Play interactive tour

Edit tour

Analysis Report oE6O5K1emC.exe

Overview

General Information

Sample Name:	oE6O5K1emC.exe
Analysis ID:	384479
MD5:	0cf0cd25346ee69b7e5aa8e366c886e9
SHA1:	ca13e5bbc69f2d808139ee18ea5ad56579f8b003
SHA256:	f542bc0175168daa808ce1448a019f88b058df6d0702c6daa4a0f83a481f2a5e
Tags:	exeNanoCoreRAT
Infos:
Most interesting Screenshot:

Detection

Nanocore

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected Nanocore Rat

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Sigma detected: NanoCore

Sigma detected: Scheduled temp file as task from temp location

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Yara detected AntiVM3

Yara detected Nanocore RAT

C2 URLs / IPs found in malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses schtasks.exe or at.exe to add and modify task schedules

Writes to foreign memory regions

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains capabilities to detect virtual machines

Contains functionality to call native functions

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Startup

System is w10x64

oE6O5K1emC.exe (PID: 6360 cmdline: 'C:\Users\user\Desktop\oE6O5K1emC.exe' MD5: 0CF0CD25346EE69B7E5AA8E366C886E9)

schtasks.exe (PID: 6456 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\DKCbURUccsSVSl' /XML 'C:\Users\user\AppData\Local\Temp\tmp8EBC.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 6464 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

RegSvcs.exe (PID: 6500 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe MD5: 71369277D09DA0830C8C59F9E22BB23A)

dhcpmon.exe (PID: 7024 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: 71369277D09DA0830C8C59F9E22BB23A)

conhost.exe (PID: 7032 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "f57d5a77-8670-45ef-b736-5f3a07b6", "Group": "Addora", "Domain1": "79.134.225.30", "Domain2": "nassiru1155.ddns.net", "Port": 1144, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.676048550.000000000363F000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000000.00000002.676767398.00000000046CA000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xa85fd:$x1: NanoCore.ClientPluginHost 0xdae1d:$x1: NanoCore.ClientPluginHost 0xa863a:$x2: IClientNetworkHost 0xdae5a:$x2: IClientNetworkHost 0xac16d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xde98d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.676767398.00000000046CA000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.676767398.00000000046CA000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xa8365:$a: NanoCore 0xa8375:$a: NanoCore 0xa85a9:$a: NanoCore 0xa85bd:$a: NanoCore 0xa85fd:$a: NanoCore 0xdab85:$a: NanoCore 0xdab95:$a: NanoCore 0xdadc9:$a: NanoCore 0xdaddd:$a: NanoCore 0xdae1d:$a: NanoCore 0xa83c4:$b: ClientPlugin 0xa85c6:$b: ClientPlugin 0xa8606:$b: ClientPlugin 0xdabe4:$b: ClientPlugin 0xdade6:$b: ClientPlugin 0xdae26:$b: ClientPlugin 0xa84eb:$c: ProjectData 0xdad0b:$c: ProjectData 0xa8ef2:$d: DESCrypto 0xdb712:$d: DESCrypto 0xb08be:$e: KeepAlive
Process Memory Space: oE6O5K1emC.exe PID: 6360	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
3.3.RegSvcs.exe.3d02987.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x41ee:$x1: NanoCore.ClientPluginHost 0x422b:$x2: IClientNetworkHost
3.3.RegSvcs.exe.3d02987.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x41ee:$x2: NanoCore.ClientPluginHost 0x7641:$s4: PipeCreated 0x4218:$s5: IClientLoggingHost
0.2.oE6O5K1emC.exe.4762470.1.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.oE6O5K1emC.exe.4762470.1.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
0.2.oE6O5K1emC.exe.4762470.1.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.oE6O5K1emC.exe.4762470.1.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
3.3.RegSvcs.exe.3d02987.0.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5fee:$x1: NanoCore.ClientPluginHost 0x602b:$x2: IClientNetworkHost
0.2.oE6O5K1emC.exe.4762470.1.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x429ad:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x429ea:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x4651d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.oE6O5K1emC.exe.4762470.1.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x42725:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x429ad:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x43fe6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x43fda:$s2: FileCommand 0x1266b:$s3: PipeExists 0x44e8b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x4ac42:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost 0x429d7:$s5: IClientLoggingHost
0.2.oE6O5K1emC.exe.4762470.1.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.oE6O5K1emC.exe.4762470.1.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0x42715:$a: NanoCore 0x42725:$a: NanoCore 0x42959:$a: NanoCore 0x4296d:$a: NanoCore 0x429ad:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x42774:$b: ClientPlugin 0x42976:$b: ClientPlugin 0x429b6:$b: ClientPlugin 0x1007b:$c: ProjectData 0x4289b:$c: ProjectData 0x10a82:$d: DESCrypto 0x432a2:$d: DESCrypto 0x1844e:$e: KeepAlive
Click to see the 6 entries

Sigma Overview

System Summary:

Sigma detected: NanoCore

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, ProcessId: 6500, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Sigma detected: Scheduled temp file as task from temp location

Show sources

Source: Process started

Author: Joe Security: Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\DKCbURUccsSVSl' /XML 'C:\Users\user\AppData\Local\Temp\tmp8EBC.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\DKCbURUccsSVSl' /XML 'C:\Users\user\AppData\Local\Temp\tmp8EBC.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\oE6O5K1emC.exe' , ParentImage: C:\Users\user\Desktop\oE6O5K1emC.exe, ParentProcessId: 6360, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\DKCbURUccsSVSl' /XML 'C:\Users\user\AppData\Local\Temp\tmp8EBC.tmp', ProcessId: 6456

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 0.2.oE6O5K1emC.exe.4762470.1.raw.unpack

Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "f57d5a77-8670-45ef-b736-5f3a07b6", "Group": "Addora", "Domain1": "79.134.225.30", "Domain2": "nassiru1155.ddns.net", "Port": 1144, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8"}

Multi AV Scanner detection for submitted file

Show sources

Source: oE6O5K1emC.exe

Virustotal: Detection: 12%

Perma Link

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000000.00000002.676767398.00000000046CA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0.2.oE6O5K1emC.exe.4762470.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.oE6O5K1emC.exe.4762470.1.raw.unpack, type: UNPACKEDPE

Source: oE6O5K1emC.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED

Source: C:\Users\user\Desktop\oE6O5K1emC.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Jump to behavior

Source: oE6O5K1emC.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: RegSvcs.pdb source: dhcpmon.exe, dhcpmon.exe.3.dr
Source:	Binary string: mscorrc.pdb source: oE6O5K1emC.exe, 00000000.00000002.686501476.0000000008D90000.00000002.00000001.sdmp

Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h		0_2_019768B8
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h		0_2_019768A8

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49727 -> 79.134.225.30:1144
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49736 -> 79.134.225.30:1144
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49743 -> 79.134.225.30:1144
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49745 -> 79.134.225.30:1144
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49747 -> 79.134.225.30:1144
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49748 -> 79.134.225.30:1144
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49750 -> 79.134.225.30:1144
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49758 -> 79.134.225.30:1144
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49760 -> 79.134.225.30:1144
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49761 -> 79.134.225.30:1144
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49762 -> 79.134.225.30:1144
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49763 -> 79.134.225.30:1144
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49766 -> 79.134.225.30:1144
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49768 -> 79.134.225.30:1144
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49774 -> 79.134.225.30:1144
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49775 -> 79.134.225.30:1144
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49776 -> 79.134.225.30:1144
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49777 -> 79.134.225.30:1144
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49778 -> 79.134.225.30:1144

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor	URLs: nassiru1155.ddns.net
Source: Malware configuration extractor	URLs: 79.134.225.30

Source: global traffic

TCP traffic: 192.168.2.4:49727 -> 79.134.225.30:1144

Source: Joe Sandbox View

IP Address: 79.134.225.30 79.134.225.30

Source: Joe Sandbox View

ASN Name: FINK-TELECOM-SERVICESCH FINK-TELECOM-SERVICESCH

Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.30
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.30
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.30
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.30
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.30
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.30
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.30
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.30
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.30
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.30
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.30
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.30
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.30
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.30
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.30
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.30
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.30
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.30
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.30
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.30
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.30
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.30
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.30
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.30
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.30
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.30
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.30
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.30
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.30
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.30
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.30
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.30
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.30
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.30
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.30
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.30
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.30
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.30
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.30
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.30
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.30
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.30
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.30
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.30
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.30
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.30
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.30
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.30
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.30
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.30

Source: oE6O5K1emC.exe, 00000000.00000003.649181303.00000000059DB000.00000004.00000001.sdmp	String found in binary or memory: http://en.w7
Source: oE6O5K1emC.exe, 00000000.00000002.680503330.0000000006BD2000.00000004.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: oE6O5K1emC.exe, 00000000.00000002.680503330.0000000006BD2000.00000004.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: oE6O5K1emC.exe, 00000000.00000003.651544478.00000000059FE000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.com
Source: oE6O5K1emC.exe, 00000000.00000003.651855574.00000000059FE000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comTC
Source: oE6O5K1emC.exe, 00000000.00000003.651855574.00000000059FE000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comTCD
Source: oE6O5K1emC.exe, 00000000.00000003.652006523.00000000059FE000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comTCH
Source: oE6O5K1emC.exe, 00000000.00000003.651855574.00000000059FE000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comTCe
Source: oE6O5K1emC.exe, 00000000.00000003.652274217.00000000059FE000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comTCoo
Source: oE6O5K1emC.exe, 00000000.00000003.651855574.00000000059FE000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comX
Source: oE6O5K1emC.exe, 00000000.00000003.651855574.00000000059FE000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comd
Source: oE6O5K1emC.exe, 00000000.00000003.651855574.00000000059FE000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comexcR
Source: oE6O5K1emC.exe, 00000000.00000003.651544478.00000000059FE000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comgy
Source: oE6O5K1emC.exe, 00000000.00000002.680503330.0000000006BD2000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: oE6O5K1emC.exe, 00000000.00000003.651855574.00000000059FE000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comnew=
Source: oE6O5K1emC.exe, 00000000.00000003.651652317.00000000059FE000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comypoD
Source: oE6O5K1emC.exe, 00000000.00000002.680503330.0000000006BD2000.00000004.00000001.sdmp, oE6O5K1emC.exe, 00000000.00000003.655776932.00000000059C4000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: oE6O5K1emC.exe, 00000000.00000003.659379671.00000000059F5000.00000004.00000001.sdmp, oE6O5K1emC.exe, 00000000.00000003.654702563.00000000059F5000.00000004.00000001.sdmp, oE6O5K1emC.exe, 00000000.00000003.654666209.00000000059F5000.00000004.00000001.sdmp, oE6O5K1emC.exe, 00000000.00000003.655363826.00000000059F5000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: oE6O5K1emC.exe, 00000000.00000003.654419205.00000000059F5000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/
Source: oE6O5K1emC.exe, 00000000.00000002.680503330.0000000006BD2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: oE6O5K1emC.exe, 00000000.00000002.680503330.0000000006BD2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: oE6O5K1emC.exe, 00000000.00000002.680503330.0000000006BD2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: oE6O5K1emC.exe, 00000000.00000003.654947203.00000000059F5000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html/
Source: oE6O5K1emC.exe, 00000000.00000002.680503330.0000000006BD2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: oE6O5K1emC.exe, 00000000.00000002.680503330.0000000006BD2000.00000004.00000001.sdmp, oE6O5K1emC.exe, 00000000.00000003.655396524.00000000059F5000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: oE6O5K1emC.exe, 00000000.00000002.680503330.0000000006BD2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: oE6O5K1emC.exe, 00000000.00000003.654970747.00000000059F5000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersJ
Source: oE6O5K1emC.exe, 00000000.00000003.655634998.00000000059F5000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersn
Source: oE6O5K1emC.exe, 00000000.00000003.655634998.00000000059F5000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designerss
Source: oE6O5K1emC.exe, 00000000.00000003.655776932.00000000059C4000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comFg
Source: oE6O5K1emC.exe, 00000000.00000003.655776932.00000000059C4000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comM.TTFK
Source: oE6O5K1emC.exe, 00000000.00000003.655776932.00000000059C4000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comasa
Source: oE6O5K1emC.exe, 00000000.00000003.673968990.00000000059C0000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comionm
Source: oE6O5K1emC.exe, 00000000.00000003.655776932.00000000059C4000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comsiefeq
Source: oE6O5K1emC.exe, 00000000.00000003.655776932.00000000059C4000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com~
Source: oE6O5K1emC.exe, 00000000.00000002.680503330.0000000006BD2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: oE6O5K1emC.exe, 00000000.00000003.649295268.00000000059DB000.00000004.00000001.sdmp	String found in binary or memory: http://www.fonts.com)
Source: oE6O5K1emC.exe, 00000000.00000003.649256448.00000000059DB000.00000004.00000001.sdmp	String found in binary or memory: http://www.fonts.com-u
Source: oE6O5K1emC.exe, 00000000.00000003.649256448.00000000059DB000.00000004.00000001.sdmp	String found in binary or memory: http://www.fonts.comX
Source: oE6O5K1emC.exe, 00000000.00000003.649273531.00000000059DB000.00000004.00000001.sdmp	String found in binary or memory: http://www.fonts.comx
Source: oE6O5K1emC.exe, 00000000.00000003.650828055.00000000059C4000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.c
Source: oE6O5K1emC.exe, 00000000.00000002.680503330.0000000006BD2000.00000004.00000001.sdmp, oE6O5K1emC.exe, 00000000.00000003.650806583.00000000059FD000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: oE6O5K1emC.exe, 00000000.00000003.651132859.00000000059C4000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/
Source: oE6O5K1emC.exe, 00000000.00000002.680503330.0000000006BD2000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: oE6O5K1emC.exe, 00000000.00000002.680503330.0000000006BD2000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: oE6O5K1emC.exe, 00000000.00000003.651132859.00000000059C4000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/g
Source: oE6O5K1emC.exe, 00000000.00000003.650806583.00000000059FD000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cne-d
Source: oE6O5K1emC.exe, 00000000.00000003.651132859.00000000059C4000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cni
Source: oE6O5K1emC.exe, 00000000.00000003.656920941.00000000059CD000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/
Source: oE6O5K1emC.exe, 00000000.00000003.656920941.00000000059CD000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/C
Source: oE6O5K1emC.exe, 00000000.00000002.680503330.0000000006BD2000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: oE6O5K1emC.exe, 00000000.00000002.680503330.0000000006BD2000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: oE6O5K1emC.exe, 00000000.00000002.680503330.0000000006BD2000.00000004.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: oE6O5K1emC.exe, 00000000.00000002.680503330.0000000006BD2000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: oE6O5K1emC.exe, 00000000.00000003.649181303.00000000059DB000.00000004.00000001.sdmp, oE6O5K1emC.exe, 00000000.00000002.680503330.0000000006BD2000.00000004.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: oE6O5K1emC.exe, 00000000.00000002.680503330.0000000006BD2000.00000004.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: oE6O5K1emC.exe, 00000000.00000002.680503330.0000000006BD2000.00000004.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: oE6O5K1emC.exe, 00000000.00000003.650167999.00000000059C6000.00000004.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kre
Source: oE6O5K1emC.exe, 00000000.00000002.680503330.0000000006BD2000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: oE6O5K1emC.exe, 00000000.00000003.649513321.00000000059DB000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiro.comtna
Source: oE6O5K1emC.exe, 00000000.00000002.680503330.0000000006BD2000.00000004.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: oE6O5K1emC.exe, 00000000.00000002.680503330.0000000006BD2000.00000004.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: oE6O5K1emC.exe, 00000000.00000003.655776932.00000000059C4000.00000004.00000001.sdmp	String found in binary or memory: http://www.urwpp.dew
Source: oE6O5K1emC.exe, 00000000.00000002.680503330.0000000006BD2000.00000004.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: oE6O5K1emC.exe, 00000000.00000002.676048550.000000000363F000.00000004.00000001.sdmp	String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css

E-Banking Fraud:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000000.00000002.676767398.00000000046CA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0.2.oE6O5K1emC.exe.4762470.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.oE6O5K1emC.exe.4762470.1.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000000.00000002.676767398.00000000046CA000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.676767398.00000000046CA000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.3.RegSvcs.exe.3d02987.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.oE6O5K1emC.exe.4762470.1.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.oE6O5K1emC.exe.4762470.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.3.RegSvcs.exe.3d02987.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.oE6O5K1emC.exe.4762470.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.oE6O5K1emC.exe.4762470.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>

Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Code function: 0_2_05850AAA NtQueryInformationProcess,	0_2_05850AAA
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Code function: 0_2_05850C1A NtQuerySystemInformation,	0_2_05850C1A
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Code function: 0_2_05850A88 NtQueryInformationProcess,	0_2_05850A88
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Code function: 0_2_05850BDF NtQuerySystemInformation,	0_2_05850BDF

Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Code function: 0_2_00DE90E1	0_2_00DE90E1
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Code function: 0_2_019739D8	0_2_019739D8
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Code function: 0_2_019735E8	0_2_019735E8
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Code function: 0_2_019748F8	0_2_019748F8
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Code function: 0_2_01976440	0_2_01976440
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Code function: 0_2_01973F78	0_2_01973F78
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Code function: 0_2_019732D8	0_2_019732D8
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Code function: 0_2_019716C0	0_2_019716C0
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Code function: 0_2_01970AF0	0_2_01970AF0
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Code function: 0_2_019735D8	0_2_019735D8
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Code function: 0_2_019739C9	0_2_019739C9
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Code function: 0_2_01972110	0_2_01972110
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Code function: 0_2_01972100	0_2_01972100
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Code function: 0_2_0197655E	0_2_0197655E
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Code function: 0_2_01971978	0_2_01971978
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Code function: 0_2_01974C80	0_2_01974C80
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Code function: 0_2_01973F69	0_2_01973F69
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Code function: 0_2_01973280	0_2_01973280
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Code function: 0_2_019742B8	0_2_019742B8
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Code function: 0_2_019742A9	0_2_019742A9
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Code function: 0_2_019732C8	0_2_019732C8
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Code function: 0_2_01970AE1	0_2_01970AE1
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Code function: 0_2_01971208	0_2_01971208
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Code function: 0_2_05708121	0_2_05708121
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Code function: 0_2_057045E8	0_2_057045E8
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Code function: 0_2_05705DE8	0_2_05705DE8
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Code function: 0_2_05706180	0_2_05706180
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Code function: 0_2_0570B18A	0_2_0570B18A
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Code function: 0_2_057070B0	0_2_057070B0
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Code function: 0_2_05707891	0_2_05707891
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Code function: 0_2_05703498	0_2_05703498
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Code function: 0_2_0570E328	0_2_0570E328
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Code function: 0_2_05708FE0	0_2_05708FE0
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Code function: 0_2_0570F7D8	0_2_0570F7D8
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Code function: 0_2_0570353A	0_2_0570353A
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Code function: 0_2_05706508	0_2_05706508
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Code function: 0_2_0570ADF1	0_2_0570ADF1
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Code function: 0_2_05709C70	0_2_05709C70
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Code function: 0_2_05709C61	0_2_05709C61
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Code function: 0_2_0570AC30	0_2_0570AC30
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Code function: 0_2_0570AC20	0_2_0570AC20
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Code function: 0_2_05707CA0	0_2_05707CA0
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Code function: 0_2_0570F0A0	0_2_0570F0A0
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Code function: 0_2_0570F08F	0_2_0570F08F
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Code function: 0_2_05704750	0_2_05704750
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Code function: 0_2_05706FF8	0_2_05706FF8
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Code function: 0_2_0570AFE8	0_2_0570AFE8
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Code function: 0_2_0570AFD8	0_2_0570AFD8
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Code function: 0_2_05706FA3	0_2_05706FA3
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Code function: 0_2_05703A69	0_2_05703A69
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Code function: 0_2_0570AE00	0_2_0570AE00
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Code function: 0_2_0570EAE0	0_2_0570EAE0
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Code function: 0_2_05708EEF	0_2_05708EEF
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Code function: 0_2_0570EAC8	0_2_0570EAC8
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Code function: 0_2_0570A6A0	0_2_0570A6A0
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Code function: 0_2_0570A691	0_2_0570A691
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Code function: 0_2_05704699	0_2_05704699

Source: oE6O5K1emC.exe, 00000000.00000002.686501476.0000000008D90000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs oE6O5K1emC.exe
Source: oE6O5K1emC.exe, 00000000.00000002.687029231.0000000009730000.00000002.00000001.sdmp	Binary or memory string: originalfilename vs oE6O5K1emC.exe
Source: oE6O5K1emC.exe, 00000000.00000002.687029231.0000000009730000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs oE6O5K1emC.exe
Source: oE6O5K1emC.exe, 00000000.00000002.686733497.0000000009110000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameDSASignature.dll" vs oE6O5K1emC.exe
Source: oE6O5K1emC.exe, 00000000.00000002.674253648.0000000000F60000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameSafeBuffer.exe( vs oE6O5K1emC.exe
Source: oE6O5K1emC.exe, 00000000.00000002.686891802.0000000009630000.00000002.00000001.sdmp	Binary or memory string: System.OriginalFileName vs oE6O5K1emC.exe
Source: oE6O5K1emC.exe, 00000000.00000002.686584573.0000000008F80000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSimpleUI.dll2 vs oE6O5K1emC.exe
Source: oE6O5K1emC.exe	Binary or memory string: OriginalFilenameSafeBuffer.exe( vs oE6O5K1emC.exe

Source: oE6O5K1emC.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED

Source: 00000000.00000002.676767398.00000000046CA000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.676767398.00000000046CA000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 3.3.RegSvcs.exe.3d02987.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.3.RegSvcs.exe.3d02987.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.oE6O5K1emC.exe.4762470.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.oE6O5K1emC.exe.4762470.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.oE6O5K1emC.exe.4762470.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 3.3.RegSvcs.exe.3d02987.0.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.oE6O5K1emC.exe.4762470.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.oE6O5K1emC.exe.4762470.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.oE6O5K1emC.exe.4762470.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore

Source: classification engine

Classification label: mal100.troj.evad.winEXE@8/12@0/1

Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Code function: 0_2_05850806 AdjustTokenPrivileges,		0_2_05850806
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Code function: 0_2_058507CF AdjustTokenPrivileges,		0_2_058507CF

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

File created: C:\Program Files (x86)\DHCP Monitor

Jump to behavior

Source: C:\Users\user\Desktop\oE6O5K1emC.exe

File created: C:\Users\user\AppData\Roaming\DKCbURUccsSVSl.exe

Jump to behavior

Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Mutant created: \Sessions\1\BaseNamedObjects\hekBcBncHUQUQSzS
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{f57d5a77-8670-45ef-b736-5f3a07b68725}
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6464:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7032:120:WilError_01

Source: C:\Users\user\Desktop\oE6O5K1emC.exe

File created: C:\Users\user\AppData\Local\Temp\tmp8EBC.tmp

Jump to behavior

Source: oE6O5K1emC.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior

Source: C:\Users\user\Desktop\oE6O5K1emC.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\oE6O5K1emC.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: oE6O5K1emC.exe, 00000000.00000002.676048550.000000000363F000.00000004.00000001.sdmp	Binary or memory string: Select * from UnmanagedMemoryStreamWrapper WHERE modelo=@modelo;?
Source: oE6O5K1emC.exe, 00000000.00000002.676048550.000000000363F000.00000004.00000001.sdmp	Binary or memory string: Select * from Clientes WHERE id=@id;;
Source: oE6O5K1emC.exe, 00000000.00000002.676048550.000000000363F000.00000004.00000001.sdmp	Binary or memory string: Select * from Aluguel5Erro ao listar Banco sql-UnmanagedMemoryStreamWrapper.INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: oE6O5K1emC.exe, 00000000.00000002.676048550.000000000363F000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO UnmanagedMemoryStreamWrapper VALUES(@modelo, @fabricante, @ano, @cor);
Source: oE6O5K1emC.exe, 00000000.00000002.676048550.000000000363F000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: oE6O5K1emC.exe, 00000000.00000002.676048550.000000000363F000.00000004.00000001.sdmp	Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
Source: oE6O5K1emC.exe, 00000000.00000002.676048550.000000000363F000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);

Source: oE6O5K1emC.exe

Virustotal: Detection: 12%

Source: C:\Users\user\Desktop\oE6O5K1emC.exe

File read: C:\Users\user\Desktop\oE6O5K1emC.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\oE6O5K1emC.exe 'C:\Users\user\Desktop\oE6O5K1emC.exe'
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\DKCbURUccsSVSl' /XML 'C:\Users\user\AppData\Local\Temp\tmp8EBC.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
Source: unknown	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\DKCbURUccsSVSl' /XML 'C:\Users\user\AppData\Local\Temp\tmp8EBC.tmp'	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Jump to behavior

Source: C:\Users\user\Desktop\oE6O5K1emC.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\oE6O5K1emC.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Jump to behavior

Source: oE6O5K1emC.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: oE6O5K1emC.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: oE6O5K1emC.exe

Static file information: File size 1554944 > 1048576

Source: C:\Users\user\Desktop\oE6O5K1emC.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Jump to behavior

Source: oE6O5K1emC.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x15ea00

Source: oE6O5K1emC.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: RegSvcs.pdb source: dhcpmon.exe, dhcpmon.exe.3.dr
Source:	Binary string: mscorrc.pdb source: oE6O5K1emC.exe, 00000000.00000002.686501476.0000000008D90000.00000002.00000001.sdmp

Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Code function: 0_2_017473E8 pushfd ; ret		0_2_017473FD
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Code function: 0_2_019767B0 pushad ; retf		0_2_019767B1

Source: initial sample	Static PE information: section name: .text entropy: 7.5082657765
Source: initial sample	Static PE information: section name: .text entropy: 7.5082657765

Source: C:\Users\user\Desktop\oE6O5K1emC.exe	File created: C:\Users\user\AppData\Roaming\DKCbURUccsSVSl.exe			Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe			Jump to dropped file

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules

Show sources

Source: C:\Users\user\Desktop\oE6O5K1emC.exe

Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\DKCbURUccsSVSl' /XML 'C:\Users\user\AppData\Local\Temp\tmp8EBC.tmp'

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Users\user\Desktop\oE6O5K1emC.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM3

Show sources

Source: Yara match	File source: 00000000.00000002.676048550.000000000363F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: oE6O5K1emC.exe PID: 6360, type: MEMORY

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: oE6O5K1emC.exe, 00000000.00000002.676048550.000000000363F000.00000004.00000001.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: oE6O5K1emC.exe, 00000000.00000002.676048550.000000000363F000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\oE6O5K1emC.exe

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Jump to behavior

Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Window / User API: foregroundWindowGot 590			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Window / User API: foregroundWindowGot 612			Jump to behavior

Source: C:\Users\user\Desktop\oE6O5K1emC.exe TID: 6364	Thread sleep time: -104975s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe TID: 6384	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 7080	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Thread delayed: delay time: 104975	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: oE6O5K1emC.exe, 00000000.00000002.676048550.000000000363F000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: oE6O5K1emC.exe, 00000000.00000002.676048550.000000000363F000.00000004.00000001.sdmp	Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: oE6O5K1emC.exe, 00000000.00000002.676048550.000000000363F000.00000004.00000001.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: RegSvcs.exe, 00000003.00000003.766854769.0000000000869000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlllanceExClientPlugin.resources.EXES/p
Source: oE6O5K1emC.exe, 00000000.00000002.676048550.000000000363F000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
Source: oE6O5K1emC.exe, 00000000.00000002.676048550.000000000363F000.00000004.00000001.sdmp	Binary or memory string: VMWARE
Source: oE6O5K1emC.exe, 00000000.00000002.676048550.000000000363F000.00000004.00000001.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: oE6O5K1emC.exe, 00000000.00000002.676048550.000000000363F000.00000004.00000001.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: oE6O5K1emC.exe, 00000000.00000002.676048550.000000000363F000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: oE6O5K1emC.exe, 00000000.00000002.676048550.000000000363F000.00000004.00000001.sdmp	Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000

Source: C:\Users\user\Desktop\oE6O5K1emC.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\oE6O5K1emC.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\oE6O5K1emC.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\Desktop\oE6O5K1emC.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 400000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Show sources

Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 402000	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 420000	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 422000	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 3B1008	Jump to behavior

Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\DKCbURUccsSVSl' /XML 'C:\Users\user\AppData\Local\Temp\tmp8EBC.tmp'			Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe			Jump to behavior

Source: RegSvcs.exe, 00000003.00000003.795197126.0000000000869000.00000004.00000001.sdmp	Binary or memory string: Program Managern has been aborted because of either a thread exit or an application request.
Source: RegSvcs.exe, 00000003.00000003.678235636.0000000000877000.00000004.00000001.sdmp	Binary or memory string: Program Manager.NET\Framework\v2.0.50727\h
Source: RegSvcs.exe, 00000003.00000003.794087932.00000000008AD000.00000004.00000001.sdmp	Binary or memory string: Program Manager
Source: RegSvcs.exe, 00000003.00000003.723840483.00000000057C1000.00000004.00000001.sdmp	Binary or memory string: Program Manager (x86)\DHCP Monitor\dhcpmon.exe

Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oE6O5K1emC.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\oE6O5K1emC.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct

Stealing of Sensitive Information:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000000.00000002.676767398.00000000046CA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0.2.oE6O5K1emC.exe.4762470.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.oE6O5K1emC.exe.4762470.1.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Detected Nanocore Rat

Show sources

Source: RegSvcs.exe, 00000003.00000003.687967168.0000000003CFF000.00000004.00000001.sdmp

String found in binary or memory: NanoCore.ClientPluginHost

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000000.00000002.676767398.00000000046CA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0.2.oE6O5K1emC.exe.4762470.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.oE6O5K1emC.exe.4762470.1.raw.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation1	Scheduled Task/Job1	Access Token Manipulation1	Masquerading2	OS Credential Dumping	Query Registry1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job1	Boot or Logon Initialization Scripts	Process Injection212	Disable or Modify Tools1	LSASS Memory	Security Software Discovery121	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Non-Standard Port1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Scheduled Task/Job1	Virtualization/Sandbox Evasion31	Security Account Manager	Process Discovery2	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Remote Access Software1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Access Token Manipulation1	NTDS	Virtualization/Sandbox Evasion31	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol1	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Process Injection212	LSA Secrets	Application Window Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Hidden Files and Directories1	Cached Domain Credentials	File and Directory Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Obfuscated Files or Information3	DCSync	System Information Discovery12	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Software Packing1	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
oE6O5K1emC.exe	13%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	0%	Metadefender		Browse
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	0%	ReversingLabs

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
nassiru1155.ddns.net	0%	Avira URL Cloud	safe
http://www.carterandcone.comTCe	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.carterandcone.comypoD	0%	Avira URL Cloud	safe
http://www.fonts.com)	0%	Avira URL Cloud	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.carterandcone.com	0%	URL Reputation	safe
http://www.carterandcone.com	0%	URL Reputation	safe
http://www.carterandcone.com	0%	URL Reputation	safe
http://www.carterandcone.comTCH	0%	Avira URL Cloud	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.carterandcone.comTCD	0%	Avira URL Cloud	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.fontbureau.comM.TTFK	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn/g	0%	Avira URL Cloud	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.tiro.comtna	0%	Avira URL Cloud	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.fonts.comx	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cni	0%	Avira URL Cloud	safe
http://www.fontbureau.comasa	0%	Avira URL Cloud	safe
http://www.carterandcone.comexcR	0%	Avira URL Cloud	safe
http://www.galapagosdesign.com/	0%	URL Reputation	safe
http://www.galapagosdesign.com/	0%	URL Reputation	safe
http://www.galapagosdesign.com/	0%	URL Reputation	safe
http://www.carterandcone.comd	0%	URL Reputation	safe
http://www.carterandcone.comd	0%	URL Reputation	safe
http://www.carterandcone.comd	0%	URL Reputation	safe
http://www.carterandcone.comgy	0%	Avira URL Cloud	safe
http://www.carterandcone.comTC	0%	URL Reputation	safe
http://www.carterandcone.comTC	0%	URL Reputation	safe
http://www.carterandcone.comTC	0%	URL Reputation	safe
http://www.carterandcone.comX	0%	Avira URL Cloud	safe
http://www.founder.com.c	0%	URL Reputation	safe
http://www.founder.com.c	0%	URL Reputation	safe
http://www.founder.com.c	0%	URL Reputation	safe
http://www.galapagosdesign.com/C	0%	Avira URL Cloud	safe
http://www.sandoll.co.kre	0%	Avira URL Cloud	safe
79.134.225.30	0%	Avira URL Cloud	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.founder.com.cn/cn/	0%	URL Reputation	safe
http://www.founder.com.cn/cn/	0%	URL Reputation	safe
http://www.founder.com.cn/cn/	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.urwpp.dew	0%	Avira URL Cloud	safe
http://www.fontbureau.comionm	0%	Avira URL Cloud	safe
http://www.carterandcone.comnew=	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cne-d	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.fontbureau.comFg	0%	Avira URL Cloud	safe
http://en.w7	0%	Avira URL Cloud	safe
http://www.fontbureau.comsiefeq	0%	Avira URL Cloud	safe
http://www.carterandcone.comTCoo	0%	Avira URL Cloud	safe
http://www.fonts.com-u	0%	Avira URL Cloud	safe
http://www.fontbureau.com~	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

No contacted domains info

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
nassiru1155.ddns.net	true	Avira URL Cloud: safe	unknown
79.134.225.30	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.fontbureau.com/designersG	oE6O5K1emC.exe, 00000000.00000002.680503330.0000000006BD2000.00000004.00000001.sdmp	false		high
http://www.carterandcone.comTCe	oE6O5K1emC.exe, 00000000.00000003.651855574.00000000059FE000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers/?	oE6O5K1emC.exe, 00000000.00000002.680503330.0000000006BD2000.00000004.00000001.sdmp	false		high
http://www.founder.com.cn/cn/bThe	oE6O5K1emC.exe, 00000000.00000002.680503330.0000000006BD2000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.carterandcone.comypoD	oE6O5K1emC.exe, 00000000.00000003.651652317.00000000059FE000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designersJ	oE6O5K1emC.exe, 00000000.00000003.654970747.00000000059F5000.00000004.00000001.sdmp	false		high
http://www.fontbureau.com/designers?	oE6O5K1emC.exe, 00000000.00000002.680503330.0000000006BD2000.00000004.00000001.sdmp, oE6O5K1emC.exe, 00000000.00000003.655396524.00000000059F5000.00000004.00000001.sdmp	false		high
http://www.fonts.com)	oE6O5K1emC.exe, 00000000.00000003.649295268.00000000059DB000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://www.fontbureau.com/designers/frere-user.html/	oE6O5K1emC.exe, 00000000.00000003.654947203.00000000059F5000.00000004.00000001.sdmp	false		high
http://www.tiro.com	oE6O5K1emC.exe, 00000000.00000002.680503330.0000000006BD2000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers	oE6O5K1emC.exe, 00000000.00000003.659379671.00000000059F5000.00000004.00000001.sdmp, oE6O5K1emC.exe, 00000000.00000003.654702563.00000000059F5000.00000004.00000001.sdmp, oE6O5K1emC.exe, 00000000.00000003.654666209.00000000059F5000.00000004.00000001.sdmp, oE6O5K1emC.exe, 00000000.00000003.655363826.00000000059F5000.00000004.00000001.sdmp	false		high
http://www.goodfont.co.kr	oE6O5K1emC.exe, 00000000.00000002.680503330.0000000006BD2000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.carterandcone.com	oE6O5K1emC.exe, 00000000.00000003.651544478.00000000059FE000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.carterandcone.comTCH	oE6O5K1emC.exe, 00000000.00000003.652006523.00000000059FE000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css	oE6O5K1emC.exe, 00000000.00000002.676048550.000000000363F000.00000004.00000001.sdmp	false		high
http://www.sajatypeworks.com	oE6O5K1emC.exe, 00000000.00000003.649181303.00000000059DB000.00000004.00000001.sdmp, oE6O5K1emC.exe, 00000000.00000002.680503330.0000000006BD2000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.typography.netD	oE6O5K1emC.exe, 00000000.00000002.680503330.0000000006BD2000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cn/cThe	oE6O5K1emC.exe, 00000000.00000002.680503330.0000000006BD2000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	oE6O5K1emC.exe, 00000000.00000002.680503330.0000000006BD2000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://fontfabrik.com	oE6O5K1emC.exe, 00000000.00000002.680503330.0000000006BD2000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.carterandcone.comTCD	oE6O5K1emC.exe, 00000000.00000003.651855574.00000000059FE000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.galapagosdesign.com/DPlease	oE6O5K1emC.exe, 00000000.00000002.680503330.0000000006BD2000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.comM.TTFK	oE6O5K1emC.exe, 00000000.00000003.655776932.00000000059C4000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fonts.com	oE6O5K1emC.exe, 00000000.00000002.680503330.0000000006BD2000.00000004.00000001.sdmp	false		high
http://www.founder.com.cn/cn/g	oE6O5K1emC.exe, 00000000.00000003.651132859.00000000059C4000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.sandoll.co.kr	oE6O5K1emC.exe, 00000000.00000002.680503330.0000000006BD2000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.tiro.comtna	oE6O5K1emC.exe, 00000000.00000003.649513321.00000000059DB000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.urwpp.deDPlease	oE6O5K1emC.exe, 00000000.00000002.680503330.0000000006BD2000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	oE6O5K1emC.exe, 00000000.00000002.680503330.0000000006BD2000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.sakkal.com	oE6O5K1emC.exe, 00000000.00000002.680503330.0000000006BD2000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fonts.comx	oE6O5K1emC.exe, 00000000.00000003.649273531.00000000059DB000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.founder.com.cn/cni	oE6O5K1emC.exe, 00000000.00000003.651132859.00000000059C4000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designersn	oE6O5K1emC.exe, 00000000.00000003.655634998.00000000059F5000.00000004.00000001.sdmp	false		high
http://www.fontbureau.comasa	oE6O5K1emC.exe, 00000000.00000003.655776932.00000000059C4000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designerss	oE6O5K1emC.exe, 00000000.00000003.655634998.00000000059F5000.00000004.00000001.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0	oE6O5K1emC.exe, 00000000.00000002.680503330.0000000006BD2000.00000004.00000001.sdmp	false		high
http://www.carterandcone.comexcR	oE6O5K1emC.exe, 00000000.00000003.651855574.00000000059FE000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com	oE6O5K1emC.exe, 00000000.00000002.680503330.0000000006BD2000.00000004.00000001.sdmp, oE6O5K1emC.exe, 00000000.00000003.655776932.00000000059C4000.00000004.00000001.sdmp	false		high
http://www.galapagosdesign.com/	oE6O5K1emC.exe, 00000000.00000003.656920941.00000000059CD000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.carterandcone.comd	oE6O5K1emC.exe, 00000000.00000003.651855574.00000000059FE000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.carterandcone.comgy	oE6O5K1emC.exe, 00000000.00000003.651544478.00000000059FE000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.comTC	oE6O5K1emC.exe, 00000000.00000003.651855574.00000000059FE000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.carterandcone.comX	oE6O5K1emC.exe, 00000000.00000003.651855574.00000000059FE000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.founder.com.c	oE6O5K1emC.exe, 00000000.00000003.650828055.00000000059C4000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/C	oE6O5K1emC.exe, 00000000.00000003.656920941.00000000059CD000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.sandoll.co.kre	oE6O5K1emC.exe, 00000000.00000003.650167999.00000000059C6000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fonts.comX	oE6O5K1emC.exe, 00000000.00000003.649256448.00000000059DB000.00000004.00000001.sdmp	false		unknown
http://www.carterandcone.coml	oE6O5K1emC.exe, 00000000.00000002.680503330.0000000006BD2000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cn/	oE6O5K1emC.exe, 00000000.00000003.651132859.00000000059C4000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	oE6O5K1emC.exe, 00000000.00000002.680503330.0000000006BD2000.00000004.00000001.sdmp	false		high
http://www.founder.com.cn/cn	oE6O5K1emC.exe, 00000000.00000002.680503330.0000000006BD2000.00000004.00000001.sdmp, oE6O5K1emC.exe, 00000000.00000003.650806583.00000000059FD000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.urwpp.dew	oE6O5K1emC.exe, 00000000.00000003.655776932.00000000059C4000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers/frere-user.html	oE6O5K1emC.exe, 00000000.00000002.680503330.0000000006BD2000.00000004.00000001.sdmp	false		high
http://www.fontbureau.comionm	oE6O5K1emC.exe, 00000000.00000003.673968990.00000000059C0000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.comnew=	oE6O5K1emC.exe, 00000000.00000003.651855574.00000000059FE000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://www.founder.com.cn/cne-d	oE6O5K1emC.exe, 00000000.00000003.650806583.00000000059FD000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/	oE6O5K1emC.exe, 00000000.00000002.680503330.0000000006BD2000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.comFg	oE6O5K1emC.exe, 00000000.00000003.655776932.00000000059C4000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://en.w7	oE6O5K1emC.exe, 00000000.00000003.649181303.00000000059DB000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers8	oE6O5K1emC.exe, 00000000.00000002.680503330.0000000006BD2000.00000004.00000001.sdmp	false		high
http://www.fontbureau.comsiefeq	oE6O5K1emC.exe, 00000000.00000003.655776932.00000000059C4000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.comTCoo	oE6O5K1emC.exe, 00000000.00000003.652274217.00000000059FE000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers/	oE6O5K1emC.exe, 00000000.00000003.654419205.00000000059F5000.00000004.00000001.sdmp	false		high
http://www.fonts.com-u	oE6O5K1emC.exe, 00000000.00000003.649256448.00000000059DB000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com~	oE6O5K1emC.exe, 00000000.00000003.655776932.00000000059C4000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
79.134.225.30	unknown	Switzerland		6775	FINK-TELECOM-SERVICESCH	true

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	384479
Start date:	09.04.2021
Start time:	09:46:16
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 8m 31s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	oE6O5K1emC.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	23
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@8/12@0/1
EGA Information:	Failed
HDC Information:	Successful, ratio: 2.3% (good quality ratio 1.8%) Quality average: 51.1% Quality standard deviation: 33.7%
HCA Information:	Successful, ratio: 97% Number of executed functions: 233 Number of non-executed functions: 28
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information. Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
09:47:11	API Interceptor	1x Sleep call for process: oE6O5K1emC.exe modified
09:47:18	API Interceptor	936x Sleep call for process: RegSvcs.exe modified
09:47:20	Autostart	Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
79.134.225.30	AIC7VMxudf.exe	Get hash	malicious	Browse
	Payment Confirmation.exe	Get hash	malicious	Browse
	JOIN.exe	Get hash	malicious	Browse
	Itinerary.pdf.exe	Get hash	malicious	Browse
	vVH0wIFYFd.exe	Get hash	malicious	Browse
	GWee9QSphp.exe	Get hash	malicious	Browse
	s7pnYY2USl.jar	Get hash	malicious	Browse
	s7pnYY2USl.jar	Get hash	malicious	Browse
	SecuriteInfo.com.BehavesLike.Win32.Generic.dc.exe	Get hash	malicious	Browse
	Import and Export Regulation.xlsx	Get hash	malicious	Browse
	BBdzKOGQ36.exe	Get hash	malicious	Browse
	BL.exe	Get hash	malicious	Browse
	Payment Invoice.exe	Get hash	malicious	Browse
	Payment Invoice.pdf.exe	Get hash	malicious	Browse
	Inquiries_scan_011023783591374376585.exe	Get hash	malicious	Browse

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
FINK-TELECOM-SERVICESCH	zunUbtZ2Y3.exe	Get hash	malicious	Browse	79.134.225.40
	EASTERS.exe	Get hash	malicious	Browse	79.134.225.118
	LIST OF POEA DELISTED AGENCIES.pdf.exe	Get hash	malicious	Browse	79.134.225.9
	AWB.pdf.exe	Get hash	malicious	Browse	79.134.225.102
	AIC7VMxudf.exe	Get hash	malicious	Browse	79.134.225.30
	9mm case for ROYAL METAL INDUSTRIES 3milmonth Specification drawings.exe	Get hash	malicious	Browse	79.134.225.21
	PO50164.exe	Get hash	malicious	Browse	79.134.225.79
	Fast color scan to a PDFfile_1_20210331084231346.pdf.exe	Get hash	malicious	Browse	79.134.225.102
	n7dIHuG3v6.exe	Get hash	malicious	Browse	79.134.225.92
	F6JT4fXIAQ.exe	Get hash	malicious	Browse	79.134.225.92
	order_inquiry2094.xls.exe	Get hash	malicious	Browse	79.134.225.102
	5H957qLghX.exe	Get hash	malicious	Browse	79.134.225.25
	yBio5dWAOl.exe	Get hash	malicious	Browse	79.134.225.7
	wDIaJji4Vv.exe	Get hash	malicious	Browse	79.134.225.7
	DkZY1k3y9F.exe	Get hash	malicious	Browse	79.134.225.23
	hbvo9thTAX.exe	Get hash	malicious	Browse	79.134.225.7
	SCAN ORDER DOC 040202021.exe	Get hash	malicious	Browse	79.134.225.71
	Waybill Doc_pdf.exe	Get hash	malicious	Browse	79.134.225.92
	gfcYixSdyD.exe	Get hash	malicious	Browse	79.134.225.71
	cJtVGjtNGZ.exe	Get hash	malicious	Browse	79.134.225.40

JA3 Fingerprints

No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	GS_ PO NO.1862021.exe	Get hash	malicious	Browse
	wDIaJji4Vv.exe	Get hash	malicious	Browse
	cJtVGjtNGZ.exe	Get hash	malicious	Browse
	Bilansno placanje.exe	Get hash	malicious	Browse
	SecuriteInfo.com.Trojan.Inject4.9647.20479.exe	Get hash	malicious	Browse
	wnIPBdB5OF.exe	Get hash	malicious	Browse
	Delivery Form C.exe	Get hash	malicious	Browse
	h6uc8EaDQX.exe	Get hash	malicious	Browse
	3aDHivUqWtumbXb.exe	Get hash	malicious	Browse
	fMy120EQiT6NaRd.exe	Get hash	malicious	Browse
	SecuriteInfo.com.Variant.Bulz.394792.29952.exe	Get hash	malicious	Browse
	SecuriteInfo.com.Trojan.PackedNET.578.18498.exe	Get hash	malicious	Browse
	sfTZCyMKuC.exe	Get hash	malicious	Browse
	y9Rtu1cnBk.exe	Get hash	malicious	Browse
	Ixli7b5j6A.exe	Get hash	malicious	Browse
	nq0aCrCXyE.exe	Get hash	malicious	Browse
	73SriHObnQ.exe	Get hash	malicious	Browse
	0672IMP000158021.pdf.exe	Get hash	malicious	Browse
	rb86llCYzA.exe	Get hash	malicious	Browse
	C3GWn5tduT.exe	Get hash	malicious	Browse

Created / dropped Files

C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	3.7515815714465193
Encrypted:	false
SSDEEP:	384:BOj9Y8/gS7SDriLGKq1MHR5U4Ag6ihJSxUCR1rgCPKabK2t0X5P7DZ+JgWSW72uw:B+gSAdN1MH3HAFRJngW2u
MD5:	71369277D09DA0830C8C59F9E22BB23A
SHA1:	37F9781314F0F6B7E9CB529A573F2B1C8DE9E93F
SHA-256:	D4527B7AD2FC4778CC5BE8709C95AEA44EAC0568B367EE14F7357D72898C3698
SHA-512:	2F470383E3C796C4CF212EC280854DBB9E7E8C8010CE6857E58F8E7066D7516B7CD7039BC5C0F547E1F5C7F9F2287869ADFFB2869800B08B2982A88BE96E9FB7
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: GS_ PO NO.1862021.exe, Detection: malicious, Browse Filename: wDIaJji4Vv.exe, Detection: malicious, Browse Filename: cJtVGjtNGZ.exe, Detection: malicious, Browse Filename: Bilansno placanje.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Trojan.Inject4.9647.20479.exe, Detection: malicious, Browse Filename: wnIPBdB5OF.exe, Detection: malicious, Browse Filename: Delivery Form C.exe, Detection: malicious, Browse Filename: h6uc8EaDQX.exe, Detection: malicious, Browse Filename: 3aDHivUqWtumbXb.exe, Detection: malicious, Browse Filename: fMy120EQiT6NaRd.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Variant.Bulz.394792.29952.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Trojan.PackedNET.578.18498.exe, Detection: malicious, Browse Filename: sfTZCyMKuC.exe, Detection: malicious, Browse Filename: y9Rtu1cnBk.exe, Detection: malicious, Browse Filename: Ixli7b5j6A.exe, Detection: malicious, Browse Filename: nq0aCrCXyE.exe, Detection: malicious, Browse Filename: 73SriHObnQ.exe, Detection: malicious, Browse Filename: 0672IMP000158021.pdf.exe, Detection: malicious, Browse Filename: rb86llCYzA.exe, Detection: malicious, Browse Filename: C3GWn5tduT.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....{Z.................P... .......k... ........@.. ...............................[....@..................................k..K................................... k............................................... ............... ..H............text....K... ...P.................. ..`.rsrc................`..............@..@.reloc...............p..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\dhcpmon.exe.log Download File
Process:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	120
Entropy (8bit):	5.016405576253028
Encrypted:	false
SSDEEP:	3:QHXMKaoWglAFXMWA2yTMGfsbNXLVd49Am12MFuAvOAsDeieVyn:Q3LawlAFXMWTyAGCFLIP12MUAvvrs
MD5:	50DEC1858E13F033E6DCA3CBFAD5E8DE
SHA1:	79AE1E9131B0FAF215B499D2F7B4C595AA120925
SHA-256:	14A557E226E3BA8620BB3A70035E1E316F1E9FB5C9E8F74C07110EE90B8D8AE4
SHA-512:	1BD73338DF685A5B57B0546E102ECFDEE65800410D6F77845E50456AC70DE72929088AF19B59647F01CBA7A5ACFB399C52D9EF2402A9451366586862EF88E7BF
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..2,"System.EnterpriseServices, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\oE6O5K1emC.exe.log Download File
Process:	C:\Users\user\Desktop\oE6O5K1emC.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	664
Entropy (8bit):	5.288448637977022
Encrypted:	false
SSDEEP:	12:Q3LaJU20NaL10Ug+9Yz9t0U29hJ5g1B0U2ukyrFk70U2xANlW3ANv:MLF20NaL3z2p29hJ5g522rW2xAi3A9
MD5:	B1DB55991C3DA14E35249AEA1BC357CA
SHA1:	0DD2D91198FDEF296441B12F1A906669B279700C
SHA-256:	34D3E48321D5010AD2BD1F3F0B728077E4F5A7F70D66FA36B57E5209580B6BDC
SHA-512:	BE38A31888C9C2F8047FA9C99672CB985179D325107514B7500DDA9523AE3E1D20B45EACC4E6C8A5D096360D0FBB98A120E63F38FFE324DF8A0559F6890CC801
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Remo#\35774dc3cd31b4550ab06c3354cf4ba5\System.Runtime.Remoting.ni.dll",0..

C:\Users\user\AppData\Local\Temp\tmp8EBC.tmp Download File
Process:	C:\Users\user\Desktop\oE6O5K1emC.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1647
Entropy (8bit):	5.185753707490085
Encrypted:	false
SSDEEP:	24:2dH4+SEqC/S7hblNMFp//rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBG6kbBtn:cbhK79lNQR/rydbz9I3YODOLNdq3Vkn
MD5:	8691364F6187303B5A987AB904210902
SHA1:	23A74D45BD4BD827501964713B23CBF891EFD72E
SHA-256:	43D8999891D99A3D4406474CC11A627A59E769993069DE5E4240CCD5C9862841
SHA-512:	9EA6FA83631DC1618B820EF9762C65128F5E148B2969165F1C39A0A590B0195EEB5F13D399BA09CDD9DCA1F8F0E30D361839F78350EF50555BA02F16D5142E3B
Malicious:	true
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
File Type:	data
Category:	dropped
Size (bytes):	1296
Entropy (8bit):	7.012278113302776
Encrypted:	false
SSDEEP:	24:IQnybgCyHJ5lQnybgCyHJ5lQnybgCyHJ5lQnybgCyHJ5lQnybgCyHJ5lQnybgCy6:IkR5lkR5lkR5lkR5lkR5lkR5i
MD5:	383833878D639AB9D3EE3ADF842AC47F
SHA1:	E873365BC70A3B3F0E4B2156478B5FC45FAA8098
SHA-256:	DA0C5534BB335E6BDFFA15200AC4ED932500D425999D1200C855A48FF4483FB0
SHA-512:	22117398C7BD9D74CBF8EF5B3CB3D259806A5B363DB85C3990B31EE51B647C7BD0E4F95FFBC5AAD060520E910FCB43817E56DEADA96781A8DF15B1EEA573DA9F
Malicious:	false
Reputation:	low
Preview:	Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h.P.vY.........S.5.6.C4..E.Y.\|........).zs...w.gl..\.G..J.M.vES.0....P.:..6...T....+5.1............r.P.V..+..(.2d.f... ..q.. 7iO.+..c.....!.'...mL\|XGj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h.P.vY.........S.5.6.C4..E.Y.\|........).zs...w.gl..\.G..J.M.vES.0....P.:..6...T....+5.1............r.P.V..+..(.2d.f... ..q.. 7iO.+..c.....!.'...mL\|XGj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h.P.vY.........S.5.6.C4..E.Y.\|........).zs...w.gl..\.G..J.M.vES.0....P.:..6...T....+5.1............r.P.V..+..(.2d.f... ..q.. 7iO.+..c.....!.'...mL\|XGj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h.P.vY.........S.5.6.C4..E.Y.\|........).zs...w.gl..\.G..J.M.vES.0....P.:..6...T....+5.1............r.P.V..+..(.2d.f... ..q.. 7iO.+..c.....!.'...mL\|XGj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h.P.vY.........S.5.6.C4..E.Y.\|........).zs...w.gl..\.G..J.M.vES.0....P.:..6..

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
File Type:	data
Category:	dropped
Size (bytes):	8
Entropy (8bit):	3.0
Encrypted:	false
SSDEEP:	3:Q9tn:Q9t
MD5:	8BACB37884A4AF96860567FB19A77E4C
SHA1:	BBBE9A196EDA91481E15FC68C5AE337DED70E0A9
SHA-256:	4391234F02BA7E0982E043C27997CD7046186ECC7329E798C3582657E5EF55AF
SHA-512:	C51F23901A481F26B8AB5B85366E7899F76A15EFD1DB98B04CD68E2E1F38C9FAF325D2B91BB38C67B9C65F4853BAF91AC7AFED231FEED71AA5072EC7F872256C
Malicious:	true
Preview:	*/..+..H

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bak Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
File Type:	data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	4.501629167387823
Encrypted:	false
SSDEEP:	3:9bzY6oRDIvYk:RzWDI3
MD5:	ACD3FB4310417DC77FE06F15B0E353E6
SHA1:	80E7002E655EB5765FDEB21114295CB96AD9D5EB
SHA-256:	DC3AE604991C9BB8FF8BC4502AE3D0DB8A3317512C0F432490B103B89C1A4368
SHA-512:	DA46A917DB6276CD4528CFE4AD113292D873CA2EBE53414730F442B83502E5FAF3D1AE87BFA295ADF01E3B44FDBCE239E21A318BFB2CCD1F4753846CB21F6F97
Malicious:	false
Preview:	9iH...}Z.4..f..J".C;"a

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bin Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	5.320159765557392
Encrypted:	false
SSDEEP:	3:9bzY6oRDIvYVsRLY6oRDT6P2bfVn1:RzWDIfRWDT621
MD5:	BB0F9B9992809E733EFFF8B0E562CFD6
SHA1:	F0BAB3CF73A04F5A689E6AFC764FEE9276992742
SHA-256:	C48F04FE7525AA3A3F9540889883F649726233DE021724823720A59B4F37CEAC
SHA-512:	AE4280AA460DC1C0301D458A3A443F6884A0BE37481737B2ADAFD72C33C55F09BED88ED239C91FE6F19CA137AC3CD7C9B8454C21D3F8E759687F701C8B3C7A16
Malicious:	false
Preview:	9iH...}Z.4..f..J".C;"a9iH...}Z.4..f.~a........~.~.......3.U.

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\storage.dat Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
File Type:	data
Category:	dropped
Size (bytes):	426840
Entropy (8bit):	7.999608491116724
Encrypted:	true
SSDEEP:	12288:zKf137EiDsTjevgA4p0V7njXuWSvdVU7V4OC0Rr:+134i2lp67i5d8+OCg
MD5:	963D5E2C9C0008DFF05518B47C367A7F
SHA1:	C183D601FABBC9AC8FBFA0A0937DECC677535E74
SHA-256:	5EACF2974C9BB2C2E24CDC651C4840DD6F4B76A98F0E85E90279F1DBB2E6F3C0
SHA-512:	0C04E1C1A13070D48728D9F7F300D9B26DEC6EC8875D8D3017EAD52B9EE5BDF9B651A7F0FCC537761212831107646ED72B8ED017E7477E600BC0137EF857AE2C
Malicious:	false
Preview:	..g&jo...IPg...GM....R>i...o...I.>.&.r{....8...}...E....v.!7.u3e.. .....db...}.......".t(.xC9.cp.B....7...'.......%......w.^.._.......B.W%.<..i.0.{9.xS...5...)..w..$..C..?`F..u.5.T.X.w'Si..z.n{...Y!m...RA...xg....[7...z..9@.K.-...T..+.ACe....R....enO.....AoNMT.\^....}H&..4I...B.:..@..J...v..rI5..kP......2j....B..B.~.T..>.c..emW;Rn<9..[.r.o....R[....@=...:...L.g<.....I..%4[.G^.~.l'......v.p&.........+..S...9d/.{..H.`@.1..........f.\s...X.a.].<.h...J4...k.x....%3.......3.c..?%....>.!.}..)(.{...H...3..`'].Q.[sN..JX(.%pH....+......(...v.....H...3..8.a_..J..?4...y.N(..D.h..g.jD..I...44Q?..N......oX.A......l...n?./..........$.!..;.^9"H...........OkF....v.m_.e.v..f...."..bq{.....O.-....%R+...-..P.i..t5....2Z# ...#...,L..{..j..heT -=Z.P;...g.m)<owJ].J..../.p..8.u8.&..#.m9...j%..g&....g.x.I,....u.[....>./W...........X...bZ...ex.0..x.}.....Tb...[..H_M._.^N.d&...g._."@4N.pDs].GbT.......&p........Nw...%$=.....{..J.1....2....<E{..<!G..

C:\Users\user\AppData\Roaming\DKCbURUccsSVSl.exe Download File
Process:	C:\Users\user\Desktop\oE6O5K1emC.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1554944
Entropy (8bit):	7.385331204380147
Encrypted:	false
SSDEEP:	24576:8ZHdBedlcA8hbbgPFbg3TwSxivyHOcq5pCkQha6g53oG4l2GfONmPr:uBedlv8hbbgPFbhGYDHJ6g545lpfi8
MD5:	0CF0CD25346EE69B7E5AA8E366C886E9
SHA1:	CA13E5BBC69F2D808139EE18EA5AD56579F8B003
SHA-256:	F542BC0175168DAA808CE1448A019F88B058DF6D0702C6DAA4A0F83A481F2A5E
SHA-512:	03DFE9E8D76C37AB36CFF64E569F22861C10BAADAFEDA98C6CD9400A17ECBD93B38DF885BAC7C9D4237C912796F9C2C2A163D360D4FF7D58A101F59E021D5219
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...P.o`............................6.... ... ....@.. ....................... ............@.....................................W....@....................... ....................................................... ............... ..H............text...<.... ...................... ..`.reloc....... ......................@..B.rsrc........@......................@..@........................H...........o..........,...............................................z.(......}.....(....o ...}.........0...........{......E............8...Z...u..................}..... ].4S}......}.......}..... ..Q.}......}.......}......{.... Km.a}......}.......}..... ,...}......}.......}......{.... ..=.a}......}.......}..... ....}......}.......}..... "G.R}......}.......}........{.....s!...z.2.{.....f...*....0..<........{......3..{....(....o ...3...}......+..s.......{....}..

C:\Users\user\AppData\Roaming\DKCbURUccsSVSl.exe:Zone.Identifier Download File
Process:	C:\Users\user\Desktop\oE6O5K1emC.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

\Device\ConDrv Download File
Process:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1145
Entropy (8bit):	4.462201512373672
Encrypted:	false
SSDEEP:	24:zKLXkzPDObntKlglUEnfQtvNuNpKOK5aM9YJC:zKL0zPDQntKKH1MqJC
MD5:	46EBEB88876A00A52CC37B1F8E0D0438
SHA1:	5E5DB352F964E5F398301662FF558BD905798A65
SHA-256:	D65BD5A6CC112838AFE8FA70BF61FD13C1313BCE3EE3E76C50E454D7B581238B
SHA-512:	E713E6F304A469FB71235C598BC7E2C6F8458ABC61DAF3D1F364F66579CAFA4A7F3023E585BDA552FB400009E7805A8CA0311A50D5EDC9C2AD2D067772A071BE
Malicious:	false
Preview:	Microsoft (R) .NET Framework Services Installation Utility Version 2.0.50727.8922..Copyright (c) Microsoft Corporation. All rights reserved.....USAGE: regsvcs.exe [options] AssemblyName..Options:.. /? or /help Display this usage message... /fc Find or create target application (default)... /c Create target application, error if it already exists... /exapp Expect an existing application... /tlb:<tlbfile> Filename for the exported type library... /appname:<name> Use the specified name for the target application... /parname:<name> Use the specified name or id for the target partition... /extlb Use an existing type library... /reconfig Reconfigure existing target application (default)... /noreconfig Don't reconfigure existing target application... /u Uninstall target application... /nologo Suppress logo output... /quiet Suppress logo output and success output...

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.385331204380147
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	oE6O5K1emC.exe
File size:	1554944
MD5:	0cf0cd25346ee69b7e5aa8e366c886e9
SHA1:	ca13e5bbc69f2d808139ee18ea5ad56579f8b003
SHA256:	f542bc0175168daa808ce1448a019f88b058df6d0702c6daa4a0f83a481f2a5e
SHA512:	03dfe9e8d76c37ab36cff64e569f22861c10baadafeda98c6cd9400a17ecbd93b38df885bac7c9d4237c912796f9c2c2a163d360d4ff7d58a101f59e021d5219
SSDEEP:	24576:8ZHdBedlcA8hbbgPFbg3TwSxivyHOcq5pCkQha6g53oG4l2GfONmPr:uBedlv8hbbgPFbhGYDHJ6g545lpfi8
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...P.o`............................6.... ... ....@.. ....................... ............@................................

File Icon


Icon Hash:	f0cef27270b2ce70

Static PE Info

General
Entrypoint:	0x560836
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x606FFB50 [Fri Apr 9 06:59:28 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:	v2.0.50727
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1607dc	0x57	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x164000	0x1cacc	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x162000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x15e83c	0x15ea00	False	0.646118120544	Applesoft BASIC program data, first line number 22	7.5082657765	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.reloc	0x162000	0xc	0x200	False	0.044921875	data	0.0776331623432	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc	0x164000	0x1cacc	0x1cc00	False	0.35202955163	data	4.73788431456	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
RT_ICON	0x164220	0x4228	dBase III DBT, version number 0, next free block index 40
RT_ICON	0x168448	0x10a8	data
RT_ICON	0x1694f0	0x25a8	data
RT_ICON	0x16ba98	0x4228	dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 0, next used block 0
RT_ICON	0x16fcc0	0x10828	dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 16777216, next used block 16777216
RT_GROUP_ICON	0x1804e8	0x14	data
RT_GROUP_ICON	0x1804fc	0x4c	data
RT_VERSION	0x180548	0x338	data
RT_MANIFEST	0x180880	0x249	XML 1.0 document, UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright Northern Star
Assembly Version	2.1.0.8
InternalName	SafeBuffer.exe
FileVersion	2.1.0.8
CompanyName	Northern Star
LegalTrademarks
Comments
ProductName	MDM
ProductVersion	2.1.0.8
FileDescription	MDM
OriginalFilename	SafeBuffer.exe

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
04/09/21-09:47:19.737316	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49727	1144	192.168.2.4	79.134.225.30
04/09/21-09:47:27.294035	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49736	1144	192.168.2.4	79.134.225.30
04/09/21-09:47:33.578124	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49743	1144	192.168.2.4	79.134.225.30
04/09/21-09:47:39.889240	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49745	1144	192.168.2.4	79.134.225.30
04/09/21-09:47:46.602499	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49747	1144	192.168.2.4	79.134.225.30
04/09/21-09:47:52.785449	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49748	1144	192.168.2.4	79.134.225.30
04/09/21-09:47:59.259086	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49750	1144	192.168.2.4	79.134.225.30
04/09/21-09:48:05.484805	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49758	1144	192.168.2.4	79.134.225.30
04/09/21-09:48:11.811392	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49760	1144	192.168.2.4	79.134.225.30
04/09/21-09:48:17.958802	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49761	1144	192.168.2.4	79.134.225.30
04/09/21-09:48:24.238559	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49762	1144	192.168.2.4	79.134.225.30
04/09/21-09:48:30.288193	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49763	1144	192.168.2.4	79.134.225.30
04/09/21-09:48:36.397083	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49766	1144	192.168.2.4	79.134.225.30
04/09/21-09:48:42.401372	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49768	1144	192.168.2.4	79.134.225.30
04/09/21-09:48:48.419509	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49774	1144	192.168.2.4	79.134.225.30
04/09/21-09:48:54.493298	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49775	1144	192.168.2.4	79.134.225.30
04/09/21-09:49:00.548310	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49776	1144	192.168.2.4	79.134.225.30
04/09/21-09:49:06.594824	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49777	1144	192.168.2.4	79.134.225.30
04/09/21-09:49:12.597526	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49778	1144	192.168.2.4	79.134.225.30

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 9, 2021 09:47:19.387187004 CEST	49727	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:19.569410086 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:19.570259094 CEST	49727	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:19.737315893 CEST	49727	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:19.953636885 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:19.988003016 CEST	49727	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:20.082568884 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:20.082724094 CEST	49727	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:20.206301928 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:20.206500053 CEST	49727	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:20.307507992 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:20.389694929 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:20.389797926 CEST	49727	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:20.605148077 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:20.605645895 CEST	49727	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:20.828927040 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:20.829598904 CEST	49727	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:20.881007910 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:20.881432056 CEST	49727	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:20.882491112 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:20.882616997 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:20.882684946 CEST	49727	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:20.883604050 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:20.885317087 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:20.885413885 CEST	49727	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:20.885556936 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:20.885907888 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:20.885955095 CEST	49727	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:20.887207985 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:20.887270927 CEST	49727	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:20.887959003 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:20.888298988 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:20.888351917 CEST	49727	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:21.051882029 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.075663090 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.089603901 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.090198994 CEST	49727	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:21.090348959 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.090464115 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.091731071 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.091831923 CEST	49727	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:21.093956947 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.094014883 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.094084978 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.094121933 CEST	49727	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:21.094146013 CEST	49727	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:21.095455885 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.100219011 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.100867987 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.100920916 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.100979090 CEST	49727	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:21.101022959 CEST	49727	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:21.101886988 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.103204966 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.103307962 CEST	49727	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:21.104449034 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.104614973 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.104712009 CEST	49727	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:21.105263948 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.105859995 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.109786987 CEST	49727	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:21.115653038 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.115708113 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.115840912 CEST	49727	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:21.151675940 CEST	49727	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:21.278796911 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.280217886 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.280369043 CEST	49727	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:21.288764954 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.288822889 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.289503098 CEST	49727	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:21.297285080 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.297326088 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.297487020 CEST	49727	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:21.297586918 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.298300028 CEST	49727	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:21.298979044 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.299038887 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.300040007 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.300153971 CEST	49727	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:21.303910017 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.304107904 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.304913998 CEST	49727	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:21.305011988 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.305495977 CEST	49727	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:21.305567026 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.305697918 CEST	49727	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:21.305702925 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.305758953 CEST	49727	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:21.307041883 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.307765961 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.307977915 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.308029890 CEST	49727	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:21.308058977 CEST	49727	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:21.317260027 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.317495108 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.317498922 CEST	49727	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:21.317555904 CEST	49727	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:21.317639112 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.317718029 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.317781925 CEST	49727	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:21.317882061 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.323237896 CEST	49727	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:21.329560995 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.329629898 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.331473112 CEST	49727	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:21.342427969 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.342544079 CEST	49727	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:21.342703104 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.342806101 CEST	49727	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:21.343000889 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.344182014 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.344293118 CEST	49727	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:21.345177889 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.346004009 CEST	49727	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:21.346154928 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.346214056 CEST	49727	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:21.346473932 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.346728086 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.346803904 CEST	49727	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:21.351841927 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.351911068 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.353001118 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.353128910 CEST	49727	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:21.362327099 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.362426043 CEST	49727	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:21.363136053 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.363270998 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.363306999 CEST	49727	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:21.363667965 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.363728046 CEST	49727	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:21.390722990 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.482803106 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.483529091 CEST	49727	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:21.484049082 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.484124899 CEST	49727	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:21.485022068 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.487219095 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.487435102 CEST	49727	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:21.487610102 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.488672972 CEST	49727	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:21.489093065 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.489542007 CEST	49727	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:21.491130114 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.494252920 CEST	49727	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:21.500560999 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.500583887 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.500621080 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.500637054 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.500718117 CEST	49727	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:21.500740051 CEST	49727	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:21.501717091 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.503217936 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.504103899 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.504229069 CEST	49727	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:21.504982948 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.507452965 CEST	49727	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:21.513849974 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.513986111 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.514008045 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.514187098 CEST	49727	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:21.514421940 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.514480114 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.514547110 CEST	49727	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:21.514607906 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.515295029 CEST	49727	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:21.520210981 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.520237923 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.520272970 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.520301104 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.520414114 CEST	49727	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:21.520452976 CEST	49727	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:21.521173000 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.523516893 CEST	49727	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:21.524518013 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.524540901 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.524610043 CEST	49727	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:21.524655104 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.526163101 CEST	49727	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:21.526231050 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.527242899 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.527285099 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.527409077 CEST	49727	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:21.527419090 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.529479980 CEST	49727	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:21.546267986 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.551182032 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.551208973 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.551356077 CEST	49727	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:21.560461044 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.561074018 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.561346054 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.561379910 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.561477900 CEST	49727	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:21.565418005 CEST	49727	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:21.569114923 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.570291042 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.570430994 CEST	49727	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:21.575227022 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.575875998 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.575905085 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.576059103 CEST	49727	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:21.577248096 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.577617884 CEST	49727	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:21.585156918 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.587505102 CEST	49727	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:21.593907118 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.595475912 CEST	49727	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:21.600272894 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.601250887 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.601418972 CEST	49727	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:21.610562086 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.613534927 CEST	49727	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:21.673069954 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.674277067 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.678004980 CEST	49727	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:21.695451975 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.695481062 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.695517063 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.695640087 CEST	49727	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:21.697033882 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.697856903 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.697875977 CEST	49727	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:21.697926998 CEST	49727	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:21.719525099 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.720330000 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.720393896 CEST	49727	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:21.720432043 CEST	49727	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:21.721419096 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.721487045 CEST	49727	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:21.721527100 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.721627951 CEST	49727	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:21.722052097 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.722099066 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.725493908 CEST	49727	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:21.729271889 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.730163097 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.730276108 CEST	49727	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:21.732623100 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.732923985 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.733011007 CEST	49727	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:21.734086037 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.734925985 CEST	49727	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:21.734992981 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.735059977 CEST	49727	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:21.736069918 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.736093044 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.739481926 CEST	49727	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:21.740310907 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.740714073 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.742347956 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.742520094 CEST	49727	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:21.743015051 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.743479013 CEST	49727	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:21.743529081 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.744144917 CEST	49727	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:21.752162933 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.753523111 CEST	49727	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:21.757054090 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.757837057 CEST	49727	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:21.776639938 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.776704073 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.776748896 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.776793957 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.776804924 CEST	49727	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:21.776840925 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.776845932 CEST	49727	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:21.776890039 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.776894093 CEST	49727	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:21.776937962 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.776952028 CEST	49727	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:21.776972055 CEST	49727	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:21.776990891 CEST	49727	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:21.777220011 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.777333021 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.777415037 CEST	49727	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:21.788070917 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.788116932 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.788259983 CEST	49727	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:21.789788008 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.789843082 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.791282892 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.791445971 CEST	49727	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:21.791624069 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.791702032 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.793258905 CEST	49727	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:21.798316002 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.798424959 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.798459053 CEST	49727	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:21.798502922 CEST	49727	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:21.807674885 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.807796955 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.807796001 CEST	49727	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:21.807856083 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.807909966 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.807967901 CEST	49727	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:21.808094025 CEST	49727	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:21.873373985 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.873982906 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.875500917 CEST	49727	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:21.913238049 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.913299084 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.915340900 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.915397882 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.915498018 CEST	49727	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:21.915534019 CEST	49727	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:21.916320086 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.918507099 CEST	49727	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:21.924468994 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.925000906 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.926239014 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.926311016 CEST	49727	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:21.926353931 CEST	49727	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:21.927081108 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.928106070 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.928291082 CEST	49727	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:21.933173895 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.934129953 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.934175968 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.934315920 CEST	49727	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:21.935209990 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.936079979 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.938692093 CEST	49727	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:21.943389893 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.943762064 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.943990946 CEST	49727	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:21.953325987 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.953421116 CEST	49727	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:21.953433990 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.953486919 CEST	49727	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:21.962620974 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.962673903 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.962713003 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.962827921 CEST	49727	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:21.963151932 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.963191032 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.964284897 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.964384079 CEST	49727	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:21.964814901 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.966238976 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.967514038 CEST	49727	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:21.981280088 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.981317997 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.982209921 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.982248068 CEST	49727	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:21.987564087 CEST	49727	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:21.991152048 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.993324995 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.993760109 CEST	49727	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:21.994204044 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.995484114 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:21.999408007 CEST	49727	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:22.012700081 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:22.012779951 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:22.013432026 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:22.013490915 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:22.013623953 CEST	49727	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:22.019501925 CEST	49727	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:22.020828009 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:22.022507906 CEST	49727	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:22.023185015 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:22.023675919 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:22.023736000 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:22.023854017 CEST	49727	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:22.024501085 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:22.025299072 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:22.025487900 CEST	49727	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:22.027189970 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:22.028255939 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:22.028400898 CEST	49727	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:22.028450966 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:22.029301882 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:22.030272961 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:22.030402899 CEST	49727	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:22.030864000 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:22.032732964 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:22.033456087 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:22.033603907 CEST	49727	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:22.034189939 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:22.034235954 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:22.035137892 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:22.035222054 CEST	49727	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:22.035965919 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:22.037100077 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:22.037185907 CEST	49727	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:22.038022041 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:22.038299084 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:22.038398981 CEST	49727	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:22.038944960 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:22.040347099 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:22.041033030 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:22.041157961 CEST	49727	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:22.042254925 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:22.042503119 CEST	49727	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:22.094603062 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:22.094657898 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:22.095278978 CEST	49727	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:22.108356953 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:22.111529112 CEST	49727	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:22.114204884 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:22.114265919 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:22.114427090 CEST	49727	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:22.115673065 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:22.116439104 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:22.117460966 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:22.117611885 CEST	49727	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:22.125336885 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:22.125428915 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:22.126713991 CEST	49727	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:22.127111912 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:22.127253056 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:22.127331972 CEST	49727	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:22.134337902 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:22.135206938 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:22.135366917 CEST	49727	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:22.148380995 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:22.149187088 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:22.150288105 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:22.150326967 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:22.150382042 CEST	49727	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:22.152168036 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:22.152304888 CEST	49727	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:22.158612967 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:22.158901930 CEST	49727	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:22.159296989 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:22.160399914 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:22.160434961 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:22.160619020 CEST	49727	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:22.168535948 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:22.170465946 CEST	49727	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:22.768858910 CEST	49727	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:22.808068037 CEST	49727	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:23.045702934 CEST	1144	49727	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:23.081265926 CEST	49727	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:27.101094961 CEST	49736	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:27.293250084 CEST	1144	49736	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:27.293412924 CEST	49736	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:27.294034958 CEST	49736	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:27.515748024 CEST	1144	49736	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:27.519932985 CEST	49736	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:27.613208055 CEST	1144	49736	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:27.660913944 CEST	49736	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:27.736984015 CEST	1144	49736	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:27.737116098 CEST	49736	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:27.927567005 CEST	1144	49736	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:27.927746058 CEST	49736	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:28.144289017 CEST	1144	49736	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:28.145519972 CEST	49736	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:28.360236883 CEST	1144	49736	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:28.360315084 CEST	49736	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:28.501749039 CEST	1144	49736	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:28.501858950 CEST	49736	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:28.538827896 CEST	1144	49736	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:28.538906097 CEST	49736	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:28.736270905 CEST	1144	49736	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:28.736385107 CEST	49736	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:28.803081036 CEST	1144	49736	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:28.934375048 CEST	1144	49736	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:28.934519053 CEST	49736	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:29.136024952 CEST	1144	49736	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:29.136105061 CEST	49736	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:29.287292957 CEST	49736	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:29.348763943 CEST	1144	49736	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:29.348882914 CEST	49736	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:33.381769896 CEST	49743	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:33.573417902 CEST	1144	49743	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:33.573569059 CEST	49743	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:33.578124046 CEST	49743	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:33.793262005 CEST	1144	49743	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:33.796400070 CEST	49743	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:34.007823944 CEST	1144	49743	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:34.008497953 CEST	49743	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:34.065527916 CEST	1144	49743	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:34.114528894 CEST	49743	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:34.227693081 CEST	1144	49743	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:34.227914095 CEST	49743	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:34.410307884 CEST	1144	49743	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:34.410761118 CEST	49743	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:34.631021976 CEST	1144	49743	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:34.632153034 CEST	49743	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:34.848062992 CEST	1144	49743	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:34.848169088 CEST	49743	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:34.974242926 CEST	1144	49743	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:34.974451065 CEST	49743	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:35.026778936 CEST	1144	49743	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:35.031006098 CEST	49743	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:35.154906034 CEST	1144	49743	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:35.155055046 CEST	49743	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:35.246706963 CEST	1144	49743	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:35.246895075 CEST	49743	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:35.374131918 CEST	1144	49743	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:35.374221087 CEST	49743	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:35.426896095 CEST	1144	49743	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:35.474070072 CEST	49743	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:35.555941105 CEST	1144	49743	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:35.556181908 CEST	49743	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:35.693970919 CEST	49743	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:35.772077084 CEST	1144	49743	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:35.772252083 CEST	49743	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:39.710449934 CEST	49745	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:39.888180971 CEST	1144	49745	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:39.888428926 CEST	49745	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:39.889240026 CEST	49745	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:40.120045900 CEST	1144	49745	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:40.120243073 CEST	49745	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:40.228355885 CEST	1144	49745	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:40.287024975 CEST	49745	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:40.340715885 CEST	1144	49745	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:40.641737938 CEST	49745	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:40.835756063 CEST	1144	49745	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:40.835931063 CEST	49745	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:41.062982082 CEST	1144	49745	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:41.063143015 CEST	49745	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:41.308326960 CEST	1144	49745	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:41.308456898 CEST	49745	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:41.418872118 CEST	1144	49745	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:41.418960094 CEST	49745	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:41.507004976 CEST	1144	49745	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:41.507129908 CEST	49745	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:41.611946106 CEST	1144	49745	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:41.612126112 CEST	49745	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:41.728219032 CEST	1144	49745	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:41.728389025 CEST	49745	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:41.860299110 CEST	1144	49745	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:41.860435009 CEST	49745	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:41.910288095 CEST	1144	49745	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:41.959089041 CEST	49745	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:42.038028955 CEST	1144	49745	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:42.038213015 CEST	49745	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:42.256978989 CEST	1144	49745	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:42.257154942 CEST	49745	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:42.382735968 CEST	49745	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:42.488028049 CEST	1144	49745	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:42.488209009 CEST	49745	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:46.399137974 CEST	49747	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:46.599386930 CEST	1144	49747	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:46.599514008 CEST	49747	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:46.602499008 CEST	49747	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:46.846363068 CEST	1144	49747	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:46.846450090 CEST	49747	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:46.890940905 CEST	1144	49747	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:46.943694115 CEST	49747	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:47.101984978 CEST	1144	49747	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:47.102092981 CEST	49747	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:47.300396919 CEST	1144	49747	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:47.300482035 CEST	49747	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:47.522936106 CEST	1144	49747	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:47.524805069 CEST	49747	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:47.783165932 CEST	1144	49747	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:47.783309937 CEST	49747	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:47.934834003 CEST	1144	49747	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:47.935004950 CEST	49747	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:47.991290092 CEST	1144	49747	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:47.992841959 CEST	49747	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:48.179008007 CEST	1144	49747	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:48.179150105 CEST	49747	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:48.191520929 CEST	1144	49747	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:48.240755081 CEST	49747	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:48.409960032 CEST	1144	49747	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:48.410131931 CEST	49747	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:48.585561991 CEST	49747	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:48.597357988 CEST	1144	49747	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:48.597512007 CEST	49747	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:52.601752043 CEST	49748	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:52.784781933 CEST	1144	49748	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:52.784972906 CEST	49748	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:52.785449028 CEST	49748	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:53.020747900 CEST	1144	49748	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:53.020827055 CEST	49748	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:53.090010881 CEST	1144	49748	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:53.131747007 CEST	49748	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:53.241481066 CEST	1144	49748	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:53.241601944 CEST	49748	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:53.423321009 CEST	1144	49748	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:53.426173925 CEST	49748	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:53.678683996 CEST	1144	49748	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:53.678828001 CEST	49748	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:53.926028967 CEST	1144	49748	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:53.926282883 CEST	49748	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:54.060842037 CEST	1144	49748	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:54.061120033 CEST	49748	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:54.109064102 CEST	1144	49748	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:54.109281063 CEST	49748	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:54.239548922 CEST	1144	49748	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:54.288100958 CEST	49748	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:54.322429895 CEST	1144	49748	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:54.322531939 CEST	49748	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:54.509978056 CEST	1144	49748	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:54.510093927 CEST	49748	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:54.689996004 CEST	1144	49748	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:54.690177917 CEST	49748	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:54.741695881 CEST	49748	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:54.904647112 CEST	1144	49748	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:54.904737949 CEST	49748	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:59.054819107 CEST	49750	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:59.258203030 CEST	1144	49750	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:59.258404016 CEST	49750	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:59.259085894 CEST	49750	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:59.511145115 CEST	1144	49750	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:59.511239052 CEST	49750	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:59.580732107 CEST	1144	49750	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:59.580939054 CEST	49750	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:59.735488892 CEST	1144	49750	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:59.735618114 CEST	49750	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:59.804061890 CEST	1144	49750	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:59.804445028 CEST	49750	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:47:59.922483921 CEST	1144	49750	79.134.225.30	192.168.2.4
Apr 9, 2021 09:47:59.922601938 CEST	49750	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:48:00.041476011 CEST	1144	49750	79.134.225.30	192.168.2.4
Apr 9, 2021 09:48:00.041588068 CEST	49750	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:48:00.150051117 CEST	1144	49750	79.134.225.30	192.168.2.4
Apr 9, 2021 09:48:00.150151014 CEST	49750	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:48:00.277662039 CEST	1144	49750	79.134.225.30	192.168.2.4
Apr 9, 2021 09:48:00.277762890 CEST	49750	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:48:00.388556004 CEST	1144	49750	79.134.225.30	192.168.2.4
Apr 9, 2021 09:48:00.390748978 CEST	49750	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:48:00.440943956 CEST	1144	49750	79.134.225.30	192.168.2.4
Apr 9, 2021 09:48:00.442059040 CEST	49750	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:48:00.495951891 CEST	1144	49750	79.134.225.30	192.168.2.4
Apr 9, 2021 09:48:00.496603012 CEST	49750	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:48:00.587091923 CEST	1144	49750	79.134.225.30	192.168.2.4
Apr 9, 2021 09:48:00.587236881 CEST	49750	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:48:00.688687086 CEST	1144	49750	79.134.225.30	192.168.2.4
Apr 9, 2021 09:48:00.688937902 CEST	49750	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:48:00.717928886 CEST	1144	49750	79.134.225.30	192.168.2.4
Apr 9, 2021 09:48:00.856595993 CEST	1144	49750	79.134.225.30	192.168.2.4
Apr 9, 2021 09:48:00.856770992 CEST	49750	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:48:00.904504061 CEST	1144	49750	79.134.225.30	192.168.2.4
Apr 9, 2021 09:48:00.904989958 CEST	49750	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:48:01.057579994 CEST	1144	49750	79.134.225.30	192.168.2.4
Apr 9, 2021 09:48:01.057734966 CEST	49750	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:48:01.120718956 CEST	1144	49750	79.134.225.30	192.168.2.4
Apr 9, 2021 09:48:01.196083069 CEST	49750	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:48:01.286633968 CEST	1144	49750	79.134.225.30	192.168.2.4
Apr 9, 2021 09:48:01.286854982 CEST	49750	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:48:05.215997934 CEST	49758	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:48:05.398225069 CEST	1144	49758	79.134.225.30	192.168.2.4
Apr 9, 2021 09:48:05.398411989 CEST	49758	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:48:05.484805107 CEST	49758	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:48:05.707510948 CEST	1144	49758	79.134.225.30	192.168.2.4
Apr 9, 2021 09:48:05.707750082 CEST	49758	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:48:05.760406971 CEST	1144	49758	79.134.225.30	192.168.2.4
Apr 9, 2021 09:48:05.760500908 CEST	49758	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:48:05.921596050 CEST	1144	49758	79.134.225.30	192.168.2.4
Apr 9, 2021 09:48:05.921680927 CEST	49758	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:48:05.974879026 CEST	1144	49758	79.134.225.30	192.168.2.4
Apr 9, 2021 09:48:06.108391047 CEST	1144	49758	79.134.225.30	192.168.2.4
Apr 9, 2021 09:48:06.108540058 CEST	49758	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:48:06.323193073 CEST	1144	49758	79.134.225.30	192.168.2.4
Apr 9, 2021 09:48:06.323282957 CEST	49758	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:48:06.688590050 CEST	49758	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:48:06.693514109 CEST	1144	49758	79.134.225.30	192.168.2.4
Apr 9, 2021 09:48:06.693742037 CEST	49758	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:48:06.867317915 CEST	1144	49758	79.134.225.30	192.168.2.4
Apr 9, 2021 09:48:06.867460012 CEST	49758	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:48:06.877279997 CEST	1144	49758	79.134.225.30	192.168.2.4
Apr 9, 2021 09:48:07.068113089 CEST	1144	49758	79.134.225.30	192.168.2.4
Apr 9, 2021 09:48:07.068197966 CEST	49758	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:48:07.282056093 CEST	1144	49758	79.134.225.30	192.168.2.4
Apr 9, 2021 09:48:07.282115936 CEST	49758	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:48:07.465301991 CEST	1144	49758	79.134.225.30	192.168.2.4
Apr 9, 2021 09:48:07.465676069 CEST	49758	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:48:07.576013088 CEST	49758	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:48:07.640474081 CEST	1144	49758	79.134.225.30	192.168.2.4
Apr 9, 2021 09:48:07.640554905 CEST	49758	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:48:11.604785919 CEST	49760	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:48:11.801178932 CEST	1144	49760	79.134.225.30	192.168.2.4
Apr 9, 2021 09:48:11.801392078 CEST	49760	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:48:11.811392069 CEST	49760	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:48:12.031173944 CEST	1144	49760	79.134.225.30	192.168.2.4
Apr 9, 2021 09:48:12.031327009 CEST	49760	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:48:12.258147955 CEST	1144	49760	79.134.225.30	192.168.2.4
Apr 9, 2021 09:48:12.258550882 CEST	49760	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:48:12.280761957 CEST	1144	49760	79.134.225.30	192.168.2.4
Apr 9, 2021 09:48:12.320972919 CEST	49760	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:48:12.483858109 CEST	1144	49760	79.134.225.30	192.168.2.4
Apr 9, 2021 09:48:12.483992100 CEST	49760	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:48:12.681935072 CEST	1144	49760	79.134.225.30	192.168.2.4
Apr 9, 2021 09:48:12.682224035 CEST	49760	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:48:12.898747921 CEST	1144	49760	79.134.225.30	192.168.2.4
Apr 9, 2021 09:48:12.899199009 CEST	49760	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:48:13.116813898 CEST	1144	49760	79.134.225.30	192.168.2.4
Apr 9, 2021 09:48:13.117572069 CEST	49760	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:48:13.310828924 CEST	1144	49760	79.134.225.30	192.168.2.4
Apr 9, 2021 09:48:13.310993910 CEST	49760	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:48:13.511794090 CEST	1144	49760	79.134.225.30	192.168.2.4
Apr 9, 2021 09:48:13.511980057 CEST	49760	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:48:13.691293001 CEST	49760	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:48:13.766750097 CEST	1144	49760	79.134.225.30	192.168.2.4
Apr 9, 2021 09:48:13.767127037 CEST	49760	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:48:17.760294914 CEST	49761	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:48:17.957216978 CEST	1144	49761	79.134.225.30	192.168.2.4
Apr 9, 2021 09:48:17.957443953 CEST	49761	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:48:17.958801985 CEST	49761	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:48:18.176593065 CEST	1144	49761	79.134.225.30	192.168.2.4
Apr 9, 2021 09:48:18.176668882 CEST	49761	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:48:18.260104895 CEST	1144	49761	79.134.225.30	192.168.2.4
Apr 9, 2021 09:48:18.260198116 CEST	49761	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:48:18.410092115 CEST	1144	49761	79.134.225.30	192.168.2.4
Apr 9, 2021 09:48:18.412302971 CEST	49761	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:48:18.596548080 CEST	1144	49761	79.134.225.30	192.168.2.4
Apr 9, 2021 09:48:18.596833944 CEST	49761	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:48:18.834023952 CEST	1144	49761	79.134.225.30	192.168.2.4
Apr 9, 2021 09:48:18.834139109 CEST	49761	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:48:19.083156109 CEST	1144	49761	79.134.225.30	192.168.2.4
Apr 9, 2021 09:48:19.086281061 CEST	49761	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:48:19.258379936 CEST	1144	49761	79.134.225.30	192.168.2.4
Apr 9, 2021 09:48:19.258743048 CEST	49761	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:48:19.313638926 CEST	1144	49761	79.134.225.30	192.168.2.4
Apr 9, 2021 09:48:19.313781977 CEST	49761	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:48:19.493469000 CEST	1144	49761	79.134.225.30	192.168.2.4
Apr 9, 2021 09:48:19.493590117 CEST	49761	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:48:19.552534103 CEST	1144	49761	79.134.225.30	192.168.2.4
Apr 9, 2021 09:48:19.552781105 CEST	49761	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:48:19.689085960 CEST	1144	49761	79.134.225.30	192.168.2.4
Apr 9, 2021 09:48:19.689383984 CEST	49761	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:48:19.737051964 CEST	1144	49761	79.134.225.30	192.168.2.4
Apr 9, 2021 09:48:19.737112999 CEST	49761	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:48:19.900624037 CEST	49761	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:48:20.075251102 CEST	1144	49761	79.134.225.30	192.168.2.4
Apr 9, 2021 09:48:20.075335979 CEST	49761	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:48:20.105791092 CEST	1144	49761	79.134.225.30	192.168.2.4
Apr 9, 2021 09:48:20.105856895 CEST	49761	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:48:24.001339912 CEST	49762	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:48:24.237463951 CEST	1144	49762	79.134.225.30	192.168.2.4
Apr 9, 2021 09:48:24.237705946 CEST	49762	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:48:24.238559008 CEST	49762	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:48:24.472413063 CEST	1144	49762	79.134.225.30	192.168.2.4
Apr 9, 2021 09:48:24.472647905 CEST	49762	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:48:24.614272118 CEST	1144	49762	79.134.225.30	192.168.2.4
Apr 9, 2021 09:48:24.614481926 CEST	49762	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:48:24.699191093 CEST	1144	49762	79.134.225.30	192.168.2.4
Apr 9, 2021 09:48:24.699328899 CEST	49762	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:48:24.846410036 CEST	1144	49762	79.134.225.30	192.168.2.4
Apr 9, 2021 09:48:24.846607924 CEST	49762	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:48:24.928124905 CEST	1144	49762	79.134.225.30	192.168.2.4
Apr 9, 2021 09:48:24.978182077 CEST	49762	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:48:25.096626997 CEST	1144	49762	79.134.225.30	192.168.2.4
Apr 9, 2021 09:48:25.096795082 CEST	49762	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:48:25.337502956 CEST	1144	49762	79.134.225.30	192.168.2.4
Apr 9, 2021 09:48:25.337635994 CEST	49762	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:48:25.479691029 CEST	1144	49762	79.134.225.30	192.168.2.4
Apr 9, 2021 09:48:25.479873896 CEST	49762	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:48:25.519160986 CEST	1144	49762	79.134.225.30	192.168.2.4
Apr 9, 2021 09:48:25.519262075 CEST	49762	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:48:25.694772005 CEST	1144	49762	79.134.225.30	192.168.2.4
Apr 9, 2021 09:48:25.694972038 CEST	49762	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:48:26.088031054 CEST	49762	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:48:26.261883020 CEST	1144	49762	79.134.225.30	192.168.2.4
Apr 9, 2021 09:48:26.261975050 CEST	49762	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:48:30.107728004 CEST	49763	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:48:30.287067890 CEST	1144	49763	79.134.225.30	192.168.2.4
Apr 9, 2021 09:48:30.287354946 CEST	49763	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:48:30.288192987 CEST	49763	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:48:30.506262064 CEST	1144	49763	79.134.225.30	192.168.2.4
Apr 9, 2021 09:48:30.506377935 CEST	49763	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:48:30.623899937 CEST	1144	49763	79.134.225.30	192.168.2.4
Apr 9, 2021 09:48:30.624135971 CEST	49763	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:48:30.757329941 CEST	1144	49763	79.134.225.30	192.168.2.4
Apr 9, 2021 09:48:30.757646084 CEST	49763	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:48:30.872596025 CEST	1144	49763	79.134.225.30	192.168.2.4
Apr 9, 2021 09:48:30.872733116 CEST	49763	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:48:30.959086895 CEST	1144	49763	79.134.225.30	192.168.2.4
Apr 9, 2021 09:48:30.959290028 CEST	49763	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:48:31.110155106 CEST	1144	49763	79.134.225.30	192.168.2.4
Apr 9, 2021 09:48:31.110291004 CEST	49763	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:48:31.185736895 CEST	1144	49763	79.134.225.30	192.168.2.4
Apr 9, 2021 09:48:31.373003006 CEST	1144	49763	79.134.225.30	192.168.2.4
Apr 9, 2021 09:48:31.373243093 CEST	49763	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:48:31.476991892 CEST	1144	49763	79.134.225.30	192.168.2.4
Apr 9, 2021 09:48:31.477125883 CEST	49763	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:48:31.560717106 CEST	1144	49763	79.134.225.30	192.168.2.4
Apr 9, 2021 09:48:31.560935974 CEST	49763	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:48:31.681746960 CEST	1144	49763	79.134.225.30	192.168.2.4
Apr 9, 2021 09:48:31.681906939 CEST	49763	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:48:31.780209064 CEST	1144	49763	79.134.225.30	192.168.2.4
Apr 9, 2021 09:48:31.780571938 CEST	49763	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:48:31.908155918 CEST	1144	49763	79.134.225.30	192.168.2.4
Apr 9, 2021 09:48:31.908261061 CEST	49763	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:48:31.956765890 CEST	1144	49763	79.134.225.30	192.168.2.4
Apr 9, 2021 09:48:32.010011911 CEST	49763	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:48:32.093666077 CEST	1144	49763	79.134.225.30	192.168.2.4
Apr 9, 2021 09:48:32.093805075 CEST	49763	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:48:32.197963953 CEST	49763	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:48:32.310467958 CEST	1144	49763	79.134.225.30	192.168.2.4
Apr 9, 2021 09:48:32.310575962 CEST	49763	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:48:36.214389086 CEST	49766	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:48:36.396521091 CEST	1144	49766	79.134.225.30	192.168.2.4
Apr 9, 2021 09:48:36.396615982 CEST	49766	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:48:36.397083044 CEST	49766	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:48:36.626214981 CEST	1144	49766	79.134.225.30	192.168.2.4
Apr 9, 2021 09:48:36.626323938 CEST	49766	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:48:36.689476967 CEST	1144	49766	79.134.225.30	192.168.2.4
Apr 9, 2021 09:48:36.744849920 CEST	49766	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:48:36.966491938 CEST	1144	49766	79.134.225.30	192.168.2.4
Apr 9, 2021 09:48:36.969455957 CEST	49766	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:48:37.246548891 CEST	1144	49766	79.134.225.30	192.168.2.4
Apr 9, 2021 09:48:37.246735096 CEST	49766	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:48:37.522943020 CEST	1144	49766	79.134.225.30	192.168.2.4
Apr 9, 2021 09:48:37.523088932 CEST	49766	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:48:37.768345118 CEST	1144	49766	79.134.225.30	192.168.2.4
Apr 9, 2021 09:48:37.768517017 CEST	49766	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:48:37.903107882 CEST	1144	49766	79.134.225.30	192.168.2.4
Apr 9, 2021 09:48:37.903331041 CEST	49766	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:48:37.993957043 CEST	1144	49766	79.134.225.30	192.168.2.4
Apr 9, 2021 09:48:37.994199038 CEST	49766	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:48:38.126070023 CEST	1144	49766	79.134.225.30	192.168.2.4
Apr 9, 2021 09:48:38.126174927 CEST	49766	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:48:38.198580980 CEST	49766	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:48:38.241255999 CEST	1144	49766	79.134.225.30	192.168.2.4
Apr 9, 2021 09:48:38.241363049 CEST	49766	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:48:38.355109930 CEST	1144	49766	79.134.225.30	192.168.2.4
Apr 9, 2021 09:48:38.355324984 CEST	49766	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:48:42.215667963 CEST	49768	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:48:42.399915934 CEST	1144	49768	79.134.225.30	192.168.2.4
Apr 9, 2021 09:48:42.400736094 CEST	49768	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:48:42.401371956 CEST	49768	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:48:42.620147943 CEST	1144	49768	79.134.225.30	192.168.2.4
Apr 9, 2021 09:48:42.620398998 CEST	49768	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:48:42.660789967 CEST	1144	49768	79.134.225.30	192.168.2.4
Apr 9, 2021 09:48:42.713990927 CEST	49768	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:48:42.843733072 CEST	1144	49768	79.134.225.30	192.168.2.4
Apr 9, 2021 09:48:42.843883991 CEST	49768	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:48:43.031232119 CEST	1144	49768	79.134.225.30	192.168.2.4
Apr 9, 2021 09:48:43.031379938 CEST	49768	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:48:43.257347107 CEST	1144	49768	79.134.225.30	192.168.2.4
Apr 9, 2021 09:48:43.257477045 CEST	49768	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:48:43.497376919 CEST	1144	49768	79.134.225.30	192.168.2.4
Apr 9, 2021 09:48:43.497698069 CEST	49768	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:48:43.622601986 CEST	1144	49768	79.134.225.30	192.168.2.4
Apr 9, 2021 09:48:43.625309944 CEST	49768	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:48:43.686877012 CEST	1144	49768	79.134.225.30	192.168.2.4
Apr 9, 2021 09:48:43.687329054 CEST	49768	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:48:43.827146053 CEST	1144	49768	79.134.225.30	192.168.2.4
Apr 9, 2021 09:48:43.827893972 CEST	49768	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:48:43.929622889 CEST	1144	49768	79.134.225.30	192.168.2.4
Apr 9, 2021 09:48:43.930048943 CEST	49768	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:48:44.086860895 CEST	1144	49768	79.134.225.30	192.168.2.4
Apr 9, 2021 09:48:44.087007999 CEST	49768	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:48:44.149843931 CEST	1144	49768	79.134.225.30	192.168.2.4
Apr 9, 2021 09:48:44.150100946 CEST	49768	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:48:44.218492031 CEST	49768	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:48:44.299204111 CEST	1144	49768	79.134.225.30	192.168.2.4
Apr 9, 2021 09:48:44.306490898 CEST	49768	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:48:44.416090012 CEST	1144	49768	79.134.225.30	192.168.2.4
Apr 9, 2021 09:48:44.416172981 CEST	49768	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:48:48.235975981 CEST	49774	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:48:48.415714979 CEST	1144	49774	79.134.225.30	192.168.2.4
Apr 9, 2021 09:48:48.418895960 CEST	49774	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:48:48.419508934 CEST	49774	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:48:48.644623041 CEST	1144	49774	79.134.225.30	192.168.2.4
Apr 9, 2021 09:48:48.644958973 CEST	49774	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:48:48.868730068 CEST	1144	49774	79.134.225.30	192.168.2.4
Apr 9, 2021 09:48:48.868804932 CEST	49774	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:48:48.970396042 CEST	1144	49774	79.134.225.30	192.168.2.4
Apr 9, 2021 09:48:48.973293066 CEST	49774	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:48:49.085845947 CEST	1144	49774	79.134.225.30	192.168.2.4
Apr 9, 2021 09:48:49.086024046 CEST	49774	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:48:49.186484098 CEST	1144	49774	79.134.225.30	192.168.2.4
Apr 9, 2021 09:48:49.186589003 CEST	49774	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:48:49.268565893 CEST	1144	49774	79.134.225.30	192.168.2.4
Apr 9, 2021 09:48:49.323905945 CEST	49774	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:48:49.400753021 CEST	1144	49774	79.134.225.30	192.168.2.4
Apr 9, 2021 09:48:49.400821924 CEST	49774	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:48:49.620675087 CEST	1144	49774	79.134.225.30	192.168.2.4
Apr 9, 2021 09:48:49.620763063 CEST	49774	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:48:49.753679037 CEST	1144	49774	79.134.225.30	192.168.2.4
Apr 9, 2021 09:48:49.753834963 CEST	49774	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:48:49.817050934 CEST	1144	49774	79.134.225.30	192.168.2.4
Apr 9, 2021 09:48:49.817240000 CEST	49774	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:48:49.938751936 CEST	1144	49774	79.134.225.30	192.168.2.4
Apr 9, 2021 09:48:49.938936949 CEST	49774	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:48:50.033328056 CEST	1144	49774	79.134.225.30	192.168.2.4
Apr 9, 2021 09:48:50.033540964 CEST	49774	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:48:50.160037041 CEST	1144	49774	79.134.225.30	192.168.2.4
Apr 9, 2021 09:48:50.160192966 CEST	49774	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:48:50.219085932 CEST	1144	49774	79.134.225.30	192.168.2.4
Apr 9, 2021 09:48:50.261737108 CEST	49774	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:48:50.293562889 CEST	49774	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:48:50.341204882 CEST	1144	49774	79.134.225.30	192.168.2.4
Apr 9, 2021 09:48:50.341382980 CEST	49774	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:48:54.310146093 CEST	49775	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:48:54.492616892 CEST	1144	49775	79.134.225.30	192.168.2.4
Apr 9, 2021 09:48:54.492733002 CEST	49775	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:48:54.493298054 CEST	49775	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:48:54.713577986 CEST	1144	49775	79.134.225.30	192.168.2.4
Apr 9, 2021 09:48:54.713670015 CEST	49775	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:48:54.848858118 CEST	1144	49775	79.134.225.30	192.168.2.4
Apr 9, 2021 09:48:54.848970890 CEST	49775	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:48:54.927819014 CEST	1144	49775	79.134.225.30	192.168.2.4
Apr 9, 2021 09:48:54.929667950 CEST	49775	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:48:55.108339071 CEST	1144	49775	79.134.225.30	192.168.2.4
Apr 9, 2021 09:48:55.108417034 CEST	49775	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:48:55.155750036 CEST	1144	49775	79.134.225.30	192.168.2.4
Apr 9, 2021 09:48:55.199400902 CEST	49775	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:48:55.337439060 CEST	1144	49775	79.134.225.30	192.168.2.4
Apr 9, 2021 09:48:55.337563992 CEST	49775	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:48:55.562052011 CEST	1144	49775	79.134.225.30	192.168.2.4
Apr 9, 2021 09:48:55.562129021 CEST	49775	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:48:55.706731081 CEST	1144	49775	79.134.225.30	192.168.2.4
Apr 9, 2021 09:48:55.706823111 CEST	49775	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:48:55.753935099 CEST	1144	49775	79.134.225.30	192.168.2.4
Apr 9, 2021 09:48:55.754374981 CEST	49775	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:48:55.929088116 CEST	1144	49775	79.134.225.30	192.168.2.4
Apr 9, 2021 09:48:55.929410934 CEST	49775	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:48:55.999768972 CEST	1144	49775	79.134.225.30	192.168.2.4
Apr 9, 2021 09:48:56.000754118 CEST	49775	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:48:56.177743912 CEST	1144	49775	79.134.225.30	192.168.2.4
Apr 9, 2021 09:48:56.177943945 CEST	49775	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:48:56.180928946 CEST	1144	49775	79.134.225.30	192.168.2.4
Apr 9, 2021 09:48:56.230741978 CEST	49775	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:48:56.309333086 CEST	49775	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:48:56.362231016 CEST	1144	49775	79.134.225.30	192.168.2.4
Apr 9, 2021 09:48:56.362349033 CEST	49775	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:49:00.327218056 CEST	49776	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:49:00.547559023 CEST	1144	49776	79.134.225.30	192.168.2.4
Apr 9, 2021 09:49:00.547672033 CEST	49776	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:49:00.548310041 CEST	49776	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:49:00.763112068 CEST	1144	49776	79.134.225.30	192.168.2.4
Apr 9, 2021 09:49:00.763453960 CEST	49776	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:49:01.004693031 CEST	1144	49776	79.134.225.30	192.168.2.4
Apr 9, 2021 09:49:01.004790068 CEST	49776	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:49:01.137769938 CEST	1144	49776	79.134.225.30	192.168.2.4
Apr 9, 2021 09:49:01.137937069 CEST	49776	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:49:01.231920004 CEST	1144	49776	79.134.225.30	192.168.2.4
Apr 9, 2021 09:49:01.232069969 CEST	49776	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:49:01.372605085 CEST	1144	49776	79.134.225.30	192.168.2.4
Apr 9, 2021 09:49:01.372714043 CEST	49776	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:49:01.455583096 CEST	1144	49776	79.134.225.30	192.168.2.4
Apr 9, 2021 09:49:01.496969938 CEST	49776	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:49:01.595814943 CEST	1144	49776	79.134.225.30	192.168.2.4
Apr 9, 2021 09:49:01.596050978 CEST	49776	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:49:01.848989010 CEST	1144	49776	79.134.225.30	192.168.2.4
Apr 9, 2021 09:49:01.849071980 CEST	49776	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:49:01.967780113 CEST	1144	49776	79.134.225.30	192.168.2.4
Apr 9, 2021 09:49:01.972035885 CEST	49776	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:49:02.031734943 CEST	1144	49776	79.134.225.30	192.168.2.4
Apr 9, 2021 09:49:02.031958103 CEST	49776	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:49:02.200486898 CEST	1144	49776	79.134.225.30	192.168.2.4
Apr 9, 2021 09:49:02.200720072 CEST	49776	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:49:02.248032093 CEST	1144	49776	79.134.225.30	192.168.2.4
Apr 9, 2021 09:49:02.248177052 CEST	49776	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:49:02.388020039 CEST	49776	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:49:02.399775982 CEST	1144	49776	79.134.225.30	192.168.2.4
Apr 9, 2021 09:49:02.399956942 CEST	49776	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:49:02.423249006 CEST	1144	49776	79.134.225.30	192.168.2.4
Apr 9, 2021 09:49:02.423595905 CEST	49776	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:49:06.404413939 CEST	49777	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:49:06.593183994 CEST	1144	49777	79.134.225.30	192.168.2.4
Apr 9, 2021 09:49:06.593744993 CEST	49777	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:49:06.594824076 CEST	49777	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:49:06.821192026 CEST	1144	49777	79.134.225.30	192.168.2.4
Apr 9, 2021 09:49:06.824450970 CEST	49777	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:49:06.865636110 CEST	1144	49777	79.134.225.30	192.168.2.4
Apr 9, 2021 09:49:06.865852118 CEST	49777	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:49:07.039181948 CEST	1144	49777	79.134.225.30	192.168.2.4
Apr 9, 2021 09:49:07.040491104 CEST	49777	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:49:07.243622065 CEST	1144	49777	79.134.225.30	192.168.2.4
Apr 9, 2021 09:49:07.243743896 CEST	49777	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:49:07.464520931 CEST	1144	49777	79.134.225.30	192.168.2.4
Apr 9, 2021 09:49:07.468548059 CEST	49777	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:49:07.688539028 CEST	1144	49777	79.134.225.30	192.168.2.4
Apr 9, 2021 09:49:07.692558050 CEST	49777	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:49:07.821702957 CEST	1144	49777	79.134.225.30	192.168.2.4
Apr 9, 2021 09:49:07.824547052 CEST	49777	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:49:07.873604059 CEST	1144	49777	79.134.225.30	192.168.2.4
Apr 9, 2021 09:49:07.873701096 CEST	49777	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:49:08.076016903 CEST	1144	49777	79.134.225.30	192.168.2.4
Apr 9, 2021 09:49:08.076128006 CEST	49777	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:49:08.076153040 CEST	1144	49777	79.134.225.30	192.168.2.4
Apr 9, 2021 09:49:08.076204062 CEST	49777	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:49:08.303623915 CEST	1144	49777	79.134.225.30	192.168.2.4
Apr 9, 2021 09:49:08.303710938 CEST	49777	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:49:08.388686895 CEST	49777	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:49:08.478244066 CEST	1144	49777	79.134.225.30	192.168.2.4
Apr 9, 2021 09:49:08.478421926 CEST	49777	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:49:12.404438972 CEST	49778	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:49:12.595768929 CEST	1144	49778	79.134.225.30	192.168.2.4
Apr 9, 2021 09:49:12.597254038 CEST	49778	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:49:12.597526073 CEST	49778	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:49:12.783847094 CEST	1144	49778	79.134.225.30	192.168.2.4
Apr 9, 2021 09:49:12.825839996 CEST	49778	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:49:13.024173975 CEST	1144	49778	79.134.225.30	192.168.2.4
Apr 9, 2021 09:49:13.024370909 CEST	49778	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 09:49:13.220320940 CEST	1144	49778	79.134.225.30	192.168.2.4
Apr 9, 2021 09:49:13.220846891 CEST	49778	1144	192.168.2.4	79.134.225.30

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: oE6O5K1emC.exe PID: 6360 Parent PID: 5940

General

Start time:	09:47:04
Start date:	09/04/2021
Path:	C:\Users\user\Desktop\oE6O5K1emC.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\oE6O5K1emC.exe'
Imagebase:	0xde0000
File size:	1554944 bytes
MD5 hash:	0CF0CD25346EE69B7E5AA8E366C886E9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.676048550.000000000363F000.00000004.00000001.sdmp, Author: Joe Security Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.676767398.00000000046CA000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.676767398.00000000046CA000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000000.00000002.676767398.00000000046CA000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Chronological Activities

Analysis Process: schtasks.exe PID: 6456 Parent PID: 6360

General

Start time:	09:47:15
Start date:	09/04/2021
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\DKCbURUccsSVSl' /XML 'C:\Users\user\AppData\Local\Temp\tmp8EBC.tmp'
Imagebase:	0xf70000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 6464 Parent PID: 6456

General

Start time:	09:47:16
Start date:	09/04/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff724c50000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: RegSvcs.exe PID: 6500 Parent PID: 6360

General

Start time:	09:47:16
Start date:	09/04/2021
Path:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
Imagebase:	0x30000
File size:	32768 bytes
MD5 hash:	71369277D09DA0830C8C59F9E22BB23A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	moderate

Chronological Activities

Analysis Process: dhcpmon.exe PID: 7024 Parent PID: 3424

General

Start time:	09:47:29
Start date:	09/04/2021
Path:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
Imagebase:	0xdc0000
File size:	32768 bytes
MD5 hash:	71369277D09DA0830C8C59F9E22BB23A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Antivirus matches:	Detection: 0%, Metadefender, Browse Detection: 0%, ReversingLabs
Reputation:	moderate

Chronological Activities

Analysis Process: conhost.exe PID: 7032 Parent PID: 7024

General

Start time:	09:47:29
Start date:	09/04/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff724c50000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: oE6O5K1emC.exe PID: 6360 Parent PID: 5940 oE6O5K1emC.exeCOMMON

Executed Functions

Function 01970AF0, Relevance: 4.0, Strings: 3, Instructions: 216COMMON

Download Yara Rule

Strings

8r, xrefs: 01970CDA
7 Z[, xrefs: 01970D48
,", xrefs: 01970BE1, 01970BE6

Memory Dump Source

Source File: 00000000.00000002.674998295.0000000001970000.00000040.00000001.sdmp, Offset: 01970000, based on PE: false

Similarity

API ID:
String ID: 7 Z[$8r$,"
API String ID: 0-855956665
Opcode ID: bde7d1c2be1553699a9704d744608a48ec9bf1f6cdf6155ca5a21b894c8f2a02
Instruction ID: 14f94558b81182060223f380b673990fcce7eb8380691ecdac9ca1d0a768d051
Opcode Fuzzy Hash: bde7d1c2be1553699a9704d744608a48ec9bf1f6cdf6155ca5a21b894c8f2a02
Instruction Fuzzy Hash: 92A12470E05309CFDB14CFA4D588AADBBB1FF4A305F28582AE41ABB254D7345A80CF24

Uniqueness

Uniqueness Score: -1.00%

Function 01970AE1, Relevance: 2.7, Strings: 2, Instructions: 221COMMON

Download Yara Rule

Strings

7 Z[, xrefs: 01970D48
,", xrefs: 01970BE1, 01970BE6

Memory Dump Source

Source File: 00000000.00000002.674998295.0000000001970000.00000040.00000001.sdmp, Offset: 01970000, based on PE: false

Similarity

API ID:
String ID: 7 Z[$,"
API String ID: 0-2372672601
Opcode ID: d9bf031d3cb836c299f0eaa63c9318d0625068363cf83ee190de25e063496ad6
Instruction ID: bc7c5e991d5bbe2c59fe74443baa943f6f7b7a116adf70f4f69e171f324f97ac
Opcode Fuzzy Hash: d9bf031d3cb836c299f0eaa63c9318d0625068363cf83ee190de25e063496ad6
Instruction Fuzzy Hash: 49A11470E05309CFDB14DFB4D588AADBBB1FF4A315F28582AE41AAB254D7345A80CF64

Uniqueness

Uniqueness Score: -1.00%

Function 058507CF, Relevance: 1.6, APIs: 1, Instructions: 75COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 0585084F

Memory Dump Source

Source File: 00000000.00000002.677973193.0000000005850000.00000040.00000001.sdmp, Offset: 05850000, based on PE: false

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: 4dc672b31927f58332c1921ce7c9e419296f24293bc8ea0b374e41eba4070a37
Instruction ID: ef1f6c04ad134ea7d0d043c60f9f49b8ec61b27c6c2e0cf044d00fc530b10c7f
Opcode Fuzzy Hash: 4dc672b31927f58332c1921ce7c9e419296f24293bc8ea0b374e41eba4070a37
Instruction Fuzzy Hash: B921A0765097849FEB128F25DC44B52BFA4EF06310F0885DAED858B163D2709808CB61

Uniqueness

Uniqueness Score: -1.00%

Function 05850BDF, Relevance: 1.6, APIs: 1, Instructions: 64nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL(?,?,?,?), ref: 05850C55

Memory Dump Source

Source File: 00000000.00000002.677973193.0000000005850000.00000040.00000001.sdmp, Offset: 05850000, based on PE: false

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: bda25906538d60bee24cadfb4e13acad06b5143d3ea3752056f6367844259286
Instruction ID: e35dc8c9b2ec485798a4e3a2386fc156c8bd48969dd3ec2ec56e4f5885e91f76
Opcode Fuzzy Hash: bda25906538d60bee24cadfb4e13acad06b5143d3ea3752056f6367844259286
Instruction Fuzzy Hash: 8121AE714097C09FDB238B21DC55A62FFB4EF17324F0984DBED848B163D265A909DB62

Uniqueness

Uniqueness Score: -1.00%

Function 05850806, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 0585084F

Memory Dump Source

Source File: 00000000.00000002.677973193.0000000005850000.00000040.00000001.sdmp, Offset: 05850000, based on PE: false

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: 996998c7edc81bf59a4ac5d0c3077d85aa7e7523b4cfd47b927f045e9af5cecc
Instruction ID: c8dffcd35d8f5ac03bdac15c1dd54faf37a2fc394504b6abf9178c0095a4f1a1
Opcode Fuzzy Hash: 996998c7edc81bf59a4ac5d0c3077d85aa7e7523b4cfd47b927f045e9af5cecc
Instruction Fuzzy Hash: C8114C75500704DFEB20CF59DC45B66FBA4EF08320F0888AADD498B652D275E814DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 05850A88, Relevance: 1.6, APIs: 1, Instructions: 50nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationProcess.NTDLL(?,?,?,?,?), ref: 05850AE8

Memory Dump Source

Source File: 00000000.00000002.677973193.0000000005850000.00000040.00000001.sdmp, Offset: 05850000, based on PE: false

Similarity

API ID: InformationProcessQuery
String ID:
API String ID: 1778838933-0
Opcode ID: 406985897c827edfc613be25b3464f17d9281ab6c8c4d903d0a4a81804fb9ce0
Instruction ID: b06198283268e08b293dc6a9851fb7d92050a9bbe2698f7b4490d5bfea1de7ff
Opcode Fuzzy Hash: 406985897c827edfc613be25b3464f17d9281ab6c8c4d903d0a4a81804fb9ce0
Instruction Fuzzy Hash: 65118F31409784AFDB228F15DC84A62FFB4EF06320F08859EED854B662C375A418CB62

Uniqueness

Uniqueness Score: -1.00%

Function 05850AAA, Relevance: 1.5, APIs: 1, Instructions: 39nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationProcess.NTDLL(?,?,?,?,?), ref: 05850AE8

Memory Dump Source

Source File: 00000000.00000002.677973193.0000000005850000.00000040.00000001.sdmp, Offset: 05850000, based on PE: false

Similarity

API ID: InformationProcessQuery
String ID:
API String ID: 1778838933-0
Opcode ID: a64ba07f0621b459771c11dce0b1b4dffefca56f091dcc21bad8034f160cbb20
Instruction ID: 457f2f17579020e61927b214d6dc014d3ba2b96ea0fb204711ea8c91c8652ff8
Opcode Fuzzy Hash: a64ba07f0621b459771c11dce0b1b4dffefca56f091dcc21bad8034f160cbb20
Instruction Fuzzy Hash: 50017C35500704DFDB218F46D988B66FBA1EF08724F08849ADE494A666D375E418CF72

Uniqueness

Uniqueness Score: -1.00%

Function 05850C1A, Relevance: 1.5, APIs: 1, Instructions: 38nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL(?,?,?,?), ref: 05850C55

Memory Dump Source

Source File: 00000000.00000002.677973193.0000000005850000.00000040.00000001.sdmp, Offset: 05850000, based on PE: false

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: a094a3e553601d266ffbcbb71a8120f41c4d7bdd4986ecff836d23e53d33852e
Instruction ID: a4ed32c32a03f26b7c8245c25e1c0fa6f819af8a94b45c4f35536768726955dc
Opcode Fuzzy Hash: a094a3e553601d266ffbcbb71a8120f41c4d7bdd4986ecff836d23e53d33852e
Instruction Fuzzy Hash: CC017835900344DFDB608F4AD889B21FBE0EF09320F08C49ADE494A626D275A818DB62

Uniqueness

Uniqueness Score: -1.00%

Function 05706FA3, Relevance: 1.5, Strings: 1, Instructions: 254COMMON

Download Yara Rule

Strings

5"Z], xrefs: 05706FA8

Memory Dump Source

Source File: 00000000.00000002.677398895.0000000005700000.00000040.00000001.sdmp, Offset: 05700000, based on PE: false

Similarity

API ID:
String ID: 5"Z]
API String ID: 0-2297879958
Opcode ID: 598fe1b9dcd5e307eca478d159309748b319cbd8c42c6450c622b5451e67eea0
Instruction ID: 9c4885afcbc738bf03716aa70e882e63de9994e419f67a1ad081fd1b116882a0
Opcode Fuzzy Hash: 598fe1b9dcd5e307eca478d159309748b319cbd8c42c6450c622b5451e67eea0
Instruction Fuzzy Hash: F7B15875E05249DFCB08CFA5C95469EBBF2FF89300F14A1AAD015BB3A1E734A9019F90

Uniqueness

Uniqueness Score: -1.00%

Function 01973F69, Relevance: 1.4, Strings: 1, Instructions: 163COMMON

Download Yara Rule

Strings

:@fq, xrefs: 0197403A

Memory Dump Source

Source File: 00000000.00000002.674998295.0000000001970000.00000040.00000001.sdmp, Offset: 01970000, based on PE: false

Similarity

API ID:
String ID: :@fq
API String ID: 0-3673016210
Opcode ID: bb58c806f1ca7120ff56636c23640dc0058bbfeabf1831eb62c04d97949b82d9
Instruction ID: 61a830aabf9be8c4a80d2aaa14083d2fd77af8ff08add42d9f8f25de6d3ae7ab
Opcode Fuzzy Hash: bb58c806f1ca7120ff56636c23640dc0058bbfeabf1831eb62c04d97949b82d9
Instruction Fuzzy Hash: 6C71C074E01249DFCB04DFE4D554AADBBB2FF89340F20846AD80AAB354DB345A41CF61

Uniqueness

Uniqueness Score: -1.00%

Function 019716C0, Relevance: 1.4, Strings: 1, Instructions: 163COMMON

Download Yara Rule

Strings

D?v, xrefs: 0197170F

Memory Dump Source

Source File: 00000000.00000002.674998295.0000000001970000.00000040.00000001.sdmp, Offset: 01970000, based on PE: false

Similarity

API ID:
String ID: D?v
API String ID: 0-3178551903
Opcode ID: 044bced40f0b58b10588e60a82191b09ab467c91583fa642dec6ad500619c85f
Instruction ID: 18b0875e79d0034a6f14ff8bd93c35b1b70279febb46086c243e5a3d5f8b6276
Opcode Fuzzy Hash: 044bced40f0b58b10588e60a82191b09ab467c91583fa642dec6ad500619c85f
Instruction Fuzzy Hash: 6D618E74D0520ACFCF04CFA9C581AEEFBB2BF89310F24996AC019BB255D3349A45CB65

Uniqueness

Uniqueness Score: -1.00%

Function 01973F78, Relevance: 1.4, Strings: 1, Instructions: 159COMMON

Download Yara Rule

Strings

:@fq, xrefs: 0197403A

Memory Dump Source

Source File: 00000000.00000002.674998295.0000000001970000.00000040.00000001.sdmp, Offset: 01970000, based on PE: false

Similarity

API ID:
String ID: :@fq
API String ID: 0-3673016210
Opcode ID: 225cf04a65406fb968a3ff03c6a95e46c178ea16f55f6504bab8717c81eae982
Instruction ID: 1c8f0b9f414378a2958de32d6725cb17741aeec9d7c4a947569a4b2fb4b9b2aa
Opcode Fuzzy Hash: 225cf04a65406fb968a3ff03c6a95e46c178ea16f55f6504bab8717c81eae982
Instruction Fuzzy Hash: 5961B074E01249DFCB04DFE5D584AADBBB2FF89340F20842AD80AAB358DB345A45CF61

Uniqueness

Uniqueness Score: -1.00%

Function 0570E328, Relevance: 1.4, Strings: 1, Instructions: 150COMMON

Download Yara Rule

Strings

,", xrefs: 0570E51B, 0570E520

Memory Dump Source

Source File: 00000000.00000002.677398895.0000000005700000.00000040.00000001.sdmp, Offset: 05700000, based on PE: false

Similarity

API ID:
String ID: ,"
API String ID: 0-2180619917
Opcode ID: f8d05cf4a6b818dfe84547c0c743061e1025f763d686f78b780f9d8f960fa5a6
Instruction ID: 1deb782038b0f6a257877c9edacb0169a97a7ee6bf7c395f95fd828fbb1203a1
Opcode Fuzzy Hash: f8d05cf4a6b818dfe84547c0c743061e1025f763d686f78b780f9d8f960fa5a6
Instruction Fuzzy Hash: CC61E274E05289DFCB44CFA8D5846ADBFF6FF89300F10986AE806A7294D7345A81CF52

Uniqueness

Uniqueness Score: -1.00%

Function 05707891, Relevance: 1.4, Strings: 1, Instructions: 120COMMON

Download Yara Rule

Strings

^|6H, xrefs: 057079D0

Memory Dump Source

Source File: 00000000.00000002.677398895.0000000005700000.00000040.00000001.sdmp, Offset: 05700000, based on PE: false

Similarity

API ID:
String ID: ^|6H
API String ID: 0-2791730798
Opcode ID: 16c83385b12fce6784f20341ab0497cce04d5f30ff9d9482a352d547e9258e2f
Instruction ID: ae631444191be06c4c9a4408d8c26a0828b87ed18e125e567b122706307901f8
Opcode Fuzzy Hash: 16c83385b12fce6784f20341ab0497cce04d5f30ff9d9482a352d547e9258e2f
Instruction Fuzzy Hash: 6A4145B4E04249CFDB08CFAAC4446AEFBF2FF89310F14D16AD459A7290D7346A41DB64

Uniqueness

Uniqueness Score: -1.00%

Function 05703498, Relevance: 1.0, Instructions: 984COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.677398895.0000000005700000.00000040.00000001.sdmp, Offset: 05700000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45331a079195231c668e1c1d65b8fdabd3bd4a8d04727326179275838b36e0ec
Instruction ID: 379691d90ff4b2db20eeda1bb05d9693d76a56d0af51a8658e36cbed04ce9995
Opcode Fuzzy Hash: 45331a079195231c668e1c1d65b8fdabd3bd4a8d04727326179275838b36e0ec
Instruction Fuzzy Hash: 84924875E14629CFCB24CF69C880AADB7F2BF88310F15C5AAD459EB285D7349981CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0570353A, Relevance: .4, Instructions: 360COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.677398895.0000000005700000.00000040.00000001.sdmp, Offset: 05700000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7c87a6d6d08b566544f356c7de5ca74d599f0c8162a9724080fca6825a73d98
Instruction ID: 38f47838e0e7c934c866d6fbcbecc730a9dcd1cfd9f7578198270659c724037a
Opcode Fuzzy Hash: b7c87a6d6d08b566544f356c7de5ca74d599f0c8162a9724080fca6825a73d98
Instruction Fuzzy Hash: BFE18C75E0062ACFDB24CF79C880AAEB7F3BF88314F11D56AD455EB294DB3499418B80

Uniqueness

Uniqueness Score: -1.00%

Function 05708EEF, Relevance: .3, Instructions: 336COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.677398895.0000000005700000.00000040.00000001.sdmp, Offset: 05700000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ddeef5b1106dc03b67c0c2c1565d65aec473fdecc873cfabf77e1e7647e4cfa
Instruction ID: 5ca12fafd7158b15e07d601f06a7d54955b578950d9f893b1f4b30afd8b54262
Opcode Fuzzy Hash: 3ddeef5b1106dc03b67c0c2c1565d65aec473fdecc873cfabf77e1e7647e4cfa
Instruction Fuzzy Hash: 1CE19170908246DFCB04CFA4C54489EFBF2FF59350B16A1A9D505BB2A2C731EA41DF92

Uniqueness

Uniqueness Score: -1.00%

Function 019739C9, Relevance: .3, Instructions: 278COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.674998295.0000000001970000.00000040.00000001.sdmp, Offset: 01970000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f02f73d5af2ca8c472494ed4087537b83ca550ca45f0b628768bf142972f96f
Instruction ID: ba16b6d36ec90083e2980b2db9efe8c7d5b876d89dfadf2b48b6f72adf633a32
Opcode Fuzzy Hash: 7f02f73d5af2ca8c472494ed4087537b83ca550ca45f0b628768bf142972f96f
Instruction Fuzzy Hash: 41C12574E01208DFDB14DFA4E981B9DBBB1FF89750F209429E40ABB294DB306A41CF65

Uniqueness

Uniqueness Score: -1.00%

Function 019739D8, Relevance: .3, Instructions: 275COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.674998295.0000000001970000.00000040.00000001.sdmp, Offset: 01970000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93778f9004ec9798b1f095686a20856e854e16a1d651a36abef1904d693c0a78
Instruction ID: c4debb73bf7bc4713795b653c171cd6bb7479ddf5e2580670415946a71550068
Opcode Fuzzy Hash: 93778f9004ec9798b1f095686a20856e854e16a1d651a36abef1904d693c0a78
Instruction Fuzzy Hash: 0BC12574E05208DFDB14DFA4E981B9DBBB1FF89350F209429E40ABB294DB705A41CF25

Uniqueness

Uniqueness Score: -1.00%

Function 057045E8, Relevance: .3, Instructions: 274COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.677398895.0000000005700000.00000040.00000001.sdmp, Offset: 05700000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbdc7f54257ae2fd5cf014a19e6d41916fa03903129c286df9bde29651a5b2e9
Instruction ID: ab88380a965fb9e415b419f15005dbe17355aae533bdfc5f5849602371efd6bb
Opcode Fuzzy Hash: bbdc7f54257ae2fd5cf014a19e6d41916fa03903129c286df9bde29651a5b2e9
Instruction Fuzzy Hash: C3919A32F141259FDB14DB69C844AAEB7F3AFC8314B2A8179E405DB3A5EE31DC419B90

Uniqueness

Uniqueness Score: -1.00%

Function 05706FF8, Relevance: .2, Instructions: 248COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.677398895.0000000005700000.00000040.00000001.sdmp, Offset: 05700000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb634128e2c92fab4ab05742e06b2a8c5316ae33feaa7831d3b11f3e90f12b9d
Instruction ID: 69ad650b2e517635ddb7ac3d01427e5350d61d399c4ee9c9bac4e5c5a65cbde6
Opcode Fuzzy Hash: eb634128e2c92fab4ab05742e06b2a8c5316ae33feaa7831d3b11f3e90f12b9d
Instruction Fuzzy Hash: 35A13775E04249DFCB08CFA5C95469EBBF2FF89340F14A1AAD415BB3A0E735A9019F90

Uniqueness

Uniqueness Score: -1.00%

Function 05708FE0, Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.677398895.0000000005700000.00000040.00000001.sdmp, Offset: 05700000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cb6cd1f622734d52d2a398b009ab41c7880fa725836ac1117195326a3ffbf84
Instruction ID: a4928c76877811f8062d42f40fbfe70c7514b4dc398037f7a635f360da3ce139
Opcode Fuzzy Hash: 6cb6cd1f622734d52d2a398b009ab41c7880fa725836ac1117195326a3ffbf84
Instruction Fuzzy Hash: C2B13C74E0520ADFCB04CFA5C6808AEFBF2FF49310B14A559D501BB296D731AA81DFA5

Uniqueness

Uniqueness Score: -1.00%

Function 05704699, Relevance: .2, Instructions: 242COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.677398895.0000000005700000.00000040.00000001.sdmp, Offset: 05700000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c558cfb9bd64c8286fd6ad643edd50269ab7e80d1f3a8bc1b5818bbcb796c237
Instruction ID: d956928c6aad2b2a422c5c56c037a52ac7b3b074612855f6cdbe26cc54cab83a
Opcode Fuzzy Hash: c558cfb9bd64c8286fd6ad643edd50269ab7e80d1f3a8bc1b5818bbcb796c237
Instruction Fuzzy Hash: 43818A72F205259FDB14DB69C844AAEB7F3AFC8710F2A8175E505DB3A5EA30DC418B90

Uniqueness

Uniqueness Score: -1.00%

Function 01976440, Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.674998295.0000000001970000.00000040.00000001.sdmp, Offset: 01970000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 821ea85e62a0a3653f614127c836b201689f481b64676931a616eb5e9f0ff489
Instruction ID: d2f31f82a48b1f5901abe17146fa6b1206ed39aea19c0cdb7320f2e9fade729b
Opcode Fuzzy Hash: 821ea85e62a0a3653f614127c836b201689f481b64676931a616eb5e9f0ff489
Instruction Fuzzy Hash: 4B9156B0D1965ACFEB14CFE4D9849ADFBB5FF4A340F106A1AD00AAB249D3349946CF05

Uniqueness

Uniqueness Score: -1.00%

Function 05706180, Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.677398895.0000000005700000.00000040.00000001.sdmp, Offset: 05700000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 735f66ee7a37ee0fe8f83c23faf02056997ff81c0a43d960182f624b43a69a88
Instruction ID: 1e18255a7bc72d5bed62babbdf91aa36cf43e3a051f387078ae67d4282ef39a6
Opcode Fuzzy Hash: 735f66ee7a37ee0fe8f83c23faf02056997ff81c0a43d960182f624b43a69a88
Instruction Fuzzy Hash: 119113B0D00208CFCB04DFA9C894AADFBF2BF89324F659669D414BB295D7709951DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 05705DE8, Relevance: .2, Instructions: 216COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.677398895.0000000005700000.00000040.00000001.sdmp, Offset: 05700000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0dce01f14bb728957f2da9c46c56f17aef45afdd1f3a4c11b08c0bbf1ec328d6
Instruction ID: 998e0d55348320c7822ff76b8986ad89ecc4e17a6647db679824d3a06c4437d4
Opcode Fuzzy Hash: 0dce01f14bb728957f2da9c46c56f17aef45afdd1f3a4c11b08c0bbf1ec328d6
Instruction Fuzzy Hash: C98100B0D00219CBDF18DFAAC840AEEBBF2BF89314F50D169D518BB294DB7159469F60

Uniqueness

Uniqueness Score: -1.00%

Function 019748F8, Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.674998295.0000000001970000.00000040.00000001.sdmp, Offset: 01970000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b8ecc92a4c5f43915dc081daa0b6af9bb7a2b67ccd807cb13b64c4d07fbd921
Instruction ID: 9269627cfacebfb1fa35277d79b8b455e933f903364e1bae6c89fa6c411a6d14
Opcode Fuzzy Hash: 4b8ecc92a4c5f43915dc081daa0b6af9bb7a2b67ccd807cb13b64c4d07fbd921
Instruction Fuzzy Hash: 4E91E274E05209CFCB04CFA9D5409AEBBF2FF89310F20996AD419BB315D7305A41CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 057070B0, Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.677398895.0000000005700000.00000040.00000001.sdmp, Offset: 05700000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39a538433aa89f3f048f728ac929d9adb09fb72469239543106495ae49c9c40b
Instruction ID: b589a31c370c9dda92f11f79272077675b6448755f25cafc00f28c5355f6271e
Opcode Fuzzy Hash: 39a538433aa89f3f048f728ac929d9adb09fb72469239543106495ae49c9c40b
Instruction Fuzzy Hash: 5C71D074E01209DFDB08CFA5D944AAEBBF2FF88300F10916AD406AB294DB75AA45CF54

Uniqueness

Uniqueness Score: -1.00%

Function 019735D8, Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.674998295.0000000001970000.00000040.00000001.sdmp, Offset: 01970000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36361ae55205233bd5a84694081677b5da23e2c8bdc89aa58675ac7f0664767e
Instruction ID: 4e7d4cba98e625e4b7caa7612fd1029281b61567c5cbc81ae1970419ae1d0bd0
Opcode Fuzzy Hash: 36361ae55205233bd5a84694081677b5da23e2c8bdc89aa58675ac7f0664767e
Instruction Fuzzy Hash: C35118B0E16209DFCB44CFB5D5819DEFBF1FF8A250F20982AD009BA254D7359A418B29

Uniqueness

Uniqueness Score: -1.00%

Function 019735E8, Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.674998295.0000000001970000.00000040.00000001.sdmp, Offset: 01970000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 598eadaadaa51942ab6b3591be16ec39f62e18f141a5141157f60756654e90e6
Instruction ID: 11356e1f6ca0f21db917bb120edfcd0d8d85a9510ab0db58ca9f3ea2f2ab2c2a
Opcode Fuzzy Hash: 598eadaadaa51942ab6b3591be16ec39f62e18f141a5141157f60756654e90e6
Instruction Fuzzy Hash: D15138B0E16209DFCB44CFA5D5859DEFBF5FF89250F20A82AD009B6254D7349A40CB29

Uniqueness

Uniqueness Score: -1.00%

Function 0570F7D8, Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.677398895.0000000005700000.00000040.00000001.sdmp, Offset: 05700000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4faf4c00e46f1007af7b9373ef9bc5e7f814618d6572de32363e98c231149302
Instruction ID: 402355b98fa831ac3129fbc2e22987ee47c47ac52d71984140fb9f049c590cc8
Opcode Fuzzy Hash: 4faf4c00e46f1007af7b9373ef9bc5e7f814618d6572de32363e98c231149302
Instruction Fuzzy Hash: 2951E475E15208DFCF64CFA9D94469DBBF6FF88300F24902AD416AB294E7306946CF41

Uniqueness

Uniqueness Score: -1.00%

Function 01973280, Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.674998295.0000000001970000.00000040.00000001.sdmp, Offset: 01970000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85a148c1cb1fc857897efb9947a44531a4877378ce87012ab1e08f8e4f4fc318
Instruction ID: c9019db17a5e8bbbcd428f84493601ef39ba320451a3ed12720d0b35d95198fc
Opcode Fuzzy Hash: 85a148c1cb1fc857897efb9947a44531a4877378ce87012ab1e08f8e4f4fc318
Instruction Fuzzy Hash: 5141DD30E092889FCB01CFB8D9546DDBFF1FF8A210F1484AAC409EB255D7329A44CB65

Uniqueness

Uniqueness Score: -1.00%

Function 0197655E, Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.674998295.0000000001970000.00000040.00000001.sdmp, Offset: 01970000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 327ebaf2091a58e8c1591f926d06509dfad58f0018bec240399f5287ff93e3d7
Instruction ID: a6ca0c7d924101fa80a54a10fbd5533b1c5493d306e15c070ffcf263f7d3dd71
Opcode Fuzzy Hash: 327ebaf2091a58e8c1591f926d06509dfad58f0018bec240399f5287ff93e3d7
Instruction Fuzzy Hash: 94411270C1969ACFDB14CFE0D9409ADFBB0FF4A341F006A1AD00ABB658D3749945DB19

Uniqueness

Uniqueness Score: -1.00%

Function 019732C8, Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.674998295.0000000001970000.00000040.00000001.sdmp, Offset: 01970000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78912a785500f4183ace5bcabb196f47f47b7871935cc2ef2fb127e3ca964b7e
Instruction ID: 3a821a0359bcd2122cedbe0db9581a5d2ed2d3af2f0bce09dabdaa25cada24fc
Opcode Fuzzy Hash: 78912a785500f4183ace5bcabb196f47f47b7871935cc2ef2fb127e3ca964b7e
Instruction Fuzzy Hash: 4C316A74E152499FCB14CFB8D584AEEFBF5FF89310F50982AD009B6214E7318A448B68

Uniqueness

Uniqueness Score: -1.00%

Function 019732D8, Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.674998295.0000000001970000.00000040.00000001.sdmp, Offset: 01970000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f44709e8113f934a7e52a409fbada6c4b8d69e0317021b41d840b4b8cca571b8
Instruction ID: e66687808531de2a7e67ef4494c1e41a3deaca25cff52df79c3101ec1ca4d535
Opcode Fuzzy Hash: f44709e8113f934a7e52a409fbada6c4b8d69e0317021b41d840b4b8cca571b8
Instruction Fuzzy Hash: 22313A70E15209DFCB14CFA9D584AEEBBF5FF8D310F50982AD409B6314EB319A408B69

Uniqueness

Uniqueness Score: -1.00%

Function 05708121, Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.677398895.0000000005700000.00000040.00000001.sdmp, Offset: 05700000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41b40793374b7cef16abfb5a21eb8432057bbd66fd459db480af196513619798
Instruction ID: da393ccaf36d635e27c67f29886c5e360dabbfddc0a5ea7abfd4bcc799ed79a4
Opcode Fuzzy Hash: 41b40793374b7cef16abfb5a21eb8432057bbd66fd459db480af196513619798
Instruction Fuzzy Hash: BF2128B1E056588BDB18CFAAD8402DEFFF3AFC9314F14C0AAD509AA254DB351A46CF51

Uniqueness

Uniqueness Score: -1.00%

Function 0570B18A, Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.677398895.0000000005700000.00000040.00000001.sdmp, Offset: 05700000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8394659a8988bcdd4a027d45312dbcc0ce17f7cde264d624d72051e409e176e4
Instruction ID: fb9c255c7fe270c524482c446b1d00736ebad27e1c08071c68d2cc5b8d71d495
Opcode Fuzzy Hash: 8394659a8988bcdd4a027d45312dbcc0ce17f7cde264d624d72051e409e176e4
Instruction Fuzzy Hash: 3921E671E056189FDB18CF6BD84069EBBF3AFCA200F14C1AAD448AA268DB301A458F51

Uniqueness

Uniqueness Score: -1.00%

Function 0570067F, Relevance: 40.0, Strings: 30, Instructions: 2479COMMON

Download Yara Rule

Strings

:, xrefs: 05702181
%, xrefs: 05701248
}, xrefs: 05702819
', xrefs: 05702312
R, xrefs: 05700975
%, xrefs: 057018EF
:, xrefs: 05702823
:, xrefs: 0570248F
%, xrefs: 05701C51
,, xrefs: 0570172D
,, xrefs: 057013F4
:, xrefs: 05702659
}, xrefs: 05702485
&, xrefs: 05700E6E
,, xrefs: 05701A9B
(, xrefs: 05701F04
%, xrefs: 05701FD2
(, xrefs: 05701B89
}, xrefs: 0570264F
,, xrefs: 05701E1C
&, xrefs: 0570223A
U, xrefs: 057019CD
%, xrefs: 05701581
&, xrefs: 057020A9
L, xrefs: 05701C47
), xrefs: 05700A22
U, xrefs: 05701D54
R, xrefs: 05701FC8
,, xrefs: 057010DF
:, xrefs: 05700BAA

Memory Dump Source

Source File: 00000000.00000002.677398895.0000000005700000.00000040.00000001.sdmp, Offset: 05700000, based on PE: false

Similarity

API ID:
String ID: %$%$%$%$%$&$&$&$'$($($)$,$,$,$,$,$:$:$:$:$:$L$R$R$U$U$}$}$}
API String ID: 0-171310274
Opcode ID: 9ce4ca99dbda3bbce7dd0d584814b12aea1eb283f62a19e373655df0d8d1d26b
Instruction ID: 9fb678d5b0d11eae9f143f9507cc29b283a032e84f6ec401a1c9d3efe2447d35
Opcode Fuzzy Hash: 9ce4ca99dbda3bbce7dd0d584814b12aea1eb283f62a19e373655df0d8d1d26b
Instruction Fuzzy Hash: C533F474A002148FDB599B28C858BACBBF6AF89305F1580F9E50ADB3A1DF369D45CF41

Uniqueness

Uniqueness Score: -1.00%

Function 05700690, Relevance: 40.0, Strings: 30, Instructions: 2472COMMON

Download Yara Rule

Strings

:, xrefs: 05702181
%, xrefs: 05701248
}, xrefs: 05702819
', xrefs: 05702312
R, xrefs: 05700975
%, xrefs: 057018EF
:, xrefs: 05702823
:, xrefs: 0570248F
%, xrefs: 05701C51
,, xrefs: 0570172D
,, xrefs: 057013F4
:, xrefs: 05702659
}, xrefs: 05702485
&, xrefs: 05700E6E
,, xrefs: 05701A9B
(, xrefs: 05701F04
%, xrefs: 05701FD2
(, xrefs: 05701B89
}, xrefs: 0570264F
,, xrefs: 05701E1C
&, xrefs: 0570223A
U, xrefs: 057019CD
%, xrefs: 05701581
&, xrefs: 057020A9
L, xrefs: 05701C47
), xrefs: 05700A22
U, xrefs: 05701D54
R, xrefs: 05701FC8
,, xrefs: 057010DF
:, xrefs: 05700BAA

Memory Dump Source

Source File: 00000000.00000002.677398895.0000000005700000.00000040.00000001.sdmp, Offset: 05700000, based on PE: false

Similarity

API ID:
String ID: %$%$%$%$%$&$&$&$'$($($)$,$,$,$,$,$:$:$:$:$:$L$R$R$U$U$}$}$}
API String ID: 0-171310274
Opcode ID: e7113ce82e162fb64c5973396f1752981c8ee43a0e435411010f2ca02b65f41a
Instruction ID: bae74ab44bcfd53b8eb6914cda782271256c56d04d1dbe76f7122bf2115118af
Opcode Fuzzy Hash: e7113ce82e162fb64c5973396f1752981c8ee43a0e435411010f2ca02b65f41a
Instruction Fuzzy Hash: 6833F474A002148FDB599B28C858BACBBF6AF89305F1580F9E50ADB3A1DF369D45CF41

Uniqueness

Uniqueness Score: -1.00%

Function 05704318, Relevance: 4.0, Strings: 3, Instructions: 247COMMON

Download Yara Rule

Strings

E4, xrefs: 0570448B
, xrefs: 05704581
>_kq, xrefs: 057044C0

Memory Dump Source

Source File: 00000000.00000002.677398895.0000000005700000.00000040.00000001.sdmp, Offset: 05700000, based on PE: false

Similarity

API ID:
String ID: $>_kq$E4
API String ID: 0-710048092
Opcode ID: 829e26fec85d65169c97f6734d9a7f1372b4f00718589b74aec675a452a87437
Instruction ID: beb300d0d28f04399311819229c325e8c4b29194f871b4f581f2a81522231a66
Opcode Fuzzy Hash: 829e26fec85d65169c97f6734d9a7f1372b4f00718589b74aec675a452a87437
Instruction Fuzzy Hash: 8581DC71B04219CFCF14CFA8C8849BEBBF2FF85214B15916AD608EB785D770A841CB90

Uniqueness

Uniqueness Score: -1.00%

Function 057065B6, Relevance: 2.5, Strings: 2, Instructions: 35COMMON

Download Yara Rule

Strings

f]kq, xrefs: 057065BB
f]kq, xrefs: 057065FC

Memory Dump Source

Source File: 00000000.00000002.677398895.0000000005700000.00000040.00000001.sdmp, Offset: 05700000, based on PE: false

Similarity

API ID:
String ID: f]kq$f]kq
API String ID: 0-2717885394
Opcode ID: 253bffa4dbb33d5fff454fd32288344c8c1fa5bc8b77d2dc4361605875cb32ac
Instruction ID: 551872d11adad81ae9b8c144074e96eabe7fb24724da48c1a1e6762d5231cb1d
Opcode Fuzzy Hash: 253bffa4dbb33d5fff454fd32288344c8c1fa5bc8b77d2dc4361605875cb32ac
Instruction Fuzzy Hash: B4015A74E11229CFEB64CF64D840B8EB7F2BB99300F5191A5D408AB284CB749E818F04

Uniqueness

Uniqueness Score: -1.00%

Function 05851B6E, Relevance: 1.6, APIs: 1, Instructions: 135fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 05851C7D

Memory Dump Source

Source File: 00000000.00000002.677973193.0000000005850000.00000040.00000001.sdmp, Offset: 05850000, based on PE: false

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 96386eaff4586da69e9e12ea0e2e58146ca95b87ad4497bb7c4afafa5f3d42e4
Instruction ID: 79da57fc8158a27829fa27ca20b746546112d9dace7bf661d3adb0da5bf1740b
Opcode Fuzzy Hash: 96386eaff4586da69e9e12ea0e2e58146ca95b87ad4497bb7c4afafa5f3d42e4
Instruction Fuzzy Hash: FB514A715093C05FE7138B658C54AA2BFB5AF07724F0A44DBD8C4DF1A3D265A809C772

Uniqueness

Uniqueness Score: -1.00%

Function 058510E0, Relevance: 1.6, APIs: 1, Instructions: 120synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNELBASE(?,?), ref: 05851089

Memory Dump Source

Source File: 00000000.00000002.677973193.0000000005850000.00000040.00000001.sdmp, Offset: 05850000, based on PE: false

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 4b28160f0ed1d241f194a11dd13ba74284febee38d8a859bc8163cd8f393f8e4
Instruction ID: 147d56f9b834402da84ae3e7955db4e223ea5d08d6a4a894ca4931b604b85d05
Opcode Fuzzy Hash: 4b28160f0ed1d241f194a11dd13ba74284febee38d8a859bc8163cd8f393f8e4
Instruction Fuzzy Hash: D2419D754097C05FE7128B25DC45B66BFB4EF47620F0981DBDC848F693D225A90ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 05851FE3, Relevance: 1.6, APIs: 1, Instructions: 102COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,00000E2C), ref: 05852093

Memory Dump Source

Source File: 00000000.00000002.677973193.0000000005850000.00000040.00000001.sdmp, Offset: 05850000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: c2b9613c9ab15ec08d99fc45a8129f8b2aaab06db26b6e275e29f9005c0b08d6
Instruction ID: 9a0d22a54426312d4f783d847b001ab3e6198cbe83a58a2f89623c2b041daaab
Opcode Fuzzy Hash: c2b9613c9ab15ec08d99fc45a8129f8b2aaab06db26b6e275e29f9005c0b08d6
Instruction Fuzzy Hash: F63194715043846FEB228F65DC45FA6BFBCEF06320F0489AAED85DB152D224A909CB71

Uniqueness

Uniqueness Score: -1.00%

Function 05850464, Relevance: 1.6, APIs: 1, Instructions: 93COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,00000E2C), ref: 05850510

Memory Dump Source

Source File: 00000000.00000002.677973193.0000000005850000.00000040.00000001.sdmp, Offset: 05850000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 3bd95dea4c49559d21f645714d41e8b775a73653abd4dc2d43201187ab0d70f8
Instruction ID: 08c943ee90ddb508f14f4f921355c00f6bb81a173759309cf1a8b56ea8145c0a
Opcode Fuzzy Hash: 3bd95dea4c49559d21f645714d41e8b775a73653abd4dc2d43201187ab0d70f8
Instruction Fuzzy Hash: 6831B572504744AFEB228F64DC45F67BFA8EF06310F0984AEED858B153D274E919CB61

Uniqueness

Uniqueness Score: -1.00%

Function 05850FE2, Relevance: 1.6, APIs: 1, Instructions: 89synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNELBASE(?,?), ref: 05851089

Memory Dump Source

Source File: 00000000.00000002.677973193.0000000005850000.00000040.00000001.sdmp, Offset: 05850000, based on PE: false

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 2f99216fbd541587063d668a4188ee82b4a0b40b2006db5cffd66dd526e17543
Instruction ID: 80931739182e66b65b7816b39709ca1edacb726e323aa18c5cc1cc5d3c5b606d
Opcode Fuzzy Hash: 2f99216fbd541587063d668a4188ee82b4a0b40b2006db5cffd66dd526e17543
Instruction Fuzzy Hash: 713181B1509780AFE722CB25DC84B56FFE8EF06310F08849AED85CB292D375E909C761

Uniqueness

Uniqueness Score: -1.00%

Function 0585137E, Relevance: 1.6, APIs: 1, Instructions: 89fileCOMMON

Download Yara Rule

APIs

CopyFileW.KERNELBASE(?,?,?), ref: 0585140A

Memory Dump Source

Source File: 00000000.00000002.677973193.0000000005850000.00000040.00000001.sdmp, Offset: 05850000, based on PE: false

Similarity

API ID: CopyFile
String ID:
API String ID: 1304948518-0
Opcode ID: 225c59171c08769a166f6761b68a21326225f040ad5f08bc29b329a975309f1a
Instruction ID: c67c66079be44aed953be44d2fbd267c708a533573646fef92400d54fb635d95
Opcode Fuzzy Hash: 225c59171c08769a166f6761b68a21326225f040ad5f08bc29b329a975309f1a
Instruction Fuzzy Hash: 9B315E7150D3C05FD7138B249C65B62BFA8AF07220F0D84DBDD84CF163E269A848C762

Uniqueness

Uniqueness Score: -1.00%

Function 05850990, Relevance: 1.6, APIs: 1, Instructions: 86COMMON

Download Yara Rule

APIs

GetExitCodeProcess.KERNELBASE(?,00000E2C,3A22D61B,00000000,00000000,00000000,00000000), ref: 05850A24

Memory Dump Source

Source File: 00000000.00000002.677973193.0000000005850000.00000040.00000001.sdmp, Offset: 05850000, based on PE: false

Similarity

API ID: CodeExitProcess
String ID:
API String ID: 3861947596-0
Opcode ID: d1a91286164e6375c6812c31772bf0facbd982b5de62fafac587892d1522adc1
Instruction ID: eb0b035f9fb0acab048a2636f81e60c532ae989b4280758fd3624b3705426793
Opcode Fuzzy Hash: d1a91286164e6375c6812c31772bf0facbd982b5de62fafac587892d1522adc1
Instruction Fuzzy Hash: 822191B25093806FE7128B25DC45BA6BFB8EF46320F0884EAE984DF193D2649945CB61

Uniqueness

Uniqueness Score: -1.00%

Function 05850379, Relevance: 1.6, APIs: 1, Instructions: 86COMMON

Download Yara Rule

APIs

GetTokenInformation.KERNELBASE(?,00000E2C,3A22D61B,00000000,00000000,00000000,00000000), ref: 05850411

Memory Dump Source

Source File: 00000000.00000002.677973193.0000000005850000.00000040.00000001.sdmp, Offset: 05850000, based on PE: false

Similarity

API ID: InformationToken
String ID:
API String ID: 4114910276-0
Opcode ID: 084e5597cf149ece0c162a252e64253fa0166403d4f001ee326909f8cc3b7fc1
Instruction ID: 05077cef2ffc4c8dc107c626eb6e119f9f7198aad9bad640466d57f9b5aa9c20
Opcode Fuzzy Hash: 084e5597cf149ece0c162a252e64253fa0166403d4f001ee326909f8cc3b7fc1
Instruction Fuzzy Hash: 90317171509380AFEB228F25DD55FA6BFB8EF06314F0884DAED849F153D264A908CB71

Uniqueness

Uniqueness Score: -1.00%

Function 058517CF, Relevance: 1.6, APIs: 1, Instructions: 84COMMON

Download Yara Rule

APIs

GetTokenInformation.KERNELBASE(?,00000E2C,3A22D61B,00000000,00000000,00000000,00000000), ref: 05851864

Memory Dump Source

Source File: 00000000.00000002.677973193.0000000005850000.00000040.00000001.sdmp, Offset: 05850000, based on PE: false

Similarity

API ID: InformationToken
String ID:
API String ID: 4114910276-0
Opcode ID: 1a485a1a822f41d7817857017e38724a84d0d1c9552ee66cf13e542c36fe5c06
Instruction ID: 6e7100cd93aa87931dd4295a131fa2b12be2b2cb9b4259c5aa7d10578a846223
Opcode Fuzzy Hash: 1a485a1a822f41d7817857017e38724a84d0d1c9552ee66cf13e542c36fe5c06
Instruction Fuzzy Hash: 3B217171504384AFEB22CF65DC45FA6BFB8EF06320F0888AAE985DB152D224E444CB61

Uniqueness

Uniqueness Score: -1.00%

Function 05850635, Relevance: 1.6, APIs: 1, Instructions: 84COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 058506CE

Memory Dump Source

Source File: 00000000.00000002.677973193.0000000005850000.00000040.00000001.sdmp, Offset: 05850000, based on PE: false

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: aed9cb1fca8ffd56acc1c2bb0ec2bbe90f5262f23a3da10e8612ffe56d27b351
Instruction ID: 2747b9ee4f516b5a798fc30138ae7d945c691f1bfa183a6602efb230290ce3d4
Opcode Fuzzy Hash: aed9cb1fca8ffd56acc1c2bb0ec2bbe90f5262f23a3da10e8612ffe56d27b351
Instruction Fuzzy Hash: 20315E725093C09FD7138B759C55A92BFB8AF07220F0D88DBD884CF163D2649849CB62

Uniqueness

Uniqueness Score: -1.00%

Function 05852016, Relevance: 1.6, APIs: 1, Instructions: 80COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,00000E2C), ref: 05852093

Memory Dump Source

Source File: 00000000.00000002.677973193.0000000005850000.00000040.00000001.sdmp, Offset: 05850000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 68dae3962d2920f52526576331db30c7b7f25dfca529b8b5fe686c1c0488f843
Instruction ID: 337e860922731d6ddac3596a4ecdd42f3219efee2192771f003d92a2ffda482b
Opcode Fuzzy Hash: 68dae3962d2920f52526576331db30c7b7f25dfca529b8b5fe686c1c0488f843
Instruction Fuzzy Hash: 6E21B072500304AFEB21CF69DC44F6ABBACEF08320F04886AED46DA651D634E849CB71

Uniqueness

Uniqueness Score: -1.00%

Function 05851CD4, Relevance: 1.6, APIs: 1, Instructions: 77COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E2C,3A22D61B,00000000,00000000,00000000,00000000), ref: 05851D69

Memory Dump Source

Source File: 00000000.00000002.677973193.0000000005850000.00000040.00000001.sdmp, Offset: 05850000, based on PE: false

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 9b73324ad0bb959cbbabfdb28569f2ddc2755d1fb265658ba9a932c200a6d008
Instruction ID: bc1c88b05bb13c70fe0474508f5b2875162846f3c917c74d1c6900f9a238dbca
Opcode Fuzzy Hash: 9b73324ad0bb959cbbabfdb28569f2ddc2755d1fb265658ba9a932c200a6d008
Instruction Fuzzy Hash: F921B3B64087846FE712CB259C44FB2BFB8EF46720F1885DAED849B153D224A909C771

Uniqueness

Uniqueness Score: -1.00%

Function 058520F1, Relevance: 1.6, APIs: 1, Instructions: 77fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(?), ref: 05852178

Memory Dump Source

Source File: 00000000.00000002.677973193.0000000005850000.00000040.00000001.sdmp, Offset: 05850000, based on PE: false

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 2b0f4045ce8904b9b896564ee9ffdcb4a4f119502ae474acb7a289bf17d8c743
Instruction ID: 935ef7ba792c248e82530a6a0b0d4f74d956592f852265116a9431d9be9f1e82
Opcode Fuzzy Hash: 2b0f4045ce8904b9b896564ee9ffdcb4a4f119502ae474acb7a289bf17d8c743
Instruction Fuzzy Hash: 62219F765093C09FDB13CB25DC94B56BFB4EF07620F0984DADD858F263D625A908CB62

Uniqueness

Uniqueness Score: -1.00%

Function 05851BFE, Relevance: 1.6, APIs: 1, Instructions: 76fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 05851C7D

Memory Dump Source

Source File: 00000000.00000002.677973193.0000000005850000.00000040.00000001.sdmp, Offset: 05850000, based on PE: false

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 512e9239255b280552b7e8541248de530a23ee3addfb55cc00ca13733fa4e646
Instruction ID: 434123ba0004fc7e7ba400ce1d78dff7856b9f6ce411e6cdef75ca2064539c31
Opcode Fuzzy Hash: 512e9239255b280552b7e8541248de530a23ee3addfb55cc00ca13733fa4e646
Instruction Fuzzy Hash: E9217C75600704AFE721DF69DD89B66FBE8EF08320F04896AED858B651D376E804CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0585049E, Relevance: 1.6, APIs: 1, Instructions: 75COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,00000E2C), ref: 05850510

Memory Dump Source

Source File: 00000000.00000002.677973193.0000000005850000.00000040.00000001.sdmp, Offset: 05850000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: c1de628c7c7da8f09fae123b7e62ce1a1895ad9146a5341536f8277ce858d4f3
Instruction ID: 6c22d94cce1b7399f9252f7c2c7364cf83028336dffd2d1d500f207efa8a94e7
Opcode Fuzzy Hash: c1de628c7c7da8f09fae123b7e62ce1a1895ad9146a5341536f8277ce858d4f3
Instruction Fuzzy Hash: F621CF72500304EFEB21CF69DC45F6AFBA9EF08320F04886AED85DA651D234E919CB71

Uniqueness

Uniqueness Score: -1.00%

Function 05851DA4, Relevance: 1.6, APIs: 1, Instructions: 75fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,00000E2C,3A22D61B,00000000,00000000,00000000,00000000), ref: 05851E35

Memory Dump Source

Source File: 00000000.00000002.677973193.0000000005850000.00000040.00000001.sdmp, Offset: 05850000, based on PE: false

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 1c776ee3c042237b83a6e34502819e5b9e2171cbe50ec3a903ca9f27b703baa4
Instruction ID: 5b2227320f86ad33df3d78bbec45a9c8c3d7fee81e92ac9eeb1f2a3102076ab4
Opcode Fuzzy Hash: 1c776ee3c042237b83a6e34502819e5b9e2171cbe50ec3a903ca9f27b703baa4
Instruction Fuzzy Hash: AB219271409380AFE7228F25DC44F66BFB8EF06314F0884EBED849B153C224A809CB62

Uniqueness

Uniqueness Score: -1.00%

Function 05851016, Relevance: 1.6, APIs: 1, Instructions: 72synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNELBASE(?,?), ref: 05851089

Memory Dump Source

Source File: 00000000.00000002.677973193.0000000005850000.00000040.00000001.sdmp, Offset: 05850000, based on PE: false

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 0897fcda55b985f54b8f8e0cbde2c2626497e613bb5c951c8e865d6f14df9ec0
Instruction ID: 006205e6064bd0a9ac97e1a00b2a3ca8405d800291c2bf880d5357eb99203a2a
Opcode Fuzzy Hash: 0897fcda55b985f54b8f8e0cbde2c2626497e613bb5c951c8e865d6f14df9ec0
Instruction Fuzzy Hash: E2217C71604244AFE720DF6AD889B66FBE8EF04320F1484AAED85CB641D675E805CA61

Uniqueness

Uniqueness Score: -1.00%

Function 05850B1B, Relevance: 1.6, APIs: 1, Instructions: 72COMMON

Download Yara Rule

APIs

K32EnumProcesses.KERNEL32(?,?,?,3A22D61B,00000000,?,?,?,?,?,?,?,?,72203C38), ref: 05850B96

Memory Dump Source

Source File: 00000000.00000002.677973193.0000000005850000.00000040.00000001.sdmp, Offset: 05850000, based on PE: false

Similarity

API ID: EnumProcesses
String ID:
API String ID: 84517404-0
Opcode ID: 93545c17a8246f146039183959153e33df8277fff69d58b1c390189d1d50646b
Instruction ID: 40ee6d98c699b5b257488114a2102c12334ce13ddbef5b4f31169cd43cdc6e8c
Opcode Fuzzy Hash: 93545c17a8246f146039183959153e33df8277fff69d58b1c390189d1d50646b
Instruction Fuzzy Hash: 6D2162755093C49FEB128B25DC94B62BFA4EF07324F0984DBED84CF153D2659908CB62

Uniqueness

Uniqueness Score: -1.00%

Function 058517FA, Relevance: 1.6, APIs: 1, Instructions: 69COMMON

Download Yara Rule

APIs

GetTokenInformation.KERNELBASE(?,00000E2C,3A22D61B,00000000,00000000,00000000,00000000), ref: 05851864

Memory Dump Source

Source File: 00000000.00000002.677973193.0000000005850000.00000040.00000001.sdmp, Offset: 05850000, based on PE: false

Similarity

API ID: InformationToken
String ID:
API String ID: 4114910276-0
Opcode ID: 55c90fa7534b3559585b4bff498ae7b1b4084c9dc04673429a3cb4f2c3f0f1aa
Instruction ID: 088dc04b1b730b13bd5010b3a4593f9cf4540b8a3050c968e7c6ed1898efd98c
Opcode Fuzzy Hash: 55c90fa7534b3559585b4bff498ae7b1b4084c9dc04673429a3cb4f2c3f0f1aa
Instruction Fuzzy Hash: FC115EB1500304AFEB21CF69DD45FAABBACEF04320F04886AED45DA655D674E844CB71

Uniqueness

Uniqueness Score: -1.00%

Function 0585056E, Relevance: 1.6, APIs: 1, Instructions: 65memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 058505ED

Memory Dump Source

Source File: 00000000.00000002.677973193.0000000005850000.00000040.00000001.sdmp, Offset: 05850000, based on PE: false

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 31d85748f95908a9993e935c6497e6f2e58b3b4e214deb964181278b18fc11a1
Instruction ID: 3f62acef3d7f2403a66bd554183a819921bbe582ce2d1b5e52aa28280185365e
Opcode Fuzzy Hash: 31d85748f95908a9993e935c6497e6f2e58b3b4e214deb964181278b18fc11a1
Instruction Fuzzy Hash: C32192764097C19FDB228B25DC55AA2FFB4EF47324F0D84DEED854B153D2209908DB61

Uniqueness

Uniqueness Score: -1.00%

Function 058503B2, Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

GetTokenInformation.KERNELBASE(?,00000E2C,3A22D61B,00000000,00000000,00000000,00000000), ref: 05850411

Memory Dump Source

Source File: 00000000.00000002.677973193.0000000005850000.00000040.00000001.sdmp, Offset: 05850000, based on PE: false

Similarity

API ID: InformationToken
String ID:
API String ID: 4114910276-0
Opcode ID: 1e590aaa1a8a9f8d2c58b494d6714683230293c96b09810e140a65bd29065274
Instruction ID: 392f6b97d10879ea2f0c2f9196e38e91b6a53dd0f9de2d72799e196a2f968b68
Opcode Fuzzy Hash: 1e590aaa1a8a9f8d2c58b494d6714683230293c96b09810e140a65bd29065274
Instruction Fuzzy Hash: F311E671500304AFEB21CF65DC44F66FBA8EF04320F04846AED45CB251D274E804CB71

Uniqueness

Uniqueness Score: -1.00%

Function 0585225D, Relevance: 1.6, APIs: 1, Instructions: 62windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 058522D1

Memory Dump Source

Source File: 00000000.00000002.677973193.0000000005850000.00000040.00000001.sdmp, Offset: 05850000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: c40a2fa03f07f9b96971d4609c065d318fd675c97cd4412f849ca0a3439e585b
Instruction ID: 671c8575bc6a9f9919706af022541c3021b49c407acb275cb08387880f6eb13e
Opcode Fuzzy Hash: c40a2fa03f07f9b96971d4609c065d318fd675c97cd4412f849ca0a3439e585b
Instruction Fuzzy Hash: 65218C754093C09FDB238B25DC44A62FFB4EF07220F0985DBED858F163D225A818DB62

Uniqueness

Uniqueness Score: -1.00%

Function 058509CE, Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

GetExitCodeProcess.KERNELBASE(?,00000E2C,3A22D61B,00000000,00000000,00000000,00000000), ref: 05850A24

Memory Dump Source

Source File: 00000000.00000002.677973193.0000000005850000.00000040.00000001.sdmp, Offset: 05850000, based on PE: false

Similarity

API ID: CodeExitProcess
String ID:
API String ID: 3861947596-0
Opcode ID: 79fec812fb92fe90dc1069bbd07f31d4d1ecfb511a1632daf0d3ebdefd4e6e4e
Instruction ID: 564f02c65a895bbff7717fd53062d1ed49e9cfec76a1b19b4da3b010e5cf9fbf
Opcode Fuzzy Hash: 79fec812fb92fe90dc1069bbd07f31d4d1ecfb511a1632daf0d3ebdefd4e6e4e
Instruction Fuzzy Hash: 3011E771600304AFEB11CF69DC45F6ABB98EF04720F14846AED05DB246D674E904CB71

Uniqueness

Uniqueness Score: -1.00%

Function 05851485, Relevance: 1.6, APIs: 1, Instructions: 60COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(?,?), ref: 058514E7

Memory Dump Source

Source File: 00000000.00000002.677973193.0000000005850000.00000040.00000001.sdmp, Offset: 05850000, based on PE: false

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: b0e36b9e1b9ff52ba793ce5f788ea21aee1cb1f9a6c875dba3933a4f5a85350c
Instruction ID: ae41256d10b5c9513c48e0cb3ffbff7d4cc9b3964304d1ff8fabd240d3875b44
Opcode Fuzzy Hash: b0e36b9e1b9ff52ba793ce5f788ea21aee1cb1f9a6c875dba3933a4f5a85350c
Instruction Fuzzy Hash: C21193765093809FDB11CF29DC85B56BFE8EF06220F0984EAED85CF252D274D845CB61

Uniqueness

Uniqueness Score: -1.00%

Function 05851DD6, Relevance: 1.6, APIs: 1, Instructions: 60fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,00000E2C,3A22D61B,00000000,00000000,00000000,00000000), ref: 05851E35

Memory Dump Source

Source File: 00000000.00000002.677973193.0000000005850000.00000040.00000001.sdmp, Offset: 05850000, based on PE: false

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: bd9e7d92647ecbb53cce28cc82133f9b01c1b28a376a7fb4c17cddfe91143266
Instruction ID: f77cc6d303280ec920f3a4c66b45114b1402056c4c547ed32f52916274550644
Opcode Fuzzy Hash: bd9e7d92647ecbb53cce28cc82133f9b01c1b28a376a7fb4c17cddfe91143266
Instruction Fuzzy Hash: 3011A372500344AFEB21CF59DD44F6AFBA8EF04720F14886AED859B656D374E408CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 058525EF, Relevance: 1.6, APIs: 1, Instructions: 56windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 05852659

Memory Dump Source

Source File: 00000000.00000002.677973193.0000000005850000.00000040.00000001.sdmp, Offset: 05850000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: c1de858d8817d1ad89c929bf6e94e3607f76280ec38b6ef401d204d19bd86a2b
Instruction ID: f1ffee52634bf1434d48110cd266b1689cb3b1f0b2528e0bb8c50742449adb6e
Opcode Fuzzy Hash: c1de858d8817d1ad89c929bf6e94e3607f76280ec38b6ef401d204d19bd86a2b
Instruction Fuzzy Hash: B51190754093809FDB228F15DC45B62FFB4EF06224F0884DEED858B663D275A818CB62

Uniqueness

Uniqueness Score: -1.00%

Function 05850686, Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 058506CE

Memory Dump Source

Source File: 00000000.00000002.677973193.0000000005850000.00000040.00000001.sdmp, Offset: 05850000, based on PE: false

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: c794225c9f7bca31b0778269d48e9ba1ad98af40ac9baf381f71d12cece100d4
Instruction ID: 13a8598cb13eb10c1977b9569f065c4c846bd397ee5bad6916a509ccf72446b4
Opcode Fuzzy Hash: c794225c9f7bca31b0778269d48e9ba1ad98af40ac9baf381f71d12cece100d4
Instruction Fuzzy Hash: 13113075604305CFDB60CF6AD849B66FBE8EB44320F0884AADD49CB656E675E808CA71

Uniqueness

Uniqueness Score: -1.00%

Function 058513C2, Relevance: 1.6, APIs: 1, Instructions: 53fileCOMMON

Download Yara Rule

APIs

CopyFileW.KERNELBASE(?,?,?), ref: 0585140A

Memory Dump Source

Source File: 00000000.00000002.677973193.0000000005850000.00000040.00000001.sdmp, Offset: 05850000, based on PE: false

Similarity

API ID: CopyFile
String ID:
API String ID: 1304948518-0
Opcode ID: c794225c9f7bca31b0778269d48e9ba1ad98af40ac9baf381f71d12cece100d4
Instruction ID: c444ea36a4922798dbe4bb846a7f1d01a431acbb572bc41de2a2d07e1f20810e
Opcode Fuzzy Hash: c794225c9f7bca31b0778269d48e9ba1ad98af40ac9baf381f71d12cece100d4
Instruction Fuzzy Hash: 8B11A575A003008FDB60CF2AD884B66FBD8EF04220F08846ADD49CB642E674E804CB72

Uniqueness

Uniqueness Score: -1.00%

Function 05851D16, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E2C,3A22D61B,00000000,00000000,00000000,00000000), ref: 05851D69

Memory Dump Source

Source File: 00000000.00000002.677973193.0000000005850000.00000040.00000001.sdmp, Offset: 05850000, based on PE: false

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 3b072561b341fe2bf87679c54b39fd21b439363f6eb7522ca656810d731f4741
Instruction ID: 3b734dd84a06dd16f2af389ae353cc8e97a2138292e3d22b4d37e2c6800ac468
Opcode Fuzzy Hash: 3b072561b341fe2bf87679c54b39fd21b439363f6eb7522ca656810d731f4741
Instruction Fuzzy Hash: CC01C071500704AEE721CF19DD89F76FB98EF05730F54849AED489B246D378E808CAB2

Uniqueness

Uniqueness Score: -1.00%

Function 05850B56, Relevance: 1.5, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

K32EnumProcesses.KERNEL32(?,?,?,3A22D61B,00000000,?,?,?,?,?,?,?,?,72203C38), ref: 05850B96

Memory Dump Source

Source File: 00000000.00000002.677973193.0000000005850000.00000040.00000001.sdmp, Offset: 05850000, based on PE: false

Similarity

API ID: EnumProcesses
String ID:
API String ID: 84517404-0
Opcode ID: 6229bed9c79f5551ac078033775fc9d021e369fe694454a027af847e86048bfc
Instruction ID: 918f24bb830dc8ce98eaaa9d4e26532e6c0945285550f0d96308ec97a0b842d4
Opcode Fuzzy Hash: 6229bed9c79f5551ac078033775fc9d021e369fe694454a027af847e86048bfc
Instruction Fuzzy Hash: 72116175600344DFEB60CF69D888B66FBE4EF04324F0884AADD49CB656D274E844CB62

Uniqueness

Uniqueness Score: -1.00%

Function 058514AA, Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(?,?), ref: 058514E7

Memory Dump Source

Source File: 00000000.00000002.677973193.0000000005850000.00000040.00000001.sdmp, Offset: 05850000, based on PE: false

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: d8764afede403f9d52bd3b2ecbe6416b4512976f0da336cf5c3a9e1499dad6de
Instruction ID: 4588e0587795eb0b21d96307b235eda348746c35a82615ce2a1c3962e0545d51
Opcode Fuzzy Hash: d8764afede403f9d52bd3b2ecbe6416b4512976f0da336cf5c3a9e1499dad6de
Instruction Fuzzy Hash: 700192716003448FEB60CF6AD888766FBD4EF04730F0884AADD4ACB646E274D804CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0585213E, Relevance: 1.5, APIs: 1, Instructions: 47fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(?), ref: 05852178

Memory Dump Source

Source File: 00000000.00000002.677973193.0000000005850000.00000040.00000001.sdmp, Offset: 05850000, based on PE: false

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 4dc37721de66a3d6d6363170def9424154b86e35856a9e3b6cac5a09ae5cd22b
Instruction ID: 0258380055adb40258eeb15b30d0c55810acd501d05f819cc7b7703f0cb857ea
Opcode Fuzzy Hash: 4dc37721de66a3d6d6363170def9424154b86e35856a9e3b6cac5a09ae5cd22b
Instruction Fuzzy Hash: 9C0152756442448FDB50DF2AD88576AFB98EF04620F0884AADD4ACF745D674E844CB61

Uniqueness

Uniqueness Score: -1.00%

Function 058505B2, Relevance: 1.5, APIs: 1, Instructions: 42memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 058505ED

Memory Dump Source

Source File: 00000000.00000002.677973193.0000000005850000.00000040.00000001.sdmp, Offset: 05850000, based on PE: false

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: c479b42b44a748c73ea294195a2cbed7300de13c5c88a00ff26e0841b30394e9
Instruction ID: 88cdc2e809180e7e8d2dfbbaf46c6d630c23b20a69b92214bbd06ff216d3c214
Opcode Fuzzy Hash: c479b42b44a748c73ea294195a2cbed7300de13c5c88a00ff26e0841b30394e9
Instruction Fuzzy Hash: E101BC31500704DFDB208F5AD988B66FBA0EF48320F08C4AADD4A8B652D275E818CF62

Uniqueness

Uniqueness Score: -1.00%

Function 0585261E, Relevance: 1.5, APIs: 1, Instructions: 42windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 05852659

Memory Dump Source

Source File: 00000000.00000002.677973193.0000000005850000.00000040.00000001.sdmp, Offset: 05850000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: cbfa3ae22263d0f51200682498c76a3644257a37bbc2c3eb22916317243bd615
Instruction ID: 3bee27da1f75ea4e0d5f64ab39876bcb237387ab4c4da18abff7f80db1be94a9
Opcode Fuzzy Hash: cbfa3ae22263d0f51200682498c76a3644257a37bbc2c3eb22916317243bd615
Instruction Fuzzy Hash: 0401B1355003008FDB208F1AD844B65FBE0EF04320F08C49EDD468B652D675E818CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 05852296, Relevance: 1.5, APIs: 1, Instructions: 38windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 058522D1

Memory Dump Source

Source File: 00000000.00000002.677973193.0000000005850000.00000040.00000001.sdmp, Offset: 05850000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 170238cf57a9e2863748c8059d517827cd15663d23188f28702b1eeacc5e28d6
Instruction ID: b4649adc809831135ba99d3a96bca6fc03b4fa1e1fb18b3269ee0eed8c5fe7d7
Opcode Fuzzy Hash: 170238cf57a9e2863748c8059d517827cd15663d23188f28702b1eeacc5e28d6
Instruction Fuzzy Hash: 6A017C395007449FDB20CF5AD845B25FBA0EF08320F08C49ADD4A4A616D675A418DBA2

Uniqueness

Uniqueness Score: -1.00%

Function 057003B0, Relevance: 1.4, Strings: 1, Instructions: 183COMMON

Download Yara Rule

Strings

:@fq, xrefs: 05700600

Memory Dump Source

Source File: 00000000.00000002.677398895.0000000005700000.00000040.00000001.sdmp, Offset: 05700000, based on PE: false

Similarity

API ID:
String ID: :@fq
API String ID: 0-3673016210
Opcode ID: 59215d0d6c40a6f83ba8c2f40966f9168641e72f098dacb756bc8474ef7d16cc
Instruction ID: 186fe00c55f50d0ed810f57550357d01e2818aa73d85fc1b5296c4485736d8b9
Opcode Fuzzy Hash: 59215d0d6c40a6f83ba8c2f40966f9168641e72f098dacb756bc8474ef7d16cc
Instruction Fuzzy Hash: 93519F34B05205CFCB18DB69D454BAEBBF3AFC9320F54446AE406AB391CB35AD06CB91

Uniqueness

Uniqueness Score: -1.00%

Function 05700198, Relevance: 1.3, Strings: 1, Instructions: 95COMMON

Download Yara Rule

Strings

t, xrefs: 057001A9

Memory Dump Source

Source File: 00000000.00000002.677398895.0000000005700000.00000040.00000001.sdmp, Offset: 05700000, based on PE: false

Similarity

API ID:
String ID: t
API String ID: 0-2238339752
Opcode ID: 14545ffe429a0dafbd4d025f7f1c7f6f585d80264c34f7a8d9b9f59600fdae28
Instruction ID: f7e19d19e26813944c3f9f3a7adf93818642e8c35ae08b494543d578936bca47
Opcode Fuzzy Hash: 14545ffe429a0dafbd4d025f7f1c7f6f585d80264c34f7a8d9b9f59600fdae28
Instruction Fuzzy Hash: 8B318170708306DFEB14CF68C854B6A77E6BF8A740F5444AAE502EB394EB34ED019B51

Uniqueness

Uniqueness Score: -1.00%

Function 05703230, Relevance: 1.3, Strings: 1, Instructions: 92COMMON

Download Yara Rule

Strings

], xrefs: 0570335F

Memory Dump Source

Source File: 00000000.00000002.677398895.0000000005700000.00000040.00000001.sdmp, Offset: 05700000, based on PE: false

Similarity

API ID:
String ID: ]
API String ID: 0-636209891
Opcode ID: 1c189b3b281f8bba4430d6d78f143e754a7681c260be42efc76fab7d6628ebf4
Instruction ID: 0d7568683dcc1a46ac7e0f6ab8b1395247e2b09fe7e2b4321ef71297ccb87562
Opcode Fuzzy Hash: 1c189b3b281f8bba4430d6d78f143e754a7681c260be42efc76fab7d6628ebf4
Instruction Fuzzy Hash: 27414C74E0020ACFDB58DFA9C545AAEFBF2FF48314F20846AC406A7294DB759A45DF11

Uniqueness

Uniqueness Score: -1.00%

Function 057001B8, Relevance: 1.3, Strings: 1, Instructions: 74COMMON

Download Yara Rule

Strings

7, xrefs: 0570022A

Memory Dump Source

Source File: 00000000.00000002.677398895.0000000005700000.00000040.00000001.sdmp, Offset: 05700000, based on PE: false

Similarity

API ID:
String ID: 7
API String ID: 0-1790921346
Opcode ID: 182bc82e9f64b2c0a24fa82566f8764440f06426d5655e6f090a648cef5f475f
Instruction ID: a8188e6dd7e7b0fb3cfdc0fd0aa6c9d813a1d10828dad56c98cadbc97136ca55
Opcode Fuzzy Hash: 182bc82e9f64b2c0a24fa82566f8764440f06426d5655e6f090a648cef5f475f
Instruction Fuzzy Hash: 7F21A1707093469FEB20CB68C844FAA77E6FF86750F1445AAE5019B395E734E801CB51

Uniqueness

Uniqueness Score: -1.00%

Function 0570CE01, Relevance: 1.3, Strings: 1, Instructions: 33COMMON

Download Yara Rule

Strings

<, xrefs: 0570CE50

Memory Dump Source

Source File: 00000000.00000002.677398895.0000000005700000.00000040.00000001.sdmp, Offset: 05700000, based on PE: false

Similarity

API ID:
String ID: <
API String ID: 0-4251816714
Opcode ID: b9e4177d797964a02ce25efaa4f749f273d27f4b449ee589b2613c66af2373bd
Instruction ID: 45fa39b49007126fdea6a8aaeaa7ff58f2b92e94dc7621b86cc90e410cb28f59
Opcode Fuzzy Hash: b9e4177d797964a02ce25efaa4f749f273d27f4b449ee589b2613c66af2373bd
Instruction Fuzzy Hash: 6C11B0B8E0432ACFDB60DF64C988BADBBF1AF48301F109299D51AA7291C7345E81DF11

Uniqueness

Uniqueness Score: -1.00%

Function 057052C1, Relevance: .3, Instructions: 284COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.677398895.0000000005700000.00000040.00000001.sdmp, Offset: 05700000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36c01c5834a9da304a08c4f70dfb31c89b2410dbcec9dc50a4b3d830cc86f840
Instruction ID: 5fd4afce8ae0b3fbf7e20e9391ac771f13fddbb53ad7096150ba9ae21962dd67
Opcode Fuzzy Hash: 36c01c5834a9da304a08c4f70dfb31c89b2410dbcec9dc50a4b3d830cc86f840
Instruction Fuzzy Hash: D6A1AF3590E3C48FCB128B749C689A9BFF1AF43308B1991D7D480DF2E3D665580ADB62

Uniqueness

Uniqueness Score: -1.00%

Function 057055D8, Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.677398895.0000000005700000.00000040.00000001.sdmp, Offset: 05700000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b919d57298522bd4011758705ac418480e48a675873952dcbdb287470a049f88
Instruction ID: 9add57139ddaeec2f39916f8a45b6893baf0051b4300482542abb32fbb2740c3
Opcode Fuzzy Hash: b919d57298522bd4011758705ac418480e48a675873952dcbdb287470a049f88
Instruction Fuzzy Hash: FE51B334A04215CFDB10DF78C88877EBBF6BB85314F10A56AD0169B2C1DB759845EFA1

Uniqueness

Uniqueness Score: -1.00%

Function 05706170, Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.677398895.0000000005700000.00000040.00000001.sdmp, Offset: 05700000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f2448347a27525719eb30c09b21e25eaab51d5b88e9c456d2f200dc82f9388b
Instruction ID: 6d59e0ab6131bd2b3de40517dd1c7f3b57678511db9a799eb1bb27e03a3c0857
Opcode Fuzzy Hash: 0f2448347a27525719eb30c09b21e25eaab51d5b88e9c456d2f200dc82f9388b
Instruction Fuzzy Hash: BF514570D00208CFCB04DFAAC894AADFBF2BF8A324F64D669D814AB295D7309951DF50

Uniqueness

Uniqueness Score: -1.00%

Function 057058E8, Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.677398895.0000000005700000.00000040.00000001.sdmp, Offset: 05700000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d2d22eacdb50b6ee634723f9996dffc54cf78c28532ca508c733bd51a8c8391
Instruction ID: 88f345a4e8f5c2f1919c1b396b712f7e9b37f52bb0c9778e559c22a279fe1781
Opcode Fuzzy Hash: 4d2d22eacdb50b6ee634723f9996dffc54cf78c28532ca508c733bd51a8c8391
Instruction Fuzzy Hash: 4B51E1B4E05208DFDB04DFA9D488AAEBBF2FF89310F10916AD806AB394DB345945CF51

Uniqueness

Uniqueness Score: -1.00%

Function 057003A0, Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.677398895.0000000005700000.00000040.00000001.sdmp, Offset: 05700000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8af1dc37f467b55683eb60e33281ea57771f980d04a2d1e76d89f3496cf14fc
Instruction ID: 08eaaa695ad2cfc9855e185ec79422c687b81f029abadd2f951674e34e655901
Opcode Fuzzy Hash: d8af1dc37f467b55683eb60e33281ea57771f980d04a2d1e76d89f3496cf14fc
Instruction Fuzzy Hash: 2641AE30A01604CFDB14CF68C458BBDBBF3AF8A320F945469E406AB391DB35AC42DB50

Uniqueness

Uniqueness Score: -1.00%

Function 019708C3, Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.674998295.0000000001970000.00000040.00000001.sdmp, Offset: 01970000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fa3e3aa706672037a111ead3a6c1ed74153b531abf2b6954349688f3aa41316
Instruction ID: a09df83a1ca25cd69cda29a543c6a96d5a69a0e02c95cc679f4c899ffb4e3a56
Opcode Fuzzy Hash: 7fa3e3aa706672037a111ead3a6c1ed74153b531abf2b6954349688f3aa41316
Instruction Fuzzy Hash: 5141A070E0934ACFC742CF64C85459DFBF2FF86210B1984AAC480AB752D7305E41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 057031DF, Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.677398895.0000000005700000.00000040.00000001.sdmp, Offset: 05700000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9912f3427df72b305738b488cb91e7c4b49601594de029bfaee934b824dd2d10
Instruction ID: 225b5d5c708fad1a59c7a80486347865bf7cac264c8a7beb2c59cbe1d8d47730
Opcode Fuzzy Hash: 9912f3427df72b305738b488cb91e7c4b49601594de029bfaee934b824dd2d10
Instruction Fuzzy Hash: 51418B74D09389CFCB05DBA9C415AADBBF2BF46314F1484AAC045EB2A2E7399D05CB52

Uniqueness

Uniqueness Score: -1.00%

Function 057055C8, Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.677398895.0000000005700000.00000040.00000001.sdmp, Offset: 05700000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b6c070e48eb15174e6100d118be91cb930972ecd898c590dd0ba10e5639b6db
Instruction ID: f674d7a3fd695e105510bac8e4b8c3969bdbf1b5063554535b4e8a25291e3fda
Opcode Fuzzy Hash: 3b6c070e48eb15174e6100d118be91cb930972ecd898c590dd0ba10e5639b6db
Instruction Fuzzy Hash: 0131F230B00205DFEB24AA79C848B7EB6E7AFC1714F259029901A9B3D1CEB19C459B95

Uniqueness

Uniqueness Score: -1.00%

Function 01970013, Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.674998295.0000000001970000.00000040.00000001.sdmp, Offset: 01970000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df2e1eef1958e2a233bd3a2dd18bba3f407d6f6e95c70a04f684166e3ff79cd6
Instruction ID: 9ea40ff51a219b92255c397f994e7ad2ea41741c00dd96ba04febb8e1ecb154a
Opcode Fuzzy Hash: df2e1eef1958e2a233bd3a2dd18bba3f407d6f6e95c70a04f684166e3ff79cd6
Instruction Fuzzy Hash: 17418D30A09389DFCB46DFA8D85458EBFB2FF46304F18859AD045DB29AEB345C45CB92

Uniqueness

Uniqueness Score: -1.00%

Function 057053E0, Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.677398895.0000000005700000.00000040.00000001.sdmp, Offset: 05700000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7bd6550ccbc5962b99910e8051def811e23d852bc6f705e712f5725908eabde2
Instruction ID: e9e1a97fae2dd71d2443ac46759b7dc45e44a1d1134d5370b2ec335e312d5ee1
Opcode Fuzzy Hash: 7bd6550ccbc5962b99910e8051def811e23d852bc6f705e712f5725908eabde2
Instruction Fuzzy Hash: 38316972E00259DFCB55CBA8CC448EEBBF6FF85315B148256E815A73A1C730A842DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0174B10C, Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.674782512.0000000001742000.00000040.00000001.sdmp, Offset: 01742000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b82d78b9316507470c3b9841be9b3be4ab670c3d4f00b705333dbb14ca1433b
Instruction ID: 84c240b15747deff007881f049100598c13d5b9f5f7cd8a7d410e3a5ee0e2532
Opcode Fuzzy Hash: 3b82d78b9316507470c3b9841be9b3be4ab670c3d4f00b705333dbb14ca1433b
Instruction Fuzzy Hash: 05314C7550D3805FD302CF298851A56BFF4EF8A254F0989DFE8C8DB262D2759909CB62

Uniqueness

Uniqueness Score: -1.00%

Function 057001D8, Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.677398895.0000000005700000.00000040.00000001.sdmp, Offset: 05700000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45446a70b347d1a1b81553f60586daf021b616636b92024c7fe5b9b5477a296f
Instruction ID: 0facbfc31664bb8403a87295da527f4e79b248932c5ed9a825c3036eb8683916
Opcode Fuzzy Hash: 45446a70b347d1a1b81553f60586daf021b616636b92024c7fe5b9b5477a296f
Instruction Fuzzy Hash: 1E314F707053069FEB10CF68C844F6A77E6FF8A750F14046AE505AB394EA70F9018BA1

Uniqueness

Uniqueness Score: -1.00%

Function 057001E8, Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.677398895.0000000005700000.00000040.00000001.sdmp, Offset: 05700000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de7f0acc5020eb83f48c8a6c9db46632080ff0ace45a78f376db551351ce758e
Instruction ID: 061579c5691a9c4ea450847f288ead85e130e042c4bbadd2c7f8013c6a608662
Opcode Fuzzy Hash: de7f0acc5020eb83f48c8a6c9db46632080ff0ace45a78f376db551351ce758e
Instruction Fuzzy Hash: 93213C707052069FEB10DE68C844FAA77EAFF8A790F500469E505EB394EA70F9018BA1

Uniqueness

Uniqueness Score: -1.00%

Function 05707A30, Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.677398895.0000000005700000.00000040.00000001.sdmp, Offset: 05700000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59ae07b676a8ad52f24cb1ce3164dc643837e59b43697535b79d5cf24241327f
Instruction ID: 5f41f6f5aa55f6a042bd5ebbc52b46b73b6119293c0758c9b83f98cb77539d02
Opcode Fuzzy Hash: 59ae07b676a8ad52f24cb1ce3164dc643837e59b43697535b79d5cf24241327f
Instruction Fuzzy Hash: E331F9B4E04249DFCB48DFA9C4819AEBBF2FF49300F1095AAD415AB365D738AA41CF51

Uniqueness

Uniqueness Score: -1.00%

Function 05700007, Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.677398895.0000000005700000.00000040.00000001.sdmp, Offset: 05700000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07b3c7a1506f765623c09dc522ed3dcf320f728c1e857437c5372979e88d3490
Instruction ID: 2822b1ce782b81e5f7c331e4716dc35b3c9bb28fa196586f0e72dfd98c20b533
Opcode Fuzzy Hash: 07b3c7a1506f765623c09dc522ed3dcf320f728c1e857437c5372979e88d3490
Instruction Fuzzy Hash: 9611516194E7C19FC7039B7488297A67FF4AB13230F5A54EBD480DB0A3E2684849D7A2

Uniqueness

Uniqueness Score: -1.00%

Function 05707EC8, Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.677398895.0000000005700000.00000040.00000001.sdmp, Offset: 05700000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 486579b68c897c5c7acc45c99114b3bed633833b9ba5591213a8cf1fb5206402
Instruction ID: 45ef7cf3b1e1adc6a0f99adecc7e084072fe59193e651d98dbbeaa75cc3fc82b
Opcode Fuzzy Hash: 486579b68c897c5c7acc45c99114b3bed633833b9ba5591213a8cf1fb5206402
Instruction Fuzzy Hash: AD3137749092899FCB09DBB8C850AAEBFF1FF4A304F1085EAC8549B391D731A946CF51

Uniqueness

Uniqueness Score: -1.00%

Function 0174AD5A, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.674782512.0000000001742000.00000040.00000001.sdmp, Offset: 01742000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ea2c14cb20e4648b978ef0ccbf5a57c69f8de3e107193b73946422b6f196c8c
Instruction ID: 23aa23a6e45191e21dd19aff1ed6ccbd58f2b8b86b599087b8b177326d622354
Opcode Fuzzy Hash: 8ea2c14cb20e4648b978ef0ccbf5a57c69f8de3e107193b73946422b6f196c8c
Instruction Fuzzy Hash: AC213AB6644300AFD750CF0AEC41A67FBE8EB88620F14C96EFD4997311D271E9148BA2

Uniqueness

Uniqueness Score: -1.00%

Function 0174AFB2, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.674782512.0000000001742000.00000040.00000001.sdmp, Offset: 01742000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bcdce0f712492cbc9055d366a3ad27d2da2949cd6edc549397b98dba624eb04f
Instruction ID: 26d7ad06efa1c4e1d2a70ce5c63ddb7e03f6206caff5a6b67b5a63f372f84dc2
Opcode Fuzzy Hash: bcdce0f712492cbc9055d366a3ad27d2da2949cd6edc549397b98dba624eb04f
Instruction Fuzzy Hash: 43211AB6644300AFD750CF0AEC41A67FBE8EB88620F14C96EFD4997311D275E9148BA2

Uniqueness

Uniqueness Score: -1.00%

Function 0174AE86, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.674782512.0000000001742000.00000040.00000001.sdmp, Offset: 01742000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2922a3d4be6bd0bcbd21f7673acee50797b11a858c234ab257d277e7411cebc9
Instruction ID: 1f7cd511b1ac9bebd94a988fd48d055cacbc63d377df0360a3204962e9735b19
Opcode Fuzzy Hash: 2922a3d4be6bd0bcbd21f7673acee50797b11a858c234ab257d277e7411cebc9
Instruction Fuzzy Hash: 34211AB6644300AFD750CF0AEC41A67FBE8EB88620F14C96EFD5997311D275E9148FA2

Uniqueness

Uniqueness Score: -1.00%

Function 05707A40, Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.677398895.0000000005700000.00000040.00000001.sdmp, Offset: 05700000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b51b99afe5fdf4727cbfab5b93500b4d230582c1b4a8d3a1436b8d2d7718cdc
Instruction ID: b97c9a6eac88b7ca1d733d02febad7486beafd8df76e6e032d81f7d70974bea5
Opcode Fuzzy Hash: 1b51b99afe5fdf4727cbfab5b93500b4d230582c1b4a8d3a1436b8d2d7718cdc
Instruction Fuzzy Hash: 5B31E5B4E0421ADFCB48DFA9C4809AEBBF2FB48300F50956AD415AB764D738AA41CF50

Uniqueness

Uniqueness Score: -1.00%

Function 01971F78, Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.674998295.0000000001970000.00000040.00000001.sdmp, Offset: 01970000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb727057bfabee017b025430f784610cff4b87848f08a774bb40988f5983b27c
Instruction ID: 829d2fb9721cb4192ac4dbafcd1441a5c8e6f44f77993bed2b2c8f2cb1caba3e
Opcode Fuzzy Hash: fb727057bfabee017b025430f784610cff4b87848f08a774bb40988f5983b27c
Instruction Fuzzy Hash: 4731F174E04209CFCB15CFA9C584AEEBBB2FF58300F10816AD815A7350DB34AA41CF64

Uniqueness

Uniqueness Score: -1.00%

Function 01971F6A, Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.674998295.0000000001970000.00000040.00000001.sdmp, Offset: 01970000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88143f4e4178de21ba3507e757a7fc905c3944f66a6c9218ed9ea5f6d18654c4
Instruction ID: a987c22e29b53a8b2503c536e221a65e202aefda7036cc5561d39297765cb0b9
Opcode Fuzzy Hash: 88143f4e4178de21ba3507e757a7fc905c3944f66a6c9218ed9ea5f6d18654c4
Instruction Fuzzy Hash: 70312574E04209CFCB15CFA8D944AEEBBB6FF59300F1081AAE815AB354D734AA45CF64

Uniqueness

Uniqueness Score: -1.00%

Function 01970070, Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.674998295.0000000001970000.00000040.00000001.sdmp, Offset: 01970000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4086d2de600840539f1d9c3caddbac89367284402bdc966307b72b609338c7d
Instruction ID: c0268ef1eba8900b6f1bd2f43707494b051af4ef8971f7972c03aa395d0ddf5e
Opcode Fuzzy Hash: a4086d2de600840539f1d9c3caddbac89367284402bdc966307b72b609338c7d
Instruction Fuzzy Hash: 32312B30E0124DCFCB54DFA8D54869EBBB6FF89305F148559E405AB388EB306D82CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0174AA16, Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.674782512.0000000001742000.00000040.00000001.sdmp, Offset: 01742000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ec86c9fae397a27d98ff9a9d00c654cc856f5ea81b159fdbd4097156b5bc25a
Instruction ID: 8f9207e68effe4bfa3a2f066de7b96e542c9ce143712117aa0424b2acdb5f69e
Opcode Fuzzy Hash: 1ec86c9fae397a27d98ff9a9d00c654cc856f5ea81b159fdbd4097156b5bc25a
Instruction Fuzzy Hash: F6116676644304BFD6108F0AEC41D67FBE8EB89670F14C96AFD0D57311D275E5148BA2

Uniqueness

Uniqueness Score: -1.00%

Function 0174AC2E, Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.674782512.0000000001742000.00000040.00000001.sdmp, Offset: 01742000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5115ca26653874ad633a7210027d36cad1c16a664b01ab4574a6ee40b7c3b51
Instruction ID: 8a3d5ed9ef90455f3058a0b85021d8504bc3a2384b6d89c9fc28b13e9cd66499
Opcode Fuzzy Hash: c5115ca26653874ad633a7210027d36cad1c16a664b01ab4574a6ee40b7c3b51
Instruction Fuzzy Hash: 87119376644200BFD6108F0AEC41E67FBE8EB89630F18C96AFD095B311D276E5148FA2

Uniqueness

Uniqueness Score: -1.00%

Function 05707B58, Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.677398895.0000000005700000.00000040.00000001.sdmp, Offset: 05700000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b6ba6ef1438dfa18f142be11e686f4b19e1380f94b5d746e1abbc890c6d9794
Instruction ID: e00554325f5c1a54878d0501b618b690a0c3a830db3c0cface7632a77fe418bb
Opcode Fuzzy Hash: 7b6ba6ef1438dfa18f142be11e686f4b19e1380f94b5d746e1abbc890c6d9794
Instruction Fuzzy Hash: C6214874E08209DFCB08DFA9D4849AEBBF6FF89310F10D99AD414AB255D730AA41CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0174AC84, Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.674782512.0000000001742000.00000040.00000001.sdmp, Offset: 01742000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 526ad1e075eef1784ae7377013660b457b73529bea82e1d14a41b1f5d7ff3349
Instruction ID: 87d999ceb5b8ecc5b08fe95887bf6d07281945ab2f2f592501fcb87c121a85aa
Opcode Fuzzy Hash: 526ad1e075eef1784ae7377013660b457b73529bea82e1d14a41b1f5d7ff3349
Instruction Fuzzy Hash: D1215EB550D3806FD712CF19DC51957BFF4EF86620F0989DAF8889B253D235A908CB62

Uniqueness

Uniqueness Score: -1.00%

Function 01973428, Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.674998295.0000000001970000.00000040.00000001.sdmp, Offset: 01970000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27751e21f406d24c5b870f52bf945932819643da8b4cd07d52e3408308f1e693
Instruction ID: 7ea09fc398e437a2c691a4819227fe16bad93c5ec5681c14b6287d6bc10a4950
Opcode Fuzzy Hash: 27751e21f406d24c5b870f52bf945932819643da8b4cd07d52e3408308f1e693
Instruction Fuzzy Hash: 0121A634E082499FCB19CFB8E4545DDBFB1FF4A704F1085AAD459AA365EB328A18CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0174A7FE, Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.674782512.0000000001742000.00000040.00000001.sdmp, Offset: 01742000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11288c54782365424860cc3004c8ee43ce00162bb3e8c28520d459ab21f4619e
Instruction ID: b8f590b08e36b0c77f03ddf00e90372a996179354f5dd136c16efe2c8a90d98a
Opcode Fuzzy Hash: 11288c54782365424860cc3004c8ee43ce00162bb3e8c28520d459ab21f4619e
Instruction Fuzzy Hash: F611A376640204BFD6108E0AEC41E62FBACEB89A30F18C96AFD095B211D276F5148BA1

Uniqueness

Uniqueness Score: -1.00%

Function 057000C8, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.677398895.0000000005700000.00000040.00000001.sdmp, Offset: 05700000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6aa557770d9362933b3f6382265567401b59effb22668963b6f306a473051b2a
Instruction ID: 49faf7a9b567e36ab8ead6660d9d67260a0f9b39f9503897137be3f4c9eceda0
Opcode Fuzzy Hash: 6aa557770d9362933b3f6382265567401b59effb22668963b6f306a473051b2a
Instruction Fuzzy Hash: 9F216F34608742DFCB10EB74D04855ABBE2FFC2714F00852EE0468B249EF39D8098742

Uniqueness

Uniqueness Score: -1.00%

Function 057094F0, Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.677398895.0000000005700000.00000040.00000001.sdmp, Offset: 05700000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0eafa13e1eae93d8e6c9354742b953b3cad0f212633db92aefcc9e950fe67c12
Instruction ID: f8bfbc6a5ff06e7028f3412130441d0224aadd86ebdcf93ec16b4cb018c87f60
Opcode Fuzzy Hash: 0eafa13e1eae93d8e6c9354742b953b3cad0f212633db92aefcc9e950fe67c12
Instruction Fuzzy Hash: F5214970D09249DFCB00CFA6D840AAEFFF1FF4A344F1495AAD405AB296D7309A40EB51

Uniqueness

Uniqueness Score: -1.00%

Function 0140075C, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.674461268.0000000001400000.00000040.00000040.sdmp, Offset: 01400000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60634eaf1a38f47296dba1a7f416de5eb95d6d93987b2943d6370124d36a01eb
Instruction ID: bfecf3f7b95dc9d0413cb012c1bdd447173340facd650047cdf554b3fc65f9d9
Opcode Fuzzy Hash: 60634eaf1a38f47296dba1a7f416de5eb95d6d93987b2943d6370124d36a01eb
Instruction Fuzzy Hash: CA11A535204284DFD316CB15C980B26BB95AB48708F24C5AEF9491B7A3C77BD803CE51

Uniqueness

Uniqueness Score: -1.00%

Function 01400884, Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.674461268.0000000001400000.00000040.00000040.sdmp, Offset: 01400000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad4cef6ee2c69cfaa2cc3c2097bc496c673abf8a9be23d596266591c0bf4eeec
Instruction ID: 8c3193ecdb80c07edd44d77d9f12796c01aee69e32d20d0c0bb901e684fa280e
Opcode Fuzzy Hash: ad4cef6ee2c69cfaa2cc3c2097bc496c673abf8a9be23d596266591c0bf4eeec
Instruction Fuzzy Hash: 50117072904200AFD611CE49DC80967B7E8EF85624F14C82EF94987211D336E9158BA2

Uniqueness

Uniqueness Score: -1.00%

Function 0174B14D, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.674782512.0000000001742000.00000040.00000001.sdmp, Offset: 01742000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db6318bb59948abd4724b21f43304f6722abb97004cbeea3b4265a9a498c10f9
Instruction ID: 088f7ecb4d044751472e638f89a54a74dfd8f49ccfb75562db3e98bac604a35f
Opcode Fuzzy Hash: db6318bb59948abd4724b21f43304f6722abb97004cbeea3b4265a9a498c10f9
Instruction Fuzzy Hash: F411D7B5A08301AFD350CF19D881A5BFBE4FB88664F048D6EF99897311D331E9048FA2

Uniqueness

Uniqueness Score: -1.00%

Function 0197623F, Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.674998295.0000000001970000.00000040.00000001.sdmp, Offset: 01970000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b2a4106fb0c3e367559e15c958fda88db7bc731f6e23f486c5feac1aa64edf7
Instruction ID: ea917ae86d2abe637a1f0ddd179fd46677a6805b0a66d537549d30ea3c57f3d5
Opcode Fuzzy Hash: 7b2a4106fb0c3e367559e15c958fda88db7bc731f6e23f486c5feac1aa64edf7
Instruction Fuzzy Hash: FE118F74E04649DFDB48CFA9D5406ADBBB2FF86300F14856AD419B7254D7304A04CB11

Uniqueness

Uniqueness Score: -1.00%

Function 01400737, Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.674461268.0000000001400000.00000040.00000040.sdmp, Offset: 01400000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d556495ab8ddbb50a84f589c37c3da3b93b1929cf09ce02c5e2e02e0a34564a8
Instruction ID: 4d9ba80499420f5736786a2f376c3e5815eecc72b2bea53362a9bcfb7d0e25dd
Opcode Fuzzy Hash: d556495ab8ddbb50a84f589c37c3da3b93b1929cf09ce02c5e2e02e0a34564a8
Instruction Fuzzy Hash: 4A117C351093C08FD717CB25C890B15BFB1AF46308F2985EEE8884B6A3C33A8807CB52

Uniqueness

Uniqueness Score: -1.00%

Function 01974750, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.674998295.0000000001970000.00000040.00000001.sdmp, Offset: 01970000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0ed2ae63cbfa30a207af4f640e540fe2ce0319958e954095d635a5959f1038f
Instruction ID: 987fd913cee7c70b2d715eca6ac56504c5463656a747d5b6b49078dbd4c1ab51
Opcode Fuzzy Hash: d0ed2ae63cbfa30a207af4f640e540fe2ce0319958e954095d635a5959f1038f
Instruction Fuzzy Hash: 95115734D042489FCB05DFB8D8002ADBBB4BF86604F1085EAC85857350D7326A04CB81

Uniqueness

Uniqueness Score: -1.00%

Function 01976250, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.674998295.0000000001970000.00000040.00000001.sdmp, Offset: 01970000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60efa6d19b0e3b4859f5c770e191ac90cf1be8230d79cfcb4d687066e9a5db2c
Instruction ID: f4802f034b7a7d96bd3903b4dedeee152d0830abdd9d34256fcb9db968f392df
Opcode Fuzzy Hash: 60efa6d19b0e3b4859f5c770e191ac90cf1be8230d79cfcb4d687066e9a5db2c
Instruction Fuzzy Hash: 13118BB0E0860EDFDB48DFA9D9446AEBBB6FF89300F10C56AD419B7254DB309A04CB55

Uniqueness

Uniqueness Score: -1.00%

Function 0174A75C, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.674782512.0000000001742000.00000040.00000001.sdmp, Offset: 01742000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1858fac62e07607bb30694933b977e13e81a348686612f5e71895c2253cc86ca
Instruction ID: f13280134108790b48d47e65677f568cdf18222937d7d2a83e293f681ba771c7
Opcode Fuzzy Hash: 1858fac62e07607bb30694933b977e13e81a348686612f5e71895c2253cc86ca
Instruction Fuzzy Hash: E101D47150D3C02FD71347255C55AA2BFB8DF43620F0885CBE9849F193D226A909C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 019748A0, Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.674998295.0000000001970000.00000040.00000001.sdmp, Offset: 01970000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4656684c54c13ef6ebd37f365e986f15e4e39448d382f7545bb289cb5b890821
Instruction ID: ef0327820588f58c388da06c2704ccf8cfdf88d554f75fd4f9937e007a46b2c3
Opcode Fuzzy Hash: 4656684c54c13ef6ebd37f365e986f15e4e39448d382f7545bb289cb5b890821
Instruction Fuzzy Hash: F7113974D042489FDB58EFB8E8416AEBFB0FB4A305F1086AAC868A3352D7305A40CF51

Uniqueness

Uniqueness Score: -1.00%

Function 05703380, Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.677398895.0000000005700000.00000040.00000001.sdmp, Offset: 05700000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fdd224ee49255f7a5ad345fd6f0f5b0568d9e92e6990f4949e81619386089762
Instruction ID: 282f79048fdc5aff302a79a806deea95a8a681d35a5eab5d3b53ac508f7825b2
Opcode Fuzzy Hash: fdd224ee49255f7a5ad345fd6f0f5b0568d9e92e6990f4949e81619386089762
Instruction Fuzzy Hash: 0E012871B04709CFD311CA68D8443BE7BF1EB44344F209C7AD001CB284EF748842A740

Uniqueness

Uniqueness Score: -1.00%

Function 057095C9, Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.677398895.0000000005700000.00000040.00000001.sdmp, Offset: 05700000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b7d63874aa8aed18be6f9ceb2779bf6c2760ee645f0e014c4947820de39a81b
Instruction ID: 418ed60f3b9514b7a01ef0b53bb1b4a01db53f25740196e7e6399aa295a84d15
Opcode Fuzzy Hash: 4b7d63874aa8aed18be6f9ceb2779bf6c2760ee645f0e014c4947820de39a81b
Instruction Fuzzy Hash: 2A017C38A04208AFC705DFB9C954A9ABFF5FF4A204F15C0D9E9489B3A2D631ED41CB41

Uniqueness

Uniqueness Score: -1.00%

Function 014005D4, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.674461268.0000000001400000.00000040.00000040.sdmp, Offset: 01400000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55d68321d530afc6eb6ec1b1fa3087d8a0fc372b0ac3791099227bcaf5159193
Instruction ID: d7cf54d36dcc1d470dc25c136ae3c82d89ddb2e7edbe127c7f8f9b23cd0ddcdf
Opcode Fuzzy Hash: 55d68321d530afc6eb6ec1b1fa3087d8a0fc372b0ac3791099227bcaf5159193
Instruction Fuzzy Hash: 0CF0A9755497806FD7118F1AEC40853FFE8EF46230719C5ABEC49CB212D275B549CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0197293E, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.674998295.0000000001970000.00000040.00000001.sdmp, Offset: 01970000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 663d7c798894baff323e641d4ceea3018102f35a67b764ac6efbdc4b74db3f81
Instruction ID: dcaa772f93c290023374e0711d9009309bbbe98d6462bedb26846a0d1fc59d0b
Opcode Fuzzy Hash: 663d7c798894baff323e641d4ceea3018102f35a67b764ac6efbdc4b74db3f81
Instruction Fuzzy Hash: 6D217E74A022A88FEB60DFA4D954B9CBBB1BB49240F1046DAD40DA7394DB305E85CF60

Uniqueness

Uniqueness Score: -1.00%

Function 057033E0, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.677398895.0000000005700000.00000040.00000001.sdmp, Offset: 05700000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99c8d6c4f8b3ec6f826344d4aef74d26bff902d5f20e58c7b2ddeb3e77435b61
Instruction ID: 2d35d9d5a4c870acc5bd28bec3e4a27fcfa5f9aea2e14f17a26885bb66f0412b
Opcode Fuzzy Hash: 99c8d6c4f8b3ec6f826344d4aef74d26bff902d5f20e58c7b2ddeb3e77435b61
Instruction Fuzzy Hash: 4E017C70A04309CBDB64DF68C4557AF7EF6EB48710F10142AE001EB384DF7558459B90

Uniqueness

Uniqueness Score: -1.00%

Function 01973389, Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.674998295.0000000001970000.00000040.00000001.sdmp, Offset: 01970000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a97206d9cae46c614e3505d1e83c9882fd815694b63c43a5d5ff28312bfdb584
Instruction ID: c079913fd66392978d686335b2c5a0d5c3f043509a2515cfefe78c0b6cbb8f45
Opcode Fuzzy Hash: a97206d9cae46c614e3505d1e83c9882fd815694b63c43a5d5ff28312bfdb584
Instruction Fuzzy Hash: 74014674E0520ADFCB14CFA8E1849DDBBB1FB88310F50882AE019A6314EB319A448F14

Uniqueness

Uniqueness Score: -1.00%

Function 01975314, Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.674998295.0000000001970000.00000040.00000001.sdmp, Offset: 01970000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16ca91f402cedf0b150849f15642b2208cbc4775ffd367436fc666c633f843de
Instruction ID: a5ba9e7da2cb1ab8702bca88b92f6cfae10f55aa40d8d98581b3f51b42f93d65
Opcode Fuzzy Hash: 16ca91f402cedf0b150849f15642b2208cbc4775ffd367436fc666c633f843de
Instruction Fuzzy Hash: A111AB70A04328CFDB64CF59C880BDDBBB8EF49341F4581AAA408AB261D770AA81CF54

Uniqueness

Uniqueness Score: -1.00%

Function 01970366, Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.674998295.0000000001970000.00000040.00000001.sdmp, Offset: 01970000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b57fa8f68efac3c191ec90699b9d3aca6385a94fdcbccd74262eec99d26a858c
Instruction ID: ade9f5a613f5027b2397dc1ac50932de64ec33ed1690791de6e00cbb3daffbc5
Opcode Fuzzy Hash: b57fa8f68efac3c191ec90699b9d3aca6385a94fdcbccd74262eec99d26a858c
Instruction Fuzzy Hash: AB110970B01368CFCB64DF24D8487AEB7B6FB86244F1094D9950AA7354DB309E82CF92

Uniqueness

Uniqueness Score: -1.00%

Function 01970647, Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.674998295.0000000001970000.00000040.00000001.sdmp, Offset: 01970000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 069a01175e7e92b28176402122d8c68713cf75118e7818f0e1c27801d42d1c94
Instruction ID: 93dc3bb7c3262e0c0996acf9f63c7811fd0124af2bce0dbb3c94fd9021cb283a
Opcode Fuzzy Hash: 069a01175e7e92b28176402122d8c68713cf75118e7818f0e1c27801d42d1c94
Instruction Fuzzy Hash: B7012970B11348CFCF44DFA8D9489AEBBF6FB89304B2089599509AB354EB309D42CB81

Uniqueness

Uniqueness Score: -1.00%

Function 05705890, Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.677398895.0000000005700000.00000040.00000001.sdmp, Offset: 05700000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44f54775e14c6571caa5896ab0e2894d6485b0930bb8c19dfeba4551faee37f9
Instruction ID: 1b6cb7946b19b09731935b8f762f9d3b01e24d420ee861e143b6babd41864520
Opcode Fuzzy Hash: 44f54775e14c6571caa5896ab0e2894d6485b0930bb8c19dfeba4551faee37f9
Instruction Fuzzy Hash: 89F0303094F248EFDB159BA4D8444ADBFF5BB07200F04B1AAD845572D6D7305909EB55

Uniqueness

Uniqueness Score: -1.00%

Function 05700350, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.677398895.0000000005700000.00000040.00000001.sdmp, Offset: 05700000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ae8b001dfafc73970a938ff33fb2e2559037f77b237fee410d86eb6e58ab6a4
Instruction ID: c02f50d9d117a2dd65e582d4a2508b0a2442dae8ea74e67fde4c3845a3a9c44c
Opcode Fuzzy Hash: 2ae8b001dfafc73970a938ff33fb2e2559037f77b237fee410d86eb6e58ab6a4
Instruction Fuzzy Hash: 57F01C2550DBC08FCB37C730A4689A1FFF0AE4762035996DFD0868B6E7C654AC4AC791

Uniqueness

Uniqueness Score: -1.00%

Function 05707F30, Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.677398895.0000000005700000.00000040.00000001.sdmp, Offset: 05700000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c278c061bbc296b910feec9cf456bcd2e8e495024863906064b34c8c04642e2c
Instruction ID: 2b190f951d770e2ebf864bd495fe28a3584b25cbce6d5bc57e15f861f3aa3b54
Opcode Fuzzy Hash: c278c061bbc296b910feec9cf456bcd2e8e495024863906064b34c8c04642e2c
Instruction Fuzzy Hash: 8401C9B4E00208DFCB48EFA8D545AADBBF1FF88300F1085A9D815A7754D771A981CF40

Uniqueness

Uniqueness Score: -1.00%

Function 014008C6, Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.674461268.0000000001400000.00000040.00000040.sdmp, Offset: 01400000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4617ee9eed03ecd9698be4e8833088b26a6a78cf8e98eaba9e26b5b1e20da6c
Instruction ID: d226e6fc56d248186c1c8fdacea7b69e1bcdfb0c6daacdeda6600787bc92775b
Opcode Fuzzy Hash: f4617ee9eed03ecd9698be4e8833088b26a6a78cf8e98eaba9e26b5b1e20da6c
Instruction Fuzzy Hash: 0DF08CB28056046FD640DF09ED418A6F7ECDF85621B18C96FED088B301E276AA158AE6

Uniqueness

Uniqueness Score: -1.00%

Function 0570CCF7, Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.677398895.0000000005700000.00000040.00000001.sdmp, Offset: 05700000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbbdaf1c4cea54a4d69cd9ee23b94e8132d1f65dd9c3f3cd7a9181c9ebd19ccd
Instruction ID: b58ec86cb6bb69f2c673dc8c4ff861f8dbd06a1bb4c1b8f5059641f23b49a521
Opcode Fuzzy Hash: dbbdaf1c4cea54a4d69cd9ee23b94e8132d1f65dd9c3f3cd7a9181c9ebd19ccd
Instruction Fuzzy Hash: 2E01E574A04519CBDB64DF64C884A9DF7B2BF99300F508199940DA7394DB305E81CF51

Uniqueness

Uniqueness Score: -1.00%

Function 057095D8, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.677398895.0000000005700000.00000040.00000001.sdmp, Offset: 05700000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7aafb7e3f54e879b8087ffa400da08c04fbefb35aefaa0171b8b55cd08e6ee6a
Instruction ID: 0fabc4ddc0a01cad35c5c4d69b68675fece42a6e22383c569c92e3f0605f919b
Opcode Fuzzy Hash: 7aafb7e3f54e879b8087ffa400da08c04fbefb35aefaa0171b8b55cd08e6ee6a
Instruction Fuzzy Hash: CCF07478A00208AFDB04DFA9D588A9DFFF5FF88310F15C19999099B365DB30EA90CB41

Uniqueness

Uniqueness Score: -1.00%

Function 019758D3, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.674998295.0000000001970000.00000040.00000001.sdmp, Offset: 01970000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddc70ab3134eceaa7edd287e908c466ea3e5a009aca8c2377f643bbdc26b62d4
Instruction ID: e1a76ea1fee13810af2f33a2b5ca96783c9340824d9ec71048bb46a1eff39082
Opcode Fuzzy Hash: ddc70ab3134eceaa7edd287e908c466ea3e5a009aca8c2377f643bbdc26b62d4
Instruction Fuzzy Hash: ED01C075C00228CFDB65DF20C8A1BE9BBB0FB09310F409AD9D65DAB241D7309A82DF50

Uniqueness

Uniqueness Score: -1.00%

Function 01400818, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.674461268.0000000001400000.00000040.00000040.sdmp, Offset: 01400000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8388fa57679453dc7b04d871bb3dcfd317d9f8cb342853e5fed44ee7779b5e3e
Instruction ID: 1663106d069ca9f616e67b8647daa3c772a5dc707813f4dd1a8f2e4e656306c6
Opcode Fuzzy Hash: 8388fa57679453dc7b04d871bb3dcfd317d9f8cb342853e5fed44ee7779b5e3e
Instruction Fuzzy Hash: ECF0FB35108644DFC206CB44D940B26FBA2EB89718F24C6A9E9490B762C33BD813DA81

Uniqueness

Uniqueness Score: -1.00%

Function 01970DB3, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.674998295.0000000001970000.00000040.00000001.sdmp, Offset: 01970000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 452fe3961cea6e03d3ff092e7fdd67f683c887cd706a5616d84f08103709d952
Instruction ID: 3b502d0a8234330346fb329dbf8bf10154114ef9e3c9120493db378859e1355d
Opcode Fuzzy Hash: 452fe3961cea6e03d3ff092e7fdd67f683c887cd706a5616d84f08103709d952
Instruction Fuzzy Hash: BF011970E04309CFDB04DF64E15869DBBB6EF4E311F14582AE00AAA244DB346C84CF55

Uniqueness

Uniqueness Score: -1.00%

Function 057083F5, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.677398895.0000000005700000.00000040.00000001.sdmp, Offset: 05700000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42330c70977f0021b7a8269ca5caa6db207ffe1974f7a2edb409d18e225e719e
Instruction ID: 6eca8e1450f2757d68c330001f1dd40d3315a3f228921ca442d6e80cdecf4e64
Opcode Fuzzy Hash: 42330c70977f0021b7a8269ca5caa6db207ffe1974f7a2edb409d18e225e719e
Instruction Fuzzy Hash: 61015E74A01358CFCB94CF64C984B98BBF2EB49311F209099E809AB354D7359E80CF45

Uniqueness

Uniqueness Score: -1.00%

Function 01975777, Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.674998295.0000000001970000.00000040.00000001.sdmp, Offset: 01970000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e224d96c64e31bca4771556d72384574530233059fba6e03e995582658b7f89
Instruction ID: 1301ca958bff33f1538b1c675def5bb7f07d15bb96f001318f8f86793ed176d9
Opcode Fuzzy Hash: 8e224d96c64e31bca4771556d72384574530233059fba6e03e995582658b7f89
Instruction Fuzzy Hash: 6F019974C04228CEEB61CF65C941BEEBBB5BF49304F1085D9944AA6241C7326A82CF40

Uniqueness

Uniqueness Score: -1.00%

Function 0197521E, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.674998295.0000000001970000.00000040.00000001.sdmp, Offset: 01970000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95754c90bfefaf932777bd4417fb6f75b57d07db682e909dea63a8734c012086
Instruction ID: d7278fd4b6d5fde46252f5c61dacd2d5e1a6ced8ad63091b2511517e529a7e81
Opcode Fuzzy Hash: 95754c90bfefaf932777bd4417fb6f75b57d07db682e909dea63a8734c012086
Instruction Fuzzy Hash: D301D27490022DEFDBA0CF50C940BD9BBB4FB08304F5185D9A409A7251DB746B85DF50

Uniqueness

Uniqueness Score: -1.00%

Function 0570CB94, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.677398895.0000000005700000.00000040.00000001.sdmp, Offset: 05700000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29a293c72ee0fbb62204da668ef708be29867fe33f6474999de64bda81599c58
Instruction ID: d3db51a6632d2323380fd7b8ea9f91038c290f838324044469ce85835ceacbee
Opcode Fuzzy Hash: 29a293c72ee0fbb62204da668ef708be29867fe33f6474999de64bda81599c58
Instruction Fuzzy Hash: E6F032B0D04729CFDB14CFA4C844B9EF7F5FF49304F00A1AA8409AB264D334AA418F01

Uniqueness

Uniqueness Score: -1.00%

Function 014005F6, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.674461268.0000000001400000.00000040.00000040.sdmp, Offset: 01400000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f26600488eaac1252cacbce8132636f12230034c7cd2665bff6faa89c924f3bc
Instruction ID: 314069b7c4da9e8ad50e4c45883e3215092b97909a8f78335eb67fb7d140dacb
Opcode Fuzzy Hash: f26600488eaac1252cacbce8132636f12230034c7cd2665bff6faa89c924f3bc
Instruction Fuzzy Hash: C7E06D76A006005BD650CF0AEC41462FBD8EB88630718C46BDC0D8B711E535F5048EA5

Uniqueness

Uniqueness Score: -1.00%

Function 01974BE1, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.674998295.0000000001970000.00000040.00000001.sdmp, Offset: 01970000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75476dba822267094a2cb0068cbbd6caf1fa1abe8adfaecfba077e707ea53fe8
Instruction ID: dbd5198857820a7de3464ffa333bf24c8758e8578b025a05fd02d55fbf0bb8f6
Opcode Fuzzy Hash: 75476dba822267094a2cb0068cbbd6caf1fa1abe8adfaecfba077e707ea53fe8
Instruction Fuzzy Hash: B8F05E75D0020DEFDB01DFA8C84069DBFB1FF48300F1086AAE81893251D3719E61DB91

Uniqueness

Uniqueness Score: -1.00%

Function 01975619, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.674998295.0000000001970000.00000040.00000001.sdmp, Offset: 01970000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46ce4de121978354e28c4ab006813b9a9ded8613b0037818157019b058208af6
Instruction ID: beee70ce368e9d775ae4be18ae4bf170cf226e3b1d3b14ae18b4154c51765b2b
Opcode Fuzzy Hash: 46ce4de121978354e28c4ab006813b9a9ded8613b0037818157019b058208af6
Instruction Fuzzy Hash: EFF01775E05228CFCB26CF60DC41BDDBBB1FF48340F1484999569A7292D3355A81CF51

Uniqueness

Uniqueness Score: -1.00%

Function 0570C3C8, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.677398895.0000000005700000.00000040.00000001.sdmp, Offset: 05700000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4357399895c5661b1d82066afad8c8665f774098facce6a6b9fc8e768268b1fd
Instruction ID: 740110ea5bb9cbbf2311cbebd77c66eb3862f5e89424109c9ce42fd80ab81c87
Opcode Fuzzy Hash: 4357399895c5661b1d82066afad8c8665f774098facce6a6b9fc8e768268b1fd
Instruction Fuzzy Hash: 8EF08274848358DFCB51CB60C0457AEF6F6FB53306F1161EA819B55154C7348A43DF52

Uniqueness

Uniqueness Score: -1.00%

Function 0174A9A7, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.674782512.0000000001742000.00000040.00000001.sdmp, Offset: 01742000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4965d4c9dbc042ca438a17052824b36b96c89321db602ae2a8f93519c5cb4b7e
Instruction ID: 62f2c0f00ad4b4718ed802cc28db4ea383c6e14b5a1e8a2b8703d90c4300d39f
Opcode Fuzzy Hash: 4965d4c9dbc042ca438a17052824b36b96c89321db602ae2a8f93519c5cb4b7e
Instruction Fuzzy Hash: 0CE0D871A403006BD2508E0AAC42B22FB98DB44930F44C957ED0C5B301E175F5048AE5

Uniqueness

Uniqueness Score: -1.00%

Function 0174B1AF, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.674782512.0000000001742000.00000040.00000001.sdmp, Offset: 01742000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a29f51eec7516ae332c73a5e64f61e9dc5d24f96a5af738fe22c3ebcb6bedc93
Instruction ID: 41e8d2d4da0ddbcb557de7a4ce23931329a4f12367718872c709fd1c262e1dff
Opcode Fuzzy Hash: a29f51eec7516ae332c73a5e64f61e9dc5d24f96a5af738fe22c3ebcb6bedc93
Instruction Fuzzy Hash: 31E0D872A403006BD2508E0AAC42B22FB98DB44A30F04C557ED081B302E171F5148AE5

Uniqueness

Uniqueness Score: -1.00%

Function 0174ABBF, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.674782512.0000000001742000.00000040.00000001.sdmp, Offset: 01742000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fe80fa6a3486db6410fda8734fa78f3bbb282b39c5610e52af1d6efaaef5fa5
Instruction ID: 5a105436796074d69db6108037763a3fdd82169238b486078a2f70e3636e3bf9
Opcode Fuzzy Hash: 6fe80fa6a3486db6410fda8734fa78f3bbb282b39c5610e52af1d6efaaef5fa5
Instruction Fuzzy Hash: DEE02071A403006BD2509F0AEC42B23FB9CDB44930F44C957ED0C1B302E175F5048EE5

Uniqueness

Uniqueness Score: -1.00%

Function 0174ACE7, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.674782512.0000000001742000.00000040.00000001.sdmp, Offset: 01742000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b31137dfbe647c8c66a2b3581f3bed73bbfd8b25eeb67d4482f233616e0f82a
Instruction ID: 2bb70e67dbf42448a32bbbeedb44b0838b7202ef82dacb8d9dd3cb3f572b2905
Opcode Fuzzy Hash: 2b31137dfbe647c8c66a2b3581f3bed73bbfd8b25eeb67d4482f233616e0f82a
Instruction Fuzzy Hash: 82E0D876A413006BD2608F0AAC42F23FB98DB54A30F04C55BED081B301E171F5048AE5

Uniqueness

Uniqueness Score: -1.00%

Function 0174AF3F, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.674782512.0000000001742000.00000040.00000001.sdmp, Offset: 01742000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c3f854f8fe0b45a32fe38269bfd20bd8e37ba257c87a04bf432747f29a3557c
Instruction ID: 339631713a359f371f96cc62df6bf6c38093c122c975d7ef03aa459a936f4289
Opcode Fuzzy Hash: 4c3f854f8fe0b45a32fe38269bfd20bd8e37ba257c87a04bf432747f29a3557c
Instruction Fuzzy Hash: 46E0D872A403006BD2508F0AAC42F22FB98DB54A30F08C55BED081B301E171F5048AE5

Uniqueness

Uniqueness Score: -1.00%

Function 0174A790, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.674782512.0000000001742000.00000040.00000001.sdmp, Offset: 01742000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 015f0a7441757d9bd7eab4a69f8de20f2d32b51e286c018cd59545cfd7001b2f
Instruction ID: cbe2685a6086cf6f86fa8482b47b7d3e1d87f4668beb02467e0cb9291779f047
Opcode Fuzzy Hash: 015f0a7441757d9bd7eab4a69f8de20f2d32b51e286c018cd59545cfd7001b2f
Instruction Fuzzy Hash: E4E02071A403006BD2509F0AEC42B23FB9CDB44930F44C957ED0C1B302E175F5048EE5

Uniqueness

Uniqueness Score: -1.00%

Function 0174AE13, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.674782512.0000000001742000.00000040.00000001.sdmp, Offset: 01742000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b69d838edf01ccf41f8d75cecd6b21c3f0806df3a1f3b96d51279e4355ae65b3
Instruction ID: 5681a5090b0c1302d939c2bc908ec7a6c2daa51ec5c47536c80987a9d1719f67
Opcode Fuzzy Hash: b69d838edf01ccf41f8d75cecd6b21c3f0806df3a1f3b96d51279e4355ae65b3
Instruction Fuzzy Hash: B1E0D872A403006BD2608F0AAC42F22FB98EB44A30F04C55BED081B301E171F5048AE5

Uniqueness

Uniqueness Score: -1.00%

Function 01970F50, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.674998295.0000000001970000.00000040.00000001.sdmp, Offset: 01970000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d52c4ede1ad432ab3b2511c5d6c5d2db17b4ab8c03000efff4829e7a5ef74c75
Instruction ID: b4a78f16517e1ba1bc501365d5903ee7e4e134e3a4329b4252ef97c40a5eb534
Opcode Fuzzy Hash: d52c4ede1ad432ab3b2511c5d6c5d2db17b4ab8c03000efff4829e7a5ef74c75
Instruction Fuzzy Hash: 53E06570D1A248AFCB599BB8D0052EDBFB0EB86304F2486EEC894A7211D7354949CF01

Uniqueness

Uniqueness Score: -1.00%

Function 01976358, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.674998295.0000000001970000.00000040.00000001.sdmp, Offset: 01970000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2919296a2a68771b030c9fb0fc6f4934d286770cf5b7d1ad96a63f10e2c208d1
Instruction ID: f7aa2ccf75aabf2a010e0a66b85747c937390a8dfcb9d88241c8c222b75676b2
Opcode Fuzzy Hash: 2919296a2a68771b030c9fb0fc6f4934d286770cf5b7d1ad96a63f10e2c208d1
Instruction Fuzzy Hash: D1E01A7086A3849FD7169BB894212DA7FF0AF47319F7445EEC884DB262D3325548CB11

Uniqueness

Uniqueness Score: -1.00%

Function 057058A0, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.677398895.0000000005700000.00000040.00000001.sdmp, Offset: 05700000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7dfb042597456fb153265950b84e537eda89d5ef182f83ab6e2f040cdb186121
Instruction ID: 380d25df2d65d53795b97c712c88e139b4d923373acb4f7f4d755f952ffd3934
Opcode Fuzzy Hash: 7dfb042597456fb153265950b84e537eda89d5ef182f83ab6e2f040cdb186121
Instruction Fuzzy Hash: CCE01234846208EBD714EF54D4059ADBBB9FB46311F50A159EC4513284C7305954EB55

Uniqueness

Uniqueness Score: -1.00%

Function 01975781, Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.674998295.0000000001970000.00000040.00000001.sdmp, Offset: 01970000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9eb5fe96646486a853879cee65da91f4b9cf841ced43d09ef1b2b78e9bc334d
Instruction ID: fef9dcf911a98ed926fea4b8a6a47b1f3480cc0dec56e6fe16ee26cb8687a6db
Opcode Fuzzy Hash: f9eb5fe96646486a853879cee65da91f4b9cf841ced43d09ef1b2b78e9bc334d
Instruction Fuzzy Hash: 02F09D75D04228DFEB61DF64C840BEEBBB5FB08300F2085D9940AA3251D7325A82DF40

Uniqueness

Uniqueness Score: -1.00%

Function 0570CB4F, Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.677398895.0000000005700000.00000040.00000001.sdmp, Offset: 05700000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ac8de288770abc6c127a76c4fd21b268e3267d2269476a2981b344e41512584
Instruction ID: 57c27d3bcffd7d7751f072e694c62ecb178b149ba279362bb05af4b207818eb4
Opcode Fuzzy Hash: 1ac8de288770abc6c127a76c4fd21b268e3267d2269476a2981b344e41512584
Instruction Fuzzy Hash: 1FF058B0C04369CFDB10CFA8C884BAEFBF2BF58301F0050A99549AB244D7346A00CF15

Uniqueness

Uniqueness Score: -1.00%

Function 05700640, Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.677398895.0000000005700000.00000040.00000001.sdmp, Offset: 05700000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: baad5dce660b551580cd674630ccb5fc2fe76f889fa25d9635f1d2024b09cd10
Instruction ID: 172a9cdc0154589d00d7a143be0a4d5faea8b0ab205610534a00add41ce12ece
Opcode Fuzzy Hash: baad5dce660b551580cd674630ccb5fc2fe76f889fa25d9635f1d2024b09cd10
Instruction Fuzzy Hash: BCD05E2271082517090A326EA8148AF928FDBCAD65394002EF10ADB384CE58AD0A03EA

Uniqueness

Uniqueness Score: -1.00%

Function 019720B7, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.674998295.0000000001970000.00000040.00000001.sdmp, Offset: 01970000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d815e0065e3f5236112793dc888eae265c20485b4244f6abf74a9fcab055abe0
Instruction ID: 899afcdbb4113c712585f181698e49fc99839a95fe15aa3791f8d870b4fcc3a9
Opcode Fuzzy Hash: d815e0065e3f5236112793dc888eae265c20485b4244f6abf74a9fcab055abe0
Instruction Fuzzy Hash: 79F01574D092489FCB06EFA8D8552AEBFB0FB49700F0085EED85497261E3745A45CF92

Uniqueness

Uniqueness Score: -1.00%

Function 019748B0, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.674998295.0000000001970000.00000040.00000001.sdmp, Offset: 01970000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11d3b6add68ae5da23cd103807b4ef9c978bca2c3248857fd155bbe95bbedcf6
Instruction ID: 375d95fb07c0158389973c1d42deb4cf30b12b11828b3ab9016b92191cafe205
Opcode Fuzzy Hash: 11d3b6add68ae5da23cd103807b4ef9c978bca2c3248857fd155bbe95bbedcf6
Instruction Fuzzy Hash: 14E04874E0020CDFC744EFB8D8455AEBBB4FB49341F1086A9D818A3341D7706A41CF95

Uniqueness

Uniqueness Score: -1.00%

Function 019734C0, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.674998295.0000000001970000.00000040.00000001.sdmp, Offset: 01970000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c7cf0c48267bab1761a02dcb02776cc229707ee42183f5999aef42632ed74a2
Instruction ID: 68e227de2c58c57bd3f4a4821cacf9c031acff5293855699141d6a81a01e5351
Opcode Fuzzy Hash: 6c7cf0c48267bab1761a02dcb02776cc229707ee42183f5999aef42632ed74a2
Instruction Fuzzy Hash: AEE06D70D183489FCB16DFB8C4112DDBFB0AF06604F1085EEC884D7221D2364A18CF51

Uniqueness

Uniqueness Score: -1.00%

Function 01973006, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.674998295.0000000001970000.00000040.00000001.sdmp, Offset: 01970000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e2268f21a09a853140b307b9dde8ce689a5825ea650792f834a46d1834d64fe
Instruction ID: 630cf84578f0beda7c21ac0d9207f7ab21c559748a0019e5508da3df1e0e1638
Opcode Fuzzy Hash: 6e2268f21a09a853140b307b9dde8ce689a5825ea650792f834a46d1834d64fe
Instruction Fuzzy Hash: 22F09D74D09368CFDB22CF60DA88B99BBB2BB55342F2045DA950A67294C7356FC4CF12

Uniqueness

Uniqueness Score: -1.00%

Function 0197562E, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.674998295.0000000001970000.00000040.00000001.sdmp, Offset: 01970000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4bac8f6c92159ee95b5b098cb240208fa0ec48e3933f9b3d59c4e5d3873eadc
Instruction ID: 6d726963999088d18cc645482cd5eb3276a502e5572ed1ebc2626e4d057ad948
Opcode Fuzzy Hash: c4bac8f6c92159ee95b5b098cb240208fa0ec48e3933f9b3d59c4e5d3873eadc
Instruction Fuzzy Hash: FBF0B735902229DFCB60CF54C980BD9F7B5FB48304F1494D9D41DA7252D735AA95CF00

Uniqueness

Uniqueness Score: -1.00%

Function 01973E77, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.674998295.0000000001970000.00000040.00000001.sdmp, Offset: 01970000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56c33c7d7c39883623502a8568468a283fa8d2a39ed1f08842f0541c45b70a84
Instruction ID: 377d6bb2c38b0d68b547765edb2d695c48fc3b3863a967bd00200399e655ddb0
Opcode Fuzzy Hash: 56c33c7d7c39883623502a8568468a283fa8d2a39ed1f08842f0541c45b70a84
Instruction Fuzzy Hash: 51F0153091A344DFCB19EFB49419299BFF0BF86300F2486EEC41697260D7398A45CF06

Uniqueness

Uniqueness Score: -1.00%

Function 0570E252, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.677398895.0000000005700000.00000040.00000001.sdmp, Offset: 05700000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8069ac84033b377b981fa56a77fede1efa626a1c782c6cfe16f4b42efaff93da
Instruction ID: fe2442c8bca73186e5e796b5416ca75e6cccd29d448870728b85a873485582b8
Opcode Fuzzy Hash: 8069ac84033b377b981fa56a77fede1efa626a1c782c6cfe16f4b42efaff93da
Instruction Fuzzy Hash: 3AF092349183489FCB55DFB8D455699BFF0EF4A204F1445EEC885D7261D6315944CB11

Uniqueness

Uniqueness Score: -1.00%

Function 057002CF, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.677398895.0000000005700000.00000040.00000001.sdmp, Offset: 05700000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce4d98b69c0377424d7bd4a7c0e81fc57bc338d7ec3d41de0089af8932f3049d
Instruction ID: ee4c8d45f12038698ba84be42048b3c5fb3e175e1074c0c28a71ef6e7f068a92
Opcode Fuzzy Hash: ce4d98b69c0377424d7bd4a7c0e81fc57bc338d7ec3d41de0089af8932f3049d
Instruction Fuzzy Hash: 9CE02621A0C7DC07C7254234581C3677FC61BC2524F49089EC9C947B82CDA4680083E7

Uniqueness

Uniqueness Score: -1.00%

Function 019745B1, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.674998295.0000000001970000.00000040.00000001.sdmp, Offset: 01970000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b1a329207de7bb11dd8517a03ec850033a9b318f31ad8f16303677a8f031626
Instruction ID: b046bd0b46893e4395099db348f72042f9cfc6fc8d32652f9b62a31d7e8701a3
Opcode Fuzzy Hash: 0b1a329207de7bb11dd8517a03ec850033a9b318f31ad8f16303677a8f031626
Instruction Fuzzy Hash: D8E06578A01208AFD708DFB8D444298BFF0EF45704F0081AA9808A7391EB319E48CF42

Uniqueness

Uniqueness Score: -1.00%

Function 01974BF0, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.674998295.0000000001970000.00000040.00000001.sdmp, Offset: 01970000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 019a754cb282149dbe294b7a53a31fb68b484c093b11e314c5afecc89283d0aa
Instruction ID: c5776ce620b4865c5c227d383b292eb523ca22cd21985c8d08ccec4ca71252d2
Opcode Fuzzy Hash: 019a754cb282149dbe294b7a53a31fb68b484c093b11e314c5afecc89283d0aa
Instruction Fuzzy Hash: 99F0C975D0020DEFCF41EFA8D845AAEBFB5FB48300F00855AE924A3250D7719660DF91

Uniqueness

Uniqueness Score: -1.00%

Function 01971091, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.674998295.0000000001970000.00000040.00000001.sdmp, Offset: 01970000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a40aaff5ee142e69732577ee1f5d74962707ec1298d0915e9bcd86f34bd53fe0
Instruction ID: 3fe98cc8ce1dd5dc4a8c270e273ed1a2aea13aa3b93512924aa76efb08422385
Opcode Fuzzy Hash: a40aaff5ee142e69732577ee1f5d74962707ec1298d0915e9bcd86f34bd53fe0
Instruction Fuzzy Hash: 94E06D71E14248DFDB55DBB8D41129C7FB0AB8A304F2082ADC44497251E7368540CF41

Uniqueness

Uniqueness Score: -1.00%

Function 01974799, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.674998295.0000000001970000.00000040.00000001.sdmp, Offset: 01970000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8031b42d10152499dc36c05e947e0aa3bc3bd0752643a9cdf0a6ee195590ef09
Instruction ID: d23d952da8fe0e296750e47df68a31d9525d5f298e655a561eaec546046b17aa
Opcode Fuzzy Hash: 8031b42d10152499dc36c05e947e0aa3bc3bd0752643a9cdf0a6ee195590ef09
Instruction Fuzzy Hash: 06E09A70E04348AFCB50EFB8D40129CBFB4AF45608F1481EECC4897282E2309A04CB41

Uniqueness

Uniqueness Score: -1.00%

Function 019755AE, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.674998295.0000000001970000.00000040.00000001.sdmp, Offset: 01970000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a9fc8e9a4689bc68cb3b8931bdde0bbe7a73f7c26ac6dd8f3e14cb146bbeab4
Instruction ID: 6e17b0a67f0ae6dd5b0d9c796f170e99f0678bcc92db14998004ff2cbdb73264
Opcode Fuzzy Hash: 4a9fc8e9a4689bc68cb3b8931bdde0bbe7a73f7c26ac6dd8f3e14cb146bbeab4
Instruction Fuzzy Hash: B7F01575E00218CFCB25CFA0CD81BDCBBB1FB08300F1080999628AB291D335AA81CF50

Uniqueness

Uniqueness Score: -1.00%

Function 01973E01, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.674998295.0000000001970000.00000040.00000001.sdmp, Offset: 01970000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 423c74e7fc7b1e017d6dc1134a91b95d2c4dd78505ac1e1e3e0fdc274ba4286d
Instruction ID: d50d2ac66c00342410f0eb2c9cd7802f6a2b17fff445a3bbded5d1a2ceae31de
Opcode Fuzzy Hash: 423c74e7fc7b1e017d6dc1134a91b95d2c4dd78505ac1e1e3e0fdc274ba4286d
Instruction Fuzzy Hash: 5BE0DF30E152448FC702EFB8A40928CBFF0BF06300F2406EAC844C3121E3744644CB51

Uniqueness

Uniqueness Score: -1.00%

Function 01974678, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.674998295.0000000001970000.00000040.00000001.sdmp, Offset: 01970000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9873a302b1cebb7131ef3566735c93ef97b4120b98283d97d0e9244cca60b9d4
Instruction ID: eff28917054a19123ac638c515e44547c99a9b97b63e9fb754d936b979d14b50
Opcode Fuzzy Hash: 9873a302b1cebb7131ef3566735c93ef97b4120b98283d97d0e9244cca60b9d4
Instruction Fuzzy Hash: 6EE01270E1520C9FEB54DFB8D44569DBFB0AB86304F1086EAC80897251D3345A45CF41

Uniqueness

Uniqueness Score: -1.00%

Function 0570BB2A, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.677398895.0000000005700000.00000040.00000001.sdmp, Offset: 05700000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c40b933de0515fefe2b62ffa35a7c277dad4fe0074c79ac55a8e1fb836e97046
Instruction ID: 86c9ea7098f25e8d8156aac54acabffae2c86e6a4b6902444d91a0f296b1a3d1
Opcode Fuzzy Hash: c40b933de0515fefe2b62ffa35a7c277dad4fe0074c79ac55a8e1fb836e97046
Instruction Fuzzy Hash: E6E08631B0924CDFEF11DF58F840A9C7BA1FB46214F1055D9D55C86096D63116118F41

Uniqueness

Uniqueness Score: -1.00%

Function 01973598, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.674998295.0000000001970000.00000040.00000001.sdmp, Offset: 01970000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 049a741c666c703faf72d9d6cc14a1ca15f29d9cbf9e6a68ac6bbf5bb7fb20b2
Instruction ID: 2bef68c65eef9604aa7980a15364c253a2aab9da2eade72c62e7bfadbb6f32c8
Opcode Fuzzy Hash: 049a741c666c703faf72d9d6cc14a1ca15f29d9cbf9e6a68ac6bbf5bb7fb20b2
Instruction Fuzzy Hash: 50E04FB8D0A3499FCB15FBB8A80566DBFB5AF45704F1081EE884497291E7745A44CB42

Uniqueness

Uniqueness Score: -1.00%

Function 019745F0, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.674998295.0000000001970000.00000040.00000001.sdmp, Offset: 01970000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de9b94a485c6209b8b0c4e23fd8e1db7ef5429f888dfd640cfc1b8570a11d83d
Instruction ID: 0aa81d9f91438c9bfaad810bd49af32a1109ec3e6b396487587758433d06adfe
Opcode Fuzzy Hash: de9b94a485c6209b8b0c4e23fd8e1db7ef5429f888dfd640cfc1b8570a11d83d
Instruction Fuzzy Hash: ABE0867490A3889FD702ABBCD8092597FB4EF07619F1405EEC58487253E6326A59CB92

Uniqueness

Uniqueness Score: -1.00%

Function 01974818, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.674998295.0000000001970000.00000040.00000001.sdmp, Offset: 01970000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e5d63b239806424a401292d589d88d5b4699b36bbfdc060cdbb0eff7f3ce817
Instruction ID: 08592f7fe76fe2dc6a40352b40bd402020fce0a9cf54ade93c2a39f99528dcfb
Opcode Fuzzy Hash: 8e5d63b239806424a401292d589d88d5b4699b36bbfdc060cdbb0eff7f3ce817
Instruction Fuzzy Hash: 65E086308592885FCB55EFBCD81529D7FB0EF07608F1485EEC94597156D7320654CB51

Uniqueness

Uniqueness Score: -1.00%

Function 0570FBA8, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.677398895.0000000005700000.00000040.00000001.sdmp, Offset: 05700000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 195613c63bc8b75e73e6ab852b150f1d13a69c6380a1a11f20b38ade01f5d8c4
Instruction ID: f3f03686c7581ef576ab27cc30513ed01e2edd729c7deba8ced8e944fd764074
Opcode Fuzzy Hash: 195613c63bc8b75e73e6ab852b150f1d13a69c6380a1a11f20b38ade01f5d8c4
Instruction Fuzzy Hash: 28E0EC74D05208DBC754EFB8D40565DBBB4BB44304F1086AAC80463244D7355554CF81

Uniqueness

Uniqueness Score: -1.00%

Function 05705DAB, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.677398895.0000000005700000.00000040.00000001.sdmp, Offset: 05700000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f8e88bd16b96b6c53683aaee4a6193ae4cc8d61e54b20351fb4700375f06178
Instruction ID: cabb1421c44abe52c1a158650fcc8b6bee5977174c2f1c87e1f349a4c0e17ca6
Opcode Fuzzy Hash: 6f8e88bd16b96b6c53683aaee4a6193ae4cc8d61e54b20351fb4700375f06178
Instruction Fuzzy Hash: AAE04630895308DBCB60EFA4E1481ADBFF4FB46320F1051AEC80562280D3701940DF41

Uniqueness

Uniqueness Score: -1.00%

Function 05700070, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.677398895.0000000005700000.00000040.00000001.sdmp, Offset: 05700000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6772cc61708d41b5a09b4a8e9fbd5440b79609d173c616f224ed6e885b86e974
Instruction ID: 09fd6da0fcf8c16ffd09aed52723aa33e275d55a0f07d2a74a9774cf3ae98ca5
Opcode Fuzzy Hash: 6772cc61708d41b5a09b4a8e9fbd5440b79609d173c616f224ed6e885b86e974
Instruction Fuzzy Hash: 3ED05BB0D1430EDADB10AB7D8D0EB6F7EF89B45254F504C39D140D7241EA7555005BE1

Uniqueness

Uniqueness Score: -1.00%

Function 0570CC25, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.677398895.0000000005700000.00000040.00000001.sdmp, Offset: 05700000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b4827395de78903553fd48e27f28514119eba891ab44ace73d89005193edb6d
Instruction ID: ad147a44200489156e2bd9786e75f21f634b08289e348109278990d3898e9560
Opcode Fuzzy Hash: 1b4827395de78903553fd48e27f28514119eba891ab44ace73d89005193edb6d
Instruction Fuzzy Hash: C6E08CB0808319AFDB10DE50C484BDAF7F6AB59305F0060AA9549AB284C3345A408F1A

Uniqueness

Uniqueness Score: -1.00%

Function 01972787, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.674998295.0000000001970000.00000040.00000001.sdmp, Offset: 01970000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 317f57c76cfdd331a24ff48366d36f200be680fc1eea0feef2b7ac4664b867ff
Instruction ID: cf898ba4dff4c2f89225618aa48743b4bbd1607f31d35daf95a84cc551613e1b
Opcode Fuzzy Hash: 317f57c76cfdd331a24ff48366d36f200be680fc1eea0feef2b7ac4664b867ff
Instruction Fuzzy Hash: 25E04670F1519A8FCB45CFE0DA4065CB3B2FF99351F04842AC10AAE648C738A9058B14

Uniqueness

Uniqueness Score: -1.00%

Function 0570836D, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.677398895.0000000005700000.00000040.00000001.sdmp, Offset: 05700000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a332ca7900e311d64ff4f0b19091f804bd3fc67ec2c25d36a085bc98bac69cf2
Instruction ID: 1658c8fc2f9941805f8270b07a0aa5c6894acd2a78a54c0ca01a797617918677
Opcode Fuzzy Hash: a332ca7900e311d64ff4f0b19091f804bd3fc67ec2c25d36a085bc98bac69cf2
Instruction Fuzzy Hash: 33F02B7591529A8FCB64CFA8C990B99B7F2AF09704F1011D99509AB255D734AE80CE12

Uniqueness

Uniqueness Score: -1.00%

Function 05705DB0, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.677398895.0000000005700000.00000040.00000001.sdmp, Offset: 05700000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea261fbf1cbe9320ea374328141febe3e2eabe4832d4e45ddf49776795602bfe
Instruction ID: d1f3dd701d23c6e7097c0fc435a9f0eb93b233c7abac67c79b8ab99959379f80
Opcode Fuzzy Hash: ea261fbf1cbe9320ea374328141febe3e2eabe4832d4e45ddf49776795602bfe
Instruction Fuzzy Hash: F2D0173485530CDBC710EBA8E4496ADBFF8FB05611F1051AAC80563384D7705A40DF91

Uniqueness

Uniqueness Score: -1.00%

Function 0570F798, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.677398895.0000000005700000.00000040.00000001.sdmp, Offset: 05700000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 007ceb5ab6c19defed08b9aecdd20683751206d91cd401f6004b6d3fdddb2b85
Instruction ID: ae8633469501a6d0f5bbbc87f9a4f2b16782b0a3a4f6b5a8032ebfd697b14648
Opcode Fuzzy Hash: 007ceb5ab6c19defed08b9aecdd20683751206d91cd401f6004b6d3fdddb2b85
Instruction Fuzzy Hash: 3BE0E274D04208EFCB64EFB8D40529CBBF4AB45304F1082A9C84893240E739AA80CB41

Uniqueness

Uniqueness Score: -1.00%

Function 0570E260, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.677398895.0000000005700000.00000040.00000001.sdmp, Offset: 05700000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad01c8c20dae12f611bdf0800db69f7d0890f3b31572cc6175bcebbaaa05cc2f
Instruction ID: b19b8d16ed7cbc1bb17763d89a347ba05a915bdc93713758e34400334c03105a
Opcode Fuzzy Hash: ad01c8c20dae12f611bdf0800db69f7d0890f3b31572cc6175bcebbaaa05cc2f
Instruction Fuzzy Hash: B0E0BD78E00208EFCB50EFA8E449A9CBBF4AB49204F1081AA984893350E730AA44CB41

Uniqueness

Uniqueness Score: -1.00%

Function 0570FA48, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.677398895.0000000005700000.00000040.00000001.sdmp, Offset: 05700000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca10fcd150e3d53ee5ca00a6bf01131054f8e402ec54d48854c8b4beac3d58b3
Instruction ID: 04230ece8f3661ae280be956741fa55a091903a9455e0d3664992f6751a455a9
Opcode Fuzzy Hash: ca10fcd150e3d53ee5ca00a6bf01131054f8e402ec54d48854c8b4beac3d58b3
Instruction Fuzzy Hash: 10E0E2B4D04208EFCB64EFB8E40529CBBF4AB49204F1081AAC818A7240E735AA80CB41

Uniqueness

Uniqueness Score: -1.00%

Function 0570F6C0, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.677398895.0000000005700000.00000040.00000001.sdmp, Offset: 05700000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55acc54ceab1ace71876329aa5a5434b30278f05081ac13bf8b6ccc79ff98618
Instruction ID: 0bbb375847f5d55756ae9913cbcf1ef2f8c6f8094518366da71bfc433454663c
Opcode Fuzzy Hash: 55acc54ceab1ace71876329aa5a5434b30278f05081ac13bf8b6ccc79ff98618
Instruction Fuzzy Hash: 80E01734900208DFC754EFB8E8486697BF4FB08319F2446AACD4693290EB30A9D4CF42

Uniqueness

Uniqueness Score: -1.00%

Function 019735A8, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.674998295.0000000001970000.00000040.00000001.sdmp, Offset: 01970000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05996e6f1f54d1a314a258b63b534f9bdc7044e081e1e8a404a1f8590f5bab8e
Instruction ID: 403e8b87666d90bf45e3559debb796becb0a6c3d43aa8adff1ebd9e3e6ef8d8d
Opcode Fuzzy Hash: 05996e6f1f54d1a314a258b63b534f9bdc7044e081e1e8a404a1f8590f5bab8e
Instruction Fuzzy Hash: 14D017B4D10208AFCB50EBB8A4042ADBFF5AB44205F1082AA885892280E7345640CB81

Uniqueness

Uniqueness Score: -1.00%

Function 019751D3, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.674998295.0000000001970000.00000040.00000001.sdmp, Offset: 01970000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfc520b0040ae31402c7be86531956686a26badb64f4d42a79b2e13184a9211b
Instruction ID: 64235c96f429daf274f32552adb78c6f1534cc085c4f66427212a9cf9f84544b
Opcode Fuzzy Hash: cfc520b0040ae31402c7be86531956686a26badb64f4d42a79b2e13184a9211b
Instruction Fuzzy Hash: 28E01238910229CFCB60CF60C940BE8BBF0EB48310F0094EA840DA7361D735AE82CF10

Uniqueness

Uniqueness Score: -1.00%

Function 01974F75, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.674998295.0000000001970000.00000040.00000001.sdmp, Offset: 01970000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d4aa230d5213504b68fc12f6c3fdeedc3e0e81ac6ee0e32cae804360643b03e
Instruction ID: 4cde61fe2b5f9ae3cb8ee03bf74a52d10a6f8613dee9b4790887d69deb7d395c
Opcode Fuzzy Hash: 7d4aa230d5213504b68fc12f6c3fdeedc3e0e81ac6ee0e32cae804360643b03e
Instruction Fuzzy Hash: 0FE0E5349002249FCB60CFA0E884B98BBB0EB48350F1086E9840997261D7359AC1CF10

Uniqueness

Uniqueness Score: -1.00%

Function 019734D0, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.674998295.0000000001970000.00000040.00000001.sdmp, Offset: 01970000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52a5ca73a777775e76fe7a324a0212c3592b52963f2ce5f841f1114b890403a4
Instruction ID: b9407216edca2ff606db9ccab593941895a40d242d014bbe778e3515e9244eb8
Opcode Fuzzy Hash: 52a5ca73a777775e76fe7a324a0212c3592b52963f2ce5f841f1114b890403a4
Instruction Fuzzy Hash: 8DD01774E00208AFCB64EFACD40539DBBF8AB44700F1086AAC858A3240E7309A40CB81

Uniqueness

Uniqueness Score: -1.00%

Function 057002E0, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.677398895.0000000005700000.00000040.00000001.sdmp, Offset: 05700000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f1d3ccdd5c81e9cbb02075383b761a85d6f4c065798a384459ba0f2819c4f51
Instruction ID: 85f3aa7133f7d8c84589d8d07b8c7c616d9079109c00278701eeae2aab63b6bc
Opcode Fuzzy Hash: 3f1d3ccdd5c81e9cbb02075383b761a85d6f4c065798a384459ba0f2819c4f51
Instruction Fuzzy Hash: 75D0A72020839802D314527955583177ACB1BC1628E09446DC1C547741CDA5A80483D7

Uniqueness

Uniqueness Score: -1.00%

Function 05706705, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.677398895.0000000005700000.00000040.00000001.sdmp, Offset: 05700000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e4dbe51193a38f773c3985a077a28db68bb3ed3837833a0ec357cf09a0326dc
Instruction ID: 10ee5bd4e9dc6c955846f1e904b1ea997d6c9c0c1e96311695dff3ecd999c2eb
Opcode Fuzzy Hash: 7e4dbe51193a38f773c3985a077a28db68bb3ed3837833a0ec357cf09a0326dc
Instruction Fuzzy Hash: 2FE09270A12259DFDB60CF64DD94B9CBBB1FB44200F1016D9D00AA7298DB345E80CF11

Uniqueness

Uniqueness Score: -1.00%

Function 019754AB, Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.674998295.0000000001970000.00000040.00000001.sdmp, Offset: 01970000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a73bb04185dc39e854d7d33f50ecdfadcbbcd3d12ec492455e0a1d3d573a261c
Instruction ID: 904d60d0ce6ea2da7b6a822eeac3bea8dbc4c993720b1a73e969297cf63368f8
Opcode Fuzzy Hash: a73bb04185dc39e854d7d33f50ecdfadcbbcd3d12ec492455e0a1d3d573a261c
Instruction Fuzzy Hash: D2E01278901214CFCB20CF24C9406D9B7B1FF55320F10C6DA8559A3281D3355EC2CF00

Uniqueness

Uniqueness Score: -1.00%

Function 05708775, Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.677398895.0000000005700000.00000040.00000001.sdmp, Offset: 05700000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c369d611389a372195d153e7df6b327fd045cdfd19b9a36d127a0611bedc04a
Instruction ID: bc1bc839d4b70d12c33082fb8e6bd0ac7f205ea92e2639c1ad714e80d77f13f5
Opcode Fuzzy Hash: 7c369d611389a372195d153e7df6b327fd045cdfd19b9a36d127a0611bedc04a
Instruction Fuzzy Hash: 78E0E231A12389DFC794CF60C1888987BB2FF4A325F501998E40A9B290CB35EEC0CF02

Uniqueness

Uniqueness Score: -1.00%

Function 0570C78F, Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.677398895.0000000005700000.00000040.00000001.sdmp, Offset: 05700000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5237a47fdcba1c977cda6c878a0d67cca18773435376b0c43cc521164e6dbacc
Instruction ID: 04b8e41291af732fded0dc8ade08f43b77d54910b32ec4eab4192f735fb48445
Opcode Fuzzy Hash: 5237a47fdcba1c977cda6c878a0d67cca18773435376b0c43cc521164e6dbacc
Instruction Fuzzy Hash: D1D05E74D44269DFCF10CFA8C840BAEF7B5FB64304F006099C019A7254D7349A81CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0570CAD2, Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.677398895.0000000005700000.00000040.00000001.sdmp, Offset: 05700000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45d3e1f5845164564cfd64ccb4a42e9fa7baee1c90616f73fe1e10cd43757bd9
Instruction ID: d8d7d360da407e68f6cf9dc1bb5de7e79cb14e2c3af809312aa425c3023310f5
Opcode Fuzzy Hash: 45d3e1f5845164564cfd64ccb4a42e9fa7baee1c90616f73fe1e10cd43757bd9
Instruction Fuzzy Hash: 2AD09EB1808364DECB119E2068502ADF7F36B65304F0161DA805566145D7354A469FD5

Uniqueness

Uniqueness Score: -1.00%

Function 05706D33, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.677398895.0000000005700000.00000040.00000001.sdmp, Offset: 05700000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fd1296a6230bbb966627537222f8b011672d3d60f1e4e10fc84d144153f92b2
Instruction ID: 9942262940fd9df61bb9ef1f6ebf01913e0ff7adefc1688b0ae79772d83241d8
Opcode Fuzzy Hash: 4fd1296a6230bbb966627537222f8b011672d3d60f1e4e10fc84d144153f92b2
Instruction Fuzzy Hash: 8FD05E70D1422ADFDF50CF95D980A9EF7F3BF95200F20A5898414BB244C7309A40CF11

Uniqueness

Uniqueness Score: -1.00%

Function 0570C904, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.677398895.0000000005700000.00000040.00000001.sdmp, Offset: 05700000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d55ddacfd53f0b106c6f3ed21d88e645a547ddedd6c03bcaf611b1d524ca8a9
Instruction ID: e780e4ad8d05c8c5ec1ff91a44fbd8c9d142845070a9517fae9b3a6d944d4c73
Opcode Fuzzy Hash: 4d55ddacfd53f0b106c6f3ed21d88e645a547ddedd6c03bcaf611b1d524ca8a9
Instruction Fuzzy Hash: 0BD09E74D04119DBDB90CEE4C44179DF7B5AB55300F105496406DA6658D73856458F25

Uniqueness

Uniqueness Score: -1.00%

Function 01975B83, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.674998295.0000000001970000.00000040.00000001.sdmp, Offset: 01970000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c5cc134b6a17685b7df0c2e86f16c5f111e8e03f4cb83870a8d5df75cef3046
Instruction ID: 102fe2bd908f77f2a983a4f5f9e9bd179384790332c2f1cc4627fb2b9e8d43e1
Opcode Fuzzy Hash: 9c5cc134b6a17685b7df0c2e86f16c5f111e8e03f4cb83870a8d5df75cef3046
Instruction Fuzzy Hash: 97D0127195662ACBC773CB24C800FECBB74EF19680F006D9540ADE7622C3B4A5814EA5

Uniqueness

Uniqueness Score: -1.00%

Function 01972F67, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.674998295.0000000001970000.00000040.00000001.sdmp, Offset: 01970000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba2fbb57de50dfa21a192960f1af9a48407700885c93ef8b413ad64300f0fc82
Instruction ID: b9ac0d819fe3ed1864d99ac9f0dff83d717ae23e24f3640f701359cfed9e2a10
Opcode Fuzzy Hash: ba2fbb57de50dfa21a192960f1af9a48407700885c93ef8b413ad64300f0fc82
Instruction Fuzzy Hash: C2C08C728E22168FCB02DBE0C680C9E7B34FF403A07259813D102EF908D3389203AB60

Uniqueness

Uniqueness Score: -1.00%

Function 057045D0, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.677398895.0000000005700000.00000040.00000001.sdmp, Offset: 05700000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91d3842fa1344b12086e593d54c9ba9b2c73d72280a13a2680b4ea7bccc562c0
Instruction ID: 5b9aa69d9c9942127d15f3f86766318e60dde5a9bf8cc0a5cab98cd7532a7417
Opcode Fuzzy Hash: 91d3842fa1344b12086e593d54c9ba9b2c73d72280a13a2680b4ea7bccc562c0
Instruction Fuzzy Hash: 07B092352546084BEA6496B67804B2632CDA740628F404872F50CC2D40EA96E4902648

Uniqueness

Uniqueness Score: -1.00%

Function 0570C42B, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.677398895.0000000005700000.00000040.00000001.sdmp, Offset: 05700000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ac92a7a23b5d276ec8115059abd00fe3c5f3230a4b4c170dd243c41a06cc8cc
Instruction ID: ad9ec3ed0c75b224011c8bbdc794de2875bbbc84260b465ee8f551c6575b369c
Opcode Fuzzy Hash: 0ac92a7a23b5d276ec8115059abd00fe3c5f3230a4b4c170dd243c41a06cc8cc
Instruction Fuzzy Hash: 61D0C974D053189FDF50DBA4C44479EF3F9BB65304F20A0A9805AA7244D7309A46CF02

Uniqueness

Uniqueness Score: -1.00%

Function 0570BEA4, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.677398895.0000000005700000.00000040.00000001.sdmp, Offset: 05700000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 725650e3b677b1c2f6a0b891b60bb0bfca97eecd27f3206b17d025006ef9c902
Instruction ID: d97e303fc3492acb7c4cf02f7f4df58fb0cfac1d14c627f8adf517529e0e0b64
Opcode Fuzzy Hash: 725650e3b677b1c2f6a0b891b60bb0bfca97eecd27f3206b17d025006ef9c902
Instruction Fuzzy Hash: 32D0C978D0411CDBCF60CFA4C880BAEF3B5BB28304F10519A8029A3284C73059408F09

Uniqueness

Uniqueness Score: -1.00%

Function 057000A5, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.677398895.0000000005700000.00000040.00000001.sdmp, Offset: 05700000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c09d0020a4691be956fba6711a1be752943340312939d12ce669538e7d5202c7
Instruction ID: 6cac199e90413e44505cd6f916859ec4465c30af018fdf6ae0f42aab5a6059af
Opcode Fuzzy Hash: c09d0020a4691be956fba6711a1be752943340312939d12ce669538e7d5202c7
Instruction Fuzzy Hash: 5BC08C3BB04104CF9B20CAB4F0040CCB372EBC823A72081B6C20892200CB324D628B51

Uniqueness

Uniqueness Score: -1.00%

Function 0570CAA3, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.677398895.0000000005700000.00000040.00000001.sdmp, Offset: 05700000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a19b341e2481265a2c5511f77c7884c92c45b485113c84d548303439b837511
Instruction ID: b8dbc4dd7b1c771bb2e4eb5361b41ade432e0f6b40a3dc1f186f89b7a0a9d499
Opcode Fuzzy Hash: 0a19b341e2481265a2c5511f77c7884c92c45b485113c84d548303439b837511
Instruction Fuzzy Hash: 59C012B4C042289BCB10CFA4D800BAEF3FAAB66300F00A0AA8158B3244D7304A408F49

Uniqueness

Uniqueness Score: -1.00%

Function 01972FE4, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.674998295.0000000001970000.00000040.00000001.sdmp, Offset: 01970000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb4bcac5b1b0e796bba6d9ece5ca46ae93475e3e30a388582ef5a3d3f91b8bac
Instruction ID: 03e9b56060af7ad2b47736871be17e0c1d5c5ef24f6ee1ec340379886f54d7c9
Opcode Fuzzy Hash: cb4bcac5b1b0e796bba6d9ece5ca46ae93475e3e30a388582ef5a3d3f91b8bac
Instruction Fuzzy Hash: A4C08C30E0D14C8FCB00CFA0CA14A5CF771BF45341F00245B8207AB048C3746A449F24

Uniqueness

Uniqueness Score: -1.00%

Function 019728BD, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.674998295.0000000001970000.00000040.00000001.sdmp, Offset: 01970000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8a9a4fc7f6ed7ec51168d40d7c066e2c764ffd4db2c52eea8be036a35057f7b
Instruction ID: e95e76588d5e091fab12dc9e70b05c7bbfb0f035ddd269c6016b6fd4a1ed3f6f
Opcode Fuzzy Hash: e8a9a4fc7f6ed7ec51168d40d7c066e2c764ffd4db2c52eea8be036a35057f7b
Instruction Fuzzy Hash: 39D01230D1129CCBEB00CBA0C944E9CB7B1FF89381F2055CBC00AAA2ACC7706A81CF20

Uniqueness

Uniqueness Score: -1.00%

Function 01972A13, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.674998295.0000000001970000.00000040.00000001.sdmp, Offset: 01970000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c43122614177d92ab6b2e22316627accdbcfce1a4aab23bd1994fab5a1d9e07
Instruction ID: 50702e562d6a2af3b6b5ecb182c2a045d2979fb5ff3659bd17febf40ea96b0ce
Opcode Fuzzy Hash: 3c43122614177d92ab6b2e22316627accdbcfce1a4aab23bd1994fab5a1d9e07
Instruction Fuzzy Hash: 00C01230624349CBC760CF90D54495E7731FB45344F10445AC00656114C7349A418A26

Uniqueness

Uniqueness Score: -1.00%

Function 01975B15, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.674998295.0000000001970000.00000040.00000001.sdmp, Offset: 01970000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00bd3134df6170481b2e9b2d61545af65e996ccb852b0d43284baca8e45c6c34
Instruction ID: d71189ad6be5c7f1dfb7276a2985e716047e25e94fca884601669d38d3f09063
Opcode Fuzzy Hash: 00bd3134df6170481b2e9b2d61545af65e996ccb852b0d43284baca8e45c6c34
Instruction Fuzzy Hash: E4C0923091521ADFC731CB20D444F9CBB74BB0E2D1F00A9A580AEA6422D7B8AA808E25

Uniqueness

Uniqueness Score: -1.00%

Function 05704448, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.677398895.0000000005700000.00000040.00000001.sdmp, Offset: 05700000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9f4a7a1aa7254ce7e74f4797c17d417cc2cf23485c4c26ff46eef51916e90a4
Instruction ID: 2d5ae4b12817d1d83f408e81765d37e9172cba37caa3420c71809ae9ee9e217b
Opcode Fuzzy Hash: d9f4a7a1aa7254ce7e74f4797c17d417cc2cf23485c4c26ff46eef51916e90a4
Instruction Fuzzy Hash: 6BB0126C618D48C7DB3036205405A7272C1B1412083C0405CD09144002D2214003BC02

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00DE90E1, Relevance: 3.1, Instructions: 3076COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.674082267.0000000000DE2000.00000002.00020000.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.674073416.0000000000DE0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.674234999.0000000000F44000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.674253648.0000000000F60000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9aa894744ea8aeff6a31c5411ac5379fa12cc6a5bc60e34138e6599b4712d1e8
Instruction ID: dabdb5ec30a586f5179bb486b6bdaafa4bf865bde8bd3c785091a6159ce4e15c
Opcode Fuzzy Hash: 9aa894744ea8aeff6a31c5411ac5379fa12cc6a5bc60e34138e6599b4712d1e8
Instruction Fuzzy Hash: 4433656104F7C21FC7139B786A712E1BFB1AE5321471E98CBC4C08F1A3E5151AAAE776

Uniqueness

Uniqueness Score: -1.00%

Function 05709C61, Relevance: 1.4, Strings: 1, Instructions: 154COMMON

Download Yara Rule

Strings

+1k, xrefs: 05709D86

Memory Dump Source

Source File: 00000000.00000002.677398895.0000000005700000.00000040.00000001.sdmp, Offset: 05700000, based on PE: false

Similarity

API ID:
String ID: +1k
API String ID: 0-58332949
Opcode ID: d218166e1464a54e865cc0c50729f5351ad6d4ca6f15842d3b160b7ebe784597
Instruction ID: 42ce087e5c19279762ecac5053087fbada428f16b5ac577daed96d783ce3495e
Opcode Fuzzy Hash: d218166e1464a54e865cc0c50729f5351ad6d4ca6f15842d3b160b7ebe784597
Instruction Fuzzy Hash: 0661BC74E15209DFCB44CFA9C08499EFBF1AF49310F14E19AD859AB352D334AA41DF60

Uniqueness

Uniqueness Score: -1.00%

Function 05709C70, Relevance: 1.4, Strings: 1, Instructions: 150COMMON

Download Yara Rule

Strings

+1k, xrefs: 05709D86

Memory Dump Source

Source File: 00000000.00000002.677398895.0000000005700000.00000040.00000001.sdmp, Offset: 05700000, based on PE: false

Similarity

API ID:
String ID: +1k
API String ID: 0-58332949
Opcode ID: 815dbc3d275cee4294c1d3c9ca174f01e74065d54655c7cf001702d9b69a0dd6
Instruction ID: 18a9f7553e90bb6aa94f6f71cf6e027609a95d2205ce48d60b04245dee2b4559
Opcode Fuzzy Hash: 815dbc3d275cee4294c1d3c9ca174f01e74065d54655c7cf001702d9b69a0dd6
Instruction Fuzzy Hash: 2261BB74E14209DFCB44CFA9C58499EFBF2BB49310F14E5AAE829AB251D334AA41DF50

Uniqueness

Uniqueness Score: -1.00%

Function 0570AFD8, Relevance: 1.3, Strings: 1, Instructions: 98COMMON

Download Yara Rule

Strings

?WK, xrefs: 0570B058

Memory Dump Source

Source File: 00000000.00000002.677398895.0000000005700000.00000040.00000001.sdmp, Offset: 05700000, based on PE: false

Similarity

API ID:
String ID: ?WK
API String ID: 0-278720592
Opcode ID: 3e34cd7bd4c548d9a19d757d23b77008c64e404935dc3a82d6bafe5cd013b828
Instruction ID: 410f66704494553d2d27f3df86c889d253f135757403038b6350c42d10d68889
Opcode Fuzzy Hash: 3e34cd7bd4c548d9a19d757d23b77008c64e404935dc3a82d6bafe5cd013b828
Instruction Fuzzy Hash: 9A4112B1D0920ADFCB04CFA9D5814AEFBF2BF89310F20A4AAC455AB250D7349B44DB91

Uniqueness

Uniqueness Score: -1.00%

Function 0570AFE8, Relevance: 1.3, Strings: 1, Instructions: 93COMMON

Download Yara Rule

Strings

?WK, xrefs: 0570B058

Memory Dump Source

Source File: 00000000.00000002.677398895.0000000005700000.00000040.00000001.sdmp, Offset: 05700000, based on PE: false

Similarity

API ID:
String ID: ?WK
API String ID: 0-278720592
Opcode ID: 68d9c1b758fcb670c01456cc8c2c70c11fb64d0c25b98f4f91a6d81e78f36b2a
Instruction ID: c8292da0545d4bebf22f0bdd0c782e2c7d0d90ef921ced8b9ddd299e60838216
Opcode Fuzzy Hash: 68d9c1b758fcb670c01456cc8c2c70c11fb64d0c25b98f4f91a6d81e78f36b2a
Instruction Fuzzy Hash: BC4103B1D1520ADBCB04CFA9D5814AEFBF2FB88310F20E56AC419BB254D7349B41DB95

Uniqueness

Uniqueness Score: -1.00%

Function 0570EAE0, Relevance: .3, Instructions: 330COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.677398895.0000000005700000.00000040.00000001.sdmp, Offset: 05700000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65403cbe75c42f2871d051573998c29c3a6db725a7fdddca40d477611ef34019
Instruction ID: 0753174d208024a9778d4edfbc3bcf248b024bdc24eec89a45acc4acb3630d77
Opcode Fuzzy Hash: 65403cbe75c42f2871d051573998c29c3a6db725a7fdddca40d477611ef34019
Instruction Fuzzy Hash: 37F10174E04218DFCB14CFA9C5809ADBBF2FB89304F2495AAD815AB395D734AE41DF90

Uniqueness

Uniqueness Score: -1.00%

Function 0570EAC8, Relevance: .3, Instructions: 324COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.677398895.0000000005700000.00000040.00000001.sdmp, Offset: 05700000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a5ac0c0c44cdd1b9657dc8d359520f0e417ea0de57fd8836c37a11846fd41dd
Instruction ID: 489245368e59e169543652a5afe05919da616112666d5b0fc35c3e93045eee47
Opcode Fuzzy Hash: 9a5ac0c0c44cdd1b9657dc8d359520f0e417ea0de57fd8836c37a11846fd41dd
Instruction Fuzzy Hash: 19E13274D04218DFCB04CFA9C5809ADBBF2FB89304F2495AAD815AB395D734AE42DF90

Uniqueness

Uniqueness Score: -1.00%

Function 01971208, Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.674998295.0000000001970000.00000040.00000001.sdmp, Offset: 01970000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25a99e36f1bed087964e1f81a7666a0b2e1559a3e4f9c77d507aefa77cf9d735
Instruction ID: cd374d4d8033a51f4c1dd53aa969d4dd17704f7ef3821fc7189762697438a193
Opcode Fuzzy Hash: 25a99e36f1bed087964e1f81a7666a0b2e1559a3e4f9c77d507aefa77cf9d735
Instruction Fuzzy Hash: F7A148B0D0520ADFCB04CFA9D5809AEFFB6BF89314F24856AD019AB255D7349A428F90

Uniqueness

Uniqueness Score: -1.00%

Function 05704750, Relevance: .2, Instructions: 178COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.677398895.0000000005700000.00000040.00000001.sdmp, Offset: 05700000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de7a1ae4ee223dcf08a3a4a1d032f30bd069a10a55d33808d6524746e1ea3564
Instruction ID: ea44eac2059cf4967a19e4220476e0b8f084ed5047d1a8fc79699792427e6be4
Opcode Fuzzy Hash: de7a1ae4ee223dcf08a3a4a1d032f30bd069a10a55d33808d6524746e1ea3564
Instruction Fuzzy Hash: 80515C72F105259BDB14DB69CC84B6EB7E3AFC4710F2AC164E4059B3A9DE34DC419B90

Uniqueness

Uniqueness Score: -1.00%

Function 01974C80, Relevance: .2, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.674998295.0000000001970000.00000040.00000001.sdmp, Offset: 01970000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d2fa243dcaefdb152049fc55615538f2e7dd343cae96574046b879157e57681
Instruction ID: 759592c3302063751da989d0c9e2adfa40a7caf4d15a2dae591040cd7bb2f197
Opcode Fuzzy Hash: 8d2fa243dcaefdb152049fc55615538f2e7dd343cae96574046b879157e57681
Instruction Fuzzy Hash: F7511770E0561ACBEB68CF66C844BA9FBB2BF89300F15C4EAC51DA7615E7305A85CF41

Uniqueness

Uniqueness Score: -1.00%

Function 05707CA0, Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.677398895.0000000005700000.00000040.00000001.sdmp, Offset: 05700000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fdbe14af000bb4a5aa5ba5edd159bb9b03fb0d1d73261b65659aaadd4183cbe
Instruction ID: 533896b8ce0dfb039509ca1e11f31cf439912330d1e92e442c852ccf06510fd9
Opcode Fuzzy Hash: 3fdbe14af000bb4a5aa5ba5edd159bb9b03fb0d1d73261b65659aaadd4183cbe
Instruction Fuzzy Hash: 03510474D0520ADFCB08CFA8D5819AEBBF2FB49314F20A59AC405BB251D331AA41DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0570A6A0, Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.677398895.0000000005700000.00000040.00000001.sdmp, Offset: 05700000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 940f6c19990bb154573b9203afa01a4e60641055a8337262431e7a8ded0e375d
Instruction ID: 1897632a1eca2fb91b0344b38f0cdd6640cdb2fcfb20b36ee57ba7486c95d3a2
Opcode Fuzzy Hash: 940f6c19990bb154573b9203afa01a4e60641055a8337262431e7a8ded0e375d
Instruction Fuzzy Hash: 8351E274D1621ADFCB04CFA8D5809AEFBF2FB48340F10A55AD416BB291D330AA41DFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0570A691, Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.677398895.0000000005700000.00000040.00000001.sdmp, Offset: 05700000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b15da52bd276130916ae9546057e1fb9d7c49b6f5d95f3949961752818da953
Instruction ID: 564bbac161bafdc9f3875b416b6f5bc7203d3e730d3fccfa4555145ae18a8a6d
Opcode Fuzzy Hash: 9b15da52bd276130916ae9546057e1fb9d7c49b6f5d95f3949961752818da953
Instruction Fuzzy Hash: 5851E274D1621ADFCB04CFA8D5808AEFBF2FF48340F14A55AD416AB291D330AA41DFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0570ADF1, Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.677398895.0000000005700000.00000040.00000001.sdmp, Offset: 05700000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d30a97856eb55a7f60f5227a548667442655301e9ae4c1a16e8d1ac0f53d0e9d
Instruction ID: 40607be9ead54d47a2d16b1b4bdb6b6f580a99d72c6c86b4be24a739b927afea
Opcode Fuzzy Hash: d30a97856eb55a7f60f5227a548667442655301e9ae4c1a16e8d1ac0f53d0e9d
Instruction Fuzzy Hash: 8D51DDB4E05209DFCF04CFAAD4819AEBBF2BF89300F2491AAD415A7254D334AA018F55

Uniqueness

Uniqueness Score: -1.00%

Function 0570AE00, Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.677398895.0000000005700000.00000040.00000001.sdmp, Offset: 05700000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f75dace80e85e0f39399ee77b6dd5df72c2fc0af0e4ae1bbd300a53293b58f91
Instruction ID: 4f9e75414749c5da5f34ff54b6ca400f4e6cd6ae0588f917427e397bfc77de68
Opcode Fuzzy Hash: f75dace80e85e0f39399ee77b6dd5df72c2fc0af0e4ae1bbd300a53293b58f91
Instruction Fuzzy Hash: 9F51CEB0E05219DFCF04CFAAD5859AEFBF2BF89300F24916AE419B7254D3349A418F59

Uniqueness

Uniqueness Score: -1.00%

Function 05703A69, Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.677398895.0000000005700000.00000040.00000001.sdmp, Offset: 05700000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd26aa0444c9f11e98275989d7497a2b020565195af213f70a97f1cb6de50879
Instruction ID: 94483fe07e6111c4c2c2da0ed400678f8ae681310e387c151d33e8a598d1efe9
Opcode Fuzzy Hash: fd26aa0444c9f11e98275989d7497a2b020565195af213f70a97f1cb6de50879
Instruction Fuzzy Hash: 4B411779E5111ADFDF20CFA9E4819ADF7F2BF48314B15E215D02AEB244DB31A841CB90

Uniqueness

Uniqueness Score: -1.00%

Function 019742A9, Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.674998295.0000000001970000.00000040.00000001.sdmp, Offset: 01970000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1dce8383a1e8c3cfa3dc674d2cde3a597a910196c4e7737966e3c6c9dd2ca3a6
Instruction ID: 5e3ecbe2ff610d0a98272e481e2fc53695620424498735de02e14aac56dad8dd
Opcode Fuzzy Hash: 1dce8383a1e8c3cfa3dc674d2cde3a597a910196c4e7737966e3c6c9dd2ca3a6
Instruction Fuzzy Hash: B7415778E0520ADFCB44CFA5D5846AEBBF1FF49304F10D8AAC40AA7251E3389A40CF55

Uniqueness

Uniqueness Score: -1.00%

Function 019742B8, Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.674998295.0000000001970000.00000040.00000001.sdmp, Offset: 01970000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d965908be5e65bef6f9e1f05ad85ccbd4f4a50f249b92486ae8ef2d09a093197
Instruction ID: 15b7efc122916975bd710d31c97682e7b7a10d64be4c9efaa67dd2eed5b8550c
Opcode Fuzzy Hash: d965908be5e65bef6f9e1f05ad85ccbd4f4a50f249b92486ae8ef2d09a093197
Instruction Fuzzy Hash: 8B414878D0520ADFCB44CFA5D5846AEBBF1FF49204F10D86AC41AA7251E3389A40CF55

Uniqueness

Uniqueness Score: -1.00%

Function 0570AC20, Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.677398895.0000000005700000.00000040.00000001.sdmp, Offset: 05700000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca15838f00c5cd0071952d52c18b76cac55644f8a9547419924b2426c56058b1
Instruction ID: ce9bb5c7e11277a571d1e6737e1c3096186635d346400309e868eab8764b4286
Opcode Fuzzy Hash: ca15838f00c5cd0071952d52c18b76cac55644f8a9547419924b2426c56058b1
Instruction Fuzzy Hash: 9A4137B4D0420ADFCB04CFAAC4819AEFBF2BF89350F19D56AD425AB254D7345A41EF90

Uniqueness

Uniqueness Score: -1.00%

Function 019768A8, Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.674998295.0000000001970000.00000040.00000001.sdmp, Offset: 01970000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a6deba570ce919675539e8ba22dd17ab0c50a07b5c881ee1a5fa9c545d6171a
Instruction ID: ca8c692c49391b03a46b53cc2efac0c5992e1f0b98a9226501c3e96bd8b5285a
Opcode Fuzzy Hash: 3a6deba570ce919675539e8ba22dd17ab0c50a07b5c881ee1a5fa9c545d6171a
Instruction Fuzzy Hash: BF31BC70D09509DEEB04DFA4E048BFEBFF4AF0A301F20986AE459B3281CB344944CB55

Uniqueness

Uniqueness Score: -1.00%

Function 0570AC30, Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.677398895.0000000005700000.00000040.00000001.sdmp, Offset: 05700000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c730b697d5869d8c8f55d54aaf9d4922c6f70b0a183e790f47cec184252d31b
Instruction ID: bf97f24f6684300fcc223fbe1fa844f65fb61b8d75c8e9433bdf45de093406d2
Opcode Fuzzy Hash: 8c730b697d5869d8c8f55d54aaf9d4922c6f70b0a183e790f47cec184252d31b
Instruction Fuzzy Hash: 5E3107B4D0420ADFCB08CFA6C4819AEFBF2BF88350F15D56AD415A7254D7345641DF94

Uniqueness

Uniqueness Score: -1.00%

Function 019768B8, Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.674998295.0000000001970000.00000040.00000001.sdmp, Offset: 01970000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 495cb6cfaf15d2d3e8458a5107b34e192c1cf36df26213d1898ab20ce052c447
Instruction ID: 6a0d8acfccab2d0a7f9ae17e29adc810d76dabe367a8f454c4c66f566400d350
Opcode Fuzzy Hash: 495cb6cfaf15d2d3e8458a5107b34e192c1cf36df26213d1898ab20ce052c447
Instruction Fuzzy Hash: B6214A70D09609DAEB04CFA9D488BFEBFF5AF0A311F146829E419B3291D7744944CB55

Uniqueness

Uniqueness Score: -1.00%

Function 05706508, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.677398895.0000000005700000.00000040.00000001.sdmp, Offset: 05700000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4964769bd634265063b1fc44ab45aa3e78c9dcc43ddf019b981d14572b4e8a95
Instruction ID: 4770d30b3c4e8832826c6e06f539bde217831d5af356e50801e10d1ae440d749
Opcode Fuzzy Hash: 4964769bd634265063b1fc44ab45aa3e78c9dcc43ddf019b981d14572b4e8a95
Instruction Fuzzy Hash: 1321DBB1E116189FEB18CFABD84069EFBF3BFC9210F14D17AD458A6264D73405518B51

Uniqueness

Uniqueness Score: -1.00%

Function 01971978, Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.674998295.0000000001970000.00000040.00000001.sdmp, Offset: 01970000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70048d19e18d71a661593ade18f146d5da256763b268a7ee8934a28139e8de69
Instruction ID: 852c95b7feb689829ef7b87d6b527e7db86a444d8575d215104aa50c0a0dfb51
Opcode Fuzzy Hash: 70048d19e18d71a661593ade18f146d5da256763b268a7ee8934a28139e8de69
Instruction Fuzzy Hash: B421F7B0D04609DBDB18CFABD5416AEFBF6BFC8300F24C67A8428AB255D73456028F50

Uniqueness

Uniqueness Score: -1.00%

Function 01972100, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.674998295.0000000001970000.00000040.00000001.sdmp, Offset: 01970000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d904f343c3a251c4113edbdb324f8b4121e30938a6690fad9dc2ddbe6ac5bdc
Instruction ID: 8152d9d5b50a30df0e7a726f9c35045961d06a217b4a7412e01b00fa8a7e4bf4
Opcode Fuzzy Hash: 0d904f343c3a251c4113edbdb324f8b4121e30938a6690fad9dc2ddbe6ac5bdc
Instruction Fuzzy Hash: 9111F5B1D056489FDB09CFBBC90019EBFF2BFC9200F28C1AAC458AB215DB3556029F40

Uniqueness

Uniqueness Score: -1.00%

Function 01972110, Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.674998295.0000000001970000.00000040.00000001.sdmp, Offset: 01970000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c70a6841ca56240afb4477c7184baa3cdbb1d99d7e018af36355ca8189e4f4d
Instruction ID: 696c43be6f378b51fdd6468736cdff8fe4827503dd8b7a4815b6698f11b35692
Opcode Fuzzy Hash: 5c70a6841ca56240afb4477c7184baa3cdbb1d99d7e018af36355ca8189e4f4d
Instruction Fuzzy Hash: AA11D3B1E14609DBDB18CFABD94059EFBF7BFC8200F24C16A9918AB219DB3456019F40

Uniqueness

Uniqueness Score: -1.00%

Function 0570F08F, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.677398895.0000000005700000.00000040.00000001.sdmp, Offset: 05700000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c54ff1e1e5d22c3de41b3059833316f5f9567d73067adb3ea138266e9279dff
Instruction ID: 47029454513a0210f53becfb635af080bea9fa0ed8ec24692d0dc043d8e38ba4
Opcode Fuzzy Hash: 2c54ff1e1e5d22c3de41b3059833316f5f9567d73067adb3ea138266e9279dff
Instruction Fuzzy Hash: 8911C2B0D056099FDB18CFBB984529EFBF2BFC9204F14C06AC418AB255EB7456069F45

Uniqueness

Uniqueness Score: -1.00%

Function 0570F0A0, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.677398895.0000000005700000.00000040.00000001.sdmp, Offset: 05700000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b5b11ab7f63931d0702b504a47dae0dcffba9315510e5dc8f17c5e2488db2bd
Instruction ID: d81bd55ceca09f5dab0041a3970c0a8ceb9ca2a3595307570c52b5c8d0ca74fd
Opcode Fuzzy Hash: 7b5b11ab7f63931d0702b504a47dae0dcffba9315510e5dc8f17c5e2488db2bd
Instruction Fuzzy Hash: 4711C971D15619CBDB18CFABD9412AEFBF7BBC8200F14C17AD818A7255EB3456019F44

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: dhcpmon.exe PID: 7024 Parent PID: 3424 dhcpmon.exeCOMMON

Executed Functions

Function 02E6A4AA, Relevance: 1.6, APIs: 1, Instructions: 79fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,00000E2C,F710CCD7,00000000,00000000,00000000,00000000), ref: 02E6A53D

Memory Dump Source

Source File: 00000007.00000002.703420209.0000000002E6A000.00000040.00000001.sdmp, Offset: 02E6A000, based on PE: false

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 57dd3a4364c00a6fb622bd61cf4645c1d7f17747b6de6f1fd2bd2ab898617e5d
Instruction ID: b4a836a12ec5f89904b6fb3ee96931053991542fbc6d267a5308f9110663b6de
Opcode Fuzzy Hash: 57dd3a4364c00a6fb622bd61cf4645c1d7f17747b6de6f1fd2bd2ab898617e5d
Instruction Fuzzy Hash: 37218171409380AFEB228F65DC44FA6BFB8EF06310F0884DBE9849F153D264A509CB72

Uniqueness

Uniqueness Score: -1.00%

Function 02E6A1F4, Relevance: 1.6, APIs: 1, Instructions: 60COMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNELBASE ref: 02E6A269

Memory Dump Source

Source File: 00000007.00000002.703420209.0000000002E6A000.00000040.00000001.sdmp, Offset: 02E6A000, based on PE: false

Similarity

API ID: ConsoleOutput
String ID:
API String ID: 3985236979-0
Opcode ID: 8d437b0bac44f9104f3cb714bfe5791b962b15f2ce753b77df6de3f4dd9fdf73
Instruction ID: a19a827ba7f92ecfc249a20f92b3c6d06f469c720fc1fdc45cc6b421fdb91997
Opcode Fuzzy Hash: 8d437b0bac44f9104f3cb714bfe5791b962b15f2ce753b77df6de3f4dd9fdf73
Instruction Fuzzy Hash: D6219A7544D3C05FD7138B658C94692BFB4EF03224F0E80EBD9848F2A3C268A909CB62

Uniqueness

Uniqueness Score: -1.00%

Function 02E6A4DE, Relevance: 1.6, APIs: 1, Instructions: 60fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,00000E2C,F710CCD7,00000000,00000000,00000000,00000000), ref: 02E6A53D

Memory Dump Source

Source File: 00000007.00000002.703420209.0000000002E6A000.00000040.00000001.sdmp, Offset: 02E6A000, based on PE: false

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: d7750b4b38b5de0c6fc55ba6b72ec190981005351e481e0b27d1755be171151f
Instruction ID: 63c4222746d10faa8d7eed8441057879e521514359aa7e085c598239cbb3ac83
Opcode Fuzzy Hash: d7750b4b38b5de0c6fc55ba6b72ec190981005351e481e0b27d1755be171151f
Instruction Fuzzy Hash: 1B11BFB1940300AFEB21CF55DD44BAAFBA8EF04320F14846AED459B656D274E408CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 02E6A23A, Relevance: 1.5, APIs: 1, Instructions: 34COMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNELBASE ref: 02E6A269

Memory Dump Source

Source File: 00000007.00000002.703420209.0000000002E6A000.00000040.00000001.sdmp, Offset: 02E6A000, based on PE: false

Similarity

API ID: ConsoleOutput
String ID:
API String ID: 3985236979-0
Opcode ID: e79d09e86884442e5cb13f391993bc27cac084b158ebe538645f97f2bbcb5978
Instruction ID: 137ed8565f3bdd6c32de4a3ba21af46abdb8e517dd4847f749c9ad1457b89abe
Opcode Fuzzy Hash: e79d09e86884442e5cb13f391993bc27cac084b158ebe538645f97f2bbcb5978
Instruction Fuzzy Hash: 5FF0AF309843448FDB208F46D888761FB90EF04624F18D0AADD094F746D379E448CAA2

Uniqueness

Uniqueness Score: -1.00%

Function 0562010F, Relevance: 1.5, Strings: 1, Instructions: 226COMMON

Download Yara Rule

Strings

:@fq, xrefs: 056202C5

Memory Dump Source

Source File: 00000007.00000002.704309911.0000000005620000.00000040.00000001.sdmp, Offset: 05620000, based on PE: false

Similarity

API ID:
String ID: :@fq
API String ID: 0-3673016210
Opcode ID: 0358d59652cc7c8880f110fb056dbc2823168b119abb904b9647be437b970d45
Instruction ID: 15f6ade76e3ac95e46230f5f81709e388bfe892a5f6814e231bb1f51f42cb61f
Opcode Fuzzy Hash: 0358d59652cc7c8880f110fb056dbc2823168b119abb904b9647be437b970d45
Instruction Fuzzy Hash: 3F919C30A412118FCB64DB7AD458BAD7BF7FB88350F1484A9E80A9B794CB759C85CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02E62477, Relevance: 1.4, Strings: 1, Instructions: 191COMMON

Download Yara Rule

Strings

1'r<, xrefs: 02E624AC

Memory Dump Source

Source File: 00000007.00000002.703396738.0000000002E62000.00000040.00000001.sdmp, Offset: 02E62000, based on PE: false

Similarity

API ID:
String ID: 1'r<
API String ID: 0-1723299662
Opcode ID: a75fe8a341d56d10a723799ad804885a2044eb9dd31951030d9377b5779e1909
Instruction ID: 72b93aaa7b9c44b2ed436b68df344ef21c75ba61da734f5db3eddc63dab33324
Opcode Fuzzy Hash: a75fe8a341d56d10a723799ad804885a2044eb9dd31951030d9377b5779e1909
Instruction Fuzzy Hash: 4661AD6698E3C19FD71387345C392A4BF709F676A0B4AA0CBD984CF1E3E118584AC763

Uniqueness

Uniqueness Score: -1.00%

Function 05620818, Relevance: .4, Instructions: 371COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.704309911.0000000005620000.00000040.00000001.sdmp, Offset: 05620000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 882befce566650c9f64c907aa02b2cb7ae702829b82ac339792eef1067f305ab
Instruction ID: 7ecac44d73913f661b21fef8206dd0487aea373d3e84e9434d3bb5f05e013a26
Opcode Fuzzy Hash: 882befce566650c9f64c907aa02b2cb7ae702829b82ac339792eef1067f305ab
Instruction Fuzzy Hash: DCF17D30640A11CFDB28CF65D488A3A77BBFBC8365B24855CD8468B788CB71EC46CB91

Uniqueness

Uniqueness Score: -1.00%

Function 056206E8, Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.704309911.0000000005620000.00000040.00000001.sdmp, Offset: 05620000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c63b28fb400f9fb60858c8f6328e3432a7ededc897310717442c704e020b144b
Instruction ID: 09a7d288d672f4835a59e883728d6a9fbda7a628fee9c81d20e5617c37d0c253
Opcode Fuzzy Hash: c63b28fb400f9fb60858c8f6328e3432a7ededc897310717442c704e020b144b
Instruction Fuzzy Hash: 00314A313052128FCB59A77CD418A2D37E3AF85355B1544BCE406DF7A1EE3ACC458B92

Uniqueness

Uniqueness Score: -1.00%

Function 056206F8, Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.704309911.0000000005620000.00000040.00000001.sdmp, Offset: 05620000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43f6ea6c270d0227190cb0912238d62e9bce442ccd8378610e9cf3532f581253
Instruction ID: 9d6c5488337bee225b1c60f5e249705d3856580867cab021b6fecacc893e1516
Opcode Fuzzy Hash: 43f6ea6c270d0227190cb0912238d62e9bce442ccd8378610e9cf3532f581253
Instruction Fuzzy Hash: 6A2139317012128FCB58AB7CD01CA2E36E7AF85355B1484BCE506DF7A1EE3ADC458B91

Uniqueness

Uniqueness Score: -1.00%

Function 05620DD0, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.704309911.0000000005620000.00000040.00000001.sdmp, Offset: 05620000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fae6cce0bcbfa07eea4f802b361ee480b8407667b2e565e7db7a4d7b045414c
Instruction ID: 1bdaf45b6d24288b1a46f4b4639d41704c42eb5103fbfaa85945e1b24990353d
Opcode Fuzzy Hash: 3fae6cce0bcbfa07eea4f802b361ee480b8407667b2e565e7db7a4d7b045414c
Instruction Fuzzy Hash: 5E11D230A453449BC715E7B998156AE3BABEF89310F2080A5EA04DF7D5CE749D06CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 02F205CF, Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.703655088.0000000002F20000.00000040.00000040.sdmp, Offset: 02F20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c21dd723f6edeabde17394d41311e4f6b7fa38bdf8ed62b489264e27cd894474
Instruction ID: 2ba6652b2fc64ef08ec6d25531331fce863c4dd0cb82b8fd570d280550931d82
Opcode Fuzzy Hash: c21dd723f6edeabde17394d41311e4f6b7fa38bdf8ed62b489264e27cd894474
Instruction Fuzzy Hash: 7301A27650D7806FD7128B16DC41872FFB8EF86620709C4DFEC89CB652D225A809CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 056200C0, Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.704309911.0000000005620000.00000040.00000001.sdmp, Offset: 05620000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 315ee2bf99cbca09f8e23d9d1bd818dffc924f9b20639e8cd15f65857f096b93
Instruction ID: c76a76f2777406f4b63dda9e4bc286b85972e8b230dac2497b3843abe69f16fc
Opcode Fuzzy Hash: 315ee2bf99cbca09f8e23d9d1bd818dffc924f9b20639e8cd15f65857f096b93
Instruction Fuzzy Hash: 40F08271D053998FCF51CFB9D8849DEBFF4EA49210B1441AAC448E7202E2350515CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 05620EF7, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.704309911.0000000005620000.00000040.00000001.sdmp, Offset: 05620000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e91b8c6d3193b3d38471ac29f08d15cd5f709bd7e22501409a67085d1b44119d
Instruction ID: e367959d4ec5d7f0f41b6fc53b3923c0073f57fbe385e12e20e5dfc70919b5e5
Opcode Fuzzy Hash: e91b8c6d3193b3d38471ac29f08d15cd5f709bd7e22501409a67085d1b44119d
Instruction Fuzzy Hash: EEF0B4342052408FC310EB7CE88492637EEDF89314B1584EAD404CB7A1CA35AC00CB92

Uniqueness

Uniqueness Score: -1.00%

Function 02F205F6, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.703655088.0000000002F20000.00000040.00000040.sdmp, Offset: 02F20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b158dc399cd7da53e55c96f6739e5f06d2a7d0bc08c174b5062b43476fbff32c
Instruction ID: dcc1d3d23da11fb3a6ac0f4c6b533ec855b9455487be797953ca01a0ae4b8bc8
Opcode Fuzzy Hash: b158dc399cd7da53e55c96f6739e5f06d2a7d0bc08c174b5062b43476fbff32c
Instruction Fuzzy Hash: C4E06D766446005BD650DF0AEC41462FBD8EB84630B18C06BDC0D8B700E535B5088EA5

Uniqueness

Uniqueness Score: -1.00%

Function 056203C5, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.704309911.0000000005620000.00000040.00000001.sdmp, Offset: 05620000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f77332ce4b14f790b31124609703667309f3e736f31070848083a487366effcc
Instruction ID: edc3d8b362e1d2618b217f6e0b5c347d67b01ea6536d8e51cab2ac1a83b6fd85
Opcode Fuzzy Hash: f77332ce4b14f790b31124609703667309f3e736f31070848083a487366effcc
Instruction Fuzzy Hash: FFF03930E80626CFDB24EBA9C15C7AC7BF1AF88320F544859C402AB6A0DF7848C8DF55

Uniqueness

Uniqueness Score: -1.00%

Function 05620F08, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.704309911.0000000005620000.00000040.00000001.sdmp, Offset: 05620000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f61b229f9c3cbceb5bf38deba4c931de33670647effa43df4d4ea65015e059a1
Instruction ID: 8f044620ffc175f3a22907c9bdf5671ffa129a79e2b8ec3bb74fc3f11e8283bc
Opcode Fuzzy Hash: f61b229f9c3cbceb5bf38deba4c931de33670647effa43df4d4ea65015e059a1
Instruction Fuzzy Hash: 95E01A357111148FC764EB6DE448A6A37EFEB8D324B5081AAE809DB3A0DE74AC04CB91

Uniqueness

Uniqueness Score: -1.00%

Function 056200D0, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.704309911.0000000005620000.00000040.00000001.sdmp, Offset: 05620000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4efaa1ff60da073723481a3ba2b64ce1fcf708cd762266339665da236e42d0ed
Instruction ID: 06713b845bbc539f173ba55ec44285959f2a28332169078563e29c48321b8efa
Opcode Fuzzy Hash: 4efaa1ff60da073723481a3ba2b64ce1fcf708cd762266339665da236e42d0ed
Instruction Fuzzy Hash: 1CE09A71D0521D9F8F40DFFA99495DEBFF8EB48250F500466D508E3200E33156158BE1

Uniqueness

Uniqueness Score: -1.00%

Function 02E623F4, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.703396738.0000000002E62000.00000040.00000001.sdmp, Offset: 02E62000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 669c5623f2a320fd882f112e32f430e1ad7e9a86d7e5541def343d15a5a3721f
Instruction ID: de2e2f75ad998771de98ad465b4791eb19b40144e8232872af07954d2f56430b
Opcode Fuzzy Hash: 669c5623f2a320fd882f112e32f430e1ad7e9a86d7e5541def343d15a5a3721f
Instruction Fuzzy Hash: D7D05E79285A914FD3268A1CC1ACBA53BD4AF52B08F4684F9EC008BA67C769D681E200

Uniqueness

Uniqueness Score: -1.00%

Function 02E623BC, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.703396738.0000000002E62000.00000040.00000001.sdmp, Offset: 02E62000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 976c2448a0ab0ae4ef3c6efb0a6ce5035dc4c481a19844963dd1f9405d8409bd
Instruction ID: 88178adbebb6b832d23958abc4248ee81192a4571a9ce9b1c9e8e02a1c85c7de
Opcode Fuzzy Hash: 976c2448a0ab0ae4ef3c6efb0a6ce5035dc4c481a19844963dd1f9405d8409bd
Instruction Fuzzy Hash: B7D05E342C02824BC715DB0CC598F6937D4AB41B08F0A94E9AD108B266C7A4D881C600

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries.
Tactics:	Command and Control
Data Sources:	Network intrusion detection system, Network protocol analysis, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report oE6O5K1emC.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: NanoCore

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets