

Uniqueness

Uniqueness Score: -1.00%

Function 04FD20D0, Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.378308772.0000000004FD0000.00000040.00000001.sdmp, Offset: 04FD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6ec029004b8c66246f5fc8febd6d8259c041c0cf330b7226569a770132dd81a
Instruction ID: 3c1d8363430bc5db808067a83898ee6a6653a671c96547d83aa24b8dec3b77e9
Opcode Fuzzy Hash: a6ec029004b8c66246f5fc8febd6d8259c041c0cf330b7226569a770132dd81a
Instruction Fuzzy Hash: 07317032B04246DFDB05DFA8C88057E7BB6EB88340B1A84A6D5169B295EB30AC43D791

Uniqueness

Uniqueness Score: -1.00%

Function 04FD2C58, Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.378308772.0000000004FD0000.00000040.00000001.sdmp, Offset: 04FD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae30b8a48463add0aa49a38478840bc18bc118fbd92db9c7878055bfd31fb4f7
Instruction ID: 948e5dd97dc11f15ade10c474a2d91a4a2dd59e3dbc55ddf88dcdcf13f1af1dc
Opcode Fuzzy Hash: ae30b8a48463add0aa49a38478840bc18bc118fbd92db9c7878055bfd31fb4f7
Instruction Fuzzy Hash: 3421073AB0C241CFC7159B289884A3DBBA6BF45220B1E45E6D556CB292DB20AC02D7D2

Uniqueness

Uniqueness Score: -1.00%

Function 04FD21E9, Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.378308772.0000000004FD0000.00000040.00000001.sdmp, Offset: 04FD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9eb04d931c599f5cc559833abccb153f3ec7ed4ab3b0ef4361fc36b2b3ae615f
Instruction ID: 78b2853ff30999f7696fef05a05ee2aa23cbdfdc54820034fb9de7c71634749f
Opcode Fuzzy Hash: 9eb04d931c599f5cc559833abccb153f3ec7ed4ab3b0ef4361fc36b2b3ae615f
Instruction Fuzzy Hash: 0F318175E08209DFEB44DFA8C5406BDBBB2FF45301F1544D6E402D7255EB30AA42DB92

Uniqueness

Uniqueness Score: -1.00%

Function 04FD25DE, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.378308772.0000000004FD0000.00000040.00000001.sdmp, Offset: 04FD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27d85b5970f38d93afdd395487ba6c58793ed0fdb1a8690eec26f5b3b82fefbd
Instruction ID: 4b918ca41a7722effdea36744c799d4d4dcb64a37b1a21111d1a08649ad49faf
Opcode Fuzzy Hash: 27d85b5970f38d93afdd395487ba6c58793ed0fdb1a8690eec26f5b3b82fefbd
Instruction Fuzzy Hash: 95318D35E00385CFEB60DF65C84065AFBB2FF84314F25C5A9C4049B294DBB4A84ACF81

Uniqueness

Uniqueness Score: -1.00%

Function 04FD4190, Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.378308772.0000000004FD0000.00000040.00000001.sdmp, Offset: 04FD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fd39f708e6513b1a1a04365247959b6524257e345b6316f175f0ce8658a408d
Instruction ID: 76c5746038526dd4eca19c57b32dca55eca4b3b5ac5a9d82d90a7c82d2aee76a
Opcode Fuzzy Hash: 8fd39f708e6513b1a1a04365247959b6524257e345b6316f175f0ce8658a408d
Instruction Fuzzy Hash: 5311B176B002158BEB14BBB8D8445BF7AA7EFD4340F59452BC507D7284EE70A84297A2

Uniqueness

Uniqueness Score: -1.00%

Function 04FD0871, Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.378308772.0000000004FD0000.00000040.00000001.sdmp, Offset: 04FD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 061be8998d8ee56b4b91845239c3f12a738070790cc9bb5cbe801ab568be5e02
Instruction ID: 76a507f8ffe0b40366f4d2437ef7fd701d09af5a6e9b65e6a0a049b165018193
Opcode Fuzzy Hash: 061be8998d8ee56b4b91845239c3f12a738070790cc9bb5cbe801ab568be5e02
Instruction Fuzzy Hash: E721C03AE81141DFE7102B74F91C29CBB62EF8030AB5958B6F443C50E5EF645866EBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0289087C, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.375822136.0000000002890000.00000040.00000040.sdmp, Offset: 02890000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59b50b5d78f3f9d888db71812c7d7ff2bc7cfcd4a0a1533853a3e33baf298845
Instruction ID: 6190c05086ea9ed9a19aca425a642cddd01128a22fe0559995833c29ac92934d
Opcode Fuzzy Hash: 59b50b5d78f3f9d888db71812c7d7ff2bc7cfcd4a0a1533853a3e33baf298845
Instruction Fuzzy Hash: 29110A3C204344EFDB05DB14C944B26BBE1AB48708F28C59CE9499B743C777D403CA91

Uniqueness

Uniqueness Score: -1.00%

Function 04FD11DF, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.378308772.0000000004FD0000.00000040.00000001.sdmp, Offset: 04FD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e7aa3e11f786f429cdfab310fc3bc159223137d3f77f82df1cdcd2f748008aa
Instruction ID: bbf7f07b3c09078af3b6fc42254839c41c4390c611940ad3d0993209ba4f8ec7
Opcode Fuzzy Hash: 7e7aa3e11f786f429cdfab310fc3bc159223137d3f77f82df1cdcd2f748008aa
Instruction Fuzzy Hash: CD11A132308180CFC7059B2CC5689697FE6EF8620271940EBD446CB7A6DE665C0B9752

Uniqueness

Uniqueness Score: -1.00%

Function 04FD05B9, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.378308772.0000000004FD0000.00000040.00000001.sdmp, Offset: 04FD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c621583daa492d0ecd303e1c4377fe3b4389fa453b7ea39c961dfd6db6e9bfca
Instruction ID: d5204e39ef70e74e8cb79ae3daed1d5f4e8b17cfd4d785b99fa0f33e867f597a
Opcode Fuzzy Hash: c621583daa492d0ecd303e1c4377fe3b4389fa453b7ea39c961dfd6db6e9bfca
Instruction Fuzzy Hash: CB01F4667041610FD7093A3D94212BF779B9BC5A50B58006BD106DF385EDB48C0313E7

Uniqueness

Uniqueness Score: -1.00%

Function 04FD05C8, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.378308772.0000000004FD0000.00000040.00000001.sdmp, Offset: 04FD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 604c0b9d5b0d3d5e8597494da8c76252a6400f8c02cffbe3961f0287edfcaa40
Instruction ID: 9bf99dff7dc49b983b4e7e9ada031ff88363f58c9e566e3a91d0266cf937f860
Opcode Fuzzy Hash: 604c0b9d5b0d3d5e8597494da8c76252a6400f8c02cffbe3961f0287edfcaa40
Instruction Fuzzy Hash: 0CF0E9767001210BCA497A7D942177F628F9BC4A50B98412FD206DF388EEB09C0313D7

Uniqueness

Uniqueness Score: -1.00%

Function 028905CF, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.375822136.0000000002890000.00000040.00000040.sdmp, Offset: 02890000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0faa5818dd7f29ac11aa0501ae632b17f0d9470bb27d7b9520cf43e8b66cdc2a
Instruction ID: 639373a9352b311021a7c81a9b2b30d7e97d754efc3a28399b243329cc298a8a
Opcode Fuzzy Hash: 0faa5818dd7f29ac11aa0501ae632b17f0d9470bb27d7b9520cf43e8b66cdc2a
Instruction Fuzzy Hash: 4601D6765097806FD7128B16AC51863FFF8DF86230709C09FED898B612D225A809CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 04FD1218, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.378308772.0000000004FD0000.00000040.00000001.sdmp, Offset: 04FD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5289dcebecdbd27b7f422c471a51af47ce693a0d5d633bdec3babcf6c06fcbf3
Instruction ID: 5d9cb38c71c4b4794145b9e984852a6d5fd219f969203ae9f4ee43b2c753e1d8
Opcode Fuzzy Hash: 5289dcebecdbd27b7f422c471a51af47ce693a0d5d633bdec3babcf6c06fcbf3
Instruction Fuzzy Hash: B5011D36304050CBC604AB2CD1589697BEBFFC5711B2841AAE506CB765DFB2AC0A9B86

Uniqueness

Uniqueness Score: -1.00%

Function 04FD4180, Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.378308772.0000000004FD0000.00000040.00000001.sdmp, Offset: 04FD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9fa053160bb09327a1c07975157f87a4aaea623c5666d90b542c9cf906ac68d
Instruction ID: afb9249aa1f700fce7f301c5c4799ba0b730945e93e63c67928360fc2698a855
Opcode Fuzzy Hash: e9fa053160bb09327a1c07975157f87a4aaea623c5666d90b542c9cf906ac68d
Instruction Fuzzy Hash: 25F05977B442688EEB2216B4784B0FEBF66CBDA190709046BD49BC2002FA7150138A61

Uniqueness

Uniqueness Score: -1.00%

Function 04FD0908, Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.378308772.0000000004FD0000.00000040.00000001.sdmp, Offset: 04FD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c6defe1ee73089940c0d6ee8fe3c63ee9f1bb0c588cd89ff108279c7d286544
Instruction ID: 173336d7564244b45279fbfe75ee842bf8bb5e285e22ab8952d19739034899cf
Opcode Fuzzy Hash: 8c6defe1ee73089940c0d6ee8fe3c63ee9f1bb0c588cd89ff108279c7d286544
Instruction Fuzzy Hash: E3F02472F052408FEB101AB498141EF6FA39BC1354F0E0467D90393344FDA85C43A242

Uniqueness

Uniqueness Score: -1.00%

Function 04FD0918, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.378308772.0000000004FD0000.00000040.00000001.sdmp, Offset: 04FD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ad279c8bc3f22c3d4e32bd23de7c55c042ddf348ac63fe8e1b3dee1822f220f
Instruction ID: 11bf7d6c567aa9264c0818cbde9a7ccba65a4df2307b8ec435cefbfaa1517e7d
Opcode Fuzzy Hash: 4ad279c8bc3f22c3d4e32bd23de7c55c042ddf348ac63fe8e1b3dee1822f220f
Instruction Fuzzy Hash: 5FE0E533F152189E9B1069F8D8005AFBBAB97C5364F0845279B07A3344FD70A803A293

Uniqueness

Uniqueness Score: -1.00%

Function 02890938, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.375822136.0000000002890000.00000040.00000040.sdmp, Offset: 02890000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 525cef522958239b2deb72ab7ac90410e2832b06fb356f1b7ca8807ee3c9392c
Instruction ID: 643c67635eb82e8ee0c2347af8770babcabbfd5a5b3698d77b486e0abb5d292d
Opcode Fuzzy Hash: 525cef522958239b2deb72ab7ac90410e2832b06fb356f1b7ca8807ee3c9392c
Instruction Fuzzy Hash: 76F03139204644DFC705DF40D940B15FBA2FB89718F28C6ADE9491B752C337D813DA81

Uniqueness

Uniqueness Score: -1.00%

Function 028905F6, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.375822136.0000000002890000.00000040.00000040.sdmp, Offset: 02890000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51fd9d89f29e1be9de99104b3c1ec385411e467354422c0a58e5a726c7e9fb80
Instruction ID: 191e2a2c663433c7283cbed0a2edf29ce17883d625b3104ada965ae5ffa2b852
Opcode Fuzzy Hash: 51fd9d89f29e1be9de99104b3c1ec385411e467354422c0a58e5a726c7e9fb80
Instruction Fuzzy Hash: 95E06D76A406008B9650CF0BEC41452F7D8EB88630B18C07FDC0E8B701E575B5088FA5

Uniqueness

Uniqueness Score: -1.00%

Function 04FD2D20, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.378308772.0000000004FD0000.00000040.00000001.sdmp, Offset: 04FD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 877823d9d175ae3273acf718508711d9eff9ce5a20218e25f399da3bd8361763
Instruction ID: 021db3ecc3f4165119e8fff2165233882b284ca2610c53284d0c0472013f8764
Opcode Fuzzy Hash: 877823d9d175ae3273acf718508711d9eff9ce5a20218e25f399da3bd8361763
Instruction Fuzzy Hash: C5D0A73A28C6889FF30261645C577A4BF158B1EB05F0F08E2D0EB8E0E3B400B00396E2

Uniqueness

Uniqueness Score: -1.00%

Function 04FD0170, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.378308772.0000000004FD0000.00000040.00000001.sdmp, Offset: 04FD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 213ebddb69120cebd33a114c224d5129f4c115bd0c9fc68d30b0ed05bac6b64f
Instruction ID: 32f26e688297819b796ab0c24fb115c385bb9b1214e516fd2a243fa387840e51
Opcode Fuzzy Hash: 213ebddb69120cebd33a114c224d5129f4c115bd0c9fc68d30b0ed05bac6b64f
Instruction Fuzzy Hash: F7E02BB5509390CFEB062B70A01A0697FB8AE0A50030608FDC4468B793FE35D453C710

Uniqueness

Uniqueness Score: -1.00%

Function 04FD02A0, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.378308772.0000000004FD0000.00000040.00000001.sdmp, Offset: 04FD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57fcdedf17398dffd9872bbbc3750a8147809bb665098201b649f9435496840a
Instruction ID: 90fb53052cafc2288d29c313730a3a561db37aed74c4fd4cceb2e1b1467f195c
Opcode Fuzzy Hash: 57fcdedf17398dffd9872bbbc3750a8147809bb665098201b649f9435496840a
Instruction Fuzzy Hash: 54E0C27A50D6908FC3518A68A8A948ABFB5EB8A6003098D9ED492C7645EB607C038710

Uniqueness

Uniqueness Score: -1.00%

Function 04FD064F, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.378308772.0000000004FD0000.00000040.00000001.sdmp, Offset: 04FD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e89d0b5038c8e4c70992befaaae44864bb9dc22b0909520d2db9a8294c4fd69b
Instruction ID: ad320cfe06ecf077f5f4fd783f3ca31a739a52ea128c43b09c79ef6e95cf2ad5
Opcode Fuzzy Hash: e89d0b5038c8e4c70992befaaae44864bb9dc22b0909520d2db9a8294c4fd69b
Instruction Fuzzy Hash: D6D0A7F78496808FD7011A702C590FCBB55DB93209B0848F2D41155813BF217563AB61

Uniqueness

Uniqueness Score: -1.00%

Function 028823F4, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.375795146.0000000002882000.00000040.00000001.sdmp, Offset: 02882000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8811a4867e551a05932de016b4fc5e5716205077a1da6f6a43c26bb99bdbe067
Instruction ID: 503aec8d39e6ab1484def2cff970a2486a881cd4e185ec8ca65b4abfb7f34bd8
Opcode Fuzzy Hash: 8811a4867e551a05932de016b4fc5e5716205077a1da6f6a43c26bb99bdbe067
Instruction Fuzzy Hash: B2D05E7D215AC18FD326DA1CC1A8B953B94BB51B08F4684FEEC00CB667C368D981D210

Uniqueness

Uniqueness Score: -1.00%

Function 028823BC, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.375795146.0000000002882000.00000040.00000001.sdmp, Offset: 02882000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd6088023616aa31b480eb5d4855e6d8529013cedbe1faf82f8870ec43680762
Instruction ID: 1bf7b8f13e26c6090708f8324a955785f1f1d9cc5eb65d622000d705b26e29ad
Opcode Fuzzy Hash: bd6088023616aa31b480eb5d4855e6d8529013cedbe1faf82f8870ec43680762
Instruction Fuzzy Hash: D5D05E3C2002818BC716EB0CC5A4F5937D4AB41B04F0A45E8BC00CB676C3A4D981C600

Uniqueness

Uniqueness Score: -1.00%

Function 04FD0180, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.378308772.0000000004FD0000.00000040.00000001.sdmp, Offset: 04FD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ef8ad6b26dcff157309c4efd0ee89088e271f5a5df44e9137fdcc954ce4d171
Instruction ID: f2d8ea6a58653459065b921691ab6b7cc858dce28c04089b9a6144a19a1c5155
Opcode Fuzzy Hash: 0ef8ad6b26dcff157309c4efd0ee89088e271f5a5df44e9137fdcc954ce4d171
Instruction Fuzzy Hash: E0D01239641324CFDF082BB4E01842933AAAB882063040C7CD91787788EF3AE8A0CA04

Uniqueness

Uniqueness Score: -1.00%

Function 04FD2EC0, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.378308772.0000000004FD0000.00000040.00000001.sdmp, Offset: 04FD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fde5d2bd7ac281f71df249a2721ab743591b3748419990884b45a330353c5d64
Instruction ID: afdd49482da87f9cfe1a8c4623d9fc4c962be8fa77a62a26bf23005a99a3e5f0
Opcode Fuzzy Hash: fde5d2bd7ac281f71df249a2721ab743591b3748419990884b45a330353c5d64
Instruction Fuzzy Hash: 30B092316982080BEB509AB57848B66338C8780619F4904A1F80CCA940E94AE4E12180

Uniqueness

Uniqueness Score: -1.00%

Function 04FD0660, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.378308772.0000000004FD0000.00000040.00000001.sdmp, Offset: 04FD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a515c3384fe1a2f4bd7341ce87217429ea248d0bff51b9c6fb5e7d23a8db4542
Instruction ID: 5bba46ecd2485743f3999937477f254d9c46c52189441fc13cdff08ff5e6761c
Opcode Fuzzy Hash: a515c3384fe1a2f4bd7341ce87217429ea248d0bff51b9c6fb5e7d23a8db4542
Instruction Fuzzy Hash: F0C02B33185204CEC20416702C0443DB20AD7C130AB44C831940120021AD32B473BC11

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 04FD0D93, Relevance: 5.2, Strings: 4, Instructions: 249COMMON

Download Yara Rule

Strings

:@Dr, xrefs: 04FD10CB
0jr, xrefs: 04FD0F8E
X1kr, xrefs: 04FD0F1C
,:kr, xrefs: 04FD0E38

Memory Dump Source

Source File: 0000000C.00000002.378308772.0000000004FD0000.00000040.00000001.sdmp, Offset: 04FD0000, based on PE: false

Similarity

API ID:
String ID: ,:kr$0jr$:@Dr$X1kr
API String ID: 0-1245831938
Opcode ID: 3235556389a59e4bdfcf7bed77a232bd7b32891458d84518f48936c0919f1d99
Instruction ID: ab8dc40d88a0abb4ba63cce52eec6619e7dda52ffc69ebf742bdd7d113b96c20
Opcode Fuzzy Hash: 3235556389a59e4bdfcf7bed77a232bd7b32891458d84518f48936c0919f1d99
Instruction Fuzzy Hash: 2BB1B771A08344CFD3A4DF789260B6ABBE2BBD4704F50596EE5498B398DF719C45CB02

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: dhcpmon.exe PID: 6332 Parent PID: 5656 dhcpmon.exeCOMMON

Executed Functions

Function 04D43850, Relevance: 2.0, Strings: 1, Instructions: 737COMMON

Download Yara Rule

Strings

>_Ir, xrefs: 04D43F9D

Memory Dump Source

Source File: 0000000E.00000002.381559514.0000000004D40000.00000040.00000001.sdmp, Offset: 04D40000, based on PE: false

Similarity

API ID:
String ID: >_Ir
API String ID: 0-3386957151
Opcode ID: 40630fc042cf0582e1715a903d5641505daf765b570f430c162888234b7f8ee9
Instruction ID: 2776b250b5b048246c1a303f6fc4b438e0e7c6afb5503cae84ac0112ae521f3f
Opcode Fuzzy Hash: 40630fc042cf0582e1715a903d5641505daf765b570f430c162888234b7f8ee9
Instruction Fuzzy Hash: 7142C171B04215CFCB14CF6CC884AAAFBF2FF85310B1985AAD9499B252D771EC42CB91

Uniqueness

Uniqueness Score: -1.00%

Function 04D423A0, Relevance: .5, Instructions: 505COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.381559514.0000000004D40000.00000040.00000001.sdmp, Offset: 04D40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5920096ea2b4088d5e7431024745b285d75dac09256f0f6a3eff27dd5074cbb
Instruction ID: 49f5f0482ee0d822b0defac079da38f21ed94ab2b90a56c5ff8cefc39a7a4bfb
Opcode Fuzzy Hash: b5920096ea2b4088d5e7431024745b285d75dac09256f0f6a3eff27dd5074cbb
Instruction Fuzzy Hash: 0C12BB31A00215CFCB24DF68C98466DBBF2FF88394F1481A9E446AB395EB78E945CF50

Uniqueness

Uniqueness Score: -1.00%

Function 04D42FA8, Relevance: .2, Instructions: 239COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.381559514.0000000004D40000.00000040.00000001.sdmp, Offset: 04D40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 376d0e7117084af32fe9c8397c6fd6b86358b34659b167c88cbaf696731775a9
Instruction ID: 12516e7afa8a4eb492056d3db8172457ef6faf9ab75973544bb3752ce4b17f0b
Opcode Fuzzy Hash: 376d0e7117084af32fe9c8397c6fd6b86358b34659b167c88cbaf696731775a9
Instruction Fuzzy Hash: 7B816C32F011159BD718DB6DD890A6EBBF3AFC8350F2A8175E815AB395DE31EC018B90

Uniqueness

Uniqueness Score: -1.00%

Function 04D409A0, Relevance: 5.2, Strings: 4, Instructions: 177COMMON

Download Yara Rule

Strings

X1kr, xrefs: 04D40AA2
X1kr, xrefs: 04D40A50
X1kr, xrefs: 04D40A98
X1kr, xrefs: 04D40A5A

Memory Dump Source

Source File: 0000000E.00000002.381559514.0000000004D40000.00000040.00000001.sdmp, Offset: 04D40000, based on PE: false

Similarity

API ID:
String ID: X1kr$X1kr$X1kr$X1kr
API String ID: 0-2451847431
Opcode ID: 03686a038135f42dcb3d1affd8162b03ab40abca0b2a0cbc16534c469a0be3c8
Instruction ID: 46b07f8ce57f3fdc20fd5e18cd908bd318d252195c87f835f3017e574e0e70a6
Opcode Fuzzy Hash: 03686a038135f42dcb3d1affd8162b03ab40abca0b2a0cbc16534c469a0be3c8
Instruction Fuzzy Hash: EE51B431B00215DFCB159FA8D854ABEB7F6BFC4704F2185A6E6469B290DB74ED02CB84

Uniqueness

Uniqueness Score: -1.00%

Function 04D402E8, Relevance: 2.7, Strings: 2, Instructions: 169COMMON

Download Yara Rule

Strings

`5kr, xrefs: 04D403A5
:@Dr, xrefs: 04D40537

Memory Dump Source

Source File: 0000000E.00000002.381559514.0000000004D40000.00000040.00000001.sdmp, Offset: 04D40000, based on PE: false

Similarity

API ID:
String ID: :@Dr$`5kr
API String ID: 0-2548079215
Opcode ID: 6319bdbfda3e8c6b44b7b7ae54552b36d5a9517a6519928e58cd74f58a44bea8
Instruction ID: 2802f5d9d8fe6a407557c16fd07077f0a18c28c27e21e8b41725d794f9d85500
Opcode Fuzzy Hash: 6319bdbfda3e8c6b44b7b7ae54552b36d5a9517a6519928e58cd74f58a44bea8
Instruction Fuzzy Hash: 05516D31B052058FDB09DF68C454B6E7BF2EFC9710F1480A9D646AB3A1EB75AC01DB91

Uniqueness

Uniqueness Score: -1.00%

Function 04D40682, Relevance: 2.6, Strings: 2, Instructions: 146COMMON

Download Yara Rule

Strings

Y=r^, xrefs: 04D40702, 04D40707
Z=r^, xrefs: 04D406A1, 04D406A6

Memory Dump Source

Source File: 0000000E.00000002.381559514.0000000004D40000.00000040.00000001.sdmp, Offset: 04D40000, based on PE: false

Similarity

API ID:
String ID: Z=r^$Y=r^
API String ID: 0-4142160698
Opcode ID: 8d1e8f5c150e6c45859c608a585021fa4668a58633fbdbe8161ab4901880bcf7
Instruction ID: 91119b35529ca3bf4debd05ac1112ff6309b12ad97f910d975c06f1a01bba55a
Opcode Fuzzy Hash: 8d1e8f5c150e6c45859c608a585021fa4668a58633fbdbe8161ab4901880bcf7
Instruction Fuzzy Hash: 3F518F316492008FC7057B74EC2866D3BA2BFC271A71845BAE543D72F1DFB85C059B96

Uniqueness

Uniqueness Score: -1.00%

Function 04D42D58, Relevance: 2.6, Strings: 2, Instructions: 132COMMON

Download Yara Rule

Strings

>_Ir, xrefs: 04D42DA5
, xrefs: 04D42E76

Memory Dump Source

Source File: 0000000E.00000002.381559514.0000000004D40000.00000040.00000001.sdmp, Offset: 04D40000, based on PE: false

Similarity

API ID:
String ID: $>_Ir
API String ID: 0-1787506450
Opcode ID: e4c918197c38e7e4bb6e897cccd0b5d6365ebb9b7421bbaf8485517b0b4cb77c
Instruction ID: 4d5cccb54cc1d4fd016e49d075b418dfcb191d65ae171577340928d1a3fd4c61
Opcode Fuzzy Hash: e4c918197c38e7e4bb6e897cccd0b5d6365ebb9b7421bbaf8485517b0b4cb77c
Instruction Fuzzy Hash: DA41D171F041158BCB10CF69C8806BEBBA2BBC0394B29C4B6E456DB645E735F9428B81

Uniqueness

Uniqueness Score: -1.00%

Function 04D412A0, Relevance: 1.7, Strings: 1, Instructions: 460COMMON

Download Yara Rule

Strings

$ghr, xrefs: 04D41349

Memory Dump Source

Source File: 0000000E.00000002.381559514.0000000004D40000.00000040.00000001.sdmp, Offset: 04D40000, based on PE: false

Similarity

API ID:
String ID: $ghr
API String ID: 0-1352911727
Opcode ID: 542692f3a68d97f377f5d97a3671ec3e40c49c0696ced70e4658b770e0e5491f
Instruction ID: d2c6d96996d87cc76fece1c5c7087d8dd488b300525cff65d7ae0ff71764f175
Opcode Fuzzy Hash: 542692f3a68d97f377f5d97a3671ec3e40c49c0696ced70e4658b770e0e5491f
Instruction Fuzzy Hash: 6322F335A00605CFCB64EF28C484A6ABBF2FF88310B14859AD85A9B755DB34FD89CF51

Uniqueness

Uniqueness Score: -1.00%

Function 00B5AA02, Relevance: 1.6, APIs: 1, Instructions: 92registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,00000E2C), ref: 00B5AAB1

Memory Dump Source

Source File: 0000000E.00000002.379610260.0000000000B5A000.00000040.00000001.sdmp, Offset: 00B5A000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: f9c685c0b10ac8ab2d1d6e41e30472bd89835c6bc06967395676f1a296a02465
Instruction ID: 41e502bd63d9c5e53c5a4abefd71832c9c9f205b87a4a90f7b53fa8bcd6e51f2
Opcode Fuzzy Hash: f9c685c0b10ac8ab2d1d6e41e30472bd89835c6bc06967395676f1a296a02465
Instruction Fuzzy Hash: 5031B472544784AFE7228B25CC45F67BFECEF06710F08859BED859B152D264E809CB71

Uniqueness

Uniqueness Score: -1.00%

Function 00B5AAF9, Relevance: 1.6, APIs: 1, Instructions: 89registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,6649DFA0,00000000,00000000,00000000,00000000), ref: 00B5ABB4

Memory Dump Source

Source File: 0000000E.00000002.379610260.0000000000B5A000.00000040.00000001.sdmp, Offset: 00B5A000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: bd05d3aaa001257feb4295f4a4ea5ed3fce27b4c21265060f057235929dcfcdb
Instruction ID: 5ef8af91a18d0185e9798cc6137b6d8366e8f7c197d5538620f705f2ff53368a
Opcode Fuzzy Hash: bd05d3aaa001257feb4295f4a4ea5ed3fce27b4c21265060f057235929dcfcdb
Instruction Fuzzy Hash: 4631A472109384AFD722CB25DC45F52BFF8EF06310F1885DAE985DB152D264E949CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 04E800F6, Relevance: 1.6, APIs: 1, Instructions: 89synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNELBASE(?,?), ref: 04E8019D

Memory Dump Source

Source File: 0000000E.00000002.381997904.0000000004E80000.00000040.00000001.sdmp, Offset: 04E80000, based on PE: false

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: edadf7780040fe4087c49d7e17e90b99a537120d27a788e9df1cc72a3ef643a6
Instruction ID: 61af63cac4b24d48d7c1fe1636687a6f17d5833d30265c18d7ce8217315e66ce
Opcode Fuzzy Hash: edadf7780040fe4087c49d7e17e90b99a537120d27a788e9df1cc72a3ef643a6
Instruction Fuzzy Hash: E931A1715097806FE712DF25DC45F56FFE8EF06214F09849EE988CB292D364A908C761

Uniqueness

Uniqueness Score: -1.00%

Function 00B5AF50, Relevance: 1.6, APIs: 1, Instructions: 77COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?,00000E2C,?,?), ref: 00B5AFEA

Memory Dump Source

Source File: 0000000E.00000002.379610260.0000000000B5A000.00000040.00000001.sdmp, Offset: 00B5A000, based on PE: false

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 10229a3cd4e6aaf078c7f278a44537d57db90e887986962e3271520bcc997f21
Instruction ID: a025e5925ba1631c2efb935e6b45c3d95d974d61708e41477b88f0febd8c75ff
Opcode Fuzzy Hash: 10229a3cd4e6aaf078c7f278a44537d57db90e887986962e3271520bcc997f21
Instruction Fuzzy Hash: A721B67144D7C06FD3138B259C51B22BFB8EF87610F0A81DBED84CB553D225A919C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 00B5AA32, Relevance: 1.6, APIs: 1, Instructions: 74registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,00000E2C), ref: 00B5AAB1

Memory Dump Source

Source File: 0000000E.00000002.379610260.0000000000B5A000.00000040.00000001.sdmp, Offset: 00B5A000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 49009d33b499b311e8aef1caa042acd92dfc72281d07c9bba3504aaf0301b32e
Instruction ID: 9185125187064fb7439626cba9e55c02d552dfe046b566672b8453a2dda4956b
Opcode Fuzzy Hash: 49009d33b499b311e8aef1caa042acd92dfc72281d07c9bba3504aaf0301b32e
Instruction Fuzzy Hash: 6E21A172500604AFE7219B15DD85F6BFBECEF14710F14859BEE459B241E664E808CB72

Uniqueness

Uniqueness Score: -1.00%

Function 04E8012A, Relevance: 1.6, APIs: 1, Instructions: 72synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNELBASE(?,?), ref: 04E8019D

Memory Dump Source

Source File: 0000000E.00000002.381997904.0000000004E80000.00000040.00000001.sdmp, Offset: 04E80000, based on PE: false

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 34433c6a273d395880c20d8823dea3a466bebed74b36163a9d1ac8c42cdc6885
Instruction ID: b13f75301687106100e18d702d8c03099690065c1aecd52d9205200fda10fd61
Opcode Fuzzy Hash: 34433c6a273d395880c20d8823dea3a466bebed74b36163a9d1ac8c42cdc6885
Instruction Fuzzy Hash: BC21AF71600600AFEB20DF25D945B6AFBE8EF05320F14856EED488B241E770E508CA75

Uniqueness

Uniqueness Score: -1.00%

Function 00B5AB3A, Relevance: 1.6, APIs: 1, Instructions: 69registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,6649DFA0,00000000,00000000,00000000,00000000), ref: 00B5ABB4

Memory Dump Source

Source File: 0000000E.00000002.379610260.0000000000B5A000.00000040.00000001.sdmp, Offset: 00B5A000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 4fb53475fe3f1fec98ad955dd8a177616a5785866ebbad8b3444dc011401edf8
Instruction ID: 75ed1df82a87fa8e65ac2c3c4cdab0fd93ceaa4a62efe9f9e7642afece02abf8
Opcode Fuzzy Hash: 4fb53475fe3f1fec98ad955dd8a177616a5785866ebbad8b3444dc011401edf8
Instruction Fuzzy Hash: CF218E72500604AFE720CF25DC80F67FBECEF08711F1486AAED459B251D660E808CAB2

Uniqueness

Uniqueness Score: -1.00%

Function 00B5B7CA, Relevance: 1.6, APIs: 1, Instructions: 61windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 00B5B841

Memory Dump Source

Source File: 0000000E.00000002.379610260.0000000000B5A000.00000040.00000001.sdmp, Offset: 00B5A000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: f60efc7f1d79a1f5084cf2d45b045f931b890d1b10cc89629fe94766c8642c4f
Instruction ID: db06bcad836584998541398724a98fab9244e2071c582150ac3deb4fe57417f2
Opcode Fuzzy Hash: f60efc7f1d79a1f5084cf2d45b045f931b890d1b10cc89629fe94766c8642c4f
Instruction Fuzzy Hash: D5216A724097C09FDB128B21DC51AA2BFB4EF17324F0984DAED844F163D265A958DB62

Uniqueness

Uniqueness Score: -1.00%

Function 00B5A51F, Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00B5A58A

Memory Dump Source

Source File: 0000000E.00000002.379610260.0000000000B5A000.00000040.00000001.sdmp, Offset: 00B5A000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 5f40ec1053cb0f1b4e7f0f0b6b7c336ae4f7b12c646f1d80e76f4beb584c0f0e
Instruction ID: 767b9026a007e59e48806a878facb6e3e61b05704bbf89fa9fae301050590be6
Opcode Fuzzy Hash: 5f40ec1053cb0f1b4e7f0f0b6b7c336ae4f7b12c646f1d80e76f4beb584c0f0e
Instruction Fuzzy Hash: 2711B472409380AFDB228F50DC44F62FFF4EF4A310F0885DAEE858B152D275A418DB61

Uniqueness

Uniqueness Score: -1.00%

Function 00B5BB4F, Relevance: 1.6, APIs: 1, Instructions: 59windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 00B5BBB9

Memory Dump Source

Source File: 0000000E.00000002.379610260.0000000000B5A000.00000040.00000001.sdmp, Offset: 00B5A000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 661201ddadd4df94c8c4311fc3c7ad4dc696c9a122407096794ba819deb78148
Instruction ID: 026e09a3fe98c5b9ce02e3b0ccac79beb4ddbd56df3542f77f36d7daad572d78
Opcode Fuzzy Hash: 661201ddadd4df94c8c4311fc3c7ad4dc696c9a122407096794ba819deb78148
Instruction Fuzzy Hash: 6D11D0364097C0AFDB228F25DC45B52FFB4EF16220F0885DEED858B563D265A818DB62

Uniqueness

Uniqueness Score: -1.00%

Function 00B5BE05, Relevance: 1.6, APIs: 1, Instructions: 58windowCOMMON

Download Yara Rule

APIs

DispatchMessageW.USER32(?), ref: 00B5BE70

Memory Dump Source

Source File: 0000000E.00000002.379610260.0000000000B5A000.00000040.00000001.sdmp, Offset: 00B5A000, based on PE: false

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: 34a656cd5d6e5e7eee5e199f62e64f5d6fc8de8847447d7c0966e467cf0dc231
Instruction ID: f3b8bd732f4d383a314655c37f68639061821975cf96536fc9a8ffe785cf7e32
Opcode Fuzzy Hash: 34a656cd5d6e5e7eee5e199f62e64f5d6fc8de8847447d7c0966e467cf0dc231
Instruction Fuzzy Hash: 9D118E754093C0AFD7138B25DC45B61BFB4DF47624F0984DAED848F263D2656808CB62

Uniqueness

Uniqueness Score: -1.00%

Function 04E804EF, Relevance: 1.6, APIs: 1, Instructions: 58COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 04E80550

Memory Dump Source

Source File: 0000000E.00000002.381997904.0000000004E80000.00000040.00000001.sdmp, Offset: 04E80000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: cf844c3bd024acb1022bdb3a2563e333d4a4d236733479ae46eaea7df178db7b
Instruction ID: 9f97ebfeed57e3773fd89883cbf6ba16d21fbad7ff759b84f373aa0116c8a47e
Opcode Fuzzy Hash: cf844c3bd024acb1022bdb3a2563e333d4a4d236733479ae46eaea7df178db7b
Instruction Fuzzy Hash: F9119371449384AFDB12CF25DC85B52BFB8EF06224F1880DBED498F653D275A418CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00B5B71E, Relevance: 1.6, APIs: 1, Instructions: 57windowCOMMON

Download Yara Rule

APIs

CreateIconFromResourceEx.USER32 ref: 00B5B78A

Memory Dump Source

Source File: 0000000E.00000002.379610260.0000000000B5A000.00000040.00000001.sdmp, Offset: 00B5A000, based on PE: false

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: 623ccc637ab336da09501a6c848d6a07f2a9c30aba69d1e17cbec44daf1300e7
Instruction ID: cc8fe7cc7efaeb1b737264ed42941f8770f39f0267d76ab22d0eda4a593d53d1
Opcode Fuzzy Hash: 623ccc637ab336da09501a6c848d6a07f2a9c30aba69d1e17cbec44daf1300e7
Instruction Fuzzy Hash: 9D115E32408784AFDB228F55DC44E52FFF4EF49310F08859AEE858B562D375A458DB61

Uniqueness

Uniqueness Score: -1.00%

Function 00B5BEB4, Relevance: 1.6, APIs: 1, Instructions: 56COMMON

Download Yara Rule

APIs

SetCurrentDirectoryW.KERNELBASE(?), ref: 00B5BF0C

Memory Dump Source

Source File: 0000000E.00000002.379610260.0000000000B5A000.00000040.00000001.sdmp, Offset: 00B5A000, based on PE: false

Similarity

API ID: CurrentDirectory
String ID:
API String ID: 1611563598-0
Opcode ID: 764b54b781f2a911e1e6d5c76a25b3534cb236f69a9c08af9c404f3af528179b
Instruction ID: cb3d5a46f7184618724b09db1ce0b581490f4a146a5b7cc6ac5c6b66ccdef24a
Opcode Fuzzy Hash: 764b54b781f2a911e1e6d5c76a25b3534cb236f69a9c08af9c404f3af528179b
Instruction Fuzzy Hash: 8B11A072505380AFD715CF25DC85B96BFE8EF46220F0884EAED49CF256D274E848CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00B5A75B, Relevance: 1.6, APIs: 1, Instructions: 52comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(?), ref: 00B5A7BC

Memory Dump Source

Source File: 0000000E.00000002.379610260.0000000000B5A000.00000040.00000001.sdmp, Offset: 00B5A000, based on PE: false

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: d741d4244e287ffb5e1d4291646f0828b74fbb54f029edea75d10f02f7f1aec9
Instruction ID: 91255f71f8db5d887e7c432e66b05cbe18a01238b897970a9485b0c5a2cbc1ba
Opcode Fuzzy Hash: d741d4244e287ffb5e1d4291646f0828b74fbb54f029edea75d10f02f7f1aec9
Instruction Fuzzy Hash: 5C11BC71449384AFD712CF25DC45B52BFB4EF06220F0880EBED498F253D279A848CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00B5A8CC, Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32 ref: 00B5A926

Memory Dump Source

Source File: 0000000E.00000002.379610260.0000000000B5A000.00000040.00000001.sdmp, Offset: 00B5A000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: f387ab6f314768c1d54ccb6dcf2cc430cb9c013ed55786718d34fa6022393466
Instruction ID: b6cf00715cbccb4e418b18008df85abd5ec1e94264e891782bd90a97d43f7fa9
Opcode Fuzzy Hash: f387ab6f314768c1d54ccb6dcf2cc430cb9c013ed55786718d34fa6022393466
Instruction Fuzzy Hash: F3117031409784AFD7218F15DC85B52FFF4EF06320F0985DAED855B262D275A818CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00B5BED2, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

SetCurrentDirectoryW.KERNELBASE(?), ref: 00B5BF0C

Memory Dump Source

Source File: 0000000E.00000002.379610260.0000000000B5A000.00000040.00000001.sdmp, Offset: 00B5A000, based on PE: false

Similarity

API ID: CurrentDirectory
String ID:
API String ID: 1611563598-0
Opcode ID: f697ec363a2946df937b7c572649ddcdee0f4f2c0362f2e8061c88fc758f3521
Instruction ID: 253ba800b27f658f331ce486c23c12151c9548f296c4c8886d8902f8fae20161
Opcode Fuzzy Hash: f697ec363a2946df937b7c572649ddcdee0f4f2c0362f2e8061c88fc758f3521
Instruction Fuzzy Hash: 2D014C716007449FDB10DF2ADC85B66FBD8DF44321F1884EADD49CB646E6B4E808CA61

Uniqueness

Uniqueness Score: -1.00%

Function 00B5A546, Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00B5A58A

Memory Dump Source

Source File: 0000000E.00000002.379610260.0000000000B5A000.00000040.00000001.sdmp, Offset: 00B5A000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: e3f511c975369a48ad4494ed3c6d04bbc6e5e618dfe0c3e6b7001c1e4e695521
Instruction ID: 8efe0cadfe6c694dbf6be6711f9a571abe37ac087fec78e702690e92fd657cc1
Opcode Fuzzy Hash: e3f511c975369a48ad4494ed3c6d04bbc6e5e618dfe0c3e6b7001c1e4e695521
Instruction Fuzzy Hash: 8B01AD32400600EFDB218F55E884B16FFE0EF08321F18C59ADE499B615E275E418DF62

Uniqueness

Uniqueness Score: -1.00%

Function 00B5B746, Relevance: 1.5, APIs: 1, Instructions: 45windowCOMMON

Download Yara Rule

APIs

CreateIconFromResourceEx.USER32 ref: 00B5B78A

Memory Dump Source

Source File: 0000000E.00000002.379610260.0000000000B5A000.00000040.00000001.sdmp, Offset: 00B5A000, based on PE: false

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: b01270332c267548cd548d938fa081145c212ff4e844821b1caed45c0e9ff9b4
Instruction ID: 460fc5335c8faab2e430cf34610b0c3e4f099d588cb24da99d9ceab6c20b15be
Opcode Fuzzy Hash: b01270332c267548cd548d938fa081145c212ff4e844821b1caed45c0e9ff9b4
Instruction Fuzzy Hash: C0016D32400640EFDB218F55D884F56FFE4EF48321F1885AAEE494B616D375E418DF61

Uniqueness

Uniqueness Score: -1.00%

Function 00B5AF9A, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?,00000E2C,?,?), ref: 00B5AFEA

Memory Dump Source

Source File: 0000000E.00000002.379610260.0000000000B5A000.00000040.00000001.sdmp, Offset: 00B5A000, based on PE: false

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 32101ae1bb5d0b06992a168d18085f364d77ebd17f8a9bedafa39101b23e885f
Instruction ID: 64bccceccbdf929153d4be28e8b7f54c015328ce286ee3132fc87a9bbbf56be6
Opcode Fuzzy Hash: 32101ae1bb5d0b06992a168d18085f364d77ebd17f8a9bedafa39101b23e885f
Instruction Fuzzy Hash: 1B01AD72500600ABD210DF16DC82F26FBA8FB88B20F14815AED088B745E331F916CBE6

Uniqueness

Uniqueness Score: -1.00%

Function 04E8051E, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 04E80550

Memory Dump Source

Source File: 0000000E.00000002.381997904.0000000004E80000.00000040.00000001.sdmp, Offset: 04E80000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 611d45a5783e73b812cddd228619d7cfcb6bb8d907768d3b1ac2083a7011ab57
Instruction ID: 18920f4b3bde9da92ddd7e7d403fdf37067e64630d0e05053fc4e56aae33b623
Opcode Fuzzy Hash: 611d45a5783e73b812cddd228619d7cfcb6bb8d907768d3b1ac2083a7011ab57
Instruction Fuzzy Hash: B501DF719006409FDB20DF29E985796FFA4EF05220F08C0ABDD0E8B206E2B4E408CB72

Uniqueness

Uniqueness Score: -1.00%

Function 00B5BB7E, Relevance: 1.5, APIs: 1, Instructions: 42windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 00B5BBB9

Memory Dump Source

Source File: 0000000E.00000002.379610260.0000000000B5A000.00000040.00000001.sdmp, Offset: 00B5A000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 369fd58a8496a3964693e54ac438daf19f33db461834a2b2de5452411a35bf83
Instruction ID: 81cfa3b95c5e07d62f474cb1a046c8c8d50600fdfde9f6ea10fb9a3eef6948bc
Opcode Fuzzy Hash: 369fd58a8496a3964693e54ac438daf19f33db461834a2b2de5452411a35bf83
Instruction Fuzzy Hash: 4601B135504640DFDB208F15D885B66FFE0EF08321F18C0DADE498B625D3B1E418DB61

Uniqueness

Uniqueness Score: -1.00%

Function 00B5A78A, Relevance: 1.5, APIs: 1, Instructions: 39comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(?), ref: 00B5A7BC

Memory Dump Source

Source File: 0000000E.00000002.379610260.0000000000B5A000.00000040.00000001.sdmp, Offset: 00B5A000, based on PE: false

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 0043bb4e37311a5403d872bfc5f214b790e1e3ac1d289951ad7505b1669e92c2
Instruction ID: 7488d3c312e306ff0baffbb15e55109dcc3c9ac7c30ca0fcf7dc6982c4a6cf06
Opcode Fuzzy Hash: 0043bb4e37311a5403d872bfc5f214b790e1e3ac1d289951ad7505b1669e92c2
Instruction Fuzzy Hash: 8401AD758042449FDB10DF15D885766FFE4EF08321F18C1EADE489F206E2B5A808CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00B5B806, Relevance: 1.5, APIs: 1, Instructions: 38windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 00B5B841

Memory Dump Source

Source File: 0000000E.00000002.379610260.0000000000B5A000.00000040.00000001.sdmp, Offset: 00B5A000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 36b1c2656d696e2e6525ee4504829d8b4a711d26134f5109967bbdb9503a5c3a
Instruction ID: 3335c4ff21eabdd9603b8015ac32f51847550ce0d9499f46b9e314e174d5c33c
Opcode Fuzzy Hash: 36b1c2656d696e2e6525ee4504829d8b4a711d26134f5109967bbdb9503a5c3a
Instruction Fuzzy Hash: 0E018B32800644DFDB208F16D885B66FFE4EF18321F18D0DEDE494B226D3B5A418DBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00B5A8EE, Relevance: 1.5, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32 ref: 00B5A926

Memory Dump Source

Source File: 0000000E.00000002.379610260.0000000000B5A000.00000040.00000001.sdmp, Offset: 00B5A000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 52fbcdedd93d28fdea831784d42ab99711a7a3cf5866cb6500462501a7dc4044
Instruction ID: 77977ca370917f39994e22dadabed5218f6430d64a1bfed5331b39bb25fef506
Opcode Fuzzy Hash: 52fbcdedd93d28fdea831784d42ab99711a7a3cf5866cb6500462501a7dc4044
Instruction Fuzzy Hash: 5701D131400644DFDB209F05D885B52FFE4EF09321F18C1EADE4A5B216C2B5A818DF72

Uniqueness

Uniqueness Score: -1.00%

Function 00B5BE3E, Relevance: 1.5, APIs: 1, Instructions: 35windowCOMMON

Download Yara Rule

APIs

DispatchMessageW.USER32(?), ref: 00B5BE70

Memory Dump Source

Source File: 0000000E.00000002.379610260.0000000000B5A000.00000040.00000001.sdmp, Offset: 00B5A000, based on PE: false

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: 02c12621ca5db7b7813fce364bb4d7c23e830a0f82faa9802af4c9722d9c46e5
Instruction ID: fb669ad40c9bf57ea325972ffc878d7e53eb486f4f00a71dc32594eac4de3b47
Opcode Fuzzy Hash: 02c12621ca5db7b7813fce364bb4d7c23e830a0f82faa9802af4c9722d9c46e5
Instruction Fuzzy Hash: 41F0A435804644DFD7108F15D886B61FFD0DF04721F18C4DADE494B216D3B5A40CCEA2

Uniqueness

Uniqueness Score: -1.00%

Function 04D420D0, Relevance: 1.4, Strings: 1, Instructions: 198COMMON

Download Yara Rule

Strings

r*+, xrefs: 04D4230F

Memory Dump Source

Source File: 0000000E.00000002.381559514.0000000004D40000.00000040.00000001.sdmp, Offset: 04D40000, based on PE: false

Similarity

API ID:
String ID: r*+
API String ID: 0-3221063712
Opcode ID: 9a1f5ed511a3166d90ba89ab92340f03155ce39af3183c43ae955ae8887e1da9
Instruction ID: 71117b4d21ee62b8445355a58ea1cb886239a24b07238ac0fd27671e432fc331
Opcode Fuzzy Hash: 9a1f5ed511a3166d90ba89ab92340f03155ce39af3183c43ae955ae8887e1da9
Instruction Fuzzy Hash: 2E713D30B08205DFCB44DFA4C89567EBBF1FB85380F1084AAE542976A5EB74AE41DB51

Uniqueness

Uniqueness Score: -1.00%

Function 04D41458, Relevance: 1.4, Strings: 1, Instructions: 128COMMON

Download Yara Rule

Strings

$ghr, xrefs: 04D414C7

Memory Dump Source

Source File: 0000000E.00000002.381559514.0000000004D40000.00000040.00000001.sdmp, Offset: 04D40000, based on PE: false

Similarity

API ID:
String ID: $ghr
API String ID: 0-1352911727
Opcode ID: eb216507974cf2b8d464a0a7168fcfa43da802320e4d301b06d744c213ed786e
Instruction ID: 7388e92dac43b1e0ca23872a19875ef6fc6f76e6f91c17788221bc764bff7670
Opcode Fuzzy Hash: eb216507974cf2b8d464a0a7168fcfa43da802320e4d301b06d744c213ed786e
Instruction Fuzzy Hash: B3510835A00215CFDB54EF64C898B9DBBB2BF89340F1040EAD40AAB365DB35AD89CF51

Uniqueness

Uniqueness Score: -1.00%

Function 04D41290, Relevance: 1.3, Strings: 1, Instructions: 99COMMON

Download Yara Rule

Strings

$ghr, xrefs: 04D41349

Memory Dump Source

Source File: 0000000E.00000002.381559514.0000000004D40000.00000040.00000001.sdmp, Offset: 04D40000, based on PE: false

Similarity

API ID:
String ID: $ghr
API String ID: 0-1352911727
Opcode ID: 82f0314897ce2c8559137577088ea5f969523f1680e304492ef2f538cdde4ac0
Instruction ID: b516f464a48f3a802b4a650297fbd841f2437ee7c732510c2b58ab6b27e88119
Opcode Fuzzy Hash: 82f0314897ce2c8559137577088ea5f969523f1680e304492ef2f538cdde4ac0
Instruction Fuzzy Hash: EE41F834A04259DFCB54EF68D888B9DBBB1BB89340F1040EAD44EAB755EB30AD84DF51

Uniqueness

Uniqueness Score: -1.00%

Function 00B52477, Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.379588670.0000000000B52000.00000040.00000001.sdmp, Offset: 00B52000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e81a79dd105050562d5f77dd18de0dad85eb37eebd09fb116659578b37287cf
Instruction ID: 969f4f9a45f40f0e8e70086fe7121f564a27dcaf63014fc2fb82fa0c32c59a5a
Opcode Fuzzy Hash: 6e81a79dd105050562d5f77dd18de0dad85eb37eebd09fb116659578b37287cf
Instruction Fuzzy Hash: 71517EA190F3C54EDF0797307879398BFF69A77312B0A41CBDD808B2A3E214454E8766

Uniqueness

Uniqueness Score: -1.00%

Function 04D40BC0, Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.381559514.0000000004D40000.00000040.00000001.sdmp, Offset: 04D40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8629baa6581f3957d234a56637119e49acbf586397c0a8f40e17245151f8a0db
Instruction ID: cc9b03839156d7dbff57775bee416e9b21ad54bf052bc967c19ff3d3c5b96274
Opcode Fuzzy Hash: 8629baa6581f3957d234a56637119e49acbf586397c0a8f40e17245151f8a0db
Instruction Fuzzy Hash: A441B631B05114CFC7169F68C414AAE7BE6AFC5310F15806AEA46EF391DEB1EC059791

Uniqueness

Uniqueness Score: -1.00%

Function 04D402DA, Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.381559514.0000000004D40000.00000040.00000001.sdmp, Offset: 04D40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fe3bb92ff94132a7c29bec614aa8459e9c8abc9e556774993e0eb226805cd25
Instruction ID: a32cca6181f8e5388553ae6d59425a2677de55ef9bb94622056f8a3f4d500c6d
Opcode Fuzzy Hash: 8fe3bb92ff94132a7c29bec614aa8459e9c8abc9e556774993e0eb226805cd25
Instruction Fuzzy Hash: D7413731B01205CFDB19CF68C054BAE7BB2EFC9710F144469D606AB3A1EBB5AC40DB51

Uniqueness

Uniqueness Score: -1.00%

Function 04D40006, Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.381559514.0000000004D40000.00000040.00000001.sdmp, Offset: 04D40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9b6b3efec1141fa2830df2858098d592c5ba6e5787419e23b62e70e9ace8786
Instruction ID: 7b43ae6c8896c95389620f48c4f44cce7cbc47d91c739e6df34cc79e53ad4e74
Opcode Fuzzy Hash: b9b6b3efec1141fa2830df2858098d592c5ba6e5787419e23b62e70e9ace8786
Instruction Fuzzy Hash: BF31617260E3C19FC703AFA4D8541583FF1BE8231470A45EBD585CB2A6EA79AC099B13

Uniqueness

Uniqueness Score: -1.00%

Function 04D42C58, Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.381559514.0000000004D40000.00000040.00000001.sdmp, Offset: 04D40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d73516e95de9680515a0b43f994aafd748382f57daf10273ca3ae73eaafb6dc4
Instruction ID: 71610adbcb8a16b04db71938d2ad652d408b02c6c8fe118c49b17abf82f85fa3
Opcode Fuzzy Hash: d73516e95de9680515a0b43f994aafd748382f57daf10273ca3ae73eaafb6dc4
Instruction Fuzzy Hash: 2A210735708241DFC7148B24D884A39BBE9BFC5390B1941E6F586CB691DB71FC04D792

Uniqueness

Uniqueness Score: -1.00%

Function 04D421E9, Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.381559514.0000000004D40000.00000040.00000001.sdmp, Offset: 04D40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81e8edb5a52213a74a8eb120e531a547e217535337cf388cc82abd864cb5156b
Instruction ID: eb4506f9ba26332ffad874ae53901502b26329f2679e77aa75753603355e4fc6
Opcode Fuzzy Hash: 81e8edb5a52213a74a8eb120e531a547e217535337cf388cc82abd864cb5156b
Instruction Fuzzy Hash: 2E315070E08209DFCB44DFA4C4856BDBBF1FF84380F1045EAE442A76A0EA74AE45DB52

Uniqueness

Uniqueness Score: -1.00%

Function 04D425DE, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.381559514.0000000004D40000.00000040.00000001.sdmp, Offset: 04D40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01313c096f5ebd0e945a55a7d7aaa06b003dfe63885304220916510719c64d3d
Instruction ID: 547afaf1b121fbb73d28fef60b39be3c4185eb98fde789a817c2d8ed08dcef9e
Opcode Fuzzy Hash: 01313c096f5ebd0e945a55a7d7aaa06b003dfe63885304220916510719c64d3d
Instruction Fuzzy Hash: 85318A31A00246CFDB60DF69C95075ABBF2BF84358F20C1A9D405AB2A5DBB8A589CF41

Uniqueness

Uniqueness Score: -1.00%

Function 04D44190, Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.381559514.0000000004D40000.00000040.00000001.sdmp, Offset: 04D40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54010593e365f7f90c322f9c6ac6e602fec68a36ea5bbee5c33698a96cbebf35
Instruction ID: d32b05a55aabe62ff80c07a0db490f00263a928bd1352877ca5352fe62c66361
Opcode Fuzzy Hash: 54010593e365f7f90c322f9c6ac6e602fec68a36ea5bbee5c33698a96cbebf35
Instruction Fuzzy Hash: 08110371B012158BDB14BBB8D8547BF7AF6AFC5340F51023ED507A7280EEB4E88097A2

Uniqueness

Uniqueness Score: -1.00%

Function 029E0940, Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.380365973.00000000029E0000.00000040.00000040.sdmp, Offset: 029E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1af98d36bb898fe48ca133b77aa0414c326bcf5cc04b35f51d64eb6fc321b9d8
Instruction ID: a3236ec01069b05fd8cc533248a8450d8ff66a8b775a3ae2f68d5a38da41f528
Opcode Fuzzy Hash: 1af98d36bb898fe48ca133b77aa0414c326bcf5cc04b35f51d64eb6fc321b9d8
Instruction Fuzzy Hash: 87214A3500D3C08FD7078B24D950751BFB1AF5B314F2986DBD5C59B2A3C27A881ADBA2

Uniqueness

Uniqueness Score: -1.00%

Function 029E087C, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.380365973.00000000029E0000.00000040.00000040.sdmp, Offset: 029E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05dbbb8c645fdf81f470986c485ccb47e32e49db3ba4e01234d2142a005be9b7
Instruction ID: bd1e3b521b544025a0423f8c2679a809d7c254eced46297a57f3918000b99e46
Opcode Fuzzy Hash: 05dbbb8c645fdf81f470986c485ccb47e32e49db3ba4e01234d2142a005be9b7
Instruction Fuzzy Hash: 1A112C34204344DFDB06CB14C940B26BFD5EB98708F24C99CE94A2B643C7BBD413CA51

Uniqueness

Uniqueness Score: -1.00%

Function 029E0845, Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.380365973.00000000029E0000.00000040.00000040.sdmp, Offset: 029E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d11583674a4cf97c945c8f6436cab5fcbaeebaaeae21a683e01225c4f3a43455
Instruction ID: 68699edcf7be73e19535c74e45fffc8022889c589f4904f228c1b2f80f9794da
Opcode Fuzzy Hash: d11583674a4cf97c945c8f6436cab5fcbaeebaaeae21a683e01225c4f3a43455
Instruction Fuzzy Hash: FC216F3410D3C09FD7178B24D850B15BFB1AF4B214F1986DED4859F6A3C33A881ADB62

Uniqueness

Uniqueness Score: -1.00%

Function 04D411DF, Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.381559514.0000000004D40000.00000040.00000001.sdmp, Offset: 04D40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 340c8894c89387c1ced2dec5368241a3ae66f600bc342bcb406250043ffe0552
Instruction ID: a7ac9026860a042a467de196a7fde229a0642fc3ace115d3b8e4759ae35c3a8d
Opcode Fuzzy Hash: 340c8894c89387c1ced2dec5368241a3ae66f600bc342bcb406250043ffe0552
Instruction Fuzzy Hash: 7211C031308180CFC7069738C4A9AAD7FE5AFC6301B1941EBD586CBBA2DEA59C499742

Uniqueness

Uniqueness Score: -1.00%

Function 04D44180, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.381559514.0000000004D40000.00000040.00000001.sdmp, Offset: 04D40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e45ad760af41dc64450ad989c653c618a141182093af248893dd543b68b6a80
Instruction ID: 8eb221759d17d9693253810a9f83fb5d3396d199d092ac869a8dd4e8879fd264
Opcode Fuzzy Hash: 9e45ad760af41dc64450ad989c653c618a141182093af248893dd543b68b6a80
Instruction Fuzzy Hash: 76012632709274CBCB2066B4AC043AB7BE9DBE5391B10457BC84786254FA76E0819A55

Uniqueness

Uniqueness Score: -1.00%

Function 04D405B9, Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.381559514.0000000004D40000.00000040.00000001.sdmp, Offset: 04D40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbbdb894ab5017911ece51f0271475fd972866c9feb6f9276703d2dfe689c9c1
Instruction ID: 1d3a4bf7466c2d27918bc8bfe02b8ee63cf2870197c96d3a92755a1a1901da1d
Opcode Fuzzy Hash: cbbdb894ab5017911ece51f0271475fd972866c9feb6f9276703d2dfe689c9c1
Instruction Fuzzy Hash: 3D01FF727060200BCB4A373C94223BF6ADB5BC6641B5801AEE146EB3C2EEA49C0343D6

Uniqueness

Uniqueness Score: -1.00%

Function 04D405C8, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.381559514.0000000004D40000.00000040.00000001.sdmp, Offset: 04D40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7cbbd1fa9cb7c8d05ce0a54fbd0de3edbbd8da149a6407635a5aeef2c8b4fcf
Instruction ID: 6dd980474cad2703e749ea9afad05599be4c7f75facda0031a40efd0bb77a588
Opcode Fuzzy Hash: c7cbbd1fa9cb7c8d05ce0a54fbd0de3edbbd8da149a6407635a5aeef2c8b4fcf
Instruction Fuzzy Hash: CAF0BE7270112107CA497B7D94127BF66CB9BCAA517A841AEE206EB3C5DEB49C0313E6

Uniqueness

Uniqueness Score: -1.00%

Function 029E05CF, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.380365973.00000000029E0000.00000040.00000040.sdmp, Offset: 029E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae943aec3ce324c0f2e1a0ad4ce918d7d6a31f85ed6cd7692d15bc05ccad5e99
Instruction ID: edde5d85a34f2f9e2e6e05699d7ae863e5297ce4f249b42b8c51b9f387032af9
Opcode Fuzzy Hash: ae943aec3ce324c0f2e1a0ad4ce918d7d6a31f85ed6cd7692d15bc05ccad5e99
Instruction Fuzzy Hash: 0801D67250D7806FD7128B16EC41862FFB8DB86220708C0DFED498B612D225A909CB76

Uniqueness

Uniqueness Score: -1.00%

Function 04D41218, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.381559514.0000000004D40000.00000040.00000001.sdmp, Offset: 04D40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cef94c82099b05750667f13a3c9e84e0e3b927eb87fdd6354e05b0f709830f5
Instruction ID: adf4c256b68ce5f494e383d67bc9ca615724c4f7f417082429f23798ccc7ef88
Opcode Fuzzy Hash: 0cef94c82099b05750667f13a3c9e84e0e3b927eb87fdd6354e05b0f709830f5
Instruction Fuzzy Hash: C901A431304010CBC644AB2CD09D96D7BEABFC5710B2441BAE546CBBB5DFB1EC499781

Uniqueness

Uniqueness Score: -1.00%

Function 04D40918, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.381559514.0000000004D40000.00000040.00000001.sdmp, Offset: 04D40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17128d751a178a2761850641cc7417e8c7388d01a3819a5503664ac25d023b81
Instruction ID: 0e8a7af2d3ba12dec258b51f7db3904e7fcbd59ac472c84982b1b74c3ba5f957
Opcode Fuzzy Hash: 17128d751a178a2761850641cc7417e8c7388d01a3819a5503664ac25d023b81
Instruction Fuzzy Hash: BEE0E532F192189BDB516AF998115AFBBA997CA650F084527DB47A3240FD70E80152D1

Uniqueness

Uniqueness Score: -1.00%

Function 029E0938, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.380365973.00000000029E0000.00000040.00000040.sdmp, Offset: 029E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 525cef522958239b2deb72ab7ac90410e2832b06fb356f1b7ca8807ee3c9392c
Instruction ID: f9944bcacb32ccac0d53689d232b24ddaaa184474d828f4d604cc6bb0206c62f
Opcode Fuzzy Hash: 525cef522958239b2deb72ab7ac90410e2832b06fb356f1b7ca8807ee3c9392c
Instruction Fuzzy Hash: 0DF01D35104644DFC706DF00D540B15FBA6EB89718F24CAADE9891B752C377D823DA81

Uniqueness

Uniqueness Score: -1.00%

Function 04D40908, Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.381559514.0000000004D40000.00000040.00000001.sdmp, Offset: 04D40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 589212ef337a4f321a839606832c712c8d11bcde13e9b2dde9d76d3ac69b05b0
Instruction ID: cb17e8c62c6efa7b4d669029f08cc5ad865dc2b1a34dd25464aefa47fb2c9b8e
Opcode Fuzzy Hash: 589212ef337a4f321a839606832c712c8d11bcde13e9b2dde9d76d3ac69b05b0
Instruction Fuzzy Hash: 3AF0A030A292449BD7519BF88954A7F7BA59BCA340F09092BDB83A3281E9B4AC419641

Uniqueness

Uniqueness Score: -1.00%

Function 029E05F6, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.380365973.00000000029E0000.00000040.00000040.sdmp, Offset: 029E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c55b9928556f208ac5fb436f1e8dccbced7676ef6b83ffda5beff12d71b3c7c
Instruction ID: 8cc719802401d11033ce9773338ba96455c068d78a081a9a3be08f6731924f83
Opcode Fuzzy Hash: 2c55b9928556f208ac5fb436f1e8dccbced7676ef6b83ffda5beff12d71b3c7c
Instruction Fuzzy Hash: D2E06D76644A008BD650DF0AEC41452FB98EB88630B18C06FDC0D8B704E135B5048EA5

Uniqueness

Uniqueness Score: -1.00%

Function 04D4064F, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.381559514.0000000004D40000.00000040.00000001.sdmp, Offset: 04D40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5260eb1972423625632d9f68268b25bd1315bb9da9807fae5dcdb510b734e5ac
Instruction ID: 39098b286d2f0b7f50a4b235dacd6fc77607388f44ba2accb01166e895551c61
Opcode Fuzzy Hash: 5260eb1972423625632d9f68268b25bd1315bb9da9807fae5dcdb510b734e5ac
Instruction Fuzzy Hash: BAD097B24893008FC3420BB01C0D1E03764EBD320070248B2CA0163460E876B9239692

Uniqueness

Uniqueness Score: -1.00%

Function 04D402A0, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.381559514.0000000004D40000.00000040.00000001.sdmp, Offset: 04D40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25897c881a11ec01d8505d48c7b2ebfac04bc6f0111038f841d3b5357d3b8139
Instruction ID: f15db30c7b57f1bb83a95d66b57a680dad03fe0533bb022ac7e4333e9fdb5d1a
Opcode Fuzzy Hash: 25897c881a11ec01d8505d48c7b2ebfac04bc6f0111038f841d3b5357d3b8139
Instruction Fuzzy Hash: D4D05E73708610C7C3518658EC96AC2BBE5BBD4700709C96EE596D7B94EBA4FC018B81

Uniqueness

Uniqueness Score: -1.00%

Function 04D42D20, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.381559514.0000000004D40000.00000040.00000001.sdmp, Offset: 04D40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9ca6087122115b419ec51ecbba6d6f343ad27f4a4bd303a2b70c10a12fbd768
Instruction ID: 955ea96f62039baec6e53f07743c3712f87a42806fa9451ea7e20499fbd899ad
Opcode Fuzzy Hash: c9ca6087122115b419ec51ecbba6d6f343ad27f4a4bd303a2b70c10a12fbd768
Instruction Fuzzy Hash: 21D0237124D140DFE34101549C36BF03F00C7793C1F0805D6F0C7650E4F2C2E2015541

Uniqueness

Uniqueness Score: -1.00%

Function 04D40170, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.381559514.0000000004D40000.00000040.00000001.sdmp, Offset: 04D40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f290f2ba2397df7bdf9d821eaae1c0f26e0cbbea81f24b5736d05012fa69786
Instruction ID: 5ac49d9df587d40b5200a413ef8834c3cf4b71d013c6d3e01a11c4e9f4436d2f
Opcode Fuzzy Hash: 6f290f2ba2397df7bdf9d821eaae1c0f26e0cbbea81f24b5736d05012fa69786
Instruction Fuzzy Hash: 44D05EF390A3418FCB06ABB0E81A6583B61AF6520174505BEC447C7BA1FAFBC451CA04

Uniqueness

Uniqueness Score: -1.00%

Function 00B523F4, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.379588670.0000000000B52000.00000040.00000001.sdmp, Offset: 00B52000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f883e959930917b35e9bd4cd19bcab08a0d7163eca23a972afde0b3b614161aa
Instruction ID: 640910d258c8102e84a2e2301c42bb7c288afbf9ac50224a83bbc69186a6c4e6
Opcode Fuzzy Hash: f883e959930917b35e9bd4cd19bcab08a0d7163eca23a972afde0b3b614161aa
Instruction Fuzzy Hash: 80D05E79216A818FD3268B1CC1A9B953BD4EB52B05F4644FDEC008B763C368D985D200

Uniqueness

Uniqueness Score: -1.00%

Function 00B523BC, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.379588670.0000000000B52000.00000040.00000001.sdmp, Offset: 00B52000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f24bf5fa4c09d182f76981c4244a717d64240a7882ad0c0297c2c3f1342c866c
Instruction ID: 9d687c8c0321d01600f4c9071d6af6ce21170621249f272d106e78499330d36d
Opcode Fuzzy Hash: f24bf5fa4c09d182f76981c4244a717d64240a7882ad0c0297c2c3f1342c866c
Instruction Fuzzy Hash: F2D05E342012818FD715DB0CC594F5937D4EB42B01F0644E8AC008B662C3A8DC85C600

Uniqueness

Uniqueness Score: -1.00%

Function 04D40180, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.381559514.0000000004D40000.00000040.00000001.sdmp, Offset: 04D40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f753f19b7768e99a9385350434da9e38b1d215e19e3c405ddcfee6a988b547ae
Instruction ID: c1fb25d2486aad85cd9cd1cef186e612f2ca22483e38351f8da6d1084ad2590b
Opcode Fuzzy Hash: f753f19b7768e99a9385350434da9e38b1d215e19e3c405ddcfee6a988b547ae
Instruction Fuzzy Hash: 3FD01232201309CFCB083BB0E41942833AAAB88206300087DD807877A0EFBBE890CA44

Uniqueness

Uniqueness Score: -1.00%

Function 04D40660, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.381559514.0000000004D40000.00000040.00000001.sdmp, Offset: 04D40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba56c73416a167bf47cd2f8fdc7e1ba25f8767ce4cc83b34a9d5573ceedae528
Instruction ID: e4ff9c4ffd37949ed2107e829d2b7cd7286b04f6e33d3194d8728eaece06829d
Opcode Fuzzy Hash: ba56c73416a167bf47cd2f8fdc7e1ba25f8767ce4cc83b34a9d5573ceedae528
Instruction Fuzzy Hash: 22C02B3018A204CFC28527702C04839720996D2305300C832CA03310309D72F471A811

Uniqueness

Uniqueness Score: -1.00%

Function 04D42EC0, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.381559514.0000000004D40000.00000040.00000001.sdmp, Offset: 04D40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2b5f03163f32fc6d27876d86c2b6301a4edc7a2206e0d11adb58d210fe1efc9
Instruction ID: 158b897fe79431a5049a85d0730994d19d27ffb460b893e0e6291c6613683d89
Opcode Fuzzy Hash: c2b5f03163f32fc6d27876d86c2b6301a4edc7a2206e0d11adb58d210fe1efc9
Instruction Fuzzy Hash: 88B0123021424A1B17405BB12C08A12338C578054535000B0E80CC2400F965E0902140

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 04D40D8C, Relevance: 5.3, Strings: 4, Instructions: 251COMMON

Download Yara Rule

Strings

0jr, xrefs: 04D40F8E
:@Dr, xrefs: 04D410CB
X1kr, xrefs: 04D40F1C
,:kr, xrefs: 04D40E38

Memory Dump Source

Source File: 0000000E.00000002.381559514.0000000004D40000.00000040.00000001.sdmp, Offset: 04D40000, based on PE: false

Similarity

API ID:
String ID: ,:kr$0jr$:@Dr$X1kr
API String ID: 0-1245831938
Opcode ID: c432783a8938d9fb849ffc4bcf06b5297215d4378854edf105703caa467dde34
Instruction ID: a52b52a038b2178f9181a6d0ddbe70e7a3f6c220bba1c42852481c24280521a2
Opcode Fuzzy Hash: c432783a8938d9fb849ffc4bcf06b5297215d4378854edf105703caa467dde34
Instruction Fuzzy Hash: 91B1D871A04344CFD394EF788160B6ABBE2BBD4704F50996EE5498B388DFB19C41CB02

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries.
Tactics:	Command and Control
Data Sources:	Network intrusion detection system, Network protocol analysis, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report bbbe7872ea466446da60c4da50020cbb.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: NanoCore

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre