Play interactive tour

Edit tour

Analysis Report YfceI5MZX4.exe

Overview

General Information

Sample Name:	YfceI5MZX4.exe
Analysis ID:	385233
MD5:	a3cbeb3e732b11954572b3ee6755242c
SHA1:	ebb41b49de8f1b09ea20dabffcfd85b93b68d7f3
SHA256:	e006460ad1e34ddbbc28430c2d529a7ee491893c7ae8b6902b2d8d8c56620510
Tags:	exeNanoCorenVpnRAT
Infos:
Most interesting Screenshot:

Detection

Nanocore

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected Nanocore Rat

Found malware configuration

Malicious sample detected (through community Yara rule)

Sigma detected: NanoCore

Sigma detected: Scheduled temp file as task from temp location

Yara detected AntiVM3

Yara detected Nanocore RAT

.NET source code contains potential unpacker

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses dynamic DNS services

Uses schtasks.exe or at.exe to add and modify task schedules

Writes to foreign memory regions

Antivirus or Machine Learning detection for unpacked file

Contains capabilities to detect virtual machines

Contains functionality to call native functions

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

IP address seen in connection with other malware

Installs a raw input device (often for capturing keystrokes)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains strange resources

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Tries to resolve domain names, but no domain seems valid (expired dropper behavior)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Startup

System is w10x64

YfceI5MZX4.exe (PID: 6136 cmdline: 'C:\Users\user\Desktop\YfceI5MZX4.exe' MD5: A3CBEB3E732B11954572B3EE6755242C)

schtasks.exe (PID: 5564 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\gmSlQSien' /XML 'C:\Users\user\AppData\Local\Temp\tmp7762.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 2908 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

RegSvcs.exe (PID: 5996 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe MD5: 71369277D09DA0830C8C59F9E22BB23A)

dhcpmon.exe (PID: 6464 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: 71369277D09DA0830C8C59F9E22BB23A)

conhost.exe (PID: 6472 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "f57d5a77-8670-45ef-b736-5f3a07b6", "Group": "Addora", "Domain1": "79.134.225.30", "Domain2": "nassiru1155.ddns.net", "Port": 1144, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000005.00000002.500274474.0000000003FBB000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000005.00000002.500274474.0000000003FBB000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xf3e5:$a: NanoCore 0xf43e:$a: NanoCore 0xf47b:$a: NanoCore 0xf4f4:$a: NanoCore 0x22b9f:$a: NanoCore 0x22bb4:$a: NanoCore 0x22be9:$a: NanoCore 0x3b66b:$a: NanoCore 0x3b680:$a: NanoCore 0x3b6b5:$a: NanoCore 0xf447:$b: ClientPlugin 0xf484:$b: ClientPlugin 0xfd82:$b: ClientPlugin 0xfd8f:$b: ClientPlugin 0x2295b:$b: ClientPlugin 0x22976:$b: ClientPlugin 0x229a6:$b: ClientPlugin 0x22bbd:$b: ClientPlugin 0x22bf2:$b: ClientPlugin 0x3b427:$b: ClientPlugin 0x3b442:$b: ClientPlugin
00000005.00000002.492901504.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000005.00000002.492901504.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000005.00000002.492901504.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000005.00000002.501754781.0000000005470000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
00000005.00000002.501754781.0000000005470000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
00000000.00000002.247117060.0000000002945000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000000.00000002.248677483.0000000003AB9000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xa8fb5:$x1: NanoCore.ClientPluginHost 0xdb7d5:$x1: NanoCore.ClientPluginHost 0xa8ff2:$x2: IClientNetworkHost 0xdb812:$x2: IClientNetworkHost 0xacb25:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xdf345:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.248677483.0000000003AB9000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.248677483.0000000003AB9000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xa8d1d:$a: NanoCore 0xa8d2d:$a: NanoCore 0xa8f61:$a: NanoCore 0xa8f75:$a: NanoCore 0xa8fb5:$a: NanoCore 0xdb53d:$a: NanoCore 0xdb54d:$a: NanoCore 0xdb781:$a: NanoCore 0xdb795:$a: NanoCore 0xdb7d5:$a: NanoCore 0xa8d7c:$b: ClientPlugin 0xa8f7e:$b: ClientPlugin 0xa8fbe:$b: ClientPlugin 0xdb59c:$b: ClientPlugin 0xdb79e:$b: ClientPlugin 0xdb7de:$b: ClientPlugin 0xa8ea3:$c: ProjectData 0xdb6c3:$c: ProjectData 0xa98aa:$d: DESCrypto 0xdc0ca:$d: DESCrypto 0xb1276:$e: KeepAlive
00000005.00000002.502139157.00000000058D0000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
00000005.00000002.502139157.00000000058D0000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
00000005.00000002.502139157.00000000058D0000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: YfceI5MZX4.exe PID: 6136	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: RegSvcs.exe PID: 5996	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2107b:$x1: NanoCore.ClientPluginHost 0x26c3a:$x1: NanoCore.ClientPluginHost 0x37aaf:$x1: NanoCore.ClientPluginHost 0x239731:$x1: NanoCore.ClientPluginHost 0x261574:$x1: NanoCore.ClientPluginHost 0x2f32b6:$x1: NanoCore.ClientPluginHost 0x362572:$x1: NanoCore.ClientPluginHost 0x210a1:$x2: IClientNetworkHost 0x26c7f:$x2: IClientNetworkHost 0x37af4:$x2: IClientNetworkHost 0x239792:$x2: IClientNetworkHost 0x26159a:$x2: IClientNetworkHost 0x2f32fb:$x2: IClientNetworkHost 0x362598:$x2: IClientNetworkHost 0x23eb97:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x24cb09:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: RegSvcs.exe PID: 5996	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: RegSvcs.exe PID: 5996	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x20f6d:$a: NanoCore 0x2100e:$a: NanoCore 0x2107b:$a: NanoCore 0x2113c:$a: NanoCore 0x2200d:$a: NanoCore 0x22060:$a: NanoCore 0x22099:$a: NanoCore 0x2210c:$a: NanoCore 0x26bb4:$a: NanoCore 0x26be1:$a: NanoCore 0x26c3a:$a: NanoCore 0x2e449:$a: NanoCore 0x2e45c:$a: NanoCore 0x2e48e:$a: NanoCore 0x37a29:$a: NanoCore 0x37a56:$a: NanoCore 0x37aaf:$a: NanoCore 0x3f2be:$a: NanoCore 0x3f2d1:$a: NanoCore 0x3f303:$a: NanoCore 0x239236:$a: NanoCore
Click to see the 13 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.YfceI5MZX4.exe.3b51e28.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x429ad:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x429ea:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x4651d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.YfceI5MZX4.exe.3b51e28.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x42725:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x429ad:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x43fe6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x43fda:$s2: FileCommand 0x1266b:$s3: PipeExists 0x44e8b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x4ac42:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost 0x429d7:$s5: IClientLoggingHost
0.2.YfceI5MZX4.exe.3b51e28.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.YfceI5MZX4.exe.3b51e28.3.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0x42715:$a: NanoCore 0x42725:$a: NanoCore 0x42959:$a: NanoCore 0x4296d:$a: NanoCore 0x429ad:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x42774:$b: ClientPlugin 0x42976:$b: ClientPlugin 0x429b6:$b: ClientPlugin 0x1007b:$c: ProjectData 0x4289b:$c: ProjectData 0x10a82:$d: DESCrypto 0x432a2:$d: DESCrypto 0x1844e:$e: KeepAlive
5.2.RegSvcs.exe.3fd2a65.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0x23c50:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost 0x23c7d:$x2: IClientNetworkHost
5.2.RegSvcs.exe.3fd2a65.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0x23c50:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0x24d2b:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost 0x23c6a:$s5: IClientLoggingHost
5.2.RegSvcs.exe.3fd2a65.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
5.2.RegSvcs.exe.58d0000.9.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
5.2.RegSvcs.exe.58d0000.9.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
5.2.RegSvcs.exe.58d0000.9.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
5.2.RegSvcs.exe.5470000.6.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
5.2.RegSvcs.exe.5470000.6.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
5.2.RegSvcs.exe.58d4629.10.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost
5.2.RegSvcs.exe.58d4629.10.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost
5.2.RegSvcs.exe.58d4629.10.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
5.2.RegSvcs.exe.3fc9606.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0x145e3:$x1: NanoCore.ClientPluginHost 0x2d0af:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost 0x14610:$x2: IClientNetworkHost 0x2d0dc:$x2: IClientNetworkHost
5.2.RegSvcs.exe.3fc9606.2.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x145e3:$x2: NanoCore.ClientPluginHost 0x2d0af:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0x156be:$s4: PipeCreated 0x2e18a:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost 0x145fd:$s5: IClientLoggingHost 0x2d0c9:$s5: IClientLoggingHost
5.2.RegSvcs.exe.3fc9606.2.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
5.2.RegSvcs.exe.3fc9606.2.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xddf:$a: NanoCore 0xe38:$a: NanoCore 0xe75:$a: NanoCore 0xeee:$a: NanoCore 0x14599:$a: NanoCore 0x145ae:$a: NanoCore 0x145e3:$a: NanoCore 0x2d065:$a: NanoCore 0x2d07a:$a: NanoCore 0x2d0af:$a: NanoCore 0xe41:$b: ClientPlugin 0xe7e:$b: ClientPlugin 0x177c:$b: ClientPlugin 0x1789:$b: ClientPlugin 0x14355:$b: ClientPlugin 0x14370:$b: ClientPlugin 0x143a0:$b: ClientPlugin 0x145b7:$b: ClientPlugin 0x145ec:$b: ClientPlugin 0x2ce21:$b: ClientPlugin 0x2ce3c:$b: ClientPlugin
5.2.RegSvcs.exe.2f9139c.1.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
5.2.RegSvcs.exe.2f9139c.1.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
5.2.RegSvcs.exe.3fce43c.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0x28279:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost 0x282a6:$x2: IClientNetworkHost
5.2.RegSvcs.exe.3fce43c.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x28279:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0x29354:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost 0x28293:$s5: IClientLoggingHost
5.2.RegSvcs.exe.3fce43c.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
5.2.RegSvcs.exe.3fce43c.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
5.2.RegSvcs.exe.3fce43c.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
5.2.RegSvcs.exe.3fce43c.4.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
5.2.RegSvcs.exe.58d0000.9.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
5.2.RegSvcs.exe.58d0000.9.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
5.2.RegSvcs.exe.58d0000.9.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
5.2.RegSvcs.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
5.2.RegSvcs.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
5.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
5.2.RegSvcs.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
0.2.YfceI5MZX4.exe.3b51e28.3.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.YfceI5MZX4.exe.3b51e28.3.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
0.2.YfceI5MZX4.exe.3b51e28.3.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.YfceI5MZX4.exe.3b51e28.3.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
Click to see the 33 entries

Sigma Overview

System Summary:

Sigma detected: NanoCore

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, ProcessId: 5996, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Sigma detected: Scheduled temp file as task from temp location

Show sources

Source: Process started

Author: Joe Security: Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\gmSlQSien' /XML 'C:\Users\user\AppData\Local\Temp\tmp7762.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\gmSlQSien' /XML 'C:\Users\user\AppData\Local\Temp\tmp7762.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\YfceI5MZX4.exe' , ParentImage: C:\Users\user\Desktop\YfceI5MZX4.exe, ParentProcessId: 6136, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\gmSlQSien' /XML 'C:\Users\user\AppData\Local\Temp\tmp7762.tmp', ProcessId: 5564

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 00000005.00000002.500274474.0000000003FBB000.00000004.00000001.sdmp

Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "f57d5a77-8670-45ef-b736-5f3a07b6", "Group": "Addora", "Domain1": "79.134.225.30", "Domain2": "nassiru1155.ddns.net", "Port": 1144, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000005.00000002.500274474.0000000003FBB000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.492901504.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.248677483.0000000003AB9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.502139157.00000000058D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 5996, type: MEMORY
Source: Yara match	File source: 0.2.YfceI5MZX4.exe.3b51e28.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.3fd2a65.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.58d0000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.58d4629.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.3fc9606.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.3fce43c.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.3fce43c.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.58d0000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.YfceI5MZX4.exe.3b51e28.3.unpack, type: UNPACKEDPE

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\gmSlQSien.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Show sources

Source: YfceI5MZX4.exe

Joe Sandbox ML: detected

Source: 5.2.RegSvcs.exe.58d0000.9.unpack	Avira: Label: TR/NanoCore.fadte
Source: 5.2.RegSvcs.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7

Source: YfceI5MZX4.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: C:\Users\user\Desktop\YfceI5MZX4.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Jump to behavior

Source: YfceI5MZX4.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: symbols\dll\System.pdb source: RegSvcs.exe, 00000005.00000002.502127000.00000000058CC000.00000004.00000001.sdmp
Source:	Binary string: C:\Windows\System.pdbzz source: RegSvcs.exe, 00000005.00000002.496361214.0000000002B05000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\dll\System.pdb source: RegSvcs.exe, 00000005.00000002.496361214.0000000002B05000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.pdb source: RegSvcs.exe, 00000005.00000002.496361214.0000000002B05000.00000004.00000040.sdmp
Source:	Binary string: oC:\Windows\System.pdb source: RegSvcs.exe, 00000005.00000002.502127000.00000000058CC000.00000004.00000001.sdmp
Source:	Binary string: System.pdb H source: RegSvcs.exe, 00000005.00000002.502127000.00000000058CC000.00000004.00000001.sdmp
Source:	Binary string: indows\RegSvcs.pdbpdbvcs.pdb source: RegSvcs.exe, 00000005.00000002.496361214.0000000002B05000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\symbols\exe\RegSvcs.pdb source: RegSvcs.exe, 00000005.00000002.496361214.0000000002B05000.00000004.00000040.sdmp
Source:	Binary string: RegSvcs.pdb source: RegSvcs.exe, 00000005.00000003.247448254.0000000001128000.00000004.00000001.sdmp, dhcpmon.exe, dhcpmon.exe.5.dr
Source:	Binary string: C:\Windows\assembly\GA.pdbL\System\2.0.0.0__b77a5c561934e089\System.dll source: RegSvcs.exe, 00000005.00000002.502127000.00000000058CC000.00000004.00000001.sdmp
Source:	Binary string: indows\System.pdbpdbtem.pdb source: RegSvcs.exe, 00000005.00000002.496361214.0000000002B05000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\symbols\dll\System.pdb source: RegSvcs.exe, 00000005.00000002.496361214.0000000002B05000.00000004.00000040.sdmp
Source:	Binary string: System.pdb source: RegSvcs.exe, 00000005.00000002.496361214.0000000002B05000.00000004.00000040.sdmp
Source:	Binary string: mscorrc.pdb source: YfceI5MZX4.exe, 00000000.00000002.253471849.0000000006A00000.00000002.00000001.sdmp, RegSvcs.exe, 00000005.00000002.501899583.00000000055F0000.00000002.00000001.sdmp
Source:	Binary string: C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdb source: RegSvcs.exe, 00000005.00000002.496361214.0000000002B05000.00000004.00000040.sdmp
Source:	Binary string: System.pdbSystem.pdbpdbtem.pdbm\2.0.0.0__b77a5c561934e089\System.pdb source: RegSvcs.exe, 00000005.00000002.502127000.00000000058CC000.00000004.00000001.sdmp

Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h	0_2_04975DD0
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h	0_2_04975DE0
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h	0_2_04975F10
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h	0_2_04975F20

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor	URLs: nassiru1155.ddns.net
Source: Malware configuration extractor	URLs: 79.134.225.30

Uses dynamic DNS services

Show sources

Source: unknown

DNS query: name: nassiru1155.ddns.net

Source: global traffic

TCP traffic: 192.168.2.5:49699 -> 79.134.225.30:1144

Source: Joe Sandbox View

IP Address: 79.134.225.30 79.134.225.30

Source: Joe Sandbox View

ASN Name: FINK-TELECOM-SERVICESCH FINK-TELECOM-SERVICESCH

Source: unknown

DNS traffic detected: query: nassiru1155.ddns.net replaycode: Name error (3)

Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.30
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.30
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.30
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.30
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.30
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.30
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.30
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.30
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.30
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.30
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.30
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.30
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.30
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.30
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.30
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.30
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.30
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.30

Source: unknown

DNS traffic detected: queries for: nassiru1155.ddns.net

Source: YfceI5MZX4.exe, 00000000.00000002.252311067.0000000006042000.00000004.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: YfceI5MZX4.exe, 00000000.00000002.252311067.0000000006042000.00000004.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: YfceI5MZX4.exe, 00000000.00000002.252311067.0000000006042000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: YfceI5MZX4.exe, 00000000.00000002.252311067.0000000006042000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: YfceI5MZX4.exe, 00000000.00000003.233084984.0000000004D0D000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: YfceI5MZX4.exe, 00000000.00000002.252311067.0000000006042000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: YfceI5MZX4.exe, 00000000.00000002.252311067.0000000006042000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: YfceI5MZX4.exe, 00000000.00000002.252311067.0000000006042000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: YfceI5MZX4.exe, 00000000.00000002.252311067.0000000006042000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: YfceI5MZX4.exe, 00000000.00000002.252311067.0000000006042000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: YfceI5MZX4.exe, 00000000.00000002.252311067.0000000006042000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: YfceI5MZX4.exe, 00000000.00000003.245702831.0000000004D00000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.coma
Source: YfceI5MZX4.exe, 00000000.00000003.245702831.0000000004D00000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comiona=
Source: YfceI5MZX4.exe, 00000000.00000002.252311067.0000000006042000.00000004.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: YfceI5MZX4.exe, 00000000.00000003.227190711.0000000004D1B000.00000004.00000001.sdmp	String found in binary or memory: http://www.fonts.comX
Source: YfceI5MZX4.exe, 00000000.00000003.227156723.0000000004D1B000.00000004.00000001.sdmp	String found in binary or memory: http://www.fonts.comtem7W
Source: YfceI5MZX4.exe, 00000000.00000002.252311067.0000000006042000.00000004.00000001.sdmp, YfceI5MZX4.exe, 00000000.00000003.228908914.0000000004D3D000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: YfceI5MZX4.exe, 00000000.00000003.229242210.0000000004D04000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/
Source: YfceI5MZX4.exe, 00000000.00000002.252311067.0000000006042000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: YfceI5MZX4.exe, 00000000.00000002.252311067.0000000006042000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: YfceI5MZX4.exe, 00000000.00000003.228931312.0000000004D04000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cne
Source: YfceI5MZX4.exe, 00000000.00000003.229331040.0000000004D0B000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cnmf
Source: YfceI5MZX4.exe, 00000000.00000003.229242210.0000000004D04000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cnsof
Source: YfceI5MZX4.exe, 00000000.00000002.252311067.0000000006042000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: YfceI5MZX4.exe, 00000000.00000002.252311067.0000000006042000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: YfceI5MZX4.exe, 00000000.00000002.252311067.0000000006042000.00000004.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: YfceI5MZX4.exe, 00000000.00000002.252311067.0000000006042000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: YfceI5MZX4.exe, 00000000.00000003.230882117.0000000004D04000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/&t
Source: YfceI5MZX4.exe, 00000000.00000003.230882117.0000000004D04000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/=t
Source: YfceI5MZX4.exe, 00000000.00000003.230882117.0000000004D04000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/Lt
Source: YfceI5MZX4.exe, 00000000.00000003.230882117.0000000004D04000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/gt
Source: YfceI5MZX4.exe, 00000000.00000003.230882117.0000000004D04000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: YfceI5MZX4.exe, 00000000.00000003.230882117.0000000004D04000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/ut
Source: YfceI5MZX4.exe, 00000000.00000003.230882117.0000000004D04000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/x
Source: YfceI5MZX4.exe, 00000000.00000003.227000738.0000000004D1B000.00000004.00000001.sdmp, YfceI5MZX4.exe, 00000000.00000002.252311067.0000000006042000.00000004.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: YfceI5MZX4.exe, 00000000.00000002.252311067.0000000006042000.00000004.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: YfceI5MZX4.exe, 00000000.00000002.252311067.0000000006042000.00000004.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: YfceI5MZX4.exe, 00000000.00000003.228260396.0000000004D09000.00000004.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.krAh
Source: YfceI5MZX4.exe, 00000000.00000003.228260396.0000000004D09000.00000004.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.krN.TTFp
Source: YfceI5MZX4.exe, 00000000.00000002.252311067.0000000006042000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: YfceI5MZX4.exe, 00000000.00000003.227413461.0000000004D1B000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiro.comtn
Source: YfceI5MZX4.exe, 00000000.00000002.252311067.0000000006042000.00000004.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: YfceI5MZX4.exe, 00000000.00000002.252311067.0000000006042000.00000004.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: YfceI5MZX4.exe, 00000000.00000002.252311067.0000000006042000.00000004.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: YfceI5MZX4.exe, 00000000.00000002.247117060.0000000002945000.00000004.00000001.sdmp	String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css

Source: RegSvcs.exe, 00000005.00000002.500274474.0000000003FBB000.00000004.00000001.sdmp

Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000005.00000002.500274474.0000000003FBB000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.492901504.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.248677483.0000000003AB9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.502139157.00000000058D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 5996, type: MEMORY
Source: Yara match	File source: 0.2.YfceI5MZX4.exe.3b51e28.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.3fd2a65.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.58d0000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.58d4629.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.3fc9606.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.3fce43c.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.3fce43c.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.58d0000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.YfceI5MZX4.exe.3b51e28.3.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000005.00000002.500274474.0000000003FBB000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000002.492901504.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000002.492901504.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000002.501754781.0000000005470000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.248677483.0000000003AB9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.248677483.0000000003AB9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000002.502139157.00000000058D0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: RegSvcs.exe PID: 5996, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: RegSvcs.exe PID: 5996, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.YfceI5MZX4.exe.3b51e28.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.YfceI5MZX4.exe.3b51e28.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.RegSvcs.exe.3fd2a65.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.RegSvcs.exe.58d0000.9.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.RegSvcs.exe.5470000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.RegSvcs.exe.58d4629.10.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.RegSvcs.exe.3fc9606.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.RegSvcs.exe.3fc9606.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.RegSvcs.exe.2f9139c.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.RegSvcs.exe.3fce43c.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.RegSvcs.exe.3fce43c.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.RegSvcs.exe.58d0000.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.YfceI5MZX4.exe.3b51e28.3.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.YfceI5MZX4.exe.3b51e28.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>

Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Code function: 0_2_06A9088E NtQueryInformationProcess,	0_2_06A9088E
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Code function: 0_2_06A909FE NtQuerySystemInformation,	0_2_06A909FE
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Code function: 0_2_06A9086C NtQueryInformationProcess,	0_2_06A9086C
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Code function: 0_2_06A909C3 NtQuerySystemInformation,	0_2_06A909C3
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 5_2_052A144A NtQuerySystemInformation,	5_2_052A144A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 5_2_052A1428 NtQuerySystemInformation,	5_2_052A1428

Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Code function: 0_2_001685C8	0_2_001685C8
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Code function: 0_2_00A12E09	0_2_00A12E09
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Code function: 0_2_04972E98	0_2_04972E98
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Code function: 0_2_04973ED1	0_2_04973ED1
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Code function: 0_2_04972AE8	0_2_04972AE8
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Code function: 0_2_049734E8	0_2_049734E8
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Code function: 0_2_04975985	0_2_04975985
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Code function: 0_2_049715D0	0_2_049715D0
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Code function: 0_2_04971148	0_2_04971148
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Code function: 0_2_04972E87	0_2_04972E87
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Code function: 0_2_049742A1	0_2_049742A1
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Code function: 0_2_04975AD7	0_2_04975AD7
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Code function: 0_2_04972AD9	0_2_04972AD9
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Code function: 0_2_04970070	0_2_04970070
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Code function: 0_2_04970710	0_2_04970710
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Code function: 0_2_04B2F8B0	0_2_04B2F8B0
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Code function: 0_2_04B268B8	0_2_04B268B8
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Code function: 0_2_04B28080	0_2_04B28080
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Code function: 0_2_04B240DF	0_2_04B240DF
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Code function: 0_2_04B24410	0_2_04B24410
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Code function: 0_2_04B261D0	0_2_04B261D0
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Code function: 0_2_04B2D698	0_2_04B2D698
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Code function: 0_2_04B24EE0	0_2_04B24EE0
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Code function: 0_2_04B27210	0_2_04B27210
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Code function: 0_2_04B25261	0_2_04B25261
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Code function: 0_2_04B2A3A1	0_2_04B2A3A1
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Code function: 0_2_04B29828	0_2_04B29828
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Code function: 0_2_04B29819	0_2_04B29819
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Code function: 0_2_04B28002	0_2_04B28002
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Code function: 0_2_04B24400	0_2_04B24400
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Code function: 0_2_04B29DB8	0_2_04B29DB8
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Code function: 0_2_04B29DA9	0_2_04B29DA9
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Code function: 0_2_04B2A1E8	0_2_04B2A1E8
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Code function: 0_2_04B28DE8	0_2_04B28DE8
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Code function: 0_2_04B28DD8	0_2_04B28DD8
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Code function: 0_2_04B2A1D8	0_2_04B2A1D8
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Code function: 0_2_04B2D930	0_2_04B2D930
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Code function: 0_2_04B2613B	0_2_04B2613B
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Code function: 0_2_04B2E940	0_2_04B2E940
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Code function: 0_2_04B2DED0	0_2_04B2DED0
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Code function: 0_2_04B24ED0	0_2_04B24ED0
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Code function: 0_2_04B25600	0_2_04B25600
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Code function: 0_2_04B2AE73	0_2_04B2AE73
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Code function: 0_2_04B29FB0	0_2_04B29FB0
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Code function: 0_2_04B29FAC	0_2_04B29FAC
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 5_2_02A67ABF	5_2_02A67ABF
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 5_2_05183850	5_2_05183850
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 5_2_0518B068	5_2_0518B068
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 5_2_05188798	5_2_05188798
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 5_2_05182FA8	5_2_05182FA8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 5_2_051823A0	5_2_051823A0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 5_2_0518945F	5_2_0518945F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 5_2_05189C40	5_2_05189C40
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 5_2_0518306F	5_2_0518306F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 5_2_05189398	5_2_05189398

Source: YfceI5MZX4.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: YfceI5MZX4.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: YfceI5MZX4.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: gmSlQSien.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: gmSlQSien.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: gmSlQSien.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: YfceI5MZX4.exe	Binary or memory string: OriginalFilename vs YfceI5MZX4.exe
Source: YfceI5MZX4.exe, 00000000.00000002.255010686.0000000006E30000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameDSASignature.dll" vs YfceI5MZX4.exe
Source: YfceI5MZX4.exe, 00000000.00000002.253471849.0000000006A00000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs YfceI5MZX4.exe
Source: YfceI5MZX4.exe, 00000000.00000002.255623504.0000000007370000.00000002.00000001.sdmp	Binary or memory string: System.OriginalFileName vs YfceI5MZX4.exe
Source: YfceI5MZX4.exe, 00000000.00000002.245810299.0000000000162000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameHostProtectionAttribute.exe> vs YfceI5MZX4.exe
Source: YfceI5MZX4.exe, 00000000.00000002.247073600.0000000002911000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSimpleUI.dll2 vs YfceI5MZX4.exe
Source: YfceI5MZX4.exe, 00000000.00000002.255836419.0000000007460000.00000002.00000001.sdmp	Binary or memory string: originalfilename vs YfceI5MZX4.exe
Source: YfceI5MZX4.exe, 00000000.00000002.255836419.0000000007460000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs YfceI5MZX4.exe
Source: YfceI5MZX4.exe	Binary or memory string: OriginalFilenameHostProtectionAttribute.exe> vs YfceI5MZX4.exe

Source: YfceI5MZX4.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: 00000005.00000002.500274474.0000000003FBB000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000005.00000002.492901504.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000002.492901504.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000005.00000002.501754781.0000000005470000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000002.501754781.0000000005470000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.248677483.0000000003AB9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.248677483.0000000003AB9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000005.00000002.502139157.00000000058D0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000002.502139157.00000000058D0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: Process Memory Space: RegSvcs.exe PID: 5996, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: RegSvcs.exe PID: 5996, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.YfceI5MZX4.exe.3b51e28.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.YfceI5MZX4.exe.3b51e28.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.YfceI5MZX4.exe.3b51e28.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.RegSvcs.exe.3fd2a65.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.RegSvcs.exe.3fd2a65.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.RegSvcs.exe.58d0000.9.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.RegSvcs.exe.58d0000.9.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.RegSvcs.exe.5470000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.RegSvcs.exe.5470000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.RegSvcs.exe.58d4629.10.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.RegSvcs.exe.58d4629.10.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.RegSvcs.exe.3fc9606.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.RegSvcs.exe.3fc9606.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.RegSvcs.exe.3fc9606.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.RegSvcs.exe.2f9139c.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.RegSvcs.exe.2f9139c.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.RegSvcs.exe.3fce43c.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.RegSvcs.exe.3fce43c.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.RegSvcs.exe.3fce43c.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.RegSvcs.exe.3fce43c.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.RegSvcs.exe.58d0000.9.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.RegSvcs.exe.58d0000.9.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.YfceI5MZX4.exe.3b51e28.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.YfceI5MZX4.exe.3b51e28.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.YfceI5MZX4.exe.3b51e28.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore

Source: YfceI5MZX4.exe	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: gmSlQSien.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: 5.2.RegSvcs.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 5.2.RegSvcs.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 5.2.RegSvcs.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: classification engine

Classification label: mal100.troj.evad.winEXE@8/8@9/1

Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Code function: 0_2_06A9053E AdjustTokenPrivileges,	0_2_06A9053E
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Code function: 0_2_06A90507 AdjustTokenPrivileges,	0_2_06A90507
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 5_2_052A10DA AdjustTokenPrivileges,	5_2_052A10DA
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 5_2_052A10A3 AdjustTokenPrivileges,	5_2_052A10A3

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

File created: C:\Program Files (x86)\DHCP Monitor

Jump to behavior

Source: C:\Users\user\Desktop\YfceI5MZX4.exe

File created: C:\Users\user\AppData\Roaming\gmSlQSien.exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2908:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6472:120:WilError_01
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{f57d5a77-8670-45ef-b736-5f3a07b68725}
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Mutant created: \Sessions\1\BaseNamedObjects\NFKnYlgkNzhyGKSdXXNN

Source: C:\Users\user\Desktop\YfceI5MZX4.exe

File created: C:\Users\user\AppData\Local\Temp\tmp7762.tmp

Jump to behavior

Source: YfceI5MZX4.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior

Source: C:\Users\user\Desktop\YfceI5MZX4.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\YfceI5MZX4.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: YfceI5MZX4.exe, 00000000.00000002.247117060.0000000002945000.00000004.00000001.sdmp	Binary or memory string: Select * from UnmanagedMemoryStreamWrapper WHERE modelo=@modelo;?
Source: YfceI5MZX4.exe, 00000000.00000002.247117060.0000000002945000.00000004.00000001.sdmp	Binary or memory string: Select * from Clientes WHERE id=@id;;
Source: YfceI5MZX4.exe, 00000000.00000002.247117060.0000000002945000.00000004.00000001.sdmp	Binary or memory string: Select * from Aluguel5Erro ao listar Banco sql-UnmanagedMemoryStreamWrapper.INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: YfceI5MZX4.exe, 00000000.00000002.247117060.0000000002945000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO UnmanagedMemoryStreamWrapper VALUES(@modelo, @fabricante, @ano, @cor);
Source: YfceI5MZX4.exe, 00000000.00000002.247117060.0000000002945000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: YfceI5MZX4.exe, 00000000.00000002.247117060.0000000002945000.00000004.00000001.sdmp	Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
Source: YfceI5MZX4.exe, 00000000.00000002.247117060.0000000002945000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);

Source: C:\Users\user\Desktop\YfceI5MZX4.exe

File read: C:\Users\user\Desktop\YfceI5MZX4.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\YfceI5MZX4.exe 'C:\Users\user\Desktop\YfceI5MZX4.exe'
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\gmSlQSien' /XML 'C:\Users\user\AppData\Local\Temp\tmp7762.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
Source: unknown	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\gmSlQSien' /XML 'C:\Users\user\AppData\Local\Temp\tmp7762.tmp'	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Jump to behavior

Source: C:\Users\user\Desktop\YfceI5MZX4.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\YfceI5MZX4.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Jump to behavior

Source: YfceI5MZX4.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: C:\Users\user\Desktop\YfceI5MZX4.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Jump to behavior

Source: YfceI5MZX4.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: symbols\dll\System.pdb source: RegSvcs.exe, 00000005.00000002.502127000.00000000058CC000.00000004.00000001.sdmp
Source:	Binary string: C:\Windows\System.pdbzz source: RegSvcs.exe, 00000005.00000002.496361214.0000000002B05000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\dll\System.pdb source: RegSvcs.exe, 00000005.00000002.496361214.0000000002B05000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.pdb source: RegSvcs.exe, 00000005.00000002.496361214.0000000002B05000.00000004.00000040.sdmp
Source:	Binary string: oC:\Windows\System.pdb source: RegSvcs.exe, 00000005.00000002.502127000.00000000058CC000.00000004.00000001.sdmp
Source:	Binary string: System.pdb H source: RegSvcs.exe, 00000005.00000002.502127000.00000000058CC000.00000004.00000001.sdmp
Source:	Binary string: indows\RegSvcs.pdbpdbvcs.pdb source: RegSvcs.exe, 00000005.00000002.496361214.0000000002B05000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\symbols\exe\RegSvcs.pdb source: RegSvcs.exe, 00000005.00000002.496361214.0000000002B05000.00000004.00000040.sdmp
Source:	Binary string: RegSvcs.pdb source: RegSvcs.exe, 00000005.00000003.247448254.0000000001128000.00000004.00000001.sdmp, dhcpmon.exe, dhcpmon.exe.5.dr
Source:	Binary string: C:\Windows\assembly\GA.pdbL\System\2.0.0.0__b77a5c561934e089\System.dll source: RegSvcs.exe, 00000005.00000002.502127000.00000000058CC000.00000004.00000001.sdmp
Source:	Binary string: indows\System.pdbpdbtem.pdb source: RegSvcs.exe, 00000005.00000002.496361214.0000000002B05000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\symbols\dll\System.pdb source: RegSvcs.exe, 00000005.00000002.496361214.0000000002B05000.00000004.00000040.sdmp
Source:	Binary string: System.pdb source: RegSvcs.exe, 00000005.00000002.496361214.0000000002B05000.00000004.00000040.sdmp
Source:	Binary string: mscorrc.pdb source: YfceI5MZX4.exe, 00000000.00000002.253471849.0000000006A00000.00000002.00000001.sdmp, RegSvcs.exe, 00000005.00000002.501899583.00000000055F0000.00000002.00000001.sdmp
Source:	Binary string: C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdb source: RegSvcs.exe, 00000005.00000002.496361214.0000000002B05000.00000004.00000040.sdmp
Source:	Binary string: System.pdbSystem.pdbpdbtem.pdbm\2.0.0.0__b77a5c561934e089\System.pdb source: RegSvcs.exe, 00000005.00000002.502127000.00000000058CC000.00000004.00000001.sdmp

Data Obfuscation:

.NET source code contains potential unpacker

Show sources

Source: 5.2.RegSvcs.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.2.RegSvcs.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Code function: 0_2_00166A9F push es; iretd	0_2_00166B77
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Code function: 0_2_0016A2BC push es; retf	0_2_0016A2FC
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Code function: 0_2_0016A0AC push es; retf	0_2_0016A272
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Code function: 0_2_0016A274 push es; retf	0_2_0016A28A
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Code function: 0_2_0016A2FE push es; retf	0_2_0016A30E
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Code function: 0_2_04B2D4BB push ebx; iretd	0_2_04B2D4D5
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Code function: 0_2_04B2C1C5 push edi; retf	0_2_04B2C1CB
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Code function: 0_2_04B2C11D push CCFFFFFEh; ret	0_2_04B2C122
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Code function: 0_2_04B2CA7F push esp; retf	0_2_04B2CA81
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Code function: 0_2_04B2D3E2 push eax; retf	0_2_04B2D3E5
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 5_2_02A69D74 push eax; retf	5_2_02A69D75
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 5_2_02A69D78 pushad ; retf	5_2_02A69D79
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 5_2_02A681DB push eax; iretd	5_2_02A681F1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 5_2_02C30D47 push cs; ret	5_2_02C30D4A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 5_2_02C30D87 push cs; ret	5_2_02C30D32
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 5_2_02C30D13 push cs; ret	5_2_02C30D2A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 5_2_02C30D2B push cs; ret	5_2_02C30D32
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 5_2_02C30D33 push cs; ret	5_2_02C30D36
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 5_2_0518902D push ebx; ret	5_2_0518902E
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 5_2_05186C50 push esp; ret	5_2_05186C59

Source: initial sample	Static PE information: section name: .text entropy: 7.9540154939
Source: initial sample	Static PE information: section name: .text entropy: 7.9540154939

Source: 5.2.RegSvcs.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 5.2.RegSvcs.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'

Source: C:\Users\user\Desktop\YfceI5MZX4.exe	File created: C:\Users\user\AppData\Roaming\gmSlQSien.exe			Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe			Jump to dropped file

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules

Show sources

Source: C:\Users\user\Desktop\YfceI5MZX4.exe

Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\gmSlQSien' /XML 'C:\Users\user\AppData\Local\Temp\tmp7762.tmp'

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM3

Show sources

Source: Yara match	File source: 00000000.00000002.247117060.0000000002945000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: YfceI5MZX4.exe PID: 6136, type: MEMORY

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: YfceI5MZX4.exe, 00000000.00000002.247117060.0000000002945000.00000004.00000001.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: YfceI5MZX4.exe, 00000000.00000002.247117060.0000000002945000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\YfceI5MZX4.exe

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Jump to behavior

Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Window / User API: threadDelayed 663			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Window / User API: foregroundWindowGot 937			Jump to behavior

Source: C:\Users\user\Desktop\YfceI5MZX4.exe TID: 4508	Thread sleep time: -100892s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe TID: 2964	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6524	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

Code function: 5_2_052A0D66 GetSystemInfo,

5_2_052A0D66

Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Thread delayed: delay time: 100892	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: RegSvcs.exe, 00000005.00000002.502606412.00000000062B0000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: YfceI5MZX4.exe, 00000000.00000002.247117060.0000000002945000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: YfceI5MZX4.exe, 00000000.00000002.247117060.0000000002945000.00000004.00000001.sdmp	Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: YfceI5MZX4.exe, 00000000.00000002.247117060.0000000002945000.00000004.00000001.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: YfceI5MZX4.exe, 00000000.00000002.247117060.0000000002945000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
Source: RegSvcs.exe, 00000005.00000002.494732255.00000000010CA000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll%
Source: RegSvcs.exe, 00000005.00000002.494732255.00000000010CA000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW
Source: YfceI5MZX4.exe, 00000000.00000002.247117060.0000000002945000.00000004.00000001.sdmp	Binary or memory string: VMWARE
Source: YfceI5MZX4.exe, 00000000.00000002.247117060.0000000002945000.00000004.00000001.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: RegSvcs.exe, 00000005.00000002.502606412.00000000062B0000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: RegSvcs.exe, 00000005.00000002.502606412.00000000062B0000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: YfceI5MZX4.exe, 00000000.00000002.247117060.0000000002945000.00000004.00000001.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: YfceI5MZX4.exe, 00000000.00000002.247117060.0000000002945000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: YfceI5MZX4.exe, 00000000.00000002.247117060.0000000002945000.00000004.00000001.sdmp	Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: RegSvcs.exe, 00000005.00000002.502606412.00000000062B0000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Users\user\Desktop\YfceI5MZX4.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\YfceI5MZX4.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\YfceI5MZX4.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Allocates memory in foreign processes

Show sources

Source: C:\Users\user\Desktop\YfceI5MZX4.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 400000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\Desktop\YfceI5MZX4.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 400000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Show sources

Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 402000	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 420000	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 422000	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: B23008	Jump to behavior

Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\gmSlQSien' /XML 'C:\Users\user\AppData\Local\Temp\tmp7762.tmp'			Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe			Jump to behavior

Source: RegSvcs.exe, 00000005.00000002.499074335.000000000303E000.00000004.00000001.sdmp	Binary or memory string: Program Manager
Source: RegSvcs.exe, 00000005.00000002.495703857.0000000001650000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: RegSvcs.exe, 00000005.00000002.495703857.0000000001650000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: RegSvcs.exe, 00000005.00000002.495703857.0000000001650000.00000002.00000001.sdmp	Binary or memory string: SProgram Managerl
Source: RegSvcs.exe, 00000005.00000003.313582411.000000000118E000.00000004.00000001.sdmp	Binary or memory string: Program Managerx8
Source: RegSvcs.exe, 00000005.00000002.494732255.00000000010CA000.00000004.00000020.sdmp	Binary or memory string: Program Managertb
Source: RegSvcs.exe, 00000005.00000002.495703857.0000000001650000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd,
Source: RegSvcs.exe, 00000005.00000002.495392948.000000000117C000.00000004.00000020.sdmp	Binary or memory string: Program Managerknown.
Source: RegSvcs.exe, 00000005.00000002.495703857.0000000001650000.00000002.00000001.sdmp	Binary or memory string: Progmanlock
Source: RegSvcs.exe, 00000005.00000002.494732255.00000000010CA000.00000004.00000020.sdmp	Binary or memory string: Program Manager (x86)\DHCP Monitor\dhcpmon.exe

Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\YfceI5MZX4.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\YfceI5MZX4.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000005.00000002.500274474.0000000003FBB000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.492901504.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.248677483.0000000003AB9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.502139157.00000000058D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 5996, type: MEMORY
Source: Yara match	File source: 0.2.YfceI5MZX4.exe.3b51e28.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.3fd2a65.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.58d0000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.58d4629.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.3fc9606.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.3fce43c.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.3fce43c.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.58d0000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.YfceI5MZX4.exe.3b51e28.3.unpack, type: UNPACKEDPE

Remote Access Functionality:

Detected Nanocore Rat

Show sources

Source: RegSvcs.exe, 00000005.00000002.500274474.0000000003FBB000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: RegSvcs.exe, 00000005.00000002.500274474.0000000003FBB000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000005.00000002.500274474.0000000003FBB000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.492901504.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.248677483.0000000003AB9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.502139157.00000000058D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 5996, type: MEMORY
Source: Yara match	File source: 0.2.YfceI5MZX4.exe.3b51e28.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.3fd2a65.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.58d0000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.58d4629.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.3fc9606.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.3fce43c.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.3fce43c.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.58d0000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.YfceI5MZX4.exe.3b51e28.3.unpack, type: UNPACKEDPE

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 5_2_052A256E bind,		5_2_052A256E
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 5_2_052A253B bind,		5_2_052A253B

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Scheduled Task/Job1	Scheduled Task/Job1	Access Token Manipulation1	Masquerading2	Input Capture11	Security Software Discovery111	Remote Services	Input Capture11	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Process Injection312	Disable or Modify Tools1	LSASS Memory	Process Discovery2	Remote Desktop Protocol	Archive Collected Data11	Exfiltration Over Bluetooth	Non-Standard Port1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Scheduled Task/Job1	Virtualization/Sandbox Evasion31	Security Account Manager	Virtualization/Sandbox Evasion31	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Remote Access Software1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Access Token Manipulation1	NTDS	Application Window Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Non-Application Layer Protocol1	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Process Injection312	LSA Secrets	Remote System Discovery1	SSH	Keylogging	Data Transfer Size Limits	Application Layer Protocol21	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Deobfuscate/Decode Files or Information1	Cached Domain Credentials	File and Directory Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Hidden Files and Directories1	DCSync	System Information Discovery13	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Obfuscated Files or Information3	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Software Packing13	/etc/passwd and /etc/shadow	System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
YfceI5MZX4.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Link
C:\Users\user\AppData\Roaming\gmSlQSien.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	0%	Metadefender	Browse
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	0%	ReversingLabs

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
5.2.RegSvcs.exe.58d0000.9.unpack	100%	Avira	TR/NanoCore.fadte		Download File
5.2.RegSvcs.exe.400000.0.unpack	100%	Avira	TR/Dropper.MSIL.Gen7		Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
nassiru1155.ddns.net	0%	Avira URL Cloud	safe
http://www.sandoll.co.krN.TTFp	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.sandoll.co.krAh	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/&t	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/=t	0%	Avira URL Cloud	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/ut	0%	Avira URL Cloud	safe
http://www.fontbureau.coma	0%	URL Reputation	safe
http://www.fontbureau.coma	0%	URL Reputation	safe
http://www.fontbureau.coma	0%	URL Reputation	safe
http://www.tiro.comtn	0%	Avira URL Cloud	safe
79.134.225.30	0%	Avira URL Cloud	safe
http://www.fonts.comX	0%	URL Reputation	safe
http://www.fonts.comX	0%	URL Reputation	safe
http://www.fonts.comX	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.founder.com.cn/cn/	0%	URL Reputation	safe
http://www.founder.com.cn/cn/	0%	URL Reputation	safe
http://www.founder.com.cn/cn/	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/Lt	0%	Avira URL Cloud	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/x	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/x	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/x	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/gt	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.fonts.comtem7W	0%	Avira URL Cloud	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.founder.com.cn/cnmf	0%	Avira URL Cloud	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.founder.com.cn/cne	0%	Avira URL Cloud	safe
http://www.fontbureau.comiona=	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cnsof	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
nassiru1155.ddns.net	unknown	unknown	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
nassiru1155.ddns.net	true	Avira URL Cloud: safe	unknown
79.134.225.30	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.apache.org/licenses/LICENSE-2.0	YfceI5MZX4.exe, 00000000.00000002.252311067.0000000006042000.00000004.00000001.sdmp	false		high
http://www.fontbureau.com	YfceI5MZX4.exe, 00000000.00000002.252311067.0000000006042000.00000004.00000001.sdmp	false		high
http://www.fontbureau.com/designersG	YfceI5MZX4.exe, 00000000.00000002.252311067.0000000006042000.00000004.00000001.sdmp	false		high
http://www.sandoll.co.krN.TTFp	YfceI5MZX4.exe, 00000000.00000003.228260396.0000000004D09000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers/?	YfceI5MZX4.exe, 00000000.00000002.252311067.0000000006042000.00000004.00000001.sdmp	false		high
http://www.founder.com.cn/cn/bThe	YfceI5MZX4.exe, 00000000.00000002.252311067.0000000006042000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers?	YfceI5MZX4.exe, 00000000.00000002.252311067.0000000006042000.00000004.00000001.sdmp	false		high
http://www.sandoll.co.krAh	YfceI5MZX4.exe, 00000000.00000003.228260396.0000000004D09000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/&t	YfceI5MZX4.exe, 00000000.00000003.230882117.0000000004D04000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/=t	YfceI5MZX4.exe, 00000000.00000003.230882117.0000000004D04000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.tiro.com	YfceI5MZX4.exe, 00000000.00000002.252311067.0000000006042000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers	YfceI5MZX4.exe, 00000000.00000003.233084984.0000000004D0D000.00000004.00000001.sdmp	false		high
http://www.goodfont.co.kr	YfceI5MZX4.exe, 00000000.00000002.252311067.0000000006042000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/jp/	YfceI5MZX4.exe, 00000000.00000003.230882117.0000000004D04000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/ut	YfceI5MZX4.exe, 00000000.00000003.230882117.0000000004D04000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.coma	YfceI5MZX4.exe, 00000000.00000003.245702831.0000000004D00000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.tiro.comtn	YfceI5MZX4.exe, 00000000.00000003.227413461.0000000004D1B000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fonts.comX	YfceI5MZX4.exe, 00000000.00000003.227190711.0000000004D1B000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css	YfceI5MZX4.exe, 00000000.00000002.247117060.0000000002945000.00000004.00000001.sdmp	false		high
http://www.carterandcone.coml	YfceI5MZX4.exe, 00000000.00000002.252311067.0000000006042000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.sajatypeworks.com	YfceI5MZX4.exe, 00000000.00000003.227000738.0000000004D1B000.00000004.00000001.sdmp, YfceI5MZX4.exe, 00000000.00000002.252311067.0000000006042000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cn/	YfceI5MZX4.exe, 00000000.00000003.229242210.0000000004D04000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.typography.netD	YfceI5MZX4.exe, 00000000.00000002.252311067.0000000006042000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	YfceI5MZX4.exe, 00000000.00000002.252311067.0000000006042000.00000004.00000001.sdmp	false		high
http://www.founder.com.cn/cn/cThe	YfceI5MZX4.exe, 00000000.00000002.252311067.0000000006042000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/Lt	YfceI5MZX4.exe, 00000000.00000003.230882117.0000000004D04000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	YfceI5MZX4.exe, 00000000.00000002.252311067.0000000006042000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://fontfabrik.com	YfceI5MZX4.exe, 00000000.00000002.252311067.0000000006042000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cn	YfceI5MZX4.exe, 00000000.00000002.252311067.0000000006042000.00000004.00000001.sdmp, YfceI5MZX4.exe, 00000000.00000003.228908914.0000000004D3D000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/x	YfceI5MZX4.exe, 00000000.00000003.230882117.0000000004D04000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-jones.html	YfceI5MZX4.exe, 00000000.00000002.252311067.0000000006042000.00000004.00000001.sdmp	false		high
http://www.jiyu-kobo.co.jp/gt	YfceI5MZX4.exe, 00000000.00000003.230882117.0000000004D04000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/	YfceI5MZX4.exe, 00000000.00000002.252311067.0000000006042000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/DPlease	YfceI5MZX4.exe, 00000000.00000002.252311067.0000000006042000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	YfceI5MZX4.exe, 00000000.00000002.252311067.0000000006042000.00000004.00000001.sdmp	false		high
http://www.fonts.comtem7W	YfceI5MZX4.exe, 00000000.00000003.227156723.0000000004D1B000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fonts.com	YfceI5MZX4.exe, 00000000.00000002.252311067.0000000006042000.00000004.00000001.sdmp	false		high
http://www.sandoll.co.kr	YfceI5MZX4.exe, 00000000.00000002.252311067.0000000006042000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cnmf	YfceI5MZX4.exe, 00000000.00000003.229331040.0000000004D0B000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.urwpp.deDPlease	YfceI5MZX4.exe, 00000000.00000002.252311067.0000000006042000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	YfceI5MZX4.exe, 00000000.00000002.252311067.0000000006042000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.sakkal.com	YfceI5MZX4.exe, 00000000.00000002.252311067.0000000006042000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cne	YfceI5MZX4.exe, 00000000.00000003.228931312.0000000004D04000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.comiona=	YfceI5MZX4.exe, 00000000.00000003.245702831.0000000004D00000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://www.founder.com.cn/cnsof	YfceI5MZX4.exe, 00000000.00000003.229242210.0000000004D04000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
79.134.225.30	unknown	Switzerland		6775	FINK-TELECOM-SERVICESCH	true

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	385233
Start date:	12.04.2021
Start time:	08:41:27
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 8m 34s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	YfceI5MZX4.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	29
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@8/8@9/1
EGA Information:	Failed
HDC Information:	Successful, ratio: 0.8% (good quality ratio 0.5%) Quality average: 37.4% Quality standard deviation: 34.8%
HCA Information:	Successful, ratio: 98% Number of executed functions: 459 Number of non-executed functions: 24
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information. Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe Excluded IPs from analysis (whitelisted): 204.79.197.200, 13.107.21.200, 93.184.220.29, 20.82.210.154, 40.88.32.150, 92.122.145.220, 104.43.193.48, 184.30.24.56, 104.43.139.144, 168.61.161.212, 92.122.213.194, 92.122.213.247, 104.42.151.234, 67.26.73.254, 67.26.137.254, 8.241.78.254, 8.241.90.126, 8.241.79.126, 20.50.102.62, 20.54.26.129, 20.49.157.6 Excluded domains from analysis (whitelisted): cs9.wac.phicdn.net, arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, skypedataprdcoleus15.cloudapp.net, e12564.dspb.akamaiedge.net, ocsp.digicert.com, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, auto.au.download.windowsupdate.com.c.footprint.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, www.bing.com, fs.microsoft.com, dual-a-0001.a-msedge.net, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, skypedataprdcolcus17.cloudapp.net, ctldl.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, skypedataprdcolcus15.cloudapp.net, ris.api.iris.microsoft.com, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus16.cloudapp.net Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found. VT rate limit hit for: /opt/package/joesandbox/database/analysis/385233/sample/YfceI5MZX4.exe

Simulations

Behavior and APIs

Time	Type	Description
08:42:23	API Interceptor	1x Sleep call for process: YfceI5MZX4.exe modified
08:42:27	API Interceptor	981x Sleep call for process: RegSvcs.exe modified
08:42:27	Autostart	Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
79.134.225.30	SOL2021-03-14-NETC-NI-21-049-CEVA INV.xlsx	Get hash	malicious	Browse
	TSskTqG9V9.exe	Get hash	malicious	Browse
	Files Specification.xlsx	Get hash	malicious	Browse
	J62DQ7fO0b.exe	Get hash	malicious	Browse
	oE6O5K1emC.exe	Get hash	malicious	Browse
	AIC7VMxudf.exe	Get hash	malicious	Browse
	Payment Confirmation.exe	Get hash	malicious	Browse
	JOIN.exe	Get hash	malicious	Browse
	Itinerary.pdf.exe	Get hash	malicious	Browse
	vVH0wIFYFd.exe	Get hash	malicious	Browse
	GWee9QSphp.exe	Get hash	malicious	Browse
	s7pnYY2USl.jar	Get hash	malicious	Browse
	s7pnYY2USl.jar	Get hash	malicious	Browse
	SecuriteInfo.com.BehavesLike.Win32.Generic.dc.exe	Get hash	malicious	Browse
	Import and Export Regulation.xlsx	Get hash	malicious	Browse
	BBdzKOGQ36.exe	Get hash	malicious	Browse
	BL.exe	Get hash	malicious	Browse
	Payment Invoice.exe	Get hash	malicious	Browse
	Payment Invoice.pdf.exe	Get hash	malicious	Browse
	Inquiries_scan_011023783591374376585.exe	Get hash	malicious	Browse

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
FINK-TELECOM-SERVICESCH	SOL2021-03-14-NETC-NI-21-049-CEVA INV.xlsx	Get hash	malicious	Browse	79.134.225.30
	OjAJYVQ7iK.exe	Get hash	malicious	Browse	79.134.225.112
	TSskTqG9V9.exe	Get hash	malicious	Browse	79.134.225.30
	Files Specification.xlsx	Get hash	malicious	Browse	79.134.225.30
	J62DQ7fO0b.exe	Get hash	malicious	Browse	79.134.225.30
	oE6O5K1emC.exe	Get hash	malicious	Browse	79.134.225.30
	zunUbtZ2Y3.exe	Get hash	malicious	Browse	79.134.225.40
	EASTERS.exe	Get hash	malicious	Browse	79.134.225.118
	LIST OF POEA DELISTED AGENCIES.pdf.exe	Get hash	malicious	Browse	79.134.225.9
	AWB.pdf.exe	Get hash	malicious	Browse	79.134.225.102
	AIC7VMxudf.exe	Get hash	malicious	Browse	79.134.225.30
	9mm case for ROYAL METAL INDUSTRIES 3milmonth Specification drawings.exe	Get hash	malicious	Browse	79.134.225.21
	PO50164.exe	Get hash	malicious	Browse	79.134.225.79
	Fast color scan to a PDFfile_1_20210331084231346.pdf.exe	Get hash	malicious	Browse	79.134.225.102
	n7dIHuG3v6.exe	Get hash	malicious	Browse	79.134.225.92
	F6JT4fXIAQ.exe	Get hash	malicious	Browse	79.134.225.92
	order_inquiry2094.xls.exe	Get hash	malicious	Browse	79.134.225.102
	5H957qLghX.exe	Get hash	malicious	Browse	79.134.225.25
	yBio5dWAOl.exe	Get hash	malicious	Browse	79.134.225.7
	wDIaJji4Vv.exe	Get hash	malicious	Browse	79.134.225.7

JA3 Fingerprints

No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	TSskTqG9V9.exe	Get hash	malicious	Browse
	oE6O5K1emC.exe	Get hash	malicious	Browse
	GS_ PO NO.1862021.exe	Get hash	malicious	Browse
	wDIaJji4Vv.exe	Get hash	malicious	Browse
	cJtVGjtNGZ.exe	Get hash	malicious	Browse
	Bilansno placanje.exe	Get hash	malicious	Browse
	SecuriteInfo.com.Trojan.Inject4.9647.20479.exe	Get hash	malicious	Browse
	wnIPBdB5OF.exe	Get hash	malicious	Browse
	Delivery Form C.exe	Get hash	malicious	Browse
	h6uc8EaDQX.exe	Get hash	malicious	Browse
	3aDHivUqWtumbXb.exe	Get hash	malicious	Browse
	fMy120EQiT6NaRd.exe	Get hash	malicious	Browse
	SecuriteInfo.com.Variant.Bulz.394792.29952.exe	Get hash	malicious	Browse
	SecuriteInfo.com.Trojan.PackedNET.578.18498.exe	Get hash	malicious	Browse
	sfTZCyMKuC.exe	Get hash	malicious	Browse
	y9Rtu1cnBk.exe	Get hash	malicious	Browse
	Ixli7b5j6A.exe	Get hash	malicious	Browse
	nq0aCrCXyE.exe	Get hash	malicious	Browse
	73SriHObnQ.exe	Get hash	malicious	Browse
	0672IMP000158021.pdf.exe	Get hash	malicious	Browse

Created / dropped Files

C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	3.7515815714465193
Encrypted:	false
SSDEEP:	384:BOj9Y8/gS7SDriLGKq1MHR5U4Ag6ihJSxUCR1rgCPKabK2t0X5P7DZ+JgWSW72uw:B+gSAdN1MH3HAFRJngW2u
MD5:	71369277D09DA0830C8C59F9E22BB23A
SHA1:	37F9781314F0F6B7E9CB529A573F2B1C8DE9E93F
SHA-256:	D4527B7AD2FC4778CC5BE8709C95AEA44EAC0568B367EE14F7357D72898C3698
SHA-512:	2F470383E3C796C4CF212EC280854DBB9E7E8C8010CE6857E58F8E7066D7516B7CD7039BC5C0F547E1F5C7F9F2287869ADFFB2869800B08B2982A88BE96E9FB7
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: TSskTqG9V9.exe, Detection: malicious, Browse Filename: oE6O5K1emC.exe, Detection: malicious, Browse Filename: GS_ PO NO.1862021.exe, Detection: malicious, Browse Filename: wDIaJji4Vv.exe, Detection: malicious, Browse Filename: cJtVGjtNGZ.exe, Detection: malicious, Browse Filename: Bilansno placanje.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Trojan.Inject4.9647.20479.exe, Detection: malicious, Browse Filename: wnIPBdB5OF.exe, Detection: malicious, Browse Filename: Delivery Form C.exe, Detection: malicious, Browse Filename: h6uc8EaDQX.exe, Detection: malicious, Browse Filename: 3aDHivUqWtumbXb.exe, Detection: malicious, Browse Filename: fMy120EQiT6NaRd.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Variant.Bulz.394792.29952.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Trojan.PackedNET.578.18498.exe, Detection: malicious, Browse Filename: sfTZCyMKuC.exe, Detection: malicious, Browse Filename: y9Rtu1cnBk.exe, Detection: malicious, Browse Filename: Ixli7b5j6A.exe, Detection: malicious, Browse Filename: nq0aCrCXyE.exe, Detection: malicious, Browse Filename: 73SriHObnQ.exe, Detection: malicious, Browse Filename: 0672IMP000158021.pdf.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....{Z.................P... .......k... ........@.. ...............................[....@..................................k..K................................... k............................................... ............... ..H............text....K... ...P.................. ..`.rsrc................`..............@..@.reloc...............p..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\YfceI5MZX4.exe.log Download File
Process:	C:\Users\user\Desktop\YfceI5MZX4.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	664
Entropy (8bit):	5.288448637977022
Encrypted:	false
SSDEEP:	12:Q3LaJU20NaL10Ug+9Yz9t0U29hJ5g1B0U2ukyrFk70U2xANlW3ANv:MLF20NaL3z2p29hJ5g522rW2xAi3A9
MD5:	B1DB55991C3DA14E35249AEA1BC357CA
SHA1:	0DD2D91198FDEF296441B12F1A906669B279700C
SHA-256:	34D3E48321D5010AD2BD1F3F0B728077E4F5A7F70D66FA36B57E5209580B6BDC
SHA-512:	BE38A31888C9C2F8047FA9C99672CB985179D325107514B7500DDA9523AE3E1D20B45EACC4E6C8A5D096360D0FBB98A120E63F38FFE324DF8A0559F6890CC801
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Remo#\35774dc3cd31b4550ab06c3354cf4ba5\System.Runtime.Remoting.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\dhcpmon.exe.log Download File
Process:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	120
Entropy (8bit):	5.016405576253028
Encrypted:	false
SSDEEP:	3:QHXMKaoWglAFXMWA2yTMGfsbNXLVd49Am12MFuAvOAsDeieVyn:Q3LawlAFXMWTyAGCFLIP12MUAvvrs
MD5:	50DEC1858E13F033E6DCA3CBFAD5E8DE
SHA1:	79AE1E9131B0FAF215B499D2F7B4C595AA120925
SHA-256:	14A557E226E3BA8620BB3A70035E1E316F1E9FB5C9E8F74C07110EE90B8D8AE4
SHA-512:	1BD73338DF685A5B57B0546E102ECFDEE65800410D6F77845E50456AC70DE72929088AF19B59647F01CBA7A5ACFB399C52D9EF2402A9451366586862EF88E7BF
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..2,"System.EnterpriseServices, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..

C:\Users\user\AppData\Local\Temp\tmp7762.tmp Download File
Process:	C:\Users\user\Desktop\YfceI5MZX4.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1646
Entropy (8bit):	5.163880473843948
Encrypted:	false
SSDEEP:	24:2dH4+SEqC/a7hTlNMFpH/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBatn:cbhC7ZlNQF/rydbz9I3YODOLNdq3W
MD5:	50FDC626522E1DF1A07E1D398F973780
SHA1:	0ABC2C77CCC61B37DE9D46F29D4C5502E557A025
SHA-256:	1C91BC758FA2DDAAAA0436A3AA7D56AA59D381A358658FBB8632CCACE623E026
SHA-512:	A4AF7DCABE63A86D665C64C8F0C80D240D11EDEA89E4F33FDBF0E4F82EE892C61E713F6D5044CA601271DE26956B6E0A8F7A680DA8F8669EEF7DFFF4F285ED22
Malicious:	true
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>t

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
File Type:	Non-ISO extended-ASCII text, with no line terminators
Category:	dropped
Size (bytes):	8
Entropy (8bit):	3.0
Encrypted:	false
SSDEEP:	3:hRn:Ln
MD5:	A127AD6897FA6E51DF688E6D956222AC
SHA1:	0D7279C1E6363F5B40B8BE2D0B8153E84C88469F
SHA-256:	2A2A333F41D3469127ACFF3D213E66B1E987AE2DF1B47C928774B2F1757BC33B
SHA-512:	116C9B6576214AB66D5D19B2B2B7C47F3573FCB7385FB1C28E3D585B4891B2259C63A906C5951832264CFBA4F016B1ED27C5C7B1E5894333D207B5F3B7E5BC35
Malicious:	true
Reputation:	low
Preview:	7.D....H

C:\Users\user\AppData\Roaming\gmSlQSien.exe Download File
Process:	C:\Users\user\Desktop\YfceI5MZX4.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	802304
Entropy (8bit):	7.807064216316379
Encrypted:	false
SSDEEP:	12288:fqPhNb1Cpc0vs3YpRTYmuCBWhfCfyxmbKzYwafnJMKrXe3tw2luRVZzQKaq:iPhxcpHUIpRTY0c1uyUeU3nJMKoCaq
MD5:	A3CBEB3E732B11954572B3EE6755242C
SHA1:	EBB41B49DE8F1B09EA20DABFFCFD85B93B68D7F3
SHA-256:	E006460AD1E34DDBBC28430C2D529A7EE491893C7AE8B6902B2D8D8C56620510
SHA-512:	455C3CAE5F85B8F3334004E09C5EF42BB6E8410F7501AEF0D520E1023EB376E31D6FA892DAB8DC8AAEA94914F31EC7915E8424362F1046F25F9B55C58EF94BD6
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....s`..............P..2...........P... ...`....@.. ....................................@.................................@P..O....`............................................................................... ............... ..H............text....0... ...2.................. ..`.rsrc........`.......4..............@..@.reloc...............<..............@..B................tP......H........}..du...............]...........................................0............(....(..........(.....o .........................(!......("......(#......($......(%....N..(....o....(&....&..('.....s(........s)........s........s+........s,............0...........~....o-....+...0...........~....o.....+...0...........~....o/....+...0...........~....o0....+...0...........~....o1....+...0..<........~.....(2.....,!r...p.....(3...o4...s5............~.....+...0......

C:\Users\user\AppData\Roaming\gmSlQSien.exe:Zone.Identifier Download File
Process:	C:\Users\user\Desktop\YfceI5MZX4.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

\Device\ConDrv Download File
Process:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1145
Entropy (8bit):	4.462201512373672
Encrypted:	false
SSDEEP:	24:zKLXkzPDObntKlglUEnfQtvNuNpKOK5aM9YJC:zKL0zPDQntKKH1MqJC
MD5:	46EBEB88876A00A52CC37B1F8E0D0438
SHA1:	5E5DB352F964E5F398301662FF558BD905798A65
SHA-256:	D65BD5A6CC112838AFE8FA70BF61FD13C1313BCE3EE3E76C50E454D7B581238B
SHA-512:	E713E6F304A469FB71235C598BC7E2C6F8458ABC61DAF3D1F364F66579CAFA4A7F3023E585BDA552FB400009E7805A8CA0311A50D5EDC9C2AD2D067772A071BE
Malicious:	false
Preview:	Microsoft (R) .NET Framework Services Installation Utility Version 2.0.50727.8922..Copyright (c) Microsoft Corporation. All rights reserved.....USAGE: regsvcs.exe [options] AssemblyName..Options:.. /? or /help Display this usage message... /fc Find or create target application (default)... /c Create target application, error if it already exists... /exapp Expect an existing application... /tlb:<tlbfile> Filename for the exported type library... /appname:<name> Use the specified name for the target application... /parname:<name> Use the specified name or id for the target partition... /extlb Use an existing type library... /reconfig Reconfigure existing target application (default)... /noreconfig Don't reconfigure existing target application... /u Uninstall target application... /nologo Suppress logo output... /quiet Suppress logo output and success output...

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.807064216316379
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	YfceI5MZX4.exe
File size:	802304
MD5:	a3cbeb3e732b11954572b3ee6755242c
SHA1:	ebb41b49de8f1b09ea20dabffcfd85b93b68d7f3
SHA256:	e006460ad1e34ddbbc28430c2d529a7ee491893c7ae8b6902b2d8d8c56620510
SHA512:	455c3cae5f85b8f3334004e09c5ef42bb6e8410f7501aef0d520e1023eb376e31d6fa892dab8dc8aaea94914f31ec7915e8424362f1046f25f9b55c58ef94bd6
SSDEEP:	12288:fqPhNb1Cpc0vs3YpRTYmuCBWhfCfyxmbKzYwafnJMKrXe3tw2luRVZzQKaq:iPhxcpHUIpRTY0c1uyUeU3nJMKoCaq
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....s`..............P..2...........P... ...`....@.. ....................................@................................

File Icon


Icon Hash:	5dd0e0ccc4ecb3f0

Static PE Info

General
Entrypoint:	0x4b5092
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x6073DD85 [Mon Apr 12 05:41:25 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:	v2.0.50727
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xb5040	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xb6000	0x107ec	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xc8000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xb3098	0xb3200	False	0.954216732816	data	7.9540154939	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0xb6000	0x107ec	0x10800	False	0.389012192235	data	4.61893381614	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xc8000	0xc	0x200	False	0.044921875	data	0.101910425663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
RT_ICON	0xb6370	0x2e8	data
RT_ICON	0xb6658	0x128	GLS_BINARY_LSB_FIRST
RT_ICON	0xb6780	0xea8	data
RT_ICON	0xb7628	0x8a8	data
RT_ICON	0xb7ed0	0x568	GLS_BINARY_LSB_FIRST
RT_ICON	0xb8438	0x35e2	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
RT_ICON	0xbba1c	0x4228	dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 240, next used block 117440512
RT_ICON	0xbfc44	0x25a8	data
RT_ICON	0xc21ec	0x1a68	data
RT_ICON	0xc3c54	0x10a8	data
RT_ICON	0xc4cfc	0x988	data
RT_ICON	0xc5684	0x6b8	data
RT_ICON	0xc5d3c	0x468	GLS_BINARY_LSB_FIRST
RT_GROUP_ICON	0xc61a4	0xbc	data
RT_VERSION	0xc6260	0x39e	data
RT_MANIFEST	0xc6600	0x1ea	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright 2012
Assembly Version	8.1.1.15
InternalName	HostProtectionAttribute.exe
FileVersion	8.1.1.14
CompanyName	Landskip Yard Care
LegalTrademarks	A++
Comments
ProductName	LevelActivator
ProductVersion	8.1.1.14
FileDescription	LevelActivator
OriginalFilename	HostProtectionAttribute.exe

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 12, 2021 08:42:29.363123894 CEST	49699	1144	192.168.2.5	79.134.225.30
Apr 12, 2021 08:42:32.425513029 CEST	49699	1144	192.168.2.5	79.134.225.30
Apr 12, 2021 08:42:38.511714935 CEST	49699	1144	192.168.2.5	79.134.225.30
Apr 12, 2021 08:42:49.366292953 CEST	49706	1144	192.168.2.5	79.134.225.30
Apr 12, 2021 08:42:52.418766022 CEST	49706	1144	192.168.2.5	79.134.225.30
Apr 12, 2021 08:42:58.427855968 CEST	49706	1144	192.168.2.5	79.134.225.30
Apr 12, 2021 08:43:08.273983955 CEST	49713	1144	192.168.2.5	79.134.225.30
Apr 12, 2021 08:43:11.288147926 CEST	49713	1144	192.168.2.5	79.134.225.30
Apr 12, 2021 08:43:17.304327965 CEST	49713	1144	192.168.2.5	79.134.225.30
Apr 12, 2021 08:43:38.994872093 CEST	49722	1144	192.168.2.5	79.134.225.30
Apr 12, 2021 08:43:42.011059999 CEST	49722	1144	192.168.2.5	79.134.225.30
Apr 12, 2021 08:43:48.009885073 CEST	49722	1144	192.168.2.5	79.134.225.30
Apr 12, 2021 08:43:56.278103113 CEST	49724	1144	192.168.2.5	79.134.225.30
Apr 12, 2021 08:43:59.276504993 CEST	49724	1144	192.168.2.5	79.134.225.30
Apr 12, 2021 08:44:05.277298927 CEST	49724	1144	192.168.2.5	79.134.225.30
Apr 12, 2021 08:44:14.357616901 CEST	49727	1144	192.168.2.5	79.134.225.30
Apr 12, 2021 08:44:17.356199980 CEST	49727	1144	192.168.2.5	79.134.225.30
Apr 12, 2021 08:44:23.356575012 CEST	49727	1144	192.168.2.5	79.134.225.30

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 12, 2021 08:42:10.067460060 CEST	52704	53	192.168.2.5	8.8.8.8
Apr 12, 2021 08:42:10.116363049 CEST	53	52704	8.8.8.8	192.168.2.5
Apr 12, 2021 08:42:10.292814970 CEST	52212	53	192.168.2.5	8.8.8.8
Apr 12, 2021 08:42:10.342643023 CEST	53	52212	8.8.8.8	192.168.2.5
Apr 12, 2021 08:42:10.418169022 CEST	54302	53	192.168.2.5	8.8.8.8
Apr 12, 2021 08:42:10.457545042 CEST	53784	53	192.168.2.5	8.8.8.8
Apr 12, 2021 08:42:10.478559971 CEST	53	54302	8.8.8.8	192.168.2.5
Apr 12, 2021 08:42:10.506891966 CEST	53	53784	8.8.8.8	192.168.2.5
Apr 12, 2021 08:42:14.032279015 CEST	65307	53	192.168.2.5	8.8.8.8
Apr 12, 2021 08:42:14.089629889 CEST	53	65307	8.8.8.8	192.168.2.5
Apr 12, 2021 08:42:14.621452093 CEST	64344	53	192.168.2.5	8.8.8.8
Apr 12, 2021 08:42:14.682523966 CEST	53	64344	8.8.8.8	192.168.2.5
Apr 12, 2021 08:42:30.647139072 CEST	62060	53	192.168.2.5	8.8.8.8
Apr 12, 2021 08:42:30.696383953 CEST	53	62060	8.8.8.8	192.168.2.5
Apr 12, 2021 08:42:37.969374895 CEST	61805	53	192.168.2.5	8.8.8.8
Apr 12, 2021 08:42:38.033551931 CEST	53	61805	8.8.8.8	192.168.2.5
Apr 12, 2021 08:42:47.482378006 CEST	54795	53	192.168.2.5	8.8.8.8
Apr 12, 2021 08:42:47.554399967 CEST	53	54795	8.8.8.8	192.168.2.5
Apr 12, 2021 08:42:55.569442034 CEST	49557	53	192.168.2.5	8.8.8.8
Apr 12, 2021 08:42:55.618032932 CEST	53	49557	8.8.8.8	192.168.2.5
Apr 12, 2021 08:42:56.509201050 CEST	61733	53	192.168.2.5	8.8.8.8
Apr 12, 2021 08:42:56.560765982 CEST	53	61733	8.8.8.8	192.168.2.5
Apr 12, 2021 08:42:57.330655098 CEST	65447	53	192.168.2.5	8.8.8.8
Apr 12, 2021 08:42:57.392369032 CEST	53	65447	8.8.8.8	192.168.2.5
Apr 12, 2021 08:42:57.416785955 CEST	52441	53	192.168.2.5	8.8.8.8
Apr 12, 2021 08:42:57.468317986 CEST	53	52441	8.8.8.8	192.168.2.5
Apr 12, 2021 08:42:58.331079006 CEST	62176	53	192.168.2.5	8.8.8.8
Apr 12, 2021 08:42:58.382704973 CEST	53	62176	8.8.8.8	192.168.2.5
Apr 12, 2021 08:43:05.623831987 CEST	59596	53	192.168.2.5	8.8.8.8
Apr 12, 2021 08:43:05.681453943 CEST	53	59596	8.8.8.8	192.168.2.5
Apr 12, 2021 08:43:14.520704985 CEST	65296	53	192.168.2.5	8.8.8.8
Apr 12, 2021 08:43:14.572243929 CEST	53	65296	8.8.8.8	192.168.2.5
Apr 12, 2021 08:43:15.428941965 CEST	63183	53	192.168.2.5	8.8.8.8
Apr 12, 2021 08:43:15.477699041 CEST	53	63183	8.8.8.8	192.168.2.5
Apr 12, 2021 08:43:16.488647938 CEST	60151	53	192.168.2.5	8.8.8.8
Apr 12, 2021 08:43:16.545650959 CEST	53	60151	8.8.8.8	192.168.2.5
Apr 12, 2021 08:43:17.499808073 CEST	56969	53	192.168.2.5	8.8.8.8
Apr 12, 2021 08:43:17.551426888 CEST	53	56969	8.8.8.8	192.168.2.5
Apr 12, 2021 08:43:18.761195898 CEST	55161	53	192.168.2.5	8.8.8.8
Apr 12, 2021 08:43:18.820871115 CEST	53	55161	8.8.8.8	192.168.2.5
Apr 12, 2021 08:43:25.496901989 CEST	54757	53	192.168.2.5	8.8.8.8
Apr 12, 2021 08:43:25.556852102 CEST	53	54757	8.8.8.8	192.168.2.5
Apr 12, 2021 08:43:25.590512991 CEST	49992	53	192.168.2.5	8.8.4.4
Apr 12, 2021 08:43:25.642020941 CEST	53	49992	8.8.4.4	192.168.2.5
Apr 12, 2021 08:43:25.719460964 CEST	60075	53	192.168.2.5	8.8.8.8
Apr 12, 2021 08:43:25.781299114 CEST	53	60075	8.8.8.8	192.168.2.5
Apr 12, 2021 08:43:29.804601908 CEST	55016	53	192.168.2.5	8.8.8.8
Apr 12, 2021 08:43:29.853324890 CEST	53	55016	8.8.8.8	192.168.2.5
Apr 12, 2021 08:43:30.054189920 CEST	64345	53	192.168.2.5	8.8.8.8
Apr 12, 2021 08:43:30.113343954 CEST	53	64345	8.8.8.8	192.168.2.5
Apr 12, 2021 08:43:30.342442989 CEST	57128	53	192.168.2.5	8.8.4.4
Apr 12, 2021 08:43:30.399633884 CEST	53	57128	8.8.4.4	192.168.2.5
Apr 12, 2021 08:43:30.409482956 CEST	54791	53	192.168.2.5	8.8.8.8
Apr 12, 2021 08:43:30.458221912 CEST	53	54791	8.8.8.8	192.168.2.5
Apr 12, 2021 08:43:33.248797894 CEST	50463	53	192.168.2.5	8.8.8.8
Apr 12, 2021 08:43:33.309731007 CEST	53	50463	8.8.8.8	192.168.2.5
Apr 12, 2021 08:43:34.618954897 CEST	50394	53	192.168.2.5	8.8.8.8
Apr 12, 2021 08:43:34.677774906 CEST	53	50394	8.8.8.8	192.168.2.5
Apr 12, 2021 08:43:34.846693993 CEST	58530	53	192.168.2.5	8.8.4.4
Apr 12, 2021 08:43:34.903510094 CEST	53	58530	8.8.4.4	192.168.2.5
Apr 12, 2021 08:43:34.932809114 CEST	53813	53	192.168.2.5	8.8.8.8
Apr 12, 2021 08:43:34.981901884 CEST	53	53813	8.8.8.8	192.168.2.5
Apr 12, 2021 08:43:49.493936062 CEST	63732	53	192.168.2.5	8.8.8.8
Apr 12, 2021 08:43:49.559073925 CEST	53	63732	8.8.8.8	192.168.2.5
Apr 12, 2021 08:44:12.017734051 CEST	57344	53	192.168.2.5	8.8.8.8
Apr 12, 2021 08:44:12.069437027 CEST	53	57344	8.8.8.8	192.168.2.5
Apr 12, 2021 08:44:13.993952036 CEST	54450	53	192.168.2.5	8.8.8.8
Apr 12, 2021 08:44:14.042953014 CEST	53	54450	8.8.8.8	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Apr 12, 2021 08:43:25.496901989 CEST	192.168.2.5	8.8.8.8	0x2d32	Standard query (0)	nassiru1155.ddns.net	A (IP address)	IN (0x0001)
Apr 12, 2021 08:43:25.590512991 CEST	192.168.2.5	8.8.4.4	0x5856	Standard query (0)	nassiru1155.ddns.net	A (IP address)	IN (0x0001)
Apr 12, 2021 08:43:25.719460964 CEST	192.168.2.5	8.8.8.8	0x3e34	Standard query (0)	nassiru1155.ddns.net	A (IP address)	IN (0x0001)
Apr 12, 2021 08:43:30.054189920 CEST	192.168.2.5	8.8.8.8	0x287e	Standard query (0)	nassiru1155.ddns.net	A (IP address)	IN (0x0001)
Apr 12, 2021 08:43:30.342442989 CEST	192.168.2.5	8.8.4.4	0xa69	Standard query (0)	nassiru1155.ddns.net	A (IP address)	IN (0x0001)
Apr 12, 2021 08:43:30.409482956 CEST	192.168.2.5	8.8.8.8	0xdd53	Standard query (0)	nassiru1155.ddns.net	A (IP address)	IN (0x0001)
Apr 12, 2021 08:43:34.618954897 CEST	192.168.2.5	8.8.8.8	0xaa7	Standard query (0)	nassiru1155.ddns.net	A (IP address)	IN (0x0001)
Apr 12, 2021 08:43:34.846693993 CEST	192.168.2.5	8.8.4.4	0xea51	Standard query (0)	nassiru1155.ddns.net	A (IP address)	IN (0x0001)
Apr 12, 2021 08:43:34.932809114 CEST	192.168.2.5	8.8.8.8	0x471	Standard query (0)	nassiru1155.ddns.net	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Apr 12, 2021 08:43:25.556852102 CEST	8.8.8.8	192.168.2.5	0x2d32	Name error (3)	nassiru1155.ddns.net	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 08:43:25.642020941 CEST	8.8.4.4	192.168.2.5	0x5856	Name error (3)	nassiru1155.ddns.net	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 08:43:25.781299114 CEST	8.8.8.8	192.168.2.5	0x3e34	Name error (3)	nassiru1155.ddns.net	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 08:43:30.113343954 CEST	8.8.8.8	192.168.2.5	0x287e	Name error (3)	nassiru1155.ddns.net	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 08:43:30.399633884 CEST	8.8.4.4	192.168.2.5	0xa69	Name error (3)	nassiru1155.ddns.net	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 08:43:30.458221912 CEST	8.8.8.8	192.168.2.5	0xdd53	Name error (3)	nassiru1155.ddns.net	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 08:43:34.677774906 CEST	8.8.8.8	192.168.2.5	0xaa7	Name error (3)	nassiru1155.ddns.net	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 08:43:34.903510094 CEST	8.8.4.4	192.168.2.5	0xea51	Name error (3)	nassiru1155.ddns.net	none	none	A (IP address)	IN (0x0001)
Apr 12, 2021 08:43:34.981901884 CEST	8.8.8.8	192.168.2.5	0x471	Name error (3)	nassiru1155.ddns.net	none	none	A (IP address)	IN (0x0001)

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: YfceI5MZX4.exe PID: 6136 Parent PID: 5552

General

Start time:	08:42:17
Start date:	12/04/2021
Path:	C:\Users\user\Desktop\YfceI5MZX4.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\YfceI5MZX4.exe'
Imagebase:	0x160000
File size:	802304 bytes
MD5 hash:	A3CBEB3E732B11954572B3EE6755242C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.247117060.0000000002945000.00000004.00000001.sdmp, Author: Joe Security Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.248677483.0000000003AB9000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.248677483.0000000003AB9000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000000.00000002.248677483.0000000003AB9000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Chronological Activities

Analysis Process: schtasks.exe PID: 5564 Parent PID: 6136

General

Start time:	08:42:25
Start date:	12/04/2021
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\gmSlQSien' /XML 'C:\Users\user\AppData\Local\Temp\tmp7762.tmp'
Imagebase:	0x12d0000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 2908 Parent PID: 5564

General

Start time:	08:42:25
Start date:	12/04/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7ecfc0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: RegSvcs.exe PID: 5996 Parent PID: 6136

General

Start time:	08:42:26
Start date:	12/04/2021
Path:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
Imagebase:	0x9b0000
File size:	32768 bytes
MD5 hash:	71369277D09DA0830C8C59F9E22BB23A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000002.500274474.0000000003FBB000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000005.00000002.500274474.0000000003FBB000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000002.492901504.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000002.492901504.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000005.00000002.492901504.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000002.501754781.0000000005470000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000005.00000002.501754781.0000000005470000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000002.502139157.00000000058D0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000005.00000002.502139157.00000000058D0000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000002.502139157.00000000058D0000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Analysis Process: dhcpmon.exe PID: 6464 Parent PID: 3472

General

Start time:	08:42:35
Start date:	12/04/2021
Path:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
Imagebase:	0x3f0000
File size:	32768 bytes
MD5 hash:	71369277D09DA0830C8C59F9E22BB23A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Antivirus matches:	Detection: 0%, Metadefender, Browse Detection: 0%, ReversingLabs
Reputation:	moderate

Chronological Activities

Analysis Process: conhost.exe PID: 6472 Parent PID: 6464

General

Start time:	08:42:36
Start date:	12/04/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7ecfc0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: YfceI5MZX4.exe PID: 6136 Parent PID: 5552 YfceI5MZX4.exeCOMMON

Executed Functions

Function 04B24410, Relevance: 2.6, Strings: 2, Instructions: 150COMMON

Download Yara Rule

Strings

X$&r, xrefs: 04B24569
X$&r, xrefs: 04B24559

Memory Dump Source

Source File: 00000000.00000002.250076545.0000000004B20000.00000040.00000001.sdmp, Offset: 04B20000, based on PE: false

Similarity

API ID:
String ID: X$&r$X$&r
API String ID: 0-3226593409
Opcode ID: 3e832a0b1a3f5a0d27ec3382157215897b29d8cfc6b193372f537e5d6aeb29d7
Instruction ID: 534adf9663197a93deab576aff273583341621c3e453d46c88775a1c73e45500
Opcode Fuzzy Hash: 3e832a0b1a3f5a0d27ec3382157215897b29d8cfc6b193372f537e5d6aeb29d7
Instruction Fuzzy Hash: 8A619174E00218DFDB04DFA9D984A9DBBF2FF88304F248169E809AB764DB74A941CF51

Uniqueness

Uniqueness Score: -1.00%

Function 06A90507, Relevance: 1.6, APIs: 1, Instructions: 75COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 06A90587

Memory Dump Source

Source File: 00000000.00000002.253798029.0000000006A90000.00000040.00000001.sdmp, Offset: 06A90000, based on PE: false

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: c30f341cc7966a32bd6a232979dfe5a930481def966e46adc489b2b0e5ffc3fa
Instruction ID: 0f3d435cad36dec60a987192079ac7dd59db08c495ad69ef1f96414095acfca5
Opcode Fuzzy Hash: c30f341cc7966a32bd6a232979dfe5a930481def966e46adc489b2b0e5ffc3fa
Instruction Fuzzy Hash: 9821BF755093849FDB228F25DC40B52BFF8EF06210F0884DAE9858F163D274E808CB72

Uniqueness

Uniqueness Score: -1.00%

Function 06A909C3, Relevance: 1.6, APIs: 1, Instructions: 64nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL(?,?,?,?), ref: 06A90A39

Memory Dump Source

Source File: 00000000.00000002.253798029.0000000006A90000.00000040.00000001.sdmp, Offset: 06A90000, based on PE: false

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: 281b985f5b668979f3d4812cf899fc46d6502d6505abdb0da0f85ac98aa2813e
Instruction ID: ebaa002fe9342c218165caee94d7657ad71f15a57a1d57fc889324f05b08e240
Opcode Fuzzy Hash: 281b985f5b668979f3d4812cf899fc46d6502d6505abdb0da0f85ac98aa2813e
Instruction Fuzzy Hash: 4321AE754097C09FDB238B20DC45A52FFB4EF16214F0980DFE9848F163D265A509DB72

Uniqueness

Uniqueness Score: -1.00%

Function 06A9053E, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 06A90587

Memory Dump Source

Source File: 00000000.00000002.253798029.0000000006A90000.00000040.00000001.sdmp, Offset: 06A90000, based on PE: false

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: 884bbf87a12bb00bb6fff10f7c376b814570123e9a905c45063c599617f4fc30
Instruction ID: 49ec77c763f92d250cdabf716b283a7b38633887ae7451f1e1f495d0e5f81961
Opcode Fuzzy Hash: 884bbf87a12bb00bb6fff10f7c376b814570123e9a905c45063c599617f4fc30
Instruction Fuzzy Hash: 35115E759002049FDB60DF55D944B66FBE8EF04220F18C46EED858B616D375E414DB71

Uniqueness

Uniqueness Score: -1.00%

Function 06A9086C, Relevance: 1.6, APIs: 1, Instructions: 50nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationProcess.NTDLL(?,?,?,?,?), ref: 06A908CC

Memory Dump Source

Source File: 00000000.00000002.253798029.0000000006A90000.00000040.00000001.sdmp, Offset: 06A90000, based on PE: false

Similarity

API ID: InformationProcessQuery
String ID:
API String ID: 1778838933-0
Opcode ID: 7d65afbdce45b09dbf95215998605014ad037615dfd826a8d1d0ae046923c279
Instruction ID: bffd715a6224fecfadd1fbf3e9ddc35bf321cd05ad6b321ed061e9d1a735e145
Opcode Fuzzy Hash: 7d65afbdce45b09dbf95215998605014ad037615dfd826a8d1d0ae046923c279
Instruction Fuzzy Hash: 98119131505784AFDB228F25DC44A52FFF4EF45220F08C59EED854B162C375A419CB61

Uniqueness

Uniqueness Score: -1.00%

Function 06A9088E, Relevance: 1.5, APIs: 1, Instructions: 39nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationProcess.NTDLL(?,?,?,?,?), ref: 06A908CC

Memory Dump Source

Source File: 00000000.00000002.253798029.0000000006A90000.00000040.00000001.sdmp, Offset: 06A90000, based on PE: false

Similarity

API ID: InformationProcessQuery
String ID:
API String ID: 1778838933-0
Opcode ID: dc3227510e6b976897f04d9365ca8452584130da317f0be7ea88cb0d3d282eaf
Instruction ID: 18185c04e87047b0d5bbbd4f38d4176572d190ff1840e6cda4d1c37c58dc6347
Opcode Fuzzy Hash: dc3227510e6b976897f04d9365ca8452584130da317f0be7ea88cb0d3d282eaf
Instruction Fuzzy Hash: 37017131500744DFDB609F55D944B65FBE4EF08720F18C59EEE454A625C375A418CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 06A909FE, Relevance: 1.5, APIs: 1, Instructions: 38nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL(?,?,?,?), ref: 06A90A39

Memory Dump Source

Source File: 00000000.00000002.253798029.0000000006A90000.00000040.00000001.sdmp, Offset: 06A90000, based on PE: false

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: 80747796b34c45bc173ac8d143439ab255a682934ebdd984e2355dbe6ed6c2a6
Instruction ID: 5bf6bd98e0d168099cb05c225d7a3ac240a2d8cefe8272303b659b3e7204dcca
Opcode Fuzzy Hash: 80747796b34c45bc173ac8d143439ab255a682934ebdd984e2355dbe6ed6c2a6
Instruction Fuzzy Hash: 97018F35400204DFEB60AF15D844B25FBE0EF08320F18C49EED894B615D375A418DBB2

Uniqueness

Uniqueness Score: -1.00%

Function 04B2F8B0, Relevance: 1.5, Strings: 1, Instructions: 225COMMON

Download Yara Rule

Strings

@ep, xrefs: 04B2F992

Memory Dump Source

Source File: 00000000.00000002.250076545.0000000004B20000.00000040.00000001.sdmp, Offset: 04B20000, based on PE: false

Similarity

API ID:
String ID: @ep
API String ID: 0-323641960
Opcode ID: 5a176382ddac91a335b215c2a8e558fcd8c0c72f88f0da0633fe180a4b80de02
Instruction ID: bf9a96b9445c95aa1edf1d8128d5267279865fa015bbe6b9dbf08f9437e1744e
Opcode Fuzzy Hash: 5a176382ddac91a335b215c2a8e558fcd8c0c72f88f0da0633fe180a4b80de02
Instruction Fuzzy Hash: 49A12470E15228DFCB14DFE4D6986EDBBB5FB89304F20946AD01ABB254E730A941DF24

Uniqueness

Uniqueness Score: -1.00%

Function 04973ED1, Relevance: 1.5, Strings: 1, Instructions: 208COMMON

Download Yara Rule

Strings

T, xrefs: 04974121

Memory Dump Source

Source File: 00000000.00000002.249760587.0000000004970000.00000040.00000001.sdmp, Offset: 04970000, based on PE: false

Similarity

API ID:
String ID: T
API String ID: 0-3187964512
Opcode ID: 1b30c643dec26631d533789ce522ceab96b865f34cb3de42e654179b95c81b33
Instruction ID: 794e315bb9a8f38058acf4287a6345231e7d5a1e35bd21a8b924ab4b55b3d16d
Opcode Fuzzy Hash: 1b30c643dec26631d533789ce522ceab96b865f34cb3de42e654179b95c81b33
Instruction Fuzzy Hash: 40911375E0520ADFDB44CFE6D5405EEBBB2FB89340F20A92AD805BB214E7346A01DF65

Uniqueness

Uniqueness Score: -1.00%

Function 04B24400, Relevance: 1.4, Strings: 1, Instructions: 141COMMON

Download Yara Rule

Strings

X$&r, xrefs: 04B24559

Memory Dump Source

Source File: 00000000.00000002.250076545.0000000004B20000.00000040.00000001.sdmp, Offset: 04B20000, based on PE: false

Similarity

API ID:
String ID: X$&r
API String ID: 0-1835828569
Opcode ID: 46e9dc90dd914317291d9dae2051a35b02ca2bf616082c290734c16f63a07641
Instruction ID: f296d5cccbf4c3b2a97d384b2aedc85132583ce09e4832e8211f19d5f412a1c5
Opcode Fuzzy Hash: 46e9dc90dd914317291d9dae2051a35b02ca2bf616082c290734c16f63a07641
Instruction Fuzzy Hash: 7351B174E00258DFDB04DFA9C984A9DBBF2FF88300F148169E809AB765DB75A942CF51

Uniqueness

Uniqueness Score: -1.00%

Function 04B28002, Relevance: .4, Instructions: 435COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.250076545.0000000004B20000.00000040.00000001.sdmp, Offset: 04B20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12968e79723f2d49fd986afa1670c3a75199f304469d3f2736247c3527894a43
Instruction ID: ab3f931f6666e4f782e14e74f7def6d31ee7ad6de9066e18beafc5b934e9fa17
Opcode Fuzzy Hash: 12968e79723f2d49fd986afa1670c3a75199f304469d3f2736247c3527894a43
Instruction Fuzzy Hash: C8F1D1B1D05166CFCB14DFA4C6804EEBBB1FB5A310F1496D9C019AB251EB34BA43CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 04972E87, Relevance: .3, Instructions: 319COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249760587.0000000004970000.00000040.00000001.sdmp, Offset: 04970000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1378e89b1aeaff10c7d1a6c8e2f48a337ef36855964fd4690bbec32f3e35d303
Instruction ID: 871e83c2fe5e5c48881523e697aad75796a79335d89c42f78282c136a444f54e
Opcode Fuzzy Hash: 1378e89b1aeaff10c7d1a6c8e2f48a337ef36855964fd4690bbec32f3e35d303
Instruction Fuzzy Hash: F5D14670E12208DFDB14CFA1D985BDDBBB2EF89710F20946AE505BB294DB746A41CF24

Uniqueness

Uniqueness Score: -1.00%

Function 04972E98, Relevance: .3, Instructions: 314COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249760587.0000000004970000.00000040.00000001.sdmp, Offset: 04970000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a321e19af675652db3a8f75e3a99221ec7efbbed9bcc67a6e54e878ea26fb9c
Instruction ID: 1a984a13dc8105f6842ef14235f3cadde49446fcf65a0fb5edba31cbce5af136
Opcode Fuzzy Hash: 2a321e19af675652db3a8f75e3a99221ec7efbbed9bcc67a6e54e878ea26fb9c
Instruction Fuzzy Hash: AED13770E16208DFDB14CFA1D995BDDBBB2EB89710F20A46AE505BB284DB746940CF18

Uniqueness

Uniqueness Score: -1.00%

Function 04B28080, Relevance: .3, Instructions: 269COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.250076545.0000000004B20000.00000040.00000001.sdmp, Offset: 04B20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2034beecb285b9533401f4f518f05f2a9421cab0e110e048a9a7ead11b2d596f
Instruction ID: 673bb6a61ed121745971e736db2a977d0c034fd106dc2e8f7cc10c318ecf3b0d
Opcode Fuzzy Hash: 2034beecb285b9533401f4f518f05f2a9421cab0e110e048a9a7ead11b2d596f
Instruction Fuzzy Hash: 44C13870D0521ADFCB04DFA4C6848AEFBB1FF48351F249A9AC416BB255D734AA41CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 04971148, Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249760587.0000000004970000.00000040.00000001.sdmp, Offset: 04970000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25123e916e2d87b995b449f56772ec2186b8b56766420c4fb4aeccf3f5687627
Instruction ID: f7d26c36379e1a4610b8a4c0a458141d5ec802f05d3ec0ae9895bd6e716061d5
Opcode Fuzzy Hash: 25123e916e2d87b995b449f56772ec2186b8b56766420c4fb4aeccf3f5687627
Instruction Fuzzy Hash: A1A11870D0120ADFCB04CFE9D5829AEFBB6EF49314F208565D425BB355D734AA428F91

Uniqueness

Uniqueness Score: -1.00%

Function 04B24EE0, Relevance: .2, Instructions: 230COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.250076545.0000000004B20000.00000040.00000001.sdmp, Offset: 04B20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a249ec32d2469da5f77bfdc8c6724351e4ca32aba5622405372fcc3abca2b55
Instruction ID: e531c0f528e276e9aaa1595405a0b0dffb7400912ead007b837ab34a138724a8
Opcode Fuzzy Hash: 0a249ec32d2469da5f77bfdc8c6724351e4ca32aba5622405372fcc3abca2b55
Instruction Fuzzy Hash: 74913471E00228DFDB14DFA9C940BEEBBB2BF89318F4081A9D41CBB654DB7469458F61

Uniqueness

Uniqueness Score: -1.00%

Function 04B2613B, Relevance: .2, Instructions: 226COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.250076545.0000000004B20000.00000040.00000001.sdmp, Offset: 04B20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5381ebdd5d640bc8ac355e862b4e21f929607eda5009d8672466c684d38ead02
Instruction ID: aa52be8ef35efc5329130fa87e946be3353f1d2292a7b66d8f83487f8639f720
Opcode Fuzzy Hash: 5381ebdd5d640bc8ac355e862b4e21f929607eda5009d8672466c684d38ead02
Instruction Fuzzy Hash: D3914A70D01259DFEB04CFA9D9846DDBBB2FF89318F2080AAD405AB350D736A94ACF50

Uniqueness

Uniqueness Score: -1.00%

Function 04B25261, Relevance: .2, Instructions: 225COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.250076545.0000000004B20000.00000040.00000001.sdmp, Offset: 04B20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0dfe687eaf252dad33f1931809894ad5a55381934a51d82ac3f6be0d69439db5
Instruction ID: d42dd2fe0fbf0a0e2fd06e3ab8d9837c28548f49749bc95d34796ec38b0e8a88
Opcode Fuzzy Hash: 0dfe687eaf252dad33f1931809894ad5a55381934a51d82ac3f6be0d69439db5
Instruction Fuzzy Hash: 00915770D002289FCB14DFA9C6446ADFBF2BF49319F64C2A9D428BB359D734A941CB61

Uniqueness

Uniqueness Score: -1.00%

Function 04975985, Relevance: .2, Instructions: 213COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249760587.0000000004970000.00000040.00000001.sdmp, Offset: 04970000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc71cf42d12e434427baddd4d0fc515485d20deed86a567039140e024cbc06ce
Instruction ID: 4cf19cddd080381e1f771bef89bebc335c7ab8e6c79f70d2d386459f89d8d873
Opcode Fuzzy Hash: fc71cf42d12e434427baddd4d0fc515485d20deed86a567039140e024cbc06ce
Instruction Fuzzy Hash: 49813970D19219EFCB94CFE0C5805ADFBB2FB49320F41A92AD016BBA54E374A901CB15

Uniqueness

Uniqueness Score: -1.00%

Function 04B24ED0, Relevance: .2, Instructions: 204COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.250076545.0000000004B20000.00000040.00000001.sdmp, Offset: 04B20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 364244231d89f2168d1548b4d9c5f2b35d200bf1d912edb62d62ee87dd2ad209
Instruction ID: 1248475a70a9efbdba3493be3d8533fd1b84911c289fdb134c16c5429de081fe
Opcode Fuzzy Hash: 364244231d89f2168d1548b4d9c5f2b35d200bf1d912edb62d62ee87dd2ad209
Instruction Fuzzy Hash: DB812571E00228DFDB24DFA9C9407EDBBB2BF89318F4081A9D41CBB255DB7469858F61

Uniqueness

Uniqueness Score: -1.00%

Function 049734E8, Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249760587.0000000004970000.00000040.00000001.sdmp, Offset: 04970000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62bd3dee9f53b401aef847ff39f7aded4cb226e9aa1427b82530f1a1ab767b50
Instruction ID: ee8a7c917250e7bb58628f025edb6fdb03e4f5aea16c498845c2e4c99f6696f3
Opcode Fuzzy Hash: 62bd3dee9f53b401aef847ff39f7aded4cb226e9aa1427b82530f1a1ab767b50
Instruction Fuzzy Hash: D871B2B4E05209DFCB04DFE5D58599DBBB2FF89301F20946AE80ABB394DB346A41DB50

Uniqueness

Uniqueness Score: -1.00%

Function 04B2D698, Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.250076545.0000000004B20000.00000040.00000001.sdmp, Offset: 04B20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae2ccc7d0786f34d1e4a42086e6bb0352e552f4c2af7ebb39cdc9e1c5ef74518
Instruction ID: 617b72e487dfa92ffccc8fd6b8bb343d9c43e26f2032f2d3f3da429a1fea14f1
Opcode Fuzzy Hash: ae2ccc7d0786f34d1e4a42086e6bb0352e552f4c2af7ebb39cdc9e1c5ef74518
Instruction Fuzzy Hash: C37116B4E01219DFCB44CFE4DA985EEBBB5FF49300F20906AD41AAB260D7345A42CF51

Uniqueness

Uniqueness Score: -1.00%

Function 04B261D0, Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.250076545.0000000004B20000.00000040.00000001.sdmp, Offset: 04B20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19004ee0e27630d29ab0fb5c4172e34e139ae18c5ebcc3c27ae86cb238f61aa4
Instruction ID: cd97b31444845e1ddbb542116d4892525bf094a30aaa391c59ab30397f8d30bb
Opcode Fuzzy Hash: 19004ee0e27630d29ab0fb5c4172e34e139ae18c5ebcc3c27ae86cb238f61aa4
Instruction Fuzzy Hash: A061C2B4E01219DFDB08CFE9D994AAEBBB2BF89300F20816AD415BB354DB355946CF50

Uniqueness

Uniqueness Score: -1.00%

Function 04B240DF, Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.250076545.0000000004B20000.00000040.00000001.sdmp, Offset: 04B20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 633ad155dff7a1aa7bc2b79729a2d9c553638a0eaf18ef7457a00982ab7a9dce
Instruction ID: 495760a8ee386add71b65f99df17cdf1920270593d5ad45abeafa12c1deda307
Opcode Fuzzy Hash: 633ad155dff7a1aa7bc2b79729a2d9c553638a0eaf18ef7457a00982ab7a9dce
Instruction Fuzzy Hash: 12511531D002188FDF19CFAAC9405DDBBB2FF8A315F64816AD814BB261DB346946CF61

Uniqueness

Uniqueness Score: -1.00%

Function 049715D0, Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249760587.0000000004970000.00000040.00000001.sdmp, Offset: 04970000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc5bba035b4de9c4d531e986160c663e11c99850bda853950a9e6c80435a1808
Instruction ID: f19aaa88bc4724daca5eea71c3b52bd7c9c683fe814b10be6d845c20e5cee288
Opcode Fuzzy Hash: bc5bba035b4de9c4d531e986160c663e11c99850bda853950a9e6c80435a1808
Instruction Fuzzy Hash: 68516C70E0521A9FCB04CFA9C5819AEFBF2FF89310F149969D411BB364D738AA018F61

Uniqueness

Uniqueness Score: -1.00%

Function 04B268B8, Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.250076545.0000000004B20000.00000040.00000001.sdmp, Offset: 04B20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3747b7ad0564e899e6bea178e3b7ecffe9d4a654f915edc04dea597f0b1e9db
Instruction ID: a33c73ee4c72661db85edd21697eeb5744d289ff1db7c49e890dcf285db4743f
Opcode Fuzzy Hash: f3747b7ad0564e899e6bea178e3b7ecffe9d4a654f915edc04dea597f0b1e9db
Instruction Fuzzy Hash: 01514B71D0422A9FCB04CFA5C5416AEFFF2EB9D300F14D1AAC459A7251D7346A41CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 04972AD9, Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249760587.0000000004970000.00000040.00000001.sdmp, Offset: 04970000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 019173d510cbacb1d3b636d89a528101a11189747a58db00bd724c6dc9b475ec
Instruction ID: c751f298a4cdae0a1d579521a594fba689763c9dc0b37a4c0d55584f81071533
Opcode Fuzzy Hash: 019173d510cbacb1d3b636d89a528101a11189747a58db00bd724c6dc9b475ec
Instruction Fuzzy Hash: 14414774E26209DFCB44CFA5D5819DEBFF2EB89310F24946AE005FB250E734A941CB68

Uniqueness

Uniqueness Score: -1.00%

Function 04972AE8, Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249760587.0000000004970000.00000040.00000001.sdmp, Offset: 04970000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27d3fe7ec7d1981960e01e908b251d6a32bc63381668523771c550935b68fc99
Instruction ID: 380697cd4041a2e246834aaf537a259c66dc6d6a6c6a6caef1ae03ad288555f5
Opcode Fuzzy Hash: 27d3fe7ec7d1981960e01e908b251d6a32bc63381668523771c550935b68fc99
Instruction Fuzzy Hash: 28413674E26209DFCB44CFA5D5815DDFFF2EB89310F24986AE005FA250E734A941CB68

Uniqueness

Uniqueness Score: -1.00%

Function 04975AD7, Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249760587.0000000004970000.00000040.00000001.sdmp, Offset: 04970000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fc790fd975a2c192070a79ae88d93eb7717a73ca536f08f71f44a87f805ac54
Instruction ID: f041b8a3741afe94654e3499b1ffc7cc233b70451aaf28e127bd08afb91d9b2c
Opcode Fuzzy Hash: 4fc790fd975a2c192070a79ae88d93eb7717a73ca536f08f71f44a87f805ac54
Instruction Fuzzy Hash: 46417E70D19259EFCB84CFE0C5805ADFBB2FB49320F01AA2AE016BBA58D774A405CF14

Uniqueness

Uniqueness Score: -1.00%

Function 04B2A3A1, Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.250076545.0000000004B20000.00000040.00000001.sdmp, Offset: 04B20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71ea16ffceeca296612169af17d5a151366f7642bdd395894e1605201ec85883
Instruction ID: 0ded2a702ec9c24281e80bbaf6a87c8695b62682f1e891718ff99070dbbccfca
Opcode Fuzzy Hash: 71ea16ffceeca296612169af17d5a151366f7642bdd395894e1605201ec85883
Instruction Fuzzy Hash: C1312A70E006688FDB18CF6AD94479EBBB3AFC9300F14C0AAD84CAB255D7745A41CF51

Uniqueness

Uniqueness Score: -1.00%

Function 04B27210, Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.250076545.0000000004B20000.00000040.00000001.sdmp, Offset: 04B20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 381ae6bf9b43c7da5432c239a85375d311fe7f02cbdc58bb472b06f25c8793ca
Instruction ID: 19b4ae5a2d9fb473c59a9b325316c68ea3e117251877644fc5797ea932eba95c
Opcode Fuzzy Hash: 381ae6bf9b43c7da5432c239a85375d311fe7f02cbdc58bb472b06f25c8793ca
Instruction Fuzzy Hash: 41211BB1E046588BDB18CF96C9542DEFBF3EFC9310F14C16AD908AB264DB341946CB50

Uniqueness

Uniqueness Score: -1.00%

Function 04B20A18, Relevance: 2.4, Instructions: 2422COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.250076545.0000000004B20000.00000040.00000001.sdmp, Offset: 04B20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18bba59463835dc3027c068036d32c1c7983cb1f9fe27fb77427bdf199f6dff0
Instruction ID: c1cb6084c0f6d97d3b27794d328598fbc6de4b7eba3b290f501c2b9d23daf439
Opcode Fuzzy Hash: 18bba59463835dc3027c068036d32c1c7983cb1f9fe27fb77427bdf199f6dff0
Instruction Fuzzy Hash: 7A43C674A016188FCB25DF24C894B9EB7B2FF89301F5151E9E509AB3A1DB31AE84CF41

Uniqueness

Uniqueness Score: -1.00%

Function 04B20A28, Relevance: 2.4, Instructions: 2414COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.250076545.0000000004B20000.00000040.00000001.sdmp, Offset: 04B20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca7d8f65cb3c20307b023c68c929a191df426042e4a10123f2cf100a740cfdee
Instruction ID: 9d24637b185cbc86abd1e51b77f39d55dcf3318abd6d1b5fac29d963d94cde14
Opcode Fuzzy Hash: ca7d8f65cb3c20307b023c68c929a191df426042e4a10123f2cf100a740cfdee
Instruction Fuzzy Hash: 5943C674A016188FCB24DF24C894B9EB7B2FF89305F5151E9E509AB3A1DB31AE84CF41

Uniqueness

Uniqueness Score: -1.00%

Function 06A918BA, Relevance: 1.6, APIs: 1, Instructions: 132fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 06A919C9

Memory Dump Source

Source File: 00000000.00000002.253798029.0000000006A90000.00000040.00000001.sdmp, Offset: 06A90000, based on PE: false

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 43a67038fa0955e5baa2f8040807844d0559309b1ff2a556ada2bf8f27f8f001
Instruction ID: a67e5e5e2b1ffedeb0f43cac9b29641d612d131a5092ec8d4ae92978932c6b7f
Opcode Fuzzy Hash: 43a67038fa0955e5baa2f8040807844d0559309b1ff2a556ada2bf8f27f8f001
Instruction Fuzzy Hash: 8C415A714093C06FEB139B758C55AA2BFB8AF07214F1984DBE8C4DF1A3D265A809D772

Uniqueness

Uniqueness Score: -1.00%

Function 06A91D2F, Relevance: 1.6, APIs: 1, Instructions: 102COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,00000E2C), ref: 06A91DDF

Memory Dump Source

Source File: 00000000.00000002.253798029.0000000006A90000.00000040.00000001.sdmp, Offset: 06A90000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: e742d2790d3da20608b67e99844cb3419bffc9d322f357a771ffc3ae6ef7f961
Instruction ID: cb75a9d6406a08a33874d4c0373ec42927844a029ef4e131c5a31a42725ee707
Opcode Fuzzy Hash: e742d2790d3da20608b67e99844cb3419bffc9d322f357a771ffc3ae6ef7f961
Instruction Fuzzy Hash: 0F31B471504384AFEB228B25DC44FA7BFECEF06310F0885AAE985CB152D724A909CB71

Uniqueness

Uniqueness Score: -1.00%

Function 06A9019C, Relevance: 1.6, APIs: 1, Instructions: 93COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,00000E2C), ref: 06A90248

Memory Dump Source

Source File: 00000000.00000002.253798029.0000000006A90000.00000040.00000001.sdmp, Offset: 06A90000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 3231f545e9c822881c27d94a6e42f23760ee04cf595e1859a5f7df80dfa8c279
Instruction ID: 47c126945e781afe7cb480fb7f4f1999a4ad4bd3b28c4fa455e9af712857df2c
Opcode Fuzzy Hash: 3231f545e9c822881c27d94a6e42f23760ee04cf595e1859a5f7df80dfa8c279
Instruction Fuzzy Hash: 8131D5725043846FEB228B64DC44F66BFE8EF06314F0884AEE9848F153D774A918CB71

Uniqueness

Uniqueness Score: -1.00%

Function 00A0AB26, Relevance: 1.6, APIs: 1, Instructions: 92registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,00000E2C), ref: 00A0ABD5

Memory Dump Source

Source File: 00000000.00000002.246329277.0000000000A0A000.00000040.00000001.sdmp, Offset: 00A0A000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 0e9c1eb538e450d52739c98b865a7c2529387cd5f90839062d75f9e2f5f9cccb
Instruction ID: 838d91c225d99d1e3b289bdfdb0167fb580b433555ed32d6d8cc23986475601c
Opcode Fuzzy Hash: 0e9c1eb538e450d52739c98b865a7c2529387cd5f90839062d75f9e2f5f9cccb
Instruction Fuzzy Hash: 7C31D6B25043846FE7228B25DC45F67BFECEF06710F08849AED848B152D264E949C771

Uniqueness

Uniqueness Score: -1.00%

Function 00A0AC1D, Relevance: 1.6, APIs: 1, Instructions: 89registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,779DED2B,00000000,00000000,00000000,00000000), ref: 00A0ACD8

Memory Dump Source

Source File: 00000000.00000002.246329277.0000000000A0A000.00000040.00000001.sdmp, Offset: 00A0A000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 758d563d099f1bd513bbb5983c8f307b85a6c85f3ab29623027bd26b8b733790
Instruction ID: cfdafdb142645e7c143ce28ae69f04c56553b9cd319a594975bb6b11165fa812
Opcode Fuzzy Hash: 758d563d099f1bd513bbb5983c8f307b85a6c85f3ab29623027bd26b8b733790
Instruction Fuzzy Hash: EB31B3721053845FE722CB25DC44F62BFECEF06314F08849AE984CB192D364E848CB71

Uniqueness

Uniqueness Score: -1.00%

Function 06A90D2E, Relevance: 1.6, APIs: 1, Instructions: 89synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNELBASE(?,?), ref: 06A90DD5

Memory Dump Source

Source File: 00000000.00000002.253798029.0000000006A90000.00000040.00000001.sdmp, Offset: 06A90000, based on PE: false

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 39976cb7aff0214cdef14e845465821180d7f1dd70590e0ecd70586c032d7104
Instruction ID: bc9599c174ecd2974adb4142c2655e4ae0564d5dc2cededb35215c0fd7cc0ae1
Opcode Fuzzy Hash: 39976cb7aff0214cdef14e845465821180d7f1dd70590e0ecd70586c032d7104
Instruction Fuzzy Hash: 43318F71509784AFE722DB25CC84B56BFE8EF06210F1884AEE984CF292D375E908C771

Uniqueness

Uniqueness Score: -1.00%

Function 06A910CA, Relevance: 1.6, APIs: 1, Instructions: 89fileCOMMON

Download Yara Rule

APIs

CopyFileW.KERNELBASE(?,?,?), ref: 06A91156

Memory Dump Source

Source File: 00000000.00000002.253798029.0000000006A90000.00000040.00000001.sdmp, Offset: 06A90000, based on PE: false

Similarity

API ID: CopyFile
String ID:
API String ID: 1304948518-0
Opcode ID: 9949274066d1a1df975a8240a4a082222c918eb0e8f1a5d651a5e82639583f80
Instruction ID: 63ae92ffecba01a154b70a6d2cfadab6ffb1b7756d9b9669e3914fa463720187
Opcode Fuzzy Hash: 9949274066d1a1df975a8240a4a082222c918eb0e8f1a5d651a5e82639583f80
Instruction Fuzzy Hash: A3317C615093C45FD7538B249C64662BFB89F17214F1D84DFE884CF1A3E2299849C772

Uniqueness

Uniqueness Score: -1.00%

Function 06A90774, Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

GetExitCodeProcess.KERNELBASE(?,00000E2C,779DED2B,00000000,00000000,00000000,00000000), ref: 06A90808

Memory Dump Source

Source File: 00000000.00000002.253798029.0000000006A90000.00000040.00000001.sdmp, Offset: 06A90000, based on PE: false

Similarity

API ID: CodeExitProcess
String ID:
API String ID: 3861947596-0
Opcode ID: 77aca4371f385fbf898358818352a054e48c8802604d65b77ad5c1ba93e4403f
Instruction ID: e4cf316c2b6f37233dd82a6ef9073dceb8951b0cc6e944d0a18daa11988d7263
Opcode Fuzzy Hash: 77aca4371f385fbf898358818352a054e48c8802604d65b77ad5c1ba93e4403f
Instruction Fuzzy Hash: 4421D8715097806FEB128B24DC45FA6BFA8EF46320F1884EAE988DF193D264A505C771

Uniqueness

Uniqueness Score: -1.00%

Function 06A900B1, Relevance: 1.6, APIs: 1, Instructions: 86COMMON

Download Yara Rule

APIs

GetTokenInformation.KERNELBASE(?,00000E2C,779DED2B,00000000,00000000,00000000,00000000), ref: 06A90149

Memory Dump Source

Source File: 00000000.00000002.253798029.0000000006A90000.00000040.00000001.sdmp, Offset: 06A90000, based on PE: false

Similarity

API ID: InformationToken
String ID:
API String ID: 4114910276-0
Opcode ID: ba81d5a2920f3b7fe0b3a354cdd318330129c1b611f054b181e9bc329c1f4cf2
Instruction ID: c8da169e05e7b01b4c2526ec1251f6396df18b1cc206b9c67bb549470eea0c3d
Opcode Fuzzy Hash: ba81d5a2920f3b7fe0b3a354cdd318330129c1b611f054b181e9bc329c1f4cf2
Instruction Fuzzy Hash: 25319372509380AFEB128B25DC55FA6BFB8EF06314F0884EEE9849F153D364A508CB71

Uniqueness

Uniqueness Score: -1.00%

Function 06A9151B, Relevance: 1.6, APIs: 1, Instructions: 84COMMON

Download Yara Rule

APIs

GetTokenInformation.KERNELBASE(?,00000E2C,779DED2B,00000000,00000000,00000000,00000000), ref: 06A915B0

Memory Dump Source

Source File: 00000000.00000002.253798029.0000000006A90000.00000040.00000001.sdmp, Offset: 06A90000, based on PE: false

Similarity

API ID: InformationToken
String ID:
API String ID: 4114910276-0
Opcode ID: 1585334687e682fe912b0bd2936ec167e175461c8de807652b24babdd4844a7b
Instruction ID: 97226f0374963b21a7018662c9bd84b1016b6be08c2059c01db34217779ea339
Opcode Fuzzy Hash: 1585334687e682fe912b0bd2936ec167e175461c8de807652b24babdd4844a7b
Instruction Fuzzy Hash: 98217371505384AFDB21CF65DC45FA6BFE8EF05210F0884AEE985DB152D764A444CB61

Uniqueness

Uniqueness Score: -1.00%

Function 06A9036D, Relevance: 1.6, APIs: 1, Instructions: 84COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 06A90406

Memory Dump Source

Source File: 00000000.00000002.253798029.0000000006A90000.00000040.00000001.sdmp, Offset: 06A90000, based on PE: false

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 4d6013eb1f46023f1e65b80eade61b267bf8643109fd50535857b538087f4b9e
Instruction ID: 97439dddfaee2adf3b5957b2fc8ce70654aab4b4850006cc9b931646982b0e82
Opcode Fuzzy Hash: 4d6013eb1f46023f1e65b80eade61b267bf8643109fd50535857b538087f4b9e
Instruction Fuzzy Hash: F6318E715093C09FDB138B749C55A92BFB8AF13210F0D84EBD984CF1A3D2649808CB72

Uniqueness

Uniqueness Score: -1.00%

Function 06A91D62, Relevance: 1.6, APIs: 1, Instructions: 80COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,00000E2C), ref: 06A91DDF

Memory Dump Source

Source File: 00000000.00000002.253798029.0000000006A90000.00000040.00000001.sdmp, Offset: 06A90000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: c7c9d433f9f25297b675dfd8c17855598367b3a5d435f4067149372551b91ef1
Instruction ID: b7b9039e2e070d8c502ce09f12a1c16f063454c985b31c6c1b551206d8e2e417
Opcode Fuzzy Hash: c7c9d433f9f25297b675dfd8c17855598367b3a5d435f4067149372551b91ef1
Instruction Fuzzy Hash: 6E219072500304AFEB21AF65DC44F6AFBECEF08320F14896AE945DB651D774E9048BB1

Uniqueness

Uniqueness Score: -1.00%

Function 06A91E3D, Relevance: 1.6, APIs: 1, Instructions: 79fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(?), ref: 06A91EC4

Memory Dump Source

Source File: 00000000.00000002.253798029.0000000006A90000.00000040.00000001.sdmp, Offset: 06A90000, based on PE: false

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 5cef0e254c0cfa3ca44566ba5f0bec2ceb871fba7529dadd7f710aa90fc6e15a
Instruction ID: 3b49dfe919dc0f3d80a97b20a685e6b7f0e0e236ee3a402fe9dcc9c02e4778d5
Opcode Fuzzy Hash: 5cef0e254c0cfa3ca44566ba5f0bec2ceb871fba7529dadd7f710aa90fc6e15a
Instruction Fuzzy Hash: 81219F769093C09FDB138B25DC95B92BFA4AF17210F0D84DADD858F2A3D265A908CB71

Uniqueness

Uniqueness Score: -1.00%

Function 06A91A20, Relevance: 1.6, APIs: 1, Instructions: 76COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E2C,779DED2B,00000000,00000000,00000000,00000000), ref: 06A91AB5

Memory Dump Source

Source File: 00000000.00000002.253798029.0000000006A90000.00000040.00000001.sdmp, Offset: 06A90000, based on PE: false

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: c388bbf398b0959cf32530244c6d7428249b2591928425dcbf466293d9cef31b
Instruction ID: da28a2b2b5b87d4227e100f9281f3d05c10a85d1028146927d5b1abf55e20de3
Opcode Fuzzy Hash: c388bbf398b0959cf32530244c6d7428249b2591928425dcbf466293d9cef31b
Instruction Fuzzy Hash: F321F5B64087846FE7128B25DC41FA3BFA8EF46720F18809AED848F153D364A909C771

Uniqueness

Uniqueness Score: -1.00%

Function 06A9194A, Relevance: 1.6, APIs: 1, Instructions: 76fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 06A919C9

Memory Dump Source

Source File: 00000000.00000002.253798029.0000000006A90000.00000040.00000001.sdmp, Offset: 06A90000, based on PE: false

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: ee5b3e6ff6eeff9cff32f5bd81549e2f3d30e917fe0e336592b7e06c9535ff56
Instruction ID: 6318916a425a4a3ae16ca6df19e8d99959a21e899f604871a10884ba9493b4e6
Opcode Fuzzy Hash: ee5b3e6ff6eeff9cff32f5bd81549e2f3d30e917fe0e336592b7e06c9535ff56
Instruction Fuzzy Hash: B2217F71500744AFEB21EF65CD85F66FBE8EF08310F148469E9858B652D375E904CB71

Uniqueness

Uniqueness Score: -1.00%

Function 06A91AF0, Relevance: 1.6, APIs: 1, Instructions: 75fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,00000E2C,779DED2B,00000000,00000000,00000000,00000000), ref: 06A91B81

Memory Dump Source

Source File: 00000000.00000002.253798029.0000000006A90000.00000040.00000001.sdmp, Offset: 06A90000, based on PE: false

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: efae9191c953b65e74b636a2e450c791f66cc636bdb417ab7ce4b3284c7634f1
Instruction ID: 033ddbf38771928d0b525b4b0fad2e86f84f8b835097b6522d361670c0113117
Opcode Fuzzy Hash: efae9191c953b65e74b636a2e450c791f66cc636bdb417ab7ce4b3284c7634f1
Instruction Fuzzy Hash: DC219271409384AFDB228B25DC44F56BFB8EF46314F08849BE9889F153C364A509CB72

Uniqueness

Uniqueness Score: -1.00%

Function 06A901D6, Relevance: 1.6, APIs: 1, Instructions: 75COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,00000E2C), ref: 06A90248

Memory Dump Source

Source File: 00000000.00000002.253798029.0000000006A90000.00000040.00000001.sdmp, Offset: 06A90000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: a9d2d9362139c88209a4a12658a6d315e2472ffcd62d199392910eda8ff43538
Instruction ID: 04a41f4bceaa618d6fb6c9e2c4dc1d0d0304ca540789322800303bfc11a8404d
Opcode Fuzzy Hash: a9d2d9362139c88209a4a12658a6d315e2472ffcd62d199392910eda8ff43538
Instruction Fuzzy Hash: 1321C272500304AFEB219F64DC45F6AFBE8EF04710F1488AEEE458A151D774E5088B71

Uniqueness

Uniqueness Score: -1.00%

Function 00A0AB56, Relevance: 1.6, APIs: 1, Instructions: 74registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,00000E2C), ref: 00A0ABD5

Memory Dump Source

Source File: 00000000.00000002.246329277.0000000000A0A000.00000040.00000001.sdmp, Offset: 00A0A000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 2dca9ad02175143cce2f05d8d19c13d2e03aea0acd180d19e68200562de50a1e
Instruction ID: 90a84d1156d81257619581027f426b3888c66df30c249124bfbf33adbded1827
Opcode Fuzzy Hash: 2dca9ad02175143cce2f05d8d19c13d2e03aea0acd180d19e68200562de50a1e
Instruction Fuzzy Hash: 7821A1B2500308AFE721DB59DC44F6AFBECEF18710F14845AED459B251D774E9488B72

Uniqueness

Uniqueness Score: -1.00%

Function 06A90D62, Relevance: 1.6, APIs: 1, Instructions: 72synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNELBASE(?,?), ref: 06A90DD5

Memory Dump Source

Source File: 00000000.00000002.253798029.0000000006A90000.00000040.00000001.sdmp, Offset: 06A90000, based on PE: false

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 3a917c34c4ae4c1832920d9c3e77f0e4522380a4d2b1c774a4f56d4e456e96f9
Instruction ID: 91def2d76c584d2afe61c0ae1f56748739ebd2bbda869f4e67f512f807820f35
Opcode Fuzzy Hash: 3a917c34c4ae4c1832920d9c3e77f0e4522380a4d2b1c774a4f56d4e456e96f9
Instruction Fuzzy Hash: 68217C71600244AFEB61EB29CD85BA6FBE8EF04710F18846EE9488F245D775E504CA71

Uniqueness

Uniqueness Score: -1.00%

Function 06A908FF, Relevance: 1.6, APIs: 1, Instructions: 72COMMON

Download Yara Rule

APIs

K32EnumProcesses.KERNEL32(?,?,?,779DED2B,00000000,?,?,?,?,?,?,?,?,72AF3C38), ref: 06A9097A

Memory Dump Source

Source File: 00000000.00000002.253798029.0000000006A90000.00000040.00000001.sdmp, Offset: 06A90000, based on PE: false

Similarity

API ID: EnumProcesses
String ID:
API String ID: 84517404-0
Opcode ID: 0550e6412ff131d4f256d895d222a85889efa85724c92c4701c2232b5593ae20
Instruction ID: 77498d5ebc01d0cd4f630d9a44f8c29aefa9bb25cd4133a30473748e9762da0c
Opcode Fuzzy Hash: 0550e6412ff131d4f256d895d222a85889efa85724c92c4701c2232b5593ae20
Instruction Fuzzy Hash: 0C2130755093C45FEB128B25DC54BA2BFA8EF47214F0984DEE984CF153D2659808CB71

Uniqueness

Uniqueness Score: -1.00%

Function 00A0AC5E, Relevance: 1.6, APIs: 1, Instructions: 69registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,779DED2B,00000000,00000000,00000000,00000000), ref: 00A0ACD8

Memory Dump Source

Source File: 00000000.00000002.246329277.0000000000A0A000.00000040.00000001.sdmp, Offset: 00A0A000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: ec38e2085c5e91ba9ed6fbd0f0be3caf7f496e2645dd343a90898c1e84740ede
Instruction ID: d677d234d3b951fc1c694fcc81e75687e665d20f3f34e5e232bfbc2cab255399
Opcode Fuzzy Hash: ec38e2085c5e91ba9ed6fbd0f0be3caf7f496e2645dd343a90898c1e84740ede
Instruction Fuzzy Hash: 5F218E71600708AFE720DF55DC80F66FBECEF18710F04846AE949DB291D764E808CA72

Uniqueness

Uniqueness Score: -1.00%

Function 06A91546, Relevance: 1.6, APIs: 1, Instructions: 69COMMON

Download Yara Rule

APIs

GetTokenInformation.KERNELBASE(?,00000E2C,779DED2B,00000000,00000000,00000000,00000000), ref: 06A915B0

Memory Dump Source

Source File: 00000000.00000002.253798029.0000000006A90000.00000040.00000001.sdmp, Offset: 06A90000, based on PE: false

Similarity

API ID: InformationToken
String ID:
API String ID: 4114910276-0
Opcode ID: a1dac534f87a5ecc36de6b7909841a75c6b20c2acf7f05cd87ebc4147c735d04
Instruction ID: bfc648299f605ea76ee2d0b7036b26215e8ca4a838700b25b300479237793d58
Opcode Fuzzy Hash: a1dac534f87a5ecc36de6b7909841a75c6b20c2acf7f05cd87ebc4147c735d04
Instruction Fuzzy Hash: 0B1160B1500305AFEB219F69DD45FAAFBECEF08320F14846AE949DB251D774E4448BB1

Uniqueness

Uniqueness Score: -1.00%

Function 00A0B46D, Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

LoadLibraryShim.MSCOREE(?,?,?,?), ref: 00A0B4E9

Memory Dump Source

Source File: 00000000.00000002.246329277.0000000000A0A000.00000040.00000001.sdmp, Offset: 00A0A000, based on PE: false

Similarity

API ID: LibraryLoadShim
String ID:
API String ID: 1475914169-0
Opcode ID: 2ebd3f4c512be140130ddda7c047b401b67efa2fb929705217a35a148e2d2574
Instruction ID: dd92ffd295925f85f26a12deaa14e59e05aea06079427a0bbcde2f6aaced28da
Opcode Fuzzy Hash: 2ebd3f4c512be140130ddda7c047b401b67efa2fb929705217a35a148e2d2574
Instruction Fuzzy Hash: 7421C0B15093849FD7228B25DC41B62BFE8EF56314F0884DAED85CB293D365E908CB72

Uniqueness

Uniqueness Score: -1.00%

Function 06A902A6, Relevance: 1.6, APIs: 1, Instructions: 65memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 06A90325

Memory Dump Source

Source File: 00000000.00000002.253798029.0000000006A90000.00000040.00000001.sdmp, Offset: 06A90000, based on PE: false

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 51fa554921f6cdd5d288a2a05f81d571731f1a90934e14b678e53cef0c2e08f7
Instruction ID: 155a2e60c0babb0c83b719232ea9fb625bb4cde75b6f5ce59cda03ad62031dfc
Opcode Fuzzy Hash: 51fa554921f6cdd5d288a2a05f81d571731f1a90934e14b678e53cef0c2e08f7
Instruction Fuzzy Hash: 8D21B0764097C09FDB128B259C54B62FFB4EF06320F0D80DEE9854A163D224A808DB71

Uniqueness

Uniqueness Score: -1.00%

Function 06A900EA, Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

GetTokenInformation.KERNELBASE(?,00000E2C,779DED2B,00000000,00000000,00000000,00000000), ref: 06A90149

Memory Dump Source

Source File: 00000000.00000002.253798029.0000000006A90000.00000040.00000001.sdmp, Offset: 06A90000, based on PE: false

Similarity

API ID: InformationToken
String ID:
API String ID: 4114910276-0
Opcode ID: 1064b24ced8073b84df91a84f5b505a94eb33535c22436401f4a5d3429ebf4a8
Instruction ID: c0c2f55f01e31a2166da9cd9f42231b3533cc4f847e7eac0aedf5fcc5dba4724
Opcode Fuzzy Hash: 1064b24ced8073b84df91a84f5b505a94eb33535c22436401f4a5d3429ebf4a8
Instruction Fuzzy Hash: 76119072500304AFEB219F65DC45FAAFBE8EF09324F24846EED49DE251D774A4448BB1

Uniqueness

Uniqueness Score: -1.00%

Function 06A91FA9, Relevance: 1.6, APIs: 1, Instructions: 62windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 06A9201D

Memory Dump Source

Source File: 00000000.00000002.253798029.0000000006A90000.00000040.00000001.sdmp, Offset: 06A90000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: dd8a779ff7a4974dac5227cab90b5cbc77c97633717510f8bc13f035304fdcda
Instruction ID: 784c1545e991b65dae867d7d0b8c82c3aad068fa474a96cc81d51b0dda286934
Opcode Fuzzy Hash: dd8a779ff7a4974dac5227cab90b5cbc77c97633717510f8bc13f035304fdcda
Instruction Fuzzy Hash: B1218C714093C0AFDB138B25CC54A52BFB4EF17210F0985DAE9C48F163D265A918DB62

Uniqueness

Uniqueness Score: -1.00%

Function 00A0A5AF, Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00A0A61A

Memory Dump Source

Source File: 00000000.00000002.246329277.0000000000A0A000.00000040.00000001.sdmp, Offset: 00A0A000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: d9738e5997e087e3b2f133816864bc6af4dd5f85ee80e619c79895c4131b56a2
Instruction ID: 98dabdc8ecde1bad75c197b2f7505066608eb7da4de21366a5a06cc2c168e063
Opcode Fuzzy Hash: d9738e5997e087e3b2f133816864bc6af4dd5f85ee80e619c79895c4131b56a2
Instruction Fuzzy Hash: A011A271409384AFDB228F50DC44A62FFF4EF5A310F0884DAED858B152C375A418DB62

Uniqueness

Uniqueness Score: -1.00%

Function 00A0B095, Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

SetConsoleCtrlHandler.KERNELBASE(?,00000E2C,?,?), ref: 00A0B10E

Memory Dump Source

Source File: 00000000.00000002.246329277.0000000000A0A000.00000040.00000001.sdmp, Offset: 00A0A000, based on PE: false

Similarity

API ID: ConsoleCtrlHandler
String ID:
API String ID: 1513847179-0
Opcode ID: 82a471be182f92d86052cc968d7696ea728375d0581c03613968b716059d30fb
Instruction ID: 0b042d3ec24352a2af5af20af922e082915ba0414483ee05c3040e393e996e19
Opcode Fuzzy Hash: 82a471be182f92d86052cc968d7696ea728375d0581c03613968b716059d30fb
Instruction Fuzzy Hash: E1119471505380BFD3118B15DC41F72FFB8FF86A20F19819AED488B642D275B915CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 06A907B2, Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

GetExitCodeProcess.KERNELBASE(?,00000E2C,779DED2B,00000000,00000000,00000000,00000000), ref: 06A90808

Memory Dump Source

Source File: 00000000.00000002.253798029.0000000006A90000.00000040.00000001.sdmp, Offset: 06A90000, based on PE: false

Similarity

API ID: CodeExitProcess
String ID:
API String ID: 3861947596-0
Opcode ID: 8c706976d120c9e38d244a43da06f8df8c70b519f6c4ffa53df74aa40cc391d6
Instruction ID: e5613f6faf2868bc7ae33eafb23b090dc8eda1cd8a3b77a7ea8b67d12a8459e7
Opcode Fuzzy Hash: 8c706976d120c9e38d244a43da06f8df8c70b519f6c4ffa53df74aa40cc391d6
Instruction Fuzzy Hash: BB118F71600204AEEB109B29DC85BAABBE8DF44320F14C4AAED49DF245D774A4048BB1

Uniqueness

Uniqueness Score: -1.00%

Function 00A0A1F4, Relevance: 1.6, APIs: 1, Instructions: 60COMMON

Download Yara Rule

APIs

OutputDebugStringW.KERNELBASE(?), ref: 00A0A298

Memory Dump Source

Source File: 00000000.00000002.246329277.0000000000A0A000.00000040.00000001.sdmp, Offset: 00A0A000, based on PE: false

Similarity

API ID: DebugOutputString
String ID:
API String ID: 1166629820-0
Opcode ID: ae6b83041179ae987a4703cba948068df9c26cc834696cdef7159529ac10f6dd
Instruction ID: 5adf933ef2b2379f3f69076672edfea5b56cee0ef88d5a59c3f77fc409c9a8f5
Opcode Fuzzy Hash: ae6b83041179ae987a4703cba948068df9c26cc834696cdef7159529ac10f6dd
Instruction Fuzzy Hash: BF214F3550E3C48FD7528B25D890794BFB0AF17310F1D84DBC885CF2A3C2299949C762

Uniqueness

Uniqueness Score: -1.00%

Function 06A91B22, Relevance: 1.6, APIs: 1, Instructions: 60fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,00000E2C,779DED2B,00000000,00000000,00000000,00000000), ref: 06A91B81

Memory Dump Source

Source File: 00000000.00000002.253798029.0000000006A90000.00000040.00000001.sdmp, Offset: 06A90000, based on PE: false

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: e1900e8b0ff29dbf31636a19aded1f34bb4259d8ed8f603977c7ceabd8f7f146
Instruction ID: 1c36f606de7d7f04e484d84e8c3d74d1f734fee4f5702f2e670f2d1d587c2e36
Opcode Fuzzy Hash: e1900e8b0ff29dbf31636a19aded1f34bb4259d8ed8f603977c7ceabd8f7f146
Instruction Fuzzy Hash: BB118F72500304AFEB219F55DD84FA6FBE8EF48724F14846AED499F252D774A4048BB1

Uniqueness

Uniqueness Score: -1.00%

Function 06A911D1, Relevance: 1.6, APIs: 1, Instructions: 60COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(?,?), ref: 06A91233

Memory Dump Source

Source File: 00000000.00000002.253798029.0000000006A90000.00000040.00000001.sdmp, Offset: 06A90000, based on PE: false

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 1075db76cb7d7b93c0483462d4271fb5338770e421d3eb5a6861c5bda130bfe0
Instruction ID: 1d6f1790762cda8829b3240d987abf1e300a0c8b4a4ead3cb622a65517d0472f
Opcode Fuzzy Hash: 1075db76cb7d7b93c0483462d4271fb5338770e421d3eb5a6861c5bda130bfe0
Instruction Fuzzy Hash: 2F11BE759093849FDB119F25DC85B56BFE8EF06220F0884EAEC84CF252D275E849CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00A0A65A, Relevance: 1.6, APIs: 1, Instructions: 59COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 00A0A6CC

Memory Dump Source

Source File: 00000000.00000002.246329277.0000000000A0A000.00000040.00000001.sdmp, Offset: 00A0A000, based on PE: false

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: ae46fa41055e73e9936f876a9f60d0d303c0c2d1aa76aa74797c6152266f46f8
Instruction ID: e058ea590c2b64ec124b64ccad2bf924800e3c5ec91427e356933f670862aa08
Opcode Fuzzy Hash: ae46fa41055e73e9936f876a9f60d0d303c0c2d1aa76aa74797c6152266f46f8
Instruction Fuzzy Hash: 1F1159754093C49FD7128B25DC94A52BFB4EF17224F0E80DBD9858F1A3D269A948CB72

Uniqueness

Uniqueness Score: -1.00%

Function 06A9233B, Relevance: 1.6, APIs: 1, Instructions: 56windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 06A923A5

Memory Dump Source

Source File: 00000000.00000002.253798029.0000000006A90000.00000040.00000001.sdmp, Offset: 06A90000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 0f32a5adbe5472fe1478591e91eb6f4cb4c748b89fbf03f0da069c7de2c1869f
Instruction ID: 85cde19ff5290be8ca01d9078b4dbac356ba618522549926cc0b0c94ab28f086
Opcode Fuzzy Hash: 0f32a5adbe5472fe1478591e91eb6f4cb4c748b89fbf03f0da069c7de2c1869f
Instruction Fuzzy Hash: AF119071509384AFDB228F25DC45B52FFB4EF06224F1884DEED858B163C275A558CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00A0B074, Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

SetConsoleCtrlHandler.KERNELBASE(?,00000E2C,?,?), ref: 00A0B10E

Memory Dump Source

Source File: 00000000.00000002.246329277.0000000000A0A000.00000040.00000001.sdmp, Offset: 00A0A000, based on PE: false

Similarity

API ID: ConsoleCtrlHandler
String ID:
API String ID: 1513847179-0
Opcode ID: 3f0ade1c003fd53f0491ae2531b14b20c75875821894dded892802e7385cd788
Instruction ID: 11f83fe7e1b6ec422ab778b00fdee8af83225c5b0294c0d0abfab170d9db204a
Opcode Fuzzy Hash: 3f0ade1c003fd53f0491ae2531b14b20c75875821894dded892802e7385cd788
Instruction Fuzzy Hash: 0D11C2755093849FC7138B24AC91924BFB0FE8731430A45DBC884CB263D730E91ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 06A903BE, Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 06A90406

Memory Dump Source

Source File: 00000000.00000002.253798029.0000000006A90000.00000040.00000001.sdmp, Offset: 06A90000, based on PE: false

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 8637d7a47feceda7e91991888d37fb021a475082351ed72fb9824785c4cd1541
Instruction ID: 8a98d5fd1130b2276eec8acda0a67085251596cb7fa67e195ab0a1b1cb039679
Opcode Fuzzy Hash: 8637d7a47feceda7e91991888d37fb021a475082351ed72fb9824785c4cd1541
Instruction Fuzzy Hash: 9A118E71A002008FEB50EF29D884B56FBE8EF54260F18846EED49CB252D274E404CA72

Uniqueness

Uniqueness Score: -1.00%

Function 06A9110E, Relevance: 1.6, APIs: 1, Instructions: 53fileCOMMON

Download Yara Rule

APIs

CopyFileW.KERNELBASE(?,?,?), ref: 06A91156

Memory Dump Source

Source File: 00000000.00000002.253798029.0000000006A90000.00000040.00000001.sdmp, Offset: 06A90000, based on PE: false

Similarity

API ID: CopyFile
String ID:
API String ID: 1304948518-0
Opcode ID: 8637d7a47feceda7e91991888d37fb021a475082351ed72fb9824785c4cd1541
Instruction ID: 838265a39430b1e056fa54f333dccd21c3f2daa2387d2d0bc3834bcf4cfa280a
Opcode Fuzzy Hash: 8637d7a47feceda7e91991888d37fb021a475082351ed72fb9824785c4cd1541
Instruction Fuzzy Hash: FC118E71A002019FDB90EF29D884B66FBE8EF15620F28846EEC49CF256D674E804CA71

Uniqueness

Uniqueness Score: -1.00%

Function 06A91A62, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E2C,779DED2B,00000000,00000000,00000000,00000000), ref: 06A91AB5

Memory Dump Source

Source File: 00000000.00000002.253798029.0000000006A90000.00000040.00000001.sdmp, Offset: 06A90000, based on PE: false

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 9f5b4cb2fd3166124223ab99f7b1d6c83af2f63d80ae891ae73eaa9b64ce54fa
Instruction ID: 2012ad9a0b3949d79331e3b1600de92dbd50b81d78312a83b1631e4c24bf6c83
Opcode Fuzzy Hash: 9f5b4cb2fd3166124223ab99f7b1d6c83af2f63d80ae891ae73eaa9b64ce54fa
Instruction Fuzzy Hash: FD01C471500304AEEB10EB15DC45F66FBD8DF48720F24805AED489F651D674A8088AB1

Uniqueness

Uniqueness Score: -1.00%

Function 00A0A23C, Relevance: 1.6, APIs: 1, Instructions: 51COMMON

Download Yara Rule

APIs

OutputDebugStringW.KERNELBASE(?), ref: 00A0A298

Memory Dump Source

Source File: 00000000.00000002.246329277.0000000000A0A000.00000040.00000001.sdmp, Offset: 00A0A000, based on PE: false

Similarity

API ID: DebugOutputString
String ID:
API String ID: 1166629820-0
Opcode ID: aef2bb4a9216e61973b25e34695caaf58838719c38c55f982117b6ec1e249197
Instruction ID: 3511092202231abd4335b9242b6267e7dab8772c5fa0d20027ccd07928afef50
Opcode Fuzzy Hash: aef2bb4a9216e61973b25e34695caaf58838719c38c55f982117b6ec1e249197
Instruction Fuzzy Hash: 1711A171505784AFD711CF15DC84B62FFA8EF55324F08809AED858B252D375A908CB72

Uniqueness

Uniqueness Score: -1.00%

Function 06A9093A, Relevance: 1.5, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

K32EnumProcesses.KERNEL32(?,?,?,779DED2B,00000000,?,?,?,?,?,?,?,?,72AF3C38), ref: 06A9097A

Memory Dump Source

Source File: 00000000.00000002.253798029.0000000006A90000.00000040.00000001.sdmp, Offset: 06A90000, based on PE: false

Similarity

API ID: EnumProcesses
String ID:
API String ID: 84517404-0
Opcode ID: f8dd68225790f9277630e850e17c82b9e4762d0a8bdb2ad41df8af22e0daadd6
Instruction ID: 9dbf4cbd746d1e069275579893e5b004db9cf681022d9b9ca75171cb682c05a4
Opcode Fuzzy Hash: f8dd68225790f9277630e850e17c82b9e4762d0a8bdb2ad41df8af22e0daadd6
Instruction Fuzzy Hash: B3113C75A002048FEB50DF69D884B66FBE8EF04220F1884AEED498B256D674E404CB71

Uniqueness

Uniqueness Score: -1.00%

Function 00A0A9F0, Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32 ref: 00A0AA4A

Memory Dump Source

Source File: 00000000.00000002.246329277.0000000000A0A000.00000040.00000001.sdmp, Offset: 00A0A000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: b38c90081c83cab5520b5abb22869d96bb4ef79a9417276e724b429697ee5493
Instruction ID: 8c08733567455789e6ae40c76fe70ae3bce2ecd4b70f2477280a82853de2f62e
Opcode Fuzzy Hash: b38c90081c83cab5520b5abb22869d96bb4ef79a9417276e724b429697ee5493
Instruction Fuzzy Hash: E0117C325097849FD7218F15DC85B52FFB4EF56320F08C59AED898B2A2D375A818CB62

Uniqueness

Uniqueness Score: -1.00%

Function 06A911F6, Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(?,?), ref: 06A91233

Memory Dump Source

Source File: 00000000.00000002.253798029.0000000006A90000.00000040.00000001.sdmp, Offset: 06A90000, based on PE: false

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 968b914d3bc4eb4df92486eb8d809e3b32f9fdb8c0051012b25c880fa5427ef3
Instruction ID: 3c5db6c2d41e6beb2d15654e14d84a4480f9fba0a4789437261c8db9dcc5ed4d
Opcode Fuzzy Hash: 968b914d3bc4eb4df92486eb8d809e3b32f9fdb8c0051012b25c880fa5427ef3
Instruction Fuzzy Hash: 86018075A002059FEB50EF29D884766FBE8EF05220F1884BADC49CF656D279E804CB71

Uniqueness

Uniqueness Score: -1.00%

Function 06A91E8A, Relevance: 1.5, APIs: 1, Instructions: 47fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(?), ref: 06A91EC4

Memory Dump Source

Source File: 00000000.00000002.253798029.0000000006A90000.00000040.00000001.sdmp, Offset: 06A90000, based on PE: false

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 80279bb18faeb3efd20481b514bff8e6c88338ef51ee1ff74ade82db5b7d8fc9
Instruction ID: 1bd688d6dfdb86a0357c4e5b39867742cb2c9fd56f0f8255631a87b73d2be3eb
Opcode Fuzzy Hash: 80279bb18faeb3efd20481b514bff8e6c88338ef51ee1ff74ade82db5b7d8fc9
Instruction Fuzzy Hash: 3501B171A002458FDB50EF2AD985766FBE8EF01220F18C0AAED49CF646D374E804CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 00A0B49E, Relevance: 1.5, APIs: 1, Instructions: 46libraryCOMMON

Download Yara Rule

APIs

LoadLibraryShim.MSCOREE(?,?,?,?), ref: 00A0B4E9

Memory Dump Source

Source File: 00000000.00000002.246329277.0000000000A0A000.00000040.00000001.sdmp, Offset: 00A0A000, based on PE: false

Similarity

API ID: LibraryLoadShim
String ID:
API String ID: 1475914169-0
Opcode ID: cb9fd1d537d072400e5c3a584650d818767124ce444224f899c112c00904e297
Instruction ID: fe3e7644f29819f72559083d2fbf5785d5b2a9fa40b1bdd47cc5f4edca9bc6b6
Opcode Fuzzy Hash: cb9fd1d537d072400e5c3a584650d818767124ce444224f899c112c00904e297
Instruction Fuzzy Hash: 690140715102089FDB20DF19E985B26FBE8EF54720F188499DD498B296D375E504CB72

Uniqueness

Uniqueness Score: -1.00%

Function 00A0A5D6, Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00A0A61A

Memory Dump Source

Source File: 00000000.00000002.246329277.0000000000A0A000.00000040.00000001.sdmp, Offset: 00A0A000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 9d8ec866ba8843f8c7435a7d4c46025b6f0f1f0ee8b6f5c85e613be97cea434b
Instruction ID: 4264f0da5e42598f07ca0b8fb32c3e4301b3ddc9b34b4bc48e611fc9cb17b5c0
Opcode Fuzzy Hash: 9d8ec866ba8843f8c7435a7d4c46025b6f0f1f0ee8b6f5c85e613be97cea434b
Instruction Fuzzy Hash: 1F018B32800704DFDB218F55E844B52FFF0EF18320F08C4AAED894A652C376A414DF62

Uniqueness

Uniqueness Score: -1.00%

Function 00A0B0BE, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

SetConsoleCtrlHandler.KERNELBASE(?,00000E2C,?,?), ref: 00A0B10E

Memory Dump Source

Source File: 00000000.00000002.246329277.0000000000A0A000.00000040.00000001.sdmp, Offset: 00A0A000, based on PE: false

Similarity

API ID: ConsoleCtrlHandler
String ID:
API String ID: 1513847179-0
Opcode ID: 15566cc7f0642e7fde2d3c3f3dd00d802c46c1393362e78fb97117d71c3b9539
Instruction ID: a3d1d2098a6d376f91edd7c8fcbe1fd722eb76ec46b18ac3a22993b8a7ecaf59
Opcode Fuzzy Hash: 15566cc7f0642e7fde2d3c3f3dd00d802c46c1393362e78fb97117d71c3b9539
Instruction Fuzzy Hash: 0101A271500200ABD210DF1ADC82B36FBA8FB88B20F14815AED084B745D671F515CBE6

Uniqueness

Uniqueness Score: -1.00%

Function 06A902EA, Relevance: 1.5, APIs: 1, Instructions: 42memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 06A90325

Memory Dump Source

Source File: 00000000.00000002.253798029.0000000006A90000.00000040.00000001.sdmp, Offset: 06A90000, based on PE: false

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 658964a255f20edbf1fcafa6218f03acf45bab137a0ecbba6d94b971ea2a326c
Instruction ID: f3e23259f8301115aeda434a54b594256e6e2364258e5d1296944563563a046c
Opcode Fuzzy Hash: 658964a255f20edbf1fcafa6218f03acf45bab137a0ecbba6d94b971ea2a326c
Instruction Fuzzy Hash: 67017135500644DFDB609F25D884B66FBE4EF08320F18C4AEED898B665D275E418DB72

Uniqueness

Uniqueness Score: -1.00%

Function 06A9236A, Relevance: 1.5, APIs: 1, Instructions: 42windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 06A923A5

Memory Dump Source

Source File: 00000000.00000002.253798029.0000000006A90000.00000040.00000001.sdmp, Offset: 06A90000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: e04e563b53ec3ebf7620c09d96469a2e65214a357007593b0b21e3edfb3f3dda
Instruction ID: 030a1694ef9f1befb4a7a49eef4bd43bb40cefaddfc13978f61ab6b4e577e32e
Opcode Fuzzy Hash: e04e563b53ec3ebf7620c09d96469a2e65214a357007593b0b21e3edfb3f3dda
Instruction Fuzzy Hash: 92019E35910644DFDB609F25D844B66FBE4EF04220F18C09EED454A625C275E558CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 00A0A25E, Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

OutputDebugStringW.KERNELBASE(?), ref: 00A0A298

Memory Dump Source

Source File: 00000000.00000002.246329277.0000000000A0A000.00000040.00000001.sdmp, Offset: 00A0A000, based on PE: false

Similarity

API ID: DebugOutputString
String ID:
API String ID: 1166629820-0
Opcode ID: 3070f37671676a7344d71c328e1f866a7d36e0c9a701baa893448797e3d17c34
Instruction ID: 8ba3efb40bd4ac31bce022d66db10b786d1967a688fdb1d4f34fd72418f80bd9
Opcode Fuzzy Hash: 3070f37671676a7344d71c328e1f866a7d36e0c9a701baa893448797e3d17c34
Instruction Fuzzy Hash: EB018635500748DFD710DF15E8857A5FBA4EF18724F18C0AADD498B366D279E804CB62

Uniqueness

Uniqueness Score: -1.00%

Function 06A91FE2, Relevance: 1.5, APIs: 1, Instructions: 38windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 06A9201D

Memory Dump Source

Source File: 00000000.00000002.253798029.0000000006A90000.00000040.00000001.sdmp, Offset: 06A90000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 4762e17dabca963f21445802bb274add392162f4355e9724e140a224c1a94fd8
Instruction ID: 17e5500e36b04a5f583f2984283c231107d35ad46e5cba6760292317156edf57
Opcode Fuzzy Hash: 4762e17dabca963f21445802bb274add392162f4355e9724e140a224c1a94fd8
Instruction Fuzzy Hash: B7018F31910344DFDB209F15D884B25FBE0EF08320F18C4AEDD894B226D375A918CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 00A0AA12, Relevance: 1.5, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32 ref: 00A0AA4A

Memory Dump Source

Source File: 00000000.00000002.246329277.0000000000A0A000.00000040.00000001.sdmp, Offset: 00A0A000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: bface596abf6b07d2e9d6522b9b10686a65c0f6dac55e2a28ba2fe6e4a262dc6
Instruction ID: d35896092b376c3e4ffe7a984951764546d195a89684787dcb6679dda00aaedb
Opcode Fuzzy Hash: bface596abf6b07d2e9d6522b9b10686a65c0f6dac55e2a28ba2fe6e4a262dc6
Instruction Fuzzy Hash: 4D01AD31500708CFDB209F15E984B26FBA0EF18720F08C09AED894B296C375A408DF72

Uniqueness

Uniqueness Score: -1.00%

Function 00A0A69A, Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 00A0A6CC

Memory Dump Source

Source File: 00000000.00000002.246329277.0000000000A0A000.00000040.00000001.sdmp, Offset: 00A0A000, based on PE: false

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 0cb5b359c476e8471f3c67e079a5f62550c58aac4d8b9481ffb5030aca1cbd8a
Instruction ID: 5c59a50914775b1b65c9d456b6271becc279b1cf922b8823a3ee4735f06e3b44
Opcode Fuzzy Hash: 0cb5b359c476e8471f3c67e079a5f62550c58aac4d8b9481ffb5030aca1cbd8a
Instruction Fuzzy Hash: E9F0AF34900348CFDB10DF15E984761FBA4EF14320F1CC09ADD494B256D27AA448CE72

Uniqueness

Uniqueness Score: -1.00%

Function 04B205A8, Relevance: 1.5, Strings: 1, Instructions: 201COMMON

Download Yara Rule

Strings

`5&r, xrefs: 04B2072D

Memory Dump Source

Source File: 00000000.00000002.250076545.0000000004B20000.00000040.00000001.sdmp, Offset: 04B20000, based on PE: false

Similarity

API ID:
String ID: `5&r
API String ID: 0-1159175248
Opcode ID: 27e27f2a7caf85bb6030cbad72707e30a8cd87092ec1ef78fa09f8c21ff30bb8
Instruction ID: bde5f738d02118261fa44e6d370327530cd9ff93f28701e3ba7af21cb1c667fe
Opcode Fuzzy Hash: 27e27f2a7caf85bb6030cbad72707e30a8cd87092ec1ef78fa09f8c21ff30bb8
Instruction Fuzzy Hash: 4891C374E01228CFDB14DFA9C994BADBBB1FF89310F1051A9D509AB3A0DB71A985CF50

Uniqueness

Uniqueness Score: -1.00%

Function 04B286D1, Relevance: 1.3, Strings: 1, Instructions: 56COMMON

Download Yara Rule

Strings

5*DH, xrefs: 04B2870C

Memory Dump Source

Source File: 00000000.00000002.250076545.0000000004B20000.00000040.00000001.sdmp, Offset: 04B20000, based on PE: false

Similarity

API ID:
String ID: 5*DH
API String ID: 0-1064916762
Opcode ID: a43d95c230eca497b5dd4e77e813e5fb6280beef03746d640ae5752fd660b36a
Instruction ID: 349f626fb9bbc5bcf6207e971126cf3ef1cb14443545b9fbb9c7b2b9594648f4
Opcode Fuzzy Hash: a43d95c230eca497b5dd4e77e813e5fb6280beef03746d640ae5752fd660b36a
Instruction Fuzzy Hash: 5C210334E09208EFDB05DFA9C68899DBBF1FF89300F15C6DAD419AB265D635AA01DB00

Uniqueness

Uniqueness Score: -1.00%

Function 04B286E0, Relevance: 1.3, Strings: 1, Instructions: 54COMMON

Download Yara Rule

Strings

5*DH, xrefs: 04B2870C

Memory Dump Source

Source File: 00000000.00000002.250076545.0000000004B20000.00000040.00000001.sdmp, Offset: 04B20000, based on PE: false

Similarity

API ID:
String ID: 5*DH
API String ID: 0-1064916762
Opcode ID: 277d1dc28c672cbced116052623d69b4a99ca7edff4f890b4bc566a404c916f8
Instruction ID: 3ab06f0cf404582c02a192cc6749f492fdfe4e42a149d4a1ffc94475225584b8
Opcode Fuzzy Hash: 277d1dc28c672cbced116052623d69b4a99ca7edff4f890b4bc566a404c916f8
Instruction Fuzzy Hash: 94113234E04218EFDB04EFA9D684A9DFBF1FB88300F25C59AD409AB261D735AA01DB40

Uniqueness

Uniqueness Score: -1.00%

Function 04B2BC10, Relevance: 1.3, Strings: 1, Instructions: 19COMMON

Download Yara Rule

Strings

<, xrefs: 04B2BC36

Memory Dump Source

Source File: 00000000.00000002.250076545.0000000004B20000.00000040.00000001.sdmp, Offset: 04B20000, based on PE: false

Similarity

API ID:
String ID: <
API String ID: 0-4251816714
Opcode ID: 68a5e58eae95bd8ce77ac5bef2403f0848faed9f3fed66da7c4461556e41c422
Instruction ID: 5abcd78bb04ebafe3e713c3c31b45cd36fd010c6ec1a18fa5d1d10241192292f
Opcode Fuzzy Hash: 68a5e58eae95bd8ce77ac5bef2403f0848faed9f3fed66da7c4461556e41c422
Instruction Fuzzy Hash: 5FF0AFB4D05269CFDB20CF25DA98BE9BB70BB58201F10C1D9C49AB7220D7702AC1DF14

Uniqueness

Uniqueness Score: -1.00%

Function 04972035, Relevance: 1.3, Strings: 1, Instructions: 18COMMON

Download Yara Rule

Strings

k4A0, xrefs: 0497204B

Memory Dump Source

Source File: 00000000.00000002.249760587.0000000004970000.00000040.00000001.sdmp, Offset: 04970000, based on PE: false

Similarity

API ID:
String ID: k4A0
API String ID: 0-565882042
Opcode ID: 3b30a378f01e64863e7d9e194b3584f1fd18b9ee39ab8f368e75bff81778121a
Instruction ID: fe59340cfe7f3bfe4b935bf1d1cee442f4bf035a44b33f16c4bfcd3e24f985bc
Opcode Fuzzy Hash: 3b30a378f01e64863e7d9e194b3584f1fd18b9ee39ab8f368e75bff81778121a
Instruction Fuzzy Hash: 0EF015749012A88FCB94DFA0C84479CBBB2FB44301F1099AAA50FB7344EB705E80CF00

Uniqueness

Uniqueness Score: -1.00%

Function 04B27742, Relevance: 1.3, Strings: 1, Instructions: 18COMMON

Download Yara Rule

Strings

)XtO, xrefs: 04B27745

Memory Dump Source

Source File: 00000000.00000002.250076545.0000000004B20000.00000040.00000001.sdmp, Offset: 04B20000, based on PE: false

Similarity

API ID:
String ID: )XtO
API String ID: 0-870424659
Opcode ID: fc563f93ac6f218415fa86210a12f12effdfbe25306ccf15fe6658fc03daecd9
Instruction ID: 25a63588d82c38b67ac2ea9f2fadc7064a85486b47250bfec3d563fbb1c31b16
Opcode Fuzzy Hash: fc563f93ac6f218415fa86210a12f12effdfbe25306ccf15fe6658fc03daecd9
Instruction Fuzzy Hash: 29E0ED74906269CFDF10CF94DA4079DFBB0AB04340F10A4DAD409B6318EB346B81DF25

Uniqueness

Uniqueness Score: -1.00%

Function 04B24898, Relevance: .2, Instructions: 177COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.250076545.0000000004B20000.00000040.00000001.sdmp, Offset: 04B20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5acf0c425d426dc576c45e945e0ecb6f218d0b8f1b431b615f3425b6830f0e3
Instruction ID: 042bb0668802c49edb90fa9d29ce084cab8368c270e8556744963827fb3b4b81
Opcode Fuzzy Hash: b5acf0c425d426dc576c45e945e0ecb6f218d0b8f1b431b615f3425b6830f0e3
Instruction Fuzzy Hash: 54710374D09258DFCB04DFA8D994AADBFB2FF4A300F2090AAD809AB361D7345945CF50

Uniqueness

Uniqueness Score: -1.00%

Function 04B20598, Relevance: .2, Instructions: 175COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.250076545.0000000004B20000.00000040.00000001.sdmp, Offset: 04B20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77713e6904d2f6b7a8614ed321c221fbe5e6d8764688f438524907747f6c18fb
Instruction ID: d8d19e537481aa84f8f26ddd5ff63daef757b714bca8ca8a018d0398a0dfbfd1
Opcode Fuzzy Hash: 77713e6904d2f6b7a8614ed321c221fbe5e6d8764688f438524907747f6c18fb
Instruction Fuzzy Hash: 2571E474E00228CFDB14DFA9C994BADBBB1FF49310F1081A9D509AB360DB75A985DF50

Uniqueness

Uniqueness Score: -1.00%

Function 04B248A8, Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.250076545.0000000004B20000.00000040.00000001.sdmp, Offset: 04B20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f8e021977aca2f027dc83e408376cd4729f34abd6d41c0bdf6d9abbe9305d95
Instruction ID: 64b5101d82b553f410c47bb1f6081ce6e3121f5f53eb448d66f364c14f9da74b
Opcode Fuzzy Hash: 2f8e021977aca2f027dc83e408376cd4729f34abd6d41c0bdf6d9abbe9305d95
Instruction Fuzzy Hash: 7951D4B4E05228DFCB04DFA9D984AADBBF2FF49300F2094AAD409AB350E7356941CF54

Uniqueness

Uniqueness Score: -1.00%

Function 04B24ABA, Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.250076545.0000000004B20000.00000040.00000001.sdmp, Offset: 04B20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f15fed7037bda52949ea4f094a4bc8fadc6c89bbabd08645e8ae617a35cf2bf
Instruction ID: ede58ae5fc5a251e0645584d555119457253af902cd27ff7a2e23ae478eea4ea
Opcode Fuzzy Hash: 0f15fed7037bda52949ea4f094a4bc8fadc6c89bbabd08645e8ae617a35cf2bf
Instruction Fuzzy Hash: F451D374E05228DFCB04DFA8E584AADBBB1FF49300F2094AAD809AB760D775A945CF50

Uniqueness

Uniqueness Score: -1.00%

Function 04B20271, Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.250076545.0000000004B20000.00000040.00000001.sdmp, Offset: 04B20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6accef0c29d10ee93dd4afc3794609ae140c7f0b1fc60cd38feac34478158b42
Instruction ID: 5b1e5db074999f0d3db90f65428a65490d93c8652a583429a27aede8529555a8
Opcode Fuzzy Hash: 6accef0c29d10ee93dd4afc3794609ae140c7f0b1fc60cd38feac34478158b42
Instruction Fuzzy Hash: A3519EB8A00218DFDB04DFA8C584BEDBBF1EF4D310F145495EA05AB360D635AA85DF61

Uniqueness

Uniqueness Score: -1.00%

Function 04B20280, Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.250076545.0000000004B20000.00000040.00000001.sdmp, Offset: 04B20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c900a7995895c4c425ed8c10b0b907b9feaae67322ccde918bef9ef4c87e4d69
Instruction ID: e859898751c71cba353cb91c602a3d5c3826fdb5a00f745d5efc8660d3e91133
Opcode Fuzzy Hash: c900a7995895c4c425ed8c10b0b907b9feaae67322ccde918bef9ef4c87e4d69
Instruction Fuzzy Hash: CA418DB8A00218DFDB14DFA8C984BEDBBF1EF4D310F1454A5E606AB360D635A984DF64

Uniqueness

Uniqueness Score: -1.00%

Function 04B2E6C8, Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.250076545.0000000004B20000.00000040.00000001.sdmp, Offset: 04B20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fec88903405ac2f900167cf52e73b530533dcc5230f5d525005edf842dfbed12
Instruction ID: 1a636fb7786516f18480c1f9cbc8dd51a9e0d69313d98f1d9dbdbc2c524912e8
Opcode Fuzzy Hash: fec88903405ac2f900167cf52e73b530533dcc5230f5d525005edf842dfbed12
Instruction Fuzzy Hash: 1D41B375E0121C8FDB64CFE9D954ADDBBB6FF88300F20802AD419AB251DB35A946CF50

Uniqueness

Uniqueness Score: -1.00%

Function 049727D8, Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249760587.0000000004970000.00000040.00000001.sdmp, Offset: 04970000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60813098ab5e33a317adf4c83e761c25c6cb775e29d90235a6cac6c543e693eb
Instruction ID: 613d1d0ae3f498d8e250400ee40ce7d661beffce911425690b9698961524e48d
Opcode Fuzzy Hash: 60813098ab5e33a317adf4c83e761c25c6cb775e29d90235a6cac6c543e693eb
Instruction Fuzzy Hash: 9E313C70D26209DFCB44DFA9D5815DDFBF1FB49310F10686AD116FA210E339A901CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00A1AE6F, Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.246346364.0000000000A12000.00000040.00000001.sdmp, Offset: 00A12000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c72c6a873832956b67494937376d66c22dd181121f5a3fbab9635bfbb0227e31
Instruction ID: 748c742e190def9a8bbd8654b086a8d84dc64340e0fe88739150d264b3b2ecff
Opcode Fuzzy Hash: c72c6a873832956b67494937376d66c22dd181121f5a3fbab9635bfbb0227e31
Instruction Fuzzy Hash: 88317FB6509340AFD311CF19EC41E67FFE8EB89660F18C95EFD499B211D275A8048BB2

Uniqueness

Uniqueness Score: -1.00%

Function 00A1AD44, Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.246346364.0000000000A12000.00000040.00000001.sdmp, Offset: 00A12000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6c3da7df2dbb366075f05ae853953ec27a6b58932e776884ed9f3c38c97c156
Instruction ID: 823f8648d79dfe807d7ff2241695c46a5ddc2609869574874ef27a21ed3a53e2
Opcode Fuzzy Hash: e6c3da7df2dbb366075f05ae853953ec27a6b58932e776884ed9f3c38c97c156
Instruction Fuzzy Hash: 453171B6509344AFD311CF09EC41E67FFE8EB89660F14C95EFD499B211D275A8048BB2

Uniqueness

Uniqueness Score: -1.00%

Function 00A1AF9D, Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.246346364.0000000000A12000.00000040.00000001.sdmp, Offset: 00A12000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b518d4611333d91857c3265007118a7b5b51f1cf92a09aab58a303490f3435b3
Instruction ID: 5f4f110964582a36fe2469a1cda36d5d37c7b9bddece52709351e0c94300bbf7
Opcode Fuzzy Hash: b518d4611333d91857c3265007118a7b5b51f1cf92a09aab58a303490f3435b3
Instruction Fuzzy Hash: 2B316DB6509340AFD311CF09EC41E67FFE8EB85660F18C95FFD489B211D275A9048BA2

Uniqueness

Uniqueness Score: -1.00%

Function 049727E8, Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249760587.0000000004970000.00000040.00000001.sdmp, Offset: 04970000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 747654a36ac90842bb8eac6e0bc16407901415b3881eb1cd8657ac3b1a1221a6
Instruction ID: 78a5f582b0ef8fd9928195edc1ae22f637a0b63ea40c55bcd637824b2cc34021
Opcode Fuzzy Hash: 747654a36ac90842bb8eac6e0bc16407901415b3881eb1cd8657ac3b1a1221a6
Instruction Fuzzy Hash: AB313C70D26209DFCB40DFA9D5815DDFBF5FB4D310F10686AD116FA210E33AA9018B68

Uniqueness

Uniqueness Score: -1.00%

Function 00A1AC18, Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.246346364.0000000000A12000.00000040.00000001.sdmp, Offset: 00A12000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c1bfc7860777b0d4cd64331e201eccff87049350ba42d90aebd27b0f86ac76e
Instruction ID: c9cda4b02bdf20e511af71ed41d6b1c30e8a33d660595ae21d334fd70adf1622
Opcode Fuzzy Hash: 1c1bfc7860777b0d4cd64331e201eccff87049350ba42d90aebd27b0f86ac76e
Instruction Fuzzy Hash: 8F21A1B6509244BFE2118F06EC41E67FFA8EB85660F18C95EFD495B211D275B8048BB2

Uniqueness

Uniqueness Score: -1.00%

Function 00A1AA01, Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.246346364.0000000000A12000.00000040.00000001.sdmp, Offset: 00A12000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3af17b1aab09a98bcbdff3069360b5b180f31da0877556a7ae8a1e616dbf7256
Instruction ID: d675d26b0f7af7ac66a4c5161d4cdf44df48bc124c6b210c86e177026675c48a
Opcode Fuzzy Hash: 3af17b1aab09a98bcbdff3069360b5b180f31da0877556a7ae8a1e616dbf7256
Instruction Fuzzy Hash: 0921ACB6505304BFE6118F06EC41EA7FFACEB85660F18C95EFD495B211D276A8048BB2

Uniqueness

Uniqueness Score: -1.00%

Function 00A1B120, Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.246346364.0000000000A12000.00000040.00000001.sdmp, Offset: 00A12000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4efa67bbab94d7a87cb48d5bf942fb0c081b10a0e7a602033ea175075fda5d3c
Instruction ID: c203e3e48232aae6ff2401023e4643f42191e8d933b52848cffc284a4c7f05c6
Opcode Fuzzy Hash: 4efa67bbab94d7a87cb48d5bf942fb0c081b10a0e7a602033ea175075fda5d3c
Instruction Fuzzy Hash: 57314CB550E3C19FD302CF258850A56BFF4EF8A214F0989DEF8C8DB252D2759908CB62

Uniqueness

Uniqueness Score: -1.00%

Function 04B26AD0, Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.250076545.0000000004B20000.00000040.00000001.sdmp, Offset: 04B20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46ce757c8f00305f3bde0719979125ccdade70f0e85a656ae5268769c23b4b8c
Instruction ID: eab2548c6b0ad1caf52f2aa544ac897317b7c4c25bb5fb99476e101ce224c0a4
Opcode Fuzzy Hash: 46ce757c8f00305f3bde0719979125ccdade70f0e85a656ae5268769c23b4b8c
Instruction Fuzzy Hash: 783119B4E04219DFCB44CFA9C6955AEBBB1FF49300F10959AD815AB360D738AA42CF60

Uniqueness

Uniqueness Score: -1.00%

Function 00A1A7EA, Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.246346364.0000000000A12000.00000040.00000001.sdmp, Offset: 00A12000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8ab83d6ee8642e83206733e7dc925828c6f5f3341f86d9f62a2e07a4b5633ae
Instruction ID: 62538d1f30d82e4f830b30d9f120ee650fad3afa8bdbdd4112f9ac32f877a7bb
Opcode Fuzzy Hash: b8ab83d6ee8642e83206733e7dc925828c6f5f3341f86d9f62a2e07a4b5633ae
Instruction Fuzzy Hash: CD21D0B2505244BFD7118B06AC41E63FFA8EB85620F08C55FFD499B212D276A8048BB2

Uniqueness

Uniqueness Score: -1.00%

Function 04B26AE0, Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.250076545.0000000004B20000.00000040.00000001.sdmp, Offset: 04B20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc0431e4cfb826680ed38542a2699e099fddcbad54d24258fbafe5ea441926c2
Instruction ID: 914950e451d67ba9e750510c58c13e1ec161403fdb59bd3bd73d1996a668864b
Opcode Fuzzy Hash: dc0431e4cfb826680ed38542a2699e099fddcbad54d24258fbafe5ea441926c2
Instruction Fuzzy Hash: 2431E8B4E04219DFCB44CFA6D6859AEBBB1FF49300F10D59AD819A7350E778AA41CF50

Uniqueness

Uniqueness Score: -1.00%

Function 04970BBB, Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249760587.0000000004970000.00000040.00000001.sdmp, Offset: 04970000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 217bfa46f87dc1412564a793a473d01e4dd87e1d19eecadc4bbe9c52b8e70803
Instruction ID: 0f30596fc98fa7afa634ebee3e025ffa03888f26158b1cfb17d483e7c61040c3
Opcode Fuzzy Hash: 217bfa46f87dc1412564a793a473d01e4dd87e1d19eecadc4bbe9c52b8e70803
Instruction Fuzzy Hash: 9A11C13094E38A8FCB52CBB898801CCBF71EF96304B1899EBC4819B656D3381517DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00A1AD6E, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.246346364.0000000000A12000.00000040.00000001.sdmp, Offset: 00A12000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd21c9b12df7f1571643f2434be3fe52625986790d81d51ad1681ff81a2fc090
Instruction ID: 6132165b5da359a8bbd7e2645f906999ad273d2868407a7b34b3209db3b53880
Opcode Fuzzy Hash: bd21c9b12df7f1571643f2434be3fe52625986790d81d51ad1681ff81a2fc090
Instruction Fuzzy Hash: F1212FB6644304AFD210CF0AEC41E67FBE8EB88670F14C96EFD4997311D275E9148BA2

Uniqueness

Uniqueness Score: -1.00%

Function 00A1AE9A, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.246346364.0000000000A12000.00000040.00000001.sdmp, Offset: 00A12000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca6f2d550b122fec1345be77daa51ede2b572e727467a3373402442f74d9ffc0
Instruction ID: 600a7035ba6c3c97e5071a3862be3a3caa1d1dde6c52c7616565c83081ebf2b1
Opcode Fuzzy Hash: ca6f2d550b122fec1345be77daa51ede2b572e727467a3373402442f74d9ffc0
Instruction Fuzzy Hash: 53212FB6644304AFD210CF0AEC41E67FBE8EB88630F14C96EFD4997311D275E9148BA2

Uniqueness

Uniqueness Score: -1.00%

Function 00A1AFC6, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.246346364.0000000000A12000.00000040.00000001.sdmp, Offset: 00A12000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 766601ceb07cdfabaa131fe74c3044671d0402206d64834e6a549455f8634681
Instruction ID: fde1b395138b17cdb7f00683e2dc56d45bf78dd80995c6138acdcfcaf4f619bd
Opcode Fuzzy Hash: 766601ceb07cdfabaa131fe74c3044671d0402206d64834e6a549455f8634681
Instruction Fuzzy Hash: E8212FB6644304AFD210CF0AEC41E67FBE8EB88630F14C96EFD4997311D275E9148BA2

Uniqueness

Uniqueness Score: -1.00%

Function 04B26C08, Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.250076545.0000000004B20000.00000040.00000001.sdmp, Offset: 04B20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 286efab2ff42d37b3f098768c91224fc773642c2c0c081bd8d7c4b9c49530eb3
Instruction ID: ace2f0d8a733460927bc9591e091286dbf4cbfaf7ef229308a7cc9457b6931c1
Opcode Fuzzy Hash: 286efab2ff42d37b3f098768c91224fc773642c2c0c081bd8d7c4b9c49530eb3
Instruction Fuzzy Hash: D0313E70E08219DFCB08DFA6D68199EFBF1FF99300F11C99AD405AB255D735AA018F50

Uniqueness

Uniqueness Score: -1.00%

Function 009C05D0, Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.246308879.00000000009C0000.00000040.00000040.sdmp, Offset: 009C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cf63ff1b4736df9febd4a7c9c35c347c28c44166b3b95650dcafada63bec9fd
Instruction ID: 8e942801f0bd867b24666d0e2f2fa85c907ccec0b09ca779cfd35b5f64fa4221
Opcode Fuzzy Hash: 6cf63ff1b4736df9febd4a7c9c35c347c28c44166b3b95650dcafada63bec9fd
Instruction Fuzzy Hash: 9801967150D7C49FC712CB19DC54866FFA8DB8662070984DFEC498B653C225A909CB62

Uniqueness

Uniqueness Score: -1.00%

Function 049718F8, Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249760587.0000000004970000.00000040.00000001.sdmp, Offset: 04970000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e27b9d855071242a6b80194560fe6b8c8ae73ecbd0634835a8eb78cc33a41468
Instruction ID: 801a91256bf0e52e2997ee4fbfdcc38efde53cfc4a8f67e32bcc1071f3979acf
Opcode Fuzzy Hash: e27b9d855071242a6b80194560fe6b8c8ae73ecbd0634835a8eb78cc33a41468
Instruction Fuzzy Hash: 6031F274E04209DFCB04CFA9D5869EEBBF2FB48310F10846AE905AB355DB34AA41CF94

Uniqueness

Uniqueness Score: -1.00%

Function 00A1AA2A, Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.246346364.0000000000A12000.00000040.00000001.sdmp, Offset: 00A12000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d43c4652f74a22db589c0afe46da224798b0bd58287e583dd457eece0d041e44
Instruction ID: 51ce3cff195a4ffa979c61508ede4ebeae63581aab1021fc32c73b2f9d6d6b11
Opcode Fuzzy Hash: d43c4652f74a22db589c0afe46da224798b0bd58287e583dd457eece0d041e44
Instruction Fuzzy Hash: B6119376644204BFD2108F06EC41E67FBA8EB84630F18C96EFD095B211D276B5148BB2

Uniqueness

Uniqueness Score: -1.00%

Function 00A1AC42, Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.246346364.0000000000A12000.00000040.00000001.sdmp, Offset: 00A12000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ba52a7e53851049029b0113020262364036f1bc7a34ae584cbb06da7287c16c
Instruction ID: 09c0947406f18393c09d32eb2cd65569e64da7c0d48a761fa7f28f58d17430bc
Opcode Fuzzy Hash: 0ba52a7e53851049029b0113020262364036f1bc7a34ae584cbb06da7287c16c
Instruction Fuzzy Hash: 3C119376644204BFD2108F06EC41E67FBA8EB84670F18C96EFD495B211D276B5148BB2

Uniqueness

Uniqueness Score: -1.00%

Function 04B20016, Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.250076545.0000000004B20000.00000040.00000001.sdmp, Offset: 04B20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfdd8d6dd3b1a6a1011f678fe4d0e87cd498b212677703e2f49ffaf2963ffe51
Instruction ID: f0397df97aeb800cd7ea1a384a035d3c15847cfd5ed8e662c78748b6bae123b1
Opcode Fuzzy Hash: cfdd8d6dd3b1a6a1011f678fe4d0e87cd498b212677703e2f49ffaf2963ffe51
Instruction Fuzzy Hash: 4911E76084E2D94FD7069B7489647EBBFB0EF46210F0902EBC440EB593D66C544AD7A1

Uniqueness

Uniqueness Score: -1.00%

Function 00A1AC50, Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.246346364.0000000000A12000.00000040.00000001.sdmp, Offset: 00A12000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1298101142f040b9a572c1ffb5073625bc74174bec9daffacba88d388b7b7aa
Instruction ID: fb141860d3722fe93f3b7e7e292878e628c9861513d83670793636b3849ed17c
Opcode Fuzzy Hash: d1298101142f040b9a572c1ffb5073625bc74174bec9daffacba88d388b7b7aa
Instruction Fuzzy Hash: F811C476649204AFD2008F45AC41E67FFA8EB85730F18C96BFD489A211D176A5149BA2

Uniqueness

Uniqueness Score: -1.00%

Function 04B242A9, Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.250076545.0000000004B20000.00000040.00000001.sdmp, Offset: 04B20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4042dfe60daa603456f42466cdf21c7799afef7381018bf96f0a45b9beaaf368
Instruction ID: 58bbd898c55c4462be32dff2a0e9ea2d5385fca14d37beae605a042e83dae337
Opcode Fuzzy Hash: 4042dfe60daa603456f42466cdf21c7799afef7381018bf96f0a45b9beaaf368
Instruction Fuzzy Hash: FF215774E08218DFCF00DFA9D6845AEBFB1EF46315F6082EAD848A7660D7346A51CF61

Uniqueness

Uniqueness Score: -1.00%

Function 00A1AC98, Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.246346364.0000000000A12000.00000040.00000001.sdmp, Offset: 00A12000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 954c62dae013bcd92308718d6ec686cda3a1133abe642bf38b9d73b28cdf3e35
Instruction ID: 468fd1750c5f8c38f9bec33bab99758459043721ee0fe8951672dd698cdaedaf
Opcode Fuzzy Hash: 954c62dae013bcd92308718d6ec686cda3a1133abe642bf38b9d73b28cdf3e35
Instruction Fuzzy Hash: 7B214DB554D380AFD702CF25DC51956BFE4EF86620F0989DFF8889B252D235A908CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00A1A812, Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.246346364.0000000000A12000.00000040.00000001.sdmp, Offset: 00A12000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14fdd79327d0956d7cfaedc09eb8e024456d665a6aaab6486f1c8d202cb8de38
Instruction ID: b7c00e19e3e2bddcc8256082ffafb6dda929cc38e33b05b232a5d2eaa5aee73a
Opcode Fuzzy Hash: 14fdd79327d0956d7cfaedc09eb8e024456d665a6aaab6486f1c8d202cb8de38
Instruction Fuzzy Hash: 5311C676640204BFD6108F0AEC41E72FBA8EB84630F18C56FFD095B211D276B5148BB2

Uniqueness

Uniqueness Score: -1.00%

Function 009C0724, Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.246308879.00000000009C0000.00000040.00000040.sdmp, Offset: 009C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10fc6699d83e1172ff6e83a76d4c3e736f1d4bae8836c916cf4c1a8c0002db05
Instruction ID: 569d9699de12bb10429e6d9df9c5bcc84ae6fbba2e806f23d3d0a7d1ab5c1bb6
Opcode Fuzzy Hash: 10fc6699d83e1172ff6e83a76d4c3e736f1d4bae8836c916cf4c1a8c0002db05
Instruction Fuzzy Hash: 11216F355093C09FC717CB20C890B65BFB5AB96314F2981EED4899B6A3C23A9C17CB52

Uniqueness

Uniqueness Score: -1.00%

Function 009C075C, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.246308879.00000000009C0000.00000040.00000040.sdmp, Offset: 009C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5be4a2682e8853512d8d2d77410d144f5192442b9aa3a05441c4075e82fcda64
Instruction ID: d229045bbedc0f5dc47c233f1d6da65347ffd4562201d6534ac2cc8693c7e969
Opcode Fuzzy Hash: 5be4a2682e8853512d8d2d77410d144f5192442b9aa3a05441c4075e82fcda64
Instruction Fuzzy Hash: 7311E434604244DFD709CB24CD80F26BB99EB88708F24C99CE8494B652C77FE803CE52

Uniqueness

Uniqueness Score: -1.00%

Function 04B285F8, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.250076545.0000000004B20000.00000040.00000001.sdmp, Offset: 04B20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe4a8466fd9a45dca2f7d4e6bc6b49180397b8b6fe2a90eb5a51ed13fa5291b2
Instruction ID: ddaa11ab4fa3d925a76e281e0ef968feab4cb0132eb889b61b117d8600116ec2
Opcode Fuzzy Hash: fe4a8466fd9a45dca2f7d4e6bc6b49180397b8b6fe2a90eb5a51ed13fa5291b2
Instruction Fuzzy Hash: E9219F70D05219DFCB05DFA9C6404ADFBB1FF49340F148AEAD409AB224D338AB42DB51

Uniqueness

Uniqueness Score: -1.00%

Function 009C0884, Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.246308879.00000000009C0000.00000040.00000040.sdmp, Offset: 009C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48de8a1c636a80d7f0e99b588684f9e8b7ef3f6c46af0e7398c9e295552c5517
Instruction ID: 46ca4149ea1f16aa8f8f82acb054643b014fc527d231ee35a35c2afe258f48d8
Opcode Fuzzy Hash: 48de8a1c636a80d7f0e99b588684f9e8b7ef3f6c46af0e7398c9e295552c5517
Instruction Fuzzy Hash: 02113C72904204AFD610DE59DC80DA7B7ECEF88624F14C91EFD498B201D336ED158FA2

Uniqueness

Uniqueness Score: -1.00%

Function 04970CE0, Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249760587.0000000004970000.00000040.00000001.sdmp, Offset: 04970000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0b9fba7eb04e8a71623e2b07d1d85a11a619b1e5c35191ee141a792748d5e40
Instruction ID: 79f3d76983efca3bfc5a57d3a8c10964b68c49d0f83a2675fc1782fad58a631a
Opcode Fuzzy Hash: c0b9fba7eb04e8a71623e2b07d1d85a11a619b1e5c35191ee141a792748d5e40
Instruction Fuzzy Hash: 5221E2B4D05309DBCB44CFA9C5859AEFBF6FB48300F2094AAD809AB354E774AA019F51

Uniqueness

Uniqueness Score: -1.00%

Function 00A1B161, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.246346364.0000000000A12000.00000040.00000001.sdmp, Offset: 00A12000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62524df1e59d216961f9836f0599030f53ba60db4a543afa8bc1b19aea703250
Instruction ID: 25ea2c9b7a0aebcc4cf9865db780f337d817a3c940cd3c9c0416382564346f4b
Opcode Fuzzy Hash: 62524df1e59d216961f9836f0599030f53ba60db4a543afa8bc1b19aea703250
Instruction Fuzzy Hash: 4F11D4B5A48301AFD340CF19D881A5BFBE4FB88664F04896EF89897311D375E9048FA2

Uniqueness

Uniqueness Score: -1.00%

Function 04B200F9, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.250076545.0000000004B20000.00000040.00000001.sdmp, Offset: 04B20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f512d976ee21e60fa66d685833e98dfcb89ab7d6ce20128e21e46d0680045e2
Instruction ID: da2ba6115193deeaafe2890aa9d3f80f34a9a244a14cb65b8e8b45dbbd3bca6b
Opcode Fuzzy Hash: 0f512d976ee21e60fa66d685833e98dfcb89ab7d6ce20128e21e46d0680045e2
Instruction Fuzzy Hash: D221513090120ADFCB08EFE8D6555ED7FB1FF44304B1581BAE501AB2A9DB745E11CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00A1A770, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.246346364.0000000000A12000.00000040.00000001.sdmp, Offset: 00A12000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 532f48052b22198352eccd3040702ca5693c00c3ce53f98bd47671808cd5880d
Instruction ID: 458e824b335341eb3ef88585fb10431d6c72c479f96f1694ebc69f86f5c81d3c
Opcode Fuzzy Hash: 532f48052b22198352eccd3040702ca5693c00c3ce53f98bd47671808cd5880d
Instruction Fuzzy Hash: 4301B17150E3C46FE3124B259C95AA2BF78DF43620F0D84CBED849F1A3D25A6909C7B2

Uniqueness

Uniqueness Score: -1.00%

Function 04B20108, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.250076545.0000000004B20000.00000040.00000001.sdmp, Offset: 04B20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04127e6c793c1ab9ccb42f2b3fb178ea3b8215504d7d004123160407ed9cda07
Instruction ID: af5628f89553b5b731aa9c60a82364e83ab4ce0aafd16fb11e2d0262e5b38c87
Opcode Fuzzy Hash: 04127e6c793c1ab9ccb42f2b3fb178ea3b8215504d7d004123160407ed9cda07
Instruction Fuzzy Hash: 1811FE3094120EDFCB04EFE8EA459DD7BB1FF44304B218179EA05AB2A9DB745E51CB51

Uniqueness

Uniqueness Score: -1.00%

Function 04B247F8, Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.250076545.0000000004B20000.00000040.00000001.sdmp, Offset: 04B20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4ff009fdcb287bc4e3cf583ced898ee42da17821292b6169909bf6356f9750e
Instruction ID: 8b0ad3540cb01cf948e4fb55eace96ffc422d37ffeb53e217c36d1a88cfdf613
Opcode Fuzzy Hash: b4ff009fdcb287bc4e3cf583ced898ee42da17821292b6169909bf6356f9750e
Instruction Fuzzy Hash: 4501D13099E198CFCB01DBB4DA409EDBF71EF07311F2462DAD8495B662D2752505D760

Uniqueness

Uniqueness Score: -1.00%

Function 04973E38, Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249760587.0000000004970000.00000040.00000001.sdmp, Offset: 04970000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b455179f23c61d8cd0b084d2a2fd9880a59d11aefd541ef5fdd7d7d38f1d252a
Instruction ID: d49b4026dfce18f40f8faf81b48075a3e4398d0fe227b31a063bb1500137571c
Opcode Fuzzy Hash: b455179f23c61d8cd0b084d2a2fd9880a59d11aefd541ef5fdd7d7d38f1d252a
Instruction Fuzzy Hash: B7012870E09209DFCB44DFA5DA895AEBBB6FF89300F2085A9D805A7354D7746E00DF91

Uniqueness

Uniqueness Score: -1.00%

Function 04972881, Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249760587.0000000004970000.00000040.00000001.sdmp, Offset: 04970000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1dc63b4cf090a5bf9361c594ddc00190ada6e33cede84a30fa8775f3e5ece92c
Instruction ID: 9f77c625686af2edd831fc6a1d1a01aa0c82d931f6dc7bd896008f8d953fbb66
Opcode Fuzzy Hash: 1dc63b4cf090a5bf9361c594ddc00190ada6e33cede84a30fa8775f3e5ece92c
Instruction Fuzzy Hash: 5C011630D5A209DFCB00CFA8E1815DDFBB0FB4C314F1098AAE116FA210E336A9519F54

Uniqueness

Uniqueness Score: -1.00%

Function 04B203E9, Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.250076545.0000000004B20000.00000040.00000001.sdmp, Offset: 04B20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a974c50265c2cb3e6823835ab9aa924059e175abf3006197df0e2fb969305be
Instruction ID: 7d547f299382e480221b16562ff94f997af5a4f55acd99643355b1ccedee802d
Opcode Fuzzy Hash: 9a974c50265c2cb3e6823835ab9aa924059e175abf3006197df0e2fb969305be
Instruction Fuzzy Hash: 5DF05E74A42108DBD708DBF0C690BAF7377EF8A304F6498A5840567294CA749E41EA65

Uniqueness

Uniqueness Score: -1.00%

Function 009C08C6, Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.246308879.00000000009C0000.00000040.00000040.sdmp, Offset: 009C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40379417e215b40a94047d907c0c8220b071ebbda04341ab001c5e82c1194404
Instruction ID: ad3a54c35a0576ee6efb6601dc26713cf0d95ba9f91f60778cb52edaac49d97b
Opcode Fuzzy Hash: 40379417e215b40a94047d907c0c8220b071ebbda04341ab001c5e82c1194404
Instruction Fuzzy Hash: A3F082B2905204AFD200DF09EC41866F7ECDFD4621B18C52EEC488B300E276B9144EF2

Uniqueness

Uniqueness Score: -1.00%

Function 049752BF, Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249760587.0000000004970000.00000040.00000001.sdmp, Offset: 04970000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 221e7e5000028478d9657427e90c153866b735afdba46aa65ae51d387cb1b6fa
Instruction ID: 31364e17a2e52996df45f4a203b5ad16d810464248f3c4e13c8d85b43b061dea
Opcode Fuzzy Hash: 221e7e5000028478d9657427e90c153866b735afdba46aa65ae51d387cb1b6fa
Instruction Fuzzy Hash: 2D11B074901229CFCB60DF54C984BE8FBB0BB58305F0044EA990DBB251D7706AC5DF10

Uniqueness

Uniqueness Score: -1.00%

Function 04B2B782, Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.250076545.0000000004B20000.00000040.00000001.sdmp, Offset: 04B20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 636823d6c4da368f4e5c7a2d7f7f026b8443fc259c2c68ce150de46416ca1d83
Instruction ID: a147eb03204158b2441647d69451bcfd8ebe7084e041487405229696bde87333
Opcode Fuzzy Hash: 636823d6c4da368f4e5c7a2d7f7f026b8443fc259c2c68ce150de46416ca1d83
Instruction Fuzzy Hash: 87F0F6749093A9DECB21CF21C190796BB70FB06220F2025C6C0AE56029E7346946DF56

Uniqueness

Uniqueness Score: -1.00%

Function 04B27DDE, Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.250076545.0000000004B20000.00000040.00000001.sdmp, Offset: 04B20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 025e3422bc99d8e030ff26e07aad9ac37e8276ba567882a9986258e75de33ea6
Instruction ID: 86c9e96bafed66934ca359179e5114de8a9248af6e9ca285e578d93974ebea5d
Opcode Fuzzy Hash: 025e3422bc99d8e030ff26e07aad9ac37e8276ba567882a9986258e75de33ea6
Instruction Fuzzy Hash: E101D674815168CFCB14DF94C6809CCBB70FB84340F10689AC01AAB218DB34B945CF65

Uniqueness

Uniqueness Score: -1.00%

Function 04B20531, Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.250076545.0000000004B20000.00000040.00000001.sdmp, Offset: 04B20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77ae868f0cf2d78213561ddf0054b4eb9195c0b0f59eebb64eeadb1923ca08b9
Instruction ID: f213511349c4f1095d8dfcb5f9b07fe373c3abf99c6a9d2ac53ff50612ef002b
Opcode Fuzzy Hash: 77ae868f0cf2d78213561ddf0054b4eb9195c0b0f59eebb64eeadb1923ca08b9
Instruction Fuzzy Hash: B7011438905209DFCB40DFA8C1849DDBBB0FB09310F2086D9D808A7311D338AE46DB50

Uniqueness

Uniqueness Score: -1.00%

Function 04B2C4DE, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.250076545.0000000004B20000.00000040.00000001.sdmp, Offset: 04B20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7afda46506b5467c6f0c7054feb0ec2acbb94bc82f3e49993293580c27205ef
Instruction ID: f3e5635a2a053ed1fc6e64c83e9f8485656ea3d6ff387df00cda549a47d0d626
Opcode Fuzzy Hash: d7afda46506b5467c6f0c7054feb0ec2acbb94bc82f3e49993293580c27205ef
Instruction Fuzzy Hash: 19019374A042698FCB54DF58C945B9DBBB2BB88300F10C4DAD50ABB354DA359D84CF15

Uniqueness

Uniqueness Score: -1.00%

Function 04B20070, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.250076545.0000000004B20000.00000040.00000001.sdmp, Offset: 04B20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2517bfe0d1287eb121c35e97ca006781484afe08023c3c1f22dc5abf082ca910
Instruction ID: 306a786c4ee970baeceee69d20723b8db98120c1c562f89d36bb6990e5351949
Opcode Fuzzy Hash: 2517bfe0d1287eb121c35e97ca006781484afe08023c3c1f22dc5abf082ca910
Instruction Fuzzy Hash: D0F08C70D0121D9BEB54EFB9C9557EFBEF4EB49704F20182AC104B3380DAB469448BE4

Uniqueness

Uniqueness Score: -1.00%

Function 049757F0, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249760587.0000000004970000.00000040.00000001.sdmp, Offset: 04970000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20e3616dcbdd8248bc6663cad1c643244b35a2e4f338eeb281aa4ac621ee684d
Instruction ID: 152fb3738089059088c517b41cfcac9f6bf8dd4b3b30b1308e0bfc5d9f3bd83d
Opcode Fuzzy Hash: 20e3616dcbdd8248bc6663cad1c643244b35a2e4f338eeb281aa4ac621ee684d
Instruction Fuzzy Hash: FAF03070D00308DFCB84EFB9D9555ADBBF5FB89301F1088699405A7390DBB45940CB95

Uniqueness

Uniqueness Score: -1.00%

Function 04B2F008, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.250076545.0000000004B20000.00000040.00000001.sdmp, Offset: 04B20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6c728366fa5ec391f1cb4ed087fa27516eb731a0518725d46b53f6598a9939e
Instruction ID: 54b77ead77006ef1940fbd0d23bdf8557f5ca05d22c77f559ef01702c11feea6
Opcode Fuzzy Hash: f6c728366fa5ec391f1cb4ed087fa27516eb731a0518725d46b53f6598a9939e
Instruction Fuzzy Hash: 3BF0BB30E01209DBDB44DFE8E6446ADBBB6EB85301F10C199D90857354EF345D11EB51

Uniqueness

Uniqueness Score: -1.00%

Function 04B20451, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.250076545.0000000004B20000.00000040.00000001.sdmp, Offset: 04B20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b93aa7d7ec65b06e9635c94ba65b2e5d1f3ab52f4ec24b385977dfeeb02cae63
Instruction ID: 8efa3e560c00c5515a75f2c679e545ca1c2a148f1b9ed99ff3a89bcab532a88f
Opcode Fuzzy Hash: b93aa7d7ec65b06e9635c94ba65b2e5d1f3ab52f4ec24b385977dfeeb02cae63
Instruction Fuzzy Hash: 79F0F974C45248DFCB01DBB8D8545EEBFB0EF46201F1046A9C855A3362D6789916DB50

Uniqueness

Uniqueness Score: -1.00%

Function 04B203F8, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.250076545.0000000004B20000.00000040.00000001.sdmp, Offset: 04B20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc50cee2bf8e6a3fcd1dba013631ffd4d3b4caef32e6d4c841ef8b7ff31c39ee
Instruction ID: 2970ea4029a685853ad814aee77596e8f967104d178369fc3f4c979dbcdc77d1
Opcode Fuzzy Hash: bc50cee2bf8e6a3fcd1dba013631ffd4d3b4caef32e6d4c841ef8b7ff31c39ee
Instruction Fuzzy Hash: 02F01C70A42208EBD708DBF1C650BAFB37BDF89304F6498A4840523284CE749E41EA54

Uniqueness

Uniqueness Score: -1.00%

Function 009C0818, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.246308879.00000000009C0000.00000040.00000040.sdmp, Offset: 009C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db8f86a91a53104c9855b02ce3d80620bd03ac1c2281c4cc2ebcd3669947181e
Instruction ID: 835a3b36be015e5d25bbc6e856576b7919ca5c6500b1c1573b2d38d04cfc45db
Opcode Fuzzy Hash: db8f86a91a53104c9855b02ce3d80620bd03ac1c2281c4cc2ebcd3669947181e
Instruction Fuzzy Hash: 2BF0FB35504644DFC606CB44D940F15FBA6EB89718F24C6ADE9490B652C33BA813DA81

Uniqueness

Uniqueness Score: -1.00%

Function 04974AB8, Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249760587.0000000004970000.00000040.00000001.sdmp, Offset: 04970000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ab4b6d88c3e3de58678b59eb4d406f9c157136531c8f56b02a5316c549c2be6
Instruction ID: 3813a1c5a0bfc851b78d75aa0da93988e1b0d77102df6f746a2d693fda39938d
Opcode Fuzzy Hash: 2ab4b6d88c3e3de58678b59eb4d406f9c157136531c8f56b02a5316c549c2be6
Instruction Fuzzy Hash: 15019C759012299FDBA0DF54CC84BD9BBB5AB48308F1085EAD40CAB251C734AA85DF44

Uniqueness

Uniqueness Score: -1.00%

Function 049733E7, Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249760587.0000000004970000.00000040.00000001.sdmp, Offset: 04970000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ddbe80ff556501d9e58e7785027415852ef688a09e6a19f4a42f35eec16d242
Instruction ID: 931f906d20811268190f3382bb48bb80403fb21f2f9d49ac8f57c038792157fe
Opcode Fuzzy Hash: 6ddbe80ff556501d9e58e7785027415852ef688a09e6a19f4a42f35eec16d242
Instruction Fuzzy Hash: 92F06570849208AFC755EFF4A8056D97BB8EB42300F1041F5980493251DA385E56DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 04975381, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249760587.0000000004970000.00000040.00000001.sdmp, Offset: 04970000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f41df7a9e49cf80188a94806baec5b2de30b4ea6159495a0eba32a15be163573
Instruction ID: 5b4416da664208d904088626d1ec3dfa515aba9f14f1af267eca14501bbb667d
Opcode Fuzzy Hash: f41df7a9e49cf80188a94806baec5b2de30b4ea6159495a0eba32a15be163573
Instruction Fuzzy Hash: 65F0C475A04218CFDB14CF94C880ADDFBB9BF48314F0481AAE508AB251D375AA81CF21

Uniqueness

Uniqueness Score: -1.00%

Function 04971A30, Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249760587.0000000004970000.00000040.00000001.sdmp, Offset: 04970000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35888b6477c8ffe4fd0be754d1ac50f977d69046a27ceb50b64799f0b081651c
Instruction ID: b610b09683496b0a0cb96e1a672d7e8c1a9074328518a726149ccc3e8394b6eb
Opcode Fuzzy Hash: 35888b6477c8ffe4fd0be754d1ac50f977d69046a27ceb50b64799f0b081651c
Instruction Fuzzy Hash: 5BF01C70D08249AFCB85EBB8D9426EEBBB5FB45300F6441AAD854D7351D6781901CB61

Uniqueness

Uniqueness Score: -1.00%

Function 009C05F6, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.246308879.00000000009C0000.00000040.00000040.sdmp, Offset: 009C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4edaf970e3cc467f5b5ab4b2adcb76a772433b3e4c87327024ddc0e2110078f5
Instruction ID: 8ac753891bd057f9b98e59790d3d2c61079363541f3a31c1d637d8df63f11d22
Opcode Fuzzy Hash: 4edaf970e3cc467f5b5ab4b2adcb76a772433b3e4c87327024ddc0e2110078f5
Instruction Fuzzy Hash: 09E092B66006048BD650DF0AEC81466FBD8EB88630718C47FDC0D8B701D675B504CFA6

Uniqueness

Uniqueness Score: -1.00%

Function 04974A07, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249760587.0000000004970000.00000040.00000001.sdmp, Offset: 04970000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04595cd2eab0d4ef4d3b2ba2303496a9eae0ab9c11811e696cec0fa2a70a17f4
Instruction ID: e67ad9efd8a6079d6d2926cf0188dc66f13ccab11f55bbdbbf6e47116b9a33dd
Opcode Fuzzy Hash: 04595cd2eab0d4ef4d3b2ba2303496a9eae0ab9c11811e696cec0fa2a70a17f4
Instruction Fuzzy Hash: 1001CC74909229CFDB25CF65C848BECBBB1BB09348F8485E9841DAB250D7716BC6CF40

Uniqueness

Uniqueness Score: -1.00%

Function 04973C00, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249760587.0000000004970000.00000040.00000001.sdmp, Offset: 04970000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bb5d8be6cd0fd684c4dc2dc635e69fcfc719545738b7b406c982efa03591655
Instruction ID: 6a56d555098afdeda9eae83298ecfb921f279d297b1ab3ca424ab4276fd066d4
Opcode Fuzzy Hash: 5bb5d8be6cd0fd684c4dc2dc635e69fcfc719545738b7b406c982efa03591655
Instruction Fuzzy Hash: 6DE09230D46208AFC754EFB5E9456DDBFB4EB41300F2040A6CC04D3261D6391556CB61

Uniqueness

Uniqueness Score: -1.00%

Function 04B20220, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.250076545.0000000004B20000.00000040.00000001.sdmp, Offset: 04B20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bb9398bba8adbac6ae24a7c5b384573b6ff0ed6d7d758146230463299f1b8ef
Instruction ID: 13451ab6e6240a5fdd81aafc88e89e7b61e7c49273a95431a819f684ae3e28b9
Opcode Fuzzy Hash: 3bb9398bba8adbac6ae24a7c5b384573b6ff0ed6d7d758146230463299f1b8ef
Instruction Fuzzy Hash: 13F0E53080D284DFCF05DFB495606DC7FB1EB0A310F1881E6CC8997361D6386A16DB11

Uniqueness

Uniqueness Score: -1.00%

Function 04B24850, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.250076545.0000000004B20000.00000040.00000001.sdmp, Offset: 04B20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31cdcd17a593ca719c053c0d735b56aa3e9e1f55cdfa0412245002683c96deeb
Instruction ID: 481d53489db53e123efe029fc6158c2772b1e475d8ed19f3c8063d593cbf349b
Opcode Fuzzy Hash: 31cdcd17a593ca719c053c0d735b56aa3e9e1f55cdfa0412245002683c96deeb
Instruction Fuzzy Hash: C3F0E53049E2889FCB15CBA4D9605DDBF70DF47315F1042D9CC8557322C3391556EB60

Uniqueness

Uniqueness Score: -1.00%

Function 00A1A9BB, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.246346364.0000000000A12000.00000040.00000001.sdmp, Offset: 00A12000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfd8e4f437849fa897c8a65cf7c66538fbb17fcf2b28adaaf760437af233130d
Instruction ID: 6ff9e5b75643a4a677300ec8340fac0d99c6125cba18fe93128a52126f609632
Opcode Fuzzy Hash: cfd8e4f437849fa897c8a65cf7c66538fbb17fcf2b28adaaf760437af233130d
Instruction Fuzzy Hash: F6E04875A412046BD2509F06DC86B62FB5CDB44930F58C55BED095B701D1B5B5048BF5

Uniqueness

Uniqueness Score: -1.00%

Function 00A1B1C3, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.246346364.0000000000A12000.00000040.00000001.sdmp, Offset: 00A12000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4897b00f5dffe26ece9202d61a728310d6711aa4ebe9421ca902f169b7e5fdb7
Instruction ID: 680546c1f0df036f7d955056b48743f80bf71e95f9ebbc10f23edb378604481e
Opcode Fuzzy Hash: 4897b00f5dffe26ece9202d61a728310d6711aa4ebe9421ca902f169b7e5fdb7
Instruction Fuzzy Hash: A1E0D872A81304ABE2109F06DC42F62FB58DB84A31F18C55BED081B301D1B5B5148AF1

Uniqueness

Uniqueness Score: -1.00%

Function 00A1ABD3, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.246346364.0000000000A12000.00000040.00000001.sdmp, Offset: 00A12000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02eac772d24195995e35cda95ad8153fa1713311417e3170cb7c1a3fc5620fa5
Instruction ID: 181041479bc1164952612739436959f8da1c56ffb274cb2a800dc82233146691
Opcode Fuzzy Hash: 02eac772d24195995e35cda95ad8153fa1713311417e3170cb7c1a3fc5620fa5
Instruction Fuzzy Hash: ADE0D871641204ABD2509F06DC82B63FB5CDB44A30F18C55BED085B301D1B5B5048AF1

Uniqueness

Uniqueness Score: -1.00%

Function 00A1ACFB, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.246346364.0000000000A12000.00000040.00000001.sdmp, Offset: 00A12000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 929dc2ee16791eca4611b86ac8031f2b69cde15b2edd8985282ebc8da5993504
Instruction ID: 50fe103303ec95039e62e72becdd2f9bc1edae73ced26a8a40d01d47015d1e1f
Opcode Fuzzy Hash: 929dc2ee16791eca4611b86ac8031f2b69cde15b2edd8985282ebc8da5993504
Instruction Fuzzy Hash: E9E0D872681204ABD2109F06DC86F62FB58DB54A30F18C55BED091B341D1B5B5048AF1

Uniqueness

Uniqueness Score: -1.00%

Function 00A1AE27, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.246346364.0000000000A12000.00000040.00000001.sdmp, Offset: 00A12000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8e99d42bdbd54cfe4e3f520edf67a5a5f51988e8d2f464bc78a2cfd6d4f8001
Instruction ID: c78028b8991fe9ef2f5ecb3e14d887e0ef75e7d74d46956f6acd4896ba6c6c92
Opcode Fuzzy Hash: c8e99d42bdbd54cfe4e3f520edf67a5a5f51988e8d2f464bc78a2cfd6d4f8001
Instruction Fuzzy Hash: 3BE0D872A41204ABD2109F069C42F62FB58DB44A34F18C55BED081B301D1B5B5048AF5

Uniqueness

Uniqueness Score: -1.00%

Function 00A1A7A4, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.246346364.0000000000A12000.00000040.00000001.sdmp, Offset: 00A12000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f249c0f5eb73bb4ad5bc443971110380d51dc4c1d16160443631c899fcc7e98
Instruction ID: 40001ecaf5094161bf8aceecdf8df2c7293f94fe7f95503def434e4ff686214d
Opcode Fuzzy Hash: 2f249c0f5eb73bb4ad5bc443971110380d51dc4c1d16160443631c899fcc7e98
Instruction Fuzzy Hash: 18E0D8716412046BD2109F06DC82B62FB58DB44930F18C55BED081B302E1B5B5048AF1

Uniqueness

Uniqueness Score: -1.00%

Function 00A1AF53, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.246346364.0000000000A12000.00000040.00000001.sdmp, Offset: 00A12000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c978a2dbfaf3e22a875bff6bdc7c4a684c0e393d25f3f4c341606e8ba7c88e63
Instruction ID: 76c5582027b210209425982ab7b440c212917dba7273fbda8f9259b0622248cc
Opcode Fuzzy Hash: c978a2dbfaf3e22a875bff6bdc7c4a684c0e393d25f3f4c341606e8ba7c88e63
Instruction Fuzzy Hash: 7EE0D872A41304ABD2109F0A9C42F62FB58DB54A30F18C56BED081B301D1B5B5048AF5

Uniqueness

Uniqueness Score: -1.00%

Function 04973B39, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249760587.0000000004970000.00000040.00000001.sdmp, Offset: 04970000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d49b775b3d79fe7cdf8f1259077349e39e434af17186512f4219306edb38593
Instruction ID: 18defee090766d8bc82a9f315e9ca32c355136627aadd0c1371ea2b0b58abc5d
Opcode Fuzzy Hash: 5d49b775b3d79fe7cdf8f1259077349e39e434af17186512f4219306edb38593
Instruction Fuzzy Hash: A6F03934900208AFC745EFB8D5066ADBBF4EF45300F1080EAD805D7261D638599ACB61

Uniqueness

Uniqueness Score: -1.00%

Function 04B2D5BF, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.250076545.0000000004B20000.00000040.00000001.sdmp, Offset: 04B20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d03ccd1bb83f74f22fe56dcc225e085a746cbc06e6cd966942a25bd74ac55d1
Instruction ID: cd70872e1c91f4bbfadbba05ee01f1ea4b4b75d2e689bb2fb83cc7b318536cff
Opcode Fuzzy Hash: 0d03ccd1bb83f74f22fe56dcc225e085a746cbc06e6cd966942a25bd74ac55d1
Instruction Fuzzy Hash: C4F01534905208AFCB91EBB8D58A6CDBFB0EF46300F2040AAD856D3261E6795516CF12

Uniqueness

Uniqueness Score: -1.00%

Function 04B2B10D, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.250076545.0000000004B20000.00000040.00000001.sdmp, Offset: 04B20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8b73c68f7248e7f8381dca447f4ba4532ffdb4127eefdcf031fbf3db8b11e71
Instruction ID: 08ef42058dcb09c94e055fc8f8e930b21c7724c76adbf5280ff23197f9431ccb
Opcode Fuzzy Hash: a8b73c68f7248e7f8381dca447f4ba4532ffdb4127eefdcf031fbf3db8b11e71
Instruction Fuzzy Hash: 0CF030B0A08754CFEB12CF34C65578EB7B2FF4A300F1484E6A909AB245C7356E918E16

Uniqueness

Uniqueness Score: -1.00%

Function 04973DA0, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249760587.0000000004970000.00000040.00000001.sdmp, Offset: 04970000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c49b8f4dc6224d380d95dd565e598ffbe6072d2465a4f784ff08003271a888d9
Instruction ID: 54b53dc3cb289a47e14ac9a273a1b0f208d11b962f932cbacb598795d28cd1f4
Opcode Fuzzy Hash: c49b8f4dc6224d380d95dd565e598ffbe6072d2465a4f784ff08003271a888d9
Instruction Fuzzy Hash: 2AE026308192486FC351BBB4AC482ED7FF4EB01300F3008BAC881C32A1EA341992C371

Uniqueness

Uniqueness Score: -1.00%

Function 04B24808, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.250076545.0000000004B20000.00000040.00000001.sdmp, Offset: 04B20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a6e8df623e4971c8746c70940b1cd211d5468947247e2b120413939787098d6
Instruction ID: db4954af560b3f0ce708629e6cecc663af5ce397f4cda3f4c581585bca29e19d
Opcode Fuzzy Hash: 6a6e8df623e4971c8746c70940b1cd211d5468947247e2b120413939787098d6
Instruction Fuzzy Hash: 37E0D83095A14CDFC704DFA0DA408EDBB79EB06301F10A295D80827350C7302951D6A0

Uniqueness

Uniqueness Score: -1.00%

Function 04973370, Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249760587.0000000004970000.00000040.00000001.sdmp, Offset: 04970000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72f81b06d5f05f022916840a0e1cad423cdb716aac9d0ed0bf0a87f24f60b70b
Instruction ID: 9cfa7dcb3aead2d15e73ce9496ee3f8d00e62568ec4574e55114dfb31061e5ab
Opcode Fuzzy Hash: 72f81b06d5f05f022916840a0e1cad423cdb716aac9d0ed0bf0a87f24f60b70b
Instruction Fuzzy Hash: FFE0DF70409348AFC362EFF898092AC3FB8EB02300F5000E6C840D3261DA346A80C772

Uniqueness

Uniqueness Score: -1.00%

Function 04B2B096, Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.250076545.0000000004B20000.00000040.00000001.sdmp, Offset: 04B20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b79b7d8fe92ffdd934087a01e707745a16c1c20f08ad20b571b8c120bf4db92
Instruction ID: 13b856a2489a5291c6aa6d830afe3c785c25b5c6762aa13509777b3ac3ea64aa
Opcode Fuzzy Hash: 2b79b7d8fe92ffdd934087a01e707745a16c1c20f08ad20b571b8c120bf4db92
Instruction Fuzzy Hash: 0FF098B4A04358CFEB51CF64DA40B9EB7B6EB4A300F244496AA09AB245D7355E418F26

Uniqueness

Uniqueness Score: -1.00%

Function 04B20460, Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.250076545.0000000004B20000.00000040.00000001.sdmp, Offset: 04B20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 415e6c4dc73b48c6ff26013c29b95e47e1644bbf25edd37f46277faa0e29d33c
Instruction ID: c5f6a0605f06ed4d52a8355ead09161cc6d609ccdf20b649d3b6723d32858932
Opcode Fuzzy Hash: 415e6c4dc73b48c6ff26013c29b95e47e1644bbf25edd37f46277faa0e29d33c
Instruction Fuzzy Hash: 26F0C974D01218EFCB04EFF8D5486AEBBB4EB45301F5085A9D814A3360D774AA51CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00A1ABDC, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.246346364.0000000000A12000.00000040.00000001.sdmp, Offset: 00A12000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9e6c449e80ea6a551175800f9544db56e3e4fcb99cbcff0d7e1468af216277b
Instruction ID: 1e8e6c12f9ca8639aa93f95ae4695a159966388bfa272d5e7066320f7578063a
Opcode Fuzzy Hash: e9e6c449e80ea6a551175800f9544db56e3e4fcb99cbcff0d7e1468af216277b
Instruction Fuzzy Hash: 3BE0CD72A413009FD2505F056C82BB2FF54DF40630F1CC59BEC085F242D175A214CBE2

Uniqueness

Uniqueness Score: -1.00%

Function 049758A9, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249760587.0000000004970000.00000040.00000001.sdmp, Offset: 04970000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17d573499fd96ae05d5976771c556f6e1fdfdc379dae2093b7a253f9eca1c043
Instruction ID: 25464a166e8d29c9a123836f41dcb51fdf6eee7e05efe7835d6c664bdb2edc88
Opcode Fuzzy Hash: 17d573499fd96ae05d5976771c556f6e1fdfdc379dae2093b7a253f9eca1c043
Instruction Fuzzy Hash: 4CE0DF70905304AFC7559BB49906B997FF4EB01B00F2000ED8A05A72A0DA785A41C761

Uniqueness

Uniqueness Score: -1.00%

Function 04974CC4, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249760587.0000000004970000.00000040.00000001.sdmp, Offset: 04970000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34e7952b2014b8236208a52447ab3c8865f72a0821cfe41aae6e31bf4d2964a3
Instruction ID: 773ed1afccb490fb273d0624b292d328dd431b562af64800129395bd6b07f6fb
Opcode Fuzzy Hash: 34e7952b2014b8236208a52447ab3c8865f72a0821cfe41aae6e31bf4d2964a3
Instruction Fuzzy Hash: 81F0CF74A112288FDB21DF64C8817D9BBB0FF4A340F5085E9C48E67245DB70AAC1EF41

Uniqueness

Uniqueness Score: -1.00%

Function 04973D20, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249760587.0000000004970000.00000040.00000001.sdmp, Offset: 04970000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f2ef5385600528d8d57050b92fcf8ee0998ad42e8d8767e6f251c3541fff6be
Instruction ID: 77fccca2d64769d3ec83fa11ec1d3c879715e21a26e34b4e2c3834efc2dc3e2c
Opcode Fuzzy Hash: 0f2ef5385600528d8d57050b92fcf8ee0998ad42e8d8767e6f251c3541fff6be
Instruction Fuzzy Hash: 04E09270C05248AFC751EBB494412DC7FB4EB41300F1040E6C854D7361D6381559CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 04973B79, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249760587.0000000004970000.00000040.00000001.sdmp, Offset: 04970000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5dfdd4056778ce5e54ff2558c8a6abfcba1bbeddfdead6d8559271c5f122259b
Instruction ID: 1c5839d24f55b02fbc1c0af219aa697cc8b9685b87b3b0a9d00c30283fd0fe6c
Opcode Fuzzy Hash: 5dfdd4056778ce5e54ff2558c8a6abfcba1bbeddfdead6d8559271c5f122259b
Instruction Fuzzy Hash: 46E04F70859348AFC791AFF899461D97FB4EB02301F6000E6D885D6262E5351555C7B2

Uniqueness

Uniqueness Score: -1.00%

Function 04974210, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249760587.0000000004970000.00000040.00000001.sdmp, Offset: 04970000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 162ee73e7b993b37357a725accdc218bca2b0314cfb8718f4b53b24b71706272
Instruction ID: e2e930ca908adf402bcb39004751a1ac3de9b703b60345dc42dbad2afc5668bc
Opcode Fuzzy Hash: 162ee73e7b993b37357a725accdc218bca2b0314cfb8718f4b53b24b71706272
Instruction Fuzzy Hash: 91F0C975D0420CAFCF41EFA8D940AADBBB5FB48300F10856AE914A2351D7755661EB51

Uniqueness

Uniqueness Score: -1.00%

Function 04B24E90, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.250076545.0000000004B20000.00000040.00000001.sdmp, Offset: 04B20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b8273df00b3daed6b0689cdc2ce4634408b9d54ef8e9d124a2d432bec4ae029
Instruction ID: 52dec6045ef77a6441e9312c27d5e7223255dbb621023eca6d2598b60d9a46c3
Opcode Fuzzy Hash: 0b8273df00b3daed6b0689cdc2ce4634408b9d54ef8e9d124a2d432bec4ae029
Instruction Fuzzy Hash: 2BE0DF3088D2A8DFC745EBF4A9451ECBFB0EF06300F5454EAC888677A2D2742946DB62

Uniqueness

Uniqueness Score: -1.00%

Function 0497499E, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249760587.0000000004970000.00000040.00000001.sdmp, Offset: 04970000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45d8e842f4b03a75a20b2623850b9c2df36110c140644a81a12e4a581f6827bb
Instruction ID: 7c5c13b4232655b8a9c1e7cba630675c1162c25e63ef5416f888aa0ac05b2f25
Opcode Fuzzy Hash: 45d8e842f4b03a75a20b2623850b9c2df36110c140644a81a12e4a581f6827bb
Instruction Fuzzy Hash: 7CF03975E4421ADFCF24CFA0C940BECFBB1FB08304F1084AA9519AB286D335AA42DF40

Uniqueness

Uniqueness Score: -1.00%

Function 04974856, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249760587.0000000004970000.00000040.00000001.sdmp, Offset: 04970000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd0261a07628390568e9d1a24cca2fde845c0c3abf1f1ee83665cb518d6fd59e
Instruction ID: f9e776cd1145b179ceb8d493125cbde74270bb044cffe918abefa4aea3ba3203
Opcode Fuzzy Hash: fd0261a07628390568e9d1a24cca2fde845c0c3abf1f1ee83665cb518d6fd59e
Instruction Fuzzy Hash: 3CF0A474945269CFDB64CF51C984BDCB7B0BB4A314F148AEAC41A77281D7729A86CF40

Uniqueness

Uniqueness Score: -1.00%

Function 0497536D, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249760587.0000000004970000.00000040.00000001.sdmp, Offset: 04970000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f6be3c9fdd2b1f9e35751ce049be8d2fd09d4aa69032d46e6fe5c425e008453
Instruction ID: fcefd0def5bb29d1d9ea3d6257a9cd1cf3719e146fa5041f990891a303f76564
Opcode Fuzzy Hash: 4f6be3c9fdd2b1f9e35751ce049be8d2fd09d4aa69032d46e6fe5c425e008453
Instruction Fuzzy Hash: 97F0AEB580926ADEDFA0CF64C9047E8BAB0AB55754F4419EA880DB2191D7B46BC4DF00

Uniqueness

Uniqueness Score: -1.00%

Function 04B20230, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.250076545.0000000004B20000.00000040.00000001.sdmp, Offset: 04B20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03e48b1438c41b9f87ee04acc238caf7f0fbd2c346e49a2927fe3e463ea02d78
Instruction ID: b51dfa3fe9b3f6fa1207c6f9d61f6a61cdff8d8b20da854ef4faa8ceace91fb2
Opcode Fuzzy Hash: 03e48b1438c41b9f87ee04acc238caf7f0fbd2c346e49a2927fe3e463ea02d78
Instruction Fuzzy Hash: EEE04634909309EBCB14EFE8E60569CBBB5EB49301F2080FAD809A3350E7756A51DB91

Uniqueness

Uniqueness Score: -1.00%

Function 04B255B8, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.250076545.0000000004B20000.00000040.00000001.sdmp, Offset: 04B20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1257fe046ab66c85c54947a9219e9d558afd71cc338834dccf1df229f8383c56
Instruction ID: dcf8e453283c6e7f49650c2addae4b49611c6793c5f1a451301f01bf379b7741
Opcode Fuzzy Hash: 1257fe046ab66c85c54947a9219e9d558afd71cc338834dccf1df229f8383c56
Instruction Fuzzy Hash: A8E01A7000A2819FC352DFB4AD5D2DA7F65EF06312F1580E6E44AD62B2CA340956CB62

Uniqueness

Uniqueness Score: -1.00%

Function 04B27377, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.250076545.0000000004B20000.00000040.00000001.sdmp, Offset: 04B20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5723c44195c8eaa0ebd9b27c37fa3f4039f8d2f39d86a2f8a00487fee414dbdf
Instruction ID: a0af0c5ee0651d94d2e92cf93399bcbc304a839b3d42ccbc5f01fdf6ead459b9
Opcode Fuzzy Hash: 5723c44195c8eaa0ebd9b27c37fa3f4039f8d2f39d86a2f8a00487fee414dbdf
Instruction Fuzzy Hash: 6CF0C974A05254CFCB54CFA4D65499D7BF2FB8A301F544499E40A9B354CB35AE85CF04

Uniqueness

Uniqueness Score: -1.00%

Function 04974FEE, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249760587.0000000004970000.00000040.00000001.sdmp, Offset: 04970000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09859afa2a3c6432f1300ae9392279741a9da4606df276932e2b1e166bc11750
Instruction ID: c9acc5888cbc34f8b105ad1dd94caf52fe1737572d9c3eefe8038172a426cf8e
Opcode Fuzzy Hash: 09859afa2a3c6432f1300ae9392279741a9da4606df276932e2b1e166bc11750
Instruction Fuzzy Hash: 77F0A5759052199ECB54DF90D985BE9B7F8BB48300F0096EA9409E6245D735AB82CF50

Uniqueness

Uniqueness Score: -1.00%

Function 04B27E06, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.250076545.0000000004B20000.00000040.00000001.sdmp, Offset: 04B20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04617c71e5f51acbee2c035fc5a93e185e19904de432027839e24c2072476c4e
Instruction ID: 067730058ba81da07c46401895016eb8dca51ae27ce77bcaa3325ddf7321bfb2
Opcode Fuzzy Hash: 04617c71e5f51acbee2c035fc5a93e185e19904de432027839e24c2072476c4e
Instruction Fuzzy Hash: 39F015349062688FCB50DF98C9849CDBBB0FB84300F01A599D40AAB228DB34BE85CF60

Uniqueness

Uniqueness Score: -1.00%

Function 04B209D9, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.250076545.0000000004B20000.00000040.00000001.sdmp, Offset: 04B20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90d51fabe9dd6daa3f9c0f56968a3bf0fa58f854ab4c9d0b3326133380a9d63c
Instruction ID: 60d3823ca60897f00aa339040046959522c03b4e3d03f181b6242930e6ee710b
Opcode Fuzzy Hash: 90d51fabe9dd6daa3f9c0f56968a3bf0fa58f854ab4c9d0b3326133380a9d63c
Instruction Fuzzy Hash: F7E04F305092848FCB06DBB8D6657AEBF719B02204F1A50E694445B362C6345E50C725

Uniqueness

Uniqueness Score: -1.00%

Function 04B2C748, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.250076545.0000000004B20000.00000040.00000001.sdmp, Offset: 04B20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72e5e117f8f6ac1e90e1d487a207211778321e06680d400813fe98242f578098
Instruction ID: 157d9af18a34da550a051699b443d6e9342cba9947f809e1aca7b41ce05d26f5
Opcode Fuzzy Hash: 72e5e117f8f6ac1e90e1d487a207211778321e06680d400813fe98242f578098
Instruction Fuzzy Hash: 28E0E5B5E043599EDB04CBA5C941B9EB7F5BF89340F1090A5D108AB250E7305A008F55

Uniqueness

Uniqueness Score: -1.00%

Function 04970C98, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249760587.0000000004970000.00000040.00000001.sdmp, Offset: 04970000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88763036c81649c4f7b1a0f0181b8172273562b83c043cd4b4f7f73a754e79d7
Instruction ID: fb22570afb613d2fa8bdc4adc4d535c1ecccc0ef43668fd9991fb77467f30e11
Opcode Fuzzy Hash: 88763036c81649c4f7b1a0f0181b8172273562b83c043cd4b4f7f73a754e79d7
Instruction Fuzzy Hash: 35E01274D05308DFC754EFB8D54569DBBB9EB44304F2086BAC80463340D7396545CB45

Uniqueness

Uniqueness Score: -1.00%

Function 04974BE2, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249760587.0000000004970000.00000040.00000001.sdmp, Offset: 04970000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 678876b0ffae4f0e44b8de36e6fa03926c660d39095c8da71266787ffc24c664
Instruction ID: cbc19ff8cf84b3f6dad0759b896f5d30e1e1de76dc46cf407b6a2a7ec29b7b93
Opcode Fuzzy Hash: 678876b0ffae4f0e44b8de36e6fa03926c660d39095c8da71266787ffc24c664
Instruction Fuzzy Hash: F5E0C2399051189FCF61CFA0C844BDCFBB2AB0C314F2081EA9408A3251C7369A82DF00

Uniqueness

Uniqueness Score: -1.00%

Function 0497451D, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249760587.0000000004970000.00000040.00000001.sdmp, Offset: 04970000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e9c34a177d443c98e271a0f0800470be8bb5a6972b9261677d116bc1e0a87a8
Instruction ID: 3cfde8407002bd2da666e16c843cd6250facdf93c526383b94fa8fec8571ec73
Opcode Fuzzy Hash: 5e9c34a177d443c98e271a0f0800470be8bb5a6972b9261677d116bc1e0a87a8
Instruction Fuzzy Hash: 64E0E574A05229CFCB60DF24CD95BA8FBB2BB49300F0005E9910DA6241E7305E809F11

Uniqueness

Uniqueness Score: -1.00%

Function 04B2EFC0, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.250076545.0000000004B20000.00000040.00000001.sdmp, Offset: 04B20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad87e1ace634bb25b064f7f98907c50fdedae513a159204da2a25c0789496af4
Instruction ID: bef69fc35d704bf1419a93e2bbae51b776caa655b0c1286e39d78f230e1fb220
Opcode Fuzzy Hash: ad87e1ace634bb25b064f7f98907c50fdedae513a159204da2a25c0789496af4
Instruction Fuzzy Hash: B3E01274D05208DFC794EFB9E54569DBBB5EB44304F2085FAC81863340D7396945CB45

Uniqueness

Uniqueness Score: -1.00%

Function 04970F50, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249760587.0000000004970000.00000040.00000001.sdmp, Offset: 04970000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d343b2f657ccb6c15fa775c7415a03475cae0b004534de59efee40ccbb8edbe1
Instruction ID: 288bd6d9e31d8ed44fc353dc7791040e2bb3b840f4403ca3212c0f90182d601e
Opcode Fuzzy Hash: d343b2f657ccb6c15fa775c7415a03475cae0b004534de59efee40ccbb8edbe1
Instruction Fuzzy Hash: E9E0E270D01208EFCB94EFB895443ACBBB4AB44304F6081A9C848A2340EB39AA41CB81

Uniqueness

Uniqueness Score: -1.00%

Function 04B2E688, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.250076545.0000000004B20000.00000040.00000001.sdmp, Offset: 04B20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8dd5ffcbe12423335a09b9ac16f3838b64bcf5e901497ee28cd94164bf58aeb
Instruction ID: 9df5aee338b1dea918e99fbbf9f10bc4783265c52d3bdf289b4e9ade3bd623aa
Opcode Fuzzy Hash: e8dd5ffcbe12423335a09b9ac16f3838b64bcf5e901497ee28cd94164bf58aeb
Instruction Fuzzy Hash: 48E0E270D01208EFCB94EFB8954439CBBB4EB44304F2081A98808A2340EA39AA41CF42

Uniqueness

Uniqueness Score: -1.00%

Function 04B200ED, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.250076545.0000000004B20000.00000040.00000001.sdmp, Offset: 04B20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 963724becdfc8c245d1e1cfa0e448f418b369d97beb38807465f2fb3c4e648cd
Instruction ID: cf0cff40706d0ee8951f8666e9f119d5ae4ddcb654791e7e192af04dd386ef50
Opcode Fuzzy Hash: 963724becdfc8c245d1e1cfa0e448f418b369d97beb38807465f2fb3c4e648cd
Instruction Fuzzy Hash: 95D01775E01108CFCB00DFF4E0842EDB7B0EB89329F208466C618A3210C33154458F60

Uniqueness

Uniqueness Score: -1.00%

Function 04B2E8C0, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.250076545.0000000004B20000.00000040.00000001.sdmp, Offset: 04B20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f8b3264f875372ce863051dbd3fb307ed7660aaba4793f0265dc08f3f538fbb
Instruction ID: bc6cfae6d7a7590d06c6e43869f01d474d16f6c8fab1107b462e4a3d5fced33c
Opcode Fuzzy Hash: 6f8b3264f875372ce863051dbd3fb307ed7660aaba4793f0265dc08f3f538fbb
Instruction Fuzzy Hash: 06E0E270D0120CAFCB94EFB8954429CBBB4EB44304F6080A9C808A7340EA39AA41CB51

Uniqueness

Uniqueness Score: -1.00%

Function 04B2E5B0, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.250076545.0000000004B20000.00000040.00000001.sdmp, Offset: 04B20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68e72db7c3f60e708ee827cfd346fb9756a00cb29825d7a0ea06d29e8a1c9115
Instruction ID: 17b37688bda701fb1282d8fb69d8f28dd3c14e78a515a9e40c1d69c71fec40bc
Opcode Fuzzy Hash: 68e72db7c3f60e708ee827cfd346fb9756a00cb29825d7a0ea06d29e8a1c9115
Instruction Fuzzy Hash: 2CE012749041089FC784FFB8D99875C7BF4EB04305F2041A9DD0A97350EA346954CB51

Uniqueness

Uniqueness Score: -1.00%

Function 04B2D5D0, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.250076545.0000000004B20000.00000040.00000001.sdmp, Offset: 04B20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06bd2210ce6dc2941c69045294155b2b7f6581af67e459596934fe1abc5f658d
Instruction ID: 1d4f750933b7d677bdf3637d2ef288bdef032f445416fe716c760a906ac23ce8
Opcode Fuzzy Hash: 06bd2210ce6dc2941c69045294155b2b7f6581af67e459596934fe1abc5f658d
Instruction Fuzzy Hash: C1E0EC74D00208DFC740EFA8D54469CBBF4EB04304F1040E9D80893350E674A944CF41

Uniqueness

Uniqueness Score: -1.00%

Function 04B2777A, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.250076545.0000000004B20000.00000040.00000001.sdmp, Offset: 04B20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5bcbdc8ac571b88a42c74d64332d7ee76c77167243c95d17a5c158f12ae1001
Instruction ID: a3b6c33b597c34454ee11328066a8dec1fb0cd18a3fb07bad9959d1ad3e4fd10
Opcode Fuzzy Hash: b5bcbdc8ac571b88a42c74d64332d7ee76c77167243c95d17a5c158f12ae1001
Instruction Fuzzy Hash: 60E07DB4902228CFCB50CF68C980ADDB7B1BF49314F1051D9D419A7354D734AB81CF11

Uniqueness

Uniqueness Score: -1.00%

Function 04971B92, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249760587.0000000004970000.00000040.00000001.sdmp, Offset: 04970000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e415d8d79545b930245c2dbeb8925895db02e02c0a764d4248e7ed29b6de6015
Instruction ID: 06212f3a459a2b91fa56d841aab70397265d24f51a15a91c64936df86b65ec5a
Opcode Fuzzy Hash: e415d8d79545b930245c2dbeb8925895db02e02c0a764d4248e7ed29b6de6015
Instruction Fuzzy Hash: 73E08C70A01109CFDB04CFA0D880A5D77B3FB8A300F148966D20AAB34CD774BD148F04

Uniqueness

Uniqueness Score: -1.00%

Function 04972AA8, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249760587.0000000004970000.00000040.00000001.sdmp, Offset: 04970000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98a43a6d1b807824ae258b0240d0f99337894f7057bb873db50ef4c3bc3bf9ef
Instruction ID: fba8947a5db38709a1d73c37a313364cd2f5dfb22cc34b9448c378941fea64ea
Opcode Fuzzy Hash: 98a43a6d1b807824ae258b0240d0f99337894f7057bb873db50ef4c3bc3bf9ef
Instruction Fuzzy Hash: A1D05E70D0430CAFCB94FFF8A5043ACBFF99B04700F2081FA8844A2380EA385640CB91

Uniqueness

Uniqueness Score: -1.00%

Function 049729D0, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249760587.0000000004970000.00000040.00000001.sdmp, Offset: 04970000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 650782f22a563abb16c1eb7319a7fd6b8b305ff7c01ab4cb8da3cd3868b34fa8
Instruction ID: 25aa736b9f42f817b840b53820cd8271497a172382a0e53bda7589a551a15f14
Opcode Fuzzy Hash: 650782f22a563abb16c1eb7319a7fd6b8b305ff7c01ab4cb8da3cd3868b34fa8
Instruction Fuzzy Hash: 74D01270D012089FC750EFA8D54539CBBF4DB04700F2040A9880493340E6345A00CB41

Uniqueness

Uniqueness Score: -1.00%

Function 04B255C8, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.250076545.0000000004B20000.00000040.00000001.sdmp, Offset: 04B20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a569e3fb6a72cab990755c3cbfa26d5536276d4ea643fd01c9e1371fe35c7609
Instruction ID: 28b38df748d8f2a2f4ffc311562cdb38727e8d6df4127a3266f7bbca99d6d1ab
Opcode Fuzzy Hash: a569e3fb6a72cab990755c3cbfa26d5536276d4ea643fd01c9e1371fe35c7609
Instruction Fuzzy Hash: 0AD09E71405205AFC351EFF4FD1D6DA7BA9EB05712F108064A40BD2270DF751946CAA2

Uniqueness

Uniqueness Score: -1.00%

Function 04B2CC4D, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.250076545.0000000004B20000.00000040.00000001.sdmp, Offset: 04B20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32c832fed3d2c1b61ceb99531a45053b67414b2e403f80cc3793d40a84f0f029
Instruction ID: 702386f7d486513baec08622e9a3a085d927c406cda1bcbf0a181d55ca2f53d3
Opcode Fuzzy Hash: 32c832fed3d2c1b61ceb99531a45053b67414b2e403f80cc3793d40a84f0f029
Instruction Fuzzy Hash: 78E0E2B8D0822DCFDB08CFA8C981BDEBBB5BF4D344F115496C009A7240E7346A808F65

Uniqueness

Uniqueness Score: -1.00%

Function 04B209E8, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.250076545.0000000004B20000.00000040.00000001.sdmp, Offset: 04B20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6aebeb9f686ad6a954ad44510d434b4b8565c2ad67f8d2d0524b8cc4b2af8eb1
Instruction ID: d8bde70502eb48dd8a7f9a96410066f47a77b0f831a1ab669b23e7113858f245
Opcode Fuzzy Hash: 6aebeb9f686ad6a954ad44510d434b4b8565c2ad67f8d2d0524b8cc4b2af8eb1
Instruction Fuzzy Hash: EAD0A930842208EFC708EBE8EA02BADF729DB01310F2010A9980823390CA792E50C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 00A023F4, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.246320364.0000000000A02000.00000040.00000001.sdmp, Offset: 00A02000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfb44634140fa40129b2e8df40125c290cbf24cbb1b55fa7379636f8654369c1
Instruction ID: ac87bc980013ff0328a387d9b917bf5ab0a73a411fb85e400ad3aab3a525f675
Opcode Fuzzy Hash: dfb44634140fa40129b2e8df40125c290cbf24cbb1b55fa7379636f8654369c1
Instruction Fuzzy Hash: 51D05E79245B854FD3268B1CD1ACB953B94AB51B04F4644F9EC008B6A3C369D981D200

Uniqueness

Uniqueness Score: -1.00%

Function 049722FC, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249760587.0000000004970000.00000040.00000001.sdmp, Offset: 04970000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15001cb8c39560e009d9b5f8585186f8079cb709e0eaec01219bfcd7e9b640e2
Instruction ID: 5540675fed0cdb50be557df99cfa9305432824756c864025be8c8a0fe18423c5
Opcode Fuzzy Hash: 15001cb8c39560e009d9b5f8585186f8079cb709e0eaec01219bfcd7e9b640e2
Instruction Fuzzy Hash: A4D0A775C46289DF8700CBF0C90759EFB70FE04340B84686EC417EA228E3346605EB50

Uniqueness

Uniqueness Score: -1.00%

Function 04B200CD, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.250076545.0000000004B20000.00000040.00000001.sdmp, Offset: 04B20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a9e7696e33c9ba076c3e70e3c258a7566ab79c48f6d6317db4e662577e07820
Instruction ID: 3c16d53671937e3cd1c9ec6840ab62bd6a2b0320979a3c802d70a7a03f1be1e4
Opcode Fuzzy Hash: 8a9e7696e33c9ba076c3e70e3c258a7566ab79c48f6d6317db4e662577e07820
Instruction Fuzzy Hash: 9FD0C976E01108DF8B00CFF8E4440DCF775EB89225B209466C514B3310C7319415CF60

Uniqueness

Uniqueness Score: -1.00%

Function 04B2B139, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.250076545.0000000004B20000.00000040.00000001.sdmp, Offset: 04B20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b8b56bbac2d9ef5f033644e82c07fb30345298daf4e85638ee7b1a106a0590e
Instruction ID: 319b06c2414d66315a1bd727238b8e242ab143350681a1a9e914e0ef6b611c26
Opcode Fuzzy Hash: 0b8b56bbac2d9ef5f033644e82c07fb30345298daf4e85638ee7b1a106a0590e
Instruction Fuzzy Hash: FFD067B4E081589FDB00CFD4CA41BEDB7B5BF49300F0090969519BB244D7349A458F19

Uniqueness

Uniqueness Score: -1.00%

Function 04B25F55, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.250076545.0000000004B20000.00000040.00000001.sdmp, Offset: 04B20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d342675a8ee38ec293ba1cd9e394e79e78319e02331f38a1954056eeb5eae6b5
Instruction ID: 3bbdf65fc2b4bb0ec81bdc75b96fe35780fa99033c41e76f7d30fea0caca442e
Opcode Fuzzy Hash: d342675a8ee38ec293ba1cd9e394e79e78319e02331f38a1954056eeb5eae6b5
Instruction Fuzzy Hash: 41E09270916129EFDBA4DB64DEA1A88BBB1BB44204F1086EAD40DA7264DF305E99CF44

Uniqueness

Uniqueness Score: -1.00%

Function 00A023BC, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.246320364.0000000000A02000.00000040.00000001.sdmp, Offset: 00A02000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21897926ee0ac459636d5a24edc21d8f87b26bf76dbe43767e485d46ed2c0edc
Instruction ID: a78a6f9b1ceaf46cbab9df3dc837c6f421363fd7fb5a79ac6cd2e3b656a8fbbe
Opcode Fuzzy Hash: 21897926ee0ac459636d5a24edc21d8f87b26bf76dbe43767e485d46ed2c0edc
Instruction Fuzzy Hash: 94D05E343012854BDB26DB0CE1E8F593BD4AB81B00F0644E8AC008F2A2C7B8EC81C600

Uniqueness

Uniqueness Score: -1.00%

Function 04B260C2, Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.250076545.0000000004B20000.00000040.00000001.sdmp, Offset: 04B20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3d8d1afdb1b736999c32252569160af048081ca3d1ebc42fd3339bdfad52ec1
Instruction ID: fd8174259a154e0d2ca6c6e105cb39c0a2ed9d808874c4eee9c86d5820009c43
Opcode Fuzzy Hash: a3d8d1afdb1b736999c32252569160af048081ca3d1ebc42fd3339bdfad52ec1
Instruction Fuzzy Hash: AFD05B71F0532EEFCB50DF50D941A8DB7BABB52240F115596A444A7380D6305D404F11

Uniqueness

Uniqueness Score: -1.00%

Function 04972004, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249760587.0000000004970000.00000040.00000001.sdmp, Offset: 04970000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de02043b3d0375c225ba6c6d4a217e2308419231c8b466a5008e980c19f38a8d
Instruction ID: 57de452acf527f32f4a1a99abc09cbd75e808610327ed3957c146e2a2ab0f08e
Opcode Fuzzy Hash: de02043b3d0375c225ba6c6d4a217e2308419231c8b466a5008e980c19f38a8d
Instruction Fuzzy Hash: 3CD01C398053688FEB00CFE0D944ADCBBB0BB00344F600A6AA002AB284E7388A44CF00

Uniqueness

Uniqueness Score: -1.00%

Function 04971F0F, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249760587.0000000004970000.00000040.00000001.sdmp, Offset: 04970000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 382daf14227247acb11aacdbdd49b040fe4a8e14785a0812d0e91b55deaa1450
Instruction ID: 5c3282473d6a5d12fe955b59456259a435072a4c305e3a7137ed8b7ba6d521e0
Opcode Fuzzy Hash: 382daf14227247acb11aacdbdd49b040fe4a8e14785a0812d0e91b55deaa1450
Instruction Fuzzy Hash: FFD0C93480891CCAD7109FA49A86A9CFFB1EB05609FC654D5C19A2620AEB341B329B0C

Uniqueness

Uniqueness Score: -1.00%

Function 04971C71, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249760587.0000000004970000.00000040.00000001.sdmp, Offset: 04970000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12b73f9468cc162a06a3ee5c9d5f94c1079c52a6d28155af766c5ea13dd333fc
Instruction ID: 4f450b92f5b216bb6279ddd417d7a925dd2e4e5594d9649bbd54a8edf6f8c512
Opcode Fuzzy Hash: 12b73f9468cc162a06a3ee5c9d5f94c1079c52a6d28155af766c5ea13dd333fc
Instruction Fuzzy Hash: 4BD01730902358DFD710DBA0DD55A4DB772FB4A201F505599E1066B294D7706A808F50

Uniqueness

Uniqueness Score: -1.00%

Function 04971F38, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249760587.0000000004970000.00000040.00000001.sdmp, Offset: 04970000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e3a6f0906bf8ee60915d795aef6a052bb58d246738a6f7377c24cd31ce0e73d
Instruction ID: 6cba5e06cecdc9dd2252491e1486c1bc2c1943241efe2c50a418eef397b8e409
Opcode Fuzzy Hash: 8e3a6f0906bf8ee60915d795aef6a052bb58d246738a6f7377c24cd31ce0e73d
Instruction Fuzzy Hash: 1AD0C97081590CC6D710BFA0EA89AACFF70EB44306F4444D1DAC928148EA31563A9749

Uniqueness

Uniqueness Score: -1.00%

Function 04B2BDB3, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.250076545.0000000004B20000.00000040.00000001.sdmp, Offset: 04B20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d280a1e42b61c1f108d3f0590646cb7cf6c5788dfe7e14cc07c4160f12f52725
Instruction ID: b6a3eef182f0cdcc6f715b822a7c5677a3cac6a554970524952a36838591f43d
Opcode Fuzzy Hash: d280a1e42b61c1f108d3f0590646cb7cf6c5788dfe7e14cc07c4160f12f52725
Instruction Fuzzy Hash: 1ED0CAB4D08168CBCB20CFA8CA50BAEF375BF08340F10509A8429A3209D3306A828F09

Uniqueness

Uniqueness Score: -1.00%

Function 04974534, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249760587.0000000004970000.00000040.00000001.sdmp, Offset: 04970000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 589ec42140208e7289bffbf9b9f5f0643730d98b0c05b3647e65425c00f15df9
Instruction ID: 44cf4c2d2fd378c0c7704f13f7500c6148aeba785cf544f3195ffb35dbde1478
Opcode Fuzzy Hash: 589ec42140208e7289bffbf9b9f5f0643730d98b0c05b3647e65425c00f15df9
Instruction Fuzzy Hash: FFC02B32C5C10B55C720CD008804BFAF5B563022C8F4026F2000077015F330D2806F44

Uniqueness

Uniqueness Score: -1.00%

Function 04B2B7CD, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.250076545.0000000004B20000.00000040.00000001.sdmp, Offset: 04B20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8988c8412c353ca011299141047227e7d091d3984c6f67971e9ae5b6302cbc94
Instruction ID: 9fc82be312cbeceb60dfa08ca7d1a3fd3bab2726ca6a5eb80bb488bb9b4fba6d
Opcode Fuzzy Hash: 8988c8412c353ca011299141047227e7d091d3984c6f67971e9ae5b6302cbc94
Instruction Fuzzy Hash: 4CC012B8D082188ACB40CF94C540B9EB3B9BB49300F2090968048A3204DB345A808B19

Uniqueness

Uniqueness Score: -1.00%

Function 04972415, Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249760587.0000000004970000.00000040.00000001.sdmp, Offset: 04970000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f0fe14c8a552b7a0689cca40f45e868c1455eccf57968221d6e9ea76d047b27
Instruction ID: 0a38aa37974ba45793f453f8a59f03dc39a4c75a48072293ec73b3df8d88df0f
Opcode Fuzzy Hash: 8f0fe14c8a552b7a0689cca40f45e868c1455eccf57968221d6e9ea76d047b27
Instruction Fuzzy Hash: E3D01271D0A248CFC704CFD1E45485CF772FF45311F50A61694066A258D774A9018B59

Uniqueness

Uniqueness Score: -1.00%

Function 04971CE4, Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249760587.0000000004970000.00000040.00000001.sdmp, Offset: 04970000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f475d3a287bbc9d99c312e1305a822fa62fb79c56454a253a5cc4630febf2719
Instruction ID: 29b418dde2c43832c37059543b62f5ba460e302244382c321dbcd6e1da26aa02
Opcode Fuzzy Hash: f475d3a287bbc9d99c312e1305a822fa62fb79c56454a253a5cc4630febf2719
Instruction Fuzzy Hash: 57C08C30529245CF8348CFD0D10121CB771F7413007401829B112AE09CDB3C5504CB14

Uniqueness

Uniqueness Score: -1.00%

Function 04972352, Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249760587.0000000004970000.00000040.00000001.sdmp, Offset: 04970000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e794cb718218fdd6dabfe3764547fef92bc0b936557babb602956428f84ab886
Instruction ID: 4630e06ec0f7ba71764ac74ed3031782c347aaeabe60a997be5dd6dbfcee397d
Opcode Fuzzy Hash: e794cb718218fdd6dabfe3764547fef92bc0b936557babb602956428f84ab886
Instruction Fuzzy Hash: 35C08C30C46208DFC700CBD0CA4146DF7B1FF48340F0014A9800AAA1A8E33469008F20

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 04B2E940, Relevance: 1.4, Strings: 1, Instructions: 145COMMON

Download Yara Rule

Strings

Dz, xrefs: 04B2ECE5

Memory Dump Source

Source File: 00000000.00000002.250076545.0000000004B20000.00000040.00000001.sdmp, Offset: 04B20000, based on PE: false

Similarity

API ID:
String ID: Dz
API String ID: 0-2870256512
Opcode ID: dd801958a13addbf101b828ce80af53def379696689fca4149cf79551845a8e5
Instruction ID: c86706aa16ef0c73434f6e9cc5915d3eb943bbc741921fd077aa489fa56a67f1
Opcode Fuzzy Hash: dd801958a13addbf101b828ce80af53def379696689fca4149cf79551845a8e5
Instruction Fuzzy Hash: F451F770D04229DFCB54CFAAC6844ADFBB2EF89304F24C5AAC819AB355D734AA01DF51

Uniqueness

Uniqueness Score: -1.00%

Function 04B29819, Relevance: 1.4, Strings: 1, Instructions: 140COMMON

Download Yara Rule

Strings

(G7M, xrefs: 04B298B1

Memory Dump Source

Source File: 00000000.00000002.250076545.0000000004B20000.00000040.00000001.sdmp, Offset: 04B20000, based on PE: false

Similarity

API ID:
String ID: (G7M
API String ID: 0-2843565713
Opcode ID: c0e5da79d6aca5eb68c59ed9c79ac2a43912baf29f664367487bf9c571dc9f8f
Instruction ID: afd4f4666aa028c27d52be0bb63c1c3872ee37bd5abe6ab4333535763bd8214e
Opcode Fuzzy Hash: c0e5da79d6aca5eb68c59ed9c79ac2a43912baf29f664367487bf9c571dc9f8f
Instruction Fuzzy Hash: 9F51D3B0E15229DFCB04CFA9D6809AEFBF1FF49350F148596D409AB214D734AA41CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 04B29828, Relevance: 1.4, Strings: 1, Instructions: 138COMMON

Download Yara Rule

Strings

(G7M, xrefs: 04B298B1

Memory Dump Source

Source File: 00000000.00000002.250076545.0000000004B20000.00000040.00000001.sdmp, Offset: 04B20000, based on PE: false

Similarity

API ID:
String ID: (G7M
API String ID: 0-2843565713
Opcode ID: d1a722c7bd73293dcb0c33be32e5941f17c174994a5e80040f3f421650f88f43
Instruction ID: 5636c0f7d8ba5a6c7fa7ce63aa1c4abf80478574f1ce548932ddb3ca6b87a093
Opcode Fuzzy Hash: d1a722c7bd73293dcb0c33be32e5941f17c174994a5e80040f3f421650f88f43
Instruction Fuzzy Hash: 5951D3B4E15229DFCB04CFA9D6809AEFBF1FB48350F149595D409BB214D330AA41CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 001685C8, Relevance: .4, Instructions: 427
COMMONCrypto

Download Yara Rule

C-Code - Quality: 68%

			E001685C8(intOrPtr* __eax, signed int __ebx, signed int __ecx, signed int* __edx, void* __edi, signed int __esi, void* __fp0) {
				signed int _t211;
				intOrPtr* _t212;
				signed int _t213;
				signed int _t214;
				intOrPtr* _t215;
				signed char _t217;
				intOrPtr* _t218;
				signed char _t219;
				signed int _t220;
				signed int _t221;
				intOrPtr* _t222;
				signed char _t223;
				intOrPtr* _t224;
				signed char _t225;
				signed char _t227;
				signed char _t230;
				signed int _t232;
				signed int _t233;
				signed char _t234;
				signed char _t235;
				signed int _t236;
				signed char _t237;
				signed int _t239;
				signed char _t240;
				signed char _t241;
				signed char _t242;
				signed char _t243;
				signed char _t246;
				signed char _t247;
				signed char _t248;
				signed char _t250;
				signed char _t251;
				signed int _t253;
				signed int _t254;
				signed int _t255;
				signed int _t256;
				signed char _t257;
				signed char _t258;
				signed char _t259;
				signed int _t260;
				signed int _t261;
				signed int _t262;
				intOrPtr* _t263;
				intOrPtr* _t264;
				signed char _t266;
				signed char _t269;
				signed char _t270;
				signed char _t271;
				intOrPtr* _t273;
				intOrPtr* _t276;
				intOrPtr* _t277;
				signed char _t279;
				signed char _t280;
				intOrPtr* _t281;
				intOrPtr* _t282;
				intOrPtr* _t283;
				signed char _t284;
				signed char _t285;
				signed char _t286;
				signed char _t287;
				signed char _t289;
				signed int _t290;
				signed char _t291;
				signed char _t292;
				intOrPtr* _t293;
				signed int _t295;
				void* _t296;
				intOrPtr* _t297;
				signed char _t300;
				void* _t302;
				signed int* _t305;
				signed int* _t306;
				signed int* _t308;
				signed int* _t312;
				signed int* _t313;
				void* _t317;
				signed int _t323;
				signed char _t324;
				void* _t326;
				intOrPtr* _t327;
				intOrPtr* _t328;
				intOrPtr* _t329;
				signed int _t330;
				void* _t331;
				void* _t333;
				void* _t335;
				intOrPtr* _t336;
				void* _t339;
				signed int _t342;
				void* _t344;
				void* _t349;
				void* _t351;
				void* _t355;
				intOrPtr* _t362;
				intOrPtr* _t363;
				intOrPtr _t364;
				intOrPtr* _t365;
				signed int _t366;
				signed char _t372;
				signed int _t373;
				signed char _t374;
				void* _t375;
				signed int _t376;
				signed int _t378;
				void* _t379;
				intOrPtr* _t380;
				void* _t382;
				signed char _t384;
				signed int _t385;
				signed int _t387;
				void* _t388;
				signed int _t390;
				signed int _t391;
				signed int _t392;
				signed int _t394;
				intOrPtr* _t395;
				intOrPtr* _t396;
				signed int _t404;
				signed int _t405;
				signed int* _t406;
				void* _t408;
				void* _t412;
				intOrPtr* _t414;
				void* _t418;
				signed int _t420;
				signed int _t421;
				signed int _t422;
				intOrPtr* _t424;
				void* _t425;
				signed int _t439;
				signed int _t440;
				signed int _t441;
				signed int _t442;

				_t360 = __ecx;
				asm("adc ecx, [eax]");
				_t300 = __ebx ^  *__edx;
				asm("out dx, eax");
				_t211 = __eax +  *__eax;
				 *_t211 =  *_t211 & _t211;
				 *_t211 =  *_t211 + _t211;
				 *_t300 =  *_t300 + __edx;
				 *(__edi + __edx - 0xc) =  *(__edi + __edx - 0xc) | _t300;
				_t212 = _t211 +  *_t211;
				asm("loopne 0x23");
				 *_t212 =  *_t212 + _t212;
				 *_t212 =  *_t212 + _t212;
				asm("adc ecx, [eax]");
				_t390 = __edi + 1;
				_t213 = _t212 +  *_t212;
				_t372 = _t213 *  *__ecx >> 0x20;
				_t214 = _t213 *  *__ecx;
				 *_t214 =  *_t214 + _t214;
				 *_t214 =  *_t214 + _t214;
				asm("adc ecx, [eax]");
				 *_t214 =  *_t214 | _t214;
				es = _t300;
				_t215 = _t214 +  *_t214;
				 *_t372 =  *_t372 + _t215;
				 *_t215 =  *_t215 + _t215;
				 *_t215 =  *_t215 + _t215;
				asm("adc ecx, [eax]");
				asm("fst qword [ecx]");
				es = es;
				es = es;
				_t217 = _t215 +  *_t215 ^ 0x00000022;
				 *_t217 =  *_t217 + _t217;
				 *_t217 =  *_t217 + _t217;
				asm("adc ecx, [eax]");
				 *_t372 =  *_t372 << 7;
				es = es;
				_t218 = _t217 +  *_t217;
				asm("o16 and al, [eax]");
				 *_t218 =  *_t218 + _t218;
				 *__ecx =  *__ecx + _t372;
				asm("sbb [eax+0x19], ah");
				asm("sbb [ebx], al");
				_t219 = _t218 +  *_t218;
				 *_t219 =  *_t219 + _t219;
				 *_t219 =  *_t219 + _t219;
				asm("sbb [edx+0x19], bl");
				 *_t300 =  *_t300 + _t219;
				 *_t372 =  *_t372 + _t372;
				asm("adc [eax], eax");
				asm("bound ebx, [ecx-0x3ffffcf9]");
				_t220 = _t219 &  *_t219;
				 *_t220 =  *_t220 + _t220;
				 *__esi =  *__esi + _t372;
				_t373 = _t372 | _t300;
				ds = es;
				asm("adc eax, 0x44000507");
				_t221 = _t220 &  *_t220;
				 *_t221 =  *_t221 + _t221;
				 *_t300 =  *_t300 + _t373;
				 *_t373 =  *_t373 | _t300;
				asm("sbb al, 0x15");
				es = es;
				_t222 = _t221 + 0x235b00;
				 *_t222 =  *_t222 + _t222;
				 *__esi =  *__esi + _t222;
				asm("sbb [edx+0x19], bl");
				 *0x236400 =  *0x236400 + _t222;
				 *_t222 =  *_t222 + _t222;
				 *__esi =  *__esi + _t373;
				asm("sbb [edx], bl");
				es = es;
				_t223 = _t222 + 0x237c00;
				 *_t223 =  *_t223 + _t223;
				 *__esi =  *__esi + _t373;
				 *__ecx =  *__ecx | _t223;
				asm("sbb [edx], ebx");
				_pop(es);
				_t224 = _t223 + 0x239400;
				 *_t224 =  *_t224 + _t224;
				 *__esi =  *__esi + _t224;
				asm("sbb [edx+0x19], bl");
				es = ds;
				_t225 = _t224 + 0x242c00;
				 *_t225 =  *_t225 + _t225;
				 *__esi =  *__esi + _t225;
				_t302 = (_t300 | __ecx) + _t225;
				_t227 = _t225 &  *(_t302 + 5) |  *(_t225 &  *(_t302 + 5));
				asm("les esp, [eax+eax]");
				 *_t227 =  *_t227 + _t227;
				 *0xfc000b00 =  *0xfc000b00 | _t373;
				_t230 = _t227 + _t227 + _t227 + _t227 & 0x00000000;
				 *_t230 =  *_t230 + _t230;
				 *__ecx =  *__ecx + _t230;
				 *((intOrPtr*)(_t373 + 0x20)) =  *((intOrPtr*)(_t373 + 0x20)) + _t373;
				 *((intOrPtr*)(_t230 + _t230)) =  *((intOrPtr*)(_t230 + _t230)) + __ecx;
				asm("sbb ch, [0x0]");
				es = es;
				_t232 = _t230 & 0x0000002d;
				 *_t232 =  *_t232 + _t232;
				 *_t232 =  *_t232 & _t232;
				_t305 = (_t302 + 0x00000001 |  *_t230) + 1;
				_t233 = _t232;
				_t306 =  &(_t305[0]);
				 *_t390 =  *_t390 + _t233;
				_pop(es);
				_t234 = _t233 | 0x002d3700;
				 *_t234 =  *_t234 + _t234;
				_t306[2] = _t306[2] + _t234;
				asm("int1");
				 *0x40000d07 =  *0x40000d07 + __ecx;
				_t235 = _t234;
				_t439 =  *_t372 +  *_t390 |  *_t305 | __esi |  *(_t235 + 1);
				_t236 = _t235 ^ 0x00000007;
				_push(cs);
				 *((intOrPtr*)(_t373 + 0x2d)) =  *((intOrPtr*)(_t373 + 0x2d)) + __ecx;
				 *_t236 =  *_t236 + _t236;
				 *_t236 =  *_t236 & _t236;
				_t308 =  &(_t306[0]);
				_t420 = _t418 +  *0x2d000c07 |  *(__esi + 1);
				_push(cs);
				_t308[0xb] = _t308[0xb] + _t373;
				 *_t236 =  *_t236 + _t236;
				 *_t236 =  *_t236 + _t236;
				_t237 = _t236 | __esi;
				 *((intOrPtr*)(7 + __ecx)) =  *((intOrPtr*)(7 + __ecx)) + _t237;
				asm("ltr word [ebp+0x2d]");
				 *_t237 =  *_t237 + _t237;
				 *_t237 =  *_t237 & _t237;
				_t374 = _t373 | _t439;
				 *((intOrPtr*)(7 + _t390)) =  *((intOrPtr*)(7 + _t390)) + _t237;
				asm("verr word [esi+0x2d]");
				 *_t237 =  *_t237 + _t237;
				 *_t237 =  *_t237 + _t237;
				_t440 = _t439 |  *(_t374 + 0x10074e01);
				 *((intOrPtr*)(_t237 + 0x2d)) =  *((intOrPtr*)(_t237 + 0x2d)) + _t374;
				 *_t237 =  *_t237 + _t237;
				 *_t237 =  *_t237 & _t237;
				_t312 =  &(_t308[1]);
				_t404 = __esi |  *(__ecx + _t237 + 0x100754);
				if(_t404 < 0) {
					 *_t237 =  *_t237 + _t237;
					 *_t237 =  *_t237 + _t237;
					_t360 = __ecx |  *(_t420 + 0x11074102);
					 *((intOrPtr*)(_t420 + 0x200000 + _t420)) =  *((intOrPtr*)(_t420 + 0x200000 + _t420)) + _t237;
					_t312 = ( &(_t312[0]) | _t312[0x441d1c1]) + _t237 + 1;
					_t404 = _t404 |  *_t360;
					_t237 = _t237 +  *_t390;
					_pop(es);
					asm("adc al, [eax]");
					 *0x200000 =  *0x200000 >> 1;
				}
				_t312[2] = _t312[2] + _t237;
				_t239 = _t237 - 0xffffffffda001207;
				_t313 =  &(_t312[0]);
				_t405 = _t404 |  *_t239;
				_t313[1] = _t313 + _t313[1];
				asm("adc eax, [eax]");
				asm("in al, 0x2d");
				 *_t239 =  *_t239 + _t239;
				 *_t239 =  *_t239 & _t239;
				_t240 = _t239 |  *(_t360 + 1);
				asm("popad");
				_pop(es);
				asm("adc eax, [eax]");
				asm("daa");
				 *[cs:eax] =  *[cs:eax] + _t240;
				 *_t240 =  *_t240 + _t240;
				_t421 = _t420;
				asm("adc al, 0x0");
				_t241 = _t240 ^ 0x0000002e;
				 *_t241 =  *_t241 + _t241;
				 *_t241 =  *_t241 & _t241;
				_t317 =  &(_t313[0]) + _t313[2] + 1;
				_t391 = _t390 | _t405;
				_t242 = _t241 +  *((intOrPtr*)(7 + _t360));
				asm("adc al, 0x0");
				if(_t242 <= 0) {
					 *_t242 =  *_t242 + _t242;
					 *_t242 =  *_t242 + _t242;
					_t295 = _t242 |  *(_t391 + 2);
					_pop(_t355);
					_pop(es);
					asm("adc eax, 0x2e8400");
					 *_t295 =  *_t295 + _t295;
					 *((intOrPtr*)(_t355 + 0xb)) =  *((intOrPtr*)(_t355 + 0xb)) + _t295;
					_pop(_t296);
					_t297 = _t296 +  *((intOrPtr*)(7 + _t360));
					asm("adc eax, 0x2ec700");
					 *_t297 =  *_t297 + _t297;
					 *((intOrPtr*)(_t355 + 0xb)) =  *((intOrPtr*)(_t355 + 0xb)) + _t297;
					asm("retf");
					_t317 = _t355 +  *((intOrPtr*)(_t355 + 7));
					_push(ss);
					_t242 = _t297 + _t374;
					 *[cs:eax] =  *[cs:eax] + _t242;
					 *_t242 =  *_t242 & _t242;
				}
				_t243 = _t242 +  *((intOrPtr*)(7 + _t360));
				_push(ss);
				 *_t391 =  *_t391 + _t374;
				asm("das");
				 *_t243 =  *_t243 + _t243;
				 *_t243 =  *_t243 + _t243;
				_t422 = _t421 |  *(_t360 + 0x17075b02);
				 *((intOrPtr*)(_t391 + _t422)) =  *((intOrPtr*)(_t391 + _t422)) + _t243;
				 *_t243 =  *_t243 + _t243;
				 *_t243 =  *_t243 & _t243;
				_t392 = _t391 |  *(_t374 + 0x17076102);
				 *((intOrPtr*)(0x2f + _t392)) =  *((intOrPtr*)(0x2f + _t392)) + _t243;
				 *_t243 =  *_t243 + _t243;
				 *_t243 =  *_t243 + _t243;
				_t323 = (_t317 + 0x00000001 | _t440) + 3 |  *_t243;
				_t58 = 7 + _t243;
				 *_t58 =  *((intOrPtr*)(7 + _t243)) + _t422;
				asm("sbb [eax], al");
				if( *_t58 != 0) {
					 *_t243 =  *_t243 + _t243;
					 *_t243 =  *_t243 & _t243;
					_t323 = _t323 + 1;
					_t440 = _t440 |  *(_t360 + _t243);
					asm("outsb");
					_pop(es);
					asm("sbb [eax], al");
					 *_t360 = 0x2f +  *_t360;
					 *((intOrPtr*)(_t422 + 0x19045307)) =  *((intOrPtr*)(_t422 + 0x19045307)) + _t360;
					 *0x0000005F =  *((intOrPtr*)(0x5f)) + 0x2f;
					 *_t405 =  *_t405 + 0x2f;
					asm("sbb [edx+0x19], bl");
					_push(es);
					 *_t374 =  *_t374 + _t323;
					_t243 = 0x2f + _t323;
					 *0x2f =  *0x2f ^ _t243;
					 *0x2f =  *0x2f + _t243;
					 *_t360 =  *_t360 + _t243;
				}
				 *((intOrPtr*)(_t243 + 0x1a0775)) =  *((intOrPtr*)(_t243 + 0x1a0775)) + _t360;
				asm("sbb eax, 0x32");
				 *_t360 =  *_t360 + _t243;
				_pop(es);
				asm("sbb al, 0x0");
				_t324 = _t323 + 1;
				_t246 = _t243 + _t243 + 0x00000075 ^  *(_t243 + _t243 + 0x75);
				 *_t246 =  *_t246 + _t246;
				 *_t360 =  *_t360 + _t246;
				_t67 = _t360 + 0xf;
				 *_t67 =  *((intOrPtr*)(_t360 + 0xf)) + _t324;
				if( *_t67 == 0) {
					_push(ds);
					 *((intOrPtr*)(_t405 + 0x32)) =  *((intOrPtr*)(_t405 + 0x32)) + _t246;
					 *_t246 =  *_t246 + _t246;
					 *_t246 =  *_t246 + _t246;
				}
				 *_t405 =  *_t405 + _t246;
				asm("sbb [edx+0x19], bl");
				_push(es);
				 *_t246 =  *_t246 + _t246;
				 *((intOrPtr*)(_t246 + 0x32)) =  *((intOrPtr*)(_t246 + 0x32)) + _t374;
				 *_t246 =  *_t246 + _t246;
				 *_t246 =  *_t246 + _t246;
				_push(es);
				 *_t360 =  *_t360 | _t374;
				asm("adc dh, [edx]");
				_t247 = _t246 +  *_t246;
				 *((intOrPtr*)(_t247 + 0x32)) =  *((intOrPtr*)(_t247 + 0x32)) + _t360;
				 *_t247 =  *_t247 + _t247;
				 *_t247 =  *_t247 + _t247;
				_push(es);
				 *0x20018f12 =  *0x20018f12 | _t247;
				 *((intOrPtr*)(_t374 + _t405)) =  *((intOrPtr*)(_t374 + _t405)) + _t247;
				 *_t247 =  *_t247 | _t374;
				asm("sbb [edx], dh");
				_t248 = _t247 +  *_t360;
				 *((intOrPtr*)(_t374 + _t405)) =  *((intOrPtr*)(_t374 + _t405)) + _t324;
				 *(_t248 + _t324 - 0x71) =  *(_t248 + _t324 - 0x71) | _t248;
				 *_t360 =  *_t360 + _t440;
				 *((intOrPtr*)(_t248 + 0x32)) =  *((intOrPtr*)(_t248 + 0x32)) + _t374;
				 *_t405 =  *_t405 + _t248;
				 *(_t392 + 0x14) =  *(_t392 + 0x14) | _t248;
				asm("repe add [edx], ah");
				_t250 = _t248 + _t360 ^  *(_t248 + _t360);
				 *_t250 =  *_t250 + _t250;
				 *_t405 =  *_t405 + _t250;
				 *(_t324 + 0x14) =  *(_t324 + 0x14) | _t324;
				asm("adc eax, 0xfc002200");
				_t251 = _t250 ^  *_t250;
				 *_t251 =  *_t251 + _t251;
				 *_t360 =  *_t360 + _t251;
				 *_t374 =  *_t374 + _t360;
				asm("sbb bh, [ebp+0x7]");
				_t253 = es;
				_t254 = _t253 ^  *_t253;
				 *_t254 =  *_t254 + _t254;
				 *_t360 =  *_t360 + _t374;
				_t375 = _t374 + _t374;
				asm("adc [edi+0x70002507], eax");
				_t255 = _t254 ^  *_t254;
				 *_t255 =  *_t255 + _t255;
				 *_t360 =  *_t360 + _t255;
				_t256 = _t255 + _t324;
				 *(_t392 + _t256 + 0x33c40026) =  *(_t392 + _t256 + 0x33c40026) & _t360;
				 *_t256 =  *_t256 + _t256;
				 *_t256 =  *_t256 + _t256;
				 *_t256 =  *_t256 + _t256;
				_t257 = _t256 & 0x28078c1d;
				 *_t257 =  *_t257 + _t375;
				_t258 = _t257 ^ 0x00000000;
				 *_t258 =  *_t258 + _t258;
				 *_t405 =  *_t405 + _t258;
				 *_t258 =  *_t258 + _t375;
				asm("sbb eax, 0x2a0796");
				_t259 = es;
				_t260 = _t259 ^ 0x00000000;
				 *_t260 =  *_t260 + _t260;
				 *_t360 =  *_t360 + _t260;
				 *(_t392 + 0x14) =  *(_t392 + 0x14) + _t360;
				asm("repe add [edx], ch");
				 *((intOrPtr*)(_t260 + 0x34)) =  *((intOrPtr*)(_t260 + 0x34)) + _t375;
				 *_t360 =  *_t360 + _t260;
				_t261 = _t260 | 0x002a07a1;
				asm("loopne 0x36");
				 *_t261 =  *_t261 + _t261;
				 *_t261 =  *_t261 + _t261;
				 *_t261 =  *_t261 + _t261;
				asm("lodsd");
				asm("adc [edx], esi");
				_t362 = _t360 + _t260 +  *_t324;
				 *_t261 =  *_t261 + _t375;
				_t262 = _t261 ^ 0x00000000;
				 *_t262 =  *_t262 + _t262;
				 *_t262 =  *_t262 + _t262;
				 *[ss:eax] =  *[ss:eax] + _t262;
				 *_t262 =  *_t262 + _t262;
				 *_t262 =  *_t262 + _t262;
				_t263 = _t262 - 0x2b000614;
				 *((intOrPtr*)(_t263 + 0x36)) =  *((intOrPtr*)(_t263 + 0x36)) + _t362;
				 *_t362 =  *_t362 + _t263;
				_t376 = _t375 + _t324;
				asm("adc eax, 0x2b0006");
				 *_t263 =  *_t263 + _t263;
				 *_t263 =  *_t263 + _t263;
				 *_t263 =  *_t263 + _t263;
				asm("adc dl, [esi+eax]");
				 *_t324 =  *_t324 + _t362;
				 *((intOrPtr*)(0x2b000605 + _t405)) =  *((intOrPtr*)(0x2b000605 + _t405)) + _t362;
				 *_t263 =  *_t263 + _t263;
				 *_t263 =  *_t263 + _t263;
				 *_t263 =  *_t263 + _t263;
				 *((intOrPtr*)(_t405 + _t263)) =  *((intOrPtr*)(_t405 + _t263)) + _t376;
				 *_t324 =  *_t324 + _t362;
				 *((intOrPtr*)(_t263 + 0x37)) =  *((intOrPtr*)(_t263 + 0x37)) + _t324;
				 *_t263 =  *_t263 + _t263;
				 *_t263 =  *_t263 + _t263;
				 *_t263 =  *_t263 + _t263;
				asm("rol dword [0x2b0006], cl");
				L10();
				 *_t362 =  *_t362 + _t263;
				 *_t376 =  *_t376 + _t263;
				_t264 = _t263 + 0x2b0006;
				asm("adc edi, [eax]");
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				_push(es);
				asm("sbb [edx+0x19], bl");
				_push(es);
				 *_t324 =  *_t324 + _t362;
				 *((intOrPtr*)(_t264 + 0x2b000605)) =  *((intOrPtr*)(_t264 + 0x2b000605)) + _t362;
				 *_t264 =  *_t264 + _t264;
				_t266 = _t264 + _t264 + _t264 + _t264;
				 *0x9c002b00 =  *0x9c002b00 | _t376;
				 *_t266 =  *_t266 + _t266;
				 *_t362 =  *_t362 + _t266;
				 *((intOrPtr*)(_t376 + 0x20)) =  *((intOrPtr*)(_t376 + 0x20)) + _t376;
				_push(es);
				 *((intOrPtr*)(_t266 + _t266)) =  *((intOrPtr*)(_t266 + _t266)) + _t362;
				_t394 = 0x2b000605 -  *_t376;
				 *_t266 =  *_t266 + _t266;
				 *_t266 =  *_t266 + _t266;
				asm("sbb eax, 0x2c0768");
				 *_t266 =  *_t266 + _t266;
				 *_t266 =  *_t266 & _t266;
				_t326 = _t324 + 2;
				_t441 = _t440 | 0x2b000605;
				asm("sbb eax, 0x2c076e");
				if(_t441 == 0) {
					 *_t266 =  *_t266 + _t266;
					 *_t266 =  *_t266 + _t266;
					_t326 = _t326 + 1;
					_t405 = _t405 - 1;
					_pop(es);
					_t293 = _t266 - 0x3a8800;
					 *_t293 =  *_t293 + _t293;
					_t112 = _t326 + 0xb;
					 *_t112 =  *((intOrPtr*)(_t326 + 0xb)) + _t293;
					if( *_t112 == 0) {
						es = _t441;
					}
					_t266 = _t293 - 0x3acb00;
					 *_t266 =  *_t266 + _t266;
					 *_t405 =  *_t405 + _t266;
					 *((intOrPtr*)(_t394 + _t266 + 6)) =  *((intOrPtr*)(_t394 + _t266 + 6)) + _t326;
					 *_t405 =  *_t405 + _t362;
					 *((intOrPtr*)(_t326 + 0x32)) =  *((intOrPtr*)(_t326 + 0x32)) + _t266;
					 *_t266 =  *_t266 + _t266;
					 *_t266 =  *_t266 + _t266;
					 *_t266 =  *_t266 + _t266;
					_t422 = 0x2e077504;
					 *((intOrPtr*)(_t326 + 0x32)) =  *((intOrPtr*)(_t326 + 0x32)) + _t266;
					 *_t266 =  *_t266 + _t266;
				}
				 *_t266 =  *_t266 + _t266;
				 *_t266 =  *_t266 + _t266;
				_t378 =  *_t266 * 0x75;
				_pop(es);
				 *_t266 =  *_t266 ^ _t266;
				asm("loopne 0x3c");
				 *_t266 =  *_t266 + _t266;
				 *_t266 =  *_t266 + _t266;
				_push(es);
				 *(_t422 + 2) =  *(_t422 + 2) | _t394;
				_t327 = _t326 + 1;
				_t269 = _t266 + _t362 ^  *(_t266 + _t362) ^  *(_t266 + _t362 ^  *(_t266 + _t362));
				 *_t269 =  *_t269 + _t269;
				 *_t362 =  *_t362 + _t269;
				 *_t378 =  *_t378 + _t269;
				asm("adc [esi-0x10ffcdf9], esp");
				 *_t269 =  *_t269 + _t269;
				 *_t405 =  *_t405 + _t269;
				asm("sbb [edx+0x19], bl");
				_push(es);
				 *((intOrPtr*)(_t269 + _t269)) =  *((intOrPtr*)(_t269 + _t269)) + _t378;
				 *_t327 =  *_t327 + _t327;
				 *_t269 =  *_t269 + _t269;
				 *_t269 =  *_t269 + _t269;
				 *_t269 =  *_t269 + _t269;
				if( *_t269 == 0) {
					_t269 = _t269 ^ 0x00000000;
					_t441 = _t441 + 1;
					 *_t269 =  *_t269 + _t269;
				}
				 *_t362 =  *_t362 + _t269;
				_t328 = _t327 + _t269;
				_pop(es);
				 *_t405 =  *_t405 + _t378;
				 *((intOrPtr*)(_t328 + _t394)) =  *((intOrPtr*)(_t328 + _t394)) + _t378;
				 *_t269 =  *_t269 + _t269;
				 *_t405 =  *_t405 + _t269;
				 *((intOrPtr*)(_t394 + 0x15)) =  *((intOrPtr*)(_t394 + 0x15)) + _t362;
				asm("scasb");
				es = es;
				 *[ss:ebx+edi] =  *[ss:ebx+edi] + _t328;
				 *((intOrPtr*)(_t269 + 0xe)) =  *((intOrPtr*)(_t269 + 0xe)) + _t328;
				_t379 = es;
				_t380 = _t379 +  *_t405;
				_t363 = _t362 + _t269;
				 *_t269 =  *_t269 + _t269;
				 *_t363 =  *_t363 + _t269;
				 *_t328 =  *_t328 + _t363;
				asm("adc [ebp+0x7], dh");
				_t270 = _t269 + _t380;
				 *_t270 =  *_t270 + _t270;
				 *_t363 =  *_t363 + _t270;
				 *((intOrPtr*)(_t328 + 0x38000619)) =  *((intOrPtr*)(_t328 + 0x38000619)) + _t328;
				 *_t270 =  *_t270 + _t328;
				 *_t270 =  *_t270 + _t270;
				_push(ss);
				asm("adc [ebp+0x7], dh");
				_t271 = _t270 & 0x0000003d;
				 *_t271 =  *_t271 + _t271;
				 *_t271 =  *_t271 + _t271;
				 *_t271 =  *_t271 + _t271;
				goto 0x4c00;
				 *[ds:eax] =  *[ds:eax] + _t271;
				 *_t271 =  *_t271 + _t271;
				 *_t271 =  *_t271 + _t271;
				_t134 = _t422 + 0x10;
				 *_t134 =  *((intOrPtr*)(_t422 + 0x10)) + _t380;
				if( *_t134 == 0) {
					_pop(_t271);
					 *[ds:eax] =  *[ds:eax] + _t271;
					 *_t271 =  *_t271 + _t271;
				}
				 *_t363 =  *_t363 + _t271;
				 *_t380 =  *_t380 + _t363;
				asm("sbb al, 0x6");
				 *((intOrPtr*)(_t271 + _t271)) =  *((intOrPtr*)(_t271 + _t271)) + _t328;
				 *_t271 =  *_t271 + _t271;
				 *_t363 =  *_t363 + _t271;
				_t138 = _t422 + 0x10;
				 *_t138 =  *((intOrPtr*)(_t422 + 0x10)) + _t328;
				if( *_t138 == 0) {
					_t328 =  *_t394;
					 *_t271 =  *_t271 + _t271;
					 *_t271 =  *_t271 + _t271;
				}
				 *_t363 =  *_t363 + _t271;
				 *((intOrPtr*)(_t394 + 0x1e)) =  *((intOrPtr*)(_t394 + 0x1e)) + _t380;
				_push(es);
				 *_t405 =  *_t405 + _t328;
				 *((intOrPtr*)(_t394 + _t394)) =  *((intOrPtr*)(_t394 + _t394)) + _t380;
				 *_t271 =  *_t271 + _t271;
				_t406 = _t405 + 1;
				_push(ds);
				asm("adc [eax], al");
				_t273 = _t271 + _t363 + 1;
				 *_t273 =  *_t273 + _t273;
				 *_t273 =  *_t273 + _t273;
				 *_t273 =  *_t273 + _t273;
				_t395 = _t273;
				asm("pcmpeqw mm0, [edi]");
				asm("aas");
				_t276 = _t394 + _t328 + 1;
				 *_t276 =  *_t276 + _t276;
				 *_t276 =  *_t276 + _t276;
				 *_t276 =  *_t276 + _t276;
				asm("wait");
				_t277 = _t276 + 6;
				 *_t363 =  *_t363 + _t277;
				_push(_t441);
				 *_t277 =  *_t277 + _t277;
				 *_t277 =  *_t277 + _t277;
				 *_t277 =  *_t277 + _t277;
				asm("cmc");
				asm("adc [ebp+0x7], dh");
				_t364 = _t363 + 1;
				_t406[0x10] = _t406[0x10] + _t328;
				 *_t277 =  *_t277 + _t277;
				 *_t277 =  *_t277 + _t277;
				 *_t277 =  *_t277 + _t277;
				_push(es);
				 *_t328 =  *_t328 + _t277;
				asm("insd");
				_t382 = _t380 + 2;
				 *_t277 =  *_t277 + _t277;
				 *_t277 =  *_t277 + _t277;
				 *_t277 =  *_t277 + _t277;
				asm("stosd");
				asm("pcmpeqw mm0, [edi]");
				_t329 = _t328 + 1;
				 *((intOrPtr*)(_t277 + 0x42)) =  *((intOrPtr*)(_t277 + 0x42)) + _t329;
				 *_t277 =  *_t277 + _t277;
				 *_t277 =  *_t277 + _t277;
				 *_t277 =  *_t277 + _t277;
				 *((intOrPtr*)(_t441 + 0x8a000c06)) =  *((intOrPtr*)(_t441 + 0x8a000c06)) + _t364;
				 *0x45000603 =  *0x45000603 + 0x45000603;
				 *0x45000603 =  *0x45000603 + 0x45000603;
				 *0x45000603 =  *0x45000603 + 0x45000603;
				_t365 =  *_t395;
				 *_t395 = _t364;
				if( *0x45000603 == 0) {
					_t422 = _t422 + 1;
					 *0x45000603 =  *0x45000603 + _t329;
					_t441 = _t441 + 1;
					 *0x45000603 =  *0x45000603 + 0x45000603;
					 *0x45000603 =  *0x45000603 + 0x45000603;
				}
				 *_t365 =  *_t365 + 0x45000603;
				 *((intOrPtr*)(_t441 + 0x45470609)) =  *((intOrPtr*)(_t441 + 0x45470609)) + _t382;
				asm("in al, dx");
				 *0x45000603 =  *0x45000603 + 0x45000603;
				 *0x45000603 =  *0x45000603 + 0x45000603;
				 *0x45000603 =  *0x45000603 + 0x45000603;
				asm("rcl dword [eax], 0x75");
				_pop(es);
				_t396 = _t395 + 1;
				_t279 = 0x45000603 + _t329;
				_t424 = _t422 + 2;
				 *_t279 =  *_t279 + _t279;
				 *_t279 =  *_t279 + _t279;
				 *_t279 =  *_t279 + _t279;
				_push(es);
				 *_t365 =  *_t365 + _t365;
				_t280 = _t279 | 0x00000048;
				 *_t280 =  *_t280 + _t280;
				 *_t280 =  *_t280 + _t280;
				 *_t280 =  *_t280 + _t280;
				_t281 = _t280 + 1;
				asm("adc [ebp+0x7], dh");
				_t366 = _t365 - 1;
				 *_t281 =  *_t281 + _t329;
				_t282 = _t281 - 1;
				 *_t282 =  *_t282 + _t282;
				 *_t282 =  *_t282 + _t282;
				 *_t282 =  *_t282 + _t282;
				_push(es);
				 *_t329 =  *_t329 + _t366;
				_t283 = _t282 + 0x49;
				 *_t283 =  *_t283 + _t283;
				 *_t283 =  *_t283 + _t283;
				 *_t283 =  *_t283 + _t283;
				_t384 = 0x0000001b |  *_t366;
				if(0x1b == 0) {
					_t329 = _t329 - 1;
					 *_t283 =  *_t283 + 0x1b;
					_t366 = _t366 - 1;
					 *_t283 =  *_t283 + _t283;
					 *_t283 =  *_t283 + _t283;
				}
				 *_t366 =  *_t366 + _t283;
				 *0x4d000623 =  *0x4d000623 + _t384;
				_t284 = _t283 + _t366;
				_t385 = _t384 - 1;
				 *_t284 =  *_t284 + _t284;
				 *_t284 =  *_t284 + _t284;
				 *_t284 =  *_t284 + _t284;
				asm("in al, 0x10");
				if( *_t284 == 0) {
					_t424 = _t424 - 1;
					_t284 = _t284 + _t385;
					_t385 = _t385 - 1;
					 *_t284 =  *_t284 + _t284;
					 *_t284 =  *_t284 + _t284;
				}
				 *_t366 =  *_t366 + _t284;
				 *_t385 =  *_t385 + _t284;
				_t285 = _t284 &  *_t406;
				 *_t396 =  *_t396 + _t366;
				asm("int3");
				_t442 = _t441 - 1;
				 *_t285 =  *_t285 + _t285;
				 *_t285 =  *_t285 + _t285;
				 *_t285 =  *_t285 + _t285;
				asm("rcl dword [eax], 1");
				if( *_t285 == 0) {
					_t396 = _t396 - 1;
					_t285 = _t285 + _t329;
					_t442 = _t442 - 1;
					 *_t285 =  *_t285 + _t285;
					 *_t285 =  *_t285 + _t285;
				}
				 *_t366 =  *_t366 + _t285;
				 *_t385 =  *_t385 + _t285;
				_t286 = _t285 &  *_t406;
				 *_t366 =  *_t366 + _t385;
				 *_t286 =  *_t286 + _t286;
				 *_t366 =  *_t366 + _t286;
				 *((intOrPtr*)(_t329 + 0x5107750f)) =  *((intOrPtr*)(_t329 + 0x5107750f)) + _t329;
				 *((intOrPtr*)(_t406 + _t366 * 2)) =  *((intOrPtr*)(_t406 + _t366 * 2)) + _t286;
				 *_t286 =  *_t286 + _t286;
				 *_t366 =  *_t366 + _t286;
				_t330 = _t329 + _t385;
				_t287 = _t286 +  *_t406;
				 *_t330 =  *_t330 + _t385;
				asm("movsb");
				 *_t287 =  *_t287 + _t287;
				 *_t287 =  *_t287 + _t287;
				asm("les eax, [edx]");
				asm("ror byte [ecx], 0x15");
				 *_t330 =  *_t330 + _t385;
				asm("hlt");
				 *_t287 =  *_t287 + _t287;
				 *_t287 =  *_t287 + _t287;
				 *_t287 =  *_t287 + _t287;
				if( *_t287 >= 0) {
					 *((intOrPtr*)(_t287 + _t287 - 0x4a)) =  *((intOrPtr*)(_t287 + _t287 - 0x4a)) + _t385;
					 *_t287 =  *_t287 + _t287;
					 *_t287 =  *_t287 + _t287;
					_t366 = _t366 | _t385;
					es = es;
					_t442 = 0xc0005407;
					 *_t287 =  *_t287 + _t287;
					 *_t287 =  *_t287 & _t287;
					_t330 = _t330 + 2 | _t442;
					_pop(es);
					asm("outsb");
					_pop(es);
					_push(_t442);
					 *_t330 =  *_t330 + _t287;
				}
				_t331 = _t330 +  *_t424;
				 *_t287 =  *_t287 + _t287;
				 *((intOrPtr*)(_t331 + 0xb)) =  *((intOrPtr*)(_t331 + 0xb)) + _t287;
				 *0x2000005d =  *0x2000005d + _t366;
				 *((intOrPtr*)(_t331 + 0xb)) =  *((intOrPtr*)(_t331 + 0xb)) + 7;
				asm("sahf");
				_t425 = ss;
				 *7 = 7 +  *7;
				 *7 = 7 +  *7;
				_t387 = 0x16005507 |  *(_t425 + 0x56076819);
				 *7 = 7 +  *7;
				 *7 = 7 +  *7;
				 *7 =  *7 & 0x00000007;
				_t333 = _t331 + 2;
				 *((intOrPtr*)(_t333 + 0x5d)) =  *((intOrPtr*)(_t333 + 0x5d)) + 7;
				 *7 = 7 +  *7;
				 *7 = 7 +  *7;
				 *7 = 7 +  *7;
				 *7 =  *7 & 0x00000007;
				_t335 = _t333 + 2;
				_t289 = 0x00000007 |  *0x6D07C320;
				 *((intOrPtr*)(_t335 + 0x5d)) =  *((intOrPtr*)(_t335 + 0x5d)) + _t387;
				 *((intOrPtr*)(_t335 + 0xb)) =  *((intOrPtr*)(_t335 + 0xb)) + _t289;
				asm("loop 0x1d");
				 *_t289 =  *_t289 + _t289;
				 *_t289 =  *_t289 & _t289;
				_t336 = _t335 + 1;
				asm("sbb ebp, [esi+0x7]");
				_t290 = 0xc0005807;
				 *_t336 =  *_t336 + _t290;
				_t408 = 0x70005707;
				 *_t290 =  *_t290 + _t290;
				 *_t290 =  *_t290 + _t290;
				 *_t290 =  *_t290 + _t290;
				 *_t290 =  *_t290 & _t290;
				_t339 = (_t336 + 0x00000001 |  *(_t408 + _t336 + 1)) + 1;
				asm("outsb");
				es = ds;
				 *((intOrPtr*)(_t339 + 0x5e)) =  *((intOrPtr*)(_t339 + 0x5e)) + _t387;
				 *_t290 =  *_t290 + _t290;
				 *_t290 =  *_t290 + _t290;
				 *_t290 =  *_t290 + _t290;
				 *_t290 =  *_t290 & _t290;
				_t342 = _t339 + 2 |  *(_t339 + 2 + _t290 + 0x6e);
				es = 0x60005a07;
				_t388 = 0x10005907;
				 *((intOrPtr*)(_t342 + 0x5e)) =  *((intOrPtr*)(_t342 + 0x5e)) + 7;
				 *((intOrPtr*)(_t342 + 0xb)) =  *((intOrPtr*)(_t342 + 0xb)) + _t290;
				_t412 = 0xb0005b07;
				 *_t290 =  *_t290 + _t290;
				 *_t290 =  *_t290 & _t290;
				_t291 = _t290 |  *(_t412 + 0x22);
				asm("outsb");
				es = _t424;
				_t344 = ss;
				 *_t291 =  *_t291 + _t291;
				 *_t291 =  *_t291 + _t291;
				_t292 = _t291 ^ 0x00000007;
				_pop(_t414);
				 *_t292 =  *_t292 + _t292;
				 *_t292 =  *_t292 & _t292;
				 *_t414 =  *_t414 + _t292;
				 *_t292 =  *_t292 + _t292;
				 *_t292 =  *_t292 + _t292;
				 *_t292 =  *_t292 + _t388;
				 *_t292 =  *_t292 + _t292;
				 *_t292 =  *_t292 & _t292;
				_t349 = _t344 + _t388 + 4;
				 *((intOrPtr*)(_t349 + 0x5f)) =  *((intOrPtr*)(_t349 + 0x5f)) + _t388;
				 *_t292 =  *_t292 + _t292;
				 *_t292 =  *_t292 + _t292;
				 *((intOrPtr*)(_t292 + 0x5f)) =  *((intOrPtr*)(_t292 + 0x5f)) + 7;
				 *_t292 =  *_t292 + _t292;
				 *_t292 =  *_t292 & _t292;
				_t351 = _t349 + 2;
				asm("outsb");
				_pop(es);
				 *((intOrPtr*)(_t351 + 0x5f)) =  *((intOrPtr*)(_t351 + 0x5f)) + _t292;
				 *((intOrPtr*)(_t351 + 0xb)) =  *((intOrPtr*)(_t351 + 0xb)) + _t292;
				return _t292;
			}

0x001685c8
0x001685c8
0x001685ca
0x001685cc
0x001685d0
0x001685d1
0x001685d3
0x001685d5
0x001685d7
0x001685dc
0x001685de
0x001685e0
0x001685e2
0x001685e4
0x001685e6
0x001685ea
0x001685ec
0x001685ec
0x001685ee
0x001685f0
0x001685f2
0x001685f5
0x001685f7
0x001685f8
0x001685fa
0x001685fc
0x001685fe
0x00168600
0x00168602
0x00168604
0x00168605
0x00168608
0x0016860a
0x0016860c
0x0016860e
0x00168610
0x00168613
0x00168614
0x00168616
0x00168619
0x0016861b
0x0016861d
0x00168620
0x00168622
0x00168626
0x00168628
0x0016862b
0x0016862f
0x00168631
0x00168638
0x0016863a
0x00168641
0x00168643
0x00168645
0x00168647
0x00168649
0x0016864a
0x0016864f
0x00168651
0x00168653
0x00168655
0x00168657
0x00168659
0x0016865a
0x0016865f
0x00168661
0x00168663
0x00168667
0x0016866d
0x0016866f
0x00168673
0x00168675
0x00168676
0x0016867b
0x0016867d
0x0016867f
0x00168681
0x00168683
0x00168684
0x00168689
0x0016868b
0x0016868d
0x00168691
0x00168692
0x00168697
0x00168699
0x0016869b
0x001686a0
0x001686a2
0x001686a5
0x001686ab
0x001686b1
0x001686b3
0x001686b5
0x001686b7
0x001686bb
0x001686be
0x001686c9
0x001686cc
0x001686ce
0x001686d0
0x001686d2
0x001686db
0x001686e0
0x001686e3
0x001686e5
0x001686e6
0x001686eb
0x001686ed
0x001686f0
0x001686f1
0x001686f7
0x001686fd
0x00168700
0x00168702
0x00168703
0x00168706
0x00168708
0x0016870a
0x0016870b
0x00168710
0x00168711
0x00168714
0x00168716
0x00168719
0x0016871b
0x0016871e
0x00168722
0x00168724
0x00168727
0x00168729
0x0016872c
0x00168730
0x00168732
0x00168735
0x0016873b
0x0016873e
0x00168740
0x00168742
0x00168743
0x0016874a
0x0016874c
0x0016874e
0x00168751
0x00168757
0x0016876c
0x0016876d
0x0016876f
0x00168771
0x00168772
0x00168774
0x00168774
0x00168779
0x00168783
0x00168788
0x00168789
0x0016878b
0x0016878e
0x00168790
0x00168792
0x00168794
0x00168797
0x0016879a
0x0016879b
0x0016879c
0x0016879e
0x0016879f
0x001687a2
0x001687a5
0x001687aa
0x001687ac
0x001687ae
0x001687b0
0x001687b2
0x001687b3
0x001687b5
0x001687b8
0x001687ba
0x001687bc
0x001687be
0x001687c1
0x001687c4
0x001687c5
0x001687c6
0x001687cb
0x001687cd
0x001687d0
0x001687d1
0x001687d4
0x001687d9
0x001687db
0x001687de
0x001687df
0x001687e2
0x001687e3
0x001687e5
0x001687e8
0x001687e8
0x001687ed
0x001687f0
0x001687f1
0x001687f3
0x001687f4
0x001687f6
0x001687f9
0x001687ff
0x00168802
0x00168804
0x00168807
0x0016880d
0x00168810
0x00168812
0x00168815
0x00168817
0x00168817
0x0016881a
0x0016881c
0x0016881e
0x00168820
0x00168822
0x00168823
0x00168826
0x00168827
0x00168828
0x0016882f
0x00168831
0x00168837
0x0016883d
0x0016883f
0x00168842
0x00168843
0x00168845
0x00168847
0x00168849
0x0016884b
0x0016884b
0x0016884d
0x00168854
0x00168859
0x0016885f
0x00168860
0x00168862
0x00168863
0x00168865
0x00168867
0x00168869
0x00168869
0x0016886c
0x0016886e
0x0016886f
0x00168872
0x00168874
0x00168874
0x00168875
0x00168877
0x0016887a
0x0016887b
0x0016887d
0x00168880
0x00168882
0x00168884
0x00168885
0x00168887
0x00168889
0x0016888b
0x0016888e
0x00168890
0x00168892
0x00168893
0x00168899
0x001688a1
0x001688a3
0x001688a5
0x001688a7
0x001688af
0x001688b3
0x001688b5
0x001688bb
0x001688bd
0x001688c0
0x001688c5
0x001688c7
0x001688c9
0x001688cb
0x001688ce
0x001688d3
0x001688d5
0x001688d7
0x001688d9
0x001688db
0x001688e0
0x001688e1
0x001688e3
0x001688e5
0x001688e7
0x001688e9
0x001688ef
0x001688f1
0x001688f3
0x001688f5
0x001688f7
0x001688fe
0x00168900
0x00168902
0x00168904
0x00168909
0x0016890b
0x0016890d
0x0016890f
0x00168911
0x00168913
0x00168918
0x00168919
0x0016891b
0x0016891d
0x0016891f
0x00168922
0x00168925
0x0016892b
0x0016892f
0x00168934
0x00168936
0x00168938
0x0016893a
0x0016893c
0x0016893d
0x0016893f
0x00168941
0x00168943
0x00168948
0x0016894f
0x00168951
0x00168954
0x00168956
0x00168958
0x0016895d
0x00168963
0x00168965
0x00168967
0x0016896e
0x00168970
0x00168972
0x00168974
0x00168977
0x00168979
0x0016897c
0x0016897e
0x00168980
0x00168982
0x00168985
0x00168987
0x0016898a
0x0016898c
0x0016898e
0x00168990
0x00168996
0x0016899b
0x0016899d
0x0016899f
0x001689a4
0x001689a6
0x001689a8
0x001689aa
0x001689ab
0x001689ae
0x001689af
0x001689b1
0x001689b5
0x001689b9
0x001689bb
0x001689c3
0x001689c5
0x001689c7
0x001689ca
0x001689cb
0x001689ce
0x001689d0
0x001689d2
0x001689d7
0x001689de
0x001689e0
0x001689e2
0x001689e3
0x001689e5
0x001689ea
0x001689ec
0x001689ee
0x001689f0
0x001689f4
0x001689f5
0x001689f6
0x001689fb
0x001689fd
0x001689fd
0x00168a00
0x00168a03
0x00168a03
0x00168a04
0x00168a09
0x00168a0b
0x00168a0d
0x00168a11
0x00168a13
0x00168a16
0x00168a18
0x00168a1a
0x00168a1c
0x00168a21
0x00168a24
0x00168a24
0x00168a26
0x00168a28
0x00168a2a
0x00168a2d
0x00168a2e
0x00168a30
0x00168a32
0x00168a34
0x00168a36
0x00168a39
0x00168a3e
0x00168a3f
0x00168a41
0x00168a43
0x00168a45
0x00168a47
0x00168a4f
0x00168a51
0x00168a53
0x00168a56
0x00168a57
0x00168a5a
0x00168a5c
0x00168a5e
0x00168a60
0x00168a64
0x00168a66
0x00168a68
0x00168a6b
0x00168a6b
0x00168a6d
0x00168a6f
0x00168a71
0x00168a73
0x00168a75
0x00168a79
0x00168a7b
0x00168a7d
0x00168a80
0x00168a81
0x00168a82
0x00168a8b
0x00168a8e
0x00168a8f
0x00168a91
0x00168a95
0x00168a97
0x00168a99
0x00168a9b
0x00168a9e
0x00168aa3
0x00168aa5
0x00168aa7
0x00168aad
0x00168ab4
0x00168ab6
0x00168ab7
0x00168abc
0x00168abe
0x00168ac0
0x00168ac2
0x00168ac4
0x00168acb
0x00168ace
0x00168ad0
0x00168ad1
0x00168ad1
0x00168ad4
0x00168ad8
0x00168ad9
0x00168adc
0x00168adc
0x00168add
0x00168adf
0x00168ae1
0x00168ae3
0x00168ae9
0x00168aeb
0x00168aed
0x00168aed
0x00168af0
0x00168af4
0x00168af6
0x00168af8
0x00168af8
0x00168af9
0x00168afb
0x00168afe
0x00168aff
0x00168b01
0x00168b08
0x00168b0a
0x00168b0b
0x00168b0c
0x00168b11
0x00168b12
0x00168b14
0x00168b16
0x00168b18
0x00168b19
0x00168b1c
0x00168b1f
0x00168b20
0x00168b22
0x00168b24
0x00168b26
0x00168b27
0x00168b29
0x00168b2c
0x00168b2e
0x00168b30
0x00168b32
0x00168b34
0x00168b35
0x00168b38
0x00168b39
0x00168b3c
0x00168b3e
0x00168b40
0x00168b44
0x00168b45
0x00168b48
0x00168b49
0x00168b4a
0x00168b4c
0x00168b4e
0x00168b50
0x00168b51
0x00168b54
0x00168b55
0x00168b58
0x00168b5a
0x00168b5c
0x00168b63
0x00168b66
0x00168b68
0x00168b6a
0x00168b6c
0x00168b6c
0x00168b6e
0x00168b70
0x00168b71
0x00168b73
0x00168b74
0x00168b76
0x00168b76
0x00168b77
0x00168b79
0x00168b80
0x00168b82
0x00168b84
0x00168b86
0x00168b88
0x00168b8b
0x00168b8c
0x00168b8d
0x00168b8f
0x00168b90
0x00168b92
0x00168b94
0x00168b98
0x00168b99
0x00168b9c
0x00168b9e
0x00168ba0
0x00168ba2
0x00168ba4
0x00168ba5
0x00168ba8
0x00168ba9
0x00168bab
0x00168bac
0x00168bae
0x00168bb0
0x00168bb4
0x00168bb5
0x00168bb8
0x00168bba
0x00168bbc
0x00168bbe
0x00168bc0
0x00168bc2
0x00168bc4
0x00168bc5
0x00168bc7
0x00168bc8
0x00168bca
0x00168bca
0x00168bcb
0x00168bcd
0x00168bd3
0x00168bd5
0x00168bd6
0x00168bd8
0x00168bda
0x00168bdc
0x00168bde
0x00168be0
0x00168be1
0x00168be3
0x00168be4
0x00168be6
0x00168be6
0x00168be7
0x00168be9
0x00168beb
0x00168bed
0x00168bf0
0x00168bf1
0x00168bf2
0x00168bf4
0x00168bf6
0x00168bf8
0x00168bfa
0x00168bfc
0x00168bfd
0x00168bff
0x00168c00
0x00168c02
0x00168c02
0x00168c03
0x00168c05
0x00168c07
0x00168c09
0x00168c0f
0x00168c11
0x00168c13
0x00168c19
0x00168c1d
0x00168c1f
0x00168c21
0x00168c23
0x00168c25
0x00168c28
0x00168c2a
0x00168c2c
0x00168c2e
0x00168c30
0x00168c33
0x00168c36
0x00168c38
0x00168c3a
0x00168c3c
0x00168c3e
0x00168c41
0x00168c46
0x00168c48
0x00168c4b
0x00168c4d
0x00168c53
0x00168c54
0x00168c56
0x00168c59
0x00168c5b
0x00168c5c
0x00168c5d
0x00168c5e
0x00168c5f
0x00168c5f
0x00168c60
0x00168c63
0x00168c65
0x00168c6d
0x00168c73
0x00168c76
0x00168c7d
0x00168c7e
0x00168c80
0x00168c83
0x00168c89
0x00168c8c
0x00168c8e
0x00168c90
0x00168c97
0x00168c9a
0x00168c9c
0x00168ca8
0x00168caa
0x00168cac
0x00168cad
0x00168cb3
0x00168cb9
0x00168cbc
0x00168cc4
0x00168cc6
0x00168cc8
0x00168ccb
0x00168cce
0x00168ccf
0x00168cd1
0x00168cd2
0x00168cd4
0x00168ce0
0x00168ce2
0x00168ce4
0x00168ce8
0x00168ce9
0x00168ceb
0x00168cee
0x00168cf0
0x00168cfc
0x00168cfe
0x00168d01
0x00168d05
0x00168d06
0x00168d07
0x00168d0d
0x00168d17
0x00168d18
0x00168d1a
0x00168d1d
0x00168d20
0x00168d21
0x00168d22
0x00168d26
0x00168d28
0x00168d2e
0x00168d33
0x00168d34
0x00168d36
0x00168d3f
0x00168d42
0x00168d44
0x00168d4d
0x00168d50
0x00168d52
0x00168d54
0x00168d5b
0x00168d5e
0x00168d60
0x00168d69
0x00168d6c
0x00168d6e
0x00168d70
0x00168d74
0x00168d75
0x00168d77
0x00168d7d
0x00168d80

Memory Dump Source

Source File: 00000000.00000002.245810299.0000000000162000.00000002.00020000.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.245800248.0000000000160000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02d98b7460223e123317e24dde068dc75af5f7607a661930a572cbef303d8124
Instruction ID: 3c51a3380ff2dfe898febcb357bc089982c31457834f2cbc9cd085d880ec1596
Opcode Fuzzy Hash: 02d98b7460223e123317e24dde068dc75af5f7607a661930a572cbef303d8124
Instruction Fuzzy Hash: 3A02286684E3C15FD7038B748CB56927FB1AF2721471E46DBC0C1CF4A3D2195A6AC762

Uniqueness

Uniqueness Score: -1.00%

Function 00A12E09, Relevance: .3, Instructions: 337COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.246346364.0000000000A12000.00000040.00000001.sdmp, Offset: 00A12000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 677c9245357b02ecdd31e58f7cd0eb65ef102ad3dd24591e42afd8f929eb9090
Instruction ID: 461c15a3952b09febf8f103c27729b53bf1f27fd5eac83cb747deabfed67deb4
Opcode Fuzzy Hash: 677c9245357b02ecdd31e58f7cd0eb65ef102ad3dd24591e42afd8f929eb9090
Instruction Fuzzy Hash: EF51AC9A91EBC15FE703473068665823FB0AE2320874F54EBD4C1CF1B3E1585A0AE732

Uniqueness

Uniqueness Score: -1.00%

Function 04B2DED0, Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.250076545.0000000004B20000.00000040.00000001.sdmp, Offset: 04B20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d73195ead29d06526c9a5dc072a0e0a432004773aedb6defc9a73b8b75c2a414
Instruction ID: 2e22c8e8d0661c06de8c79faec173ee5e47d0f159d08a00f12ff508b2c950153
Opcode Fuzzy Hash: d73195ead29d06526c9a5dc072a0e0a432004773aedb6defc9a73b8b75c2a414
Instruction Fuzzy Hash: D2813A74E04268DFDB14DFA9C68059DFBB2FB89304F24C5A9C819AB309D734AA42CF50

Uniqueness

Uniqueness Score: -1.00%

Function 04B28DE8, Relevance: .2, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.250076545.0000000004B20000.00000040.00000001.sdmp, Offset: 04B20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb979c208ab98a35b4a0157ccbc5d78ae19102efaecb4719b4785031c09e1b60
Instruction ID: 56b7e8820acd281aeaf295b81809099cff37771ff21c099ca3a2d5385d73570a
Opcode Fuzzy Hash: cb979c208ab98a35b4a0157ccbc5d78ae19102efaecb4719b4785031c09e1b60
Instruction Fuzzy Hash: 7C71FC74E15219EFCB84DFA9D68099DBBF1FF49310F1099AAE419AB214D338AA40CF10

Uniqueness

Uniqueness Score: -1.00%

Function 04B28DD8, Relevance: .2, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.250076545.0000000004B20000.00000040.00000001.sdmp, Offset: 04B20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eed8b94dcb25b67f477373c335d5ba5538a37db83264466e5f3dfd1dee2b8430
Instruction ID: 1d60f1767d341b853ed0a254a3c70197e23daec6f9acde9bb5c029351c5a61f2
Opcode Fuzzy Hash: eed8b94dcb25b67f477373c335d5ba5538a37db83264466e5f3dfd1dee2b8430
Instruction Fuzzy Hash: 2771FD74E15219EFCB84DFA9D68499DBBF1FF49310F14D9AAE409AB214D338AA41CF10

Uniqueness

Uniqueness Score: -1.00%

Function 049742A1, Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249760587.0000000004970000.00000040.00000001.sdmp, Offset: 04970000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18a5b60595b5a07f0ef9786c2c8f7b1a11712dd202b1b61e7974e8405e11967d
Instruction ID: d9c91b79afb3cd8cf9935ee197fe0fb092bd63357e18ee3dbf54fbaf3a500bf1
Opcode Fuzzy Hash: 18a5b60595b5a07f0ef9786c2c8f7b1a11712dd202b1b61e7974e8405e11967d
Instruction Fuzzy Hash: 1D516970E4522ADFDB68CF6AC9447ADFBB6FB89210F0094FAC51DA6611E7305A819F40

Uniqueness

Uniqueness Score: -1.00%

Function 04B29FB0, Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.250076545.0000000004B20000.00000040.00000001.sdmp, Offset: 04B20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fecc7278d7070358d765be09280e5fb3398b87a2a5e256e6e230b59f610a096
Instruction ID: aa2b5597920b490833c88c758858ce3f1a3c3516774395c170dd006483811e44
Opcode Fuzzy Hash: 9fecc7278d7070358d765be09280e5fb3398b87a2a5e256e6e230b59f610a096
Instruction Fuzzy Hash: C351D3B4E1521ADFCB44CFA9C5809EEBBF1FB89200F1095AAD419B7254D338AA41CF64

Uniqueness

Uniqueness Score: -1.00%

Function 04B29FAC, Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.250076545.0000000004B20000.00000040.00000001.sdmp, Offset: 04B20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a5aabea033ac7eccccfe4ef6859dbb679cc12b95fb4755071539e0db2a1bc25
Instruction ID: d9382054f0db8997480ff6e769f809d7962ea284f03505967e0080f5fe3d162b
Opcode Fuzzy Hash: 0a5aabea033ac7eccccfe4ef6859dbb679cc12b95fb4755071539e0db2a1bc25
Instruction Fuzzy Hash: F151E374E1521ADFCF44CFA9C5809EEBBF1FB89200F2095AAD419B7294D338AA41DF54

Uniqueness

Uniqueness Score: -1.00%

Function 04B2AE73, Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.250076545.0000000004B20000.00000040.00000001.sdmp, Offset: 04B20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52fe1b0ab2f28094353aadcd131f7c073e444c5f387ef52f08458db5fcd03e31
Instruction ID: 75eb55a8eb00575f527540564bea136b915a90b353383698d2d58ffb8b5075a9
Opcode Fuzzy Hash: 52fe1b0ab2f28094353aadcd131f7c073e444c5f387ef52f08458db5fcd03e31
Instruction Fuzzy Hash: 71514171E056588BEB5CCF6B8D5429EFBF3AFC9300F14C1BA950CAA265DB3415468F11

Uniqueness

Uniqueness Score: -1.00%

Function 04B2A1D8, Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.250076545.0000000004B20000.00000040.00000001.sdmp, Offset: 04B20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b219bce9e0c04e838d7539f9d17d08626fc671d362d0f273001be6ceb8aef8f
Instruction ID: 549ff59975c726b474a5e9e3fdce1966f4dc523de6c7d6ba7e670d979eef1e30
Opcode Fuzzy Hash: 9b219bce9e0c04e838d7539f9d17d08626fc671d362d0f273001be6ceb8aef8f
Instruction Fuzzy Hash: E6411970E0521ADFCF04CFE5D6814AEFBB2EF89310F2495AAC405BB214D735AA41CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 04B29DA9, Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.250076545.0000000004B20000.00000040.00000001.sdmp, Offset: 04B20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cf0c5af5e3da6c5526cfefe48c0f5ba88b0d34f08a34e397fc886742b4d4afe
Instruction ID: 9a6d95a22c6e61c3c34bcd8c7c1b10a47f1ed6b5100e9207947f55a98397adcf
Opcode Fuzzy Hash: 3cf0c5af5e3da6c5526cfefe48c0f5ba88b0d34f08a34e397fc886742b4d4afe
Instruction Fuzzy Hash: 54411AB1E0421A9FCB44CFA9C5815AEFBB1FF89350F14D4AAC519AB214E3346645DF90

Uniqueness

Uniqueness Score: -1.00%

Function 04B2A1E8, Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.250076545.0000000004B20000.00000040.00000001.sdmp, Offset: 04B20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a1f93a08d40d82f5dc695f50ae2ce1634a576f6b9509e459f468935a8915976
Instruction ID: 19223652606782fc38019dc070c5f765ac88393f6d350682e095a699ca71a96e
Opcode Fuzzy Hash: 5a1f93a08d40d82f5dc695f50ae2ce1634a576f6b9509e459f468935a8915976
Instruction Fuzzy Hash: 0F410A70E0521ADFCF04CFD5D6814AEFBB2FB89300F20959AC519BB214E735AA41CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 04B29DB8, Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.250076545.0000000004B20000.00000040.00000001.sdmp, Offset: 04B20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a4dd9dbc45c1c531df4b5b5abd775c31d945406bc4205ad352b9c0350dce945
Instruction ID: fa8b7c865ab84f67bc8907847898f4a9ba6f2bbf59118c9048ee11019d1e1aa4
Opcode Fuzzy Hash: 0a4dd9dbc45c1c531df4b5b5abd775c31d945406bc4205ad352b9c0350dce945
Instruction Fuzzy Hash: DE4107B1E0421ADFDB44CF9AC6815AEFBB1FB88340F10D86AD519AB244E3346645DF90

Uniqueness

Uniqueness Score: -1.00%

Function 04B2D930, Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.250076545.0000000004B20000.00000040.00000001.sdmp, Offset: 04B20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cea0d84695c72cac493c53f8b9de9ffac274bf15e61de63c6e50c29dfefe33ab
Instruction ID: cfb6855cd25e7335f539ce1f6ec1355dbbf9cbbac8140ea86793e3c145d4841d
Opcode Fuzzy Hash: cea0d84695c72cac493c53f8b9de9ffac274bf15e61de63c6e50c29dfefe33ab
Instruction Fuzzy Hash: 72414970E04629CFCF58CFAACA415AEFBB6FB89200F10D5AAD418BB250D7345602CF44

Uniqueness

Uniqueness Score: -1.00%

Function 04975DE0, Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249760587.0000000004970000.00000040.00000001.sdmp, Offset: 04970000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a76b64552c54790345f50257622a77068b758e548833704558626d900f52b555
Instruction ID: ac3dd06ccda46a3bfede6f21ea11a69ee6491182fdc74e88a258cb0bb786b6cf
Opcode Fuzzy Hash: a76b64552c54790345f50257622a77068b758e548833704558626d900f52b555
Instruction Fuzzy Hash: 1F313670D05218FFDB90CFA4D488BEDBAF9AF0A320F165839E405B3650D7746A85DB58

Uniqueness

Uniqueness Score: -1.00%

Function 04975DD0, Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249760587.0000000004970000.00000040.00000001.sdmp, Offset: 04970000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9665f3c48a84b0f87cfd840d930450ef4d7015169cca6bbc95f1c2884101303
Instruction ID: aefb92a010aa1900aa789655cff6c5e3c5da6b90d0b1f4902b15fef5b4851483
Opcode Fuzzy Hash: c9665f3c48a84b0f87cfd840d930450ef4d7015169cca6bbc95f1c2884101303
Instruction Fuzzy Hash: 82315970915218FFDB94CFA4D588BEDBBF5AF0A320F16187AE005B3660D7346941DB68

Uniqueness

Uniqueness Score: -1.00%

Function 04975F10, Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249760587.0000000004970000.00000040.00000001.sdmp, Offset: 04970000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ad3e7d1873cf0f23df4128a48dd50f843b5c4aa839ae2f761a07dfd36051ae9
Instruction ID: c6ba929c4e5631551666c119f797cd54880baa94a7d6ef4ede874002b4ca8ce2
Opcode Fuzzy Hash: 6ad3e7d1873cf0f23df4128a48dd50f843b5c4aa839ae2f761a07dfd36051ae9
Instruction Fuzzy Hash: 94116770D45219AEDB50CFB5C944BFEBEF0AB0A310F14547AE441F2291EB349640CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 04B25600, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.250076545.0000000004B20000.00000040.00000001.sdmp, Offset: 04B20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20acd2e00fd2b0c058c2524038d3fc8c5b9123d9f3ba877505f26c19fd30945f
Instruction ID: a3e2c42ba99a54713d220da14c68501e862bd0d9d40bc18b95c0e1cc9a973f50
Opcode Fuzzy Hash: 20acd2e00fd2b0c058c2524038d3fc8c5b9123d9f3ba877505f26c19fd30945f
Instruction Fuzzy Hash: 3121ED71E016189BDB18CF6BD9406DEFBF3AFC9300F18C1BAD408A6254EB3415468B50

Uniqueness

Uniqueness Score: -1.00%

Function 04975F20, Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249760587.0000000004970000.00000040.00000001.sdmp, Offset: 04970000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a4ec41faeef28745a62de40d7e6c638d768e304730e63e14c13e2cf9c179c67
Instruction ID: 856847ba0d60a471fe93f468504b47b63de225f1fef18c4013f8ae30916164b5
Opcode Fuzzy Hash: 9a4ec41faeef28745a62de40d7e6c638d768e304730e63e14c13e2cf9c179c67
Instruction Fuzzy Hash: 7511E370D452199ECB54CFAAD844BEEFEF5AB4A310F149479E404B3290E7789A40DFA8

Uniqueness

Uniqueness Score: -1.00%

Function 04970070, Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249760587.0000000004970000.00000040.00000001.sdmp, Offset: 04970000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4df07c15ca9f52810491c9bce9f8b6694d282b13cd16037355cdd00daf48fb36
Instruction ID: c752d68a1b6f4e9f8efcde7ab741055e7465439be779ae7a4ff067abc7e89fe2
Opcode Fuzzy Hash: 4df07c15ca9f52810491c9bce9f8b6694d282b13cd16037355cdd00daf48fb36
Instruction Fuzzy Hash: 3811E471E056099BDB48CFAAC9411AEFBF7FF89300F14C57AC414AB214E73856029F44

Uniqueness

Uniqueness Score: -1.00%

Function 04970710, Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249760587.0000000004970000.00000040.00000001.sdmp, Offset: 04970000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba5f1df8667f10da905c60aaa1044a75eddb88d2132854fce8ae6e3e53668eb9
Instruction ID: 72826c42134bb28cf5c77e9557a9d5a66a74099f25effe540e3de52a53b104bf
Opcode Fuzzy Hash: ba5f1df8667f10da905c60aaa1044a75eddb88d2132854fce8ae6e3e53668eb9
Instruction Fuzzy Hash: B411A8B1E05609DBDB58CFABC94059EFBF7AFC8300F24C57AD818A7215EA345A529F40

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: RegSvcs.exe PID: 5996 Parent PID: 6136 RegSvcs.exeCOMMON

Executed Functions

Function 0518B068, Relevance: 2.2, Strings: 1, Instructions: 905COMMON

Download Yara Rule

Strings

r, xrefs: 0518BB1C

Memory Dump Source

Source File: 00000005.00000002.501156212.0000000005180000.00000040.00000001.sdmp, Offset: 05180000, based on PE: false

Similarity

API ID:
String ID: r
API String ID: 0-1812594589
Opcode ID: cb51eddd21c5a0270b7daffe03d347ae552b220d06cc733fdd8301f6a71b390b
Instruction ID: 1b3e9e6134786c0631dc9c2b716f2edb37ed7ec746be1436b02d77fd8e9fb73f
Opcode Fuzzy Hash: cb51eddd21c5a0270b7daffe03d347ae552b220d06cc733fdd8301f6a71b390b
Instruction Fuzzy Hash: ED825670A0460ADFCB24DF68C494AAEFBF2FF88310F158569D45AAB655D730E885CF90

Uniqueness

Uniqueness Score: -1.00%

Function 052A253B, Relevance: 1.6, APIs: 1, Instructions: 81networkCOMMON

Download Yara Rule

APIs

bind.WS2_32(?,00000E2C,DC0C5294,00000000,00000000,00000000,00000000), ref: 052A25CF

Memory Dump Source

Source File: 00000005.00000002.501447909.00000000052A0000.00000040.00000001.sdmp, Offset: 052A0000, based on PE: false

Similarity

API ID: bind
String ID:
API String ID: 1187836755-0
Opcode ID: fa24a6dfa750b0f3f786b05140be82da33736a9124f9747e2398d286d42cba84
Instruction ID: 75f1c7971d8bae06fd1792056e8287bae0e5a764d9773424cb1e6cee0eb0a214
Opcode Fuzzy Hash: fa24a6dfa750b0f3f786b05140be82da33736a9124f9747e2398d286d42cba84
Instruction Fuzzy Hash: 102191B6509380AFD7128F65CC44FA6BFE8EF46310F0884ABE948DF152D364A409CB71

Uniqueness

Uniqueness Score: -1.00%

Function 052A10A3, Relevance: 1.6, APIs: 1, Instructions: 75COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 052A1123

Memory Dump Source

Source File: 00000005.00000002.501447909.00000000052A0000.00000040.00000001.sdmp, Offset: 052A0000, based on PE: false

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: c445a78288a5a724cf680ad5418c07629f741c4402ab9b60875642e0a81b591b
Instruction ID: 92c554bfc2767464ca3b6aa2c9f4441d70652a476964b37f10ed211921a93ed0
Opcode Fuzzy Hash: c445a78288a5a724cf680ad5418c07629f741c4402ab9b60875642e0a81b591b
Instruction Fuzzy Hash: 21219F765097849FDB228F25DC40B52BFB4AF06320F0884EAE9898F163D3759918CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 052A256E, Relevance: 1.6, APIs: 1, Instructions: 62networkCOMMON

Download Yara Rule

APIs

bind.WS2_32(?,00000E2C,DC0C5294,00000000,00000000,00000000,00000000), ref: 052A25CF

Memory Dump Source

Source File: 00000005.00000002.501447909.00000000052A0000.00000040.00000001.sdmp, Offset: 052A0000, based on PE: false

Similarity

API ID: bind
String ID:
API String ID: 1187836755-0
Opcode ID: c551b40cdec7610eac8e8bd5d8fc86c9ca521c55b4f156671a2bcfa67076b831
Instruction ID: ff412cf8474c7db357a9c1a7808fdf97cad529084044d8f6699b1edd2308cfe0
Opcode Fuzzy Hash: c551b40cdec7610eac8e8bd5d8fc86c9ca521c55b4f156671a2bcfa67076b831
Instruction Fuzzy Hash: 59118BB6500300AFE720DF55DD84FA6BBE8EF48720F04846AEA499B245D774A4048A71

Uniqueness

Uniqueness Score: -1.00%

Function 052A10DA, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 052A1123

Memory Dump Source

Source File: 00000005.00000002.501447909.00000000052A0000.00000040.00000001.sdmp, Offset: 052A0000, based on PE: false

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: 63bdff46a6cfca107c0b5b55e91d182beb409ac9b5fcb093c20d8621fa893005
Instruction ID: 90d9811b1bd7890fadd9c188aabd9aef0832a2b6f093533b0143647a3f53591f
Opcode Fuzzy Hash: 63bdff46a6cfca107c0b5b55e91d182beb409ac9b5fcb093c20d8621fa893005
Instruction Fuzzy Hash: 771170365007049FDB20CF55D944B66FBE5FF04320F0884AAED498B656D375E418CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 052A1428, Relevance: 1.6, APIs: 1, Instructions: 50nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL(?,?,?,?), ref: 052A1485

Memory Dump Source

Source File: 00000005.00000002.501447909.00000000052A0000.00000040.00000001.sdmp, Offset: 052A0000, based on PE: false

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: 6f80180d0c330b7b40f8551f30c908884eb433b0c58a37a6382a90299d0c6809
Instruction ID: 3ccb7dc7ba89554e24d9b133800a6d0144aafdf51168eea52ecb9670780de09e
Opcode Fuzzy Hash: 6f80180d0c330b7b40f8551f30c908884eb433b0c58a37a6382a90299d0c6809
Instruction Fuzzy Hash: A411C6754093809FD7228F15DC44E62FFB4EF46320F09C49EED884B252C375A418DB61

Uniqueness

Uniqueness Score: -1.00%

Function 052A0D66, Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNELBASE(?), ref: 052A0D98

Memory Dump Source

Source File: 00000005.00000002.501447909.00000000052A0000.00000040.00000001.sdmp, Offset: 052A0000, based on PE: false

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: 80d213e43120923f5cf4ea60fd8122f5ef70af378eabb53a4198a161455613e0
Instruction ID: 60bdc92ab49549551cd6746975a5f8e57106bcf0176fea39590fc77602e3b895
Opcode Fuzzy Hash: 80d213e43120923f5cf4ea60fd8122f5ef70af378eabb53a4198a161455613e0
Instruction Fuzzy Hash: 9301627A9147449FDB10DF15D988BA5FF94EF05320F18C4AADD498F216D279A404CB61

Uniqueness

Uniqueness Score: -1.00%

Function 052A144A, Relevance: 1.5, APIs: 1, Instructions: 38nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL(?,?,?,?), ref: 052A1485

Memory Dump Source

Source File: 00000005.00000002.501447909.00000000052A0000.00000040.00000001.sdmp, Offset: 052A0000, based on PE: false

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: 688bf44c425e3729df638945843f91d0692eda619bebf371b9bd951e467dba24
Instruction ID: 7f5f966496459ade19419c624c9459ef482c7070e1ba388dd4427d36e5ee3ae0
Opcode Fuzzy Hash: 688bf44c425e3729df638945843f91d0692eda619bebf371b9bd951e467dba24
Instruction Fuzzy Hash: 69017C364103409FDB209F59D944B65FBA5FF04720F08C09ADE894B216C379A428DB62

Uniqueness

Uniqueness Score: -1.00%

Function 05183850, Relevance: .8, Instructions: 755COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.501156212.0000000005180000.00000040.00000001.sdmp, Offset: 05180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d369fe61b7ff092786454b3299662ca1fc2cb51a1c1a014ef0614f68277cb54
Instruction ID: 3e6c51008999a3b3ba9544aa2ef64ca904e752fa57f0b81fce632f25b9d9726e
Opcode Fuzzy Hash: 0d369fe61b7ff092786454b3299662ca1fc2cb51a1c1a014ef0614f68277cb54
Instruction Fuzzy Hash: CE52D471A04105CFCB25DF68C8949BAFBB2FF45700B1A89A6D8259F256C771EC42CF91

Uniqueness

Uniqueness Score: -1.00%

Function 05188798, Relevance: .5, Instructions: 505COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.501156212.0000000005180000.00000040.00000001.sdmp, Offset: 05180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fd7d1935b71886456a8d755288b4ae4f365fba31aa2a864f3929c81609a49d1
Instruction ID: a3a37638e5abf559fe1dc99fde4011b91b6be415b7aa2867c152e7f54b773001
Opcode Fuzzy Hash: 2fd7d1935b71886456a8d755288b4ae4f365fba31aa2a864f3929c81609a49d1
Instruction Fuzzy Hash: 09128E30A14225DFCB38EF65C49467EBBF2BF85304F95896AE0169B294DB75D881CF40

Uniqueness

Uniqueness Score: -1.00%

Function 051823A0, Relevance: .5, Instructions: 505COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.501156212.0000000005180000.00000040.00000001.sdmp, Offset: 05180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45232954738874c90409617bdfb17d73f0dec22918914c344dd6e591a3a88a48
Instruction ID: 60db48529b8db98f9f4c5f096f16e76a49666d473a2f85df3395350e12dcf00f
Opcode Fuzzy Hash: 45232954738874c90409617bdfb17d73f0dec22918914c344dd6e591a3a88a48
Instruction Fuzzy Hash: EF12B838E00215CFCB3AEB29C5946B9BBF2BF88304F258569D426AB355DB34C846CF50

Uniqueness

Uniqueness Score: -1.00%

Function 05182FA8, Relevance: .2, Instructions: 239COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.501156212.0000000005180000.00000040.00000001.sdmp, Offset: 05180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 325c7e08eac612c971801fdb50c87ab2beb7f2b07d99c49bbff1b93155608314
Instruction ID: 3c0c55d913ae16820d1c88e5dd290be4ad3bf33b31ba1832a8d112131830ea5b
Opcode Fuzzy Hash: 325c7e08eac612c971801fdb50c87ab2beb7f2b07d99c49bbff1b93155608314
Instruction Fuzzy Hash: 1E818E71F001159FCB28EB69D894A6EBBF3AFC8710F2A8475E415AB365DF349C018B90

Uniqueness

Uniqueness Score: -1.00%

Function 051809A0, Relevance: 5.2, Strings: 4, Instructions: 177COMMON

Download Yara Rule

Strings

X1&r, xrefs: 05180A50
X1&r, xrefs: 05180AA2
X1&r, xrefs: 05180A5A
X1&r, xrefs: 05180A98

Memory Dump Source

Source File: 00000005.00000002.501156212.0000000005180000.00000040.00000001.sdmp, Offset: 05180000, based on PE: false

Similarity

API ID:
String ID: X1&r$X1&r$X1&r$X1&r
API String ID: 0-320564238
Opcode ID: 304c4e2fab72e7c9bbfd21d8b8d41c6b596dcefd5d8231630f01f42d36e0ba15
Instruction ID: 63d372bc284ebfc12bfbeceaac343f3684af816652f9b08f390b8354c6ec9d43
Opcode Fuzzy Hash: 304c4e2fab72e7c9bbfd21d8b8d41c6b596dcefd5d8231630f01f42d36e0ba15
Instruction Fuzzy Hash: 6451C235B44109DFCB24EBA8C898ABEB7E3FF48714F2584A5D4469B250CB31ED06CB90

Uniqueness

Uniqueness Score: -1.00%

Function 051843C0, Relevance: 3.9, Strings: 3, Instructions: 117COMMON

Download Yara Rule

Strings

X1&r, xrefs: 0518437C
X1&r, xrefs: 051843A2
X1&r, xrefs: 051843AC

Memory Dump Source

Source File: 00000005.00000002.501156212.0000000005180000.00000040.00000001.sdmp, Offset: 05180000, based on PE: false

Similarity

API ID:
String ID: X1&r$X1&r$X1&r
API String ID: 0-1838269
Opcode ID: 8707ec0070416f419c517d8c10fcc954b17c45eb5000fcc58afd5ef258bb300e
Instruction ID: adb68d175e38ae4ba16eb53df55b3618aad96bb06ad82ef7931500e31060eb3e
Opcode Fuzzy Hash: 8707ec0070416f419c517d8c10fcc954b17c45eb5000fcc58afd5ef258bb300e
Instruction Fuzzy Hash: 7641B131640165CFCB29EB68E8588BDBBF2FF8431431585A9E4069B36ADF31A857CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0518EB01, Relevance: 3.8, Strings: 3, Instructions: 28COMMON

Download Yara Rule

Strings

X1&r, xrefs: 0518EAEE
X1&r, xrefs: 0518EABC
X1&r, xrefs: 0518EAE4

Memory Dump Source

Source File: 00000005.00000002.501156212.0000000005180000.00000040.00000001.sdmp, Offset: 05180000, based on PE: false

Similarity

API ID:
String ID: X1&r$X1&r$X1&r
API String ID: 0-1838269
Opcode ID: f774775477440a01a0dee2f78a23d6b016b7091962d5310fed532370f55e9563
Instruction ID: 228bffce3e8dc29073ec536e90415bdd50927e309cf8add62e825eda37a4102f
Opcode Fuzzy Hash: f774775477440a01a0dee2f78a23d6b016b7091962d5310fed532370f55e9563
Instruction Fuzzy Hash: 78F05C3270409187DB7477BC411837A7BD2ABC5A90F8402EDC4DA47B42CF7088418B45

Uniqueness

Uniqueness Score: -1.00%

Function 051812A0, Relevance: 1.7, Strings: 1, Instructions: 460COMMON

Download Yara Rule

Strings

$g#r, xrefs: 05181349

Memory Dump Source

Source File: 00000005.00000002.501156212.0000000005180000.00000040.00000001.sdmp, Offset: 05180000, based on PE: false

Similarity

API ID:
String ID: $g#r
API String ID: 0-1127112097
Opcode ID: 6d6be1c1c5a068178e1e2906cb51b647360372863e23068c269e298289d8bc5c
Instruction ID: 4cab551b680e7ec1d396680bb620c18c6fb6476883baefac31c603d728a4909e
Opcode Fuzzy Hash: 6d6be1c1c5a068178e1e2906cb51b647360372863e23068c269e298289d8bc5c
Instruction Fuzzy Hash: 5D22E534A40605CFC728EF28C590A6ABBF2FF88314F118699D85A9B759DB34ED46CF41

Uniqueness

Uniqueness Score: -1.00%

Function 052A1590, Relevance: 1.6, APIs: 1, Instructions: 126networkCOMMON

Download Yara Rule

APIs

DnsQuery_A.DNSAPI(?,00000E2C,?,?), ref: 052A1686

Memory Dump Source

Source File: 00000005.00000002.501447909.00000000052A0000.00000040.00000001.sdmp, Offset: 052A0000, based on PE: false

Similarity

API ID: Query_
String ID:
API String ID: 428220571-0
Opcode ID: 2ae264a084c1db191f721b2214ee6a55a89d6bcd0890405659b026bcdf8c72ae
Instruction ID: 547e147a4d251164988a7e6d59c103ca177213ebed2cf48655af2fdfc47ab831
Opcode Fuzzy Hash: 2ae264a084c1db191f721b2214ee6a55a89d6bcd0890405659b026bcdf8c72ae
Instruction Fuzzy Hash: 6741166540E7C06FD3138B358C61A61BFB4EF47614B0E85CBD884CF5A3D268A909D7B2

Uniqueness

Uniqueness Score: -1.00%

Function 052A2888, Relevance: 1.6, APIs: 1, Instructions: 111COMMON

Download Yara Rule

APIs

getaddrinfo.WS2_32(?,00000E2C), ref: 052A297F

Memory Dump Source

Source File: 00000005.00000002.501447909.00000000052A0000.00000040.00000001.sdmp, Offset: 052A0000, based on PE: false

Similarity

API ID: getaddrinfo
String ID:
API String ID: 300660673-0
Opcode ID: e1926ec75c19e07551109fc7c3e88cfe7ab0dcb6b19b69c42fa8060f2be501e4
Instruction ID: d66386c92a9efd6f203ef81cab88e46e75905feca11a576ed53bf16247507700
Opcode Fuzzy Hash: e1926ec75c19e07551109fc7c3e88cfe7ab0dcb6b19b69c42fa8060f2be501e4
Instruction Fuzzy Hash: CD4191721093C06FE7238B258C94FA6BFB8EF06710F1944DBE9849F193D265A949C771

Uniqueness

Uniqueness Score: -1.00%

Function 052A0390, Relevance: 1.6, APIs: 1, Instructions: 93registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.KERNELBASE(?,00000E2C), ref: 052A045E

Memory Dump Source

Source File: 00000005.00000002.501447909.00000000052A0000.00000040.00000001.sdmp, Offset: 052A0000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: c12b2c0d518309240867335a44845fa2b3d725b4d0d962f672ef5db682bed7d5
Instruction ID: 7c37bbddd54184337f1cdb18cd67fe908074901da5288540fa650d26cbc47db5
Opcode Fuzzy Hash: c12b2c0d518309240867335a44845fa2b3d725b4d0d962f672ef5db682bed7d5
Instruction Fuzzy Hash: F131C4B20043446FE7228F21CC41FA6FFA8FF06310F04859EE9859B192D3A5A949CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 052A07F4, Relevance: 1.6, APIs: 1, Instructions: 92fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 052A0899

Memory Dump Source

Source File: 00000005.00000002.501447909.00000000052A0000.00000040.00000001.sdmp, Offset: 052A0000, based on PE: false

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 73bca80344f71d7288c3c098744b6b16b18eb2553982536bf549376be9130f9a
Instruction ID: 84672fc931a7a667aab5f6361f4db3d4137f1b50a8bd6ef563289554646095fb
Opcode Fuzzy Hash: 73bca80344f71d7288c3c098744b6b16b18eb2553982536bf549376be9130f9a
Instruction Fuzzy Hash: C4316F71504380AFE722CF25DC44F66BFE8EF05310F0884AEE9898B252D375E409CB65

Uniqueness

Uniqueness Score: -1.00%

Function 052A2360, Relevance: 1.6, APIs: 1, Instructions: 91timeCOMMON

Download Yara Rule

APIs

GetProcessTimes.KERNELBASE(?,00000E2C,DC0C5294,00000000,00000000,00000000,00000000), ref: 052A23FD

Memory Dump Source

Source File: 00000005.00000002.501447909.00000000052A0000.00000040.00000001.sdmp, Offset: 052A0000, based on PE: false

Similarity

API ID: ProcessTimes
String ID:
API String ID: 1995159646-0
Opcode ID: fa4f19a45a3d8487b91d389c7068008da35a11ef465bbf73617c2a2a58fbbba3
Instruction ID: 5f4094edda6066b684585bc130782f1fded581c458665cd46539f708b7a58b0a
Opcode Fuzzy Hash: fa4f19a45a3d8487b91d389c7068008da35a11ef465bbf73617c2a2a58fbbba3
Instruction Fuzzy Hash: 6531D776509780AFDB128F25DC45FA6BFB8EF06310F0884AAE989DF153D324A505CB71

Uniqueness

Uniqueness Score: -1.00%

Function 052A00F6, Relevance: 1.6, APIs: 1, Instructions: 89synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNELBASE(?,?), ref: 052A019D

Memory Dump Source

Source File: 00000005.00000002.501447909.00000000052A0000.00000040.00000001.sdmp, Offset: 052A0000, based on PE: false

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 7b36a9365f77f888b14d496abf9b5f94c0fdf455297c025cafd0d8c3ec812b6e
Instruction ID: bd3c9765996b28341b733189787d752dd32e7e4951805c24fcabbdd095823fd9
Opcode Fuzzy Hash: 7b36a9365f77f888b14d496abf9b5f94c0fdf455297c025cafd0d8c3ec812b6e
Instruction Fuzzy Hash: AF3181715097806FE712CB25DC44FA6BFE8EF06310F08849AE988CB292D365E908CB61

Uniqueness

Uniqueness Score: -1.00%

Function 052A1EF4, Relevance: 1.6, APIs: 1, Instructions: 87fileCOMMON

Download Yara Rule

APIs

MapViewOfFile.KERNELBASE ref: 052A1FA6

Memory Dump Source

Source File: 00000005.00000002.501447909.00000000052A0000.00000040.00000001.sdmp, Offset: 052A0000, based on PE: false

Similarity

API ID: FileView
String ID:
API String ID: 3314676101-0
Opcode ID: 2bd3ff124506da522fabd7974ee1ad8c60a02ed518db728216373202cbf7a9aa
Instruction ID: 192866083db12d307c617d219924f91bdb004310ff0e4fd47b805b3221e1346e
Opcode Fuzzy Hash: 2bd3ff124506da522fabd7974ee1ad8c60a02ed518db728216373202cbf7a9aa
Instruction Fuzzy Hash: F731A4B2404784AFE722CF55DC45F56FFF8FF06320F04459AE9888B252D365A549CB61

Uniqueness

Uniqueness Score: -1.00%

Function 052A04AB, Relevance: 1.6, APIs: 1, Instructions: 86registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,DC0C5294,00000000,00000000,00000000,00000000), ref: 052A055C

Memory Dump Source

Source File: 00000005.00000002.501447909.00000000052A0000.00000040.00000001.sdmp, Offset: 052A0000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: d935cd5b1e5791860dc88016bf717d95003da5b55476db7e31b05f8b2badee19
Instruction ID: 1ffbd059d5805c1ccc51c5beaa667ed10277f4834dfd23d8c30a669b29938966
Opcode Fuzzy Hash: d935cd5b1e5791860dc88016bf717d95003da5b55476db7e31b05f8b2badee19
Instruction Fuzzy Hash: 3A318472509780AFD722CB25DC44F52BFF8EF06310F0885DAE9899B162D364E808CB71

Uniqueness

Uniqueness Score: -1.00%

Function 052A28DA, Relevance: 1.6, APIs: 1, Instructions: 84COMMON

Download Yara Rule

APIs

getaddrinfo.WS2_32(?,00000E2C), ref: 052A297F

Memory Dump Source

Source File: 00000005.00000002.501447909.00000000052A0000.00000040.00000001.sdmp, Offset: 052A0000, based on PE: false

Similarity

API ID: getaddrinfo
String ID:
API String ID: 300660673-0
Opcode ID: c1fb58b86a2d0cb86d5c962d956dbf8bc00174bfca79ddf9fedc9dcb4c1215e1
Instruction ID: cc640f7ccc5ccc1199c296805e24b955385168b5e342ab90367ac25790c0c4a5
Opcode Fuzzy Hash: c1fb58b86a2d0cb86d5c962d956dbf8bc00174bfca79ddf9fedc9dcb4c1215e1
Instruction Fuzzy Hash: 9621E572100304AFFB21DF65CC84FA6FBACEF04710F14885AFA489A181D6B4A5488BB1

Uniqueness

Uniqueness Score: -1.00%

Function 052A27B0, Relevance: 1.6, APIs: 1, Instructions: 80windowCOMMON

Download Yara Rule

APIs

FormatMessageW.KERNELBASE(?,00000E2C,?,?), ref: 052A2852

Memory Dump Source

Source File: 00000005.00000002.501447909.00000000052A0000.00000040.00000001.sdmp, Offset: 052A0000, based on PE: false

Similarity

API ID: FormatMessage
String ID:
API String ID: 1306739567-0
Opcode ID: a1dda84adf0df90665260d675cb354a746d2cc3f96b724baa92cadf1555f0d81
Instruction ID: fb091b783e54eac4d0caecc7aac92379da4fdae470d05d122f83e6de2086367a
Opcode Fuzzy Hash: a1dda84adf0df90665260d675cb354a746d2cc3f96b724baa92cadf1555f0d81
Instruction Fuzzy Hash: 2B21A17190D3C06FD7128B65CC51B66BFB8EF47610F0980DBD9848F2A3D624A919C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 052A02AB, Relevance: 1.6, APIs: 1, Instructions: 79registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNELBASE(?,00000E2C), ref: 052A0353

Memory Dump Source

Source File: 00000005.00000002.501447909.00000000052A0000.00000040.00000001.sdmp, Offset: 052A0000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: bb506651db8b879fbbfe4001b7b9747e4a8a0f019a4c65f8c65e6946fd23361b
Instruction ID: 158b36b25d078b4bc24d2760f93a1f33105ab54ea2b1a7fa9c4ea050e9a40bfa
Opcode Fuzzy Hash: bb506651db8b879fbbfe4001b7b9747e4a8a0f019a4c65f8c65e6946fd23361b
Instruction Fuzzy Hash: C821B7760097806FE7228F21DC45FA6FFB8EF06310F0884DAE9848F192D275A949C775

Uniqueness

Uniqueness Score: -1.00%

Function 052A1E12, Relevance: 1.6, APIs: 1, Instructions: 78COMMON

Download Yara Rule

APIs

OpenFileMappingW.KERNELBASE(?,?), ref: 052A1E9D

Memory Dump Source

Source File: 00000005.00000002.501447909.00000000052A0000.00000040.00000001.sdmp, Offset: 052A0000, based on PE: false

Similarity

API ID: FileMappingOpen
String ID:
API String ID: 1680863896-0
Opcode ID: 5ff697bcb1b5952bea9215f4ebf9cfd85b921f8c05f7452bd3670a7e7ae6de22
Instruction ID: 181767e697f4640129ee5ed0ed546fa8c3602ef2c21a1f755ebefe388ba21886
Opcode Fuzzy Hash: 5ff697bcb1b5952bea9215f4ebf9cfd85b921f8c05f7452bd3670a7e7ae6de22
Instruction Fuzzy Hash: FD217171509380AFE722CB65DD45F66FFE8EF05320F0884AAE9898B252D375E508CB61

Uniqueness

Uniqueness Score: -1.00%

Function 052A16B2, Relevance: 1.6, APIs: 1, Instructions: 77networkCOMMON

Download Yara Rule

APIs

WSASocketW.WS2_32(?,?,?,?,?), ref: 052A173E

Memory Dump Source

Source File: 00000005.00000002.501447909.00000000052A0000.00000040.00000001.sdmp, Offset: 052A0000, based on PE: false

Similarity

API ID: Socket
String ID:
API String ID: 38366605-0
Opcode ID: f3d0204fb801a15a8897e900b379756887bb9e52620ebfd5310de5b7d7ce6aa6
Instruction ID: e3f41b06d6083a4a83a887d96590951f10695eab03aeb85e0f82b8bdb99ae9ca
Opcode Fuzzy Hash: f3d0204fb801a15a8897e900b379756887bb9e52620ebfd5310de5b7d7ce6aa6
Instruction Fuzzy Hash: 8B217C72505784AFE7228F65DC44F66FFE8EF05320F08849AE9898B652D375A448CB62

Uniqueness

Uniqueness Score: -1.00%

Function 052A081A, Relevance: 1.6, APIs: 1, Instructions: 76fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 052A0899

Memory Dump Source

Source File: 00000005.00000002.501447909.00000000052A0000.00000040.00000001.sdmp, Offset: 052A0000, based on PE: false

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 1e26ed74c5b5ea9c027601d1e4844cb6a5070e30c9592a30e64351a813ba4ed6
Instruction ID: 4936dd0ffc647327f0873b94855f014eb4c5c04325320a9d551f9a6028203701
Opcode Fuzzy Hash: 1e26ed74c5b5ea9c027601d1e4844cb6a5070e30c9592a30e64351a813ba4ed6
Instruction Fuzzy Hash: CF218E76500744AFE721DF65CD48F6AFBE8FF08310F048469E9898B252D375E404CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 052A0C58, Relevance: 1.6, APIs: 1, Instructions: 76fileCOMMON

Download Yara Rule

APIs

DeleteFileA.KERNELBASE(?,00000E2C), ref: 052A0CEF

Memory Dump Source

Source File: 00000005.00000002.501447909.00000000052A0000.00000040.00000001.sdmp, Offset: 052A0000, based on PE: false

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 99e29c34968750eff0f4802aee776bdf045fe4bdc57162ae2b1e7f77d564262e
Instruction ID: fdab7ed5bbd247793b5b82d6b7021077f846ae7fcba25e7d0681c6047bd49188
Opcode Fuzzy Hash: 99e29c34968750eff0f4802aee776bdf045fe4bdc57162ae2b1e7f77d564262e
Instruction Fuzzy Hash: 5721C8722057806FE7218B25DC45FB6FFA8EF46310F18809AF9848F192D275A949C765

Uniqueness

Uniqueness Score: -1.00%

Function 052A08F0, Relevance: 1.6, APIs: 1, Instructions: 76COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E2C,DC0C5294,00000000,00000000,00000000,00000000), ref: 052A0985

Memory Dump Source

Source File: 00000005.00000002.501447909.00000000052A0000.00000040.00000001.sdmp, Offset: 052A0000, based on PE: false

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: e4b4961faefbaf5678d28218db040d6959b4a36056803ceb1f263cd818789a4b
Instruction ID: 65600ab4ddaf42bd56ed19ea56cec4ce36ff10846f3290e713b38fda0d83fd75
Opcode Fuzzy Hash: e4b4961faefbaf5678d28218db040d6959b4a36056803ceb1f263cd818789a4b
Instruction Fuzzy Hash: 3D210AB64087806FE7128B25DC41FA3BFBCEF46720F18809AED848B153D364A905C771

Uniqueness

Uniqueness Score: -1.00%

Function 052A0B79, Relevance: 1.6, APIs: 1, Instructions: 75registryCOMMON

Download Yara Rule

APIs

RegSetValueExW.KERNELBASE(?,00000E2C,DC0C5294,00000000,00000000,00000000,00000000), ref: 052A0C10

Memory Dump Source

Source File: 00000005.00000002.501447909.00000000052A0000.00000040.00000001.sdmp, Offset: 052A0000, based on PE: false

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 5f2ea5f10412e36b2b95329b1ef320fb7165a9ed44f95e87d9d4f5b0a2146f5a
Instruction ID: b2b376d7aa1593ba50f9d5648c5678e68f6bbff414369deee3d21f07e02e35fe
Opcode Fuzzy Hash: 5f2ea5f10412e36b2b95329b1ef320fb7165a9ed44f95e87d9d4f5b0a2146f5a
Instruction Fuzzy Hash: 44219DB2508740AFE7218E15DC85F67FFECEF05310F08889AE9899B252D364E808CB71

Uniqueness

Uniqueness Score: -1.00%

Function 052A03CA, Relevance: 1.6, APIs: 1, Instructions: 75registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.KERNELBASE(?,00000E2C), ref: 052A045E

Memory Dump Source

Source File: 00000005.00000002.501447909.00000000052A0000.00000040.00000001.sdmp, Offset: 052A0000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 8850e6d954cde70986978f8419c0212772f3fab6cbe57dcb475dbd23fce0a0ea
Instruction ID: 6e7df2ef1ce844668cc26c17ec4faf0abfc92d913c81dc0199accde40cf914be
Opcode Fuzzy Hash: 8850e6d954cde70986978f8419c0212772f3fab6cbe57dcb475dbd23fce0a0ea
Instruction Fuzzy Hash: F321F272100304AFEB21DF25CC84FB6FBACFF04310F00885AFA499A291D6B4A548CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 052A09C0, Relevance: 1.6, APIs: 1, Instructions: 75fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,00000E2C,DC0C5294,00000000,00000000,00000000,00000000), ref: 052A0A51

Memory Dump Source

Source File: 00000005.00000002.501447909.00000000052A0000.00000040.00000001.sdmp, Offset: 052A0000, based on PE: false

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 24da6a73df0b07e787c8053096f58bc75562a6035cae6492a4f0491ee144b775
Instruction ID: b216283ae79d4caccc1ce6355501133e5345ea4e0367955615b956559eb494f1
Opcode Fuzzy Hash: 24da6a73df0b07e787c8053096f58bc75562a6035cae6492a4f0491ee144b775
Instruction Fuzzy Hash: 302174725093806FD7228F65DC44F66BFB8EF46314F08849BE9889F153C365A409CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 052A012A, Relevance: 1.6, APIs: 1, Instructions: 72synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNELBASE(?,?), ref: 052A019D

Memory Dump Source

Source File: 00000005.00000002.501447909.00000000052A0000.00000040.00000001.sdmp, Offset: 052A0000, based on PE: false

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: cd814031b572061457f20f4a104a3bb60632f42e57a608c71f69cf5444322e9f
Instruction ID: 9ea5eb62f0fefb56e67ccd27cbc80f71f7c4469da157295e69ac3bb0bd3d146a
Opcode Fuzzy Hash: cd814031b572061457f20f4a104a3bb60632f42e57a608c71f69cf5444322e9f
Instruction Fuzzy Hash: 68218E72604244AFE720DF29DD89FAAFBE8EF05710F04846AE9498B241D7B5E504CA65

Uniqueness

Uniqueness Score: -1.00%

Function 052A0723, Relevance: 1.6, APIs: 1, Instructions: 71COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,?), ref: 052A079F

Memory Dump Source

Source File: 00000005.00000002.501447909.00000000052A0000.00000040.00000001.sdmp, Offset: 052A0000, based on PE: false

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: 22e9ca68d028415f3eb1aff62e24167abe1eede1ed86de173f626262054f5c10
Instruction ID: 2d9644c8f7fad391740d84f5e30c3befbbada47d11a71ea6f5c0f794b86a0aca
Opcode Fuzzy Hash: 22e9ca68d028415f3eb1aff62e24167abe1eede1ed86de173f626262054f5c10
Instruction Fuzzy Hash: E52180765093819FD712CF25DC48B56BFE8EF06210F0984EAE989CF253E274E949CB61

Uniqueness

Uniqueness Score: -1.00%

Function 052A0A9B, Relevance: 1.6, APIs: 1, Instructions: 71fileCOMMON

Download Yara Rule

APIs

CopyFileW.KERNELBASE(?,?,?), ref: 052A0B1E

Memory Dump Source

Source File: 00000005.00000002.501447909.00000000052A0000.00000040.00000001.sdmp, Offset: 052A0000, based on PE: false

Similarity

API ID: CopyFile
String ID:
API String ID: 1304948518-0
Opcode ID: fa9e0a415c1f673e2a91cbb08c9181617f20f3c5649646a2ff53e9aecbe3d568
Instruction ID: 047e4520cf0b3e2f9c86fff1ba3695e805f126eef5e9ba600fc4c27f96a831de
Opcode Fuzzy Hash: fa9e0a415c1f673e2a91cbb08c9181617f20f3c5649646a2ff53e9aecbe3d568
Instruction Fuzzy Hash: DE2180B25093855FD722CF25DC55B62BFE8AF16314F0884EAE989CB253D225E808CB61

Uniqueness

Uniqueness Score: -1.00%

Function 052A1E32, Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

OpenFileMappingW.KERNELBASE(?,?), ref: 052A1E9D

Memory Dump Source

Source File: 00000005.00000002.501447909.00000000052A0000.00000040.00000001.sdmp, Offset: 052A0000, based on PE: false

Similarity

API ID: FileMappingOpen
String ID:
API String ID: 1680863896-0
Opcode ID: 02505bf57b0ab45b27b15f9073c786878e5416d01acf4900033eaf2f32cde861
Instruction ID: ddec68b44f27306169e22394fb6adfd7c1ab5c16333868e2684ebd3d263172ed
Opcode Fuzzy Hash: 02505bf57b0ab45b27b15f9073c786878e5416d01acf4900033eaf2f32cde861
Instruction Fuzzy Hash: 61219072504240AFE721DF65DD45F66FBE8EF04720F14846AED898B242D775E408CB76

Uniqueness

Uniqueness Score: -1.00%

Function 052A1170, Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 052A11DC

Memory Dump Source

Source File: 00000005.00000002.501447909.00000000052A0000.00000040.00000001.sdmp, Offset: 052A0000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 3f7b172037f5b0dc6aa2fa9f600692bc84b8d83fe933e0fbe051e3aebba5a832
Instruction ID: 1111d287a35d117143c4c4786f6ab27ea40dce25bd4600bac2f8bf1904a60024
Opcode Fuzzy Hash: 3f7b172037f5b0dc6aa2fa9f600692bc84b8d83fe933e0fbe051e3aebba5a832
Instruction Fuzzy Hash: 9B21AE725093C05FDB028B25DC54A92BFA4AF07324F0980EAEC858F663D264A908CB62

Uniqueness

Uniqueness Score: -1.00%

Function 052A01F4, Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 052A0264

Memory Dump Source

Source File: 00000005.00000002.501447909.00000000052A0000.00000040.00000001.sdmp, Offset: 052A0000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 00f683958ee3108c5c44a37f71e1ca5316b8bd7af2a9cf186117ecc3677b4c76
Instruction ID: daa5a8fa3af19c5cdc0a8ba16b133de0d6f089e64a53e18c475918fdbb8c0af8
Opcode Fuzzy Hash: 00f683958ee3108c5c44a37f71e1ca5316b8bd7af2a9cf186117ecc3677b4c76
Instruction Fuzzy Hash: AA21A7B69097845FD711CF54DC49B51BFA8FF06324F0980DBED848B553E274A805CB61

Uniqueness

Uniqueness Score: -1.00%

Function 052A1225, Relevance: 1.6, APIs: 1, Instructions: 67COMMON

Download Yara Rule

APIs

K32EnumProcesses.KERNEL32(?,?,?,DC0C5294,00000000,?,?,?,?,?,?,?,?,72AF3C38), ref: 052A1296

Memory Dump Source

Source File: 00000005.00000002.501447909.00000000052A0000.00000040.00000001.sdmp, Offset: 052A0000, based on PE: false

Similarity

API ID: EnumProcesses
String ID:
API String ID: 84517404-0
Opcode ID: 9c3eff866c67a2e05d28d5c0f1be66dc4affb3d86b8b7718467783f1c92e8d90
Instruction ID: 31002f86dc40614fdfc3b71fb15a37af892c673253365facf70597c54f726035
Opcode Fuzzy Hash: 9c3eff866c67a2e05d28d5c0f1be66dc4affb3d86b8b7718467783f1c92e8d90
Instruction Fuzzy Hash: E22150765093845FD712CF65DC44B96BFE8AF06320F0984EAE989CF163D364E918CB61

Uniqueness

Uniqueness Score: -1.00%

Function 052A1F32, Relevance: 1.6, APIs: 1, Instructions: 67fileCOMMON

Download Yara Rule

APIs

MapViewOfFile.KERNELBASE ref: 052A1FA6

Memory Dump Source

Source File: 00000005.00000002.501447909.00000000052A0000.00000040.00000001.sdmp, Offset: 052A0000, based on PE: false

Similarity

API ID: FileView
String ID:
API String ID: 3314676101-0
Opcode ID: 4d2c395b8ef94bee5cb1dbbab4a8c85e90410750fde5fb660c9fa0515c277362
Instruction ID: 769cb51e7467480178e7b05932450725e62cea00c1cb9bf5676b859d7fbd13af
Opcode Fuzzy Hash: 4d2c395b8ef94bee5cb1dbbab4a8c85e90410750fde5fb660c9fa0515c277362
Instruction Fuzzy Hash: 2621AE72500344AFE721DF59DD84F6AFBE8FF08320F14845AEA888B251D775E508CB62

Uniqueness

Uniqueness Score: -1.00%

Function 052A16D2, Relevance: 1.6, APIs: 1, Instructions: 67networkCOMMON

Download Yara Rule

APIs

WSASocketW.WS2_32(?,?,?,?,?), ref: 052A173E

Memory Dump Source

Source File: 00000005.00000002.501447909.00000000052A0000.00000040.00000001.sdmp, Offset: 052A0000, based on PE: false

Similarity

API ID: Socket
String ID:
API String ID: 38366605-0
Opcode ID: 812fc61cc712f635e9c2d9eae818945c7454cd19564de5640eb40a91e9518ac7
Instruction ID: 074d650b3ed337e0b5ca24bf9b52e34b94af60d6ccef8e7d662bbbe9438c4840
Opcode Fuzzy Hash: 812fc61cc712f635e9c2d9eae818945c7454cd19564de5640eb40a91e9518ac7
Instruction Fuzzy Hash: 5521A172500744AFE722DF65DD44F66FBE8EF08320F0484AAE9898B651D775A418CB61

Uniqueness

Uniqueness Score: -1.00%

Function 052A0B9E, Relevance: 1.6, APIs: 1, Instructions: 65registryCOMMON

Download Yara Rule

APIs

RegSetValueExW.KERNELBASE(?,00000E2C,DC0C5294,00000000,00000000,00000000,00000000), ref: 052A0C10

Memory Dump Source

Source File: 00000005.00000002.501447909.00000000052A0000.00000040.00000001.sdmp, Offset: 052A0000, based on PE: false

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: ee1b1e4f083546a31e97b0fc4d8e78bb90740e3aaee7375355d6adddf24a8ee6
Instruction ID: 205740a10e64c43d902a4195a5d9ffdfd129d40a85995f4badd2633b6c4f6787
Opcode Fuzzy Hash: ee1b1e4f083546a31e97b0fc4d8e78bb90740e3aaee7375355d6adddf24a8ee6
Instruction Fuzzy Hash: BF11BEB2500704AFEB209E15CD85F67FBECEF08710F04885AED499B251D764E408CA71

Uniqueness

Uniqueness Score: -1.00%

Function 052A04EA, Relevance: 1.6, APIs: 1, Instructions: 65registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,DC0C5294,00000000,00000000,00000000,00000000), ref: 052A055C

Memory Dump Source

Source File: 00000005.00000002.501447909.00000000052A0000.00000040.00000001.sdmp, Offset: 052A0000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 21429831334322dd566eebae3e864e0b72e6025c5f2930c06409ccb9b041e27a
Instruction ID: d930a3fa6a4c5c663c43102c9fad1bff0194e819b1e9301eb55e9bf81dedebc9
Opcode Fuzzy Hash: 21429831334322dd566eebae3e864e0b72e6025c5f2930c06409ccb9b041e27a
Instruction Fuzzy Hash: 53117C72500704AFEB20DE19DC84F66FBECFF08720F0884AAE94A9B251D764E448CB71

Uniqueness

Uniqueness Score: -1.00%

Function 052A239E, Relevance: 1.6, APIs: 1, Instructions: 64timeCOMMON

Download Yara Rule

APIs

GetProcessTimes.KERNELBASE(?,00000E2C,DC0C5294,00000000,00000000,00000000,00000000), ref: 052A23FD

Memory Dump Source

Source File: 00000005.00000002.501447909.00000000052A0000.00000040.00000001.sdmp, Offset: 052A0000, based on PE: false

Similarity

API ID: ProcessTimes
String ID:
API String ID: 1995159646-0
Opcode ID: 1ec57ae3de34f9e55ab979e463d048bcc4c64271193b93fcd782f6529f6357a9
Instruction ID: f93390981898a3d0385b0f8581e7f0442f8b739d455024b51477abc5916599e1
Opcode Fuzzy Hash: 1ec57ae3de34f9e55ab979e463d048bcc4c64271193b93fcd782f6529f6357a9
Instruction Fuzzy Hash: 2F119076500300AFEB21DF65DD45FAAFBE8EF08320F04846AED499B251D774E4488B71

Uniqueness

Uniqueness Score: -1.00%

Function 052A0E9C, Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 052A0F06

Memory Dump Source

Source File: 00000005.00000002.501447909.00000000052A0000.00000040.00000001.sdmp, Offset: 052A0000, based on PE: false

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 3c862eeae7d81a12e695521133bccea2ace3d7fec35aaef6316ee660ebca2720
Instruction ID: 983cbad479c73cb51cf27870bc96d7a44ded6f8552ebc7347f117ca47c4d3c80
Opcode Fuzzy Hash: 3c862eeae7d81a12e695521133bccea2ace3d7fec35aaef6316ee660ebca2720
Instruction Fuzzy Hash: A1117F726093819FD721CF25DC85B57BFE8FF15210F0884AAED49CB252D275E808CB61

Uniqueness

Uniqueness Score: -1.00%

Function 052A0C86, Relevance: 1.6, APIs: 1, Instructions: 60fileCOMMON

Download Yara Rule

APIs

DeleteFileA.KERNELBASE(?,00000E2C), ref: 052A0CEF

Memory Dump Source

Source File: 00000005.00000002.501447909.00000000052A0000.00000040.00000001.sdmp, Offset: 052A0000, based on PE: false

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 0ad6653d3de1556a2dd42c67592ae73cd75432ff159aa941083b20273944c625
Instruction ID: 51b2db86e9a3306905784b8a8ac0455efb6202c9bc7ef532c01a2d8c17e1b726
Opcode Fuzzy Hash: 0ad6653d3de1556a2dd42c67592ae73cd75432ff159aa941083b20273944c625
Instruction Fuzzy Hash: C911C676600704AFF720DB29DD85F76FBD8EF08720F14845AFD498A285D6B4B9488B61

Uniqueness

Uniqueness Score: -1.00%

Function 052A09F2, Relevance: 1.6, APIs: 1, Instructions: 60fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,00000E2C,DC0C5294,00000000,00000000,00000000,00000000), ref: 052A0A51

Memory Dump Source

Source File: 00000005.00000002.501447909.00000000052A0000.00000040.00000001.sdmp, Offset: 052A0000, based on PE: false

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 86d05af43746f4a2ac6ea98fc3ec057304a2883d24f046eb1d47362c5fe4a842
Instruction ID: 0960057e5157c25867c611d0d59b249a0bbe164fbb329dc38015f847d1de8cf6
Opcode Fuzzy Hash: 86d05af43746f4a2ac6ea98fc3ec057304a2883d24f046eb1d47362c5fe4a842
Instruction Fuzzy Hash: D0119172500304AFEB21DF55DD45FAAFBE8EF08720F14846AEE499B256C775A408CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 052A02DE, Relevance: 1.6, APIs: 1, Instructions: 60registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNELBASE(?,00000E2C), ref: 052A0353

Memory Dump Source

Source File: 00000005.00000002.501447909.00000000052A0000.00000040.00000001.sdmp, Offset: 052A0000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 7619d7d3438ffc20042e4b78ced8bc1ff234e3b4f484ae3c399d87da2e768f49
Instruction ID: 7ba563449dadc0ad09e4f4ba054bec77cec84f17c517c36b505d2c6f80356d30
Opcode Fuzzy Hash: 7619d7d3438ffc20042e4b78ced8bc1ff234e3b4f484ae3c399d87da2e768f49
Instruction Fuzzy Hash: 6911C172100700AFEB21DF15DD85F76FBA8EF04720F14849AFE494A291C2B5A548CBB5

Uniqueness

Uniqueness Score: -1.00%

Function 052A0D33, Relevance: 1.6, APIs: 1, Instructions: 56COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNELBASE(?), ref: 052A0D98

Memory Dump Source

Source File: 00000005.00000002.501447909.00000000052A0000.00000040.00000001.sdmp, Offset: 052A0000, based on PE: false

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: 3e8e4083766865e3da5439e94e82a5e67e4afa8c8b12d32a5c9408d828030ff0
Instruction ID: 1e9f229bf7d5a3b0c5945973af2b7a9ac2d4ecc4141e6d6ce9924ab826fb306c
Opcode Fuzzy Hash: 3e8e4083766865e3da5439e94e82a5e67e4afa8c8b12d32a5c9408d828030ff0
Instruction Fuzzy Hash: 871160754093C09FD7128F25DC44B96BFB4EF06224F0984EBED888F153D279A449CB61

Uniqueness

Uniqueness Score: -1.00%

Function 052A0EBE, Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 052A0F06

Memory Dump Source

Source File: 00000005.00000002.501447909.00000000052A0000.00000040.00000001.sdmp, Offset: 052A0000, based on PE: false

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: f031bbf29d1057e1883e0b0a57d9139dc374d6a55482c2f33ac2d292ee738071
Instruction ID: a996f70faff4ad0f3bd5841a188f206386259793f22e8d5c40e106daab27a655
Opcode Fuzzy Hash: f031bbf29d1057e1883e0b0a57d9139dc374d6a55482c2f33ac2d292ee738071
Instruction Fuzzy Hash: 4D11AD72A143019FDB20DF29D988B66FBE8FF14320F0884AAED49DB246D674E504CB71

Uniqueness

Uniqueness Score: -1.00%

Function 052A0AD6, Relevance: 1.6, APIs: 1, Instructions: 53fileCOMMON

Download Yara Rule

APIs

CopyFileW.KERNELBASE(?,?,?), ref: 052A0B1E

Memory Dump Source

Source File: 00000005.00000002.501447909.00000000052A0000.00000040.00000001.sdmp, Offset: 052A0000, based on PE: false

Similarity

API ID: CopyFile
String ID:
API String ID: 1304948518-0
Opcode ID: f031bbf29d1057e1883e0b0a57d9139dc374d6a55482c2f33ac2d292ee738071
Instruction ID: b877d77cd40d572fd8cf8fe5e3d3ddc9b3076bb9bdac9f43f14660515b81f831
Opcode Fuzzy Hash: f031bbf29d1057e1883e0b0a57d9139dc374d6a55482c2f33ac2d292ee738071
Instruction Fuzzy Hash: E011A1726103058FDB10DF29D989B66FBD8FF04324F0884AAED49CB242D274E404CB71

Uniqueness

Uniqueness Score: -1.00%

Function 052A0932, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E2C,DC0C5294,00000000,00000000,00000000,00000000), ref: 052A0985

Memory Dump Source

Source File: 00000005.00000002.501447909.00000000052A0000.00000040.00000001.sdmp, Offset: 052A0000, based on PE: false

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: f58c8f137161865cf5409a3f755cd096e54eb48a4b7994ce11f8852f849b6412
Instruction ID: 787e834fc66e5563cc83d12cf881eae4c7e729add7ae001dd5cd74828ecce1a0
Opcode Fuzzy Hash: f58c8f137161865cf5409a3f755cd096e54eb48a4b7994ce11f8852f849b6412
Instruction Fuzzy Hash: E301D272510304AFE710DB19DD85F66FBDCEF09720F14809AEE489F251C678A4448AB1

Uniqueness

Uniqueness Score: -1.00%

Function 052A075A, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,?), ref: 052A079F

Memory Dump Source

Source File: 00000005.00000002.501447909.00000000052A0000.00000040.00000001.sdmp, Offset: 052A0000, based on PE: false

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: c00e12535da953f13bc3e7f3a2e896302726260f773577422d457ba325c03ded
Instruction ID: 6c4e05c883c8c0ca931a0d67d11061567aa6260c5c044b4b7a543a9f78d81106
Opcode Fuzzy Hash: c00e12535da953f13bc3e7f3a2e896302726260f773577422d457ba325c03ded
Instruction Fuzzy Hash: 9B11A1766102418FDB51CF29DC88B66FBD8EF04320F08C4AADD09CB642D274E444CF61

Uniqueness

Uniqueness Score: -1.00%

Function 052A1256, Relevance: 1.5, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

K32EnumProcesses.KERNEL32(?,?,?,DC0C5294,00000000,?,?,?,?,?,?,?,?,72AF3C38), ref: 052A1296

Memory Dump Source

Source File: 00000005.00000002.501447909.00000000052A0000.00000040.00000001.sdmp, Offset: 052A0000, based on PE: false

Similarity

API ID: EnumProcesses
String ID:
API String ID: 84517404-0
Opcode ID: 77c1ede3e6ce745dbec6dcab9b33205b4b30b6afd0d5a4cbbb2f40e43490a582
Instruction ID: 18efb338b49f9167b2d35cd35a570f472838904b2b7ed01f988cb1d218c06ab9
Opcode Fuzzy Hash: 77c1ede3e6ce745dbec6dcab9b33205b4b30b6afd0d5a4cbbb2f40e43490a582
Instruction Fuzzy Hash: 21116D766143448FDB20CF69D884BA6FBE8EF04320F0884AAED49CB656E374E454CB61

Uniqueness

Uniqueness Score: -1.00%

Function 052A2802, Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

FormatMessageW.KERNELBASE(?,00000E2C,?,?), ref: 052A2852

Memory Dump Source

Source File: 00000005.00000002.501447909.00000000052A0000.00000040.00000001.sdmp, Offset: 052A0000, based on PE: false

Similarity

API ID: FormatMessage
String ID:
API String ID: 1306739567-0
Opcode ID: d24c7b67975c764d267ac6e2142a31e8c53fe93998997a07120e307a454de057
Instruction ID: bcd9e9187db574391b7a339a4f7e1333fb1d386727214e5d272f88b8552b5541
Opcode Fuzzy Hash: d24c7b67975c764d267ac6e2142a31e8c53fe93998997a07120e307a454de057
Instruction Fuzzy Hash: 7D019E75900200ABD210DF1ADC81B26FBA8EB88A20F14812AED088B645D671F515CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 052A0232, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 052A0264

Memory Dump Source

Source File: 00000005.00000002.501447909.00000000052A0000.00000040.00000001.sdmp, Offset: 052A0000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: c27c920d1ba485cba5c245b91411a213e7ad4105a1306e5f1317121756c60130
Instruction ID: 8417c3bdf27d949204c5dc684ef22f8d64b8e39502d1ecae8bd1985e07f27273
Opcode Fuzzy Hash: c27c920d1ba485cba5c245b91411a213e7ad4105a1306e5f1317121756c60130
Instruction Fuzzy Hash: 6D018F769103409FEB10DF29D9887A6FB94EF44320F08C4AADD498F656E279E448CB61

Uniqueness

Uniqueness Score: -1.00%

Function 052A1636, Relevance: 1.5, APIs: 1, Instructions: 43networkCOMMON

Download Yara Rule

APIs

DnsQuery_A.DNSAPI(?,00000E2C,?,?), ref: 052A1686

Memory Dump Source

Source File: 00000005.00000002.501447909.00000000052A0000.00000040.00000001.sdmp, Offset: 052A0000, based on PE: false

Similarity

API ID: Query_
String ID:
API String ID: 428220571-0
Opcode ID: adb3bead3e7eaea62c71384431fd9bdee7cc750d5358bfa87ae653e529f95509
Instruction ID: a6d46f07ba1da0238fe1c8d05b850eab1bd9b66583ed409d34af5787c362e055
Opcode Fuzzy Hash: adb3bead3e7eaea62c71384431fd9bdee7cc750d5358bfa87ae653e529f95509
Instruction Fuzzy Hash: DD01AD75600200ABD220DF1ADC82B36FBE8FF88B20F14811AED084B745E671F915CBE6

Uniqueness

Uniqueness Score: -1.00%

Function 052A11AA, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 052A11DC

Memory Dump Source

Source File: 00000005.00000002.501447909.00000000052A0000.00000040.00000001.sdmp, Offset: 052A0000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 4f88ad8d3357138a1e434ae92c9419b74ccbf13cea225ad637cc15b718ec14ce
Instruction ID: 693e97831365f26eadd9aa22de0e94926253efd4405b5da371c8a89f7f37dd81
Opcode Fuzzy Hash: 4f88ad8d3357138a1e434ae92c9419b74ccbf13cea225ad637cc15b718ec14ce
Instruction Fuzzy Hash: 0C017C766103408FDB10DF69D984B66FBA4EF44330F08C0AADD498B656D374E418CB62

Uniqueness

Uniqueness Score: -1.00%

Function 051820D0, Relevance: 1.4, Strings: 1, Instructions: 198COMMON

Download Yara Rule

Strings

r*+, xrefs: 0518230F

Memory Dump Source

Source File: 00000005.00000002.501156212.0000000005180000.00000040.00000001.sdmp, Offset: 05180000, based on PE: false

Similarity

API ID:
String ID: r*+
API String ID: 0-3221063712
Opcode ID: 762b0f7cc1b8a90a5c2731b2fed7a920936f6ad2566491fbbc1c1bb63e338601
Instruction ID: 5dd9fdae922be3fe4b7364ec37b2ca81d64c9e97f0804f21e88b282c6f17adc7
Opcode Fuzzy Hash: 762b0f7cc1b8a90a5c2731b2fed7a920936f6ad2566491fbbc1c1bb63e338601
Instruction Fuzzy Hash: 37718434E08209DFCB69EFA8C4556BEBBB2FF44300F21856AD52297255DB349942CF51

Uniqueness

Uniqueness Score: -1.00%

Function 051802E8, Relevance: 1.4, Strings: 1, Instructions: 169COMMON

Download Yara Rule

Strings

`5&r, xrefs: 051803A5

Memory Dump Source

Source File: 00000005.00000002.501156212.0000000005180000.00000040.00000001.sdmp, Offset: 05180000, based on PE: false

Similarity

API ID:
String ID: `5&r
API String ID: 0-1159175248
Opcode ID: f205bb1c467080fbc578a0ba1872abae9271803fbdb2761f05b1b7bb21f20bb8
Instruction ID: 26d6b832c8b0bfef868fb0a7fecb08295244fa3dd65f2a62fae7c9ec775734bc
Opcode Fuzzy Hash: f205bb1c467080fbc578a0ba1872abae9271803fbdb2761f05b1b7bb21f20bb8
Instruction Fuzzy Hash: 3E517030A04205CFCB28DF68C558A7E7BF2EF89300F158069D906AB355DB35AC45CF91

Uniqueness

Uniqueness Score: -1.00%

Function 05182D58, Relevance: 1.4, Strings: 1, Instructions: 135COMMON

Download Yara Rule

Strings

, xrefs: 05182E76

Memory Dump Source

Source File: 00000005.00000002.501156212.0000000005180000.00000040.00000001.sdmp, Offset: 05180000, based on PE: false

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 22dd01f4816f3cb917e95633be294f13e79aa85261459e6b45d27b24a12fc75a
Instruction ID: 4a8dc6d4e8c866e7a71b85ea32b60cdfec40e21331df4f7a8da9b59767013d20
Opcode Fuzzy Hash: 22dd01f4816f3cb917e95633be294f13e79aa85261459e6b45d27b24a12fc75a
Instruction Fuzzy Hash: 8341D238F041459FCB36EB68C8845BEBBA3FBC1314B25C566C4669B601C735E8828F86

Uniqueness

Uniqueness Score: -1.00%

Function 05181458, Relevance: 1.4, Strings: 1, Instructions: 128COMMON

Download Yara Rule

Strings

$g#r, xrefs: 051814C7

Memory Dump Source

Source File: 00000005.00000002.501156212.0000000005180000.00000040.00000001.sdmp, Offset: 05180000, based on PE: false

Similarity

API ID:
String ID: $g#r
API String ID: 0-1127112097
Opcode ID: d780c184d52f6423a094f98ad7d7743ab65b2edaa3ce32e7edf8424c77f222d4
Instruction ID: 0ae1ab6487c6009457b70baf47d4c53db19ba519db266921302d17faa786055d
Opcode Fuzzy Hash: d780c184d52f6423a094f98ad7d7743ab65b2edaa3ce32e7edf8424c77f222d4
Instruction Fuzzy Hash: E4511934A00218CFDB68EF64C894BADBBB2BF49304F5141E9D40AAB365CB359D89CF51

Uniqueness

Uniqueness Score: -1.00%

Function 05181290, Relevance: 1.3, Strings: 1, Instructions: 99COMMON

Download Yara Rule

Strings

$g#r, xrefs: 05181349

Memory Dump Source

Source File: 00000005.00000002.501156212.0000000005180000.00000040.00000001.sdmp, Offset: 05180000, based on PE: false

Similarity

API ID:
String ID: $g#r
API String ID: 0-1127112097
Opcode ID: cec6856acdfbe0aacfb94a1cfe58f69e1901e0b4b9659afffec5c9c8a0ba5199
Instruction ID: 11290f1f56d1b1ca19245c87f095779d3a3efe30a04dcb556fd481db2343cfd1
Opcode Fuzzy Hash: cec6856acdfbe0aacfb94a1cfe58f69e1901e0b4b9659afffec5c9c8a0ba5199
Instruction Fuzzy Hash: 3F414834E44219DFCB68EF68C890BADBBB2BF49304F0141A9D40AAB355CB309D86CF51

Uniqueness

Uniqueness Score: -1.00%

Function 051885F0, Relevance: 1.3, Strings: 1, Instructions: 98COMMON

Download Yara Rule

Strings

r*+, xrefs: 05188707

Memory Dump Source

Source File: 00000005.00000002.501156212.0000000005180000.00000040.00000001.sdmp, Offset: 05180000, based on PE: false

Similarity

API ID:
String ID: r*+
API String ID: 0-3221063712
Opcode ID: aff84ba1d66d506f39b13526294c762120c7437c015f8e95f4fa9f0468cb1235
Instruction ID: 2c7abe59ba9963b46f95b2554b04b100a40826558980476e7270589eae94179d
Opcode Fuzzy Hash: aff84ba1d66d506f39b13526294c762120c7437c015f8e95f4fa9f0468cb1235
Instruction Fuzzy Hash: D8411D34E04209EFCB78EFA5C5596BEBBB2BF44304F61846AD402A7264DB345A41CF51

Uniqueness

Uniqueness Score: -1.00%

Function 0518DC79, Relevance: 1.3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

Strings

l$r, xrefs: 0518DD33

Memory Dump Source

Source File: 00000005.00000002.501156212.0000000005180000.00000040.00000001.sdmp, Offset: 05180000, based on PE: false

Similarity

API ID:
String ID: l$r
API String ID: 0-2735013045
Opcode ID: 6ab030a62ab4d9db53e44bbcf99a847d3b1cf0c2066e4516638c5cdb22298378
Instruction ID: 00d5139e6b0a01fbfc47f833d65e63d35ca40225b349f4d3449ccc2a45c865c7
Opcode Fuzzy Hash: 6ab030a62ab4d9db53e44bbcf99a847d3b1cf0c2066e4516638c5cdb22298378
Instruction Fuzzy Hash: 2121A179A04308DBCB39EA68A4107BEBBF6AB88310F15456EE446DB3C0DF719C418B90

Uniqueness

Uniqueness Score: -1.00%

Function 051805B9, Relevance: 1.3, Strings: 1, Instructions: 51COMMON

Download Yara Rule

Strings

8`q, xrefs: 051805D6

Memory Dump Source

Source File: 00000005.00000002.501156212.0000000005180000.00000040.00000001.sdmp, Offset: 05180000, based on PE: false

Similarity

API ID:
String ID: 8`q
API String ID: 0-956788207
Opcode ID: fad3f7807796f1f6a261f941f3832098e7a8afc156a09c02a0a7c821911c8ec5
Instruction ID: 6f88638a43465beb84aa134f074c099d462f50b36c16ce115100b9f6877658cc
Opcode Fuzzy Hash: fad3f7807796f1f6a261f941f3832098e7a8afc156a09c02a0a7c821911c8ec5
Instruction Fuzzy Hash: D50128207402640FC66D327E50627FF5B9BAFC5110B69802FF04AE7386CE6A9C4747E6

Uniqueness

Uniqueness Score: -1.00%

Function 0518A01F, Relevance: 1.3, Strings: 1, Instructions: 46COMMON

Download Yara Rule

Strings

Hu$r, xrefs: 0518A053

Memory Dump Source

Source File: 00000005.00000002.501156212.0000000005180000.00000040.00000001.sdmp, Offset: 05180000, based on PE: false

Similarity

API ID:
String ID: Hu$r
API String ID: 0-1648227523
Opcode ID: 700d90487443916c6df46421f3f2948930cabc8851d56a5c01498340c92fc0fc
Instruction ID: b753f687aaee03c4a5514f842dff0b97d630107a3d7d3fc0e7dd1bee79ba47fc
Opcode Fuzzy Hash: 700d90487443916c6df46421f3f2948930cabc8851d56a5c01498340c92fc0fc
Instruction Fuzzy Hash: B1F028203481800BC768A67C589067D2F636FC5230765436BE05ACF2DACE188C0A8392

Uniqueness

Uniqueness Score: -1.00%

Function 051805C8, Relevance: 1.3, Strings: 1, Instructions: 45COMMON

Download Yara Rule

Strings

8`q, xrefs: 051805D6

Memory Dump Source

Source File: 00000005.00000002.501156212.0000000005180000.00000040.00000001.sdmp, Offset: 05180000, based on PE: false

Similarity

API ID:
String ID: 8`q
API String ID: 0-956788207
Opcode ID: e573b6c46eae809ade39118f23924367cce82c06bab9dd367f8f4c0d692656ce
Instruction ID: f4301e22eaa86773d27a17e67e159a1631a5797a58c20070900cca17471dc8cc
Opcode Fuzzy Hash: e573b6c46eae809ade39118f23924367cce82c06bab9dd367f8f4c0d692656ce
Instruction Fuzzy Hash: CEF0B4317402240FC55C767E5425ABF629F5BC8650765802FF14AE7385CE7AAC4743E6

Uniqueness

Uniqueness Score: -1.00%

Function 05184710, Relevance: 1.3, Strings: 1, Instructions: 43COMMON

Download Yara Rule

Strings

X1&r, xrefs: 05184747

Memory Dump Source

Source File: 00000005.00000002.501156212.0000000005180000.00000040.00000001.sdmp, Offset: 05180000, based on PE: false

Similarity

API ID:
String ID: X1&r
API String ID: 0-2005001410
Opcode ID: 169e53abb8075d340632b4950273f93f06277bf92304665b23e969f9f0646c6f
Instruction ID: 2d587ea923903cd80e3c07fc709027d13cb6ff2b5d9623e6ec8682a2690de4cf
Opcode Fuzzy Hash: 169e53abb8075d340632b4950273f93f06277bf92304665b23e969f9f0646c6f
Instruction Fuzzy Hash: 6DF059373006508BCE39B2F954107BE32CB9BCA664F84007EE50AC7781DEB6C88247A0

Uniqueness

Uniqueness Score: -1.00%

Function 05187372, Relevance: 1.3, Strings: 1, Instructions: 43COMMON

Download Yara Rule

Strings

Hu$r, xrefs: 051873A3

Memory Dump Source

Source File: 00000005.00000002.501156212.0000000005180000.00000040.00000001.sdmp, Offset: 05180000, based on PE: false

Similarity

API ID:
String ID: Hu$r
API String ID: 0-1648227523
Opcode ID: 26484299d83bc3fe0eeb25ce3ec837c50446c75414ee1f046eaf8a51c60e62d5
Instruction ID: a7b81472636beb3395ef020c984ed1596af51ff7becfca6801e115a02713fc7c
Opcode Fuzzy Hash: 26484299d83bc3fe0eeb25ce3ec837c50446c75414ee1f046eaf8a51c60e62d5
Instruction Fuzzy Hash: 6CF046717082404BC728B27C6C90A7D6F67ABC5230379466AAC16DF3DADE518C014362

Uniqueness

Uniqueness Score: -1.00%

Function 05187380, Relevance: 1.3, Strings: 1, Instructions: 40COMMON

Download Yara Rule

Strings

Hu$r, xrefs: 051873A3

Memory Dump Source

Source File: 00000005.00000002.501156212.0000000005180000.00000040.00000001.sdmp, Offset: 05180000, based on PE: false

Similarity

API ID:
String ID: Hu$r
API String ID: 0-1648227523
Opcode ID: 1a80cb576b04fb4f270011b93d72a8f77ec36061f4a2e5af86d054ec3759150d
Instruction ID: 16fca7fe68c2d4457e3a62019de5514e9962291025cb13eb11b7914716a46530
Opcode Fuzzy Hash: 1a80cb576b04fb4f270011b93d72a8f77ec36061f4a2e5af86d054ec3759150d
Instruction Fuzzy Hash: 0BF0E93174821057C578766D5C80E7E695BEBC53303B1433ABC2ADB3D9DF529C4143A2

Uniqueness

Uniqueness Score: -1.00%

Function 05185EBA, Relevance: 1.3, Strings: 1, Instructions: 25COMMON

Download Yara Rule

Strings

l$r, xrefs: 05185ED6

Memory Dump Source

Source File: 00000005.00000002.501156212.0000000005180000.00000040.00000001.sdmp, Offset: 05180000, based on PE: false

Similarity

API ID:
String ID: l$r
API String ID: 0-2735013045
Opcode ID: 7e4ea53a337538a8cceb3baca325b929dc88323091768136176dcbd1a19fa3d0
Instruction ID: 56c2c7730351335215efbf4223d394bb06e1363adceb6b511142ab16deeb3fdd
Opcode Fuzzy Hash: 7e4ea53a337538a8cceb3baca325b929dc88323091768136176dcbd1a19fa3d0
Instruction Fuzzy Hash: 9DE02610B892D01FD72367BC68605FEAF3AAE8261130508EAD482CB242DE058C03C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 05185EC8, Relevance: 1.3, Strings: 1, Instructions: 20COMMON

Download Yara Rule

Strings

l$r, xrefs: 05185ED6

Memory Dump Source

Source File: 00000005.00000002.501156212.0000000005180000.00000040.00000001.sdmp, Offset: 05180000, based on PE: false

Similarity

API ID:
String ID: l$r
API String ID: 0-2735013045
Opcode ID: ebba88e1396e29d79e5285f9e92b47e5657087b7b545765ff14ec08b3ce52995
Instruction ID: 1c6ad87e9788e95f7ac883a0a33882b652a09a7f32a5b27c511f19aa70c74048
Opcode Fuzzy Hash: ebba88e1396e29d79e5285f9e92b47e5657087b7b545765ff14ec08b3ce52995
Instruction Fuzzy Hash: D4D0A725BC02242BA52576BE5814A7F774FAFC0E6134108B9E406C6341EF05CC0243D5

Uniqueness

Uniqueness Score: -1.00%

Function 051880E0, Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.501156212.0000000005180000.00000040.00000001.sdmp, Offset: 05180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 483b8f192b7e38b82d6177c771da320745ca3c36b5a72fe98cc3060ec5f82b2e
Instruction ID: 3a61c3ba115c743e4fc4d314b7f21c74faef224f95b422d7732d20ae61f025eb
Opcode Fuzzy Hash: 483b8f192b7e38b82d6177c771da320745ca3c36b5a72fe98cc3060ec5f82b2e
Instruction Fuzzy Hash: C0A18175E00619DFCB24DFA8C9849ADFBF1FF48310F61896AD856A7250DB31A946CF80

Uniqueness

Uniqueness Score: -1.00%

Function 05185FB0, Relevance: .2, Instructions: 241COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.501156212.0000000005180000.00000040.00000001.sdmp, Offset: 05180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba444bc50e0d7a666d210c51f0ce6bca6cfe77e6663e62c3c3aee7f5f0807eed
Instruction ID: 77ee18b9a98695f07f0ba1eaa25bd043233490c63b297c796aa1895ee67d0a07
Opcode Fuzzy Hash: ba444bc50e0d7a666d210c51f0ce6bca6cfe77e6663e62c3c3aee7f5f0807eed
Instruction Fuzzy Hash: 8D817E31A00519CFCF25DF14C890AEAB7B3BF85304F1585E5D80AAF216DB71AA86CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0518AABF, Relevance: .2, Instructions: 226COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.501156212.0000000005180000.00000040.00000001.sdmp, Offset: 05180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a449b554aa152089cfa31bd5525f5d92f93287d292532bf14cca1f353fc1eb5
Instruction ID: cd404cb7589d275c7ce8c6f2c33a0f44f168ee911248d1b01856e998b712e595
Opcode Fuzzy Hash: 5a449b554aa152089cfa31bd5525f5d92f93287d292532bf14cca1f353fc1eb5
Instruction Fuzzy Hash: 208195307005168BD704EBA8C4A5AAE7BB7FFC4300F91852EE1059B7A8DF74AD55CB92

Uniqueness

Uniqueness Score: -1.00%

Function 051851F2, Relevance: .2, Instructions: 215COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.501156212.0000000005180000.00000040.00000001.sdmp, Offset: 05180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 258e16f7403df85ef09be1a83c8108a23879e0a1fb350c468f676e012617bb54
Instruction ID: 93da99be03e1a28f81b9bc958d11e4374c19bd31c102240548ffcc542c3c36d4
Opcode Fuzzy Hash: 258e16f7403df85ef09be1a83c8108a23879e0a1fb350c468f676e012617bb54
Instruction Fuzzy Hash: 40818C34A04205AFDB15EBB8C458AADBBF3FF4A304F1644A5D006AB275DB70AD0ACF51

Uniqueness

Uniqueness Score: -1.00%

Function 0518B219, Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.501156212.0000000005180000.00000040.00000001.sdmp, Offset: 05180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13d56ae5aa92e69065a8e7491f9e94168d35c8ac81292313b84bcfbc2f80316a
Instruction ID: 6abd613187bd16c83d95216c20d1530f6f3c6cdb4252b1915f1babe61d775aab
Opcode Fuzzy Hash: 13d56ae5aa92e69065a8e7491f9e94168d35c8ac81292313b84bcfbc2f80316a
Instruction Fuzzy Hash: 42A1F374A04609DFCB24DF69C495AAEFBB2FF88310F14C569D82AA7715D730A981CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0518E519, Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.501156212.0000000005180000.00000040.00000001.sdmp, Offset: 05180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7811d757efd24ec51d4bd852d44a62d86eed4361729f939c88b55a93260d5c04
Instruction ID: 443720b2885fe3dbf5f8a738fc2f80fe4e9191ebc02bd9687c581db204a6bbf9
Opcode Fuzzy Hash: 7811d757efd24ec51d4bd852d44a62d86eed4361729f939c88b55a93260d5c04
Instruction Fuzzy Hash: 8D716D34A04604DFDB28EF64C494BB9BBF6BF88314F258669D512A7761DB31E881CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0518ECD8, Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.501156212.0000000005180000.00000040.00000001.sdmp, Offset: 05180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf9c65fda5b6c00bec06e501d82537c726e750871ed4cb18c386157ef19821f0
Instruction ID: 8e8acf357dac357995a88adc1e83d264ccd818054884d77b02a3b25877306d5f
Opcode Fuzzy Hash: bf9c65fda5b6c00bec06e501d82537c726e750871ed4cb18c386157ef19821f0
Instruction Fuzzy Hash: 76518335A002199FCF28EF54C4949BEB7BBFF84310B158625E506AF355DB30AD45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 051874E8, Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.501156212.0000000005180000.00000040.00000001.sdmp, Offset: 05180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1498af2153788c9950c8b78a0fe5ecd425cf492fe21603425969ee300cabdd6
Instruction ID: b5285795002f2334d551067da03c499ac0353989affd35c6f6320bacab82fb3f
Opcode Fuzzy Hash: a1498af2153788c9950c8b78a0fe5ecd425cf492fe21603425969ee300cabdd6
Instruction Fuzzy Hash: 7831193191061ACFDF25DF14C854BEABBB2EF85304F628494D9097B255DB71AA8ACF80

Uniqueness

Uniqueness Score: -1.00%

Function 05187138, Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.501156212.0000000005180000.00000040.00000001.sdmp, Offset: 05180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13426c47a1c0a05cf7b3a41377a0eba761e0d964f1bc1d22bc5e9ed15685252f
Instruction ID: 83ae15d343c9c72871c51bf6fc94c5b71e247a02a8b6cc1b8da172ea0e519459
Opcode Fuzzy Hash: 13426c47a1c0a05cf7b3a41377a0eba761e0d964f1bc1d22bc5e9ed15685252f
Instruction Fuzzy Hash: 6C512F31B002158BCB28EBB9C5549BEB7F3AB84310B254569D806AB395DF35AD42CB91

Uniqueness

Uniqueness Score: -1.00%

Function 05187A21, Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.501156212.0000000005180000.00000040.00000001.sdmp, Offset: 05180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0479b3f3b6be68787a52d635c3de14d6a45073c6aafba620b92b061f567a8eeb
Instruction ID: 6c5135be675a75619b952b89ed00b9f1017d000215973e7f2cc8b71859a6bb45
Opcode Fuzzy Hash: 0479b3f3b6be68787a52d635c3de14d6a45073c6aafba620b92b061f567a8eeb
Instruction Fuzzy Hash: CC514C34A00215CFCB24EB74C594AACBBF2FF85300F2585A9D44A9B295DB35DC81CF61

Uniqueness

Uniqueness Score: -1.00%

Function 0518CBB8, Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.501156212.0000000005180000.00000040.00000001.sdmp, Offset: 05180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9b626fadc70038091fa132a0aae56ecea563524f3fd01592f247d84962331d8
Instruction ID: 244bf2df74c03bda504b4338c811e56a81981b8403d503ca8a4398c0b99e7f8c
Opcode Fuzzy Hash: f9b626fadc70038091fa132a0aae56ecea563524f3fd01592f247d84962331d8
Instruction Fuzzy Hash: CC418234A006059FD738EF79C49897ABBE3FB88314B15CA29D4569B650DF34AC42CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 05180682, Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.501156212.0000000005180000.00000040.00000001.sdmp, Offset: 05180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbdf64c2c2f3cb5ef272b188c92680ae1f535812009a1f19acaac6264ad2b355
Instruction ID: e2946f6fb0e9c5a7a902ea5b7d8bd77b5d761630c107adf1c76a4563abdf3ff6
Opcode Fuzzy Hash: fbdf64c2c2f3cb5ef272b188c92680ae1f535812009a1f19acaac6264ad2b355
Instruction Fuzzy Hash: D1416C30AA02048BD7287B78EC2C67DBB66FF8471975549AAF442C72A5DF308C568B91

Uniqueness

Uniqueness Score: -1.00%

Function 05180BC0, Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.501156212.0000000005180000.00000040.00000001.sdmp, Offset: 05180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08a10c53502fe453e0c9c9d0bdbb0ebb8df39cac9f708fb7e9fc0c648e11f709
Instruction ID: cb05d8c7c5384f6107a5907129548c21136ed253d1a6356de1b3c7ad09914f3f
Opcode Fuzzy Hash: 08a10c53502fe453e0c9c9d0bdbb0ebb8df39cac9f708fb7e9fc0c648e11f709
Instruction Fuzzy Hash: FC41A831B041188FC739DF68C4546BE7BE7AF89310F1684A6E806AF355CF759C0A8B91

Uniqueness

Uniqueness Score: -1.00%

Function 05182BF8, Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.501156212.0000000005180000.00000040.00000001.sdmp, Offset: 05180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 276d5dd28fdd736bba089e4556c0f0f5a91ce52948a4f502d8c263f894c7af3d
Instruction ID: eded4c53a5816600c9afd848797b0a58d6085f01a4073754d21f3c4bf5ef1bf3
Opcode Fuzzy Hash: 276d5dd28fdd736bba089e4556c0f0f5a91ce52948a4f502d8c263f894c7af3d
Instruction Fuzzy Hash: 3141283860C2958FC73BA7348498579BFF2AF42210B0A8D97D4A6CB652C7759C06CB51

Uniqueness

Uniqueness Score: -1.00%

Function 05186CB8, Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.501156212.0000000005180000.00000040.00000001.sdmp, Offset: 05180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0df3cb50f9540fee3e00df0258bfcc6aad00f88154c1910d2bf3a532637d732e
Instruction ID: 5c8f2c394f2d3ef90a192fabbfc0a6ce84fd9de7cfeb4c3e216b8603d38a4348
Opcode Fuzzy Hash: 0df3cb50f9540fee3e00df0258bfcc6aad00f88154c1910d2bf3a532637d732e
Instruction Fuzzy Hash: 5E41AF34B01210CF871ABB79E8644A97BF6BB8D70075402A9E8069B387DF319C46CB91

Uniqueness

Uniqueness Score: -1.00%

Function 05186CC8, Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.501156212.0000000005180000.00000040.00000001.sdmp, Offset: 05180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d08a1b7ca1594f6e76fc87226d6c4db3a23dbfca73ea85c13a2eb0aa79641e09
Instruction ID: 1e66e395f8d1df9fedc1d585a7a762b6809cb3bc0b0e98dca79af74e523e2d3d
Opcode Fuzzy Hash: d08a1b7ca1594f6e76fc87226d6c4db3a23dbfca73ea85c13a2eb0aa79641e09
Instruction Fuzzy Hash: C841AF34B01200CF871ABB79D4644BD7BE6BB8D7107540269E8069B387DF31AC42CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0518AE60, Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.501156212.0000000005180000.00000040.00000001.sdmp, Offset: 05180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9910bd7ae0624641308e7600f3cc5ff6db006a420e913d68bd87cc1711d1c7e4
Instruction ID: cf6502c8c01ba7301e5dac6c76f3efa3ad70343ad24c75dc55567fb003a5cdc2
Opcode Fuzzy Hash: 9910bd7ae0624641308e7600f3cc5ff6db006a420e913d68bd87cc1711d1c7e4
Instruction Fuzzy Hash: 5331E2B1B046658FCB24EAA9C4945BEBBF6FF88320F24542AE446D7740DB34EC41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 051802DA, Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.501156212.0000000005180000.00000040.00000001.sdmp, Offset: 05180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91c706969e1c31817e320fcc6f0292a3e1a5c98750be0b7f8b8b35b5bff99d1c
Instruction ID: 63a761a52bf5acfe14e95f2b6ba8788d86b44c99e8d7990c6209a86c9be11eb5
Opcode Fuzzy Hash: 91c706969e1c31817e320fcc6f0292a3e1a5c98750be0b7f8b8b35b5bff99d1c
Instruction Fuzzy Hash: E0316B30B006098FDB28DB68C158BBE7BB3EF89710F144469D902AB7A4DB75AC45CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0518ECC9, Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.501156212.0000000005180000.00000040.00000001.sdmp, Offset: 05180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00fa31325610801503a2559792582172c633ead8d6de70db9091198e2cb240b5
Instruction ID: f889a530854dc4df8e2af25729b91a6f989fd6d45a340b495ef7e500253b9325
Opcode Fuzzy Hash: 00fa31325610801503a2559792582172c633ead8d6de70db9091198e2cb240b5
Instruction Fuzzy Hash: 47318235A002199FCF28EF94C8549BEBBBBBF84300F014629E506AB261DB309D09CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0518EBB8, Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.501156212.0000000005180000.00000040.00000001.sdmp, Offset: 05180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eecd81e7b3827685259ac0f4a928bd84fc0d6d12346c769e6a26b46fa19bdf4b
Instruction ID: 94d0dcbc1e6f72d65b9ce6ee25ed7b9f256cb7248e05dc7cee36c2ca05fa8997
Opcode Fuzzy Hash: eecd81e7b3827685259ac0f4a928bd84fc0d6d12346c769e6a26b46fa19bdf4b
Instruction Fuzzy Hash: DE313F75E04604DFCB68EF68C544ABDFBFABB88310F158A69D40AA7241D731D845CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 051845C8, Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.501156212.0000000005180000.00000040.00000001.sdmp, Offset: 05180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e5d15aafa39b32ece6314bd04ebd417a8fb23d6bc0e29cd977e901822c81e83
Instruction ID: 93dab2ae5af6fca3beb30d295eca7bbbe2f01be5310c8998dd97a7bd7804ce2a
Opcode Fuzzy Hash: 4e5d15aafa39b32ece6314bd04ebd417a8fb23d6bc0e29cd977e901822c81e83
Instruction Fuzzy Hash: 2B217531F0011A9BDF24EA95DD41BFEB7BBFB84214F214126D619D3144EFB05905CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0518E258, Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.501156212.0000000005180000.00000040.00000001.sdmp, Offset: 05180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ef7b2e0bbc5dd5a4e53ccda26aeba6be0e06c4e8d53793d0e756d52c28e1598
Instruction ID: aca9f5407c116da867f1f493b6c6e5c0fc76d107e16a98b44532f2266d8ae315
Opcode Fuzzy Hash: 6ef7b2e0bbc5dd5a4e53ccda26aeba6be0e06c4e8d53793d0e756d52c28e1598
Instruction Fuzzy Hash: 7C41F530904B51CFD339EB2AC544776BBE6BF85305F18896EC59B86AA0DB76E841CF00

Uniqueness

Uniqueness Score: -1.00%

Function 0518CC20, Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.501156212.0000000005180000.00000040.00000001.sdmp, Offset: 05180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e81f7da13824109749f6c6129ad193c365cea716c728be324c8482dd6395c86
Instruction ID: af80b3af09c036b9a9b296b9913ea7e8cd66637385652ae13de85a6de903a994
Opcode Fuzzy Hash: 5e81f7da13824109749f6c6129ad193c365cea716c728be324c8482dd6395c86
Instruction Fuzzy Hash: 86313E34A002058FD728FBB9C5989BABBE3EB88314B158929D4129B255DF349C468FA0

Uniqueness

Uniqueness Score: -1.00%

Function 05187128, Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.501156212.0000000005180000.00000040.00000001.sdmp, Offset: 05180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c93928de34125f3c74bbddb10384b66d79d468cee6c57bc4d0cc6042914c7361
Instruction ID: 1126eb8c5b98d3f0208d7585d76c8d7a57e64dca63ff280c56dfe1117a52aa7e
Opcode Fuzzy Hash: c93928de34125f3c74bbddb10384b66d79d468cee6c57bc4d0cc6042914c7361
Instruction Fuzzy Hash: 94312031E002098FCB18EBB9C5549EEBBF3EF84310B158569C816AB355DB31AD46CB90

Uniqueness

Uniqueness Score: -1.00%

Function 051850E0, Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.501156212.0000000005180000.00000040.00000001.sdmp, Offset: 05180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ced08c302cd7f5d1ef3b5ef99d808a4c5f50fd77a9507bc9a73fa4e0a2fd236
Instruction ID: 0cad5e8d65cf9f93876d661b19a8c10ac1b917e75f86f2a1a976e3b53ef8ac8f
Opcode Fuzzy Hash: 6ced08c302cd7f5d1ef3b5ef99d808a4c5f50fd77a9507bc9a73fa4e0a2fd236
Instruction Fuzzy Hash: 40214D75E003099FDB18EFA9C4146AEFBF7AF88300F164529D506AB355EB70A946CF81

Uniqueness

Uniqueness Score: -1.00%

Function 0518DDD8, Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.501156212.0000000005180000.00000040.00000001.sdmp, Offset: 05180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6430a691eda41ac88404164a3a070d9b0d424dc73eb135a4f147d36d03720ad7
Instruction ID: 9526d0344f53a568e08c80e75c3a8a3325573e44ae5cf94f132b2b5da6f98b9b
Opcode Fuzzy Hash: 6430a691eda41ac88404164a3a070d9b0d424dc73eb135a4f147d36d03720ad7
Instruction Fuzzy Hash: D0315C342406028FC754AB78C55056EB7A3BFC13047658D2CE1869F7A8DF7AE8038B91

Uniqueness

Uniqueness Score: -1.00%

Function 05185831, Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.501156212.0000000005180000.00000040.00000001.sdmp, Offset: 05180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8683120bdd33af14c797222fe91f2f609068421ad85fcdac3ef98efc053999c1
Instruction ID: b3c91400c735542ed3064622eb4cb5f66fb878fd3f450e6c5d5b1872ce05d385
Opcode Fuzzy Hash: 8683120bdd33af14c797222fe91f2f609068421ad85fcdac3ef98efc053999c1
Instruction Fuzzy Hash: E321F731B04105ABCB38B7BA98549BEBBE7EFC5210752457AD4139B2A6DF718C018B91

Uniqueness

Uniqueness Score: -1.00%

Function 051885C0, Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.501156212.0000000005180000.00000040.00000001.sdmp, Offset: 05180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40a8a75aa114d472a755615b08db60e7d43093cd1acc07d293c2b5b04b29af09
Instruction ID: 08c8dc75ec3a06bf91403bc70f86e962b2dfcdb938469235b6551345b60d8db8
Opcode Fuzzy Hash: 40a8a75aa114d472a755615b08db60e7d43093cd1acc07d293c2b5b04b29af09
Instruction Fuzzy Hash: B631BA30909284EFCB39EBB4C1557BEBFB2EF41300FA549AAD4429B292D7349905CF52

Uniqueness

Uniqueness Score: -1.00%

Function 0518DF48, Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.501156212.0000000005180000.00000040.00000001.sdmp, Offset: 05180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06d36cdef4c2e3823224094a6d6ced76a238c3c78db5b54597b259cafef21969
Instruction ID: ff4123d6f603d5ac38f82bc947447fe97e95aa9e4464ba414ee0c0a71b575bb7
Opcode Fuzzy Hash: 06d36cdef4c2e3823224094a6d6ced76a238c3c78db5b54597b259cafef21969
Instruction Fuzzy Hash: 18310E30B007058FCB68DFA9D594AAEBBF6AB88700B505529E5069B750DB35EC42CB91

Uniqueness

Uniqueness Score: -1.00%

Function 051843D0, Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.501156212.0000000005180000.00000040.00000001.sdmp, Offset: 05180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d20ccd482618b61248ea6609b1c8735d6475dd1a2ad412c8b9c467905df9e25
Instruction ID: d5559b179507cb072ec40d4543bd43304c61903efd64731835d1b70c5e733933
Opcode Fuzzy Hash: 9d20ccd482618b61248ea6609b1c8735d6475dd1a2ad412c8b9c467905df9e25
Instruction Fuzzy Hash: F531B135540119CFCB18FF68E8588ADBBB2FF8830871585A9E4065B26ADF35E827DF50

Uniqueness

Uniqueness Score: -1.00%

Function 0518DF3B, Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.501156212.0000000005180000.00000040.00000001.sdmp, Offset: 05180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aeb315afc08e209803dddebc586e7c71a9f876261cf450a79fb49d0275a7af08
Instruction ID: 1ad62f6de21c11b8577e564d60128522bd6580e244770cb3ba00ef7712103e70
Opcode Fuzzy Hash: aeb315afc08e209803dddebc586e7c71a9f876261cf450a79fb49d0275a7af08
Instruction Fuzzy Hash: 9B313E31B003058FCB68DFA9C594AAEBBF6AB88300F504529E5069B790DB35DC42CF91

Uniqueness

Uniqueness Score: -1.00%

Function 051855E8, Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.501156212.0000000005180000.00000040.00000001.sdmp, Offset: 05180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15573a4bff48a615d6c4a671b015d6be22e7f09f613d3f6e1d7b4fba529f0961
Instruction ID: 14cbde955063f37d5cf88e19a1ac6b3e4057459d96fc6aef1cd082582b0a0f45
Opcode Fuzzy Hash: 15573a4bff48a615d6c4a671b015d6be22e7f09f613d3f6e1d7b4fba529f0961
Instruction Fuzzy Hash: 1D21C430B402059FDB28AB7894547BE7AF7FB88710F690079E502EB391DFB589458B91

Uniqueness

Uniqueness Score: -1.00%

Function 05188430, Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.501156212.0000000005180000.00000040.00000001.sdmp, Offset: 05180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfc9bbdb4e462de9373f836c0d3b252ececd1d0995c7f44393409dab80da4ff4
Instruction ID: 2039a238aec8834f73b3535c0348053f2134aa55e0bb4b24ba3c6e9a196ae55d
Opcode Fuzzy Hash: dfc9bbdb4e462de9373f836c0d3b252ececd1d0995c7f44393409dab80da4ff4
Instruction Fuzzy Hash: BC317A316542409FC76DFB78E46897E3BA7AB85311796886AE106CB395DF348D01CB41

Uniqueness

Uniqueness Score: -1.00%

Function 051850D0, Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.501156212.0000000005180000.00000040.00000001.sdmp, Offset: 05180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8112f9350c373bc620d82312faa01d55191a4f19af7f91b386fff0aab4548b2a
Instruction ID: c61d1950cba22e5c320ef7e792072bc20cd8aae8f368c08b198c4776485ccb5b
Opcode Fuzzy Hash: 8112f9350c373bc620d82312faa01d55191a4f19af7f91b386fff0aab4548b2a
Instruction Fuzzy Hash: 4221A932E00349AFDB11DFA4D8556EEBBB2EF88310F124465C809AB212E771654ACF80

Uniqueness

Uniqueness Score: -1.00%

Function 05186AE7, Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.501156212.0000000005180000.00000040.00000001.sdmp, Offset: 05180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbde3abeca0a6fdb748a15da54d0039701784892e7f3b76d4c1b05256b218ac4
Instruction ID: 14475d937b124bcbfcdf74b0a44aa57d667911e20485c109972556fcf5eb65a4
Opcode Fuzzy Hash: fbde3abeca0a6fdb748a15da54d0039701784892e7f3b76d4c1b05256b218ac4
Instruction Fuzzy Hash: BC317E346503058BC718AB78D5685AE3BA7EF853083918A6EE04B8F399DF359C57CB81

Uniqueness

Uniqueness Score: -1.00%

Function 0518A748, Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.501156212.0000000005180000.00000040.00000001.sdmp, Offset: 05180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 339b81ee5946d296d758815906c8482b5d247102a614cc430cd7a5cfe6fdaab3
Instruction ID: 8557576a3ba1d3c8beea4329d6c2e95a63a9a0e27b4ff0175b5f6de227251da3
Opcode Fuzzy Hash: 339b81ee5946d296d758815906c8482b5d247102a614cc430cd7a5cfe6fdaab3
Instruction Fuzzy Hash: 49217130B046499BCB38FB74D940ABEB7B3BF88754F11496AD402AB244DB71AC41CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 051821E9, Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.501156212.0000000005180000.00000040.00000001.sdmp, Offset: 05180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8909b4d99cf7092751fc4665b7fa753a6e613973c459881158f50d3ea8765ce
Instruction ID: 0fbccfad589a968b2c114c40ecbbd36d6e77644fd1bb54203cfc305c42ae9edc
Opcode Fuzzy Hash: f8909b4d99cf7092751fc4665b7fa753a6e613973c459881158f50d3ea8765ce
Instruction Fuzzy Hash: 38316B74D08209CFCB7AEBA8C1546BDBBB3FF45300F1140AAD45297265D7359A46CF52

Uniqueness

Uniqueness Score: -1.00%

Function 051825DE, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.501156212.0000000005180000.00000040.00000001.sdmp, Offset: 05180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b222bf349647075c9d8f4bdfc82d187e8c4973a098ae01f63da215f97ec5b728
Instruction ID: e915c56f89cb19fb058fc96abdd60fb2ade90fa0e543e6c5912771be8e560d42
Opcode Fuzzy Hash: b222bf349647075c9d8f4bdfc82d187e8c4973a098ae01f63da215f97ec5b728
Instruction Fuzzy Hash: AC31AA78E0028ACFCB61EF65C54466AFBF2BF84308F20C6A9C015AB254DB74D48ACF41

Uniqueness

Uniqueness Score: -1.00%

Function 051889D6, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.501156212.0000000005180000.00000040.00000001.sdmp, Offset: 05180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60d1fe97add6b1aa277fee6bcb56cb32fbe591fc0c26afb51109e6acab086b17
Instruction ID: d02e2b82480b289f933e01c6164ff3c1808c962d841939c8d7cf6181279e1cb3
Opcode Fuzzy Hash: 60d1fe97add6b1aa277fee6bcb56cb32fbe591fc0c26afb51109e6acab086b17
Instruction Fuzzy Hash: 5A318734A10359CFCB20EF65C45866ABBB2BF84304F54D96AE0059F294DFB89486CF41

Uniqueness

Uniqueness Score: -1.00%

Function 05184F10, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.501156212.0000000005180000.00000040.00000001.sdmp, Offset: 05180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 123251cfb919619487b67984ce154a9dbea80c43b01564e56e3af35517519259
Instruction ID: 361ccaf69871a5e3a5fdc4264a380145ac40232527c2d39205b0401a5d76f3af
Opcode Fuzzy Hash: 123251cfb919619487b67984ce154a9dbea80c43b01564e56e3af35517519259
Instruction Fuzzy Hash: 5921B33021914A8FC73CF778E5A09797B63FB81314716856EE0464B55ECFA898038F91

Uniqueness

Uniqueness Score: -1.00%

Function 051848B9, Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.501156212.0000000005180000.00000040.00000001.sdmp, Offset: 05180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1d540434fef40347524d6763f621eaa060854a75ae11bfcb40fd15089778281
Instruction ID: 4557b6b9338175c87d7ad3dbf96435e4a811a486d5584784a8efec962eb577ee
Opcode Fuzzy Hash: a1d540434fef40347524d6763f621eaa060854a75ae11bfcb40fd15089778281
Instruction Fuzzy Hash: FD110331F041569BCF3AEA78C8609FEBBB7AFC9314B15402AD852B7241DE605A078F90

Uniqueness

Uniqueness Score: -1.00%

Function 0518AE51, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.501156212.0000000005180000.00000040.00000001.sdmp, Offset: 05180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8526d5bedfadc7a3a58ce3c2aaced62cc699be1ff4decce9c442fbf8f7bbe8b3
Instruction ID: 9e26bc7fff97c269517b0936a7751e59ac41d2812ef390ab132bdfd00600b4d8
Opcode Fuzzy Hash: 8526d5bedfadc7a3a58ce3c2aaced62cc699be1ff4decce9c442fbf8f7bbe8b3
Instruction Fuzzy Hash: 752193B1F102259BCB14DE99D8956BEFBB6FB88720F10453AF815E3340D734A915CB94

Uniqueness

Uniqueness Score: -1.00%

Function 05185840, Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.501156212.0000000005180000.00000040.00000001.sdmp, Offset: 05180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c618e55fcff1dfd8c5c0cc470b72c8a4cac315ec8b4b5ccff09c67409f54ded4
Instruction ID: c6eded5ce23c505fb205a8187f115385ffb0ed59451822428fbe836603a2cecc
Opcode Fuzzy Hash: c618e55fcff1dfd8c5c0cc470b72c8a4cac315ec8b4b5ccff09c67409f54ded4
Instruction Fuzzy Hash: DF11B635B00105ABCB3CF7BA885497FBAEBEFC92107524539D4179B3A5DE719C018BA1

Uniqueness

Uniqueness Score: -1.00%

Function 0518A738, Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.501156212.0000000005180000.00000040.00000001.sdmp, Offset: 05180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5fdc676b40910c705ffe4627d6b675a87e1b469400d1020395307c924a40f58
Instruction ID: ccafcee134e8d444deef6609ce942215b132d0dad7576ef6434f0330f0f11657
Opcode Fuzzy Hash: f5fdc676b40910c705ffe4627d6b675a87e1b469400d1020395307c924a40f58
Instruction Fuzzy Hash: F911A230B446559BDB38FA74D941ABE77B3BF88260F15456BD4029B244EB3298019BE1

Uniqueness

Uniqueness Score: -1.00%

Function 051821F8, Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.501156212.0000000005180000.00000040.00000001.sdmp, Offset: 05180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 254f88209ff8cd65ba727df63dced7e593c56c2259a330c1d4bbc37c07e73b08
Instruction ID: fa1353e2b268874afb4499e7b4bb731b778be7715e5abe30a56ba64e5d3180d3
Opcode Fuzzy Hash: 254f88209ff8cd65ba727df63dced7e593c56c2259a330c1d4bbc37c07e73b08
Instruction Fuzzy Hash: B2210C74E08209DFCB79EBA8C1446BDBBB3FB44304F11416AD42297264DB359A45CF52

Uniqueness

Uniqueness Score: -1.00%

Function 05184511, Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.501156212.0000000005180000.00000040.00000001.sdmp, Offset: 05180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2af9456665f71c216f7357e1f4724daefe99e0a276481a5dd578b70d08b95baa
Instruction ID: fd476360edaf00e7418cfc4f175163ec0452e77dfb366f661a5ff7f4e689dd95
Opcode Fuzzy Hash: 2af9456665f71c216f7357e1f4724daefe99e0a276481a5dd578b70d08b95baa
Instruction Fuzzy Hash: 04112732E085458BCF25EA68D4101FFBBB69FC6211F05407ADD469B251CFF1981ACB90

Uniqueness

Uniqueness Score: -1.00%

Function 05185000, Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.501156212.0000000005180000.00000040.00000001.sdmp, Offset: 05180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18d569b64077058d9c2385edcbda76a5d03d83aaba0a0c2871f86e754f22114c
Instruction ID: ea57b87ad191f23e4faaead97a240b6f370487ac5ef49d366a8b70fd29f27473
Opcode Fuzzy Hash: 18d569b64077058d9c2385edcbda76a5d03d83aaba0a0c2871f86e754f22114c
Instruction Fuzzy Hash: 31117231A04215DFCB68FBB8955067E7AE2EB886147564575C80697345EF309D02CBE2

Uniqueness

Uniqueness Score: -1.00%

Function 05184700, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.501156212.0000000005180000.00000040.00000001.sdmp, Offset: 05180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1a577f0d578c727e5b98647a2a8955aa74ec9f8b48fe6eaaf653840f39db2bf
Instruction ID: 3361e30dfb3cd8265a388d3250862ca38a5705a8df04239e16fbef8160bf0370
Opcode Fuzzy Hash: d1a577f0d578c727e5b98647a2a8955aa74ec9f8b48fe6eaaf653840f39db2bf
Instruction Fuzzy Hash: 2D112532A041955FCF31F2B8A854BFA7B66EB82228F1505BAE446D7242DFA248038F40

Uniqueness

Uniqueness Score: -1.00%

Function 051869E9, Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.501156212.0000000005180000.00000040.00000001.sdmp, Offset: 05180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6e961ff1f9cfd99b6049d8198cfae5dffac5863798278306758a4cbbf342ef6
Instruction ID: 619db807d100877bc8364ba7b4be13e788ac27f73b1e7471a100dd6ef9595445
Opcode Fuzzy Hash: a6e961ff1f9cfd99b6049d8198cfae5dffac5863798278306758a4cbbf342ef6
Instruction Fuzzy Hash: BC11D370B001558FCB74FBB895607BEBBE5BB94300F6041BED065D7286EB309955CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0518C698, Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.501156212.0000000005180000.00000040.00000001.sdmp, Offset: 05180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bae6f301a0654dff8fad892101ee8d9b2b39cdfdf59534f34696614afdb5f849
Instruction ID: 6a0305e266276d1a5328ef25a0f01f8b28b464fcc13360383e9424f052413897
Opcode Fuzzy Hash: bae6f301a0654dff8fad892101ee8d9b2b39cdfdf59534f34696614afdb5f849
Instruction Fuzzy Hash: 47118F34B000149BC768FB69C454E7EB7EBABC83147258069E806DB355CF32EC02CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 05185730, Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.501156212.0000000005180000.00000040.00000001.sdmp, Offset: 05180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7bc2f616f5f7ec29b06fe9d08b35f1c7b7c2bb7f0b32b8a26b3f35992c4e045d
Instruction ID: a8ca950668aeebef32b252738ea47b0f0766b845a71aa8397a69e56af4c59530
Opcode Fuzzy Hash: 7bc2f616f5f7ec29b06fe9d08b35f1c7b7c2bb7f0b32b8a26b3f35992c4e045d
Instruction Fuzzy Hash: 02118231A41208DFD728FB74E9916BE7BB3FF44350F61416AC4019A249D7329943CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0518C7C8, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.501156212.0000000005180000.00000040.00000001.sdmp, Offset: 05180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bb558a6a733c8d19b418c4d4156ecf2ef6e807c6d53be8abc74d37c6b6d7571
Instruction ID: 49077089c0510b5fbb279d8e42c359746ebaac70344b9ceca5170ffd6cb53e1e
Opcode Fuzzy Hash: 6bb558a6a733c8d19b418c4d4156ecf2ef6e807c6d53be8abc74d37c6b6d7571
Instruction Fuzzy Hash: 10119070354600CBC228F769815053EBAA39FC6608785886EA04B8F691DF76DC028FA1

Uniqueness

Uniqueness Score: -1.00%

Function 02C3087C, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.496497830.0000000002C30000.00000040.00000040.sdmp, Offset: 02C30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96671d9b1d43cb09eca3bef8c15f26de27fc95c52384c0387e89f3462d128a00
Instruction ID: 3c4190f8557e5e3f9bc30e7b1c5fcf5aa253541bcd6c0b094dd06c361f686405
Opcode Fuzzy Hash: 96671d9b1d43cb09eca3bef8c15f26de27fc95c52384c0387e89f3462d128a00
Instruction Fuzzy Hash: C3110636204384DFE306CB14C940B26BB95EF98718F28CDACE9494B752C37BD803CA91

Uniqueness

Uniqueness Score: -1.00%

Function 051811DF, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.501156212.0000000005180000.00000040.00000001.sdmp, Offset: 05180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d0b0a0ecdfdf890b47fc44bcc9bf1f6d1801f548e92c150a79b93836265811d
Instruction ID: de96a426bffc65b72916497f3d2fa7287152c56cad038ec79dc2c272306e4882
Opcode Fuzzy Hash: 1d0b0a0ecdfdf890b47fc44bcc9bf1f6d1801f548e92c150a79b93836265811d
Instruction Fuzzy Hash: 2C1186313481809FC72AE728C0648B97FF7AF8630072A45EAD442CB276CF658C0BCB41

Uniqueness

Uniqueness Score: -1.00%

Function 0518C3B0, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.501156212.0000000005180000.00000040.00000001.sdmp, Offset: 05180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b7ccbcbe6ccfb88412e4c56cb828017d7812b98dca891124edffac714e4c84c
Instruction ID: 750726856975d7dbd4c33de0dff1c0f4475c3d2da9b1bb5d4d50f72e74b55598
Opcode Fuzzy Hash: 9b7ccbcbe6ccfb88412e4c56cb828017d7812b98dca891124edffac714e4c84c
Instruction Fuzzy Hash: 7F11A0357503209FD309AB78A464B3E3BABEBC9711F0504A5F506DB389DE309C42CB94

Uniqueness

Uniqueness Score: -1.00%

Function 051854F8, Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.501156212.0000000005180000.00000040.00000001.sdmp, Offset: 05180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca24c483d7c90dd02383a3eee87bff055eddd2c47fe4a3576fcb332f20973179
Instruction ID: 484016abe98fe798b0f7bfc285374bf89662c16a490ccb74b7dad0649546ceb6
Opcode Fuzzy Hash: ca24c483d7c90dd02383a3eee87bff055eddd2c47fe4a3576fcb332f20973179
Instruction Fuzzy Hash: A1114F30A512089FC768EBB8E865AFE7FB3FB88300F114669D5069B255DB315947CF90

Uniqueness

Uniqueness Score: -1.00%

Function 05184FF0, Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.501156212.0000000005180000.00000040.00000001.sdmp, Offset: 05180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90d3cfb882bc16acc85145d858f0c0f40914d497d14f91fe3cf58152c53ffb42
Instruction ID: bbde4b4f3647bbfe21db73b4dbb1bc6957b7610f737c154360ff2ad8319cee09
Opcode Fuzzy Hash: 90d3cfb882bc16acc85145d858f0c0f40914d497d14f91fe3cf58152c53ffb42
Instruction Fuzzy Hash: F701D631A052059FC764FBB8A8517FEBBF2EB84210B664136C805D7242EB314943CFE2

Uniqueness

Uniqueness Score: -1.00%

Function 05184789, Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.501156212.0000000005180000.00000040.00000001.sdmp, Offset: 05180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d44b95de0287c4be64921000312b5192766111d0216d66f58a616dba47248ad
Instruction ID: f2294ee9af3c83ff2cf1729a4a2571691897d960cb616c7438ca709f9cf29ce0
Opcode Fuzzy Hash: 5d44b95de0287c4be64921000312b5192766111d0216d66f58a616dba47248ad
Instruction Fuzzy Hash: 45015B31E011498FCB65EBB898512EEBFF2EB89310F20847AC449E7281EA3149468BD1

Uniqueness

Uniqueness Score: -1.00%

Function 0518DAE8, Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.501156212.0000000005180000.00000040.00000001.sdmp, Offset: 05180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ba71235c21f5e1764a0e6c250c44b4c2fb3b781cea5a39cea2a19731d51fd0a
Instruction ID: 7b9a1257cf72a59152cf28f7bf705d0e85f57602d0151a088e6a02cdee225f78
Opcode Fuzzy Hash: 9ba71235c21f5e1764a0e6c250c44b4c2fb3b781cea5a39cea2a19731d51fd0a
Instruction Fuzzy Hash: 54015231B002159FCB283BB9985C66E7BDEEBC9764B554839E406C7355DF35CC0287A0

Uniqueness

Uniqueness Score: -1.00%

Function 0518238F, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.501156212.0000000005180000.00000040.00000001.sdmp, Offset: 05180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75e3291759b8b1025a289f52120898e67609cc2e17b18634e252ba4bb7d8ee43
Instruction ID: f7e2ab1dec41da87b8f644a2e45792f7c90e670f5f56e51ebf451062a758beed
Opcode Fuzzy Hash: 75e3291759b8b1025a289f52120898e67609cc2e17b18634e252ba4bb7d8ee43
Instruction Fuzzy Hash: E5116A78908259CFCB3AEFA4C560ABEBFB2EF48300F114069D962A6345DB754846CF50

Uniqueness

Uniqueness Score: -1.00%

Function 02A6ACF0, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.495923421.0000000002A62000.00000040.00000001.sdmp, Offset: 02A62000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b617d9045280479b5161a61ce74108e450ff27595dd5d07b435f150936c2e4f9
Instruction ID: c02b277db449a57041fde35b2b0977e7f7311a40ab560f91ff5a8c26e28149b6
Opcode Fuzzy Hash: b617d9045280479b5161a61ce74108e450ff27595dd5d07b435f150936c2e4f9
Instruction Fuzzy Hash: 8C11ECB5608301AFD350CF09D880E5BFBE8FB88660F04891EFD9897311D235E9048FA2

Uniqueness

Uniqueness Score: -1.00%

Function 05188048, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.501156212.0000000005180000.00000040.00000001.sdmp, Offset: 05180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a2c03b678394eab046920ff27c39922b0e54ac0ed0e9c5d1e101cb31485eaa4
Instruction ID: e1df45c643c50d37b0ebd055da453cdfb30683f70d991b9d5c87d5e512d67d16
Opcode Fuzzy Hash: 5a2c03b678394eab046920ff27c39922b0e54ac0ed0e9c5d1e101cb31485eaa4
Instruction Fuzzy Hash: 6201B531A08105ABDB38EA64C950ABFBBB29B84310F55486EC546A7341CB72AD458FD1

Uniqueness

Uniqueness Score: -1.00%

Function 0518A358, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.501156212.0000000005180000.00000040.00000001.sdmp, Offset: 05180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74a41e7871742ab137f10cdb67f9ef4999f51c21421a358242cd14fe3b0a6c6c
Instruction ID: 4cda17bcce8c3fb2c333962e6444f45aee80697551cdc20fb4052005c5370fba
Opcode Fuzzy Hash: 74a41e7871742ab137f10cdb67f9ef4999f51c21421a358242cd14fe3b0a6c6c
Instruction Fuzzy Hash: 1C019231A081048BCB39EA54C950EBFBBB29F84220F15446FC946A7A40DB71AD018FD1

Uniqueness

Uniqueness Score: -1.00%

Function 05185740, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.501156212.0000000005180000.00000040.00000001.sdmp, Offset: 05180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68815682d76b03b951ced563fa85af8d50bc8b3bdaa153e6eb8fe163479579e9
Instruction ID: f166166031e01cc6b90f245eb0770d840f9b440a085ab985f8d777fb85a531d0
Opcode Fuzzy Hash: 68815682d76b03b951ced563fa85af8d50bc8b3bdaa153e6eb8fe163479579e9
Instruction Fuzzy Hash: FF113C31A40208DFD728FBB5E990ABE7BB7FB45340F61412AD401AB289D7329902CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0518DAF8, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.501156212.0000000005180000.00000040.00000001.sdmp, Offset: 05180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71480e375ee8b7637095cb72371d12fe77ebc6d17efd16b6a022edde6e2dfd97
Instruction ID: 20e647ed2d29a9a829bf9a5abd5c6b13aa9919b707c2da667f667add28fe0ddf
Opcode Fuzzy Hash: 71480e375ee8b7637095cb72371d12fe77ebc6d17efd16b6a022edde6e2dfd97
Instruction Fuzzy Hash: 9F017C31B002259BCB283AB9985896E7ADFABC97247554839E406C7385DE35CC0287A0

Uniqueness

Uniqueness Score: -1.00%

Function 05188039, Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.501156212.0000000005180000.00000040.00000001.sdmp, Offset: 05180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56af3f417effa880c64c37c1996b4070e91cce3138a0a56e66c0e32888b4a09f
Instruction ID: 7dddd0742050c49530e5232753903ae600f89043f6abd2646cbbe9b00a0ec75e
Opcode Fuzzy Hash: 56af3f417effa880c64c37c1996b4070e91cce3138a0a56e66c0e32888b4a09f
Instruction Fuzzy Hash: 5701D230608145ABD739EE74C9516BE7BF39B84300F5A486DC582AB282CB76AD068FC1

Uniqueness

Uniqueness Score: -1.00%

Function 02C3085F, Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.496497830.0000000002C30000.00000040.00000040.sdmp, Offset: 02C30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abb35a016598f89bcf9b4aaa3eff5cbbac0e8fa53f2b56b2ad9c6ac0e62b911a
Instruction ID: 98487b448c76e0c33af35946c8d334fc3a63bbfca1fe109324ef0c9d0e40e675
Opcode Fuzzy Hash: abb35a016598f89bcf9b4aaa3eff5cbbac0e8fa53f2b56b2ad9c6ac0e62b911a
Instruction Fuzzy Hash: 8E116D351093C4DFD717CB20D890B15BFB1AF96704F298ADED8894B6A3C33A9816CB52

Uniqueness

Uniqueness Score: -1.00%

Function 0518A870, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.501156212.0000000005180000.00000040.00000001.sdmp, Offset: 05180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: deaf0f30a3ebc3757a9d69ad71e5105d1f09b1976a7437a7401ef838ed0970b4
Instruction ID: 9cd268ea0eebb62c1c91bdb951b6c6699098afe36f826c39b811220fae20d781
Opcode Fuzzy Hash: deaf0f30a3ebc3757a9d69ad71e5105d1f09b1976a7437a7401ef838ed0970b4
Instruction Fuzzy Hash: 1B012872E442099FDB64FBB9A8157AEBBF4EB84220F11416BD619D3240EB3199118FE1

Uniqueness

Uniqueness Score: -1.00%

Function 0518C3A0, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.501156212.0000000005180000.00000040.00000001.sdmp, Offset: 05180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0723544808c7c577e5a3915b24ea5ce84a92dd038adf74a0a750747cad3adaec
Instruction ID: a4d2b3ea7dc163821df25133f9ac04168dc0a3379e2e764aa453211e2886aad0
Opcode Fuzzy Hash: 0723544808c7c577e5a3915b24ea5ce84a92dd038adf74a0a750747cad3adaec
Instruction Fuzzy Hash: 260192743143649FD30AAB68E46873A3BAAFB89715F0504A5F506CB299DF309C82CB94

Uniqueness

Uniqueness Score: -1.00%

Function 051869F8, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.501156212.0000000005180000.00000040.00000001.sdmp, Offset: 05180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2cc1c8a3ada8f6d83df96e150974ea2815b244a5358a9d77dae0538bfe0f1636
Instruction ID: edf30fd40edd61d8bd4980bc7fbbead88f36da8a05506a2be5cb90f864028436
Opcode Fuzzy Hash: 2cc1c8a3ada8f6d83df96e150974ea2815b244a5358a9d77dae0538bfe0f1636
Instruction Fuzzy Hash: 39014B75E001089FDB64EBB9E8517BEBBF4FB84210F20417AD619D3285EB305955CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 051855D9, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.501156212.0000000005180000.00000040.00000001.sdmp, Offset: 05180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cce62132438ab4ffc94dfc216e68c1509a60802fef1c6cf02d08097898abbbb6
Instruction ID: f359da8c2ef2fadc0717886f2672899c5930e9935d5ff782d716ebb6487e2e11
Opcode Fuzzy Hash: cce62132438ab4ffc94dfc216e68c1509a60802fef1c6cf02d08097898abbbb6
Instruction Fuzzy Hash: 1BF02B33B140446ACB215578BC552FEFFF7DBC4230F1801B7D944D3602EB11541A8AD0

Uniqueness

Uniqueness Score: -1.00%

Function 05185F59, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.501156212.0000000005180000.00000040.00000001.sdmp, Offset: 05180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b90549fce59b23fa2b6f9e90a38a4a1af7fbeb725e3f6420efb648fb3ebbfbd
Instruction ID: 775899b5dd41ff617d491724c96bb4c0cd38426d610b696001af3ad4e4d20de8
Opcode Fuzzy Hash: 4b90549fce59b23fa2b6f9e90a38a4a1af7fbeb725e3f6420efb648fb3ebbfbd
Instruction Fuzzy Hash: 660171607042A14FC376A2BC08205BA7FD29BC621070A44EFD0AADB383CE629C02CB80

Uniqueness

Uniqueness Score: -1.00%

Function 0518A34F, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.501156212.0000000005180000.00000040.00000001.sdmp, Offset: 05180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b3d884575c4a85a89a540454239158408dce22b9e7f1750de993c22cb2dfe4b
Instruction ID: 80b988bbc350bbe224b058f5a6c3dbff28973b38302eaede902156aacbe21509
Opcode Fuzzy Hash: 3b3d884575c4a85a89a540454239158408dce22b9e7f1750de993c22cb2dfe4b
Instruction Fuzzy Hash: A3015230A081448BD739EB64C561FBF7BF25F85224F19485EC846ABA41DB65AD018F81

Uniqueness

Uniqueness Score: -1.00%

Function 02C305CF, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.496497830.0000000002C30000.00000040.00000040.sdmp, Offset: 02C30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e59d81291b50f4d700c9279fcce5c7757067c05a6671da3f851f217ffc06a322
Instruction ID: fc9e00771cd451027e5a8436de476a1ce9f41f4be95f3e4bc4c59167921a1fc6
Opcode Fuzzy Hash: e59d81291b50f4d700c9279fcce5c7757067c05a6671da3f851f217ffc06a322
Instruction Fuzzy Hash: C701A2B65097806FD7128B16AC51862FFA8EF86220749849BED498B612D129A808CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0518A9E0, Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.501156212.0000000005180000.00000040.00000001.sdmp, Offset: 05180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03bee9e9824fd0e5a30611cf757fc409ad2239be74282652a4ccf72981f4ecb3
Instruction ID: 2a09e7cdb1718b133e4831200f942a3ae88a3c1bd16ffb383c05879864e50274
Opcode Fuzzy Hash: 03bee9e9824fd0e5a30611cf757fc409ad2239be74282652a4ccf72981f4ecb3
Instruction Fuzzy Hash: CF018430244244CFC728FBB8D5258697BA7AF8532070640BBF506CB669DF71DD058B55

Uniqueness

Uniqueness Score: -1.00%

Function 0518A860, Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.501156212.0000000005180000.00000040.00000001.sdmp, Offset: 05180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8aec5d39d3b8b7015b200e572c820afe5cc95bef2e6b0eaef1c416d535af25e3
Instruction ID: 0b321738c97c82de419886a1f539217292d6a8bb524266740e1b9d6e33c025e3
Opcode Fuzzy Hash: 8aec5d39d3b8b7015b200e572c820afe5cc95bef2e6b0eaef1c416d535af25e3
Instruction Fuzzy Hash: 92017C70A042099FCB64FB7898667BEBFF4EF44210F11416AE605E7645EB3089118FD1

Uniqueness

Uniqueness Score: -1.00%

Function 05181218, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.501156212.0000000005180000.00000040.00000001.sdmp, Offset: 05180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38e7d9359543259b18466862164934fdf4a7b6c1a79958728de1c0e115b17a9a
Instruction ID: de8c3d56e30f4324d37d80817e11fffee23048d57cf4139eca9b0ee174d626ba
Opcode Fuzzy Hash: 38e7d9359543259b18466862164934fdf4a7b6c1a79958728de1c0e115b17a9a
Instruction Fuzzy Hash: 71016D313540109BC66CEB2CD05897A7BEBAFC5700B2645AAE006CB279CF759C0ACB81

Uniqueness

Uniqueness Score: -1.00%

Function 05187928, Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.501156212.0000000005180000.00000040.00000001.sdmp, Offset: 05180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7609d86832e753fb13d7e427cbd946238a3129c541dab4ae9915281a92b750f5
Instruction ID: cdee14ee16c93fa3fe87427a46db12e019ae955eed7625d569dd9f814bba0ba4
Opcode Fuzzy Hash: 7609d86832e753fb13d7e427cbd946238a3129c541dab4ae9915281a92b750f5
Instruction Fuzzy Hash: BD01A7359001559FCB16CFA4C8A5AADBFF2EF4C300F0981A5E6859B366DA31C816DF80

Uniqueness

Uniqueness Score: -1.00%

Function 0518A9F0, Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.501156212.0000000005180000.00000040.00000001.sdmp, Offset: 05180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0dd8bd1145523eeccb5eb630397c13d0271b7fac908b2683d6d78d7ed1115f4c
Instruction ID: 0ac04a4ffc5315b88aa52df60b9b3a3fa6ac0d7a1b95d43047ba74d42299a7ce
Opcode Fuzzy Hash: 0dd8bd1145523eeccb5eb630397c13d0271b7fac908b2683d6d78d7ed1115f4c
Instruction Fuzzy Hash: 5FF0A430240204CBC728F7B8D1254697BA7EF8832071541BAF10ACB768EF71DC058B95

Uniqueness

Uniqueness Score: -1.00%

Function 05185FA0, Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.501156212.0000000005180000.00000040.00000001.sdmp, Offset: 05180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b573f666524878568d34feb2fbde9a0adb499f169492b36cceaa23cdb0a50b2
Instruction ID: 097fe8258b3de1af5a1ff0bad508a72c21d0bcff3648129d8a8d2e65b5745446
Opcode Fuzzy Hash: 7b573f666524878568d34feb2fbde9a0adb499f169492b36cceaa23cdb0a50b2
Instruction Fuzzy Hash: E7F02430B04454AFCB34A2785461AFEBFF3DB88650F0640AACD4AE3641DB245A078FC1

Uniqueness

Uniqueness Score: -1.00%

Function 051863D0, Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.501156212.0000000005180000.00000040.00000001.sdmp, Offset: 05180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d60ee74956e4ee7eeb061b7f4ebcde8f4d27428982346ae6ca40295cff053229
Instruction ID: e6653c8391bd44b5dd9e1b145ab2b987f07298a4677d4ef65ddcfd0c33ea1558
Opcode Fuzzy Hash: d60ee74956e4ee7eeb061b7f4ebcde8f4d27428982346ae6ca40295cff053229
Instruction Fuzzy Hash: C1F0B430A055549FCB74A2746811AFEBFF29B95290B514066CD47A3341DF251E468ED1

Uniqueness

Uniqueness Score: -1.00%

Function 051863E0, Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.501156212.0000000005180000.00000040.00000001.sdmp, Offset: 05180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c430ebc7f2eb02744fd9667b6d31aafee09e8b3720ea93e5ff65ee83412e802c
Instruction ID: 826ec51d9dd2aa7c1acbb9e9fb364638e14d0d04311a71804eb23853fd4f0ad4
Opcode Fuzzy Hash: c430ebc7f2eb02744fd9667b6d31aafee09e8b3720ea93e5ff65ee83412e802c
Instruction Fuzzy Hash: D9F0E230B04515DB8B38F2396914ABFBBE79799694F414036CE0BD7384EF255E068ED2

Uniqueness

Uniqueness Score: -1.00%

Function 0518E1E7, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.501156212.0000000005180000.00000040.00000001.sdmp, Offset: 05180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20e9c1c752fbee842e5ef6caf7df737ff9d7347d5bb3b1b10847b98ee71b98b8
Instruction ID: adfe5c93a73f512e525f7217d424920a0c66f2b0a7392ad5c4aef2af2348d0a1
Opcode Fuzzy Hash: 20e9c1c752fbee842e5ef6caf7df737ff9d7347d5bb3b1b10847b98ee71b98b8
Instruction Fuzzy Hash: 49F02772A082505BEB3C719D685C7B67F8FB785311F06033AE81B9B181DB504C008FA1

Uniqueness

Uniqueness Score: -1.00%

Function 05185B19, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.501156212.0000000005180000.00000040.00000001.sdmp, Offset: 05180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8412d632995d97d0e649bdefb5cc79bf2e8acc424f0f714848211a949b0bddc
Instruction ID: 13c29a724cb98bea4824a75ffd673c3634adb7f8abe99cb8bd9907564c737650
Opcode Fuzzy Hash: d8412d632995d97d0e649bdefb5cc79bf2e8acc424f0f714848211a949b0bddc
Instruction Fuzzy Hash: 37F024302096D04BC73273B804A86B9BFD39F93150B6E00DBC8DA9B643DB21D816CF45

Uniqueness

Uniqueness Score: -1.00%

Function 051845B9, Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.501156212.0000000005180000.00000040.00000001.sdmp, Offset: 05180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 046eefdffe80393f3024677e9a54e29a3c07481ebc34cb2a61abe682a8dccb19
Instruction ID: 564cb62100fcd6dfdee5ef530407369b515389a72a7daec5f3d9e4b220ab720c
Opcode Fuzzy Hash: 046eefdffe80393f3024677e9a54e29a3c07481ebc34cb2a61abe682a8dccb19
Instruction Fuzzy Hash: 5FF09E30E043890FCB11CBB89C46BFEBFF8DF8A210F1000ABD488D7152E6200806CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 05189FB1, Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.501156212.0000000005180000.00000040.00000001.sdmp, Offset: 05180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f816f8981728366755903774301bc2b65655789cad5f55045688d5ef92eefb48
Instruction ID: 8eb14aed3e2c1548720ad54123af757d43aaed5696ec0e1e87fe2a636198552c
Opcode Fuzzy Hash: f816f8981728366755903774301bc2b65655789cad5f55045688d5ef92eefb48
Instruction Fuzzy Hash: 38F0F6713083808FC359A77894204B97FB69BC2211359886FE04ECF396CE399C0AC752

Uniqueness

Uniqueness Score: -1.00%

Function 0518C688, Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.501156212.0000000005180000.00000040.00000001.sdmp, Offset: 05180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28b8f785e3d1213965891fc5b2ae9ca6b79c78294b36e1eeb1542e4b86a69ab3
Instruction ID: f68341baba292a6013ff5ddd3ab583c7b6a347abd31976223472d78c4054bd23
Opcode Fuzzy Hash: 28b8f785e3d1213965891fc5b2ae9ca6b79c78294b36e1eeb1542e4b86a69ab3
Instruction Fuzzy Hash: F8F05C367442501B42B9326C1864A3F3FDBC7C4620359013AF849D7342CF11AC1283F5

Uniqueness

Uniqueness Score: -1.00%

Function 051880D0, Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.501156212.0000000005180000.00000040.00000001.sdmp, Offset: 05180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fd3557c68796d3802b48781dd2fab452ebfb13020d157d5ed78a040879e1ce3
Instruction ID: 9abf0c2b5773bfa0de0b126e1b9c7d1d74bf63cc071484b55b9a6e520b8860af
Opcode Fuzzy Hash: 2fd3557c68796d3802b48781dd2fab452ebfb13020d157d5ed78a040879e1ce3
Instruction Fuzzy Hash: C4F09070B04105EFC778EA649D869BBFFF2FF85200F514866D05196100DB30A5158F95

Uniqueness

Uniqueness Score: -1.00%

Function 05180918, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.501156212.0000000005180000.00000040.00000001.sdmp, Offset: 05180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a127afc326a73ec1ec571ff212a0112f94d15549e7dba53e640311e5d8ff9fe
Instruction ID: 965cfc70682a9b3d3fcf111f0601546f32bd3b6b9868ae5fa6f7b56c8367051f
Opcode Fuzzy Hash: 1a127afc326a73ec1ec571ff212a0112f94d15549e7dba53e640311e5d8ff9fe
Instruction Fuzzy Hash: DFE0E532E1621C9ADB34B5F99C481BFBBAA97C9650F0245B7992BA3200DB7058094AD1

Uniqueness

Uniqueness Score: -1.00%

Function 051846A9, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.501156212.0000000005180000.00000040.00000001.sdmp, Offset: 05180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74f06b4bd4a4b1d51bc04dc01871a46156439e9e503f621b9283235d53133a09
Instruction ID: a0860cb4bca119235fc2c43df2d8da2e73768389d18f3c8287aca85ab0c63841
Opcode Fuzzy Hash: 74f06b4bd4a4b1d51bc04dc01871a46156439e9e503f621b9283235d53133a09
Instruction Fuzzy Hash: 87F0A720A441D18FCB3267B864646FD3F62AF4131872900D6E486CB562DE46CC17C786

Uniqueness

Uniqueness Score: -1.00%

Function 0518E169, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.501156212.0000000005180000.00000040.00000001.sdmp, Offset: 05180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8448bad4257263da740cd03c6d998237595ef10b3c91d62f7dbdc9c74cc95ec5
Instruction ID: f3e39dc52a90d14c61a30be404aed8cba54a041fbc28930427fbab9e5e5bf0d0
Opcode Fuzzy Hash: 8448bad4257263da740cd03c6d998237595ef10b3c91d62f7dbdc9c74cc95ec5
Instruction Fuzzy Hash: 24E02B313142115BC634E7D9D52497B7B9EEFC0314741852ED40A8F700DF32E8028BC0

Uniqueness

Uniqueness Score: -1.00%

Function 02C30938, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.496497830.0000000002C30000.00000040.00000040.sdmp, Offset: 02C30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db8f86a91a53104c9855b02ce3d80620bd03ac1c2281c4cc2ebcd3669947181e
Instruction ID: 30865089226a79cf1eac3a0cb1dfb1f680bd05e8d9f137265f5f8639e3116293
Opcode Fuzzy Hash: db8f86a91a53104c9855b02ce3d80620bd03ac1c2281c4cc2ebcd3669947181e
Instruction Fuzzy Hash: 95F01D35104644DFC706CF00D940B16FBA6EB89718F24CAADE9490B752C337D913DA81

Uniqueness

Uniqueness Score: -1.00%

Function 05180908, Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.501156212.0000000005180000.00000040.00000001.sdmp, Offset: 05180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f44d355d5cf87bf08a49fac302f12806923206778abeae8c370375c18e4cc07
Instruction ID: ed6ce19866a8f6bd8d52700bef0a7d6417fe2f13b841992da40b9f4051dd2d8f
Opcode Fuzzy Hash: 2f44d355d5cf87bf08a49fac302f12806923206778abeae8c370375c18e4cc07
Instruction Fuzzy Hash: 09F0A730D1521C9ED774AAF8585C2BFBB66AB89340F034566982B53205DF64581A8A41

Uniqueness

Uniqueness Score: -1.00%

Function 0518EB28, Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.501156212.0000000005180000.00000040.00000001.sdmp, Offset: 05180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4438cec3c4a9abf357e254c649d93b7fb7bb8b1b4cd29ede08c5f96389f6039e
Instruction ID: 1b385f97302e570a4dfbeaa919a7f117193a8955ca478492bd25a72ea7e52775
Opcode Fuzzy Hash: 4438cec3c4a9abf357e254c649d93b7fb7bb8b1b4cd29ede08c5f96389f6039e
Instruction Fuzzy Hash: C7F0E53120425197C234E658C951E7BBB9ADBC5650B88842ED02B8B740DF26DC064B90

Uniqueness

Uniqueness Score: -1.00%

Function 05189FC8, Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.501156212.0000000005180000.00000040.00000001.sdmp, Offset: 05180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ebb0bc01d73296355b85c9004b80a11772fbf0cf0530dcc74d856f68e7bf79a
Instruction ID: d111020a015936dabf0da88ef2b60ffadcda0f9e5211ffbf066f09f8a8461a36
Opcode Fuzzy Hash: 4ebb0bc01d73296355b85c9004b80a11772fbf0cf0530dcc74d856f68e7bf79a
Instruction Fuzzy Hash: BDF0A7313002008B8718A76C941087D7BABDBC5320359883EF10ECF354CF36DC468B51

Uniqueness

Uniqueness Score: -1.00%

Function 0518C9BE, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.501156212.0000000005180000.00000040.00000001.sdmp, Offset: 05180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a77661a00a485deb22087c853243d87889036d316cd0f0a7d7ae10dbc864290
Instruction ID: 7a9de348a44049f33ef642147f02dafada418b3bf583bd81fc0858f889f09b23
Opcode Fuzzy Hash: 0a77661a00a485deb22087c853243d87889036d316cd0f0a7d7ae10dbc864290
Instruction Fuzzy Hash: 5DE0D131718281DB8A35F159542147D3B5B5BD669531750DBD107CF251DE558C0187F2

Uniqueness

Uniqueness Score: -1.00%

Function 0518730F, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.501156212.0000000005180000.00000040.00000001.sdmp, Offset: 05180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5b7b9ff059aa549e8f1aac5d534eb5ebf75f84d2a6c6b885c76a3311c16021b
Instruction ID: 3ba6a977b05d2502e8035164f831eb0bfb3237a5379859b9e3bb30b9e4fc3148
Opcode Fuzzy Hash: e5b7b9ff059aa549e8f1aac5d534eb5ebf75f84d2a6c6b885c76a3311c16021b
Instruction Fuzzy Hash: 5AE09B34F415504BCF15B3F994287FD96869FC4A18F844839C917CB7C5EF208C168B92

Uniqueness

Uniqueness Score: -1.00%

Function 051857A2, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.501156212.0000000005180000.00000040.00000001.sdmp, Offset: 05180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac9f5ed4672a3cf81b104f654df24814f7e325969c932fc28b4a821672a5b578
Instruction ID: 373e7c37c067ed153d4f2342997d4b21cac597f9a0788bcd564526bcdb642d86
Opcode Fuzzy Hash: ac9f5ed4672a3cf81b104f654df24814f7e325969c932fc28b4a821672a5b578
Instruction Fuzzy Hash: C0F0A031F44504DBDB28FBB8EA647BC77A3EF84205F628536D1069B188EF3058028F51

Uniqueness

Uniqueness Score: -1.00%

Function 05186380, Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.501156212.0000000005180000.00000040.00000001.sdmp, Offset: 05180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db5bdc5c2603cc9be21ef21b444a5373d7fe0ae860ac0dc8cfdc7e1ae5657edd
Instruction ID: 19aaed9f9d7f9ff918e39ef97c07e112e462b17c78a61c9d24cf956850e0ee6b
Opcode Fuzzy Hash: db5bdc5c2603cc9be21ef21b444a5373d7fe0ae860ac0dc8cfdc7e1ae5657edd
Instruction Fuzzy Hash: D0E0D82098D4D48FE73132B85419EFC6FA6DB52311B190097DD8AC7152CF868C438F92

Uniqueness

Uniqueness Score: -1.00%

Function 05188559, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.501156212.0000000005180000.00000040.00000001.sdmp, Offset: 05180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 452c4aa62924c91383cf6e7fc60c5f2d928bfe3da0ebd893cbc8c1a4af1a0cbc
Instruction ID: 6508844eb80eca1baa990fc0b5dc1da7cf573b2ea2b617dcec56024b5cfe233d
Opcode Fuzzy Hash: 452c4aa62924c91383cf6e7fc60c5f2d928bfe3da0ebd893cbc8c1a4af1a0cbc
Instruction Fuzzy Hash: 2CE0ED36E052928FCB696BA4A9345703FF2EB9C26130409AAD442DB301CF31880ACF95

Uniqueness

Uniqueness Score: -1.00%

Function 02C305F6, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.496497830.0000000002C30000.00000040.00000040.sdmp, Offset: 02C30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5ce13fb42b6a0949fadea1f8a75b63850053a1d2164f52c2bb0b8f8208d8b3d
Instruction ID: 194435f137201312397b3f56e1a1e97d14f6ea7bb7003080619312b99718ed03
Opcode Fuzzy Hash: f5ce13fb42b6a0949fadea1f8a75b63850053a1d2164f52c2bb0b8f8208d8b3d
Instruction Fuzzy Hash: 81E092B66006004BD650CF0AEC81456FBD8EB84630B18C47FDC0D8B701D139F504CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0518E178, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.501156212.0000000005180000.00000040.00000001.sdmp, Offset: 05180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 023f7ff8b335df16d0269b3552cdc7e6de1f23e942039780401e5474e1915c91
Instruction ID: 1bcda6f334411a4dff3fcf5be1a6af348c8044ef8c0604f2027ff8ad6d77b382
Opcode Fuzzy Hash: 023f7ff8b335df16d0269b3552cdc7e6de1f23e942039780401e5474e1915c91
Instruction Fuzzy Hash: CEE0DF323002215B8634E69CC92087BBB9ECBC1620341882ED40A8F740EF32EC024BD0

Uniqueness

Uniqueness Score: -1.00%

Function 05188568, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.501156212.0000000005180000.00000040.00000001.sdmp, Offset: 05180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d9dc293250701b8a875a4e1f13a9c3fb1594bf9730352332c6dd3f29deaaa98
Instruction ID: b853fb7ade0fed181d3b72ce64a5a27d33ff1ce32a83b71f4e5977e3924c2feb
Opcode Fuzzy Hash: 1d9dc293250701b8a875a4e1f13a9c3fb1594bf9730352332c6dd3f29deaaa98
Instruction Fuzzy Hash: 16E09236F401259B8B7467A8A934A357BEBE78C7A1310092AE907E3308DF70CC068FD5

Uniqueness

Uniqueness Score: -1.00%

Function 0518BC08, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.501156212.0000000005180000.00000040.00000001.sdmp, Offset: 05180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80a03b41bd297a13732de4ee85c3db7d84f3a52535ebf1b3cd9145495db6636b
Instruction ID: 68169c891088f0c4262323df3afac8bd4d56e22e7f1ad20d54e56aef74933c48
Opcode Fuzzy Hash: 80a03b41bd297a13732de4ee85c3db7d84f3a52535ebf1b3cd9145495db6636b
Instruction Fuzzy Hash: 94F01536204B049F8330DF5AD544C23F7FAEF896203518A6EE59A83A10CB70F8058FA1

Uniqueness

Uniqueness Score: -1.00%

Function 0518EB38, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.501156212.0000000005180000.00000040.00000001.sdmp, Offset: 05180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7053bdc1cd3afbe5788941e94d42837fdfa2f0a77288e91220d7655bea95e2a6
Instruction ID: c8328dd9feab277dddd709746aaf8d39573d1bfc3b2c41c3b6ae0f9ad8aa67a9
Opcode Fuzzy Hash: 7053bdc1cd3afbe5788941e94d42837fdfa2f0a77288e91220d7655bea95e2a6
Instruction Fuzzy Hash: 52E0DF312002114B8238E69CC95087BB79EDBC1620348843EE42F8B700EF32DC064B90

Uniqueness

Uniqueness Score: -1.00%

Function 0518AFA1, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.501156212.0000000005180000.00000040.00000001.sdmp, Offset: 05180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e8f8ce6ebab8f3f42c455877e4b5ace3948cd6e8f72e4cfce44c872a8ef7214
Instruction ID: a994991b6f5fd95221958a2849fa30e54fb8417f48608fc4045dbe9549ff2bc3
Opcode Fuzzy Hash: 7e8f8ce6ebab8f3f42c455877e4b5ace3948cd6e8f72e4cfce44c872a8ef7214
Instruction Fuzzy Hash: 59E01271644B144BC324AE6FD441953FBEAFBD4720B148A3E955982714D7B9A80946A0

Uniqueness

Uniqueness Score: -1.00%

Function 02A6AD3F, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.495923421.0000000002A62000.00000040.00000001.sdmp, Offset: 02A62000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4521bc3eb3e3e54fd84a4d2c05c0277b10b758c1552d4a9dccad5e74fa4db73a
Instruction ID: f97e888d365b5128c2176c8a8c1841958a4086ddd9f4f1523f43f893cdc1dbd4
Opcode Fuzzy Hash: 4521bc3eb3e3e54fd84a4d2c05c0277b10b758c1552d4a9dccad5e74fa4db73a
Instruction Fuzzy Hash: AEE092726402046BD2108E069C81B12FB98EB40A30F04C557EE081B301D175B5048AE5

Uniqueness

Uniqueness Score: -1.00%

Function 0518A920, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.501156212.0000000005180000.00000040.00000001.sdmp, Offset: 05180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24ed019951240da3c2b2e564ceaa7009a8868818f0282d7544e37392e08c73cb
Instruction ID: 0b795db31b09a76b6a66a08982589d5a5512b08cfeac7fb3d096c28ef1ca0b33
Opcode Fuzzy Hash: 24ed019951240da3c2b2e564ceaa7009a8868818f0282d7544e37392e08c73cb
Instruction Fuzzy Hash: 6DE0223470D3848FC7A5B3BC802903D7FEB9F4A22131204ABE55ACB352CE3A4811CB02

Uniqueness

Uniqueness Score: -1.00%

Function 0518C9D0, Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.501156212.0000000005180000.00000040.00000001.sdmp, Offset: 05180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f401775389cad881917ed7a55d5067d4d12deb5132c53f24c1bad2ad556b2549
Instruction ID: a34b966902f80e62af3dc2fb5d2d1e10b99dfbd270cb6f420b852383574dbd70
Opcode Fuzzy Hash: f401775389cad881917ed7a55d5067d4d12deb5132c53f24c1bad2ad556b2549
Instruction Fuzzy Hash: AFE01231714155E74938F15E90118BE728BABD95A571601AFE107CF350EF959C018BF2

Uniqueness

Uniqueness Score: -1.00%

Function 0518EB78, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.501156212.0000000005180000.00000040.00000001.sdmp, Offset: 05180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4d4054aa47bfcac5f094939ea0282eaad7af00dd05f26c85b637d5d0fe44c8f
Instruction ID: 1d5596e9a35449af291ff4a28490112e53a1f70668b39be3678352b4c5576b8e
Opcode Fuzzy Hash: c4d4054aa47bfcac5f094939ea0282eaad7af00dd05f26c85b637d5d0fe44c8f
Instruction Fuzzy Hash: 9EE0263000D220EBC63CB76494A47B2BFAEEB09202F4A466AE04B86100DB2188098F91

Uniqueness

Uniqueness Score: -1.00%

Function 051883E0, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.501156212.0000000005180000.00000040.00000001.sdmp, Offset: 05180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 886759be04f65df1c358b5c16ae27c0700bbab3e5ed23c5b94b79f0293699add
Instruction ID: dda4b429b20b9f4acd78c1f4c42e5e0547e8ae09212aae7f3096ae4c2af3a864
Opcode Fuzzy Hash: 886759be04f65df1c358b5c16ae27c0700bbab3e5ed23c5b94b79f0293699add
Instruction Fuzzy Hash: 67E0ED3216820EEBC628FB58E590D793F66FB44308752881BB901CA66CE774ED15CF81

Uniqueness

Uniqueness Score: -1.00%

Function 0518EA38, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.501156212.0000000005180000.00000040.00000001.sdmp, Offset: 05180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e071d149c8ddb37d2c5625c5dba6a6630ef0a715d47b6c114bfc0a4c1d07df2c
Instruction ID: 9fa775da92e56dff6f33747541989a46c47dc339691bae0e273f821ac3477417
Opcode Fuzzy Hash: e071d149c8ddb37d2c5625c5dba6a6630ef0a715d47b6c114bfc0a4c1d07df2c
Instruction Fuzzy Hash: 5CE0CD753441156BE504A6ED99249B7779DD794750B058859E409C7341CE719C0287C0

Uniqueness

Uniqueness Score: -1.00%

Function 05185BA1, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.501156212.0000000005180000.00000040.00000001.sdmp, Offset: 05180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf027f37585131dd34b4dd89af8a85a46baedc20ffac1a80c43d4bf92dcab1ea
Instruction ID: 36da0d31dd9a2f75dc68fc17b90a7d65d314da3d7b32066876f918ece9919677
Opcode Fuzzy Hash: bf027f37585131dd34b4dd89af8a85a46baedc20ffac1a80c43d4bf92dcab1ea
Instruction Fuzzy Hash: 16D0C22060E1946FCB3672B404B10BD1FA74E9702031A45FAC8868B243CD8548034B82

Uniqueness

Uniqueness Score: -1.00%

Function 05182D20, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.501156212.0000000005180000.00000040.00000001.sdmp, Offset: 05180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 392daf0f765cf0f1e7ffb9b7acee9a6db063461a0bd42ed3ee6772a2c2f525c4
Instruction ID: 7f0a6f643e49c1bce14e264a4d1e613217ab3cf06561243cc237354aed73b931
Opcode Fuzzy Hash: 392daf0f765cf0f1e7ffb9b7acee9a6db063461a0bd42ed3ee6772a2c2f525c4
Instruction Fuzzy Hash: 74D0173C04D2C49ED37B527858BB7F47F32DB1B301F1A0AD2D4D64E4A2826224178E41

Uniqueness

Uniqueness Score: -1.00%

Function 05180170, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.501156212.0000000005180000.00000040.00000001.sdmp, Offset: 05180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57211fe24666409d0d186f26ced1bb8c37f125c458c9874966414c81dc433a5c
Instruction ID: 7273d53751378437d13d904daba8ec47c309c18767fdbbdef0ca51c31db1c064
Opcode Fuzzy Hash: 57211fe24666409d0d186f26ced1bb8c37f125c458c9874966414c81dc433a5c
Instruction Fuzzy Hash: D2E0C23054A7808FC71A5770A02E4AC7F71EE0620131409EEDC46CBA62DE3AD4A3CF00

Uniqueness

Uniqueness Score: -1.00%

Function 05186390, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.501156212.0000000005180000.00000040.00000001.sdmp, Offset: 05180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1244ce2e0eafbce451385679dd7e44c29bed40f6a5b6b63283544b246cd5353d
Instruction ID: a7b54eaac6bf0b4e55448a0d868d94adcf731918e2055974720a5a694ebe0d7a
Opcode Fuzzy Hash: 1244ce2e0eafbce451385679dd7e44c29bed40f6a5b6b63283544b246cd5353d
Instruction Fuzzy Hash: E8D05B31A9C459C7E63475A85508FBD758F9751356F050027DE0FC2240DFD69C404BD7

Uniqueness

Uniqueness Score: -1.00%

Function 051802A0, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.501156212.0000000005180000.00000040.00000001.sdmp, Offset: 05180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbdfd37784b5c8d5f8138347dda7ad2bc3f508ffb9dd4832e8e66096bf58f42a
Instruction ID: a74fbdfc297e512a1150c30a1998e9588770b020665372eb1ce6fe0876c150de
Opcode Fuzzy Hash: dbdfd37784b5c8d5f8138347dda7ad2bc3f508ffb9dd4832e8e66096bf58f42a
Instruction Fuzzy Hash: 02E0C23044DB84CFC372D3A495AA4A5BFF6EF4A600305CC8ED4C24795ACB68BC1ACB01

Uniqueness

Uniqueness Score: -1.00%

Function 0518E1B9, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.501156212.0000000005180000.00000040.00000001.sdmp, Offset: 05180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b645619269d6f5946800a2956a35655ded1ca2d19931fbc13eeaa51b1cc7b7d
Instruction ID: 80b99bd31f236f89254c0ad0f9bdcc572953b75b14cac6aef2df315170aad2eb
Opcode Fuzzy Hash: 4b645619269d6f5946800a2956a35655ded1ca2d19931fbc13eeaa51b1cc7b7d
Instruction Fuzzy Hash: 89E01231119701DBC33CAB91E428672776EFB45765F12466AF4064E510CB727850CF80

Uniqueness

Uniqueness Score: -1.00%

Function 051874A8, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.501156212.0000000005180000.00000040.00000001.sdmp, Offset: 05180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfc4c44e4add19ed1b9f1dd6a772ae7785a323202c0a0c969de78592d9876040
Instruction ID: edef19de1e406508de5a1911c3577b6dd97f66698474a06c4602991d4b6313de
Opcode Fuzzy Hash: cfc4c44e4add19ed1b9f1dd6a772ae7785a323202c0a0c969de78592d9876040
Instruction Fuzzy Hash: B0D0C231008710DBDB39F6A5A4006727EEEEB81204F16086E818B057C0877BAC84CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 05185F68, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.501156212.0000000005180000.00000040.00000001.sdmp, Offset: 05180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7531e4ccd401516fccab1bfc0b9bc9be90795897eca6bf1c807bf30848fdcec4
Instruction ID: c77c95819bda6f59c9f5859e52df5e0ff0d06ffa18d2710737841480c4d42ec2
Opcode Fuzzy Hash: 7531e4ccd401516fccab1bfc0b9bc9be90795897eca6bf1c807bf30848fdcec4
Instruction Fuzzy Hash: A4D0A7213802255BA504E5EC8810CBBB39FDBC5520304886FA50ED7341CE739C0287D0

Uniqueness

Uniqueness Score: -1.00%

Function 0518EB88, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.501156212.0000000005180000.00000040.00000001.sdmp, Offset: 05180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 295e763011eded6a9500d0a60f3fb769aadcba8cd1234d57d104182e9e9f2ff8
Instruction ID: ad75e1d9b487461b9f4faffd7ea367789a0379e2a9eb8e294f72453f51db501b
Opcode Fuzzy Hash: 295e763011eded6a9500d0a60f3fb769aadcba8cd1234d57d104182e9e9f2ff8
Instruction Fuzzy Hash: FBD05B31119220DBCA7CF5545090572BB9EEB4951274A476BF54B86500DB2198498FD1

Uniqueness

Uniqueness Score: -1.00%

Function 051857F6, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.501156212.0000000005180000.00000040.00000001.sdmp, Offset: 05180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 170955ac052b0a7e794d9e11d9ebcd80e35909c4122db59b865c79dcd410c405
Instruction ID: f5d156233cc0df1f821ed94eb4023ef7d4a30212721ed4f92a778a32615e836e
Opcode Fuzzy Hash: 170955ac052b0a7e794d9e11d9ebcd80e35909c4122db59b865c79dcd410c405
Instruction Fuzzy Hash: AED0EC35E44004DBCA28B7E5AA592FCBBA2DB84129B025477C11797101DF3044168B92

Uniqueness

Uniqueness Score: -1.00%

Function 0518EA48, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.501156212.0000000005180000.00000040.00000001.sdmp, Offset: 05180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 575ecdf6339e435c90b7618121203368d31ee4e167a745976894de77a7a7ecd3
Instruction ID: e70e7b7e6c4b74ac549ba29383189038f525e9785fc5dc9ab31c4b166b0efb28
Opcode Fuzzy Hash: 575ecdf6339e435c90b7618121203368d31ee4e167a745976894de77a7a7ecd3
Instruction Fuzzy Hash: 50D0A7353802245B6508E5EC8910CBBB39EDBD5510304886EB40AD7341CE729C0287D0

Uniqueness

Uniqueness Score: -1.00%

Function 0518064F, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.501156212.0000000005180000.00000040.00000001.sdmp, Offset: 05180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1e6ce619e9bfefc046bdbaf833737a92b7944f03b01d15699ee911822d30d72
Instruction ID: fc5d71a61cdf6b6c5228c315b238dad1f03ab64db15c694d1af7fe0a1c6d0aa7
Opcode Fuzzy Hash: c1e6ce619e9bfefc046bdbaf833737a92b7944f03b01d15699ee911822d30d72
Instruction Fuzzy Hash: BAD05EB28893888FD77956711C6E1F47F62DFA722476489A6C8414B8228622259BEE21

Uniqueness

Uniqueness Score: -1.00%

Function 0518E1C8, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.501156212.0000000005180000.00000040.00000001.sdmp, Offset: 05180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 334211ece04f3493772ee1f3d927d7d70bae13c85b1950e965625bd989c160dc
Instruction ID: ebc339db824e235238671bbb058bc6e2309a6c5f31037a187b1af26611da13ee
Opcode Fuzzy Hash: 334211ece04f3493772ee1f3d927d7d70bae13c85b1950e965625bd989c160dc
Instruction Fuzzy Hash: A4D0C931219315DB823CFA55E8144B2776FAB456627424A6AF40B4F6009B62B940CF91

Uniqueness

Uniqueness Score: -1.00%

Function 05186F58, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.501156212.0000000005180000.00000040.00000001.sdmp, Offset: 05180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a0939ec5680cffb9ecca245d0aafbbebb033a67d769e75d7ec85179cdc98f5e
Instruction ID: 7a58d875c4a0499b5b7aa4867f2a8e931079372bef132df7b49f9b81774c8a70
Opcode Fuzzy Hash: 9a0939ec5680cffb9ecca245d0aafbbebb033a67d769e75d7ec85179cdc98f5e
Instruction Fuzzy Hash: 1BD0E23AA000048FC700CB88D5849D8F7F1FB88324F28C0A6D905A7251C732EE12CE50

Uniqueness

Uniqueness Score: -1.00%

Function 0518EA80, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.501156212.0000000005180000.00000040.00000001.sdmp, Offset: 05180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f223ef644f23e2446bb82f1d70948e3b893cace1de9d5350fe52857dc9518f82
Instruction ID: 3de6bf54e489776e49627bae585200eadc04f5aa5c72adbd12c5ab32a60406e2
Opcode Fuzzy Hash: f223ef644f23e2446bb82f1d70948e3b893cace1de9d5350fe52857dc9518f82
Instruction Fuzzy Hash: BBC08076DD41484FCF4037F5F41C7B4776CE744305F440454E95D41541EF6458554B10

Uniqueness

Uniqueness Score: -1.00%

Function 0518799E, Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.501156212.0000000005180000.00000040.00000001.sdmp, Offset: 05180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 363600e5bec03dd40b94e4924c056e6eed21e9048cdebb9cc3b3a2524e13ef53
Instruction ID: 0ea9b24986a5ae0108dbd88d535cdb927f1d009ef310ad02748c0d620c5bbc5c
Opcode Fuzzy Hash: 363600e5bec03dd40b94e4924c056e6eed21e9048cdebb9cc3b3a2524e13ef53
Instruction Fuzzy Hash: 5BD01C70A40208CFCB29EB7199A40AD37E2EB08220321072AE8129B386E7384812CF00

Uniqueness

Uniqueness Score: -1.00%

Function 05185478, Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.501156212.0000000005180000.00000040.00000001.sdmp, Offset: 05180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2ce17ea6498b9780f3c41260b08b7566ede5083035e1d298d5cfec522ff7b2b
Instruction ID: 50436df6e6d8032640c39e3098c97a1c7390ba6ffaf0744a0ea34fd41f020d6a
Opcode Fuzzy Hash: e2ce17ea6498b9780f3c41260b08b7566ede5083035e1d298d5cfec522ff7b2b
Instruction Fuzzy Hash: CBD0C930888244ABDB3477B8680D73DBA6AE70070AB060581D01780A61FF24C87ACE12

Uniqueness

Uniqueness Score: -1.00%

Function 0518D161, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.501156212.0000000005180000.00000040.00000001.sdmp, Offset: 05180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24038d55675345135fe5b233587dff2ffd71439f7cf1fd0a0a013e4ec7048543
Instruction ID: 85ebad963b28fbd3f472e4af43fcf981c167ff2de7279f8dea247f141ecebf38
Opcode Fuzzy Hash: 24038d55675345135fe5b233587dff2ffd71439f7cf1fd0a0a013e4ec7048543
Instruction Fuzzy Hash: D6D012310A8348D7C316B715E8197657F29FB16340F4A0459F4014519EDF64A616CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 05180180, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.501156212.0000000005180000.00000040.00000001.sdmp, Offset: 05180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbd7da247c133397b3d64ce6d929d64b0c6b14d9c6c7f390a63baaed37d21cf8
Instruction ID: c558a16baf9764e782a9c9acf1266582c178248e242e621119375a2581082bd4
Opcode Fuzzy Hash: cbd7da247c133397b3d64ce6d929d64b0c6b14d9c6c7f390a63baaed37d21cf8
Instruction Fuzzy Hash: 1BD0E935641304CFCB1D6B74A01D42877A9AB456063500979E91686754DF7AE852DA44

Uniqueness

Uniqueness Score: -1.00%

Function 05185B28, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.501156212.0000000005180000.00000040.00000001.sdmp, Offset: 05180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3eabafb6811b9e4ce2e13736f74392789358c61c2d9f0790c3f6690d634436d3
Instruction ID: de7d321aaeb5fad7d0e78bc8fe38df855d2f5e7e08c792fb9b894c49ca8bdc37
Opcode Fuzzy Hash: 3eabafb6811b9e4ce2e13736f74392789358c61c2d9f0790c3f6690d634436d3
Instruction Fuzzy Hash: EFC08C30681A048FCA203BB0298E63DBB8FDF412093890454E80AC9000EF34D4204941

Uniqueness

Uniqueness Score: -1.00%

Function 05180660, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.501156212.0000000005180000.00000040.00000001.sdmp, Offset: 05180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1b3ae39c055e79c1756c6041b99b774c20cffc3fb364083c87e4dfe394102cb
Instruction ID: 1f67f4a37b648f233d9a9283ed357a610e905aa9e0457a8661f79f42c2a6cc70
Opcode Fuzzy Hash: d1b3ae39c055e79c1756c6041b99b774c20cffc3fb364083c87e4dfe394102cb
Instruction Fuzzy Hash: 27C02B3008530CCEC23CF6722C0D539B30A9BC4304720C833D40100120CF32B46ACC61

Uniqueness

Uniqueness Score: -1.00%

Function 05186360, Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.501156212.0000000005180000.00000040.00000001.sdmp, Offset: 05180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08396cff8d25d999751a5958f290bebe8f41b0f475f85ee008d5a2def9f77acb
Instruction ID: 68f52d1ea4dde37f0c9af9a2be4be53ea986064cc299bb4d7d8a55c4673c3ed4
Opcode Fuzzy Hash: 08396cff8d25d999751a5958f290bebe8f41b0f475f85ee008d5a2def9f77acb
Instruction Fuzzy Hash: 1FB0920C42D6C5DFC72303B41D7A851AFB4AC0700138D40E68CD086A53860C282AA353

Uniqueness

Uniqueness Score: -1.00%

Function 0518C799, Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.501156212.0000000005180000.00000040.00000001.sdmp, Offset: 05180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fd0522175d07b50bd144f3cb97c517886cfc93af0d9bf7f0f72b10e5661aed6
Instruction ID: 63d23587a8fe369cfe12ecf7dc496f0c87981993be9137c1ce3242a8a6e28291
Opcode Fuzzy Hash: 9fd0522175d07b50bd144f3cb97c517886cfc93af0d9bf7f0f72b10e5661aed6
Instruction Fuzzy Hash: 22C09B355916008FDF059731D4793553735F742306F981455F562C73C4DA3DD405D750

Uniqueness

Uniqueness Score: -1.00%

Function 0518D170, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.501156212.0000000005180000.00000040.00000001.sdmp, Offset: 05180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e9980ac39cd3e8724fd4643c4ffd7c68da8a3450395541756e9be5c335977b5
Instruction ID: 02957eb5db58bd0ec538033cd78862301e032f6942f03a197a3c7994cdd45086
Opcode Fuzzy Hash: 0e9980ac39cd3e8724fd4643c4ffd7c68da8a3450395541756e9be5c335977b5
Instruction Fuzzy Hash: B2B092700A830CD78269F715E94A87A7B2EFA526407820519F402410EEEF64A9128BA6

Uniqueness

Uniqueness Score: -1.00%

Function 05186F7C, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.501156212.0000000005180000.00000040.00000001.sdmp, Offset: 05180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9331830965d72d12fcbefa973c87c0cf332396a92bd300e1243d284f656f33ac
Instruction ID: 7717d95729b12216f5d129a8e791a4e2e548e05982b33ca4e61fc317a67e9060
Opcode Fuzzy Hash: 9331830965d72d12fcbefa973c87c0cf332396a92bd300e1243d284f656f33ac
Instruction Fuzzy Hash: BBB092B7A04048C9DB20DA84B4423EDF770E7A0365F104023C31092000C33A01648A91

Uniqueness

Uniqueness Score: -1.00%

Function 0518EA90, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.501156212.0000000005180000.00000040.00000001.sdmp, Offset: 05180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d3c67876cbb22a0ca6686012a276c25a22794b6f7c190a63e7b97116e46b062
Instruction ID: 19e9f4206b4826195e9187ad50998069dc9310fa731fa09397649cc5c275f4dc
Opcode Fuzzy Hash: 8d3c67876cbb22a0ca6686012a276c25a22794b6f7c190a63e7b97116e46b062
Instruction Fuzzy Hash: 4BB01260E8470C4BCD8033F8700C42CB78C0A4061178404D1982D43282FFA9B8180951

Uniqueness

Uniqueness Score: -1.00%

Function 05182EC0, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.501156212.0000000005180000.00000040.00000001.sdmp, Offset: 05180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83cce31870ad6430b39ac4d16ed1507d6cc1139b7fd522a56c6ec6be2c41538b
Instruction ID: 6cec9b97e928ec1bbb16f72e2aad819d2a1a462f37e39a76f15118d30b3bb26b
Opcode Fuzzy Hash: 83cce31870ad6430b39ac4d16ed1507d6cc1139b7fd522a56c6ec6be2c41538b
Instruction Fuzzy Hash: 38B012302442090B179066B9280CE33738C56405053500460D81CC0000FB20D0E02545

Uniqueness

Uniqueness Score: -1.00%

Function 0518EB20, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.501156212.0000000005180000.00000040.00000001.sdmp, Offset: 05180000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7f81c82278d69ddda98e66f788c8e2bdac25980fadecd637060e172f220c004
Instruction ID: 4940d8b13dd7d263685b6feb9e77d418302b24f070e306c17a559e9a87b980fc
Opcode Fuzzy Hash: f7f81c82278d69ddda98e66f788c8e2bdac25980fadecd637060e172f220c004
Instruction Fuzzy Hash: 78A00239704444E7CA39F722E9E44363A27A7892203E69755844609029C725980A4D62

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: dhcpmon.exe PID: 6464 Parent PID: 3472 dhcpmon.exeCOMMON

Executed Functions

Function 00CEA4AA, Relevance: 1.6, APIs: 1, Instructions: 79fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,00000E2C,95CAA2CE,00000000,00000000,00000000,00000000), ref: 00CEA53D

Memory Dump Source

Source File: 00000009.00000002.269301255.0000000000CEA000.00000040.00000001.sdmp, Offset: 00CEA000, based on PE: false

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: f2e32e7ec4e0f6fa67d5f6133d929d9ef1d8576eab94214e13a71165bcefbf54
Instruction ID: 7d1acaf1ce38b94bc7d4070445f48916582c711c005c71c68fb4281afa2cb2c6
Opcode Fuzzy Hash: f2e32e7ec4e0f6fa67d5f6133d929d9ef1d8576eab94214e13a71165bcefbf54
Instruction Fuzzy Hash: 76219172409780AFD7128B659C44F96BFB8EF06310F0884DBE988DF153D364A508C772

Uniqueness

Uniqueness Score: -1.00%

Function 00CEA1F4, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNELBASE ref: 00CEA269

Memory Dump Source

Source File: 00000009.00000002.269301255.0000000000CEA000.00000040.00000001.sdmp, Offset: 00CEA000, based on PE: false

Similarity

API ID: ConsoleOutput
String ID:
API String ID: 3985236979-0
Opcode ID: eb3301f4b354b5f1e61fafbb002b29c0121385c0e7a3d8e5fd1e1d01499c6724
Instruction ID: 14ea14143e67a1d956776fe873a8c8b547244651ddd63005017127e2a9acbe02
Opcode Fuzzy Hash: eb3301f4b354b5f1e61fafbb002b29c0121385c0e7a3d8e5fd1e1d01499c6724
Instruction Fuzzy Hash: 4B216D3140E3C05FD7138B658895652BFB4EF13220F0A85DBD9848F1A3D369A949CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00CEA4DE, Relevance: 1.6, APIs: 1, Instructions: 60fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,00000E2C,95CAA2CE,00000000,00000000,00000000,00000000), ref: 00CEA53D

Memory Dump Source

Source File: 00000009.00000002.269301255.0000000000CEA000.00000040.00000001.sdmp, Offset: 00CEA000, based on PE: false

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 48fefe1299a8523e7708651b0ab61494dd1104cd3045f67834e89c74f912a2fe
Instruction ID: 8dbf32a79b7ef4e3a50d0de0224666bf57997fd8fe469b9d6f175c263150895f
Opcode Fuzzy Hash: 48fefe1299a8523e7708651b0ab61494dd1104cd3045f67834e89c74f912a2fe
Instruction Fuzzy Hash: 50119D72400744AEEB21DF56DD40BAAFBA8EF08320F14846AE9499A251D774A5488B72

Uniqueness

Uniqueness Score: -1.00%

Function 00CEA23A, Relevance: 1.5, APIs: 1, Instructions: 34COMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNELBASE ref: 00CEA269

Memory Dump Source

Source File: 00000009.00000002.269301255.0000000000CEA000.00000040.00000001.sdmp, Offset: 00CEA000, based on PE: false

Similarity

API ID: ConsoleOutput
String ID:
API String ID: 3985236979-0
Opcode ID: cad1cb850fe00656d8991afabf2c47bb88b0b901c8a9628ee112a77082056836
Instruction ID: 003462a70693e2931f269db826f41b5e80e327da0521a5b994ba5060c584ef24
Opcode Fuzzy Hash: cad1cb850fe00656d8991afabf2c47bb88b0b901c8a9628ee112a77082056836
Instruction Fuzzy Hash: 0AF0AF318043848FDB109F1AD884761FF94EF04720F18C0AAEE494B216D27AA944CAA2

Uniqueness

Uniqueness Score: -1.00%

Function 027B0818, Relevance: .4, Instructions: 358COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.269460576.00000000027B0000.00000040.00000001.sdmp, Offset: 027B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7a4e554adad0e0aecb4a21edb53990d40008acb3fd3b52ec56b1c6126b99642
Instruction ID: d8d89f42d5c19b26dea41b3eaffb48fd0ee2e3504659be08ee431fc0eb99e934
Opcode Fuzzy Hash: c7a4e554adad0e0aecb4a21edb53990d40008acb3fd3b52ec56b1c6126b99642
Instruction Fuzzy Hash: 65E15630200642CFDB19DF64DA84B6F7BA2FFC4308B24C51DD5868B699DB31E942CB96

Uniqueness

Uniqueness Score: -1.00%

Function 027B010F, Relevance: .2, Instructions: 227COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.269460576.00000000027B0000.00000040.00000001.sdmp, Offset: 027B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 306ca75d4ad119b36240ca709920c1009da1a90536edb9be974d6214074cbfa9
Instruction ID: 95bf0499726cce628cf1bd49fe800dc5b25900d8566c100b8326e61c59e950c0
Opcode Fuzzy Hash: 306ca75d4ad119b36240ca709920c1009da1a90536edb9be974d6214074cbfa9
Instruction Fuzzy Hash: CD91BE35A002458FCB29EB78D958BAE7BF2BF88304F148069D906DB7A4CB718D41CB81

Uniqueness

Uniqueness Score: -1.00%

Function 027B06F8, Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.269460576.00000000027B0000.00000040.00000001.sdmp, Offset: 027B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70187e40f8ef13bfbc64e0be2f9eef289f7cd108a8b8574c830cf9e1b3db1ab2
Instruction ID: d5fd82b727551f235b05b0ec38d4fbe82aac426c483a574498feb72be3a32686
Opcode Fuzzy Hash: 70187e40f8ef13bfbc64e0be2f9eef289f7cd108a8b8574c830cf9e1b3db1ab2
Instruction Fuzzy Hash: FB21E9303012118FCB69AB7CD019B6E3AE6AF85305B2505B8E40ACF7A5EE76DC85C791

Uniqueness

Uniqueness Score: -1.00%

Function 027B06F7, Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.269460576.00000000027B0000.00000040.00000001.sdmp, Offset: 027B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ab914d49d1fedcafe3e8ebbca8727945c21f9b522c44a3ce751183cc726bc73
Instruction ID: 9c7a8611d8c60a25a6f2fb80d7b93ccc6bc34f9c6bf1ccb8b82b2ecf447add63
Opcode Fuzzy Hash: 1ab914d49d1fedcafe3e8ebbca8727945c21f9b522c44a3ce751183cc726bc73
Instruction Fuzzy Hash: 7B212C303012118FCB69AB7CD018B6E3AE6AF85305B2505BCE40ACF7A5EE76CC45CB81

Uniqueness

Uniqueness Score: -1.00%

Function 027B0DD0, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.269460576.00000000027B0000.00000040.00000001.sdmp, Offset: 027B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61002282a9c902f7059bdf28bb9de0e7d0ccc54be8d1b82e933b34429c7bfeba
Instruction ID: d22a8bf92633c1a288eba739ea630920d2b0dd6fe670c14292aeeea07bb5271b
Opcode Fuzzy Hash: 61002282a9c902f7059bdf28bb9de0e7d0ccc54be8d1b82e933b34429c7bfeba
Instruction Fuzzy Hash: B001B171B146485FDB55E7BC98106AF7F75AF85200B1080A6D249CB2A2DF358E46CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00E405D0, Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.269388543.0000000000E40000.00000040.00000040.sdmp, Offset: 00E40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f1869b1cbf43b74a271f89f0cee9ebabef585ac9f56e5846fd71ff47d11b4c3
Instruction ID: 0367c27bdf9fe86fd6d6ea9c854ff4824b5560005ba71e0844e3f15788808783
Opcode Fuzzy Hash: 7f1869b1cbf43b74a271f89f0cee9ebabef585ac9f56e5846fd71ff47d11b4c3
Instruction Fuzzy Hash: CC0186765097846FD7128B16DC51862FFB8EF86630709C49FEC498B612D229A809CB76

Uniqueness

Uniqueness Score: -1.00%

Function 027B00AF, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.269460576.00000000027B0000.00000040.00000001.sdmp, Offset: 027B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b76630dfe0d2f9dbae6104522e8106573c86bfe57d7ebe77da467d75cc361b39
Instruction ID: d12ee2e0dc5050f13e4a8d393b611c109a156587fa6a29a006169fbf30d8984b
Opcode Fuzzy Hash: b76630dfe0d2f9dbae6104522e8106573c86bfe57d7ebe77da467d75cc361b39
Instruction Fuzzy Hash: 18F03071D4A2899FCF62DFB89C44BEFBFF4EE59350B2401AAD048E3112E2310615CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00E405F6, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.269388543.0000000000E40000.00000040.00000040.sdmp, Offset: 00E40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8108508af5517ab08131d76f6156db99998f8ee713b610582511cb56d25cba0e
Instruction ID: 815eee6c44fa756b738d1d7246fce680aff149ee78e1b916faec1809b06bdbb2
Opcode Fuzzy Hash: 8108508af5517ab08131d76f6156db99998f8ee713b610582511cb56d25cba0e
Instruction Fuzzy Hash: C3E092B66406045BD650CF0AEC81456FBD8EB84630B18C47FDC0D8B701E23AB504CEA5

Uniqueness

Uniqueness Score: -1.00%

Function 027B0DC0, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.269460576.00000000027B0000.00000040.00000001.sdmp, Offset: 027B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b04dcfc4fd947899101ef6fed76c3ebaccca48c117ebda8d6958b4b4bd1592cd
Instruction ID: e0075105a89e26833940194bfcb9cbb980dfe940870b872f9d7fe7669e5f9d65
Opcode Fuzzy Hash: b04dcfc4fd947899101ef6fed76c3ebaccca48c117ebda8d6958b4b4bd1592cd
Instruction Fuzzy Hash: 98E0DF32A293404FCB22D775AD187DA3FA8DF03214F0000DAE5408B1D5DB66AC08C3E2

Uniqueness

Uniqueness Score: -1.00%

Function 027B00D0, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.269460576.00000000027B0000.00000040.00000001.sdmp, Offset: 027B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8597762bc8d21cf8724f570e3ef83662a89969cbd75da30c8cc15ed87eacbce
Instruction ID: 6d70b77eaa28175d3499fcb5f90821b18323b965a294b2af904077957d4757eb
Opcode Fuzzy Hash: a8597762bc8d21cf8724f570e3ef83662a89969cbd75da30c8cc15ed87eacbce
Instruction Fuzzy Hash: DFE075B1D0525D9F8F40DFB999456DEBFF8FA48250B204466D508E3200E23556118BE5

Uniqueness

Uniqueness Score: -1.00%

Function 027B0F08, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.269460576.00000000027B0000.00000040.00000001.sdmp, Offset: 027B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33f35ef0fec7776186134471b8828da3798034e8810487083bbd47e319fb56f2
Instruction ID: 54277c48b8bf4769d60faac2aea3de8e7c244d092b2663257e5faed3552c8bb2
Opcode Fuzzy Hash: 33f35ef0fec7776186134471b8828da3798034e8810487083bbd47e319fb56f2
Instruction Fuzzy Hash: ADE0DF387001108FC304FB7CE448E9A37EBAF8922875042B6D809CBB28CE30AC01CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 027B0F07, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.269460576.00000000027B0000.00000040.00000001.sdmp, Offset: 027B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ce01b947b722b064ed4320cd5028dabf584a167ee0656db5802073855bbdcc4
Instruction ID: 40b4cb2fab5141eebbbbe2793f74ac526fe035c9d115f3f6683e22d008991bad
Opcode Fuzzy Hash: 4ce01b947b722b064ed4320cd5028dabf584a167ee0656db5802073855bbdcc4
Instruction Fuzzy Hash: 0BE0D8387000108FC314F77CE448E9A37E7AF8931475042BAD40ADBB68CA709C05CF90

Uniqueness

Uniqueness Score: -1.00%

Function 027B03C5, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.269460576.00000000027B0000.00000040.00000001.sdmp, Offset: 027B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: daaf53cf4bfcc8fe2d7d165f738336d8a5976c573b1c97abc3298639663b5215
Instruction ID: cd707998f9f816e0bfd716e6b87d2421d9aaf6d7baf855d603e346f5e0938f0d
Opcode Fuzzy Hash: daaf53cf4bfcc8fe2d7d165f738336d8a5976c573b1c97abc3298639663b5215
Instruction Fuzzy Hash: 7AF030749402549FEB159BB4C56C7FE7EF1AF48309F100459D402A72A0CF748D84CB45

Uniqueness

Uniqueness Score: -1.00%

Function 00CE23F4, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.269295133.0000000000CE2000.00000040.00000001.sdmp, Offset: 00CE2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d80c011722d872a97703227fa3b7dbc4cb1a3209eec043b45b5d02889bb25a3
Instruction ID: 2c3946c0c0a0583f75be91aac52e4a8f67aa09f1fb521ddab198005e2ec81c5f
Opcode Fuzzy Hash: 7d80c011722d872a97703227fa3b7dbc4cb1a3209eec043b45b5d02889bb25a3
Instruction Fuzzy Hash: F3D05E7A205AC14FD3268B1CC1A8B953BD8AB51B04F4644F9E8008B6A3C368DA81E200

Uniqueness

Uniqueness Score: -1.00%

Function 00CE23BC, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.269295133.0000000000CE2000.00000040.00000001.sdmp, Offset: 00CE2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97d973d53b22ccf5126857a3054fdc791122379a8ca11d40880d371f9cc868d2
Instruction ID: 986d94ffa9bead2daee105bcdc2d2fdd5a2543b6e795a8cda045c65f12b65c5d
Opcode Fuzzy Hash: 97d973d53b22ccf5126857a3054fdc791122379a8ca11d40880d371f9cc868d2
Instruction Fuzzy Hash: 9CD05E343012814BC726DB0DC1D4F593BD8AB81B00F1644E8AC108B272C7A8ED81CA00

Uniqueness

Uniqueness Score: -1.00%

Function 027B0D97, Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.269460576.00000000027B0000.00000040.00000001.sdmp, Offset: 027B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f97183dc42c1c0fe6aefb8026e29dff80a4fc4019565f4d67aa318fa3fbc81b
Instruction ID: c62435f9adfc9ff69ba258bcf11b15a4911ec948ca4593326d38526d00a872e8
Opcode Fuzzy Hash: 3f97183dc42c1c0fe6aefb8026e29dff80a4fc4019565f4d67aa318fa3fbc81b
Instruction Fuzzy Hash: 76D022313082204FC3089B68B8409AEBFE59A84270321012ED00BC3B20CAA04C00CB84

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries.
Tactics:	Command and Control
Data Sources:	Network intrusion detection system, Network protocol analysis, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report YfceI5MZX4.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: NanoCore

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre